Académique Documents
Professionnel Documents
Culture Documents
INTRODUCTORY COURSE
BCSE - WHITEHAT
Slide 2
Cryptography
Slide 3
Content
1. Introduction to encryption
2. Methods of encryption
3. Public key infrastructure (PKI) and
digital signature
4. Standards and encryption protocols
Today, with appearance of computer, written documents and important information has been
digitized and handled on the computer, transmitted in an environment defaulted is not safe.
Therefore, requiring a mechanism and solution to protect the safety and private of sensitive and
important information is more and more imperative. Encryption is the solution to solve all
above problems.
Present example in advance, followed by definition
So, What is encryption?
Slide 4
Introduction to encryption
Definition
(Cyphertext)
Introduction to encryption
Denifition:
Sender/Receiver
Plain text (clear text)
Cipher text/Cypher text
Encryption/Decryption
Key
Algorithm
Important terms needs to understand when learning about field of encryption, including:
Sender/Receiver: Sender/Receiver shall appear in a communication system with the use of
encryption
Plain text: means document in understandable (readable) manner before encrypting and after
decrypting.
In contrast, Cipher text or ciphertext is documents in a incomprehensible manner
Encryption is an encryption process or a process transferring plain text to corresponding
ciphertext
In contrary to Encryption, Decryption is process transferring the ciphertext to original plain text
Key is a key word used during the encryption and decryption
Algorithm: includes 02 concepts of encryption algorithm and decryption algorithm, is set of
rules associated with the use of keys to switch back and forth between plaintext and ciphertext
These are basic concepts when saying encryption, detailing about the terms shall be clarified
when delving into the next contents of this lecture
Slide 6
Introduction to encryption
Mục đích: mã hóa nhằm đảm bảo:
Confidentiality: The data is not seen by third
party
Intergrity: The data is not changed during the
transmission
Authentication: verify origin of information
Non-repudiation: is a mechanism ensuring
those who implemented action cannot deny
such action.
As stated from the beginning, encryption is a solution in order to solve the requirements of
security and confidentiality of the data transmitted in the communication session, thus
Basic targets of encryption include:
Confidentiality: encryption ensures that content of data is hidden inside a communication
session or transaction session, not be seen by third party.
Integrity: Encryption ensures that data can only be affected by the competent or not be
intervened to change contents by third party
Accuracy: Encryption helps confirm the source of the information. I would like to give an
example as follows: when the transaction still is only exchanged through paper, the exchange of
documents that Mr. a gives to Mr. b, for the information society using electronic transaction, is
difficult to confirm where information comes from, encryption shall solve this problem
Nonrepudiation: is a mechanism ensuring those who implemented action cannot deny such
action.
Slide 7
Introduction to encryption
For
Gaius Julius Caesar
example:
H E L LO
Plain text H E L LO
Encryption
Cipher text C Z G G J
Decryption
Plain text H E L LO
Content
1. Definition
2. Methods of encryption
3. Standards and encryption protocols
4. Public key infrastructure (PKI) and
digital signature
Thus, we has had a quick overview about encryption, understood basic concepts inside one
encryption system.
Now, we shall learn together an important part of encryption systems. These are encryption
methods or encryption algorithm.
Slide 9
Methods of encryption
Hash
Symmetric encryption
Asymmetric encryption
Typically, the encryption system is divided into two types: symmetric encryption system (or
private encryption system) and asymmetric encryption system (or public encryption system)
Corresponding to the encryption system is the methods or encryption algorithms, including
Symmetric encryption system algorithms correspond to the private encryption system
Asymmetric encryption system algorithms correspond to public encryption system
Besides, hash algorithms, also known as the hash function used in electronic signatures or
public encryption system.
Slide 10
Methods of encryption
Hash
- Hash transfers head any
chain into chain with fixed
length
- Purpose: use to check
integrity of data
- Feature::
• Is one-way function
• Clashed
First of all, we are going to clarify the concept of hash function together:
Taking a variable length chain, the hash function has obligation to transform such chain into a
fixed-length chain (called a hash value).
