
Encryption Fundamentals

Hugo Fruehauf
hxf@zyfer.com
October 2001
Securing Data through a Cryptographic Process

Figure: Sender
  Data Packet (packet length, however long): 101010011100100100100101001000100010
  Encryption Key (e.g. 128 bits): 101001010010010100101001001010010100100
  Encrypted Data: 000110001001001000010010000100000100000
  The packet is chopped into key-length sections; if a section is too short, it is padded with '0's to the key length.
Network
Figure: Receiver (128-bit StealthKey)
  Encrypted Data: 000110001001001000010010000100000100000
  Same Key for Decryption: 101001010010010100101001001010010100100
  Data Packet: 101010011100100100100101001000100010

9-01
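The chop-and-pad step in the diagram above, as an added example (not code from the original deck). The 128-bit block size follows the slide's key length; the sample packet is the slide's bit string, treated here as constructed input. The example also shows the check a practitioner wants: plain zero padding is not self-describing, so the receiver must know the original length.

```python
# Added example (not code from the original deck): split a packet's bit string
# into key-length sections and zero-pad the last one, as the diagram describes.
# KEY_BITS = 128 follows the slide; SAMPLE_PACKET is the slide's bit string.

KEY_BITS = 128


def chop_and_pad(bits: str, block_bits: int = KEY_BITS) -> list:
    """Chop `bits` into block_bits-long sections; pad the last with '0's."""
    if block_bits <= 0:
        raise ValueError("block_bits must be positive")
    if bits.strip("01"):                 # anything left over is not a 0/1
        raise ValueError("bits must contain only '0' and '1'")
    blocks = [bits[i:i + block_bits] for i in range(0, len(bits), block_bits)]
    if blocks and len(blocks[-1]) < block_bits:
        blocks[-1] = blocks[-1].ljust(block_bits, "0")
    return blocks


def reassemble(blocks: list, original_len: int) -> str:
    """Undo the chopping. The caller must know the original length: trailing
    data zeros and pad zeros look identical, which is why real block ciphers
    carry a length field or use a self-describing scheme such as PKCS#7."""
    return "".join(blocks)[:original_len]


def padding_is_ambiguous(a: str, b: str, block_bits: int = KEY_BITS) -> bool:
    """True when two different packets pad to exactly the same blocks."""
    return a != b and chop_and_pad(a, block_bits) == chop_and_pad(b, block_bits)


SAMPLE_PACKET = "101010011100100100100101001000100010"   # 36 bits, from the slide

if __name__ == "__main__":
    blocks = chop_and_pad(SAMPLE_PACKET)
    print(len(blocks), "block(s) of", len(blocks[0]), "bits")
    print("ambiguous:", padding_is_ambiguous("10", "100"))
```

The `padding_is_ambiguous` check is the point to take away: "10" and "100" become the same 128-bit block, so a receiver that only sees the blocks cannot tell which packet was sent unless the length travels with the data.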
Cryptographic Algorithms

• Cryptography allows two parties to exchange sensitive information in a secure manner.
• Encryption scrambles the information so that only the intended recipient can recover the original information by decrypting it.
• Two types of cryptographic algorithms
  – Symmetric (Secret-Key) algorithms
  – Asymmetric (Public-Key) algorithms
• Cryptography can also provide the following security properties
  – Authentication - authenticates the party that sent the information.
  – Integrity - assures that the information was not modified while in transit.
  – Non-repudiation - prevents a party from denying a previous message or action.

Symmetric (Secret-Key) Cryptography

Figure: Sender: Unencrypted Data -> Encryptor (Key) -> Encrypted Data -> Communications Media (RF, Wire, Fiber, Physical, etc.) -> Receiver: Encrypted Data -> Decryptor (Key) -> Unencrypted Data. The same key is used at both ends, so the key must be given to the receiver. The unencrypted side is marked "Red" in the diagram.

Symmetric Key Pros and Cons

• Pros:
  – Fast
  – Easy to implement in hardware
  – Widely used
• Cons:
  – Secret key must be exchanged via a trusted (secure) channel
  – Most have fixed key length
  – Can be broken if a poor algorithm is used
  – Requires added effort for authentication of sender
  – Key administration logistics

A new key must be created and kept for every pair of parties that exchanges information:
  • 2 parties = 1 key
  • 3 parties = 3 keys
  • 4 parties = 6 keys
  • 5 parties = 10 keys
  • n parties = (n² − n) / 2 keys

Asymmetric (Public-Key) Cryptography

• Public Key Infrastructure (PKI) definition
  – A policy for establishing a secure method for exchanging information within an organization, an industry or a nation. It includes the cryptographic methods, the use of digital signatures, digital certificates and certification authorities (CAs), and the system for managing the process.
• Provides enterprise-wide security and authentication
• Administers security once for all network applications across all platforms
• Provides security consistently
• Builds a "trusted" network environment

Hierarchical PKI Model

Figure: Root Authority (off-line) -> Signing Authority (off-line) -> Customer CA -> Customer RA -> Network (secure transactions). The Root and Signing Authorities form the secure root and infrastructure; the Signing Authority holds a signing certificate created for a specific policy, creates the Customer CA's certificate, and maintains secure communications with other CAs. The Root Authority, Signing Authority and Customer CA are each a point of authentication; the Customer RA is the point of verification.
CA - Certification Authority
RA - Registration Authority

Registration and Certification Process

Figure (numbered steps):
  1. Applicant starts the process
  2. Complete application
  3. Generate key pair
  4. Send application to the RA
  5. Registration Authority reviews the application
  6. Create certificate request
  7. Send to the CA
  8. CA generates the certificate
  9. Send certificate to applicant (deliver certificate)

Certificate contents: Name, Org, Key, Signature, Date, Issuer

Basics of Asymmetric (Public-Key) Cryptography

• PKI (simplified)
  Figure: Sender (A) fetches the Receiver's Public Key (B) from the Public Key Data Base and encrypts the data to be encrypted; the result crosses the Network; Receiver (B) decrypts it with Private Key (B) to recover the decrypted data.
• Usable mainly for relatively low data rates, because asymmetric cryptography is math intensive, which slows down the pipe.

Symmetric Key Exchange via PKI

• PKI (simplified)
  Figure: Sender (A) generates a symmetric key and encrypts it with the Receiver's Public Key (B) from the Public Key Data Base; it crosses the Network and Receiver (B) decrypts it with Private Key (B) (symmetric key received). The data to be encrypted is then encrypted with the symmetric key at A and decrypted with the same symmetric key at B.
• With the symmetric key transferred to the receiver via PKI, the system is now ready for high data rates: no key-resolution math on the data path, just the symmetric encryption algorithm, which should not slow the pipe.

Public-Key vs. StealthKey Infrastructure

• PKI (simplified)
  Figure: Sender (A) generates a symmetric key, encrypts it with Public Key (B) and sends it over the Network; Receiver (B) decrypts it with Private Key (B) (symmetric key received); the data is then encrypted and decrypted with that symmetric key.
• Simplified StealthKey™ for comparison
  Figure: Sender and Receiver each independently generate the symmetric keys; Data -> Encrypt -> Network -> Decrypt -> Data, with no key transferred over the network.

Key Management - The n² Problem

If there are 'n' people communicating, there needs to be (n² − n)/2 keys!

  n = 10:  (10² − 10)/2  = (100 − 10)/2     = 90/2     = 45
  n = 100: (100² − 100)/2 = (10,000 − 100)/2 = 9,900/2  = 4,950
  n = 200: (200² − 200)/2 = (40,000 − 200)/2 = 39,800/2 = 19,900

Source: SU and SAIC (modified)

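The (n² − n)/2 count worked through in code, as an added example that is not part of the original deck. It labels the pairwise keys the way the next figure does (KAB, KAH, ...) and sets the symmetric count beside the public-key case, where each party needs only its own key pair. The list of names comes from that figure; everything else is constructed here.

```python
# Added example (not from the original deck): count and label the pairwise
# symmetric keys for n parties, check the (n^2 - n)/2 formula, and compare
# with the public-key case. Names are those in the Key Exchange Logistics
# figure; the rest is constructed for illustration.
from itertools import combinations

PEOPLE = ["Amy", "Barry", "Cathy", "Don", "Earl", "Frank", "Gina", "Henry"]


def symmetric_key_count(n: int) -> int:
    """(n^2 - n) / 2: one secret key per unordered pair of parties."""
    if n < 0:
        raise ValueError("n must be non-negative")
    return (n * n - n) // 2


def pairwise_keys(names: list) -> list:
    """Label every pairwise key K<xy> (KAB, KAH, ... as in the figure)."""
    return [f"K{a[0]}{b[0]}" for a, b in combinations(names, 2)]


def key_growth(sizes) -> dict:
    """For each n: (secret keys needed with symmetric crypto,
    key pairs needed with public-key crypto, i.e. one per party)."""
    return {n: (symmetric_key_count(n), n) for n in sizes}


def keys_to_add(existing: int) -> int:
    """Joining a group of `existing` parties needs a fresh key with each of them."""
    return symmetric_key_count(existing + 1) - symmetric_key_count(existing)


if __name__ == "__main__":
    print(len(pairwise_keys(PEOPLE)), "keys for", len(PEOPLE), "people")
    for n, (sym, asym) in key_growth([10, 100, 200]).items():
        print(f"n={n}: {sym} symmetric keys vs {asym} public-key pairs")
```

`keys_to_add` is the operational cost hidden in the formula: every new member of a symmetric-key group requires a secure exchange with each existing member, which is the "key administration logistics" item on the pros-and-cons slide.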
Key Exchange Logistics

Figure: plot of the number of symmetric keys K(n) = (n² − n)/2 against the number of people communicating (n from 50 to 250; K(n) exceeds 30,000 at n = 250). Inset: eight people (Amy, Barry, Cathy, Don, Earl, Frank, Gina, Henry) with one key per pair, labelled KAB, KBC, KCD, KDE, KEF, KFG, KGH, KAH, KBH, KCH, KDH, KEH, KFH and so on.

PKI with Data and Sender Authentication

Figure: The Certification Authority (CA) publishes the Receiver's Public Key; the Public Key for a person is mathematically associated with the Private Key for that person. Sender: the decrypted (Red) data is encrypted with the Receiver's Public Key to give the encrypted (Black) data; a HASH of the data is encrypted with the Sender's Private Key and sent with it over the Network. Receiver: the encrypted (Black) data is decrypted with the Receiver's Private Key to recover the decrypted (Red) data; the sent HASH is decrypted with the Sender's Public Key and compared against a freshly computed HASH for data authentication.

Diffie-Hellman Infrastructure

• D-H Key Exchange
  Figure: Side A holds Private Key A and Public Key A; side B holds Private Key B and Public Key B. The public keys cross the Network IN THE CLEAR. Each side applies the Diffie-Hellman math to its own private key and the other side's public key and generates the same symmetric key, which encrypts Data In at A and decrypts to Data Out at B.

Today's Cryptography Systems (Simplified)

Figure (reconstructed from the diagram's numbered steps):

"Setup" Phase
  1. User #1 requests keys from the CA
  2. User #1 receives keys (User #2 gets its keys from the CA the same way)
  3. Look up User #2 public key in the public data base
  4. Receive User #2 public key
  5. Store keys in terminal
"Use" Phase
  6. User #1 holds its private key and a symmetric key
  7. Encrypt the symmetric key
  8. Asymmetric transfer of the symmetric key
  9. Decrypt at User #2
  10. Symmetric key now held by User #2
  11. Acknowledge receipt
  12. Data in
  13. Encrypt with the symmetric key
  14. Symmetric transfer
  15. Network
  16. Decrypt, data out
"Repeat Setup" Phase
  17 & 18. Request/receive new keys
  19. Generate new keys via CA, or store in terminal, etc.

StealthKey™ Cryptography Infrastructure

Figure (reconstructed from the diagram's numbered steps):

"Setup" Phase
  1. User #1 and User #2 each get/receive a setup from the Authorized Agency (secured data base)
  2. Store in chip
  3. Symmetric key sequences are generated in the chip at each end
"Use" Phase
  4. Data in
  5. Encrypt
  6-7. Symmetric transfer across the network
  8. Decrypt, data out
"Repeat Setup" Phase

RSA - Public Key Infrastructure Details

Figure (numbered flow in the original diagram, described here):
  Key setup: the receiver generates an RSA public and private key pair and places the receiver public key in the RSA public key database, from which the sender fetches it. The sender generates a symmetric (secret) key, RSA-encrypts it under the receiver public key and sends it; the receiver RSA-decrypts it with the receiver private key, so both sides now hold the same symmetric (secret) key.
  Data transfer: the sender timestamps the message, computes a message digest (HASH) of the timestamped message, encrypts the timestamped message with the symmetric key and sends it over the network; the receiver decrypts with the symmetric key, recovers the timestamped message and computes its own message digest (HASH).
  Authentication (sender, receiver, data integrity): the sender generates its own RSA key pair and publishes the sender public key in the database; it RSA-encrypts the message digest with the sender private key and sends it. The receiver fetches the sender public key, RSA-decrypts the received digest and compares it with the digest it computed, giving the authentication result (Y/N).

Asymmetric Keys Pros and Cons

• Pros:
  – Does not require a trusted (secure) channel
  – Inherently provides authentication of sender
  – Variable key lengths
• Cons:
  – Computationally intensive, not usable for high speed applications
  – Not easily implemented in hardware
  – Authentication of public keys
  – Key administration logistics

– Asymmetric algorithms mathematically relate two key materials - a public and private key pair
– The public key is in the open domain
– The private key is protected by a password in a secure location, usually in a PC, smart card or floppy
– The public key is generally used to encrypt data and the mated private key for decrypting data

Role of Certification Authority

• Certification Authorities (CA) establish the validity of certificates, allowing an identity to be bound to a public key and providing confidence that the binding is valid.
• CAs issue, manage, and revoke certificates for the user communities.
• Certification Authorities
  – Validate identity of certificate subject (to various degrees)
  – Certify certificates with CA digital signature
  – Enforce certificate validity
  – Maintain a certificate revocation list (CRL)
  – Generate Key Pairs

Source: Chokhani, S., Ford, W., "Internet Public Key Infrastructure: Certificate Policy and Certification Practices Framework," IETF Internet Draft, draft-ietf-pkix-ipki-part4-02.txt, 30 September 1997.

Digital Signatures

• Digital Signatures:
  – An authentication mechanism that enables the creator to attach a code that acts as a Signature. The signature guarantees the source and integrity of the file.
  – Provides authenticity and integrity.
    • Authenticity or Source: The sender of the information is who he says he is.
    • Integrity: The information sent has not been changed during the transmission.
• Encryption vs. Digital Signatures
  – Encryption solves:
    • Confidentiality
    • Access Control
  – Digital Signature solves:
    • Information Integrity
    • Authentication
    • Non-Repudiation

Digital Signatures

• Creation:
  – Hash the data object to be signed.
  – Encrypt the hash with your private key.
  – Transmit the data object, your public key and the encrypted hash.
• Verification:
  – Hash the data object received.
  – Decrypt the encrypted hash with the sender's public key.
  – Compare the computed hash with the decrypted hash.

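One added example that covers both the hybrid flow of "Symmetric Key Exchange via PKI" (the setup/use phases of "Today's Cryptography Systems") and the signature creation and verification steps just above. It is not code from the deck or from any product it names. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream standing in for the symmetric cipher are assumptions made so the example runs offline and deterministically; real deployments use random 1024-bit-or-larger primes with OAEP/PSS padding and AES. The message is constructed.

```python
# Added example (not code from the original deck or any vendor product):
# hybrid key transport plus a digital signature, using textbook RSA over
# fixed primes and a SHA-256 keystream as the symmetric cipher. Both are demo
# assumptions; use a vetted library with OAEP/PSS padding and AES in practice.
import hashlib
import hmac
import secrets
from math import gcd

# Mersenne primes as fixed toy key material. Each party gets its own pair of
# primes: keys that share a prime are factored instantly by gcd.
SENDER_PRIMES = (2**521 - 1, 2**127 - 1)
RECEIVER_PRIMES = (2**607 - 1, 2**107 - 1)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and its mated private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("bad primes for this public exponent")
    d = pow(e, -1, phi)            # d * e == 1 (mod phi)
    return (n, e), (n, d)


def rsa_apply(key, m: int) -> int:
    """Textbook RSA m^exp mod n. The same operation encrypts/decrypts and
    signs/verifies depending on which half of the pair is used."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("integer out of range for this modulus")
    return pow(m, exp, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256(key || counter) keystream.
    Symmetric, so one call both encrypts and decrypts."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def sign(priv, data: bytes) -> int:
    """Creation: hash the object, 'encrypt' the hash with the private key."""
    return rsa_apply(priv, int.from_bytes(hashlib.sha256(data).digest(), "big"))


def verify(pub, data: bytes, signature: int) -> bool:
    """Verification: hash the received object, 'decrypt' the signature with
    the sender's public key, compare in constant time."""
    n, _ = pub
    if not 0 <= signature < n:
        return False
    recovered = rsa_apply(pub, signature)
    if recovered >= 1 << 256:      # cannot be a SHA-256 digest
        return False
    return hmac.compare_digest(hashlib.sha256(data).digest(),
                               recovered.to_bytes(32, "big"))


def hybrid_session(message: bytes):
    """A wraps a fresh 128-bit symmetric key under B's public key, encrypts
    the data symmetrically and signs it; B unwraps, decrypts and verifies.
    Returns (recovered plaintext, signature valid, tampered copy valid)."""
    a_pub, a_priv = rsa_keygen(*SENDER_PRIMES)
    b_pub, b_priv = rsa_keygen(*RECEIVER_PRIMES)

    # Sender (A). One slow RSA operation on the 128-bit key ("Setup"), then
    # the fast symmetric algorithm on the bulk data ("Use").
    sym_key = secrets.token_bytes(16)
    wrapped_key = rsa_apply(b_pub, int.from_bytes(sym_key, "big"))
    ciphertext = keystream_xor(sym_key, message)
    signature = sign(a_priv, message)

    # Receiver (B).
    key_rcvd = rsa_apply(b_priv, wrapped_key).to_bytes(16, "big")
    plaintext = keystream_xor(key_rcvd, ciphertext)
    return (plaintext,
            verify(a_pub, plaintext, signature),
            verify(a_pub, plaintext + b"!", signature))


if __name__ == "__main__":
    pt, ok, tampered = hybrid_session(b"attack at dawn")
    print(pt, "valid:", ok, "tampered copy valid:", tampered)
```

Two practitioner caveats the slides leave implicit. The signature here is over the plaintext and travels beside the ciphertext, so an observer holding the signature can check guesses of the plaintext against it; sign-then-encrypt, or an authenticated encryption mode, avoids that. And `verify` only proves that whoever holds the private key matching `a_pub` signed the data; that `a_pub` really belongs to A is what a certificate (and the next slide's binding problem) is about.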
Spoofing Attacks

Need for binding A to A's public key

Figure: A holds A's private key and publishes A's public key. X holds X's private key and X's public key. When B asks the network "Send me A's public key", X answers with X's public key instead, so B encrypts to X, who can read the traffic. Without a binding between A's identity and A's public key, B cannot tell the two keys apart.

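The Diffie-Hellman exchange from the "Diffie-Hellman Infrastructure" slide and the key-substitution attack from the slide above, in one added example that is not part of the original deck. The group (p = 2^127 − 1, g = 5) is a toy assumption chosen so the code runs instantly; real systems use an RFC 7919 group or X25519. The fingerprint check at the end is one way to supply the binding the slide calls for: a certificate from a CA serves the same purpose.

```python
# Added example (not code from the original deck): D-H key agreement with the
# public values sent in the clear, then the spoofing attack where X answers a
# request for A's public key with X's own. Toy group parameters (assumption).
import hashlib
import secrets

P = 2**127 - 1     # toy prime modulus, far too small for real use
G = 5


def dh_keypair():
    """Private exponent x and public value g^x mod p (sent IN THE CLEAR)."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def dh_shared_key(my_priv: int, their_pub: int) -> bytes:
    """Diffie-Hellman math: their_pub^my_priv mod p, hashed into a 256-bit
    symmetric key. Rejects 0, 1 and p-1, which force a trivial secret."""
    if not 1 < their_pub < P - 1:
        raise ValueError("invalid public value")
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short hash of a public value, to be compared with a trusted copy
    obtained out of band or through a CA: the binding of A to A's key."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def honest_exchange() -> bool:
    """A and B exchange public values directly; both derive the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_key(a_priv, b_pub) == dh_shared_key(b_priv, a_pub)


def spoofed_exchange() -> dict:
    """X hands B its own public value in place of A's (and A in place of
    B's). A and B each share a key with X rather than with each other, so X
    can decrypt and re-encrypt everything in between. Checking the received
    value against a trusted fingerprint of A's key detects the swap."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    x_priv, x_pub = dh_keypair()
    trusted_fp_of_a = fingerprint(a_pub)        # learned out of band / via a CA

    k_a = dh_shared_key(a_priv, x_pub)          # A believes x_pub is B's
    k_b = dh_shared_key(b_priv, x_pub)          # B believes x_pub is A's
    return {
        "a_and_b_agree": k_a == k_b,
        "x_reads_a_side": k_a == dh_shared_key(x_priv, a_pub),
        "x_reads_b_side": k_b == dh_shared_key(x_priv, b_pub),
        "swap_detected": fingerprint(x_pub) != trusted_fp_of_a,
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("spoofed exchange:", spoofed_exchange())
```

Note what the attack does not need: X never learns a private key and never breaks the math. It only exploits the missing binding between "A" and a public value, which is why the public values being sent in the clear is fine but their origin being unauthenticated is not.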
Cost and Time to Break DES Keys

Time to Break Key:

  Type of Attacker        Budget        40-Bit       56-Bit               168-Bit 3DES
  Individual Hacker       $400          5 Hours      38 Years             Too long
  Dedicated Hacker        $10,000       12 Minutes   556 Days (22 Hrs*)   10^19 Years
  Intelligence Community  $10 Million   0.02 Sec.    21 Minutes           10^17 Years

(Source: "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security," Blaze, et al., 1/96; Schneier, B., "Applied Cryptography, Second Edition," John Wiley & Sons, Inc., 1996)
* IPSec, Naganand Doraswamy, Prentice-Hall, 1999

StealthKey™ Encryption Layer Options

Figure: the OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) set against the Internet layers (4 Application, 3 Host to Host / Transport Layer, 2 Internet-Working, 1 Network Access Layer), with the StealthKey encrypt shim options:
  – Application layer: DATA (payload); 32-bit OH needed; 128-bit blocks, OH+P.
  – Transport layer: TCP packet (payload); OH may not be needed; 128-bit blocks, pad.
  – Network layer (IPSec): transport mode IP | ESP | TCP | DATA; tunnel mode IP | ESP | IP | TCP | DATA.
  – Network I/O: NAL | IP | ESP | IP | TCP | DATA | NAL.

Packet Loss / Internet Performance

Figure (axes only; data series not recoverable): two panels of Internet performance over about two days (AM, Noon, PM, Midnight, Early AM, AM, Noon, PM, Midnight, Early AM, AM): packet loss (0% to 45%) and round trip latency (0 to 2500 ms).