Cryptography

Overview and Objectives

This module on Cryptography delves into the core mechanisms that underpin digital trust, enabling secure communication, data protection, and authentication in an increasingly connected world. Encryption transforms readable data into an unreadable format, only decipherable by authorized parties, forming the bedrock of cybersecurity. Students will gain hands-on experience applying cryptographic algorithms and managing systems, with a focus on practical implementation. By the end of this module, students will be able to:

• Use AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), and ECC (Elliptic Curve Cryptography) algorithms via OpenSSL for encryption, decryption, and key management.
• Build a PKI (Public Key Infrastructure) and manage digital certificates, including issuance, revocation, and validation.
• Secure TLS (Transport Layer Security) communications, analyzing and configuring protocols for real-world applications.

This module assumes basic math (e.g., modular arithmetic) and programming knowledge. Incorporate current trends: As of August 2025, with the rise of quantum computing threats, post-quantum cryptography (PQC) is transforming standards. NIST's finalized PQC algorithms (e.g., ML-KEM for key encapsulation, ML-DSA for signatures) are being integrated into PKI and TLS for quantum resistance. OpenSSL's latest version is 3.5.2 (released August 5, 2025), with 3.6 in development, supporting emerging PQC features. TLS 1.3 remains the standard, now enhanced with hybrid PQC key exchanges like X25519MLKEM768 to counter quantum risks. PGP continues to be secure for email and file encryption. Use case studies like the Log4Shell vulnerability (exploited via weak TLS configs) or quantum-threat simulations.

Estimated Time: 5-7 hours of lecture/discussion, plus labs (e.g., setting up a secure web server).

Prerequisites: Introduction to Cybersecurity, Basic Programming (e.g., command-line tools).

Assessment Ideas:

• Quiz on algorithms and their strengths/weaknesses.
• Lab report: Implement RSA encryption/decryption with OpenSSL and analyze performance.
• Project: Design a PKI for a small organization, including TLS setup and PQC considerations.

Key Concepts and Explanations

1. Symmetric Encryption: AES with OpenSSL

Symmetric algorithms use the same key for encryption and decryption, ideal for bulk data due to speed.

• AES: A block cipher standard (NIST-approved since 2001), operating on 128-bit blocks with key sizes of 128, 192, or 256 bits. AES-256 is recommended in 2025 for high-security needs, resistant to brute-force but vulnerable to side-channel attacks if poorly implemented.
  • Modes: ECB (insecure for patterns), CBC (chaining), GCM (authenticated encryption, preferred for integrity).
  • OpenSSL Usage: Commands like openssl enc -aes-256-cbc -in file.txt -out encrypted.bin for encryption.
  • Why it matters: Fast and efficient; used in VPNs, disk encryption (e.g., BitLocker).
  • Term to Explain: Block Cipher – An encryption method that processes data in fixed-size blocks (e.g., 128 bits), padding if needed, vs. stream ciphers (bit-by-bit).

2. Asymmetric Encryption: RSA and ECC with OpenSSL

Asymmetric (public-key) cryptography uses key pairs: public for encryption/signing verification, private for decryption/signing.

• RSA: Based on the difficulty of factoring large prime products. Key sizes: 2048-bit minimum, 4096-bit for long-term security in 2025. Shor's algorithm on quantum computers threatens RSA, prompting PQC shifts.

  • OpenSSL Usage: openssl genrsa -out private.key 4096 for key generation; openssl rsautl -encrypt for operations.
  • Applications: Key exchange, digital signatures.

• ECC: Leverages elliptic curve discrete logarithm problem for stronger security with smaller keys (e.g., 256-bit ECC ≈ 3072-bit RSA). Curves like NIST P-256 or Curve25519 are secure; Ed25519 for signatures.

  • OpenSSL Usage: openssl ecparam -name secp256r1 -genkey -out ecc.key.
  • Advantages: Faster, lower resource use; ideal for IoT/mobile.
  • Performance Comparison: ECC outperforms RSA in speed for similar security levels. Both vulnerable to quantum attacks, hence hybrids with PQC (e.g., ML-KEM).
  • Term to Explain: Key Exchange – Process where parties agree on a shared secret over insecure channels (e.g., Diffie-Hellman in ECC).

• Hybrid Cryptography: Combine asymmetric (for key exchange) with symmetric (for data), as asymmetric is slower.

3. Building PKI and Managing Digital Certificates

PKI provides a framework for secure electronic transactions using public-key cryptography.

• PKI Components: Root CA, intermediate CAs, end-entity certificates; revocation lists (CRL) or OCSP for validity checks.

  • Building PKI: Use OpenSSL to create a CA (openssl req -new -x509), issue certs (openssl x509 -req), and manage chains.
  • Management: Handle expiration (shorter lifespans in 2025: down to 47 days by 2029 for agility), revocation, and automation (e.g., ACME protocol).
  • 2025 Updates: Shift to crypto-agile PKI for PQC integration, supporting quantum-safe algorithms like ML-DSA for signatures.
  • Why it matters: Enables trust in e-commerce, VPNs; failures lead to breaches (e.g., Heartbleed in OpenSSL).
  • Term to Explain: Certificate Revocation List (CRL) – A list of revoked certificates published by CAs; OCSP provides real-time checks.

