RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

ABSTRACT

Does increased security provide comfort to paranoid people? Or does security provide some very basic protections that we are naive to believe that we don't need? During this time when the Internet provides essential communication between tens of millions of people and is being increasingly used as a tool for commerce, security becomes a tremendously important issue to deal with. There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. One essential aspect for secure communications is that of cryptography, which is the focus of this report. Cryptography is where security engineering meets mathematics. It provides us with the tools that underlie most modern security protocols. It is the key enabling technology for protecting distributed systems. Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. The discussion will start with the history of cryptography. All 3 categories of cryptography viz. public key cryptography, secret key cryptography and hash function cryptography will be explored in detail. Emphaisi will be given on RSA, one of the public key cryptography algorithm.
.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

HISTORICAL BACKGROUND
Suetonius tells us that Julius Caesar enciphered his dispatches by writing D for A, E for B and so on . When Augustus Caesar ascended the throne, he changed the imperial cipher system so that C was now written for A, D for B, and so on. In modern terminology, we would say that he changed the key from D to C. The Arabs generalized this idea to the monoalphabetic substitution, in which a keyword is used to permute the cipher alphabet. We will write the plaintext in lowercase letters, and the ciphertext in uppercase, as shown in Figure 1. Artificial intelligence researchers have shown some interest in writing programs to solve monoalphabetic substitutions; using letter and digraph (letter- pair) frequencies alone. They typically succeed with about 600 letters of ciphertext, while-smarter strategies, such as guessing probable words, can cut this to about 150 letters. A human cryptanalyst will usually require much less.

Figure 1 Monoalphabetic substitution cipher.

PURPOSE OF CRYPTOGRAPHY
Cryptography is the science of writing in secret code and is an ancient art; the first documented use of cryptography in writing dates back to circa 1900 B.C. when an Egyptian scribe used nonstandard hieroglyphs in an inscription. Some experts argue that cryptography appeared spontaneously sometime after writing was invented, with applications ranging from diplomatic missives to war-time battle plans. It is no surprise, then, that new forms of cryptography came soon after the widespread development of computer communications. In data and telecommunications, cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis.

Within the context of any application-to-application communication, there are some specific security requirements, including:

Authentication: The process of proving one's identity. (The primary forms of host-tohost authentication on the Internet today are name-based or address-based, both of which are notoriously weak.) Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver. Integrity: Assuring the receiver that the received message has not been altered in any way from the original. Non-repudiation: A mechanism to prove that the sender really sent this message.

Cryptography, then, not only protects data from theft or alteration, but can also be used for user authentication. The initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext.

How does cryptography work?

A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a keya word, number, or phraseto encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. A cryptographic algorithm, plus all possible keys and all the protocols that make it work, comprise a cryptosystem. PGP is a cryptosystem.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

TYPES OF CRYPTOGRAPHIC ALGORITHMS
There are several ways of classifying cryptographic algorithms. For purposes of this report, they will be categorized based on the number of keys that are employed for encryption and decryption, and further defined by their application and use. The three types of algorithms that will be discussed are (Figure 1):

Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption Public Key Cryptography (PKC): Uses one key for encryption and another for decryption Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

SECRET KEY CRYPTOGRAPHY

With secret key cryptography, a single key is used for both encryption and decryption. As shown in Figure 1A, the sender uses the key (or some set of rules) to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key (or ruleset) to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key. Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit (byte or computer word) at a time and implement some form of feedback mechanism so that the key is constantly changing. A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher. Stream ciphers come in several flavors but two are worth mentioning here. Self-synchronizing stream ciphers calculate each bit in the keystream as a function of the previous n bits in the keystream. It is termed "self-synchronizing" because the decryption process can stay synchronized with the encryption process merely by knowing how far into the n-bit keystream it is. One problem is error propagation; a garbled bit in transmission will result in n garbled bits at the receiving side. Synchronous stream ciphers generate the keystream in a fashion independent of the message stream but by using the same keystream generation function at sender and receiver. While stream ciphers do not propagate transmission errors, they are, by their nature, periodic so that the keystream will eventually repeat. Block ciphers can operate in one of several modes; the following four are the most important:

Electronic Codebook (ECB) mode is the simplest, most obvious application: the secret key is used to encrypt the plaintext block to form a ciphertext block. Two identical plaintext blocks, then, will always generate the same ciphertext block. Although this is

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

the most common mode of block ciphers, it is susceptible to a variety of brute-force attacks. Cipher Block Chaining (CBC) mode adds a feedback mechanism to the encryption scheme. In CBC, the plaintext is exclusively-ORed (XORed) with the previous ciphertext block prior to encryption. In this mode, two identical blocks of plaintext never encrypt to the same ciphertext.

