 So to recap on hash functions. We have some function that takes some usually arbitrary size input any length input M And it produces a fixed size usually small Output H the hash value and we said about some of the properties The two main things that we care about is the one-way property and collision-free property That is this function to use it for security purposes Depending on how we're going to use it, but two properties of interest one is that it should be easy to Take the hash of a message But it should be hard to calculate that message from the hash That's the one-way property Going one way using the function is easy going the opposite way calculating the inverse of the function should be hard Hard in terms of it would take forever to do it That's what we mean by hard in this case computationally infeasible and Another property is that We know that if we have an input which is larger than the output If the length of the input is larger than the length of the output then there are possible inputs that will put map to the same output So we know in theory there may be collisions. That is two different inputs produce the same hash value But in practice for security reasons, we we require the collision-free property It's not that there will not be collisions. It's that it will be very hard to find two messages that will produce a collision from The security of the algorithm we require that for an attacker It's practically impossible them for them to find two messages that do map to the same hash value We know there are messages that map to the same hash value There must be but finding them should be hard and That's we'll see the role of that those two properties when we see hash functions used in different security mechanisms hash functions are used in in different places We will see in today will see them used in digital signatures for authentication So like signing something to prove that it came from you but using on on on digital data and in When we finish this topic eventually we'll move on to user authentication like storing passwords and again We'll see hash functions arise there and they have different property requirements But we'll see hash functions are used in a number of different security mechanisms so We're not going to go into details of how the functions work This is Just one example That we can use hash functions for authentication by combining it with Symmetric key encryption and the example shows that the way to read this diagram is we take a message M so on the the sender on the Left side has a message M and they want to send that to the receiver B And they want B to be able to be sure that nothing's been modified along the way and that it actually came from the sender A and We went through a procedure last week where we can do that just with symmetric key encryption Just by encrypting the message but another alternative is to take a hash of the message So here we have this function H uppercase H We take the message take a hash of the message and instead of encrypting the entire message We encrypt the hash value so we apply our encryption function E Taking a shared secret key K and Encrypt the hash value What is this operator? Anyone No, the one with the two bars there what operator Pause no Any other attempts Concatenate we usually use that to join two things so we're talking about sending messages The the way to read this diagram is that we this is happening at the source user Concatenate is to take we take the message M We apply a function on M So we take the hash of M the output of this hash function will be the hash value and an important Practical characteristic here is the M. Maybe the message M may be very large Maybe it's a 10 megabyte file when we take the hash of the message We get a short fixed size hash value as output maybe 128-bit hash value So we only encrypt the hash value So that has some practical benefits because encrypting in small things is much faster than encrypting large files So rather than encrypting the entire file. We just encrypt the hash value using a shared secret key K and We take the encrypted hash value and Attach it to the message Join them together concatenate is that operation and send both of them across the network to be So what does be received they receive this so it's really spinning to two parts one is the original message and Two they receive the hash of that message, but encrypted with a key K The purpose of this scheme is authentication What B does is they want to check is the message that I receive correct By correct I mean has it been modified along the way and did it come from a or did it come from someone pretending to be a he wants to know whether something's been changed and how it checks is that It takes the received message M Calculates the hash of that using the same hash function that I used and Takes the received second part this encrypted part decrypts it using the same key K and Then they compare the results and if they are the same B accepts this message it assumes nothing's gone wrong if they are different then assume something's gone wrong And it doesn't trust the message First a simple question Does this scheme provide? Confidentiality what is confidentiality keep your message secret does this scheme provide confidentiality? No, why not? The message itself is not encrypted in this case So this is not intended to keep the message secret This is only intended to for the receiver B to detect Whether something's gone wrong in the communications. It doesn't matter if someone sees the message and often we need that as a service That is we don't care if someone sees the message I just care that the message I receive is in fact the one that was sent So the message is not encrypted. So there's no confidentiality How could an attacker modify the message and it go undetected