Week 4 & 5 Cryptography

Cryptography

Uploaded by david.kaje

Week 4 & 5: Cryptography

1. Basic Cryptographic Concepts: PGP, S/MIME, and SET

Cryptography is the science of protecting information by transforming it into an unreadable
format, ensuring that it can only be decoded and accessed by authorized parties. Cryptographic
methods are fundamental to computer security, safeguarding data privacy, authenticity, and
integrity.

1.1 Pretty Good Privacy (PGP)

• Overview of PGP:
o PGP is an encryption program that provides cryptographic privacy and
authentication for data communication. It is widely used for securing email
communications, file storage, and other data transfers.
o Developed by Phil Zimmermann in 1991, PGP uses both symmetric (private
key) and asymmetric (public key) encryption methods. It combines these to
provide confidentiality, authentication, and data integrity.
• How PGP Works:
o Symmetric Encryption: PGP encrypts the message using a symmetric
encryption algorithm (e.g., AES). The message is encrypted with a secret key,
which is fast and efficient.
o Asymmetric Encryption: After encrypting the message with a symmetric key,
the symmetric key itself is then encrypted with the recipient's public key using
asymmetric encryption (e.g., RSA). This ensures that only the recipient can
decrypt the symmetric key with their private key.
o The recipient can then use the symmetric key to decrypt the actual message
content.
• PGP's Key Features:
o Public Key Infrastructure (PKI): Users have public and private key pairs.
Public keys are shared openly, while private keys are kept secret.
o Message Integrity and Digital Signatures: PGP allows users to digitally sign
messages with their private key, ensuring the authenticity of the message and
proving that it hasn’t been altered during transit.
o Web of Trust: Unlike centralized systems like SSL certificates, PGP uses a
decentralized approach where users verify each other's public keys, forming a
“web of trust.”
• Advantages:
o Strong encryption and widely used for securing email and files.
o Provides both confidentiality and message integrity.
o Highly flexible and can be used with various email clients and systems.
• Disadvantages:
o PGP can be complex for users to understand and implement effectively.
o Key management can be cumbersome for individuals with many keys.
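
The flow under "How PGP Works" and the signature feature, as an added example that is not part of the original notes. It assumes the third-party Python `cryptography` package, with RSA-OAEP, RSA-PSS and AES-GCM chosen here as the concrete algorithms; the helper names are hypothetical and the output is not the OpenPGP message format.

```python
# Added illustration (not from the original notes): sign, then hybrid-encrypt.
# Needs the third-party "cryptography" package; this is not the OpenPGP format.
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Hypothetical helper: a 2048-bit RSA private key (public half inside)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(message, sender_private, recipient_public):
    """Sign with the sender's private key, encrypt signature+message under a
    one-time AES key, and wrap that key with the recipient's public key."""
    signature = sender_private.sign(message, PSS, hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # must never repeat under the same session key
    ciphertext = AESGCM(session_key).encrypt(nonce, signature + message, None)
    return {"wrapped_key": recipient_public.encrypt(session_key, OAEP),
            "nonce": nonce, "ciphertext": ciphertext}


def open_sealed(packet, recipient_private, sender_public):
    """Unwrap the session key, decrypt, then verify the sender's signature."""
    session_key = recipient_private.decrypt(packet["wrapped_key"], OAEP)
    # AES-GCM raises InvalidTag if the ciphertext was altered in transit.
    plain = AESGCM(session_key).decrypt(packet["nonce"], packet["ciphertext"], None)
    sig_len = sender_public.key_size // 8  # an RSA signature is modulus-sized
    signature, message = plain[:sig_len], plain[sig_len:]
    # verify() raises InvalidSignature if sender_public did not sign message.
    sender_public.verify(signature, message, PSS, hashes.SHA256())
    return message


def can_open(packet, recipient_private, sender_public):
    """True only if decryption and signature verification both succeed."""
    try:
        open_sealed(packet, recipient_private, sender_public)
        return True
    except (InvalidSignature, InvalidTag, ValueError):
        return False
```

Only the short session key goes through RSA; the message itself is handled by the fast symmetric cipher, which is the reason for combining the two.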

1.2 Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Overview of S/MIME:
o S/MIME is a protocol for securing email communications. It is an enhancement
to the MIME (Multipurpose Internet Mail Extensions) standard, which allows
email attachments like images and audio files.
o S/MIME provides cryptographic services such as encryption, digital
signatures, and message integrity, ensuring that emails are secure and
trustworthy.
• How S/MIME Works:
o S/MIME uses asymmetric encryption (public and private key pairs) to encrypt
email content and digital signatures for authentication. The sender encrypts the
email content using the recipient's public key, and the recipient can decrypt it
using their private key.
o The sender can also digitally sign the email using their private key, and the
recipient can verify the authenticity of the sender's identity by using the sender’s
public key.
• S/MIME Key Features:
o Digital Signatures: S/MIME guarantees that the email message has not been
altered and confirms the identity of the sender.
o End-to-End Encryption: Provides confidentiality by encrypting the email
contents, ensuring that only the recipient can decrypt and read the message.
o Certificate Authorities (CAs): S/MIME certificates are issued by trusted third-
party CAs, which help validate the authenticity of the sender’s public key.
• Advantages:
o Provides a high level of security for email communications.
o Supported by many major email clients (e.g., Microsoft Outlook, Apple Mail).
• Disadvantages:
o Requires infrastructure support and certificates from trusted CAs.
o Managing and maintaining certificates can be complex.

1.3 Secure Electronic Transactions (SET)

• Overview of SET:
o SET is a cryptographic protocol designed to secure online payment
transactions, primarily used for credit card transactions over the internet. It was
developed by Visa and MasterCard in the late 1990s as a way to combat fraud
in online payments.
o SET was aimed at providing a secure method for transmitting payment
information, including credit card details, between buyers, merchants, and
financial institutions.
• How SET Works:
o SET uses public key cryptography to ensure the confidentiality and integrity
of payment transactions. It involves several steps:
▪ Encryption of Payment Information: The buyer's credit card
information is encrypted using the merchant’s public key to ensure that
only the merchant can decrypt and view the information.
▪ Digital Signatures: Both the buyer and merchant sign their messages
digitally to prove the authenticity of the transaction.
▪ Secure Payment Processing: A trusted third party (usually a bank or
financial institution) verifies that the transaction and the payment
are legitimate.
• Key Features of SET:
o Confidentiality: Protects sensitive information, such as credit card details, by
using strong encryption methods.
o Authentication: Verifies the identity of both the buyer and the merchant to
ensure the legitimacy of the transaction.
o Non-repudiation: Prevents either party from denying the transaction once it
has been completed.
• Advantages:
o Strong security for online credit card transactions.
o Provides confidentiality and authentication, reducing the risk of fraud.
• Disadvantages:
o Complex and difficult to implement, which led to limited adoption.
o SET has been largely replaced by other payment protocols like 3D Secure and
SSL/TLS for securing online transactions.

2. Cryptography in Authentication and Privacy

Cryptography plays a pivotal role in both authentication (verifying the identity of users and
systems) and privacy (ensuring that data remains confidential and is not exposed to
unauthorized parties). The integration of cryptographic techniques into authentication systems
and privacy mechanisms ensures secure communication and safe data exchanges.

2.1 Cryptography in Authentication

Authentication is the process of verifying the identity of a user, device, or system before
granting access to resources. Cryptographic techniques such as digital signatures, hash
functions, and public key infrastructure (PKI) are used extensively in authentication
systems.

• Digital Signatures for Authentication:
o A digital signature is a cryptographic technique that verifies the authenticity
of a message or document. It uses the sender’s private key to sign the message,
and the recipient can verify the signature using the sender’s public key. Digital
signatures provide proof that the message has not been altered and that it
originated from the sender.
o Use Cases: Digital signatures are commonly used in email systems, software
distribution, legal documents, and secure online transactions.
• Public Key Infrastructure (PKI):
o PKI is an integrated framework for managing digital keys and certificates. PKI
enables secure authentication, email encryption, and digital signatures through
the use of public-private key pairs.
o PKI includes components such as certificate authorities (CAs) that issue
digital certificates, which bind a public key to an individual’s identity.
o Use Cases: PKI is used for secure email (e.g., S/MIME), VPN access, and
SSL/TLS encryption.
• Hash Functions in Authentication:
o Hash functions take an input (e.g., a password or file) and generate a fixed-
length string of characters (a hash) that represents the input data. Hash functions
are used in authentication to store password hashes instead of plain-text
passwords.
o When a user enters their password, the system hashes it and compares it to the
stored hash to authenticate the user. Hash functions are designed to be one-way,
meaning they cannot be reversed to obtain the original input.

2.2 Cryptography in Privacy

Privacy involves ensuring that sensitive data is protected and only accessible to authorized
parties. Cryptography helps preserve privacy by encrypting data and ensuring that unauthorized
individuals cannot read or tamper with it.

• Encryption for Data Privacy:
o Encryption transforms data into an unreadable format that can only be
decrypted with the correct key. Encryption can be applied to data at rest (e.g.,
files stored on a hard drive) or data in transit (e.g., data sent over the internet).
o Symmetric encryption (e.g., AES) and asymmetric encryption (e.g., RSA)
are both used to ensure that sensitive data, such as personal information,
financial transactions, and communication, remains private.
• End-to-End Encryption (E2EE):
o E2EE ensures that data is encrypted on the sender’s device and can only be
decrypted by the intended recipient, preventing third parties from intercepting
or tampering with the data during transmission.
o Use Cases: E2EE is widely used in messaging applications (e.g., WhatsApp,
Signal) to protect user privacy and ensure that messages are readable only by
the sender and recipient.
• Privacy-Enhancing Cryptography:
o Zero-Knowledge Proofs (ZKPs) are a cryptographic method that allows one
party to prove to another party that a statement is true without revealing any
additional information. ZKPs are increasingly being used in privacy-focused
technologies like blockchain to ensure user privacy while maintaining the
integrity of transactions.
• Privacy in Digital Payments:
o Cryptography also plays a crucial role in securing digital payments, ensuring
that payment data is encrypted during transmission. Technologies like
tokenization (replacing sensitive data with randomly generated tokens) are
used to protect payment card information.

Conclusion

Cryptography is an essential component of modern computer security, ensuring the
confidentiality, integrity, and authenticity of data and communications. Key cryptographic
systems like PGP, S/MIME, and SET have provided powerful tools for securing email, online
transactions, and data communication. Moreover, cryptographic techniques play a fundamental
role in both authentication and privacy, ensuring that only authorized users can access
sensitive resources and that communication remains secure from unauthorized interception. As
cyber threats continue to evolve, the role of cryptography in safeguarding privacy and securing
digital interactions will be more important than ever.
