Chapter 7:

Cryptographic Systems

Net Security
C. Leghris
7.0 Introduction
7.1 Cryptographic Services
7.2 Basic Integrity and Authenticity
7.3 Confidentiality
7.4 Public Key Cryptography
7.5 Summary

2
Upon completion of this section, you should be able to:
• Explain the requirements of secure communications including integrity,
authentication, and confidentiality ;
• Explain cryptography ;

• Describe cryptoanalysis ;

• Describe cryptology.

3
4
❑ The first goal is to secure the network infrastructure, including routers,
switches, servers, and hosts ;
• Device hardening, AAA access control, ACLs, firewalls, monitoring threats using IPS,
securing endpoints …

❑ The next goal is to secure the data as it travels across various links ;

❑ Three primary objectives :

• Authentication - Guarantees that the
message is not a forgery and does
actually come from whom it states ;
• Integrity - Guarantees that no one
intercepted the message and altered it;
similar to a checksum function in a frame.
• Confidentiality - Guarantees that if the
message is captured, it cannot be
deciphered ;

5
❑ Authentication guarantees that a message comes from the source that it
claims to come from ;
❑ Data nonrepudiation is a similar service that allows the sender of a
message to be uniquely identified ;
• The most important part of nonrepudiation is that a device cannot repudiate, or
refute, the validity of a message sent ;

6
❑ Data integrity ensures that messages are not altered in transit ;
❑ With data integrity, the receiver can verify that the received message is
identical to the sent message and that no manipulation occurred ;

7
❑ Data confidentiality ensures privacy so that only the receiver can read the
message;
• This can be achieved through encryption ;

• Encryption is the process of scrambling data so that it cannot be easily read by

unauthorized parties ;

❑ The purpose of encryption and hashing is to guarantee confidentiality so that

only authorized entities can read the message ;

8
9
❑ A cipher is a series of well-defined steps that can be
followed as a procedure when encrypting and decrypting
messages ;
❑ Ciphertext can be creating using several methods:
• Transposition ;
• Substitution ;
• One-time pad,

10
❑ In transposition ciphers, no letters are replaced; they are simply rearranged ;
❑ Exemple : The rail fence cipher ;
• The words are spelled out as if they were a rail fence. They are staggered, some in
front, some in the middle and some in back, across several parallel lines;
• The key specifies that three lines are required when creating the encrypted code ;

11
❑ Substitution ciphers substitute one letter for another ;
❑ In their simplest form, substitution ciphers retain the letter frequency of the
original message ;
❑ Example : The Caesar cipher ;
• It was a simple substitution cipher. If the key used was 3, the letter A was moved three
spaces to the right ;

xxxx

12
❑ Viginère cipher :
• It’s based on the Caesar cipher, except that it encrypts text by using a different
polyalphabetic key shift for every plaintext letter ;
• The different key shift is identified using a shared key between sender and receiver .

- Le texte chiffré est alors : V'UVWHY IOIMBUL

PM LSLYI XAOLM BU NAOJVUY.

13
❑ A plaintext is paired with a random secret key. Then, each bit or character of the
plaintext is encrypted by combining it with the corresponding bit or character
from the pad using modular addition ;
❑ To decipher the ciphertext, the same paper tape key was again combined
character by character, producing the plaintext ;
❑ Each tape was used only once; hence, the name one-time pad ;
❑ Example :
7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message
+ 22 (W) 12 (M) 2 (C) 10 (K) 11 (L) masque
= 29 16 13 21 25 masque + message
= 3 (D) 16 (Q) 13 (N) 21 (V) 25 (Z) masque + message modulo 26

14
15
❑ Cryptanalysis is the practice and study of determining the meaning of
encrypted information (cracking the code), without access to the shared
secret key.

16
❑ Methods used for cryptanalysis:
• Brute-force method ;

• Ciphertext method ;

• Known-Plaintext method ;

• Chosen-Plaintext method ;

• Chosen-Ciphertext method ;

• Meet-in-the-Middle method.

17
 Frequency Analysis of the
English Alphabet

Deciphering Using Frequency

Analysis

18
19
❑ Cryptology is the science of making and breaking secret codes. It
combines two separate disciplines :
• Cryptography - the development and use of codes ;

• Cryptanalysis - the breaking of those codes ;

20
21
❑ Authentication, integrity, and data confidentiality are implemented in many ways
using various protocols and algorithms ;
• The choice of protocol and algorithm varies based on the level of security required to
meet the goals of the network security policy ;

❑ Example :
• For message integrity, message-digest 5 (MD5) is faster but less secure than Secure
Hash Algorithm 2 (SHA2) ;
• Confidentiality can be implemented using DES, 3DES, or the very secure AES ;

❑ Old encryption algorithms, such as the Caesar cipher or the Enigma machine,
were based on the secrecy of the algorithm to achieve confidentiality ,
❑ With modern technology, the security of encryption lies in the secrecy of the
keys, not the algorithm.

