Cryptography & Steganography
Introduction:
Basic understanding
Symmetric and Asymmetric
Steganography
Cryptographic Algorithms and standards
Strength
Applications
Network (deploying packet switching) security through cryptography
Digital Certificates
Kerberos
SSL/IPSEC
Looking AheadConclusion
Introduction:
Security is the art of protecting access to information and other computing resources from those whom we do not fully trust. Security is only possible if we are able to keep certain secrets, such as passwords, keys and so forth. Cryptography is the science of encrypting data to keep them secret.
In the simplest, the original message, before being encrypted, is called plaintext. After the message is encrypted, it is called ciphertext. A ciphertext has no importance for the intruder as it gives no sense in reading random bits of data. An encryption algorithm transforms the plaintext to ciphertext; a decryption algorithm transforms the ciphertext back to plaintext.
Basic Understanding:
Symmetric Cryptography:
In this type of cryptography, the same key is used both to encrypt and to decrypt the data. The key is shared. Symmetric-key algorithms are often used to encrypt long messages as they are efficient and take less time to encrypt a message.
Asymmetric (public key) Cryptography :
Here there is one key (known as private key) to encrypt the data and another (public key) to decrypt the data. With mathematical combinations, there may be several public keys for a single private key. Such encryption is widely used over internet for authorized access of some data to a group of people.
The Private and Public Keys can we chosen in a variety of way. For example the most common algorithm (RSA) has a private key pair of numbers (N,d) and a public key pair of numbers (N,e). The sender uses the following algorithm to encrypt the message.
C=Pemod N
And the receiver uses the following algorithm to decrypt the same message
P=Cdmod N
The numbers used in this algorithm are so large that the trial-and-error approach of breaking the code takes a long time (years) with the fastest computers available.
Steganography
It is the art of concealing information in such a way that the fact that information is being concealed is itself a secret. The message is concealed in even an image or other media file/data file.
Let us take an example of how it works. An image file (bitmap image) is made up of millions of pixels made of different color combinations of Red, Green and Blue. Each 8-bit byte of the original message is incorporated into a corresponding pixel in the bitmap image. Each byte in the original message is split into a set of 3-bit, 3-bit and 2-bit fields. These are then used to replace the least significant 3 bits, 3 bits and 2 bits of the corresponding pixel’s red, green and blue color components, respectively. The image before and after a short secret message has been inserted looks the same.
This technique works because the least significant bits tend to have little effect on the visual appearance of the image. If we try doing this using the most significant pixel bits, we will see a startling result that looks very psychedelic. In Steganography, as in real life, psychedelic effects are best avoided.
Thus we can carry information in images, audio files, email attachments, Voice over IP and so forth. In addition, secret-loaded files can be communicated anonymously and in large volumes via newsgroup, email, Web sites, and services such as Napster/Kazaa.
Hashing:
Hashing algorithms are used to digitally sign a message to guarantee its integrity and genuineness. A checksum of manageable length is derived from the message and only that part is signed (asymmetrically encrypted). This checksum is known as a hash result. An algorithm for calculating a hash result is called a hash function.
The hashed signature is small and a small change in original text makes large change in signature and thus originality of the message is assured.
