Overview of Cryptography: SSRN Electronic Journal January 2011
Overview of Cryptography: SSRN Electronic Journal January 2011
Overview of Cryptography: SSRN Electronic Journal January 2011
net/publication/315029214
Overview of Cryptography
CITATIONS READS
2 8,897
1 author:
Anthony-Claret Onwutalobi
Lahden ammattikorkeakoulu
7 PUBLICATIONS 6 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Anthony-Claret Onwutalobi on 11 December 2017.
Overview of Cryptography
Onwutalobi Anthony Claret, Member, IEEE
using a key that was 56 bits in size. Each user randomly Pretty Good Privacy (PGP)
selected a key and revealed it only to those persons authorized
to see the protected data. DES was broken in 1998.
In 1978 three American computer scientists, Ronald L.
Rivest, Adi Shamir, and Leonard Adleman, who later founded
the company RSA Data Security, created the Rivest-Shamir-
Adleman (RSA) system. The RSA system uses two large prime
numbers, p and q, multiplied to form a composite, n. The
formula n = pq, capitalizes on the very difficult problem of
factoring prime numbers.
returned data, and, if successful, know that it has established key, then the receiving computer may decrypt the message,
communication with you. [4] first using its secret key and then the sender's public key. [6]
If private -key cryptography is used to send secret messages Using this public-key cryptographic method, the sender and
between two parties, both the sender and receiver must have a receiver are able to authenticate one another as well as protect
copy of the secret key. However, the key may be compromised the secrecy of the message. Single key methods, in contrast,
during transit. If you know the party you are exchanging require great secrecy in conveying a key from sender to
messages with, you can give them the key in advance. recipient
However, if you need to send an encrypted message to
someone, you have never met; you will need to figure out a VI. OTHER CRYPTOSYSTEMS
way to exchange keys in a secure way. One method is to send
it via another secure channel. Secure Sockets Layer (SSL), a protocol developed by
The Rivest, Shamir, Adleman (RSA) algorithm is a popular Netscape Communications Corporation for transmitting
encryption method that uses two keys. It was developed for private documents via the Internet, and Secure Hypertext
general use in 1977 and was named for the three computer Transfer Protocol (S-HTTP), designed to transmit individual
scientists—Ronald L. Rivest, Adi Shamir, and Leonard messages, also use encryption methods.
Adleman—who originated it. The RSA Data Security The length or complexity of the key (along with the difficulty
Company has been highly successful in licensing its algorithm of the algorithm) usually indicates the effectiveness of the
for others to use. encryption. DES, for example, uses 56 bits in its key to change
Unlike symmetric cryptography, the keys are 8-character message segments into 64-bit segments of
mathematically related, yet it is computationally infeasible to ciphertext. In 1997 the National Institute of Standards and
deduce one from the other. Anyone with the public key can Technology began coordinating development of a new
encryption system called Advanced Encryption Standard
encrypt a message but not decrypt it. Only the person with the
(AES). AES is to replace DES, as it will use a stronger
private key can decrypt the message. One of the most common
algorithm, based on a 128-bit encryption standard instead of
uses of public-key technology is to provide a secure
the 64-bit standard that DES now uses. Another advanced
communication channel between computer programs, although encryption system employs the International Data Encryption
private-key techniques can be used for this, too. Public key Algorithm, or IDEA, based on 128-bit segments. The Swiss
infrastructure also provides the foundation for secure emails Federal Institute of Technology developed the IDEA standard
because public key cryptography is used to distribute in the 1990s. Banks in the United States and several countries
symmetric keys, which are then used to encrypt and decrypt in Europe use the IDEA standard
actual messages. For example, in using a public-key system
for personal authentication or secure messaging, you keep one VII. KERBEROS
key secret. The second (public) key can then be distributed to Kerberos is another secure encryption method. It was
anyone. developed at MIT in the mid 1980. Kerberos is available as
The typical example of public key infrastructure is SSL open source or in supported commercial software. Kerberos
(Secure Socket Layer) protocol. SSL is often used to protect employs client/server architecture and provides user-to-server
information sent between Web browsers and web servers; this authentication rather than host-to-host authentication. In this
is commonly used in e-commerce systems. model, security and authentication will be based on secret key
PGP is an encryption system as demonstrated above it also technology where every host on the network has its own secret
uses two keys. It is based on the RSA algorithm. PGP was key. It would clearly be unmanageable if every host had to
invented by software developer Philip Zimmerman and is one know the keys of all other hosts so a secure, trusted host
of the most common cryptosystems used on the Internet somewhere on the network, known as a Key Distribution
because it is effective, free, and simple to use. PGP is such an Center (KDC), knows the keys for all of the hosts (or at least
effective encryption tool that the United States government some of the hosts within a portion of the network, called a
sued Zimmerman for releasing it to the public, alleging that realm). In this way, when a new node is brought online, only
making PGP available to enemies of the United States would the KDC and the new node need to be configured with the
endanger national security. [5] The lawsuit was dropped, but it node's key; keys can be distributed physically or by some other
is still illegal in some countries to use PGP to communicate secure means.
