In this chapter, we will learn about cryptography, various types of cryptography, ciphers, cryptography tools, Public Key Infrastructure (PKI), and digital signature. We will discuss about SSL (Secure Sockets Layer), disk encryption, and disk encryption tools. This chapter focuses on AES, RC4, RC5, RC6 algorithms, RSA, Message Digest Function: MD5, and SHA.

18.1 Understand cryptography, learn various types of cryptography, and understand ciphers

Exam Focus: Understand cryptography, learn various types of cryptography, and understand ciphers. Objective includes:

  • Understand cryptography.
  • Learn various types of cryptography.
  • Understand ciphers.

Cryptography

Cryptography is a technique of encrypting and decrypting messages. When the text is encrypted, it is unreadable by humans but when it is decrypted, it is readable. Cryptography is necessary to protect email messages, credit card information, and corporate data. The terms used in cryptography are as follows:

  • Plaintext: Plaintext can be read by a user.
  • Ciphertext: Ciphertext can be converted to a non-readable format.
  • Encryption: Encryption is the process of creating ciphertext from plaintext.
  • Decryption: Decryption is the process of converting ciphertext to plaintext.
  • Cipher: Cipher is an algorithm that is used to encrypt and decrypt text.
  • Key: Key is an element used in the technology of encrypting and decrypting text.

Goals of cryptography

The following are the goals of cryptography:

  1. Confidentiality: It makes sure that the message remains private and cannot be accessed by any unauthorized user when transmitted between two or more parties. There are two types of cryptosystems that ensure message confidentiality. They are as follows:
  2. Symmetric key cryptosystem: It uses the shared key that is available to all the users of the cryptosystem.
  3. Public key cryptosystem: It makes use of a combination of public and private keys for each user of the cryptosystem.
  4. Integrity: It makes sure that the message remains unaltered when transmitted between two or more parties. If the goal of integrity is attained, the recipient is ensured that the received message is identical to the message that was sent.
  5. Authentication: It verifies the user's identity.
  6. Non-repudiation: It assures the recipient that the message was really sent by the sender and someone is not masquerading as the sender.

Types of cryptography

The following are the types of cryptography:

  • Symmetric encryption: It is a type of encryption that uses a single key to encrypt and decrypt data. Symmetric encryption algorithms are faster than public key encryption. Therefore, it is commonly used when a message sender needs to encrypt a large amount of data. Data Encryption Standard (DES) uses the symmetric encryption key algorithm to encrypt data.
  • Asymmetric encryption: It is a type of encryption that uses two keys, i.e., a public key and a private key pair for data encryption. The public key is available to everyone, while the private or secret key is available only to the recipient of the message. For example, when a user sends a message or data to another user, the sender uses the public key to encrypt the data. The receiver uses his private key to decrypt the data.
  • Hash function: It does not use any key for encryption and decryption. A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption.

Public Key Encryption

The Public Key Encryption, also called asymmetric encryption, was first publicly proposed by Diffie and Hellman in 1976. Public Key Encryption is more secure than non-public key encryption. It is based on the mathematical functionality rather than on the simple operations on bit patterns. It uses two separate keys. It has five stages as follows:

  • Plain Text: It is the original message.
  • Encryption Algorithm: It performs different transformations on plain text.
  • Public and Private Key: It is the input to the encryption algorithm.
  • Cipher Text: It is the scrambled message as an output.
  • Decryption Algorithm: It performs on cipher text and gives the original message as an output.

Government Access to Keys (GAK)

Government Access to Keys (GAK) implies that software companies will give copies of all keys or at least some keys using which the remaining keys can be cracked to the government. The government promises that they will securely keep the keys and will only use them when a warrant will be issued by a court to do so.

Ciphers

Ciphers are algorithms that are used for encrypting or decrypting the data. The following are classical ciphers:

  • Substitution cipher: In cryptography, a substitution cipher is a method of encryption in which units of plaintext are replaced with ciphertext according to a regular system. The units may be single letter, pairs of letters, triplets of letters, mixtures of the all, and so forth. The receiver deciphers the text by performing an inverse substitution.
  • Transposition cipher: In cryptography, a transposition cipher is a method of encryption in which the positions held by units of plaintext are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext. The units are commonly characters or groups of characters. In the transposition cipher, the order of the units is changed.

Modern ciphers are classified based on the type of key used and on the type of input data.
The following are classifications of modern ciphers based on the type of key used:

  • Private key: It involves the use of same key for encryption and decryption.
  • Public key: It involves the use of two different keys for encryption and decryption.

