520 likes | 598 Vues
Learn about basic cryptography procedures to transform messages into cryptograms for secure communication. Explore cipher systems, cryptographic algorithms like RSA, encryption/decryption, message digest functions, and certificates. Enhance your knowledge of data security!
E N D
Cryptography • Basic goal: • design procedures to transform messages (plaintext) into cryptograms (ciphertext). • withstand intense cryptoanalysis for recovering the original plaintext. • Basic approach: • code system: text content depending on the size of code book. • cipher system: require two basic elements • cryptographic algorithm • a set of variable cryptographic keys. C. Edward Chow Page 1
Cipher Systems Two useful cipher system types: block ciphers and stream ciphers • Block ciphers • Data are encrypted/decrypted in blocks. • Block length is predetermined by the algorithm designer. • Stream ciphers • Users of algorithms decide the lengths to be encrypted or decrypted. • Require additional parameter defined as initializing vector (seed value) C. Edward Chow Page 2
Cryptographic Algorithms Two basic types: • Symmetric key algorithms: same key are used to encrypt and decrypt. In SSL, the symmetric key are encrypted by the public key and sent over at the • Public key algorithms: permit many users to encrypt using the same public key, but only the specific user possessing the secret key to decipher or unlock the data. C. Edward Chow Page 3
RSA: a Public Key Algorithm • Paper appeared on "A Method for obtaining Digital Signatures and Public-Key Cryptosystems," published in CACM vol. 21, No. 2, 120-126 (1978) by MIT Professors, Ronald Rivest, Adi Shamir, and Leonard Adleman. • Based on extension of Euler's theorem af(r) - 1 is divisible by r where a and r are relatively prime, i.e., gcd(a, r) = 1, and • f(r)=r(1-1/p1)(1-1/p2)...(1-1/pn), where p1, p2, ...,pn are the prime factors of r. C. Edward Chow Page 4
Choosing Private Key in RSA Algorithm p and q are primes (chosen, secret) p=47, q=61 r=p.q (publish, public) r=47*61=2867 f(r)=(p-1)(q-1) (derived, secret) f(r)=46*60=2760 SK = private key (chosen, secret) SK=167 Here SK is a chosen prime and it must be a relative prime of f(r). 2760=167*16+88 --> 88 = 2760 - 167*16 167=88*1+79 --> 79 = 167 - 88*1 88=79*1+9 --> 9 = 88 - 79*1 79=9*8+7 --> 7 = 79 - 9*8 9=7*1+2 --> 2 = 9 - 7*1 7=2*3+1 --> 1 = 7 - 2*3 2=1*2 C. Edward Chow Page 5
Choosing Public Key in RSA PK = public key (derived, public) PK=1223 It is derived by reversing the above computation on private key and substituting eq. 1=7-2*3 1=7-(9-7*1)*3=7*4-9*3 1=(79-9*8)*4-9*3=79*4-9*32-9*3=79*4-9*35 1=79*4-(88-79)*35=79*39-88*35 1=(167-88)*39-88*35=167*39-88*74 1=167*39-(2760-167*16)*74=167*1223-2760*74 C. Edward Chow Page 6
Encryption/Decryption using Private/Public keys A message can be encrypted is first divided into blocks, the value of block is less than r-1=2867-1=2866. In real system, r is much bigger. To apply RSA algorithm, we substitute each letter with two digits, e.g., blank = 00, A=01, B=02, ..., Z=26. The plaintext , "RSA ALGORITHM," is encrypted in 7 blocks: 1819 0100 0112 0715 1809 2008 1300 1819, the first block of the plaintext, is encrypted by raising it to the power of PK=1223, dividing by r = 2867, then taking the remainder, 2756 becomes the ciphertext. Note that 18191223 mod 2867 = 2756 but 18191223 is a big number. It can be computed by 18191024*1819128*181964*18194*18192*18191 since 1223=1024+128+64+4+2+1 DecryptionLikewise, 2756SK mod 2867=1819 The ciphertext is 2756 2001 0542 0669 2347 0408 1815 C. Edward Chow Page 7
Message Digest (one-way hash function) • The message digest functions take a file as input, produce a single large number called digest (128-256 bits in length). • They are difficult to invert, mostly unique, widely distributed. • MD5 developed by Ronald Rivest. Here is an example of MD5 results: • [root@viva guest]# cat t1 • There is $1500 in the blue box. • [root@viva guest]# ssleay • SSLeay>md5 t1 • MD5(t1)= 05f8cfc03f4e58cbee731aa4a14b3f03 • SSLeay>[root@viva guest]# • MD5(There is $1500 in the blue box!)=4b36807076169572b804907735accd42 • Just one character differs. The digest values are dramatically different. • Can be attached in email for message authentication. • Instead of signing the whole document, most digital signature standards simply sign a message digest of the document. • Programs such as PGP use message digests to transform a passphrase into an • symmetric encryption key. C. Edward Chow Page 8
Certificate • Signed documents, which match public keys to information, such as a name, organization, and e-mail address. • They are signed by CA authority, organization that accept certificate requests and return the certificate. C. Edward Chow Page 9
Client Certificate • Use for Secure Web Access and Secure Email. • 60 days digital ID free trial from Verisign for Outlook Express • After type in name, email address, pobox, birthday info. • It asks for challenging phrase. • After click to accept the Verisign CPS statement, IE ask for confirm email address. • Then IE indicates it is generate RSA exchnage keys C. Edward Chow Page 10
Private Key Container • Select the High Security Level which will ask for password each time private key is accessed. C. Edward Chow Page 11
