ITIS 412: Information Security

Chapter 5: Basic Cryptography

Objectives
 Define cryptography
 Describe hash, symmetric, and asymmetric cryptographic
algorithms
 List the various ways in which cryptography is used

ITIS 412
Defining Cryptography
 Cryptography – Science of transforming information
into secure form so that unauthorized persons cannot
access it
 Steganography - Hides existence of data:
 Image, audio, or video files containing hidden message
embedded in the file
 Achieved by dividing data and hiding it in unused portions
of the file

ITIS 412
Data Hidden By Steganography

ITIS 412
Origins of Cryptography
 Origins of cryptography dates back centuries to time of
Julius Caesar
 Encryption - Changing original text into secret message
using cryptography
 Decryption - Changing secret message back to original
form
 Cleartext - Data in unencrypted form
 Plaintext – Cleartext data to be encrypted (and is result of
decryption)

ITIS 412
Cryptography Terminology
 Algorithm - Procedures based on mathematical
formula used to encrypt and decrypt data
 Key - Mathematical value entered into cryptographic
algorithm to produce encrypted data
 Ciphertext - Data that has been encrypted

ITIS 412
Cryptographic Process

ITIS 412
Cryptography and Security
 Cryptography can provide five basic information
protections:
 Confidentiality - Insures only authorized parties can
view it
 Integrity - Insures information is correct and unaltered
 Availability - Authorized users can access it
 Authentication – Verify sender
 Nonrepudiation - Proves that a user performed an action

ITIS 412
Information Protections By Cryptography

ITIS 412
Data Processed
 One of fundamental differences in cryptographic
algorithms is amount of data that is processed at a
time:
 Stream cipher - Takes one character and replaces it with one
character
 Block cipher - Manipulates entire block of plaintext at one
time
 Sponge function - Takes as input a string of any length, and
returns a string of any requested variable length

ITIS 412
Cryptographic Algorithms
 Three categories of cryptographic algorithms:
 Hash algorithms
 Symmetric encryption algorithms
 Asymmetric encryption algorithms

ITIS 412
Hash Algorithms
 Hash - Algorithm that creates a unique digital
fingerprint of data
 Process called hashing
 Fingerprint called digest (sometimes message digest
or simply hash)
 Contents cannot be used to reveal original data set
(“one-way”)
 Primarily used for comparison purposes

ITIS 412
Example of Hashing
 Example of hashing concept:
 12 * 34 = 408
 If user asked to determine the two numbers used to
create the number 408, it would not be possible to
“work backward” and derive the original numbers with
absolute certainty because there are too many
mathematical possibilities
 204+204, 407+1, 999‒591, 361+47, etc.
 Hashing is similar: used to create a value, but it is not
possible to determine the original set of data

ITIS 412
Secure Hash Algorithms
 Secure hashing algorithm characteristics:
 Fixed size - Short and long data sets have the same size
hash
 Unique - Two different data sets cannot produce the
same hash
 Original - Dataset cannot be created to have a
predefined hash
 Secure - Resulting hash cannot be reversed to determine
original plaintext

ITIS 412
Hashed Message Authentication Code
(HMAC)
 Hashing used to determine message integrity (digests
often posted on download sites so user can verify file
integrity after download)
 Hashed Message Authentication Code (HMAC) -
Hash variation providing improved security:
 Uses secret key possessed by sender and receiver
 Receiver uses key to decrypt the hash

ITIS 412
Information Protections By Hashing
Cryptography

ITIS 412
Verifying File
Integrity With
Digests

ITIS 412
Common Hash Algorithms
 Most common hash algorithms:
 Message Digest
 Secure Hash Algorithm
 Whirlpool
 RIPEMD

ITIS 412
Message Digest
 Message Digest (MD) – One of most common hash
algorithms
 Message Digest 2:
 Takes plaintext of any length and creates 128 bit hash
 Padding added to make short messages 128 bits
 No longer considered secure
 Message Digest 4 - Has flaws and was not widely
accepted

ITIS 412
Message Digest 5
 Message Digest 5:
 Designed to address MD4’s weaknesses
 Message length padded to 512 bits
 Weaknesses in compression function could lead to
collisions
 Some security experts recommend using a more secure
hash algorithm

ITIS 412
Secure Hash Algorithm (SHA)
 Secure Hash Algorithm (SHA):
 Family of hashes
 SHA-0 – Design flaw and withdrawn
 SHA-1 - Developed 1993 and patterned after MD4 and
MD5
 SHA-2 – Six variations and considered secure
 SHA-3 – Different from previous hash algorithms and
approved in 2012

