2. PART - 1
Topics discussed in this section:
Basic Concepts
Encryption Technique
Decryption Technique
Introduction to Cryptosystems
Symmetric Cryptosystems
Asymmetric Cryptosystems
Symmetric vs. Asymmetric
2
3. BAISC CONCEPTS
Cryptography – hidden writing
Encryption – encode or encipher
Decryption – decode or decipher
Cryptosystem – a system for encryption and decryption
Cryptographer – anyone who invents encryption algorithms
Cryptanalyst – anyone who attempts to break encryption
algorithms
Cryptology – research of encryption and decryption, including
both cryptography and cryptanalysis
3
5. DECRYPTION TECHNIQUE
Cipher text
• Decryption
– Input: cipher text
and a key
– Output: original
plaintext
Decryption
Function
Plaintext
5
6. CRYPTOSYSTEMS
Plaintext Encryption Ciphertext Decryption Plaintext
P Algorithm E C Algorithm D P
• Algorithms with a parameter – key K
6
7. SYMMETRIC CRYTOSYSTEM
Plaintext Encryption Ciphertext Decryption Plaintext
P Algorithm E C Algorithm D P
Secret channel
K K
• C=E(P,K)
• P=D(C,K)
7
8. ASYMMETRIC CRYPTOSYSTEM
Asymmetric key cryptography uses two separate keys: one
private and one public.
Locking and unlocking in asymmetric-key cryptosystem
8
9. ASYMMETRIC CRYPTOSYSTEM (Contd.)
General idea of asymmetric-key cryptosystem
General formulae of asymmetric-key cryptosystem
C = f (Kpublic , P) P = g(Kprivate , C)
9
10. SYMMETRIC vs ASYMMETRIC
Symmetric algorithm 100 to 1000 times faster than asymmetric one.
Symmetric key 10 times shorter than asymmetric key.
In Asymmetric algorithm Public Key must be authenticated by CA.
Asymmetric Key Generator robustness.
Asymmetric algorithm is mainly used for exchange and storage of the
secret (symmetric) keys.
10
12. PART - 2
Topics discussed in this section:
Certificates and X.509 structure
Generating Self-Signed Certificate
Certificate Components
Why Certificates needs to be signed by CA
RSA Cryptosystem
Operation Modes for Symmetric Cryptosystems
AES Cryptosystem
Hybrid Cryptosystem
OpenSSL X509 Functions
OpenSSL EVP Functions
OpenSSL RSA Functions
12
13. CERTIFICATES and X.509 STRUCTURE
What is Certificate?
A digitally signed statement from the issuer saying that the
public key of the subject has some specific values.
Basic Concepts
Signed Statement :- The certificate must be signed by the issuer
with a digital signature.
Issuer :- The person or organization who is issuing this certificate.
Public key :- The public key of a key pair selected by the subject.
Subject :- The person or organization who owns the public key.
13
14. CERTIFICATES and X.509 – Contd.
What is X.509 Certificate?
Certificate written in X.509 standard format is called as X.509
Certificate and X.509 standard was introduction in 1988. It
requires a certificate to have the following information:
Version :- X.509 standard version number.
Serial Number :- A sequence number given to each certificate.
Signature Algorithm Identifier :- Name of the algorithm used to
sign this certificate by the issuer
14
15. CERTIFICATES and X.509 – Contd.
Issuer Name :- Name of the issuer.
Validity Period :- Period during which this certificate is valid.
Subject Name :- Name of the owner of the public key.
Subject Public Key Information :- The public key and its related
information.
15
16. GENERATING SELF-SIGNED CERTIFICATES
Introduction
A self-signed certificate is a certificate that the "issuer" is the
"subject" himself. In other word, a seft-signed certificate is a
certificate where the "issuer" signs his own public key with
his private key.
Procedure
Step-1 :- Enter your own name as the "subject".
Step-2 :- Provide your public key.
Step-3 :- Sign it with your private key.
Step-4 :- Put everything in the X.509 format.
