Contents

Basic Public Key Cryptography (DH, RSA, CAs, PKI)

Hashing Functions
Introduction to the TCP/IP Stack
Network Security (ports and protocols)

1
Public key encryption algorithms
Definition: The multiplicative inverse of x with modulo n is y such that (x*y) mod n = 1

E.g: x=3; n=10, => y=7; since (3*7) mod 10 = 1

• The above multiplicative inverse can be used to create a simple public key cipher:
either x or y can be thought of as a secret key and the other is the public key. Let x =
3, y = 7, n = 10, and M be the message:
• M=4;
• 3*4 mod 10 = 2; (ciphertext) - encrypting
• 2*7 mod 10 = 4 = M ; (message) - decrypting
• M =6 ;
• 3*6 mod 10 = 8;
• 8*7 mod 10 = 6 = M (message)
2
 RSA
RSA was invented by three scholars Rivest, Shamir, and Adleman.

The two aspects of the RSA are pair of key generation and encryption-decryption algorithms.

1. Generate the RSA modulus (n)

Select two large primes, p and q , Calculate n=p*q.

 For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.

Find Derived Number (e)

 Number e must be greater than 1 and less than ɸ =(p − 1)(q − 1).

There must be no common factor for e and ɸ except for 1.

 In other words two numbers e and ɸ are coprime.
3
 RSA Cont..
Form the public key

 The pair of numbers (n, e) form the RSA public key and is made public.

 Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures
that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of
RSA.

 Generate the private key

 Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.

 Number d is the inverse of e modulo ɸ. This means that d is the number less than ɸ such that when
multiplied by e, it is equal to 1 modulo ɸ.

 This relationship is written mathematically as follows: ed = 1 mod ɸ.

4
 The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
 RSA Cont..
2. Encryption and Decryption

The process of encryption and decryption are relatively straightforward and

computationally easy. modulo n

RSA operates on numbers. Hence, it is necessary to represent the plaintext as a

series of numbers less than n.

5
 RSA Cont..

An example of generating RSA Key pair is given below.

 Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.

 Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)
(q − 1) = 6 × 12 = 72, except for 1.

 The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom
we wish to be able to send us encrypted messages.

 Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.

 Check that the d calculated is correct by computing: de = 29 × 5 = 145 = 1 mod 72

 Hence, public key is (91, 5) and private keys is (91, 29).

6
RSA Cont…
Extended Euclidean Algorithms to find Multiplicative Inverse Modulo
Of n will be calculated as follows: we goes until the remainder will be
zero and calculate one step beyond the steps as follows:
• Example: 5 inverse modulo 72. will be calculated
• Step 1: 72=14*5+2 po=0;
• Step 2: 5=2*2+1 p1=1;
• Step 3: 2=2*1+0; pn=pn-2-pn-1(qn-1)mod n
• Then p2=p0-p1(q1)=0-1(14)mod72=58
• P3=p1-p2(q2)mod72=1-58*2mod72=29=Private Key
7
 RSA Cont..
RSA Encryption

The sender wish to send some text message to someone whose public key is (n, e).

The sender then represents the plaintext as a series of numbers less than n.

To encrypt the first plaintext P, which is a number modulo n. The encryption process
is simple mathematical step as: C = mod n

In other words, the ciphertext C is equal to the plaintext P multiplied by itself e
times and then reduced modulo n. This means that C is also a number less than n.

Returning to our Key Generation example with plaintext P = 10, we get ciphertext C

= mod 91 8
 RSA Cont..
RSA Decryption

The decryption process for RSA is also very straightforward. Suppose that the
receiver of public-key pair (n, e) has received a ciphertext C.

Receiver raises C to the power of his private key d. The result modulo n will be the
plaintext P: Plaintext = mod n

Returning again to our numerical example, the ciphertext C = 82 would get

decrypted to number 10 using private key 29: Plaintext = mod 91 = 10.

9
 RSA Analysis
The security of RSA depends on the strengths of two separate functions. The RSA
cryptosystem is most popular public-key cryptosystem strength of which is based on
the practical difficulty of factoring the very large numbers.

