Informatics College
Information Technology Department
Chapter Four
Review of Shared Key Cryptography and Hash
Functions
Chapter Three Outlines!
• Review of Shared Key Cryptography and Hash Functions
• Basic Public Key Cryptography (DH, RSA, CAs, PKI)
• Introduction to the TCP/IP Stack
• Network Security (ports and protocols)
Shared Key Cryptography
• Shared key cryptography, also known as symmetric key cryptography, is a cryptographic
approach where the same key is used for both encryption and decryption of a message.
• The key must be kept secret and securely shared between the communicating parties.
• Shared key cryptography offers several advantages.
• It is generally faster and more computationally efficient compared to public key
cryptography.
• It is suitable for encrypting large amounts of data and is often used in applications like
bulk data encryption, secure communication channels, and secure storage systems.
• However, shared key cryptography also poses challenges in terms of key distribution and
management.
• As the same key is used for encryption and decryption, the communicating parties need a
secure method to exchange the key without it being intercepted or compromised.
Symmetric key problem:
• How do two entities establish a shared secret key over a network?
• Distributing the key is a difficult problem in shared key cryptography.
• Solution:
• Trusted key distribution center (KDC) acting as intermediary between entities.
Public key problem:
• When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does
she know it is Bob’s public key?
Solution:
• Trusted certification authority (CA).
• For public keys, we need a body that certifies that the public key belongs to
the party we need to communicate with.
Key Exchange Using Public Key Encryption
Another solution for sharing the SK
• Sender creates the symmetric key (SK)
• Sender contacts receiver, and requests that the receiver send a public key (from
PKE)
• Using the PKE public key, the sender encrypts the SK
• Sender transmits the encrypted SK to the receiver
• Receiver decrypts the SK using her private key (from PKE)
• Sender and receiver can now communicate using the symmetric key (SK)
Is this a good solution?
• Not quite
• The receiver has no way of verifying that the SK was sent by the sender
Hash Functions
• Hash functions, also called message digests and one-way encryption, are
algorithms that, in some sense, use no key.
• Hash algorithms are typically used to provide a digital fingerprint of a file's
contents, often used to ensure that the file has not been altered by an intruder
or virus.
• Hash functions are also commonly employed by many operating systems to
protect passwords: the system stores the hash of the password rather than the
password itself. Hash functions, then, provide a measure of the integrity of
a file.
Hash Functions are extremely useful and appear in almost all information security
applications.
• A hash function is a mathematical function that converts a numerical input value
into another compressed numerical value.
• The input to the hash function is of arbitrary length but output is always of fixed
length.
• Values returned by a hash function are called message digest or simply hash values
• SHA (Secure Hash Algorithm) works in such a way that even if a single character of the
message is changed, it generates a different hash.
• For example, the hashes of two similar but different messages, Heaven and heaven,
are different.
• However, the only difference between them is a capital versus a small letter.
• See the image below for the working of SHA algorithm.
• The above change is referred to as the avalanche effect.
• This effect is important in cryptography, as it means even the slightest
change in the input message completely changes the output.
• This prevents attackers from working out the original message from the
hash digest.
Here are some key features of hash functions:
1. Deterministic: Hash functions are deterministic, meaning that for a given
input, the output will always be the same.
2. Fixed-size output: Hash functions produce a fixed-size output, regardless of the
size of the input data.
3. One-way: Hash functions are one-way, meaning that it is computationally
infeasible to determine the input data from the hash value.
4. Collision-resistant: Hash functions are designed to be collision-resistant,
meaning that it is computationally infeasible to find two different inputs that
produce the same hash value.
5. Efficient: Hash functions are typically very efficient and can be computed quickly,
even for large amounts of data.
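The properties above, measured with SHA-256 on the Heaven/heaven pair from the earlier slide. This is an added example, not part of the original slides; the function names are chosen here for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-size output: always 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions that differ between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg_a: bytes, msg_b: bytes) -> dict:
    """Compare how much the inputs differ with how much their digests differ."""
    digest_a = hashlib.sha256(msg_a).digest()
    digest_b = hashlib.sha256(msg_b).digest()
    return {
        "input_bits_changed": bits_changed(msg_a, msg_b),
        "output_bits_changed": bits_changed(digest_a, digest_b),
        "output_bits_total": len(digest_a) * 8,
    }


def file_unchanged(content: bytes, recorded_fingerprint: str) -> bool:
    """Integrity check: recompute the digest and compare it with the one
    recorded earlier. compare_digest avoids leaking where the strings differ."""
    return hmac.compare_digest(sha256_hex(content), recorded_fingerprint)


if __name__ == "__main__":
    # 'H' (0x48) and 'h' (0x68) differ in exactly one bit.
    report = avalanche(b"Heaven", b"heaven")
    print("Heaven:", sha256_hex(b"Heaven"))
    print("heaven:", sha256_hex(b"heaven"))
    print(report)  # roughly half of the 256 output bits flip

    # Deterministic and fixed-size, whatever the input length.
    print(len(sha256_hex(b"")), len(sha256_hex(b"A" * 1_000_000)))

    # Constructed "file" contents for the fingerprint check.
    fingerprint = sha256_hex(b"quarterly report, version 1")
    print(file_unchanged(b"quarterly report, version 1", fingerprint))
    print(file_unchanged(b"quarterly report, version 2", fingerprint))
```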
Digital Signature
• A digital signature is an authentication mechanism that enables the creator of a message
to attach a code that acts as a signature.
• The signature is derived from the original message by taking the hash of the message and
encrypting that hash with the creator’s private key.
It has two goals:
– A guarantee of the source of the data
– Proof that the data has not been tampered
Digital signatures protect against man-in-the-middle attacks
• A digital signature is a technique that binds a person/entity to the digital data.
• This binding can be independently verified by receiver as well as any third party.
• Digital signature is a cryptographic value that is calculated from the data and a secret key
known only by the signer.
Generally, a digital signature can be performed by:
– Encrypting the entire message with the sender's private key, or
– Encrypting the hash of the message using
Algorithm
There must be a key generation algorithm
Generate public-private key pair.
The private key used for signing is referred to as the signature key and the
public key as the verification key.
There must be a signing algorithm
Inputs: message + private key; output: digital signature
Since the digital signature is created with the private key of the signer, and no one
else can have this key, the signer cannot repudiate signing the data in the future.
There must be a verification algorithm
It is used at the receiver side to verify the signature, using the message, the public key and the signature
Verifying Hash and digital signature
Digital Signature Using Message Digest
Notation: $K_X^-$: private key of X; $K_X^+$: public key of X
Hana first has to compute the hash of the message ($h = H(m)$) and encrypt it
with her private key to obtain the digital signature ($K_H^-(H(m))$)
Then she encrypts the message together with the signature using Ahmed’s public key
($K_A^+(m, K_H^-(H(m)))$)
She sends the encrypted message to Ahmed
Ahmed decrypts the message using his private key
Ahmed then decrypts the signature using Hana’s public key
Ahmed hashes the message m and compares the result with the signature value that he has
received from Hana
If they match, he is assured that the message comes from Hana
Security of Digital Signatures
If the hashes match then we have guaranteed the following:
Integrity: if m changed then the hashes would be different
Authenticity and non-repudiation: A is the one who sent the hash, because we used
A’s public key to reveal the contents of the signature; A cannot deny signing, since
nobody else has the private key of A.
• Satisfies the requirements of a Digital Signature
• If we wanted to further add confidentiality, then we would encrypt the sent m +
signature with recipient public key
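The hash-then-sign steps and the integrity and authenticity checks above, as an added example that is not part of the original slides. It uses unpadded textbook RSA with key pairs constructed from publicly known Mersenne primes, so it illustrates the arithmetic only; the optional encryption with Ahmed's public key is left out, and all function and variable names are chosen here for illustration.

```python
import hashlib

E = 65537  # public exponent used for both constructed key pairs


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) with d * e = 1 mod (p - 1)(q - 1)."""
    n, m = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, m))  # modular inverse, Python 3.8+


def H(message: bytes, n: int) -> int:
    """h = H(m): SHA-256 digest as an integer, reduced mod n so that the
    small illustrative modulus can sign it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signer side: K^-(H(m))."""
    n, d = private_key
    return pow(H(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: apply K^+ to the signature and compare with H(m)."""
    n, e = public_key
    return pow(signature, e, n) == H(message, n)


# Constructed keys. The primes are public knowledge: never use them for real.
HANA_PUBLIC, HANA_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)


def demo() -> dict:
    m = b"Transfer 100 to Ahmed"  # constructed sample message
    signature = sign(m, HANA_PRIVATE)
    return {
        # Ahmed receives m and the signature unchanged.
        "genuine": verify(m, signature, HANA_PUBLIC),
        # Integrity: the message was altered in transit.
        "tampered_message": verify(b"Transfer 900 to Ahmed", signature, HANA_PUBLIC),
        # Authenticity: someone without Hana's private key signed m.
        "wrong_signer": verify(m, sign(m, OTHER_PRIVATE), HANA_PUBLIC),
    }


if __name__ == "__main__":
    print(demo())
```

Real signature schemes add padding (for example RSA-PSS) on top of this arithmetic; the unpadded form shown here is not safe to deploy.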
Basic Public Key Cryptography
An asymmetric-key (or public-key) cipher uses two keys: one private and one
public key.
Also known as public key encryption (PKE)
Uses a pair of keys for encryption and decryption
– Public key for encryption
– Private key for decryption
Messages encoded using public key can only be decoded by the private key
– Secret transmission of key for decryption is not required
– Every entity can generate a key pair and release its public key
– keys for encryption and decryption are different but form a unique pair
Note that the private key can also be made public, by keeping the public key secret
PKE systems eliminate the key exchange problems encountered with symmetric
key systems
Public-key algorithms are based on mathematical functions rather than
on substitution and permutation.
The use of two keys has positive consequences in: key distribution,
confidentiality and authentication.
A public-key encryption scheme has 6 ingredients:
Plaintext: This is the readable message or data
Encryption algorithm: The encryption algorithm performs various
transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected so that if
one is used for encryption, the other is used for decryption.
Ciphertext: This is the scrambled message produced as output
Decryption algorithm: This algorithm accepts the ciphertext and the matching
The RSA Algorithm
The most common public key algorithm is RSA, named for its inventors Rivest,
Shamir, and Adleman (RSA).
Developed in 1977 and first published in 1978.
It uses two numbers, e and d, as the public and private keys, as shown in Figure.
The two keys, e and d , have a special relationship to each other.
Selecting Keys / Key Generation
Bob uses the following steps to select the private and public keys:
1. Bob chooses two very large prime numbers p and q. Remember that a prime
number is one that can be divided evenly only by 1 and itself. In addition, p and
q must not be the same.
2. Bob multiplies the two primes to find n, the modulus for encryption and
decryption. In other words, $n = p \times q$.
3. Bob calculates another number $m = (p - 1) \times (q - 1)$.
4. Bob chooses a random integer e such that $\gcd(e, m) = 1$ and $1 < e < m$.
5. He then calculates d so that $d \times e \equiv 1 \pmod{m}$ and $d < m$.
6. Bob announces e and n to the public; he keeps d secret, i.e. the values d, p
and q (and m) must all stay secret.
Encryption
Anyone who needs to send a message to Bob can use n and e.
For example, if Alice needs to send a message P to Bob, she calculates the
ciphertext, using e and n.
Alice sends C, the ciphertext, to Bob: $C = P^e \bmod n$
Decryption
Bob keeps d private. When he receives the ciphertext, he uses his private
key d to decrypt the message: $P = C^d \bmod n$
Restriction
For RSA to work, the value of P must be less than the value of n.
If P is a large number, the plaintext needs to be divided into blocks to make P
less than n.
RSA Example 1: Encrypt the plaintext 14. Here is how.
1. Pick two prime numbers; we'll pick p = 3 and q = 11.
2. Calculate n = p * q = 3 * 11 = 33.
3. Calculate F = (p - 1) * (q - 1) = (3 - 1) * (11 - 1) = 20 (F is the value called m in the key-generation steps).
4. Choose a prime number e such that e is co-prime to F,
i.e., F is not divisible by e. We have several choices for e: 7, 11, 13, 17, 19 (we cannot use
5, because 20 is divisible by 5). Let's pick e = 7 (smaller e, "less math").
So, the numbers n = 33 and e = 7 become the Server's public key.
Now, still done in advance of any transmission, the Server has to calculate its
secret key. Here is how.
5. e * d = 1 (mod F); 7 * d = 1 (mod 20)
• ( 7 * d ) / 20 = ? with the remainder of 1 (the "?" here means: "something, but
don't worry about it"; we are only interested in the remainder).
• Since we selected (on purpose) to work with small numbers, we can easily
conclude that 21 / 20 gives "something" with the remainder of 1. So, 7 *d = 21,
and d = 3. This is our secret key.
• We MUST NOT give this key away.
• Now, after the Server has done the above preparatory calculations in advance,
we can begin our message transmission from our Browser to the Server.
• First, the Browser requests the Server's public key, and the Server obliges,
i.e., it sends n = 33 and e = 7 back to the Browser.
• Now, we said that the Browser has a plain message P = 14, and it wants to encrypt
it before sending it to the Server. Here is how the encryption is done on the
Browser.
• Public key = (n, e) = (33, 7)
• Private key = (n, d) = (33, 3).
Encrypting the message
• Here is the encryption math that the Browser executes.
– $C = P^e \bmod n = 14^7 \bmod 33 = 105{,}413{,}504 \bmod 33 = 20$
– Hence the ciphertext C = 20
• So, our encrypted message is C = 20. This is now the value that the
Browser is going to send to the Server.
• When the Server receives this message, it then proceeds to Decrypt it, as
follows.
Decrypting the Message
• $P = C^d \bmod n = 20^3 \bmod 33 = 8{,}000 \bmod 33 = 14$
• which is exactly the Plain text message that the Browser started with!
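The key-generation, encryption and decryption steps above, run on the numbers of Example 1. This is an added example, not part of the original slides; it finds d with the extended Euclidean algorithm instead of by inspection, enforces the restriction P < n, and uses function names chosen here for illustration.

```python
from math import gcd


def extended_gcd(a: int, b: int):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y


def generate_keys(p: int, q: int, e: int):
    """Steps 2 to 5: return the public key (n, e) and the private key (n, d)."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n = p * q
    m = (p - 1) * (q - 1)
    if not 1 < e < m or gcd(e, m) != 1:
        raise ValueError("e must satisfy 1 < e < m and gcd(e, m) = 1")
    _, x, _ = extended_gcd(e, m)  # e*x + m*y = 1, so x is the inverse of e mod m
    d = x % m
    return (n, e), (n, d)


def encrypt(P: int, public_key) -> int:
    """C = P^e mod n, refusing plaintexts that violate the restriction P < n."""
    n, e = public_key
    if not 0 <= P < n:
        raise ValueError("P must be less than n; split the plaintext into blocks")
    return pow(P, e, n)


def decrypt(C: int, private_key) -> int:
    """P = C^d mod n."""
    n, d = private_key
    return pow(C, d, n)


if __name__ == "__main__":
    public_key, private_key = generate_keys(p=3, q=11, e=7)
    print("public:", public_key, "private:", private_key)
    C = encrypt(14, public_key)
    print("ciphertext:", C)
    print("recovered:", decrypt(C, private_key))
    # Every valid block value survives the round trip.
    print(all(decrypt(encrypt(P, public_key), private_key) == P for P in range(33)))
    # e = 5 is rejected because gcd(5, 20) = 5.
    try:
        generate_keys(3, 11, 5)
    except ValueError as err:
        print("rejected:", err)
```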
The DH/Diffie-Hellman Key Exchange
• The Diffie-Hellman key agreement protocol (1976) was the first practical method
for establishing a shared secret over an unsecured communication channel.
• It allows two individuals to agree on a shared private key, by exchanging public
messages, in such a way that an eavesdropper cannot obtain the key.
• It does neither encryption nor signatures.
Steps in the algorithm:
1. Alice and Bob agree on a prime number p and a base g.
2. Alice chooses a secret number a, and sends Bob $g^a \bmod p$.
3. Bob chooses a secret number b, and sends Alice $g^b \bmod p$.
4. Alice computes $(g^b \bmod p)^a \bmod p$.
5. Bob computes $(g^a \bmod p)^b \bmod p$.
The DH/Diffie-Hellman -Example
1. Alice and Bob agree on p = 23 and g = 5.
2. Alice chooses a = 6 and sends $5^6 \bmod 23 = 8$.
3. Bob chooses b = 15 and sends $5^{15} \bmod 23 = 19$.
4. Alice computes $19^6 \bmod 23 = 2$.
5. Bob computes $8^{15} \bmod 23 = 2$.
• Then 2 is the shared secret key between Alice and Bob
• Clearly, much larger values of a, b, and p are required.
• An eavesdropper cannot discover this value even if she knows p and g and can
obtain each of the messages.
The DH/Diffie-Hellman -Security
• The protocol is secure only if the authenticity of the two participants can be
established
• In Diffie-Hellman key exchange, there is possibility of a man-in-the-middle attack
• Suppose p is a prime of around 300 digits, and a and b at least 100 digits each.
• Discovering the shared secret given g, p, $g^a \bmod p$ and $g^b \bmod p$ would take longer
than the lifetime of the universe, using the best known algorithm. This is called
the discrete logarithm problem.
• The Diffie-Hellman algorithm accomplishes this, and is still widely used.
• With sufficiently large inputs, Diffie-Hellman is very secure.
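The exchange with the example's numbers, followed by the two security points made above: with p = 23 an observer can recover the secret exponent by exhaustive search, and without authentication the two ends cannot tell whose public value they received. This is an added example, not part of the original slides; the intermediary's secret (3) and all function names are constructed for illustration.

```python
def public_value(g: int, secret: int, p: int) -> int:
    """The value a party sends: g^secret mod p."""
    return pow(g, secret, p)


def shared_key(their_public: int, my_secret: int, p: int) -> int:
    """The key a party derives: (their public value)^my_secret mod p."""
    return pow(their_public, my_secret, p)


def honest_exchange(p: int, g: int, a: int, b: int) -> dict:
    A, B = public_value(g, a, p), public_value(g, b, p)
    return {"A": A, "B": B,
            "alice_key": shared_key(B, a, p),
            "bob_key": shared_key(A, b, p)}


def search_exponent(g: int, target: int, p: int):
    """Exhaustive search for x with g^x mod p == target. Finishes instantly
    for the toy p = 23; with a 300-digit p the loop would never complete."""
    value = 1
    for x in range(1, p):
        value = (value * g) % p
        if value == target:
            return x
    return None


def unauthenticated_exchange(p: int, g: int, a: int, b: int, middle: int) -> dict:
    """Both ends receive the intermediary's public value instead of each
    other's, and nothing in plain Diffie-Hellman lets them notice."""
    A, B, M = (public_value(g, s, p) for s in (a, b, middle))
    alice_key = shared_key(M, a, p)   # Alice believes M came from Bob
    bob_key = shared_key(M, b, p)     # Bob believes M came from Alice
    return {"alice_key": alice_key, "bob_key": bob_key,
            "middle_with_alice": shared_key(A, middle, p),
            "middle_with_bob": shared_key(B, middle, p),
            # Comparing key fingerprints over a trusted channel, or signing
            # A and B, exposes the substitution: the two keys differ.
            "keys_match": alice_key == bob_key}


if __name__ == "__main__":
    print(honest_exchange(p=23, g=5, a=6, b=15))
    print("recovered a:", search_exponent(g=5, target=8, p=23))
    print(unauthenticated_exchange(p=23, g=5, a=6, b=15, middle=3))
```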
Introduction to the TCP/IP Stack
• The TCP/IP stack is a set of protocols that allows communication between
devices over a network.
• It is the foundation of the internet and is widely used in local area networks
(LANs) and wide area networks (WANs).
• The TCP/IP stack consists of several layers, each responsible for specific tasks in
data transmission.
• The TCP/IP model was developed prior to the OSI model.
• The TCP/IP model is not exactly similar to the OSI model.
The TCP/IP stack is organized into four layers:
4. Application Layer
3. Transport Layer
2. Internet Layer
1. Network Access Layer
4. Application layer
• The application layer is the topmost layer in the TCP/IP stack and provides
services to applications running on a device.
• It includes protocols such as HTTP (Hypertext Transfer Protocol), FTP ( File
Transfer Protocol), SMTP (Simple Mail Transfer Protocol), and DNS ( Domain
Name System), among others.
• These protocols enable various applications to exchange data over the network.
• This layer allows the user to interact with the application.
• When one application layer protocol wants to communicate with another
application layer, it forwards its data to the transport layer.
• The application layer is used by end-user software such as web browsers and
email clients.
3. Transport Layer
• The transport layer establishes end-to-end communication between devices.
• The Transport Layer is responsible for breaking data into smaller units called
segments or datagrams and ensuring their reliable delivery to the destination.
• It achieves this through two main protocols:
A. Transmission Control Protocol (TCP): TCP is a connection-oriented protocol
that guarantees reliable and ordered delivery of data.
• It establishes a connection between the sender and receiver before data
transmission and provides features such as flow control, error detection and
correction, and retransmission of lost or corrupted segments.
Examples: web browsing, email, and file transfer.
B. User Datagram Protocol (UDP): UDP is a connectionless protocol that provides
a lightweight and best-effort delivery mechanism.
• It does not establish a connection before data transmission and does not
guarantee reliable delivery or ordering of data.
• Examples: streaming media, online gaming, and voice over IP (VoIP).
2. Internet Layer
• An internet layer is the second layer of the TCP/IP model.
• An internet layer is also known as the network layer.
• The main responsibility of the internet layer is to send the packets from any
network.
• The internet layer is also responsible for addressing and routing data packets
across different networks.
• It uses IP (Internet Protocol) to assign unique IP addresses to devices and
determines the best path for data to travel from the source to the destination.
1. Network Access Layer
• A network access layer is the lowest layer of the TCP/IP model.
• A network access layer is the combination of the Physical layer and Data Link
layer defined in the OSI reference model.
• This layer deals with the physical connection to the network, including the
cabling, network interface cards, and the protocols used to transmit data over
the physical medium.
• It ensures that data is properly formatted for transmission.
• The functions carried out by this layer are encapsulating the IP datagram into
frames transmitted by the network and mapping of IP addresses into physical
addresses.
• The protocols used by this layer are Ethernet, token ring, FDDI, X.25, frame relay.
• The main differences between the TCP/IP stack and the OSI (Open Systems
Interconnection) model are as follows:
Number of Layers: The TCP/IP stack consists of four layers. In contrast, the OSI
model is composed of seven layers.
Origins: The TCP/IP stack was developed by the U.S. Department of Defense for the
ARPANET project, which eventually evolved into the modern internet.
• On the other hand, the OSI model was created by the International Organization
for Standardization (ISO).
• The OSI model provides a conceptual framework that helps in understanding the
different aspects and functions of network communication.
• It serves as a reference model for network design and troubleshooting.
• However, the TCP/IP suite is the practical implementation widely used on the
internet.
• Layer Organization: The layers in the TCP/IP stack do not have a one-to-one
correspondence with the layers in the OSI model.
• For example, the TCP/IP stack combines the presentation, session, and
application layers of the OSI model into a single application layer
• Adoption and Real-World Usage: The TCP/IP stack is the dominant protocol
suite used in networking, and it is the foundation of the internet.
• It is widely implemented and supported by various devices and operating
systems.
• On the other hand, while the OSI model has influenced the development of
networking standards, it is not as widely implemented in practice.
• Complexity: The OSI model is more comprehensive and provides a more detailed
framework for understanding network protocols.
• It separates the functions of each layer more explicitly.
• In contrast, the TCP/IP stack is simpler and more practical, focusing on the
essential aspects of network communication.
• framework that provides a more detailed and comprehensive approach to
understanding network layers.
Network Security (ports and protocols)
A port number is a way to identify a specific process to which an internet or other
network message is to be forwarded when it arrives at a server.
• All network-connected devices come equipped with standardized ports that have
an assigned number.
• A port number is a 16-bit unsigned integer that is used to identify specific
processes or services running on a computer or network device.
• It helps in directing network traffic to the appropriate application or service.
• Port numbers range from 0 to 65535.
The well-known ports, ranging from 0 to 1023, are reserved for specific protocols
and services.
• Port numbers can be categorized into three main types
1. Well-known Ports: Well-known ports are standardized port numbers that are
commonly used for specific protocols or services.
• They range from 0 to 1023. Some examples of well-known ports include:
• Port 80: Used for unencrypted HTTP traffic.
• Port 443: Used for encrypted HTTPS traffic.
• Port 21: Used for FTP (File Transfer Protocol) for file transfers.
2. Registered Ports: Registered ports range from 1024 to 49151 and are assigned
by the Internet Assigned Numbers Authority (IANA) to specific services or
applications.
Examples of registered ports include:
• Port 3306: Used by MySQL database server.
• Port 5432: Used by PostgreSQL database server.
• Port 8080: Often used as an alternative HTTP port or for web proxies.
3. Dynamic or Ephemeral Ports:
• Dynamic or ephemeral ports, also known as private ports or temporary ports,
range from 49152 to 65535.
• They are dynamically assigned by the operating system on a per-connection
basis and are not associated with any specific service or application.
• Port number security refers to the practice of protecting and securing the use of
network ports to prevent unauthorized access, attacks, and data breaches.
• It involves implementing measures to control and manage the use of ports to
ensure that only legitimate and authorized network traffic is allowed.
Here are some key aspects of port number security:
• Port Filtering: Port filtering involves using firewalls, routers, or other network
security devices to control the traffic that can pass through specific ports.
For example, you can configure a firewall to allow incoming traffic on port 80
(HTTP) and block traffic on other ports to protect against unauthorized access.
• Port Scanning Prevention: Port scanning is a technique used by attackers to
discover open ports on a target system.
• By identifying open ports, attackers can potentially exploit vulnerabilities.
• Port number security includes measures to detect and prevent port scanning
activities.
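One way to detect the port scanning described above from firewall logs: flag any source that touches many distinct ports on one host within a short window. This is an added example, not part of the original slides; the log format, the addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up format (not any real firewall's):
# timestamp action protocol source:port -> destination:port
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW TCP 198.51.100.20:50112 -> 192.0.2.10:443
2024-05-01T10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:21
2024-05-01T10:00:02 ALLOW TCP 203.0.113.7:40002 -> 192.0.2.10:22
2024-05-01T10:00:03 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:23
2024-05-01T10:00:03 ALLOW TCP 198.51.100.20:50113 -> 192.0.2.10:443
2024-05-01T10:00:04 ALLOW TCP 203.0.113.7:40004 -> 192.0.2.10:80
2024-05-01T10:00:05 ALLOW TCP 203.0.113.7:40005 -> 192.0.2.10:443
2024-05-01T10:00:06 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:3306
2024-05-01T10:01:00 DENY TCP 198.51.100.99:41000 -> 192.0.2.10:21
2024-05-01T10:02:00 DENY TCP 198.51.100.99:41001 -> 192.0.2.10:23
2024-05-01T10:03:00 DENY TCP 198.51.100.99:41002 -> 192.0.2.10:25
2024-05-01T10:04:00 DENY TCP 198.51.100.99:41003 -> 192.0.2.10:5432
2024-05-01T10:05:00 DENY TCP 198.51.100.99:41004 -> 192.0.2.10:8080
this line is malformed and must be skipped
"""

LINE = re.compile(
    r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse(line: str):
    """Return (time, source, destination, destination_port) or None."""
    match = LINE.match(line.strip())
    if not match:
        return None
    ts, _action, _proto, src, _sport, dst, dport = match.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(lines, window=timedelta(seconds=10), min_ports=5) -> dict:
    """Map (source, destination) to the ports seen in the first window that
    contains at least min_ports distinct destination ports."""
    hits = defaultdict(list)
    for line in lines:
        record = parse(line)
        if record:
            when, src, dst, port = record
            hits[(src, dst)].append((when, port))

    alerts = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
    # A slow scan slips under a 10-second window; a longer window catches it.
    print(find_scanners(SAMPLE_LOG.splitlines(), window=timedelta(minutes=10)))
```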
• Port Hardening: Port hardening involves reducing the attack surface of a system
by closing unnecessary or unused ports. By closing ports that are not required
for normal network operations, you minimize the potential ways for attackers to
gain unauthorized access
• Port-Based Access Control: Port-based access control allows you to define access
policies based on port numbers. This can be implemented using techniques such
as Access Control Lists (ACLs) on routers and switches
• Encryption of Port Traffic: In cases where sensitive data is transmitted over
specific ports, it is important to ensure that the traffic is encrypted.
For example, for secure web communication, HTTPS (HTTP over SSL/TLS) is
commonly used on port 443 to encrypt the data exchanged between the client and
the server.
• Regular Monitoring and Auditing: Monitoring network traffic and auditing port
usage is crucial for detecting any unauthorized or suspicious activities.
• Network security protocols are a set of rules and procedures that govern the
secure transmission and communication of data over computer networks.
• These protocols ensure the confidentiality, integrity, and availability of network
resources and protect against unauthorized access, data breaches, and malicious
activities.
Examples of network security protocols include:
• Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
• Internet Protocol Security (IPsec)
• Secure Shell (SSH)
• Virtual Private Network (VPN) Protocols
• Secure File Transfer Protocols
• Intrusion Detection and Prevention Protocols etc...