Cryptographic methods II.

PACE-IT, Security+ 6.2: Cryptographic Methods (part 2)


Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of expertise: PC hardware, network administration, IT project management, network design, user training, IT troubleshooting.

Education: M.B.A., IT Management, Western Governor's University; B.S., IT Security, Western Governor's University.

Qualifications summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

PACE-IT: Cryptographic methods II.

– Key stretching.

– Cryptographic implementations.

Key stretching.

The greatest vulnerability in any cryptographic implementation tends to be in the security key that is used in the process. In many cases, the security key is either a password or passphrase that is used in the cryptographic process. Both passwords and passphrases, when used on their own, are susceptible to brute force type attacks, leading to a weakness in the cryptography. The solution to this is to use a process called key stretching (key strengthening) to harden the keys against these attacks. With key stretching, the password or passphrase is processed by an algorithm to strengthen the password by increasing the complexity of the key. Two popular algorithms used for key stretching are bcrypt and PBKDF2 (Password-Based Key Derivation Function 2).
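The key stretching step described above, as an added example that is not part of the PACE-IT slides: PBKDF2-HMAC-SHA256 from Python's standard library turns a password plus a random salt into a derived key, with the iteration count as the work factor. The record format (`algorithm$iterations$salt$key`) and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Work factor: the iteration count is what "stretches" the password. Higher
# means more CPU per guess for an attacker (and per login for the user).
# The value below is a placeholder for illustration; tune it to your budget.
DEFAULT_ITERATIONS = 600_000
KEY_LENGTH = 32  # bytes of derived key


def stretch_password(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive a key from a password with PBKDF2-HMAC-SHA256 (the stretching step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LENGTH)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build a storable record: algorithm, iteration count, random salt, derived key.
    The salt is unique per record so identical passwords do not produce identical keys."""
    salt = os.urandom(16)
    key = stretch_password(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time."""
    alg, iterations, salt_hex, key_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    candidate = stretch_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_record("correct horse battery staple", rec))  # True
    print(verify_record("Tr0ub4dor&3", rec))                   # False
```

Every guess an attacker makes must pay the same iteration cost, which is what makes a brute force run against a stretched password far slower than against a bare hash.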

Cryptographic implementations.

– One-time pad (OTP).

» A symmetrical cryptographic encryption method in which a random security key is used to encrypt a message only one time.

• It is particularly resistant to hacking, as the key will change with every message that is sent.

• When the random key used is the same length as the message, it is even more difficult to break.

– DES (Data Encryption Standard).

» A symmetrical cryptographic encryption standard developed by the U.S. government.

• It is a block cipher (encrypts complete blocks of data) that utilizes a 56-bit encryption algorithm; it is not considered secure.

– 3DES (Triple DES).

» An improvement on DES that utilizes three separate 56-bit encryption keys to create a 168-bit encryption method.

• Each block of data is encrypted three times (once for each of the security keys).
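The one-time pad item above, as an added example that is not part of the PACE-IT slides: XOR with a truly random key as long as the message, plus a function showing what an observer learns when the "one time" rule is broken (the key cancels out and only the XOR of the two plaintexts remains). The sample messages are constructed.

```python
import secrets


def otp_keygen(length: int) -> bytes:
    """A truly random key exactly as long as the message it will protect."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: XOR is its own inverse. The key must cover the whole message."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(b ^ k for b, k in zip(data, key))


def reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """Defender's view of pad reuse: with the same key on two messages,
    c1 XOR c2 == m1 XOR m2, so the key contributes nothing. This is why the
    slide says the key is used only one time."""
    c1 = otp_xor(m1, key)
    c2 = otp_xor(m2, key)
    return otp_xor(c1, c2)


if __name__ == "__main__":
    msg = b"meet at noon"          # constructed sample message
    key = otp_keygen(len(msg))
    ct = otp_xor(msg, key)
    print(ct.hex(), otp_xor(ct, key))  # ciphertext, then the original message back
```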


– RC (Rivest Cipher).

» A family of symmetrical cryptographic encryption methods developed by Ronald Rivest.

• RC4 is a stream cipher (encrypts data one bit at a time) used by other cryptographic solutions including SSL (Secure Socket Layer) and WEP (Wired Equivalent Privacy); it is considered to be a weak encryption standard.

• RC5 is a block cipher algorithm that is much more secure than RC4.

– Blowfish.

» A symmetrical cryptographic encryption method developed by Bruce Schneier as a replacement for the weaker DES standard.

• Utilizes a variable encryption bit length; it can offer anywhere from single bit encryption to 448-bit encryption.


– TwoFish.

» A symmetrical cryptographic encryption method developed by Bruce Schneier based on the development of Blowfish.

• Utilizes 128-bit encryption.

– AES (Advanced Encryption Standard).

» A symmetrical cryptographic encryption method developed on behalf of the National Institute of Standards and Technology (NIST), an agency of the U.S. government.

• It is a block cipher encryption method in which the block size is always 128 bits, but the key used for the encryption can be 128 bits, 192 bits, or 256 bits.

• AES has been adopted worldwide as an acceptable level of encryption and performance.


– RSA (Rivest Shamir Adleman).

» An asymmetrical cryptographic encryption method that is named after the developers.

» It is the first widely used encryption standard to employ the use of public and private security keys.

• An entity's public key can be used by anyone to encrypt messages.

• Only the entity's private key can be used to decrypt messages encrypted by the public key.

– PGP (Pretty Good Privacy).

» An asymmetrical cryptographic encryption method that can be used to generate security keys and to publish the public security keys in a secure manner.

• Allows for the secure (encrypted) use of email between two endpoints with minimal effort.

» GPG (GNU Privacy Guard) is a GNU system's implementation of PGP.

• GNU is a UNIX-like operating system (Linux is part of the GNU family of operating systems).
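The RSA public/private key property described above, as an added example that is not part of the PACE-IT slides: a textbook key pair built from two constructed small primes, with anyone able to encrypt under the public key and only the private exponent able to reverse it. The primes and message are constructed toy values; real RSA uses primes of 1024+ bits and padding such as OAEP, never raw exponentiation.

```python
from math import gcd

# Constructed toy primes so the numbers stay readable. n = p*q is about 2^40,
# so only messages shorter than 5 bytes fit; real keys are thousands of bits.
P_TOY = 1000003
Q_TOY = 999983


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can do this step."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key, length: int) -> bytes:
    """Only the holder of the private exponent d can undo the encryption."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


if __name__ == "__main__":
    public, private = generate_keypair(P_TOY, Q_TOY)
    ct = encrypt(b"key!", public)          # constructed 4-byte sample message
    print(ct, decrypt(ct, private, 4))     # integer ciphertext, then b'key!'
```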


One issue with asymmetrical encryption is how the exchange of security keys is going to occur in a secure manner.

The first practical solution was developed by Whitfield Diffie and Martin Hellman. Their solution was referred to as the Diffie-Hellman (DH) key exchange. It created a secure method in which two unrelated parties could jointly create a shared secret key over an unsecure communication channel (e.g., the Internet). Diffie-Hellman has since been improved upon with the creation of DHE (Diffie-Hellman ephemeral key) and ECDHE (elliptic curve Diffie-Hellman ephemeral key). Both DHE and ECDHE help to provide perfect forward secrecy and help to ensure the security of the key exchange process.
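The Diffie-Hellman exchange described above, as an added example that is not part of the PACE-IT slides: both parties derive the same secret while only public values cross the channel, and a second run with fresh (ephemeral) private values produces an unrelated secret, which is the property behind DHE's forward secrecy. The modulus and generator are constructed toy parameters; real deployments use standardized groups (RFC 3526 MODP groups) or elliptic curves (ECDHE) and authenticate the exchanged values.

```python
import secrets

# Constructed toy group parameters: 2^61 - 1 is a Mersenne prime, small enough
# to read but far too small for real use. Standardized groups are 2048+ bits.
P = 2305843009213693951
G = 2


class Party:
    """One side of the exchange. A fresh private value per instance is what
    makes the exchange 'ephemeral' (DHE)."""

    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1   # never leaves this object
        self.public = pow(G, self.private, P)         # this is what goes on the wire

    def shared_secret(self, peer_public: int) -> int:
        return pow(peer_public, self.private, P)


def run_exchange():
    """One DHE session. Returns the secret each side computed; the channel only
    ever saw alice.public and bob.public."""
    alice, bob = Party("Alice"), Party("Bob")
    k_alice = alice.shared_secret(bob.public)   # (g^b)^a mod p
    k_bob = bob.shared_secret(alice.public)     # (g^a)^b mod p
    return k_alice, k_bob


def forward_secrecy_demo():
    """Two sessions, two sets of ephemeral keys, two unrelated secrets: learning
    one session's secret later does not expose the other session."""
    (k1, _), (k2, _) = run_exchange(), run_exchange()
    return k1, k2


if __name__ == "__main__":
    a, b = run_exchange()
    print(a == b, a)                      # True, shared secret
    print(forward_secrecy_demo())         # two different secrets
```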

What was covered. Cryptographic methods II.

Topic: Key stretching.

Summary: One of the greatest vulnerabilities in any cryptographic implementation is the weaknesses that are found in the security keys. The security keys are often passwords or passphrases that can be subjected to brute force attacks. Key stretching is a process of using a special algorithm on the security key to strengthen the key. Two of the most popular key strengthening algorithms are bcrypt and PBKDF2.

Topic: Cryptographic implementations.

Summary: Some common implementations of cryptography that provide symmetrical encryption include: OTP, DES, 3DES, RC, Blowfish, TwoFish, and AES. Some common implementations of cryptography that provide asymmetrical encryption include: RSA, PGP, and GPG. An issue with asymmetrical encryption is how to ensure that the key exchange remains secure. The first practical solution was DH. It has since been improved upon with DHE and ECDHE.

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53. PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.