22
Upon completion of the section, you should be able to:
• Describe the purpose of cryptographic hashes ;

• Explain how MD5 and SHA-1 are used to secure data communications ;

• Describe authenticity with HMAC ;

• Describe the components of key management.

23
24
❑ A hash function takes binary data, called the message, and produces a fixed-
length, condensed representation, called the hash ;
• The resulting hash is called the message digest, digest, or digital fingerprint ;

❑ Hashing is based on a one-way mathematical function that is relatively easy to

compute, but significantly harder to reverse ;
❑ The cryptographic hashing
function is designed to verify and
ensure data integrity ;

25
❑ Mathematically, a hash function H takes an input x and returns a fixed-size
string called the hash value h. The equation reads: h= H(x) ;
❑ A cryptographic hash function should have the following properties:
• The input can be any length ;

• The output has a fixed length ;

• H(x) is relatively easy to compute for any given x ;

• H(x) is one way and not

reversible ;
• H(x) is collision free, meaning
that it is hard to find two different
input values that result in the
same hash value ;
• If a hash function is hard to
invert, it is considered a one-way
hash

26
❑ Both the message and the hash are in plaintext ;
❑ This fingerprint is then attached to the message and sent. The receiving device
removes the fingerprint and inputs the message into the same hashing algo ;
• If the hash is equal to the one that is attached to the message, the message has not
been altered during transit; Else , then the integrity of the message can no longer be
trusted ;

❑ Two well-known hash functions are:

• MD5 with 128-bit digest ;

• SHA-256 with 256-bit digest ;

27
28
❑ The MD5 algorithm is a hashing algorithm that
was developed by Ron Rivest and is used in a
variety of Internet applications today ;
❑ MD5 is essentially a complex sequence of
simple binary operations, such as exclusive OR
(XOR) and rotations, which are performed on
input data and produce a 128-bit hashed
message digest ;
❑ MD5 is now considered a legacy algorithm and
should be avoided ;
• It should be used only when no better alternatives
are available ;

29
❑ The U.S. National Institute of Standards and
Technology (NIST) developed SHA, the algorithm
specified in the Secure Hash Standard (SHS).
SHA-1, published in 1994 ;
❑ The SHA-1 algorithm takes a message of less
than 2^64 bits in length and produces a 160-bit
message digest ;
❑ SHA-1 is now considered to be a legacy
algorithm. Therefore, NIST published four
additional hash functions in the SHA family, which
are collectively known as SHA-2 :
• SHA-224 (224 bit) ;

• SHA-256 (256 bit) ;

• SHA-384 (384 bit) ;

• SHA-512 (512 bit) ;

30
❑ Remember that the longer the hash values are, the more secure they are ;
❑ Both MD5 and SHA-1 are based on a previous version of the message digest
algorithm. This makes MD5 and SHA-1 similar in many ways ;
❑ SHA-1 involves 80 steps, and MD5 involves 64 steps ;
❑ The SHA-1 algorithm must also process a 160-bit buffer instead of the 128-bit
buffer of MD5 ;
❑ Because there are fewer steps, MD5 usually executes more quickly, given the
same device.

31
32
❑ A keyed-Hash Message Authentication Code (HMAC or KHMAC) is a type of
message authentication code (MAC) ;
❑ HMACs use an additional secret key as input to the hash function ;
• This adds authentication to integrity
assurance ;
• An HMAC is calculated using a
specific algorithm that combines a
cryptographic hash function with a
secret key ;

33
34
❑ Cisco products use hashing for entity authentication, data integrity, and
data authenticity purposes :
• Cisco IOS routers ;

• IPsec gateways and clients ;

• Cisco software images ;

35
36
❑ Key management is often considered
the most difficult part of designing a
cryptosystem ;
❑ Many cryptosystems have failed
because of mistakes in their key
management, and all modern
cryptographic algorithms require key
management procedures ;
❑ In practice, most attacks on
cryptographic systems are aimed at
the key management level, rather
than at the cryptographic algorithm
itself.

37
❑ Two terms that are used to describe keys are :
• Key length - Also called the key size, this is the measure in bits. In this course, we will
use the term key length ;
• Keyspace - This is the number of possibilities that can be generated by a specific key
length.

