
NS 4

Cryptography involves transforming readable data into an unreadable format called ciphertext. It uses encryption algorithms and secret keys to encrypt plaintext into ciphertext. The strength of cryptography comes from strong algorithms, large key sizes, and protecting the secret key, not the algorithm itself. Cryptosystems provide confidentiality, integrity, authentication, and authorization for securing communications.

Uploaded by

elitejoker622

Cryptography

An Introduction

ASIM SHARIF SATTI


Cryptography
3.1.1 Definitions and Concepts
• When data is stored on a computer, it is
usually protected by logical and physical
access controls
• When this same sensitive information is sent
over a network, it can no longer take these
controls for granted, and the information is in
a much more vulnerable state
In computers, logical access controls are
tools and protocols used for identification,
authentication, authorization, and
accountability in computer information
systems
Cryptography
Definitions and Concepts
• Encryption is a method of transforming
readable data, called plaintext, into a form
that appears to be random and unreadable,
which is called ciphertext

• This enables the transmission of confidential
information over insecure channels without
unauthorized disclosure
[Figure: Sender and Receiver]
Without the right key, the captured
message is useless to an attacker.
Cryptography
Definitions and Concepts
• A system or product that provides encryption and
decryption is referred to as a cryptosystem
• can be created through hardware components or
program code in an application
• The cryptosystem uses an encryption algorithm
• Most algorithms are complex mathematical
formulas
– that are applied in a specific sequence to the plaintext
Cryptosystems
A cryptosystem encompasses all of the necessary
components for encryption and decryption to take
place. Pretty Good Privacy (PGP) is just one
example of a cryptosystem.

A cryptosystem is made up of at least the
following:
• Software
• Protocols
• Algorithms
• Keys
Cryptography
Definitions and Concepts
• Most encryption methods use a secret value
called a key (usually a long string of bits),
– which works with the algorithm to encrypt and
decrypt the text
• The algorithm, the set of rules also known as the
cipher,
– dictates how enciphering and deciphering takes place
• Many of the mathematical algorithms used in
computer systems today are publicly known and
are not the secret part of the encryption process
What is the secret part of encryption?
• If the internal mechanisms of the algorithm
are not a secret,
– then something must be
• The secret piece of using a well-known
encryption algorithm is the key
Cryptography
Definitions and Concepts
• In encryption, the key (crypto-variable) is a
value that comprises a large sequence of
random bits
• An algorithm contains a key-space, which is a
range of values that can be used to construct a
key
The larger the keyspace, the more available values can be used
to represent different keys, and the more random the keys
are, the harder it is for intruders to figure them out
Cryptography
Definitions and Concepts
• When the algorithm needs to generate a new
key, it uses random values from this keyspace
For example, if an algorithm allows a key
length of 2 bits, the keyspace for that
algorithm would be 4 (2^2), which indicates the
total number of different keys that would be
possible: 00, 01, 10, 11. That would not be a very large
keyspace, and certainly it would not take an
attacker very long to find the correct key that
was used.
Cryptography
Definitions and Concepts
• A large keyspace allows for more possible
keys.
• Today, we are commonly using key sizes of
128, 256, 512, or even 1,024 bits and larger.
• So a key size of 512 bits would provide
____possible combinations (the keyspace)
• The encryption algorithm should use the
entire keyspace and choose the values to
make up the keys as randomly as possible.
Key Length and Exhaustive Search Time
Each extra bit doubles the number of keys.
Shaded keys are strong symmetric keys (>=100 bits).

Key Length in Bits    Number of Possible Keys
1                     2
2                     4
4                     16
8                     256
16                    65,536
40                    1,099,511,627,776
56                    72,057,594,037,927,900
112                   5,192,296,858,534,830,000,000,000,000,000,000
112                   5.1923E+33
168                   3.74144E+50
256                   1.15792E+77
512                   1.3408E+154

Raymond R. Panko
Time Required For Decryption

Key Size (bits)               Number of Alternative Keys    Time required at 1 decryption/µs
32                            2^32 = 4.3 × 10^9             2^31 µs = 35.8 minutes
56                            2^56 = 7.2 × 10^16            2^55 µs = 1142 years
128                           2^128 = 3.4 × 10^38           2^127 µs = 5.4 × 10^24 years
168                           2^168 = 3.7 × 10^50           2^167 µs = 5.9 × 10^36 years
26 characters (permutation)   26! = 4 × 10^26               2 × 10^26 µs = 6.4 × 10^12 years
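The search times in the table above can be recomputed, and the same arithmetic shows why a key must use the entire keyspace. This is an added example, not part of the original slides; the two "typed letters" keys are constructed cases, and all function names are assumptions made for the illustration.

```python
import math

RATE = 1e6  # decryptions per second, i.e. 1 decryption/µs as in the table above

def keyspace_bits(alphabet_size, length):
    """Bits of keyspace when a key is `length` symbols chosen uniformly
    from `alphabet_size` possible symbols."""
    return length * math.log2(alphabet_size)

def average_search_seconds(bits, rate=RATE):
    """On average an exhaustive search finds the key after half the keyspace."""
    return 2 ** (bits - 1) / rate

def humanize(seconds):
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            value = seconds / size
            return f"{value:,.1f} {unit}" if value < 1e6 else f"{value:.1e} {unit}"
    return f"{seconds:.1f} seconds"

# Constructed cases: three fully random keys, then two 128-bit keys whose bits
# are filled from typed characters, so most of the nominal keyspace is unused.
CASES = [
    ("32-bit random key", 32),
    ("56-bit random key", 56),
    ("128-bit random key", 128),
    ("128-bit key made of 16 lowercase letters", keyspace_bits(26, 16)),
    ("128-bit key made of 8 lowercase letters + 8 zero bytes", keyspace_bits(26, 8)),
]

def report():
    return [(label, round(bits, 1), humanize(average_search_seconds(bits)))
            for label, bits in CASES]

if __name__ == "__main__":
    for label, bits, time_needed in report():
        print(f"{label:<58} {bits:>6} bits  {time_needed}")
```

The last case is nominally a 128-bit key, but its work factor is that of a key of about 37.6 bits.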
Major Symmetric Key Encryption Ciphers

                          RC4               DES          3DES              AES
Key Length (bits)         40 bits or more   56           112 or 168        128, 192, or 256
Key Strength              Very weak at      Weak         Strong            Strong
                          40 bits
Processing Requirements   Low               Moderate     High              Low
RAM Requirements          Low               Moderate     Moderate          Low
Remarks                   Can use keys of   Created in   Applies DES       Today’s gold
                          variable length   the 1970s    three times       standard for
                                                         with two or       symmetric key
                                                         three different   encryption
                                                         DES keys

Raymond R. Panko
3.1.2 Kerckhoffs’ Principle
• Auguste Kerckhoffs published a paper in 1883
stating that the only secrecy involved with a
cryptography system should be the key. He
claimed that the algorithm should be publicly
known.
• He asserted that if security were based on too
many secrets, there would be more
vulnerabilities to possibly exploit
Remarks on Kerckhoffs’ principle
• Cryptographers in the private and academic
sectors agree with Kerckhoffs’ principle,
– because making an algorithm publicly available means
that many more people can view the source code,
test it, and uncover any type of flaws or weaknesses
• It is the attitude of “many heads are better than
one.”
– Once someone uncovers some type of flaw, the
developer can fix the issue, and provide society with a
much stronger algorithm
Remarks on Kerckhoffs’ principle
• But, not everyone agrees with this philosophy.
• Governments around the world create their own
algorithms that are not released to the public.
– Their stance is that if a smaller number of people know
how the algorithm actually works, then a smaller number
of people will know how to possibly break it
• Cryptographers in the private sector do not agree with
this practice and do not trust algorithms they cannot
examine
• It is basically the same as the open-source versus
compiled software debate that is in full force today.
The Strength of the Cryptosystem
• The strength of an encryption method comes
from
– the algorithm, the secrecy of the key, the length of
the key, the initialization vectors, and
– how they all work together within the
cryptosystem.
• When strength is discussed in encryption,
– it refers to how hard it is to figure out the
algorithm or key, whichever is not made public.
The Strength of the Cryptosystem
• The strength of an encryption method correlates to
the
– amount of necessary processing power,
– resources, and
– time required to break the cryptosystem or
– to figure out the value of the key.
• Breaking a cryptosystem can be accomplished by
– a brute force attack, which means trying every possible
key value until the resulting plaintext is meaningful
• Depending on the algorithm and length of the key,
– this can be an easy task or one that is close to impossible
The Strength of the Cryptosystem
• The goal when designing an encryption
method is to make compromises
– too expensive or too time-consuming
• Another name for cryptography strength is
work factor,
– which is an estimate of the effort and resources it
would take an attacker to penetrate a
cryptosystem
The Strength of the Cryptosystem
• Important elements of encryption are to
– use an algorithm without flaws,
– use a large key size,
– use all possible values within the keyspace,
– and to protect the actual key.
• If one element is weak, it could be the link
that dooms the whole process.
What if I share the key after taking care of all mentioned
points???
Services of Cryptosystems
• Confidentiality
Renders the information unintelligible except by authorized entities
• Integrity
Data has not been altered in an unauthorized manner since it was
created, transmitted, or stored
• Authentication
Verifies the identity of the user or system that created information
• Authorization
Upon proving identity, the individual is then provided with the key or
password that will allow access to some resource
• Nonrepudiation
Ensures that the sender cannot deny sending the message.
If David sends a message and then later
claims he did not send it, this is an act of
repudiation.
When a cryptography mechanism
provides nonrepudiation, the sender
cannot later deny he sent the message.
(He can try to deny it, but the
cryptosystem proves otherwise)
Suppose your boss sends you a message
telling you that you will be receiving a raise
that doubles your salary.
• The message is encrypted, so you can be
sure it really came from your boss
(authenticity)
• Someone did not alter it before it arrived at
your computer (integrity)
• No one else was able to read it as it
traveled over the network (confidentiality)
• Your boss cannot deny sending it later
when he comes to his senses
(nonrepudiation)
Services of Cryptosystems
• Military and intelligence agencies are very concerned about
keeping information confidential,
– so they would choose encryption mechanisms that provide a
high degree of secrecy
• Financial institutions care about confidentiality, but they
also care about the integrity of the data being transmitted,
– so the encryption mechanism they would choose may differ
from the military’s encryption methods
• If messages were accepted that had a misplaced decimal
point or zero,
– the ramifications could be far reaching in the financial world
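The misplaced decimal point described above is the case an integrity check exists to catch. The following is an added example, not part of the original slides: it uses HMAC-SHA256 from the Python standard library as one possible integrity mechanism, and the payment message and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag the sender transmits alongside the message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag over what was received and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)

def demo():
    key = secrets.token_bytes(32)                  # shared secret, random over the whole keyspace
    sent = b"PAY 1250.00 USD TO ACCOUNT 0001"      # constructed sample message
    tag = make_tag(key, sent)
    altered = b"PAY 12500.0 USD TO ACCOUNT 0001"   # decimal point moved in transit
    wrong_key = secrets.token_bytes(32)            # a party that does not hold the key
    return {
        "unaltered message accepted": verify(key, sent, tag),
        "altered message accepted": verify(key, altered, tag),
        "tag checked with a different key accepted": verify(wrong_key, sent, tag),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because sender and receiver hold the same key, either one could have produced the tag, so this check gives integrity and authentication but not nonrepudiation.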
Services of Cryptosystems
• Legal agencies may care most about the
authenticity of the messages they receive
• If information received ever needed to be
presented in a court of law,
– its authenticity would certainly be questioned;
therefore, the encryption method used must
ensure authenticity, which confirms who sent the
information
