1 cryptography purpose: to protect transmitted information from being read or altered by non...
TRANSCRIPT
1
Cryptography
Purpose: to protect transmitted information from being read or altered by non authorized subjects
2
Definitions Cipher – transformation program Ciphertext – translated message Block Cipher – message transformed into
blocks then enciphered XOR – binary translation Key – info that controls encipherment Plaintext – clear text message Steganography – message in pictures or
other binary forms
3
History of Cryptosystems Cryptography
Secures information by encrypting it
Early instances 3000 BC hieroglyphics 400 BC Spartans: text on a stick 50 BC Julius Caesar: Substitution Cipher 1523 Polyalphabetic substitution cipher
4
Types of Ciphers
Substitution cipher Every occurrence of a given letter is replaced by a different
letter
Transposition cipher Shifts the ordering of letters
5
Outline of Encryption
Secret-key encryption Public-key encryption Digital signature Digital certificate Certificate authority Key Agreement Protocols Key Management
6
Encryption Methods The essential technology underlying
virtually all automated network and computer security applications is cryptography
Two fundamental approaches are in use: conventional encryption, also known as
symmetric encryption public-key encryption, also known as asymmetric
encryption
7
Secret-key Encryption Secret-key cryptography
Same key to encrypt and decrypt message Sender sends message and key to receiver
Problems with secret-key cryptography Key must be transmitted to receiver Different key for every receiver Key distribution centers used to reduce these
problems Generates session key and sends it to sender and
receiver encrypted with the unique key Encryption algorithms
Dunn Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)
8
Secret-key Encryption (Cont’) Encrypting & decrypting a message using symmetric key
9
Public Key Encryption Asymmetric, involving the use of two separate
keys Based on mathematical “one-way” functions
rather than on simple operations on bit patterns
Misconceptions about public key encryption it is more secure from cryptanalysis it is a general-purpose technique that
has made conventional encryption obsolete
Trap doors ?
10
Public Key Encryption Operation
11
Public Key Signature Operation
12
Characteristics of Public-Key Infeasible to determine the decryption key given
knowledge of the cryptographic algorithm and the encryption key.
Either of the two related keys can be used for encryption, with the other used for decryption.
Slow, but provides tremendous flexibility to perform a number of security-related functions
Most widely used algorithm is RSA http://www.rsasecurity.com/, invented by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1977.
13
Asymmetric - Symmetric
Asymmetric (public key) cryptography is 1000 to 10000 times slower than symmetric
Asymmetric Key Size Symmetric Key Sized
512 bits 64 bits
1792 bits 112 bits
2304 bits 128 bits
14
Conventional EncryptionKey Distribution
Both parties must have the secret key Key should be changed frequently Requires either manual delivery of
keys, or a third-party encrypted channel
Most effective method is a Key Distribution Center (e.g. Kerberos)
15
Public-Key EncryptionKey Distribution Parties create a pair of keys; public key is broadly
distributed, private key is not To reduce computational overhead, the following
process is then used:1. Prepare a message.2. Encrypt that message using conventional encryption
with a one-time conventional session key.3. Encrypt the session key using public-key encryption
with recipient’s public key.4. Attach the encrypted session key to the message and
send it.
16
Digital Signature An electronic message that can be used by someone
to authenticate the identity of the sender of a message or of the signer of a document.
Can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
Additional benefits: Easy transportation, not easily repudiated, not
imitated by someone else, and automatically time-stamped.
17
Digital Signature Process
18
Public Key Certificates1. A public key is generated by the user and submitted to
Agency X for certification.2. X determines by some procedure, such as a face-to-
face meeting, that this is authentically the user’s public key.
3. X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X’s private key forming the signature.
4. The signature is attached to the public key.
19
X.500 Standard & X.509 Certificates
LDAP uses Directories store
Names, addresses, phone numbers, public key certificates
X.509 certificate format
Version Period of Validity
Serial Number Subject
Algorithm ID Subject’s Public Key
Issuer Signature
20
Certificate AuthorityA certificate authority is a trusted organization that can
vouch for the authenticity of the person or organization using authentication.
A person wanting to use a CA registers with the CA and must provide some proof of identify.
The CA issues a digital certificate that is the requestor's public key encrypted using the CA's private key as proof of identify.
This certificate is then attached to the user's email or Web transactions in addition to the authentication information.
The receiver then verifies the certificate by decrypting it with the CA's public key -- and must also contact the CA to ensure that the user's certificate has not been revoked by the CA.
For higher level security certification, the CA requires that a unique “fingerprint” (key) be issued by the CA for each message sent by the user.
21
VeriSign, Inc Headquartered in Mountain View, California, a leading
provider of Internet trust services authentication, validation and payment - needed by Web sites, enterprises, and e-commerce service providers to conduct trusted and secure electronic commerce and communications over IP networks.
