1 / 54

Encryption and Firewalls

Encryption and Firewalls. Objectives. Describe the role encryption plays in a firewall architecture Explain how digital certificates work and why they are important security tools Analyze the workings of SSL, PGP, and other popular encryption schemes

addison-bright
Download Presentation

Encryption and Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Encryption and Firewalls

  2. Objectives Describe the role encryption plays in a firewall architecture Explain how digital certificates work and why they are important security tools Analyze the workings of SSL, PGP, and other popular encryption schemes Discuss Internet Protocol Security (IPSec) and identify its protocols and modes

  3. Firewalls and Encryption Hackers take advantage of a lack of encryption Encryption: Preserves data integrity Increases confidentiality Is relied upon by user authentication Plays a fundamental role in enabling VPNs

  4. Hacker and an Unencrypted Packet

  5. Hacker and an Encrypted Packet

  6. The Cost of Encryption CPU resources and time Bastion host that hosts the firewall should be robust enough to manage encryption and other security functions Encrypted packets may need to be padded to uniform length to ensure that some algorithms work effectively Can result in slowdowns Monitoring can burden system administrator

  7. Preserving Data Integrity Even encrypted sessions can go wrong as a result of man-in-the-middle attacks Encryption can perform nonrepudiation using a digital signature

  8. Maintaining Confidentiality Encryption conceals information to render it unreadable to all but intended recipients

  9. Authenticating Network Clients Firewalls need to trust that the person’s claimed identity is genuine Firewalls that handle encryption can be used to identify individuals who have “digital ID cards” that include encrypted codes Digital signatures Public keys Private keys

  10. Enabling Virtual Private Networks (VPNs) As an integral part of VPNs, encryption: Enables the firewall to determine whether the user who wants to connect to the VPN is actually authorized to do so Encodes payload of information to maintain privacy

  11. Principles of Cryptography Encryption: the process of converting an original message into a form that cannot be understood by unauthorized individuals Cryptology, the science of encryption, encompasses two disciplines: Cryptography: describes the processes involved in encoding and decoding messages so that others cannot understand them Cryptanalysis: the process of deciphering the original message (plaintext) from an encrypted message (ciphertext) without knowing the algorithms and keys used to perform the encryption

  12. Encryption Definitions Algorithm: the mathematical formula or method used to convert an unencrypted message into an encrypted message Cipher: the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components Ciphertext or cryptogram: the unintelligible encoded message resulting from an encryption

  13. Encryption Definitions (continued) Cryptosystem: the set of transformations necessary to convert an unencrypted message into an encrypted message Decipher: to decrypt or convert ciphertext to plaintext Encipher: to encrypt or convert plaintext to ciphertext Key or cryptovariable: the information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext

  14. Encryption Definitions (continued) Keyspace: the entire range of values that can possibly be used to construct an individual key Plaintext: the original unencrypted message that is encrypted and results from successful decryption Steganography: the process of hiding messages, usually within graphic images

  15. Encryption Definitions (continued) • Work factor: the amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message

  16. Cryptographic Notation M represents original message; C represents ciphertext; E represents encryption process; D represents the decryption process; K represents a key So… E(M) = C encrypting a message results in cyphertext D(C) = M and D[E(M)] = M E(M,K) = C specifies encrypting the message with a key; keys can be annotated K1, K2, etc. in the case of multiple keys

  17. Common Ciphers In encryption, the most commonly used algorithms include three functions: substitution, transposition, and XOR In a substitution cipher, you substitute one value for another; a monoalphabetic substitution uses only one alphabet and a polyalphabetic substitution use two or more alphabets The transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext; this can be done at the bit level or at the byte (character) level

  18. Common Ciphers (continued) In the XOR cipher conversion, the bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream XOR works as follows: ‘0’ XOR’ed with ‘0’ results in a ‘0’ (0  0 = 0) ‘0’ XOR’ed with ‘1’ results in a ‘1’ (0  1 = 1) ‘1’ XOR’ed with ‘0’ results in a ‘1’ (1  0 = 1) ‘1’ XOR’ed with ‘1’ results in a ‘0’ (1  1 = 0) Simply put, if the two values are the same, you get “0”; if not, you get “1” This process is reversible; that is, if you XOR the ciphertext with the key stream, you get the plaintext

