Understanding Cryptography - Essay Example

Understanding Cryptography. Number: Lecturer: Introduction. Internet communication, wireless networking, mobile computing, and cloud computing are some of the trends shaping the computing and communication industry. All organizations are embracing such new technologies in a bid to enhance their performance and gain a competitive edge. These technologies help the companies to achieve great milestones in data processing and communication (Cisco Inc., 2014). However, they have a great concern with regard to information and data security. This is where cryptography is used to secure and enhance security of data and information in the communication and wireless networks. Cryptography is somehow omnipresent going beyond the conventional environments such as banking systems, government communications among others (Christoff, 2009). Cryptography is now used in web browsers, cell phones, e-mail programs, embedded software, manufacturing systems, cars, medical plants, smart buildings among others (Christoff, 2009). Therefore, designers and system users need to understand comprehensively the concept of cryptography and how it is applied in order to appreciate its effectiveness in securing wireless networks and communication. According to Christoff (2009), cryptography is the study and practice of techniques for securing communication particularly in the presence of a third party (adversary). Essentially, cryptography is mainly concerned with the development and determining protocols that protect against the influence of third parties in communication and networking. It also analyzes protocols and mechanisms that are related to information security aspects including data integrity, confidentiality, non-repudiation and authentication (Paar & Pelzl, 2010). Over the years, various techniques similar to encryption have been used as cryptography. However, modern cryptography borrows from disciplines of computer science, mathematics and electrical engineering among others. Cryptography is predominantly used in computer passwords, e-commerce, and ATM cards. It employs several tools and techniques to implement the security needed for the various applications (Christoff, 2009). OpenSSL. OpenSSL is one of the tools of cryptography that implements the SSL and the TSS security protocols in the network (Viega, Messier, & Chendra, 2002). It is mainly used in many web servers to transmit packets in encrypted form rather than in plain readable text. Open SSL has a core library that is developed in C programming language and is used for the implementation of the basic cryptographic functions and the various utility functions (Viega, Messier, & Chendra, 2002). OpenSSL employs the use of sophisticated algorithms to create a security framework that ensures security of packets transmitted over the network. The OpenSSL program can be used for various functions and purposes including: creation of the X.509 certificates, CRLs and CSRs, creation of RSA, DH and DSA key parameters, calculating message digests, performing client and server tests for SSL and TLS, encryption and decryption, and handling of encrypted or signed mails (Armknecht, et al., 2008). Cryptographic algorithms and modes supported by OpenSSL OpenSSL supports a range of cryptographic algorithms that are used to ensure security of data in the network during transmission and communication. The algorithms support the encryption of long plain text data using a block cipher. These algorithms are all aimed at providing security of data and information sent from point A to point B. these algorithms are explained below: Electronic Code Book (ECB). This is one of the most straightforward algorithms of cryptography used by the OpenSSL. According to (Armknecht, et al., 2008) a block cipher is used to encrypt data and information to be sent and another block cipher is used to decrypt the information. These block ciphers can either be 3DES or AES (Christoff, 2009). The process of encryption and decryption in ECB is illustrated using the following equation (Christoff, 2009): “Let e() be a block cipher of block size b, and let xi and yi be bit strings of length b. Encryption: yi = ek(xi), i ≥ 1 Decryption: xi = e−1 k (yi) = e−1 k (ek(xi)), i ≥ 1” (Christoff, 2009). Block synchronization between the sender and recipient in ECB is not necessary as it is