Mississippi State University Center for Cyber Innovation

J. A. “Drew” Hamilton, Jr., Ph.D.
Director, Center for Cyber Innovation
Professor, Computer Science & Engineering

CCI Post Office Box 9627, Mississippi State, MS 39762
Voice: (662) 325-2294 Fax: (662) 325-7692

J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State University
web.cse.msstate.edu/~hamilton/P3I/CEH/lessons/10_Cryptography.pdf


Section Objectives

•  Describe cryptography and encryption techniques
•  Define cryptographic algorithms
•  Describe public and private key generation concepts
•  Describe digital signature components and usage
•  Describe cryptanalysis and code-breaking tools and methodologies
•  List cryptography attacks

Cryptography

Dr. Drew Hamilton, Dr. John Copeland, Dr. Henric Johnson

Cryptographic Shortfalls - Enigma

•  The machine has several variable settings that affect the operation of the machine. The user must select three rotors from a set of rotors to be used in the machine. A rotor contains one-to-one mappings of all the letters. Some Enigma machines had more than 3 rotors which just added to the number of possible encryption combinations. The other variable element in the machine is the plug board. The plug board allowed for pairs of letters to be remapped before the encryption process started and after it ended.

http://www.ugrad.cs.jhu.edu/~russell/classes/enigma/

More on Enigma

•  When a key is pressed, an electrical current is sent through the machine. The current first passes through the plug board, then through the three rotors, through the reflector which reverses the current, back through the three rotors, back through the plug board and then the encrypted letter is lit on the display. After the display is lit up, the rotors rotate. The rotors rotate like an odometer: the rightmost rotor must complete one revolution before the middle rotor rotates one position, and so on.

•  As the current passes through each component in the Enigma machine, the letter gets remapped to another letter. The plug board performs the first remapping. If there is a connection between two letters, the letters are remapped to each other. For example, if there is a connection between "A" and "F", "A" would get remapped to "F" and "F" would get remapped to "A". If there isn't a connection for a particular letter, the letter doesn’t get remapped. After the plug board, the letters are remapped through the rotors. Each rotor contains one-to-one mappings of letters but since the rotors rotate on each key press, the mappings of the rotors change on every key press. Once the current passes through the rotors, it goes into the reflector. The reflector is very similar to a rotor except that it doesn't rotate so the one-to-one mappings are always the same. The whole encryption process for a single letter contains a minimum of 7 remappings (the current passes through the rotors twice) and a maximum of 9 remappings (if the letter has a connection in the plug board).

•  In order to decrypt a message, the receiver must have the encrypted message, and know which rotors were used, the connections on the plug board and the initial settings of the rotors. To decrypt a message, the receiver would set up the machine identically to the way the sender initially had it and would type in the encrypted message. The output of typing in the encrypted message would be the original message. Without the knowledge of the state of the machine when the original message was typed in, it is extremely difficult to decode a message.

The Venona Intercepts

•  The U.S. Army’s Signal Intelligence Service, the precursor to the National Security Agency, began a secret program in February 1943 later codenamed VENONA. The mission of this small program was to examine and exploit Soviet diplomatic communications but after the program began, the message traffic included espionage efforts as well.

•  Although it took almost two years before American cryptologists were able to break the KGB encryption, the information gained through these transactions provided U.S. leadership insight into Soviet intentions and treasonous activities of government employees until the program was canceled in 1980.

•  The VENONA files are most famous for exposing Julius (code named LIBERAL) and Ethel Rosenberg and helped give indisputable evidence of their involvement with the Soviet spy ring.

•  The first of six public releases of translated VENONA messages was made in July 1995 and included 49 messages about Soviet efforts to gain information on the U.S. atomic bomb research and the Manhattan Project. Over the course of five more releases, all of the approximately 3,000 VENONA translations were made public.

http://www.nsa.gov/venona

USS Pueblo - Crypto Compromise

John Walker & the USS Pueblo

•  The KW-37, code named JASON, was an encryption system developed in the 1950s by the U.S. National Security Agency to protect fleet broadcasts of the U.S. Navy.

•  KWR-37s fell into North Korean hands when the USS Pueblo was captured in 1968. New keying material was issued to ships throughout the world to limit the ongoing damage. In 1985 it was revealed that the Walker spy ring had been selling key lists and cards to the Soviet Union for decades. KW-37 systems were taken out of service by the early 1990s.

•  John Walker’s last “drop” to the KGB pictured below. The KGB attempted to pay Walker $200,000.00 for that drop.

What is Cryptography?

•  No crypto is unbreakable
•  Brute force always works

plaintext (data file or message) → encryption → ciphertext (stored or transmitted safely) → decryption → plaintext (original data or message)

Term Definitions

•  Cryptographers - Invent cryptographic algorithms (secret codes).

•  Cryptanalysts - Find ways to break codes.

•  Decipher a message - find the plaintext without being given the key or secret algorithm.

•  Code Breaking - finding a systematic way to decipher ciphertext created using the code with affordable resources.

Circular or Caesar Cipher

•  This code is easily broken when the plaintext is English (the value of n is obvious from viewing the ciphertext only).

•  Even if the substitution string is "scrambled," known redundancies in English show up in the ciphertext ("e" is 2nd most common, "i" is third, "th" is most common diad, ...).

•  AVOID double-rot 13 encryption.

In:  ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_
Out: DEFGHIJKLMNOPQRSTUVWXYZ1234567890_ABC

The quick red fox jumped over the lazy brown dog
WKHCTXLFNCUHGCIR1CMXPSHGCRYHUCWKHCOD32CEURZQCGRJ
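The slide's cipher can be reproduced exactly, and its shift n recovered from the ciphertext alone. The following is an added example, not code from the original slides; the function names are illustrative, and the recovery step assumes the word separator "_" is the most frequent plaintext symbol.

```python
from collections import Counter

# Alphabet taken from the slide's "In:" row: 37 symbols, "_" stands for a space.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_"
M = len(ALPHABET)

# Ciphertext shown on the slide (shift n = 3).
SLIDE_CIPHERTEXT = "WKHCTXLFNCUHGCIR1CMXPSHGCRYHUCWKHCOD32CEURZQCGRJ"


def normalize(text):
    """Upper-case the text and map spaces to '_' so every symbol is in ALPHABET."""
    return text.upper().replace(" ", "_")


def shift(text, n):
    """Rotate every symbol n places through ALPHABET (a negative n undoes it)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + n) % M] for c in text)


def encrypt(plaintext, n):
    return shift(normalize(plaintext), n)


def decrypt(ciphertext, n):
    return shift(ciphertext, -n).replace("_", " ")


def recover_shift(ciphertext):
    """Recover n without the key.

    Assumption: the most frequent ciphertext symbol is the encrypted word
    separator '_', because spaces outnumber any single letter in English.
    """
    most_common = Counter(ciphertext).most_common(1)[0][0]
    return (ALPHABET.index(most_common) - ALPHABET.index("_")) % M


def candidates(ciphertext):
    """The whole key space: only 37 possible shifts, so all can be listed."""
    return {n: decrypt(ciphertext, n) for n in range(M)}


if __name__ == "__main__":
    n = recover_shift(SLIDE_CIPHERTEXT)
    print("recovered n =", n)
    print(decrypt(SLIDE_CIPHERTEXT, n))
```

The frequency guess works here because the ciphertext symbol "C" appears nine times, once for every space in the plaintext.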

Factoring Primes

•  Key Generation/Public Key Systems
•  Factoring means finding a number’s prime factors
    –  Product of 2 primes – 5 * 7 = 35
    –  35 factors into 5 * 7.
    –  10 = 2 * 5
    –  60 = 2 * 5 * 2 * 3
•  Keep this in mind for our discussion of public key systems.

Notes from Dr. John Copeland, GTech

•  Cryptographic algorithms are probably reliable if they are not broken after many bright cryptanalysts try.
    –  This implies that such algorithms should be published.

•  Keeping a cryptographic algorithm secret makes deciphering messages much harder, but since the algorithm's code must be at every location that uses it, this is usually impossible.

•  Exceptions - where one organization implements a proprietary algorithm in an integrated circuit that is designed to foil reverse engineering.

•  Examples: Clipper, Smart Cards, CATV Boxes.

Key Length & Strength of Encryption

•  Variables for graph:
    –  Computing power of attacking machine
    –  Time required to engage 1 password try.

Cryptographic Categories

•  Secret Key (also "Conventional" or "Symmetric")
    –  Identical keys used to encrypt and decrypt data
    –  Ciphertext is same length as plaintext (+ padding)
    –  Used for transmission and storage for privacy
    –  Can be used for authentication
    –  Message integrity check (MIC) (receiver can generate)

•  Public Key Cryptography ("PKI", "Public-Private", "Asymmetric")
    –  Invented in 1975 ("Knapsack" broken, then "RSA")
    –  Public Key can be used by anyone to send a message
    –  Private Key can be used for a "Digital Signature"

•  Hash Algorithms ("Message Digest" or "1-Way Transform")
    –  Password hashing

Snake-Oil Cryptography (Matt Curtin)

•  Check out: http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

•  “Trust Us, We Know What We're Doing”
•  Techno-babble
•  Secret Algorithms
•  Revolutionary Breakthroughs
•  Experienced Security Experts, Rave Reviews, and Other Useless Certificates
•  Unbreakability
•  One-Time-Pads
•  Algorithm or product X is insecure
•  Recoverable Keys
•  Exportable from the USA
•  “Military Grade”

One-Time Pads and “Venona”

•  One-time pad: a randomly-generated, non-repeating key (length of the key at least equal to length of the message) is used only once.
    –  Perfect secrecy is achieved only with a perfect RNG.
    –  Quantum events, such as those measured by a geiger counter, are believed to be the only source of truly random information.

•  VENONA was the codename used for the U.S. Signals Intelligence effort to collect and decrypt the text of Soviet KGB and GRU messages from the 1940's.

•  The Soviet traffic that was ultimately read under the VENONA project spanned the years 1942-46; efforts to exploit it continued for decades.

–  This was due to the agonizingly slow and difficult process in which sometimes only one or two words at a time were wrenched grudgingly from the code

•  Soviet codebooks during the years in which the main analytic breakthroughs were made (through 1952).

–  It was not until 1953 that a photocopy of a partially burned codebook (recovered by U.S. Military Intelligence in 1945) was discovered to be related to the VENONA cryptographic systems after another cryptanalytic breakthrough.

•  These messages provided extraordinary insight into Soviet attempts to infiltrate the highest levels of the United States Government.

http://www.nsa.gov/docs/venona

Conventional Encryption Principles

•  An encryption scheme has five ingredients:
    –  Plaintext
    –  Encryption algorithm
    –  Secret Key
    –  Ciphertext
    –  Decryption algorithm

•  Security depends on the secrecy of the key, not the secrecy of the algorithm

XOR (exclusive or)

•  Base 2
•  2 inputs, one output

Block Ciphers versus Stream Ciphers

•  A stream cipher is transmitted bit by bit.
•  Block ciphers are transmitted in standard-size blocks based on a power of 2.
    –  64 bit, 128 bit and 256 bit ar

Conventional Encryption Principles

Simplified Model of Conventional Encryption -- Stallings

Cryptography

•  Classified along three independent dimensions:
    –  The type of operations used for transforming plaintext to ciphertext
    –  The number of keys used
        •  symmetric (single key)
        •  asymmetric (two-keys, or public-key encryption)
    –  The way in which the plaintext is processed

Average time required for exhaustive key search

Key Size (bits) | Number of Alternative Keys | Time required at 10^6 decryptions/µs
32              | 2^32 = 4.3 x 10^9          | 2.15 milliseconds
56              | 2^56 = 7.2 x 10^16         | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^18 years
168             | 2^168 = 3.7 x 10^50        | 5.9 x 10^30 years

Feistel Cipher Structure

•  Virtually all conventional block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973.

•  The realization of a Feistel Network depends on the choice of the following parameters and design features (see next slide):

•  Choice of permutation classifies algorithms of this class.

Feistel Cipher Structure

•  Block size: larger block sizes mean greater security
•  Key Size: larger key size means greater security
•  Number of rounds: multiple rounds offer increasing security
•  Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.
•  Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern

Classical Feistel Network -- Stallings

Inputs to the encryption algorithm: a plaintext block of 2w bits and a key K

Plaintext block is divided into two halves: L_0 and R_0

The 2 halves pass through n rounds of processing & combine to form the ciphertext block

Each round i has as inputs L_{i-1} & R_{i-1}, derived from the previous round, as well as subkey K_i, derived from the overall K.

All rounds have same structure

A substitution is performed on the left half of the data by applying a round function F to the right half of the data and then taking the XOR of the output of F and the left half of the data.

The round function F is parameterized by the round subkey K_i

Then a permutation is performed that consists of the interchange of the 2 halves

Conventional Encryption Algorithms

•  Data Encryption Standard (DES)
    –  The most widely used encryption scheme
    –  The algorithm referred to is the Data Encryption Algorithm (DEA)
    –  DES is a block cipher
    –  The plaintext is processed in 64-bit blocks
    –  The key is 56-bits in length

•  A note from Stallings on DEA, DES, TDEA and 3DES: The terminology is a bit confusing. Until recently, the terms DES and DEA could be used interchangeably. However, the most recent edition of the DES document includes a specification of the DEA described here plus the triple DEA (TDEA). Both DEA and TDEA are part of the data encryption standard. Further, until the recent adoption of the official term TDEA, the triple DEA algorithm was typically referred to as triple DES and written as 3DES.

General Depiction of DES Encryption Algorithm -- Stallings

Longer plaintext processed in 64-bit blocks

3 phase processing for left side:
1. initial permutation that rearranges the bits
2. 16 iterations of the same function; the output of the 16th iteration consists of 64 bits that are a function of the input plaintext and the key.
3. Both halves are swapped to produce the pre-output

Finally, the pre-output is passed through a permutation (IP^-1) that is the inverse of the initial permutation to produce the 64-bit ciphertext.

Single Round of DES Algorithm -- Stallings

56 bit key used to produce 48 bit output

S-box maps 48 bit input into 32 bit pattern

DES

•  The overall processing at each iteration:
    –  L_i = R_{i-1}
    –  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
•  Concerns about:
    –  The algorithm and the key length (56-bits)
        •  No PUBLISHED weaknesses found in the algorithm
        •  1998 – DES cracker machine built
            –  cost = $250,000
            –  attack length = 3 days

Time to break a code (10^6 decryptions/µs)

Triple DEA

•  Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)
    –  decrypt stage only for legacy DES decryption
•  C = ciphertext
•  P = Plaintext
•  E_K[X] = encryption of X using key K
•  D_K[Y] = decryption of Y using key K
•  Effective key length of 168 bits
•  RFC 3217

C = E_K3[D_K2[E_K1[P]]]

Other Symmetric Block Ciphers

•  International Data Encryption Algorithm (IDEA)
    –  128-bit key
    –  For the round function uses XOR, addition of 16-bit integers and binary multiplication of 16-bit integers.
        •  These functions are combined in such a way as to produce a complex transformation that is very difficult to analyze and hence very difficult to cryptanalyze.
    –  Subkey generation algorithm relies solely on circular shifts in a complex way in order to generate six subkeys for each of the eight rounds of IDEA.

•  Blowfish
    –  Easy to implement
        •  High execution speed
        •  Run in less than 5K of memory
    –  Uses dynamic S-boxes
    –  Subkeys and S-boxes produced by repeated application of the Blowfish algorithm to the key
    –  A total of 521 executions of the Blowfish algorithm are required to produce subkeys and S-boxes.
        •  not suitable for applications where secret key frequently changes

Other Symmetric Block Ciphers (RC-5)

•  RC5 (defined in RFC 2040)
    –  Suitable for hardware and software
        •  uses only computational primitives
    –  Fast, simple
        •  works on full data words
    –  Adaptable to processors of different word lengths
        •  # of bits in a word is a parameter of RC5 – different lengths result in different implementations
    –  Variable number of rounds
        •  also a parameter, allow for trade-offs between speed and security
    –  Variable-length key
    –  Low memory requirement
        •  smart cards and other restricted memory media
    –  High security (with appropriate parameters)
    –  Data-dependent rotations
        •  Circular bit shifts whose amount is data dependent. This appears to strengthen the algorithm

CAST-128

•  CAST-128 (defined in RFC 2144)
    –  Key size from 40 to 128 bits (8 bit increments)
    –  The round function differs from round to round
    –  Uses fixed S-boxes
        •  longer than those in DES
        •  nonlinear and believed further resistant to cryptanalysis
    –  S-boxes used to generate sub-keys

Conventional Encryption Algorithms

Algorithm  | Key Size        | Number of Rounds | Mathematical Operations                   | Applications
DES        | 56 Bits         | 16               | XOR, fixed S-boxes                        | SET, Kerberos
Triple DES | 112 or 168 Bits | 48               | XOR, fixed S-boxes                        | Financial Key, PGP, S/MIME
IDEA       | 126             | 16               | XOR, variable S boxes, add                |
Blowfish   | 40 - 448        | 16               | Add. Sub. XOR, rotation                   |
CAST-128   | 40 to 128 bits  | 16               | Add. Sub. XOR, rotation, fixed S-boxes    | PGP

Cipher Block Modes of Operation

•  Cipher Block Chaining Mode (CBC)
    –  The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
    –  Repeating patterns of 64 bits are not exposed

The equations below verify the following illustration:

C_i = E_K[C_{i-1} ⊕ P_i]
D_K[C_i] = D_K[E_K(C_{i-1} ⊕ P_i)]
D_K[C_i] = (C_{i-1} ⊕ P_i)
C_{i-1} ⊕ D_K[C_i] = C_{i-1} ⊕ C_{i-1} ⊕ P_i = P_i

Cipher Block Chaining Mode -- Stallings

IV = initialization vector
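The Feistel round structure and the CBC equations above can be exercised together. The following is an added example, not code from the slides or from Stallings: it is a toy 64-bit Feistel cipher whose round function F and subkey schedule are built from SHA-256 purely as an assumption for illustration (this is not DES), with the key, IV and plaintext constructed for the demonstration.

```python
import hashlib

BLOCK = 8      # 64-bit block: 2w bits with w = 32
ROUNDS = 16    # same round count as DES; everything else here is a toy

# Constructed sample values. A real IV must be unpredictable; this one is fixed for repeatability.
KEY = b"constructed-demo-key"
IV = bytes(range(8))
PLAINTEXT = b"SAMEDATA" * 4   # four identical 64-bit plaintext blocks


def subkeys(key):
    """Toy subkey schedule (assumption): K_i = first 8 bytes of SHA-256(K || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def F(right, subkey):
    """Toy round function (assumption). It is not invertible, and need not be."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, round_keys):
    """n rounds of L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i), then a final swap."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in round_keys:
        left, right = right, left ^ F(right, k)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    # Decryption is the same network with the subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext, key):
    """Each block encrypted independently, for comparison with CBC."""
    return b"".join(encrypt_block(p, key) for p in blocks(plaintext))


def cbc_encrypt(plaintext, key, iv):
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = encrypt_block(xor(prev, p), key)       # C_i = E_K[C_{i-1} XOR P_i]
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(prev, decrypt_block(c, key)))  # P_i = C_{i-1} XOR D_K[C_i]
        prev = c
    return b"".join(out)


def distinct_blocks(ciphertext):
    return len(set(blocks(ciphertext)))


if __name__ == "__main__":
    print("ECB distinct ciphertext blocks:", distinct_blocks(ecb_encrypt(PLAINTEXT, KEY)))
    print("CBC distinct ciphertext blocks:", distinct_blocks(cbc_encrypt(PLAINTEXT, KEY, IV)))
    print("CBC round trip ok:", cbc_decrypt(cbc_encrypt(PLAINTEXT, KEY, IV), KEY, IV) == PLAINTEXT)
```

Encrypting the four identical plaintext blocks independently yields one repeated ciphertext block, while chaining yields four different ones, which is the "repeating patterns are not exposed" property.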

Location of Encryption Device

•  Link encryption:
    –  A lot of encryption devices
    –  High level of security
    –  Decrypt each packet at every switch
•  End-to-end encryption
    –  The source encrypts and the receiver decrypts
    –  Payload encrypted
    –  Header in the clear
•  High Security: Both link and end-to-end encryption are needed

Encryption Across a Packet-Switching Network -- Stallings

Key Distribution

1.  A key could be selected by A and physically delivered to B.

2.  A third party could select the key and physically deliver it to A and B.

3.  If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.

4.  If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

Key Distribution

•  Session key:
    –  Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
•  Permanent key:
    –  Used between entities for the purpose of distributing session keys

Automatic Key Distribution for Connection-Oriented Protocol -- Stallings

Authentication

•  Requirements - must be able to verify that:
    1. Message came from apparent source or author,
    2. Contents have not been altered,
    3. Sometimes, it was sent at a certain time or sequence.
•  Protection against active attack (falsification of data and transactions)

Approaches to Message Authentication

•  Authentication Using Conventional Encryption
    –  Only the sender and receiver should share a key
•  Message Authentication without Message Encryption
    –  An authentication tag is generated and appended to each message
•  Message Authentication Code
    –  Calculate the MAC as a function of the message and the key. MAC = F(K, M)

Cryptographic Hash

•  Producing hash values for accessing data or for security.
•  A hash value (or simply hash) is a number generated from a string of text.
    –  The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
•  Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with.
    –  The sender generates a hash of the message, encrypts it, and sends it with the message itself.
    –  The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes.
    –  If they're the same, there is a very high probability that the message was transmitted intact.

Trivial Hashing Example

•  Hashing is also a common method of accessing data records. Consider, for example, a list of names:
    –  John Smith
    –  Sarah Jones
    –  Roger Adams
•  To create an index, called a hash table, for these records, you would apply a formula to each name to produce a unique numeric value. So you might get something like:
    –  1345873 John Smith
    –  3097905 Sarah Jones
    –  4060964 Roger Adams
•  Then to search for the record containing Sarah Jones, you just need to reapply the formula, which directly yields the index key to the record.
•  This is much more efficient than searching through all the records till the matching record is found.

One-way HASH function


One-way HASH function

•  Secret value is added before the hash and removed before transmission.

Secure HASH Functions

•  Purpose of the HASH function is to produce a “fingerprint.”

•  Properties of a HASH function H:
    1.  H can be applied to a block of data at any size
    2.  H produces a fixed length output
    3.  H(x) is easy to compute for any given x.
    4.  For any given value h, it is computationally infeasible to find x such that H(x) = h
    5.  For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
    6.  It is computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Hash Functions – MD5

•  MD5 (Message Digest algorithm)
    –  Produces a 128-bit hash value output, expressed as a 32-digit hexadecimal.
    –  MD5 was originally popular for ensuring file integrity.
    –  Algorithmic flaws render MD5 obsolete (U.S. CERT, August 2010).
    –  However MD5 is still used for file verification on downloads and, in many cases, to store passwords.

Hash Functions – SHA Family

•  SHA-1: Developed by the NSA.
    –  SHA-1 produces a 160-bit value output and was required by law for use in U.S. government applications.
    –  Flaws were found beginning in 2005 so USG is recommending the replacement of SHA-1 with SHA-2 after the year 2010 (see FIPS Pub 180-1)
•  SHA-2: This hash algorithm actually holds four separate hash functions that produce outputs of 224, 256, 384, and 512 bits.
    –  Although it was designed as a replacement for SHA-1, SHA-2 is still not as widely used.
•  SHA-3: This hash algorithm uses “sponge construction”
    –  data is “absorbed” into the sponge (by XOR-ing the initial bits of the state) and then “squeezed” out
    –  (output blocks are read and alternated with state transformations).

Hashed Passwords & Rainbow Tables

•  Ready-to-use Free Software
•  Phillippe Oechslin – Rainbow Tables
    –  Dictionary of hashes
•  Easy and cheap to develop advanced capability.
•  Bootable live CDs/USB key – Local OS does not matter.
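Why a precomputed "dictionary of hashes" works against unsalted password hashes, and why a per-user salt with a slow key-derivation function defeats it, can be shown in a few lines. This is an added example, not part of the original slides: it uses a plain lookup table (a real rainbow table compresses the same idea with hash chains), and the word list, function names and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a large precomputed dictionary.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]


def md5_hex(password):
    """Unsalted MD5, the weak storage scheme the MD5 slide says is still in use."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> password once; it then applies to every unsalted database."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(table, stored_hash):
    """Return the password for a stored hash if it was precomputed, else None."""
    return table.get(stored_hash)


def store_salted(password, salt=None, iterations=100_000):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    # Two users with the same password share one unsalted hash, and the table reverses it.
    print("unsalted lookup:", reverse_lookup(table, md5_hex("dragon")))
    # With salts the two records differ, so one precomputed table cannot cover them.
    alice, bob = store_salted("dragon"), store_salted("dragon")
    print("salted records equal:", alice[2] == bob[2])
    print("salted lookup:", reverse_lookup(table, alice[2].hex()))
    print("verify:", verify_salted("dragon", alice))
```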

Some Asymmetric Crypto Algorithms

•  Diffie-Hellman (DH)
    –  Developed for use as a key exchange protocol, Diffie-Hellman is used in Secure Sockets Layer (SSL) and IPSec encryption.
    –  DH vulnerable to man-in-the-middle attacks, however, if digital signatures not used.
•  Elliptic Curve Cryptosystem (ECC)
    –  This uses points on an elliptical curve in conjunction with logarithmic problems, for encryption and signatures.
    –  It uses less processing power than other methods, making it a good choice for mobile devices.

More Asymmetric Crypto Algorithms

•  El Gamal
    –  Not based on prime number factoring,
    –  Uses the solving of discrete logarithm problems for encryption and digital signatures.
•  RSA
    –  Achieves strong encryption through the use of two large prime numbers.
    –  Factoring these numbers creates key sizes up to 4096 bits.
    –  RSA can be used for encryption and digital signatures and is the modern de facto standard.
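The link between the earlier "Factoring Primes" slide and RSA is that anyone who can factor the public modulus can rebuild the private key. The following added example, not from the original slides, shows this with textbook RSA on deliberately tiny primes (p = 61, q = 53, e = 17, all chosen here for illustration); it has no padding and is for study only.

```python
import hashlib
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e*d = 1 mod phi
    return (n, e), (n, d)        # (public key, private key)


def apply_key(value, key):
    """The RSA operation: value^exponent mod n, for either key."""
    n, exponent = key
    return pow(value, exponent, n)


def digest_mod_n(message, n):
    """Toy digest reduced into the modulus range (real schemes use padding instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Digital signature: the private key is applied to the message hash."""
    return apply_key(digest_mod_n(message, private[0]), private)


def verify(message, signature, public):
    return apply_key(signature, public) == digest_mod_n(message, public[0])


def factor(n):
    """Trial division: instant for a toy modulus, infeasible for a 2048-bit one."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n has no non-trivial factors")


def recover_private_key(public):
    """Rebuild the private key from the public key alone by factoring n."""
    n, e = public
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    ciphertext = apply_key(65, public)
    print("n, e =", public, " ciphertext of 65 =", ciphertext)
    print("decrypted =", apply_key(ciphertext, private))
    print("private key recovered by factoring:", recover_private_key(public) == private)
    print("signature verifies:", verify(b"order #1", sign(b"order #1", private), public))
```

The same recovery against a real key fails only because of the size of n, which is why key length and the primes' secrecy carry all of RSA's security.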

Public-Key Cryptography Principles

•  The use of two keys has consequences in: key distribution, confidentiality and authentication.

•  The scheme has six ingredients
    –  Plaintext
    –  Encryption algorithm
    –  Public key
    –  Private key
    –  Ciphertext
    –  Decryption algorithm

PGP

•  Freeware available from MIT (version 8) and Network Associates (version 8).

•  Source code publicly available.

•  PGP versions have been publicly available and tested since 1991.

•  However, as with most reported results, insufficient information is provided to replicate the tests.

PGP Sender

[Diagram: PGP sender data flow]
•  Session Key Generation: Random Number Generator produces SK
•  Compression (Huffman): M → Comp(M)
•  Symmetric Encryption (IDEA - 128, CAST - 128, 3DES - 112; one algorithm used) with SK: SK(Comp(M))
•  Asymmetric Encryption (RSA) with PKB: PKB(SK)
•  Digital Signature: Hash (MD5) of M gives Hash(M); Asymmetric Encryption (RSA) with SKA gives SKA(Hash(M))
•  File containing: PKB(SK) and SK(Comp(M)) and SKA(Hash(M))

PGP Receiver

[Diagram: PGP receiver data flow]
•  File containing: PKB(SK) and SK(Comp(M)) and SKA(Hash(M))
•  Asymmetric Decryption (RSA) with SKB: PKB(SK) → SK
•  Symmetric Decryption (IDEA - 128, CAST - 128, 3DES - 112) with SK: SK(Comp(M)) → Comp(M)
•  Decompression (Huffman): Comp(M) → M
•  Signature Verification: Asymmetric Decryption (RSA) with PKA of SKA(Hash(M)) gives Hash(M); Hash (MD5) of M gives Hash(M); Comparison of the two

Endpoint Concerns

•  Physical Security
•  Tempest
•  Compromise (pass phrase, Session Keys, secret keys)
•  Public Key Tampering
•  Viruses or Trojan Horses (PGP)
•  Social Engineering
•  Audio/Video Surveillance
•  Key Management

General Session Key Issues

•  Compromise of Keys (Stolen Keys)
•  Destroying keys
•  Seed Attacks
    –  Seed stored on hard drive
    –  Not truly random
        •  short period
        •  deterministic
    –  Tested version of PGP:
        •  changes seed for each session
        •  new seed created from old seed and monitored keyboard activity

Encryption Attacks

•  Symmetric Encryption
    –  Brute force
    –  Flaw in implementation
•  Asymmetric Encryption
    –  Brute force
    –  Factoring (RSA)
    –  Flaw in implementation

Steganography

•  Steganography means “to hide in plain sight” and is derived from the Greek term for covered writing. – Kruse & Heiser, 2004

•  Automated steganographic tools exist for images, sound files, video, MP3s, documents, and other forms of transport.

[Figure: 1.4MB Source + 400KB Message = 1.4MB Composite]

X.509: PKI for Certificates

•  An International Telecommunications Union (ITU) recommendation (versus “standard”) for allowing computer hosts or users to securely identify themselves over a network.

•  An X.509 certificate purchased from a “Certificate Authority” (trusted third party) allows a merchant to give you his public key in a way that your Browser can generate a session key for a transaction, and securely send that to the merchant for use during the transaction (padlock icon on screen closes to indicate transmissions are encrypted).

X.509 for Commerce

•  Once a session key is established, no one can hijack the session
    –  (for example, after you enter your credit card information, an intruder cannot change the order and delivery address).

•  User only needs a Browser that can encrypt/decrypt with the appropriate algorithm, and generate session keys from strong random number generator.

•  Merchant’s Certificate is available to the public, only the secret key must be protected. Certificates can be cancelled if secret key is compromised.

Certificate Authority generates the “signature” that is added to raw “Certificate”

[Diagram: Raw Cert. → Hash → MIC → Signed Cert.]
•  Raw “Certificate” has user name, public key, expiration date, ...
•  Generate hash code of Raw Certificate
•  Encrypt hash code with CA’s private key to form CA’s signature
•  Signed Certificate: Recipient can verify signature using CA’s public key.

Encrypted Communications - SSH

•  Secure Shell (SSH)
    –  a secured version of Telnet.
    –  SSH uses TCP port 22, by default, and relies on public key cryptography for its encryption.
    –  Originally designed for remote sessions into Unix machines for command execution, it can be used as a tunneling protocol.
    –  SSH2 is the successor to SSH.
    –  It’s more secure, efficient, and portable, and it includes a built-in encrypted version of FTP (SFTP).

Encrypted Communications - SSL

•  Secure Sockets Layer (SSL) encrypts data at the transport layer, and above, for secure communication across the Internet.
•  It uses RSA encryption and digital certificates and can be used with a wide variety of upper-layer protocols.
•  SSL uses a six-step process for securing a channel, as shown in Figure 10-3.
•  It is being largely replaced by Transport Layer Security (TLS).

Encrypted Communications - TLS

•  Transport Layer Security (TLS) uses an RSA algorithm of 1024 and 2048 bits.
•  TLS is the successor to SSL.
•  The handshake portion (TLS Handshake Protocol) allows both the client and the server to authenticate to each other.
•  The TLS Record Protocol provides the secured communication channel.

Types of Encryption Attacks

•  Brute Force
•  Flaw in implementation
•  Endpoint security flaws
•  Social engineering
•  Malware

Conclusions

•  Usability versus strength of encryption
•  Strength of encryption varies inversely with time to crack
•  Certificates are a variation of public private key systems where the certificate holder presents their private key to authenticate their identity to a certificate authority holding the public key.

Summary – Section Objectives

•  Describe cryptography and encryption techniques
•  Define cryptographic algorithms
•  Describe public and private key generation concepts
•  Describe digital signature components and usage
•  Describe cryptanalysis and code-breaking tools and methodologies
•  List cryptography attacks