Cryptography and Privacy (Week 14) Flashcards

1
Q

What is Computer Security?

A

Computer Security means protection of computer systems from…
* Theft or damage of hardware, software and data
* Disruption or misdirection of services

2
Q

What is the challenge of Data Privacy?

A

The challenge of Data Privacy is to…
* use data while
* protecting an individual’s privacy preferences and their personally identifiable information (PII)

3
Q

How to Protect Data Privacy?

A

Most systems and services are designed to collect (as) many data points on users (as possible)
* Tracking, data aggregation, etc.
* Social media services
* Integration of services, e.g. as described in the video “How China is changing your Internet”

But we do have a few tools to protect data privacy:
* Technical measures, e.g. cryptography, The Onion Router (TOR)
* Legal measures, e.g. data privacy legislation

4
Q

What is Cryptography?

A

Cryptography is the process/art of writing code that keeps information encrypted.

5
Q

What is Symmetric Encryption?

A

Symmetric: Conventional mode of encryption – uses the same key to encode and decode information

6
Q

What is Asymmetric Encryption?

A

Asymmetric: Newer and more complex mode of encryption. It utilizes two keys to unlock encrypted information: a public and a private key.
* Public key is for use of the public.
* Private key is held for the owner’s use to protect information.

7
Q

Anonymity on the Internet (I have no clue how to pose this one as a question)

A

Anonymity on the Internet is hard to achieve, but there are some tools available that are helpful, e.g.

The Onion Router Project (TOR)
* Used to surf the Internet while hiding your IP address, e.g. with the customized TOR browser
* Sends internet traffic through a series of relays (randomly selected out of thousands of relays worldwide)
* Uses multiple layers of encryption (=> onion analogy)
* No single entity knows the whole route (no one can follow you)

8
Q

What is E2EE?

A

End-to-End Encryption (E2EE)

Secure line of communication/data transfer. The secure line blocks 3rd-party users from access.

Only sender and receiver can decrypt the communication with a key.

Mitigates risk and protects data / information transfer from source to source.

9
Q

Secure Communication with Cryptography

How can we ensure that nobody can intercept and read a message except the intended recipient?

A

Solution: encrypt it with a secret key before sending it.

Message is then decrypted at the receiver’s end.

10
Q

What is Secret Key Cryptography?

A

Encryption and decryption use the same key: symmetric key encryption

Problem: all parties (sometimes more than 2) must exchange a secret key before they can start to communicate

A common standard for secret key cryptography is AES (Advanced Encryption Standard) => it is used for HTTPS

Longer keys are more secure

11
Q

What is a Secret or Private Key?

A

Symmetric: a secret key is a framework to decrypt and encrypt messages.

Each party (sender/receiver) possesses a common secret key.
* Message is transformed from plaintext to ciphertext and the receiving party reverses the process to reveal the information. Process repeats.

12
Q

What is the Caesar’s Cipher Encryption Technique?

A

Uses a very simple encryption rule:
* Each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet, e.g., shift of 23 positions

This encryption can easily be broken by letter frequency analysis

13
Q

What are some Cryptography Concerns with security by obscurity?

A

An approach that is NOT recommended: security by obscurity
* Assuming others will never learn how the system works
* History proves: this fails eventually as details of the system come to light

Better approach: assume everybody knows how the cryptographic system works (experts can probe it) and use it with a secret key

14
Q

What can compromise a Secret Key?

A

Communication is secret unless the key is compromised.

Compromises:
* Revealing it by theft, bribery, carelessness of users, etc.
* Breaking it with cryptographic attacks

Breaking a key is only a matter of time and computational power
=> no key is 100 % secure

15
Q

What is Public Key Cryptography?

A

Instead of one shared secret key, each party participating in a conversation creates a pair of two matching keys:
* Private key: only the creator knows it (and it must be kept secret)
* Public key: everybody may know it (and it is publicly available)

Any message encrypted by one key can be decrypted by the other key (no matter which one, it works in both directions)

This is also called asymmetric cryptography

Most common public key cryptography system is RSA (used for HTTPS)

16
Q

What is an example of how Public Key Encryption could be used to send a secret message?

A

Common example for using public key encryption: Bob sends a secret message to Alice which only she can read:

Bob encrypts the message with Alice’s public key, sends it over the network and Alice decrypts it with her private key

17
Q

How can Public Key Encryption be used to verify the sender of a message?

