Upload
technical-dude
View
2.159
Download
0
Embed Size (px)
Citation preview
EncryptionEncryptionMatches Domain 4.0 Basics of Matches Domain 4.0 Basics of
Cryptography Cryptography (15 percent of Security +)(15 percent of Security +)
Network Security ClassNetwork Security ClassDr. KleistDr. Kleist
Note: Most material from Harris, Shon. (2003). Note: Most material from Harris, Shon. (2003). All-In-One CISSP All-In-One CISSP Certification Exam Guide.Certification Exam Guide. New York: McGraw-Hill/Osborne. New York: McGraw-Hill/Osborne.
Security + Exam and Security + Exam and CryptographyCryptography
4.1 Identify and explain hashing, symmetric, 4.1 Identify and explain hashing, symmetric, asymmetric (chpt. 5)asymmetric (chpt. 5)
4.2 Understand cryptography and 4.2 Understand cryptography and confidentiality, integrity (digital signatures), confidentiality, integrity (digital signatures), authentication, non-repudiation (digital authentication, non-repudiation (digital signatures), access control (Chpt. 5)signatures), access control (Chpt. 5)
4.3 PKI: certificates, certificate policies, 4.3 PKI: certificates, certificate policies, revocation, trust models (Chpt. 5)revocation, trust models (Chpt. 5)
4.4 Crypto standards and protocols (Chpt. 5)4.4 Crypto standards and protocols (Chpt. 5) 4.5 Key Management and Certificate Lifecycles 4.5 Key Management and Certificate Lifecycles
(centralized v. decentralized, storage, escrow, (centralized v. decentralized, storage, escrow, expiration, revocation, suspension, recovery, expiration, revocation, suspension, recovery, renewal, destruction, key usage (Chpt. 6)renewal, destruction, key usage (Chpt. 6)
Sources of LectureSources of Lecture Slides are drawn from several sources. Slides are drawn from several sources. Some research from Conklin, W. A., G. Some research from Conklin, W. A., G.
White, C. Cothren, D. Williams, R. Davis. White, C. Cothren, D. Williams, R. Davis. (2004). (2004). Principles of Computer SecurityPrinciples of Computer Security. . Boston: McGraw-Hill Technology Boston: McGraw-Hill Technology Education. Education.
Also material from Schneier, B. (2000, Also material from Schneier, B. (2000, 2004). 2004). Secrets & Lies: Digital Security in a Secrets & Lies: Digital Security in a Networked World.Networked World. Indianapolis: Wiley Indianapolis: Wiley Publishing, Inc.Publishing, Inc.
Most of this material from Harris, Shon. Most of this material from Harris, Shon. (2003). (2003). All-In-One CISSP Certification Exam All-In-One CISSP Certification Exam Guide.Guide. New York: McGraw-Hill/Osborne. New York: McGraw-Hill/Osborne.
Exam 1Exam 1 Real exam is 90 minutes for 100 Real exam is 90 minutes for 100
questions, you must get a score of 764, questions, you must get a score of 764, and your points are normalized from 100 and your points are normalized from 100 to 900 points (i.e., changed in scaleto 900 points (i.e., changed in scale
Our exam 1 will be from real Security + Our exam 1 will be from real Security + exams, and will cover sections that are exams, and will cover sections that are matched to the chapters in our text, our matched to the chapters in our text, our lectures and the Schneier book. lectures and the Schneier book.
First exam will have 60 multiple choice First exam will have 60 multiple choice questions. questions.
Outline of Crypto SectionOutline of Crypto Section History of CryptographyHistory of Cryptography Common elements of all cryptographic Common elements of all cryptographic
systemssystems Cryptographic systems strengthCryptographic systems strength Types of ciphersTypes of ciphers Government involvementGovernment involvement Symmetric and asymmetric encryptionSymmetric and asymmetric encryption Digital signatures and certificate authoritiesDigital signatures and certificate authorities Cryptography in real networksCryptography in real networks PKIPKI
Outline, cont’d.Outline, cont’d. Key escrowKey escrow Methods of EncryptionMethods of Encryption Symmetric cryptography in NetworksSymmetric cryptography in Networks Asymmetric cryptography in NetworksAsymmetric cryptography in Networks Hybrid systemsHybrid systems PKIPKI CACA Message Integrity and HashesMessage Integrity and Hashes Digital SignatureDigital Signature One time padOne time pad
Outline, cont’dOutline, cont’d
Key managementKey management Hardware vs. software key Hardware vs. software key
managementmanagement Email standards, MIME, S/MIME, Email standards, MIME, S/MIME,
PEM, MSPPEM, MSP Standard cryptography used in Standard cryptography used in
networks of interest networks of interest Attacks on crypto systemsAttacks on crypto systems
History of CryptoHistory of Crypto The Code BookThe Code Book Substitution cipherSubstitution cipher Transposition cipherTransposition cipher Monoalphabetic substitutionMonoalphabetic substitution Scytale cipherScytale cipher Caesar cipherCaesar cipher Mary Queen of ScotsMary Queen of Scots Benedict ArnoldBenedict Arnold Enigma and TuringEnigma and Turing WindtalkersWindtalkers LuciferLucifer
Common Elements of All Common Elements of All CryptoCrypto
CryptanalysisCryptanalysis. . Trying to figure out the message Trying to figure out the message without the key.without the key.
