4/8/99 C. Edward Chow Page 1

Cryptography

• Basic goal:– design procedures to transform messages

(plaintext) into cryptograms (ciphertext). – withstand intense cryptoanalysis for recovering the

original plaintext.

• Basic approach:– code system: text content depending on the size

of code book.– cipher system: require two basic elements

• cryptographic algorithm • a set of variable cryptographic keys.

4/8/99 C. Edward Chow Page 2

Cipher Systems

Two useful cipher system types: block ciphers and stream ciphers

• Block ciphers– Data are encrypted/decrypted in blocks. – Block length is predetermined by the algorithm

designer.

• Stream ciphers– Users of algorithms decide the lengths to be

encrypted or decrypted. – Require additional parameter defined as initializing

vector (seed value)

4/8/99 C. Edward Chow Page 3

Cryptographic Algorithms

Two basic types:• Symmetric key algorithms: same key are

used to encrypt and decrypt. In SSL, the symmetric key are encrypted by the public key and sent over at the

• Public key algorithms: permit many users to encrypt using the same public key, but only the specific user possessing the secret key to decipher or unlock the data.

4/8/99 C. Edward Chow Page 4

RSA: a Public Key Algorithm

• Paper appeared on "A Method for obtaining Digital Signatures and Public-Key Cryptosystems," published in CACM vol. 21, No. 2, 120-126 (1978) by MIT Professors, Ronald Rivest, Adi Shamir, and Leonard Adleman.

• Based on extension of Euler's theorem a(r) - 1 is divisible by r where a and r are relatively prime, i.e., gcd(a, r) = 1, and

• (r)=r(1-1/p1)(1-1/p2)...(1-1/pn), where p1, p2, ...,pn are the prime factors of r.

4/8/99 C. Edward Chow Page 5

Choosing Private Key in RSA Algorithm

p and q are primes (chosen, secret) p=47, q=61 r=p.q (publish, public) r=47*61=2867 (r)=(p-1)(q-1) (derived, secret) (r)=46*60=2760 SK = private key (chosen, secret) SK=167 Here SK is a chosen prime and it must be a relative prime of (r). 2760=167*16+88 --> 88 = 2760 - 167*16 167=88*1+79 --> 79 = 167 - 88*1 88=79*1+9 --> 9 = 88 - 79*1 79=9*8+7 --> 7 = 79 - 9*8 9=7*1+2 --> 2 = 9 - 7*1 7=2*3+1 --> 1 = 7 - 2*3 2=1*2

4/8/99 C. Edward Chow Page 6

Choosing Public Key in RSA

PK = public key (derived, public) PK=1223

It is derived by reversing the above computation on private key and substituting eq.

1=7-2*3

1=7-(9-7*1)*3=7*4-9*3

1=(79-9*8)*4-9*3=79*4-9*32-9*3=79*4-9*35

1=79*4-(88-79)*35=79*39-88*35

1=(167-88)*39-88*35=167*39-88*74

1=167*39-(2760-167*16)*74=167*1223-2760*74

4/8/99 C. Edward Chow Page 7

Encryption/Decryption using Private/Public keys

A message can be encrypted is first divided into blocks, the value of block is less than r-1=2867-1=2866. In real system, r is much bigger.

To apply RSA algorithm, we substitute each letter with two digits, e.g., blank = 00, A=01, B=02, ..., Z=26.

The plaintext , "RSA ALGORITHM," is encrypted in 7 blocks: 1819 0100 0112 0715 1809 2008 1300 1819, the first block of the plaintext, is encrypted by raising it to the power of

PK=1223, dividing by r = 2867, then taking the remainder, 2756 becomes the ciphertext.

