Introduction to Cryptography & IP Security PDF

**Introduction to Cryptography & IP Security** **Encryption** Encryption is a security method in which information is encoded in such a way that only authorized user can read it. It uses encryption algorithm to generate ciphertext that can only be read if decrypted. Types of Encryption There are two types of encryptions schemes as listed below: - Symmetric Key encryption - Public Key encryption Symmetric Key encryption **Symmetric key encryption** algorithm uses same cryptographic keys for both encryption and decryption of cipher text. internet\_technologies\_tutorial Public Key encryption **Public key encryption** algorithm uses pair of keys, one of which is a secret key and one of which is public. These two keys are mathematically linked with each other. ![internet\_technologies\_tutorial](media/image2.jpeg) **Decryption** Decryption is taking encoded or encrypted text or other data and converting it back into text you or the computer can read and understand. This term could be used to describe a method of unencrypting the data manually or unencrypting the data using the proper codes or keys. **Plaintext** can refer to anything which humans can understand and/or relate to. This may be as simple as English sentences, a script, or Java code. If you can make sense of what is written, then it is in plaintext. **Ciphertext**, or encrypted text, is a series of randomized letters and numbers which humans cannot make any sense of. An [**encryption algorithm**](https://learn.encryptionconsulting.com/what-is-an-encryption-algorithm/) takes in a plaintext message, runs the algorithm on the plaintext, and produces a ciphertext. The ciphertext can be reversed through the process of [**decryption**](https://learn.encryptionconsulting.com/what-is-decryption/), to produce the original plaintext. ***Cryptography*** ---There are five primary functions of cryptography: 1. *Privacy/confidentiality:* Ensuring that no one can read the message except the intended receiver. 2. *Authentication:* The process of proving one\'s identity. 3. *Integrity:* Assuring the receiver that the received message has not been altered in any way from the original. 4. *Non-repudiation:* A mechanism to prove that the sender really sent this message. 5. *Key exchange:* The method by which crypto keys are shared between sender and receiver. In cryptography, we start with the unencrypted data, referred to as *plaintext*. Plaintext is *encrypted* into *ciphertext*, which will in turn (usually) be *decrypted* back into usable plaintext. The encryption and decryption is based upon the type of cryptography scheme being employed and some form of key. For those who like formulas, this process is sometimes written as: C =E~k~(P)\ P = D~k~(C) where **P** = plaintext, **C** = ciphertext, **E** = the encryption method, **D** = the decryption method, and **k** = the key. **Cryptography function** - ***Secret Key Cryptography (SKC):*** Uses a single key for both encryption and decryption; also called *symmetric encryption*. Primarily used for privacy and confidentiality. - ***Public Key Cryptography (PKC):* **Uses one key for encryption and another for decryption; also called *asymmetric encryption*. Primarily used for authentication, non-repudiation, and key exchange. - ***Hash Functions:*** Hash functions, also called *message digests* and *one-way encryption*, are algorithms that, in essence, use no key (Figure 1C). Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. - Hash algorithms are typically used to provide a *digital fingerprint* of a file\'s contents, often used to ensure that the file has not been altered by an intruder or virus. - Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a mechanism to ensure the integrity of a file. +-----------------------------------------------------------------------+ | **FIGURE 1: Three types of cryptography: secret key, public key, and | | hash function.** | +-----------------------------------------------------------------------+ Below is the difference between secret-key cryptography and public-key cryptography: -- Key Secret Key Public Key ------------- -------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------- Algorithm Secret Key is used to both encryption and decryption of the data and the data is shared between the receiver and sender of encrypted data. The public key is used to encrypt data and to decrypt the data, the private key is used and is shared. Performance Mechanism performance is faster. The performance is slower. Secret The secret is shared to the sender and receiver. The public key is free to use Type The secret key mechanism is called symmetric being a single key between two parties. The public key mechanism is known as asymmetric as its two keys are used for different purposes. Sharing The secret key is shared between two parties. The public key can be used by everyone. Targets Performance testing checks the speed, reliability and scalability of the system. Load testing checks the sustainability of the system. **Hash Function** - A **hash function** H accepts a variable-length block of data as input and produces a fixed-size hash value. - A "good" hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random. - In general terms, the principal object of a hash function is data integrity. - A change to any bit or bits in results, with high probability, in a change to the