Information System Security - INSY3073 Year III and IV

Aksum University

College of Engineering & Technology

Department of Computing-Information Systems

“The most secured computers are those not connected to the Internet and shielded from any interference”

Information Assurance and Security Lecture Notes

(Handout Instead of Slides)

By: MezgebeMehari

[email protected]

To: 3rd and 4th IS students

October 12/2007 E.C

1
Information System Security - INSY3073 Year III and IV

CHAPTER – Four

Security Techniques

4.1. Cryptography
4.1.1. Introduction

 In 1973, the NBS (National Bureau of Standards, now called NIST - National Institute of
Standards and Technology) published a request for an encryption algorithm that would
meet the following criteria:
 have a high security level
 be easily understood
 not depend on the algorithm's confidentiality
 be adaptable and economical
 be efficient and exportable
 In late 1974, IBM proposed "Lucifer", which was then modified by NSA (National
Security Agency) in 1976 to become the DES (Data Encryption Standard). DES was
approved by the NBS in 1978. The DES was standardized by the ANSI under the name
of ANSI X3.92, also known as DEA (Data Encryption Algorithm).
 The vulnerability of DES was practically demonstrated in 1997, where RSA Security
sponsored a series of contests, offering a $10,000 prize to the first team that broke a
message encrypted with DES for the contest. That contest was won by the DESCHALL
Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of
thousands of computers across the Internet.
 The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-
cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights
group, at the cost of approximately US$250,000. Their motivation was to show that DES
was breakable in practice as well as in theory.

2
Information System Security - INSY3073 Year III and IV

4.1.2 Definitions and Terms

Some Basic Terminologies:

Cryptography
In greek=> krptos : hidden
graphein : to write
It is the art of encryption

 Plaintext - original message

 Ciphertext - coded message
 Key - info used in cipher known only to sender/receiver
 Cryptography - study of encryption principles/methods
 Cryptanalysis (codebreaking) - study of principles/ methods of deciphering
ciphertext without knowing key
Note: that in our lab manual one, we have seen that:
 Encipher (encrypt) - converting plaintext to ciphertext
 Decipher (decrypt) - recovering ciphertext from plaintext
Hence, here the crypt analysis deals with the Deciphering technique without knowing
the key, but not the enciphering one.
 Cryptology - field of both:
 Cryptography and
 Cryptanalysis

Model for Security:

3
Information System Security - INSY3073 Year III and IV

4.1.3 Private Key cryptosystems/conventional / Symmetric /single-key

 Traditional private/secret/single key cryptography uses one key.
 Sender and recipient shares the common key.
 If this key is disclosed communications are compromised.
 Also is symmetric, parties are equal. And by far most widely used.
 Was only type prior to invention of public-key in 1970’s.
 All classical encryption algorithms are private-key.
 Two requirements for secure use of symmetric encryption:
 A strong encryption algorithm
 A secret key known only to sender / receiver
 Mathematically have:
Y = EK(X)
X = DK(Y)
Symmetric/conventional Cipher Model:

 Hence does not protect sender from receiver forging a message & claiming is sent by sender.

4.1.4 Public Key Cryptosystems/two-key/asymmetric

Key Points in Public Key Cryptosystems:
 Public-key encryption is a form of cryptosystem in which encryption and decryption are
performed using the different keys, one a public key and one a private key. It is also known as
asymmetric encryption.
 Asymmetric encryption transforms plaintext into ciphertext using a one of two keys and an
encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is
recovered from the ciphertext.
 Asymmetric encryption can be used for confidentiality, authentication, or both.
 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is
based on the difficulty of finding the prime factors of a composite number.

