00:01

So welcome to the session on unrestricted applications. Just the initial reminder that the bonus exam is tomorrow night, and I wish you good luck for that. OK, we have looked at all kinds of topics with

00:28

respect to cryptographic algorithms; we have long since passed these things here.

00:37

The look at RSA is already behind us.

00:43

Last time we looked at that, and I added these few new slides on perfect forward secrecy. The point was that it is interesting to have a cryptographic system which is not vulnerable to being attacked if a key is broken after some longer time, so if the long-term secret keys become known, if the cryptographic secrets get lost. This is what forward secrecy is about, and the Diffie-Hellman key exchange does not suffer from that problem. I

01:31

showed you that scheme, the Diffie-Hellman scheme, last time, and we looked at it. This is the principal scheme, the basic idea behind it, which is

01:42

wonderful, but that was all. What is

01:51

likely the explicit way of executing or constructing that is based on modular arithmetic on finite fields. I was a bit surprised that actually none of you knew about algebraic things like groups and fields and so on, and cyclic groups; there are a few extensions, but I hope that these few lines with information on what is behind that are sufficient to get some understanding of what is happening there. So essentially it is what you see in the basic theory behind groups. Then we

02:33

looked at the Diffie-Hellman key exchange, where the essential idea is that you have a group, you have a generator, which are openly known, which are public, and then you select some exponent, some multiple of the generator, and this value is made public, but the secret is just the exponent that you have to use in order to get that value. If the cyclic group is large enough, then it is difficult to find out which exponent actually has been used. And then I

03:19

also showed you, at the very end, how elliptic curves are used for that: cyclic groups on elliptic curves. I briefly introduced you to elliptic curves, where we have point addition: two points on the curve can be added, and this addition can be explained in a geometric way, where you have the line through P and Q, and the intersection point with the curve is then this point R, or sorry, the symmetric point minus R is actually the result of that sum. And then the interesting point is: here we are not, like in the original Diffie-Hellman, talking about elements of some cyclic group which was defined by a large prime number p, so that the elements that have to be operated on, if we compute those exponents of the generator, are very large numbers having a few thousand bits, and those operations are operations on a few thousand bits. Here we are talking about arithmetic on points, and the points again are defined, or the coordinates are the elements of a group again defined by such a p, but now we have two dimensions, and so the size of p can be much smaller than that, but since we have a two-dimensional scenario now, we get many more points, because we have on the order of p squared many points in there, and the elliptic curve is a subset of that. And so the arithmetic is much more efficient on those coordinates than before on the elements of a very large finite group. That is the central advantage if you

05:41

do it with elliptic curves. That

05:43

was this example I showed you, the comparison of the key lengths which guarantee a similar level of security: here we have a few hundred bits for elliptic curves, and you have several thousand bits for RSA or the original Diffie-Hellman cyclic groups that are just defined by some p. So this difference is due to the fact that you have a two-dimensional setting with elliptic curves, so this is a much more efficient setting, and that is the major,

06:25

major advantage of that. We then briefly looked at the fact that we have some problems if we have some attacker, the man in the middle of the protocol, and that was that;

06:43

we will come back to that problem in a moment. Then I introduced to you the Advanced Encryption Standard and showed you how it is operating: it is defined by the essential operations and the number of rounds, which are defined by that table here, so we have 10, 12 or 14 rounds depending on the size of the key that is used there. These operations are byte substitution, shift row, mix column; I explained those to you, which are all operations on some polynomial rings or groups over finite fields, and the major point is certainly that all the operations that are performed here have to be invertible, because we want to be able also to decrypt and not only to encrypt. Like this: the byte substitution is an algebraic operation on some field there, but it can just be done by looking up such a table; and then the cyclic shift is just a permutation of the entries of the intermediate ciphertext block; mix column again is an algebraic operation, which is just this vector-matrix multiplication; and finally the round key addition. The major point is how to generate the round key; I didn't give you a taste of that. It is defined in the key schedule, the key expansion, which is using the initial key and repeatedly modifies it in order to generate the round keys. And I think, yeah, this was the final slide: more information on AES is available, software for that is available, and so if you want to use that, all the information is there and you can just download that information and the software and use it. OK, so we went until the

09:12

last slide. So now we come to the next topic which we have to address. We have seen several ways of encrypting information, and one point is that we have always just divided our plaintext into blocks, and we just have block-wise encryption, so what we actually do is that we only encrypt our plaintext block by block, and that's it. What we actually want to have is a large degree of diffusion: we want to make sure that some information which is in this part here should influence, in some way, not just the ciphertext here, but should also influence the following ciphertext. Now it looks as if this is difficult if you have just a block-wise encryption, but these modes of operation, which are defined as we will see in a moment, achieve that in the following way. So this electronic codebook mode is just the standard way of applying a block cipher to some longer plaintext, and the problem is, if you do that, you have something like this. This is the