with people in other countries.
In the two-key system, also known as the public key system,
one key encrypts the information and another, mathematically
related key decrypts it. The computer sending an encrypted
message uses a chosen private key that is never shared and so
is known only to the sender. All computers authorized to
receive and decrypt the message are given the matching public
key. This method also establishes who sent the message. If a
sending computer first encrypts the message with the intended
receiver's public key and again with the sender's secret, private
In a transposition cipher, the order of plaintext letters is technology greatly reduces the opportunity for "sniffing" or
changed to derive the ciphertext. The message is usually eavesdropping on people's conversations.
written without word divisions in rows of letters arranged in a Adoption of methods for sending passwords through secure
rectangular block. The letters are then transposed in a (encrypted) channels.
prearranged order, such as by vertical columns, diagonals, or
spirals, or by more complicated systems, such as the knight's There is a Cryptographic authentication system, which do not
tour, which is based on the move of the knight in chess. The rely on transmitting passwords.
arrangement of the letters in the enciphered message depends
upon the size of the block of code words used and upon the Key Management
route followed in inscribing and transposing the letters. One of the big challenges in using cryptography on a
A cipher in which every pair of letters is swapped is an widespread basis especially public-key encryption--is the
example of a transposition cipher. In this case, for example, management of private and public keys. Key management
the ciphertext for elephant would be lepeahtn. The first and deals with the secure generation, distribution, and storage of
second letters are swapped, then the third and fourth letters are keys. Secure methods of key management are extremely
swapped, and so on. Transposition ciphers may be combined important. Once a key is randomly generated, it must remain
with substitution ciphers to produce a more complex encoded secret to avoid unfortunate mishaps. Most attacks on public-
message. key systems will probably be aimed at the key management
level, rather than at the cryptographic algorithm itself.
Breaking Simple Ciphers Users must be able to securely obtain a key pair suited to their
Substitution and transposition ciphers appear to be difficult efficiency and security needs. There must be a way to look up
to break. However, if enough messages are encrypted with any other people's public keys and to publicize one's own public
cipher, the cipher is easily broken. Repetition of a series of key. Users must be able to legitimately obtain others' public
letters may lead code breakers to the key of any cipher system. keys; otherwise, an intruder can either change public keys
In a substitution cipher, once a letter is associated with another listed in a directory, or impersonate another user.
letter, a pattern emerges and the cipher is easily decrypted. If someone's private key is lost or compromised, others must
[10] be made aware of this, so they will no longer encrypt messages
In order to make a cipher even more secure, a key word or under the invalid public key nor accept messages signed with
number may be used. Transposition ciphers might be the invalid private key. Users must be able to store their
recognized by the letter frequencies (the number of times a private keys securely, so no intruder can obtain them, yet the
common letter, such as e, is used compared to the number of keys must be readily accessible for legitimate user. Keys need
times a less frequently used letter, such as q, appears) for the to be valid only until a specified expiration date but the
language used. Solution of such ciphers without the key is expiration date must be chosen properly and publicized in an
possible by rearranging the letters in various geometric designs authenticated channel.
