Cryptography
Table of Contents
1. AES
- Advanced Encryption Standard
Symmetric encryption.
2. RSA
- An acronym of the three designers: Ron Rivest, Adi Shamir, Leonard Adleman.
2.1. Key Generation
- Choose two large prime numbers \(p\) and \(q\). This is secret.
- Compute \(n=pq\). This is part of the public key.
- Compute Carmichael's totient function of
\(n\), \(\lambda(n)\). This is secret. It can be easily computed
if we know the prime factor of \(n\), but practically impossible
if we don't.
- The original paper uses Euler's totient function instead.
- Choose an integer \(e\), such that \(2< e < \lambda(n)\) and it is coprime to \(\lambda(n)\). This is part of the public key.
- Determine \(d\) satisfying \(d\equiv e^{-1}\pmod{\lambda(n)}\). This
is part of the private key.
- \(d\) can be computed by extended Euclidean algorithm.
2.2. Encryption and Decryption
It uses the fact that: \[ m \equiv m^{ed}\pmod{n}. \]
Encrypt \(m\) with \(c = m^{a}\pmod{n}\), where \(a\) is either \(e\) or \(d\). Use \(e\) for and \(d\) for digital signiture.
Decrypt \(c\) with \(m = c^b\pmod{n}\), where \(b\) is either \(d\) or \(e\).
3. SHA
- Secure Hashing Algorithm
3.1. Algorithm
- Five 4 bytes internal states \( H_0, H_1,\dots,H_4 \) are set to the value that is determined by the specification.
- Take 512 bits of the message (pad it if necessary) and use compression function 80 times on it with the internal states.
- Add the result to the initial internal states, under modulo 160 bit.
- Set the internal states to be the result of the addition.
- Repeat the procedure until the message gets exhausted.
4. File Formats
4.1. DER
- Distinguished Encoding Rules
Binary Encoding of data defined along with Basic Encoding Rules (BER) and Canonical Encoding Rules (CER)(??, 2021).
4.2. PEM
- Privacy-Enhanced Message or Privacy-Enhanced Mail, Privacy-enhanced Electronic Mail
Encoding of binary data into ASCII. Base64 encoding with begin/end markers. -
-----BEGIN PRIVATE KEY-----
MIICdg....
... bhTQ==
-----END PRIVATE KEY-----
5. Public Key Infrastructure
- PKI
The system for officially giving public key certificate .
5.1. Public Key Certificate
- Digital Certificate, Identity Certificate
A certificate contains metadata and public key encoded in DER format, with the digital signature of certificate authority attached at the end.
The validity of certificate autority are established through the chain of trust consisting of certificates signed by higher authority, eventually leading up to the root CAs whose certificates are distributed by the operating system, and system administrator on each local machine.
Root certificates are any truested self-signed certificates.
5.1.1. X.509
The standard that deals with public key certificates. As the name suggests it validates the public key.
https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions File format related to certificate is as follows:
.pem(.crt,.cer): base64 encoded DER binary certificate.der(.crt,.cer): plain DER binary certificate.p8,.p8e,.pk8: exported private key as specified in PKCS#8. DER or PEM..p8emeans it's encrypted..p12,.pfx,.pkcs12: PKCS#12 format..pfx: Personal inFormation eXchange. Predecessor of PKCS#12. Usually contains PKCS#12 format nowadays..crl: Certificate Revocation List. List of de-authorized certificates.
5.2. Decryption Proxy
- SSL inspection
The corporate root CA can be installed to the local machines within the local network, allowing the gateway to issue certificates for the external websites and act as the man in the middle.
5.3. Korea
CA의 인증을 받은 public private key pair를 local machine이나 cloud에 보관
NPKI
- National public key infrastructure
- Person, Legal Person, Server
- (구)공인인증서 -> 공동인증서
- 공인인증기관의 Root CA
- 6개 인증기관에서 은행, 증권회사 등의 대행을 통해 인증서를
발급받는다.
- 한국정보인증(KICA)
- 코스콤(KOSCOM)
- 금융결제원(KFTC)
- 은행이 대행한다.
- 한국전자인증(KECA)
- 한국무역정보통신(KTNET)
- 한국정보사회진흥원
GPKI
- Government Public Key Infrastructure
- PKI for governmental entities.
- 행정인증서
MPKI
- 국방인증서
금융인증서
- 금융기관의 Root CA
- 금융결제원의 인증을 거친다.
사설인증서
- 민간업체의 Root CA
6. Public Key Cryptography Standards
- PKCS
File format for container.
6.1. PKCS#8
6.2. PKCS#12
The format may contain certificates, public and private keys in a single file.
7. Digital Signature
Encrypt the hash of the content with private key and attach it to the file, so that it can be verified with public key.
8. OpenPGP
OpenPGP is the standard used in PGP. PGP(Pretty Good Privacy) is an encryption program.
8.1. GnuPG
gpg- GNU Privacy Guard
GnuPG is part of GNU project that implements OpenPGP standard.
8.2. Design
Chain of encryption for information exchange:
It also supports symmetric encryption in which the key is generated from the passphrase using S2K (string-to-key) algorithm.
9. SSL
- Algorithms are implemented in
libctypto. - Implements Secure Socket Layer and protocols.
9.1. Algorithm
- Cryptographic primitives such as SHA256 digest or AES encryption.
9.2. Operation
- Group of algorithms that have the same purpose such as encrypting or digesting.
9.3. Provider
- A provider contains cryptographic algorithms so that it can be loaded modularly.
9.4. openssl
$ openssl <command> [ <option> ... ] [ <parameter> ]
9.4.1. Commands
x509rsa-pubin: Read the private key by default. Set this flag to read public key. This implicitly sets-puboutwhich outputs public key.-RSAPublicKey_in,-RSAPublicKey_out: Use RSAPublicKey format instead.PEMis the default-informand-outform.
asn1parse- Parse the structure of the .
9.4.2. Options
-inform PEM|DER -in <file> -outform PEM|DER -out <file>-text [-noout]: Print the content (and the original file if-nooutis not set).