10:43

typical example for that: if you have a certain image and you would like to encrypt that. Since all of these bit blocks, in this case 128 bits, are encrypted independently of each other, if you have similar information in a bit block, then this is encrypted in the same way, and so the structure of some image that you have, for example, will appear again; in a certain, different way, but you still see the structure, because the same information here and the same information there is transferred in the same way. Certainly it is encrypted, but the structure is still visible, because you have no diffusion across those blocks. So in order to circumvent that, to prevent the possibility of actually using the information from the encrypted data, I think you

11:46

should try to modify that such that the encryption of one block actually influences the encryption of the other blocks. Then there are several questions, also requirements. One point is: do we actually have to encrypt and decrypt sequentially through the text, or can you do that in a stream-like way, or can you do that in parallel; can you speed up the encryption by doing parallel encryption? What is also interesting: if you have some initial file and you encrypt that, and later on you would like to decrypt only part of it. This is a typical scenario if you write something into an encrypted archive and you would like to retrieve just one part of your large archive; you don't want to decrypt the complete archive in order to be able to retrieve some part of that, but you would like to be able to retrieve that part from the encrypted data. But if all the rest influences what has been encrypted there, if it always has influenced the ciphertext, it may be difficult to decrypt that without decrypting all the remaining parts. And then the question is: if some bits of the ciphertext get corrupted, you transmit the ciphertext and a bit there is modified, and you decrypt, does this actually influence a very large area of the information, or is the influence limited? So in one way it should be possible to make sure that you don't have this penguin effect that I just showed, that you can see the structure of the original document, so the blocks should influence each other; but it should also be possible to restrict the influence that, for example, a corrupted bit has on the information that is retrievable. And also, if a complete block gets lost, something which might happen if you send something via UDP, for example, UDP is not a reliable protocol, you just send some blocks and then some get lost, what happens to the remaining ciphertext? Can you still decrypt that? These are the questions that have to be addressed if you design such a mode of

14:44

operation. So we are talking about large files, and one way of doing that is the so-called cipher block chaining mode. I should mention that there is a large variety of different modes of operation available; the ones that I show here are some standard ones, but if you look on the information pages, for example for AES, you will also find other modes of operation. I just want to show you some simple ones, just to give you an impression of what kind of topics have to be addressed if you choose a mode of operation. So here we have now the following: we modify the encryption in the following way. We XOR the first plaintext block with some initial vector of the same size, which has to be chosen in some random way; we XOR the two 128-bit blocks, so the plaintext is modified already, and then we apply AES and get the ciphertext block. This encrypted block is used for XORing with the next plaintext block, and then you apply AES again, and again you use the following ciphertext block to XOR the next plaintext block, and so on. If you continue that, obviously the information that you have in that first plaintext block will in some way influence all the other ciphertext blocks, because the result is XORed with the next plaintext block and then encrypted again, and so on, and so you have exactly the diffusion effect that we want. Obviously, if you look at the encryption, the encryption has to be done in a sequential way, block by block, because we want to have this diffusion effect. The question is, what about decryption? If you would like to decrypt this ciphertext block here, what do you need to decrypt that? You have to reverse the AES encryption; you can do that, then you have this value here, and what you have to do is XOR again with the same value that you used before, and that is just the neighbouring ciphertext block. So what you need for decryption is very simple: you just need two blocks of ciphertext in order to retrieve one plaintext block. And so you can do exactly what I told you: it is possible to retrieve just part of the information from the encrypted information. But the bits of one block always influence all of the following ones, so in this way we have a much higher diffusion effect than by just applying the codebook mode encryption to the individual blocks. So the initial vector certainly has to be transmitted; it also has to be used in the same way for decryption, because in order to decrypt that ciphertext you must know the initial vector, and then you can certainly retrieve all the remaining plaintext blocks, but without knowing the initial vector you cannot retrieve the first one. It is not that much of a problem; we could say, I always put something which is not that relevant into the first block, and then I can easily retrieve all the remaining blocks. OK. So in this way the parallelization of encryption is not possible, it is completely sequential; decryption can be parallelized, you can do all the decryption in a parallel way, very fast. And then, if you change bits in the ciphertext, what would happen? If you have a bit flip there, then you apply AES to decrypt; we know that AES is designed in a way such that the complete block after a bit flip will be changed, and so this will be changed completely, and so this plaintext block can no longer be retrieved from that ciphertext. But the influence on the next block is that at one position here you would have a change, so only one bit of the neighbouring block is modified in the plaintext, but the complete plaintext block in this block is modified. So the influence of that corruption is restricted, and this is actually a nice feature. OK, other ways of

20:59

doing that: cipher feedback mode. Again we have here this initial vector, and here this initial vector is initially encrypted with AES, and then it is just XORed with the plaintext. The plaintext is not directly encrypted with AES, but this initial vector is encrypted, and then we have the XOR, and then you can imagine how that continues: in this way we always apply AES to the next ciphertext block and XOR with the plaintext. So we just reverse the ordering between the XOR operation and the encryption operation compared to the previous one, compared to this.

