Upload
troy-parks
View
21
Download
1
Embed Size (px)
DESCRIPTION
Cryptography. What is Cryptography?. A method of storing and transmitting data in a form that is unreadable to unauthorized individuals. History of Cryptography. It has been around since the time of the Egyptians It can take on many different forms - PowerPoint PPT Presentation
Citation preview
CISSP All in One Shon Harris 2
What is Cryptography?
• A method of storing and transmitting data in a form that is unreadable to unauthorized individuals
CISSP All in One Shon Harris 3
History of Cryptography
• It has been around since the time of the Egyptians
• It can take on many different forms– Scytale - Used by Egyptians to send encoded
messages to front line– Caesars cipher - A simple substitution cipher– Enigma– Red machine - WWII
CISSP All in One Shon Harris 4
Cryptography in the Modern World
• Used by -– The military– Government– Industry– Individuals
CISSP All in One Shon Harris 5
Cryptography in Our Life
• Secure Web browsing
• PGP
• ATM
• DVD's
• Mobile phones
CISSP All in One Shon Harris 6
Understanding Cryptography
• Encryption = Plaintext converted to Ciphertext• Decryption = Ciphertext converted to
Plaintext
CISSP All in One Shon Harris 7
Terms• Secret key encryption - Symmetric keys that
cryptography algorithms use– One key used to lock and unlock the data
• Public key encryption - Asymmetric keys that cryptography algorithms use– Two keys– One key is used to lock the data– One key is used to unlock the data
• Algorithm - Set of mathematical rules used in encryption and decryption
• Cryptanalysis - Practice of -– Obtaining plaintext from ciphertext without a key– Breaking the encryption
• Steganography - Method of hiding data in another media so that the very existence of the data is concealed
CISSP All in One Shon Harris 8
Goals of Cryptography
• Goals– Privacy– Integrity– Authentication– Nonrepudiation
• Realistic goal– To make obtaining the information too work
intensive or time-consuming to be worthwhile to the attacker
CISSP All in One Shon Harris 9
Cipher Methods• Plaintext can be encrypted through bit stream or block cipher
method
• Bit stream: each plaintext bit transformed into cipher bit one bit at a time
• Block cipher: message divided into blocks (e.g., sets of 8,16,32,64-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key
• Bit stream methods use algorithm functions like exclusive OR (XOR)
• Block methods use substitution, transposition, XOR or combinations of each
CISSP All in One Shon Harris 10
Substitution Cipher
Substitution cipher: substitute one value for another
– Example: Substitute a letter in the alphabet with 3 letters to the right
• Monoalphabetic substitution: uses only one alphabet
• Polyalphabetic substitution: more advanced; uses two or more alphabets
CISSP All in One Shon Harris 11
Transposition and XOR• Transposition cipher (Permutation Cipher): rearranges
values within a block to create ciphertext
• Exclusive OR (XOR): function of Boolean algebra; two bits are compared
– If two bits are identical, result is binary 0
– If two bits not identical, result is binary 1
– XOR is simple to implement and equally simple to break
CISSP All in One Shon Harris 12
Elements of Cryptosystems• Vernam cipher: developed at AT&T
– uses set of characters once per encryption process
– Also known as the one-time pad
– Message is XORed with a keystream
– Most secure if the key is secure
CISSP All in One Shon Harris 13
Running and Concealment Cipher
• Book (running key) cipher– uses text in book as key to decrypt a
message– ciphertext contains codes representing page,
line and word numbers – Example: Message = 259.19.8; 22,3,8;
375,7,4• Concealment Cipher
– Message within a message.
CISSP All in One Shon Harris 14
What is Steganography?