Cryptographic standards and algorithms:
Symmetric (Secret Key) Algorithms * DES is an algorithm developed in the 1970s. DES is a block cipher with 64-bit block size. It uses 56-bit keys. This makes it fairly easy to break with modern computers or special-purpose hardware. A variant of DES, Triple-DES or 3DES is based on using DES three times (normally in an encrypt-decrypt-encrypt sequence with three different, unrelated keys).* Rijndael is an AES (Advance Encryption Standard) symmetric block cipher replacing the DES.* Blowfish is an algorithm developed by Bruce Schneier. It is a block cipher with 64-bit block size and variable length keys (up to 448 bits). No attacks are known against it.* IDEA (International Data Encryption Algorithm) is an algorithm developed at ETH Zurich in Switzerland. It uses a 128 bit key, and it is generally considered to be very secure. It is currently one of the best public known algorithms.* RC4 is a cipher designed by RSA Data Security, Inc. RC4 is essentially a pseudo random number generator, and the output of the generator is xored with the data stream. For this reason, it is very important that the same RC4 key never be used to encrypt two different data streams. Exportable version of SSL (Netscape's Secure Socket Layer) uses RC4-40.* SAFER is an algorithm developed by J. L. Massey. It is claimed to provide secure encryption with fast software implementation even on 8-bit processors. Two variants are available, one for 64 bit keys and the other for 128 bit keys.* Ciphers based on a hash function. Any cryptographically strong hash function can be turned into a cipher. There are several possible arrangements; the general idea is that the hash function is used as a random number generator, and the hash value is xored with the data to be encrypted. When all bytes of the hash value have been used, a new hash value is obtained by modifying the key (or whatever was hashed) somehow, and taking a hash of that. The data to be hashed may include a key, the previous hash value, a sequence number, previous plaintext, etc. Examples of a hash-based cipher are MDC/SHA.* Enigma was the cipher used by the Germans in World War II. It is trivial to solve with modern computers.* Vigenere is a historical cipher nowadays easy to break.* RC2 is a cipher design by Ronald Rivest(symmetric stream cipher)
Asymmetric (Public Key) Algorithms * RSA (Rivest-Shamir-Adelman) is the most commonly used public key algorithm and can be used both for encryption and for signing. It is generally considered to be secure when sufficiently long keys are used (512 bits is insecure, 768 bits is moderately secure, and 1024 bits is good). The security of RSA relies on the difficulty of factoring large integers. RSA is very vulnerable to chosen plaintext attacks. There is also a new timing attack that can be used to break many implementations of RSA. * Diffie-Hellman is a commonly used public-key algorithm for key exchange. It is generally considered to be secure when sufficiently long keys and proper generators are used. The security of Diffie-Hellman relies on the difficulty of the discrete logarithm problem (which is believed to be computationally equivalent to factoring large integers). There is also a new timing attack that can be used to break many implementations of Diffie-Hellman.* Elliptic curve public key cryptosystems is an emerging field. They have been slow to execute, but have become feasible with modern computers.* DSS (Digital Signature Standard) and DSA(Digital Signature Algorithm are used specifically for digital signatures.* ElGamal public key cryptosystem. Based on the discrete logarithm problem.* LUC is a public key encryption system. It uses Lucas functions instead of exponentiation. It's inventor Peter Smith has since then implemented four other algorithms with Lucas functions: LUCDIF, a key negotiation method like Diffie-Hellman; LUCELG PK, equivalent to El Gamal public-key encryption; LUCELG DS, equivalent to El Gamal digital signature; and LUCDSA, equivalent to the US Digital Signature Standard.
Block Cipher Modes Many commonly used ciphers (e.g., IDEA, DES, BLOWFISH) are block ciphers. This means that they take a fixed-size block of data (usually 64 bits), an transform it to another 64 bit block using a function selected by the key. The cipher basically defines a one-to-one mapping from 64-bit integers to another permutation of 64-bit integers.If the same block is encrypted twice with the same key, the resulting ciphertext blocks are the same (this method of encryption is called Electronic Code Book mode, or ECB). This information could be useful for an attacker.In practical applications, it is desirable to make identical plaintext blocks encrypt to different ciphertext blocks. Two methods are commonly used for this: * CFB mode: a ciphertext block is obtained by encrypting the previous ciphertext block, and xoring the resulting value with the plaintext. * CBC mode: a ciphertext block is obtained by first xoring the plaintext block
with the previous ciphertext block, and encrypting the resulting value.The previous ciphertext block is usually stored in an Initialization Vector (IV). An initialization vector of zero is commonly used for the first block, though other arrangements are also in use.
Cryptographic Hash Functions * MD5 (Message Digest Algorithm 5) is a secure hash algorithm developed at RSA Data Security, Inc. It can be used to hash an arbitrary length byte string into a 128 bit value. MD5 is in wide use, and is considered reasonable secure.* MD2, MD4: These are older hash algorithms from RSA Data Security. They have known flaws, and their use is not recommended.* SHA (Secure Hash Algorithm) (also SHS, Secure Hash Standard): It produces a 160 bit hash value from an arbitrary length string. New versions SHA-1, SHA-256, SHA-384, SHA-512: Standard secure hash algorithms developed by NIST(National Institute of Standards and Technology) along with the NSA (for use with the Digital Signature Standard).* Tiger is a new hash algorithm developed by Anderson and Biham.* RIPEMD-160 is designed to replace MD4 and MD5. It produces a digest of 20 bytes, reportedly runs at 40 Mb/s on a 90 MHz Pentium and has been placed in the public domain by its designers.
