1

Cryptography

Purpose: to protect transmitted information from being read or altered by non authorized subjects

2

Definitions Cipher – transformation program Ciphertext – translated message Block Cipher – message transformed into

blocks then enciphered XOR – binary translation Key – info that controls encipherment Plaintext – clear text message Steganography – message in pictures or

other binary forms

3

History of Cryptosystems Cryptography

Secures information by encrypting it

Early instances 3000 BC hieroglyphics 400 BC Spartans: text on a stick 50 BC Julius Caesar: Substitution Cipher 1523 Polyalphabetic substitution cipher

4

Types of Ciphers

Substitution cipher Every occurrence of a given letter is replaced by a different

letter

Transposition cipher Shifts the ordering of letters

5

Outline of Encryption

Secret-key encryption Public-key encryption Digital signature Digital certificate Certificate authority Key Agreement Protocols Key Management

6

Encryption Methods The essential technology underlying

virtually all automated network and computer security applications is cryptography

Two fundamental approaches are in use: conventional encryption, also known as

symmetric encryption public-key encryption, also known as asymmetric

encryption

7

Secret-key Encryption Secret-key cryptography

Same key to encrypt and decrypt message Sender sends message and key to receiver

Problems with secret-key cryptography Key must be transmitted to receiver Different key for every receiver Key distribution centers used to reduce these

problems Generates session key and sends it to sender and

receiver encrypted with the unique key Encryption algorithms

Dunn Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES)

8

Secret-key Encryption (Cont’) Encrypting & decrypting a message using symmetric key

9

Public Key Encryption Asymmetric, involving the use of two separate

keys Based on mathematical “one-way” functions

rather than on simple operations on bit patterns

Misconceptions about public key encryption it is more secure from cryptanalysis it is a general-purpose technique that

has made conventional encryption obsolete

Trap doors ?

10

Public Key Encryption Operation

11

Public Key Signature Operation

12

Characteristics of Public-Key Infeasible to determine the decryption key given

knowledge of the cryptographic algorithm and the encryption key.

Either of the two related keys can be used for encryption, with the other used for decryption.

Slow, but provides tremendous flexibility to perform a number of security-related functions

Most widely used algorithm is RSA http://www.rsasecurity.com/, invented by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1977.

13

Asymmetric - Symmetric

Asymmetric (public key) cryptography is 1000 to 10000 times slower than symmetric

Asymmetric Key Size Symmetric Key Sized

512 bits 64 bits

1792 bits 112 bits

2304 bits 128 bits

14

Conventional EncryptionKey Distribution

Both parties must have the secret key Key should be changed frequently Requires either manual delivery of

keys, or a third-party encrypted channel

Most effective method is a Key Distribution Center (e.g. Kerberos)

15

Public-Key EncryptionKey Distribution Parties create a pair of keys; public key is broadly

distributed, private key is not To reduce computational overhead, the following

process is then used:1. Prepare a message.2. Encrypt that message using conventional encryption

with a one-time conventional session key.3. Encrypt the session key using public-key encryption

with recipient’s public key.4. Attach the encrypted session key to the message and

send it.

16

Digital Signature An electronic message that can be used by someone

to authenticate the identity of the sender of a message or of the signer of a document.

Can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.

Additional benefits: Easy transportation, not easily repudiated, not

imitated by someone else, and automatically time-stamped.

17

Digital Signature Process

18

Public Key Certificates1. A public key is generated by the user and submitted to

Agency X for certification.2. X determines by some procedure, such as a face-to-

face meeting, that this is authentically the user’s public key.

3. X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X’s private key forming the signature.

4. The signature is attached to the public key.

19

X.500 Standard & X.509 Certificates

LDAP uses Directories store

Names, addresses, phone numbers, public key certificates

X.509 certificate format

Version Period of Validity

Serial Number Subject

Algorithm ID Subject’s Public Key

Issuer Signature

20

Certificate AuthorityA certificate authority is a trusted organization that can

vouch for the authenticity of the person or organization using authentication.

A person wanting to use a CA registers with the CA and must provide some proof of identify.

The CA issues a digital certificate that is the requestor's public key encrypted using the CA's private key as proof of identify.

This certificate is then attached to the user's email or Web transactions in addition to the authentication information.

The receiver then verifies the certificate by decrypting it with the CA's public key -- and must also contact the CA to ensure that the user's certificate has not been revoked by the CA.

For higher level security certification, the CA requires that a unique “fingerprint” (key) be issued by the CA for each message sent by the user.

21

VeriSign, Inc Headquartered in Mountain View, California, a leading

provider of Internet trust services authentication, validation and payment - needed by Web sites, enterprises, and e-commerce service providers to conduct trusted and secure electronic commerce and communications over IP networks.

