Cryptography Part 2

Uploaded by

tyler le
Copyright
© © All Rights Reserved

Cryptography, Part 2

MIS 460-561
Cryptographic Keys

• Keys and algorithms work together
• Key strength / length is important
• Random vs. pseudo-random
⚬ Key stretching
⚬ Static key vs. ephemeral key
Hash-Based Message Authentication Code (HMAC)
HMAC is a cryptographic mechanism used to ensure the integrity and
authenticity of a message by combining a cryptographic hash function
(like SHA-256 or MD5) with a secret key. It is commonly used in various
cryptographic protocols, such as TLS, IPsec, and JWT (JSON Web
Tokens), to verify that the data has not been tampered with and that it
comes from a legitimate sender.

HMAC is a widely used cryptographic technique that ensures both the
integrity and authenticity of a message.
HMAC Example
Let’s say Alice sends a message to Bob using HMAC to ensure the message's authenticity and
integrity.

1. Alice's message: "Hello, Bob!"
2. Shared secret key: "supersecretkey"
3. Hash function: SHA-256

Alice generates an HMAC for the message using the shared key and the SHA-256 hash function.
She sends the message along with the HMAC to Bob.

When Bob receives the message, he uses the same secret key and the same hash function
(SHA-256) to generate an HMAC from the received message. If the HMAC Bob computes
matches the HMAC Alice sent, Bob knows:

● The message was not altered in transit (integrity).
● The message was indeed sent by Alice or someone who knows the secret key (authenticity).
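
The exchange above as an added Python example (not part of the original slides), using the message, key and hash function from the slide. The altered message, wrong key and truncated tag are constructed test cases.

```python
import hashlib
import hmac

KEY = b"supersecretkey"    # shared secret key from the slide
MESSAGE = b"Hello, Bob!"   # Alice's message from the slide

def make_tag(key: bytes, message: bytes) -> str:
    """Alice's side: HMAC-SHA-256 over the message, hex-encoded."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Bob's side: recompute the tag and compare it in constant time."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    """Run Bob's check on the real message and on three constructed failures."""
    tag = make_tag(KEY, MESSAGE)
    return {
        "untouched": verify(KEY, MESSAGE, tag),
        "altered_message": verify(KEY, b"Hello, Rob!", tag),   # one byte changed
        "wrong_key": verify(b"not-the-key", MESSAGE, tag),     # sender lacks the key
        "truncated_tag": verify(KEY, MESSAGE, tag[:32]),       # tag cut in half
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} -> {'accept' if ok else 'reject'}")
```

Bob compares tags with `hmac.compare_digest` rather than `==` so that the time taken does not reveal how many leading characters of a guessed tag were correct.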
How HMAC is used
HMAC benefits?
True or False?
1. HMAC ensures the message has not been altered during
transmission. (What is this called?)
2. HMAC is designed to provide non-repudiation.
3. HMAC verifies the message was sent by someone who knows the
key. (What is this called?)
Salting and Key Stretching
Salting
Rainbow table attacks - precomputing hashes of
common passwords. Attackers match hash values to
the table.
● Salting helps prevent rainbow table attacks by
adding randomly generated values to passwords
prior to hashing.
Salting Example

kali and john have the same password…why are their hashes different?
Key stretching
Make a weak key stronger - hash a password, then
hash the hash, hash the hash again…

To reveal the original weak key, each hash would have to be reversed

Methods to stretch keys:
● Bcrypt - creates hashes from passwords using the Blowfish cipher
● PBKDF2 (Password-Based Key Derivation Function 2)
Key stretching Example
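
An added Python example (not from the original slides) that combines the salting and key-stretching slides: two users, named kali and john as on the salting slide, store the same password with PBKDF2. The sample password and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example, not from the slides

def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def stretch(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns the stored record."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}

def check(password, record):
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["hash"], record["hash"])

def demo():
    password = "Summer2024!"  # constructed sample password shared by both users
    kali, john = stretch(password), stretch(password)
    return {
        "unsalted_hashes_match": unsalted_hash(password) == unsalted_hash(password),
        "salted_hashes_match": kali["hash"] == john["hash"],
        "salts_match": kali["salt"] == john["salt"],
        "kali_correct_password": check(password, kali),
        "john_wrong_password": check("summer2024!", john),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The salt is stored next to the hash in the record; it does not need to be secret, only unique per user, so that one precomputed table cannot cover every account.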
Symmetric vs. Asymmetric
Encryption
Symmetric vs. Asymmetric Encryption
Two types of ciphers used for confidentiality
In symmetric key encryption for confidentiality, the
two sides use the same key
• For each dialogue (session), a new symmetric key is generated: the
symmetric session key

In asymmetric key encryption, each party has a public
key and a private key
• A person’s public key is available to anyone
• A person keeps his or her private key secret
• Keys are mathematically related
Symmetric Key Encryption

same key for encryption and decryption
Symmetric Key Encryption Ciphers

Others: Blowfish, Twofish, Serpent, IDEA, GOST, SEED, Camellia (and many others)
Asymmetric Key Encryption
Public Key Cryptography
Public Key Encryption Ciphers
• RSA
*Dominant today
*Recommended minimum key length 1024

• ECC – Elliptic Curve Cryptography
*Gaining acceptance
*Recommended minimum key length 512
*Often used in mobile devices because of low resource requirements
How message signing works

Benefits of a digital signature
• Integrity
• Authenticity
• Non-repudiation
Using PKI to exchange a session key
Symmetric vs. Asymmetric Cryptography Systems
Stream vs. Block Ciphers
Stream cipher vs. Block Cipher

Source: theamazingking.com
Block Cipher vs. Stream Cipher

| Block Cipher | Stream Cipher |
| --- | --- |
| Encrypts block of plaintext as a whole to produce same-sized ciphertext (pads data, if necessary) | Encrypts a digital stream one byte at a time |
| Typically 64 or 128 bits | 1 byte or 1 bit |
| Examples: AES, DES, RSA | Examples: One-time pad |
| Application: file encryption, database encryption | Application: SSL |
| Requires more code | Requires less code |
| Key re-use is possible | One-time key |
| Easier to implement in software | More suitable for hardware implementation |

Cipher Suites
What is a Cipher Suite?

A cipher suite is a complete, packaged set of
methods (algorithms) needed to secure a
network connection through SSL/TLS.

UA VPN Cipher Suite
Let’s meet, but how?
• Skype? Zoom? GoToMeeting? Google
Hangouts….? In Person?
• First stage of secure communication is to
agree on a method to communicate
-Cipher Suite
Cipher Suite Negotiation

Downgrade attack applies in this situation.

Key Exchange
Properties of DH Key Exchange
The output (shared secret) cannot be computed
by either party without the cooperation of the
other.

Non-secret information cannot be used to
deduce or produce the shared secret.

Security relies on the discrete logarithm problem.
Objective: Share Secret Key
Diffie-Hellman Key Agreement
Diffie-Hellman Python Demo
Forward Secrecy or PFS
Also known as Perfect Forward Secrecy

Perfect forward secrecy (PFS) is a cryptography feature that prevents
the compromise of session keys, even if long-term secrets are
compromised.

PFS is an encryption system that automatically and frequently changes
the keys used to encrypt and decrypt information. This ensures that if a
key is hacked, only a minimal amount of sensitive data is exposed.
How does PFS work?
PFS works by generating a new key value based on values supplied by both
parties in the exchange. Because each new key is dissimilar to previously
created keys, a third party can only use an intercepted key for a short time.
Main Weaknesses of the DH Algorithm
No auth, susceptible to the Man-in-the-Middle (MitM) attack
• The DH key exchange does not provide authentication
• Using DH alone, Bob and Alice cannot verify that they
are talking to each other
• Use certificates (TLS) to provide authentication

No Forward Secrecy when using static keys
• If keys are used over multiple sessions, the compromise of
the static private key can lead to compromise of all past
sessions. (Use DHE or ECDHE)
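
An added Python example (not the slide deck's own demo) of the Diffie-Hellman agreement described earlier, run with fresh ephemeral keys per session as the DHE advice above recommends. The modulus `P`, base `G` and the function names are assumptions for illustration; the modulus is far too small for real use, where standardized groups or elliptic curves are used.

```python
import hashlib
import secrets

P = 2**127 - 1  # a Mersenne prime; demo-sized only, far too small for real use
G = 3           # assumed public base for this example

def ephemeral_keypair():
    """Fresh private exponent and public value g^x mod p for one session."""
    while True:
        private = secrets.randbelow(P - 3) + 2   # 2 .. P-2
        public = pow(G, private, P)
        if 1 < public < P - 1:                   # skip degenerate values
            return private, public

def session_key(my_private, peer_public):
    """Combine own private value with the peer's public value, then hash."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def run_session():
    """One exchange: only the two public values cross the network."""
    a_priv, a_pub = ephemeral_keypair()   # Alice -> Bob: a_pub
    b_priv, b_pub = ephemeral_keypair()   # Bob -> Alice: b_pub
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)

if __name__ == "__main__":
    for n in (1, 2):
        alice_key, bob_key = run_session()
        print(f"session {n}: match={alice_key == bob_key} key={alice_key[:16]}...")
```

Each session discards its private values after use, so a key recovered from one session says nothing about another. Nothing here authenticates the peer, which is the gap the slide assigns to certificates.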
Ongoing Communication
• Consumes nearly all of the dialogues

• Message-by-Message Encryption
⚬ Nearly always uses symmetric key encryption
⚬ Already covered
⚬ Public key encryption is too inefficient

• Message-by-Message Authentication
⚬ Digital signatures
⚬ Message authentication codes (MACs)
PGP Web of Trust
CA’s (Certificate Authorities)

2023 Market share (source: BuiltWith, 2023)
X.509 Digital Certificate Fields
3.7: Digital certificate for Google.com
Verifying the Digital Certificate
Checking for Revocation
• Certificates may be revoked for improper
behavior or other reasons
• Revocation must be tested
• Cannot be done by looking at fields within the
certificate
• Receiver must check with the CA
Browser Cert Error Messages
Replay Attacks

• Capture and then retransmit an encrypted message later
• May have a desired effect
• Even if the attacker cannot read the message
Thwarting Replay Attacks
• Use time stamps
• Use sequence numbers
• Use nonces
⚬ A nonce is a unique randomly generated number placed in
each request message
⚬ Reflected in the response message
⚬ If a request arrives with a previously used nonce, it is
rejected
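
An added Python example (not from the original slides) of a receiver that applies two of the defenses listed above, time stamps and nonces, to HMAC-authenticated requests. The key, the 30-second window, the message layout and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"   # constructed shared key for this example
MAX_SKEW = 30                   # assumed acceptance window in seconds

def _tag(ts, nonce, body):
    """MAC covers timestamp and nonce too, so neither can be swapped out."""
    return hmac.new(KEY, f"{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()

def make_request(body, now):
    ts, nonce = int(now), secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "tag": _tag(ts, nonce, body)}

class Receiver:
    def __init__(self):
        self.seen = {}   # nonce -> timestamp of the request that used it

    def accept(self, req, now):
        if not hmac.compare_digest(_tag(req["ts"], req["nonce"], req["body"]), req["tag"]):
            return "reject: bad MAC"
        if abs(now - req["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"
        if req["nonce"] in self.seen:
            return "reject: nonce reused"
        # Nonces older than the window are covered by the timestamp check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[req["nonce"]] = req["ts"]
        return "accept"

def demo():
    t0 = 1_700_000_000          # constructed clock value
    rx = Receiver()
    req = make_request(b"transfer 100 to account 42", t0)
    forged = dict(req, body=b"transfer 900 to account 42")
    return [
        rx.accept(req, t0 + 1),      # first delivery
        rx.accept(req, t0 + 5),      # captured and resent inside the window
        rx.accept(req, t0 + 120),    # resent after the window has closed
        rx.accept(forged, t0 + 2),   # body changed without the key
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The time stamp bounds how long the receiver has to remember nonces: anything older than the window is rejected by age alone, so its nonce can be forgotten.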
Virtual Private Networks

Personal VPN - e.g., NordVPN, ExpressVPN
Remote Access VPN
Site-to-Site VPN
Real-world example of Site-to-site VPN
?’s

Information Systems, Statistics, and Management Science


Culverhouse College of Business
The University of Alabama
300 Alston Hall
Box 870226
205-348-8904
www.culverhouse.ua.edu
