Asymmetric Cryptography

-
Asymmetric Cryptography

Public Key Cryptosystems rely on a pairs of keys assigned to each user of the cryptosystem.

RSA

  • 1977, Ronald Rivest, Adi Shamir, Leonard Adleman
  • RSA algorithm (Patented) form the backbone of large number of well known security infrastructure



  • Computational difficulty inherent in factoring large prime numbers
  • Each User of the cryptosystem generates a pair of public and private keys using the algorithm below :-
  1. Choose 2 large prime numbers (p and q of 200 digits length each)
  2. compute the product:    n = p * q
  3. Select a number  e such that
    • e < n
    • e and (n-1)(q-1) are relatively prime - that is, the 2 numbers have no common factors other than 1.
  4. Find a number d, such that (ed-1)mod(p-1)(q-1) = 0
  5. Distribute e and n as the public key to all cryptosystem users. Keep d secret as the private key.



    • If Alice wants to send an encrypted message to Bob, she generates the ciphertext (C) from the plain text (P) using the formula (where e is Bob's public and n is the product of p and q created during the key generation process):

    C = P (power e) mod n

    When Bob receives the message, he performs tha following calculation ro retrieve the plaintext message:

    P = C (power d) mod n


    Merkle-Hellman Knapsack

    • 1978
    • Based on the difficulty of performing factoring operations, but it relies on a component of set theory known as super-increasing sets rather than on large prime numbers. Proven ineffective when it was broken in 1984.



    Cryptosystem---------------------Key length
    RSA---------------------1088 bits
    DSA---------------------1024 bits
    Elliptic curve---------------------160 bits






    El Gamal

    • Based on Diffie-Hellman key exchange algorithm
    • Major Disadvantage - the algorithm doubles the length of any message it encrypts.
    • This is a major hardship when encrypting long messages or data that will be transmitted over a narrow bandwidth communications circuit.



    Elliptic Curve

    • 1985
    • Mathematicians - Neal Koblitz abd Victor Miller
    • Elliptic Curve Cryptography (ECC) theory


    y(power 2) = x(power 3) + ax + b

    x,y,a and b are all real numbers





    Hash Functions


    • Take a long potentially long message and generate a unique output value derived from the content of the message.
    • This value is commonly referred as message digest.
    • Most cases, message digest is 128 bits or longer.


    5 basic requirements


    1. Input can be of any length
    2. Output has a fixed length
    3. Hash function os relatively easy to compute
    4. Hash function is one-way . It is extremely hard to determine the input when provided with output
    5. Hash function is collision free (it is externally hard to find two messages that produce the same hash value)



    SHA, SHA-1, SHA-2

    • Government Standard hash functions developed by National Institute of Standard and Technology (NIST)
    • Publication - Secure Hash Standard (SHS) aka Federal Information Processing Standard (FIPS) 180
    • SHA-1 takes Input length upto 2,097,152 terabytes ----> Output 160-bit message digest
    • processes a message in 512-bit blocks
    • therefore it pads the Input message with additional data so that length reaches tge next highest mutiple of 512.


    Recent cryptanalytic attacks demontrated weaknesses in SHA-1

    Four new variants

    1. SHA-256 output 256-bit, 512 bit block size
    2. SHA-224 output 224-bit, 512 bit block size
    3. SHA-512 output 512-bit, 1024 bit block size
    4. SHA-384 output 384-bit, 1024 bit block size




    MD2

    • 1989
    • Ronald Rivest
    • 8-bit processors
    • pads the message with 16 bytes
    • output 16-byte checksum and appends it to the end of the message
    • 128-bit message digest is then generated by using the entire original message along with the appended checksum




    MD4

    • 1990
    • Rivest
    • enhanced the algorithm to support 32-bit processors and increase the level of security
    • It first pads the message to ensure that the message length is 64 bits smaller than a mutiple of 512 bits
    • For example, a 16-bit message will be padded with 432 additional bits of data to make it 448 bits, which is 64 bits smaller than a 512-bit message.
    • MD4 then processes 512-bit blocks in three rounds of computation to produce the message digest of 128-bit 
    • No longer secure