Select the Password C. Edward Chow Page 12
Certificate Request Sent • After the password is confirmed, a certificated will be sent to Verisign. • They will send an email to the address you specified in the request with instruction on how to install the digital ID. Hit the continue button. C. Edward Chow Page 13
Pickup Digital ID • You can also go to https://digitalid.verisign.com/client/outlook/outlookpickup.htm • And enter the PIN included in the email to pickup the digital ID. C. Edward Chow Page 14
Setup Digital ID for Secure Email Associate a Digital ID With Your E-mail Account Microsoft Outlook Express: • Select Accounts from the Tools menu, then the Mail tab. • Select your Mail account, click the Properties button, select the Security tab. • Check the box "Use a digital ID when sending secure messages from", then click the Digital ID button. • Select the certificate you want to use to digitally sign your e-mail. Outlook 98: • In the Tools menu select Options, then the Security tab • Click "Add digital signature to outgoing messages", click the "Change Settings" button • On the next screen click the "Choose..." button. Select the Digital ID you want to use for signing e-mail in Outlook. C. Edward Chow Page 15
Find Other’s Digital ID • https://digitalid.verisign.com/services/client/index.html C. Edward Chow Page 16
Digital ID Search Result C. Edward Chow Page 17
Digital ID Search Result C. Edward Chow Page 18
Receive Signed Email Indicate a signed email C. Edward Chow Page 19
Examine the Signature • Click on the signature symbol. C. Edward Chow Page 20
View the Certificate C. Edward Chow Page 21
Certificate Detail C. Edward Chow Page 22
Setup Option for Signed Encrypted Email • Go to outlook (not the email window), tools | options select security tab. C. Edward Chow Page 23
Receive Signed and Encrypted Email C. Edward Chow Page 24
On Windows 2000 C. Edward Chow Page 25
Import Certificate to Outlook 2000 C. Edward Chow Page 33
Specify path and password for the certificate C. Edward Chow Page 34
Change the Hash Algorithm or Encryption Algorithm C. Edward Chow Page 35
Make sure your email account has the same email Address as that in the certificate!! C. Edward Chow Page 36
Reply Secure Email on Outlook2000 • To send an encrypted e-mail message to someone, you must have a copy of that person's digital ID in your contact list. Just have the person send you a digitally signed message. When you receive the message, you copy the person's address in the From field of the message into your contacts. • If you had old entry in contacts without certificate, you need to click on the From field to update entry with the certificate. C. Edward Chow Page 37
Netscape Communicator 4.51 • Go to home.netscape.com and select download netcape communicator 4.51. • After download, click on cc32e451.exe to install. • Accept default settings, except that do choose the netscape communicator as default browser, netcenter as default web page on frodo.uccs.edu. • After restart, click on the netscape messager. • It will go through a series of dialog to help set up your incoming and outgoing mail server on cs.uccs.edu. C. Edward Chow Page 38
Setup Netscape Messenger • Create a New Profile. C. Edward Chow Page 39
Enter Name and Email Address C. Edward Chow Page 40
Choose Name and Directory for the Profile • This name will show up on main messenger mail window C. Edward Chow Page 41
Setup Outgoing Mail Server • Use cs.uccs.edu C. Edward Chow Page 42
Setup Incoming Mail Server • Enter your loginname • Select cs.uccs.edu as incoming mail server (make sure you forward your email to cs.uccs.edu.) • Choose IMAP instead of POP. • IMAP leaves mails in the mail server.Down load the header first. • POP download the mails and remove mails on mail servers as default. C. Edward Chow Page 43
Setup News Group Server • Enter harpo.uccs.edu as news server. C. Edward Chow Page 44
Setup Different User Profile • After netscape communicator is stalled, the next login user will find the netscape messenger using the profile of the user who installs the software. • Actually, even if you can read some of the headers of the email (a bad design), you can not download the content since you will be prompt for the password. • Each time you have the encrypted email, you will be prompted for the password of the certificate in order to obtain private key to decrypt the email. • The following describes how you set up your own netscape profile (especially for email). C. Edward Chow Page 45
Netscape User Profile Manager • Select start | programs| netscape|utilities|user profile manager. Click new and enter your loginname C. Edward Chow Page 46
Setup Different User Profile(2) • The rest of the steps follows that of page 18 of this handout. C. Edward Chow Page 47
Using Communicator with Different User Profiles • After the profile is set up, when you invoke communicator, you will be asked to select the specific profile. C. Edward Chow Page 48
Download Other’s Certificate From Verisign • On navigator, select security | people • Select search directory C. Edward Chow Page 49
Search Verisign Directory • Select verisign directory in pull down menu • Enter the email address of the person you would like to request the certificate. Then click search button. C. Edward Chow Page 50