38
❑ Types of cryptographic keys:
• Symmetric keys - Can be exchanged between two routers supporting a VPN ;

• Asymmetric keys - Are used in secure HTTPS applications ;

• Digital signatures - Are used when connecting to a secure website ;

• Hash keys - Are used in symmetric and asymmetric key generation, digital signatures,
and other types of applications ;

39
❑ Performance is another issue that can influence the choice of a key length ;
❑ An administrator must find a good balance between the speed and
protective strength of an algorithm, because some algorithms, such as the
Rivest, Shamir, and Adleman (RSA) algorithm, run slowly due to large key
lengths ;
❑ Strive for adequate protection, while enabling communication over untrusted
networks.

40
Upon completion of the section, you should be able to:
• Explain how encryption algorithms provide confidentiality.

• Explain the function of the DES, 3DES, and the AES algorithms .

• Describe the function of the Software Encrypted Algorithm (SEAL) and the
Rivest ciphers (RC) algorithms.

41
42
❑ Two approaches to ensuring the security of data when using encryption :
• The first is to protect the algorithm. If the security of an encryption system is based on
the secrecy of the algorithm itself, the algorithm code must be heavily guarded ;
• The second approach is to protect the keys. With modern cryptography, all algorithms
are public. The cryptographic keys ensure the secrecy of the data ;

43
 Symmetric
algorithm

Asymmetric
algorithm

44
❑ Symmetric, or secret key encryption, is the most commonly used form of
cryptography ;
❑ With symmetric encryption, key management can be a challenge ;
• The encryption and decryption keys are the same. The sender and the receiver must
exchange the symmetric, secret key using a secure channel before any encryption
can occur ;
• By obtaining the key, anyone can encrypt and decrypt messages.

45
❑ Block ciphers transform a fixed-length block of plaintext into a common block
of ciphertext of 64 or 128 bits ;

❑ Stream ciphers encrypt plaintext one byte or one bit at a time

46
❑ Two main criteria that should be considered when selecting an encryption
algorithm for an organization:
• The algorithm is trusted by the cryptographic community - Most new algorithms are
broken very quickly, so algorithms that have been resisting attacks for a number of years
are preferred ;
• The algorithm adequately protects against brute-force attacks - A good cryptographic
algorithm is designed in such a way that it resists common cryptographic attacks. The
best way to break data that is protected by the algorithm is to try to decrypt the data using
all the possible keys ;

47
48
❑ Data Encryption Standard (DES) is a legacy symmetric encryption algorithm that
usually operates in block mode by encrypting data in 64-bit blocks ;
❑ The DES algorithm is essentially a sequence of permutations and substitutions
of data bits combined with an encryption key ;
❑ The same algorithm and key are used for encryption and decryption ;

❑ DES has a fixed key length. The key is 64-bits long, but only 56 bits are used for
encryption. The remaining 8 bits are used for parity to verify the key’s integrity.
The least significant bit of each key byte is used to indicate odd parity.

49
❑ Etape intermédiaire Bloc de 64 bits initial
Permutation initiale
• Consiste à couper le bloc de
Bloc permuté
64 bits en 2 blocs de 32 bits ;
• Le bloc de sortie de gauche Séparation en deux blocs
K1 D0
sera une recopie du bloc de G0
droite en entrée ; f
xor
• Le bloc de droite est utilisé
pour calculer un nombre de 48 K2
G1 = D0 D1=G0 xor f(D0,K1)
bits à l'aide de règles de
transposition et de recopie ; f
xor
• Ces règles sont stockées dans
Deuxième itération
des tables et leur construction
reste compliquée ;
G16 = D15 D16=G15 xor f(D15,K16)
Reconstitution du Bloc

Bloc modifié
Permutation finale
Bloc de 64 bits final

50
❑ DES should no longer be used in to protect production networks. However, if
the devices cannot support more secure encryption algorithms, then there are
several things to consider when securing DES-encrypted data:
• Change keys frequently to help prevent brute-force attacks ;

• Use a secure channel to communicate the DES key from the sender to the receiver ;

• Consider using DES in CBC mode ;

• Test a key to see if it is a weak key before using it. However, because testing the key
has no significant impact on the encryption time, testing is recommended.

51
❑ With advances in computer-processing power, the original 56-bit DES key
became too short to withstand an attack from those with a medium-sized
budget for hacking technology ;
❑ One way to increase the DES effective key length, without changing the well-
analyzed algorithm itself, is to use the same algorithm with different keys
several times in a row.
• The technique of applying DES three times in a row to a plaintext block is called 3DES.