in other algorithms. Therefore, if the recipient receives partial data or information due to transmission problems, the received block can still be decrypted by the recipient. Additionally, this algorithm is suitable for high-speed implementations since it allows parallelization (Christoff, 2009). Despite this advantage, ECB has some major weaknesses that could eventually jeopardise with the security of data and information. Given its working principle of mapping all the inputs to corresponding outputs including maintaining a static encryption and decryption key for same messages (Viega, Messier, & Chendra, 2002). This enables an attacker to easily notice if the message has been repeatedly sent by simply analyzing the cipher text. Cipher text analysis makes the ECB algorithm susceptible to substitution attacks and violation of integrity (Armknecht, et al., 2008). Cypher Block Chaining (CBC). The main ideas behind the CBC algorithm are chaining together of all blocks and the randomization of encryption using an Initialization vector (IV). According to Christoff (2009), the details of this algorithm is summarised below: Encryption. To explain this process Christoff (2009), notes “the cipher text is denoted yi, this is a result of the plain text xi. Yi is fed to the cipher input and the XORed with the succeeding block of plain text xi+1.” The xi+1 XOR sum is the one encrypted to yield yi+1, which is in turn xi+2 this continues consecutively until the final text is encrypted. Since the first plain text xi there is no previous cipher text therefore an IV is added to this plain text, this allows CBC to be non-deterministic. It is important to note here that the first yi depends on xi and the IV. The second cipher text block yi+1 depend on x1+i and the IV and so on. The last cipher is a function of all the plain texts and the IV (Christoff, 2009). Decryption. During decryption of the cipher text, the operations on the encryption are reversed. First, the block cipher encryption is reversed using the decryption function e−1 (). Then the XOR operation is undone by performing an XOR operation on the correct cipher block. It is important to note that once the cipher text block yi is decrypted, the XOR operation must be performed on the results with IV. This is to determine the plain text block. The following equations describe the entire encryption and decryption process (Viega, Messier, & Chendra, 2002): “Let e() be a block cipher of block size b; let xi and yi be bit strings of length b; and IV be a nonce of length b. Encryption (first block): y1 = ek(x1⊕IV ) Encryption (general block): yi = ek(xi⊕yi−1), i ≥ 2 Decryption (first block): x1 = e−1k (y1)⊕ IV Decryption (general block): xi = e−1k (yi)⊕ yi−1, i ≥ 2” (Armknecht, et al., 2008) Output Feedback (OFB). Christoff states that “this algorithm uses a block cipher to form a stream cipher encryption scheme. In this algorithm the key stream is generated in a block wise fashion” (Christoff, 2009). The XOR operation is used to encrypt the plain text bits. Basically, the algorithm encrypts an IV with a block cipher. The first output from encryption provides the first set of stream bits and consecutive stream bits are computed by encrypting the previous cipher output. This process is repeated until the final block is encrypted (Armknecht, et al., 2008). The OFB algorithm creates a synchronous stream cipher that is the key stream and does not depend on the cipher text. Since the algorithm uses the stream cipher, both the encryption and decryption operations are similar. Both the encryption and decryption is done using the XOR operation at both ends (Christoff, 2009). Since the algorithm uses the IV it is therefore non deterministic. The following equation according to Christoff describes the encryption and description process of the OFB algorithm (Christoff, 2009): “Let e() be a block cipher of block size b; let xi, yi and si be bit strings of length b; and IV be a nonce of length b. Encryption (first block): s1 = ek(IV ) and y1 = s1⊕x1 Encryption (general block): si = ek(si−1) and yi = si⊕xi, i ≥ 2 Decryption (first block): s1 = ek(IV ) and x1 = s1⊕y1 Decryption (general block): si = ek(si−1) and xi = si⊕yi, i ≥ 2” (Christoff, 2009). Cipher Feedback (CFB). This algorithm also utilizes the block cipher as a building block as a stream cipher. CFB is similar to OFB algorithm but