To date, VeriSign has issued over 215,000 Web site digital certificates and over 3.9 million digital certificates for individuals.
22
Key Agreement Protocols Key agreement protocol
Process by which parties can exchange keys Use public-key cryptography to transmit
symmetric keys Digital envelope
Encrypted message using symmetric key Symmetric key encrypted with the public key Digital signature
23
CA Functionality Certificate Revocation Lists Key Management Key Distribution Key Revocation Key Recovery Key Renewal Key Distruction Multiple Keys
24
Key Agreement Protocols
Creating a digital envelope
25
Key Management
Key management Handling and security of private keys Key generation
The process by which keys are created Must be truly random
26
Steganography
Steganography Practice of hiding information within
other information Digital watermarks
Hidden within documents and can be shown to prove ownership
27
Steganography (Example 1)
Example of a conventional watermark
Courtesy of Blue Spike, Inc.
28
Steganography (Example 2) An example of steganography: Blue Spike’s Giovanni
digital watermarking process
Courtesy of Blue Spike, Inc.
29
Cryptographic Attacks•Brute force •Man-in-the-Middle
•Known plaintext •Differential Cryptanalysis
•Chosen plaintext •Linear Cryptanlysis
•Ciphertext only •Statistical
•Birthday attack •Factoring
30
Escrowed Encryption Need for law enforcement to have access Privacy Trap doors Escrowed Encryption Standard
Divide key into two parts Escrow portions with different orgs
Fair Cryptosystems Divide key into multiple, verifiable, parts Store key with various trustees Banker’s Trust purchased copyright
31
Identity-based Encryption
String used as key can be anything Four components
Setup – generate individual’s master-key Extracting – both parties gen private key
using own public key with master Encrypting – based on recipient’s public
key ([email protected]) create ciphertext Decrypting – using recipient’s private key
decrypt message
32
eMail Issues
S/MIME – digital signs, encry, X.509
Privacy Enhanced Mail – dig sigs, encr
PGP Symmetric Cipher, RSA “Web of Trust”
33
Internet Security
SSL / TLS (transaction layer security) SET IpSec https Mondex ssh2
34
SSL / TLS
Size of key decides strength of encryption.(40-bit, 56-bit encryptions are considered weak. They can be cracked in about a week)
Private Certificate Authorities: Used when certain kind of trust relation exists between the client and the server
Public Certificate Authorities: Used when no other relation exists between the client and the server
35
HTTPS
Secure Hypertext Transfer Protocol Client requests a secure transaction by accessing an
HTTPS URL and informs server about the encryption algorithm and key sizes it supports
Server sends back its digital certificate issued by CA Client verifies the certificate, generates a session
key, encrypts t with server’s public key and sends it back to server
Server decrypts the session key and uses it for symmetric encryption during further communication in the session
36
Wireless Security Physical security of wireless devices PDAs, cellphones: limited processing power
& no standards Wireless Application Protocol (WAP)
WML, WAE, WSP, WTP, WTSL, WDP Can be PKI enabled
IEEE 802.11 b, a, g (e draft) 11 & b, a, g security bad thus 11i working group
37
IEEE Wireless Standards
802.11 – 1 or 2Mbp on 2.4Ghz 802.11b – 11 to 1Mbp on 2.4Ghz 802.11a – up to 54Mbp at 5Ghz 802.11g – 20 to 54 @ 2.4 802.11e – QoS 802.15, 802.16 – Wireless broadband
WAN
38
Wireless Application Protocol (WAP)
Layers Application, Session, Transaction,
Security, Transport Wireless Transport Layer Security
3 classes of authentication – anonymous, server, client-server
WEP (Wired Equivalent Privacy) 40bit shared key, Rivest Code 4 (RC4)
39
Wireless Vulnerabilities Denial of Service Attacks “WAP Gap” – protocol change at carrier’s
gateway Insertion attack & rogue access points WEP weaknesses – not designed for
directed cripto attack SSID issues Scanning & War Driving Wireless Packet sniffers & neighbors Physical Loss
40
Instant Messaging Security Issues IM systems can transport sensitive and
confidential data over public networks in unencrypted form.
IM systems do not prevent transportation of files containing viruses
Misconfigured file sharing can vide access to system files, passwords, etc.
To monitor and prevent IM traffic network can be configured to deny access to certain domains (e.g. block yahoo.com for Yahoo messenger)
41
References:
1. e-Business & e-Commerce for Manageers, Deitel,Deitel and Steinbuhler, Prentice-Hall,2002
2. www.extremetech.com & pcmag.com4.www.rsasecurity.com5.www.seruritysearch.net6. How SSL Works