hash code. ![](media/image4.png) - Hash function used for security applications is referred to as a **cryptographic hash function**. - A cryptographic hash function is an algorithm for which it is computationally infeasible to find either - A data object that maps to a pre-specified hash result (the one-way property) or - Two data objects that map to the same hash result (the collision-free property). - Because of these characteristics, hash functions are often used to determine whether or not data has changed. - Figure depicts the general operation of a cryptographic hash function. a. Themessageplusconcatenatedhashcodeisencryptedusingsymmetricencryption.BecauseonlyA andBsharethesecretkey,themessagemusthavecomefromAandhasnotbeenaltered.Thehash codeprovidesthestructureorredundancyrequiredtoachieveauthentication.Confidentialityisalso provided. b. Onlythehashcodeisencrypted,usingsymmetricencryption.Thisreducestheprocessingburdenfor thoseapplicationsthatdonotrequireconfidentiality. c. Itispossibletouseahashfunctionbutnoencryptionformessageauthentication.Twocommunicating partiesshareacommonsecretvalueS.AcomputesthehashvalueovertheconcatenationofMand SandappendstheresultinghashvaluetoM.BecauseBpossesses,itcanrecomputedthehashvalue toverify.Opponentcannotgenerateafalsemessage. d. Confidentialitycanbeaddedtotheapproachofmethod(c)byencryptingtheentiremessageplusthe hashcode. Secure Hash Algorithm (SHA) =========================== - SHAisbasedonthehashfunctionMD4. - Thealgorithmtakesasinputamessageofmaximumlengthoflessthan2128bitsandproducesa512-bit messagedigest. - Theinputisprocessedin1024-bitblocks. - Theprocessingconsistsofthefollowingsteps: 1. ### Append paddingbits. - Themessageispaddedsothatitslengthiscongruentto896modulo1024. - Thepaddingconsistsofasingle1-bitfollowedbythenecessarynumberof0-bits. 2. ### Appendlength. - Ablockof128bitsisappendedtothemessage.Thisblockcontainsthelengthoftheoriginal message (before thepadding). - Themessageisnowanintegermultipleof1024bitsinlength. - Inthefigurebelow,expandedmessageisrepresentedasthesequenceof1024-bitblocksM1,M2,\...,MN andthetotallengthoftheexpandedmessageisNx1024bits. ![](media/image6.png) 3. ### Initialize hashbuffer. - A512-bitbufferisusedtoholdintermediateandfinalresultsofthehashfunction. - Thebuffer canberepresentedaseight64-bitregisters(a,b,c,d,e,f,g,h). - Theseregistersareinitializedtothe64-bitintegers(hexadecimalvalues)obtainedbytakingthe firstsixty-fourbitsofthefractionalpartsofthesquarerootsofthefirsteight primenumbers. 4. ### Processmessagein1024-bit(128-word)blocks. - Theheartofthealgorithmisamodule**F**thatconsistsof80rounds. - SHA has 80rounds. - Eachroundtakesasinput: - 512-bit buffer value(**Hi-1**) - 64-bitwords**Wt**obtainedfromthecurrentdatablockbymessageschedule. - Additiveconstant**Kt**whichrepresentthefirstsixty-fourbitsofthefractionalpartsofthecuberoots ofthefirsteightyprimenumbers. - Thecontentsofthebufferareupdatedaftereveryround. ![](media/image8.png) ### SHA algorithm - Theoutputoftheeightiethroundisaddedmodulo264totheinputtothefirstround(Hi-1)toproduceHi. 5. ### Output. - Afterall*N*1024-bitblockshavebeenprocessed,theoutputfromtheN^th^stageisthe512-bit messagedigest. Digital Signature ================= The Digital Signature is a technique which is used to validate the authenticity and integrity of the message. We know that there are four aspects of security: privacy, authentication, integrity, and non-repudiation. We have already discussed the first aspect of security and other three aspects can be achieved by using a digital signature. The basic idea behind the Digital Signature is to sign a document. When we send a document electronically, we can also sign it. We can sign a document in two ways: to sign a whole document and to sign a digest. **Signing the Whole Document** ------------------------------ - In Digital Signature, a public key encryption technique is used to sign a document. However, the roles of a public key and private key are different here. The sender uses a private key to encrypt the message while the receiver uses the public key of the sender to decrypt the message. - In Digital Signature, the private key is used for encryption while the public key is used for decryption. - Digital Signature cannot be achieved by using secret key encryption. Digital Signature ### **Digital Signature is used to achieve the following three aspects:** - **Integrity:** The Digital Signature preserves the integrity of a message because, if any malicious attack intercepts a message and partially or totally changes it, then the decrypted message would be impossible. - **Authentication:** We can use the following reasoning to show how the message is authenticated. If an intruder (user X) sends a message pretending that it is coming from someone else (user A), user X uses her own private key to encrypt the message. The message is decrypted by using the public key of user A. Therefore, this makes the message unreadable. Encryption with X\'s private key and decryption with A\'s public key results in garbage value. - **Non-Repudiation:** Digital Signature also provides non-repudiation. If the sender denies sending the message, then her private key corresponding to her public key is tested on the plaintext. If the decrypted message is the same as the original message, then we know that the sender has sent the message. **Signing the Digest** ---------------------- - Public key