Hashing Digital Signature

Uploaded by

my5911319

Asymmetric Encryption
Weaknesses
• Efficiency is lower than Symmetric Algorithms
– A 1024-bit asymmetric key is equivalent to a 128-bit symmetric key
• Potential for man-in-the-middle attack
• It is problematic to get the key pair generated for the encryption
Asymmetric Encryption
Man-in-the-middle Attack
• Hacker could generate a key pair, give the public key away and tell everybody that it belongs to somebody else. Now, everyone believing it will use this key for encryption, resulting in the hacker being able to read the messages. If he encrypts the messages again with the public key of the real recipient, he will not be recognized easily.
[Figure: man-in-the-middle diagram with Bob, Trudeau (middle-man, attacker) and David, showing messages encrypted with Bob's, Trudeau's and David's public keys]
How it works
• Let's say Alice wants to send Bob a confidential message:
• Alice requests Bob’s public key to encrypt the message.
• Eve intercepts this request and sends her own public key
to Alice, pretending it’s Bob’s.
• Alice encrypts the message with Eve’s public key and
sends it back.
• Eve decrypts the message, reads it, and then re-encrypts
it using Bob’s actual public key.
• Bob receives the message and decrypts it, completely
unaware that Eve has read the contents.
Session Key Encryption Process
• The hybrid session key encryption process combines these two methods, symmetric and asymmetric, to ensure both efficiency and security.
Here’s how it works step-by-step:
• Generate a session key for symmetric encryption (e.g., an AES key)
• Encrypt the data using the session key
• Encrypt the session key using asymmetric encryption
• Send the encrypted data and the encrypted session key
• Decrypt the session key using the private key
Why Use Session Key Encryption?
• The session key approach is preferred because
it balances security and efficiency:
• Symmetric Encryption is extremely fast and
well-suited for encrypting large amounts of
data (like files or entire messages).
• Asymmetric Encryption provides robust
security for the session key but is
computationally expensive, so it’s only used to
encrypt the session key, not the data itself
Pretty Good Privacy (PGP)
• Definition:
PGP is an encryption program used to secure email communication. It
provides encryption, decryption, digital signatures, and key management
capabilities.
• Key Points:
• Encryption: PGP uses a combination of symmetric and asymmetric
encryption methods to secure data.
– Session Key Encryption: It encrypts data using a symmetric session key (e.g.,
TripleDES). This session key is then encrypted using the recipient’s RSA public key.
– RSA: An asymmetric algorithm used to encrypt the symmetric session key. Only
the recipient’s private RSA key can decrypt this.
– TripleDES: A symmetric encryption algorithm used by PGP for the bulk
encryption of the message.
Pretty Good Privacy (PGP)
• How it Works:
• The message is encrypted using a symmetric key
(fast for large data).
• This symmetric key is then encrypted using the
recipient's public key (RSA).
• The recipient decrypts the symmetric key using their
private key, which is then used to decrypt the
message.
• Use Case: Primarily used for email encryption but
can also secure files and folders.
Secure/Multipurpose Internet Mail Extension (S/MIME)
• Definition:
S/MIME is a standard for public key encryption and signing of MIME
(Multipurpose Internet Mail Extension) data. It secures email
communication and attachments.
• Key Points:
• Encryption: Similar to PGP, S/MIME uses a combination of symmetric
and asymmetric encryption. It supports various encryption algorithms
like RSA.
• Digital Signatures: Allows for digital signatures to authenticate the
sender and ensure message integrity.
• Supported by Major Providers: Backed by companies like Microsoft, RSA
Security, and AOL, ensuring wide compatibility with many email clients.
How it Works:
• A message is encrypted using a symmetric algorithm.
• The symmetric key is encrypted using the recipient’s
public key (usually RSA).
• The recipient uses their private key to decrypt the
symmetric key and then decrypts the message.
• Use Case: Secures email and attachments for
organizations needing high-security standards, and is
widely used in enterprise environments.
Secure Socket Layer (SSL) and Transport Layer Security (TLS)
• Definition:
SSL and TLS are cryptographic protocols designed to provide secure
communication over a network, typically used for securing web
traffic.
• Key Points:
• SSL: Older protocol used to secure TCP/IP traffic, most commonly for
HTTP (HTTPS). It ensures data encryption between client and server.
• TLS: The successor to SSL, offering stronger encryption and security.
It is the modern standard for securing internet communications.
• Uses Asymmetric and Symmetric Encryption: The handshake
process uses asymmetric encryption (RSA, ECDSA) to securely
exchange symmetric keys (AES, 3DES), which then encrypt the data.
How it Works:
• The client (browser) and server exchange public
keys.
• A secure session key is negotiated using these keys.
• The session key is used to encrypt all data sent over
the connection.
• Use Case:
Primarily used for web traffic encryption (HTTPS),
but can also secure other types of internet traffic
such as email (using STARTTLS), FTP, and more.
Key Agreement in Cryptography
• Key agreement is a cryptographic method where
two or more parties establish a shared secret
key over an insecure communication channel.
• This shared key is then used for further
encryption and decryption of messages between
the parties.
• Unlike key exchange (where one party sends a
key to another), both parties in key agreement
contribute to generating the shared key.
Asymmetric Encryption
Key Agreement
• Key agreement is a method to create a secret key by exchanging only public keys.
• Example
– Bob sends Alice his public key
– Alice sends Bob her public key
– Bob uses Alice’s public key and his private key to generate a session key
– Alice uses Bob’s public key and her private key to generate a session key
– Using a key agreement algorithm both will generate the same key
– Bob and Alice do not need to transfer any key
[Figure: Bob combines Alice’s public key with his private key, and Alice combines Bob’s public key with her private key; Alice and Bob generate the same session key, used with a cipher (DES)]
Asymmetric Encryption
Key Agreement (cont.)
• Diffie-Hellman is the first key agreement algorithm
– Invented by Whitfield Diffie & Martin Hellman
– Provided ability for messages to be exchanged securely without having to have shared some secret information previously
– Inception of public key cryptography which allowed keys to be exchanged in the open
• No exchange of secret keys
– Man-in-the-middle attack avoided
Asymmetric Encryption
Key Diffie-Hellman Mathematical Analysis
[Figure: Diffie-Hellman exchange between Bob and Alice]
• Bob & Alice agree on non-secret prime $p$ and value $a$
• Bob generates secret random number $x$; Alice generates secret random number $y$
• Bob computes public key $a^x \bmod p$; Alice computes public key $a^y \bmod p$
• Bob & Alice exchange public keys
• Bob computes session key $(a^y)^x \bmod p$; Alice computes session key $(a^x)^y \bmod p$
• Identical Secret Key
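The exchange above carried through in code, as an added example that is not part of the original slides. The toy prime, the base 3, the range check on the peer's value and the SHA-256 step that turns the shared number into a key are assumptions of this sketch; the names x, y, a and p follow the slide.

```python
import hashlib
import secrets

# Toy parameters (assumption): 2**127 - 1 is prime but far too small for real
# use; deployments use standardized groups of 2048 bits or more.
P = 2**127 - 1
A = 3  # the non-secret value "a" from the slide

def keypair():
    """Pick a secret exponent and compute the public key a^secret mod p."""
    secret = secrets.randbelow(P - 3) + 2       # 2 <= secret <= P - 2
    return secret, pow(A, secret, P)

def check_public(value):
    """Reject degenerate peer values (0, 1, p-1) that make the result predictable."""
    if not 2 <= value <= P - 2:
        raise ValueError("invalid public value")
    return value

def session_key(my_secret, peer_public):
    """Compute (peer_public)^my_secret mod p and hash it into a 256-bit key."""
    shared = pow(check_public(peer_public), my_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def demo():
    x, bob_public = keypair()        # Bob: secret x, public a^x mod p
    y, alice_public = keypair()      # Alice: secret y, public a^y mod p
    # Only bob_public and alice_public cross the wire.
    bob_key = session_key(x, alice_public)      # (a^y)^x mod p
    alice_key = session_key(y, bob_public)      # (a^x)^y mod p
    return bob_key, alice_key

if __name__ == "__main__":
    bob_key, alice_key = demo()
    print("identical secret key:", bob_key == alice_key)
```

The public values in this sketch carry no proof of who sent them; binding a public key to an identity is the job of the digital certificates covered later in this deck.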


Authentication
Basics
• Authentication is the process of validating the identity of a user or the integrity of a piece of data.
• There are three technologies that provide authentication
– Message Digests / Message Authentication Codes
– Digital Signatures
– Public Key Infrastructure
• There are two types of user
authentication:
– Identity presented by a remote or
application participating in a session
Hashing
• Hashing is a process that transforms any data
into a fixed-size string (hash).
• Purpose: In cryptography, it is used for data
verification, authentication, and integrity
checking.
• Key Feature: The hash is unique for each
input, ensuring the data has not been altered.
Cryptographic Hash Function
Hash Functions & Message Authentication
[Figure: symmetric key and keyed hash; panels a) message unencrypted, d) message encrypted]
Hash Functions & Digital
Signatures - PKCS
Example: Password Verification Using Hashing
• User Creates a Password:
“mysecurepassword”
• System Stores Hashed Password:
Stored Hash:
c00f58a4f1de9c60acb8a2b1ac91be5de01ddf1df040272f9289534a0d6e799e
• User Logs In:
– Password is hashed again.
• Password Verification:
– If the new hash matches the stored hash, access is
granted.
Applications of Hashing Techniques

• Password Storage:
– Secures user credentials using salted hashes.
• Data Integrity:
– Ensures data is not altered during transmission.
• Digital Signatures:
– Verifies the authenticity and integrity of digital
documents.
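The password verification flow and the "salted hashes" point above, as an added example that is not part of the original slides. It goes beyond the single hash shown on the slide by using a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256); the iteration count and function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: work factor chosen for this example

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored):
    """Hash the login attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def same_password_two_users(password="mysecurepassword"):
    """Show what the salt buys: two users who pick the same password."""
    unsalted = [hashlib.sha256(password.encode()).hexdigest() for _ in range(2)]
    salted = [hash_password(password)[1] for _ in range(2)]
    # Unsalted digests are identical, so one cracked entry exposes both users;
    # salted digests differ even though the password is the same.
    return unsalted[0] == unsalted[1], salted[0] == salted[1]

if __name__ == "__main__":
    salt, stored = hash_password("mysecurepassword")       # user creates password
    print(verify_password("mysecurepassword", salt, stored))  # user logs in
    print(verify_password("wrong-guess", salt, stored))
    print(same_password_two_users())
```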
Authentication
Message Digests
• A message digest is a fingerprint for a document
• The purpose of the message digest is to provide proof that data has not been altered
• The process of generating a message digest from data is called hashing
• Hash functions are one-way functions with the following properties
– Infeasible to reverse the function
– Infeasible to construct two messages which hash to the same digest
• Commonly used hash algorithms are
– MD5 – 128 bit hashing algorithm by Ron Rivest of RSA
– SHA & SHA-1 – 162 bit hashing algorithm developed by NIST
[Figure: Message → Message Digest Algorithm → Digest]
Message Authentication Codes
Basics
• A message digest created with a key
• Creates security by requiring a secret key to be possessed by both parties in order to retrieve the message
[Figure: Message and Secret Key → Message Digest Algorithm → Digest]
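The difference between a plain message digest and a keyed one, as an added example that is not part of the original slides. HMAC-SHA256 is used as the keyed digest (an assumption; the slides name no specific MAC), and the key and messages are constructed sample values.

```python
import hashlib
import hmac

def plain_digest(message):
    """Unkeyed message digest: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()

def mac(key, message):
    """Keyed digest (HMAC): only holders of the secret key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def receiver_accepts_digest(message, digest):
    return hmac.compare_digest(plain_digest(message), digest)

def receiver_accepts_mac(key, message, tag):
    return hmac.compare_digest(mac(key, message), tag)

def tamper_demo():
    key = b"constructed-shared-secret"          # known to sender and receiver only
    original = b"pay 100 to account 1111"       # constructed sample message
    altered = b"pay 900 to account 2222"        # message changed in transit
    # A plain digest travels with the message, so whoever changes the message
    # can also replace the digest with a freshly computed one.
    replaced_digest = plain_digest(altered)
    # Without the key the tag cannot be recomputed; the old tag no longer fits.
    old_tag = mac(key, original)
    return {
        "digest_check_on_altered": receiver_accepts_digest(altered, replaced_digest),
        "mac_check_on_altered": receiver_accepts_mac(key, altered, old_tag),
        "mac_check_on_original": receiver_accepts_mac(key, original, old_tag),
    }

if __name__ == "__main__":
    for check, accepted in tamper_demo().items():
        print(check, accepted)
```

The plain digest only detects accidental changes; the keyed digest is what lets the receiver reject a message altered by someone who does not hold the key.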
Common Cryptographic Hash Functions

• MD5 (Message Digest Algorithm 5):


– Produces a 128-bit hash value.
– Used for basic data integrity checks.
– Weakness: Susceptible to collisions.
• SHA-1 (Secure Hash Algorithm 1):
– Produces a 160-bit hash value.
– Weakness: Vulnerable to cryptographic attacks.
Advanced Hashing Techniques

• SHA-256:
– Part of the SHA-2 family.
– Produces a 256-bit hash.
– Widely used in blockchain and digital signatures.
• SHA-3 (Secure Hash Algorithm 3):
– Designed to be more secure and resistant to
attacks than SHA-2.
– Can generate hash values of different lengths (224,
256, 384, 512 bits).
Comparison of Hashing Techniques

• MD5: Fast but insecure (128-bit).


• SHA-1: More secure than MD5, but vulnerable
(160-bit).
• SHA-256: Secure, commonly used in modern
applications (256-bit).
• SHA-3: Highly secure and resistant to modern
attacks (varies in bit lengths).
Signature
• We use a signature to confirm that we are who we claim to be, i.e. Authentication
• It is also proof that a signing body cannot deny signing the document, i.e. Non-Repudiation
Digital Signature
• Digital signatures are cryptographic mechanisms for ensuring the authenticity, integrity, and non-repudiation of digital data.
• Purpose: A digital equivalent of a handwritten
signature, but more secure due to encryption.
• We Use Asymmetric Cryptography and
Hashing.
How a Digital Signature Works
• Step 1: Hashing the Data:
– Original message/document → Hash function (e.g.,
SHA-256) → Fixed-length hash.
– The hash is unique to the data, ensuring even minor
changes alter the hash.
• Step 2: Signing the Hash:
– Sender encrypts the hash using their private key
(from RSA, ECDSA).
– Creates the digital signature, which is attached to
the message.
Verification Process
• Step 1: Decrypting the Signature:
– Receiver uses the sender's public key to decrypt the
digital signature and retrieve the original hash.
• Step 2: Hash Comparison:
– Receiver hashes the message again using the same
hash function.
– If both hashes match, the data is authentic and
unaltered.
– Confirms the sender’s identity and integrity of the
message.
Properties of Digital Signatures
• Authentication: Verifies the identity of the sender (only the sender’s private key can create the signature).
• Integrity: Ensures that the message has not
been tampered with (hash values would differ
if altered).
• Non-repudiation: The sender cannot deny
sending the message (as it requires their
private key).
Example Algorithms

• RSA (Rivest-Shamir-Adleman):
– Used for both encryption and digital signatures.
• DSA (Digital Signature Algorithm):
– U.S. government standard for digital signatures.
• ECDSA (Elliptic Curve Digital Signature
Algorithm):
– Offers higher security with shorter key lengths, a
variation of DSA.
Alice wants to send her public key to Bob
• Problem: What if, when Alice sends her public key to Bob, Tom acts as a man-in-the-middle and receives the public key?
• Tom stops that public key and then creates his own pair of public and private keys.
• Tom sends his public key to Bob.
• Now Bob has Tom's public key, thinking that it is Alice's public key.
Now Alice wants to send a message to Bob. She encrypts the message using her private key.
Tom plays his role and receives the message, then decrypts it using Alice's public key.
Tom encrypts the message using his private key.
Tom forwards the message, encrypted with his private key, to Bob.
Bob uses Tom's public key to decrypt the message and see the content, thinking that the message came from Alice.
• Now this is a big problem
Digital Certificate
• A digital certificate associates a user identity with a public key.
• When Alice wants to send her public key to Bob, she will send the digital certificate.
A digital certificate is issued by a third-party agency.
Digital Certificate
• A Digital Certificate in cryptography, often
referred to as a public key certificate, is a
digital document used to prove the ownership
of a public key.
• It binds a public key with information about
the key's owner, such as their identity.
• Digital certificates are issued by Certificate
Authorities (CAs), trusted entities that verify
the certificate holder’s identity.
Alice wants to get a digital certificate. She generates a Certificate Signing Request.
The certificate authority issues a certificate.
Digital Certificate
• The information on a digital certificate includes:
– Name
– Public Key
– Name of the Issuer
– Digital Signature of the issuer
– Serial No.
– Expiration date
The digital certificate is forwarded back to Alice.
Alice will communicate through the digital certificate (DC).
Alice sends her digital certificate to Bob.
When Bob wants to verify this certificate, he verifies it through that certificate authority.
Verification
• When the certificate authority receives the certificate issuing request from Alice, it generates a hash of all the information there using one of the hashing algorithms.
• The certificate authority encrypts the hash with its private key.
• Now the encrypted hash will be decrypted using the certificate authority's public key.
Verification
• When Bob receives this digital certificate, he calculates a hash of the information in it.
• Then he gets the public key of the certificate authority and decrypts the hash that was encrypted in the digital certificate.
• If he can decrypt that hash with the certificate authority's public key, then he knows that the hash was signed by the certificate authority mentioned on the digital certificate.
• He compares both hashes.
Components of a Digital Certificate
• Public Key: The public key of the certificate holder.
• Certificate Holder Information: Identifying details about the owner of the public key (e.g., name, organization, email address).
• Issuer Information: Information about the Certificate Authority
that issued the certificate.
• Digital Signature: A signature created by the CA using their private
key to ensure the certificate’s authenticity.
• Validity Period: The dates when the certificate is valid (from
issuance to expiration).
• Serial Number: A unique identifier for the certificate.
• Algorithm Information: The cryptographic algorithm used for the
certificate (e.g., RSA, ECC).
How Digital Certificates Work
• 1. Issuing a Certificate
• The entity (e.g., a website, person, or organization)
generates a public-private key pair.
• The entity sends the public key, along with identity
details, to a CA in a Certificate Signing Request (CSR).
• The CA verifies the identity of the requesting entity.
Depending on the certificate type, this process can
involve varying levels of scrutiny.
• Once verified, the CA issues a digital certificate, signing
it with its private key, i.e. the digital signature of the issuer.
• 2. Verifying a Certificate
• When an entity (e.g., a user’s web browser) receives a certificate, it verifies the certificate using the CA’s public key.
• The browser checks the CA’s signature on the
certificate by decrypting the signature using the
CA’s public key. If the decrypted hash matches the
certificate's data, the certificate is considered valid.
• The browser also checks whether the certificate
has expired, been revoked, or is issued by a trusted
CA.
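The hash-then-sign and verify steps under "How a Digital Signature Works", applied to the CA check described above, as an added example that is not part of the original slides. It uses a toy textbook-RSA key built from two small Mersenne primes to mirror the slides' "encrypt the hash with the private key" model; real certificates use padded signatures, much larger keys and a revocation check, and every name and value here is constructed.

```python
import hashlib
from datetime import date

# Toy CA key (assumption): not secure, for illustration only.
CA_P, CA_Q, E = 2**127 - 1, 2**89 - 1, 65537
CA_N = CA_P * CA_Q                              # CA public key is (CA_N, E)
CA_D = pow(E, -1, (CA_P - 1) * (CA_Q - 1))      # CA private exponent

def cert_hash(cert):
    """Hash every field except the issuer's signature, reduced to fit toy n."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % CA_N

def ca_issue(name, public_key, serial, expires):
    """CA side: hash the certificate fields and sign the hash with CA_D."""
    cert = {"name": name, "public_key": public_key, "issuer": "Example CA",
            "serial": serial, "expires": expires.isoformat()}
    cert["signature"] = pow(cert_hash(cert), CA_D, CA_N)
    return cert

def verify(cert, expected_name, today):
    """Bob's side: recover the signed hash with the CA public key and compare."""
    if pow(cert["signature"], E, CA_N) != cert_hash(cert):
        return "bad signature"
    if date.fromisoformat(cert["expires"]) < today:
        return "expired"
    if cert["name"] != expected_name:
        return "wrong subject"
    return "ok"

def demo():
    today = date(2025, 1, 1)                                  # constructed date
    alice = ca_issue("Alice", "ALICE-PUBLIC-KEY", 1001, date(2026, 1, 1))
    swapped = dict(alice, public_key="TOM-PUBLIC-KEY")        # key replaced in transit
    stale = ca_issue("Alice", "ALICE-PUBLIC-KEY", 1000, date(2024, 1, 1))
    return [verify(alice, "Alice", today), verify(swapped, "Alice", today),
            verify(stale, "Alice", today)]

if __name__ == "__main__":
    print(demo())
```

Replacing the public key inside Alice's certificate changes the hash Bob computes, so it no longer matches the hash the CA signed; this is how the certificate stops the key substitution by Tom described earlier.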
Use Case Example: HTTPS (SSL/TLS)
• When you visit a website using HTTPS, a digital certificate is used to authenticate the website and establish a secure, encrypted connection.
• Client Requests Certificate: Your browser requests the
website’s certificate.
• Website Provides Certificate: The website sends its digital
certificate, containing its public key and identifying
information, to your browser.
• Browser Verifies Certificate:
– The browser checks if the certificate is signed by a trusted CA.
– It validates the CA's signature using the CA’s public key (pre-
installed in the browser).
Use Case Example: HTTPS (SSL/TLS)
• Session Key Exchange: If the certificate is
valid, your browser generates a session key
(for symmetric encryption) and encrypts it
with the website's public key.
• Secure Communication: The website decrypts
the session key with its private key, and both
parties can now communicate securely using
symmetric encryption.