unlike the OFB the output of the block is not fed back but the cipher text is fed back (Christoff, 2009). “Just as it is in the OFB, the key stream is not generated bitwise but in a block wise fashion. The basic idea behind this algorithm is that the first key stream block is generated by encrypting the IV” (Armknecht, et al., 2008). Then for all subsequent key stream blocks, the preceding cipher text is encrypted. The encryption and decryption operations are similar due to the fact that the algorithm forms a stream cipher (Viega, Messier, & Chendra, 2002). OFB asynchronous stream cipher since the cipher output is also a function of the cipher text. Description of CFB: “Let e() be a block cipher of block size b; let xi and yi be bit strings of length b; and IV be a nonce of length b. Encryption (first block): y1 = ek(IV )⊕x1 Encryption (general block): yi = ek(yi−1)⊕xi, i ≥ 2 Decryption (first block): x1 = ek(IV )⊕y1 Decryption (general block): xi = ek(yi−1)⊕yi, i ≥ 2” (Christoff, 2009). Counter Algorithm (CTR). The CTR algorithm also uses the block cipher as a stream cipher. The stream cipher is also computed in a block wise fashion (Christoff, 2009). Input to the block cipher is in form of a counter that changes value each time the block cipher computes a new key stream block. Initialization of the input to the block cipher must be different to prevent subjection to attack. Description of the CTR algorithm (Christoff, 2009): “Let e() be a block cipher of block size b, and let xi and yi be bit strings of length b. The concatenation of the initialization value IV and the counter CTRi is denoted by (IV ||CTRi) and is a bit string of length b. Encryption: yi = ek(IV ||CTRi)⊕xi, i ≥ 1 Decryption: xi = ek(IV ||CTRi)⊕yi, i ≥ 1” (Christoff, 2009) Galois Counter Mode GCM “GCM encrypts data and information by computing a message authentication code (MAC). The code provides a cryptographic checksum that is computed by the sender and appended to the message to be sent. The recipient then computes another MAC from the message and confirms whether they are the same” (Christoff, 2009). This enables the recipient to verify the sender and to determine whether the cipher text has been tampered with along the way. Consequently, GCM algorithm ensures confidentiality, authenticity of the plain text and the additional authenticated data (Armknecht, et al., 2008). “It consists of an underlying block cipher and a Galois field multiplier that handles the encryption and decryption operations” (Armknecht, et al., 2008) The GCM utilizes the CTR to encrypt data and then computation of the MAC value is done (Paar & Pelzl, 2010). “The initial counter value is derived from the IV and a serial number. The value is then incremented and then encrypted and XORed for the first plain text. The counter is incremented and then encrypted for the subsequent plain texts” (Armknecht, et al., 2008). Authentication is achieved by performing a chained Galios field multiplication. The algorithm is described by the following equation (Christoff, 2009): “Let e() be a block cipher of block size 128 bit; let x be the plaintext consisting of the blocks x1, . . . ,xn; and let AAD be the additional authenticated data” (Armknecht, et al., 2008). “Encryption a. Derive a counter value CTR0 from the IV and compute CTR1 =CTR0+1. b. Compute cipher text: yi = ek(CTRi)⊕xi, i ≥ 1. Authentication a. Generate authentication subkey H = ek(0) b. Compute g0 = AAD×H (Galois field multiplication) c. Compute gi = (gi−1 ⊕yi)×H, 1 ≤ i ≤ n (Galois field multiplication) d. Final authentication tag: T = (gn×H)⊕ek(CTR0) “ (Christoff, 2009). References Armknecht, F., Gasmi, Y., Sadeghi, A. R., Stewin, P., Unger, M., Ramunno, G., et al. (2008). An efficient implementation of trusted channels based on OpenSSL. the 3rd ACM workshop on Scalable trusted computing (, (pp. 41-50). Christoff, P. (2009). Understanding Cryptography. London: Springer. Cisco Inc. (2014, April). Next generation Encryption. Retrieved November 26, 2014, from Cisco: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html Paar, J., & Pelzl, J. (2010). Introduction to Cryptography and Data security. In J. Paar, & J. Pelzl, Understanding Cryptography (pp. 1-27). Berlin: Springer. Viega, j., Messier, M., & Chendra, P. (2002). Network security with OpenSSL:Cryptography for secure communications. OReilly Media Inc. Read More