and at the same time forming a new word by reordering the
letters of the coded word or phrase (such as from satin to stain) Certificates
A digital certificate is an attachment to an electronic
until the method of encipherment is discovered.
message used for security purposes. It is commonly used to
Computers may be used to break simple ciphers. Techniques
verify that a user is who he/she claims to be and to provide the
for encrypting data naturally took advantage of the power of
receiver with the means to encode a reply.
computers. Today’s modern cryptographic techniques are
When you obtain a certificate by applying to a certificate
based entirely on a cryptographic key that is kept secret. The
authority (CA); once the CA verifies you are who you say you
plaintext that is to be encrypted is converted to bits, or binary
are, it creates a certificate--a digital document--for you. The
digits of 1s and 0s (see Bit). Then complex substitutions and
certificate contains:
transpositions are performed on the plaintext, using the key as
A name that is unique to you
a guide. The transformation of the plaintext to ciphertext is
The length of time the certificate is valid
entirely dependent on the key.
Your public key
Your key's purpose: to sign messages or to encrypt data
Cryptographic Authentication
Certificates do the following for your system:
Providing a way to authenticate yourself to a computer system
Backed up and recoverable
without publicly sending your password is very essential in
Protected against theft
achieving your security goal. Passwords sent without
Matched with encrypted data
encryption may be discoverable by others if sent through or to
Accessible from many systems
insecure network segments or systems.
Accessible only to the authorized user
Below are the approaches used to avoid unencrypted
In order for you to manage your certificate to be used with
password problems?
applications, you will need to do the followings:
Shared network segments are gradually being replaced by
Production and maintenance of a very large standards-based
"switched" network segments. The newer, switched network
directory
The disadvantage or problem of this method compared to substituted for which other letters. Early cryptanalysis
symmetric encryption is the greater amount of processing time techniques included computing the frequency with which
required for the calculation or a process. This is why usually letters occur in the language that is being intercepted. For
the so called hybrid technology which is a mix of both example, in the English language, the letters e, s, t, a, m, and n
asymmetric and symmetric encryption is used when dealing occur much more frequently than do q, z, x, y, and w. So,
with a greater amount of data. In this case, symmetric cryptanalysts look at the ciphertext for the most frequently
encryption is used to encode the data but the symmetric key is occurring letters and assign them as candidates to be e, s, t, a,
communicated on a previously determined frequency using m, and n. Cryptanalysts also know that certain combinations of
asymmetric encryption. letters are more common in the English language than others
are. For example, q and u occur together, and so do t and h.
The frequency and combinations of letters help cryptanalysts
X. SECURITY ISSUES AND LEGAL IMPLICATION
build a table of possible solution letters. The more ciphertext
that is available, the better the chances of breaking the code.
Data encryption is regarded by the U.S. government as a In modern cryptographic systems, too, the more ciphertext that
national-security issue because it can interfere with is available to the code breaker, the better. For this reason, all
intelligence gathering—therefore, it is subject to export systems require frequent changing of the key. Once the key is
controls, which in turn make it difficult for U.S. companies to changed, no more ciphertext will be produced using the former
function competitively in the international marketplace. To key. Ciphertext that is produced using different keys—and
resolve this dilemma, the federal government in 1993 frequently changed keys—makes the cryptanalyst’s task of
proposed key escrow encryption, an approach, embodied in an code breaking difficult.
