OpenVMS Notes: Cryptography, etc.

Introduction
- substitution basics
- transposition basics
- keys and other stuff
- what do you want to do?
- what's in a name?
  - scp, sftp, ftps, ssh, etc.
Internal VMS Links
External Links
- Introduction to cryptography
- Tools and Toys
- Links

This is mostly a links/resource page
Edit: 2016-05-02

Introduction

For a quick bootstrap into cryptography, you must read The Code Book (2000) by Simon Singh.

http://simonsingh.net/books/the-code-book/

Substitution Basics

Caesar Cipher
- https://en.wikipedia.org/wiki/Caesar_cipher
- Alphabetic fixed shift (e.g. each letter in your message is upper-cased then shifted by 3 letters)
  
  Clear-text Message: WAIT FOR ME AT THE RUBICON
  
  Encrypted Message: ZDLW IRU PH DW WKH UXELFRQ
- Removing spaces and punctuation before you encrypt makes code-breaking somewhat harder
- Easy to hack with frequency analysis (e.g. the most frequent letter in English is "E"; the second is "T"; the third is "A", etc.)
- Download cryptool to see what I mean:
  - https://en.wikipedia.org/wiki/CrypTool (from our friends at Deutsche Bank)
Passphrases to encrypt and decrypt
- alphabetic (or whole character set) variable shift
- consider the phrase: "THE QUICK BROWN FOX JUMPS THE LAZY DOGS BACK".
  - If this phrase is repeatedly used to shift characters in your message...
    - then the first message character is shifted by 20 (because "T" is the twentieth letter in the alphabet)
    - then the second message character is shifted by 8 (because "H" is the eighth letter of the alphabet)
    - then the third message character is shifted by 5 (because "E" is the fifth letter of the alphabet)
    - etc.
  - Alternatively, if the message is in ASCII format then you might wish to XOR (exclusive OR) it with the ASCII value of the passphrase...
    - then the first message character is XOR'd with 84 which is the ASCII value of "T"
    - then the second message character is XOR'd with 72 which is the ASCII value of "H"
    - then the third message character is XOR'd with 70 which is the ASCII value of "E"
    - etc.
- If you hit the end of your pass phrase, just wrap around to the beginning (therefore longer phrases introduce more scrambling).
- If someone guesses your pass phrase, then they will be able to decrypt your message
- You use the same phrase to decrypt (shift back or just XOR a second time)
Seemingly random passphrases
- in essence, this is what the Germans used with their Enigma Machine. Changing rotors (wiring), and starting settings (initialization value) produced a different code phrase every day. The standard machine only possessed three rotors while the Navy version possessed four.
- BTW, Enigma was a lot easier for British Intelligence to crack than the Lorenz Machine which was used by German high command. Almost everyone in common society has heard about Enigma and almost no one has heard about Lorenz.

Transposition Basics

I won't waste too much time here exception to mention that substitution ciphers still have a common problem: the information still contains positional information which means cipher-text may still be subjected to certain kinds of frequency analysis.
Transpositions change character position in order to hide positional information thus defeating most kinds of frequency analysis.

Keys and other stuff

Symmetric Keys
- used to encrypt and decrypt
  - this means that either party can encode or decode
- think of a mechanical lock with one physical key
- https://en.wikipedia.org/wiki/Symmetric_key
- think of these keys as really long pass phrases (1024 bits = a single 128-character pass phrase)
- Alternatively: think of each byte in the key acting as a CPU op-code like so:
  - Substitute single character using polyalphabet X;
  - Interchange characters between positions X and Y;
  - XOR key character with clear-text character;
  - left rotate (shift) bits of character;
  - right rotate (shift) bits of character;
  - and so on...
Asymmetric Keys
- one key encrypts while another decrypts
  - if you encrypt with the private key then anyone with the public key can decrypt
  - if you encrypt with the public key then anyone with a private key can decrypt
- think of a mechanical lock with two physical keys (one to close and another to open)
- https://en.wikipedia.org/wiki/Asymmetric_key
- in the case of SSL, each end maintains their own private key whilst the public key is distributed by a trusted third party like Verisign or Thawte to only name two.
- If I encrypt a message with my private key, and you then decrypt it with my public key, then you know the encrypted message came from me (electronic signature)
  To continue...
- If I encrypt this signed message with your public key before I send it to you, then I will be sure that only you can read it (with your private key).
  The message is now secured and verified in both directions
Computational Load
- Due to a reliance upon a pair of large prime numbers, asymmetric keys require much more computer power to encrypt/decrypt than symmetric keys.
- So before each communication session:
  - large random numbers are used to generate a set of symmetric keys (which are known as session keys)
  - asymmetric keys are used to encrypt then exchange symmetric keys
  - symmetric keys (session keys) are then used to encrypt/decrypt the message

