Cryptography

CISSP All in One Shon Harris 1

Cryptography


What is Cryptography?

• A method of storing and transmitting data in a form that is unreadable to unauthorized individuals


History of Cryptography

• It has been around since the time of the Egyptians

• It can take on many different forms– Scytale - Used by Egyptians to send encoded

messages to front line– Caesars cipher - A simple substitution cipher– Enigma– Red machine - WWII


Cryptography in the Modern World

• Used by -– The military– Government– Industry– Individuals


Cryptography in Our Life

• Secure Web browsing

• PGP

• ATM

• DVD's

• Mobile phones


Understanding Cryptography

• Encryption = Plaintext converted to Ciphertext• Decryption = Ciphertext converted to

Plaintext


Terms• Secret key encryption - Symmetric keys that

cryptography algorithms use– One key used to lock and unlock the data

• Public key encryption - Asymmetric keys that cryptography algorithms use– Two keys– One key is used to lock the data– One key is used to unlock the data

• Algorithm - Set of mathematical rules used in encryption and decryption

• Cryptanalysis - Practice of -– Obtaining plaintext from ciphertext without a key– Breaking the encryption

• Steganography - Method of hiding data in another media so that the very existence of the data is concealed


Goals of Cryptography

• Goals– Privacy– Integrity– Authentication– Nonrepudiation

• Realistic goal– To make obtaining the information too work

intensive or time-consuming to be worthwhile to the attacker


Cipher Methods• Plaintext can be encrypted through bit stream or block cipher

method

• Bit stream: each plaintext bit transformed into cipher bit one bit at a time

• Block cipher: message divided into blocks (e.g., sets of 8,16,32,64-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key

• Bit stream methods use algorithm functions like exclusive OR (XOR)

• Block methods use substitution, transposition, XOR or combinations of each


Substitution Cipher

Substitution cipher: substitute one value for another

– Example: Substitute a letter in the alphabet with 3 letters to the right

• Monoalphabetic substitution: uses only one alphabet

• Polyalphabetic substitution: more advanced; uses two or more alphabets


Transposition and XOR• Transposition cipher (Permutation Cipher): rearranges

values within a block to create ciphertext

• Exclusive OR (XOR): function of Boolean algebra; two bits are compared

– If two bits are identical, result is binary 0

– If two bits not identical, result is binary 1

– XOR is simple to implement and equally simple to break


Elements of Cryptosystems• Vernam cipher: developed at AT&T

– uses set of characters once per encryption process

– Also known as the one-time pad

– Message is XORed with a keystream

– Most secure if the key is secure


Running and Concealment Cipher

• Book (running key) cipher– uses text in book as key to decrypt a

message– ciphertext contains codes representing page,

line and word numbers – Example: Message = 259.19.8; 22,3,8;

375,7,4• Concealment Cipher

– Message within a message.


What is Steganography?

The process of hiding data in images • Uses-

– Graphic images – MP3 files– Word documents

• Does not use algorithms or keys to encrypt the data

• Changes the least significant bit of each byte within the image


Steganography in MP3 Files

• MP3Stego hides information in MP3 files

• The data is -– Compressed– Encrypted– Hidden in the MP3 bit stream


Secret Key Encryption and Uses


Secret Key EncryptionSymmetric• DES• 3DES•Blowfish•IDEA• RC4, RC5, RC6•AES

Crypto Type• Tradition or standard• One key (private)• Key size - 40, 56,

128, 256, or 512 bit• The larger the key the more secure the data

Problems - Key

management


Public Key Encryption

Crypto Type• Public key cryptography• Dual key (public and private)• Larger key size• Common algorithms

DH and RSA• Problem – Speed. Not as fast as private key encryption

Asymmetric• DH• RSA• PGP


Encryption Methods

• Symmetric keys (or secret keys)

• Asymmetric keys (or public keys)


Symmetric Cryptography

• Strengths– Fast

• Weaknesses– Key distribution– Scalability

• Many keys for encrypting different data– Limited security

• Symmetric crypto achieves– Confidentiality– NO authentication or non repudiation