The process of hiding data in images • Uses-
– Graphic images – MP3 files– Word documents
• Does not use algorithms or keys to encrypt the data
• Changes the least significant bit of each byte within the image
CISSP All in One Shon Harris 15
Steganography in MP3 Files
• MP3Stego hides information in MP3 files
• The data is -– Compressed– Encrypted– Hidden in the MP3 bit stream
CISSP All in One Shon Harris 17
Secret Key EncryptionSymmetric• DES• 3DES•Blowfish•IDEA• RC4, RC5, RC6•AES
Crypto Type• Tradition or standard• One key (private)• Key size - 40, 56,
128, 256, or 512 bit• The larger the key the more secure the data
Problems - Key
management
CISSP All in One Shon Harris 18
Public Key Encryption
Crypto Type• Public key cryptography• Dual key (public and private)• Larger key size• Common algorithms
DH and RSA• Problem – Speed. Not as fast as private key encryption
Asymmetric• DH• RSA• PGP
CISSP All in One Shon Harris 19
Encryption Methods
• Symmetric keys (or secret keys)
• Asymmetric keys (or public keys)
CISSP All in One Shon Harris 20
Symmetric Cryptography
• Strengths– Fast
• Weaknesses– Key distribution– Scalability
• Many keys for encrypting different data– Limited security
• Symmetric crypto achieves– Confidentiality– NO authentication or non repudiation
• Security of the encryption depends on how well users protect the key
• Keys must be distributed in an out-of-band method• Number generation must be random
CISSP All in One Shon Harris 21
PRNGs, Truly Random Seed Values, and Keys
Truly Random Seed Value
PRNG (Psudo Random Number Generator)
and Key Generator
Keys
The security of an algorithm rests in the key. If you're using a cryptographically weak process to generate keys, then your whole system is weak.— Bruce Schneier, Applied Cryptography
CISSP All in One Shon Harris 22
Random Seed values and Keys
• How keys are generated– Primer
• Dummy initialization vector (IV) to build up the cipher speed and strength of the key
– Padding• Adds random data to even-out block sizes
CISSP All in One Shon Harris 23
Block and Stream Ciphers
• Block cipher– A cipher which processes one block at a time– Blocks of data
• Subject to frequency analysis• Not suited for hardware• Implemented in software
• Stream cipher– A cipher which processes a single bit or byte at a time– Stream of bits
• Easily implemented in hardware– Sending and receiving device must have the same
key
CISSP All in One Shon Harris 24
Block Cipher
• Confusion– Carried out through substitution
• Diffusion– Carried out by using transposition
• S-boxes– Substitution boxes– Contain lookup tables used by the algorithm to
encrypt– Key dictates the use of an s-box
• Implemented in Software
CISSP All in One Shon Harris 25
Symmetric CryptographyName Block Size Key SizeDES 64 56 bits
3DES 64 56 bits (may use 2 or 3 keys)
AES 128 128,192 or 266 bits
IDEA 64 128 bits
Blowfish 64 Up to 448 bits
Twofish 128 Up tp 256 bits
RC4 N/A (stream) Variable (WEP uses 40 or 104 bits)
RC5 32,64 or 128 bits Up to 2048
CISSP All in One Shon Harris 26
DES – Data encryption Standard
• NIST-National Institute of Standards and Technology– Began researching symmetric ciphers in the 1960s
• Lucifer– Developed by IBM in 1974– Accepted as the first national standard
• ANSI– Agreed in 1978
• From these roots, the NSA developed DES• Replaced by Rijndael (AES)
CISSP All in One Shon Harris 27
DES Attacks
• Cryptanalysis assumptions– Algorithm known by adversaries– Adversary may have ciphertext and /or
plaintext– Adversary must try to find all possible keys– Trying all keys is a very time-intensive
process but possible with the increasing power of computer processors
CISSP All in One Shon Harris 28
How Does DES Work?
• 64 bit blocks
• Minus 8 parity bits = 56 bit key
• 16 rounds of transposition and substitution– Electronic Code Book (ECB)– Cipher Block Chaining (CBC)– Cipher Feedback Mode (CFB)– Output Feedback Mode (OFB)– Counter mode
CISSP All in One Shon Harris 29
Electronic Code Book (ECB)
• A mode of DES that operates like a code book– Using a key, a 64 bit data block is entered into
the algorithm– A block of cipher text is produced– ECB pads the ends of messages that don't
have exactly 64 bits
• Fast/simple• Small amounts of data – PIN numbers
CISSP All in One Shon Harris 30
Cipher Block Chaining (CBC)
• Produces a more secure cipher text – Each block of text and the key is applied to the next
block of text– 64 bit plaintext blocks loaded sequentially
• XORed with next text block
CISSP All in One Shon Harris 31
Cipher Feedback Mode (CFB)• Takes the previously-generated ciphertext from the last
encrypted block of text• Inputs it into an algorithm • Generates random values • Combines random values with the current block of text to
produce ciphertext• Block cipher
CISSP All in One Shon Harris 32
Output Feedback Mode (OFM)
• Similar to CFB• Keystream from the previous block used to
generate keystream for the next block• OFB used to encrypt digital video, digital voice
CISSP All in One Shon Harris 33
Counter Mode