The following are classifications of modern ciphers based on the type of input data:

  • Block cipher: It is a symmetric key cipher that operates on blocks of messages. It encrypts an entire message block at the same time. Transposition ciphers are examples of block ciphers. Each block cipher has a mode of operation that functions as a stream cipher. The more complicated columnar transposition cipher operates on an entire message, and uses the transposition algorithm and a secret keyword to encrypt the entire message.
  • Stream cipher: It is a symmetric key cipher that operates on each character, or bit of a message. It encrypts one character per bit at a time. Caesar cipher and one-time pad are the examples of a stream cipher. One-time pad is a stream cipher since it independently operates on each letter of the plaintext message. Significant computational resources are required by the stream ciphers.

Twofish

Twofish is a symmetric key block cipher. It operates on 128-bits block size and uses key sizes up to 256 bits. It uses pre-computed key-dependent S-boxes and a relatively complex key schedule. One half of an n-bit key is used as the actual encryption key, and the other half of the key is used to modify the encryption algorithm. It borrows some elements from the pseudo-Hadamard transform (PHT) from the SAFER family of ciphers.

Blowfish

Blowfish is a symmetric 64-bit block cipher that can support key lengths up to 448 bits. It is included in a large number of cipher suites and encryption products. It was designed in 1993 by Bruce Schneier and is freely available for anyone to use. This has contributed to its popularity in cryptographic software.

Boomerang attack

A boomerang attack is a method for the cryptanalysis of block ciphers. The attack is based on differential cryptanalysis. In differential cryptanalysis, an attacker exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high-probability "differential" (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang attack allows differentials to be used which cover only part of the cipher.

18.2 Understand AES, RC4, RC5, RC6 algorithms, RSA, Message Digest Function: MD5, and SHA

Exam Focus: Understand AES, RC4, RC5, RC6 algorithms, RSA, Message Digest Function: MD5, and SHA. Objective includes:

  • Gain insights on Advanced Encryption Standard (AES).
  • Understand RC4, RC5, RC6 Algorithms.
  • Examine RSA (Rivest Shamir Adleman).
  • Explain Message Digest Function: MD5.
  • Understand Secure Hashing Algorithm (SHA).

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is an encryption standard that comprises three block ciphers, AES-128, AES-192, and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192, and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). AES is one of the most popular algorithms used in symmetric key cryptography. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information. It is an iterated block cipher. It involves the repetition of the same defined steps multiple times.

Data Encryption Standard

Data Encryption Standard (DES) is the name of the Federal Information Processing Standard (FIPS) 46-3. It is a 64 bit block cipher. It includes four modes of operation: Electronic Codebook mode, Cipher Block Chaining mode, Cipher Feedback mode, and Output Feedback mode. All the DES modes function on 64 bits of plaintext at a time in order to generate 64-bit blocks of ciphertext. DES uses the 56 bit long key.
The various modes of Data Encryption Standards are as follows:

  • Electronic Codebook (ECB) mode: It is the least secure mode. In this mode, DES uses secret keys to encrypt the 64-bit block. It produces the same encrypted block if the algorithm encounters the same block multiple times.
  • Cipher Block Chaining (CBC) mode: In this mode, before encryption, each block of unencrypted text is XORed with the block of ciphertext immediately preceding it.
  • Cipher Feedback (CFB) mode: In this mode, the preceding block of ciphertext is encrypted using the DES algorithm. This block is then XORed with the next block of plaintext in order to achieve the next block of ciphertext. Errors propagating in this mode corrupt the next transmitted block.
  • Output Feedback (OFB) mode: In this mode, DES functions in almost the same manner as it does in the CFB mode. The plaintext with the seed value is XORed by DES, instead of XORing an encrypted version of the previous preceding block of ciphertext.

3DES

3DES, also referred to as triple DES, is a mode of the Data Encryption Standard (DES) encryption algorithm. 3DES uses three 64-bit keys to encrypt data thrice. Primarily, it encrypts data with a 64-bit key. Then, the output data is again encrypted with the second 64-bit key. Finally, the third 64-bit key is used for encryption. DES uses the block cipher method to break a data file into 64-bit blocks, which are then encrypted.

