These notes are directly copied from my Notion. Please excuse any formatting issues.

Cryptography History and Basics

  • Caesar Cipher

    • Substitution Cipher
    • Shift characters 3 spaces (A=D, B=E, C=F)
    • Substitution Ciphers are subject to pattern analysis
    • ROT13
  • Scytale

    • Wrapped tape around a rod
    • The diameter of the rod is the pre-agreed upon secret (key)
    • Symmetric (same secret)
  • Vigenère

    • First polyalphabetic cipher
    • keyword is agreed upon ahead of time
    • First letter of the key is matched up against the first of the message and so on.
  • Enigma Machine

    • Used by the Germans in WWII
    • Rotor based
    • Symmetric Encryption
    • Secret shared ahead of time
  • Purple machine used by Japanese in Warfare

  • Vernam Cipher

    • One Time Pad
    • Mathematically unbreakable
    • Pad must be as long as the message
    • Pad must be securely distributed and only used once
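
The one-time pad rules above, as an added example that is not part of the original notes: XOR stands in for the Vernam combining step, and the second half shows what leaks when a pad is used twice. The function names and the two sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(length: int) -> bytes:
    """Draw a fresh random pad from the operating system's CSPRNG."""
    return secrets.token_bytes(length)

def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)

def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets from two ciphertexts made with the SAME pad:
    the pad cancels out, leaving plaintext1 XOR plaintext2."""
    return xor_bytes(c1, c2)

# Constructed sample messages of equal length.
MSG_A = b"MEET AT NOON"
MSG_B = b"MEET AT DUSK"

if __name__ == "__main__":
    pad = new_pad(len(MSG_A))
    c_a = otp_encrypt(MSG_A, pad)
    print(otp_decrypt(c_a, pad))          # round trip with the correct pad

    c_b = otp_encrypt(MSG_B, pad)         # mistake: the pad is used a second time
    # Zero bytes mark positions where both messages hold the same character.
    print(reuse_leak(c_a, c_b).hex())
```
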

💡 Plain Text + Initialization Vector + Algorithm (Cipher) = Cipher Text
Initialization Vector → Random Number (nonce), a random bit string (pseudo random)
Algorithm → collection of math functions (should be strong and complex)


  • Kerckhoffs’s Principle → Algorithms should be open, i.e. a cryptographic system should be designed to be secure even if all its details, except for the key, are publicly known.
  • Keys
    • Provide instructions on how to use the math (algorithm)
    • should be random
    • should be protected
    • should be long enough

Symmetric Cryptography

  • A single key shared by both parties
  • Pros:
    • Provides fast data transfer
    • Good strong privacy
  • Cons:
    • Out-of-band key distribution
    • Doesn’t scale well
    • Doesn’t provide non-repudiation, or integrity, or authenticity.

Number of symmetric keys needed for n people

(n*(n-1))/2

Example for 50 people:

(50*(50-1))/2 = 1225

  • Can be called Secret, Private, Shared, or Session Key.

Symmetric Ciphers

  • Stream
    • One bit at a time
    • Transposition, Substitution, XOR
    • Fast
    • Not very secure
    • RC-4
    • Data passes through S-boxes

  • Block
    • Works on chunks of data

Symmetric Algorithms

DES
3DES
AES
Twofish
Blowfish
RC-4
RC-5
IDEA
CAST
MARS
Skipjack

Asymmetric Cryptography

  • Every user has a key pair
    • Public Key → made available to anyone who requests it
    • Private → only available to that user and must not be disclosed or shared
  • The keys are mathematically related so that anything encrypted with one can only be decrypted by the other.

  • Scalable

    • Example: If 50 people are communicating using asymmetric cryptography, we need only 100 keys i.e. a key pair for each user.
  • Authenticity through asymmetric cryptography

  • Asymmetric Algorithms

RSA
DSA
ECC
El Gamal
Diffie-Hellman
Knapsack

  • RSA

    • Rivest, Shamir, and Adleman
    • Currently the standard for Digital Signatures
    • Factorization
    • Uses the idea that there is no efficient way to factor the product of large prime numbers
  • Diffie-Hellman

    • First asymmetric algorithm
    • Secure key-agreement without pre-shared secrets
  • Elliptic Curve Cryptography (ECC)

    • Based upon plotting points along a curve
    • Very efficient, but only applicable for key agreement, digital signatures, pseudo-random generators, and other tasks
    • Frequently used for handheld devices due to their processing capability.

Email Cryptosystems

  • S/MIME
    • Privacy → Receiver’s public key
    • Authenticity → Sender’s private key
    • Integrity → Hash/checksum/CRC (neither symmetric nor asymmetric)
    • Non-repudiation → Hash encrypted by sender’s private key
    • S/MIME created digital envelopes

  • Pretty Good Privacy (PGP)
    • IDEA algorithm
    • not a standard but rather an independently developed product
    • provides confidentiality and authentication services for e-mail and file storage applications
    • uses Web of trust
    • passphrases instead of passwords
    • learned keys are stored in a file called the key ring

Integrity and Non-Repudiation

Hashing (Checksums/Message Digests)

  • One-way math (not reversible), i.e. the plaintext cannot be recovered from the hash value.
  • Fixed-length digital representation of the contents of the file
  • If the file changes, the hash will change
  • Good for detecting accidental modification, but not intentional modification, because an attacker can change the message along with the hash.
  • Collision or Hash Collision → when two different documents produce the same hash

💡 Birthday Attack → attempt to cause collisions. It is easier to find two hashes that match than a specific hash.

  • Example algorithms:
    • MD5 → 128 bit
    • SHA-1 → 160 bit
    • SHA-2 → 256, 384, 512, etc.
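
The accidental-versus-intentional point above, as an added example that is not part of the original notes. It goes one step beyond the notes by comparing a plain SHA-256 digest with a keyed hash (HMAC-SHA-256, the kind of MAC mentioned later under ESP); the key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

def plain_digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)

def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)

# Constructed sample data.
KEY = b"constructed-shared-secret"        # known only to sender and receiver
ORIGINAL = b"pay 100 to alice"
CORRUPTED = b"pay 100 to alicf"           # accidental corruption in transit
TAMPERED = b"pay 900 to mallory"          # deliberate change

def scenarios() -> dict:
    """Return whether the receiver's check passes in each scenario."""
    sent_digest = plain_digest(ORIGINAL)
    sent_tag = keyed_tag(KEY, ORIGINAL)
    # Without KEY, the best a tamperer can do is tag with a key of their own.
    forged_tag = keyed_tag(b"not-the-real-key", TAMPERED)
    return {
        # Corruption changes the message but not the digest: check fails.
        "accidental_plain_hash": verify_plain(CORRUPTED, sent_digest),
        # Message and digest are both replaced: the check passes.
        "tampered_plain_hash": verify_plain(TAMPERED, plain_digest(TAMPERED)),
        # Neither the old tag nor a forged one verifies under KEY.
        "tampered_hmac": verify_keyed(KEY, TAMPERED, sent_tag)
        or verify_keyed(KEY, TAMPERED, forged_tag),
        "untouched_hmac": verify_keyed(KEY, ORIGINAL, sent_tag),
    }

if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name}: check {'passes' if passed else 'fails'}")
```
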

Non-repudiation

  1. Sender hashes a document, encrypts the hash with his private key, and sends both the document and the encrypted hash → proves integrity
  2. Receiver decrypts with sender’s public key → proves authenticity
  3. Receiver hashes the document and compares both hashes → proves Non-repudiation (authenticity + integrity)
  • Sender encrypts the hash with private key → Digital Signature
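
The three steps above, as an added example that is not part of the original notes. It uses textbook RSA with a toy key built from two small known primes and no padding, which is an assumption made to keep the example self-contained; real signatures use much larger keys and a padding scheme. All names and the sample document are constructed.

```python
import hashlib

# Toy key pair (assumption for illustration only): two known Mersenne primes.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                                # public modulus
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)

def digest_int(document: bytes) -> int:
    """Hash the document and reduce the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """Step 1: sender hashes the document and encrypts the hash with the
    private key. The result is the digital signature."""
    return pow(digest_int(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Steps 2 and 3: receiver decrypts the signature with the sender's public
    key, hashes the received document, and compares the two hashes."""
    recovered_hash = pow(signature, E, N)
    return recovered_hash == digest_int(document)

# Constructed sample document.
DOC = b"I agree to the terms dated 2024-01-01."

if __name__ == "__main__":
    sig = sign(DOC)
    print("original verifies:", verify(DOC, sig))
    print("altered document verifies:", verify(DOC + b" (amended)", sig))
    print("altered signature verifies:", verify(DOC, (sig + 1) % N))
```
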

Asymmetric P.A.I.N

  • Privacy → Receiver’s public key
  • Authenticity → Sender’s private key
  • Integrity → Hash/checksum/CRC
  • Non-repudiation → Hash encrypted by sender’s private key

IPSec

  • Provides the framework for services such as encryption, authentication, integrity
  • Comes integrated with IPv6, but is backward compatible with IPv4
  • IPSec provides encapsulation, not encryption

Sub-Protocols

  • Authentication Header (AH)

    • Provides integrity, authenticity, and non-repudiation through ICV
    • AH + NAT incompatible
  • Encapsulating Security Payload (ESP)

    • Provides authenticity & integrity through MAC
    • Provides encryption
    • ICV is run on payload only
  • Internet Key Exchange (IKE)

    • No security service
    • Just management of secure connection

Security Associations / SPIs

  • The SPI uniquely identifies each of a number of connections with the same server.

PKI (Public Key Infrastructure)

  • Components
    • Digital certificates
      • X.509 Standard (version 4)
      • Provides authenticity of server’s public key
      • Necessary to avoid MITM
      • Digitally signed by CA
    • Certificate Authority
    • Registration Authority
    • Certificate Repository
    • Certificate Revocation
      • Certificate Revocation List (CRL) → CA publishes, client downloads
      • Online Certificate Status Protocol (OCSP) → live certificate revocation checking