21:58

We just reverse those two operations. That's the

22:05

cipher feedback mode, and so it has similar

22:09

characteristics as the previous one, the cipher block chaining mode. So here, if you would like to retrieve the information, if you would like to decrypt, how can you do that? You XOR with the same information as before, so you have to take that ciphertext, apply AES, and then you get the plaintext block again. So again similar characteristics as before.

22:52

Then we have the output feedback mode. There you have again that AES is applied to the initial vector, and the result is XORed with the plaintext, and then not the ciphertext is what is used for the next plaintext encryption, but the initial vector is encrypted again and XORed with the next plaintext. This is a completely different way: you don't encrypt the plaintext blocks with AES, but you encrypt the initial vector again and again and XOR it with the plaintext. So here, for example, you could have precomputed all the necessary encryptions of the initial vector and apply all of those XORs in a parallel way, but certainly these operations here have to be computed sequentially. And then, if a block gets lost here, then suddenly you don't know the position of that block in the sequence, in the sequential way of encrypting, and if you don't know the position of the block in the sequence, you don't know which of those encrypted initial vectors actually has to be applied. So this is one difference. And if you have one bit flip of the ciphertext here, certainly if you flip a bit there, it will only lead to a bit flip over there, but it is not modified more than that, because you just have the XOR operation. OK, so these are examples of the modes of operation, and it shows that although you have just the block-oriented encryption, you still can achieve some diffusion effect across the complete text information, which will prevent something like the penguin picture where you can see the structure from the encrypted version of your plaintext. OK, so in the

25:37

output feedback mode there is another problem, but this is a problem which only applies to a situation where the attacker is able to influence the sender in a way such that the sender sends the same text except for one bit which gets inserted into the text. So if you have one text here and you have another text, and you have inserted one bit at some position, if you know which bit, then you know that everything that has been XORed before is now moved one position to the right, and if you can achieve that, this is the same for all encryptions based just on XORing: if you can achieve that the plaintext is sent again but shifted by one position, then you can immediately, very easily, find out the original values of those bits that are XORed. This is something you can find out. OK, so all of

27:01

that stuff. OK, now this is all I wanted to tell you directly on encryption algorithms, how they work. Now we have to look at how the encryption is used in security protocols in order to be able to do something to prevent, for example, man-in-the-middle attacks. So here Alice sends a message to Bob, and Bob or somebody else would like to have a chance to check whether the contents have been modified or not. So Alice sends some document to Bob, it is sent somewhere here, and now the question is: is that still the same? So this is x, this is y, and the question is, is x equal to y or not? And if somebody else got hold of that document and modified an element of it, can we detect that? Can we add some information which allows us to actually check whether something has been modified? So a typical example is: Alice sends Bob an electronic cheque over 5 thousand euro, Bob just changes the amount to 50 thousand euro and goes to the bank; since this is an electronic cheque, the bank cannot see from the contents that something has been changed. But somehow this must be possible; you must be able to make sure that the bank can check whether the information on the cheque is correct or not. And the idea is, this is an almost safe method, because something is still missing, but the major idea is here, the first part of that idea: Alice uses some function f to compute a message digest, so she computes a certain amount of information, a message digest, some information which is computed from that document, and then sends both parts together, and afterwards Bob can check whether that digest that has been sent actually corresponds correctly to the file that Bob received. So in that case f(x) must be equal to f(y); if f(x) is equal to f(y), we assume that x and y are the same. Just one side remark that I already indicated: this digest usually will be much smaller in size than the document. Usually such a message digest would have something like 128 bits, or up to a few hundred bits, something in that range, whereas the documents would be or might have a few megabytes, and nevertheless, if those two documents have the same digest, we assume that they are the same. This is only possible if we have an adequate function f there. So we assume that d is the original value computed by Alice and that this here is the same as the value there. And how to achieve that? You could say it is the same problem again, because certainly somebody can easily interfere and modify both the document and the digest: just compute a new digest, send the new digest to Bob, and then that modification cannot be detected. Again in this example, the bank would not be able to check whether it is getting a modified digest and would think that the 50 thousand euro is correct. So now we have the