• Similar to OFB
• Instead of using randomly unique IV to generate keystream uses a IV counter to increment IV for each block
• Used for encrypting ATM cells for virtual circuits, IPSec and 802.11i
CISSP All in One Shon Harris 34
Double DES
• Developed to be more secure than DES
• No more effective than standard DES
• Key length 112 bits
CISSP All in One Shon Harris 35
Triple-DES (3DES)
• 3 rounds of computation• May use two or three keys
– DES-EEE3• Three different keys
– DES-EDE3• Encrypt / decrypt / encrypt method
– DES-EEE2• Same as previous except first and third encryption use same
key
– DES-EDE2• Same as EDE3, except first and third encryption use the
same key
CISSP All in One Shon Harris 36
Advanced Encryption Standard (AES)
• DES was crackable
• Government searched for a new symmetric encryption standard
• Rijndael was chosen– Block cipher– Variable block and key lengths
CISSP All in One Shon Harris 38
Asymmetric Cryptography
• Secure message format
• Open message format
• Signatures
CISSP All in One Shon Harris 39
Strengths – Asymmetric cryptography
• Key distribution
• Scalability
• Provides -– Confidentiality– Authentication– Non-repudiation
• Weaknesses– Slow
CISSP All in One Shon Harris 40
Asymmetric Cryptography
• Two keys in a public key system– Public - Known to everyone– Private - Known only to the sender
• Public keys are usually listed in directories or databases
CISSP All in One Shon Harris 41
Public Key Cryptography
Ciphertext
Ciphertext PlainText
Receiver's Public Key
Receiver's Private Key
PlainText
Decryption
Encryption
CISSP All in One Shon Harris 42
Asymmetric Cryptography Types
• RSA– Large prime numbers
• Elliptical curve cryptosystem (ECC)– Wireless
• Diffie-Hellman (DH)– Only for session key agreement– Based on calculating discrete logarithms into
a finite field
CISSP All in One Shon Harris 43
Asymmetric Cryptography Types
• EIGamal– Same algorithm as DH– Used for more services
• Digital Signature Algorithm (DSA)– Used in DSS
• Knapsack– Older key agreement protocol– Based on weights
CISSP All in One Shon Harris 44
RSA
• A public-key cryptosystem • Developed in 1977 by MIT professors Ronald L.
Rivest, Adi Shamir, and Leonard M. Adleman• Goal was to help ensure internet security• Widely used• "De-facto" encryption standard• Used with -
– SSL– PGP– Many Web browsers
CISSP All in One Shon Harris 45
El Gamal
• Another public key algorithm
• Can be used for digital signatures and key exchange
• Operates by calculating discrete logarithms
CISSP All in One Shon Harris 46
Elliptical Curve Cryptosystem (ECC)
• Much like RSA Used for -– Digital signatures– Secure key distribution– Encryption
• Widely used in wireless devices
CISSP All in One Shon Harris 47
Knapsack
• Older key agreement protocol
• Developed in 1984
• Revised in 1988
• Based on weights
• Has been broken
CISSP All in One Shon Harris 48
Diffie-Hellman
• Public-key cryptography
• Invented in 1976 by Whitfield Diffie and Martin Hellman
• Used for key distribution
• Cannot be used to encrypt and decrypt messages
CISSP All in One Shon Harris 50
Network Layer Protection -IPSEC
Main advantage – Transparency to
applications
• Main disadvantage
- Requires a new version of the operating system
TCP/IP Stack
Process layer
Host-to-host layer
Internet layer
IPSEC encrypts everything the higher level protocols and applications send down the stack
Network access layer
CISSP All in One Shon Harris 51
Application Layer Protection – S- HTTP
TCP/IP Stack
Process layer
S-HTTP is a direct replacement for HTTP when secure messages are required
Host-to-host layer
Internet layer
Network access layer
CISSP All in One Shon Harris 52
Transport layer protection - SSL
• Designed by Netscape to be a generic protocol for application other than just HTTP
• All information between two computers has to be encrypted
TCP/IP Stack
Process layer
Host-to-host layer
The SSL protocol operates at the Host-to-Host layer of the TCP/IP model to authenticate and encrypt an entire two-way TCP session
Internet layer
Network access layer
CISSP All in One Shon Harris 53
PGP Purpose and Function
• PGP provides security services for-– Files– Email– TCP/IP network communications
• PGP provides four security functions– Authentication– Message integrity– Non-repudiation (digital signature)– Data privacy
CISSP All in One Shon Harris 54
PGP Message Transformation
• Plaintext
• Optional signature
• Compression
• Optional encryption
• Optional transmission encoding
• Ciphertext
CISSP All in One Shon Harris 55
PGP- Signature
• Senders encrypt the hash result using their RSA private key– Hashing is a one way process– Where we take a value and hash it and we
get a result– Hash value is added to the private key– Now we have a signature and a way to know
that the data was sent by a particular individual
– Authentication and non-repudiation
CISSP All in One Shon Harris 56
PGP Compression
• After the signing step– Combines and compresses message and
signature– Provides transmission efficiencies– Eliminates redundancies in plaintext
