- By
**marin** - Follow User

- 172 Views
- Uploaded on

Download Presentation
## Cryptography in .Net

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Cryptography in .Net

CS 795

Goals

- Confidentiality---no one else can intercept a message as it passes from A to B---Encryption is the answer
- Integrity---message is not tampered as it passes from A to B --- Hashing is the answer
- Authentication---B wants to be sure to be sure it is A who has sent the message---digital signature is the answer
- Cryptography is key management

Hashing Algorithms

- Create a message digest or hash code for a given message
- Hashing algorithms break a message into fixed blocks (512 or 1024 bits)
- Given a seed value and the 1st block, it produces a hash code. This hash code and the next block are fed again, that produce a new hash code. This continues until the last data block. The final hash code is the message digest.

Programming Hashing Algorithms

- Managed (e.g., SHA1Managed) and unmanaged (e.g., SHA1CryptoServiceProvider)
- System.Security.Cryptography.HashAlgorithm class: Methods: Create, ComputeHash, Initialize, Clear, TransformBlock,

SHA1Managed hash_alg = new SHA1Managed();

Or

hashAlgorithm hash_alg = HashAlgorithm.Create(“SHA1”);

byte[ ] hash_code = hash_alg.ComputeHash(message_data);

To validate hash code, generate a new hash code and compare byte-by-byte.

Keyed Hashing Algorithms (MAC)

- These mix a secret key with the message data blocks when creating a hash code.
- HMAC is one standard to combine secret key and message data (e.g., HMAC-SHA-1)---here the key is used as the 1st data block
- HMAC-SHA-1 and MAC-Triple-DES

KeyedHashAlgorithm hash_alg = KeyedHahAlgorithm.Create(“HMACSHA1”);

Hash_alg.Key = key_bytes;

byte [ ] hash_code = hasg_alg.ComputeHash(message_data);

Symmetric Encryption

- Both parties agree on a secret key
- Sender encrypts the message using secret key and sends the encrypted data
- Receiver decrypts the received data using the secret key
- To create encrypted data: (i) Data is treated as a number of fixed-size blocks
- (ii) The fixed-size blocks are converted to encrypted blocks

Programming Symmetric Encryption

- System.Security.SymmetricAlgorithm
- Managed (DES, TripleDES, RC2, Rijndeal) and unmanaged (DESCryptoServiceProvider, TripleDESCryptoServiceProvider…)
- Methods: Create, CreateEncryptor, CreateDecryptor, GenerateIV, ValidKeySize
- Padding mode: PKCS7 (value of the padding byte is the numbe rof padded bytes); Zeros (0’s are padded)
- Cipher Modes: ECB, CBC, CFB, CTS, OFB
- KeySizes structure: MinSize, SkipSize, MaxSize of the range of key sizes
- IV: Initialization vector; .Net Framework has some default value for it; but it can be changed
- Secret key: Same as in the case of IV

Configuring the Symmetric Encryption Algorithms

SymmetricAlgorithm algx = SymmetricAlgorithm.Create(“Rijndael”);

//This assigns default values to the parameters; but they may be changed as follows

algx.BlockSize = 192;

algx.KeySize = 128;

KeySizes[ ] x_size_ranges = algx.LegalKeySizes;

Console.WriteLine(x_size_ranges[0].MinSize);

algx.Padding = PaddingMode.Zeros;

algx.Mode = CipherMode.ECB;

byte[ ] x_secretkey = algx.Key; // Get the secret key value assigned

algx.Key = new byte[ ] {0x64, …..};

algx.IV = new bytes[ ] {…};

Symmetric Encryption (Cont.)

- Encrypting and Decrypting is done by ICryptoTransform interface

SymmetricAlgorithm algx = SymmetricAlgorithm.Create(“Rijndael”);

ICryptoTransform encryptorx = algx.CreateEncryptor();

ICryptoTransform decryptorx = algx.CreateDecryptor();

See pages 356-358 have an example

Asymmetric Encryption

- Public-key encryption
- A has a public-secret (or private) key pair
- B has a public-secret (or private) key pair
- A encrypts a message using B’s public key and sends it to B
- B uses corresponding secret key to decrypt it
- Main limitation: Very slow relative to symmetric encryption