at the receiver? What could the attacker do? Want to put on their black hat and think what would you do as an attacker to try and fool the receiver B and Thinking the message they receive has not been modified What can you do? You're an attacker. What are you going to do to try and trick the receiver B? What about trying changing the message? All right, let's say with authentication We often think of two things two parts of authentication data integrity and source authentication Data integrity is to make sure that the message I receive when I say I use a B receives I want to make sure it hasn't been modified along the way. It maintains its integrity Also, I want to make sure that the message I receive did in fact come from a it didn't come from someone pretending to be a So we want to provide those two services and we call them authentication in general Let's consider what the attacker could do in this case And I'll write it a little bit briefer than what that picture captures just to save a bit of time the idea was that A is sending a message to B and What does a send the message and The message and the encrypted hash Okay, the message concatenated with the hash of the message Encrypted with key K. So I'll write down what they send so they send a message and we can write it as M concatenated with The encrypted hash of that message That's what sent across the network The two bars mean concatenation just join them together if M is a thousand bits and the second part is a hundred bits We just attach them together and send the one thousand one hundred bits the hash of the message Usually a small value. For example, if we use MD5, it's a hundred and twenty eight Beats yes hundred twenty eight bits. I have to think Shah uses hundred and sixty bits or sometimes longer and To encrypt the hash what length will the cipher text be if I encrypt a hundred and twenty eight bit hash value How long will the cipher text be the output of the encryption? The same okay normally when we encrypt plain text the cipher text that comes out is the same length so the encrypted part here would be quite small if we have a large message and the key K maybe I should have made it clearer, but Let's think of it as KAB remember shared between A and B not much space That's the secret key shared between A and B only A and B have it they send this across the network let's say Someone intercepts that message before it gets to be our malicious user Intercepts the message and they're going to change it forward on the B With the intention that B when they receive it Will think it's from a and think it hasn't been modified That's the goal of the attacker make B think the message it received is from a and The message they received is exactly the same as what a sent As the malicious user we want to modify the message and hope B doesn't notice So let's consider some different ways in which we can modify it the first approach Let's just modify the message and we'll denote it as What we send is write it here instead of sending M. I'll denote it as M prime Okay, a sent the message M. Maybe the message was Decrease the malicious user salary by one million, but The malicious user changes that message to increase Okay, so when I say M prime here, I mean something different than the original M Prime Let's say they change that and they keep the rest the same We'll try some different options in a moment, but let's say that What the malicious that user does is change is the first part, but keeps the remaining part the same and then forwards are on to be for example, let's say the message was 1000 bits in length and Encrypted part was 128 bits. So in total we have 1000 bits plus 128 bits in length All the malicious user does is changes some of the bits in the first 1000 and the last 128 bits they send as is they don't modify They don't in fact encrypt They just take those bits whatever they were and attach them to their new message They send that to be what does be do? Be decrypts what they receive in the second part to try and check so they do some verification so Really they do two steps that be they write it down here step one we You're correct. We we encrypt a decrypt, but we also write it first. We also take a hash of the received message So we do two steps we received M prime Beated so the first step is take a hash of that the second step is To decrypt the second half of that message or the second part Decrypt Using which key? What key do we decrypt with? The same key key AB. We think the message is from B From a so we decrypt with the key that we've shared with a What do we decrypt this second part and I'll write it in full if I can find the space H of M. I'm gonna run out of space. You'll do it better and there's one more bracket there is there Yes Two steps take a hash of the received message So we treat the message in two parts with the received part of the received message and the encrypted hash value Take a hash of the received message M prime and decrypt the second part Because it's from a we decrypt with a key we've shared with a and What happens when we decrypt? What do we get as an output when we? let's See what we're doing here the hash of M Encrypted with key KAB all of that decrypted with key KAB gives us What's the value here? Not M No What did we encrypt the hash of M? So we We think This part is the encryption of the hash of M with key KAB So therefore if we decrypt that ciphertext with key a KAB our rule or our assumption is if we encrypt it with Some key and decrypt it with the same key will get the original input back That's our requirement for encryption you encrypt a message With a key you decrypt that ciphertext. You must get the original plaintext back so H of M was encrypted encrypted with KAB All of that decrypted with KAB returns H of M the hash of the message So these are