To date, VeriSign has issued over 215,000 Web site digital certificates and over 3.9 million digital certificates for individuals.

22

Key Agreement Protocols Key agreement protocol

Process by which parties can exchange keys Use public-key cryptography to transmit

symmetric keys Digital envelope

Encrypted message using symmetric key Symmetric key encrypted with the public key Digital signature

23

CA Functionality Certificate Revocation Lists Key Management Key Distribution Key Revocation Key Recovery Key Renewal Key Distruction Multiple Keys

24

Key Agreement Protocols

Creating a digital envelope

25

Key Management

Key management Handling and security of private keys Key generation

The process by which keys are created Must be truly random

26

Steganography

Steganography Practice of hiding information within

other information Digital watermarks

Hidden within documents and can be shown to prove ownership

27

Steganography (Example 1)

Example of a conventional watermark

Courtesy of Blue Spike, Inc.

28

Steganography (Example 2) An example of steganography: Blue Spike’s Giovanni

digital watermarking process

Courtesy of Blue Spike, Inc.

29

Cryptographic Attacks•Brute force •Man-in-the-Middle

•Known plaintext •Differential Cryptanalysis

•Chosen plaintext •Linear Cryptanlysis

•Ciphertext only •Statistical

•Birthday attack •Factoring

30

Escrowed Encryption Need for law enforcement to have access Privacy Trap doors Escrowed Encryption Standard

Divide key into two parts Escrow portions with different orgs

Fair Cryptosystems Divide key into multiple, verifiable, parts Store key with various trustees Banker’s Trust purchased copyright

31

Identity-based Encryption

String used as key can be anything Four components

Setup – generate individual’s master-key Extracting – both parties gen private key

using own public key with master Encrypting – based on recipient’s public

key (john@durrett.org) create ciphertext Decrypting – using recipient’s private key

decrypt message

32

eMail Issues

S/MIME – digital signs, encry, X.509

Privacy Enhanced Mail – dig sigs, encr

PGP Symmetric Cipher, RSA “Web of Trust”

33

Internet Security

SSL / TLS (transaction layer security) SET IpSec https Mondex ssh2

34

SSL / TLS

Size of key decides strength of encryption.(40-bit, 56-bit encryptions are considered weak. They can be cracked in about a week)

Private Certificate Authorities: Used when certain kind of trust relation exists between the client and the server

Public Certificate Authorities: Used when no other relation exists between the client and the server

35

HTTPS

Secure Hypertext Transfer Protocol Client requests a secure transaction by accessing an

HTTPS URL and informs server about the encryption algorithm and key sizes it supports

Server sends back its digital certificate issued by CA Client verifies the certificate, generates a session

key, encrypts t with server’s public key and sends it back to server

Server decrypts the session key and uses it for symmetric encryption during further communication in the session

36

Wireless Security Physical security of wireless devices PDAs, cellphones: limited processing power

& no standards Wireless Application Protocol (WAP)

WML, WAE, WSP, WTP, WTSL, WDP Can be PKI enabled

IEEE 802.11 b, a, g (e draft) 11 & b, a, g security bad thus 11i working group

37

IEEE Wireless Standards

802.11 – 1 or 2Mbp on 2.4Ghz 802.11b – 11 to 1Mbp on 2.4Ghz 802.11a – up to 54Mbp at 5Ghz 802.11g – 20 to 54 @ 2.4 802.11e – QoS 802.15, 802.16 – Wireless broadband

WAN

38

Wireless Application Protocol (WAP)

Layers Application, Session, Transaction,

Security, Transport Wireless Transport Layer Security

3 classes of authentication – anonymous, server, client-server

WEP (Wired Equivalent Privacy) 40bit shared key, Rivest Code 4 (RC4)

39

Wireless Vulnerabilities Denial of Service Attacks “WAP Gap” – protocol change at carrier’s

gateway Insertion attack & rogue access points WEP weaknesses – not designed for

directed cripto attack SSID issues Scanning & War Driving Wireless Packet sniffers & neighbors Physical Loss

40

Instant Messaging Security Issues IM systems can transport sensitive and

confidential data over public networks in unencrypted form.

IM systems do not prevent transportation of files containing viruses

Misconfigured file sharing can vide access to system files, passwords, etc.

To monitor and prevent IM traffic network can be configured to deny access to certain domains (e.g. block yahoo.com for Yahoo messenger)

41

References:

1. e-Business & e-Commerce for Manageers, Deitel,Deitel and Steinbuhler, Prentice-Hall,2002

2. www.extremetech.com & pcmag.com4.www.rsasecurity.com5.www.seruritysearch.net6. How SSL Works