what is encryption

What is Encryption? תשס"ט

What is Encryption ?

Encryption (enciphering) transforms original information (plaintext) into cipher text (cipher)

The transformed information is called cryptogram

The technique or rules used for encryption are calledencryption algorithm

Encryption provides:

the Confidentiality (keep the information confidential)

the Integrity (keep the accuracy of the information)

the Authenticity (information comes from an authentic source) of a message

Two Basic Types of Encryption

Transposition Ciphers

rearrange the order of the bits or the characters

NUCLEAR → LUCNARE

Substitution Ciphersreplace the actual bits or the characters

with substitutes (next letter in the alphabet) NUCLEAR → OVDMFBS

A Bible Cipherא-ת-ב-ש

a substitution cipher

איך נלכדה ששך, ותתפש תהלת כל הארץ נ"א, מ"א( )ירמיהו

ששך = בבל

Julius Caesar EncryptionA substitution cipher

Susceptible to frequency analysis and brute force attacks

The Vigenère Cipher

French diplomat of the 16th century who invented a substitution cipher using a keyword

Yet easy to crack using the frequency analysis technique

The Enigma MachineA substitution cipher using a set of rotating wheels

Used in WW II by the Germans (U-Boote) and the Japanese

Code was cracked by the Allies in 1941(Alan Turing & Polish mathematicians)

Poor assumption: letters in plain text should not be substituted for the same letter in cipher text

The Protagonists

Alice (wants to talk securely with Bob)

Bob (Alice’s friend)

Eve (eavesdropping the conversation)

Mallory (a malicious person)

Plain text: Bob → Alice “I love you”Cipher text: Nkn → Mgsbc “S gktc wky”

In “Real” Life: Who Are Alice & Bob ?

Web browser/server for electronic transactions (credit cards etc.)

On-line banking applications Routers exchanging tables updates Corporate VPN (virtual private network) E-mails B2B or B2U Wireless connections to the network

There are bad guys out there

What can they (Eve and Mallory) do ?

Eavesdropping (intercept the message)

Spoof the message (faking source or content)

Hijack the communication (insert himself)

Denial of Service (overloading resources)

Sniffing (Packet Analyzing)

Sniffers can capture the packets across the network and analyze their content

Spoofing

Receiver “A” can’t tell if source is spoofed

Modern Ciphers

Four cryptographic primitives:

1. Random number generationused to generate keys

2. Symmetric encryption (private keys) same secret key is used to encrypt and decrypt information

3. Asymmetric encryption (private/public keys)two keys are used: a public key and a private key, each user has both a public key (published) and a private key (secret), public and private key are mathematically related:encrypt with sender’s private key, decrypt with sender’s public key encrypt with recipient’s public key, decrypt with recipient’s private key

4. Hash functionstakes a message of any size and computes a smaller fixed-size message called a digest (used to store passwords and signatures)

Symmetric Key Algorithms

2 types of algorithms used

Stream Cipher: plain text is processed as a stream of data

Block Cipher: plain text is processed through blocks with additional measures to avoid repeating blocks

Diffie-Hellman Shared Symmetric Key Before 1975, all encryption forced the sender and receiver to have the same key

If a thousand users had to share secrets with each other, using a secret-key system, they needed half a million shared-keys (1000 x 1000) / 2 = 500’000 keys

Diffie-Hellman proposed in 1975 a way to exchange secret keys across an unsecured communication channel

How does it work ? First assume that everybody has a three-liter bucket of yellow paint (the shared public encryption key)

If Alice and Bob want to agree on a secret key, each of them adds one liter of their secret color to their own bucket (Alice: pink, Bob: red)

Finally, Alice takes Bob’s mixture and add her secret color and Bob takes Alice’s mixture and adds his own secret color

Alice ends up with yellow + pink + red and Bob with yellow + red + pink in his bucket (the shared secret encryption key)

We have confidentiality but not authentication (everybody has a yellow color bucket)

Asymmetric Keys (public & private)

Encrypting with private key, decrypting with public key provides

authenticity without confidentiality (anyone can access the public key)

Encrypting with public key, decrypting with private key providesconfidentiality without authenticity (anyone can access the public key)

Solution: use a mixture of both (double encryption) for the digital signature and the public key for the message (confidentiality)

Public Key Cryptography

RSA Algorithm For Key Generation Based on large prime numbers:

1. Choose two large prime numbers p, q2. Compute n = pq and z = (p - 1)(q - 1)3. Choose e (e < n) that has no common factors with z

(e and z are relatively prime)4. Choose d such that ed – 1 is exactly divisible by z

i.e. ed (mod z) = 15. Public key KB

+ is (n,e) ; private key KB- is (n,d)