52
❑ 3DES uses a method called 3DES-Encrypt-Decrypt-Encrypt (3DES-EDE) to
encrypt plaintext ;
❑ The 3DES-EDE procedure is much more effective at increasing security than
simply encrypting the data three times with three different keys.

53
❑ In 1997, the AES initiative was announced, and the public was invited to
propose encryption schemes to replace DES ;
❑ The AES algorithm has been analyzed extensively and is now used worldwide ;
❑ AES with the Rijndael cipher is the more efficient algorithm,

54
❑ AES was chosen to replace DES for a number of reasons ;
• The key length of AES makes the key much stronger than DES ;

• AES runs faster than 3DES on comparable hardware ;

• AES is more efficient than DES and 3DES on comparable hardware, usually by a factor
of five when it is compared with DES. ;
• AES is more suitable for high-throughput, low-latency environments, especially if pure
software encryption is used.

55
56
❑ SEAL is an alternative algorithm to software-based DES, 3DES, and AES ;
❑ It is a stream cipher that uses a 160-bit encryption key ;

❑ This makes it much faster than block ciphers.

❑ SEAL has a lower impact on the CPU compared to other software-based
algorithms ;
• However, it has a longer initialization phase during which a large set of tables is created
using SHA.

❑ SEAL has several restrictions:

• The Cisco router and the peer must
support IPsec ;

• The Cisco router and the other peer

must run an IOS image that supports
encryption ;

• The router and the peer must not

have hardware IPsec encryption.
57
❑ Rivest Cipher ;
❑ The RC algorithms are widely deployed in many networking applications
because of their favorable speed and variable key-length capabilities ;
❑ There are a number of widely used RC algorithms: RC2, RC4, RC5 and RC6 ;

58
59
❑ The DH algorithm is the basis of most modern automatic key exchange
methods, and is one of the most common protocols used in networking today ;
❑ Diffie-Hellman is not an encryption mechanism and is not typically used to
encrypt data. Instead, it is a method to securely exchange the keys that encrypt
data ;
❑ DH is a mathematical algorithm that allows two computers to generate an
identical shared secret on both systems, without having communicated before.

60
❑ DH uses modular arithmetic in its calculations ;
❑ There are six steps in the DH process.

61
Upon completion of the section, you should be able to:
• Explain the differences between symmetric and asymmetric encryptions and
their intended applications.
• Explain the functionality of digital signatures.

• Explain the principles of a public key infrastructure (PKI).

62
63
❑ Four protocols that use asymmetric key algorithms:
• Internet Key Exchange (IKE) ;

• Secure Socket Layer (SSL) ;

• Secure Shell (SSH) ;

• Pretty Good Privacy (PGP).

64
❑ The confidentiality objective of asymmetric algorithms is initiated when the
encryption process is started with the public key. The process can be
summarized using the formula:
Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
❑ When the public key is used to encrypt the data, the private key must be used
to decrypt the data ;
• Only one host has the private key; therefore, confidentiality is achieved.

65
❑ The authentication objective of asymmetric
algorithms is initiated when the encryption
process is started with the private key. The
process can be summarized using the
formula:
Private Key (Encrypt) + Public Key
(Decrypt) = Authentication

66
Alice Encrypts Alice Encrypts a Bob Uses Alice’s Bob Uses His Public
Message Using Bob’s Hash Using His Public Key to Key to Decrypt
Public Key Public Key Decrypt Hash Message

67
❑ Although the mathematics differ, these algorithms all have one thing in
common; they require complicated calculations ;
❑ Their design is based on computational problems, such as factoring extremely
large numbers or computing discrete logarithms of extremely large numbers ;

68
❑ RSA (Rivest, Shamir et Adleman)
❑ Détails de l’algorithme :
• Pour chiffrer un message M, on fait : C =M
e mod n ;
d
• Pour déchiffrer : M = C mod n ;

• Construction des clés :

✓ Prendre deux nombres premiers « p » et « q » (de taille à peu près égale) ;

✓ Calculer « n » comme suit : n = p*q ;

✓ Prendre un nombre « e » qui n'a aucun facteur en commun avec (p-1)(q-1) ;

✓ Calculer « d » tel que : e *d mod (p-1)(q-1)=1 ;

✓ Le couple (e,n) constitue la clé publique ;

✓ Le couple (d,n) est la clé privée ;

69
70
❑ Services provided by Digital Signature :
• Authenticity ;

• Integrity ;

• Non repudiation ;
❑ Digital Signature Properties :
• Signature is authentic ;

• Signature is unalterable ;

• Signature is not reusable ;

• Signature cannot be repudiated.