the two steps that B does to try and verify first hash the received message H of M prime in this case second decrypt the the second part and Since we're encrypting and decrypting with the same key We assume that what we'll get out when we decrypt is the correct plaintext. Ie hash of M Step three compare them Compare the results of step one and two. Are they equal? Does the hash of M prime equal the hash of M? Now I've got a third step There's there are three steps we The comparison is a simple step. All right, just look at the two we hash the received message decrypt the Encrypted hash value then compare the results and The result of the first step was hash of M prime the result of the second step was hash of M Are they the same and why or why not? Does the hash of M equal the hash of M prime? Why not? because Assuming we have a good hash function our property or of our hash function is the hash of two different messages Produces two different values Since M and M prime are different Because the malicious use of modified M to get M prime then the hash of the two values should be different So they will not be equal and that tells B something's gone wrong So they're not equal and that's a trigger to B to Right don't trust it B knows not to trust that message So treats it as compromised If they are equal trust it if they don't don't trust it, so it's a verification procedure This has failed the verification. How do we know the hash is not the same? How does B know when they calculate the hash come back to our properties of hash functions for a secure hash function we We have this requirement of collision-free property We require it to be not possible or Practically impossible for someone to choose two different messages M1 and M2 that produce the same hash function so if that's true if No one can find two messages that produce the same hash function Therefore when we hash two different messages, they must give a different hash values So assuming that our hash function Will produce different hash values for different inputs Then the hash of M prime and the hash of M must be different Correct this hash of M is what a created Okay, because we decrypted with the correct key From last week we said if we encrypt with one key and decrypt with that same key We will get the original input everything will work. Okay, which we did so we get hash of M and Since M doesn't equal M prime the hash of M prime does not equal the hash of M and This is an indicator of why we need this property for hash functions If the attacker could find a message M prime That was different and The hash values were the same this wouldn't work So such a scheme relies on the property of collision-free hash functions So it's an example of why we need that property The logic here gets a bit confusing. So try and follow along and ask questions when you don't Capture it. This is just to be clear. This is what B is doing. Look at B is doing this we need to This picture shows us both what A and B do on the left is A on the right is B The idea was we don't encrypt the entire message There's no encryption of the message. So we don't have confidentiality What B does we see here B receives everything But it's really broken into two parts the message received the top part and the encrypted hash value We see the two steps. It does hash of M decrypt and compare step three The idea is verifying Checking that what we receive is okay Correct. If you if you go back to what we did last week, do we have a picture? That's not the point This one we went through this one last week Where we encrypt the entire message This scheme provided three services Confidentiality the message is encrypted Okay, no one will can see the message in this case but it also provides Data authentication or data integrity if the message is modified we'll be able to detect with this scheme and source authentication in That if someone fakes a message sends it saying that from a we will detect that So this scheme using just symmetric key encryption provides Both the same so the same services as our new scheme, but it also provides confidentiality our new scheme Which we just went through does not provide confidentiality. So we may think it's worse than the previous one But the main benefit of this is we only encrypt a small value Okay, imagine your message is a 10 gigabyte file Taking encrypting something is takes a long time with with such a large piece of data so instead of doing that we take a hash of that file and Just encrypt the hash value Very small value and that can make The performance much better in this case So just encrypting the hash value can perform much better than encrypting the entire file Especially when we don't need to encrypt the file We don't care if someone sees the message What we care about is that no one fakes the message So that's this where this alternative is considered better than the previous one So it's just another way to do it Okay Not only do we have a lecturer who doesn't speak Thai we have students that don't speak Thai So feel free to ask questions and we'll answer for everyone That's okay Take Take the message a has a message. They want to send a B they want They want B To be able to prove that it came from a and to be able to prove that it wasn't modified along the way One way to do it. This is just one way to do it. There's others. Okay one way to do it is to take a hash of that message and And and one benefit of taking a hash is that we What we're going to encrypt next is very small compared to the message So take a hash of the message and encrypt just the hash value Okay, that's what we do at a We encrypt with a key that we've shared with B in the past send that to be and What B will do when they receive is verify and the verification steps are always the same Take the hash of the message you receive So you receive two parts really the message and the encrypted hash value The role of B is to take the hash of the received message decrypt the second part and Then compare them and the rule is if they're the same trust it if they're not the same don't trust it Why does it work? Well in this case we see that if someone in the middle tries to modify the message The malicious user tries to change M to M prime They want to perform an attack. What's the name of such an attack? Starts with M the name of this attack. They want to modify the message is called a Modification attack. Okay, not a hard one this one. They're just changing the message But they don't change the second part They don't try we'll see another way where they do in a moment, but they don't train this change the second part so B Takes a hash of the received message decrypts the second part compares them and because of our properties of hash functions The hash of two different messages will diff produce two different hash values B detects something gone wrong No, because The message can be anything. Okay The message couldn't be anything. Okay, so you can think of any example any example It can be a one word or it can be one gigabyte Okay Okay Okay, I don't know if it'll work fully, but let's try an encrypted message Here's our message That's our message Okay, that's M What do we do first I'm Going to send I take a hash of that MD5 is the name of a hash function. So MD5 some on that file takes a hash of that actual message There's the hash value Okay That's the hash value so far. So we have M and hash of M We will just move across so you can see a little bit more more So we've got two parts M and hash of M. The next thing is we encrypt the hash value Can I encrypt that? Let's encrypt the hash value. That's the hash and encrypt We're using death. I need a key What key do we use to encrypt? We use the key shared between A and B and I'm just making up a value here So we can put one in. Here's a random key. I've chosen as user A and let's assume B has it as well Turns out this algorithm needs another value called an initialization vector, but not so important for this. Just wrap it around IV The values here don't matter no pads not so important We've encrypted. Do you want to see the encrypted? If you look at the encrypted file, you'll just see it's random looking bits. Okay Open SSL we saw in a previous demonstration is how to or is a software to encrypt encryption software encryption Open SSL encrypt minus e means encrypt Take this input file produce an output file encrypt the hash So we have We've done this step Okay, we started with a message. We took the hash of the message. We encrypted the hash of the message Encrypted with a key. What do we do next? How do you concatenate? Just concatenate just join them put them both in the same file for example. They're just two sequences of bits Let's say the message goes first and the encrypted part goes second as long as both sides know and agree Either way it doesn't matter So we send the both so I think we send the both to be What does be do? What does be do? Decrypts the message Decrypts the encrypted part Okay, so we take so now we're be We use some software to Decrypt the minus d to decrypt What's the input encrypted Okay We took the hash Encrypted it and got this value So now at B We're going to decrypt minus D Here's the value. We're going to decrypt No, this is the hash which was encrypted. We haven't touched the message at B yet Okay, this is taking the encrypted hash value and as the output. Let's call the output Decrypted We'll look at it in a moment. What key do we use? We should this use the same that we use to encrypt and the same initialization vector Not so important correct See we receive the message plus the encrypted hash the picture shows that and we separate them the hat the message goes this direction The gray box here goes down this direction and now in where we're doing this part Decrypt Decrypt The received encrypted part and hope this works. We get a file That's the contents of the file Okay, that's the contents of decrypting that received encrypted part What do we do next at B? What does B do now last step almost the last step? Almost the last step before we compare compare what so we've decrypted we get this value We need to take the hash of the received message Now let's assume that the message hasn't been modified. So we'll take the hash MD5 some of the received message and The received message in this case is the same as the original message Okay, what have I done wrong Are they the same? This is the decrypted value we got this is the hash value. We got are they the same Yes, they're the same therefore we trust this message In this case the message wasn't modified. It was the original one. I didn't change a name If you change the message Let's change the message plain text Hello change remove the dot Replace it with a space just change one character Take the MD5 some now It's a different hash value Okay If the message was modified the hash value Will not be the same as the decrypted hash value and that's how we know that something's gone wrong And that's what happened in this example We did modify the message therefore the hash values didn't match in our picture No, this these these Almost squares are operations the hash operation The input to this function H is M The output is a hash value The input to the encryption is a hash value and a key the output is ciphertext the input to this H is a message and and the input of the decryption function is the encrypted hash value if you Right in in this case the so in the example whether it's a file or not doesn't The file name doesn't matter. It's the contents So if the two if the contents of the files in my example are identical We'll get the same hash value if they're