This is the quick-hit version of the second of three parts of Introduction to Cryptography training I gave. As with all of the formal training, you can use the below for a quick reference, or view the full presentation here.
The XOR Proof
Given three values related by an XOR operation:
- Input Value:
0110 1010 0010 1011 1010 1010 0110 - XOR Key Value:
1111 1010 1011 1101 0101 1110 1000 - Result Value:
1001 0000 1001 0110 1111 0100 1110
XOR(Input,Key) = Result
XOR(Input,Result) = Key
XOR(Key,Result) = Input
This relationship is called involution, or when f(f(x)) = x.
Initialization Vectors
Think of them as nonces. Can have a substantial impact on the cryptographic strength of a system.
Block Cipher: DES
- Data Encryption Standard
- Symmetric algorithm
- 64 bit block, 64 bit key size… well, 56 bit. Has 8 parity bits
- Broken… do not use
Block Cipher: 3DES
- Triple Data Encryption Standard
- 64 bit block, and 56-bit, 112-bit, or 168-bit key sizes (those 8 parity bits add up)
- Still considered secure enough for most applications
- Still used by PCI, Microsoft OneNote, SCCM, etc.
Block Cipher: AES
- Advanced Encryption Standard (AES)
- Approved by NSA for Top Secret information
- Symmetric algorithm
- 128 bit block, 128-bit, 192-bit, and 256-bit key sizes
Block Cipher: RC5
- Rivest Cipher 5 (also “Ron’s Code 5”)
- Symmetric algorithm
- Variable blocks (32/64/128 bit), key sizes (0-2040-bit), and rounds (0-255)
- Uses the key with multiple NUMS numbers to generate unique words used by parts of the algorithm.
- Still considered secure
Stream Cipher: RC4
- Rivest Cipher 4 (also “Ron’s Code 4”)
- DO NOT USE THIS. It’s considered broken.
- Gets even worse when bad IVs are used.
- Assumed to be breakable in near real time by nation states within TLS.
Stream Cipher: A5/1 and A5/2
- The security used by GSM cell phones.
- A5/1 was “strong” crypto, and A5/2 was “weak” export crypto.
- Both are now acknowledged as weak, but still used in some parts of the world.
- Part of the original crypto wars, although not often recognized for it.
- Rainbow tables available.
Public Key Cryptography
- Asymmetric algorithms using a “public” and “private” key
- Uses two algorithms (one for confidentiality, one for integrity)
- RSA or ECC for confidentiality
- SHA-2 is only good option for integrity at this point
- Properties of key pair lead to interesting functionality
- Encrypt(data, public key) can only be decrypted by Decrypt(cipher, private key)
- Encrypt(data, private key) can only be decrypted by Decrypt(cipher, public key)
- You can demonstrate ownership of a private key by encrypting with it.
- Multiple formats
- PKCS1 – Specifies how to use RSA keys.
- PKCS3 – Specifies how to do Diffie-Hellman Key Exchanges (DHKE)
- PKCS7 – Specifies how to sign/encrypt messages within PKI.
- PKCS12 – A container for multiple cryptographic objects
Diffie-Hellman-Merkle (Conceptual) Example
- Client and server start with “5” as a value
- Client randomly chooses ”258” as a value, and server randomly chooses “314” as a value
- Each sends the factor of their choices to the other
- Client sends 5 * 258 = “1290”, server sends 5 * 314 = ”1570”
- Each adds their factor to the transmitted value
- Client takes 1570 * 258 = “405060”, server takes 1290 * 314 = “405060”
- A new key is made! (405060)
Signing With PKI
- Alice wants to communicate with Bob
- First, she and Bob exchange public keys
- Eve gets those too, but since she’s not part of this we won’t mention her again
- Alice writes her message
- Alice calculates the hash of her message
- Alice encrypts the hash with her private key
- Alice encrypts the message, the hash algorithm, and the hash with Bob’s public key
- Bob decrypts the message and gets the text, hash algorithm, and hash
- Bob calculates the hash of the message using the specified algorithm
- Bob decrypts Alice’s hash using her public key
- If the calculated and decrypted hashes match, Bob knows that Alice sent the message and it hasn’t been modified
Hermit's Cave 