6. Encrypt m with c = me (mod n)7. Decrypt c as m = cd (mod n)

This works because: m = [me (mod n)]d (mod n)

Example of RSA Key Generation

Bob chooses p = 5 and q = 71. then n = 5 * 7 = 35 and z = (5-1)*(7-1) = 242. e = 5 (relatively prime to z)3. d = 29 (ed-1 = 144 exactly divisible by z)4. encrypt the letter l (m = 12):

me = 125 = 248’832c = me (mod n) = 248’832 (mod 35) = 17

5. decrypt (c =17):m = cd (mod n) = 1729 (mod 35) = 4.819686 *1035 (mod 35) = 12

Receiver’s public key

Sender’s public key

` `

Sender’s private key

Receiver’s private key

InternetSenderAlice

ReceiverBob

Get the re

ceiver’s public key

Get the sender’s public key

Encrypt the entire message using the receiver’s public key

Encrypt the signature with the sender’s private key and the receiver’s public key

Signature is double encrypted to ensure confidentiality & authentication

Some Useful Acronyms DES: Data Encryption Standard (60’s – 70’s), improved with triple DES (IBM 1978)

Diffie & Hellman: algorithm for key exchange (1976)

Kerberos: authentication mechanism using authentication and ticket granting server

RSA: Rivest, Shamir & Adleman algorithm, using large prime numbers for the generation of the keys (1982)

X509: International Standard for Certificates (1988)

FIPS140-2: Federal Information Processing Standard (2001)

AES-256: Advanced Encryption Standard (2002), a sophisticated block cipher algorithm

PKI: Public Key Infrastructure

TLS: Transport Layer Security, used for secure Web connections

IPsec: Protocol suite based on IP and encryption standards for use in VPN

IBE: Identity Based Encryption, a simplified method for B2U E-mail encryption

S/MIME: (Secure Multipurpose Internet Mail extensions), for B2B E-mail encryption

PGP: (Pretty Good Privacy), for B2B and B2U E-mail encryption

Some Israeli Cryptographers

Prof. Adi Shamir (Weizmann Institute)

Prof. Dan Boneh (Stanford University)

SSL (Secure Sockets Layer) & TLS (Transport Layer Security)

TLS provides connection securityensuring that the connection is both encrypted and authenticated

Counterparty’s identity is authenticatedusing asymmetric keys

Exchange of the secret symmetric session key is secure

No attacker can modify the negotiated communication without being detected

The SSL Handshake

Certificate Authority (CA) Repository of public keys used for

encrypted connections

Certificate Sample

E-Learning uses TLS

Aventail uses TLS (access the VPN)

Yet another way to access the VPN:Two-Factor Authentication (PIN + Token)

VPN uses IPsec, TLS and RSA

E-mail & Web Security Appliance

Enables to send encrypted E-mails toa particular destination using TLS

ePO server - agent communication uses digital signature(self-signed certificates)

ePO Agent

Hos

t Com

plia

nce

Ant

i-Viru

s

Ant

i-Spy

war

e

Des

ktop

FW

Hos

t IPS

NA

C

Hos

t DLP

Rem

edia

tion

ePOManagementConsole

NetworkVM

SecureGateway

Network IPS

Data LossPrevention

Total Protection…futuretechnologies

ComplianceReporting

HostCompliance

Remediation

Endpoint Device Encryption

Device encryption for PC/Laptop Device encryption for PDA’s Device encryption for Tablet PC

Uses FIPS 140 certified AES-256 algorithm

Encrypted USB Manager

Uses FIPS140-2 certified AES-256 encryption

Wireless 802.11b (Wi-Fi)

Uses radio frequencies (2.4 GHz) Transmission speed 5.5 Mbps (new 54 Mbps)

WEP (Wired Equivalent Privacy) uses a shared key between the mobile station and the base, but has security loopholes

IEEE 802.11i addresses the WEP weaknesses, uses AES and block cipher to encrypt the wireless communication

IronMail from Secure Computing

Policy-Based Protection for Outbound Messages

Business-to-Business (B2B) Encryption – SSL/TLS: Secure Sockets Layer – S/MIME: Secure Multipurpose Internet Mail Extensions – OpenPGP: Pretty Good Privacy for businesses

Business-to-Users (B2U) Encryption– Secure Mail Encryption / Push : attachment with password– Secure Mail Encryption / Pull : mail is in a secure Web site– Voltage IBE Server: Identity Based Encryption– PGP Universal: Pretty Good Privacy for private users

IronMail Compliance Server

World War III via Encrypted E-mail