electronic device called a "Clipper chip," that makes broadly
available a purportedly unbreakable encryption technique XII. RECOMMENDATION
(although the code was broken by researchers in 1995) with
keys to unlock the information held in escrow for national
security and law-enforcement purposes by the federal It is apparent how important encryption can be in our daily
government. [12] This approach, however, has been lives. As we transfer data anyone can intercept it. Encryption
unacceptable to civil libertarians and to the international can protect any sort of data from "eavesdroppers" on the
community. In 1994, the Clipper algorithm (called Skipjack) internet. "We want to know that our information travels
was specified in the Escrow Encryption Standard (EES), a safely, without alteration and that there is neither information
voluntary federal standard for encryption of voice, facsimile theft nor identity fraud." [14]
(fax), and data communications over ordinary telephone lines. Encryption is very important when it comes to private data or
A subsequent compromise escrow scheme intended to create a information. In this technological age, where all computers on
standard for data encryption that balanced the needs of the internet are connected, it is important to encrypt private
national security, law enforcement, and personal freedom was data before it is sent to another party online.
rejected in 1995; a compromise proposed in 1999 was also Making transactions online are also one major reason for
controversial. [13] encrypting data. When credit card information is sent online
without encoding it, it can be intercepted by a malicious user.
XI. CRYPTANALYSIS With the credit card information, the cracker or the hacker will
have access to the account of the victim and use it as he/she
wishes.
Cryptanalysis is the art of analyzing ciphertext to extract the Other hackers might also take advantage of unencrypted
plaintext or the key. In other words, cryptanalysis is the data. This might bring rise to social engineering (the act of
opposite of cryptography. It is the breaking of ciphers. disguising oneself to be someone else).
Understanding the process of code breaking is very important With this, we can confidently conclude that encryption is
when designing any encryption system. The science of very important aspect of data protection in today’s highly
cryptography has kept up with the technological explosion of technological
the last half of the 20th century. Current systems require very
powerful computer systems to encrypt and decrypt data. While XIII. CONCLUSION
cryptanalysis has improved as well, some systems may exist
that are unbreakable by today’s standards. Encryption techniques have come to stay in the electronic
Today’s cryptanalysis is measured by the number and speed of world. Since every information, that passes through computer
computers available to the code breaker. Some cryptographers network is not protected. This method is there to protect
believe that the National Security Agency (NSA) of the United information and to allow safe and secure communication.
States has enormous, extremely powerful computers that are Although more and more advanced algorithm has emerge in
entirely devoted to cryptanalysis. [14] the market. Some of this method has raise some concern to the
The substitution ciphers described above are easy to break. law enforcement agency as they pose threat to the security and
Before computers were available, expert cryptanalysts would civil protection
look at ciphertext and make guesses as to which letters were
REFERENCES
[1] http://www.washington.edu/computing/windows/issue22/encryption.ht
ml Date accessed 25/07/06
[2] R. E. Frazier, 2004, data encryption techniques, [online]:
http://catalog.com/sft/encrypt.html, date accessed: 23/07/06
Gary C. Kessler, 1998, an overview of cryptography, [online]:
http://www.garykessler.net/library/crypto.html, date accessed: 23/07/06
[3] Jennifer Tauser, 2005, Encryption is the most important tool for Internet
security and privacy,
[4] http://www.washington.edu/computing/windows/issue22/encryption.html
[5] http://www.rsasecurity.com/rsalabs/node.asp?id=2262
[6] http://www.garykessler.net/library/crypto.html
[6]http://searchsecurity.techtarget.com/sDefinition/0sid14_gci21195300.html
[7]http://www.linktionary.com/p/priv_key_cryp.htmhttp://web.mit.edu/rhel-
doc/3/rhel-rg-en-3/s1-kerberos-works.html
[8] http://www.tech-faq.com/kerberos.shtml
[9] http://www.encyclopedia.com/html/d1/dataencr.asp
[10] http://www.ficora.fi/englanti/tietoturva/asymmetrinen.htm
[11]http://www.dsg.cs.tcd.ie/~reynoldv/project_reports/ModernEncryption.ht
m
[12] http://www.phptr.com/articles/article.asp?p=102212&rl=1
[13]http://filebox.vt.edu/users/jtauser/debate1/importance.htm, date accessed:
23/07/06
[14] http://filebox.vt.edu/users/jtauser/debate1/importance.htm