As stated, in the electronic communication session, information transmitted in an environment
defaulted is not safe, so how to take part in by parties, namely the sender and the receiver can
ensure the integrity of the information (i.e., ensuring that the information is not altered in
transmission). A hash function is a solution to solve the problem.
Present the example
A hash function is used for the primary purpose: to check the integrity of the data, the data
after processing through the hash algorithm called a hash value. Fixed length of this hash value
depends on the hash algorithm, but not depending on the input data.
Characterization of hash function:
Is a one-dimensional function: i.e., from a hash value cannot infer original text.
Clashed: this nature is caused by activity principles of hash function. Because hash value has
fixed length, space of hash value is finite, at that time, and then there exists the ability to
appear 2 input strings producing 01 hash value.
A strong hash function is generated on the basis of difficult one-dimensional trap problem, in
other words, there has no solution or take a long time to get answers, besides combining with
the full-length hash value to ensure a non-collision of a hash function.
Slide 11
Methods of encryption
Hash:
Hash will be sent with the
data, the receiver will use
hash algorithm to create
new hash.
with attached hash value.
Accordingly, verify that
whether data is changed
during the transmission.
We return together to the previous example, after initial processing of hash, the hash shall be
sent with the original.
After receiver have been received the original with its hash value, the receiver shall use the
same hash algorithm with sender to calculate the hash value of document received, and then
compare the hash value attached to the original. Accordingly, we can define whether the data
have been modified during transmission.
Slide 12
Methods of encryption
hash) – (Cont.):
Some hash algorithms
MD5 (Message Digest 5): hash value of 128
Methods of encryption
bits
SHA-1 (Secure Hash Algorithm): hash value
of 160 bits
Currently, there exist a lot of different hash algorithms, however, two algorithms are evaluated
with high reliability to being widely used as MD5 and SHA-1 by ensuring the high non-collision
and decryption or the hash function is a difficult problem.
Slide 13
Methods of encryption
Problems with MD5 and SHA-1
MAC – Message Authentication Code
HMAC–MD5
HMAC–SHA-1
MD5 is an improved version of MD4 hash function given by Ronald Rivest in 1991. The hash
function uses the hash value with length of 128bits
SHA-1 is given by National Security Agency in 1995 (the previous version is SHA-0 given in 1993)
and considered to be standard to process Federal information of USA. This hash function uses
the hash value string with length to 160bits.
The decryption of the hash function can be regarded as impossible, SHA-1 is a example, in 2005,
a group of experts at Shandong University (China) declared how to exploit SHA-1 with 2^69 tests
that exploits 200 times as fast as the previous 2^80 tests.
Thus, to complete the implementation of 269 tests will take 1,757 x 8 = 14056 days (~ 38 years
and a half) or the number of computers is necessary to mobilize 331,252 x 8 = 2650016
computers
Slide 14
Methods of encryption
Symmetric encryption
- Using code locks is related equally key key
- Dividing into small types:
+ Stream cipher
+ Lock cipher
The second encryption method is going to be presented which is symmetric encryption method
The symmetric encryption algorithm, also known as private encryption algorithm, but the
algorithm using code locks is related equally together (usually both processes of encryption and
decryption are exactly the same.)
The encryption algorithm can be divided into stream cipher and block cipher
Stream cipher shall encrypt all bits of a message once only
While block cipher splits a message into blocks, each of block contains certain fixed bit, and
then encrypt them into each a separate unit.
Methods of encryption
Symmetric encryption
Use the same to encrypt and decrypt
Types
DES (Data Encryption Standard): 56 bits key
3DES (Triple DES ): 168 bits key
AES (Advanced Encryption Standard): 128, 192, 256
bits key.
As presented, block cipher algorithm is belong to the private encryption algorithm, also known
as symmetric encryption algorithm, we use the same a lock for both processes, outstanding
algorithms have been developed such as
DES uses code lock with the length of 56bits
3DES is the extended algorithm of DES used in connection with 03 consecutive DES cycles helps
to increase the security with lock lengths up to 168bits.
Advanced AES data encryption standard is private lock code system allowing to process the
input data block with size of 128 bits, using locks with length of 128, 192 or 256 bits
Because 01 clock used jointly, pp can attack exhaustively -> so, management and lock exchange
are very important problem to be solved.
