Chapter 1 Introduction to Cryptography PDF
Jordan University of Science and Technology
2024
Dr. Qasem Abu Al-Haija
Summary
This document is an introduction to cryptography, covering security goals and services. It also provides a summary of the topics covered in the course. Topics such as data confidentiality, integrity, and availability are covered in detail.
Full Transcript
CY 261 CRYPTOGRAPHY
Dr. Qasem Abu Al-Haija
Department of Cybersecurity
10/17/2024
Chapter 1: Introduction to Cryptography

Objectives
▪ To define three security goals
▪ To define security attacks that threaten security goals
▪ To define security services and how they are related to the three security goals
▪ To define security mechanisms to provide security services
▪ To introduce two techniques, cryptography and steganography, to implement security mechanisms

10/17/2024 Jordan University of Science and Technology - Dr. Qasem Abu Al-Haija

Outline
▪ What is cryptography and cryptology?
▪ The main components of a cryptosystem.
▪ Problems solved by cryptography.
▪ Basic concepts: symmetric cryptography, asymmetric cryptography, digital signatures.
▪ Types of algorithms and related concepts.

The Main Players
Alice, Bob, Eve?

Definitions
Definition of Computer Security (NIST Computer Security Handbook [NIST95]): The protection afforded to an automated information system to attain the applicable objectives of preserving (protecting) the integrity, availability, and confidentiality of information system resources (including hardware, software, information/data, and telecommunication).

Three fundamental questions:
1. What assets do we need to protect?
2. How are those assets threatened (vulnerable)?
3. What can we do to counter those threats?

Definitions
Network Security - measures to protect data during their transmission.
― Policies & procedures implemented by a network admin to avoid & keep track of unauthorized access, exploitation, modification, or denial of the network and resources.
Internet Security - measures to protect data during their transmission over a collection of interconnected networks.
― It's a branch of computer security that deals with Internet-based threats. These include:
― Hacking, where unauthorized users gain access to computer systems, email accounts, or websites;
― Viruses & other malicious software (malware), which can damage data or make systems vulnerable to other threats.
The network and Internet security field consists of measures to deter, prevent, detect, and correct security violations involving information transmission. That is a broad statement that covers a host of possibilities.

Always Remember
Nothing is ever completely or truly secure: there is always a way around or through any security precaution we construct.

The Main Pillars of Security
These three concepts form what is often referred to as the CIA triad. The three concepts represent the fundamental security objectives for both data and for information and computing services.

Topic 1: Security Goals
Figure 1 Taxonomy of security goals

1.1 Confidentiality
Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against those malicious actions that endanger the confidentiality of its information.

1.2: Integrity
Information needs to be changed constantly. Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.

1.3: Availability
The information created and stored by an organization needs to be available to authorized entities.

Topic 2: ATTACKS
The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.
Topics discussed in this section:
2.1 Attacks Threatening Confidentiality
2.2 Attacks Threatening Integrity
2.3 Attacks Threatening Availability
2.4 Passive versus Active Attacks

Topic 2: ATTACKS
Figure 1.2 Taxonomy of attacks with relation to security goals

2.1: Attacks Threatening Confidentiality
▪ Snooping refers to unauthorized access to or interception of data.
▪ Traffic analysis refers to obtaining other information by monitoring online traffic.

2.2: Attacks Threatening Integrity
▪ Modification means that the attacker intercepts the message and changes it.
▪ Masquerading or spoofing happens when the attacker impersonates somebody else.
▪ Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.
▪ Repudiation means that the sender of the message might later deny that he/she has sent the message; the receiver of the message might later deny that he/she has received the message.

2.3: Attacks Threatening Availability
Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

2.3: Passive Versus Active Attacks
Table 2.1 Categorization of passive and active attacks

Topic 3: SERVICES AND MECHANISMS
ITU-T provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.
Topics discussed in this section:
3.1 Security Services
3.2 Security Mechanism
3.3 Relation between Services and Mechanisms

3.1 Security Services
Figure 3.1 Security services

3.2: Security Mechanism
Figure 3.2 Security mechanisms

3.3: Relation between Services and Mechanisms
Table 1.1 Relation between security services and mechanisms

Topic 4: TECHNIQUES
Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.
Topics discussed in this section:
4.1 Cryptography
4.2 Steganography

4.1: Steganography
The word steganography, originating in Greek, means “covered writing,” in contrast with cryptography, which means “secret writing.”

4.2: Cryptography
Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.
Most security mechanisms apply cryptographic techniques, so this course will focus on cryptography.

Cryptography and Cryptology
▪ Encryption: the transformation of intelligible, understandable information into unintelligible form to disguise its meaning and intent from intruders.
▪ Decryption: the inverse transformation of encrypted information into intelligible form.
▪ Both encryption and decryption are based on keys. It should be difficult or impossible to decrypt a message without knowing the key.
▪ Cryptography: a Greek word that means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks (the study of encryption principles/methods: encryption + decryption).
▪ Cryptanalysis (codebreaking): analyzing encrypted information with the intent of recovering the original plain information without knowing the key (the study of principles/methods of deciphering ciphertext without knowing the key).
▪ Cryptology: the field of both cryptography and cryptanalysis.

The Encryption and Decryption Process
The encryption model

The major components of a cryptosystem
▪ Plaintext: the original message before encryption.
▪ Encryption algorithm: the algorithm used to transform the plaintext into unintelligible form (the ciphertext).
▪ Ciphertext: the encrypted text.
▪ Encryption key: the encryption process is always based on a key.
▪ Decryption algorithm: used to transform the ciphertext back to plaintext.
▪ Decryption key: the key used in the decryption process.
All algorithms must be public; only the keys are secret.

Intruders and Cryptanalysis
▪ It is assumed that there is an intruder who listens to all communications, and he may copy or delete any message.
▪ An active intruder modifies some messages and re-inserts them.
▪ A passive intruder just listens.
▪ To decrypt a message without having a key, an intruder practices the art of cryptanalysis.

What Does Cryptography Solve?
▪ Confidentiality: ensure that nobody can get knowledge of what you transfer, even if listening to the whole conversation.
▪ Integrity: ensure that the message has not been modified during the transmission.
▪ Authenticity: you can verify that you are talking to the entity you think you are talking to.
▪ Identity: you can verify who is the specific individual behind that entity.
▪ Non-repudiation: the individual behind that asset cannot deny being associated with it.

Classical Encryption Techniques
Cryptography is classified according to the number of keys used:
Symmetric key cryptography (private-key cryptography)
▪ The same key is used to encrypt and decrypt, as in DES (Data Encryption Standard).
Asymmetric key cryptography (public-key cryptography)
▪ Two mathematically related keys are used: the public key to encrypt, and the private key to decrypt, as in RSA, ElGamal, or DSA.

Symmetric Encryption
▪ Also referred to as conventional encryption or single-key encryption.
▪ Was the only type of encryption in use prior to the development of public-key encryption in the 1970s.
▪ Remains by far the most widely used of the two types of encryption.
▪ Sender and recipient share a common key.

Symmetric Encryption
[Figure: clear-text input “An introduction to cryptography” → DES encryption → cipher-text “AxCvGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%” → DES decryption → clear-text output “An introduction to cryptography”. The same key (shared secret) is used for encryption and decryption.]

Symmetric Encryption
In a symmetric encryption system, both the sender and receiver must possess the same key. The sender encrypts the message using the key, and the receiver decrypts the cipher-text message using the same secret key. The word “symmetric” here means that the same key is used for encryption and decryption.

Examples of Symmetric Cipher
▪ DES (Data Encryption Standard)
▪ AES (Advanced Encryption Standard)
▪ Twofish
▪ Serpent
▪ Blowfish
▪ CAST5
▪ RC4
▪ Triple DES
▪ IDEA (International Data Encryption Algorithm)

Requirements
Two requirements for secure use of symmetric encryption:
▪ A strong encryption algorithm
▪ A secret key known only to sender/receiver
Mathematically, we have:
$C = E_K(M)$
$M = D_K(C)$
▪ Assume the encryption algorithm is known
▪ Implies a secure channel to distribute the key

Types of encryption operations used
Substitution Cipher
▪ Replace the actual bits, characters, or blocks of characters with substitutes.
Transposition Cipher
▪ Rearrange the order of the bits, characters, or blocks of characters being encrypted or decrypted.
Product Cipher
▪ A combination of a transposition cipher and a substitution cipher.

Asymmetric Encryption
Things to remember about asymmetric keys:
▪ The relation between the two keys is unknown, and from one key, you cannot gain knowledge of the other, even if you have access to clear-text and cipher-text.
▪ The two keys are interchangeable. All algorithms make no difference between public and private keys. When a key pair is generated, any of the two can be public or private.

Asymmetric key cryptography characteristics
▪ Messages encrypted with the public key can only be decrypted with the private key. (Asymmetric Encryption)
▪ Messages encrypted with the private key can only be decrypted with the public key. (Asymmetric Digital Signature)

Asymmetric Encryption Model
The essential steps are as follows:
1. Each entity in a network generates a pair of keys (a public and a private key) to be used for encryption and decryption of messages, respectively.
2. Each entity publishes its encryption key by placing it in a public domain or file. This is the public key. The private key is kept private by the owner.
3. If user A wishes to send a message to user B, then A encrypts the message using B's public key.
4. When user B receives the encrypted message, B decrypts it using B's private key. No other recipient can decrypt the message because only B knows B's private key.
Something encrypted with the public key can only be decrypted with the private key.

Requirements
Encryption and decryption with the public-key cryptosystem are denoted by:
$E_{KU_B}(M) = C$
$D_{KP_B}(C) = M$
▪ There is some source A for a message, which generates a message in plaintext M.
▪ The message M and the public encryption key of the destination user B are the inputs to the encryption algorithm.
▪ A produces the ciphertext C.
▪ The intended receiver B, possessing the corresponding private key $KP_B$, can recover the original message M using the decryption algorithm.

Examples of Asymmetric Cipher
There are many asymmetric cryptosystems, such as:
▪ RSA
▪ Rabin
▪ ElGamal
▪ Elliptic curve cryptography

Digital Signature
A digital signature is “data appended to, or a cryptographic transformation of, a data unit, that allows a recipient of the data unit to prove the source and integrity of the data unit and protects against forgery.”
Digital signatures make public key cryptography (asymmetric cryptography) the most practical tool in real-life applications and the most reliable method for authentication, data integrity, and non-repudiation.

Digital Signature Model
Digital signatures depend on two fundamental assumptions:
▪ The private key is secure, and only the owner of the key has access to it, and
▪ The only way to produce a digital signature is to use the private key.
The first assumption has no technical answer except that keys must be protected. But the second assumption can be examined from a mathematical point of view.

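
The public-key notation and the digital signature model above, worked through as an added example that is not part of the original slides: textbook RSA in Python with SHA-256 as the digest function. The fixed demo key (two Mersenne primes), the function names and the sample messages are assumptions of this example; it omits padding, so it shows the mathematics only, and real systems use padded schemes such as RSA-OAEP and RSA-PSS.

```python
import hashlib

# Constructed demo key (assumption of this example): two Mersenne primes, so the
# values are fixed and the code runs offline. Real keys use large random primes.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

KU_B = (E, N)  # B's public key, published
KP_B = (D, N)  # B's private key, kept secret by B


def encrypt(message: bytes, public_key) -> int:
    """C = E_KUB(M): anyone holding B's public key can compute this."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message does not fit in one RSA block")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """M = D_KPB(C): only the holder of the private key can compute this."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes) -> int:
    """One-way message digest of an arbitrarily long input, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Transform the digest with the private key to obtain the signature."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    doc = b"This is the document created by Ahmed"  # constructed sample input
    sig = sign(doc, KP_B)
    print("valid signature:", verify(doc, sig, KU_B))
    print("tampered document:", verify(doc + b"!", sig, KU_B))
    c = encrypt(b"An introduction to cryptography", KU_B)
    print("decrypted:", decrypt(c, KP_B))
```

Changing one byte of the document or one bit of the signature makes `verify` return False, which is the integrity property the signature model relies on.
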
Creating a Digital Signature
[Figure: the message or file (“This is the document created by Ahmed”) is passed through a hash function (SHA, MD5) to generate a message digest (typically 128 bits), shown as “Py75c%bn”. The digest is processed by asymmetric encryption with the signatory's private key to produce the digital signature, shown as “3kJfgf*£$&”. The signed document is the document together with its digital signature.]
Calculate a short message digest from even a long input using a one-way message digest function (hash).

Verifying a Digital Signature
[Figure: a hash of the document in the signed document (“This is the document created by Ahmed”) is generated, giving the message digest “Py75c%bn”. The digital signature “3kJfgf*£$&” is processed by asymmetric decryption with Gianni's public key (from certificate), giving “Py75c%bn”. The two digests are compared.]

Properties of Digital Signature
It must have the following properties:
▪ The signature must be verifiable by third parties to resolve disputes.
▪ It must be possible to verify the author, the date, and time of the signature.
▪ It must be possible to authenticate the contents at the time of the signature.

Examples of Digital Signature
❑ DSS (Digital Signature Standard)
❑ ElGamal
❑ RSA (Rivest-Shamir-Adleman)
❑ Rabin and Knapsack

Symmetric-key vs. Asymmetric-key cryptography

Advantages of symmetric-key
▪ Have high rates of data throughput.
▪ Keys for symmetric-key ciphers are relatively short.

Disadvantages of symmetric-key
In a two-party communication, the key must remain secret.
▪ This requires prior communication of the key between sender and receiver over a secure channel before any ciphertext is transmitted.
▪ In practice, this may be difficult to achieve because communication channels are not always available.
In a large network, many key pairs must be managed (a large number of keys).
▪ For a cryptosystem with n users, each user must possess n-1 keys, requiring a total of n*(n-1)/2 keys.
▪ Thus, when the number of users increases, the risk of revealing the secret information drastically increases.

Advantages of Asymmetric-key
Its concept evolved as an attempt to solve two of the most difficult problems associated with conventional encryption:
▪ Key distribution.
▪ Digital signature.
Only the private key must be kept secret.
Depending on the mode of usage, a private key/public key pair may remain unchanged for considerable periods of time.

Disadvantages of Asymmetric-key
▪ Slower than the best-known symmetric key schemes.
▪ Key sizes are typically much larger than those of the best-known symmetric key schemes.