16
18. VIEWING COMPONENTS OF CERTIFICATES
(Contd)
This certificate tells us that:
The subject is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC"
The subject's public key is included in it.
The issuer is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=MCC". The issuer is
identical to the subject, because this is a self-signed certificate.
The certificate is valid for one month.
The certificate is signed by the issuer with the signature at the end.
18
19. WHY CERTIFICATES NEED TO BE SIGNED BY CA?
Definition of the Certificate Authority (CA)
A Certificate Authority (CA) issues digital certificates that contain a public key
and the identity of the owner. The matching private key is not made available
publicly, but kept secret by the end user who generated the key pair. The
certificate is also a confirmation or validation by the CA that the public key
contained in the certificate belongs to the person, organization, server or other
entity noted in the certificate. A CA's obligation in such schemes is to verify an
applicant's credentials, so that users and relying parties can trust the
information in the CA's certificates. CAs use a variety of standards and tests to
do so. In essence, the Certificate Authority is responsible for saying "yes, this
person is who they say they are, and we, the CA, verify that".
If the user trusts the CA and can verify the CA's signature, then he can also
verify that a certain public key does indeed belong to whoever is identified in
the certificate.
19
20. WHY CERTIFICATES NEED TO BE SIGNED BY CA?
(Contd).
Certificate Authority (CA) comes into picture when your communication partner
does not trust digital signature generated in your certificate.
For Certificates to be signed by CA following is the Procedure
Step - 1 :- Owner puts its public key into a certificate signing request (CSR) and
mails it to the Certificate Authority (CA).
Step - 2 :- The Certificate Authority (CA) will verify the request and put owner’s
public key in a certificate and sign it with CA's private key.
Step - 3 :- Certificate Authority (CA) will share the certificate been signed by the
CA back to the owner.
When your communication partner receives your public key signed by a CA,
communication partner can validate the signature with the Certificate Authority
CA's public key. If the validation is ok, communication partner can then trust
sender public key.
20
21. RSA CRYPTOSYSTEM
The most common public-key algorithm is the RSA cryptosystem,
named for its inventors (Rivest, Shamir, and Adleman).
21
23. RSA CRYPTOSYSTEM - EXAMPLE
Bob chooses 7 and 11 as p and q and calculates n = 77. The value of
f(n) = (7 − 1)(11 − 1) or 60. Now he chooses two exponents, e and d,
from Z60∗. If he chooses e to be 13, then d is 37. Note that e × d mod
60 = 1 (they are inverses of each Now imagine that Alice wants to
send the plaintext 5 to Bob. She uses the public exponent 13 to
encrypt 5.
Bob receives the ciphertext 26 and uses the private key 37 to
decipher the ciphertext:
23
24. OPERTION MODES FOR SYMMETRIC CRYPTOSYSTEM
ECB Mode
CBC Mode
Other Modes are OFB, CFB, CTR Modes 24
26. CBC: Cipher Block Chaining
Encryption Using CBC Mode
Decryption Using CBC Mode
26
27. AES CRYPTOSYSTEM
AES stands for Advanced Encryption Standard performs encryption and
decryption based on the Block Cipher technique. Block Ciphers could be
CBC, EBC etc.
Encryption of the Plan Text Decryption of the Plan Text
27
28. AES CRYPTOSYSTEM
Need for a more efficient and secured algorithm
AES is Rindjael (Rijmen & Daemen) with 128-bit data block only
Key Size: 128, 192, and 256 bits.
Approved as a Federal Standard (FIPS 197).
Five Standard Modes of Operation specified in the NIST Special Publication
800-38A.
28
29. AES CRYPTOSYSTEM - FEATURES
Need for a more efficient and secured algorithm
AES is Rindjael (Rijmen & Daemen) with 128-bit data block only.
Key Size: 128, 192, and 256 bits.
Approved as a Federal Standard (FIPS 197).
Five Standard Modes of Operation specified in the NIST Special
Publication 800-38A.