Food-for-thought

Diffie-Hellman key exchange

this method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Diffie-Hellman Description - which uses colors to represent a "shared secret" (randomly generated keys)
Videos: http://www.khanacademy.org/science/brit-cruise/cryptography
- http://britcruise.com/2012/02/26/public-key-cryptography-diffie-hellman-key-exchange/

Example Math (caveat: implemented in JavaScript with usual JS limitations so stick to small numbers)

Step	Alice	Bob	Notes
1			Choose two random values then notify the other "in the clear". Rule: y must be smaller than p Example Values: y= and p=
2	picks: secret number A=	picks: secret number B=	similar to starting colors in the video above
3	uses this formula: a=y^A mod p to compute public number a=	uses this formula: b=y^B mod p to compute public number b=	similar to mixed colors in the video above
4	send "a" to Bob	send "b" to Alice	This transmission is also done "in the clear"
5	uses Bob's "b" value in this formula: key=b^A mod p to compute shared secret key=	uses Alice's "a" value in this formula: key=a^B mod p to compute shared secret key=	both people encrypt/decrypt with the computed secret key

Don't be confused by the fancy math. As far as I am concerned, any formula could be used including simple addition or multiplication. Consider these non-modulus examples:
- Addition:
  - Assume: y=7
  - Alice chooses: A=3
  - Alice computes: a=(7+3)=10 which she sends to Bob
  - Bob chooses: B=6
  - Bob computes: b=(7+6)=13 which he sends to Alice
  - Alice now computes: key=(3+13)=16
  - Bob now computes: key=(6+10)=16
- Multiplication:
  - Assume: y=7
  - Alice chooses: A=3
  - Alice computes: a=(7x3)=21 which she sends to Bob
  - Bob chooses: B=6
  - Bob computes: b=(7x6)=42 which he sends to Alice
  - Alice now computes: key=(3x42)=126
  - Bob now computes: key=(6x21)=126
So why the fancy math?

What do you want to do?

If you want to encrypt a file or hard drive
- you encrypt with your asymmetric public key (which is publically available to everyone) and will decrypt with your private key (which is only known to you)
If you want to prove who you are on the net (a good example is Secure DNS)
- then you encrypt with your private key.
- others will use your public key then say: "yes, he was the only one who could have encrypted that message"
If Alice wants to send a message to Bob which can only be read by Bob
- then Alice encrypts using Bob's public key (only he will be able to decrypt with his private key)
- this is what happens during web banking (you use a password to prove who you are; by encrypting with your banks public key, only your bank will be able to decrypt)
If Alice wants to send a message to Bob but also wants to prove it came from Alice
- then Alice encrypts using Alice's private key (Bob will decrypt using Alice's public key)
- Caveat: eves dropper "Eve" will also have access to Alice's public key so this communication is not considered secure; in fact, it is only known as a "digital signature"
If Alice wants to send a message to Bob which can only be read by Bob but wishes to ensure that it only came from Alice
- Alice encrypts using Alice's private key ("digital signature")
- Alice encrypts again using Bob's public key
- Bob will decrypt using Bob's private key (only he can do this)
- Bob will decrypt again but this time will use Alice's public key (which only she could have encrypted)
In SSL/TLS you would always encrypt with the other guys' public key (which everyone has access to via a trusted third party)
In SSH/SSH2, you create a public/private pair, then copy the public key to the remote end. This means you would always encrypt with your private key. The far end always decrypts with your public key.
The UNIX/Linux/Enterprise Server community sort of went the way of SSH2 while the public web went the way of SSL/TLS. Today, most systems employ both
Today, encrypting with large asymmetrical keys is too computational intensive so they are only used to encrypt randomly generated asymmetric session keys. Session keys are then used to drive cyphers (like TripleDES, BlowFish, TwoFish, etc.)

