Cryptography for Security Analysts

Information Security

Cryptography & PKI


Sep 02, 2023

Muhammad Wasi
Senior Application Security Analyst, BankIslami – Head Office
MS CYBERSECURITY, NUST UNIVERSITY

Cryptography Slides Credit: Tutorialspoint


Previous Class Review
1. Which principle ensures that the security policies enforced in an organization are meeting their goals and objectives?
A. SAC
B. BCP
C. SCA
D. None of the above

C. Security Control Assessment (SCA)


Security Control Assessment is a principle that ensures that the security policies enforced in an organization are
meeting their goals and objectives.
Previous Class Review
2. "A password must be at least 8 characters long and must include at least one uppercase
letter, one lowercase letter, and one number." Which type of document is this?
A. Procedures
B. Standard
C. Policy
D. Guidelines

B. Standard
A standard is a more specific and detailed document that defines the requirements that must be met in order to
achieve the goals and objectives of a policy.
Previous Class Review
3. Which of the following is the state of data when it is being processed by an application?
A. Data at rest
B. Data in motion
C. Data in use
D. Data in storage

C. Data in use
Data in use is the state of data when it is being processed by an application.
Previous Class Review
4. Which of the following is the state of data when it is being transmitted over a network?
A. Data at rest
B. Data in motion
C. Data in use
D. Data in storage

B. Data in motion
Data in motion is the state of data when it is being transmitted over a network.
What will we be covering?

We will cover:
1. Cryptography & Origin
2. Steganography
3. Context of Cryptography
4. Cryptography Primitives
5. Cryptosystems
6. PKIs
7. Cryptographic Attacks
1- Cryptography & Origin
Human beings have always had two inherent needs:
(a) to communicate and share information
(b) to communicate selectively

These two needs gave rise to the art of coding messages in such a way that only the
intended people could access the information.
Unauthorized people could not extract any information, even if the scrambled messages
fell into their hands.
1- Cryptography & Origin
The word "cryptography" is derived from the Greek words "kryptos" meaning "hidden"
and "graphein" meaning "writing", i.e. secret writing.

Cryptography is the process of hiding or coding information so that only the person a
message was intended for can read it.

Cryptography is the study of techniques for secure communication in the presence of
third parties. It includes techniques such as encryption, hashing, and digital signatures.
1- Cryptography & Origin
Hashing is a one-way function that takes an input of any size and produces an output of a
fixed size. The output of a hash function is called a hash value or digest. Hash values are
often used to verify the integrity of data.

For example, a hash value can be calculated for a file and then stored. If the file is later
modified, the hash value will change. This can be used to detect if the file has been
tampered with.
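The file-integrity check described above, as an added example that is not part of the original slides: the digest of a file is recorded, the file is modified, and the stored digest no longer matches. The file contents and path are constructed for the demonstration; the comparison uses a constant-time compare so the check itself does not leak information about the expected digest.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Return the hex digest of a file, reading it in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_digest, algorithm="sha256"):
    """True when the file's current digest matches the digest stored earlier."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_digest)


def demo():
    """Constructed scenario: record a digest, tamper with the file, re-check."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "config.txt"           # constructed sample file
        p.write_bytes(b"allow_admin=false\n")
        stored = file_digest(p)               # what a baseline/FIM tool would keep
        before = verify_file(p, stored)       # True: file unchanged
        p.write_bytes(b"allow_admin=true\n")  # simulated tampering
        after = verify_file(p, stored)        # False: digest no longer matches
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note that a hash alone only detects modification if the stored digest is itself protected (kept read-only, signed, or stored on another system); an attacker who can change the file and its recorded digest defeats the check.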
1- Cryptography & Origin
Encryption is a two-way function that takes an input of any size and produces an output
of the same size (or close to it, once padding and nonces are added). The output of an
encryption function is called ciphertext. Ciphertext is unreadable without the encryption
key. Encryption is used to protect the confidentiality of data.

For example, passwords are often encrypted to prevent unauthorized access (stored
passwords, however, are normally hashed rather than encrypted, so that the plaintext never
needs to be recoverable).

Hashing and encryption are both important techniques for protecting data. Hashing can
be used to verify the integrity of data, while encryption can be used to protect the
confidentiality of data.
1- Cryptography & Origin
Some other techniques that are part of cryptography:

• Digital signatures are used to verify the authenticity of a message or document.
• Key exchange is used to securely share encryption keys between two parties.
• Steganography is the practice of hiding information within another piece of
information.
1- Cryptography & Origin
An early Roman method of cryptography, popularly known as the Caesar Shift Cipher,
relies on shifting the letters of a message by an agreed number (three was a common
choice).

The recipient of this message would then shift the letters back by the same number and
obtain the original message.
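The Caesar shift described above, as an added example (not code from the original slides): encryption shifts each letter forward by the agreed number and decryption shifts it back. Because the key is just a number from 1 to 25, the example also lists every possible decryption, which is why this cipher offers no real security against an adversary who simply tries all shifts.

```python
def caesar_encrypt(plaintext, shift=3):
    """Shift every ASCII letter by `shift` positions; case and non-letters are preserved."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift=3):
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def all_shifts(ciphertext):
    """Every candidate plaintext: the key space has only 25 usable values."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN")   # constructed sample message
    print(ct)                                # DWWDFN DW GDZQ
    print(caesar_decrypt(ct))                # ATTACK AT DAWN
    for k, candidate in all_shifts(ct).items():
        print(k, candidate)
```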
1- Cryptography & Origin
2- Steganography
Steganography is similar to cryptography but adds another dimension to it.
In this method, people not only want to protect the secrecy of information by concealing it,
but they also want to make sure that an unauthorized person gets no evidence that the
information even exists.
For example, invisible watermarking.

In steganography, an attacker is unaware of the fact that observed data contains hidden
information.

In cryptography, an intruder is normally aware that data is being communicated, because they
can see the coded/scrambled message.
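The "no evidence the information exists" property, as an added example that is not part of the original slides: the classic least-significant-bit (LSB) technique stores each bit of a message in the lowest bit of successive carrier bytes (think of them as pixel values), so the carrier changes by at most one unit per byte and looks unchanged to a casual observer. The carrier bytes and message are constructed here; a 4-byte length prefix is written first so the extractor knows where the payload ends.

```python
def embed_lsb(carrier, payload):
    """Hide `payload` in the least-significant bits of `carrier` (constructed 'pixel' bytes)."""
    data = len(payload).to_bytes(4, "big") + payload      # length prefix, then message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]  # MSB first
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit                 # overwrite only the lowest bit
    return bytes(out)


def extract_lsb(stego):
    """Recover the hidden payload by reading the lowest bit of each byte back out."""
    def read_bytes(start_bit, count):
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_byte_change(carrier, stego):
    """How much any single carrier byte moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    carrier = bytes(range(256)) * 4            # constructed 1024-byte "image"
    secret = b"meet at noon"                   # constructed hidden message
    stego = embed_lsb(carrier, secret)
    print(extract_lsb(stego))                  # b'meet at noon'
    print(max_byte_change(carrier, stego))     # 1
```

From a defender's perspective the same property is the detection problem: the carrier's visible content is untouched, so steganalysis has to look at statistical properties of the low-order bits rather than at the content itself.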
2- Steganography
3- Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches:

• Cryptography
• Cryptanalysis
3- Context of Cryptography
What is Cryptanalysis?
The art and science of breaking ciphertext is known as cryptanalysis.

Cryptography is concerned with the design of cryptosystems, while cryptanalysis studies the
breaking of cryptosystems.

Cryptanalysis is also used during the design of the new cryptographic techniques to test
their security strengths.
3- Context of Cryptography
Security Services of Cryptography

The primary objective of using cryptography is to provide the following four fundamental
information security services.

• Confidentiality
• Data Integrity
• Authentication
• Non-repudiation
4- Cryptography Primitives
Cryptography primitives are the tools and techniques in cryptography that can be
selectively combined to provide a set of desired security services.

• Encryption
• Hash functions
• Message Authentication codes (MAC)
• Digital Signatures
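A message authentication code, as an added example illustrating the primitives and security services listed above (not code from the original slides). An HMAC over the message with a shared key provides data integrity and authentication: a changed message or a wrong key produces a tag that fails verification. The key and message are constructed for the demonstration.

```python
import hashlib
import hmac


def make_tag(key, message):
    """HMAC-SHA256 tag: binds the message to whoever holds `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, tag):
    """Constant-time comparison so an attacker cannot learn the tag byte by byte."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo():
    """Constructed scenario: genuine message, a modified message, and a wrong key."""
    key = b"constructed-shared-key-not-for-production"
    msg = b"transfer 100 to account 42"
    tag = make_tag(key, msg)
    genuine = verify_tag(key, msg, tag)                               # True
    modified = verify_tag(key, b"transfer 900 to account 42", tag)   # False
    wrong_key = verify_tag(b"some-other-key", msg, tag)              # False
    return genuine, modified, wrong_key


if __name__ == "__main__":
    print(demo())
```

A MAC does not give non-repudiation: both sender and receiver hold the same key, so either of them could have produced the tag. That last service needs a digital signature, where only the signer holds the private key.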
4- Cryptography Primitives
5- Cryptosystems
A cryptosystem is an implementation of cryptographic techniques. A cryptosystem is also
referred to as a cipher system.

A simple model of a cryptosystem that provides confidentiality to the information being
transmitted:

Components of a Cryptosystem
5- Cryptosystems
Types of Cryptosystems

• Symmetric Key Encryption
• Asymmetric Key Encryption
5- Cryptosystems
• Symmetric Key Encryption
The encryption process where the same key is used for encrypting and decrypting
the information is known as Symmetric Key Encryption.

A few well-known examples of symmetric key encryption methods/algorithms are:
Data Encryption Standard (DES), Triple-DES (3DES), and Blowfish. (DES and 3DES are
now considered obsolete; AES is the current standard.)
5- Cryptosystems
• Symmetric Key Encryption
5- Cryptosystems
Challenge of Symmetric Key Cryptosystem

Key establishment – Before any communication, both the sender and the receiver
need to agree on a secret symmetric key. It requires a secure key establishment
mechanism in place.

Trust Issue – Since the sender and the receiver use the same symmetric key, there is an
implicit requirement that the sender and the receiver ‘trust’ each other.
For example, it may happen that the receiver has lost the key to an attacker and the
sender is not informed.
5- Cryptosystems
• Asymmetric Key Encryption
The encryption process where different keys are used for encrypting and decrypting
the information is known as Asymmetric Key Encryption.

Asymmetric key encryption algorithms include:
• RSA
• ElGamal
• Diffie-Hellman
• Elliptic Curve Cryptography (ECC)
5- Cryptosystems
• Asymmetric Key Encryption
5- Cryptosystems
Challenge of Asymmetric Key Cryptosystem

The user needs to trust that the public key they are using in communications with a
person really is the public key of that person and has not been spoofed by a malicious
third party.

Public Key Infrastructure (PKI) provides assurance of public key. It provides the
identification of public keys and their distribution.
6- PKIs
Key Management

There are two specific requirements of key management for public key cryptography.
Secrecy of private keys. Throughout the key lifecycle, secret keys must remain secret from all
parties except those who are owners and are authorized to use them.

Assurance of public keys. In public key cryptography, the public keys are in the open domain and
seen as public pieces of data. By default, there are no assurances of whether a public key is correct,
with whom it can be associated, or what it can be used for. Thus key management of public keys
needs to focus much more explicitly on assurance of purpose of public keys.
6- PKIs
The most crucial requirement of ‘assurance of public key’ can be achieved through the
public-key infrastructure (PKI), a key management system for supporting public-key
cryptography.

PKI provides assurance of public key. It provides the identification of public keys and
their distribution. The anatomy of PKI comprises the following components.
• Public Key Certificate, commonly referred to as a ‘digital certificate’.
• Private Key tokens.
• Certification Authority.
• Registration Authority.
• Certificate Management System.
6- PKIs
Digital Certificate

A certificate can be thought of as an ID card issued to a person. People use ID cards
such as a driver's license or passport to prove their identity. A digital certificate does the
same basic thing in the electronic world, but with one difference.

Digital certificates are not only issued to people; they can be issued to computers,
software packages or anything else that needs to prove its identity in the electronic
world.
Digital certificates are based on the ITU-T X.509 standard, which defines their format.
6- PKIs
Digital Certificate
The process of obtaining a Digital Certificate.
6- PKIs
Certifying Authority (CA)

The CA issues a certificate to a client and assists other users in verifying the certificate.
The CA takes responsibility for correctly identifying the client asking for a certificate to
be issued, ensures that the information contained within the certificate is correct, and
digitally signs it.
6- PKIs
Key Functions of CA

• Generating key pairs
• Issuing digital certificates
• Publishing certificates
• Verifying certificates
• Revoking certificates
6- PKIs
Hierarchy of CA
7- Cryptographic Attacks
Attacks are typically categorized based on the action performed by the attacker. An
attack, thus, can be passive or active.

Passive Attacks
The main goal of a passive attack is to obtain unauthorized access to the information.

For example, actions such as intercepting and eavesdropping on the communication
channel can be regarded as passive attacks.
7- Cryptographic Attacks
Active Attacks
An active attack involves changing the information in some way by conducting some
process on the information. For example,

• Modifying the information
• Alteration of information
• Unauthorized deletion of data
• Denial of access to information for legitimate users (denial of service)
7- Cryptographic Attacks
Assignment – Describe with examples
• Dictionary Attack
• Brute Force Attack
• Rainbow Table Attack
• Birthday Attack
• Side Channel Attack
• Timing Attacks
• Known Plaintext Attack
Hands-on Activity
Steganography