Algorithm.Algorithm. Set of mathematical rules that dictate Set of mathematical rules that dictate enciphering and deciphering. Not part of the encryption enciphering and deciphering. Not part of the encryption process, widely known. process, widely known.
Key.Key. The key is the secret part of the process. An The key is the secret part of the process. An algorithm contains a keyspace, which is a range of values that algorithm contains a keyspace, which is a range of values that can be used to construct a key. Key is random values within can be used to construct a key. Key is random values within the keyspace range. The larger the key space, the more the keyspace range. The larger the key space, the more values can be used, and some think the safer the key, values can be used, and some think the safer the key, although Schneier disagrees. although Schneier disagrees.
Keyspace:Keyspace: Possible values to construct keys Possible values to construct keys Plaintext.Plaintext. The original data. The original data. Ciphertext.Ciphertext. Message after key is used following the Message after key is used following the
algorithm to the message, transforming it so eavesdroppers algorithm to the message, transforming it so eavesdroppers cannot figure it out. cannot figure it out.
Common Elements of All Common Elements of All CryptoCrypto
Encipher:Encipher: Transform data into Transform data into unreadable formatunreadable format
Decipher:Decipher: Transform data into Transform data into readable formatreadable format
Work factor:Work factor: Definition of the Definition of the amount of time, effort and resources amount of time, effort and resources necessary to break a crypto system.necessary to break a crypto system.
Cryptographic Systems Cryptographic Systems StrengthStrength
Strength of encryption comes from:Strength of encryption comes from: Algorithm, secrecy of key, length of key, Algorithm, secrecy of key, length of key, initialization vectors, and how they all work initialization vectors, and how they all work together. together.
Improper protection of the key can Improper protection of the key can seriously weaken cryptoseriously weaken crypto. (2600 discussion). (2600 discussion)
Goals of Crypto systems:Goals of Crypto systems: confidentiality, confidentiality, authenticity, integrity, nonrepudiationauthenticity, integrity, nonrepudiation
Crypto system:Crypto system: The hardware and software The hardware and software that implement the crypto transformationsthat implement the crypto transformations
Types of CiphersTypes of Ciphers
Substitution cipherSubstitution cipher Transposition cipherTransposition cipher Running and concealment cipherRunning and concealment cipher Stream and Block CiphersStream and Block Ciphers A little bit different: SteganographyA little bit different: Steganography
Government InvolvementGovernment Involvement
NSANSA Clipper ChipClipper Chip FBI and WiretappingFBI and Wiretapping
Symmetric and Asymmetric Symmetric and Asymmetric EncryptionEncryption
Symmetric:Symmetric: Faster than Faster than asymmetric, hard to break with asymmetric, hard to break with large key, hard to distribute keys, large key, hard to distribute keys, too many keys required, cannot too many keys required, cannot authenticate or provide non-authenticate or provide non-repudiation. repudiation.