71
❑ Digital signatures are commonly used to provide assurance of the authenticity
and integrity of software codes and answer the question “ How can users trust
code downloaded from the Internet ? ”
❑ Digitally signing code provides several assurances about the code :
• The code is authentic and is actually sourced by the publisher ;

• The code has not been modified since it left the software publisher ;

• The publisher undeniably published the code.

72
❑ A digital certificate is equivalent to an electronic passport ;
❑ They enable users, hosts, and organizations to securely exchange information
over the Internet ;
❑ Specifically, a digital certificate is used to authenticate and verify that a user
sending a message is who they claim to be ;
❑ Digital certificates can also be used to provide confidentiality for the receiver
with the means to encrypt a reply.

73
 Sending a Digital Certificate

Receiving a Digital Certificate

74
❑ There are three Digital Signature Standard (DSS) algorithms that are used for
generating and verifying digital signatures:
• Digital Signature Algorithm (DSA) - DSA is the original standard for generating
public and private key pairs, and for generating and verifying digital signatures ;
• Rivest-Shamir Adelman Algorithm (RSA) digital signature algorithm - RSA is an
asymmetric algorithm that is commonly used for generating and verifying digital
signatures ;
• Elliptic Curve Digital Signature Algorithm (ECDSA) - ECDSA is a newer variant of
DSA and provides digital signature authentication and non-repudiation with benefits of
computational efficiency, small signature sizes, and minimal bandwidth.

75
76
❑ On the Internet, continually exchanging identification between all parties would
be impractical. Therefore, individuals agree to accept the word of a neutral
third party ;
❑ Presumably, the third party does an in-depth investigation prior to the issuance
of credentials ;
❑ After this in-depth investigation, the third party issues credentials that are
difficult to forge. From that point forward, all individuals who trust the third party
simply accept the credentials that the third party issues.

77
❑ PKI is needed to support large-scale distribution and identification of public
encryption keys ;
❑ PKI enables users and computers to securely exchange data over the Internet
and to verify the identity of the other party ;
❑ The PKI identifies the encryption algorithms, levels of security, and distribution
policy to users.

Elements of the
PKI Framework

PKI Example

78
❑ Many vendors provide CA servers as a managed service or as an end-user
product, including Symantec Group (VeriSign), Comodo, Go Daddy Group,
GlobalSign, DigiCert, and others ;
❑ CAs, especially those that are outsourced, can issue certificates of a number of
classes, which determine how trusted a certificate is ;

79
❑ Interoperability between a PKI and its supporting services, such as Lightweight
Directory Access Protocol (LDAP) and X.500 directories, is a concern because
many CA vendors have proposed and implemented proprietary solutions
instead of waiting for standards to develop ;

❑ X.509 is a well-known standard that

defines basic PKI formats, such as the
certificate and certificate revocation
list (CRL) format, to enable basic
interoperability.

80
❑ Another important set of PKI standards are the Public-Key Cryptography
Standards (PKCS) ;
• PKCS refers to a group of Public Key Cryptography Standards devised and published
by RSA Laboratories.

81
❑ The end goal is that any network user should be able to request a digital
certificate easily and electronically ;
• Previously, these processes required intensive input from network administrators and
were not suited to large scale deployments ;

❑ The IETF designed the Simple Certificate Enrollment Protocol (SCEP) to make
issuing and revocation of digital certificates as scalable as possible ;

82
Single-Root PKI Topology

Cross Certified CA

Hierarchical CA

83
❑ In a hierarchical CA topology, the RA can accept requests for enrollment in the
PKI ;
❑ The RA is responsible for the identification and authentication of subscribers,
but does not sign or issue certificates ;

❑ The RA may handle three specific tasks:

• Authentication of users when they enroll
with the PKI ;
• Key generation for users that cannot
generate their own keys ;
• Distribution of certificates after enrollment.

84
 Retrieving CA Certificates

Submitting Certificate
Requests to the CA

85
Peers Authenticate Each Other

86
Chapter Objectives:
• Explain the areas of cryptology.

• Explain to two kinds of encryption algorithms.

87
Thank you.
• Remember, there are
helpful tutorials and user
guides available via your
NetSpace home page. 1
(https://www.netacad.com) 2
• These resources cover a
variety of topics including
navigation, assessments,
and assignments.
• A screenshot has been
provided here highlighting
the tutorials related to
activating exams, managing
assessments, and creating
quizzes.

89