31:11

requirements on f. First of all, f should compress the contents of m significantly; as I said, quite often we have something around 128 or just a few hundred bits. Now if we have two different values m and m', different messages, they should have different digests with a high probability; at least we should say, if we have one element here and we have some environment there, some x', x'', x''' and so on, just slight changes, documents which are not that far away from the original document, all of those in the neighbourhood of m should lead to a different digest. It may well be that there is another document here, document y, which has the same digest as x; in particular if it is compressing the elements significantly, definitely many documents will be mapped onto the same digest, it has to be like that. So there will be many documents having the same digest, but it should be very difficult to compute exactly pairs of documents having the same digest; just the fact that there are two documents, or several documents, having the same digest does not mean that this does not allow us to check the validity of the document. Then, if you have the digest, it should be infeasible to compute a message m, or some m', having the same digest. You have the digest; can you in some way deduce what was the input? Certainly not from a few 128 bits, if the document had several kilobits or megabits. And if you have m and f(m), if you have the digest of the document, it should be infeasible, very difficult or expensive, to compute a message m' different from m having the same digest. So you could try to just modify the document in some way to find one which has the same digest value as the original one. So these are the essential requirements on a so-called one-way hash function. It is not that one has a function which completely satisfies these, but it should satisfy those requirements as much as possible. These one-way hash functions have different names; sometimes they are called compression functions, contraction functions, cryptographic checksums, message integrity checks, and so on. If you remember, on the TCP/IP headers we had the checksums; in some way checksums are a way of checking whether something has been modified, but those simple addition schemes don't satisfy these requirements. So how can you use

35:07

those hash functions? You check the identity of documents, for example against transmission errors or for file downloads, you want to store passwords, or digital signatures. For file downloads you just use the hash; if you want to store passwords, you also use hash functions for making sure that nothing bad happens. And one point is to use digital signatures; that is the major application that we will look at. Digital signatures will actually then provide a means to check whether a document has been modified or not. Then, what kind of attacks are possible against those one-way hash functions? So-called preimage generation: you just find another document with the same hash value. As I said, this is possible in principle, but it should be very difficult. If you manage to have that, you could combine the new document with the signature of the old document. This only makes sense if you have an interest in the content of the modified document, of this other document; if it is of no value for you, certainly you would not use that attack, but if you can manage that there is some content in the document which you would like to pretend to be the original content, then there is a problem. Generate a collision:

36:57

generate two documents with the same hash value but different content; you get one of the documents signed and use the signature on the other document, because if you have those two documents, all you have to do is to show only one version. So this is something which you can do in order to generate a collision in that way; I think I will come back to that in a moment. The third way here is a display attack. So on your computer you have a certain text; you, as the person who is signing that, look at that document and say OK, that is what I would like to send to some other person, and that person displays the content and it looks very different but still has the same signature, correctly. The point is: this is just showing the content of some document on the screen, so we assume that this here is just some screen, you have your document, and this document is a PDF document. You can modify the PDF code of a document and just make sure that it will display different content at different dates, on different IPs, whatever you like, because you can insert code, PDF code, that has some test and displays things depending on the values of some parameters. And so in this way, if you have the PDF code, you can just make sure that some person who signs something just signs a cheque with 5 thousand euro, and if it is displayed to the bank it is shown as 50 thousand euro, but the PDF has been signed, this has been signed with some message digest, it has that message digest, and this digest certainly is true for both visualisations, because it is the PDF document behind them that has been signed. So you have to be very careful if you sign something; you have to know what you actually sign. We know that usually we don't care about these things, because we assume that this is exactly the same text as somebody else will see, but there is a simple way of modifying that. The worst thing, by the way, is that there are some schemes which still give the impression as if you would actually have some security. So for example at KIT, if you generate your transcript, the statement of your current marks, then it is associated with a message digest over the document, with a code, and this code, the fingerprint of that document, is printed on that document, directly on the PDF version of the document. And now somebody else looks at that, you have this code here, and you can send this code to KIT; they would check whether this document is correct, but they only give you back the information that, since you know that code, you must have looked at this document here, and this document with that code has been generated at a certain date by that computer. But it is very simple to modify the content of the PDF file directly and not modify the code, and then they cannot check whether it is still the same document. So this is a very simple way of modifying the content of such a transcript, and if you just apply the method used here, in our service department they have no way of checking these changes, because the code just states: a document like this has been generated. So it can only be assumed that nobody has modified this; they would have to do more than that, they would at least have to check whether the document where you took that code from is still the same as the one that has been sent, so they would have to look at this document and not just at the code. This shows how difficult it is to actually do something in a secure way. Now, this statement here: I don't know whether you know about the birthday paradox. Currently there are too few people in this room, but if there are more people in a room, then usually it is a random sample, and now the birthday paradox is the following: you have 23 randomly chosen people, then the probability that there are two people having the same birthday is greater than 50%. Of the 365 possible dates of the year where you could have your birthday, just take a sample of 23 people, and the probability that you have a collision with respect to the birthday is more than 50%. I find that surprising, and it is called a paradox because other people also find that surprising: that you just need a very small random sample and the probability of a collision is really high. And it shows that even if you have a large set of potential elements that should be different, if you use these hash functions the probability of a collision is quite high. So there is a problem; everybody knows about those problems, and so one has to try to make those hash functions as secure as possible, but you have to be aware of the risks that are associated with that. Now, you know very well