Note that 18191223 mod 2867 = 2756 but 18191223 is a big number. It can be computed by 18191024*1819128*181964*18194*18192*18191 since

1223=1024+128+64+4+2+1 DecryptionLikewise, 2756SK mod 2867=1819 The ciphertext is 2756 2001 0542 0669 2347 0408 1815

4/8/99 C. Edward Chow Page 8

Message Digest (one-way hash function)• The message digest functions take a file as input, produce a single large number called digest

(128-256 bits in length). • They are difficult to invert, mostly unique, widely distributed. • MD5 developed by Ronald Rivest. Here is an example of MD5 results: • [root@viva guest]# cat t1 • There is $1500 in the blue box. • [root@viva guest]# ssleay • SSLeay>md5 t1 • MD5(t1)= 05f8cfc03f4e58cbee731aa4a14b3f03 • SSLeay>[root@viva guest]# • MD5(There is $1500 in the blue box!)=4b36807076169572b804907735accd42 • Just one character differs. The digest values are dramatically different. • Can be attached in email for message authentication. • Instead of signing the whole document, most digital signature standards simply sign a message

digest of the document. • Programs such as PGP use message digests to transform a passphrase into an• symmetric encryption key.

4/8/99 C. Edward Chow Page 9

Certificate

• Signed documents, which match public keys to information, such as a name, organization, and e-mail address.

• They are signed by CA authority, organization that accept certificate requests and return the certificate.

4/8/99 C. Edward Chow Page 10

Client Certificate

• Use for Secure Web Access and Secure Email.• 60 days digital ID free trial from Verisign

for Outlook Express • After type in name, email address, pobox, birthday

info.• It asks for challenging phrase.• After click to accept the Verisign CPS statement, IE

ask for confirm email address.• Then IE indicates it is generate RSA exchnage keys

4/8/99 C. Edward Chow Page 11

Private Key Container

• Select the High Security Level which will ask for password each time private key is accessed.

4/8/99 C. Edward Chow Page 12

Select the Password

4/8/99 C. Edward Chow Page 13

Certificate Request Sent• After the password is confirmed, a certificated will be sent to Verisign.• They will send an email to the address you specified in the request with

instruction on how to install the digital ID. Hit the continue button.

4/8/99 C. Edward Chow Page 14

Pickup Digital ID

• You can also go to https://digitalid.verisign.com/client/outlook/outlookpickup.htm

• And enter the PIN included in the email to pickup the digital ID.

4/8/99 C. Edward Chow Page 15

Setup Digital ID for Secure Email

Associate a Digital ID With Your E-mail Account Microsoft Outlook Express:

1. Select Accounts from the Tools menu, then the Mail tab. 2. Select your Mail account, click the Properties button,

select the Security tab. 3. Check the box "Use a digital ID when sending secure

messages from", then click the Digital ID button. 4. Select the certificate you want to use to digitally sign your

e-mail. Outlook 98:

1. In the Tools menu select Options, then the Security tab 2. Click "Add digital signature to outgoing messages", click

the "Change Settings" button 3. On the next screen click the "Choose..." button. Select the

Digital ID you want to use for signing e-mail in Outlook.

4/8/99 C. Edward Chow Page 16

Find Other’s Digital ID• https://digitalid.verisign.com/services/client/index.html

4/8/99 C. Edward Chow Page 17

Digital ID Search Result

4/8/99 C. Edward Chow Page 18

Digital ID Search Result

4/8/99 C. Edward Chow Page 19

Receive Signed Email

Indicate a signed email

4/8/99 C. Edward Chow Page 20

Examine the Signature

• Click on the signature symbol.

4/8/99 C. Edward Chow Page 21

View the Certificate

4/8/99 C. Edward Chow Page 22

Certificate Detail

4/8/99 C. Edward Chow Page 23

Setup Option for Signed Encrypted Email

• Go to outlook (not the email window), tools | options select security tab.

