Internet Security - Cryptography fundamentals

Internet security is becoming more relevant in life as internet is growing daily. There are many aspects of internet security. Cryptograph is a fundamental element when we talk about internet security related to encryption and decryption.

cryptography](/uploads/crypto/security-crypto-1.jpg)

In this post, I will give a summary of cypto used in network security.

terminology

Cipher

A cipher is an algorithm for performing data encryption and decryption. e.g. old day’s Caesar Cipher, Vigenere Cipher, Tranposition Cipher; today’s DES, 3DES, AES, Rivest Ciphers. See a brief desciption for each.

DES

The Data Encryption Standard (DES) has now been in use for over 35 years and still has not been found to have a signifi cant fl aw. However, because its key length is relatively short, it can be susceptible to brute - force attacks. DES uses a 64 -bit key, but only 56 of the bits are used for encryption. Unfortunately, 16 of those remaining 56 bits are known and 40 bits are unknown. The other 8 bits are used for parity. What that means, essentially, is that DES has a 40 - bit key strength. DES has two operating modes, stream cipher and block cipher. Further, each of these two modes has two types within it.

3DES

Triple DES, as the 3DES encryption algorithm has become known, essentially strengthens the original DES algorithm by applying it three times. Because the original DES algorithm is cryptographically strong, it can be made much stronger by encrypting the data three times. This triple encryption makes a brute - force attack unfeasible. The effective key strength can be either 112 bit or 168 bit, which is what Cisco uses. Let us examine how the 3DES algorithm works.

  1. A first 56 -bit key is used to encrypt the plaintext.
  2. A second 56 -bit key is used to decrypt the data.
  3. A third 56 -bit key is used to encrypt the data again.

AES

Advanced Encryption Algorithm (AES) came about after the federal government decided that it needed to create a new standard that would replace DES as the offi cial government encryption cipher. A bake - off of sorts was initiated in 1997. The winner, selected in 2000, was the Rijndael cipher, a mixture of the last names of the two creators, Joan Daemen and Vincent Rijmen. This cipher became an offi cial government standard in 2002. The Rijndael cipher uses a variable key length and block size in the implementation of the cipher. There are potentially nine different combinations of key length and block size. You may use a key length of 256 bits, 192 bits, or 128 bits to encrypt block sizes of 128 bits, 192 bits, or 256 bits.

Rivest Ciphers

The Rivest ciphers are also known as the RC ciphers. Ron Rivest is a well -known cryptographer and professor at MIT. He is the author of the Rivest ciphers known as RC2, RC4, and RC5 and coauthor of RC6.

  • RC2: Variable - length key - block cipher, designed to be an alternative to DES.
  • RC4: Variable key - length stream cipher used frequently in file encryption products, as well as in Secure Sockets Layer (SSL).
  • RC5: RC5 has a variable - length key and variable - length block size.
  • RC6: Block cipher meant to compete for the AES standard.

Examples: encryt and decrypt a text file

We can use openssl in linux to encrypt and decryt file.

First let’s create a file named as “plaintext-hello.txt”

weng@weng-VirtualBox:/tmp$ echo "hello world" > plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ cat plaintext-hello.txt 
hello world

Second, let’s encrypt it using passord “cipherme”

 weng@weng-VirtualBox:/tmp$ openssl enc -aes-256-cbc -in plaintext-hello.txt -out cipher-hello.bin
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
weng@weng-VirtualBox:/tmp$ ls -l plaintext-hello.txt cipher-hello.bin 
-rw-rw-r-- 1 weng weng 32 May 29 23:21 cipher-hello.bin
-rw-rw-r-- 1 weng weng 12 May 29 16:46 plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ file cipher-hello.bin
cipher-hello.bin: data
weng@weng-VirtualBox:/tmp$ hexdump cipher-hello.bin 
0000000 6153 746c 6465 5f5f b3c1 c94b f30d 73a9
0000010 1ab0 022b 57c9 40fe 3da4 3450 f47d ec8f
0000020
weng@weng-VirtualBox:/tmp$ 