different contents Then it will be a different hash value if the contents Then file name doesn't matter how you're going to defeat this What else can you do as the malicious user? What could you do? This one didn't work for the malicious user They tried to change the message Be detected that So from the attackers perspective the attack was unsuccessful Could the attacker do something else to try to be successful? What could they try? What do we assume that they don't know the key? Okay, so we assume that the attacker doesn't know the secret key KAB because otherwise it wouldn't be secret So they cannot know the key. So what could they try the attacker they could modify the message like we did here and instead of sending the Same as what a sent in this part They could try to take the hash of the modified message and encrypt it with what key malicious user Any key except KAB so that's the problem. I think if you follow it through you'll see it still will not work because If we change the hash value We need to encrypt that again with a key and our assumption is that malicious user doesn't know KAB If they did then the attack would be successful, but we assume that they don't know the the secret so Let's do it Let's try what the malicious to user could attempt to do modify the message modify the second part so take the hash of that modified message and Prime Encrypted with what any K except KAB They don't have KAB the key of the malicious user for example modified the message Recalculate the hash of that modified message Encrypt with a different key the one that they know Send that to be what does be do step one step one the other order hash You're correct, but I would do it in a different order hash of the received message hash of m prime This is what B is doing step to decrypt the received part decrypt this part Decrypt Decrypt what or decrypt the second part, and I'll just rewrite that step one Hash this part step to Decrypt this part Decrypt with what key what will be decrypt with which key B thinks the message came from a Therefore, I will use the key that I've shared with a KAB What's the output? What do we assume what goes wrong here? We've got some plain text Encrypted with one key we try to decrypt it with a different key the wrong key Our assumption is when we do that what we will get is not the plain text. It's some something else So what we get will not be hash of m prime Think of it's some other String sequence of bits, but we know if we encrypt with one key and Decrypt with the wrong key The output would not be the plain text Okay, that was our assumption for encryption Actually, we'll get something that's Recognizably wrong usually, but it will not be the in the plain text Well, it doesn't matter what we get Except that it's not hash of m prime So it will not be hash of m prime. So I'll write instead of equal to we know for sure it would not be Hash of m prime that we get out here. I don't know what we get But I do know that will not be this so step three we compare whatever the values are and we'll see that Let's say we call this x The output of this was x some value We compare x with hash of m prime They're not equal Decrypting using the wrong key will not produce hash of m prime therefore when we compare to the hash of m prime They are not equal Okay Right this so maybe I've written this not so clearly, but What do we get out of this decryption? Let's call it x. Okay, some value comes out x Then we compare this value x with this value and we want to know are they the same and I know that they are not the same because we know that if we had an input of hash of m prime Encrypted with one key Decrypted with another key the output will not be the hash of m prime Because that's our assumption if we decrypt with the wrong key. We will not get the original input Therefore x is not hash of m prime Therefore we verify we check that this is a wrong Message something gone wrong We don't trust So this scheme what we've gone through is two cases where the attacker tries something But we detect it and that's how authentication works We cannot stop someone pretending or sending a fake message or modifying a message But we can detect if they do Detection is important any more questions. I don't have an example to do on the screen, but there's this Last questions before we move on 100% clear good We will see some other very similar cases as well. So we'll repeat this but in a slight variation What have we got? Let's move on and then we'll see another variation of this so you'll get some more practice Different hash algorithms the two main ones are empty five created by Ron revests his name will come up later Generate 128-bit hash value It's no longer considered secure What that means is that Those properties that we talked about the one-way property and the collision-free property It turns out with this hash function now it is possible to for people to find collisions hard, but No longer can recommend it no longer considered secure. There are attacks on MD5 But it still seems to be used a lot secure hash algorithm has gone through different iterations sh1 sh2 sh3 and With sh2 there's actually different length hash outputs Okay, let's let's get through hash functions So we can move on to the next part Which one is more secure MD5 or shah? Shah shah is a bit confusing shah has different variants Shaha one is not the original version so shah zero even older than that, but shah to is considered secure and In shah to there are different length hash outputs So there's shah with a 224 bit output or 256 or 384 or shah 512 that is the length of the hash value they generally considered secure for most applications So shah is is still commonly used There are others, but those are two popular ones you'll see That's a little bit more theory about the attacks, but we