DePaul University Security Forum Cryptography 101

1
DePaul University Security ForumCryptography
101

• Jean-Philippe Labruyere
• jlabruyere_at_cs.depaul.edu

2
Overview

• Today we will cover very basic concept in
  Cryptography.
• We will cover
• Cryptography Fundamentals
• Brute Force Attacks
• Key management considerations
• Symmetric key cryptography concepts
• Asymmetric key cryptography concept
• Steganography (Stego) concepts
• We will not cover
• How encryption is done CSC 440
• Applications TDC 572 and ECT 582

3
Overview

• Cryptography is crucial it is the key building
  block for many other security services.
• Without it no eCommerce, no Authentication
  services, no secure logins.
• It is a key component that will allow
  Confidentiality Services, Integrity Services and
  Authentication Services.
• What does Cryptography means?
• Origin of the word from Greek
• Crypto Secret
• Graph Writing
• Not a new concept was used by Roman Ceasar
  Cipher

4
Overview

• Encryption is the process of taking a message (in
  cleartext or plaintext format) and transform
  it (in a format often called Ciphertext) so
  that its meaning can not be understood.
• Decryption is the process of taking the
  Ciphertext and transforming it back to Cleartext.
• To encrypt a message, you will use an encryption
  algorithm and an encryption key.
• To decrypt a message, you will use a decryption
  algorithm and a decryption key.

5
Characteristics of Encryption Algorithms

• The Encryption/Decryption algorithms must have
  the following characteristics
• Efficient It must minimize amount of memory and
  time required to run it.
• Secure and/or reliable. We can have 2 ways to
  ensure the eavesdropper can not decrypt the data
  without the decryption key
• Make the algorithm secret. The opponent does not
  know HOW to decrypt the data. The keys further
  protects it.
• Make the algorithm public. The opponent knows how
  to decrypt the data but has no known weaknesses
  and the only way to decrypt the data is to try
  all possible keys. This types of attacks are
  known as brute force attacks.

6
Brute Force Attacks

• The algorithm will be scrutinized by experts and
  if after some time, nobody find a weakness
  chances are there are none!
• So how do you defeat the encryption? Can you
  even defeat it?
• The only way is by going through and trying all
  possible decryption keys! This is called a
  Brute Force attack.
• How many possible keys exist? It depends on the
  length/size of the key.
• 40 bits key 240
• 56 bits key 256
• 128 bits key 2128
• In average you will need to go through ½ the
  possible keys. However here is a fun question
  how do you know you found the right key? Can you
  identify the plaintext? If it is English (or
  French for that matter) it is easy but what if it
  is a binary file?
• So to further protect use longer keys With
  todays technologies, Symmetric keys above 100
  bits are deemed secured.

7
Case Study Reliable Algorithm with long key is
it safe?

• So I mentioned that if you use an algorithm that
  has no known weakness (for example DES/3DES) with
  a long enough key (for example 128 bits) you are
  safe from eavesdropping. Is that really true?
  What could go wrong?

8
Case Study Reliable Algorithm with long key is
it safe?

• Case example Law enforcement vs. child
  pornographer.
• In 1998, Law enforcement hired a well recognized
  cryptanalyst to apprehend an individual suspected
  of transmitting child pornography.
• After getting a court order to sniff the traffic,
  they quickly determined that is was strongly
  encrypted. How did they determine that?
  Encrypted traffic has the inherent characteristic
  of been very blend no patterns, no interesting
  characteristics.
• Large size also gave information on the type of
  information transmitted it was large.
• So how do you defeat that? One solution would be
  to bring in the suspect and interrogate him
  hoping he will crack. Or another way perform a
  search at the destination of the traffic. That
  is what they did, they found the destination and
  on the computer found the decryption key in plain
  view! Then they could decode the traffic and
  apprehend the suspect.
• What is the lesson? It does not matter of large
  you key is if it is not protected, it is not
  safe!

9
Symmetric Encryption

• The key used for encryption is the same as the
  key used for decryption.
• The algorithm used for decryption is just the
  reverse of the one used for encryption.
• What if many parties want to securely
  communicate? How many keys do we need? How do
  we manage these keys?

10
Asymmetric Encryption

• Asymmetric Cryptology was the only (and most
  important) breakthrough is cryptographic science
  in 4000 years.
• Public Key encryption uses manipulation of
  message AND mathematical properties between the
  keys used. Instead of using only key, public key
  cryptography uses TWO keys that are linked
  together by mathematical properties.
• Now we have 2 keys, this has great consequences
  in term of confidentiality, key distribution and
  authentication We can use one key as a public
  key and openly distribute it while keeping one
  key private for sole use by the party that
  generated the pair of keys.
• The key used for encryption is different than the
  key used for decryption.
• Also known as public key encryption.

11
Asymmetric Cryptography Requirements

• Its computationally easy to generate a pair of
  keys
• Its computationally easy to encrypt
• Its computationally easy to decrypt
• It is computationally infeasible for an opponent
  to derive the private key from the known public
  key
• It is computationally infeasible for an opponent
  to recover the original message from the
  ciphertext knowing only the public key.
• (useful but not necessary requirement) either of
  the 2 related keys can be used for encryption and
  the other for decryption.
• MDK-pubEK-priv(M)DK-privEK-pub(M)

12
Public Key Usage Examples

• Confidentiality (Encryption)
• Authentication (via Hash Message Authentication
  Code HMAC)
• Examples to be presented during forum

13
Steganography Fundamentals

• Steganography (Stego in short) is the field of
  hiding a message within another message.
• With crypto you hide the meaning of the message
  but someone can easily notice a message is been
  sent. In fact because encrypted messages have a
  very distinct characteristic (which is that they
  are very very blend no statistical
  characteristics) they can sometime trigger alarms
  and attention.
• In Stego you hide the message within another
  message. An eavesdropper does not even notice
  that a message is been transmitted.
• In many cases, someone will want the message be
  first encrypted then hidden and sent.
• Stego also used for watermaking files
• Stego can be used in many file formats
• Most popular images (Jpg, bmp, gif)
• Word documents
• Text Documents
• HTML
• MP3 files

14
Steganography - Injection

• Many file types have fields or areas that are
  ignored or hidden.
• Add the data there!
• Example
• Hidden HTML fields
• In MS Word use track revisions and erase data.
• Using injection will alter the size of the host
  file.

15
Steganography - Substitution

• The data in the host file is replaced or
  substituted by the hidden message.
• Usually try to substitute part of the host
  message that are insignificant.
• If hidden message is large and depending on the
  type of host file degradation can occur.
• Example replace the least significant bits (LSB)
  of an image. The human eye may not be able to
  detect it. Now if the hidden message is large
  and we change the 5 LSB bits of an image a human
  eye will probably notice the poor quality of the
  image.

16
Steganography Generate New File

• Another possible solution is to generate the host
  file based on the hidden message we want to
  transmit.
• For example assuming the message can be read by
  taking every 4th letter starting with 2nd. You
  can create the following
• tHey wIsh a Bold Ones Back (HIBOB)
• You get the idea I am not very creative at
  making examples ?

17
Steganography - Links

• http//members.tripod.com/steganography/stego.html
  
• http//www.jjtc.com/Steganography/
• http//www.cotse.com/tools/stega.htm