Encryption Function: is considered as a one-way function of converting plaintext

into ciphertext and it can be reversed only with the knowledge of private key d.

Key Generation: The difficulty of determining a private key from an RSA public
key is equivalent to factoring the modulus n.
 An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key
unless he can factor n. It is also a one way function, going from p & q values to modulus n is
easy but reverse is not possible.
10
 RSA Analysis
If either of these two functions are proved non one-way, then RSA will be broken.
In fact, if a technique for factoring efficiently is developed then RSA will no longer
be safe.

The strength of RSA encryption drastically goes down against attacks if the number
p and q are not large primes and/ or chosen public key e is a small number.

11
 RSA example:
Bob chooses p=5, q=7. Then n=35, ɸ =24.
e=5 (so e, ɸ relatively prime).
d=29 (so ed-1 exactly divisible by ɸ.
Keys generated are
Public key: (35,5)
Private key is (35, 29)

letter m me c = me mod n
encrypt:
l 12 1524832 17

d
decrypt:
c c m = cd mod n letter
17 481968572106750915091411825223071697 12 l

12
RSA Example Cont…
Encrypt the word love using (c = me mod n)
Assume that the alphabets are between 1 & 26
Plain Text Numeric Representation me Cipher Text (c = me mod
n)

l 12 248832 17
o 15 759375 15
v 22 5153632 22

Decrypt
e the word
5 love using
3125 (m = c10d mod n)
n = 35, c=29
Cipher cd (m = me mod Plain
Text n) Text
17 481968572106750915091411825223072000 17 l

15 12783403948858939111232757568359400 15 o

22 85264331908653770195619449972111000000 22 v
0
13
10 100000000000000000000000000000 10 e
Question
Given that in the RSA algorithm model p=7,q=9,e=5 and the quotient when we divide
ed-1 by ɸ is 3 (in other words: ed mod ɸ = 1 ).
Calculate:
1. n
2. ɸ
3. d
4. Public Key
5. Private Key
RSA Question: Solve the above question?

14
Diffie Helman Key exchange
• Discovered by Whitfield Diffie and Martin Hellman
“New Directions in Cryptography”

• Diffie-Hellman key agreement protocol

Exponential key agreement
Allows two users to exchange a secret key
Requires no prior secrets
Real-time over an untrusted network

15
 Diffie-Hellman Key Exchange Cont…
 first public-key type scheme proposed
 by Diffie & Hellman in 1976 along with the exposition of public key
concepts

note: now know that Williamson (UK CESG) secretly proposed
the concept in 1970
 is a practical method for public exchange of a secret key
 used in a number of commercial products

16
 Implementation
• P and G are both publicly available numbers
P is at least 512 bits
• Users pick private values a and b
• Compute public values
x = ga mod p
y = gb mod p
• Public values x and y are exchanged

17
Diffie Helman Implementation
• Compute shared, private key
ka = ya mod p
kb = xb mod p

• Algebraically it can be shown that ka = kb

Users now have a symmetric secret key to encrypt

18
Diffie Helman Example
• Alice and Bob get public numbers
P = 23, G = 9

• Alice and Bob compute public values

X = 94 mod 23 = 6561 mod 23 = 6
Y = 93 mod 23 = 729 mod 23 = 16

• Alice and Bob exchange public numbers

19
Diffie Helman Example Cont…
• Alice and Bob compute symmetric keys
ka = ya mod p = 164 mod 23 = 9
kb = xb mod p = 63 mod 23 = 9
• Alice and Bob now can talk securely!

20
Applications
• Diffie-Hellman is currently used in many protocols, namely:
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Secure Shell (SSH)
• Internet Protocol Security (IPSec)
• Public Key Infrastructure (PKI)

21
Hashing Function

Hash functions are extremely useful and appear in almost all information security
applications.
A hash function is a mathematical function that converts a numerical input value
into another compressed numerical value. The input to the hash function is of
arbitrary length but output is always of fixed length.
Values returned by a hash function are called message digest or simply hash
values. The following picture illustrated hash function.

