OpenVMS
Notes:
Cryptography, etc.
Edit: 20191208 (fixed a few typos)
Introduction
For a quick bootstrap into cryptography I recommend reading
The Code Book:
The Science of Secrecy (2000) by Simon Singh
Substitution Basics
 Caesar Cipher

https://en.wikipedia.org/wiki/Caesar_cipher
 Alphabetic fixed shift (e.g. each letter in your message is
uppercased then shifted
by 3 letters)
Cleartext Message: 
WAIT FOR ME AT THE RUBICON 
Encrypted Message: 
ZDLW IRU PH DW WKH UXELFRQ 
 Removing spaces and punctuation before you encrypt makes
codebreaking somewhat harder
 Easy to hack with frequency analysis
(e.g. the most frequent letter in English is "E"; the second is "T"; the
third is "A", etc.)
 Download cryptool to see
what I mean:
 Passphrases to encrypt and decrypt
 alphabetic (or whole character set) variable shift
 consider the passphrase: "THE QUICK BROWN FOX JUMPS THE LAZY DOGS BACK".
 If this phrase is repeatedly used to shift characters in your message...
 then your first character is shifted by 20 (because "T" is
the twentieth
letter in the alphabet)
 then your second character is shifted by 8 (because "H" is
the eighth letter of the alphabet)
 then your third character is shifted by 5 (because "E" is
the fifth letter of the alphabet)
 etc.
 Alternatively, if the message is in
ASCII format
then you might wish to
XOR (exclusive OR) it with the ASCII value of the passphrase...
 then your first character is XOR'd with 84 which is the ASCII value of
"T"
 then your second character is XOR'd with 72 which is the ASCII value of
"H"
 then your third character is XOR'd with 70 which is the ASCII value of
"E"
 etc.
 If you hit the end of your passphrase, just wrap around to the
beginning (therefore longer phrases introduce more scrambling).
 If someone guesses your passphrase, then they will be able to
decrypt your message
 You use the same passphrase to decrypt (shift back or just XOR a second
time)
 Seemingly random passphrases
 in essence, this is what the Germans used with their
Enigma Machine.
Changing rotors (wiring), and starting settings (initialization value) produced a different code
phrase every
day. The standard machine only possessed three rotors while the Navy
version possessed four.
 BTW, Enigma was a lot easier for British Intelligence to crack than
the Lorenz Machine
which was used by German high command. Almost everyone in common society
has heard about Enigma whilst very few have heard about Lorenz.
Transposition Basics
 I won't waste too much time here exception to mention that substitution
ciphers still have a common problem: the information still contains positional
information which means ciphertext may still be subjected to
certain kinds of frequency analysis.
 Transpositions change character position in order to hide positional
information thus defeating most kinds of frequency analysis.
Keys and other stuff
 Symmetric Keys
 used to both encrypt and decrypt
 this means that either party can both encode or decode
 think of a mechanical lock with one physical key
 https://en.wikipedia.org/wiki/Symmetric_key
 think of these keys as really long passphrases (a 1024 bit key = a
single 128character passphrase)
 Alternatively: think of each byte in the key acting as a pseudo CPU opcode
with instructions like these:
 Substitute single character using polyalphabet X;
 Interchange characters between positions X and Y;
 XOR key character with cleartext character;
 left rotate (shift) bits of character;
 right rotate (shift) bits of character;
 and so on...
 Asymmetric Keys
 both public and private keys are two really large prime numbers
 one key encrypts while another decrypts
 if you encrypt with the private key then anyone with the public
key can decrypt
 if you encrypt with the public key then anyone with a private
key can decrypt
 think of a mechanical lock with two physical keys (one to close and
another to open)
 https://en.wikipedia.org/wiki/Asymmetric_key
 in the case of SSL, each end maintains their own private key whilst
the public key is distributed by a trusted third party like Verisign or
Thawte to only name two of many.
 If I encrypt a message with my private key, and you then decrypt it
with my public key, then you know the encrypted message came from me
(electronic signature)
To continue...
 If I encrypt this signed message with your public key before I send
it to you, then I will be sure that only you can read it (with your
private key).
The message is now secured and verified
in both directions
 Computational Load
 Due to a reliance upon a pair of large prime numbers, asymmetric keys require much more computer power to encrypt/decrypt
than symmetric keys.
 So before each communication session:
 large random numbers are used to generate a set of symmetric keys (which
are also known as session keys)
 asymmetric keys are used to encrypt then exchange (through the
communications channel) these symmetric keys
 symmetric keys (session keys) are then used to encrypt/decrypt the message
 DiffieHellman key exchange
What do you want to do?
 If you want to encrypt a file or hard drive
 you encrypt with your
asymmetric public key (which is publically available to everyone) and will
decrypt with your private key (which is only known to you)
 If you want to prove who you are on the net (a good example is
Secure DNS)
 then you encrypt with your private key.
 others will use your public key then say: "yes, he was the only one
who could have encrypted that message"
 If Alice wants to send a message to Bob which can only be read by Bob
 then Alice encrypts using Bob's public key (only he will be able to decrypt
with his private key)
 this is what happens during web banking (you use a password to prove
who you are; by encrypting with your banks public key, only your bank
will be able to decrypt)
 If Alice wants to send a message to Bob but also wants to prove it came
from Alice
 then Alice encrypts using Alice's private key (Bob will decrypt
using Alice's public key)
 Caveat: eves dropper "Eve" will also have
access to Alice's public key so this communication is not considered
secure; in fact, it is only known as a "digital signature"
 If Alice wants to send a message to Bob which can only be read by Bob
but wishes to ensure that it only came from Alice
 Alice encrypts using Alice's private key ("digital signature")
 Alice encrypts again using Bob's public key
 Bob will decrypt using Bob's private key (only he can do this)
 Bob will decrypt again but this time will use Alice's public key
(which only she could have encrypted)
 In SSL/TLS you would always encrypt with the other guys' public key (which
everyone has access to via a trusted third party)
 In SSH/SSH2, you create a public/private pair, then copy the public key
to the remote end. This means you would always encrypt with your private
key. The far end always decrypts with your public key.
 The UNIX/Linux/Enterprise Server community sort of went the way of SSH2 while the
public web went the way of SSL/TLS. Today, most systems employ both
 Today, encrypting with large asymmetrical keys is too computational
intensive so they are only used to encrypt randomly generated asymmetric
session keys. Session keys are then used to drive cyphers (like
TripleDES,
BlowFish,
TwoFish, etc.)
What's in a name?
 Usually, if "S" is the first character then the protocol employs
SSH/SSH2:
SCP 
secure copy 