  19. Vernam Cipher Also known as the one-time pad, the Vernam cipher was developed at AT&T and uses a set of characters that are used for encryption operations only one time and then discarded The values from this one-time pad are added to the block of text, and the resulting sum is converted to text

  20. Book or Running Key Cipher Another method, used in the occasional spy movie, is the use of text in a book as the algorithm to decrypt a message The key relies on two components: Knowing which book to use A list of codes representing the page number, line number, and word number of the plaintext word

  21. Symmetric Encryption The previous methods of encryption/decryption require the same algorithm and key be used to both encipher/decipher the message This is known as private key encryption or symmetric encryption In this approach, the same key—a secret key—is used to encrypt and decrypt the message

  22. Symmetric Encryption (continued) • Usually extremely efficient, requiring simple processing to encrypt or decrypt the message • Main challenge is getting a copy of the key to the receiver, a process that must be conducted out-of-band to avoid interception

  23. Symmetric Encryption (continued)

  24. The Technology of Symmetric Encryption Data Encryption Standard (DES) Developed in 1977 by IBM Based on the Data Encryption Algorithm (DEA), which uses a 64-bit block size and a 56-bit key Federally approved standard for nonclassified data Cracked in 1997 when developers of a new algorithm, Rivest-Shamir-Aldeman, offered $10,000 to whomever was first to crack it Fourteen thousand users collaborated over the Internet to finally break the encryption Triple DES (3DES) was developed as an improvement to DES and uses as many as three keys in succession

  25. The Technology of Symmetric Encryption (continued) Advanced Encryption Standard (AES) Successor to 3DES Based on Rijndael Block Cipher, which features a variable block length and a key length of either 128, 192, or 256 bits In 1998, it took a special computer designed by the Electronic Freedom Frontier more than 56 hours to crack DES; it would take the same computer approximately 4,698,864 quintillion years to crack AES

  26. Asymmetric Encryption Also known as public key encryption Uses two different but related keys Either key can be used to encrypt or decrypt If Key A is used to encrypt message, then only Key B can decrypt; if Key B is used to encrypt message, then only Key A can decrypt This technique is most valuable when one of the keys is private and the other is public Problem: it requires four keys to hold a single conversation between two parties, and the number of keys grows geometrically as parties are added

  27. Public Key Encryption

  28. Digital Signatures When asymmetric process is reversed, that the message was sent by organization owning the private key cannot be refuted (nonrepudiation) Digital signatures: encrypted messages verified as authentic by independent facility (registry)

  29. Digital Signatures (continued) • Digital certificate: electronic document, similar to digital signature, attached to file certifying that file is from the organization it claims to be from and has not been modified from original format • Certificate Authority (CA): agency that manages issuance of certificates and serves as electronic notary public to verify their origin and integrity

  30. Digital Signatures (continued)

  31. Public Key Infrastructure Public key infrastructure (PKI) is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption Systems are based on public key cryptosystems and include digital certificates and certificate authorities

  32. Public Key Infrastructure (continued) Can increase an organization’s ability to protect its information assets by providing: Authentication: digital certificates authenticate identity of each party in an online transaction Integrity: digital certificate asserts content signed by the certificate has not been altered in transit Confidentiality: keeps information confidential by ensuring it is not intercepted during transmission Authorization: digital certificates can replace user IDs and passwords, enhance security, and reduce overhead Nonrepudiation: certificates validate actions

  33. Hybrid Systems Pure asymmetric key encryption not widely used except in area of certificates; instead, typically employed in conjunction with symmetric key encryption, creating a hybrid system Hybrid process currently in use is based on Diffie-Hellman key exchange, which provides method to exchange private keys using public key encryption without exposure to third parties

  34. Hybrid Systems (continued) • In this method, asymmetric encryption is used to exchange symmetric keys, so two entities can conduct quick, efficient, secure communications based on symmetric encryption; Diffie-Hellman provided the foundation for subsequent developments in public key encryption

  35. Hybrid Encryption

  36. Using Cryptographic Controls Generation of unbreakable ciphertext is possible only if proper key management infrastructure has been constructed and cryptosystems are operated and managed correctly Cryptographic controls can be used to support several aspects of business: Confidentiality and integrity of e-mail and its attachments Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions Authentication and confidentiality of remote access through VPN connections Higher standard of authentication when used to supplement access control systems

