210 likes | 393 Views
Cryptographic Security. Presented by: Josh Baker October 9 th , 2012. Overview. What is cryptographic security? Uses Main Points What is a “ Key/Certificate”? Implementations CAC based PKI Demonstration References. What is it?. Cryptographic Security :
E N D
Cryptographic Security Presented by: Josh Baker October 9th, 2012 CS5204 – Operating Systems
Overview • What is cryptographic security? • Uses • Main Points • What is a “Key/Certificate”? • Implementations • CAC based PKI Demonstration • References CS5204 – Operating Systems
What is it? Cryptographic Security: Leveraging a standardized system that uses a set of operations that are publicly available in order to authenticate identities, securely share data, or irrefutably sign data. def Cryptography: cryp∙tog∙ra∙phy[3] :the enciphering and deciphering of messages in secret code or cipher; also : the computerized encoding and decoding of information CS5204 – Operating Systems
Uses • Establishing Transport Layer Security (TLS/SSL) • HTTPS • SFTP • Data Encryption / Decryption • Digital Signature • Login / Authentication Protocols • Relies on digital signature CS5204 – Operating Systems
Main Points • Use of a publicly formalized system • Centers around a third party “Certificate Authority” • Certify Identities • Manage (create, distribute, revoke) Keys • Eliminates many security vulnerabilities • Can be used to enforce least privilege, separation of duties, economy of mechanism, and complete mediation while being an open design. • Heavy use of hashing algorithms (sha1, MD5,…) CS5204 – Operating Systems
What is a “Key”? • Cryptographic Key: A set of 2 integers that can be used with a cryptographic algorithm in order to encrypt or decrypt data. • Two types of cryptographic systems: • Private Key – using only one secret key (symmetric) • Public Key – using two keys, a secret key and a shared key (asymmetric) • RSA and NIST recommend using at least: • 112 bit symmetric keys (harder to break, efficient) • 2048 bit asymmetric keys CS5204 – Operating Systems
What is a “Certificate”? • Cryptographic Certificate: The combination of identity information with cryptographic information. • Identity of the certificate owner • Identity of the certificate authority (issuer) • Dates that the certificate is valid for • Which cryptographic algorithms are used • Key information • One owner may have multiple certificates for various uses: authentication, encryption, signature CS5204 – Operating Systems
TLS / SSL • Used for transporting data securely over non-secure channels, most namely the internet. • Uses Handshaking: • Employs both Symmetric and Asymmetric keys • Symmetric keys are smaller than asymmetric keys and provide improved performance • A secure channel must be established using asymmetric keys in order to transmit the shared secret symmetric key • “Nonces” are used to defend against replay attacks CS5204 – Operating Systems
TLS / SSL source: [9] CS5204 – Operating Systems
Encryption / Decryption Source:[7] • Private Key Encryption (symmetric): • Encrypting local files • Must share the key in order to share the data • Cannot use private key from PKI • Group Authentication • Cipher: stream/block • AES 128 bit block CS5204 – Operating Systems
Encryption / Decryption source:[8] Provides confidentiality but not authentication Public Key Encryption (asymmetric): CS5204 – Operating Systems
Encryption / Decryption • The RSA Cryptosystem: • Developed by Rivest, Shamir, and Adleman in 1977 • The de facto standard for PKI • The encryption key is public (E) • The decryption key is private (D) • The Message M can be calculated by: • M = D(E(M)) • M = E(D(M)) CS5204 – Operating Systems
Encryption / Decryption • RSA Algorithm details (generate keys) • 1. Find 2 unique large prime numbers • 2. Calculate n n = p ∙ q • 3. Pick a large random integer d that is relatively prime to (p-1)∙(q-1) such that gcd(d, (p-1)∙(q-1)) = 1 • 4. Calculate e e ∙ d = 1∙(mod (p1)∙(q1)) CS5204 – Operating Systems
Encryption / Decryption • RSA Algorithm details (encrypt/decrypt) • Encryption: • Given message M create ciphertext C • C = E(M) = Me (mod n) • Decryption: • Given ciphertext C create message M • M = D(C) = Cd(mod n) • Can be calculated quickly using modular exponentiation (repeated squaring) CS5204 – Operating Systems
Digital Signature Not “electronic signature” which is typically implemented with a digital representation of a hand signature or acknowledgment gesture. Provides non-repudiation, irrefutably evidence that the signature was created by the identified party. Provides data integrity validation Provides authentication but not confidentiality CS5204 – Operating Systems
Digital Signature source:[8] CS5204 – Operating Systems
Digital Signature • RSA Digital Signature details: • A message M is signed using the private key • S = D(M) • A digital signature is validated using the public key • M = E(S) • Decryption of the message can be used to prove the identity of a user, authentication • Validating a digital signature also validates the data by comparing the hash values CS5204 – Operating Systems
CAC PKI • Common Access Card (CAC) aka Smart Card • Utilized extensively by the DoD • Enforces two factor authentication • Something you have – CAC • Something you know – PIN • Can be used for three factor authentication with addition of finger print reader (something you are) • Newer generation cards can also be used with proximity based passive RFID readers • Great for enforcing separation of duties and least privilege CS5204 – Operating Systems
CAC PKI Demo One last note, using an in house certificate authority (CA) and a smart card enabled PKI cryptosystem throughout an organization can enable greater PII (Personally Identifiable Information) security by replacing things like SSNs with othewise meaningless unique identifiers like the DoD EDIPI (Electronic Data Interchange Personal Identifier). CS5204 – Operating Systems
References 1. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Rivest et al 2. “Introduction to Algorithms, Second Edition”, Cormen et al 3. Merriam-Webster dictionary, term: cryptography, (www.merriam-webster.com) 4. National Institute for Standards and Technology, (www.nist.gov) 5. http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/ 6. RSA Laboratories, (www.rsa.com) 7. http://www.itportal.in/2011/12/encryption-decryption-information.html 8. http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html 9. http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx CS5204 – Operating Systems