
General Cryptography
Part 1 of 2

Table of Contents
Cryptography
Cryptography Interoperability
Cryptography in Everyday Use
Common Terms in Cryptography -1
Common Terms in Cryptography -2
Common Terms in Cryptography -3
Kerckhoff’s Principle
Symmetric Cryptosystem
Asymmetric Cryptosystems
Asymmetric Algorithms
Block Cipher
Block Cipher Modes -1
Block Cipher Modes -2
Block Cipher Modes -1
Block Cipher Modes -2
Block Cipher Examples
Stream Cipher
Stream Cipher Examples
Notices

Cryptography

Used to protect data at-rest and data in-transit from being compromised or misused.

Assures confidentiality and integrity of data
• Protected communications are not visible by others.
• Verifies data has not been altered or corrupted.

Provides authentication
• Verifies identity of participants.

Non-repudiation
• Undeniable transactions – sender sent it, recipient received it.
• Usually requires an independent third party (Certificate Authority).
• Digital signatures provide the mechanisms behind the concept.

First, before we go any further whatsoever, the idea of cryptography is to communicate in the presence of adversaries. You and I want to talk, and we don't want them to listen in. So what we want in cryptography is we want to use mathematical transforms of different kinds to ensure that our communication is protected, confidential. We also want to make sure that our communications aren't interrupted by a man in the middle that can swap our communications out and put something else in.

We also want to provide authentication. How do you know it wasn't somebody else that jumped into this? "There's no take-backsies." That's what nonrepudiation is. It says you can't deny that you said something.
You can't take it back. Nonrepudiation typically involves a certification authority. You could do it without. So then with cryptography, we need to talk about the tools that we use.

Cryptography Interoperability

Achieved when crypto systems work together seamlessly.
• For example, web-browser based SSL

Good design goal when designing new systems.
• For example, does a WAP support WEP, WPA, WPA2, or all 3?

Validate any vendor claims of interoperability.
• Common Criteria, NIST, and the Cryptographic Module Validation Program (CMVP).

When we use those tools, can you use the same tool that I do? So what we have to do is all agree that we're going to use the same protocol and the same encryption methodologies for it to all work out. And the reason why old cryptography stays in place for a really long time is because not only do you and I have to agree, but we have to get the whole world to agree.

And when we design new systems, we need to make sure that that system-- well, that it thinks about the other possibilities in the future. A perfect example of a good system gone bad is our first try at encryption for wireless communications, in WEP.

Also, we need to roll this out to the vendors and they need to be able to implement it. And in a lot of cryptography, what we do is we use hardware, special purpose ASIC chips that are designed for that one thing. So think about chip fabrication. How long do you think that takes? That's years.

Then once we create a design, once we create an implementation-- maybe even once we create chips-- how do we know that that is verifiable and valid for the uses that we put it to? And that's where we start reaching out to cryptographic module validation programs; we start reaching out to governments and asking them to review our design.

Cryptography in Everyday Use

E-mail
• Messages and attachments can be encrypted.
• Implementations are S/MIME, PGP, and PEM.

E-commerce
• Transactions can be encrypted.
• Implementations include SSL/TLS, and PCI-DSS.

We use this every single day in ecommerce. There's no doubt about it. Some of us use it every single day in email. You don't have to have any fancy setup to use cryptography on a day-to-day basis, because it's built into most of the things that we're doing. Some regulations require that we have cryptography end-to-end.

Common Terms in Cryptography -1

Cryptosystem – the system of algorithm, parameters, key, and/or password used for encrypting and decrypting data.
Code – a cryptosystem that uses substitution of words for the original text.
Cipher – a procedure to scramble a message so only the person with the knowledge of how it was scrambled (the key) can read it.
Steganography – process of hiding information in another message or file.

Cryptosystems. This is all of the mathematical transforms that are all jammed together. This is where the key sits. This is where the algorithm sits. There is where all the parameters can be changed within the system, and if it's got a password, this is where it encrypts and decrypts. This could be a chip right with current Intel processors. There is actually a separate chip within most Intel processors today that does AES encryption and decryption as a separate chip.

When we talk about code, that is usually a substitution, a trade for one thing or the other. For example, code talker. So, in World War II, we wanted to have communications from ship to shore, and the way we did that was we didn't use what everybody else used. We had our own special cryptographers, which were Native Americans. What they did was is they took information from the ships and translated it into their native language, which there was no written record of that native language for our adversaries.
And then on the other side, the other Native American on the other side would retranslate that back into issued orders. There was no record of this, so there was no way to do that code translation. Well, these code talkers had to come up with codes that fit with artillery movements and words that weren't in their language. So a code is to trade one for another, or substitution.

A cipher is a way to scramble things. I want to encipher or decipher. And so we'll create a mathematical transformation that predictively scrambles those things. And when we run that math the other way-- or run it the same way in some cases, especially for symmetric encryption-- it will decipher it so that we can read it again. So ciphering is the procedure for scrambling.

Steganography is covert communications. And the best way that I can give you an example of this is when we do invisible ink. We still have to pass something back and forth, but when our adversaries look at it, they just see, "Oh, he's handing them a piece of paper."

Common Terms in Cryptography -2

Plain text – the original, unencrypted data.
Cipher text – the encrypted data.
Substitution – each character is replaced with another to form the cipher text.
• Simple – one to one: Message → Nfttbhf
• Homophonic – one to many: Message → Nafbtctdbehffg
• Polygram – block to block: Message → Actksisiwksiea
• Polyalphabetic – multiple alphabets: Message
Transposition – reorders plain text to form cipher text.
• MESSAGE → MSEEA0SG0 (written in rows as MES / SAG / E00)

Some other common cryptology terms that dig down into what we're doing. Plain text-- that's the stuff that humans can read. Cipher text-- that's the stuff that's been transformed
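
The simple substitution and transposition examples from the "Common Terms in Cryptography -2" slide, worked through in Python. This is an added example, not part of the original course material; the function names, the three-column grid and the "0" pad character are assumptions read off the slide's MES / SAG / E00 layout.

```python
import string

def shift_substitute(text, shift=1):
    """Simple one-to-one substitution: each letter moves `shift` places along the alphabet."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)

def letter_pattern(text):
    """Index of first occurrence for each character, e.g. 'abba' -> (0, 1, 1, 0)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in text.lower())

def transpose_encrypt(text, cols=3, pad="0"):
    """Write the text row by row into `cols` columns, pad the last row, read column by column."""
    rows = -(-len(text) // cols)  # ceiling division
    grid = text.ljust(rows * cols, pad)
    return "".join(grid[c::cols] for c in range(cols))

def transpose_decrypt(cipher, cols=3, pad="0"):
    """Undo transpose_encrypt: rebuild the rows, then drop the padding."""
    rows = len(cipher) // cols
    grid = "".join(cipher[r::rows] for r in range(rows))
    return grid.rstrip(pad)  # assumes the plain text does not itself end in the pad character

if __name__ == "__main__":
    plain = "Message"
    sub = shift_substitute(plain, 1)
    print(plain, "->", sub, "->", shift_substitute(sub, -1))
    # One-to-one substitution keeps the repeated-letter pattern of the plain text,
    # so the doubled "ss" still shows up as a doubled letter in the cipher text.
    print(letter_pattern(plain) == letter_pattern(sub))
    trans = transpose_encrypt("MESSAGE")
    print("MESSAGE ->", trans, "->", transpose_decrypt(trans))
    # Transposition only reorders: the multiset of characters is unchanged.
    print(sorted(trans) == sorted("MESSAGE00"))
```

Both transforms leave structure an analyst can use: substitution preserves letter patterns, and transposition preserves letter counts.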