29
30. HYBRID CRYPTOSYSTEM
User User
A Symmetric Encrypted Symmetric B
Encryption Message Decryption
Message
Asymmetric Signed Asymmetric
Encryption Encrypted Key Decryption Ksecret
Ksecret
+ Signature Ksecret + Signature
KpubB KprivA KpubA KprivB
30
31. OPENSSL X509 FUNCTIONS
X509_set_serialNumber :- Set Serial Number for the X.509 Certificate.
X509_get_serialNumber :- Get Serial Number from the given X.509 Certificate.
X509_cmp_current_time :- Validates the certificate expiry time.
X509_set_pubkey :- Appends the certificate with public key.
X509_get_pubkey :- Extracts the public key from the given public certificate.
X509_to_X509_REQ :- Converts the given public certificate from X509 format to
Certificate Request (PKCS10 ).
X509_REQ_sign :- Sign the given Certificate Request (PKCS10 ).
PEM_write_X509_REQ :- Write the given Certificate Request (PKCS10 ) to the PEM file.
PEM_read_X509:- Reads the given Certificate Request (PKCS10 ) from the PEM file.
31
32. OPENSSL EVP FUNCTIONS
EVP_CIPHER_CTX_init :- initializes cipher context.
EVP_EncryptInit_ex :- sets up cipher context for encryption with cipher type from ENGINE.
EVP_EncryptUpdate :- encrypts the given data and store it in the out variable .
This function could be called multiple times to encrypt the successive blocks of data.
EVP_EncryptFinal :- This function is called only when padding is set. The main purpose
of this function is encrypts the "final" data, that is any data that remains in a partial block.
It uses standard block padding|/NOTES (aka PKCS padding).
EVP_MD_CTX_init :- initializes signing context.
EVP_SignInit_ex :- sets up signing context with digest type from ENGINE.
EVP_SignUpdate :- hashes the given data into the signature context. This function can be
called several times on the same context to include additional data .
EVP_SignFinal :- signs the data available in the context using the Private/ Shared secret key.
32
33. OPENSSL EVP FUNCTIONS (Contd.)
EVP_MD_CTX_init :- initializes verify context.
EVP_VerifyInit_ex :- sets up verification context with digest type from ENGINE.
EVP_VerifyUpdate :- hashes the given data into the verification context. This function can be
called several times on the same context to include additional data .
EVP_VerifyFinal :- verify the data available in the context using Public / Share Secret key
against the given signature.
EVP_CIPHER_CTX_init :- initializes cipher context.
EVP_DecryptInit_ex :- sets up cipher context for decryption with cipher type from ENGINE.
EVP_DecryptUpdate :- decrypts the given data and store it in the out variable .
This function could be called multiple times to decrypt the successive blocks of data.
EVP_DecryptFinal :- The main purpose of this function is decrypt the "final" data,
that is any data that remains in a partial block.
33
34. OPENSSL RSA FUNCTIONS
RSA_generate_key_ex :- This function is used to generate RSA key pair. Key size could be
512, 1024, 2048, 4096.
RSA_public_encrypt :- This function is used to encrypt a given data, RSA encrypts the given
data using Public key.
RSA_sign :- This function is used to encrypt a given data using message digest algorithm
and generates the signature on the encrypted data (generated by the message digest
algorithm).
RSA_verify :- This function is used to encrypt a given data using message digest algorithm,
generates the signature on the encrypted data (generated by the message digest
algorithm) and compares the generated signature with the given signature.
RSA_private_decrypt :- This function is used to decrypt a given encrypted data, RSA
decrypts the given encrypted data using Private key.
PEM_read_RSAPrivateKey :- This function is used to read the Private key from the PEM file.
PEM_write_RSAPrivateKey :- This function is used to write the Private key to the PEM file.
PEM_read_RSAPublicKey :- This function is used to read the Public key from the PEM file.
PEM_write_RSAPublicKey :- This function is used to write the Public key to the PEM file.
34