• Before encryption step
CISSP All in One Shon Harris 57
Encryption and Decryption
• Sender sends a message to the Recipient• Sender
– Creates a message and compresses it– Generates a session key– Encrypts the message using the session key– Encrypts the session key using the recipient's public
key– Transmits the session key along with the encrypted
message • Recipient -
– Decrypts the session key using his private key– Decrypts the message using the session key
CISSP All in One Shon Harris 58
PGP Trust
• Distribution methods– Hand delivery– Email attachment– Key repository
• Trust models– Direct– Hierarchical– Web
• Trust levels– Complete– Marginal– Untrusted
CISSP All in One Shon Harris 59
PGP Algorithms Supported
• Digital signature creation– RSA/SHA– DSS/SHA
• Encrypt the message– IDEA (International Data Encryptions
Algorithm)– 3DES with DH or RSA
CISSP All in One Shon Harris 61
Key Management and PKI
• PKI addresses Key management issues
• Basic concepts and terms
• Public and private key algorithms
• Key distribution and management
• Digital signatures
• Miscellaneous crypto
CISSP All in One Shon Harris 62
Key Management Issues
• Key storage and recovery• Key revocation for lost or compromised keys• Must be fully automated• No key is clear outside the crypto system• Choose key randomly from entire key space• Key-encrypting key (session key) must be
separate from data keys• Infrequent use keys with long life
CISSP All in One Shon Harris 63
Key Management Concepts
• Using the public key system, A wants to talk to B
• C is the key distribution center and A has B’s public key
• A calls B, and the calling protocol contacts C
• C encrypts a session key, K with the public keys and send the encrypted K to A and B
• A and B can then communicate
CISSP All in One Shon Harris 64
Key Escrow
• Separate agencies maintain components of private key, which combined, can be used to decipher text
• Two agencies have to get together to decrypt cipher text
• Example: Clipper chip– Secret algorithm– Unpopular and unsued
• Issues include key storage and big brother
CISSP All in One Shon Harris 65
PKI Components
• Stands for Public Key Infrastructure (PKI)
• Necessary for widespread electronic commerce
• No absolute definition or standard
CISSP All in One Shon Harris 66
Certificate Authority
• A system of digital certificates and other registration authorities
• Verifies and authenticates the validity of parties in Internet transactions
• Trusted, third-party organization• Guarantees that the individual granted the
certificate is who he / she claims to be• Usually has arrangement with a financial
institution to confirm identity• Critical to data security and electronic commerce
CISSP All in One Shon Harris 67
Digital Signature
• Used like a written signature
• Binds a message to an individual
• Provides non-repudiation
• Easy with public key encryption
• Also known as a Message Authentication Code
CISSP All in One Shon Harris 68
Digital Signature
• S is sender, R is recipient, and M is the message
• R must be able to validate S's signature on M• No one can forge S's signature• If S denies signing M, a third party must be able
to resolve the dispute between S and R• Alternative
– Compute a digest of message using a public hash function
– Encrypt digest using private key– The only cipher text is the hash
CISSP All in One Shon Harris 69
Hash Function
• Hash function produces a message digest• Message digest is also known as a
fingerprint or imprint• Two messages with the same digest are
extremely unlikely– Neither signer nor recipient can claim a
different message was signed
• Birthday attack: Collision. Two messages generate the same MAC
CISSP All in One Shon Harris 70
Digital Signature Standard (DSS)
• Uses secure hash algorithm
• Condenses message to 160 bits
• Key size 512-1024 bits
• Proposed by NIST in 1991
CISSP All in One Shon Harris 72
Message Authentication Code
• MAC – General term used to describe digital
signature
CISSP All in One Shon Harris 74
Cryptanalysis Terms
• Cipher text-only attack - Attacker attempts to decrypt cipher text
• Known-plain text attack - Attacker attempts to decrypt cipher text given knowledge of some plain text
CISSP All in One Shon Harris 75
Cryptanalysis Terms
• Chosen-plain text attack - Attacker obtains cipher text corresponding to selected plain text
• Chosen-cipher text attack - Attacker obtains plain text corresponding to selected cipher text (in a public key system, when trying to deduce private key)
CISSP All in One Shon Harris 76
Attacks
• Brute force attack– Attempts to use all keys
• Expensive • Time consuming
• However, processing speed doubles every 18 months
• Clustered workstations
CISSP All in One Shon Harris 77
Attacks
• Analytic– Uses algorithm and algebraic manipulation to
reduce complexity
• Implementation– Microsoft – PPP – passwords in clear text– Netscape - Poorly randomized keys
• Statistical– Uses statistical weaknesses in design– Certain amount of 0s and 1s in a stream.