This post (and its follow-ups) is based on a study book, Network Security: Private Communications in a Public World (2nd Edition) from Prentice Hall, that I started reading at the end of the summer of 2014.
I wanted to write some cheatsheets to make it easier to look up the information at a later stage. You can find the book in the Amazon bookstore.
Alice, Fred and Trudy are the participants in the different transactions. They make it easier to remember instead of talking about A, B or C.
Definitions and history
First off, we need some basic definitions so that there’s no misunderstanding about the meaning of the different terms.
- A plaintext or cleartext message is the message in the original form;
- A ciphertext or secret code is the mangled information;
- The encryption process is the process of going from plaintext to ciphertext;
- The decryption process is the process of going from ciphertext to plaintext;
- A key is the secret value that is used in cryptographic systems.
Some of the historic cryptographic systems or ciphers are:
- The Caesar cipher that substitutes every letter of the message with the “letter + n” from the alphabet;
- The monoalphabetic cipher that consists of an arbitrary mapping of one letter to another letter (this means 26! possible pairings of letters).
Breaking a scheme
There are three different basic attacks known against an encryption scheme:
- In a ciphertext only attack (or recognizable plaintext attack) Fred has seen (enough) ciphertext that he can analyze. It is important that Fred can differentiate plaintext from gibberish and that Fred is able to recognize he has succeeded;
- In a known plaintext attack Fred somehow obtained a [plaintext,ciphertext] pair and he’s able to learn the used scheme from this data;
- In a chosen plaintext attack Fred can choose any plaintext he wants, and get the system to tell him what the corresponding ciphertext is.
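The first two attacks, worked through against the Caesar cipher from the previous section. This is an added example, not code from the book or the original post; the sample sentence, the word list and the function names are constructed for the illustration.

```python
import string

# Constructed sample plaintext and a small list of common English words.
PLAINTEXT = "meet me at the old bridge after the sun has set and bring the letter"
COMMON = {"the", "and", "at", "me", "has", "after", "of", "to", "in", "is"}

def caesar(text, n):
    """Substitute every letter with "letter + n" (mod 26); keep other characters."""
    shifted = []
    for ch in text:
        if ch in string.ascii_lowercase:
            ch = chr((ord(ch) - ord("a") + n) % 26 + ord("a"))
        shifted.append(ch)
    return "".join(shifted)

def english_score(text):
    """Recognition step: how many words of the candidate are common English words."""
    return sum(word in COMMON for word in text.split())

def ciphertext_only(ciphertext):
    """Try all 26 keys and keep the candidate that looks most like plaintext."""
    best = max(range(26), key=lambda n: english_score(caesar(ciphertext, -n)))
    return best, caesar(ciphertext, -best)

def known_plaintext(plaintext, ciphertext):
    """One [plaintext, ciphertext] letter pair is enough to reveal n."""
    for p, c in zip(plaintext, ciphertext):
        if p in string.ascii_lowercase:
            return (ord(c) - ord(p)) % 26
    raise ValueError("no letters in the pair")

if __name__ == "__main__":
    ct = caesar(PLAINTEXT, 11)
    print(ct)
    print(ciphertext_only(ct))
    print(known_plaintext(PLAINTEXT, ct))
```

The ciphertext-only search only works because `english_score` can tell plaintext from gibberish; with 26 keys the search itself is trivial, which is why the key space of the monoalphabetic cipher (26!) matters.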
Basically there are three different cryptographic functions:
- In secret key cryptography or symmetric cryptography you use a single key to transform a message to unintelligible data. The key is shared with the recipient of the message;
- In public key cryptography or asymmetric cryptography each participant has two keys, a private key (not shared) and a public key (available to everyone). Besides encrypting a message, we can also use this technology to generate a digital signature of a message (which guarantees the integrity of the message);
- A hash algorithm or message digest or one-way transformation uses a function to compute a fixed-length number from a message.
In general these algorithms convert a fixed-length block of a message into a block of output via a fixed-length key. There are two kinds of transformations on a block of data:
- A substitution specifies for each of the possible input values an output;
- A permutation (or bit shuffle) specifies for each of the input bits the output position.
DES (Data Encryption Standard) was published in 1977 and uses a 56-bit key and transforms a 64-bit input block into a 64-bit output block. AES (Advanced Encryption Standard) is a standardization of Rijndael and uses a 128-bit block size and a key of 128, 192 or 256 bits.
A stream cipher generates a long random string (a one-time pad) that is applied to a stream of plaintext with a bitwise exclusive or (ex-or) function. RC4 is an example of a stream cipher.
Encrypting larger messages
Messages are seldom exactly the same size as requested by the input block (64-bit or otherwise). So how do we encrypt a message with a different length?
- In ECB – Electronic Code Book you break the message into 64-bit blocks and encrypt each block with the secret key. This is not ideal. Two identical input blocks will generate the same output blocks, which might provide useful information to Fred. Furthermore, Fred might rearrange the blocks to his own advantage;
- With CBC – Cipher Block Chaining you avoid some of the problems in ECB. For each block we generate a 64-bit random number and x-or the plaintext block with the random number, encrypt the result and transmit both the unencrypted random number and the ciphertext block. CBC is slower and it does not prevent Fred from rearranging the blocks;
- OFB – Output Feedback Mode is a stream cipher that x-ors the message with a generated one-time pad;
- CFB – Cipher Feedback Mode is similar to OFB but uses the last bits of ciphertext of the previous block as input for the one-time pad. Therefore CFB can only be used if the message is known;
- CTR – Counter Mode is similar to OFB where a one-time pad is generated and x-or’d with the data.
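The two ECB weaknesses described above, next to CBC on the same message. This is an added example, not code from the book or the original post: the 64-bit block cipher is a toy Feistel construction built on SHA-256 (an assumption made so the example runs without third-party libraries, not a real cipher), the key and message are constructed, and the CBC shown is the standard chaining form in which the previous ciphertext block (an IV for the first block) plays the role of the per-block random number. The message length is assumed to be a multiple of the block size, so no padding is shown.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in the text
KEY = b"constructed-demo-key"
# Constructed message of four 8-byte blocks; blocks 0 and 2 are identical.
MSG = b"PAY:0100" + b"TO:ALICE" + b"PAY:0100" + b"TO:TRUDY"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, i):
    # Round function of the toy Feistel cipher (not a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, key, i))
    return l + r

def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(encrypt_block(key, b) for b in blocks(msg))

def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, b) for b in blocks(ct))

def cbc_encrypt(key, msg, iv):
    # Each plaintext block is XORed with the previous ciphertext block.
    out = [iv]
    for b in blocks(msg):
        out.append(encrypt_block(key, _xor(b, out[-1])))
    return b"".join(out)

def repeated_blocks(ct):
    return len(blocks(ct)) - len(set(blocks(ct)))

def swap_blocks(ct, i, j):
    bl = blocks(ct)
    bl[i], bl[j] = bl[j], bl[i]
    return b"".join(bl)
```

Under ECB the repeated plaintext block is visible in the ciphertext and swapped ciphertext blocks still decrypt cleanly, which is why a MAC is needed in addition to encryption when modification matters.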
A MAC – message authentication code or MIC – message integrity code is a cryptographic checksum generated by a secret key system. It is used to protect against modifications by an eavesdropper.
A hash or message digest is a one-way function. It is often used to fingerprint a file.
- SHA-1 = secure hash algorithm
- MD2, MD4 and MD5 = message digest
MD2 requires the message to be an integral number of octets and works as follows:
- The input is a message whose length is an arbitrary number of octets;
- The message is padded to a multiple of 16 octets;
- A 16-bit quantity (called a checksum) is appended to the end;
- The message is processed, 16 octets at a time. Each intermediate value of the message digest depends on the previous value.
MD4 was designed to be 32-bit-word-oriented and can handle messages with an arbitrary number of bits. The output message digest is 128 bits.
- The input must be a multiple of 512 bits (16 32-bit words);
- A 1 bit is appended to the original message, followed by enough 0 bits to leave the message 64 bits less than a multiple of 512 bits;
- Then a 64-bit quantity is appended.
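The MD4 padding steps above as code. This is an added example, not code from the book or the original post; it assumes a message made of whole octets, and it takes the 64-bit quantity to be the original message length in bits, stored low-order byte first as RFC 1320 specifies. The function names are chosen for the illustration.

```python
import struct

BLOCK_BYTES = 64  # 512 bits = sixteen 32-bit words

def md4_pad(message: bytes) -> bytes:
    """Return the message padded to a multiple of 512 bits."""
    bit_length = len(message) * 8
    # A 1 bit followed by seven 0 bits (messages here are whole octets).
    padded = message + b"\x80"
    # Enough 0 bits to end up 64 bits short of a multiple of 512 bits.
    padded += b"\x00" * ((56 - len(padded)) % BLOCK_BYTES)
    # The 64-bit length of the original message, low-order byte first.
    padded += struct.pack("<Q", bit_length % 2**64)
    return padded

def md4_blocks(message: bytes):
    """Split the padded message into blocks of sixteen 32-bit words."""
    padded = md4_pad(message)
    return [
        struct.unpack("<16I", padded[i:i + BLOCK_BYTES])
        for i in range(0, len(padded), BLOCK_BYTES)
    ]

if __name__ == "__main__":
    # Padding is always added, so a 56-octet message needs a second block.
    for size in (0, 3, 55, 56, 64):
        print(size, "octets ->", len(md4_blocks(b"a" * size)), "block(s)")
```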
MD5 was less concerned with speed but more concerned with security. It is very similar to MD4 but uses an extra pass (4 instead of 3) over each 16-octet part.
The maximum input message length for SHA-1 is 2^64 bits, and it produces a 160-bit output. It is similar to MD5 but a little bit slower and more secure.
Public key algorithms
RSA = Rivest, Shamir and Adleman is a public key algorithm that does encryption and decryption and has a variable key length. The block size is also variable. The ciphertext block will be the length of the key.
PKCS = Public-key Cryptography Standard is a standard which recommends encodings.
Diffie-Hellman is the oldest public key system still in use and does neither encryption nor signatures. It uses a shared key. ElGamal uses the same sort of keys as D-H and does signatures.
DSA – Digital Signature Algorithm (standardized as DSS, Digital Signature Standard) is an algorithm for digital signatures. It is based on ElGamal but is much faster.
Mathematicians do not yet have algorithms to break ECC – Elliptic Curve Cryptography.