Developer’s tools:
Cryptography with Java:
In Java API terminology, cryptographic services are programming abstractions to carry out or facilitate cryptographic operations. Most often, these services are represented as Java classes with names conveying the intent of the service. For example, digital signature service, represented by java.security.Signature class, creates and verifies digital signatures. The cryptographic service classes have a distinct structure to facilitate independence from algorithm and implementation. They typically do not have public constructors and the instances are created by invoking a static method getInstance() on the service class. Cryptographic Service Providers, or just providers, are implementations of cryptographic services consisting of classes belonging to one or more Java packages. It is possible to have multiple providers installed within a J2SE environment, some even implementing the same service with the same algorithms. A program can either explicitly specify the provider name through an identifier string assigned by the vendor, or implicitly ask for the highest priority provider by not specifying any provider. Some of the J2SE cryptographic services and supported algorithms, with brief descriptions:
Most of these are used within java.security, javax.crypto and their various subpackages. The actual implementation of these classes is in various provider classes that come bundled with J2SE. It is also possible to install additional providers.
Java class javax.crypto.Cipher is the engine class for encryption and decryption services. A concrete Cipher object is created by invoking the static method getInstance() and requires a transform string of the format algorithm/mode/padding (for e.g. "DES/ECB/PKCS5Padding") as an argument. After creation, it must be initialized with the key and, optionally, an initialization vector. After initialization, method update() can be called any number of times to pass byte arrays for encryption or decryption, terminated by a doFinal() invocation.
Cryptography with Microsoft .NET:
The .NET framework provides a very robust class library to provide cryptographic services.
The following classes provide functionality to work with symmetric algorithms:
System.Security.Cryptography.DES
System.Security.Cryptography.RC2
System.Security.Cryptography.Rijndael
System.Security.Cryptography.TripleDES
The following classes provide functionality to work with asymmetric algorithms:
System.Security.Cryptography.DSA
System.Security.Cryptography.RSA
The following classes provide functionality for hash functions:
System.Security.Cryptography.KeyedHashAlgorithm
System.Security.Cryptography.MD5
System.Security.Cryptography.SHA1
System.Security.Cryptography.SHA256
System.Security.Cryptography.SHA384
System.Security.Cryptography.SHA512
The powerful pre-built functions in the above class libraries provide easy and fast support for encryption and decryption with support of the .NET CLR.
Cryptography with PHP:
PHP has libraries like ‘mcrypt’ that supports a wide variety of block algorithms such as DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. Additionally, it supports RC6 and IDEA which are considered "non-free". Mcrypt can operate in four block cipher modes (CBC, OFB, CFB, and ECB).Example of ciphers which are currently supported by the mcrypt extension: MCRYPT_3DES, MCRYPT_ENIGMA, MCRYPT_RIJNDAEL_256, MCRYPT_TRIPLEDES (libmcrypt > 2.4.x only) etc. One must (in CFB and OFB mode) or can (in CBC mode) supply an initialization vector (IV) to the respective cipher function. The IV must be unique and must be the same when decrypting/encrypting. With data which is stored encrypted, one can take the output of a function of the index under which the data is stored (e.g. the MD5 key of the filename). Alternatively, one can transmit the IV together with the encrypted data.
Cryptography with Symbian OS:
Symbian OS is used on a very large number of mobile instruments. There are different component and associated libraries for developers for encryption:
Security on Internet through cryptography
On Internet, cryptography is used at different stage to ensure integrity, authentication and nonrepudiation of data. Encryption is involved in the following layers of the OSI layer:
* Application Layer Security
* Digital Signatures
* PGP (Pretty Good Privacy)
* Kerberos
* IP Layer security
* IPSEC
* Transport Layer security
* TLS & SSL
Certifying authorities and ticket granting mechanism is also involved to ensure problems of key distribution and authorization.
Looking Ahead
Wireless communication has given rise to increased need of reliable encryption techniques as radio waves can be very easily intercepted. The present encryption used with GSM and UMTS face challenges against high speed sniffing/hacking hardware available. Besides the need for consistent and high performing Virtual Private Networks (VPN) demands better encryption techniques.
Conclusion
Cryptography plays a very important role in security. Today in the age of E-Commerce and E-Business, the strength of cryptography is critical to the development of Information Technology in general. Internets and Intranets have changed the way the world is working today. Safe and secure transactions are possible only if trusted encryption algorithms are implemented. In the presence of Digital Signatures and other cryptographic services, internet has been a trusted mean of electronic transactions.
Wednesday, January 3, 2007
Subscribe to:
Post Comments (Atom)
1 comment:
Awesome guide. With the help of this post I have completely understood the role of cryptography in computer and information security. Thanks for posting this wonderful information.
electronic signature Microsoft
Post a Comment