ITIS 412
Whirlpool
 Whirlpool - Recent cryptographic hash
 Adopted by standards organizations
 Creates hash of 512 bits

ITIS 412
RIPEMD
 Race Integrity Primitives Evaluation Message
Digest (RIPEMD):
 Two different and parallel chains of computation
 Results are combined at end of process

ITIS 412
Digests Generated From One-time Hash
Algorithms

ITIS 412
Symmetric Cryptographic Algorithms
 Symmetric cryptographic algorithms - Uses same
single key to encrypt and decrypt document
 Unlike hashing, symmetric algorithms are designed to
encrypt and decrypt the ciphertext
 Data encrypted with a symmetric cryptographic algorithm
will be decrypted when received
 Essential that the key be kept private (confidential)
 Symmetric encryption is also called private key
cryptography

ITIS 412
Symmetric
(Private Key)
Cryptography
ITIS 412
Information Protections By Symmetric
Cryptography

ITIS 412
Data Encryption Standard (DES)
 Data Encryption Standard (DES) - One of first widely
popular symmetric cryptography algorithms
 Predecessor of DES was product originally designed early
1970s by IBM called Lucifer that had key length 128 bits
 Key was later shortened to 56 bits and renamed DES
 Four modes of DES encryption exist
 No longer considered secure

ITIS 412
Triple Data Encryption Standard (3DES)
 Triple Data Encryption Standard (3DES) - Designed to
replace DES
 3DES uses three rounds of encryption instead of just one
 Most secure versions of 3DES use different keys for each
round
 Performs better in hardware than as software

ITIS 412
3DES

ITIS 412
Advanced Encryption Standard (AES)
 Advanced Encryption Standard (AES) - Symmetric
cipher approved as replacement for DES
 AES performs three steps on every block (128 bits) of
plaintext
 To date, no attacks have been successful against AES

ITIS 412
Other Symmetric Encryption Algorithms
 RC4 - Stream cipher that accepts keys up to 128 bits
in length
 International Data Encryption Algorithm (IDEA) -
Block cipher that processes 64 bits with a 128-bit key
with 8 rounds
 Blowfish - Block cipher algorithm that operates on
64-bit blocks and can have a key length from 32 to
448 bits
 Twofish - Derivation of Blowfish considered to be a
strong algorithm, although has not been used as
widely as Blowfish
ITIS 412
One-Time Pad (OTP)
 One-time pad (OTP) - Combines plaintext with random
key
 Only known method to perform encryption that cannot be
broken mathematically
 Does not require the use of computer

ITIS 412
OTP Example
Plaintext Position in Pad Position in Calculation Ciphertext
Alphabet Alphabet
S 19 C 3 19+3-1=21 U
E 5 B 2 5+2-1=6 F
C 3 Y 25 3+25-1=1 A
R 18 F 6 18+6-1=23 W
E 5 E 5 5+5-1=9 I
T 20 A 1 20+1-1=20 T

A B C D E F G H I J K L M
1 2 3 4 5 6 7 8 9 10 11 12 13

N O P Q R S T U V W X Y Z
14 15 16 17 18 19 20 21 22 23 24 25 26

ITIS 412
Asymmetric Cryptographic Algorithms
 Weakness of symmetric algorithms: distributing and
maintaining a secure single key among multiple users
distributed geographically
 Asymmetric cryptographic algorithms (public key
cryptography) - Uses two keys instead of only one
 Keys are mathematically related:
 Public key - Known to everyone and can be freely
distributed
 Private key - Known only to the individual to whom it
belongs

ITIS 412
 Asymmetric
(Public Key)
Cryptography

ITIS 412
Asymmetric Cryptographic Algorithm
Principles
 Important principles
 Key pairs – Requires pair of keys
 Public key – Do not need to be protected
 Private key – Must be kept confidential
 Both directions - Document encrypted with public key
can be decrypted with corresponding private key (and
document encrypted with private key can be decrypted
with public key)

ITIS 412
Digital Signature
 Digital signature - Electronic verification of the
sender:
 Prevents sender from disowning the message
 Proves message integrity

ITIS 412
Digital Signature
ITIS 412
ITIS 412
Information Protections By Asymmetric
Cryptography

ITIS 412
RSA
 RSA - Published in 1977 and patented by MIT in
1983
 Most common asymmetric cryptography algorithm
 Uses two large prime numbers