Slide 16
Encryption algorithm
DES algorithm
16 16
As DES is an example, we shall analyze DES algorithm together for purpose of understanding
way in which a block cipher operates.
In the late 60s, Lucifer code system was given by Horst Feistel. Then, US Standards
Commission agreed to develop it into a data encryption standard and announced on 02.15.1977
DES is a encryption algorithm containing input and output are 64bits
Lock is 64 bits, but having 8 bits for odd- even examination, remaining 56bits. Therefore, lock
space is 2^56.
Slide 17
Encryption algorithm
DES algorithm
Elements::
- subset key
- F function
- Initial Permutation
17 17
Encryption algorithm
DES algorithm
- f function:
18 18
As mentioned, f function plays an important role in DES; this function appears in each cycle of
DES.
Input is a block of 32 bits, given to extended function of E to get block of 48bits
Then, collected block shall implement XOR bit with small block generated via K generating set.
Result block shall continue passing a S-Box black box to get output of 32 bits, currently, there
exists many disputes about operation of S-Box, it is said that S-Box is key to increase the safe of
DES.
Slide 19
Encryption algorithm
DES algorithm
• Assessment:
- ensure basic principles of a block cipher, including: The
length of key is large enough to ensure that decryption is
a difficult problem, the dependence of code on the
information is a nonlinear.
19 19
DES is considered to be data encryption standard of UAS announced by United States Standards
Committee on February 15th, 1977. DES has ensured basic principles of a block cipher, including:
The length of key is large enough to ensure that decryption is a difficult problem
The dependence of code on the information is a nonlinear, this is guaranteed by operation
manner of f function, particularly is above mentioned E extended function.
Besides, DES has still several limitations such as:
Addition: (x = 010011 with the addition as x’=101100), this makes key space is reduced a haft
compared to key space at normal state.
DES contains 08 weak key pairs, in other words the key when using to encrypt makes code
exactly identical to original information or also known as making the information is exposed DES
Therefore, in fact, one does not use separate DES, normally combines many consecutive times
of DES encryption such as 3DES, or Cipher Block Chaining –CBS, k-bit Cipher Feedback Mode…
Slide 20
Methods of encryption
Asymmetric encryption
Public Private
key key
Among private block ciphers, if we know how to unlock and how to decrypt quickly the
encryption function (multi real time). Besides, the symmetric encryption algorithm in general
always exist weaknesses. It is when the number of user increases, the number of key also
increase, for example, for n users, the number of key that must manage shall be n*(n-1)/2
leading to the difficulty of management. And, this code also cannot be applied in the field of
electronic commerce (as service with the most important demand for encryption in the present)
Therefore, in 1975, Diffie and Hellman, in a study works, proposed ideas on development of
code system operating under new principles, associated to in transmission side as opposed to
transmission pairs.
Slide 21
Methods of encryption
Asymmetric Encryption
Key that uses to encrypt and decrypt is different
There are 02 types of key
Private key: keep separately
Public key: give the publicity
Meaning
Encryption
Digital signatures
The encryption system generated according to this principle is called as asymmetric encryption
system; their basic principle is each user shall own a key pairs (private and public) using for the
encryption and decryption.
Public key encryption system overcomes the limitations of private key encryption system,
increases the safe in key management, and be able to apply to small areas of electronic
commerce such data encryption, supply of digital signatures
Slide 22
Methods of encryption
Asymmetric encryption
We are going to present together on basic operation model of public key encryption system or
asymmetric encryption system:
You can see an example on the slide:
Alice wants to send message to Bob, when
Somehow Alice have to (be able to call directly to Bob, or through competent key manager of
Bob) contact to Bob for purpose of getting public key of Bob (Bob must create his previous key
pairs, of course)..
Alice shall use this key, combining with a public key encryption algorithm to change the message
into cipher text
This cipher text, currently, can transmit on all public transmission, but its confidentiality is still
guaranteed.
When Bob receives the cipher text, he shall use private key stored, combining with decryption
algorithm corresponding to the encryption algorithm that Alice used to decrypt.