• Security of the encryption depends on how well users protect the key

• Keys must be distributed in an out-of-band method• Number generation must be random


PRNGs, Truly Random Seed Values, and Keys

Truly Random Seed Value

PRNG (Psudo Random Number Generator)

and Key Generator

Keys

The security of an algorithm rests in the key. If you're using a cryptographically weak process to generate keys, then your whole system is weak.— Bruce Schneier, Applied Cryptography


Random Seed values and Keys

• How keys are generated– Primer

• Dummy initialization vector (IV) to build up the cipher speed and strength of the key

– Padding• Adds random data to even-out block sizes


Block and Stream Ciphers

• Block cipher– A cipher which processes one block at a time– Blocks of data

• Subject to frequency analysis• Not suited for hardware• Implemented in software

• Stream cipher– A cipher which processes a single bit or byte at a time– Stream of bits

• Easily implemented in hardware– Sending and receiving device must have the same

key


Block Cipher

• Confusion– Carried out through substitution

• Diffusion– Carried out by using transposition

• S-boxes– Substitution boxes– Contain lookup tables used by the algorithm to

encrypt– Key dictates the use of an s-box

• Implemented in Software


Symmetric CryptographyName Block Size Key SizeDES 64 56 bits

3DES 64 56 bits (may use 2 or 3 keys)

AES 128 128,192 or 266 bits

IDEA 64 128 bits

Blowfish 64 Up to 448 bits

Twofish 128 Up tp 256 bits

RC4 N/A (stream) Variable (WEP uses 40 or 104 bits)

RC5 32,64 or 128 bits Up to 2048


DES – Data encryption Standard

• NIST-National Institute of Standards and Technology– Began researching symmetric ciphers in the 1960s

• Lucifer– Developed by IBM in 1974– Accepted as the first national standard

• ANSI– Agreed in 1978

• From these roots, the NSA developed DES• Replaced by Rijndael (AES)


DES Attacks

• Cryptanalysis assumptions– Algorithm known by adversaries– Adversary may have ciphertext and /or

plaintext– Adversary must try to find all possible keys– Trying all keys is a very time-intensive

process but possible with the increasing power of computer processors


How Does DES Work?

• 64 bit blocks

• Minus 8 parity bits = 56 bit key

• 16 rounds of transposition and substitution– Electronic Code Book (ECB)– Cipher Block Chaining (CBC)– Cipher Feedback Mode (CFB)– Output Feedback Mode (OFB)– Counter mode


Electronic Code Book (ECB)

• A mode of DES that operates like a code book– Using a key, a 64 bit data block is entered into

the algorithm– A block of cipher text is produced– ECB pads the ends of messages that don't

have exactly 64 bits

• Fast/simple• Small amounts of data – PIN numbers


Cipher Block Chaining (CBC)

• Produces a more secure cipher text – Each block of text and the key is applied to the next

block of text– 64 bit plaintext blocks loaded sequentially

• XORed with next text block


Cipher Feedback Mode (CFB)• Takes the previously-generated ciphertext from the last

encrypted block of text• Inputs it into an algorithm • Generates random values • Combines random values with the current block of text to

produce ciphertext• Block cipher


Output Feedback Mode (OFM)

• Similar to CFB• Keystream from the previous block used to

generate keystream for the next block• OFB used to encrypt digital video, digital voice


Counter Mode

• Similar to OFB

• Instead of using randomly unique IV to generate keystream uses a IV counter to increment IV for each block

• Used for encrypting ATM cells for virtual circuits, IPSec and 802.11i


Double DES

• Developed to be more secure than DES

• No more effective than standard DES

• Key length 112 bits


Triple-DES (3DES)

• 3 rounds of computation• May use two or three keys

– DES-EEE3• Three different keys

– DES-EDE3• Encrypt / decrypt / encrypt method

– DES-EEE2• Same as previous except first and third encryption use same

key

– DES-EDE2• Same as EDE3, except first and third encryption use the

same key


Advanced Encryption Standard (AES)