22
Hashing Function Cont…

23
Hashing Function Cont…
Features of Hash Functions
• The typical features of hash functions are −
Fixed Length Output (Hash Value)
Hash function coverts data of arbitrary length to a fixed length. This process is
often referred to as hashing the data.
In general, the hash is much smaller than the input data, hence hash functions are
sometimes called compression functions.
Since a hash is a smaller representation of a larger data, it is also referred to as a
digest.
Hash function with n bit output is referred to as an n-bit hash function. Popular
hash functions

24
Hashing Function Cont…
generate values between 160 and 512 bits.
Efficiency of Operation
Generally for any hash function h with input x, computation of h(x) is a fast operation.
Computationally hash functions are much faster than a symmetric encryption.
Properties of Hash Functions
In order to be an effective cryptographic tool, the hash function is desired to possess
following properties:
Pre-Image Resistance
This property means that it should be computationally hard to reverse a hash function.
In other words, if a hash function h produced a hash value z, then it should be a difficult
process to find any input value x that hashes to z.
This property protects against an attacker who only has a hash value and is trying to find
the input.
25
Hashing Function Cont…
Second Pre-Image Resistance
This property means given an input and its hash, it should be hard to find a different
input with the same hash.
In other words, if a hash function h for an input x produces hash value h(x), then it
should be difficult to find any other input value y such that h(y) = h(x).
This property of hash function protects against an attacker who has an input value
and its hash, and wants to substitute different value as legitimate value in place of
original input value.
Collision Resistance
This property means it should be hard to find two different inputs of any length that
result in the same hash. This property is also referred to as collision free hash
function.
In other words, for a hash function h, it is hard to find any two different inputs x and
y such that h(x) = h(y).
26
Since, hash function is compressing function with fixed hash length, it is impossible
Certificate Auhtority
• A certificate authority (CA), also sometimes referred to as a certification
authority, is a company or organization that acts to validate the identities of
entities (such as websites, email addresses, companies, or individual persons) and
bind them to cryptographic keys through the issuance of electronic documents.
• A digital certificate provides:
• Authentication, by serving as a credential to validate the identity of the entity
that it is issued to.
• Encryption, for secure communication over insecure networks such as the
Internet.
• Integrity of documents signed with the certificate so that they cannot be altered
by a third party in transit.

27
Certificate Authority Cont…

28
Certificate Auhtority Cont…
• Typically, an applicant for a digital certificate will generate a key pair consisting of a private key
and a public key, along with a certificate signing request (CSR). A CSR is an encoded text file that
includes the public key and other information that will be included in the certificate (e.g. domain
name, organization, email address, etc.). Key pair and CSR generation are usually done on the server
or workstation where the certificate will be installed, and the type of information included in the CSR
varies depending on the validation level and intended use of the certificate. Unlike the public key,
the applicant’s private key is kept secure and should never be shown to the CA (or anyone else).
• After generating the CSR, the applicant sends it to a CA, who independently verifies that the
information it contains is correct and, if so, digitally signs the certificate with an issuing private key
and sends it to the applicant.
• When the signed certificate is presented to a third party (such as when that person accesses the
certificate-holder’s website), the recipient can cryptographically confirm the CA’s digital signature
via the CA’s public key. Additionally, the recipient can use the certificate to confirm that signed
content was sent by someone in possession of the corresponding private key, and that the information
has not been altered since it was signed.

29
Public key infrastructure (PKI)
• The Public key infrastructure (PKI) is the set of hardware, software,
policies, processes, and procedures required to create, manage,
distribute, use, store, and revoke digital certificates and public-keys.
PKIs are the foundation that enables the use of technologies, such as
digital signatures and encryption, across large user populations. PKIs
deliver the elements essential for a secure and trusted business
environment for e-commerce and the growing Internet of Things (IoT)

30
Public key infrastructure (PKI)
Cont…
• PKIs help establish the identity of people, devices, and services – enabling
controlled access to systems and resources, protection of data, and accountability
in transactions. Next generation business applications are becoming more reliant
on PKI technology to guarantee high assurance, because evolving business models
are becoming more dependent on electronic interaction requiring online
authentication and compliance with stricter data security regulations .

