Electronic Business MS 114
Ms. Surabhi Deshpande

"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." (commonly attributed to Charles Darwin)

"If you're not changing faster than your environment, you are falling behind." Jack Welch, CEO of GE

Basic Terminologies
Cryptography deals with creating documents that can be shared secretly over public communication channels. A cryptographic document is decrypted with the key associated with its encryption, which the encryptor knows. The word cryptography comes from the Greek words kryptós (secret) and gráphein (write).
Cryptanalysis deals with recovering the plaintext, or the key itself, without the secret knowledge the encryptor holds (i.e. without being given the key).
Cryptology covers both cryptography and cryptanalysis.
Cryptosystems are computer systems used to encrypt data for secure transmission and storage.

UNIT-II

Encryption
In cryptography, encryption is the process of transforming information (the plaintext) using an algorithm (a cipher) so that it is unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (the ciphertext). Julius Caesar used an alphabetic shift code to communicate with his commanders: each letter was replaced by the letter a fixed number of positions further along the alphabet, and that fixed number was the key.

Security options at Mozilla Firefox

Security options at Microsoft IE

Secure option using HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is the Hypertext Transfer Protocol run over the SSL/TLS protocol, providing encrypted communication and authenticated identification of the web server: the server presents a certificate, and the browser checks that it was issued by a certificate authority the browser already trusts, that it is still valid, and that it names the site being visited. These checks are what separate the "trusted connection" and "untrusted connection" cases shown next. HTTPS connections are routinely used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

Trusted connection

Untrusted connection

Basic Terminologies
Keys are the parameters an algorithm uses to convert a document into a secret document. Keys are of two types: symmetric and asymmetric.
A key is symmetric if the same key is used both for encryption and decryption.
A key is asymmetric if different keys are used for encryption and decryption.

Secret-Key or Symmetric Cryptography

Alice and Bob agree on an encryption method and a shared key. Alice uses the key and the encryption method to encrypt (encipher) a message and sends it to Bob. Bob uses the same key and the matching decryption method to decrypt (decipher) the message. Anyone who learns the key can do both, so the key must reach Bob over a channel the attacker cannot read.

Symmetric algorithms can be divided into:

Stream cipher: a symmetric algorithm that encrypts the plaintext one bit (or byte) at a time, typically by combining it with a key-derived keystream.
Block cipher: a symmetric algorithm that encrypts a fixed-size group of bits (a block, e.g. 64 or 128 bits) as a single unit; longer messages are processed block by block under a mode of operation.
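As an added example (not code from the original slides), the following Python builds a small stream cipher of the kind just described: a keystream derived from the shared key with HMAC-SHA256 in counter mode, XORed into the plaintext one byte at a time. Decryption is the identical operation under the identical key, which is what "symmetric" means in practice. The last function shows the classic failure mode of any stream cipher: reusing the same key and nonce for two messages leaks the XOR of the two plaintexts without any knowledge of the key. The HMAC-counter construction, the nonce handling and the function names are this example's own choices, not an algorithm from the course.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.

    Any good keyed pseudorandom function would do; HMAC is used because it is in
    the standard library and needs no third-party cipher package.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt one byte at a time by XORing the plaintext with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same operation: XOR is its own inverse, so the same key
    (and nonce) recovers the plaintext. That is what makes the key symmetric."""
    return stream_encrypt(key, nonce, ciphertext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Failure mode: if two messages were encrypted under the same key AND nonce,
    the keystreams cancel and ct1 XOR ct2 == pt1 XOR pt2, no key required."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # the shared secret Alice and Bob agreed on
    nonce = secrets.token_bytes(16)    # must be fresh for every message under this key
    ct = stream_encrypt(key, nonce, b"ship 12 brownies to Bob")
    assert stream_decrypt(key, nonce, ct) == b"ship 12 brownies to Bob"
    # Reusing the nonce for a second message exposes the XOR of the two plaintexts
    ct2 = stream_encrypt(key, nonce, b"ship 99 brownies to Eve")
    print(keystream_reuse_leak(ct, ct2))
```

The nonce is the practical point here: a stream cipher's key can be reused across messages only if something else (the nonce) makes every keystream different. A block cipher such as DES or AES has the same requirement once it is used in a counter-style mode.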

Advantages
There are some very fast symmetric encryption (and decryption) algorithms. Because the work needed for a brute-force search doubles with every extra bit of key, while the cost of legitimate encryption grows only slightly, if at all, with key length, a fast algorithm can afford a long key. Longer keys make guessing the key by brute force, and thereby breaking the code, exponentially harder.

Disadvantages
Requires secure transmission of the key value to every party.
Requires a separate key for each group of people that wishes to exchange encrypted messages (readable by any group member). For example, to have a separate key for each pair of people, 100 people need 4950 different keys [n(n-1)/2 for n people].

Public-Key or Asymmetric Cryptography
Alice generates a key pair: a public key (usually a number or a pair of related numbers) that she publishes, and a private key that she keeps secret. The two keys are computed together from secret information (in RSA, two large prime numbers); the private key cannot feasibly be derived from the public key alone. Alice keeps her private key, and the information used to construct the pair, secret.

Bob (or Carol, or anyone else) can use Alice's public key to encrypt a message for Alice. Alice uses her private key to decrypt it. No one without access to Alice's private key (or the information used to construct it) can feasibly decrypt the message.

An Example: Internet Commerce
Bob wants to use his credit card to buy some brownies from Alice over the Internet. Alice sends her public key to Bob. Bob uses this key to encrypt his credit-card number and sends the encrypted number to Alice. Alice uses her private key to decrypt the message and obtain Bob's credit-card number. Note what this exchange does not cover: from the key alone Bob cannot tell whether it really is Alice's or was substituted by someone sitting between them. That is the problem digital certificates (later in this unit) address.

Two uses of the asymmetric approach: to provide message confidentiality (encrypt with the recipient's public key; only the holder of the private key can read it), and to prove the authenticity of the message originator (sign with the sender's private key; anyone with the public key can check it).

Hybrid Encryption Systems

All known public-key encryption algorithms are much slower than the fastest secret-key algorithms. In a hybrid system, Alice uses Bob's public key to send him a secret shared session key; Alice and Bob then use the session key, with a fast symmetric algorithm, to exchange the actual information. The public-key operation is performed once per session, the symmetric one for every byte of data.

Internet Commerce
Bob wants to order brownies from Alice and keep the entire transaction private. Bob sends Alice his public key. Alice generates a random session key, encrypts it using Bob's public key, and sends it to Bob. Bob decrypts the session key with his private key, then uses it (and an agreed-upon symmetric encryption algorithm) to encrypt his order, and sends the encrypted order to Alice.

Time and cost for breaking a key by brute force (estimates)

Hardware budget     40-bit key          64-bit key     80-bit key       128-bit key
$100,000            2 seconds           1 year         70,000 years     10^19 years
$1 Million          0.2 seconds         37 days        7,000 years      10^18 years
$100 Million        2 milliseconds      9 hours        70 years         10^16 years
$1 Billion          0.2 milliseconds    1 hour         7 years          10^15 years

Each extra key bit doubles the work of an exhaustive search, so the 24 extra bits between a 40-bit and a 64-bit key cost the attacker about 16 million times more effort. The absolute figures reflect hardware prices at the time the table was compiled; hardware has become far cheaper since, so 40-bit and even 64-bit keys are no longer acceptable, but the relative growth with key length is the durable lesson.

Common Cryptosystems: RSA

The most commonly used public-key algorithm. Named after its inventors, Ron Rivest, Adi Shamir and Len Adleman of MIT. Used for both encryption and digital signatures. Key sizes of 512, 768 and 1024 bits were the common choices when these notes were written; 512-bit and 768-bit moduli have since been factored publicly, and 2048 bits is now the accepted minimum. It is embedded in major products such as Windows, Netscape Navigator and Lotus Notes.

Common Cryptosystems: Data Encryption Standard (DES)

A popular secret-key (symmetric) block cipher. Developed at IBM and submitted to the US government in 1974; adopted as a US federal standard in 1977 and as a financial-industry standard in 1981. It converts a 64-bit plaintext block into a 64-bit ciphertext block under a 56-bit key. The algorithm itself has no practical shortcut attack, but its 56-bit key space is far too small: it was searched exhaustively in public in 1998 (the EFF's purpose-built DES cracker, in a few days), so single DES is no longer considered secure.

Common Cryptosystems: 3DES or Triple DES

Uses three 56-bit keys (168 bits in total). The data is first encrypted with the first key, then decrypted with the second, then encrypted again with the third (encrypt-decrypt-encrypt). It is the strengthened version of DES and far safer than plain DES, but its effective strength is only about 112 bits because of the meet-in-the-middle attack, and its 64-bit block size limits how much data can safely be encrypted under one key. It has been superseded by AES.

Common Cryptosystems: RC4

Designed by Ron Rivest of RSA Data Security Inc. It is a symmetric-key stream cipher. It was used in the Secure Sockets Layer protocol as a bulk encryption cipher, with key lengths ranging from 40 to 128 bits. Statistical biases in its keystream later led to practical attacks, and its use in TLS is now prohibited (RFC 7465).

Common Cryptosystems: International Data Encryption Algorithm (IDEA)

Designed at ETH Zurich, Switzerland, by Xuejia Lai and James Massey and published in 1991. It is a symmetric-key block cipher. It offers strong encryption, using a 128-bit key to encrypt 64-bit blocks, and is therefore highly resistant to brute force. It was used as the bulk encryption cipher in early versions of Philip Zimmermann's Pretty Good Privacy (PGP) system.

Cryptanalysis
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information without access to the secret information that is normally required to do so. Typically this involves knowing how the system works and finding the secret key. In non-technical language this is the practice of codebreaking or cracking the code, although these phrases also have a specialised technical meaning.

Essentially, the practical importance of an attack depends on the answers to four questions:
What knowledge and capabilities does the attacker need?
How much additional secret information is deduced?
How much computation is required (what is the computational complexity)?
Does the attack break the full cryptosystem, or only a weakened version?

Major Attacks on Cryptosystems

Algebraic attack
A method of cryptanalytic attack used against block ciphers that exhibit a significant amount of mathematical structure: the cipher is written as a system of equations in the key bits that the attacker then tries to solve.

Algorithmic attack (formulaic attack)
Algorithmic attacks are in some ways much harder to perform because they generally require a very high degree of mathematical knowledge. Rather than searching the entire key space, the code breaker looks for flaws in the algorithm that reduce it to a problem of lower complexity.

Brute force attack:
Each possible key is tried until success is obtained. Typically a ciphertext is deciphered under different keys until recognisable plaintext appears. Every extra key bit doubles the work, which is why key length matters (see the table above).

Chosen ciphertext attack:
The cryptanalyst may choose the ciphertexts to be decrypted and obtains the corresponding plaintexts for an arbitrary set of ciphertexts of his own choosing.

Chosen plaintext attack:
The cryptanalyst may choose the plaintexts to be encrypted and obtains the corresponding ciphertexts for an arbitrary set of plaintexts of his own choosing. Public-key systems always permit this, since anyone can encrypt with the public key.

Ciphertext-only attack:
The cryptanalyst has access only to a collection of ciphertexts or codetexts, and works primarily from the ciphertext, making guesses about the plaintext.

Known plaintext attack:
The attacker knows the plaintext for part(s) of the ciphertext and uses this information to decrypt the rest of the ciphertext (or to recover the key).

Dictionary attack:
A brute force attack that tries passwords and/or keys from a precompiled list of likely values. This is often done as a precomputation attack: the list and the corresponding results are computed once and reused against many targets.
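As an added example that is not part of the original slides, here is Julius Caesar's alphabetic shift cipher from the Encryption slide, with two of the attacks just listed run against it: a ciphertext-only brute-force attack that tries all 25 keys and keeps the candidate whose letter frequencies look most like English (scored with a chi-squared statistic; that the plaintext is English is an assumption of this example), and a known-plaintext attack that recovers the key from a single matching letter pair with no search at all. The sample message and the function names are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase

# Relative frequency (percent) of each letter in typical English text, used to
# judge which brute-force candidate reads like real plaintext. Assumption of this
# example: the attacker knows the plaintext language.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Caesar cipher: shift each letter `key` places along the alphabet; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Shifting back by the same key undoes the encryption: the key is symmetric."""
    return caesar_encrypt(ciphertext, -key)


def english_score(text: str) -> float:
    """Chi-squared distance between the text's letter counts and English letter
    frequencies; lower means more English-like."""
    letters = [ch for ch in text if ch in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    chi2 = 0.0
    for letter, percent in ENGLISH_FREQ.items():
        expected = n * percent / 100.0
        observed = letters.count(letter)
        chi2 += (observed - expected) ** 2 / expected
    return chi2


def ciphertext_only_attack(ciphertext: str):
    """Brute force under the ciphertext-only model: the key space has only 25 usable
    keys, so try every one and keep the decryption that scores most like English."""
    scored = [(english_score(caesar_decrypt(ciphertext, k)), k) for k in range(1, 26)]
    _, key = min(scored)
    return key, caesar_decrypt(ciphertext, key)


def known_plaintext_attack(plaintext_fragment: str, ciphertext_fragment: str) -> int:
    """Known-plaintext model: one matching letter pair fixes the key outright."""
    for p, c in zip(plaintext_fragment.upper(), ciphertext_fragment.upper()):
        if p in ALPHABET and c in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % 26
    raise ValueError("fragments contain no letters")


if __name__ == "__main__":
    # Constructed sample message for the demonstration
    secret = "SEND THE SIGNED ORDER AND THE SESSION KEY TO ALICE BEFORE NOON TOMORROW"
    ct = caesar_encrypt(secret, 3)
    print("ciphertext:", ct)
    print("brute force recovered:", ciphertext_only_attack(ct))
    print("known plaintext 'SEND' gives key", known_plaintext_attack("SEND", ct[:4]))
```

The contrast between the two attacks is the point of the four questions above: the ciphertext-only attack needs nothing but the ciphertext and 25 trial decryptions, while the known-plaintext attack needs more from the attacker (a matching fragment) but then costs one subtraction. Against a 25-key cipher both are trivial; against a 128-bit key the brute-force search becomes impossible while a known-plaintext weakness, if the algorithm has one, may still be fatal.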

Digital Signatures: Signing a Document

Alice applies a (publicly known) hash function to the document she wishes to sign. This function produces a digest of the document (a fixed-size number).
Alice then uses her private key to encrypt the digest. She can then send, or even broadcast, the document together with the encrypted digest.
("Encrypting the digest with the private key" is the textbook RSA picture; deployed signature schemes pad the digest first (RSA-PSS) or use a different construction altogether (ECDSA, Ed25519), but the hash-then-sign structure is the same.)

Digital Signature Verification

Bob uses Alice's public key to decrypt the digest that Alice encrypted with her private key. Bob applies the same hash function to the document to obtain the digest directly. Bob compares the two digest values. If they match, it proves that the document was signed with Alice's private key and that no one has altered it since; if they differ, either the document was modified or the signature was not made with Alice's private key.

Secure Transmission of Digitally Signed Documents

Alice uses her private key to digitally sign a document. She then uses Bob's public key to encrypt the signed document. Bob uses his private key to decrypt it; the result is Alice's digitally signed document. Bob then uses Alice's public key to verify Alice's digital signature. Signing first and encrypting second means that only Bob can read the document, and that Bob can satisfy himself about who wrote it.

Digital Signature (figure)
Alice's side: plaintext -> hash function -> digest -> (A's private key) -> digital signature. The plaintext and the digital signature are then encrypted with B's public key to give the ciphertext that crosses the Internet.
Bob's side: ciphertext -> (B's private key) -> plaintext and digital signature. Bob runs the plaintext through the same hash function to obtain one digest, and applies A's public key to the digital signature to obtain the other.
If these two digests are the same, the message is authentic.

Digital Certificate
An electronic document issued by a certifying authority that binds a public key to the identity of its holder (for example a merchant).
Certificate authority (CA): a trusted entity that issues and revokes public key certificates and manages key pairs. Examples given in the course: VeriSign, CyberTrust, the US Postal Service. A browser reports a "trusted connection" only when the server's certificate chains to a CA the browser already trusts.

Components of a Digital Certificate

Holder's name
Name of the certifying authority
Public key for cryptographic use
The validity period (duration) of the certificate
The class of certificate
Certificate ID (serial) number
(The CA's signature over all of these fields is what makes the certificate verifiable.)
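As one added example (not code from the original slides), the following Python ties together the asymmetric, hybrid, digital signature and certificate slides of this unit. It generates a textbook RSA key pair (the private exponent is derived from two secret primes; the modulus and public exponent are what gets published), signs a document by hashing it and applying the private key to the digest, wraps a random session key under the recipient's public key and encrypts the order body under that session key, and finally has a certificate authority sign a record binding a holder's name to its public key, which a relying party checks against the CA's public key and the validity period (the "trusted" versus "untrusted" connection decision). Everything here is a toy: 256-bit primes, no padding (real RSA needs OAEP for encryption and PSS for signatures), a SHA-256 keystream in place of a real symmetric cipher, and JSON records instead of X.509; the function names and record fields are assumptions of the example.

```python
import hashlib
import json
import secrets
import time

# ---- Key generation: textbook RSA with toy-sized primes and no padding ----
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512):
    """Returns (public_key, private_key) as (n, e) and (n, d). The secret primes p and q
    are the slides' 'additional information': d follows from them, but not from (n, e)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, phi) = e^-1 mod phi (Python 3.8+)

def rsa_apply(key, m: int) -> int:
    # Raw RSA: m^exponent mod n; the same operation serves public and private key.
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("value must be an integer smaller than the modulus")
    return pow(m, exponent, n)

# ---- Digital signature: hash the document, apply the private key to the digest ----
def sign(private_key, document: bytes) -> int:
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return rsa_apply(private_key, digest)

def verify(public_key, document: bytes, signature: int) -> bool:
    """Recompute the digest and compare with the signature 'decrypted' under the public key."""
    n, _ = public_key
    if not 0 <= signature < n:
        return False
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return rsa_apply(public_key, signature) == digest

# ---- Hybrid encryption: RSA transports a session key; the session key encrypts the data ----
def _keystream(session_key: bytes, length: int) -> bytes:
    # Stand-in for a real symmetric cipher: SHA-256(session_key || counter) blocks.
    blocks = [hashlib.sha256(session_key + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def hybrid_encrypt(recipient_public_key, plaintext: bytes):
    session_key = secrets.token_bytes(16)  # fresh for every message
    wrapped_key = rsa_apply(recipient_public_key, int.from_bytes(session_key, "big"))
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(session_key, len(plaintext))))
    return wrapped_key, body

def hybrid_decrypt(recipient_private_key, wrapped_key: int, body: bytes) -> bytes:
    session_key = rsa_apply(recipient_private_key, wrapped_key).to_bytes(16, "big")
    return bytes(c ^ k for c, k in zip(body, _keystream(session_key, len(body))))

# ---- Certificates: a CA signs a record binding a holder's name to a public key ----
def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True).encode()

def issue_certificate(ca_private_key, issuer, holder, holder_public_key, valid_days, serial, now=None):
    now = int(time.time()) if now is None else now
    record = {"holder": holder, "issuer": issuer, "public_key": list(holder_public_key),
              "not_before": now, "not_after": now + valid_days * 86400, "serial": serial}
    return {"record": record, "signature": sign(ca_private_key, _canonical(record))}

def verify_certificate(cert: dict, ca_public_key, now=None) -> bool:
    """'Trusted connection': inside the validity period AND signed by a CA we already trust.
    A different CA, an expired certificate or an edited record all fail."""
    record = cert["record"]
    now = int(time.time()) if now is None else now
    if not record["not_before"] <= now <= record["not_after"]:
        return False
    return verify(ca_public_key, _canonical(record), cert["signature"])
```

To run the Internet commerce flow from the slides: generate key pairs for Alice, Bob and a CA; have the CA issue Alice a certificate; let Bob verify it against the CA's public key before trusting the public key inside it; then have Bob sign his order with his private key and send it with hybrid_encrypt under Alice's public key, so that Alice can hybrid_decrypt it and verify the signature. The certificate step is exactly the piece the earlier credit-card example left out.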

Digital Certificate Class

Class 1:
Quickest and simplest to issue. Minimum checks on the user's background: only name, address and e-mail ID are checked. Comparable to a library card.

Class 2:
Checks information such as real name, SSN and date of birth. Requires proof of physical address, locale and e-mail ID. Comparable to a credit card.

Class 3:
Strongest of the individual classes; comparable to a driving licence. To get one you must prove who you are and that you are responsible. Used for sensitive transactions such as acquiring a loan online.

Class 4:
The most thorough. In addition to the Class 3 checks, the user's position at work is verified.
