Information Security&
Cryptographic Principles
Infosec and Cryptography
Subjects / Topics :
1. Introduction to computer cryptography 2. Single key cryptographic algorithms 3. Public key cryptographic algorithms 4. Crypto Applications 5. Business Continuity
Intranet
Extranet
InternetAliceBob
There are Confidence and Trust Issues …
Basic Problem
Multiple Security Issues
Privacy
Integrity
Authentication
Non-repudiation
Not sent not received
Interception Spoofing
Modification Proof of parties involved
Claims
Information Security
Integrity Availability
Confidentiality
Security Services
IntegrityInformation has not been altered
ConfidentialityContent hidden during transport
AuthenticationIdentity of originator confirmed
Non-RepudiationOriginator cannot repudiate transaction
Some confidential text (message) in clear (readable) form
Data Confidentiality
Some confidential text (message) in clear (readable) form
Someconfid entialtext essage) in clear
E n c r y p t i o n E n c r y p t i o n
Cryptography
Some confidential text (message) in clear (readable) form
D e c r y p t i o n D e c r y p t i o n
Someconfid entialtext essage) in clear
Cryptography
Some confidential text (message) in clear (readable) form
SomeconfiEntialteessage)in clear
Crypto Transformations
Some confidential text (message) in clear (readable) form
Crypto Transformations
SomeconfiEntialteessage)in clear
Some confidential text (message) in clear (readable) form
Crypto key
Parameterization
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
Someconfid entialtext essage) in clear
SomeconfiEntialteessage)in clear
Infosec and Cryptography
Subjects / Topics :
1. Introduction to computer cryptography 2. Single key cryptographic algorithms 3. Public key cryptographic algorithms 4. Crypto Applications 5. Business Continuity
Some confidential text (message) in clear (readable) form
SomeconfidEntialtext essage) in clear
E n c r y p t i o n E n c r y p t i o n
D e c r y p t i o n D e c r y p t i o n
Crypto key
Single Key Crypto
How to design good cryptographic systems ?
What does it mean good crypto system ?
Design . . . ?
1. Simple for users 2. Complicated for intruders 3. Public algorithm 4. Secret key 5. Large number of combinations 6. Special properties
Principles
1. AES 2. IDEA 3. Triple - DES 4. RC-2 5. RC-4 6. Blowfish
Other Symmetric Algorithms
Infosec and Cryptography
Subjects / Topics :
1. Introduction to computer cryptography 2. Single key cryptographic algorithms 3. Public key cryptographic algorithms 4. Crypto Applications 5. Business Continuity
Some confidential text (message) in clear (readable) form
Someconfi entialtext essage) in clear
E n c r y p t i o n E n c r y p t i o n
D e c r y p t i o n D e c r y p t i o n
Crypto key
Secret Key Systems
?
Key Exchange
Public Key Cryptography
Some confidential text (message) in clear (readable) form
EncryptionEncryption
Key 1
Key 2Someconfi entialtext essage) in clear
DecryptionDecryption
Public Key Cryptography
MSG EncryptionEncryption
Bob Public
Bob
tia DecryptionDecryption MSG
Alice
Alice Public
Bob Private Alice Private
Digital Signature … Authentication … Non-Repudiation
Public Key Cryptography
MSG EncryptionEncryption
Bob Public
Bob
tia DecryptionDecryption MSG
Alice
Alice Public
Bob Private Alice Private
Confidentiality
Symmetric: Faster than asymmetric, hard to break with large key, hard to distribute keys, too many keys required, cannot authenticate or provide non-repudiation.
Includes: DES, Triple DES, Blowfish, IDEA, RC4,
RC5, RC6, AES
Symmetric and Asymmetric Encryption
Asymmetric cryptography: Better at key distribution, better scalability for large systems, can provide authentication and non-repudiation, slow, math intensive
Includes: RSA, ECC, Diffie Hellman, El Gamal, DSA, Knapsack, PGP
Symmetric and Asymmetric Encryption
Infosec and Cryptography
Subjects / Topics :
1. Introduction to computer cryptography 2. Single key cryptographic algorithms 3. Public key cryptographic algorithms 4. Crypto Applications 5. Business Continuity
1. Digital signature
2. Digital enveloping
3. Digital certificates
4. Secret key exchange
Crypto Applications
A Digital Signature is a data item that vouches for the origin and the integrity of a Message
Intranet
ExtranetInternet
AliceBob
Digital Signature
Hash Function
Message
Signature
Private Key Encryption
Digest
Message
Decryption
Public Key
Expected
Digest
Actual
Digest
Hash Function
Signer ReceiverChannel
DigestAlgorithm Digest
Algorithm
Digital Signature
“Real Identity” of the Signer.
Why should I trust what the Sender claims to
be ?
Moving towards PKI …
Digital Signature
A Digital Certificate is a binding
between an entity’s Public Key
and one or more Attributes related to its Identity.
The entity can be a Person, an Hardware Component, a Service,
etc.
A Digital Certificate is issued (and signed) by someone :
Usually the issuer is a Trusted Third Party
Digital Certificate
CERTIFICATE
Issuer
Subject
Issuer Digital Signature
Subject Public Key
Digital Certificate
How are Digital Certificates Issued?
Who is issuing them?
Why should I Trust the Certificate Issuer?
How can I check if a Certificate is valid?
How can I revoke a Certificate?
Who is revoking Certificates?Moving towards PKI …
Digital Certificate
Infosec and Cryptography
Subjects / Topics :
1. Introduction to computer cryptography 2. Single key cryptographic algorithms 3. Public key cryptographic algorithms 4. Crypto Applications 5. Business Continuity
Business Continuity and Disaster Recovery
Businesses are more susceptible to failure after a disaster
Goal• To minimize disaster aftermath and ensure resources,
personnel, and business processes resume
By• Planning measures• Backing up data and hardware• Getting the right people in place
Requirements• Management support• Driving the project, top-down approach• Must understand value of investing in BCP
– Returns can be priceless
Business Continuity Steps
Steps• Develop the continuity planning policy statement• Conduct the business impact analysis (BIA)• Identify preventive controls• Develop recovery strategies• Develop the contingency plan• Test the plan and conduct training and exercises• Maintain the plan
Understanding the Organization
Business Continuity Plan
Business Impact AnalysisBIA
• Considered a functional analysis• Team collects data in variety of ways• Maps out following characteristics:
– Maximum tolerable downtime– Operational disruption and productivity– Financial considerations– Regulatory responsibilities– Reputation
• Understand the variety of possible threats• Must go through all possible scenarios
Questions