encryption is efficient if the message is short. If the message is long, a public key encryption is inefficient to use. The solution to this problem is to let the sender sign a digest of the document instead of the whole document. - The sender creates a miniature version (digest) of the document and then signs it, the receiver checks the signature of the miniature version. - The hash function is used to create a digest of the message. The hash function creates a fixed-size digest from the variable-length message. - The two most common hash functions used: MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1). The first one produces 120-bit digest while the second one produces a 160-bit digest. - A hash function must have two properties to ensure the success: - First, the digest must be one way, i.e., the digest can only be created from the message but not vice versa. - Second, hashing is a one-to-one function, i.e., two messages should not create the same digest. ### **Following are the steps taken to ensure security:** - The miniature version (digest) of the message is created by using a hash function. - The digest is encrypted by using the sender\'s private key. - After the digest is encrypted, then the encrypted digest is attached to the original message and sent to the receiver. - The receiver receives the original message and encrypted digest and separates the two. The receiver implements the hash function on the original message to create the second digest, and it also decrypts the received digest by using the public key of the sender. If both the digests are same, then all the aspects of security are preserved. **At the Sender site** - **At the Receiver site** ![Digital Signature](media/image11.png) **IP Security Architecture -- Authentication Header, Encapsulating Security Payload** **IPSec (IP Security) architecture** uses two protocols to secure the traffic or data flow. These protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec Architecture include protocols, algorithms, DOI, and Key Management. All these components are very important in order to provide the three main services: - Confidentiality - Authentication - Integirity **IP Security Architecture:** **1. Architecture:**\ Architecture or IP Security Architecture covers the general concepts, definitions, protocols, algorithms and security requirements of IP Security technology. **2. ESP Protocol:**\ ESP(Encapsulation Security Payload) provide the confidentiality service. Encapsulation Security Payload is implemented in either two ways: - ESP with optional Authentication. - ESP with Authentication. **Packet Format:** ![](media/image13.jpeg) - **Security Parameter Index(SPI):**\ This parameter is used in Security Association. It is used to give a unique number to the connection build between Client and Server. - **Sequence Number:**\ Unique Sequence number are allotted to every packet so that at the receiver side packets can be arranged properly. - **Payload Data:**\ Payload data means the actual data or the actual message. The Payload data is in encrypted format to achieve confidentiality. - **Padding:**\ Extra bits or space added to the original message in order to ensure confidentiality. Padding length is the size of the added bits or space in the original message. - **NextHeader:**\ Next header means the next payload or next actual data. - **Authentication Data**\ This field is optional in ESP protocol packet format. **3. Encryption algorithm:**\ Encryption algorithm is the document that describes various encryption algorithm used for Encapsulation Security Payload. **4. AH Protocol:**\ AH (Authentication Header) Protocol provides both Authentication and Integrity service. Authentication Header is implemented in one way only: Authentication along with Integrity. Authentication Header covers the packet format and general issue related to the use of AH for packet authentication and integrity. **5.AuthenticationAlgorithm:**\ Authentication Algorithm contains the set of the documents that describe authentication algorithm used for AH and for the authentication option of ESP. **6. DOI (Domain of Interpretation):**\ DOI is the identifier which support both AH and ESP protocols. It contains values needed for documentation related to each other. **7. Key Management:**\ Key Management contains the document that describes how the keys are exchanged between sender and receiver. **Internet Key Exchange (IKE).** Internet Key Exchange (IKE) is the standard used for remote host, network access, and virtual private network (VPN) access. IKE enables two parties on the Internet to communicate securely. Specifically it is a key management protocol used to set up a security association (SA) using Internet Protocol Security (IPsec). IKE uses X.509 certificates to authenticate, whether pre-shared or distributed, and a Diffie--Hellman key exchange to create a shared session secret through which cryptographic keys are derived. In Phase 1 IKE establishes an authenticated connection between the host and user before generating the private key (mutual secret) that make Phase 2 or subsequent communications secure. **Example:** "Our VPN uses IKE so when you're working from home, you can be sure that it's you and the home office --- and only those two parties --- working over a secure connection."

Introduction to Cryptography & IP Security PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue