UNIT-4
Cryptography
It is a technique of securing information and communications through
the use of codes so that only those persons for whom the information is
intended can understand and process it, thus preventing unauthorized
access to information. The prefix “crypt” means “hidden” and the suffix
“graphy” means “writing”.
In cryptography, the techniques used to protect information are
obtained from mathematical concepts and a set of rule-based
calculations known as algorithms, which convert messages in ways that make
them hard to decode. These algorithms are used for cryptographic key
generation, digital signing and verification to protect data privacy, web
browsing on the internet, and confidential transactions such as
credit card and debit card transactions.
Techniques used For Cryptography:
In today’s age of computers, cryptography is often associated with the
process where ordinary plain text is converted to cipher text, which is
text made such that only the intended receiver can decode it;
this process is known as encryption. The conversion of cipher text
back to plain text is known as decryption.
Features Of Cryptography are as follows:
1. Confidentiality:
Information can only be accessed by the person for whom it is
intended and no other person except him can access it.
2. Integrity:
Information cannot be modified in storage or in transit between the
sender and the intended receiver without the change to the information
being detected.
3. Non-repudiation:
The creator/sender of information cannot later deny his intention to
send the information.
4. Authentication:
The identities of the sender and receiver are confirmed, as well as
the destination/origin of the information.
Types Of Cryptography:
In general there are three types of cryptography:
1. Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of a message
use a single common key to encrypt and decrypt messages.
Symmetric key systems are faster and simpler, but the problem is
that the sender and receiver have to somehow exchange the key in a secure
manner. The most popular symmetric key cryptography system is
Data Encryption System (DES).
2. Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and decrypt
information. A public key is used for encryption and a private key is
used for decryption. The public key and private key are different. Even if
the public key is known by everyone, only the intended receiver can
decode the message because he alone knows the private key.
PUBLIC KEY CRYPTOGRAPHY
The most commonly used implementations of public key
cryptography (also known as public-key encryption and
asymmetric encryption) are based on algorithms presented by
Rivest-Shamir-Adleman (RSA) Data Security.
Public key cryptography involves a pair of keys known as a public
key and a private key (a public key pair), which are associated with
an entity that needs to authenticate its identity electronically or to
sign or encrypt data.
Each public key is published and the corresponding private key is
kept secret. Data that is encrypted with the public key can be
decrypted only with the corresponding private key.
RSA public key pairs can be any size. Typical sizes today are
1024 and 2048 bits.
Public key cryptography enables the following:
- Encryption and decryption, which allow two communicating
  parties to disguise data that they send to each other. The
  sender encrypts, or scrambles, the data before sending it.
  The receiver decrypts, or unscrambles, the data after
  receiving it. While in transit, the encrypted data is not
  understood by an intruder.
- Nonrepudiation, which prevents:
  - The sender of the data from claiming, at a later date,
    that the data was never sent
  - The data from being altered.
Figure 1 shows you a simplified view of how public key
cryptography works.
Figure 1. Public-key encryption
Figure 1 shows how you can freely distribute the public key so that
only you (the owner of the private key) can read data that was
encrypted with the public key. In general, to send encrypted data
to someone, you must encrypt the data with that person's public
key, and the person receiving the data decrypts it with the
corresponding private key.
RSA Algorithm in Cryptography
The RSA algorithm is an asymmetric cryptography algorithm. Asymmetric
means that it works on two different keys, i.e. a Public
Key and a Private Key. As the names suggest, the Public Key is given
to everyone and the Private Key is kept private.
An example of asymmetric cryptography :
1. A client (for example a browser) sends its public key to the server and
requests some data.
2. The server encrypts the data using the client’s public key and sends the
encrypted data.
3. The client receives this data and decrypts it.
Since this is asymmetric, nobody except the browser can decrypt the data,
even if a third party has the public key of the browser.
The idea: RSA is based on the fact that it is difficult to
factorize a large integer. The public key consists of two numbers, where
one number is the product of two large prime numbers. The private
key is also derived from the same two prime numbers. So if somebody
can factorize the large number, the private key is compromised. Therefore
encryption strength lies totally in the key size, and if we double or triple
the key size, the strength of encryption increases exponentially. RSA keys
are typically 1024 or 2048 bits long, but experts believe that 1024 bit
keys could be broken in the near future. But till now it seems to be an
infeasible task.
Let us learn the mechanism behind RSA algorithm :
>> Generating Public Key :
Select two prime numbers. Suppose P = 53 and Q = 59.
Now the first part of the Public Key : n = P*Q = 3127.
We also need a small exponent, say e.
But e must:
- Be an integer.
- Not be a factor of n.
- Satisfy 1 < e < Φ(n) [Φ(n) is discussed below].
Let us now consider it to be equal to 3.
Our Public Key is made of n and e.
>> Generating Private Key :
We need to calculate Φ(n) :
Such that Φ(n) = (P-1)(Q-1)
so, Φ(n) = 3016
Now calculate the Private Key, d : d = (k*Φ(n) + 1) / e for some integer k
For k = 2, the value of d is 2011.
Now we are ready with our Public Key (n = 3127 and e = 3) and
Private Key (d = 2011).
Now we will encrypt “HI” :
Convert letters to numbers : H = 8 and I = 9
Thus Encrypted Data c = 89^e mod n.
Thus our Encrypted Data comes out to be 1394.
Now we will decrypt 1394 :
Decrypted Data = c^d mod n.
Thus our Decrypted Data comes out to be 89.
8 = H and 9 = I, i.e. "HI".
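The key generation, encryption and decryption steps above, carried through in Python with the page's numbers (added example, not part of the original notes). The function names are assumptions of this example; the code checks gcd(e, Φ(n)) = 1, the condition under which d exists, and recover_private_key shows why a small n gives no protection once it is factored.

```python
from math import gcd


def generate_keys(p, q, e):
    """Return ((n, e), d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # d exists only when e is invertible modulo phi(n).
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    d = pow(e, -1, phi)  # e*d = k*phi(n) + 1 for some integer k
    return (n, e), d


def multiplier_k(e, d, p, q):
    """The integer k in d = (k*phi(n) + 1) / e."""
    return (e * d - 1) // ((p - 1) * (q - 1))


def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def decrypt(c, d, n):
    return pow(c, d, n)


def recover_private_key(public_key):
    """Factor n by trial division and rebuild d from the public key alone."""
    n, e = public_key
    f = 2
    while f * f <= n:
        if n % f == 0:
            return pow(e, -1, (f - 1) * (n // f - 1))
        f += 1
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    public, d = generate_keys(53, 59, 3)   # the page's P, Q and e
    c = encrypt(89, public)                # "HI" -> 89
    print(public, d, multiplier_k(3, d, 53, 59), c, decrypt(c, d, public[0]))
    print(recover_private_key(public))
```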
Digital Signatures and Certificates
Encryption – Process of converting electronic data into another form,
called ciphertext, which cannot be easily understood by anyone except
the authorized parties. This assures data security.
Decryption – Process of translating code to data.
The message is encrypted at the sender’s side using various encryption
algorithms and decrypted at the receiver’s end with the help of the
decryption algorithms.
When some message is to be kept secure like username, password,
etc., encryption and decryption techniques are used to assure data
security.
Types of Encryption
1. Symmetric Encryption – Data is encrypted using a key and the
decryption is also done using the same key.
2. Asymmetric Encryption – Asymmetric cryptography is also known as
public-key cryptography. It uses public and private keys to encrypt
and decrypt data. One key in the pair, which can be shared with
everyone, is called the public key. The other key in the pair, which is
kept secret and is only known by the owner, is called the private key.
Either of the keys can be used to encrypt a message; the opposite key
from the one used to encrypt the message is used for decryption.
Public key – Key which is known to everyone. Ex: the public key of A is 7;
this information is known to everyone.
Private key – Key which is only known to the person whose private key it
is.
Authentication – Authentication is any process by which a system verifies
the identity of a user who wishes to access it.
Non-repudiation – Non-repudiation means to ensure that a transferred
message has been sent and received by the parties claiming to have sent
and received the message. Non-repudiation is a way to guarantee that the
sender of a message cannot later deny having sent the message and that
the recipient cannot deny having received the message.
Integrity – To ensure that the message was not altered during
transmission.
Message digest – The representation of text in the form of a single string
of digits, created using a formula called a one-way hash function.
Encrypting a message digest with a private key creates a digital signature,
which is an electronic means of authentication.
Digital Signature
A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
1. Key Generation Algorithms: Digital signatures are electronic
signatures, which assure that the message was sent by a particular
sender. While performing digital transactions, authenticity and
integrity should be assured; otherwise, the data can be altered or
someone can also act as if he was the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, signing algorithms
like email programs create a one-way hash of the electronic data
which is to be signed. The signing algorithm then encrypts the hash
value using the private key (signature key). This encrypted hash, along
with other information like the hashing algorithm, is the digital
signature. This digital signature is appended to the data and sent to
the verifier. The reason for encrypting the hash instead of the entire
message or document is that a hash function converts any arbitrary
input into a much shorter fixed-length value. This saves time, as now
instead of signing a long message a shorter hash value has to be signed,
and moreover hashing is much faster than signing.
3. Signature Verification Algorithms: The verifier receives the digital
signature along with the data. It then uses the verification algorithm to
process the digital signature and the public key (verification key)
and generates some value. It also applies the same hash function to
the received data and generates a hash value. Then the hash value and
the output of the verification algorithm are compared. If they are
equal, the digital signature is valid; otherwise it is invalid.
The steps followed in creating digital signature are :
1. Message digest is computed by applying hash function on the message
and then message digest is encrypted using private key of sender to
form the digital signature. (digital signature = encryption (private key
of sender, message digest) and message digest = message digest
algorithm(message)).
2. The digital signature is then transmitted with the message (message +
digital signature is transmitted).
3. The receiver decrypts the digital signature using the public key of the sender.
(This assures authenticity, as only the sender has his private key, so only
the sender can encrypt using his private key, which can thus be decrypted
by the sender’s public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message
(the actual message is sent with the digital signature).
6. The message digest computed by the receiver and the message digest (got
by decryption of the digital signature) need to be the same to ensure
integrity.
Message digest is computed using one-way hash function, i.e. a hash
function in which computation of hash value of a message is easy but
computation of the message from hash value of the message is very
difficult.
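Steps 1 to 6 above as runnable Python (added example, not part of the original notes): the sender hashes and signs, the receiver recomputes the digest and compares. It assumes SHA-256 as the hash and a constructed demo key built from two Mersenne primes, and uses textbook RSA without the padding that real signature schemes add.

```python
import hashlib
from math import gcd

# Constructed demo key (assumption of this example): two known Mersenne
# primes, so the block runs offline. Not a key anyone should deploy.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
if gcd(E, PHI) != 1:
    raise ValueError("public exponent is not invertible for this key")
D = pow(E, -1, PHI)  # private (signature) key


def message_digest(message: bytes) -> int:
    """One-way hash of the message, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 1: signature = encryption(private key, message digest)."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Steps 3 to 6: recover the digest with the public key and compare it
    with the digest computed from the received message."""
    recovered_digest = pow(signature, e, n)
    return recovered_digest == message_digest(message)


if __name__ == "__main__":
    msg = b"Pay 100 to account 42"           # constructed sample message
    sig = sign(msg)                           # step 2: send msg + sig
    print(verify(msg, sig))                   # True: authentic and unmodified
    print(verify(b"Pay 900 to account 42", sig))  # False: message altered
    print(verify(msg, sig + 1))               # False: signature altered
```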
Digital Certificate
Digital certificate is issued by a trusted third party which proves sender’s
identity to the receiver and receiver’s identity to the sender.
A digital certificate is a certificate issued by a Certificate Authority (CA)
to verify the identity of the certificate holder. The CA issues an encrypted
digital certificate containing the applicant’s public key and a variety of
other identification information. Digital certificate is used to attach public
key with a particular individual or an entity.
Digital certificate contains:-
1. Name of certificate holder.
2. Serial number which is used to uniquely identify a certificate, the
individual or the entity identified by the certificate.
3. Expiration dates.
4. Copy of certificate holder’s public key (used for decrypting messages
and digital signatures).
5. Digital Signature of the certificate issuing authority.
Digital certificate is also sent with the digital signature and the message.
Digital certificate vs digital signature :
A digital signature is used to verify authenticity, integrity and
non-repudiation, i.e. it assures that the message is sent by the known user
and not modified, while a digital certificate is used to verify the identity of
the user, maybe sender or receiver. Thus, digital signatures and certificates
are different kinds of things, but both are used for security. Most websites
use digital certificates to enhance the trust of their users.
Feature | Digital Signature | Digital Certificate
Basics / Definition | Digital signature is like a fingerprint or an attachment to a digital document that ensures its authenticity and integrity. | Digital certificate is a file that ensures holder’s identity and provides security.
Process / Steps | Hashed value of original message is encrypted with sender’s secret key to generate the digital signature. | It is generated by CA (Certifying Authority) that involves four steps: Key Generation, Registration, Verification, Creation.
Security Services | Authenticity of Sender, integrity of the document and non-repudiation. | It provides security and authenticity of certificate holder.
Standard | It follows Digital Signature Standard (DSS). | It follows X.509 Standard Format.
EMAIL SECURITY CERTIFICATE
Email Secure SSL Certificates, also known as Email Signing SSL
Certificates, are designed to protect and authenticate email
transmissions. Unlike a Code Signing certificate, the email secured SSL
Certificate digitally signs emails and email messages, which ensures no
other person or robot can read or modify the message.
What is an Email Certificate?
When people talk about an email certificate, they’re typically referring to
a type of X.509 digital certificate that’s used to secure data at rest for
email users. Some users prefer terms like “S/MIME certificates” (because
they secure MIME data), “email signing certificate,” or “personal
authentication certificates,” etc.
Regardless of what you want to call it, it’s a useful tool to have at your
disposal that enhances the security of your personal or business digital
correspondences.
That’s because an email certificate is like the modern, high-tech version
of a certified letter. You know, if the postal service made it so that a
sender could encrypt their message, prove their identity, and also require
the recipient to provide a specific piece of validating information that
verifies they’re the intended recipient…
Okay, so it’s not really like a certified letter. But it does help people send
emails while doing those things.
What an Email Certificate Does and How It Works
In a nutshell, an email certificate uses public key infrastructure (PKI) to:
- Allow users to digitally sign their emails to verify their identity
  through the attestation of a trusted third party known as a certificate
  authority (CA).
- Allow users to encrypt the entire contents (messages, attachments, etc.)
  of their emails so that the information is secure before it transmits from
  server to server across the internet. This helps to protect the data from
  man-in-the-middle (MitM) attacks.
You may be wondering: “Wait, isn’t public key encryption something for
SSL/TLS certificates?” And, yes, you’d be correct in that assumption.
But we’re here to tell you that public key encryption isn’t only for
SSL/TLS encrypted connections for data in transit protection. It’s also
used to create end-to-end encryption that protects data when it’s at rest
and sitting in your (or your recipient’s) email server as well.
Transport Layer Security (TLS)
TLS encrypts data sent over the Internet to ensure that eavesdroppers and
hackers are unable to see what you transmit, which is particularly useful
for private and sensitive information such as passwords, credit card
numbers, and personal correspondence. This page explains what TLS is,
how it works, and why you should deploy it.
What is TLS?
TLS is a cryptographic protocol that provides end-to-end security of data
sent between applications over the Internet. It is mostly familiar to users
through its use in secure web browsing, and in particular the padlock icon
that appears in web browsers when a secure session is established.
However, it can and indeed should also be used for other applications
such as e-mail, file transfers, video/audioconferencing, instant messaging
and voice-over-IP, as well as Internet services such as DNS and NTP.
TLS evolved from Secure Socket Layers (SSL) which was originally
developed by Netscape Communications Corporation in 1994 to secure
web sessions. SSL 1.0 was never publicly released, whilst SSL 2.0 was
quickly replaced by SSL 3.0 on which TLS is based.
It should be noted that TLS does not secure data on end systems. It
simply ensures the secure delivery of data over the Internet, avoiding
possible eavesdropping and/or alteration of the content.
Why should I care about TLS?
Data has historically been transmitted unencrypted over the Internet, and
where encryption was used, it was typically employed in a piecemeal
fashion for sensitive information such as passwords or payment details.
Whilst it was recognised back in 1996 (by RFC 1984) that the growth of
the Internet would require private data to be protected, it has become
increasingly apparent over the intervening period that the capabilities of
eavesdroppers and attackers are greater and more pervasive than
How does TLS work?
TLS uses a combination of symmetric and asymmetric cryptography, as
this provides a good compromise between performance and security
when transmitting data securely.
With symmetric cryptography, data is encrypted and decrypted with a
secret key known to both sender and recipient; typically 128 but
preferably 256 bits in length (anything less than 80 bits is now considered
insecure). Symmetric cryptography is efficient in terms of computation,
but having a common secret key means it needs to be shared in a secure
manner.
Asymmetric cryptography uses key pairs – a public key, and a private
key. The public key is mathematically related to the private key, but
given sufficient key length, it is computationally impractical to derive the
private key from the public key. This allows the public key of the
recipient to be used by the sender to encrypt the data they wish to send to
them, but that data can only be decrypted with the private key of the
recipient.
The advantage of asymmetric cryptography is that the process of sharing
encryption keys does not have to be secure, but the mathematical
relationship between public and private keys means that much larger key
sizes are required. The recommended minimum key length is 1024 bits,
with 2048 bits preferred, but this is up to a thousand times more
computationally intensive than symmetric keys of equivalent strength
(e.g. a 2048-bit asymmetric key is approximately equivalent to a 112-bit
symmetric key) and makes asymmetric encryption too slow for many
purposes.
For this reason, TLS uses asymmetric cryptography for securely
generating and exchanging a session key. The session key is then used for
encrypting the data transmitted by one party, and for decrypting the data
received at the other end. Once the session is over, the session key is
discarded.
IPSec (IP Security) architecture
IPSec uses two protocols to secure the traffic or data flow. These protocols
are ESP (Encapsulation Security Payload) and AH (Authentication
Header). The IPSec architecture includes protocols, algorithms, DOI, and
Key Management. All these components are very important in order to
provide the three main services:
- Confidentiality
- Authentication
- Integrity
1. Architecture: Architecture or IP Security Architecture covers the
general concepts, definitions, protocols, algorithms, and security
requirements of IP Security technology.
2. ESP Protocol: ESP (Encapsulation Security Payload) provides a
confidentiality service. Encapsulation Security Payload is implemented in
either of two ways:
- ESP with optional Authentication.
- ESP with Authentication.
Packet Format:
- Security Parameter Index (SPI): This parameter is used by the Security
  Association. It is used to give a unique number to the connection built
  between the Client and Server.
- Sequence Number: Unique sequence numbers are allotted to every
  packet so that on the receiver side packets can be arranged properly.
- Payload Data: Payload data means the actual data or the actual
  message. The payload data is in an encrypted format to achieve
  confidentiality.
- Padding: Extra bits of space are added to the original message in
  order to ensure confidentiality. Padding length is the size of the added
  bits of space in the original message.
- Next Header: Next header means the next payload or next actual
  data.
- Authentication Data: This field is optional in the ESP protocol packet
  format.
3. Encryption algorithm: The encryption algorithm is the document
that describes various encryption algorithms used for Encapsulation
Security Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header is
implemented in one way only: Authentication along with Integrity.
Authentication Header covers the packet format and general issues
related to the use of AH for packet authentication and integrity.
5. Authentication Algorithm: The authentication Algorithm contains the
set of documents that describe the authentication algorithm used for AH
and for the authentication option of ESP.
6. DOI (Domain of Interpretation): DOI is the identifier that supports
both AH and ESP protocols. It contains values needed for documentation
related to each other.
7. Key Management: Key Management contains the document that
describes how the keys are exchanged between sender and receiver.
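A parser for the ESP packet format listed under item 2 above (added example, not part of the original notes). Field widths follow RFC 4303 (32-bit SPI and sequence number, one-byte pad length and next header); the sample packet is constructed and its body is left unencrypted so the trailer can be read, where a real receiver would decrypt first.

```python
import struct


def build_esp(spi, seq, payload, next_header, icv=b"", block=4):
    """Assemble SPI | Sequence Number | Payload | Padding | Pad Length |
    Next Header | Authentication Data (hypothetical helper for the demo)."""
    pad_len = (-(len(payload) + 2)) % block      # align payload + trailer
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default: 1, 2, 3...
    body = payload + padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + body + icv


def parse_esp(packet, icv_len=0):
    """Split an ESP packet whose body is already decrypted into its fields.
    icv_len is the Authentication Data length agreed for the connection."""
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("packet too short for ESP header and trailer")
    spi, seq = struct.unpack("!II", packet[:8])
    end = len(packet) - icv_len
    body, icv = packet[8:end], packet[end:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds packet body")
    payload_end = len(body) - 2 - pad_len
    # Reject padding that does not follow the default 1, 2, 3... pattern.
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding contents")
    return {
        "spi": spi,
        "sequence": seq,
        "payload": body[:payload_end],
        "pad_length": pad_len,
        "next_header": next_header,
        "auth_data": icv,
    }


if __name__ == "__main__":
    # Constructed sample: SPI 0x1001, sequence 7, next header 6 (TCP),
    # 12 bytes of placeholder Authentication Data.
    pkt = build_esp(0x1001, 7, b"hello", 6, icv=b"\xaa" * 12)
    print(parse_esp(pkt, icv_len=12))
```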