MTC - Module 10-IAS101
MTC - Module 10-IAS101
1
“CRYPTOGRAPHY”
Topic Outline
This lesson discusses several topics associated with encryption of data. Objectives important to this
lesson:
The text begins this chapter with a lot of history which will be interesting to people who love
cryptography, but it is all background. You may want to know some of the famous concepts, and some
vocabulary:
plaintext, cleartext - a message that has not been encrypted or has been decrypted
encrypt, encipher - to change an ordinary message with a code or cipher system so that the
message is unreadable
decrypt, decipher - to change and encrypted message to plaintext
cipher or code - the difference between a cipher and a code is that a cipher uses one symbol to
stand for another, while a code can use a symbol to stand for several symbols or words
Caesar cipher - Julius Caesar is famous for several things, one of which is the creation of
a substitution cipher that is incredibly easy to crack: he wrote down the Latin alphabet on one
line, then wrote it again on a second line, offset by three characters, which was used as an
encrypting/decrypting tool. The two lines below show what this would look like in English:
abcdefghijklmnopqrstuvwxyz
defghijklmnopqrstuvwxyzabc
The text surveys several cipher methods. You should know some of the concepts in this section:
Substitution Cipher - like the Caesar cipher above, it may use one letter to represent another, or
it may use a series of such ciphers like the Vigenčre Square shown on page 357. To use that
cipher, you need to know the pattern to follow, which could be changed from one message to
another. The cryptogram example on page 355 uses one simple cipher, that is not an offset. It is
a tad harder to crack because it contains an error. If you want to crack it, in the first line, third
word, change the second ciphertext character to Y instead of X. The X in the book must be a
typo.
Transposition Cipher - the text shows us several words whose letters have been rearranged,
which is the basic concept. A more advanced concept is described: instead of mixing up the
letters, we can follow a pattern that mixes up the bits in each character.
Hashing - A hash function takes a plaintext block of any size and converts it to an encrypted
block of a specific size. This is often done with passwords and PINs. The idea is to use the same
hash function each time a user enters a password, and to compare the hash to a stored version
of the hashed password, which is the only version of the password that is saved on the system.
This method makes sure that anyone reading the file that holds the hash versions cannot know
what the actual passwords are. Hash algorithms work only one way: you can't use the hash
algorithm to decrypt the hash output. You can only compare to see if the hash of the user's
input matches the saved hash. The text explains that an experienced hacker could use rainbow
tables to compare to a captured hash. A rainbow table holds the hash values of known words
and numbers. If the hacker finds a match, the password is no longer secret.
Unlike hashes, cryptographic algorithms are typically meant to be used for encryption and decryption.
The methods in this group use the same key to encrypt and to decrypt, which is why they are
called symmetric. They are also called private key algorithms because the key must remain private to
the users of the system or there is no security. Consider the Enigma machine from chapter 1. Once the
encryption and decryption methods are available to your enemy, the code is worthless. (This seems like
an obvious point, but we will consider another system where it is not true.)
Stream ciphers encrypt one character at a time (from the flowing stream of data). Block ciphers divide
the message into blocks of a specific size, then encrypt each block as a unit. Many variations exist on
the methods discussed. The text lists three symmetric algorithms to be aware of:
It should be obvious that asymmetric (not symmetric) algorithms will use different keys. This method is
also called public key cryptography. This name does not describe the method well. A person must have
two keys in this system, a public key and a private key. They are created as a pair, so that whatever
is encrypted with one must be decrypted with the other. The owner of the keys gives the public key
to anyone who wants it, but keeps the private key safe from anyone else.
This is how SSL encryption on a web site works. I connect to a vendor's web site. I obtain the vendor's
public key when I make the secure connection. My browser encrypts my credit card data with the
vendor's public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the
vendor is the only one who can decrypt the data sent through the public key. In this way, a key is made
available to anyone who wants it, but using it makes the data unintelligible to everyone who does not
have the private key.
Of course, this falls apart if I did not get the vendor's key, or if I got a key from someone who hijacked
my connection to the vendor's web site.
The text only discusses one asymmetric algorithm. You should be aware of these three for most
certification tests:
Encryption algorithms are mathematical. Keys may be the numbers that are used to start the
calculations in the algorithms. The larger the keys are, the better the protection your message will have.
Think of the algorithm as the series of steps in the encryption, and the keys as tools that are used in
particular steps.
The Public Key Infrastructure is a system that includes several parts that have evolved to make the
system work. It addresses the concern above about actually getting the right key from the selected
vendor.
