Transcript
Page 1: Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction

Information Security & Cryptographic Principles

Page 2: Infosec and Cryptography

Subjects / Topics :

1. Introduction to computer cryptography
2. Single key cryptographic algorithms
3. Public key cryptographic algorithms
4. Crypto Applications
5. Business Continuity

Page 3: Basic Problem

[Diagram: Alice and Bob communicating across Intranet, Extranet and Internet]

There are Confidence and Trust Issues …

Page 4: Multiple Security Issues

Privacy: Interception
Integrity: Modification
Authentication: Spoofing
Non-repudiation: Claims (not sent / not received); proof of parties involved

Page 5: Information Security

[Diagram: Confidentiality, Integrity, Availability]

Page 6: Security Services

Integrity: Information has not been altered
Confidentiality: Content hidden during transport
Authentication: Identity of originator confirmed
Non-Repudiation: Originator cannot repudiate transaction

Page 7: Data Confidentiality

Some confidential text (message) in clear (readable) form

Page 8: Cryptography

[Diagram: Encryption turns "Some confidential text (message) in clear (readable) form" into a scrambled, unreadable form]

Page 9: Cryptography

[Diagram: Decryption turns the scrambled form back into "Some confidential text (message) in clear (readable) form"]

Page 10: Crypto Transformations

[Diagram: the clear message and its transformed (scrambled) form]

Page 11: Crypto Transformations

[Diagram: the clear message and its transformed (scrambled) form]

Page 12: Crypto key / Parameterization

[Diagram: the transformation is parameterized by a crypto key; the same clear message yields a different scrambled form under each key]

Page 13: Infosec and Cryptography, Subjects / Topics (agenda slide, as on page 2)

Page 14: Single Key Crypto

[Diagram: the clear message is encrypted, and the scrambled form decrypted, with the same crypto key]

Page 15: Design . . . ?

How to design good cryptographic systems?

What does "good crypto system" mean?

Page 16: Principles

1. Simple for users
2. Complicated for intruders
3. Public algorithm
4. Secret key
5. Large number of combinations
6. Special properties

Page 17: Other Symmetric Algorithms

1. AES
2. IDEA
3. Triple-DES
4. RC-2
5. RC-4
6. Blowfish

Page 18: Infosec and Cryptography, Subjects / Topics (agenda slide, as on page 2)

Page 19: Secret Key Systems

[Diagram: the clear message is encrypted, and the scrambled form decrypted, with the same crypto key]

Page 20: Key Exchange

[Diagram: a "?" marks the open problem of exchanging the secret key between the parties]

Page 21: Public Key Cryptography

[Diagram: the clear message is encrypted with Key 1 and the scrambled form is decrypted with Key 2]

Page 22: Public Key Cryptography: Digital Signature … Authentication … Non-Repudiation

[Diagram: Alice and Bob each hold a Public and a Private key; MSG is encrypted on one side and decrypted on the other]

Page 23: Public Key Cryptography: Confidentiality

[Diagram: Alice and Bob each hold a Public and a Private key; MSG is encrypted on one side and decrypted on the other]

Page 24: Symmetric and Asymmetric Encryption

Symmetric: Faster than asymmetric, hard to break with large key, hard to distribute keys, too many keys required, cannot authenticate or provide non-repudiation.

Includes: DES, Triple DES, Blowfish, IDEA, RC4, RC5, RC6, AES

Page 25: Symmetric and Asymmetric Encryption

Asymmetric cryptography: Better at key distribution, better scalability for large systems, can provide authentication and non-repudiation, slow, math intensive.

Includes: RSA, ECC, Diffie Hellman, El Gamal, DSA, Knapsack, PGP

Page 26: Infosec and Cryptography, Subjects / Topics (agenda slide, as on page 2)

Page 27: Crypto Applications

1. Digital signature
2. Digital enveloping
3. Digital certificates
4. Secret key exchange

Page 28: Digital Signature

A Digital Signature is a data item that vouches for the origin and the integrity of a Message.

[Diagram: Alice and Bob communicating across Intranet, Extranet and Internet]

Page 29: Digital Signature

[Diagram, Signer side: Message -> Hash Function (Digest Algorithm) -> Digest -> Private Key Encryption -> Signature; the Message and the Signature travel over the Channel]

[Diagram, Receiver side: Signature -> Decryption with the Public Key -> Expected Digest; received Message -> Hash Function (Digest Algorithm) -> Actual Digest; the Expected and Actual Digests are compared]

Page 30: Digital Signature

“Real Identity” of the Signer.

Why should I trust what the Sender claims to be?

Moving towards PKI …

Page 31: Digital Certificate

A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes related to its Identity.

The entity can be a Person, a Hardware Component, a Service, etc.

A Digital Certificate is issued (and signed) by someone: usually the issuer is a Trusted Third Party.

Page 32: Digital Certificate

[Diagram, CERTIFICATE structure: Issuer, Subject, Subject Public Key, Issuer Digital Signature]
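The signing flow of page 29 and the certificate binding of pages 31 and 32, as an added example that is not part of the original deck: a textbook-RSA toy (constructed Mersenne-prime keys, SHA-256 digest, no padding, for illustration only) in which the receiver first checks the Issuer Digital Signature on the certificate and only then uses the certified Subject Public Key to check the message signature. The key sizes, message and names are constructed for the example.

```python
import hashlib

# Constructed toy RSA key pairs built from known Mersenne primes; real keys are
# 2048-bit or larger and come from a vetted library, never from code like this.
def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: returns (public key, private key) as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, inverse of e mod phi(n)
    return (e, n), (d, n)

def digest(data: bytes, n: int) -> int:
    """Hash Function / Digest Algorithm: SHA-256, reduced to fit under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv) -> int:
    """Signer side: hash the Message, then 'encrypt' the Digest with the Private Key."""
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    """Receiver side: 'decrypt' the Signature with the Public Key to get the Expected
    Digest and compare it with the Actual Digest of the Message that arrived."""
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject: str, subject_pub) -> bytes:
    """The part of the certificate the Issuer signs: Subject bound to Subject Public Key."""
    e, n = subject_pub
    return f"{subject}|{e}|{n}".encode()

def issue_cert(issuer_priv, subject: str, subject_pub) -> dict:
    """Trusted Third Party issues a certificate by signing the Subject/key binding."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(cert_body(subject, subject_pub), issuer_priv)}

def verify_with_cert(msg: bytes, sig: int, cert: dict, issuer_pub) -> bool:
    """Receiver trusts only the Issuer's public key: first check the Issuer Digital
    Signature on the certificate, then use the certified key to check the message."""
    if not verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], issuer_pub):
        return False  # certificate was not issued by the trusted party
    return verify(msg, sig, cert["pub"])

if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(2**31 - 1, 2**61 - 1)
    ca_pub, ca_priv = make_keypair(2**89 - 1, 2**107 - 1)
    cert = issue_cert(ca_priv, "alice", alice_pub)          # CA vouches for Alice's key
    msg = b"Transfer 100 EUR to Bob"                         # constructed sample message
    sig = sign(msg, alice_priv)
    print(verify_with_cert(msg, sig, cert, ca_pub))          # True
    print(verify_with_cert(msg + b"0", sig, cert, ca_pub))   # False: message altered
```

A certificate that Alice issues to herself fails the first check, since its signature does not verify under the trusted issuer's public key, so her message signature is never consulted.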

Page 33: Digital Certificate

How are Digital Certificates Issued?

Who is issuing them?

Why should I Trust the Certificate Issuer?

How can I check if a Certificate is valid?

How can I revoke a Certificate?

Who is revoking Certificates?

Moving towards PKI …

Page 34: Infosec and Cryptography, Subjects / Topics (agenda slide, as on page 2)

Page 35: Business Continuity and Disaster Recovery

Businesses are more susceptible to failure after a disaster

Goal
• To minimize disaster aftermath and ensure resources, personnel, and business processes resume

By
• Planning measures
• Backing up data and hardware
• Getting the right people in place

Requirements
• Management support
• Driving the project, top-down approach
• Must understand value of investing in BCP
  – Returns can be priceless

Page 36: Business Continuity Steps

Steps
• Develop the continuity planning policy statement
• Conduct the business impact analysis (BIA)
• Identify preventive controls
• Develop recovery strategies
• Develop the contingency plan
• Test the plan and conduct training and exercises
• Maintain the plan

Understanding the Organization

Page 37: Business Continuity Plan

Page 38: Business Impact Analysis (BIA)

• Considered a functional analysis
• Team collects data in variety of ways
• Maps out following characteristics:
  – Maximum tolerable downtime
  – Operational disruption and productivity
  – Financial considerations
  – Regulatory responsibilities
  – Reputation
• Understand the variety of possible threats
• Must go through all possible scenarios

Page 39: Questions

