Cryptography and the Web

Lincoln Stein

Whitehead Institute/MIT Center for Genome Research

Cryptography

The art of secret message writing. Creating texts that can only be read by

authorized individuals only.

Simple Cryptography

Plaintext

Key

Ciphertext

Caesar Cipher

ABCDEFGHIJKLMNOPQRSTUVWXYZ

NOPQRSTUVWXYZABCDEFGHIJKLM

THE GOTHS COMETH

rotate 13 positions

FUR TAFUE PAYRFU

Plaintext

Key

Ciphertext

13

ABCDEFGHIJKLMNOPQRSTUVWXYZBCDEFGHIJKLMNOPQRSTUVWXYZACDEFGHIJKLMNOPQRSTUVWXYZABDEFGHIJKLMNOPQRSTUVWXYZABCEFGHIJKLMNOPQRSTUVWXYZABCDFGHIJKLMNOPQRSTUVWXYZABCDEGHIJKLMNOPQRSTUVWXYZABCDEFHIJKLMNOPQRSTUVWXYZABCD...

Rotating Key Cipher

SOUND THE RETREAT

DEADFED

VSUPC XKG UEWWEX

plaintext

key

ciphertext

General Principles

Longer keys make better ciphers Random keys make better ciphers Good ciphers produce “random” ciphertext Best keys are used once and thrown away

Symmetric (Private Key) Cryptography

Examples: DES, RC4, RC5, IDEA, Skipjack Advantages: fast, ciphertext secure Disadvantages: must distribute key in

advance, key must not be divulged

DES: Data Encryption Standard

Widely published & used - federal standard Complex series of bit substitutions,

permutations and recombinations Basic DES: 56-bit keys

– Crackable in about a day using specialized hardware

Triple DES: effective 112-bit key– Uncrackable by known techniques

Asymmetric (Public Key) Cryptography

Examples: RSA, Diffie-Hellman, ElGamal Advantages: public key widely

distributable, does digital signatures Disadvantages: slow, key distribution

RSA

Algorithm patented by RSA Data Security Uses special properties of modular

arithmetic– C = Pe (mod n)– P = Cd (mod n)– e, d, and n all hundreds of digits long and

derived from a pair of large prime numbers Keys lengths from 512 to 1024 bits

Public Key Encryption: The Frills

Frill Technique

Fast encryption/decryption Digital envelopesAuthentication of sender Digital signatureVerification of message integrity Message digestsSafe distribution of public keys Certifying authorities

Digital Envelopes

Digital Signatures

Message Digests

Certifying Authorities

Hierarchy of Trust

Secure, Verifiable Transmission

Public Key Cryptography on the Web

Secure Socket Layer (SSL)– Netscape Communications Corporation

Secure HTTP (SHTTP)– Commerce Net

SSL and SHTTP, similarities

RSA public key cryptography MD5 message digests Variety of private key systems

– Strong cryptography for use in U.S.– Weakened cryptography for export.

SSL and SHTTP, differences

Physical Layer

Network interface

Internet

Transport

Application

SSL

HTTP

TELNET NNTP

FTP

SHTTP

Using SSL

Signed Certificate

Applying for a Server Certificate

Filling out Certificate Request

URLs

SSL Protocol– http://home.netscape.com/newsref/std/SSL.html

SHTTP Protocol– http://www.eit.com/projects/s-http/

Verisign– http://www.verisign.com/

RSA Data Security– http://www.rsa.com/