• DES was crackable

• Government searched for a new symmetric encryption standard

• Rijndael was chosen– Block cipher– Variable block and key lengths


Public Key Algorithms and Uses


Asymmetric Cryptography

• Secure message format

• Open message format

• Signatures


Strengths – Asymmetric cryptography

• Key distribution

• Scalability

• Provides -– Confidentiality– Authentication– Non-repudiation

• Weaknesses– Slow


Asymmetric Cryptography

• Two keys in a public key system– Public - Known to everyone– Private - Known only to the sender

• Public keys are usually listed in directories or databases


Public Key Cryptography

Ciphertext

Ciphertext PlainText

Receiver's Public Key

Receiver's Private Key

PlainText

Decryption

Encryption


Asymmetric Cryptography Types

• RSA– Large prime numbers

• Elliptical curve cryptosystem (ECC)– Wireless

• Diffie-Hellman (DH)– Only for session key agreement– Based on calculating discrete logarithms into

a finite field


Asymmetric Cryptography Types

• EIGamal– Same algorithm as DH– Used for more services

• Digital Signature Algorithm (DSA)– Used in DSS

• Knapsack– Older key agreement protocol– Based on weights


RSA

• A public-key cryptosystem • Developed in 1977 by MIT professors Ronald L.

Rivest, Adi Shamir, and Leonard M. Adleman• Goal was to help ensure internet security• Widely used• "De-facto" encryption standard• Used with -

– SSL– PGP– Many Web browsers


El Gamal

• Another public key algorithm

• Can be used for digital signatures and key exchange

• Operates by calculating discrete logarithms


Elliptical Curve Cryptosystem (ECC)

• Much like RSA Used for -– Digital signatures– Secure key distribution– Encryption

• Widely used in wireless devices


Knapsack

• Older key agreement protocol

• Developed in 1984

• Revised in 1988

• Based on weights

• Has been broken


Diffie-Hellman

• Public-key cryptography

• Invented in 1976 by Whitfield Diffie and Martin Hellman

• Used for key distribution

• Cannot be used to encrypt and decrypt messages


E-commerce Protection Methods

– IPSEC – SHTTP – SSL


Network Layer Protection -IPSEC

Main advantage – Transparency to

applications

• Main disadvantage

- Requires a new version of the operating system

TCP/IP Stack

Process layer

Host-to-host layer

Internet layer

IPSEC encrypts everything the higher level protocols and applications send down the stack

Network access layer


Application Layer Protection – S- HTTP

TCP/IP Stack

Process layer

S-HTTP is a direct replacement for HTTP when secure messages are required

Host-to-host layer

Internet layer



Transport layer protection - SSL

• Designed by Netscape to be a generic protocol for application other than just HTTP

• All information between two computers has to be encrypted

TCP/IP Stack

Process layer

Host-to-host layer

The SSL protocol operates at the Host-to-Host layer of the TCP/IP model to authenticate and encrypt an entire two-way TCP session

Internet layer



PGP Purpose and Function

• PGP provides security services for-– Files– Email– TCP/IP network communications

• PGP provides four security functions– Authentication– Message integrity– Non-repudiation (digital signature)– Data privacy


PGP Message Transformation

• Plaintext

• Optional signature

• Compression

• Optional encryption

• Optional transmission encoding

• Ciphertext


PGP- Signature

• Senders encrypt the hash result using their RSA private key– Hashing is a one way process– Where we take a value and hash it and we

get a result– Hash value is added to the private key– Now we have a signature and a way to know

that the data was sent by a particular individual

– Authentication and non-repudiation


PGP Compression

• After the signing step– Combines and compresses message and

signature– Provides transmission efficiencies– Eliminates redundancies in plaintext

• Before encryption step


Encryption and Decryption

• Sender sends a message to the Recipient• Sender

– Creates a message and compresses it– Generates a session key– Encrypts the message using the session key– Encrypts the session key using the recipient's public

key– Transmits the session key along with the encrypted

message • Recipient -

– Decrypts the session key using his private key– Decrypts the message using the session key