Slide 23
Methods of encryption
Asymmetric encryption
algorithms:
RSA (Ron Rivest, Adi Shamir, Leonard
Adleman)
DSA (Digital Signature Standard)
Diffie-Hellman (W. Diffie and Dr. M. E.
Hellman)
Besides encryption algorithm, other algorithms such as DAS as algorithm for purpose of
signature and Diffie-Hellman as algorithm for purpose of crating and exchanging the key.
Slide 24
Methods of encryption
RSA (Ron Rivest, Adi Shamir, Leonard Adleman)
Select p,q prime
Calculating n =p*q
plaintext m
Calculating Φ(n) = (p-1)(q-1)
To the extent of the program, we will learn the operation of the RSA algorithm as the typical
algorithm of public key encryption system,
RSA is an abbreviation of three authors designed it (Ron Rivest, Adi Shamir, Leonard
Adleman).This is the most famous encryption algorithm and also the most practical application.
To install RSA, first, each person uses public key and private key itself by:
Selecting randomly 02 different large prime numbers p and q
Calculating n = p*q, m = (p - 1)*(q - 1)
Selecting an e is smaller m so that e and m is co-prime, e is called encrypting exponent
Finding d inversion of e on m module, d is called the decrypting exponent
Accordingly, we has public key: (e, n)
Private key: (d, p, q)
Use of RSA:
The message is expressed as the number x, the cipher text is calculated by the expression c = x ^
e (mod n)
Decryption process: x = c^d (mod n).
The safe of RSA: The safe of RSA depends on the difficulty of calculating m, this is the problem
analyzing large integer into prime number (a difficult problem in mathematics)
Currently, there have no optimal solution, so RSA is safe in the current period.
To promote RSA, during encryption and decryption, one uses two additional algorithms known
as the extended eclipse algorithm to find the d inverse of e and multiplication algorithm for
multiplying two large integers when calculating c or x.
Slide 25
Content
1. Definition
2. Encryption algorithms
3. Public key infrastructure (PKI) and
digital signature
4. Standards and encryption protocols
Digital signature
Before learning public key infrastructure, we shall learn what is digital signature and how do
signing process take place.
In fact, we need to sign a text in case we want reader later to know that such text was approved
or issued by itself. This demand also exists in electronic transactions and electronic signatures
are generated to satisfy it. In some aspects, digital signatures perform a lot better than the real
signature. Electronic signatures are more difficult to fake and it also allows reader text can be
sure that after signing, the text has not been changed.
Looking at the pictures, we shall see the number sign is divided into 2 parts:
Sign and Verify
Sign: Data is initially passed the hash function, and we shall obtain hash value (Summary value).
Then, this data will be encrypted to open private key of sender. => Results of encrypted hash +
public key of sender form 01 element called digital signature. This digital signature is attached to
document that sender wants to send.
Verify: Data signed book shall be divided into two parts by the receiver, one is document and
one is data block of "Digital Signature", the "Digital Signature" will be decrypted with the public
key of the sender obtaining decryption value, this value will be compared with the obtained
value when the document that has been received from the sender passes a respective hash
function. If == means the document has not been changed, otherwise means have been
changed (Meet one-way hash function property)
Thus, one question is how the receiver to verify that such public key belongs to person that the
receiver wants to send?
It is one part of the PKI tasks that we will learn instantly. Safe exchange of public key is taken
responsibility by the PKI system
Slide 27
27
Referring again to four problems that should be solved in problem of secure transaction data
safety
• Who is trading? (Authentication)
• Information that is sent has been eavesdropping? (Private)
• The received data has been modified or not? (Integrity)
• Refusing to act made. (Anti-rejection)
Do the safe password measures ensure the confidentiality and integrity of data?
For use of key pair in the transaction process, who will verify that Mr. A is the owner of such key
pair?
And those who receive transaction information received right information from the right
person who they are trading?
It is necessary to have a trusted third-party in order to certify that a pair of keys belongs to an
identical subject.
Slide 28
28
Full definition of PKI as follows: PKI is a secure infrastructure, including: objects of hardware and
software, people, policies, and procedures that need to create, management, storage,
distribution and retrieval of digital certificates, using public key encryption system to provide
security services for online transactions. - According to wikipedia.
