Fundamentals of Cryptography
1. Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges.
• Dallas Office: 15303 Dallas Parkway, Suite 300, Addison, TX 75001; 972.692.0010 Phone; 972.692.0019 Fax
• Houston Office: 800 Town & Country Blvd, Suite 300, Houston, TX 77024; 713.496.0711 Phone; 713.401.9650 Fax
• Austin Office: 9020 N Capital of Texas Hwy, Suite 345, Austin, TX 78759; 512.327.1112 Phone; 512.233.0844 Fax
• Denver Office: 5445 DTC Parkway, Suite 1040, Greenwood Village, CO 80111; 303.623.1344 Phone; 303.484.4577 Fax
3. Agenda …
Tonight we will overview some cryptography principles, and how symmetric and
asymmetric approaches address them
• What is Cryptography?
– Definition
– Four basic principles
• How do we get these principles?
– Two methods
• Symmetric Key Cryptography
– Diffie-Hellman key exchange
– Limitations
• Asymmetric Key Cryptography
– Satisfying cryptographic principles
– RSA keygen algorithm
• Q&A
Dallas Web Security Group
4/8/2013 3
4. Introduction
5. Introduction …
John Lutteringer
John Lutteringer is a Consultant in the Custom Java practice at
Credera. John graduated from Baylor University with a BS in
Computer Science – Software Engineering and a minor in
Mathematics. His technical skills include a focus on predominately
open source web technologies with Java + Spring MVC as the most
familiar. Additionally, John is familiar with relevant technologies like
HTML and CSS, Javascript, SQL, and also agile development
methodologies, software development life cycle, software design, and
design patterns.
John’s background in web security comes from a combination of
personal study and schooling along with a passion for learning about
new technologies.
7. What is Cryptography? …
Cryptography focuses on one major problem – How do we establish
communication secure from third parties?
Definition
• The science or study of the techniques of secret writing, especially code and cipher systems,
methods, and the like
The Perfect Cryptographic System
• What should it do?
– Provide secure communication
– Anything else??
• What other characteristics should it have?
– Hard or impossible to decrypt
– Simple to understand/implement
– Fast
– Versatile in terms of medium (internet, paper messages, radio, etc.)
– Deterministic
– Variable
– Walks your dog
8. What is Cryptography? …
Four basic principles
• Encryption
– How do we convert data into some unreadable form?
• Authentication
– How can I prove you are who you say you are?
• Integrity
– How can I be sure the message you sent hasn’t been modified?
• Non Repudiation
– How can I prove that the message was sent by you, even if you deny it?
9. What is Cryptography? …
Encryption – How do we convert data into some unreadable form?
• The sender and receiver share some “secret” that only they know. This secret is then used to encrypt
and decrypt messages so that intercepted messages are unreadable.
• What do we want?
– Has to be hard or impossible to decrypt (computationally intractable)
– Has to be hard to decrypt even if the attacker has access to an unlimited number of plaintexts and
their corresponding ciphertexts
– Need some way to distribute our secret key without a secure channel (key distribution problem)
10. What is Cryptography? …
Authentication – How can I prove you are who you say you are?
• Why do we need this?
– Internet is inherently anonymous
– Trust is a problem
– What if a trusted source has been compromised? How do we know?
11. What is Cryptography? …
Integrity – How can I be sure the message you sent hasn’t been modified?
• Why do we need this?
– The internet is essentially a series of handoffs between routers
– Even if the endpoints are secure, an intermediary router could be compromised
– Possible to modify encrypted text even if an attacker can’t understand it
12. What is Cryptography? …
Non Repudiation – How can I prove the message was sent by you, even if you
deny it?
• Why do we need this?
– Legal reasons
– Digital signatures
– Accountability
13. How do we get these principles?
14. How do we get these principles? …
Two predominant methods
• Symmetric Key Cryptography
– “Familiar” approach
– Sender and receiver share a secret key and use that secret key to encrypt and decrypt
messages
• Asymmetric Key Cryptography (Public Key Cryptography)
– Pairs of keys - each entity has a public key, which is shared with everyone, and a private key, which
is shared with no one
– Any message encrypted with a public key can be decrypted with the matching private key and vice versa,
but, unlike in symmetric key encryption, an encrypted message cannot be decrypted by the same key
that encrypted it
• In practice, the methods are typically used together as a way to play off the advantages of each
– RSA/IDEA
– DSA/BLOWFISH
16. Symmetric Key Cryptography …
Symmetric Key Cryptography
• Principles satisfied
– Encryption - Yes!
– Authentication - ???
– Integrity - ???
– Non repudiation - ???
• Advantages
– Fast
– Conceptually simple to understand
• Disadvantages
– How do we distribute keys?
Hardcode keys?
Some other way??
– Can we satisfy our four baseline principles?
17. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• The algorithm relies on the mathematical identity:
– (g^a)^b mod p = (g^b mod p)^a mod p
18. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6
– Computes secret integer a = 6
• Eve
– Knows: (nothing yet)
• Bob
– Knows: b = 15
– Computes secret integer b = 15
19. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6, p = 23, g = 5
– Sends prime number p = 23 and base g = 5
• Eve
– Knows: p = 23, g = 5
– Intercepts p and g
• Bob
– Knows: b = 15, p = 23, g = 5
– Receives p and g
20. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6, p = 23, g = 5, A = 8
– Calculates A = g^a mod p, so A = 8
• Eve
– Knows: p = 23, g = 5
• Bob
– Knows: b = 15, p = 23, g = 5, B = 19
– Calculates B = g^b mod p, so B = 19
21. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6, p = 23, g = 5, A = 8
– Sends A
• Eve
– Knows: p = 23, g = 5, A = 8
– Intercepts A
• Bob
– Knows: b = 15, p = 23, g = 5, B = 19, A = 8
– Receives A
22. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6, p = 23, g = 5, A = 8, B = 19
– Receives B
• Eve
– Knows: p = 23, g = 5, A = 8, B = 19
– Intercepts B
• Bob
– Knows: b = 15, p = 23, g = 5, B = 19, A = 8
– Sends B
23. Symmetric Key Cryptography …
Solving the key distribution problem - Diffie-Hellman key exchange
• Alice
– Knows: a = 6, p = 23, g = 5, A = 8, B = 19, s = 2
– Computes s = B^a mod p, so s = 2
• Eve
– Knows: p = 23, g = 5, A = 8, B = 19, s = ???
• Bob
– Knows: b = 15, p = 23, g = 5, B = 19, A = 8, s = 2
– Computes s = A^b mod p, so s = 2
• We know B^a mod p = A^b mod p = (g^a)^b mod p from our identity:
– (g^a)^b mod p = (g^b mod p)^a mod p
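The exchange on the preceding slides, as an added Python example (not part of the original deck). It uses the slides' values p = 23, g = 5, a = 6, b = 15; the function names are illustrative, and the exhaustive search in exponents_matching goes beyond the slides to show why real exchanges use very large primes.

```python
# Added example: the slides' Diffie-Hellman exchange with toy numbers.
# All function names are illustrative; p, g, a, b come from the slides.

def dh_public(g, secret, p):
    """Value sent over the network: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(their_public, my_secret, p):
    """Shared key s: (their public value)^my_secret mod p."""
    return pow(their_public, my_secret, p)

def run_exchange(p, g, a, b):
    """Return what crosses the wire plus each side's computed secret."""
    A = dh_public(g, a, p)                      # Alice -> Bob
    B = dh_public(g, b, p)                      # Bob -> Alice
    wire = {"p": p, "g": g, "A": A, "B": B}     # everything Eve sees
    return wire, dh_shared(B, a, p), dh_shared(A, b, p)

def exponents_matching(g, public, p):
    """Every x in 1..p-1 with g^x mod p == public (exhaustive search).
    Finishes instantly for p = 23; the search space grows with p, which
    is why the integers used in practice are very large."""
    return [x for x in range(1, p) if pow(g, x, p) == public]

def eve_secret(wire):
    """What an eavesdropper can derive from the wire values when p is tiny."""
    x = exponents_matching(wire["g"], wire["A"], wire["p"])[0]
    return pow(wire["B"], x, wire["p"])

if __name__ == "__main__":
    wire, s_alice, s_bob = run_exchange(p=23, g=5, a=6, b=15)
    print("on the wire:", wire)
    print("Alice s =", s_alice, " Bob s =", s_bob)
    print("Eve, after searching 22 exponents: s =", eve_secret(wire))
```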
24. Symmetric Key Cryptography …
What about our four principles?
• Now that we know we can distribute symmetric keys over an insecure network to establish a secure
channel, can we also use symmetric keys to get our four desired properties?
• Encryption – This one is easy!
– Alice sends message M to Bob encrypted with their shared key s: E_s(M)
– Bob decrypts Alice’s message with the shared key: D_s(E_s(M)) = M
• Authentication
– Since the keys are temporary, there’s no good way to establish authenticity baked into the
cryptographic system
– Authentication is not possible through symmetric key encryption, at least not without using some
mechanism external to the cryptographic method itself
25. Symmetric Key Cryptography …
What about our four principles?
• Integrity
– Alice sends encrypted message M to Bob, E_s(M), along with its encrypted hash E_s(H(M))
– Bob decrypts Alice’s message D_s(E_s(M)) = M and the hash D_s(E_s(H(M))) = H(M)
– Bob hashes Alice’s message H(M) and compares it to the hash Alice sent; if the hashes are
equal, then we can be confident that integrity holds
• Non repudiation
– Much like authentication, without permanent keys trust cannot be established, so this is not
possible without some external mechanism
27. Asymmetric Key Cryptography …
Asymmetric Key Cryptography
• In asymmetric key cryptography, each party has two keys, a public key and a private key
• The public key is shared with the world, and the private key is kept private
• The keys are generated in such a way that any message encrypted by the public key in the pair can
only be decrypted by the private key, and vice versa
• Advantages
– Symmetric Key Cryptography only satisfied two of our four principles. We can do better!
– Key distribution isn’t a problem. We want everyone to see our public key!
• Disadvantages
– Slow, at least compared against symmetric key cryptography
– Non intuitive
28. Asymmetric Key Cryptography …
Encryption - Can we satisfy our four basic principles?
• Alice (Public Key: A_pub, Private Key: A_priv)
– Wants to send Bob an encrypted message
– Sends Bob a message M encrypted with Bob’s public key: E_Bpub(M)
• Bob (Public Key: B_pub, Private Key: B_priv)
– Decrypts Alice’s message with his private key: D_Bpriv(E_Bpub(M)) = M
29. Asymmetric Key Cryptography …
Authentication - Can we satisfy our four basic principles?
• Alice (Public Key: A_pub, Private Key: A_priv)
– Sends Bob an encrypted message E_Bpub(M) “signed” with her private key to get E_Apriv(E_Bpub(M))
• Bob (Public Key: B_pub, Private Key: B_priv)
– Wants to validate Alice’s identity
– Decrypts message with Alice’s public key: D_Apub(E_Apriv(E_Bpub(M))) = E_Bpub(M)
– Then, decrypts with private key: D_Bpriv(E_Bpub(M)) = M
30. Asymmetric Key Cryptography …
Integrity - Can we satisfy our four basic principles?
• Alice (Public Key: A_pub, Private Key: A_priv)
– Sends Bob an encrypted message E_Bpub(M_o) and the hash of that message, encrypted: E_Bpub(H(M_o))
• Bob (Public Key: B_pub, Private Key: B_priv)
– Wants to know Alice’s message hasn’t been modified
– Decrypts message: D_Bpriv(E_Bpub(M_r)) = M_r
– Decrypts hash: D_Bpriv(E_Bpub(H(M_o))) = H(M_o)
– Verify integrity by hashing received message: H(M_r) = H(M_o)
31. Asymmetric Key Cryptography …
Non Repudiation - Can we satisfy our four basic principles?
• Alice (Public Key: A_pub, Private Key: A_priv)
– Sends Bob an encrypted message E_Bpub(M) “signed” with her private key to get E_Apriv(E_Bpub(M))
• Bob (Public Key: B_pub, Private Key: B_priv)
– Wants to validate Alice’s identity
– Decrypts message with Alice’s public key: D_Apub(E_Apriv(E_Bpub(M))) = E_Bpub(M)
– Then, decrypts with private key: D_Bpriv(E_Bpub(M)) = M
32. Asymmetric Key Cryptography …
How does asymmetric key cryptography work?
• Asymmetric key cryptography works in a similar manner to symmetric key cryptography except that
the keys are generated in a special manner that allows them to decrypt only messages encrypted by
the other key in the pair
• While there are many ways to do this, the most common algorithm is known as the RSA keygen
algorithm
• RSA Algorithm:
1. Choose two distinct prime numbers p and q
2. Compute n = pq
3. Compute φ(n) = (p – 1)(q – 1) where φ is Euler’s totient function
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1 (e and φ(n) are coprime)
5. Solve for d given de ≡ 1 (mod φ(n))
6. Compute keys:
Public key: (n, e); To encrypt: C ≡ M^e (mod n)
Private key: (n, d); To decrypt: M ≡ C^d (mod n)
33. Asymmetric Key Cryptography …
RSA key generation algorithm
1. Choose two distinct prime numbers p and q
p = 61
q = 53
34. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
2. Compute n = pq
n = (61)(53) = 3233
35. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
n = 3233
3. Compute the totient of the product (pq) as (p - 1)(q - 1)
φ(3233) = (61 - 1)(53 - 1) = 3120
36. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
n = 3233
φ(n) = 3120
4. Choose any number 1 < e < φ(n) that is coprime to φ(n)
Picking this number could be hard, but if we choose a prime number, then we just have to make
sure that 3120 isn’t divisible by it
So let’s choose e = 17
37. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
n = 3233
φ(n) = 3120
e = 17
5. Solve for d given de ≡ 1 (mod φ(n))
This is a different way to write the modular multiplicative inverse of e (mod φ(n))
d(17) ≡ 1 (mod 3120)
d = 2753
(17 * 2753 = 46801 which has remainder 1 when divided by 3120)
38. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
n = 3233
φ(n) = 3120
e = 17
d = 2753
• To encrypt, our public key is (n = 3233, e = 17) with function
C ≡ M^e (mod n)
Let’s say M = 65
C ≡ 65^17 (mod 3233)
C = 2790
39. Asymmetric Key Cryptography …
RSA key generation algorithm
p = 61
q = 53
n = 3233
φ(n) = 3120
e = 17
d = 2753
C = 2790
• To decrypt, our private key is (n = 3233, d = 2753) with function
M ≡ C^d (mod n)
M ≡ 2790^2753 (mod 3233)
M = 65
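The key generation, encryption and decryption steps walked through on the preceding slides, as an added Python example (not part of the original deck). The function names egcd, rsa_keygen and apply_key are illustrative, p and q are assumed to be primes supplied by the caller, and the example goes slightly beyond the slides by computing d with the extended Euclidean algorithm and by showing the private-key "signing" direction as well.

```python
# Added example: textbook RSA with the slides' numbers (no padding, toy key
# size), useful only for following the arithmetic. Names are illustrative.
from math import gcd

def egcd(a, b):
    """Extended Euclid: (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r, old_x, x, old_y, y = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def rsa_keygen(p, q, e):
    """Steps 1-6 of the slides: return ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    _, x, _ = egcd(e, phi)          # e*x + phi*y == 1, so x is e^-1 mod phi
    return (n, e), (n, x % phi)     # x may be negative; reduce into 0..phi-1

def apply_key(value, key):
    """value^exponent mod n; the same operation serves both keys."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(value, exponent, n)

if __name__ == "__main__":
    public, private = rsa_keygen(p=61, q=53, e=17)
    c = apply_key(65, public)       # encrypt with the public key
    print(public, private, c, apply_key(c, private))
    sig = apply_key(65, private)    # "sign" with the private key
    print("public key recovers the signed value:", apply_key(sig, public))
```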
41. Credits …
Credits
• Credera
• http://dictionary.reference.com/browse/cryptography
• http://www.thegeekstuff.com/2012/07/cryptography-basics/
• http://users.suse.com/~garloff/Writings/mutt_gpg/node3.html
• All of Wikipedia
• http://mathworld.wolfram.com
Here’s a little about me. Consultant at Credera. I know some languages. Baylor – BS CS. Not a security expert – don’t do this professionally. Learned a lot in this presentation. Hope you will too. First time presenting at a user grp & for this long.
Turns out there are 4. Read them. Transition: “SO LET’S TALK ABOUT EACH OF THEM”
Read title. 1st bullet – symmetric key. Key distribution is a chicken and egg problem, we need a secure channel to distribute our key so we can create a secure channel for communication…
Internet anonymity – IPs change, spoofing sites, phishing attacks, changing a letter in the url, etc… trust hierarchy can protect us from all of this. Talk briefly about the internet’s web of trust: your browser trusts Amazon because Amazon’s key is signed by VeriSign’s key and VeriSign’s key is hardcoded into your browser as assumed to be trustworthy since it’s a root CA.
At every router there is an opportunity for the contents of your packets to change. It would be easy for a malicious person with access to a compromised router to flip random bits in an encrypted message, even if he didn’t know what they meant. This could end up being catastrophic if you had no way of testing this.
Related to Authentication. If you’re developing the concept of digital signatures to prove you are who you say you are, then I also want to be able to prove that you did, indeed, agree to something that had your digital signature on it even after the fact.
Describe each. Relate to real world & using both. RSA/IDEA - PGP
ASK THE AUDIENCE – Any ideas for key distribution?
Don’t get too caught up in the math, it’s there for anyone interested and to prove that it works! Just think of it as exploiting a mathematical identity to hide values.
Bob is a very sensitive man & cryptographic expert. Integers are typically large.
G can be any integer
a and b ARE transmitted, but their values are “hidden” in the mathematical identity, so that even someone who can see the messages can’t extract the hidden value (key) without one of the originals. Limitation: can’t determine the key
What problem are we trying to solve here? TRUST. ASK THE AUDIENCE: How would we solve the next principle - Encryption
ASK THE AUDIENCE: How would we solve the next principle - Authentication
ASK THE AUDIENCE: How would we solve the next principle - Integrity
ASK THE AUDIENCE: How would we solve the next principle – Non repudiation
AMAZON & VERISIGN – TIE IT ALL TOGETHER
Totient function just counts the number of integers from 1 to n that are relatively prime to n. That is… they share no common divisors except 1, or the only number that evenly divides both of them is 1. φ = PHI. φ(n) is just a number that we calculate from (p – 1)(q – 1), so think of it as just a number. Triple equals means congruent. Congruent means for a ≡ b (mod n) that a − b is an integer multiple of n OR the same as saying a / n and b / n have THE SAME REMAINDER. de ≡ 1 (mod φ(n)) is a simpler notation for the modular multiplicative inverse e^-1 = d (mod φ(n)). Basically, we want to find a d so that de mod φ(n) = 1 mod φ(n), which is like saying we want to find a d so that de / φ(n) has a remainder of 1, because 1 mod anything is 1. Don’t worry, we’re going to go through this step by step….
Don’t get too caught up in the math, it’s there for anyone interested and to prove that it works! Just think of it as exploiting a mathematical identity to hide values.
Once again, just think of φ(3233) as a number! It’s just (61 - 1)(53 - 1) = 3120
Coprime means they share no common divisors other than 1. Since 17 is prime, by definition its only divisors are 1 and 17, so as long as 17 doesn’t evenly divide 3120, we’re good.
Probably the most difficult step to grasp, but it’s actually really simple. Think: Congruent! We want to find d so that the remainder of de / 3120 is the same as 1 / 3120 which is 1! So… We just want to look for a number that when multiplied by 17, divides by 3120 with a remainder of 1. There are algorithms to do this quickly, but it’s easily brute forced… just count up from 1, multiply by 17… divide by 3120… does it have a remainder 1?
Think: Congruent! We want to find C so remainder of C / n is equal to remainder of M^e / n. Exactly the same thing as before. We can think of this as just solving for 65^17 / 3233… what is the remainder? 2790
Think: Congruent! We want to find M so remainder of M / n is equal to remainder of C^d / n. Exactly the same thing as before. We can think of this as just solving for 2790^2753 / 3233… what is the remainder? 65! Which was our original message!!