What's in a name?

Usually, if "S" is the first character then the protocol employs SSH/SSH2:

SCP	secure copy
SFTP	secure FTP	not a real FTP implementation (e.g. no ASC mode)
FTP over SSH	FTP over SSH	not the same as SFTP
SSH	secure shell	when used as a standalone app, can be used as a terminal emulator when used as a technology, is the basis for other secure apps

Usually, if "S" is the last character then the protocol employs SSL/TLS:

FTPS FTP over SSL or TLS

HTTPS HTTP over SSL/TLS

DNSSEC DNS with security extensions

Internal VMS Links

OpenVMS Notes: SSL/TLS
- contains some low level experiments anyone can do with their OpenSSL CLI (command line interpretor)
OpenVMS Notes: TCPware
OpenVMS Notes: SSH2

External Links

Three Good Books (of many)

The Code Book (Simon Singh)
- this book is a must read for anyone bootstrapping into this profession
Applied Cryptography: Protocols, Algorithms, and Source Code in C (Bruce Schneier)
- free source code: https://www.schneier.com/books/applied_cryptography/source.html
SSH: The Secure Shell The Definitive Guide (O'Reilly)
- second edition published in May of 2005

Introduction to Cryptography (web)

https://www.khanacademy.org/computing/computer-science/cryptography - 11 videos as of 2012-06-10
- http://britcruise.com/2012/02/26/public-key-cryptography-diffie-hellman-key-exchange/
https://www.youtube.com/watch?v=5Rz3fvRArcA&feature=related - Lesson 1: History of cryptography and its early stages in Europe
https://www.youtube.com/watch?v=YENkS4A8QyY&feature=related - Introduction to Cryptography by Liz Vonderheiden
https://www.youtube.com/watch?v=rA_ZmWPormM - Lecture - 33 Basic Cryptographic Concepts Part : I
https://www.youtube.com/watch?v=Z_mlyruYQ24&feature=related - The science of secrecy by Simon Singh

Tools and Toys

download the cryptool learning program from our friends at Deutsche Bank
- https://en.wikipedia.org/wiki/CrypTool
- lets you see the Caesar Cypher (as well of lots of other stuff) in action

Links:

Introduction to Public-Key Cryptography @ Mozilla
Just Enough Cryptography
- http://www.cromwell-intl.com/security/crypto/
- http://www.cromwell-intl.com/security/crypto/cipher-strength.html
Paul Andrew Johnson
- Paj's Cryptography
  - http://pajhome.org.uk/crypt/rsa/rsa.html (for a good overview of RSA)
  - http://pajhome.org.uk/crypt/rsa/maths.html (easy-to-read math proofs)

(mostly) Wikipedia Resources

Public-key Cryptography
RSA
Elliptic Curve Cryptography (who needs prime number anyway?)
OpenSSL
- www.OpenSSL.org
OpenSSH
- www.OpenSSH.com
OpenPGP
- www.PGPi.org (free for non-commercial use)
Steganography (hiding information in plain sight (like inside GIFs and JPEGs)
comments:
- First consider a totally red pixel with the HTML color code of "255,0,0". Would your eye be able to see the difference between this color and "254,0,0"? (probably not)
- Now consider a picture in which all the colors have be pre-adjusted to have even color numbers
- A binary code (zeros and ones) could be serially inserted into the picture just by adjusting the color of each addressable pixel (binary 0 = even color; binary 1 = odd color)
- The code would be right before you eyes but you would not see it but a computer could

Back to OpenVMS
Back to Home
Neil Rieck
Kitchener - Waterloo - Cambridge, Ontario, Canada.

Clear-text Message:	WAIT FOR ME AT THE RUBICON
Encrypted Message:	ZDLW IRU PH DW WKH UXELFRQ

FTPS	FTP over SSL or TLS
HTTPS	HTTP over SSL/TLS
DNSSEC	DNS with security extensions