However, we can summarize briefly like this:
PKI is a system to give each person one (or some) public key and answer three questions about
the public key: whose is key? What are its functions? Expire date? So, the public key of each
person will be attached to a person's digital certificate and is created, distributed and managed
by the PKI system.
Slide 29
29
So, when using PKI infrastructure, we will have to trust the third party issuing such certificate.
Model believing the third party is called “Trust model”
Composition issuing digital certificate is called CA: Certificate Authority
And as we have mentioned, a PKI as 1 infrastructure architecture containing components: ... we
will learn instantly
Slide 30
30
CA:
– Create, issue and revoke digital certificates. Create and issue the CRL.
– Manage all aspects (lifetime) of the digital certificate after issuance.
RA:
– Perform management tasks (on behalf of the end user to initialize the processes of issuance
and revocation of certificates,)
– Perform tasks related to the registration of last entity (individual identification)
Client
– Users, devices, using digital certificates - relying party
– Owner owns digital certificate (subscriber) - end entity.
– Software (fat-client, thin client, applet, DLL, library…).
Slide 32
Public Key Infrastructure - PKI is a secure infrastructure of network, using public key encryption
system to provide security services for online transactions.
· PKI provides a framework for implementing safe services (security) based on public key
encryption system.
· Same as above is some popular PKI models
§ The first is 1 CA and end user model
§ The second model is stratified CA
Slide 33
Certificate?
Data structure containing information of owner
such as full name, email
We have understood what is a PKI infrastructure?, what is its function?, what are components
like? etc. But there is one concept that we have not mentioned. It is a digital certificate? Also
known as Certificate. What is it? How to generate it by CA? And what standards must comply
with?
Digital certificate is a data structure containing information of owner such as the owner's full
name, email, ... and an important component of which is the public key of certificate holders,
this component is very important because it helps others can check their signature.
Based on the standardized data structure of a certificate, the certificate is divided into several
categories that correspond to the standards such as X.509 public-key certificate, SPKI
certificate,..
Slide 34
Certificate X.509 ?
- Data structure signed by CA in accordance
with X. 509 standard
- Indentification information for a certain
person, organization and equipment
Certificate X.509 ?
We have understood what is a PKI infrastructure?, what is its function?, what are components
like? etc. But there is one concept that we have not mentioned. It is a digital certificate? Also
known as Certificate. What is it? How to generate it by CA? And what standards must comply
with?
Digital certificate is a data structure containing information of owner such as the owner's full
name, email, ... and an important component of which is the public key of certificate holders,
this component is very important because it helps others can check their signature.
Based on the standardized data structure of a certificate, the certificate is divided into several
categories that correspond to the standards such as X.509 public-key certificate, SPKI certificate,
Creation process is completed in CA. If the public key is not generated by the CA, the public key
must be safely transferred to the CA to put on the certificate. When the pair of keys and
certificates that have been created, they must be appropriately distributed to subscriber.
Distribution of keys and certificates depends on several factors: location of key generation, use
purpose of the certificate, and the constraints on the function or policy.
Revoke: concluding a certificate (and the corresponding private key) is no longer valid and is
included in the CRL. ... reasons: doubting the disclosure the private key, changing the job status
Renew / Change key: is the process automatically generating a new key pair and issuing
respective certificate in case the legal key pair is about to expire.
Suspend/restore: is usually recovery, and then granting entirely new certificate, but now PKI
technology has developed the protocol allowing to suspend/restore temporarily the key pair:
CMP, XKMS
Slide 37
Content
1. Definition
2. Encryption algorithms
3. Public key infrastructure (PKI) and
digital signature
4. Standard and encryption protocols
The next, we are going to learn about: standards and encryption protocols being used widely
Slide 38
Ptotocols
Layer 2:L2F, PPTP, L2TP
Layer 3: IPSec
Layer 4: SSL
Layer 7: HTTS, SSL,
S/MIME
Function of IPSec.
Some major protocols are encouraged to use when working with IPSec.