44:29

that there are quite a few one-way hash functions. One is MD5, one of the standard functions that is used, although there are some successors of that meanwhile; a message digest function, obviously not the first one, it has the number 5. Here the idea is: you have a message of a certain length and you would like to compute the hash value of this by the one-way hash function, or message digest. First of all, you extend that into a multiple of 512 bits; if it is not a multiple of 512 bits you just add some values there, and then you also insert here the value K in 64 bits, because you have to know what the length of the message actually is. And then this message is hashed in the following way: you take the first 512 bits from that long message and apply a certain scheme; that is the major content, the core of the MD5 algorithm. I don't go into the details of that box here, it is a black box here, but 512 bits go in, 128 bits come out, and you have an initial vector again, as we had in the modes of operation. So you have four 32-bit parts in those 128 bits, and here you have sixteen 32-bit parts in those 512 bits, and they are combined with a number of arithmetic operations, bit operations, to actually generate again 128 bits. They are combined with the next 512 bits, and this is continued until you finally get this 128-bit digest. So in this way, by applying the same scheme, this yellow box here is applied to all of the intermediate values and the next 512 bits, and then you have your final digest. So this has been designed in a certain way; I don't have time to go into the details, but I wanted to show you the general structure of that algorithm, and certainly the strength, the way this actually satisfies the requirements for one-way hash functions, is inside that yellow box. You can look it up in the literature, but this is too much for this

47:40

course. An alternative to that is SHA, the Secure Hash Algorithm. There is a lot of text on this slide because this is quite a large family of algorithms, starting from SHA-0, as you can see here, and these, SHA-224, 384, 512, indicate the size of the digest that in the end is actually created. They are related to MD5 also, but are different. What I should say about this slide is that essentially SHA-1 is no longer the one which should be used, but SHA-1 generates a digest of 160 bits, not of 128 as MD5, 160 bits. You can also use those which have even more bits, and certainly the more bits you have, the stronger the digest actually is with respect to checking the contents of the document; it is not as fast. And it is part of the Digital Signature Algorithm, which is the recommended algorithm for the Digital Signature Standard that is recommended, in this case, by the American authorities; you can use any other digital signature algorithm, the scheme for that I will show you in a moment. Now, both MD5 and SHA, those versions there, have been considered to be insufficient, because people managed to generate collisions in a systematic way, and so, as for the cryptographic algorithms for the encryption standard, a competition has been run. The description is on that page here; this is just briefly repeating what has happened there. There were 64 submissions which were tested, then a consolidation started, then they had 14 candidates in 2009 for the next round; 5 of those made it to round 3; 2009 was the second round, the winner was proclaimed in 2012, and only last August the final standard has been published, has been released. So this FIPS 202 is the new SHA-3, the new Secure Hash Algorithm, and the details you can look up in that document. As I said, the details of the message digests are beyond the scope of

51:02

this talk. You just have to know there are these algorithms that have specific schemes, systematic schemes, of generating those digests, and you have to be aware of possible vulnerabilities and check the appropriate pages of the institutions which are monitoring what's happening with those. And now we come to the digital signature. Obviously it is not sufficient to have a one-way hash function, because anybody could change the message into a new message, just compute the new digest and send that new digest along with the document, and then the recipient would just see the correct digest but has no information on the original digest. Now you have to think about the original meaning of a real signature: if we have a document and we sign that document, it means that since there is my signature on the document, I state that I have read that document, everything which is written on that document, on that piece of paper, is correct, and I certify that it is correct by signing it with my name. So it identifies a person by my signature, which is unique, and it also has this interpretation that, since I have signed that, I state that I have checked the content, and I would not have signed if the content was modified. Now if somebody would just modify that document at some point, this would be visible on the piece of paper; it's visible that something is changed, so as soon as you make a change, some corrections on the signed document, you need a signature again to show that this correction is also valid, otherwise the document is invalidated and the signature has no meaning anymore. So this is really what a signature does: it transforms a piece of text into a document with certified contents, and it is connected to a certain person, and these 2 aspects must be inside a digital signature. And if you just have this identification of a person, just the signature, but no relationship, no connection to the
content of the document, it doesn't make sense, since in a digital document you obviously cannot see a certain correction or some modifications; you have to do something about that. But what we have just seen was the message digest, which allows to check whether something has been changed, and what was missing there was the identification, the relation, the connection to a person. And now we know this scheme which allows to actually, in some way, identify or connect a document with the person, because that person might have a secret key of an asymmetric encryption, and if that person has a secret key, this secret key is in some way identifying that person. And so what we do in a digital signature is that first of all we compute the message digest, so we have that document, we compute the digest, and then Alice takes that digest and encrypts it with her secret key; then she gets this sigma, the signature. It's the encrypted message digest, encrypted with the secret key, and everybody else can check it; how can I use that encrypted message digest? In the following way: Bob receives a document, computes the digest, and then takes this sigma, the encrypted digest, uses the public key of Alice to decrypt it, and if the result of that decryption is the same as this one, the digest he computed himself, so this is the decrypted one, and if those 2 are exactly the same, then it must have been the same document. He knows this decrypted message digest has been generated by Alice, or at least by somebody knowing the secret key of Alice; we can only check whether the secret key has been used, we cannot check whether Alice has done that, but you can check whether the secret key has been used. And to find out whether there is a change in the document, just compare the results. So this way the digital signature sigma has those 2 functions: it connects the person to the signature, and the document to the signature; the person via the secret key, the document by this message digest. So as long as the private key remains secret, neither can
Alice deny it, nor can Bob pretend to have received a different message. So this is why we need a certificate which allows us to check whether the document actually is the original. But the problem is, first of all, the private key has to remain secret; this is under the responsibility of Alice. But how can Bob check? He needs the public key, so we must know what the public key actually is, and that this is the proper key and not somebody else's public key, and so you need a certificate on the validity of the public key. Immediately you see that this is some recursive way of requesting certificates; you have to do something about that, this is

