Module 3: Data Security & Privacy
Chapter 1: Cryptography
1
Communications Security and Authentication
Secure Communication Needs and Requirements
Needs for secure communication:
• War time communication
• Business transactions
Requirements of secure communication
1. Secrecy
– Only intended receiver understands the message
2. Authentication
– Sender and receiver need to confirm each other's identity
3. Message Integrity
– Ensure that their communication has not been altered, either maliciously or by accident
during transmission
Cryptography Basics
Cryptography is the science of secret, or hidden writing, It has two main Components:
Encryption & Secrecy
– Practice of hiding messages so that they can not be read by anyone other than the intended recipient
Authentication & Integrity
– Ensuring that users of data/resources are the persons they claim to be and that a message has not been
stealthily altered
4
Cryptography Basics
Plain Text Encryption Cipher Text Decryption Plain Text
Algorithm Algorithm
Key A Key A
Encryption algorithms are standardized & published, the key which is an input to the algorithm is
secret Key is a string of numbers or characters:
• If same key is used for encryption & decryption the algorithm is called Symmetric
• If different keys are used for encryption & decryption the algorithm is called Asymmetric
5
Encryption - Symmetric Algorithms
• Algorithms in which the key for encryption and decryption are the same are Symmetric
• Types of Symmetric Algorithms:
1. Block Ciphers
– Encrypt data one block at a time (typically 64 bits, or 128 bits)
– Used for a large amounts of Data
2. Stream Ciphers
– Encrypt data one bit or one byte at a time
– Used if data is a constant stream of information
6
Symmetric Encryption - Key Strength
Strength of algorithm is determined by the size of the key
• The longer the key the more difficult it is to crack
Key length is expressed in bits
• Typical key sizes vary between 48 bits and 448 bits
Set of possible keys for a cipher is called key space
• For 40-bit key there are 240 possible keys
• For 128-bit key there are 2128 possible keys
To crack the key the hacker has to use brute-force
(i.e., try all the possible keys till a key that works is found)
• Supercomputer can crack a 56-bit key in 14 hours
• It will take 272 times longer to crack a 128-bit key
(Longer than the age of the universe)
Data Encryption Standard (DES) Basics
DES is a block Cipher Algorithm uses 56 bits Key Length
• Encodes plaintext in 64 bit chunks
It is the most used algorithm
• Standard approved by US National Bureau of Standards for Commercial and nonclassified US
government use in 1993
Data Encryption Standard (DES) Basics
• DES run in reverse to decrypt
• Cracking DES
• 1997: 140 days
• 1999: 14 hours
• TripleDES uses DES 3 times in tandem
• Output from 1 DES is input to next DES
Symmetric Encryption Algorithm Summary
Algorithm Type Key Size Features
DES Block Cipher 56 bits Most Common, Not strong
enough
TripleDES Block Cipher 168 bits Modification of DES,
(112 Adequate Security
effective)
Blowfish Block Cipher Variable Excellent Security
(Up to 448
bits)
AES Block Cipher Variable Replacement for DES,
(128, 192, or Excellent Security
256 bits)
RC4 Stream Cipher Variable Fast Stream Cipher, Used
(40 or 128 in most SSL
bits) implementations
Symmetric Encryption Pros & Cons
Very fast and not resource intensive:
Preferred for encrypting large amounts of data
Key Exchange is a challenge:
Any exposure to the secret key compromises secrecy of ciphertext
A key needs to be delivered to the recipient of the coded message for it to be deciphered
Potential for eavesdropping attack during transmission of key
Asymmetric Encryption Basics
Uses a pair of keys for encryption
• Public key for encryption
• Private key for decryption
Messages encoded using public key can only be decoded by the private key
• Secret transmission of key for decryption is not required
• No exchange of secret keys -Man-in-the middle attack avoided
• Every entity can generate a key pair and release its public key
Plain Text Cipher Text Plain Text
Cipher Cipher
Public Key Private Key
What is a Digital Certificate?
Digital certificates are electronic credentials
that bind the identity of the certificate owner to a
pair of electronic encryption keys, (one public
and one private), that can be used to encrypt
and sign information digitally. ... All the receiver
would know is that a valid key pair was used
What is a Digital Certificate?
What is a Digital Certificate?
Asymmetric Encryption algorithm Types
Two most popular algorithms are RSA & El Gamal
• RSA
• Developed by Ron Rivest, Adi Shamir, Len Adelman
• Both public and private key are interchangeable
• Variable Key Size (512, 1024, or 2048 bits)
• Most popular public key algorithm
• El Gamal
• Developed by Taher ElGamal
• Variable key size (512 or 1024 bits)
• Less common than RSA, used in protocols like PGP
Asymmetric Encryption Session-Key Encryption
• Used to improve efficiency
• Symmetric key is used for encrypting data
• Asymmetric key is used for encrypting the symmetric key
Plain Text Cipher Cipher Text
(DES)
Send to Recipient
Encrypted
Cipher Key
(RSA)
Session Key
Recipient’s Public Key
Public Key Infrastructure
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage,
distribute, use, store and revoke digital certificates and manage public-key encryption.