are on the properties, but we've said enough about the properties Where are they used in? Many different security Mechanisms we see hash functions. So just in the the left column We'll see shortly they use for digital signatures So we'll explain what that is and see how they use they use for intrusion detection So for a network or a computer system try and detect are there People who have gained access to that system that shouldn't hash functions are used there and in virus detection to detect if there's some virus attached to some application hash functions are used to compare maybe the infected application with the original Uninfected application to check if there's been a change so hash functions are used in virus detection we saw Previously what we went through is a case of hash function used with symmetric key encryption We'll see we'll spend some time about passwords Everyone's seen the password file on a Linux computer. What's it called? What's the name of the file that stores password information in a Linux computer not past WD the other one shadow We haven't seen the content set but it later will on one topic We'll see the contents of that file and we'll see we don't store the actual password We store a hash of the password So hash functions come up in different cases One aspect of hash functions is that it should be hard to find collisions We said that in theory there are collisions two different messages produce the same hash values But the requirement is that in practice it's practically impossible for someone to find two different messages that produce the same hash value and One way that attackers try and do that is that they try many different values So the security of hash functions depends in a large part upon How long it takes to try to hash many different messages? From the attackers perspective they find a message Calculate the hash does it produce the same as the other hash value if not try a different message and keep trying so the speed at which you can calculate hash functions is important and we'll just do it quickly on My computer How fast can I calculate hash functions anyone want to guess how many hashes per second? Let's try Let's run a speed test on the MD5 for example one of the simpler hash functions This my software open SSL is just calculating hashes. In fact, we'll stop there. It does some more tests It calculated what? six million hashes in three seconds So that software just went and did a lot of hash MD5 hashes of random messages And it did about six million in three seconds or about two million per second So my computer can try about two million hashes per second. You can actually buy More dedicated hardware or hardware that is much faster and people do estimates Because they used in many different things Anyone know the recent GPUs graphics cards anyone bought one recently. What's the latest GPUs available today? Who makes them what company? No one's got a computer at home No one's played a game before oh No, maybe you should change from it to arts or something, huh? Come on. What's what's the one of the latest GPUs available or a manufacturer and video, okay turns out that for hash functions GPUs graphics cards are much faster than your General-purpose CPU my Intel CPU is very slow. I got about two million hashes per second I'll zoom in in a moment. I'll find some of the most recent GPUs Where I don't know I don't not up to date but Some NVIDIA graphics cards different models They can calculate hash functions at about 10 million 10 billion per second Okay, so my computer did two million per second Lake at graphics card, which is not very expensive several hundred dollars can calculate at about 10 billion hashes per second and In fact, you can buy dedicated hardware that can calculate even a hundred or thousand times faster than that why? Because the security of hash functions depends upon How long it takes to be able to find collisions and that the best known way to find collisions is to try many different values To try many different hashes and therefore people Try to measure and find the hardware that will calculate the fastest and That we may see some other data in another topic when we look at passwords So we'll return to hash functions again when we look at passwords We'll see the relevance of some of these numbers for now Remember these four points very about variable sized input M produces a fixed sized Small output hash, that's what our hash function does For security purposes, we require the property that if we have the hash value It should be impossible to find the original message. This is the one-way property And we'll see that when we look at storage of passwords Another property we desire in certain cases is that it should be hard to find another message M prime That produces the same hash value as some existing message M If we could our attack that our malicious user did would have been successful So it should be hard to find really two messages That produce the same hash value and in fact these two points of variations of that same property It's hard to find collisions and hard to go backwards with the hash function Let's try a different topic and then see it applied with hash functions We've mentioned symmetric key encryption. What what do we say or what defines symmetric key encryption? Symmetry across what? What's symmetric in symmetric key encryption? The same key so what you think from a and B's perspective there's symmetry in that they use the same key It's a shared key system there's an alternate crypto system called public key encryption or public key cryptography and Sometimes called asymmetric key encryption because the two entities a and B use different keys One of them uses one key to encrypt the other uses a different key to decrypt So we'll talk about that and see the role of plays