Network Security Center
NetSec
Internet Services Unit - King Abdulaziz City for  Science & Technology




Cryptography

Introduction

The Need for Cryptography

Applying Cryptography

Key Based Cryptography

Digital Signatures

Message Digest

Introduction

The term cryptography is derived from the Greek word Kryptos. Kryptos is used to describe anything that is hidden, obscured, veiled, secret or mysterious. In the world of data communications, cryptography can be defined as follows:

"Cryptography, defined as 'the science and study of secret writing', concerns the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers and other methods, so that only certain people can see the real message" - Yamen Akdeniz

The Need for Cryptography

Security often requires that data be kept safe from unauthorized access. The best line of defense is physical security (placing the machine to be protected behind physical walls). However, physical security is not always an option, due to cost and/or efficiency considerations. Instead, most computers are openly interconnected, which exposes both the machines and the communication channels that they use.

This problem can be broken down into five requirements that must be addressed:

  1. Confidentiality: assuring that private data remains private.
  2. Authentication: assuring the identity of all parties attempting access.
  3. Authorization: assuring that a certain party attempting to perform a function has the permissions to do so.
  4. Data Integrity: assuring that an object is not altered illegally.
  5. Non-Repudiation: assuring that a party cannot deny data or a communication that was initiated by them.

 Applying Cryptography

With regard to confidentiality, cryptography is used to encrypt data residing on storage devices or traveling through communication channels, so that any illegal access is unsuccessful. Cryptography is also used to secure the process of authenticating the parties attempting any function on the system: a party wishing to be granted a certain functionality must present something that proves they are indeed who they say they are. That something is sometimes known as credentials, and additional measures must be taken to ensure that these credentials are used only by their rightful owner. The most classic and obvious credentials are passwords. Passwords are encrypted to protect against illegal usage.

Authorization is a layer built on top of authentication: the party is first authenticated by presenting the required credentials (passwords, smart cards, etc.). After the credentials are accepted, the authorization process starts, to ensure that the requesting party has the permissions to perform the functions needed.

Data integrity and Non-Repudiation are achieved by means of digital signatures, a method that includes performing cryptography among other things.

 Key Based Cryptography

Currently, most cryptography used in practice is key based: a key, that is, a string of bits, is used to encode the clear text into cipher text and back again to clear text when required. Two types of key-based cryptography exist, distinguished by whether the key is publicly available:

  1. In Private Key Cryptography, both the sender and the recipient share a key that must be kept private. In order to communicate with each other, the key must be passed between the two; this process is known as key distribution and is quite complicated and difficult to do properly. The most famous example of this type of cryptography is the Data Encryption Standard (DES); other examples include Triple DES, RC2, RC4, IDEA and Skipjack. This is also known as symmetric cryptography.
  2. In Public Key Cryptography, each party has a pair of keys: one key, called the Public key, is published, while the other, the Private key, is kept secret and known only to its owner. Anyone wishing to communicate securely with a certain party encrypts the communicated data with the recipient's public key, which is available to all; on the other side, only the party that holds the matching private key can decrypt the cipher text. Example public key algorithms: Diffie-Hellman, RSA and Merkle-Hellman.

The public key system eliminates the key distribution process that hampers all private key systems, since there is no need to communicate secret keys among the communicating parties. However, a problem that arises with a public key system is the lack of assurance of the true identity of the party on the other side. For example, if (A) wants to communicate with (B), it will use (B)'s public key, but how can (A) know that the party that sent this public key, claiming to be (B), really is (B)? This problem requires a trusted third party that authenticates both (A) and (B) to each other. This trusted third party is known as a Certificate Authority (CA). A CA issues certificates and guarantees their authenticity.

 Digital Signatures

The emergence of public key systems has introduced the concept of digital signature. A sample digital signature scenario goes as follows:

  1. (A) encrypts the data to be signed with his/her private key.
  2. (A) then encrypts the result from (1) with (B)'s public key and sends it to (B).
  3. (B) decrypts the incoming data with his/her private key and then decrypts the result with (A)'s public key.
  4. If the initial data is obtained then this will authenticate the data and the sender.

This is a simple example and is not used in practice, since it can be defeated by cutting and pasting from a captured authentic message.

Message Digest

Both public and private key cryptography provide message integrity checks through checksums, but this is not a reliable method: since messages are usually encrypted in small blocks of text, it is possible to delete or duplicate a section of the message without causing any problems with the checksum.

Message digests, on the other hand, provide a reliable method to check message integrity. A message digest function, also known as a "one-way function", takes a plain text message and generates from it a short fixed-length string that seems random. This string is known as a hash, and the original text cannot be obtained from the hash, hence the name one-way function.

These attributes of a message digest permit it to act as a digital fingerprint of the original message. The message's hash will change drastically with the slightest change to the original message.
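The contrast between a block checksum and a message digest can be seen in the following added example, which is not part of the original page. The 8-byte block size, the XOR checksum and the sample message are assumptions constructed for illustration; SHA-256 stands in for the message digest function.

```python
import hashlib

BLOCK = 8  # assumed block size in bytes (constructed for this example)

def blocks(msg: bytes) -> list:
    """Split a message into fixed-size blocks, zero-padding the last one."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def xor_checksum(msg: bytes) -> bytes:
    """Toy checksum: XOR of all blocks. Block order does not affect it, and
    an even number of extra copies of a block cancels out."""
    acc = bytes(BLOCK)
    for block in blocks(msg):
        acc = bytes(x ^ y for x, y in zip(acc, block))
    return acc

def digest(msg: bytes) -> bytes:
    """Message digest of the whole message (SHA-256)."""
    return hashlib.sha256(msg).digest()

def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample message: exactly four 8-byte blocks.
ORIGINAL = b"PAY 0100" b" TO BOB " b"FROM ALI" b"CE TODAY"
_p = blocks(ORIGINAL)
REORDERED = b"".join([_p[1], _p[0], _p[2], _p[3]])   # two blocks swapped
DUPLICATED = b"".join([_p[0], _p[0]] + _p)           # first block repeated
ONE_BIT = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:] # a single bit flipped

def compare(changed: bytes) -> dict:
    """Report which integrity check notices the change to ORIGINAL."""
    return {
        "checksum_detects": xor_checksum(changed) != xor_checksum(ORIGINAL),
        "digest_detects": digest(changed) != digest(ORIGINAL),
        "digest_bits_changed": bit_difference(digest(changed), digest(ORIGINAL)),
    }

if __name__ == "__main__":
    for name, msg in [("reordered", REORDERED), ("duplicated", DUPLICATED),
                      ("one bit", ONE_BIT)]:
        print(f"{name:10} {compare(msg)}")
```

For the one-bit change, roughly half of the 256 digest bits differ, which is the "drastic" change described above.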

By combining message digests and encryption, a tamper proof digital signature method can be used to send messages across the network. The Digital Signature Standard (DSS) is such a method and it works as follows:

  1. The sender runs the message to be sent through the message digest function and obtains its hash.
  2. The sender then encrypts the hash using his/her private key and sends it along with the original message to the intended recipient.
  3. When the recipient gets the message, he/she decrypts the hash using the sender's public key, and compares the result with the hash obtained from running the message through the message digest function again.
  4. If both hashes are identical, then the sender's identity and message integrity are both verified.
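The four steps above can be followed in this added example, which is not part of the original page. It assumes textbook RSA over two small known primes as the public-key operation and SHA-256 as the message digest function; the key, the function names and the sample messages are constructed for illustration and are not suitable for real use.

```python
import hashlib

# Constructed toy key pair: textbook RSA from two known Mersenne primes.
# Illustration only; real signatures use a vetted library, padding and large keys.
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the sender

def digest_int(message: bytes) -> int:
    """Step 1: hash the message (reduced mod N so the toy key can process it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Step 2: the sender transforms the hash with the private key."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Steps 3 and 4: recover the hash with the sender's public key and
    compare it with a fresh hash of the message that actually arrived."""
    return pow(signature, E, N) == digest_int(message)

def run_exchange() -> dict:
    """Sign one constructed message, then check three received variants."""
    message = b"Transfer 100 SAR to account 12345"    # constructed sample
    signature = sign(message)                          # sent with the message
    return {
        "authentic": verify(message, signature),
        "altered_message": verify(b"Transfer 900 SAR to account 12345", signature),
        "altered_signature": verify(message, (signature + 1) % N),
    }

if __name__ == "__main__":
    for case, accepted in run_exchange().items():
        print(f"{case:18} accepted={accepted}")
```

Only the unmodified message with its original signature is accepted; a change to either one makes the two hashes in step 3 disagree.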
   

 

 

 (C) 2001 Internet Services Unit. All Rights Reserved.