58:22

this man-in-the-middle attack. I mentioned that already for the Diffie-Hellman, but certainly you have that also here for this problem. I have said that the private key has to remain secret; Bob uses the public key, and vice versa, that has to be done also. So the attacker could just intercept; I think I have it here, you see exactly what he can do. Alice sends a message with the digital signature; Edgar could do the following: he could just take that document, use the public key of Alice, and actually he doesn't need that public key; he just generates a new document, generates his own hash value, uses his own secret key to generate a signature, and sends both to Bob, and certainly he has to pretend that the key he sends actually is the same, that it is Alice's public key. And Bob actually uses the public key that Edgar sent, Edgar's public key, which he claims is the same as Alice's public key; so here Bob uses the public key of Edgar, and Edgar has stated this is Alice's public key, and then Bob thinks that this document was correct. You must make sure that the public key of Alice actually can be transmitted in a secure way, so that nobody can forge that. So you need again some statement on the validity of that public key, since Edgar can manipulate a communication without anyone noticing anything, and so this has to be taken care of. So what we need is a

1:00:33

way of preventing the man-in-the-middle attack, and 1 way of doing that is public key infrastructure, PKI, public key infrastructure, which is based on certificates on the validity of the public key. So you have a certification authority, some CA, an officially appointed institution which guarantees the correctness of public keys; that means the association of keys with persons. So what does this certification authority do? It generates its key certificate; that's information on a person's public key. So you have some document; this has a number of different entries: 1 is the public key, and some other information, which person is that, also what is the period of validity, like the time where this key actually is valid; usually they have some expiration date, some limited validity, limited time. This is actually stated in the relevant digital signature laws, what kind of information has to be in such a certificate, and the most important part certainly is the digital signature on this certificate, using the secret key of the certification authority. That means that again you need a public key of that certification authority; you must have a trusted copy of that public key, or you need a way of checking the correctness. So you want to check the correctness of that certificate; here is again a certificate, you have to check that, and so on. So in some way there must be a so-called root of trust starting the certificates, and if you usually have a certificate chain, you need 1 root of trust, meaning I know that this is the correct public key, and then you can sequentially verify whether all other certificates actually have been correct. And you can get some attribute certificate; that's additional information on the person having a key certificate, so that you have the information you need about that public key. Now the public key of a CA may be certified by a next-level CA;
we have different levels for that, so you have some CA here, and then you might have several of them, CA prime, double prime and so on. For example, the SCC, the Computing Center, is a certification authority, and they are certified by the national authority; that's the root of trust in Germany, the national certification authority, and they issue public keys for that, and it also has some certification with some certification authority, and things like that. So another way would be to just have a trusted person. So what you need, as I said, is in some way the root of the whole process, so this root of trust can be such a certification authority, but it can also be just a trusted person. If I know exactly your trusted key, your public key, just handed over to me, and we can trust that the way of transmitting the public key is OK, then I know that this is your public key. Now if you know somebody's public key, and you get some certificate which is signed by that person, you can check the validity of that certificate, because you have a trusted public key, and so in this way you get another public key which is trusted, and then you already have two trusted keys, two trusted public keys. This way this can spread in a self-organized way: you can receive a certificate of a key, and if the signature on that is the signature of a person where you have a trusted public key, then you can check the validity of the certificate again, and this is used in the web of trust in Pretty Good Privacy, which is a software package for having a self-organized web of trust: you start with some initial trust, and then you can deduce trust from that. As I said, trust must be based on some verifiable information, this root of trust, and in Germany we have this legislation for that; there's a digital signature legislation, that's from 1997, this was signed just a few years before
that there were strong discussions around that legislation, strong discussions in the Parliament, whether 1 should actually allow strong cryptography at all. I mentioned that in the beginning of this course already, because people were afraid of criminals who would just encrypt all their messages, and this should be prevented; but as we know, encryption is not the only way of hiding information. In Europe there were some rather more regulations for signatures; actually the German signature law is a very sophisticated signature law, very technical, having high requirements, and so it took a long time before actually real digital signatures of the highest levels were available, so there was an updated legislation three years later. It's interesting to look at that; we will see that you have 3 levels of signatures. The 1 that you actually need is the quality of the highest number, the qualified signature, where also the devices on which you actually generate a signature have to be certified, because if you are just using some standard computer, something might interfere between the keyboard and the computer and do different things than what you think you would do; what you see on the display may be a different document than the 1 that you have signed; things like that can happen if you look at possible attackers. OK, I just