Includes:Includes: DES, Triple DES, DES, Triple DES, Blowfish, IDEA, RC4, RC5, RC6, AESBlowfish, IDEA, RC4, RC5, RC6, AES
Symmetric and Asymmetric Symmetric and Asymmetric EncryptionEncryption
Asymmetric cryptography:Asymmetric cryptography: Better Better at key distribution, better scalability at key distribution, better scalability for large systems, can provide for large systems, can provide authentication and non-repudiation, authentication and non-repudiation, slow, math intensiveslow, math intensive
Includes:Includes: RSA, ECC, Diffie Hellman, RSA, ECC, Diffie Hellman, El Gamal, DSA, Knapsack, PGPEl Gamal, DSA, Knapsack, PGP
Hybrid Asymmetric and Hybrid Asymmetric and Symmetric SystemsSymmetric Systems
Called Public Key CryptographyCalled Public Key Cryptography Use asymmetric algorithm for protecting Use asymmetric algorithm for protecting
symmetric encryption keyssymmetric encryption keys Use asymmetric for protecting key Use asymmetric for protecting key
distributiondistribution Use secret key for bulk encryption Use secret key for bulk encryption
requirementsrequirements Just don’t let the secret key travel unless it Just don’t let the secret key travel unless it
was asymmetrically encrypted!was asymmetrically encrypted! Uses best advantages of each approachUses best advantages of each approach
Public Key InfrastructurePublic Key Infrastructure
Comprehensive approach to Comprehensive approach to establishing a level of securityestablishing a level of security
PKI as an amalgam of approachesPKI as an amalgam of approaches InfrastructureInfrastructure Provides authentication, Provides authentication,
confidentiality, nonrepudiation, confidentiality, nonrepudiation, integrityintegrity
Specific protocols are not PKI, but an Specific protocols are not PKI, but an overarching architectureoverarching architecture
Certificate AuthorityCertificate Authority
Public Key CertificatePublic Key Certificate Registration AuthorityRegistration Authority Structure of CertificatesStructure of Certificates Trusted OrganizationTrusted Organization Can be internal or external to the Can be internal or external to the
organizationorganization Entrust, VerisignEntrust, Verisign Certification Revocation ListsCertification Revocation Lists Can be provided by browserCan be provided by browser
Message Integrity and Message Integrity and HashesHashes
Has message been altered?Has message been altered? Hash, hash functionHash, hash function One way hashOne way hash Message digestMessage digest Create a fingerprint of a messageCreate a fingerprint of a message Message can be altered either Message can be altered either
intentionally or unintentionallyintentionally or unintentionally
Digital SignatureDigital Signature
Hash value encrypted with the Hash value encrypted with the sender’s private keysender’s private key
Act of signing means encrypting Act of signing means encrypting message’s hash value with private keymessage’s hash value with private key
Ensures that message was not altered Ensures that message was not altered and also came from Boband also came from Bob
Ensures integrity, authentication, and Ensures integrity, authentication, and non-repudiationnon-repudiation
DSSDSS
AlgorithmsAlgorithms AsymmetricAsymmetric
RSARSA ECCECC Diffie HellmanDiffie Hellman El GamalEl Gamal Digital SignatureDigital Signature
SymmetricSymmetric DES, 3DESDES, 3DES BlowfishBlowfish IDEAIDEA RC4RC4 SAFERSAFER
Hashing AlgorithmsHashing Algorithms
MD2MD2 MD4MD4 MD5MD5 SHASHA HAVALHAVAL What does a good cryptographic What does a good cryptographic
hash function have?hash function have?
One Time PadOne Time Pad
What is a one time pad?What is a one time pad? Perfect encryptionPerfect encryption RandomRandom Integrated into some applicationsIntegrated into some applications High securityHigh security But, have to distribute pad (like But, have to distribute pad (like
German High Command with German High Command with submarines and Enigma codes)submarines and Enigma codes)
Issues of Key Issues of Key ManagementManagement
PrinciplesPrinciples Key lengthKey length StorageStorage RandomRandom More used, shorter its lifetimeMore used, shorter its lifetime EscrowEscrow Destroy at end of lifetimeDestroy at end of lifetime
Hardware v. SoftwareHardware v. Software
Software less expensiveSoftware less expensive Hardware more expensiveHardware more expensive Software slower throughputSoftware slower throughput Hardware faster throughputHardware faster throughput Software more easily modifiedSoftware more easily modified High end solutions will be hardwareHigh end solutions will be hardware
Email StandardsEmail Standards
MIMEMIME S/MIMES/MIME PEMPEM MSPMSP
What do Networks Use What do Networks Use for Real?for Real?
PGPPGP
Phil ZimmermanPhil Zimmerman FreeFree DownloadDownload ImplementImplement Use on emailUse on email Print message encoded and decodedPrint message encoded and decoded Web of TrustWeb of Trust
Internet SecurityInternet Security
HTTPHTTP S-HTTPS-HTTP HTTPSHTTPS SSLSSL SETSET SSHSSH IPSecIPSec
Attacks on Crypto Attacks on Crypto SystemsSystems
Ciphertext Only AttackCiphertext Only Attack Know Plaintext AttackKnow Plaintext Attack Chosen Plaintext AttackChosen Plaintext Attack Man In the Middle AttackMan In the Middle Attack Dictionary AttackDictionary Attack Side ChannelSide Channel