CRYPTOGRAPHY

ENCRYPTION - DECRYPTION

© 2007 Prentice-Hall, Inc 13-1

BRX VKRXOG FRQFHQWUWH
RQ VWXGBLQJ

© 2007 Prentice-Hall, Inc 13-2

Cryptography
• In Greek, it means “secret writing”.
• It is a science of communication over untrusted
communication channels.
What Is Encryption?
• A way to transform a message so that only the sender and
recipient can read, see, or understand it
• Plaintext (cleartext): the message that is being protected
• Encrypt (encipher): transform a plaintext into ciphertext
• Encryption: a mathematical procedure that scrambles data
so that it is extremely difficult for anyone other than
authorized recipients to recover the original message
• Key: a series of electronic signals stored on a PC’s hard
disk or transmitted as blips of data over transmission lines
– Plaintext + key = ciphertext
– Ciphertext – key = Plaintext
Public-Key Infrastructure (PKI)
• Creates the ability to authenticate users, maintain
privacy, ensure data integrity, and process
transactions without the risk of repudiation
• PKI satisfies four security needs
– Authentication - identifies or verifies that the senders
of messages are, in fact, who they claim to be
– Integrity - verifies that neither the purchase amount not
the goods bought are changed or lost during
transmission
– Nonrepudiation - prevents sender and vendor in a
transaction of communication activity from later falsely
denying that the transaction occurred
– Privacy - shields communications from unauthorized
viewing or access, confidentiality and anonymity.
Basic Encryption Algorithm
• Cryptography is a science of applying complex
mathematics to increase the security of electronic
transactions.
• Basic encryption relies on two components : an
algorithm and a key.
• Encrypting information is simple : A computer
program is used that has an encryption algorithm.
The algorithm converts data, documents, credit
card numbers, and other information into an
encoded message using a key.
Basic Encryption Algorithm…
• Both sender and receiver have to know the rules
used to transform the original message or
transaction into its coded form.
• A set of rules for encoding and decoding
messages is called a cipher (or cyper) and the
encoded message is called a ciphertext.
• A message can be decrypted only if the
decryption key matches the encryption key.
• Number of bits in the key decides the number of
keys a algorithm will support.
Basic Encryption Algorithm…
• The greater the number of possible keys, the more
complex the key becomes and the more difficult it
is to crack an encrypted message.
• A 6-bit key allows for only 64 possible numeric
combinations(26) whereas 100 bit key has 2100
possible combinations.
• The standard 56-bit DES encryption code can be
cracked on a high-speed computer in a few hours
Classes of Algorithms
• Secret-key (symmetric) encryption: encryption system in
which sender and receiver possess the same key; the key used to
encrypt a message also can be used to decrypt it.
• This can pose two problems:
– Key must be delivered securely to the two parties involved.
– If the business has 10 business vendors, it needs 10 different
single keys unique to each vendor. Key distribution /
maintenance can be a hassle.
Classes of Algorithms…
• Symmetric encryption satisfies the requirement of message
content security, because the content cannot be read without the
shared secret key.
• Symmetric algorithms can be divided into :
– Stream cipher: a symmetric algorithm that encrypts a single
bit of plaintext at a time
– Block cipher: a symmetric algorithm that encrypts a number
of bits as a single unit
• Public-key (asymmetric) encryption: encoding/decoding
using two mathematically related keys or key-pairs; one public key
and one private key.
• One half of the pair (public key) can encrypt information that only
the other half (private key or secret key) can decrypt.
• Key-pairs can be used in two ways:
– To provide message confidentiality
– To prove the authenticity of the message originator
 Public Key Encryption
Public Key Encryption for Confidentiality

Encrypt with Decrypt with

Encrypted
Party B’s Public Key Party B’s Private Key
Message

Note:
Four keys are used to encrypt
Party A and decrypt in both directions Party B