  37. E-mail Security Secure Multipurpose Internet Mail Extensions (S/MIME) builds on Multipurpose Internet Mail Extensions (MIME); adds encryption and authentication via digital signatures Privacy Enhanced Mail (PEM) proposed by Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems; uses 3DES and RSA for key exchanges and digital signatures Pretty Good Privacy (PGP): uses IDEA Cipher, a 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding; RSA for symmetric key exchange and digital signatures

  38. Securing the Web Secure Electronic Transactions (SET) Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud Encrypts credit card transfers with DES and uses RSA for key exchange Secure Sockets Layer (SSL) Developed by Netscape in 1994 to provide security for online electronic commerce transactions Uses several algorithms; mainly relies on RSA for key transfer and IDEA, DES, or 3DES for encrypted symmetric key-based data transfer

  39. Securing the Web (continued) Secure Hypertext Transfer Protocol (SHTTP) An encrypted version of HTTP Provides secure e-commerce transactions and encrypted Web pages for secure data transfer over the Web, using several different algorithms Secure Shell (SSH) Uses tunneling to provide security for remote access connections over public networks Provides authentication services between a client and a server Used to secure replacement tools for terminal emulation, remote management, and file transfer applications

  40. Securing the Web (continued) IP Security (IPSec): primary and now dominant cryptographic authentication and encryption product of IETF’s IP Protocol Security Working Group IPSec combines several different cryptosystems: Diffie-Hellman key exchange for deriving key material between peers on a public network Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties Bulk encryption algorithms for encrypting the data Digital certificates signed by a certificate authorityto act as digital ID cards

  41. Securing the Web (continued) IPSec has two components: The IP Security protocol itself, which specifies the information to be added to an IP packet and indicates how to encrypt packet data The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations

  42. Securing the Web (continued) IPSec works in two modes of operation: Transport mode: only IP data is encrypted—not the IP headers themselves; allows intermediate nodes to read source and destination addresses Tunnel mode: entire IP packet is encrypted and inserted as payload in another IP packet IPSec and other cryptographic extensions to TCP/IP often used to support a virtual private network (VPN), a private, secure network operated over a public, insecure network

  43. Securing Authentication A final use of cryptosystems is to provide enhanced and secure authentication One approach to this issue is provided by Kerberos, which uses symmetric key encryption to validate an individual user’s access to various network resources It keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises

  44. Kerberos Kerberos system knows these private keys and can authenticate one network node (client or server) to another Kerberos also generates temporary session keys—that is, private keys given to the two parties in a conversation

  45. Kerberos (continued)

  46. Kerberos (continued)

  47. Attacks on Cryptosystems Historically, attempts to gain unauthorized access to secure communications have used brute force attacks in which the ciphertext is repeatedly searched for clues that can lead to the algorithm’s structure (ciphertext attacks) This process, known as frequency analysis, can be used along with published frequency of occurrence patterns of various languages and can allow an experienced attacker to quickly crack almost any code if the individual has a large enough sample of the encoded text

  48. Attacks on Cryptosystems (continued) Occasionally, an attacker may obtain duplicate texts, one in ciphertext and one in plaintext, which enable the individual to reverse-engineer the encryption algorithm in a known-plaintext attack scheme Alternatively, an attacker may conduct a selected-plaintext attack by sending a potential victim a specific text that they are sure the victim will forward on to others; the attacker then intercepts the encrypted message and compares it to the original plaintext

  49. Attacks on Cryptosystems (continued) Man-in-the-middle attack: method used to intercept the transmission of a public key or even to insert a known key structure in place of the requested public key Correlation attacks: collection of brute-force methods that attempt to deduce statistical relationships between the structure of the unknown key and the ciphertext that is the output of the cryptosystem

  50. Attacks on Cryptosystems (continued) In a dictionary attack, the attacker encrypts every word in a dictionary using the same cryptosystem as used by the target In a timing attack, the attacker eavesdrops during a victim’s session and uses statistical analysis of the user’s typing patterns and inter-keystroke timings to discern sensitive session information

More Related