Cryptology is derived from the Greek words kryptos, which stands for “hidden” and grafein, which stands for to “write”. Through history, cryptography has meant the process of concealing the contents of a message from all except those who know the key. Cryptography is used to protect e-mail messages, credit card information, and corporate data. Cryptography has been used for centuries to hide messages when they are submitted through means where they might be intercepted, such as the Internet.
But encrypting email messages as they traverse the Internet is not the only reason to understand or use various cryptographic methods. Every time you check your email, your password is being sent over the wire. Many ISPs or corporate environments use no encryption on their mail servers and the passwords used to check mail are submitted to the network in clear text (with no encryption). When a password is put into clear text on a wire it can easily be intercepted. This is especially dangerous when you are on the road, at hotels, on wireless hotspots, or at an internet café. However, it is often simple to also obtain another users password for email, payroll systems and file servers while at work and on the same network. Applications such as WireShark, Ethereal and many others and have existed for a long time and are now fairly advanced, allowing the user to possibly replay the password or a stream of packets that resemble credentials to a server in order to gain entry.
To aid in protecting communications between computers, there are a wide variety of cryptographic implementations in use. They are typically provided for one of two reasons: to protect data on the computer or to protect data as it is being transferred. Most cryptographic techniques rely heavily on the exchange of cryptographic keys.
Symmetric-key cryptography refers to encryption methods where both senders and receivers of data share the same key and data is encrypted and decrypted with algorithms based on those keys. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied.
Block ciphers take a block of plaintext and a key, then output a block of ciphertext of the same size. DES and AES are block ciphers. AES, also called Rijndael, is a designated cryptographic standard by the US government. AES usually uses a key size of 128, 192 or 256 bits. DES is no longer an approved method of encryption triple-DES, its variant, remains popular. Triple-DES uses three 56-bit DES keys and is used across a wide range of applications from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality.
Stream ciphers create an arbitrarily long stream of key material, which is combined with a plaintext bit by bit or character by character, somewhat like the one-time pad encryption technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state’s change is controlled by the key, and, in some stream ciphers, by the plaintext stream as well. RC4 is an example of a well-known stream cipher.
Cryptographic hash functions do not use keys but take data and output a short, fixed length hash in a one-way function. For good hashing algorithms, collisions (two plaintexts which produce the same hash) are extremely difficult to find, although they do happen.
Symmetric-key cryptosystems typically use the same key for encryption and decryption. A disadvantage of symmetric ciphers is that a complicated key management system is necessary to use them securely. Each distinct pair of communicating parties must share a different key. The number of keys required increases with the number of network members. This requires very complex key management schemes in large networks. It is also difficult to establish a secret key exchange between two communicating parties when a secure channel doesn’t already exist between them.
Whitfield Diffie and Martin Hellman are considered the inventors of public-key cryptography. They proposed the notion of public-key (also called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.
In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. Ronald Rivest, Adi Shamir, and Len Adleman invented RSA, another public-key system. Later, it became publicly known that asymmetric cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization and that both the Diffie-Hellman and RSA algorithms had been previously developed.
Diffie-Hellman and RSA, in addition to being the first public examples of high quality public-key cryptosystems are among the most widely used.
In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is somewhat like an ordinary signature; they have the characteristic that they are easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed as they cannot be ‘moved’ from one document to another as any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and to many network security schemes (SSL/TLS, many VPNs, etc). Digital signatures provide users with the ability to verify the integrity of the message, thus allowing for non-repudiation of the communication.
Public-key algorithms are most often based on the computational complexity of “hard” problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly “hybrid” systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.
OpenSSL is one of the main applications used in Linux and Mac OS X to access the various encryption mechanisms supported by the operating systems. OpenSSL supports Diffie-Hellman and various versions of RSA, MD5, AES, Base, sha, DES, cast and rc. OpenSSL allows you to create ciphers, decrypt information and set the various parameters required to encrypt and decrypt data.
THIS ARTICLE IS A REPRINT FROM:
Foundations of Mac OS X Security, from Apress
Written by Charles Edge, William Barker and Zack Smith of 318
318, Inc. is proud to announce the immediate availability of our flagship software product, RepTools™ 2008.