4
Information System Security - INSY3073 Year III and IV

Principles of public key cryptosystems:

 The concept of public-key cryptography evolved from an attempt to attack two of the most
difficult problems associated with symmetric encryption:
 Key distribution: how to have secure communications in general without having
to trust a KDC(Key Distribution Center) with your key.
 Digital signature: how to verify a message comes intact from the claimed sender
Ingredients of public key cryptosystem:
 Plaintext: This is the readable message or data that is fed into the algorithm as input
 Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext
 Public and private keys: This is a pair of keys that have been selected so that if one is used for
encryption, the other is used for decryption
 Ciphertext: This is the scrambled message produced as output.
 Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces
the original plaintext
Asymmetric/Public key Model:

Essential steps of public key cryptosystem:

1. Each user generates a pair of keys to be used for the encryption and decryption of
messages( private and public keys).
2. Each user has to place the public key in public register.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using
Alice's public key.
4. When Alice receives the message, she decrypts it using her private key.

5
Information System Security - INSY3073 Year III and IV

Comparisons
Public Key
Conventional

• The same algorithm with the • One algorithm is used for

same key is used for encryption and decryption
encryption and decryption. with a pair of keys, one for
encryption and one for
• The sender and receiver decryption.
must share the algorithm and
the key. • The sender and receiver
must each have one of the
matched pair of keys (not the
same one).

Why Public-Key Cryptography?

 developed to address two key issues:
– key distribution – how to have secure communications in general without having to trust
a KDC with your key
– digital signatures – how to verify a message comes intact from the claimed sender
 public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
– known earlier in classified community
 public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public-key, which may be known by anybody, and can be used to encrypt messages,
and verify signatures
– a private-key, known only to the recipient, used to decrypt messages, and sign (create)
signatures
 is asymmetric because
– those who encrypt messages or verify signatures cannot decrypt messages or create
signatures
Public-Key Characteristics: since its algorithm relay on tw keys:
 it is computationally infeasible to find decryption key knowing only algorithm &
encryption key
 it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is
known
 either of the two related keys can be used for encryption, with the other used for
decryption (for some algorithms)

Details of public key

 The source A generate the plain text X
 B generates a related pair of keys: a public key, PU b, and a private key, PRb.
PRb is known only to B
 Y = E(PUb, X)
6
Information System Security - INSY3073 Year III and IV

 X = D(PRb, Y)

Secrecy

Authentication

Steps:
 A prepares a message to B and encrypts it using A's private key
 B can decrypt the message using A's public key
 Therefore, the entire encrypted message serves as a digital signature

7
Information System Security - INSY3073 Year III and IV

4.1.5 Public-key Cryptographic algorithm: RSA

Key Points of RSA:

 RSA is from R. Rivest, A. Shamir and L. Aldleman.

 Principle: No mathematical method is yet known to efficiently find the prime
factors of large numbers.
 In RSA, the private and public keys are constructed from very large prime numbers
(consisting of hundred of decimal digits).
 Breaking RSA is equivalent to finding the prime factors for large numbers: this is
know to be computationally infeasible.
NB: factorization takes O(e log n log log n) operations (hard).
 It is only the person who has produced the keys from the prime number who can
easily decrypt the messages.
 Makes use of an expression with exponentials.
 Plaintext is encrypted in blocks. And one of the keys can be made public.
 With each block having a binary value less than some number n.
 For some plaintext block M and ciphertext block C:
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
 Both sender and receiver must know the value of n.
 The sender knows the value of e, and only the receiver knows the value of d.
 Thus, this is a public-key encryption algorithm:
 Public key of PU = {e, n}
 Private key of PR = {d, n}
 For the algorithm to be satisfactory, the following criterias should be satisfied
 It is possible to find values of e, d, n such that Med mod n = M for all M < n.
 It is relatively easy to calculate mod Me mod n & Cd for all values of M < n.
 It is infeasible to determine d given e and n.

RSA Key Setup:

 Major Activities
 Key Generation
 Encryption
 Digital signing
 Decryption
 Signature verification
 Each user generates a public/private key pair by: Selecting two large primes at
random p, q and computing their system modulus n=p.q
 Note: ø(n)=(p-1)(q-1)
 Selecting at random the encryption key e
 Where 1<e<ø(n), gcd(e,ø(n))=1
 Solve following equation to find decryption key d
 e.d Ξ 1 mod ø(n) and 0≤d≤n

8
Information System Security - INSY3073 Year III and IV

 Publish their public encryption:

 key: PU={e,n} and keep secret private decryption, key: PR={d,n}
RSA - Key Generating Algorithm:
1. Choose/generate two distinct prime numbers p and q.
2. Compute n = pq.
3. Compute φ(n) = (p – 1)(q – 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1.
5. Determine d (1<d<phi) such that φ(n) divides ed-1.