A

Another example for using public key encryption: to verify the sender of a message. It works like this:

  1. Bob encrypts a message with his private key and sends it over to Alice
  2. Alice decrypts the message with Bob’s public key – the message must be from Bob, because only Bob knows his private key.
  • Please note that everyone else can decrypt the message as well => the message content is not secret
  • How can we be sure that Bob’s public key is not fake? => We need two more tools for that: hashes and certificates
18
Q

What is a Cryptographic Hash?

A

A cryptographic hash is a “fingerprint” of a message, a.k.a. message digest

A hash function scrambles the bits of an input of any length (message or file) into a fixed-length hash, e.g., a sequence of 128 bits

The hash identifies a message or file like a fingerprint identifies a person

19
Q

What is the purpose of a Cryptographic Hash? Why would we use it?

A

To find out whether a message (or a document) was altered => a tiny change in the message completely changes the hash

20
Q

How can we identify changes to a document using a Cryptographic Hash?

A

We can recompute the hash and watch out for changes

It is (computationally) very challenging to reverse the hash calculation => to create a fake message that matches a given hash.

21
Q

What does a Digital Signature do?

A

Application of Hashes: Digital Signatures

A digital signature verifies that
(1) the document was not changed in transit and
(2) it was authorized by the signer

Example of a Digital Signature

Acrobat Reader can show who signed the document and verify that the signature is valid => the document was not altered

22
Q

What is a Digital Signature used for?

A

A digital signature is used to verify the authenticity of digital messages or documents. It proves that…
* the document was created/approved by the signing entity
* the document was not altered (e.g. in transit)

23
Q

How can we be sure that a public key used for a signature is not fake?

A

Problem: how can we be confident that a public key really belongs to a certain person or institution

Solution: use digital certificates to prove the ownership of public keys

Important components of a certificate
* Public key of the user
* Name/Domain of the user
* Expiration date
* Digital signature of the certification issuer (usually a well established certification authority)

The issuer’s signature verifies the public key and the subject’s name stated in the certificate

24
Q

How are Digital Certificates used in HTTPS?

A

1) Client requests HTTPS session

2) Certificate sent back (with Public Key)

3) Client creates random session key

4) Session key encrypted with public key
At this point, only client knows session key

5) Encrypted session key sent to server

6) Session key decrypted with private key
At this point, both client and server know session key

7) Session encrypted with symmetric session key

25
Q

How is Public Key Cryptography used for Key Exchange?

A

Public key cryptography is mathematically more challenging than secret key cryptography
* it needs more computing power => it is slower
* Simpler devices, e.g. chips on credit cards, may have trouble encrypting larger amounts of data

Hence: combine advantages of public & secret key encryption
1. Use asymmetric encryption (public key encryption) to exchange a secret key between parties
2. Continue communication with faster symmetric encryption

26
Q

How can we trust the signature of a certificate?

A

The Certificate “Chain of Trust”

We look up the certificate of the issuer, and then the certificate of the issuer of that certificate and so on…

Every OS comes with a number of various root certificates installed.

27
Q

Cryptography for Secure Storage

How to encrypt local files or complete disks?

A

Some systems come with hardware encryption for drives, e.g. most Solid State Drives (SSD) provide built-in encryption

28
Q

Cryptography for Secure Storage

Software for encryption of cloud storage?

A

Boxcryptor
* Commercial, encrypts files on your Dropbox, Google Drive, OneDrive…

EncFS MP
* Open Source, similar features but less convenient to use than Boxcryptor

29
Q

Cryptography - Summary

What is Symmetric Cryptography?

A

Symmetric cryptography uses a previously exchanged secret key to encrypt and decrypt messages

30
Q

Cryptography - Summary

What is Asymmetric Cryptography?

A

Asymmetric cryptography uses a pair of keys (public and private key) to encrypt and decrypt messages

31
Q

Cryptography - Summary

What is a Cryptographic Hash (or message digest)?

A

A cryptographic hash (or message digest) is a fingerprint of a message used to prove that the message was not altered

32
Q

Cryptography - Summary

What is a Digital Signature?

A

A digital signature verifies the originator of a document and that it was not altered. Typically, signed documents are not encrypted.

33
Q

Cryptography - Summary

What is a Digital Certificate?

A

A digital certificate proves that a certain public key belongs to a person, institution or domain