Intro to Cryptography (Part 2 of 3)

This is the quick-hit version of the second of three parts of the Introduction to Cryptography training I gave. As with all of the formal training, you can use the notes below as a quick reference, or view the full presentation here.

The XOR Proof

Given three values related by an XOR operation:

  • Input Value:
    0110 1010 0010 1011 1010 1010 0110
  • XOR Key Value:
    1111 1010 1011 1101 0101 1110 1000
  • Result Value:
    1001 0000 1001 0110 1111 0100 1110

XOR(Input,Key) = Result
XOR(Input,Result) = Key
XOR(Key,Result) = Input

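This property is called involution: a function f is an involution when f(f(x)) = x. XOR with a fixed key is one, since applying the same key twice returns the original input.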

Initialization Vectors

Think of them as nonces. They can have a substantial impact on the cryptographic strength of a system.

Block Cipher: DES

  • Data Encryption Standard
  • Symmetric algorithm
  • 64-bit block, 64-bit key size… well, 56-bit. The key has 8 parity bits
  • Broken… do not use

Block Cipher: 3DES

  • Triple Data Encryption Standard
  • 64 bit block, and 56-bit, 112-bit, or 168-bit key sizes (those 8 parity bits add up)
  • Still considered secure enough for most applications
  • Still used by PCI, Microsoft OneNote, SCCM, etc.

Block Cipher: AES

  • Advanced Encryption Standard (AES)
  • Approved by NSA for Top Secret information
  • Symmetric algorithm
  • 128-bit block; 128-bit, 192-bit, and 256-bit key sizes

Block Cipher: RC5

  • Rivest Cipher 5 (also “Ron’s Code 5”)
  • Symmetric algorithm
  • Variable blocks (32/64/128 bit), key sizes (0-2040-bit), and rounds (0-255)
  • Uses the key with multiple nothing-up-my-sleeve (NUMS) numbers to generate unique words used by parts of the algorithm.
  • Still considered secure

Stream Cipher: RC4

  • Rivest Cipher 4 (also “Ron’s Code 4”)
  • DO NOT USE THIS. It’s considered broken.
  • Gets even worse when bad IVs are used.
  • Assumed to be breakable in near real time by nation states within TLS.

Stream Cipher: A5/1 and A5/2

  • The security used by GSM cell phones.
  • A5/1 was “strong” crypto, and A5/2 was “weak” export crypto.
  • Both are now acknowledged as weak, but still used in some parts of the world.
  • Part of the original crypto wars, although not often recognized for it.
  • Rainbow tables available.

Public Key Cryptography

  • Asymmetric algorithms using a “public” and “private” key
  • Uses two algorithms (one for confidentiality, one for integrity)
    • RSA or ECC for confidentiality
    • SHA-2 is the only good option for integrity at this point
  • Properties of key pair lead to interesting functionality
    • Encrypt(data, public key) can only be decrypted by Decrypt(cipher, private key)
    • Encrypt(data, private key) can only be decrypted by Decrypt(cipher, public key)
  • You can demonstrate ownership of a private key by encrypting with it.
  • Multiple formats
    • PKCS1 – Specifies how to use RSA keys.
    • PKCS3 – Specifies how to do Diffie-Hellman Key Exchanges (DHKE)
    • PKCS7 – Specifies how to sign/encrypt messages within PKI.
    • PKCS12 – A container for multiple cryptographic objects

Diffie-Hellman-Merkle (Conceptual) Example

  • Client and server start with “5” as a value
  • Client randomly chooses “258” as a value, and server randomly chooses “314” as a value
  • Each sends the product of the starting value and their own choice to the other
  • Client sends 5 * 258 = “1290”, server sends 5 * 314 = “1570”
  • Each multiplies the value they received by their own choice
  • Client takes 1570 * 258 = “405060”, server takes 1290 * 314 = “405060”
  • A new key is made! (405060)
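
The conceptual exchange above, next to the modular-exponentiation form that real Diffie-Hellman uses, as an added example (not from the original training). It goes one step past the list to show why multiplication is only a teaching aid. The function names and the toy prime P are assumptions chosen for illustration.

```python
import secrets

# Toy parameters, assumed for illustration only: P is the Mersenne prime
# 2**127 - 1 (far too small for real use); G reuses the page's shared "5".
P = 2**127 - 1
G = 5

def conceptual_exchange(shared, client_secret, server_secret):
    """The page's multiplication version. Returns (client_msg, server_msg, key)."""
    client_msg = shared * client_secret          # 5 * 258 = 1290
    server_msg = shared * server_secret          # 5 * 314 = 1570
    client_key = server_msg * client_secret      # 1570 * 258
    server_key = client_msg * server_secret      # 1290 * 314
    if client_key != server_key:
        raise ValueError("key agreement failed")
    return client_msg, server_msg, client_key

def observer_key_conceptual(shared, client_msg, server_msg):
    """Why multiplication is only a teaching aid: anyone who sees the three
    public values undoes it with one division and rebuilds the key."""
    client_secret = client_msg // shared
    return server_msg * client_secret

def dh_public(secret, g=G, p=P):
    """Real DH step: send g**secret mod p instead of g * secret."""
    return pow(g, secret, p)

def dh_shared(peer_public, secret, p=P):
    """Real DH step: raise the peer's value to your own secret, mod p."""
    return pow(peer_public, secret, p)

def dh_exchange():
    """Run one exchange with fresh random secrets; returns both derived keys."""
    a = secrets.randbelow(P - 3) + 2             # client secret in [2, P-2]
    b = secrets.randbelow(P - 3) + 2             # server secret in [2, P-2]
    return dh_shared(dh_public(b), a), dh_shared(dh_public(a), b)

if __name__ == "__main__":
    print(conceptual_exchange(5, 258, 314))
    print(observer_key_conceptual(5, 1290, 1570))
    k1, k2 = dh_exchange()
    print(k1 == k2)
```

With exponentiation modulo a prime, recovering a secret from the transmitted value means solving a discrete logarithm rather than doing one division, which is what makes the real exchange safe to run in the open at production parameter sizes.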

Signing With PKI

  • Alice wants to communicate with Bob
  • First, she and Bob exchange public keys
  • Eve gets those too, but since she’s not part of this we won’t mention her again
  • Alice writes her message
  • Alice calculates the hash of her message
  • Alice encrypts the hash with her private key
  • Alice encrypts the message, the hash algorithm, and the hash with Bob’s public key
  • Bob decrypts the message and gets the text, hash algorithm, and hash
  • Bob calculates the hash of the message using the specified algorithm
  • Bob decrypts Alice’s hash using her public key
  • If the calculated and decrypted hashes match, Bob knows that Alice sent the message and it hasn’t been modified