PGP Trust

• Distribution methods– Hand delivery– Email attachment– Key repository

• Trust models– Direct– Hierarchical– Web

• Trust levels– Complete– Marginal– Untrusted


PGP Algorithms Supported

• Digital signature creation– RSA/SHA– DSS/SHA

• Encrypt the message– IDEA (International Data Encryptions

Algorithm)– 3DES with DH or RSA


PKI and Digital Signatures


Key Management and PKI

• PKI addresses Key management issues

• Basic concepts and terms

• Public and private key algorithms

• Key distribution and management

• Digital signatures

• Miscellaneous crypto


Key Management Issues

• Key storage and recovery• Key revocation for lost or compromised keys• Must be fully automated• No key is clear outside the crypto system• Choose key randomly from entire key space• Key-encrypting key (session key) must be

separate from data keys• Infrequent use keys with long life


Key Management Concepts

• Using the public key system, A wants to talk to B

• C is the key distribution center and A has B’s public key

• A calls B, and the calling protocol contacts C

• C encrypts a session key, K with the public keys and send the encrypted K to A and B

• A and B can then communicate


Key Escrow

• Separate agencies maintain components of private key, which combined, can be used to decipher text

• Two agencies have to get together to decrypt cipher text

• Example: Clipper chip– Secret algorithm– Unpopular and unsued

• Issues include key storage and big brother


PKI Components

• Stands for Public Key Infrastructure (PKI)

• Necessary for widespread electronic commerce

• No absolute definition or standard


Certificate Authority

• A system of digital certificates and other registration authorities

• Verifies and authenticates the validity of parties in Internet transactions

• Trusted, third-party organization• Guarantees that the individual granted the

certificate is who he / she claims to be• Usually has arrangement with a financial

institution to confirm identity• Critical to data security and electronic commerce


Digital Signature

• Used like a written signature

• Binds a message to an individual

• Provides non-repudiation

• Easy with public key encryption

• Also known as a Message Authentication Code


Digital Signature

• S is sender, R is recipient, and M is the message

• R must be able to validate S's signature on M• No one can forge S's signature• If S denies signing M, a third party must be able

to resolve the dispute between S and R• Alternative

– Compute a digest of message using a public hash function

– Encrypt digest using private key– The only cipher text is the hash


Hash Function

• Hash function produces a message digest• Message digest is also known as a

fingerprint or imprint• Two messages with the same digest are

extremely unlikely– Neither signer nor recipient can claim a

different message was signed

• Birthday attack: Collision. Two messages generate the same MAC


Digital Signature Standard (DSS)

• Uses secure hash algorithm

• Condenses message to 160 bits

• Key size 512-1024 bits

• Proposed by NIST in 1991


Hashing Algorithms

• MD2

• MD4

• MD5

• SHA – HAVAL


Message Authentication Code

• MAC – General term used to describe digital

signature


Cryptographic Attacks


Cryptanalysis Terms

• Cipher text-only attack - Attacker attempts to decrypt cipher text

• Known-plain text attack - Attacker attempts to decrypt cipher text given knowledge of some plain text


Cryptanalysis Terms

• Chosen-plain text attack - Attacker obtains cipher text corresponding to selected plain text

• Chosen-cipher text attack - Attacker obtains plain text corresponding to selected cipher text (in a public key system, when trying to deduce private key)


Attacks

• Brute force attack– Attempts to use all keys

• Expensive • Time consuming

• However, processing speed doubles every 18 months

• Clustered workstations


Attacks

• Analytic– Uses algorithm and algebraic manipulation to

reduce complexity

• Implementation– Microsoft – PPP – passwords in clear text– Netscape - Poorly randomized keys

• Statistical– Uses statistical weaknesses in design– Certain amount of 0s and 1s in a stream.


Attacks Methods

• Cipher text attacks

• Known plain text attacks

• Chosen plain text attacks

• Man-in-the-middle attacks

• Dictionary attacks

• Replay attacks

• Side channel attacks

Documents

Cryptography