Cryptographic hash function
• Is a mathematical algorithm that maps data of any size to a fixed size ("hash value",
"hash", or "message digest"). It is a one-way function, that is, a function which is
practically infeasible to invert. Cryptographic hash functions are a basic tool of modern
cryptography.
• It is deterministic, meaning that the same message always results in the same hash
• It is quick to compute the hash value for any given message
• It is infeasible to find two different messages with the same hash value
• A small change to a message should change the hash value so extensively that the new
hash value appears uncorrelated with the old hash value.
Cryptographic hash function MD5 sample
Hashing Messages/Message Digests
• A message digest is a fingerprint for a document
• Purpose of the message digest is to provide proof that a message has not altered
• Process of generating a message digest from data is called hashing
• Commonly used hash algorithms are
• MD5 – 128 bit hashing algorithm by Ron Rivest of RSA
• SHA & SHA-1 – 162 bit hashing algorithm developed by NIST
Data Hashing Hash
Algorithm
Message
Message Digest
Digest
Algorithm
Authentication Basics
• Authentication is the process of validating the identity of a User/a Message Sender.
• The Public Key Infrastructure technology that provide authentication is called Digital Signature.
• Digital Signature Process similar to the Public Key Asymmetric/Cryptography.
Walid’s
Walid’s Public Key
Private
Key
Message Message
Sent to Sent to
Receiver Receiver
Message
Sent to Digital Digital
Signature Signature Signature Signature Message is 100%
Mohamed confirmed to be
From Algorithm Sent to Sent to Algorithm
from Walid
Walid Receiver Receiver
Mohamed/The Receiver/Verifier
Walid/Sender
Mixing Hashing with/Digital Signatures
• A digital signature is a data item which accompanies or is logically associated with a digitally
encoded message.
• It has two goals
1. A guarantee of the source of the data
2. Proof that the data has not been tampered with
Sender’s Sender’s
Private Key Public Key
Message Digest Digest Message
Sent to Algorithm Algorithm Digest
Receiver
Same?
Digital
Message Signature Signature Signature Message
Digest Algorithm Sent to Algorithm Digest
Receiver
Sender Receiver
Authentication/Digital Signatures
Data Integrity/Digest Algorithm
Message
Message Digest Message
Walid’s From Walid’s
From Algorithm Digest
Private Key Walid Public Key
Walid To Ahmed
Digest
To Ahmed
Algorithm
Message wasn’t
Same? altered in transit
Digitally Digitally Message
Signature Signed Signed Signature Digest
Message
Algorithm Message Message Algorithm
Digest
Digest Digest
Message 100%
from Walid
Sender Receiver/Verifier
Asymmetric Encryption Protocols
• Pretty Good Privacy (PGP)
• Used to encrypt e-mail using session key encryption
• Combines RSA, TripleDES, and other algorithms
• Secure/Multipurpose Internet Mail Extension (S/MIME)
• Newer algorithm for securing e-mail
• Backed by Microsoft, RSA, AOL
• Secure Socket Layer(SSL) and Transport Layer Socket(TLS)
• Used for securing TCP/IP Traffic
• Mainly designed for web use
• Can be used for any kind of internet traffic
Password Authentication Basics
• Password is secret character string only known to user and server
• Password Hash is commonly used for password authentication
• Stored hash of the password is a lesser risk
• Hacker can not reverse the hash
• Problems with password-based authentication
• Attacker learns password by social engineering
• Attacker cracks password by brute-force and/or guesswork
• Eavesdrops password if it is communicated unprotected over the network
• Replays an encrypted password back to the authentication server
Authentication Protocols Basics
• Set of rules that governs the communication of data related to authentication between the server and
the user
• Techniques used to build a protocol are
• Transformed password Hash
• Password transformed using one way function before transmission
• Prevents eavesdropping but not replay
• Challenge-response
• Server sends a random value (challenge) to the client along with the authentication request. This must be
included in the response
• Protects against replay
• One-time password
• New password obtained by passing user-password through one-way function n times which keeps
incrementing
• Protects against replay as well as eavesdropping
Authentication Biometrics
Uses certain biological characteristics for authentication
• Biometric reader measures physiological indicia and compares them to specified values
• It is not capable of securing information over the network
Different techniques exist
• Fingerprint Recognition
• Voice Recognition
• Handwriting Recognition
• Face Recognition
• Retinal Scan
• Hand Geometry Recognition