Triple Data Encryption Algorithm (TDEA)

The Triple Data Encryption Algorithm (TDEA) was proposed by Tuchman and first came into existence in functional applications in 1985. The Triple DEA algorithm uses three keys and executes the DES algorithm three times. It follows an encrypt-decrypt-encrypt (EDE) sequence as follows:

C = E<;sub>k3 [ Dk2 [ Ek1 [P] ] ]
where
C = Cipher Text
P = Plain Text
Ek [X] = encryption of X using key K
Dk [Y] = decryption of Y using key K

RC2

RC2 is a block cipher designed by Ron Rivest in 1987, and the other ciphers designed by Rivest include RC4, RC5, and RC6. RC2 is a 64-bit block cipher with a variable size key. Its 18 rounds are arranged as a source-heavy Feistel network with 16 rounds of one type punctuated by two rounds of another type.

RC4

RC4 is a stream cipher designed by Ron Rivest. It is used in many applications including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), etc. RC4 is fast and simple. However, it has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, nonrandom or related keys are used, or a single keystream is used twice. Some ways of using RC4 can lead to very insecure cryptosystems such as WEP.

RC5

RC5 is a block cipher algorithm with a variable block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255). 12-round RC5 (with 64-bit blocks) can be easily cracked by using a differential attack of 244 chosen plaintexts. Hence, 18-20 rounds of RC5 are suggested as sufficient protection.

RC6

RC6 is a cryptographic symmetric key algorithm, which is derived from the RC5 algorithm. RC6 proper has a block size of 128 bits. It also supports key sizes of 128, 192, and 256 bits. Unlike RC5, RC6 does use an extra multiplication operation in order to make the rotation dependent on every bit in a word.

Digital Signature Algorithm

Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. DSA is a public key algorithm. The secret key operates on the message hash generated by SHA-1. To verify a signature, one recomputes the hash of the message, uses the public key to decrypt the signature, and then compares the results. The key size is variable from 512 to 1024 bits; it is adequate for the current computing capabilities as long as a user uses more than 768 bits.

RSA Algorithm

RSA is an Internet encryption and authentication system. It uses an algorithm developed by Ron, Rivest, Adi Shamir, and Leonard Adleman. It uses modular arithmetic and elementary number theories in order to perform computations using two large prime numbers. The RSA algorithm is an example of the public key algorithm in which the public key is generated from the private key. In the RSA algorithm, the public and private keys are generated as follows:

  1. Choose two large prime numbers p and q of equal lengths, and compute n=p*q.
  2. Choose a random public key e such that e and (p-1)*(q-1) are relatively prime.
  3. Calculate e*d=1*mod[(p-1)*(q-1)]. Here, d is a private key.
  4. Calculate d=e^(-1)*mod[(p-1)*(q-1)].
  5. Now (e,n) and (d,n) are the public and private keys respectively.

Message digest

A message digest is a number, which is created algorithmically from a file and represents that file uniquely. Message digest functions calculate a unique fixed-size bit string representation known as a hash value of any arbitrary block of information. If the file changes, the message digest also changes. Message digest is a compact digital signature for an arbitrarily long stream of binary data. It is used to determine whether the file has been modified. Additionally, message digests also help to identify duplicate files. As message digests produce values that are difficult to invert, they are also known as one-way functions.

MD5

The MD5 Message-Digest Algorithm is a cryptographic hash function that produces a 128-bit (16-byte) hash value. The following types of attacks can be performed on the MD5 algorithm:

  1. Collision Attack: A collision attack can be used to find collisions within seconds on a computer with a 2.6Ghz Pentium 4 processor. An attacker can use the chosen-prefix collision attack to produce a collision for two chosen arbitrarily different inputs within hours, using off-the-shelf computing hardware.
  2. Rainbow Attack: Various MD5 rainbow tables are published online, which can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking.

EAP-MD5

EAP-MD5 is the only IETF Standards Track-based EAP method. It does not provide server authentication. It offers minimal security; the MD5 hash function is vulnerable to dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in Windows 2000 and deprecated in Windows Vista.

Secure Hash Algorithm (SHA)

The Secure Hash Algorithm (SHA) is a cryptographic hash algorithm that generates a fixed-length digital representation (message digest) of an input data sequence of any length. The SHA algorithm is very secure, as it is computationally very difficult to find a message that corresponds to a given message digest. In this algorithm, any change to a message will result in a completely different message digest. There are five SHA algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.

SHA1 hash function

The SHA-1 hash function differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, NSA did not provide any further explanation or identify the flaw that was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of (264 - 1) bits. SHA-1 is based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms, but has a more conservative design.

The above image exhibits one iteration within the SHA-1 compression function. A, B, C, D, and E are 32-bit words of the state; F is a nonlinear function that varies; denotes a left bit rotation by n places; n varies for each operation. Wt is the expanded message word of round t, Kt is the round constant of round t. denotes addition modulo .