    MD5

    • 1991
    • Rivest
    • Problems again - Slow
    • Subject to collisions



    Hash algorithm chart

    Name--------------------------------------------Hash Value Length
    Hash of Variable Length(HAVAL)-an MD5 variant--------------------------------------------128,160,192,224,256
    Hash Message Authenticating Code(HMAC)--------------------------------------------Variable
    MD2--------------------------------------------128
    MD4--------------------------------------------128
    MD5--------------------------------------------128
    SHA-1--------------------------------------------160
    SHA-224--------------------------------------------224
    SHA-256--------------------------------------------256
    SHA-384--------------------------------------------384
    SHA-512--------------------------------------------512


    Digital Signatures
    Once you have chosen a cryptographically sound hashing algorithm, you can use it to implement a digital signature system.
    2 Distinct Goals

    1. Digitally signed messages assure the recipient that the message truly came from the claimed sender. Nonrepudiation
    2. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. 



    Process:-

    1. Alice generates a message digest of the original plaintext message using one of the cryptographically sound hashing algorithms, such as SHA-512.
    2. Alice then encrypts only the message digest using her private key. This is Digital Signature.
    3. Alice appends the signed message digest to the plaintext message.
    4. Alice sends the appended message to Bob.



    Bob reverses the procedure

    1. Bob decrypts the digital signature using Alice's public key,
    2. Bob uses the same hashing function to create a message digest of the full plaintext message received from Alice.
    3. Bob then compares the decrypted message digest he received from Alice with the message digest he computed himself. If the 2 digests match, then he is assured that the message was only sent from Alice and also it was not modified in the transit.

    Digital Signature Standard

    NIST specifies the digital signature algorithms acceptable for federal government use in Federal Information Processing Standard (FIPS) 186-4, aka Digital Signature Standard (DSS)
    1. Digital Signature Algorithm (DSA) as specified in FIPS 186-4
    2. RSA algorithm as specified in ANSI X9.31
    3. Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

    Comments

    Post a Comment

    Popular posts from this blog

    OIM 11g Custom ADF Application Development

    -
    Image
    In this post , I will cover the steps required to create a custom ADF web application. What this application does is facilitate Account Claim Process. Users has been migrated from some other IAM product to OIM and exist in disabled state and hence cannot login to perform Self Service operations. User needs to identify themselves by providing their personal details like personal identification number, zip code and dob etc. After successfully Identifying themselves they will be able to set a new password and set their challenge questions and answers. During this process the application will activate their account and set the new password and QnA. At the end of the process, they will be able to login OIM with their new password set. The application has been developed using JDeveloper using ADF technology to render user interfaces and MVC design pattern to keep the concerns separate. Application Structure                                                                                  
    Read more

    Oracle Identity Manager (OIM) Interview Questions

    -
    This is my 100th post on my blog and in this post, I will list down interview questions on OIM. This post will always be work in progress as I keep appending this list with more and more questions. Please find the list of questions below :-) What are the new features in PS3 ? What are the differences between PS2 and PS3 ? How do you identify rogue account creation in target system ? What is the high level architecture of OIM 11g ? List out difference between OIM 9.1 and 11g and possibly 11gR2 What are the new features in 11gR2 PS2 , PS3 How do you save multi-valued attribute in process form and how the linking happens between process form & child form ,   1 child form per multi valued attribute Can we still use entity adapters in OIM 11g What is pluginservice in oim 11g/  What is the orchestration service in oim 11g. what is the difference between entity match found  and process match found ? what are service accounts in oim ? why remote manager is used ? What is a c
    Read more

    OIM 11g R2 PS2 : SOA Approval Workflow Sample

    -
    Image
    In this post I am posting the sample code for a sample SOA approval workflow. Some of the features that this workflow addresses are Approval to Manager or Role Owners is dynamic based on the custom OIM system property "approval-condition". Value is set either "AND" or "OR". Manager or Role Owner can be set to be notified only with no approval required. In this case only email is sent to notify them but no approval is required from them. Custom OIM system property are created to address this.   manager-notify-only = TRUE or FALSE  TRUE = only notify the manager no approval request sent. FALSE = notify the manager and send an approval request.   roleowner-notify-only = TRUE or FALSE  TRUE = only notify the role owner no approval request sent. FALSE = notify the role owner and send an approval request. Third Level System Notification was required but it should be dynamic.  Custom OIM system property are created to address this sysadmin-noti
    Read more