A Network Programming Lecture by Steven Choy
Overview: Encryption Basics - Symmetric Encryption - Asymmetric Encryption - The RSA Algorithm - Digital Signature - Public Key Infrastructure (PKI) - SSL (Secure Socket Layer) - SSH (Secure Shell) - IPSec (Internet Protocol Security)
Encryption Basics
- Cryptography is instrumental in addressing the fundamental security goals of confidentiality, integrity and authenticity
- Confidentiality - Encrypted data can only be viewed by intended recipients who have the decryption key in hand. Any other interceptor cannot make any sense of it.
- Authenticity - Encryption can help ensure that the data is truly issued by the stated sender and has not been forged by an intruder.
- Integrity - Working in conjunction with the hash functions (to be explained later), encryption can ensure the transmitted data is tamper-proof.
Symmetric Encryption (also known as Secret Key Cryptography)
- Symmetric key encryption is also known as private encryption, because it uses the same key and same cryptographic algorithm to encrypt and decrypt data.
- The following is a scenario using symmetric encryption:
- Alice and Bob agree to use the Caesar cipher to communicate, and pick k as the secret key.
- Bob uses the Caesar cipher to encrypt a confidential message to Alice.
- Bob sends the encrypted message to Alice.
- When she receives Bob’s mail, Alice decrypts the message and reads the confidential message.
- Symmetric key systems are much faster than asymmetric systems, but they have the following two major drawbacks:
- Key distribution: A secure channel is required by which the correspondents can agree on a key before their first encrypted communication.
- Scalability: It is difficult to manage the secret keys because of the growth in the number of secret pairs.
- Some examples of symmetric key algorithms are:
- Advanced Encryption Standard (AES), a recommendation of the National Institute of Standards and Technology (NIST), with a key length of 128 bits or above
- Blowfish (the Blowfish Encryption Algorithm)
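The Alice and Bob scenario above, together with the scalability drawback, as an added example that is not part of the original lecture. The key value 3, the sample message and the function names are constructed for illustration.

```python
def caesar(text: str, k: int) -> str:
    """Shift each ASCII letter k places around the alphabet.

    The same function encrypts (k) and decrypts (-k), which is what
    makes the scheme symmetric: both sides need the same secret k.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)


def pairwise_keys(n: int) -> int:
    """Secret keys needed if every pair among n users shares its own key."""
    return n * (n - 1) // 2


K = 3                                   # constructed shared secret k
MESSAGE = "Meet at 9, Alice!"           # constructed sample message

ciphertext = caesar(MESSAGE, K)         # Bob encrypts with k
recovered = caesar(ciphertext, -K)      # Alice decrypts with the same k

if __name__ == "__main__":
    print(ciphertext, "->", recovered)
    for users in (2, 10, 100, 1000):
        print(users, "users need", pairwise_keys(users), "secret keys")
```

The key count grows with the square of the number of users, which is the scalability drawback listed above.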
Asymmetric Encryption
- In an asymmetric key encryption system, which is also known as a public key system, a pair of keys is used for encryption and decryption.
- If a message is encrypted by one key, we have to use the other key to decrypt the message.
- It is not possible to use the same key for encryption and decryption in an asymmetric key system.
- In a public key system, the pair of keys is made up of one public key and one private key.
- The public key is made known to everyone, while the private key must only be known to the owner.
- Weaknesses: works much slower than symmetric systems
- Strengths: easier key distribution, better scalability
- Confidentiality
Let’s say Bob uses Alice’s public key to encrypt a message and send the encrypted message to Alice. When Alice receives the message, she uses her private key to decrypt the message and read its content. If the encrypted message is intercepted, its content will not be divulged since the interceptor doesn’t have Alice’s private key. This achieves confidentiality.
- Authenticity
Bob uses his private key to encrypt a message and sends the encrypted message to Alice. When Alice receives the message, she uses Bob’s public key to decrypt the message and read its content. Alice is assured that the message must be issued by Bob.
The RSA Algorithm
"In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations." (from Wikipedia)
The RSA algorithm can be used for both public key encryption and digital signatures. Its security is based on the difficulty of factoring large integers.
Digital Signature
Digital signatures are a way of authenticating the identity of creators or producers of digital information. A digital signature is like a handwritten signature and can have the same legal authority in certain situations, such as buying and selling online or signing legal contracts. Digital signatures can also be used to ensure that the information signed has not been tampered with during transmission or repudiated after being received.
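The two uses of a key pair described above (public key encrypts for confidentiality, private key signs for authenticity), as an added example that is not part of the original lecture. It is textbook RSA without padding over well-known Mersenne primes chosen as an assumption to keep the listing short; real systems use randomly generated primes and padding schemes such as OAEP and PSS.

```python
import hashlib

# Toy parameters (assumption): Mersenne primes are known primes, not safe RSA primes.
P, Q = 2**127 - 1, 2**521 - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # d is the inverse of e modulo phi(n)
    return (n, e), (n, d)


def encrypt(m: int, public) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    n, d = private
    return pow(digest(message), d, n)    # only the private-key holder can do this


def verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message)


alice_pub, alice_priv = keygen()
bob_pub, bob_priv = keygen(2**107 - 1, 2**607 - 1)

secret = int.from_bytes(b"hello Alice", "big")   # constructed message
sealed = encrypt(secret, alice_pub)              # Bob -> Alice, confidential
order = b"pay 100 to Alice"                      # constructed message
signature = sign(order, bob_priv)                # Bob signs, anyone can verify
```

Signing the hash rather than the message itself is what ties the signature to the integrity goal: changing one byte of the message changes the digest and verification fails.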
Public Key Infrastructure (PKI)
- When private and public keys grow to a sizeable number, it is not an easy task to manage them. You may then have doubts about whether Bob’s public key in your hand is still valid (i.e. that it has not expired), or you may run into the problem of mixing Bob’s public key with Alice’s.
- To solve these problems, the public key infrastructure (PKI) should be established. PKI is made up of a number of consistent components including digital certificates (i.e. X.509), certificate authorities, keys, users, governments, cryptography technologies, etc.
- A digital certificate is a password-protected and encrypted file that holds an individual’s identification information, including a public key. The certificate is digitally signed and issued by a trusted third party, i.e. the certificate authority (CA). The CA is responsible for verifying the identity of the key owner and for distributing the owner’s digital certificate for use by others. Alice can therefore obtain a copy of Bob’s digital certificate from the issuing CA, retrieve Bob’s public key from the certificate, and use it to encrypt messages for Bob or to authenticate Bob’s messages to her.
- A digital certificate consists of:
- The public key of the person being certified
- The name and address of the person being certified, also known as the Distinguished Name (DN)
- The digital signature of the CA
- The issue date
- The expiry date
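How a relying party such as Alice can use the certificate fields listed above to answer the two questions raised earlier (is this really Bob's key, and is it still valid), as an added example that is not part of the original lecture. The dictionary layout, the toy CA key and all names and dates are constructed; real certificates are X.509 structures checked by a TLS or PKI library.

```python
import hashlib
from datetime import date

# Toy CA key pair (assumption): textbook RSA over two Mersenne primes.
CA_N = (2**127 - 1) * (2**521 - 1)
CA_E = 65537
CA_D = pow(CA_E, -1, (2**127 - 2) * (2**521 - 2))   # known only to the CA

FIELDS = ("subject_dn", "public_key", "issued", "expires")


def digest(cert: dict) -> int:
    """Hash the certified fields in a fixed order."""
    data = repr(tuple(cert[f] for f in FIELDS)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(subject_dn, public_key, issued, expires) -> dict:
    """What the CA does after verifying the key owner's identity."""
    cert = dict(zip(FIELDS, (subject_dn, public_key, issued, expires)))
    cert["ca_signature"] = pow(digest(cert), CA_D, CA_N)
    return cert


def check(cert: dict, expected_dn: str, today: date) -> str:
    """What Alice does before trusting the public key inside cert."""
    if pow(cert["ca_signature"], CA_E, CA_N) != digest(cert):
        return "bad CA signature"         # a field was altered after issue
    if cert["subject_dn"] != expected_dn:
        return "wrong subject"            # someone else's certificate
    if not cert["issued"] <= today <= cert["expires"]:
        return "outside validity period"  # not yet valid, or expired
    return "ok"


BOB_DN = "CN=Bob, O=Example, C=HK"        # constructed Distinguished Name
bob_cert = issue(BOB_DN, "bob-public-key-placeholder",
                 date(2024, 1, 1), date(2025, 1, 1))

if __name__ == "__main__":
    print(check(bob_cert, BOB_DN, date(2024, 6, 1)))
    print(check(bob_cert, BOB_DN, date(2025, 6, 1)))
    swapped = dict(bob_cert, public_key="another-key-placeholder")
    print(check(swapped, BOB_DN, date(2024, 6, 1)))
```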
Network Security Protocols
SSL (Secure Socket Layer)
- The Secure Socket Layer (SSL) is a protocol developed by Netscape to provide a security sub-layer between application protocols (such as FTP, HTTP, or Telnet) and TCP/IP.
- SSL provides data encryption (commonly using 128-bit or 256-bit data encryption) and authentication between servers and clients.
- SSL forms a secure connection between a server and a host, and all data transmitted over the connection will be encrypted.
- Common browsers support SSL. SSL is widely used to support on-line transactions to allow customers to place orders over the Internet securely. A URL that starts with https: indicates that it is a secure connection.
- HTTPS (HTTP over Secure Sockets Layer) uses TCP port 443, rather than port 80, which is used by the HTTP protocol. The SSL protocol uses a digital certificate to authenticate one end or both ends of transactions.
(SSL handshaking with server authentication)
SSH (Secure Shell)
- Secure Shell (SSH) provides secure remote connections to hosts. It allows users to log on to a host, execute commands on that host, and copy files to or from that host.
- In the past, we used telnet to do such tasks. However, telnet provides little protection for transmitted data, including passwords. SSH circumvents this shortcoming by encrypting all data to counteract the risk of data interception. In addition, SSH performs authentication on the clients and hosts to guard against attacks set up by forged identities.
- SSH must first generate public and private keys on the client’s workstation, and carry out the key exchange with the host. Subsequently, these keys can be used for authentication and data encryption. All modern Unix and Linux systems come with the SSH suite of protocols. Windows users can download free SSH clients such as PuTTY to connect to SSH-enabled hosts.
- SSH is highly configurable and supports port forwarding, which allows users to exchange application traffic (e.g. http, ftp) over an SSH-secured port for higher security. SSH uses TCP port 22 for communication.
IPSec (Internet Protocol Security)
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
AH versus ESP:
"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP) are the two main wire-level protocols used by IPsec, and they authenticate (AH) and encrypt+authenticate (ESP) the data flowing over that connection. They are typically used independently, though it's possible (but uncommon) to use them both together.
Tunnel mode versus Transport mode:
Transport Mode provides a secure connection between two endpoints as it encapsulates IP's payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways. The latter is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet.
Thanks for Reading
If you find any problem in this lecture note, please feel free to tell Steven via steven@findaway.hk.