• Digital Certificates: X.509 standard binds public keys to identities, including subject, issuer, validity period, and extensions.

  • Management: Validation chains, pinning (HPKP deprecated; use Certificate Transparency logs).

4. Securing TLS Communications

TLS encrypts and authenticates web traffic, evolving from SSL.

• TLS 1.3: Mandatory since 2025 for compliance; features 0-RTT resumption, perfect forward secrecy (PFS). Deprecates weak ciphers (e.g., no RC4).

  • Securing: Configure servers (e.g., Nginx/Apache with OpenSSL) to enforce strong ciphers (AES-GCM + ECC).
  • 2025 Updates: Hybrid PQC support in TLS 1.3 (e.g., pure PQC or hybrids like SecP256r1MLKEM768) for quantum safety; rollouts by providers like Akamai and Microsoft.
  • Analysis: Use Wireshark to inspect handshakes; tools like SSL Labs for grading.
  • Term to Explain: Perfect Forward Secrecy (PFS) – Ensures session keys aren't compromised if long-term keys are, using ephemeral keys.

• PGP: OpenPGP standard for end-to-end encryption (e.g., emails via GPG). Uses hybrid model; still secure in 2025 for at-rest/transit protection, unlike TLS (transit-only).

Visualizations Using Mermaid Script

Incorporate these in lectures; students can modify them in Mermaid editors.

Visualization 1: PKI Hierarchy

Tree diagram showing certificate chain.

graph TD
    A[Root CA] --> B[Intermediate CA 1]
    A --> C[Intermediate CA 2]
    B --> D[Server Cert]
    B --> E[Client Cert]
    C --> F[Another Server Cert]
    subgraph "Trust Chain"
    A -.-> B
    B -.-> D
    end
    style A fill:#ff9,stroke:#333
    style D fill:#9f9,stroke:#333

Explanation in Class: Root is self-signed; trust flows down. Discuss revocation at any level.

Visualization 2: TLS 1.3 Handshake

Sequence diagram for simplified handshake.

sequenceDiagram
    participant Client
    participant Server
    Client->>Server: ClientHello (Extensions, Key Share)
    Server->>Client: ServerHello (Key Share, Cipher)
    Server->>Client: Encrypted Extensions, Certificate, Verify
    Client->>Server: Certificate (if mutual), Verify
    Note over Client,Server: Session Keys Derived (Hybrid PQC Possible)
    Client<->>Server: Application Data (Encrypted)

Explanation in Class: Highlight PQC integration in key share (e.g., ML-KEM). Compare to TLS 1.2's longer process.

Visualization 3: RSA Encryption Process

Flowchart for RSA operations.

flowchart TD
    A[Generate Primes p, q] --> B[Compute n = p*q, φ(n)]
    B --> C[Choose e (coprime to φ)]
    C --> D[Compute d (mod inverse of e)]
    D --> E[Public Key (e,n), Private (d,n)]
    E --> F[Encrypt: c = m^e mod n]
    F --> G[Decrypt: m = c^d mod n]
    style A fill:#ccf,stroke:#333
    style G fill:#ccf,stroke:#333

Explanation in Class: Walk through math; note quantum threats to factoring n.

Hands-On Activities and Examples

• Lab 1: Use OpenSSL to encrypt a file with AES-256-GCM, generate RSA/ECC keys, and sign/verify a message.
• Lab 2: Build a simple PKI: Create a root CA, issue certs, and set up a TLS-enabled web server (e.g., with Python's http.server).
• Case Study: Analyze the 2021 SolarWinds attack (supply-chain compromise via weak cert management); simulate PQC hybrid in TLS using OpenSSL experimental builds.
• Group Exercise: Benchmark AES vs. RSA vs. ECC performance on sample data, discussing trade-offs.

Key Skills Development

• OpenSSL: Command-line mastery through labs; explore PQC modules in v3.5+.
• AES/RSA/ECC: Implement and compare in scripts; measure against quantum risks.
• PKI/Digital Certificates: Design hierarchies; use tools like OpenSSL CA for management.
• TLS Analysis: Wireshark captures; configure secure servers with PFS and PQC hybrids.
• PGP: Set up GPG for email encryption; integrate with tools like Thunderbird.

Resources and Further Reading

• Books: "Cryptography Engineering" by Ferguson et al.; "Serious Cryptography" by Aumasson.
• Online: OpenSSL docs (openssl.org); NIST PQC site (csrc.nist.gov/projects/post-quantum-cryptography); Mozilla's TLS guidelines.
• Videos: Khan Academy on RSA; YouTube channels like Computerphile for ECC explanations.
• Tools: OpenSSL 3.5.2; Wireshark; GPG (gnupg.org); Libraries like Python's cryptography.io (updated to v45.0.6 in 2025).

Encourage monitoring sources like Schneier on Security for PQC advancements, as quantum threats loom closer in 2025. End with Q&A on terms like those explained.