IP Security Protocol (IPSec)
+ AH (Authentication Header)
+ ESP (Encapsulation Security Payload)
Encryption of Message
+ DES (Data Encryption Standard)
+ 3 DES (Triple DES)
Integrity of Message
+ HMAC (Hash – ased Message Authentication Code)
+ MD5 (Message Digest 5)
+ SHA-1 (Secure Hash Algorithm -1)
Peer Authentication
+ Rivest, Shamir, and Adelman (RSA) Digital Signatures
+ RSA Encrypted Nonces
Key Management
+ DH (Diffie- Hellman)
+ CA (Certificate Authority)
Security Association
+ IKE (Internet Key Exchange)
+ ISAKMP (Internet Security Association and Key Management Protocol)
Slide 42
Operation of IPSec
50
1) With the rapid development of technology has brought many benefits to users, but also
poses an urgent need for confidentiality and security. And SSL is currently the best solution to
meet those needs, and it is regarded as "the last shield" in the security of electronic commerce.
2) SSL solves the above problems. SSL solves the first problem by allowing one option, each
exchange party can be sure of the identity of the partners in one process called authentication.
Once the parties are authenticated, SSL provides one encrypted connection between two
parties to transmit securely messages. The encryption during the process of information
exchange between two sides provides the privacy, so it solves the second problem. Encryption
algorithm used with SSL including the encryption hash functions include similar to 1 checksum.
It ensures that data is not changed during transmission. Encryption hash function solves the 3 rd
problem, and the integrity of data. Please pay attention that, both authentication and
encryption are optional, and depend on the cipher suites (encoders) negotiated between two
objects.
Slide 51
SSL/TLS
TLS (Transport Layer Security ) and SSL are 2 protocols providing the
ability to security for data on the transmission
• SSL is a previous version of TLS. More specifically, SSL 3.0 is the basis of TLS
1.0, and therefore, occasionally known as SSL 3.1.
TLS 1.0 is safer than its previous version - SSL 3.0 - negligible. However, later
versions of TLS - 1.1 and 1.2 are a lot safer, and have overcome many
loopholes in SSL 3.0 and TLS 1.0.
SSL Change
SSL Handshake
Cypher SSL Aler Protocol HTTP
Protocol
Spec Protocol
TCP
IP
53
Client Hello
Server Hello
( SSL Version, Session ID,CipherSuite,
Compression Method,etc )
Server Hello
Done
Client Key
Exchange
Certificate
Verify
Change
cipher spec
Finished
Change
cipher spec
Finished
57
58
Divide layer
Compression
Add MAC
Mã hóa
61
Characteristics of HTTPS:
Characteristics of HTTPS:
HTTPS stands for "Hypertext Transfer Protocol Secure". It is a combination of HTTP protocol and
SSL security protocol or TLS protocol that allows exchanging information securely on the
Internet. HTTPS protocol is often used in sensitive transactions that need high security.
Operate in port 443
Supply of service must ensure the following elements:
Confidentiality: use encryption method to ensure that messages exchanged between the client
and server are not read by others.
Integrity: use hashing method, so that both client and server can believe that message received
by them is not lost or amended.
Authenticity: use digital certificates to help the client can trust that server/website being visited
by them is the server/website that they want to visit, and not been tampered with.
Slide 64
Modes of operation:
Client Server
Client Send Request
URL với https://
Send Certificate
Send Symmetic
key
Modes of operation:
1. The client sends a request to a secure page (URL begins with https: //)
2. Server shall return its certificate to the client.
3. Client sends this certificate to the CA (which is recorded on the certificate) to verify.
Assuming that the certificate has been authenticated and still is valid or the client access
intentionally, although Web browser warned the client not to trust this certificate (because the
form is the self-signed SSL certificate or certificate expires, information of the certificate is not
true ...), then, the following step 4 shall happens.
4. Client generates itself any symmetric encryption key, and then use the public key (of the
certificate) to encrypt this symmetric key and send to the server.
5. Server uses the private key (corresponding to the public key in the above certificate) to
decrypt the above symmetric key.
6. Then, both server and client use this symmetric key to encrypt/decrypt messages during the
communication session.
And of course, the symmetric key is randomly generated and may be different in each session
with the server. Other than encryption, hashing mode will be used to ensure the Integrity of
messages exchanged.