Cipher Feedback (CFB) mode is a block cipher implementation as a self-synchronizing stream cipher. CFB mode allows data to be encrypted in units smaller than the block size, which might be useful in some applications such as encrypting interactive terminal input. If we were using 1-byte CFB mode, for example, each incoming character is placed into a shift register the same size as the block, encrypted, and the block transmitted. At the receiving side, the ciphertext is decrypted and the extra bits in the block (i.e., everything above and beyond the one byte) are discarded.

Output Feedback (OFB) mode is a block cipher implementation conceptually similar to a synchronous stream cipher. OFB prevents the same plaintext block from generating the same ciphertext block by using an internal feedback mechanism that is independent of both the plaintext and ciphertext bitstreams.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

PUBLIC-KEY CRYPTOGRAPHY
Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key's owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key. This cryptographic approach uses asymmetric key algorithms, hence the more general name of "asymmetric key cryptography". Some of these algorithms have the public key / private key property, that is, neither key is derivable from knowledge of the other; not all asymmetric key algorithms do. Those with this property are particularly useful and have been widely deployed and are the source of the commonly used name.

HOW DOES IT WORK?

The public key is used to transform a message into an unreadable form, decryptable only by using the (different but matching) private key. Participants in such a system must create a mathematically linked key pair (i.e., a public and a private key). By publishing the public key, the key producer empowers anyone who gets a copy of the public key to produce messages only he can read -- because only the key producer has a copy of the private key (required for decryption). When someone wants to send a secure message to the creator of those keys, the sender encrypts it (i.e., transforms it into an unreadable form) using the intended recipient's public key; to decrypt the message, the recipient uses the private key. No one else, including the sender, can do so. Thus, unlike symmetric key algorithms, a public key algorithm does not require a secure initial exchange of one, or more, secret keys between the sender and receiver. These algorithms work in such a way that, while it is easy for the intended recipient to generate the public and private keys and to decrypt the message using the private key, and while it is easy for the sender to encrypt the message using the public key, it is extremely difficult for anyone to figure out the private key based on their knowledge of the public key. They are based on mathematical relationships (most notably the integer factorization and discrete logarithm problems) which have no efficient solution. The use of these algorithms also allows authenticity of a message to be checked by creating a digital signature of a message using the private key, which can be verified using the public key.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

Public key cryptography is a fundamental and widely used technology. It is an approach which is used by many cryptographic algorithms and cryptosystems. It underpins such Internet standards as Transport Layer Security (TLS) (successor to SSL), PGP, and GPG. The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keysa public encryption key and a private decryption key. The publicly available encrypting-key is widely distributed, while the private decrypting-key is known only to the recipient. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but parameters are chosen so that determining the private key from the public key is prohibitively expensive. The discovery of algorithms that could produce public/private key pairs revolutionized the practice of cryptography beginning in the middle 1970s. In contrast, symmetric-key algorithms, variations of which have been used for thousands of years, use a single secret keywhich must be shared and kept private by both sender and receiverfor both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.

The two main branches of public key cryptography are:

Public key encryption: a message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private keypresumably, this will be the owner of that key and the person associated with the public key used. This is used for confidentiality.

Digital signatures: a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender had access to the private key (and therefore is likely to be the person associated with the public key used), and the part of the message that has not been tampered with. On the question of authenticity, see also message digest.

An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender. A central problem for use of public-key cryptography is confidence (ideally proof) that a public key is correct, belongs to the person or entity claimed (i.e., is 'authentic'), and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs. PGP, in addition to a certificate authority structure, has used a scheme generally called the "web of trust", which decentralizes such authentication of public keys by a central mechanism, substituting individual endorsements of the link between user and public key. No fully satisfactory solution to the public key authentication problem is known.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY HASH FUNCTION CRYPTOGRAPHY

Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key . Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file. One way hash function A one-way hash function takes variable-length inputin this case, a message of any length, even thousands or millions of bitsand produces a fixed-length output; say, 160 bits. The hash function ensures that, if the information is changed in any wayeven by just one bit an entirely different output value is produced. PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a message digest. Then PGP uses the digest and the private key to create the signature. PGP transmits the signature and the plaintext together. Upon receipt of the message, the recipient uses PGP to recompute the digest, thus verifying the signature. PGP can encrypt the plaintext or not; signing plaintext is useful if some of the recipients are not interested in or capable of verifying the signature. As long as a secure hash function is used, there is no way to take someones signature from one document and attach it to another, or to alter a signed message in any way. The slightest change to a signed document will cause the digital signature verification process to fail.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

CHARACTERISTICS OF HASH FUNCTION A hash function is a function that takes some message of any length as input and transforms it into a fixed-length output called a hash value, a message digest, a checksum, or a digital fingerprint. A hash function is a function f : D ->R, where the domain D = f0; which means that the elements of the domain consist of binary string of variable length; and the range R = f0; 1gn for some n _ 1, which means that the elements of the range are binary string of fixed-length. So, f is a function which takes as input a message M of any size and produces a fixed-length hash result h of size n. A hash function f is referred to as compression function when its domain D is finite, in other word, when the function f takes as input a fixed-length message and produces a shorter fixed-length output. A cryptographic hash function H is a hash function with additional security properties: 1. H should accept a block of data of any size as input. 2. H should produce a fixed-length output no matter what the length of the input data is. 3. H should behave like random function while being deterministic and efi ciently reproducible. H should accept an input of any length, and outputs a random string of fixed length. H should be deterministic and efficiently reproducible in that whenever the same input is given, H should always produce the same output. 4. Given a message M, it is easy to compute its corresponding digest h; meaning that h can be computed in polynomial time O(n) where n is the length of the input message, this makes hardware and software implementations cheap and practical. 5. Given a message digest h, it is computationally difficult to find M such that H(M) = h. This is called the one-way or pre-image resistance property. It simply means that one should not be capable of recovering the original message from its hash value. These properties are required in order to prevent or withstand certain types of attacks which may render a cryptographic hash function useless and insecure. In addition to producing a \digital _ngerprint" of a message M that is unique and to providing strong collision resistance, a cryptographic hash function should also be highly sensitive to the smallest change in the input message. Such that a change, as small as a single digit, in the input message should produce a large change in the hash value of the message. Note that a message in this context can be a binary text file, audio file, or executable program. The security of the hash function does not originate in keeping the hash function itself secret but comes from its ability to produce one-way hash values alongside with the property of being collision-free.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

Certain extensions of hash functions are used for a variety of information security and digital forensics applications, such as:

Hash libraries are sets of hash values corresponding to known files. A hash library of known good files, for example, might be a set of files known to be a part of an operating system, while a hash library of known bad files might be of a set of known child pornographic images.

Rolling hashes refer to a set of hash values that are computed based upon a fixed-length "sliding window" through the input. As an example, a hash value might be computed on bytes 1-10 of a file, then on bytes 2-11, 3-12, 4-13, etc.

Fuzzy hashes are an area of intense research and represent hash values that represent two inputs that are similar. Fuzzy hashes are used to detect documents, images, or other files that are close to each other with respect to content. See "Fuzzy Hashing" (PDF | PPT) by Jesse Kornblum for a good treatment of this topic.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY WHY THREE ENCRYPTION TECHNIQUES?

So, why are there so many different types of cryptographic schemes? Why can't we do everything we need with just one? The answer is that each scheme is optimized for some specific application(s). Hash functions, for example, are well-suited for ensuring data integrity because any change made to the contents of a message will result in the receiver calculating a different hash value than the one placed in the transmission by the sender. Since it is highly unlikely that two different messages will yield the same hash value, data integrity is ensured to a high degree of confidence. Secret key cryptography, on the other hand, is ideally suited to encrypting messages, thus providing privacy and confidentiality. The sender can generate a session key on a per-message basis to encrypt the message; the receiver, of course, needs the same session key to decrypt the message. Key exchange, of course, is a key application of public-key cryptography (no pun intended). Asymmetric schemes can also be used for non-repudiation and user authentication; if the receiver can obtain the session key encrypted with the sender's private key, then only this sender could have sent the message. Public-key cryptography could, theoretically, also be used to encrypt messages although this is rarely done because secret-key cryptography operates about 1000 times faster than public-key cryptography. Figure 2 puts all of this together and shows how a hybrid cryptographic scheme combines all of these functions to form a secure transmission comprising digital signature and digital envelope. In this example, the sender of the message is Alice and the receiver is Bob.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