in different security systems Any questions before we start on this? Harder topic Hash functions was the easy part any questions before we start on this one If there's no questions, then everyone listen up and we'll continue some history very quickly Up until we're about the 1960s everything was symmetric key encryption from back to Julia Caesar the Roman emperor or whoever he was thousands of years ago or a long time ago through to about 1960s It was all symmetric key encryption Then different people over a period of 10 or 20 years create discovered this new technique called public key encryption and in fact the two people who Or in fact there were two or three people But two of them got their name to it that really introduced it to the public We're called Diffie and Hellman two guys Diffie and Hellman and they really designed public key cryptography and and Introduced it to the public to everyone turned out before that some security agencies had invented it but just hadn't released it at that stage and We'll see Diffie Hellman have a very basic scheme which is still used today for exchanging secrets and Then not long after three guys revest Shamir and Edelman created a public key cryptography algorithm Called RSA, which is the most widely used algorithm for public key cryptography today. So RSA is very important So what is a public key crypto system? Remember with symmetric key algorithms. We use the same secret key of both encryption and decryption With asymmetric We use one key for encryption, but a different a different but related key for decryption How do you choose a symmetric key? How do you choose a symmetric key? How do you choose one? Create it. How but how would you choose one? Is there an algorithm that tells you how to choose one or what do you do? Random is best. Okay, so it's just a symmetric key It's just a random you choose a random number of the appropriate length and tell your friend that With public key encryption. We don't just choose a random key There are actually algorithms that tell us create or generate your key Because now we have two different keys and they need to be related in some way. It can't just be two random keys We follow some algorithm to choose one of the keys and to calculate the other key So we can often talk about a key pair and we'll talk about the names of the public the keys in the key pair in a moment We will use one key for encryption and one key for decryption and our requirement is that if we know one of the keys such as the encryption key and We know the algorithm and the ciphertext But if we know one of the keys in the key pair, it should be practically impossible to find the other key in that pair Okay, so that's an important requirement that when we have two keys Even if the attacker knows one of them They cannot find the other But the keys must be related So they can't just be random values. They need to be mathematically related usually in some of the algorithms that are popular It turns out we'll have a pair of keys We'll use one key to encrypt the other to decrypt In fact, we can usually use them in reverse use the other to encrypt and one the other to decrypt All right, that'll come up. You'll see that optional feature in a moment. What do we call the keys? So we have two keys now. We give them names. One's called a public key One's called a private key. So we talk about a public private key pair or just a key pair and We usually write them instead of K for key To distinguish between public public and private we usually write as PU for public and PR for private We can't just use P because they start with the same letter and we talk about that a particular user has a their own key pair so user a has their key pair public key of a and private key of a Whereas in symmetric key cryptography a pair of users had one shared key. Remember we had k a b Known by both a and b This is different where each user has their own pair So think everyone in the room has their own pair of keys their own public key and their own private key as You may guess by their names The public key can meet can be made public That is my public key. I can tell everyone what its value is Anyone can know it? The private key must be kept secret So my my private key if I tell someone then the system fails So my private key I must keep private or secret and we use the keys in in different orders To achieve two different things The two things we want to achieve are written here secrecy or really confidentiality and The other one is authentication. So in fact, we can use this system for both Secrecy or confidentiality and authentication. Let's see how they work in the concept first so let's say we have a public key encryption algorithm a public key decryption algorithm everyone knows them the attacker knows the algorithms and We have a pair of users on the left is user a on on the right is user b and We assume each user has their own key pair if we want to achieve confidentiality Which means a wants to send a message to be and a doesn't want Anyone but be to be able to read that message Okay, we want to keep the message confidential Then the way that we use public key crypto is that we take the message the plain text We don't Refer to the plain text as P because that's confusing with public and private So we often refer to the plain text as M the message we take the message We encrypt it using some encryption function Using the public key of B Okay, so if I want to send a message to you and I want that message to be confidential I use your public key to encrypt it and I create some cipher text So again, we take as input plain text a key. We produce ciphertext as output we send the ciphertext which can be written as Encrypt using public here B of M. We send that to be What B does when they receive is a decrypt and to decrypt a message