Result:
 Keep all the values d, p, q and φ secret
 e is known as the public key exponent
 d is known as the private key exponent
RSA - Encryption:
 Sender A does the following
 Obtains the recipient B's public key (n, e)
 Represents the plaintext message as a positive integer m
 Computes the cipher-text c = me mod n
 Sends the cipher-text c to B
RSA- Decryption:
 Recipient B does the following
 Uses his private key (n, d) to compute m = cd mod n
 Extracts the plaintext from the message representative m

9
Information System Security - INSY3073 Year III and IV

RSA- Key Generation Simple Example:

1. Select primes p=11, q=3.
2. n = pq = 11*3 = 33
phi = (p-1)(q-1) = 10*2 = 20
3. Choose e=3
Check gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
4. Compute d (1<d<phi) such that such that phi divides ed-1 (20 divides 3d-1.)
Simple testing (d = 2, 3 ...) gives d = 7
Check: ed-1 = 3*7 - 1 = 20, which is divisible by phi (20).
5. Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7).

Given: Public key = (n, e) = (33, 3)

Private key = (n, d) = (33, 7)
How do we encrypt and decrypt?
Hence: Encryption:
 Now say we want to encrypt the message m = 7
 c = me mod n = 73 mod 33 = 343 mod 33 = 13
 Hence the ciphertext c = 13
Decryption:
 To check decryption we compute
 m = cd mod n = 137 mod 33 = 7
Example 2:
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x16+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
 Sample RSA encryption/decryption is:
 Given message M = 88 (nb. 88<187)
 Encryption:
C = 887 mod 187 = 11
 Decryption:
M = 1123 mod 187 = 88

RSA- More Meaningful Example:

 Message: ATTACKxATxSEVEN
 Grouping the characters into blocks of three and computing a message representative
integer for each block:
 ATT ACK XAT XSE VEN

10
Information System Security - INSY3073 Year III and IV

 In the same way that a decimal number can be represented as the sum of powers
of ten, e.g. 135 = 1 x 102 + 3 x 101 + 5, we could represent our blocks of three
characters in base 26 using A=0, B=1, C=2, ..., Z=25

 ATT = 0 x 262 + 19 x 261 + 19 = 513

ACK = 0 x 262 + 2 x 261 + 10 = 62
XAT = 23 x 262 + 0 x 261 + 19 = 15567
XSE = 23 x 262 + 18 x 261 + 4 = 16020
VEN = 21 x 262 + 4 x 261 + 13 = 14313
RSA- More Meaningful Example – Key Generation

1. We "generate" primes p=137 and q=131

2. n = pq = 137*131 = 17,947
phi = (p-1)(q-1) = 136*130 = 17680
3. Select e = 3
check gcd(e, (p-1)(q-1)) = gcd(3, 17680 ) = 1, OK
4. Compute d such that phi divides ed-1 (17680 divides 3d-1.)
Simple testing (d = 2, 3 ...) gives d = 11787
Check: ed-1 = 3* 11787 - 1 = 20, which is divisible by phi (20).
5. Hence
 public key, (n, e) = (17947, 3) and
 private key (n, d) = (17947, 11787).
 Using:
 Public key = (n, e) = (17947, 3)
 Private key = (n, d) = (17947, 11787)
 To encrypt the first integer that represents "ATT“ (513), we have
 c = me mod n = 5133 mod 17947 = 8363
 We can verify that our private key is valid by decrypting
 m = cd mod n = 836311787 mod 17947 = 513
 Overall, our plaintext is represented by the set of integers m
 (513, 62, 15567, 16020, 14313)
 We compute corresponding cipher text integers c = me mod n
 (8363, 5017, 11884, 9546, 13366)

11