
4. Encryption and Authentication

Introduction 1

  • The first historically documented encryption goes back to 600 BC when the ancient Spartans “used a device called a scytale to send secret messages during battle”.
  • The history of modern cryptography begins in the early 1970s. IBM developed a block cipher that was adopted in 1973 as Data Encryption Standard (DES).
  • DES is a Symmetric encryption algorithm. It means the same encryption key is used to both encrypt and decrypt the data.
  • In 1997 American cryptographers Whitfield Diffie and Martin Hellman:
    • Proved that DES can be broken by Brute Force.
    • Introduced a new approach to encryption that uses two encryption keys (one public and one private) to exchange protected messages over computer networks.
  • See 2 3 4 5 for more information about the history of encryption.

Brief History of Encryption 2

  • Caesar Cipher (50 BC): Shift all letters by a certain number of places, e.g. shift all letters by 3 places, then A becomes D, B becomes E, etc.
  • Cryptography:
    • It is the science of ciphering a message into secret code and deciphering it back.
    • It includes encryption, decryption, cryptanalysis, and digital signatures, etc.
  • Encryption: is the process of ciphering and deciphering a message.
  • Cryptanalysis: is the science of deciphering data and revealing the message in plain text.
  • 1945: Claude E. Shannon of Bell Labs published an article called “A Mathematical Theory of Cryptography.” It’s the starting point of modern cryptography.
  • 2005: Elliptic-curve cryptography (ECC) is an advanced public-key cryptography scheme that allows shorter encryption keys. Elliptic curve crypto-systems are more challenging to break than RSA and Diffie-Hellman.
  • ECC is used to protect bitcoins or messages on Signal or Telegram.
  • Challenges to encryption:
    • Quantum computers: as computers become more powerful, they can break encryption faster.
    • Experts foresee that RSA 2048 can be broken by 2035.
    • Scientists cannot guarantee encryption beyond thirty years.
  • Tokenization:
    • Tokenization is the process of replacing sensitive data with a non-sensitive equivalent known as a token without compromising the security of the original data.
    • Tokens can be stored in databases, transmitted over networks, or used to generate dynamic reports.
  • Zero-knowledge proof:
    • It is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
    • It’s a way of proving knowledge without giving away the knowledge itself, which is not the primary function of many other cryptographic methods.
    • It is a tool of cryptography.
  • Steganography:
    • It is the practice of hiding a secret message inside another real message.
    • E.g. writing a message in invisible ink between the visible lines of a letter.
    • E.g. sending a message in a digital image by changing the least significant bits of the image pixels.
    • E.g. Sending a blank paper, but after some processing (applying heat, etc.) the message appears.

Cryptographer Career Overview 3

  • Cryptographers typically work in finance, tech, or government organizations handling important information.
  • Careers:
    • Information Security Analyst: is responsible for protecting an organization’s computer networks and systems.
    • Penetration Tester: is responsible for finding vulnerabilities in computer systems and networks. aka Ethical Hacker.
    • Security Architect: is responsible for designing and building computer systems and networks that are secure.
    • Chief Information Security Officer (CISO): is responsible for overseeing the overall security of an organization’s computer systems and networks.

DES Algorithm 5

  • DES stands for Data Encryption Standard.
  • Symmetric-key algorithm using block-by-block encryption.
  • Uses a 56-bit or 48-bit key to encrypt a 64-bit block of data.
  • It has several steps (rounds) of encryption, the lengthier the key, the more rounds of encryption.
  • E.g. for a 128-bit key, there are 10 rounds of encryption, for a 192-bit key, there are 12 rounds of encryption, and for a 256-bit key, and so on.
  • History:
    • 1971: The Feistel block cipher was developed, which is the basis for DES.
    • 1976: DES was adopted as a federal standard.
    • 2002: DES was replaced by the Advanced Encryption Standard (AES).
  • Initial Permutation (IP):
    • The plain text is divided into 64-bit blocks.
    • This is done before the first round of encryption.
    • The bits of each block are rearranged according to a fixed permutation table.
    • E.g. bit 1 of the plain text becomes bit 58 of the cipher text, bit 2 becomes bit 50, etc.
    • The 64-bit ciphered block is divided into two 32-bit blocks: Left Plain Text (LPT) and Right Plain Text (RPT).
    • Output: 64-bit ciphered block.
  • Key Transformation:
    • DES process uses a 56-bit key, which is obtained by eliminating all the bits present in every 8th position in a 64-bit key.
    • A 48-bit key is generated from the 56-bit key by a compression permutation process.
    • Output: 48-bit key.
  • Expansion Permutation (EP):
    • Starts with the RPT generated in step 1, and converts it from 32-bit to 48-bit by adding 2 more bits to each 4-bit block.
    • The expanded RPT is XORed with the 48-bit key generated in step 2.
    • Output: 48-bit block.
  • DES Algorithm Steps: see 5.
  • DES Modes of Operation: see 5:
    • Electronic Code Book (ECB): Each block of plain text is encrypted/decrypted separately.
    • Cipher Block Chaining (CBC): Each block of the plain text depends on the previous block using an initialization vector.
    • Cipher Feedback (CFB): The encrypted text so far is used as input to the algorithm.
    • Output Feedback (OFB): The encrypted text so far is used as input to the algorithm.
    • Counter (CTR): Each plaintext block is XORed with an encrypted counter. The counter is then incremented for each subsequent block
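
The left/right split, the 16 rounds and the ECB/CBC difference described above, as an added example (not from the cited sources). It is a toy Feistel cipher on 64-bit blocks: the round function and key schedule are SHA-256 stand-ins chosen for illustration, so this is not DES and not secure, and all names and sample values are constructed.

```python
import hashlib

BLOCK = 8     # 64-bit blocks, as in DES
ROUNDS = 16   # DES runs 16 rounds


def round_keys(key):
    # Stand-in key schedule (assumption): one 48-bit subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    left, right = block[:4], block[4:]            # LPT and RPT, 32 bits each
    for k in subkeys:
        # Stand-in round function (assumption): hash of subkey and right half.
        f_out = hashlib.sha256(k + right).digest()[:4]
        left, right = right, xor(left, f_out)
    return right + left                           # halves swapped back at the end


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    # Same network with the subkeys in reverse order.
    return feistel(block, round_keys(key)[::-1])


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of 8 bytes (padding omitted)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext, key):
    # Every block is encrypted on its own.
    return b"".join(encrypt_block(b, key) for b in split_blocks(plaintext))


def cbc_encrypt(plaintext, key, iv):
    out, prev = [], iv
    for b in split_blocks(plaintext):
        prev = encrypt_block(xor(b, prev), key)   # chain in the previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    # Constructed sample values; the all-zero IV is only for a reproducible demo.
    key, iv = b"constructed-key", bytes(8)
    plaintext = b"ATTACK__" * 3 + b"AT_DAWN_"     # three identical blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(plaintext, key)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(plaintext, key, iv)))
```

Identical plaintext blocks stay visible as identical ciphertext blocks under ECB, while CBC hides them because each block is mixed with the previous ciphertext block first.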

Fundamentals of Encryption

  • see: 6 7 8
  • Non-repudiation ensures that a message sender cannot deny sending the message, that is, the original creator of the message can not deny his ownership of the message.
  • Symmetric-key encryption is much faster than asymmetric encryption.
  • Encryption strength is directly proportional to key size, but as the key size increases so does the number of resources required to perform the computation of the encryption algorithm 6.
  • Methods to break encryption:
    • Brute force: randomly guessing the key until the correct key is found.
    • Side-channel attack: Targets the encryption algorithm itself, not the key. It tries to find errors in the design that may help crack it.
    • Cryptanalysis: Uses mathematical analysis to find weaknesses in the encryption algorithm.
  • Some cipher algorithms 7:
    • MD5: Message Digest 5.
    • SHA: Secure Hash Algorithm.
    • RSA: Rivest-Shamir-Adleman.
    • AES: Advanced Encryption Standard.
    • RC4: Rivest Cipher 4, a stream cipher.
  • Nowadays, most keys are 256-bit long.
  • AES-128 is the most commonly used encryption algorithm; its key size is 128-bit. AES-256 has a key size of 256-bit and is more secure 7.
  • RSA usually uses much larger keys than AES, e.g. 2048-bit keys.

| Algorithm | Key Size | Block Size | Rounds | Mode of Operation | Type |
| --- | --- | --- | --- | --- | --- |
| AES-128 | 128-bit | 128-bit | 10 | CBC | Symmetric |
| AES-256 | 256-bit | 128-bit | 14 | CBC | Symmetric |
| RSA | 2048-bit | - | - | - | Asymmetric |
| DES | 56-bit | 64-bit | 16 | CBC | Symmetric |
| 3DES | 168-bit | 64-bit | 48 | CBC | Symmetric |
| RC4 | 128-bit | - | - | - | Symmetric |
| MD5 | 128-bit | - | - | - | Hash |
| SHA-1 | 160-bit | - | - | - | Hash |
| SHA-256 | 256-bit | - | - | - | Hash |

  • Modes of operation 7:
    • Block Ciphers:
      • Divide the plaintext into blocks of fixed size, before encrypting them.
      • More common than the stream ciphers.
      • Modes of block ciphers: ECB, CBC, CFB, OFB, CTR, GCM.
      • Galois/Counter Mode (GCM) is the most used mode of operation right now and the most secure.
    • Stream Ciphers:
      • Starts by creating a One-Time Pad (OTP), which is a random key that is as long as the plaintext.
      • The OTP is then XORed with the plaintext to produce the ciphertext.
      • To decrypt the ciphertext, the OTP is XORed with the ciphertext to produce the plaintext again.
    • One-way encryption:
      • It is a type of encryption that is not reversible, as opposed to two-way encryption (symmetric and asymmetric encryption).
      • Also known as hashing, message digest, or one-way transformation.
      • Takes any input and produces a fixed-length output called the hash.
      • Even if a single bit of the input is changed, the hash will be completely different.
      • There is no way to reverse the hash to get the original input.
      • Message Authentication Code:
        • Before sending a message, the sender hashes the message and sends the hash along with the message.
        • After receiving the message, the receiver hashes the message and compares the hash with the one received from the sender.
        • If the hashes match, the message is not altered during transmission.
      • Used in:
        • Password hashing: nobody can know the original password.
        • Message Authentication Code (MAC): to verify that a message is not altered during transmission.
        • Download verification: to verify that a file is not altered during download or that all the file parts are downloaded correctly.
  • Data must be protected at rest and in transit 8.
  • Keys can be generated using a Deterministic Random Bit Generator.
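
The send-and-compare check described under one-way encryption, as an added example (not from the cited sources) using Python's standard `hashlib` and `hmac` modules. It goes one step beyond the notes: a bare digest can be recomputed by anyone who alters the message, so the keyed variant (HMAC) is shown beside it. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac


def digest(message):
    # Unkeyed hash: fixed-length output for any input.
    return hashlib.sha256(message).hexdigest()


def mac(key, message):
    # Keyed hash (HMAC-SHA-256): only holders of the key can produce it.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_digest(message, received):
    # Receiver re-hashes the message and compares in constant time.
    return hmac.compare_digest(digest(message), received)


def receiver_accepts_mac(key, message, received):
    return hmac.compare_digest(mac(key, message), received)


def differing_bits(hex_a, hex_b):
    # How many of the 256 output bits differ between two digests.
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def altered_in_transit(new_message):
    # A party without the key replaces the message and recomputes the
    # only value it can: the unkeyed digest.
    return new_message, digest(new_message)


if __name__ == "__main__":
    key = b"constructed shared key"          # constructed sample values
    original = b"pay 100 to account 42"
    message, tag = altered_in_transit(b"pay 900 to account 42")
    print("bare digest accepts altered message:",
          receiver_accepts_digest(message, tag))
    print("HMAC accepts altered message:",
          receiver_accepts_mac(key, message, tag))
    print("bits changed by a one-character edit:",
          differing_bits(digest(b"pay 100"), digest(b"pay 101")))
```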

Symmetric Encryption vs. Asymmetric Encryption

  • see: 9 10 11 12 19
  • In asymmetric encryption, you need to use two keys, one for encryption (public) and one for decryption (private) 10.
  • The symmetric key is sent to the receiver using asymmetric encryption, but the data is encrypted using symmetric encryption 10.
  • Common Public key ciphers 19:
    • RSA: Rivest-Shamir-Adleman.
    • DH: Diffie-Hellman.
    • DSA: Digital Signature Algorithm.
    • ECDHE: Elliptic Curve Diffie-Hellman Ephemeral.
    • ECC: Elliptic Curve Cryptography.
  • Cipher suites 19:
    • A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL).
    • A cipher suite combines multiple encrypting techniques to achieve a higher level of security.
    • A cipher suite specifies one algorithm for each of the following tasks:
      • Key exchange: a public key (asymmetric) cipher that is used to exchange the session key (sharing keys and authentication): RSA, DH, DSA, ECDHE.
      • Bulk encryption: a secret key (symmetric) cipher that is used to encrypt the data: AES.
      • Mode of operation: CBC, GCM, as every block cipher needs a mode of operation.
      • Security Protocol: TLS, SSL, IPsec.
      • Hashing: MD5, SHA-1, SHA-256, to verify message integrity.
    • E.g. TLS_RSA_WITH_AES_128_CBC_SHA => RSA for key exchange, AES for bulk encryption, CBC for mode of operation, SHA for hashing.
    • The idea is that asymmetric encryption is slow, so it is used only to exchange a symmetric key; this symmetric key is then used to encrypt the data with a symmetric encryption algorithm.
  • Asymmetric encryption is used for public key encryption and digital signatures 11.
  • Cryptology consists of cryptography (making a working cryptosystem) and cryptanalysis (breaking a cipher) 12.
  • Security Services of Cryptography 12:
    • Confidentiality: Aka, privacy or secrecy; means data is not disclosed to unauthorized entities.
    • Data Integrity: this means data is not altered or modified during transmission, it does not prevent alteration, but it detects it.
    • Authentication: Identifying the sender and receiver of the message.
    • Non-repudiation: It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party.
  • Cryptography Primitives 12:
    • Encryption.
    • Hash functions.
    • Message authentication codes.
    • Digital signatures.
  • [Figure: crypto primitive mapping to services]
  • Challenges of public-key cryptosystem 12:
    • The sender needs to trust that the public key that he is using in communications with a person is the public key of that person and has not been spoofed by a malicious third party.
    • This is guaranteed by using a Public Key Infrastructure (PKI) involving a trusted third party called a Certificate Authority (CA).
    • The trusted authority satisfies itself about user identity by the process of attestation, notarization, or some other process - that X is the one and only, or globally unique, X.
    • The most common method of making the verified public keys available is to embed them in a certificate that is digitally signed by a trusted third party.
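
The cipher-suite naming scheme from this section, as an added example (not from the cited sources): a parser that splits a suite name into the roles listed above and flags components generally treated as legacy. The flagging rules are a simplified assumption for illustration, not a complete policy, and the function names are hypothetical.

```python
MODES = {"CBC", "GCM", "CCM"}


def parse_suite(name):
    """Split a TLS/SSL cipher-suite name into its component roles."""
    if not name.startswith(("TLS_", "SSL_")):
        raise ValueError("not a TLS/SSL cipher-suite name: %r" % name)
    protocol, rest = name.split("_", 1)
    if "_WITH_" in rest:
        kx_part, cipher_part = rest.split("_WITH_", 1)
        kx_tokens = kx_part.split("_")
        key_exchange = kx_tokens[0]
        # A single token such as RSA covers key exchange and authentication.
        authentication = kx_tokens[1] if len(kx_tokens) > 1 else kx_tokens[0]
    else:
        # TLS 1.3 style names (e.g. TLS_AES_128_GCM_SHA256) leave the
        # key exchange out of the suite name.
        key_exchange = authentication = None
        cipher_part = rest
    tokens = cipher_part.split("_")
    mode = next((t for t in tokens[:-1] if t in MODES), None)
    return {
        "protocol": protocol,
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": "_".join(t for t in tokens[:-1] if t != mode),
        "mode": mode,            # None for stream ciphers such as RC4
        "hash": tokens[-1],
    }


def findings(suite):
    """Simplified, assumed review rules for a parsed suite."""
    out = []
    if suite["key_exchange"] in ("RSA", "DH", "ECDH"):
        out.append("static key exchange: no forward secrecy")
    if suite["cipher"].startswith(("RC4", "DES", "3DES", "NULL")):
        out.append("obsolete bulk cipher")
    if suite["mode"] == "CBC":
        out.append("CBC mode: prefer an authenticated mode such as GCM")
    if suite["hash"] in ("MD5", "SHA"):
        out.append("legacy digest (MD5 or SHA-1)")
    return out


if __name__ == "__main__":
    for name in ("TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_RC4_128_MD5",
                 "TLS_AES_128_GCM_SHA256"):
        parsed = parse_suite(name)
        print(name, parsed, findings(parsed))
```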

RSA and PKI

  • RSA, the first asymmetric encryption algorithm, was developed by three MIT scientists, Ron Rivest, Adi Shamir, and Leonard Adleman, and is named after the first letters of their last names. RSA is widely used and is known as a core of Public Key Infrastructure (PKI).
  • See: 13 14 15
  • RSA 13:
    • You can only encrypt a message that is smaller than the key size (usually 2048-bit).
    • Thus, the symmetric key is encrypted using RSA, then the data is encrypted using the symmetric key.
    • Usually used in sending emails.
    • It is based on large prime numbers, see 20 and 21 for more information about the math behind RSA.
  • Sending email 13:
    • The sender encrypts a symmetric key using the receiver’s public key.
    • The body of the email is encrypted using the symmetric key.
    • The encrypted symmetric key is sent along with the encrypted email.
    • The receiver decrypts the symmetric key using his private key.
    • The receiver decrypts the email using the symmetric key that he just decrypted.

PKI 14

  • Certification Authority (CA):
    • It is a trusted third party that issues digital certificates.
    • Its public key is distributed with the web browser, downloaded from the internet, or added by the user.
  • Registration Authority (RA):
    • It acts as an agent for the CA and confirms that the client is allowed to have a certificate for the domain (domain ownership verification).
    • CA will wait for RA’s confirmation before issuing the certificate.
  • Subject: is the entity that is being issued the certificate (e.g. a website, web server).
  • Relying Party: is the entity that is relying on the certificate to be valid (e.g. a user through a web browser).
  • Root CA:
    • It is the main CA that certifies other CAs.
    • It is kept offline to avoid being compromised.
    • Its public key is distributed with the web browser, for a fee paid to the browser vendor.
  • Certificate Revocation List (CRL):
    • It is a list of certificates that have been revoked by the CA.
    • CRL Distribution Point (CDP) is a location where the CRL is stored.
      • It is usually a web server that is accessible by the relying party.
  • Online Certificate Status Protocol (OCSP):
    • It is a protocol that allows the relying party to check the validity of a certificate.
    • It is faster than CRL.
    • OCSP Responder: is a server that responds to OCSP requests.
  • Certificate verification process:
    • The signature on the certificate is verified by the relying party using the CA’s public key.
    • The validity period of the certificate is checked, and the certificate is confirmed not to be on the CRL.
  • Certificate Transparency Log is a public log of all issued certificates and any changes to them.

Public Key Infrastructure PKI 22

  • The main function of PKI is Key Management 22, that is:
    • Keeping private keys secret.
    • Assurance that public keys are correct.
  • Components of PKI:
    • Public key Certificate, or simply, a digital certificate.
    • Private key tokens.
    • Certificate Authorities (CA).
    • Registration Authorities (RA).
    • Certificate Management System (CMS).
  • CA functions:
    • Generating public/private key pairs.
    • Issuing certificates.
    • Publishing certificates.
    • Verifying certificates.
    • Revoking certificates.
  • RA does not issue or sign certificates, it only verifies the identity of the subject.
  • Certificate authority (CA) hierarchies are reflected in certificate chains.
  • A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy.

Public Key Encryption 15

  • Three main types of public key encryption:
    • RSA: Rivest-Shamir-Adleman.
    • ElGamal: Named after its inventor Taher Elgamal.
    • Elliptic Curve Cryptography (ECC): Uses elliptic curves instead of prime numbers.
  • RSA:
    • The Math behind it:
      1. Generate the modulus (n) by multiplying two large prime numbers (p and q), n = p * q.
      2. Find the derived number (e), which is a number that is relatively prime to (p-1) * (q-1), that is:
        • 1 < e < (p-1) * (q-1).
        • There are no common factors other than 1 between e and (p-1) * (q-1).
      3. Generate the public key (e, n).
      4. Generate the private key (d, n), where d = e^-1 mod ((p-1) * (q-1)).
    • Public key: (e, n).
    • Private key: (d, n).
    • RSA does not work directly on strings of bits; it works on numbers. Hence, it is necessary to represent the plaintext as a series of numbers less than n.
  • ElGamal:
    • Based on the Discrete Logarithm Problem.
    • Private key: x.
    • Public key: (p, g, y); p is the prime modulus, g is the generator, and y equals g^x mod p.
    • It is slower than RSA.
    • The key size is usually 1024-bit.
  • Elliptic Curve Cryptography (ECC):
    • It does not use prime numbers, it uses elliptic curves.
    • It is faster than ElGamal.
    • It is a variant of ElGamal.
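
The four RSA key-generation steps above, combined with the "Sending email" steps from the RSA and PKI section, as one added example (not from the cited sources). Assumptions: the primes are small, well-known Mersenne primes, RSA is used without padding, and a SHA-256 counter keystream stands in for a real symmetric cipher such as AES, so this shows the arithmetic and the message flow only and is not secure. All names are illustrative.

```python
import hashlib
import math
import secrets


def generate_keypair(p, q):
    n = p * q                                  # step 1: modulus
    phi = (p - 1) * (q - 1)
    e = 65537 if phi > 65537 else 3            # step 2: 1 < e < phi ...
    while math.gcd(e, phi) != 1:               # ... with no common factor
        e += 2
    d = pow(e, -1, phi)                        # step 4: d = e^-1 mod phi (Python 3.8+)
    return (e, n), (d, n)                      # public key, private key


def keystream_xor(key, data):
    # Stand-in symmetric cipher (assumption): SHA-256 in counter mode.
    stream = bytearray()
    for counter in range(0, len(data), 32):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(body, public):
    """Sender: wrap a fresh symmetric key with RSA, encrypt the body with it."""
    e, n = public
    session_key = secrets.token_bytes(16)
    m = int.from_bytes(session_key, "big")     # RSA works on numbers ...
    if m >= n:                                 # ... that must be smaller than n
        raise ValueError("message is not smaller than the modulus")
    return pow(m, e, n), keystream_xor(session_key, body)


def open_envelope(envelope, private):
    """Receiver: unwrap the symmetric key with the private key, decrypt the body."""
    d, n = private
    wrapped_key, ciphertext = envelope
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    # Textbook-sized primes show the numbers; far too small for any real use.
    print(generate_keypair(61, 53))
    # Known Mersenne primes give a modulus large enough for a 128-bit key.
    public, private = generate_keypair(2**107 - 1, 2**127 - 1)
    envelope = seal(b"constructed message body", public)
    print(open_envelope(envelope, private))
```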

Brute Force Attack (BFA)

  • Types of brute force attacks 18:
    • Online brute force attack: trying different passwords on a website.
    • Offline brute force attack: the attacker steals a database of usernames and passwords, then tries to crack the passwords offline.
    • Dictionary attack: using a list of common passwords, and trying them one by one.
    • Rainbow table attack: using a precomputed table of hashes to crack passwords. That is, the hashes of a string through different hashing algorithms are stored in a table, and then the attacker tries to find the password that matches the hash.
  • See: 16 17 18
  • Attackers’ benefits from brute force attacks:
    • Profiting from ads or collecting activity data.
      • Putting spam ads on well-trafficked websites to make money each time an ad is clicked or viewed.
      • Rerouting a website’s traffic to a commissioned ad site.
      • Infecting a site and its visitors with spyware; the collected data is then sold to third parties.
    • Stealing personal information: credit card numbers, social security numbers, etc.
    • Spreading malware, practicing their skills, or just for fun.
    • Hijacking systems for malicious purposes.
    • Ruining a company’s reputation.
  • Types of brute force attacks 16:
    • Simple BFA: manually trying different passwords, no automation.
    • Dictionary attack: using a list of common passwords, and trying them one by one.
    • Hybrid BFA: combining dictionary attack with simple BFA, that is, trying passwords from a dictionary, then trying variations of those passwords.
    • Reverse BFA: starts from a password, and tries all possible usernames that may have that password; usually, a leaked password list is used.
    • Credential stuffing: using leaked username/password combinations to try to log in to other sites, as users may use the same username/password on different sites.
  • Passive Backend Protections for Passwords 16:
    • High encryption rates: like 256-bit encryption, the more bits the better.
    • Salting: adding a random string to the password before hashing it. The salt should be stored in a separate database, then retrieved and added to the password when the user tries to log in.
    • 2FA, or install intrusion detection systems.
    • Limit the number of login attempts.
    • Account lock after a certain number of failed login attempts.
    • Throttle repeated login attempts: this gives time for developers to react to the attack.
    • Use CAPTCHA: to prevent automated attacks.
    • Use IP blacklisting: to block IP addresses that are trying to brute force the system.
  • Active IT Support Protections for Passwords:
    • Password education to users.
    • Watch accounts in real time for strange activity.
  • BFA 17:
    • BFA does not exploit vulnerabilities in the system.
    • BFA is a trial-and-error method.
    • Hydra is a tool used for BFA.
    • Crunch is a tool used to generate a word list or password list.
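
Salting, the login-attempt limit and the account lock from the backend protections list, as an added example (not from the cited sources). It goes slightly beyond the notes by using `hashlib.pbkdf2_hmac`, a deliberately slow salted hash from Python's standard library. Assumptions: an in-memory dictionary stands in for the database, the salt is kept beside the hash for brevity, and `MAX_FAILURES`, `LOCK_SECONDS` and the class name are illustrative.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000     # work factor: slows every offline guess
MAX_FAILURES = 5         # assumed limit on consecutive failed logins
LOCK_SECONDS = 300       # assumed lock duration


class Accounts:
    def __init__(self, clock=time.monotonic):
        self._users = {}       # user -> (salt, hash)
        self._failures = {}    # user -> (failed count, locked until)
        self._clock = clock

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)                  # fresh random salt per account
        self._users[user] = (salt, self._hash(password, salt))

    def stored_hash(self, user):
        return self._users[user][1]

    def login(self, user, password):
        count, locked_until = self._failures.get(user, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            return "locked"                    # refuse without checking the password
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._users.get(user, (bytes(16), b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.pop(user, None)     # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[user] = (0, now + LOCK_SECONDS)
        else:
            self._failures[user] = (count, locked_until)
        return "denied"


if __name__ == "__main__":
    accounts = Accounts()
    accounts.register("alice", "correct horse")     # constructed sample data
    accounts.register("bob", "correct horse")
    # Same password, different salts, different stored hashes.
    print(accounts.stored_hash("alice") != accounts.stored_hash("bob"))
    print([accounts.login("alice", "guess") for _ in range(5)])
    print(accounts.login("alice", "correct horse"))  # locked, even though correct
```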

References

  1. UoPeople (2023). CS3340: Systems and Applications Security. Unit 4: Encryption and Authentication. Introduction and Lecture Notes. UoPeople. https://my.uopeople.edu/mod/book/view.php?id=392924&chapterid=471191 

  2. A brief history of encryption. (2021, March 21). ThalesGroup. Retrieved June 6, 2021, from https://www.thalesgroup.com/en/markets/digital-identity-and-security/magazine/brief-history-encryption 

  3. How to become a cryptographer. (2021, December 8). Cyberdegrees. https://www.cyberdegrees.org/jobs/cryptographer/ 

  4. Istoria, A. (2020, June 18). How did ancient Greeks send secret messages? [Video]. YouTube. https://www.youtube.com/watch?v=ac3l8J_rYNg 

  5. What is DES? Understanding DES algorithm and operation. (2021, May 10). Simplilearn. https://www.simplilearn.com/what-is-des-article#:~:text=The%20DES%20(Data%20Encryption%20Standard,ciphertext%20using%2048%2Dbit%20keys. 

  6. Lord, N., (2020, December 1). What is data encryption? Definition, best practices and more. Digital Guardian. https://digitalguardian.com/blog/what-data-encryption 

  7. Network Direction. (2019, October 30). Encryption basics | cryptography [Video]. YouTube. https://www.youtube.com/watch?v=V67drkkk2aA 

  8. Stine, K. & Dang, Q. (2011, May). Encryption basics. AHIMA. https://library.ahima.org/doc?oid=104090#.Ydlbpf5Bw2w 

  9. Nasser, H. (2019, June 8). Symmetrical vs asymmetrical encryption pros and cons by example [Video]. YouTube. https://www.youtube.com/watch?v=Z3FwixsBE94 

  10. Professor Messer. (2014, September 21). Symmetric vs. asymmetric encryption - compTIA security+ SY0-401: 6.1 [Video]. YouTube. https://www.youtube.com/watch?v=z2aueocJE8Q 

  11. Edpresso Team. (n.d.). Symmetric vs. asymmetric encryption. educative. https://www.educative.io/edpresso/symmetric-vs-asymmetric-encryption?aid=5082902844932096&utm_source=google&utm_medium=cpc&utm_campaign=edpresso-dynamic&gclid=Cj0KCQjwktKFBhCkARIsAJeDT0gFV4c5VUuxZKZSTlysDKO-Hc3j-WBnV0fRKNx4RGP9yXr8rZilk1QaArnPEALw_wcB 

  12. Cryptography – public key encryption. (2015). Cryptography for beginners, 49-56. https://www.tutorialspoint.com/cryptography/cryptography_tutorial.pdf 

  13. Mental Outlaw. (2021, February 10). How RSA encryption works [video]. YouTube. https://www.youtube.com/watch?v=ZPXVSJnDA_A 

  14. Turner, P. (2017, January 30). PKI bootcamp - what is a PKI? [Video]. YouTube. https://www.youtube.com/watch?v=5OqgYSXWYQM 

  15. Public Key Encryption. (2023). Tutorialspoint.com. https://www.tutorialspoint.com/cryptography/public_key_encryption.htm 

  16. Brute force attack: Definition and examples. (n.d.). Kaspersky. https://www.kaspersky.com/resource-center/definitions/brute-force-attack 

  17. Edureka!. (2019, November 1). What is a brute force attack? | password cracking using brute force attacks/ edureka [Video]. YouTube. https://www.youtube.com/watch?v=fHsJAei2ocM&t=3s 

  18. Professor Messer. (2019, June 9). brute force attacks - CompTIA A+ 220-1002 - 2.5 [Video]. YouTube. https://www.youtube.com/watch?v=W_NaKJrTmRk 

  19. Network Direction. (2019). Encryption Basics | Public Key Encryption | SSL [YouTube Video]. In YouTube. https://www.youtube.com/watch?v=K4YsONGZ_SE 

  20. Woo, E. (2014). The RSA Encryption Algorithm (2 of 2: Generating the Keys) [YouTube Video]. In YouTube. https://www.youtube.com/watch?v=oOcTVTpUsPQ 

  21. Woo, E. (2014). The RSA Encryption Algorithm (1 of 2: Computing an Example) [YouTube Video]. In YouTube. https://www.youtube.com/watch?v=4zahvcJ9glg 

  22. Public Key Infrastructure. (2023). Tutorialspoint.com. https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm