Cryptography Essentials: Keys, Hashes, and Authentication

Posted on Nov 20, 2024 in Computers

X.509 Certificate Format

An X.509 certificate is a digital certificate used to establish the identity of an entity, such as a person or a website, and ensure secure communication.

Key Components

  1. Version: Specifies the X.509 version (usually v3).
  2. Serial Number: A unique identifier for the certificate issued by the Certificate Authority (CA).
  3. Signature Algorithm: The algorithm used by the CA to sign the certificate (e.g., RSA or ECDSA).
  4. Issuer: The CA that issued the certificate (e.g., “CN=Example CA”).
  5. Validity Period: The start and end date of the certificate’s validity.
  6. Subject: The entity the certificate is issued to (e.g., “CN=www.example.com“).
  7. Subject Public Key: The public key of the subject.
  8. Extensions: Extra fields that provide additional information, such as:
    • Key Usage: What the key can be used for (e.g., encryption, signing).
    • Subject Alternative Name (SAN): Additional identifiers (e.g., IP addresses or DNS names).
  9. Signature: The CA’s digital signature that ensures the certificate’s authenticity and integrity.

Message Authentication Code (MAC)

A Message Authentication Code (MAC) is a cryptographic value used to verify the authenticity and integrity of a message. It ensures that the message comes from a legitimate sender and that the message has not been tampered with during transmission. The MAC is generated using a secret key and a hash function.

Malicious Code Forms

  1. Virus: Attaches to a legitimate program or file, spreading when executed and often causing damage.
  2. Trojan Horse: Disguises itself as a legitimate application, allowing unauthorized access and potential damage.
  3. Worm: Self-replicating code that spreads over networks, causing congestion or system crashes.

Digital Signatures

A digital signature is a mathematical scheme used to verify the authenticity and integrity of a message, document, or transaction. It ensures that the data has not been altered and that it truly comes from the sender.

Types of Digital Signatures

  1. Basic Digital Signature: The sender signs the message with their private key (e.g., signing an email). Provides authentication and integrity.
  2. Advanced Digital Signature: Uses a secure signature creation device (SSCD) for enhanced security (e.g., signing sensitive documents). Provides strong authentication, integrity, and non-repudiation.
  3. Qualified Digital Signature: Issued by a Qualified Trust Service Provider (QTSP), meeting legal standards for transactions (e.g., legal contracts).

Benefits of Digital Signatures

  1. Authentication: Ensures the sender’s legitimacy.
  2. Integrity: Guarantees the content’s unchanged state.
  3. Non-repudiation: Prevents the sender from denying they sent the message.

Message Authentication

Message Authentication verifies that a message hasn’t been altered and confirms the sender’s identity.

Approaches to Achieve Message Authentication

  1. Plaintext Message Authentication: Directly verifying the message content (not commonly used due to low security).
  2. Hash Functions: Generating a fixed-size hash of the message for verification.
  3. Message Authentication Code (MAC): Using a secret key and a cryptographic algorithm to create a MAC.
  4. Digital Signatures: Encrypting the message hash with the sender’s private key.
  5. Public Key Infrastructure (PKI): Using digital certificates to authenticate messages.

SHA Algorithm (Secure Hash Algorithm)

The SHA (Secure Hash Algorithm) produces a fixed-size hash value from an input message.

Key Features of SHA

  1. Fixed Size Output: Produces a hash of a consistent size (e.g., SHA-256 outputs a 256-bit hash).
  2. One-way Function: Easy to generate a hash, but hard to reverse.
  3. Collision-Resistant: Unlikely that two different inputs produce the same hash.

Types of SHA Algorithms

  1. SHA-0: Original, now insecure.
  2. SHA-1: 160-bit hash, considered weak.
  3. SHA-2: Includes SHA-224, SHA-256, SHA-384, SHA-512.
  4. SHA-3: Latest version with enhanced security.

Usage of SHA

  • Data Integrity
  • Digital Signatures
  • Password Hashing

Diffie-Hellman Key Exchange

The Diffie-Hellman Key Exchange securely shares a secret key between two parties over a public channel.

How It Works

  1. Agree on public parameters (prime number p and base g).
  2. Each party picks a private key.
  3. Compute public values (g raised to the private key, modulo p).
  4. Exchange public values and compute the shared secret key.

Key Points

  • Secure as eavesdroppers only see public values.
  • Helps agree on a shared secret key for encryption.

Hash Function Uses

A hash function produces a fixed-size hash value from an input.

Main Uses of Hash Functions

  1. Data Integrity: Detects data alterations.
  2. Password Storage: Stores password hashes instead of plain text.
  3. Digital Signatures: Creates a message digest for signing.
  4. Checksums: Verifies file integrity (e.g., MD5, SHA).
  5. Efficient Data Retrieval: Used in databases and hash tables.

Characteristics of Hash Functions

  1. Deterministic: Same input produces the same output.
  2. Fixed Output Length: Output is always a fixed size.
  3. Efficient: Quick processing for applications like data integrity checks.
  4. Pre-image Resistance: Hard to find the original input from the hash.
  5. Collision Resistance: Difficult to find two inputs with the same hash.
  6. Avalanche Effect: Small input changes result in significantly different hashes.

Kerberos Working

Kerberos is a network authentication protocol using symmetric key cryptography and a Key Distribution Center (KDC).

How Kerberos Works

  1. User logs in with credentials.
  2. Authentication Server (AS) issues a Ticket Granting Ticket (TGT).
  3. User requests service access using the TGT.
  4. Ticket Granting Server (TGS) issues a service ticket.
  5. User accesses the service with the service ticket.

Key Points

  • Relies on encrypted tickets.
  • Tickets are time-sensitive.
  • Centralized authentication through KDC.

Public Key Distribution

Securely distributing public keys is crucial in public key cryptography.

Approaches to Public Key Distribution

  1. Public Announcement: Insecure, keys are publicly shared.
  2. Public Key Directories: Central authority maintains a directory of keys.
  3. Public Key Certificates: Trusted Certificate Authorities (CAs) issue certificates.
  4. Web of Trust: Decentralized authentication based on mutual trust.
  5. Key Exchange Protocols: Secure exchange over networks (e.g., Diffie-Hellman, SSL/TLS).

HMAC Algorithm

HMAC (Hash-Based Message Authentication Code) verifies data integrity and authenticity using a secret key and a hash function.

Steps in HMAC Algorithm

  1. Key Padding: Pad the key to match the hash function’s block size.
  2. Inner Hashing: XOR the padded key with inner padding and hash with the message.
  3. Outer Hashing: XOR the key with outer padding and hash with the inner hash result.
  4. Output: The final HMAC is a fixed-length code.

Key Points

HMAC provides strong security by using both a secret key and a hash function, making it difficult to tamper with data.