Cryptography BAI514 – Security I
Cryptography • The art and science of hiding the meaning of a communication from unintended recipients • Comes from the Greek • kryptos – hidden • graphein – to write • An attacker may be able to decipher or decode a message using a variety of techniques • Work Factor – the cost or time required to recover the encrypted text
Cryptography • Cryptography • Can be used to provide • integrity • authentication • non-repudiation
Cryptography • Cryptanalysis • The process of “cracking” a cryptographic algorithm • Cryptology • Encompasses both cryptanalysis and cryptography
Symmetric Key Cryptography • Most familiar form of cryptography • Secret Key • Private Key • Sender and recipient require the same key • Sender encrypts the message with the secret key (cryptovariable) to produce ciphertext • Recipient applies the same secret key to the ciphertext to decrypt the message • Secret key must be shared in a secure manner
Symmetric Key Cryptography • Symmetric Key Encipherment • Many methods exist for scrambling a message • Some date back more than 5000 years • Ciphers were also employed by the Romans • Caesar cipher • Substitution cipher • Letters of the alphabet are shifted n positions to the right • If the key was 3, then A would encrypt to D, etc.
Symmetric Key Cryptography • Symmetric Key Encipherment (cont.) • Substitution Cipher • Similar to Caesar Cipher • Implemented numerically using modulo 26 addition • Letters of alphabet given values of 0-25 • Two parameters required • D – number of repeating letters representing the key • K – the key
Symmetric Key Cryptography • Symmetric Key Encipherment (cont.) • Substitution Cipher (cont.) • Example: D=3, K=HAT, MSG=NO TIME
  Message:                    N  O  T  I  M  E     13 14 19  8 12  4
  Key (repeated):             H  A  T  H  A  T      7  0 19  7  0 19
  Sum:                                             20 14 38 15 12 23
  Modulo 26 (38 - 26 = 12):                        20 14 12 15 12 23
  Ciphertext:                 U  O  M  P  M  X
Symmetric Key Cryptography • Symmetric Key Encipherment (cont.) • Substitution Cipher (cont.) • Can be attacked through frequency analysis • Most common letters (in order of frequency) • e, t, a, o, i, n, s, r • This type of cryptanalysis possible with a monoalphabetic (simple substitution) cipher • a char of ciphertext is substituted for a char of plaintext • Polyalphabetic cipher • more difficult • different alphabet is used for every char substitution
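The modulo-26 cipher from the slides, as an added Python example that is not part of the original deck. It reproduces the NO TIME / HAT result and shows why a one-letter key (D=1) falls to letter counting while a three-letter key maps the same plaintext letter to several ciphertext letters; the sample sentence and all function names are assumptions made for the illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

def normalize(msg):
    """Keep letters only, upper-cased (the slide drops the space in NO TIME)."""
    return "".join(ch for ch in msg.upper() if ch in ALPHABET)

def encipher(msg, key, sign=1):
    """Add the repeating key to the message modulo 26; sign=-1 subtracts (deciphers)."""
    key = normalize(key)
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(normalize(msg))
    )

def decipher(ciphertext, key):
    return encipher(ciphertext, key, sign=-1)

def images(msg, key):
    """For each plaintext letter, the set of ciphertext letters it was turned into."""
    seen = {}
    for p, c in zip(normalize(msg), encipher(msg, key)):
        seen.setdefault(p, set()).add(c)
    return seen

def guess_shift(ciphertext):
    """Frequency analysis of a one-letter key: assume the most common letter is E."""
    top = Counter(normalize(ciphertext)).most_common(1)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26

# Constructed sample sentence (not from the slides).
SAMPLE = "MEET ME AT THE TREE NEAR THE RIVER"

if __name__ == "__main__":
    print(encipher("NO TIME", "HAT"))        # slide example: D=3, K=HAT
    mono = encipher(SAMPLE, "D")             # D=1: every letter shifted by 3 (A becomes D)
    poly = encipher(SAMPLE, "HAT")           # D=3: three alphabets used in rotation
    print(mono, guess_shift(mono))           # the shift falls out of the letter counts
    print(poly, sorted(images(SAMPLE, "HAT")["E"]))
```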
Symmetric Key Cryptography • Symmetric Key Encipherment (cont.) • Vernam Cipher (One-Time Pad) • Employs a truly random key as long as the message • Key is used only once • Transposition (Permutation) Cipher • Rather than substitution, the plaintext is scrambled by permutation • ex. NO TIME → TI EONMT
Symmetric Key Cryptography • Symmetric Key Encipherment (cont.) • Exclusive OR (XOR) Function • Performs the Boolean operation of binary addition without carry on the input bits • Amenable to hardware implementations • Used as part of encryption/decryption process in symmetric key cryptography
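An added Python example, not from the original slides, combining the XOR function with the one-time pad rule that a key is used only once. `PadBook` is a hypothetical helper that hands out each pad byte a single time, and `demo` shows what leaks when the rule is broken: the pad cancels out and the XOR of the two plaintexts is exposed. The messages are constructed.

```python
import secrets

def xor_bytes(a, b):
    """Bitwise XOR: addition modulo 2 of each pair of bits, with no carry."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class PadBook:
    """Random key material that is consumed as it is used and never handed out twice."""
    def __init__(self, material):
        self._material = bytearray(material)
        self._offset = 0

    def take(self, n):
        if self._offset + n > len(self._material):
            raise RuntimeError("pad exhausted: refusing to reuse key bytes")
        chunk = bytes(self._material[self._offset:self._offset + n])
        # Overwrite the used bytes so they cannot be taken again.
        self._material[self._offset:self._offset + n] = bytes(n)
        self._offset += n
        return chunk

    def apply(self, data):
        """Encrypts plaintext or decrypts ciphertext: XOR is its own inverse."""
        return xor_bytes(data, self.take(len(data)))

def reuse_leak(c1, c2):
    """What an eavesdropper learns if one pad encrypted both messages: p1 XOR p2."""
    return xor_bytes(c1, c2)

def demo():
    material = secrets.token_bytes(14)
    sender, recipient = PadBook(material), PadBook(material)
    p1, p2 = b"NO TIME", b"RETREAT"              # constructed messages
    c1, c2 = sender.apply(p1), sender.apply(p2)  # each message gets fresh pad bytes
    round_trip = recipient.apply(c1) == p1 and recipient.apply(c2) == p2
    # Misuse: the same 7 pad bytes encrypt both messages.
    pad = material[:7]
    bad1, bad2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return round_trip, reuse_leak(bad1, bad2) == xor_bytes(p1, p2)
```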
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics • Cryptosystems have information known to public and other data kept secret • Publicly known information • Copies of plaintext and associated ciphertext • Algorithm for enciphering the plaintext copy of the enciphered message • Possibly, an encipherment of the plaintext that was chosen by an unintended receiver • Secret information • Key (Cryptovariable) • Specific transformation, out of all possible transformations
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Generally, the larger the key, the more difficult it is to determine the key • 128-bit keys are difficult to break • Issues • Sender needs a different secret key for each recipient to communicate securely with each individually • Keys must be communicated between sender and recipient • Does not provide authentication or non-repudiation
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Examples • DES – Data Encryption Standard • Triple DES • AES – Advanced Encryption Standard • Blowfish • Twofish • IDEA • RC5/RC6
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Data Encryption Standard (DES) • Derived from Lucifer cryptographic system developed by Horst Feistel at IBM in the early 1970s • Used for commercial and non-classified purposes • Has been broken
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Triple DES • Data encrypted with DES three times • EDE (DES-EDE2) • Encrypted with Key 1 • Decrypted with Key 2 • Encrypted with Key 1 • EEE (DES-EEE3) • Encrypted with Key 1 • Encrypted with Key 2 • Encrypted with Key 3
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Advanced Encryption Standard (AES) • Officially replaced DES as the official US standard on November 1, 2001 • Based on the Rijndael algorithm, developed by two Belgian cryptographers • Dr. Joan Daemen • Dr. Vincent Rijmen • Supports 128-bit, 192-bit, and 256-bit keys
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Blowfish • Designed by Bruce Schneier • Published in 1993 as a replacement for DES • Keys range from 32 to 448 bits • Available in the public domain • Predecessor to Twofish
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • Twofish • Keys up to 156 bits • Finalist in the competition for AES
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • IDEA Cipher • International Data Encryption Algorithm • Designed by James Massey and Xuejia Lai • Published in 1992 • Uses 128-bit key • Uses the same modes of operation as DES • Used in PGP (Pretty Good Privacy) email encryption
Symmetric Key Cryptography • Symmetric Key Cryptography Characteristics (cont.) • RC5/RC6 • Patented family of symmetric cryptographic algorithms introduced in 1994 • Developed by Ronald Rivest • Supports keys up to 2,048 bits • RC6 is an upgrade to RC5 and operates faster
Public Key Cryptosystems • Asymmetric key • Addresses problem of key distribution in symmetric key cryptography • All participants have a private key (secret) • All participants have a public key (available to public) • The two keys are mathematically related • Messages encrypted with one of the keys can only be decrypted with the other key • The private key cannot be derived from the public key
Public Key Cryptosystems • One-Way Functions • Used to generate the public key from the private key • Relatively simple to generate the public key • Next to impossible to reverse the process • PK cryptography was advanced by Dr. W. Diffie and Martin Hellman • Described a process of securely exchanging secret keys over a non-secure medium • Diffie-Hellman key exchange
Public Key Cryptosystems • Public Key Algorithms • RSA • Developed by Rivest, Shamir, and Adleman • Can be used for • Encryption • Key exchange • Digital signatures • Based on the difficulty of factoring a number, N, which is the product of two large prime numbers • The prime numbers may be ~200 digits each
Public Key Cryptosystems • Public Key Algorithms (cont.) • RSA (cont.) • Choose two large prime numbers, p and q, and compute p*q = n, which is the public modulus • Choose a random public key, e, so that e and (p – 1)*(q – 1) are relatively prime (the GCD is 1) • Compute d such that e*d = 1 mod [(p – 1)(q – 1)], where d is the private key • Therefore d = e^-1 mod [(p – 1)(q – 1)] • (d,n) is the private key • (e,n) is the public key
Public Key Cryptosystems • Public Key Algorithms (cont.) • El Gamal • Expanded the Diffie-Hellman key exchange to apply to encryption and digital signatures • Uses the problem of finding the discrete logarithm of a number as a hard, one-way function • Not patented and is available for public use
Public Key Cryptosystems • Public Key Algorithms (cont.) • Elliptic Curve (EC) • Usually defined over finite fields, such as real and rational numbers • Novel approach to hard, one-way functions • Can implement an analog to the discrete logarithm problem where multiplication is the counterpart of modular exponentiation
Public Key Cryptosystems • Digital Signatures • Intended to provide at least the same protection and guarantees as obtained when a person physically signs a document • Can also be used to detect unauthorized modifications of a document
Public Key Cryptosystems • Digital Signatures (cont.) • Hash Function • Digital signature protection is accomplished by transforming a message or document into a smaller representation that is uniquely bound to the original • A change made to the original will also change the compressed representation • A digital signature is generated by passing the message or file through a one-way hash function • The hash function generates a fixed size output called a message digest
Public Key Cryptosystems • Digital Signatures (cont.) • Hash Function (cont.) • An ideal hash algorithm should have the following characteristics • Original file cannot be recreated from the message digest • Two files should not have the same message digest
Public Key Cryptosystems • Digital Signatures (cont.) • Developing the Digital Signature • To complete the process, the message digest is encrypted with the sender’s private key • The encrypted message digest is attached to the original file and the package is sent to the receiver • The receiver decrypts the message digest with the sender’s public key • If the public key opens the message digest and it is the true public key of the sender, verification of the sender is accomplished • The sender’s public key is the only key that can decrypt the message digest encrypted with the sender’s private key
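The RSA key-generation steps and the digest-signing procedure from the slides, carried through in an added Python example that is not part of the original deck. Assumptions: SHA-256 stands in for the hash function, the primes are two known Mersenne primes that are far too small for real use, and the digest is reduced modulo n where real signature schemes apply a padding scheme instead.

```python
import hashlib
from math import gcd

# Demo parameters (assumption): Mersenne primes 2^61-1 and 2^89-1, public exponent 65537.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def make_keypair(p, q, e):
    """n = p*q; e relatively prime to (p-1)(q-1); d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return (e, n), (d, n)                    # (public key, private key)

def digest_as_int(message, n):
    """Fixed-size message digest, reduced mod n so it fits this toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """'Encrypt' the message digest with the sender's private key."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)

def verify(message, signature, public_key):
    """'Decrypt' the signature with the public key and compare with a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == digest_as_int(message, n)

if __name__ == "__main__":
    public, private = make_keypair(P, Q, E)
    message = b"Pay Bob 100"                 # constructed message
    signature = sign(message, private)
    print("original verifies:", verify(message, signature, public))
    print("modified verifies:", verify(b"Pay Bob 900", signature, public))
    other_public, _ = make_keypair(61, 53, 17)
    print("wrong key verifies:", verify(message, signature, other_public))
```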
Public Key Cryptosystems • Digital Signatures (cont.) • MD5 • Hash function that generates a fixed length message digest of 128 bits from input files of arbitrary length • Developed in 1991 by Ronald Rivest
Public Key Certificates • Possible attack of public key cryptography is an attacker posting a public key with the name of another person • A counter to this attack would be to implement an analog to a notary public that would certify that a public key is that of the true individual • This is done in the digital world through digital certificates
Public Key Certificates • Digital Certificates • Certification mechanism used to bind individuals to their public keys • A trusted entity is needed to guarantee the public key is the valid public key of the associated person • The entity is a Certificate Authority • Acts as notary by verifying a person’s identity and issuing a certificate that vouches for the public key of the named individual • The CA signs the certificate with their own private key • The certificate is then sent to a repository • The repository holds the certificate and Certificate Revocation Lists • To verify the CA’s signature, its public key must be cross-referenced with another CA.
Public Key Certificates • Digital Certificates (cont.) • The X.509 standard defines the format for public key certificates • Digital Certificates and digital signatures are components of the larger field of electronic commerce that requires a public key infrastructure (PKI)
Public Key Certificates • Public Key Infrastructure (PKI) • The integration of digital signatures, certificates, and the other services required for E-commerce. • PKI provides • Integrity • Access Control • Confidentiality • Authentication • Non-repudiation
Public Key Certificates • Public Key Infrastructure (PKI) (cont.) • PKI comprises the following elements: • Certificate Authority (CA) • Certificate revocation • Digital certificates • Lightweight Directory Access Protocol (LDAP) • Non-repudiation support • Policies and procedures • Registration authorities • Security-enabled applications • Timestamping
Cryptanalysis • The act of deciphering an encrypted message without originally having the key • Used to obtain valuable information and to pass on altered or fake information in order to deceive the original intended recipient
Cryptanalysis • Common Cryptanalysis Attacks • Known plaintext • The adversary has a copy of the plaintext corresponding to the ciphertext • Chosen plaintext • Selected plaintext is encrypted and produces corresponding ciphertext output • Brute Force • Adversary conducts an exhaustive search of the key space until the correct key is found
Cryptanalysis • Common Cryptanalysis Attacks (cont.) • Ciphertext only • Ciphertext alone is available to the attacker • Adaptive chosen plaintext • Similar to chosen plaintext attack but the selection of the plaintext is adjusted depending on previous results • Chosen ciphertext • Attacker attempts to decrypt selected portions of ciphertext while having access to the corresponding plaintext
Cryptanalysis • Common Cryptanalysis Attacks (cont.) • Adaptive chosen ciphertext • Attacker attempts to decrypt selected portions of ciphertext based on the results of previous attempts • Meet-in-the-middle • Adversary attacks double encryption schemes by encrypting known plaintext from one end with each possible key (K) and comparing the results “in the middle” with the decryption of the corresponding ciphertext with each possible key (K)
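Why encrypting twice does not double the work factor, as an added Python example that is not part of the original slides. The 16-bit cipher with an 8-bit key is constructed for this illustration only: exhaustive search over both keys tries 65,536 pairs, while the meet-in-the-middle table needs 256 encryptions plus 256 decryptions and returns the same candidates.

```python
MUL = 0x6487                         # any odd constant is invertible modulo 2**16
INV = pow(MUL, -1, 1 << 16)          # its inverse, used by dec()

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & 0xFFFF

def enc(k, x):
    """Toy 16-bit block cipher with an 8-bit key (constructed, not a real algorithm)."""
    x = (x ^ (k * 257)) & 0xFFFF
    x = (x * MUL) & 0xFFFF
    return rotl(x, 5) ^ k

def dec(k, y):
    x = rotl(y ^ k, 11)              # rotating left by 11 undoes rotating left by 5
    x = (x * INV) & 0xFFFF
    return x ^ (k * 257)

def double_enc(k1, k2, x):
    return enc(k2, enc(k1, x))

def brute_force(pairs):
    """Exhaustive search: every (k1, k2) combination, 256 * 256 trials."""
    return [(k1, k2) for k1 in range(256) for k2 in range(256)
            if all(double_enc(k1, k2, p) == c for p, c in pairs)]

def meet_in_the_middle(pairs):
    """Encrypt forward under every k1, decrypt backward under every k2, match in the middle."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(256):                        # 256 encryptions, stored by result
        middle.setdefault(enc(k1, p0), []).append(k1)
    found = []
    for k2 in range(256):                        # 256 decryptions, looked up in the table
        for k1 in middle.get(dec(k2, c0), []):
            # Confirm each match against the remaining known pairs.
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    key = (0x3A, 0xC5)                           # constructed secret key pair
    known = [(p, double_enc(*key, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    print(key in meet_in_the_middle(known))
```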
Cryptanalysis • Common Cryptanalysis Attacks (cont.) • Linear cryptanalysis • Attacker generates a linear estimation of the key using pairs of known plaintext and corresponding ciphertext • Differential cryptanalysis • Attack is normally applied to block cipher symmetric key cryptographic systems. Adversary looks at ciphertext pairs, which were generated through the encryption of plaintext pairs, with specific differences, and analyzes the effect of these differences
Cryptanalysis • Common Cryptanalysis Attacks (cont.) • Differential linear cryptanalysis • Attacker uses both differential and linear approaches • Factoring • Attacker mathematically determines the prime factors of a product • Algebraic • Applied to block ciphers that exhibit mathematical relationships when encrypted with different keys
Managing Encryption Keys • Key destruction • Keys employed for extended periods of time should be disposed of so they cannot be used to read previously transmitted messages • Key distribution • Problem with symmetric key cryptography • Keys can be distributed by public key cryptosystems, personal delivery, secure channels, other means?
Managing Encryption Keys • Key Recovery • Recovering a key if it is lost, stolen, or misplaced • If an employee leaves an organization, encrypted information on their computer must be accessible to the organization • Key Escrow can be used to assist in key recovery • Key is subdivided into different parts, each of which is encrypted and then sent to a different trusted individual in an organization
Managing Encryption Keys • Key renewal • Keys used for long periods of time are subject to interception and compromise • Keys should be changed at frequent intervals • Key revocation • Once a key has been compromised, it must be declared insecure and invalid • Can be accomplished through CRL lists provided by CAs
Email Security • Addresses a number of issues • Message integrity • Restricting access • Non-repudiation • Source authentication
Email Security • Email Security Mechanisms • MIME Object Security Services (MOSS) • Applied DES, MD2/MD5, and RSA public key for non-repudiation, authentication, confidentiality, and integrity • Pretty Good Privacy (PGP) • Strong email encryption package which uses IDEA symmetric key cipher for email encryption and RSA for symmetric key exchange and digital signatures • Privacy Enhanced Mail (PEM) • Uses RSA public key encryption for digital signatures and secure key distribution and applies Triple DES-EDE to maintain message confidentiality • Secure Multi-purpose Internet Mail Extensions (S/MIME) • Provides secure services to email in MIME format through digital signature authentication and public key message encryption
Disk Encryption • Disks can be protected by encryption to different degrees of security. • Tools available for disk encryption • TrueCrypt • Provides disk or USB flash drive encryption for Linux and Windows using AES, Serpent, or Twofish symmetric key algorithms • PGP Whole Disk Encryption • Useful to protect desktops, laptops, USB flash drives, external drives, and swap files • WinMagic SecureDoc • Applicable to hard disks, USB flash drives, CDs and DVDs on Windows • Employs a variety of access controls including hardware tokens, passwords, smart cards, and biometrics
Hacking Tools • PGPCrack • Brute-force approach to finding a PGP passphrase to attack a PGP encrypted file • Magic Lantern • Developed by the FBI to capture keystrokes • Can be delivered to the victim by email • WEPCrack • Used to break WEP keys • Airsnort • Used to audit wireless networks and break WEP keys • CypherCalc • Cryptographic and cryptanalysis programmable calculator that performs mathematical operations used in many cryptosystems