Creating Asymmetric Keys

- RSA (Rivest, Shamir, Adleman, 1977)
- Algorithm:
- Choose two large random #s, p and q, of equal length and multiply them together to create n, the RSA key modulus: n=p*q; If p=23, q=31, n=713
- Randomly choose e, the public exponent so that e and (p-1)(q-1) are relatively prime (i.e., share no common factors except 1). In the above, (p-1)(q-1)=660; choose e=19
- Find d such that d*e = 1 mod (p-1)(q-1)

19d= 1 mod 660; So 19d=661, 1321, 1981, 2641, .. Here, d=2641/19=139

4. Public key consists of e and n. Private key is d. Discard p and q, but do not reveal their values.

Why is RSA algorithm secure? Because it is hard to find the factors of a large number.

Here, we are given n. So we have to find factors p and q so that n=p*q

Encryption (with asymmetric keys)

- Break the plaintext into small blocks of data
- Encrypt each plaintext block using the public key and the encryption function
- Concatenate the encrypted blocks
- Length of block = trunc[(length of n in the public key -1)/8]
- RSA Algorithm
- Example: Encryption: If m= 25, (n=713,e=19) as the public key, c=(me)mod n

= (2519)mod 713 = 156

Decryption: c=156, use private key (n=713, d=139), compute m = cd (mod n) = 156139 mod 713 =

How secure is Asymmetric Encryption?

Given only the public key e and n, how many computations does it take to discover the private key d?

Once we know factors p and q, it is relatively easy to calculate d, and decrypt cipher text. So the secret is in the values d,p, and q.

Programming Asymmetric Encryption

- System.Security.Cryptography.AsymmetricAlgorithm
- System.Security.Cryptography.RSA
- System.Security.Cryptography.RSACryptoServiceProvider

Digital Signatures

- Purpose: For receiver to verify the sender (or author)
- Use asymmetric keys
- Sender signs the message; receiver verifies it

A generates a digital signature on a message using its private key;

B receives the message and the signature;

B uses A’s public key to verify the and that the content has not been changed

Due to the slow performance of the asymmetric algorithms, A first creates a cryptographic hash code of the message and then applies the signature algorithm on the hash code.

Joint signatures on a document

RSA Algorithm for DS

Digital signing

Sender A does the following:-

- Creates a message digest (hash code) of the information to be sent.
- Represents this digest as an integer m between 0 and n-1.
- Uses her private key (n, d) to compute the signature s = m^d mod n.
- Sends this signature s to the recipient, B.

Signature verification

Recipient B does the following:-

- Uses sender A's public key (n, e) to compute integer v = s^e mod n.
- Extracts the message digest from this integer.
- Independently computes the message digest (hash code) of the information that has been signed.
- If both message digests are identical, the signature is valid.

DS and Encryption/Decryption

- Decryption and signing are identical as far as the mathematics is concerned as both use the private key.
- Similarly, encryption and verification both use the same mathematical operation with the public key.
- That is, mathematically, m = (m^e mod n)^d mod n = (m^d mod n)^e mod n, m < n
- However, note these important differences in implementation:-
- The signature is derived from a message digest of the original information. The recipient will need to follow exactly the same process to derive the message digest, using an identical set of data.
- The recommended methods for deriving the representative integers are different for encryption and signing (encryption involves random padding, but signing uses the same padding each time).

DS Algorithms in .Net

- RSA algorithm (used for encryption and digital signatures)
- DSA or Digital Signature Algorithm (only digital signature, not encryption)
- Hashing algorithms to be used prior to digital signature generation:
- MD5, SHA-1, SHA-256 (minimum key length 256 bit ), SHA-384, SHA-512
- http://en.wikipedia.org/wiki/SHA_hash_functions

XML Signatures

- .Net supports XML signatures specification or XMLDSIG for XML documents

<book>

<title> Programming .Net Security </title>

<author>Adam Freeman </author>

<year>2004</year>

</book>

- Create a URL reference for the document (page 414, O’Reilly)
- Create a new instance of the SignedXML class and the URL reference;
- Create a new asymmetric signing algorithm instance and assign it to the reference object created along with all other parameters (signing key, etc.)
- Call ComputeSignature on the reference object.
- Use GetXml().OuterXml to get the signature.

Follow similar procedure for verification of the signature.

Performance of web services security

- Performance Comparison: Security Design Choices

Download Presentation

Connecting to Server..