In the introduction to this section, the text lists five kinds of security that cryptography might provide,
and notes that not all kinds of cryptography provide all five features. PKI typically addresses all of them.
This leads us to an industry that supports verified identities by the use of digital certificates. There are
companies whose business is to create key pairs and to provide the appropriate keys to vendors and
their customers. Verisign and Entrust are examples.
certificate authority (CA) - an agency that issues digital certificates; the CA may create key pairs
for users or accept them from users who create them; the CA is responsible for verifying the
identity of the key owner; organizations with the proper software can act as their own internal
CA
registration authority (RA) - an entity that takes on some of the tasks of a CA and operates on
their behalf; think of them like a subcontractor
certificate revocation list (CRL) - a list of certificates that are no longer valid for various reasons
certificate repository (CR), certificate directory (CD) - a public directory of valid certificates; may
contain invalid certificates as well or may link to a CRL
S/MIME - may be used by mail applications or applications that use secure forms; it stands for
Secure Multipurpose Internet Mail Extension
SSL - Secure Sockets Layer certificates are used for transactions on the world wide web
The text moves on to discuss another type of digital certificates, a digital signature. It mentions that this
kind of certificate supports nonrepudiation.
On page 378, the text mentions Pretty Good Privacy (PGP) as a popular certificate creation tool. This is a
tool you have to purchase. An Open Source version is called GPG, Gnu Privacy Guard.
Everyone who uses PGP will have a public key that is freely available, a private key that remains secure,
and everyone can generate new keys as needed.
1. When I want to send a message to you, I generate a new symmetric key for that message.
2. I encrypt the message with the symmetric key.
3. I encrypt the symmetric key with your public key. (Which I got from your CA).
4. I send the encrypted message and the encrypted key to you.
5. You are the only person who can decrypt the encrypted key, by using your private key.
6. You then use the decrypted symmetric key to decrypt the message.
In this way, PGP (and GPG) can use both symmetric and asymmetric keys.
On page 380, the text has a pretty good explanation of steganography, hiding a message in an image.
The short form is that an image typically has three bytes (RGB) of color information for each pixel in it. It
is unlikely that anyone just looking at an image could tell the difference between pixels that are true to
color and those that have had each of their least significant color bits changed as needed to
hide/provide data. If you change one bit per color, you can hide one byte every three pixels.
Imagine that the table below represents a series of pixels. I have used cells in a table to make the idea
more visual. I have put a reference color in the first cell: hex code 58C314 stands for 111, because I
chose that color as the key. I have modified the color in each of the other cells in the second row to
indicate three bits. The bits are indicated by the color's deviation from the key color.
The binary code for that sequence, which would have taken 15 pixels, is:
The text considers some methods that make the things we do safer.
We have already seen that Secure Sockets Layer (SSL) should be used to conduct encrypted
transactions over the web. When you are using SSL, you are using HTTPS instead of HTTP
S-HTTP is not the same as HTTPS. S-HTTP is another version of HTTP that supports transferring
files with encryption, digital certificates, or both. This article on Wikipedia discusses the
differences between HTTPS and S-HTTP.
We have discussed using S/MIME to encrypt email. The text also mentions using Privacy
Enhanced Mail (PEM) and PGP (discussed above).
The text turns to wireless networks for a moment, and mentions two widely used
standards, WEP and WPA. You should know that WEP is no longer considered secure and should not be
used. Note the comparison of WEP and WPA on page 385. When you set up a wireless access point,
WEP is still offered as an encryption choice. Don't use it. Use WPA2 instead, unless you have to provide
access to devices that do not speak it.
Reference:
1. https://stevevincent.info/CSS111_2014_4.htm
2. https://stevevincent.info/CSS111_2014_5.htm
1. ___________- a message that has not been encrypted or has been decrypted
2. ___________- to change an ordinary message with a code or cipher system so that the message
is unreadable
3. ___________- to change and encrypted message to plaintext
4. ___________- the difference between a cipher and a code is that a cipher uses one symbol to
stand for another, while a code can use a symbol to stand for several symbols or words
5. ___________-that is incredibly easy to crack: he wrote down the Latin alphabet on one line,
then wrote it again on a second line, offset by three characters, which was used as an
encrypting/decrypting tool.
SELF-CHECK ANSWER KEY MD-10.1.1
1. PLAINTEXT, CLEARTEXT
2. ENCRYPT, ENCIPHER
3. DECRYPT, DECIPHER
4. CIPHER OR CODE
5. SUBSTITUTION CIPHER