Decrypt with Encrypted Encrypt with

Party A’s Private Key Message Party A’s Public Key
• Symmetric key is fast and can be implemented
easily in most hardware.
• The problem are that both the keys are the same,
distributing keys is not a straightforward process,
and the symmetric method does not support
digital signatures.
• It also does not adequately address the non
repudiation requirement, because both parties
have the same key.
• A public (asymmetric) key is a more secure
approach.
• It has two distinct advantages :
– only one party needs to know the private key
and, if a third party knows the public key, it
does not compromise the security of the
message.
– It is easy to distribute the keys.
The approach also addresses all the integrity,
authentication and non-repudiation
requirements.
• The main disadvantage is that it takes time to
compute.
• Currently, a 1024 – bit asymmetric key length is
necessary to provide security. This requires a lot
of processing power, resulting in delays when
large volumes of messages are sent.
• The choice of an encryption method depends on
the sensitivity of the data to be protected and the
duration of the protection.
Digital Signatures
• The digital signatures is to the electronic world
what the handwritten signature is to the
commerce. It must incorporate the following
properties:
– It must be able to verify the author, the date,
and the time of the signature.
– It must be able to authenticate the contents, at
the time of the signature.
– It must be verifiable by third parties, in case of
any dispute.

© 2007 Prentice-Hall, Inc 13-16

Digital Signatures…

• These properties place the following

requirements on the digital signature :
– The signature must be a bit pattern that is
dependent on the message being signed.
– To prevent forgery and denial, the signature
must use some information unique to the
sender.
– The digital signature must be easy to generate.
– The storage of a copy of the digital signature
must be simple.

13-17
Digital Signatures…
– Forging the signature must be computationally
infeasible, i.e., either by constructing a
fraudulent signature for a given message, or
constructing a new message with an existing
signature.
– The signatures must be easy to recognize and
verify.

© 2007 Prentice-Hall, Inc 13-18

 What is a Digital Signature?

(Bob's public key)

Bob (Bob's private

key)

Bob has been given two keys. One of Bob's keys is called a
Public Key, the other is called a Private Key.

Bob's Co-workers:

Anyone can get Bob's

Public Key, but Bob
Pat Doug Susan keeps his Private Key
to himself.
Keys are used to encrypt information. Encrypting information
means "scrambling it up", so that only a person with the
appropriate key can make it readable again. Either one of Bob's
two keys can encrypt data, and the other key can decrypt that
data.
Susan (shown below) can encrypt a message using Bob's Public
Key. Bob uses his Private Key to decrypt the message. Any of
Bob's coworkers might have access to the message Susan
encrypted, but without Bob's Private Key, the data is worthless.

Hey Bob, how

"HNFmsEm6Un
about lunch BejhhyCGKOK
at Taco Bell. JUxhiygSBCEiC
I hear they have 0QYIh/Hn3xgiK
free refills! BcyLK1UcYiY
 HNFmsEm6Un "Hey Bob, how
BejhhyCGKOK about lunch at taco
JUxhiygSBCEi Bell. I hear they
0QYIh/Hn3xgiK have free refills”
BcyLK1UcYiY

With his private key and the right software, Bob can
put digital signatures on documents and other data.
A digital signature is a "stamp" Bob places on the
data which is unique to Bob, and is very difficult to
forge. In addition, the signature assures that any
changes made to the data that has been signed can
not go undetected.
To sign a document, Bob's software will crunch down the
data into just a few lines by a process called "hashing".
These few lines are called a message digest. (It is not
possible to change a message digest back into the original
data from which it was created.)

Bob's software then encrypts the message digest with his

private key. The result is the digital signature.

Finally, Bob's software appends the digital signature to

document. All of the data that was hashed has been
signed.
Bob now passes the document on to Pat.
First, Pat's software decrypts the signature
(using Bob's public key) changing it back into a
message digest. If this worked, then it proves that
Bob signed the document, because only Bob
has his private key. Pat's software then hashes
the document data into a message digest. If the
message digest is the same as the message digest
created when the signature was decrypted, then Pat
knows that the signed data has not been changed.
 Plot complication...

Doug (our disgruntled employee) wishes to

deceive Pat. Doug makes sure that Pat receives
a signed message and a public key that appears to
belong to Bob. Unbeknownst to Pat, Doug
deceitfully sent a key pair he created using Bob's
name. Short of receiving Bob's public key from
him in person, how can Pat be sure that Bob's public
key is authentic?