ITIS 412
Elliptic Curve Cryptography (ECC)
 Elliptic curve cryptography (ECC) - Users share one
elliptic curve and one point on curve
 Considered as an alternative for prime-number-based
asymmetric cryptography for mobile and wireless devices
 Because mobile devices are limited in terms of computing
power due to their smaller size, ECC offers security that is
comparable to other asymmetric cryptography but with
smaller key sizes
 Can result in faster computations and lower power
consumption

ITIS 412
Elliptic Curve Cryptography (ECC)

ITIS 412
NTRUEncypt
 NTRUEncypt:
 Uses lattice-based cryptography
 Relies on a set of points in space
 Faster than RSA and ECC
 More resistant to quantum computing attacks

ITIS 412
Lattice-Based Cryptography

ITIS 412
Quantum Cryptography
 Quantum cryptography - Exploits properties of
microscopic objects such as photons
 Does not depend on difficult mathematical problems

ITIS 412
Key Exchange
 Key exchange - Problem of sending and receiving keys
 Out-of-band - Make the exchange outside of normal
communication channels
 In-band - Key exchange that occurs within normal
communications channel

ITIS 412
In-Band Key Exchange: DH and DHE
 Diffie-Hellman (DH) - Requires Alice and Bob to
each agree upon a large prime number and related
integer; two numbers can be made public, yet Alice
and Bob, through mathematical computations and
exchanges of intermediate values, can separately
create the same key
 Diffie-Hellman Ephemeral (DHE) - Uses different
keys (Ephemeral keys are temporary keys that are
used only once and then discarded)

ITIS 412
In-Band Key Exchange: ECDH and Perfect
Forward Secrecy
 Elliptic Curve Diffie–Hellman (ECDH) - Uses
elliptic curve cryptography instead of prime numbers
in its computation
 Perfect forward secrecy - Public key systems that
generate random public keys that are different for
each session; value of perfect forward secrecy is that
if the secret key is compromised, it cannot reveal the
contents of more than one message

ITIS 412
Using Cryptography
 Cryptography:
 Should be used to secure data that needs to be protected
 Can be applied through either software or hardware

ITIS 412
Encryption Through Software
 File and file system cryptography - Encryption
software can be applied to one or many files
 Protecting groups of files based on operating system’s
file system
 Pretty Good Privacy (PGP):
 Widely used asymmetric cryptography system
 Used for files and e-mails on Windows systems
 GNU Privacy Guard (GPG) - Runs on Windows,
UNIX, and Linux

ITIS 412
Microsoft Windows Encrypting File System
(EFS)
 Microsoft Windows Encrypting File System (EFS):
 Cryptography system for Windows
 Uses NTFS file system
 Tightly integrated with the file system
 Encryption and decryption transparent to the user
 Users can set encryption attribute for a file in the
Advanced Attributes dialog box

ITIS 412
Whole Disk Encryption
 Whole disk encryption:
 Protects all data on a hard drive
 Example: BitLocker drive encryption software

ITIS 412
Hardware Encryption
 Software encryption can be subject to attacks to
exploit its vulnerabilities
 Cryptography can be embedded in hardware to
provide higher degree of security
 Can be applied to USB devices and standard hard
drives

ITIS 412
Hardware Encryption: USB Drives
 USB device encryption - Encrypted hardware-based
flash drives
 Will not connect a computer until correct password has
been provided
 All data copied to the drive is automatically encrypted
 Tamper-resistant external cases
 Administrators can remotely control and track activity
on the devices
 Stolen drives can be remotely disabled

ITIS 412
Hardware Encryption: HDD
 Hard disk drive encryption
 Self-encrypting hard disk drives protect all files stored
on them
 Drive and host device perform authentication process
during initial power up
 If authentication fails, drive can be configured to deny
access or even delete encryption keys so all data is
permanently unreadable

ITIS 412
Hardware Encryption: TPM
 Trusted Platform Module (TPM)
 Chip on computer’s motherboard that provides
cryptographic services
 Includes a true random number generator
 Entirely done in hardware so cannot be subject to
software attack
 Prevents computer from booting if files or data have
been altered
 Prompts for password if hard drive moved to a new
computer

ITIS 412
Hardware Encryption: HSM
 Hardware Security Module (HSM)
 Secure cryptographic processor
 Includes onboard key generator and key storage facility
 Performs accelerated symmetric and asymmetric
encryption
 Can provide services to multiple devices over a LAN

ITIS 412