SFTP 
secure FTP 
not a real FTP implementation since no ASC
(text) mode 
FTP over SSH 
FTP over SSH 
not the same as SFTP 
SSH 
secure shell 
when used as a standalone app, can be used
as a terminal emulator when used as a technology, is the basis
for other secure apps 
 Usually, if "S" is the last character then the protocol employs SSL/TLS:
FTPS 
FTP over SSL/TLS 
HTTPS 
HTTP over SSL/TLS 
DNSSEC 
DNS with security extensions 
Internal VMS Links
External Links
Three Good Books
(of many)
 The Code Book: The Science of Secracy (Simon Singh)
 this book is a must read for anyone bootstrapping
into this profession
 Applied Cryptography: Protocols, Algorithms, and Source Code in C (Bruce Schneier)
 SSH: The Secure Shell The Definitive Guide (O'Reilly)
 second edition published in May of 2005
Introduction to Cryptography (web)
Tools and Toys
 download the cryptool learning
program from our friends at Deutsche Bank
Links:
(mostly) Wikipedia Resources
 Publickey Cryptography
 RSA
 Elliptic Curve Cryptography (who needs prime
number anyway?)
 OpenSSL
 OpenSSH
 OpenPGP

Steganography (hiding information
in plain sight (like inside GIFs and JPEGs)
comments:
 First consider a totally red pixel with
the HTML color code of "255,0,0". Would your eye be able to see the
difference between this color and "254,0,0"? (probably not)
 Now consider a picture in which all the colors have be preadjusted
to have even color numbers
 A binary code (zeros and ones) could be serially inserted into the
picture just by adjusting the color of each addressable pixel (binary 0
= even color; binary 1 = odd color)
 The code would be right before you eyes but you
would not see it but a computer could
Back
to
HomeNeil Rieck
Waterloo, Ontario, Canada.