in this case We take the ciphertext and use B's private key Or generally we use the key or the other key in the key pair in this case the plain text was encrypted with P you be the public key of B therefore to decrypt we must use the private key of B and The algorithms must be such that when we do that we will get the original plain text the original message M So some important points here Every user has their own key pair P you be PRB in this case are the belong to user B User a would have its own key pair, but we don't use it in this case for confidentiality we send a We encrypt using the public key of the destination Let's see what the attacker can do. We have user a User B. What do they know? B has a key pair. A also has a key pair. We'll write it We assume every user has a key pair We want to provide confidentiality There's an eye in there somewhere We want our message from A to B to be confidential so we take some message and we encrypt and what we send is We encrypt using B's public key our message and send that to B to decrypt B uses its own private key and our Requirement for our encryption and D decryption function is that when we decrypt some plain text message M Sorry when we encrypt a plain text message M with P you be and Then we try and decrypt the result using PRB The answer must be M The original message that's the requirement of the functions Similar to symmetric key encryption We said if we encrypt the plain text with one key and then decrypt with the same key We'll get the original plain text This is the similar requirement if we encrypt our plain text message M with the public key of B and Then we decrypt all of that with the private key of B, then it must deliver the same value of M So the difference here is that we use not a shared secret key, but we use two different keys But they must belong to the same pair PRB and PUB What can the attacker do? The attacker takes a copy of the message They want to find M. What do they do? So the attacker has the message The the ciphertext sorry That's what the attacker knows That is in fact the ciphertext they don't know the contents but the output so their aim is to find M How do they find M? Decrypt So we decrypt that What key do we decrypt with? What key will our attacker decrypt the ciphertext with again? Private key of who? Private key of who? Who's can it not be? It cannot be the private key of B because the attacker doesn't know the private key of B So we cannot use the private key of B here because if The attacker knew the private key of B that would not be private By definition the private key must be known only by B So our malicious user So the security depends upon the fact that we can't find PRB so if we try a different key such as PRA Or PRC or just some other key. We assume that it will not decrypt That is we'll only successfully decrypt if we use the other key in the key pair Encrypted with PUB it can only decrypt with PRB If it was encrypted with PUA, it will only decrypt with PRA. That's our properties of our Public key Cryptography algorithms So since the malicious user doesn't know PRB They cannot find the message and therefore we achieve confidentiality. That was our aim keep the message confidential so What could the malicious user do what their aim therefore is to find PRB and there's two basic approaches brute force How do we stop brute force? Make it long enough so it would take forever to do it. Okay, so that's easy to stop or the other thing is that The for this this decryption step to work. We can't just use any key PRB and PUB It won't work that we just use random values. It turns out for that to be successful. We must have related keys They must be somehow related and The algorithm will define the relationship between PUB and PRB So does the malicious user know PUB? The malicious user does know PUB by definition PUB is public so everyone knows PUB so The challenge is to make it hard for them to find PRB maybe given The public key so a secure algorithm would be such that even if the malicious user knows the public key and the ciphertext They cannot find PRB That's what we require if they could it wouldn't work It's our security would fail see a ciphertext. Sorry. I didn't write it. That's See is this short for all of this The ciphertext we assume they always know the ciphertext. They know the algorithms They also know the public key. It must be practically impossible to find the private key So the algorithms must be designed such that it's it's hard to do and There are algorithms that do that RSA is a very popular one That was for confidentiality That is keeping the message secret. The other way we use public key crypto is for authentication We don't care if someone sees a message. We care that B can confirm that the message came from a Look at the difference between the two slides in the first case a Encrypted using the public key of B and we decrypt with a private key of B in the second case a encrypts with a private key of a and B decrypts with the public key of a We swap the keys and Use the sources keys in this case Your homework is to find out why that works What I mean is consider this case Try and draw the picture and try and Think as the malicious user In the second case see what the malicious user can do Can the malicious user a? create a message that They pretend to be from a and make B think it comes from a can the malicious user masquerade as a or Can the malicious user modify the message along the way and make B? Think that the message came from a and has not been modified. So see if the malicious user can do an attack on the authentication using this scheme and that should derive it our requirements for our keys Have a think about that case We may give you the answer tomorrow and we'll move on and then we'll see how We combine this with hash functions