It just so happens that Susan works at the company's

certificate authority center. Susan can create a digital
certificate for Bob simply by signing Bob's public key as
well as some information about Bob.
Bob Info:
Name
Department
Cubical Number
Certificate Info:
Expiration Date
Serial Number
Bob's Public Key:

Now Bob's co-workers can check Bob's trusted

certificate to make sure that his public key truly belongs
to him. In fact, no one at Bob's company accepts a
signature for which there does not exist a certificate
generated by Susan. This gives Susan the power to
revoke signatures if private keys are compromised, or
no longer needed. There are even more widely accepted
certificate authorities that certify Susan.
The Digital Signature Process
Digital Certificates

A digital certificate or identity certificate is an

electronic document which uses a digital
signature to bind a public key with an identity —
information such as the name of a person or an
organization, their address, and so forth. The
certificate can be used to verify that a public key
belongs to an individual.
Digital Certificates
• Digital certificates are the heart of secure online
transactions
• A digital certificate is a software program that
can be installed in a browser
• Your digital certificate identifies you to Web
sites equipped to check it automatically
• Digital certificate is an electronic document
issued by a certificate authority to establish a
merchant’s identity
• Certificate authority (CA) is a trusted entity
that issues and revokes public-key certificates
and manages key-pairs
 Q: What are the different classes of
Digital Signature Certificates?
• A: In addition to four classes of certificates given
below, the Certifying Authority may issue more
classes of Public Key Certificates, but these must be
explicitly defined including the purpose for which
each class is used and the verification methods
underlying the issuance of the certificate. The
suggested four classes are the following :-
• Class 0 Certificate: This certificate shall be issued
only for demonstration/ test purposes.

© 2007 Prentice-Hall, Inc 13-29

• Class 1 Certificate: Class 1 certificates shall be
issued to individuals/private subscribers. These
certificates will confirm that user's name (or alias)
and E-mail address form an unambiguous subject
within the Certifying Authorities database.
• Class 2 Certificate: These certificates will be issued
for both business personnel and private individuals
use. These certificates will confirm that the
information in the application provided by the
subscriber does not conflict with the information in
well-recognized consumer databases.
• Class 3 Certificate: This certificate will be issued to
individuals as well as organizations. As these are
high assurance certificates, primarily intended for
e-commerce applications, they shall be issued to
individuals only on their personal (physical)
appearance before© 2007 the Certifying
Prentice-Hall, Inc Authorities. 13-30
About CCA…
• As per Section 18 of The Information Technology
Act, 2000 provides the required legal sanctity to
the digital signatures based on asymmetric
cryptosystems. The digital signatures are now
accepted at par with handwritten signatures and
the electronic documents that have been digitally
signed are treated at par with paper documents.

• The IT Act provides for the Controller of Certifying

Authorities(CCA) to license and regulate the
working of Certifying Authorities. The Certifying
Authorities (CAs) issue digital signature
certificates for electronic authentication of users.
© 2007 Prentice-Hall, Inc 13-31
• The Controller of Certifying Authorities (CCA) has
been appointed by the Central Government under
section 17 of the Act for purposes of the IT Act.
The Office of the CCA came into existence on
November 1, 2000. It aims at promoting the growth
of E-Commerce and E- Governance through the
wide use of digital signatures.
• The Controller of Certifying Authorities (CCA) has
established the Root Certifying Authority (RCAI)
of India under section 18(b) of the IT Act to
digitally sign the public keys of Certifying
Authorities (CA) in the country. The RCAI is
operated as per the standards laid down under the
Act.
© 2007 Prentice-Hall, Inc 13-32
• The CCA certifies the public keys of CAs using its
own private key, which enables users in the
cyberspace to verify that a given certificate is
issued by a licensed CA. For this purpose it
operates, the Root Certifying Authority of
India(RCAI). The CCA also maintains the
Repository of Digital Certificates, which contains
all the certificates issued to the CAs in the
country.

• http://cca.gov.in/cca/

© 2007 Prentice-Hall, Inc 13-33