31
PKI Cont…
• PKI Deployment
PKIs provide a framework that enables cryptographic data security technologies
such as digital certificates and signatures to be effectively deployed on a mass
scale. PKIs support identity management services within and across networks and
underpin online authentication inherent in secure socket layer (SSL) and transport
layer security (TLS) for protecting internet traffic, as well as document and
transaction signing, application code signing, and time-stamping.
PKIs support solutions for desktop login, citizen identification, mass transit,
mobile banking, and are critically important for device credentialing in the IoT.
Device credentialing is becoming increasingly important to impart identities to
growing numbers of cloud-based and internet-connected devices that run the
gamut from smart phones to medical equipment
32
Introduction to the TCP/IP Stack

Application: supports network applications

ftp, smtp, http, ssh, telnet, DHCP (Dynamic Host Configuration Protocol)..
Transport:data transfer from end system to end system
TCP, UDP, SPX...
Network: finding the way through the network from machine to
machine
IP (IPv4, IPv6), ICMP, IPX
(Data) link: data transfer between two neighbours in the network
ppp, Ethernet, ATM, ISDN, 802.11 (WLAN)
Physical: bits “on the wire”
33
Introduction to the TCP/IP Stack Cont…

34
OSI model

A standard for layering of communication protocols

 Open Systems Interconnection
by the ISO – International Standardization Instituteˆ
Two additional layers to those of the Internet stack
• presentation: translates between different formats
XML, XDR
provides platform independence
• session: manages connection, control and disconnection of
communication sessions
RTP
35
Network Security (ports and protocols)
Protocols
Ethernet
IP (Internet Protocol)
UDP (User Datagram Protocol)
TCP (Transmission Control Protocol)
DHCP (Dynamic Host Configuration Protocol)
HTTP (Hypertext Transfer Protocol)
FTP (File Transfer Protocol)
Telnet (Telnet Remote Protocol)
SSH (Secure Shell Remote Protocol)
POP3 (Post Office Protocol 3)
SMTP (Simple Mail Transfer Protocol)
IMAP (Internet Message Access Protocol)
36
Network Security (ports and protocols) Cont…
Protocol TCP/ Port Description
UDP Number
File Transfer TCP 20/21 FTP is one of the most commonly used file transfer protocols on
Protocol (FTP) the Internet and within private networks.
(RFC 959)
Secure Shell TCP 22 SSH is the primary method used to manage network devices
(SSH) securely at the command level. It is typically used as a secure
(RFC 4250-4256) alternative to Telnet which does not support secure connections.

Telnet TCP 23 Telnet is the primary method used to manage network devices at
(RFC 854) the command level. Unlike SSH which provides a secure
connection, Telnet does not, it simply provides a basic unsecured
connection

Simple Mail TCP 25 SMTP is used for two primary functions, it is used to transfer mail
Transfer (email) from source to destination between mail servers and it is
Protocol (SMTP) used by end users to send email to a mail system.
(RFC 5321)

Domain Name TCP/ 53 The DNS is used widely on the public internet and on private
System (DNS) UDP networks to translate domain names into IP addresses,
(RFC 1034-1035) 37
Network Security (ports and protocols) Cont…
Internet Message TCP 143 IMAP version3 is the second of the main
Access Protocol protocols used to retrieve mail from a
(IMAP) server. While POP has wider support,
(RFC 3501) IMAP supports a wider array of remote
mailbox operations which can be helpful
to users.
Dynamic Host UDP 67/68 DHCP is used on networks that do not use
Configuration static IP address assignment (almost all of
Protocol (DHCP) them). A DHCP server can be set up by an
(RFC 2131) administrator or engineer with a poll of
addresses that are available for
assignment
NetBIOS TCP/UDP 137/138/139 NetBIOS itself is not a protocol but is
(RFC 1001-1002) typically used in combination with IP with
the NetBIOS over TCP/IP (NBT) protocol.
NBT has long been the central protocol
used to interconnect Microsoft Windows
machines.

38
Thank you!!

39