1:08:27

mentioned Pretty Good Privacy, PGP, the package that has been designed in the States in the eighties, nineties; in '91 it was published, and it was a response to all these strong attempts by the government to control cryptography, to have a copy of every secret key, and so everybody should be able to send confidential messages by e-mail independent of the state's supervision. And so the original version uses the methods that were available at that time; meanwhile the modern algorithms are in there, and it runs on many operating systems, can be used as a plug-in into your browsers; it's freely available. If you go to that website you will notice that in the news section of that website, somewhere at the beginning of this century, 2002, 2003, are the latest updates there, but definitely you can still get PGP, you can download it from that site, and there are newer versions available if you just look for PGP for whatever platform, for Microsoft, for Windows, for commercial use, whatever you would like to have. It is available for private use; if you have commercial use then you have to pay for it. And it offers all kinds of functions: encryption, decryption, digital signatures, also compression, Radix-64 conversion, that's something which is done to prevent that in the ciphertext some parts might be interpreted as control characters, leading to unwanted effects when you transmit such a document; message segmentation is also done automatically if some e-mail service or services don't accept messages of arbitrary size, so large documents are split into several documents, and things like that. And certainly keys have to be generated also, so PGP also generates a key pair, private key, public key; it generates session keys for the symmetric algorithms. So all the things that we would like to do with it, I indicated already we would like to use
symmetric methods on large documents and send the session keys encrypted with RSA; all the elements that

1:11:28

make all this work are supported, and

1:11:31

now the question is how does it actually work. Every user has to put in her own pass-phrase; if you start using that, you have to put in some phrase that is used to generate the private key. So using MD5, PGP generates from that pass-phrase a 128-bit key; this key is used to encrypt the private RSA key, here said using IDEA; that may have been changed meanwhile, so that's just showing what things you have to do. The important point is that the private RSA key is not stored directly, but it is stored encrypted, so even if somebody gets that stored object, you need to know the key for that symmetric encryption in order to get the private key. How are those keys generated? You first of all generate randomness; this can be supported by the user just typing in arbitrary text characters, so for some time just use the keyboard in some way, and then this sequence of characters that you have typed in, and the time you have in between hitting the keys, all this information is used to generate some random value. You know that you have to find large prime numbers for RSA, for example, so random prime numbers are chosen, so you have to check whether the numbers that you choose actually are prime numbers. For that, as I said, they generate the numbers using the generated randomness, and then they test for divisibility by small primes, and after that they use 5 random tests with Fermat's little theorem; that's essentially what I showed you as the algorithm for primality testing. Here they use 5 random tests and just look at them; they don't use exactly the Miller-Rabin, and they assume that that is sufficient; it is slightly weaker than the Miller-Rabin. And the public key should have at least 5 bits; you remember that you can have keys, 1 key you can choose, plus the value that is prime with respect to (p minus 1)
times (q minus 1), so that the GCD is 1, and then the other key, the private key, as you know, is determined by the extended Euclidean algorithm

1:14:45

and so the public key here is chosen in a way such that it is not too large; then you have your private key, which is some large value. You can certainly select the size of the keys if you would like to; so the key size nowadays should be something around 4 thousand bits, at least 1 thousand bits, and then you have