4/8/99 C. Edward Chow Page 24

Receive Signed and Encrypted Email

4/8/99 C. Edward Chow Page 25

On Windows 2000

4/8/99 C. Edward Chow Page 26

4/8/99 C. Edward Chow Page 27

4/8/99 C. Edward Chow Page 28

4/8/99 C. Edward Chow Page 29

4/8/99 C. Edward Chow Page 30

4/8/99 C. Edward Chow Page 31

4/8/99 C. Edward Chow Page 32

4/8/99 C. Edward Chow Page 33

Import Certificate to Outlook 2000

4/8/99 C. Edward Chow Page 34

Specify path and password for the certificate

4/8/99 C. Edward Chow Page 35

Change the Hash Algorithm or Encryption Algorithm

4/8/99 C. Edward Chow Page 36

Make sure your email account has the same emailAddress as that in the certificate!!

4/8/99 C. Edward Chow Page 37

Reply Secure Email on Outlook2000

• To send an encrypted e-mail message to someone, you must have a copy of that person's digital ID in your contact list. Just have the person send you a digitally signed message. When you receive the message, you copy the person's address in the From field of the message into your contacts.

• If you had old entry in contacts without certificate, you need to click on the From field to update entry with the certificate.

4/8/99 C. Edward Chow Page 38

Netscape Communicator 4.51

• Go to home.netscape.com and select download netcape communicator 4.51.

• After download, click on cc32e451.exe to install.• Accept default settings, except that do choose

the netscape communicator as default browser, netcenter as default web page on frodo.uccs.edu.

• After restart, click on the netscape messager.• It will go through a series of dialog to help set up

your incoming and outgoing mail server on cs.uccs.edu.

4/8/99 C. Edward Chow Page 39

Setup Netscape Messenger• Create a New Profile.

4/8/99 C. Edward Chow Page 40

Enter Name and Email Address

4/8/99 C. Edward Chow Page 41

Choose Name and Directory for the Profile

• This name will show up on main messenger mail window

4/8/99 C. Edward Chow Page 42

Setup Outgoing Mail Server

• Use cs.uccs.edu

4/8/99 C. Edward Chow Page 43

Setup Incoming Mail Server

• Enter your loginname

• Select cs.uccs.edu as incoming mail server (make sure you forward your email to cs.uccs.edu.)

• Choose IMAP instead of POP.

– IMAP leaves mails in the mail server.Down load the header first.

– POP download the mails and remove mails on mail servers as default.

4/8/99 C. Edward Chow Page 44

Setup News Group Server• Enter harpo.uccs.edu as news server.

4/8/99 C. Edward Chow Page 45

Setup Different User Profile

• After netscape communicator is stalled, the next login user will find the netscape messenger using the profile of the user who installs the software.

• Actually, even if you can read some of the headers of the email (a bad design), you can not download the content since you will be prompt for the password.

• Each time you have the encrypted email, you will be prompted for the password of the certificate in order to obtain private key to decrypt the email.

• The following describes how you set up your own netscape profile (especially for email).

4/8/99 C. Edward Chow Page 46

Netscape User Profile Manager• Select start | programs| netscape|utilities|user profile

manager. Click new and enter your loginname

4/8/99 C. Edward Chow Page 47

Setup Different User Profile(2)

• The rest of the steps follows that of page 18 of this handout.

4/8/99 C. Edward Chow Page 48

Using Communicator with Different User Profiles

• After the profile is set up, when you invoke communicator, you

will be asked to select the specific profile.

4/8/99 C. Edward Chow Page 49

Download Other’s Certificate From Verisign

• On navigator, select security | people

• Select search directory

4/8/99 C. Edward Chow Page 50

Search Verisign Directory• Select verisign directory in pull down menu• Enter the email address of the person you would like to request

the certificate. Then click search button.

4/8/99 C. Edward Chow Page 51

Send Signed Encrypted Msg

• Click the 3rd tab in the sending section

• Check the encrypted and signed boxes.

4/8/99 C. Edward Chow Page 52

Comparison of Secure Email Support

• Netscape messenger allows individual email to be signed or encrypted.

• Netscape messenger shares the security files with the navigator browser and therefore did not have to export and then import to a different application.

• For Microsoft mail programs, the certificate needs to be export out from IE browser as a file, then imported in.