## One-way Functions

One-way functions are the foundation of modern cryptography; they are used by both asymmetric ciphers and hash functions.

For instance, a message encrypted with the public key cannot be decrypted with that same public key, because public-key encryption is a one-way function. Likewise, once a message is hashed, it should not be possible to recover the original message from the hash.

## Confidentiality and Symmetric/Asymmetric Ciphers

**Symmetric cipher modes fall into two categories: block mode and stream mode**. A block-mode cipher can only process plaintext or ciphertext one block at a time, so a "padding scheme" is needed to specify how the last block of a message is handled. A stream-mode cipher processes plaintext or ciphertext one byte at a time, and padding is not required.

**Block ciphers can operate in Electronic Code Book (ECB) mode or Cipher Block Chaining (CBC) mode**. In ECB mode, the same block of plaintext always encrypts, under the same key, into the same block of ciphertext, which makes it possible to build a code book of ciphertexts for known plaintexts. To prevent this, CBC mode XORs the previous block of ciphertext with the next block of plaintext prior to encryption.

Block ciphers include:

* AES
* Blowfish
* DES / 3DES
* IDEA

Stream ciphers include:

* RC4

Asymmetric ciphers use a public key and a private key. A message encrypted with the public key can only be decrypted with the private key, and vice versa.

The most well-known asymmetric ciphers are:

* RSA
* El-Gamal
* Diffie-Hellman

**RSA is normally used for encryption/decryption with the public/private key pairs. Diffie-Hellman provides a way to generate a shared secret with two peers' public/private key pairs. El-Gamal is very similar to Diffie-Hellman.**

Below is how Diffie-Hellman works:

1) First the hosts must agree on the "Diffie-Hellman parameters": a prime number *p* (larger than 2) and a "base" *g*, an integer that is smaller than *p*.

2) The hosts each secretly generate a private number called *x*, which is less than *p* - 1.

3) The hosts next generate the public keys, *y*. They are created with the function: *y* = *g*^*x* mod *p*

4) The two hosts now exchange the public keys *y*, and the exchanged numbers are converted into a secret key, *z*: *z* = *y*^*x'* mod *p*, where each host raises the public key it received to its own private number. *z* can now be used as the key for whatever encryption method is used to transfer information between the two hosts. Mathematically, the two hosts should have generated the same value for *z*: *z* = (*g*^*x'* mod *p*)^*x* mod *p* = (*g*^*x* mod *p*)^*x'* mod *p*

And here is an example:

1) Alice and Bob agree to use a prime number *p* = 23 and base *g* = 3.

2) Alice chooses a secret integer *x* = 6, then sends Bob *g*^*x* mod *p* = 3^6 mod 23 = 16.

3) Bob chooses a secret integer *x'* = 15, then sends Alice *g*^*x'* mod *p* = 3^15 mod 23 = 12.

4) Alice computes (*g*^*x'* mod *p*)^*x* mod *p* = 12^6 mod 23 = 9.

5) Bob computes (*g*^*x* mod *p*)^*x'* mod *p* = 16^15 mod 23 = 9.
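The exchange above carried out in Python with the page's numbers (*p* = 23, *g* = 3, *x* = 6, *x'* = 15), as an added example that is not part of the original notes. The range checks on private and public values and the brute-force discrete logarithm are additions here; they show why real deployments use primes of 2048 bits or more.

```python
# Added example (not from the original page): the Diffie-Hellman exchange
# above with the page's toy parameters p = 23, g = 3, x = 6, x' = 15.

def dh_public(p: int, g: int, x: int) -> int:
    """Step 3: y = g^x mod p. Three-argument pow() is modular exponentiation."""
    if not (1 <= x < p - 1):
        raise ValueError("private value must lie in [1, p-2]")
    return pow(g, x, p)

def dh_shared(p: int, peer_y: int, x: int) -> int:
    """Step 4: z = y'^x mod p, where y' is the peer's public value.
    Rejecting degenerate public values (0, 1, p-1) is a standard sanity check
    so that a bogus peer cannot force z into a trivial value."""
    if not (1 < peer_y < p - 1):
        raise ValueError("invalid peer public value")
    return pow(peer_y, x, p)

def run_exchange(p: int, g: int, x_alice: int, x_bob: int) -> tuple:
    """Both sides of the exchange; returns (y_alice, y_bob, z_alice, z_bob)."""
    y_a = dh_public(p, g, x_alice)          # Alice sends 3^6 mod 23 = 16
    y_b = dh_public(p, g, x_bob)            # Bob sends 3^15 mod 23 = 12
    z_a = dh_shared(p, y_b, x_alice)        # Alice: (g^x' mod p)^x mod p
    z_b = dh_shared(p, y_a, x_bob)          # Bob:   (g^x mod p)^x' mod p
    return y_a, y_b, z_a, z_b

def brute_force_private(p: int, g: int, y: int) -> int:
    """What an eavesdropper who sees p, g and y can do when p is tiny: try every
    exponent until g^x mod p == y. The cost grows with the size of p; for the
    2048-bit primes used in practice this search is infeasible, and that
    hardness (the discrete logarithm problem) is the whole security of DH."""
    for x in range(1, p - 1):
        if pow(g, x, p) == y:
            return x
    raise ValueError("no exponent found")

if __name__ == "__main__":
    y_a, y_b, z_a, z_b = run_exchange(23, 3, 6, 15)
    print(f"Alice sends {y_a}, Bob sends {y_b}")      # 16 and 12
    print(f"shared secret: Alice {z_a}, Bob {z_b}")   # both 9
    print("with p = 23 an eavesdropper recovers an exponent for Alice's value:",
          brute_force_private(23, 3, y_a))
```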

**Symmetric ciphers are much faster than asymmetric ciphers, but they require a secure key exchange mechanism.**

**Asymmetric ciphers are rarely used for encrypting messages. They are normally used to generate digital signatures or to provide secure key exchange for symmetric ciphers.**

## Authenticity and Digital Signatures

**Digital signatures** can be used for authentication purposes. A digital signature algorithm uses a hash function to reduce the message to a digest, then generates the digital signature from the digest using the private key.

There are two types of digital signature algorithms:

* RSA Signature
* Digital Signature Standard (DSS)

RSA uses the private key to encrypt the digest, producing the digital signature. DSS is similar to the El-Gamal algorithm: it uses the private key and the digest to generate (not encrypt) two 160-bit values that represent the signature. Verification is a mathematical demonstration, using the public key, that those two values could only have been generated with the private key.

## Integrity and Hash Functions

Message integrity can be provided by:

* Digital Signatures
* Message Authentication Codes (MAC)

**A digital signature uses a public/private key pair to provide both authentication and integrity for the signed document**. But digital signatures are slow, and the entire message must be known before the signature can be generated, which makes them unsuitable for an ongoing data stream.

Two popular hash functions are:

* MD5
* SHA-1

A hash is unique for a given text: if you apply the hash function to the same text again you get the same hash, and you should never get the same hash from different text. This is why hash functions are used to guarantee data integrity.

One thing to notice is that the input of a hash function can be of any length, while the output has a fixed length. So two different inputs may end up with the same hash; this is called a collision.

**A good hash function should be strongly collision-free**.

Hash functions are also irreversible: there is no way to recover the given text from its hash. This also makes hash functions useful for storing passwords.

**Hash functions such as MD5 and SHA-1 do not prevent man-in-the-middle attacks, which means they can only provide integrity, not authentication**. If a third party intercepts the message and its hash, nothing stops him from changing the message and regenerating the hash.

Keyed hashing, also known as **Message Authentication Codes (MAC)**, is used to mitigate such attacks.

**Like digital signatures, a MAC can provide both authentication and integrity; unlike digital signatures, a MAC is symmetric and uses a shared key.** As the most popular MAC, **HMAC** combines the message with a shared secret key and then generates a hash based on that:

*H*((*K* XOR *opad*), *H*((*K* XOR *ipad*), *text*))

where *K* is the secret key; *text* is the input; *ipad* is the byte 0x36 repeated *B* times; *opad* is the byte 0x5C repeated *B* times; *B* is the size of the input blocks; and "," is concatenation.

**HMAC** can use **MD5** or **SHA-1** as its hash function, and is denoted by **HMAC-MD5** and **HMAC-SHA1** respectively.

Obviously, a secure key exchange mechanism is mandatory for **HMAC**.
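The HMAC construction above implemented directly from the formula and checked against Python's `hmac` module, as an added example that is not from the original notes. The tamper scenario and its message bytes are constructed here to illustrate the man-in-the-middle point made earlier about bare hashes.

```python
# Added example (not from the original page): HMAC built from
# H((K XOR opad) , H((K XOR ipad) , text)) with B = the hash block size
# (64 bytes for MD5 and SHA-1), compared with the standard library.
import hashlib
import hmac

def hmac_from_formula(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    B = hashlib.new(hash_name).block_size          # 64 for MD5 and SHA-1
    if len(key) > B:                               # RFC 2104: hash keys longer than B
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(B, b"\x00")                    # zero-pad shorter keys to B bytes
    ipad = bytes([0x36] * B)                       # 0x36 repeated B times
    opad = bytes([0x5C] * B)                       # 0x5C repeated B times
    k_ipad = bytes(k ^ i for k, i in zip(key, ipad))   # K XOR ipad
    k_opad = bytes(k ^ o for k, o in zip(key, opad))   # K XOR opad
    inner = hashlib.new(hash_name, k_ipad + text).digest()   # H((K XOR ipad), text)
    return hashlib.new(hash_name, k_opad + inner).digest()   # H((K XOR opad), inner)

def verify(key: bytes, text: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    # compare_digest runs in constant time, so a mismatch leaks no timing information
    return hmac.compare_digest(hmac_from_formula(key, text, hash_name), tag)

def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha1") -> bool:
    return hmac_from_formula(key, text, hash_name) == hmac.new(key, text, hash_name).digest()

def tamper_demo(key: bytes) -> tuple:
    """Constructed scenario: an intermediary rewrites the message in transit.
    With a bare hash he simply recomputes it and the receiver's check passes;
    with HMAC he lacks K, so the only tag he has (the original) no longer verifies."""
    msg, forged = b"transfer 100 to bob", b"transfer 900 to eve"
    attacker_hash = hashlib.sha1(forged).digest()          # recomputed without any key
    bare_accepts = hashlib.sha1(forged).digest() == attacker_hash
    hmac_accepts = verify(key, forged, hmac_from_formula(key, msg))
    return bare_accepts, hmac_accepts

if __name__ == "__main__":
    print("HMAC-SHA1 matches hmac module:", matches_stdlib(b"key", b"hello"))
    print("HMAC-MD5 matches hmac module:", matches_stdlib(b"key", b"hello", "md5"))
    print("(bare hash accepts forgery, HMAC accepts forgery) =", tamper_demo(b"secret"))
```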

## IPSec and IKE

**IPSec uses a CBC-mode symmetric block cipher for encryption and HMAC for authentication. IKE is basically an authenticated Diffie-Hellman exchange**.

IPSec has two protocols, **ESP** and **AH**, and two modes, **Transport mode** and **Tunnel mode**. ESP provides both authentication (with HMAC) and confidentiality (with a CBC-mode symmetric cipher) for the data payload; AH provides only authentication (with HMAC), but for both the data payload and the IP header.

**An IPSec Security Association (SA) associates the security services and keys for the traffic to be protected and the remote peer with whom the IPSec traffic is being exchanged**.

**SAs reside in the SADB** (Security Association Database) **and are identified by an SPI** (Security Parameter Index).

**IPSec policy is maintained in the SPD** (Security Policy Database). **An SPD entry defines one of three actions: discard, bypass, or protect**. SPD entries with the action "protect" point to an SA to apply to the packet. If there is no existing SA in the SADB for an outbound packet, IPSec dynamically creates the SA using IKE.

**IP traffic is mapped to IPSec policy by selectors**. A selector is like the "match address" statement in a crypto map definition.

IKE also uses the concept of an SA. One IKE SA can be used to produce any number of IPSec SAs.

**IKE has two phases: Phase 1 creates an IKE SA, and Phase 2 creates IPSec SAs**. In Phase 1, IKE uses Diffie-Hellman to establish a shared secret, which is then used to negotiate the IPSec SAs in Phase 2.

**IKE cookies** are used to identify the peer that IKE is negotiating with.

**Upon completion of the Diffie-Hellman exchange, IKE needs to authenticate the shared secret**. There are five authentication methods defined in IKE:

* Preshared keys
* DSS signatures
* RSA signatures
* An encrypted nonce exchange using RSA
* A revised method with encrypted nonce

## SSL

A **digital certificate** is essentially two files: the private key and the public key. These files are issued and signed by the CA.

When the client browser receives the web server's digital certificate, it verifies the certificate against its internal CA list. If the certificate is okay, the browser computes a one-time session key and sends it back to the server, encrypted with the web server's public key. The subsequent traffic between the client and the server is then encrypted with this session key.

**SSL uses the stream-mode symmetric cipher RC4.**

## E-Mail Encryption

* S/MIME
* PGP

**S/MIME - Secure Multipurpose Internet Mail Extensions** uses digital certificates to sign and/or encrypt e-mail (Note: Thawte's digital certificates for personal use are free). The S/MIME specification mandates support for 3DES as an encryption algorithm, DH for key encryption and DSS as a signature algorithm.

**Digital Signature** - first generate a hash of the entire message, then encrypt the hash with the sender's private key. Both DSS (Digital Signature Standard) and RSA can be used to generate digital signatures.

**PGP is a hybrid cryptosystem**. It first compresses the plaintext, then creates a session key. This one-time-only secret key encrypts the data. Once the data is encrypted, the session key itself is encrypted with the recipient's public key, and this public-key-encrypted session key is transmitted along with the ciphertext to the recipient. PGP also uses DSS as its signature algorithm.