CRYPTOGRAPHY SZABIST – Spring 2012

Upload: amanda-jacobs

Post on 16-Jan-2016


Cryptography

This chapter presents the following:

- Cryptography/Encryption/Ciphers
- Public / Private Key Cryptosystems
- Digital Signature
- Public Key Infrastructure (PKI)
- Vulnerability Assessment and Penetration Testing
- Applications of Cryptography


What is Cryptography?

Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process.

What are the possible uses of cryptography (encryption)?
- Tool in warfare
- E-commerce transactions
- Financial transactions
- Government
- Detect accidental or intentional alterations of data


The History of Cryptography

Cryptography has roots that begin around 2000 B.C.

Encryption methods evolved and were used to hide information from others.

A Hebrew cryptographic method (“Atbash”) requires the alphabet to be flipped:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

For example, the word “security” is encrypted into “hvxfirgb.” What does “hazyrhg” come out to be?

The History of Cryptography – contd.

Around 400 B.C., the Spartans used a system of encrypting information in which a message was written on a sheet of paper that was wrapped around a wooden stick, which was then delivered and wrapped around a different rod by the recipient.

The message was only readable if it was wrapped around the correct size stick, which made the letters properly match up.

The History of Cryptography

Later, in Rome, Julius Caesar (100–44 B.C.) used a method of shifting letters of the alphabet that shifted the alphabet by three positions. The following example shows a standard alphabet and a shifted alphabet.

- Alphabet – ALGORITHM
- Number of Locations – KEY

Standard Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cryptographic Alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC

Encrypt the word ‘LOGICAL SECURITY’
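The Atbash and Caesar methods above are both monoalphabetic substitutions, so one routine covers them. The following is an added example, not part of the original slides; the function names are chosen for this illustration. It also tries all 26 Caesar keys against a known word to show how small the key space is.

```python
import string

ALPHABET = string.ascii_uppercase


def substitute(text, cipher_alphabet):
    """Monoalphabetic substitution: map ALPHABET onto cipher_alphabet.

    Letter case is preserved; spaces and punctuation pass through unchanged.
    """
    table = str.maketrans(
        ALPHABET + ALPHABET.lower(),
        cipher_alphabet + cipher_alphabet.lower(),
    )
    return text.translate(table)


def atbash(text):
    """Atbash: the algorithm is 'flip the alphabet'; there is no key at all."""
    return substitute(text, ALPHABET[::-1])


def caesar_alphabet(key):
    """The algorithm is 'shift the alphabet'; the key is the number of locations."""
    key %= 26
    return ALPHABET[key:] + ALPHABET[:key]


def caesar_encrypt(text, key=3):
    return substitute(text, caesar_alphabet(key))


def caesar_decrypt(text, key=3):
    # Shifting back by the same number of locations undoes the encryption.
    return caesar_encrypt(text, -key)


def brute_force_caesar(ciphertext, known_word):
    """Try every possible key and keep the candidates containing known_word.

    With only 26 keys, exhaustive search is instant, which is why key length
    matters for the strength of a cryptosystem.
    """
    hits = []
    for key in range(26):
        candidate = caesar_decrypt(ciphertext, key)
        if known_word.upper() in candidate.upper():
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    print(caesar_alphabet(3))                # the slide's cryptographic alphabet
    print(atbash("security"))                # the slide's Atbash example
    ciphertext = caesar_encrypt("LOGICAL SECURITY", 3)
    print(ciphertext)
    print(brute_force_caesar(ciphertext, "SECURITY"))
```

Atbash is its own inverse, so applying `atbash` twice returns the original text.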

Cryptography – Definitions & Concepts

Encryption / Decryption Process

- Cryptosystem!
- Message
- Algorithm, also known as Cipher
- Key Space
- Key: 128, 256, 512, or even 1,024 bits and larger (i.e. 2^512)

Cryptography – Definitions & Concepts

Kerckhoffs’ Principle

- The only secrecy involved with a cryptography system should be the key; the algorithm should be publicly known.
- If security were based on too many secrets, there would be more vulnerabilities to possibly exploit.

Q: Would you agree or disagree with this???

Write down the reasoning with the answer.

The Strength of Cryptosystems

The strength of an encryption method comes from:
- The algorithm
- The secrecy of the key
- The length of the key

Can be broken through BRUTE FORCE ATTACK:
- Processing power
- Necessary resources
- Time

GOAL: “Make Compromising Too Expensive and Too Time Consuming”

Services of Cryptosystems

Cryptosystems can provide the following services:
- Confidentiality - Renders the information unintelligible except by authorized entities.
- Integrity - Data has not been altered in an unauthorized manner since it was created, transmitted, or stored.
- Authentication - Verifies the identity of the user or system that created information.
- Authorization - Upon proving identity, the individual is then provided with the key or password that will allow access to some resource.
- Non-repudiation - Ensures that the sender cannot deny sending the message.

Private Key Cryptosystems

Private key cryptographic systems are based on a symmetric encryption algorithm.

Following are some examples of ‘Symmetric Algorithms’:
- Data Encryption Standard (DES)
- Triple-DES (3DES)
- Blowfish
- RC4, RC5, and RC6
- IDEA (International Data Encryption Algorithm)
- Advanced Encryption Standard (AES)

Private Key Cryptosystems

DES (Data Encryption Standard)

A block of 64 bits and a key of 56 bits (with an additional 8 bits for parity check) are used.

No longer considered a strong cryptographic solution since its entire key can be brute-forced by large computer systems within a relatively short period of time.

DES is being replaced with AES, a public algorithm that supports keys from 128 to 256 bits and onwards in size.


Private Key Cryptosystems

Triple DES (3DES) (also known as TDEA - Triple Data Encryption Algorithm)

3DES was a quick fix to DES on the way to AES.

More secure than DES, but because of the extra work 3DES performs, there is a heavy performance hit.

It can take up to three times longer than DES to perform encryption and decryption.

Private Key Cryptosystems

Blowfish

The key length can be from 32 bits up to 448 bits.

It was intended as a replacement for the aging DES. Many of the other algorithms were either proprietary and thus encumbered by patents, or kept as government secrets; this wasn’t the case with Blowfish.

Bruce Schneier, the creator of Blowfish, has stated, “Blowfish is un-patented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.”

Private Key Cryptosystems

RC4

- It is used in the SSL protocol, and was implemented in the 802.11 WEP protocol standard.
- RC4 was developed by and considered a trade secret of RSA Data Security, Inc. until someone posted the source code on a mailing list.
- Since the source code was released nefariously, the stolen algorithm is sometimes implemented and referred to as ArcFour or ARC4 because the title RC4 is trademarked.
- The algorithm is very simple, fast, and efficient, which is why it became so popular.

Private Key Cryptosystems

RC5

- RC5 is a block cipher with block sizes of 32, 64, or 128 bits, and the key size goes up to 2,048 bits.

RC6

- RC6 is a block cipher that was built upon RC5, so it has all the same attributes as RC5.
- The algorithm was developed mainly to be submitted as AES, but Rijndael was chosen instead.
- There were some modifications of the RC5 algorithm to increase the overall speed, the result of which is RC6.

Private Key Cryptosystems

International Data Encryption Algorithm (IDEA)

- A block cipher that operates on 64-bit blocks of data. The 64-bit data block is divided into 16 smaller blocks.
- The key is 128 bits long, and IDEA is faster than DES when implemented in software.
- The IDEA algorithm is considered to be harder to break than DES because it has a longer key size.
- IDEA is used in PGP and other encryption software implementations.
- It was thought that it would replace DES, but it is patented, meaning that licensing fees would have to be paid to use it.

Private Key Cryptosystems

Advanced Encryption Standard (AES)

- DES was used as an encryption standard for over 20 years, and it was cracked in a relatively short time once the necessary technology was available.
- AES has replaced DES as the cryptographic algorithm standard (due to the short key length of DES).
- In 1997, NIST announced the initiation of the AES development effort and made a formal call for algorithms.
- On 2 October 2000, Rijndael was selected as the algorithm for the AES.
- For AES the block length was fixed to 128 bits and three different key sizes (128, 192 and 256 bits) were specified.

Private Key Cryptosystems

Advanced Encryption Standard (AES) – contd.

- Rijndael works well when implemented in software and hardware in a wide range of products and environments.
- It has low memory requirements and has been constructed to easily defend against timing attacks.
- Rijndael is now the algorithm required to protect sensitive but unclassified U.S. government information.

Private Key Cryptosystems

Advantages:
- User has to remember only one key for both encryption and decryption.
- Generally less complicated and, therefore, uses up less processing power than asymmetric techniques; also ideally suited for bulk data encryption.

Disadvantages:
- How to communicate the keys to those with whom you want to exchange data, particularly in e-commerce environments where customers are unknown, untrusted entities.
- A symmetric key cannot be used to sign electronic documents as the mechanism is based on a shared secret.

Private Key Cryptosystems

Following are the strengths and weaknesses of symmetric key algorithms:

Strengths
- Much faster (less computationally intensive) than asymmetric systems.
- Hard to break if using a large key size.

Weaknesses
- Requires a secure mechanism to deliver keys properly.
- Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming.
- Provides confidentiality but not authenticity or nonrepudiation.

Public Key Cryptosystems

- Public key cryptosystems are based on an asymmetric encryption process in which two keys work together as a pair. One key is used to encrypt data, the other is used to decrypt data.
- With asymmetric encryption, one key (the secret or private key) is known only to one person; the other key (the public key) is known by many people.
- A message that is sent encrypted by the private key of the sender can be deciphered by anyone with the corresponding public key (authenticity of the sender is ensured).
- A message that has been sent encrypted using the public key of the receiver can be generated by anyone, but can only be read by the receiver (confidentiality is ensured).

Public Key Cryptosystems

Asymmetric keys are often used for short messages such as encrypting DES symmetric keys or creating digital signatures.

If asymmetric keys were used to encrypt bulk data (long messages), the process would be very slow; this is the reason they are used to encrypt short messages such as digests or signatures.

The following are examples of asymmetric key algorithms:
- RSA (Rivest-Shamir-Adleman)
- Elliptic curve cryptosystem (ECC)
- Diffie-Hellman
- El Gamal
- Digital Signature Algorithm (DSA)

Public Key Cryptosystems

The Diffie-Hellman Algorithm

- Diffie-Hellman addresses a shortfall of symmetric key cryptography: the issue of secure distribution of the symmetric key.
- It was the first asymmetric key agreement algorithm.

How Diffie-Hellman works:
- User A and User B would like to communicate over an encrypted channel by using Diffie-Hellman.
- They would both generate a private and public key pair and exchange public keys.
- User A’s software would take its private key and User B’s public key and put them through the Diffie-Hellman algorithm.
- User B’s software would take its private key and User A’s public key and insert them into the Diffie-Hellman algorithm on the computer.
- Through this process, User A and User B derive the same shared value, which is used to create instances of symmetric keys.

Public Key Cryptosystems

The Diffie-Hellman Algorithm – contd.

- So, User A and User B exchanged information that did not need to be protected (their public keys) over an untrusted network, and in turn generated the exact same symmetric key on each system. They both can now use these symmetric keys to encrypt, transmit, and decrypt information as they communicate with each other.
- NOTE: key agreement is different from key exchange. With key exchange functionality, the sender encrypts the symmetric key with the receiver’s public key before transmission.
- The Diffie-Hellman algorithm allows for key distribution, but does not provide encryption or digital signature functionality.
- It is vulnerable to a man-in-the-middle attack, because no authentication occurs before public keys are exchanged.
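The exchange described on the two Diffie-Hellman slides, written out as an added example that is not part of the original slides. The prime P, generator G and all function names are assumptions chosen for illustration (a toy group, not a standardized one), and the fingerprint comparison stands in for any authenticated check of the public values.

```python
import hashlib
import secrets

# Toy public parameters for this example only (assumption, not a standard group).
P = 2**255 - 19   # a prime modulus
G = 2             # public base


def keypair(private=None):
    """Return (private, public). The public value G^private mod P may be sent openly."""
    if private is None:
        private = secrets.randbelow(P - 3) + 2   # random value in 2 .. P-2
    return private, pow(G, private, P)


def shared_value(my_private, their_public):
    """Combine my private key with the peer's public key."""
    if not 1 < their_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(their_public, my_private, P)


def symmetric_key(shared):
    """Derive a 256-bit symmetric key from the shared value."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(public):
    """Short digest of a public value, suitable for comparing over a trusted channel."""
    return hashlib.sha256(public.to_bytes(32, "big")).hexdigest()[:16]


def exchange(a_private=None, b_private=None, replaced_with=None):
    """Run the key agreement between User A and User B.

    replaced_with models the weakness noted on the slide: the network delivers
    some other public value to both users instead of the genuine ones.
    """
    a_private, a_public = keypair(a_private)
    b_private, b_public = keypair(b_private)

    seen_by_a = b_public if replaced_with is None else replaced_with
    seen_by_b = a_public if replaced_with is None else replaced_with

    key_a = symmetric_key(shared_value(a_private, seen_by_a))
    key_b = symmetric_key(shared_value(b_private, seen_by_b))

    # Authentication step that plain Diffie-Hellman lacks: each side compares
    # the fingerprint of what it received with the peer's genuine fingerprint.
    authentic = (fingerprint(seen_by_a) == fingerprint(b_public)
                 and fingerprint(seen_by_b) == fingerprint(a_public))
    return {"keys_match": key_a == key_b, "public_keys_authentic": authentic}


if __name__ == "__main__":
    print(exchange())                                   # honest network
    print(exchange(replaced_with=pow(G, 5555, P)))      # public values replaced
```

In the honest run both users derive the same symmetric key without ever sending it. When the public values are replaced, neither user can tell from the algorithm alone, which is why the public keys must be authenticated.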

Public Key Cryptosystems

RSA (Rivest-Shamir-Adleman)

- RSA is a worldwide de facto standard and is used for encryption / decryption, digital signature generation and verification, and key exchange (i.e. key encryption).
- It can be used as a key exchange protocol, meaning it is used to encrypt the symmetric key to get it securely to its destination.
- RSA has been most commonly used with the symmetric algorithm DES / AES. When RSA is used as a key exchange protocol, a cryptosystem generates a symmetric key using either the DES or AES algorithm.
- RSA has been implemented in applications; in operating systems by Microsoft, Apple, Sun, and Novell; and at the hardware level in network interface cards, secure telephones, and smart cards.

Public Key Cryptosystems

El Gamal

El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange.

El Gamal is actually an extension of the Diffie-Hellman algorithm.

Although El Gamal provides the same type of functionality as some of the other asymmetric algorithms, its main drawback is performance. When compared to other algorithms, this algorithm is usually the slowest.

Public Key Cryptosystems

Elliptical Curve Cryptography

- More efficient form of public key cryptography based on the elliptic curve discrete logarithm.
- ECC is more efficient than RSA and any other asymmetric algorithm; it demands less computational power and, therefore, offers more security per bit.
- For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1,024-bit key.
- ECC works well on smart cards, wireless devices and cellular telephones, which require strong cryptography but have limitations such as bandwidth, power supply and processing power.
- In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires.

Public Key Cryptosystems

Following are the strengths and weaknesses of asymmetric key algorithms:

Strengths
- Better key distribution than symmetric systems
- Can provide authentication and non-repudiation

Weaknesses
- Works much more slowly than symmetric systems
- Mathematically intensive tasks

Digital Envelope

A digital envelope is used to send encrypted information, using symmetric keys, and the relevant session key along with it.

It is a secure method to send electronic documents without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of asymmetric keys.

Implemented using a combination of Public and Private Key Infrastructure.

The One-Way Hash (Hash Function)

- A one-way hash is a function that takes a variable-length string (a message) and produces a fixed-length value called a hash value.
- For example, if A wants to send a message to B and he wants to ensure the message integrity, he would calculate a hash value for the message and append it to the message itself.
- When B receives the message, he / she performs the same hashing function A used and then compares the result with the hash value sent with the message.
- If the two values are the same, B can be sure the message was not altered during transmission.
- If the two values are different, B knows the message was altered, either intentionally or unintentionally.

The One-Way Hash – contd.

- The hashing algorithm is not a secret; it is publicly known. The secrecy of the one-way hashing function is its “one-wayness.”
- Various hashing algorithms: MD2, MD4, MD5, SHA, HAVAL, Tiger
- The hashing one-way function takes place without the use of any keys.

The One-Way Hash – contd.

What if someone intercepts the message, alters it, recalculates another message digest, appends it to the original message, and sends it to the targeted user?

Message Authentication Code (MAC).

The One-Way Hash – contd.

Message Authentication Code (MAC)

A MAC function is an authentication scheme derived by applying a secret key (code) to a message in some form.

Three basic types of MACs:
- Hash MAC (HMAC)
- CBC-MAC
- CMAC

The One-Way Hash – contd.

Message Authentication Code (MAC)

Hash MAC (HMAC)

A symmetric key is concatenated with the message.

- The sender concatenates a symmetric key with the message and puts the result through a hashing algorithm, which generates a MAC value.
- The MAC value is appended to the message.
- The sender sends the message (with MAC attached) to the receiver.
- The receiver concatenates a symmetric key with the message, puts the result through a hashing algorithm, and generates the MAC value.
- The receiver compares the two MAC values. If they are the same, the message has not been modified.

Note: The sender does not send the symmetric key with the message.
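The plain-hash check, the interception question and the HMAC answer from the preceding slides, side by side, as an added example that is not part of the original slides. The function names and the sample key and messages are constructed for illustration; the tag is computed with Python's `hmac` module, which implements the standard HMAC construction rather than a bare concatenation of key and message.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes


def send_with_hash(message: bytes) -> bytes:
    """A's side: append a keyless hash value to the message."""
    return message + hashlib.sha256(message).digest()


def check_hash(packet: bytes) -> bool:
    """B's side: recompute the hash and compare with the one received."""
    if len(packet) < DIGEST_LEN:
        return False
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), received)


def send_with_hmac(key: bytes, message: bytes) -> bytes:
    """Sender: append a MAC value computed with the shared symmetric key.

    The key itself is never sent.
    """
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_hmac(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the MAC with its own copy of the key and compare."""
    if len(packet) < DIGEST_LEN:
        return False
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


def alter_in_transit(new_message: bytes) -> bytes:
    """The slide's question: a party without the key replaces the message and
    recalculates a plain message digest for it."""
    return new_message + hashlib.sha256(new_message).digest()


def flip_one_bit(packet: bytes) -> bytes:
    """An accidental transmission error in the first byte."""
    return bytes([packet[0] ^ 0x01]) + packet[1:]


if __name__ == "__main__":
    key = b"constructed-shared-key"            # sample value for this example
    original = b"pay 100 to account 1234"      # sample value for this example
    altered = alter_in_transit(b"pay 900 to account 9999")

    print("hash accepts original:", check_hash(send_with_hash(original)))
    print("hash accepts altered :", check_hash(altered))
    print("HMAC accepts original:", check_hmac(key, send_with_hmac(key, original)))
    print("HMAC accepts altered :", check_hmac(key, altered))
```

The keyless hash catches accidental changes but accepts the altered packet, because anyone can recompute it; the HMAC check rejects it because the recalculated value was made without the shared key.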

The One-Way Hash – contd.

Message Authentication Code (MAC)

CBC-MAC

- The sender encrypts a plaintext message with a symmetric block algorithm; the last block is used as the MAC.
- The plaintext message and the appended MAC are sent to the receiver.
- The receiver encrypts the message, creates a new MAC, and compares the two values. If they are the same, the receiver knows the message was not modified and from which system it came.

The One-Way Hash – contd.

Message Authentication Code (MAC)

C-MAC

- CMAC works the same way as the CBC-MAC, but is based on more complex logic and mathematical functions.
- The symmetric algorithm (AES or 3DES) creates the symmetric key.
- This key is used to create subkeys. The subkeys are used individually to encrypt the individual blocks of a message.

Class Assignment?


Summary – One way hash

Digital Signatures

“an electronic identification of a person / entity created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender”

A digital signature is a hash value encrypted with the sender’s private key.
- The hashing function ensures the integrity of the message; and
- signing of the hash value provides authentication and non-repudiation.


Digital Signatures

Different steps and algorithms provide different types of security services:

- A message can be encrypted, which provides confidentiality.
- A message can be hashed, which provides integrity.
- A message can be digitally signed, which provides authentication, nonrepudiation, and integrity.
- A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity.

Some algorithms can only perform encryption, whereas others support digital signatures and encryption.

When hashing is involved, a hashing algorithm is used, not an encryption algorithm.
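The definition "a hash value encrypted with the sender's private key" can be traced with textbook RSA. This is an added example, not part of the original slides: the primes, the truncated digest and all names are toy values constructed for illustration, and it omits the padding that real RSA signature schemes apply.

```python
import hashlib

E = 65537   # public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes.

    Returns (public_key, private_key) as (n, e) and (n, d).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent: inverse of E modulo phi
    return (n, E), (n, d)


def digest_as_int(message: bytes) -> int:
    """Hash the message; keep 192 bits so the value fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:24], "big")


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: undo the transformation with the sender's public key and
    compare the result with a freshly computed hash of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message)


# Toy keys built from Mersenne primes (constructed for this example; such a
# modulus is far too small and too structured for real use).
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(2**89 - 1, 2**127 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)


if __name__ == "__main__":
    message = b"transfer approved by the sender"   # sample value
    signature = sign(message, SENDER_PRIVATE)

    # Integrity and authenticity: the unmodified message verifies.
    print(verify(message, signature, SENDER_PUBLIC))
    # Integrity: a modified message no longer matches the signed hash.
    print(verify(b"transfer approved by someone else", signature, SENDER_PUBLIC))
    # Authentication: a signature made with a different private key is rejected.
    print(verify(message, sign(message, OTHER_PRIVATE), SENDER_PUBLIC))
```

Only the holder of the private key can produce a value that verifies under the matching public key, which is the basis for authentication and non-repudiation.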

Digital Signatures

Digital Signature Standard (DSS)

- It was developed for federal departments and agencies, but most vendors also designed their products to meet these specifications.
- The federal government requires its departments to use RSA, or the elliptic curve digital signature algorithm (ECDSA).
- RSA is considered the best known and most widely used digital signature algorithm.


Public Key Infrastructure (PKI)

“A framework to issue, maintain and revoke public key certificates by a trusted party known as a PKI”

PKI allows users to interact with other users and applications, and obtain and verify identities and keys from trusted sources.

Key elements of the infrastructure are as follows:
- Digital certificates
- Certificate authority (CA)
- Registration authority (RA)
- Certificate revocation list (CRL)
- Certification practice statement (CPS)

Public Key Infrastructure (PKI)

Digital certificates
- A digital credential composed of a public key, together with identifying information about the owner of the public key.
- The purpose of digital certificates is to associate a public key with the individual’s identity.
- These certificates are electronic documents, digitally signed by some trusted entity, with a private key (transparent to users) that contains information about the individual.

Certificate authority (CA)
- An authority in a network that issues and manages security credentials and public keys for message encryption.
- The CA attests, as trusted provider of the public/private key pairs, to the authenticity of the owner (entity or individual) to whom a public/private key pair has been given.

Public Key Infrastructure (PKI)

Registration authority (RA)
- An authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.
- An optional entity separate from a CA, an RA would be used by a CA with a very large customer base.

Certificate revocation list (CRL)
- An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL details digital certificates that are no longer valid.
- The time gap between two updates is very critical and is also a risk in digital certificates verification.

Public Key Infrastructure (PKI)

Certification practice statement (CPS)
- A detailed set of rules governing the certificate authority’s operations.
- It provides an understanding of the value and trustworthiness of certificates issued by a given CA in terms of the controls that an organization observes, the method it uses to validate the authenticity of certificate applicants and the CA’s expectations of how its certificates may be used.

Public Key Infrastructure (PKI)

PKI Process Flow
- Subscriber applies to Certification Authority for Digital Certificate.
- CA verifies identity of Subscriber and issues Digital Certificate.
- CA publishes Certificate to Repository.
- Subscriber digitally signs electronic message with Private Key to ensure Sender Authenticity, Message Integrity and Non-Repudiation and sends to Relying Party.
- Relying Party receives message, verifies Digital Signature with Subscriber's Public Key, and goes to Repository to check status and validity of Subscriber's Certificate.
- Repository returns results of status check on Subscriber's Certificate to Relying Party.

Application of Cryptographic Systems

Some of the applications of cryptographic systems are:

Secure sockets layer (SSL)
- A session or connection-layered protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established.

Secure Hypertext Transfer Protocol (S/HTTP)
- An application layer protocol, S/HTTP transmits individual messages or pages securely, versus all messages in a session, between a web client and server by establishing an SSL-type connection through the “https://” designation in the URL, versus the standard http:// designation.
- This protocol utilizes SSL secure features, but does so as a message rather than as a session-oriented protocol.

Application of Cryptographic Systems

IP Security (IPSec)
- This IP network layer packet security protocol establishes virtual private networks via transport and tunnel mode encryption methods.
- For the transport method, the data portion of each packet, referred to as the encapsulating security payload (ESP), is encrypted, achieving confidentiality over the process. In the tunnel mode, the ESP payload and its header are encrypted. To achieve non-repudiation, an additional authentication header (AH) is applied.

SSH
- A client-server program that opens a secure, encrypted command line shell session from the Internet for remote logon.
- Similar to a VPN, it uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network.
- It is implemented at the application layer, as opposed to operating at the network layer (IPSec implementation).

Application of Cryptographic Systems

Secure multipurpose Internet mail extensions (S/MIME)
- A standard secure e-mail protocol that authenticates the identity of the sender and receiver, verifies message integrity and ensures the privacy of a message’s contents, including attachments.

Secure electronic transactions (SET)
- It is a protocol developed jointly by VISA and Master Card to secure payment card transactions between all parties involved in credit card transactions on behalf of cardholders and merchants.
- SET is an application-oriented protocol that uses trusted third parties’ encryption and digital signature processes, via a PKI infrastructure of trusted third party institutions, to address confidentiality of information, integrity of data, cardholder authentication, merchant authentication and interoperability.


End of Chapter

Thank You !!