1:15:16

to administer your RSA keys; you can certify the keys. You have to say, I have it signed by some certified public key, now go by the web of trust; in some way you need some certified public key, they can sign your key with that, I have it signed by the web of trust, and then this is a dynamically generated institution in some way. But the other way certainly, you could also say I just have my keys signed by a Certification Authority, and then you would have the root of trust which is actually the legally certified institution. So with PGP, every PGP user has her public key signed by other trusted persons and passes it on together with the signatures. Now if Alice adds Bob's public key, PGP would ask whether you acknowledge key certificates with Bob's signature, and Alice's PGP system might say OK, if I trust always what she says. And this actually says whether she trusts always or sometimes, she doesn't have complete trust, she does not trust because she knows that it is corrupted, or she doesn't know and has no trust information. And then if an unknown key is signed by some person where we have a public key value with a level 1 signature, that means a signature from a person where Alice always trusts signatures from that person, then you trust it. And now in the keys there may be signatures from persons whom you trust sometimes; now you could say, if I have two certificates, two signatures on the public key from persons whom I trust sometimes, since they both signed, I say I trust it. And so it shows that this is an interesting topic: how can you actually make operations on trust values? What do you deduce from partial trust? If you have just that 1 statement where you have partial trust, don't trust that; if you have several statements which agree, and for all of those authors of those statements you say I have partial trust, then since they all state the same, you can say OK, if they all state the same, since I have partial
trust across them, I trust that. So the other things available: you can have a fingerprint; you can generate a hash value of your public key, that's of smaller size, and then you can just check also the fingerprint

1:18:37

of the public key. So there are several ways that you can actually look at the public keys in PGP, and

1:18:47

then certainly symmetric methods are used for PGP in a standard way; they use some mode of operation, in this case the CFB mode, and they use new session keys for every encryption, and the session key is RSA-encrypted with the receiver's public key. We know that, but this way then you can exchange the session key and you can use that in the communication protocol that we indicated already in a preliminary way. The advantage of PGP over other packages is that there is no public certification authority for keys; this is completely self-organized, and this is in contrast to Privacy Enhanced Mail, PEM, 1 of those standards which is also around. Independent of public legislation, freely available, you can just use it for secret communication, so it is important for privacy protection. But the problem is, if you want to use that for commercial purposes, usually you would like to have something which is legally binding. Certainly it is like, if you lose a key, if somebody gets at your key pair, now he knows your key pair, and this is still around in the system; you cannot say this key pair is no longer valid, this is a statement which is not integrated into that PGP system, there's no limited-time validity and so on. This is a problem of PGP, and certainly without a legally accepted certification authority as a root of trust, the signatures that you generate with PGP are not legally binding, because to have something which is legally binding, that you can go to court with, you need a legally certified root of trust, you need this certificate chain, and if you have that, everything is fine. So if in your web of trust there is this root of trust, a certification authority, everything is fine, but if you don't have that, you have some level of security, but only with respect to your web of trust and not with respect to a legal situation.

1:21:39

so the summary for our protocol for confidential communication: this standard protocol which is written here, and it is displayed on the next slide, so you can use what I have on the next slide and what is written here, these statements. You can certainly also use Diffie-Hellman for the exchange of session keys; this scheme, as I say, uses RSA or some asymmetric method to transfer, to encrypt, the session key, so that it can be decrypted again afterwards

1:22:23

I would like to show you this final protocol, and this way we have Alice and Bob; they want to exchange messages, and Alice wants to send a message, but she has to do all this which is written here, it is explained on the previous slide. Here the message, generate the digest; certainly you have to make that hash function public; she uses her secret key to encrypt the digest to get the signature; she uses this random session key to encrypt the message, and then she has to use Bob's public key retrieved from his certificate; she has to use that public key of Bob to encrypt the session key. And you have the hidden session key, you have the encrypted message and you have the digital signature; all 3 components are sent to Bob. And now Bob certainly also gets Alice's key certificate, a certificate on the validity of her public key; from that he can retrieve the public key, he can use the public key to retrieve the original digest, he can use his own secret key to decrypt the session key, he can decrypt the message using this decrypted session key, and then he can generate a message digest from that decrypted document and he can check whether both digests are the same, because if somebody modified that document, this is different, the message would be different, the digest would be different from the 1 that Alice sent. And this is a rather secure protocol; certainly it depends on the public key infrastructure. And so what we have now is authenticity, so that requires the use of private keys by Bob and by Alice; Alice has to use her private key to generate that signature, so she must have sent that document; Bob has to use his secret key to decrypt the session key, so only he can decrypt the message; he cannot deny that he has received that message. So this is authenticity; then we have integrity: the digital signature requires the use of the private key, and so we can check whether this
is actually the digest originally sent by Alice; we have exactly that feature that the signature connects the person and the document content to the signature. And confidentiality: by using this session key we have confidential communication. And so this is a communication scheme which is actually used in many scenarios meanwhile, as the way how you can communicate in a secure way, based on the assumption that the public key certificates are not modifiable, so that you have a secure public key infrastructure. OK, that's the

1:26:09

end of this chapter on cryptographic algorithms. So I may just note that we have just 3 more weeks of this term; it comes running very fast, and next time I will present something on payment protocols and also show something on the Internet of Energy, and there maybe I have to take out a few things, but that's it for today.