Third, let’s decrypt the binary to see if we can restore “hello world” plain text. As shown below, we did it.

weng@weng-VirtualBox:/tmp$ openssl enc -aes-256-cbc -d -in cipher-hello.bin -out decrypt-plaintext-hello.txt
enter aes-256-cbc decryption password:
weng@weng-VirtualBox:/tmp$ ls -l plaintext-hello.txt decrypt-plaintext-hello.txt 
-rw-rw-r-- 1 weng weng 12 May 29 23:23 decrypt-plaintext-hello.txt
-rw-rw-r-- 1 weng weng 12 May 29 16:46 plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ cat decrypt-plaintext-hello.txt 
hello world
weng@weng-VirtualBox:/tmp$ diff plaintext-hello.txt  decrypt-plaintext-hello.txt 
weng@weng-VirtualBox:/tmp$ 

In the above example, the algorithm aes-256-cbc is picked. For supported encrypt algorithm, use “man openssl” to find out.

Digital signature

hashing

What is hashing? Simply put, hashing is taking some type of input data and generating some sort of value. This value is typically a fixed - length integer. The process of taking input data and generating the value is called a hash function . The output of the hash function is called the hash value. A hash function has fi ve main features:

  • Easily compute the hash value for any message ---> Fast and Efficient
  • Must never create the same hash value from two different sets of data ---> Collision Resistant
  • Cannot modify the message without altering the hash value ---> Manipulation resistant
  • Cannot determine the message from the hash value ---> One-way hash
  • Take variable -length data and produce a fixed-length value ---> Fixed-length hash value

The typical hashing used are: MD5, SHA1, SHA256, SHA512. See example below.

weng@weng-VirtualBox:/tmp$ md5sum plaintext-hello.txt 
6f5902ac237024bdd0c176cb93063dc4  plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ sha1sum plaintext-hello.txt 
22596363b3de40b06f981fb85d82312e8c0ed511  plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ sha256sum plaintext-hello.txt 
a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447  plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ sha512sum plaintext-hello.txt 
db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593  plaintext-hello.txt
weng@weng-VirtualBox:/tmp$ 

Hash Message Authentication Code (HMAC)

Hash Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a hash function requirement but has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key . The secret key is known only by the sender and receiver, and it provides authentication to HMAC. In the HMAC process, the input data is taken and a secret key is added. Both the input data and secret key are put through the hashing algorithm. This produces an HMAC hash . The size of the HMAC hash is the same as that of the corresponding hashing algorithm. (The two main types of HMAC hashes are HMAC - MD5, which produces a 128 - bit hash, and HMAC - SHA - 1, which produces a 160 -bit hash.)

See example below, HMAC of “Hello World” from file plaintext-hello.txt, using secret key “mykey”. The sender sends the message along with HMAC using shared secret key (in below example “mykey”). The receiver gets the message, and computes HMAC using received data, plus shared secret key, generate HMAC, and comparing too received HMAC. If both are equal, then it means message is received as sent exactly.

weng@weng-VirtualBox:/tmp$ cat plaintext-hello.txt | openssl dgst -md5 -hmac "mykey"
(stdin)= 8bd99a681483d550395267d84b9f18dc
weng@weng-VirtualBox:/tmp$ cat plaintext-hello.txt | openssl dgst -sha1 -hmac "mykey"
(stdin)= 7d7eaa5f37fda075bfc031b4b7c36d14c841f217
weng@weng-VirtualBox:/tmp$ 

Digital Signatures

A digital signature is an electronic means to validate the authenticity and integrity of a message, software, or document. Most digital signatures use asymmetric cryptography to accomplish the authenticity.

digtial signature process](/uploads/crypto/digital-signature-process.jpg)

As shown above, it uses private key to genearte HMAC in the sender side, however the pubic key is used in receiver side to generate HMAC to compare. This is the key feature of asymmetric encryption technology, which we talk next.

Asymmetric encryption

PKI

Digital Certificate