A digital envelope comprises an encrypted message and an encrypted session key. Alice uses secret key cryptography to encrypt her message using the session key, which she generates at random with each session. Alice then encrypts the session key using Bob's public key. The encrypted message and encrypted session key together form the digital envelope. Upon receipt, Bob recovers the session secret key using his private key and then decrypts the encrypted message. The digital signature is formed in two steps. First, Alice computes the hash value of her message; next, she encrypts the hash value with her private key. Upon receipt of the digital signature, Bob recovers the hash value calculated by Alice by decrypting the digital signature with Alice's public key. Bob can then apply the hash function to Alice's original message, which he has already decrypted (see previous paragraph). If the resultant hash value is not the same as the value supplied by Alice, then Bob knows that the message has been altered; if the hash values are the same, Bob should believe that the message he received is identical to the one that Alice sent. This scheme also provides nonrepudiation since it proves that Alice sent the message; if the hash value recovered by Bob using Alice's public key proves that the message has not been altered, then only Alice could have created the digital signature. Bob also has proof that he is the intended receiver; if he can correctly decrypt the message, then he must have correctly decrypted the session key meaning that his is the correct private key.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY FUTURE SCOPE

From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today's information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can protect your anonymity or prove your identity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital. But the cryptography now on the market doesn't provide the level of security it advertises. Most systems are not designed and implemented by cryptographers, but by engineers who think cryptography is like any other computer technology. It's not. You can't make systems secure by tacking on cryptography as an afterthought. You have to know what you are doing every step of the way, from conception through installation. Billions of dollars are spent on computer security, and most of it is wasted on insecure products. After all, weak cryptography looks the same on the shelf as strong cryptography. Two e-mail encryption products may have almost the same user interface, yet one is secure while the other permits eavesdropping. A comparison chart may suggest that two programs have similar features, although one has gaping security holes that the other doesn't. An experienced cryptographer can tell the difference. So can a thief. Present-day computer security is a house of cards; it may stand for now, but it can't last. Many insecure products have not yet been broken because they are still in their infancy. But when these products are widely used, they will become tempting targets for criminals. The press will publicize the attacks, undermining public confidence in these systems. Ultimately, products will win or lose in the marketplace depending on the strength of their security. No one can guarantee 100% security. But we can work toward 100% risk acceptance. Fraud exists in current commerce systems: cash can be counterfeited, checks altered, credit card numbers stolen. Yet these systems are still successful because the benefits and conveniences outweigh the losses. Privacy systems -- wall safes, door locks, curtains -- are not perfect, but they're often good enough. A good cryptographic system strikes a balance between what is possible and what is acceptable. Strong cryptography can withstand targeted attacks up to a point -- the point at which it becomes easier to get the information some other way. A computer encryption program, no matter how good, will not prevent an attacker from going through someone's garbage. But it can prevent data-harvesting attacks absolutely; no attacker can go through enough trash to find every AZT user in the country.

Ankushdeep Singh

0571322808

RESOLVING SECURITY ISSUES USING CRYPTOGRAPHY

REFERENCES 1) IEEE Survey, 2010 Implementation of RSA Security Protocol for Sensor Network Security: Design and Network Lifetime Analysis Authors: Avijit Sahanaa ,Iti Saha Misrab 2) Intl Conf. on Computer & Communication Technology 2010 IEEE Energy Efficient Sensor Network Security Using Stream Cipher Mode of Operation Authors: Shish Ahmad, CSE Dept, Integral University Mohd. Rizwan beg, CSE Dept,Integral University Qamar Abbas 3) Environmental and Computer Science, 2009. ICECS '09. Second International Conference Limitations of Quantum & the Versatility of Classical Cryptography: A Comparative Study Authors: Vignesh, R.S.; Sudharssun, S.; Kumar, K.J.J.; Electron. & Commun., SSN Coll. of Eng., Chennai, India 4) Wireless Information Network and systems(WINSYS) , Proceedings of International Conference Chaotic Cryptography: An Ultimate Solution for Network security Authors: Kartalopoulos, Stamatios; University of Oklahoma, U.S.A.

Ankushdeep Singh

0571322808