Chapter 1 and 2 Classic Cryptography and Information Assurance
Session 1 – Contents • Introduction • Classical Cipher Techniques • Substitution Ciphers • Monoalphabetic Substitution • Polyalphabetic Substitution • Transposition Ciphers • Early Cipher Machines • The Saint Cyr Slide • The Jefferson Cylinder • Vernam Cipher • The Rotor Crypto Machines
Introduction
• Scribes in the Egyptian civilization used unusual hieroglyphics to tell the story of their masters' lives.
• The inscriptions were not secret writing, but incorporated one of the essential elements of cryptography: an intentional transformation of writing so that only certain people could read it.
• The Spartans were probably the first to use cryptography for military purposes.
• Their crypto device was called the scytale (stick).
[Figure text: "We need to proceed with the plan"]
Crypto Analysis Rules • The Arab civilization, with its advanced mathematics, was the first to establish specific rules to cryptanalyze written messages. These rules were the following: • The cryptanalyst must know the language in which the crypto message is written and its linguistic characteristics. • In every language, there are letters that are never found together in one word, letters that rarely come together in a word, and combinations of letters that are not possible. • All letters are not used equally in any language, and the proportions in which the letters occur remain constant.
Classical Cipher Techniques
• Too weak for serious applications; however, many of their basic principles are still used in modern cryptography.
• Substitution Ciphers
• Monoalphabetic Substitution
• The number of possible substitutions is 26! or 4.0329 x 10^26.
• It is a very weak cipher; in any language there are some letters that occur more often than others.

Plain   a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher  d e f g h i j k l m n o p q r s t u v w x y z a b c

Plain   a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher  h o s b r g v k w c y f p j t a z m x i q d l u e n
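The two points on this slide, a 26! key space and a cipher that is still weak, can be checked directly. The following is an added example, not part of the original slides: it uses the two cipher alphabets from the tables above, while the sample sentence and the function names are constructed for illustration.

```python
import math
from collections import Counter

PLAIN = "abcdefghijklmnopqrstuvwxyz"
SHIFT3 = "defghijklmnopqrstuvwxyzabc"   # first cipher alphabet on the slide
MIXED = "hosbrgvkwcyfpjtazmxiqdluen"    # second cipher alphabet on the slide

# Constructed sample plaintext (not from the slides).
SAMPLE = "meet me at the eastern gate at seven and bring the letters"


def encipher(text, cipher_alphabet):
    """Replace each plain letter by the letter below it in the table."""
    return text.lower().translate(str.maketrans(PLAIN, cipher_alphabet))


def decipher(text, cipher_alphabet):
    """Invert the table: look the letter up in the cipher row, read the plain row."""
    return text.lower().translate(str.maketrans(cipher_alphabet, PLAIN))


def keyspace():
    """Number of distinct cipher alphabets: 26!."""
    return math.factorial(26)


def frequency_profile(text):
    """Letter counts sorted high to low, ignoring which letter owns which count."""
    counts = Counter(c for c in text if c in PLAIN)
    return sorted(counts.values(), reverse=True)


def most_common_letter(text):
    """The single most frequent letter in the text."""
    return Counter(c for c in text if c in PLAIN).most_common(1)[0][0]


if __name__ == "__main__":
    ct = encipher(SAMPLE, MIXED)
    print("keys available     :", keyspace())
    print("ciphertext         :", ct)
    # The counts are only relabelled, never flattened: the profile is unchanged.
    print("plaintext profile  :", frequency_profile(SAMPLE))
    print("ciphertext profile :", frequency_profile(ct))
    # The most common plain letter 'e' shows up as its substitute.
    print("most common letters:", most_common_letter(SAMPLE), "->", most_common_letter(ct))
```

The size of the key space does not help because every key leaves the frequency profile intact, which is exactly the property the cryptanalysis rules on the earlier slide rely on.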
Polyalphabetic Substitution
The Vigenere Tableau (columns: plain text; rows: key)

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A   a b c d e f g h i j k l m n o p q r s t u v w x y z
B   b c d e f g h i j k l m n o p q r s t u v w x y z a
C   c d e f g h i j k l m n o p q r s t u v w x y z a b
D   d e f g h i j k l m n o p q r s t u v w x y z a b c
E   e f g h i j k l m n o p q r s t u v w x y z a b c d
F   f g h i j k l m n o p q r s t u v w x y z a b c d e
G   g h i j k l m n o p q r s t u v w x y z a b c d e f
H   h i j k l m n o p q r s t u v w x y z a b c d e f g
I   i j k l m n o p q r s t u v w x y z a b c d e f g h
J   j k l m n o p q r s t u v w x y z a b c d e f g h i
K   k l m n o p q r s t u v w x y z a b c d e f g h i j
L   l m n o p q r s t u v w x y z a b c d e f g h i j k
M   m n o p q r s t u v w x y z a b c d e f g h i j k l
N   n o p q r s t u v w x y z a b c d e f g h i j k l m
O   o p q r s t u v w x y z a b c d e f g h i j k l m n
P   p q r s t u v w x y z a b c d e f g h i j k l m n o
Q   q r s t u v w x y z a b c d e f g h i j k l m n o p
R   r s t u v w x y z a b c d e f g h i j k l m n o p q
S   s t u v w x y z a b c d e f g h i j k l m n o p q r
T   t u v w x y z a b c d e f g h i j k l m n o p q r s
U   u v w x y z a b c d e f g h i j k l m n o p q r s t
V   v w x y z a b c d e f g h i j k l m n o p q r s t u
W   w x y z a b c d e f g h i j k l m n o p q r s t u v
X   x y z a b c d e f g h i j k l m n o p q r s t u v w
Y   y z a b c d e f g h i j k l m n o p q r s t u v w x
Z   z a b c d e f g h i j k l m n o p q r s t u v w x y

• Introduced by Blaise de Vigenere in the 16th century.
• Uses one alphabet for each of the plain letters.
• Has several key methods, such as words, phrases, and a running key in which the message itself is its own key, the so-called autokey.

Enciphering
Key     D N O W I S T H E T I M
Plain   N O W I S T H E T I M E
Cipher  Q B K E A L A L X B U Q

Deciphering
Cipher  Q B K E A L A L X B U Q
Key     D N O W I S T H E T I M
Plain   N O W I S T H E T I M E
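The autokey example on this slide can be reproduced with a short program. This is an added example, not part of the original slides: the function names are assumptions, the priming letter D and the message come from the slide, and the last function shows a consequence the slide does not state, namely that one damaged ciphertext letter corrupts later plaintext because the recovered plaintext is fed back in as key.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Row = key letter, column = plain letter, as in the tableau on the slide.
TABLEAU = {k: ALPHA[i:] + ALPHA[:i] for i, k in enumerate(ALPHA)}


def _letters(text):
    """Keep only A-Z, upper-cased."""
    return [c for c in text.upper() if c in ALPHA]


def autokey_encrypt(plaintext, primer):
    """Key stream = primer followed by the message itself."""
    pt, key = _letters(plaintext), _letters(primer)
    if not key:
        raise ValueError("primer must contain at least one letter")
    key = (key + pt)[:len(pt)]
    return "".join(TABLEAU[k][ALPHA.index(p)] for k, p in zip(key, pt))


def autokey_decrypt(ciphertext, primer):
    """Each recovered plain letter is appended to the key for later letters."""
    key = _letters(primer)
    if not key:
        raise ValueError("primer must contain at least one letter")
    out = []
    for i, c in enumerate(_letters(ciphertext)):
        p = ALPHA[TABLEAU[key[i]].index(c)]  # find c in the key row, read the column
        out.append(p)
        key.append(p)
    return "".join(out)


def garbled_positions(ciphertext, primer, damaged_index):
    """Alter one ciphertext letter and list the plaintext positions that change."""
    good = autokey_decrypt(ciphertext, primer)
    ct = _letters(ciphertext)
    ct[damaged_index] = ALPHA[(ALPHA.index(ct[damaged_index]) + 1) % 26]
    bad = autokey_decrypt("".join(ct), primer)
    return [i for i, (g, b) in enumerate(zip(good, bad)) if g != b]


if __name__ == "__main__":
    ct = autokey_encrypt("NOWISTHETIME", "D")
    print(ct)                                   # slide: QBKEALALXBUQ
    print(autokey_decrypt(ct, "D"))             # NOWISTHETIME
    print(garbled_positions(ct, "D", 3))        # every position from 3 onward
```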
Transposition Ciphers
• Successive letters of the plaintext are arranged according to the key.
• The key is a group of sequential numbers arranged at random.
• The plaintext is separated into groups of letters in which each group has the same number of letters as the number chosen as a key.

Plaintext   n o w i s / t h e t i / m e f o r / a l l x x /
Key         5 1 3 4 2
Ciphertext  s n w i o   i t e t h   r m f o e   x a l x l
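The block transposition above, written out as code. This is an added example, not part of the original slides: the function names are assumptions, and the key 5 1 3 4 2 and the plaintext are taken from the slide. It also goes one step beyond the slide by showing that a key of length 5 has only 5! = 120 possibilities, so a known phrase in the plaintext identifies the key by simple enumeration.

```python
from itertools import permutations


def _check_key(key):
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError("key must be a permutation of 1..n")


def transpose_encrypt(plaintext, key, pad="x"):
    """Output position j of each block takes plaintext position key[j]."""
    _check_key(key)
    n = len(key)
    letters = [c for c in plaintext.lower() if c.isalpha()]
    letters += [pad] * (-len(letters) % n)      # fill the last group, as on the slide
    out = []
    for start in range(0, len(letters), n):
        block = letters[start:start + n]
        out.extend(block[k - 1] for k in key)
    return "".join(out)


def transpose_decrypt(ciphertext, key):
    """Put each ciphertext letter back at the plaintext position the key names."""
    _check_key(key)
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the key length")
    out = []
    for start in range(0, len(ciphertext), n):
        block = ciphertext[start:start + n]
        plain = [""] * n
        for pos, k in enumerate(key):
            plain[k - 1] = block[pos]
        out.extend(plain)
    return "".join(out)


def keys_matching_crib(ciphertext, n, crib):
    """Try all n! keys and keep those whose decryption contains the known phrase."""
    return [key for key in permutations(range(1, n + 1))
            if crib in transpose_decrypt(ciphertext, key)]


if __name__ == "__main__":
    key = [5, 1, 3, 4, 2]
    ct = transpose_encrypt("now is the time for all", key)
    print(ct)                                        # snwioitethrmfoexalxl
    print(transpose_decrypt(ct, key))                # nowisthetimeforallxx
    # Letters are moved, never changed, so the letter counts are untouched.
    print(sorted(ct) == sorted("nowisthetimeforallxx"))
    print(keys_matching_crib(ct, 5, "nowisthetime"))  # [(5, 1, 3, 4, 2)]
```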
Early Cipher Machines
• The Saint Cyr Slide
• 18th Century Wheel Cipher
[Figure: Saint Cyr slide, a fixed alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ above a sliding strip positioned at DEFGHIJKLMNOPQRSTUVWXYZABC]
Picture from: http://www.nsa.gov/museum/wheel.html
Early Cipher Machines
• The Vernam Cipher was designed in 1917 by Gilbert Vernam.
• It is a bit-by-bit combination of random characters (keystream) with characters of plaintext using modulo-2 addition (the XOR function).

1 + 0 = 1
1 + 1 = 0
0 + 1 = 1
0 + 0 = 0

[Figure: Encipher: the plaintext and the key stream enter a modulo 2 adder (encryption algorithm) to give the ciphertext. Decipher: the ciphertext and the key stream enter a modulo 2 adder (decryption algorithm) to give the plaintext.]

Enciphering
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
            ─────────────────────────────────
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1

Deciphering
Ciphertext  0 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0 1
Keystream   1 0 1 1 0 0 1 1 1 0 0 1 0 0 0 1 1
            ─────────────────────────────────
Plaintext   1 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 0
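The modulo-2 addition on this slide, checked against the slide's own bit strings. This is an added example, not part of the original slides: the function names and the two byte messages are constructed. It also shows a property the slide does not spell out: if the same keystream is used for two messages, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, which is why a Vernam keystream must be used only once.

```python
import secrets

# Bit strings copied from the slide's worked example.
PLAINTEXT = "10011000101000110"
KEYSTREAM = "10110011100100011"
CIPHERTEXT = "00101011001100101"


def xor_bits(a, b):
    """Modulo-2 addition of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("bit strings must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def vernam(data: bytes, keystream: bytes) -> bytes:
    """Same operation on bytes; enciphering and deciphering are identical."""
    if len(keystream) < len(data):
        raise ValueError("keystream is shorter than the message")
    return bytes(d ^ k for d, k in zip(data, keystream))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts made with one keystream: the keystream drops out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo_reuse():
    """Return (leak equals m1 XOR m2, knowing m1 reveals m2)."""
    m1 = b"PAY ALICE 0100"   # constructed sample messages, same length
    m2 = b"PAY CAROL 9999"
    keystream = secrets.token_bytes(len(m1))   # random, but wrongly used twice
    c1, c2 = vernam(m1, keystream), vernam(m2, keystream)
    leak = reuse_leak(c1, c2)
    return leak == vernam(m1, m2), vernam(leak, m1) == m2


if __name__ == "__main__":
    print(xor_bits(PLAINTEXT, KEYSTREAM) == CIPHERTEXT)   # enciphering row
    print(xor_bits(CIPHERTEXT, KEYSTREAM) == PLAINTEXT)   # deciphering row
    print(demo_reuse())
```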
The Rotor Crypto Machines
• Rotor Crypto Machines implement polyalphabetic substitution ciphers with long periods.
• These machines consist of several “t” rotary discs, each one with 26 electrical contacts called studs.
• Each stud is connected at random by wire to another stud on the other side of the disc.
• After each letter is enciphered, one or more of the rotors are rotated one step.
• A machine with “t” rotors does not return to its starting position until after 26^t successive steps.
• A five-rotor machine has a period of 26^5 = 11,881,376 different alphabets before it repeats itself.
[Figure: rotor wiring between the contact rows ABCDEFGHI, plaintext to ciphertext for encryption and ciphertext to plaintext for decryption]
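A small simulation of the machine described on this slide. This is an added example, not part of the original slides and not a model of any real machine: the class name, the odometer-style stepping rule and the seeded wirings are assumptions chosen so that the period can be counted directly.

```python
import random
import string

ALPHA = string.ascii_uppercase


class RotorMachine:
    """t discs, each a random permutation of 26 contacts (illustrative only)."""

    def __init__(self, t, seed):
        rng = random.Random(seed)   # reproducible wiring for the demo, not secure
        self.wiring = [rng.sample(range(26), 26) for _ in range(t)]
        self.inverse = [[w.index(i) for i in range(26)] for w in self.wiring]
        self.pos = [0] * t

    def step(self):
        """Advance like an odometer: the next disc moves when this one wraps."""
        for i in range(len(self.pos)):
            self.pos[i] = (self.pos[i] + 1) % 26
            if self.pos[i]:
                break

    def _pass(self, x, tables, order):
        """Send contact x through the discs in the given order at current offsets."""
        for i in order:
            p = self.pos[i]
            x = (tables[i][(x + p) % 26] - p) % 26
        return x

    def encipher(self, text):
        out = []
        for c in text:
            x = self._pass(ALPHA.index(c), self.wiring, range(len(self.pos)))
            out.append(ALPHA[x])
            self.step()
        return "".join(out)

    def decipher(self, text):
        out = []
        backwards = range(len(self.pos) - 1, -1, -1)
        for c in text:
            x = self._pass(ALPHA.index(c), self.inverse, backwards)
            out.append(ALPHA[x])
            self.step()
        return "".join(out)

    def period(self):
        """Count steps until the discs are back at the current position."""
        start, steps = list(self.pos), 0
        while True:
            self.step()
            steps += 1
            if self.pos == start:
                return steps


if __name__ == "__main__":
    print(RotorMachine(2, seed=1).period())      # 26^2 = 676
    print(RotorMachine(3, seed=1).period())      # 26^3 = 17576
    ct = RotorMachine(3, seed=7).encipher("AAAAAAAAAAAAAAAAAAAAAAAAAA")
    print(ct)                                    # one plain letter, many cipher letters
    print(RotorMachine(3, seed=7).decipher(ct))
```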
The Enigma
Picture from http://www.nsa.gov/museum/enigma.html

The M 209
• Used by the U.S. Army until the early 1950s.
• Polyalphabetic ciphertext with a period of 26 x 25 x 23 x 21 x 19 x 17 = 101,405,850, nearly ten times greater than a five-rotor machine.
Picture from http://www.maritime.org/csp1500.htm
Session 1a – Contents • Introduction • OSI and TCP/IP Stack • Crypto Terminology • Security Services and Security Mechanisms
NSA Terminology COMSEC / (1960s) Communications security which provided protection against disclosure to unauthorized parties when information was transmitted or broadcasted from point-to-point. COMPUSEC / (Late 1970s) Computer security which provided protection against unauthorized disclosure of information, injection of malicious code, or the theft of data on magnetic media. INFOSEC / (Early 1980s) Information security which was the result of the convergence of COMSEC and COMPUSEC. IA / (Late 1990s) Information Assurance which deals with providing protection against unauthorized disclosure of information (confidentiality), modification of information (integrity), denial of service (availability), authenticity, and non-repudiation. Definitions taken from Daniel G. Wolf, NSA Director of Information Assurance statement before the House Select Committee of Homeland Security on July 22, 2003, pages 4 and 5.
OSI and TCP/IP Stacks

OSI Stack                      TCP/IP Stack
Layer 7  Application Layer     Application Layer: SMTP, Telnet, FTP, Gopher
Layer 6  Presentation Layer
Layer 5  Session Layer
Layer 4  Transport Layer       Transport Layer: TCP, UDP
Layer 3  Network Layer         Network Layer: IP, ARP, RARP
Layer 2  Data Link Layer       Data Layer: Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...
Layer 1  Physical Layer
TCP/IP
• TCP/IP: Transmission Control Protocol/Internet Protocol.
• TCP/IP is the protocol suite used by the Internet.
• TCP/IP is based on connectionless networking. This eliminates the need for the network to support signaling and maintain connections (and thus state information). All aspects of a reliable connection are moved to Layer 4 and supported in the endpoints.
• TCP/IP has two parts, TCP and IP.
• TCP performs the functions of the transport layer in the OSI model (e.g., breaking the data into smaller packets, numbering them, ensuring each packet is reliably delivered and putting them in the proper order).
• IP performs the role of the network layer in the OSI model (e.g., routing and addressing).
• Some of the protocols used in the TCP/IP suite are:
• Data Layer: Frame Relay, ATM, IEEE 802.3, PPP, PPP EAP (among others)
• Network Layer: IP
• Transport Layer: User Datagram Protocol (UDP), Transmission Control Protocol (TCP)
• Application Layer: HTTP, FTP, SMTP, SNMP
TCP/IP Protocol Stack
• Application Layer: Provides services for a user to send and receive data over the network, such as web browsers (HTTP), FTP, SMTP, SNMP, and emails.
• Transport Layer: Provides connection, error and flow control (TCP or UDP), and security.
• Network Layer: Responsible for addressing (IP) and routing the packets.
• Data Link Layer: Defines the electrical, mechanical, and physical interfaces to the network. It frames the packets for transmission over the physical media, such as Ethernet, Token Ring, Frame Relay, Asynchronous Transfer Mode (ATM).
[Figure: encapsulation between two hosts through a router. Data at the Application Layer; TH at the Transport Layer; NH and payload at the Network Layer; DH and payload at the Data Layer.]
TCP/IP Stack and Security Related Protocols

TCP/IP layer                                                                Security related protocols
Application Layer: SMTP, Telnet, FTP, Gopher                                S/MIME, S-HTTP, PGP, SET, IPSec (ISAKMP)
Transport Layer: TCP, UDP                                                   SOCKS V5, SSL, TLS
Network Layer: IP, ARP, RARP                                                IPSec (AH, ESP), Packet filtering, Tunneling Protocols
Data Layer: Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...  PPP-EAP, IEEE 802.1X, CHAP, PAP, MS-CHAP

The Data Layer is also called Network Interface Layer, Link Layer, or Data-Link Layer.
What is Cryptography? • cryptography / The art or science that treats of the principles, means, and methods to render information unintelligible to all but the intended receiver. The sender enciphers a message into an unintelligible form, and the receiver deciphers it into intelligible form. The word "cryptology" is derived from the Greek “kryptos” (hidden) and “logos” (word).
What is Cryptology? • cryptology / The scientific study of cryptography and cryptanalysis. • cryptanalysis / The process of deducing the plaintext from the ciphertext (breaking a code) without being in possession of the key or the system (codebreaking).
Crypto Terminology
[Figure: Encipher and Decipher sides kept in synchronization. On each side, cryptographic variables (CV; secret keys, private keys on one side and secret keys, public keys on the other) drive a key generator that produces a key stream for the encryption algorithm. Message plaintext "As the market requirements for secure products has exponentially increased, our strategy will be to …." becomes unintelligible ciphertext and is recovered as plaintext.]
Security is based on the crypto variable, not on the encryption algorithm.
Crypto Terminology
[Figure: Encipher and Decipher sides kept in synchronization. On each side, cryptographic variables (CV; secret keys, private keys on one side and secret keys, public keys on the other) feed an encryption algorithm (block cipher). Message plaintext "As the market requirements for secure products has exponentially increased, our strategy will be to …." becomes unintelligible ciphertext and is recovered as plaintext.]
[Figure: Security Services (Access, Authentication, Confidentiality, Non-Repudiation, Integrity) and Security Mechanisms (Digital Signatures, Security Tokens, Encryption, Hash Functions)]
Typical Protections - Need Many Tools Used in Concert • Physical Security • Physical access (guards, fences, alarms, locks, etc.) • Environment risk security (power filtering and UPS devices, surge protectors) • Fire and flooding protection • Information Assurance • Confidentiality (symmetric and asymmetric encryption) • Integrity (hash functions) • Authentication (digital certificates, tokens, digital signatures, passwords, biometrics, etc.) • Non-Repudiation (public key encryption, digital signatures) • System Security • Access controls authentication (firewalls, passwords, biometrics, etc.) • Virus protection tools • Operating system protection (Windows, Unix, Linux) • Network Security • Management tools (sniffers, scanners, profilers, honeypots, shunts, program registers, etc.) • Database security • Disaster Recovery Planning • Contingency plans • Security policies • EMI/RFI Shielding • Training and Education
Security Services • Confidentiality • Protection against unauthorized individuals reading information that is supposed to be kept private. • Data Integrity • Assurance that a message was not accidentally or deliberately modified in transit by replacement, insertion, or deletion. • Authentication • Assurance that the message is coming from the source from which it claims to come. • Non-Repudiation of Origin • Protection against an individual denying sending or receiving a message. • Access Control • The prevention of the unauthorized use of a resource by identifying or verifying the eligibility of a station, originator or individual to access specific categories of information. A security policy is implemented using security mechanisms to provide security services.
IA Security Policy
When electronic information is collected, used, processed, transmitted, or stored, security mechanisms provide confidentiality, integrity, availability, authenticity, and non-repudiation.
Security mechanisms must be: comprehensive, coordinated, scaleable, and technology agnostic.
Confidentiality and its Security Mechanisms
Confidentiality: Protection of data from unauthorized disclosure.
[Diagram labels: Encryption Algorithms; Symmetric; Asymmetric; Stream Ciphers; Block Cipher; Public-Key; Pohlig Hellman, DES, AES, RSA, Synchronous OFB, 3DES, Blowfish, ElGamal, Self-Synchronous CFB, MARS, RC5, Schnorr, ECC, RC4, CAST, IDEA]
Integrity and its Security Mechanisms
Integrity: Assurance that a message was not accidentally or deliberately modified in transit by replacement, insertion, or deletion.
[Diagram labels: Hash Functions; Encryption; Digital Signature; SHA, MD5, MAC, HMAC, DES CBC, HMAC-SHA-1-96, SHA-1, SHA-384, AES-XCBC-MAC-96, HMAC-MD5-96, SHA-256, SHA-512]
Authentication and its Security Mechanisms
Authentication: Assurance that the message is coming from the source from which it claims to be.
Digital Signatures provide authentication, non-repudiation, and integrity.
A Digital Signature is created by taking the message’s hash and encrypting it with the sender’s private key.
[Diagram labels: Digital Signatures; Hash Functions; MD5, SHA, SHA, ElGamal, RSA, DSA, RSA, DSA, ECDSA]
Access Authentication
The prevention of the unauthorized use of a resource.
[Diagram labels: Access Authentication; Protocol; EAP Method; Mechanism; IEEE 802.1X, CHAP, OTP, EAP-TLS, EAP-SIM, MS-CHAP v2, EAP-AKA, GTC, EAP-TTLS, EAP-PSK, Digital Certificates, EAP-PEAP]
PEAP: Protected EAP
CHAP: Challenge-Handshake Authentication Protocol
OTP: One-Time Password
GTC: Generic Token Card
IEEE 802.1X: Port-based Access Control Protocol
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
TTLS: Tunneled Transport Layer Security
Non-Repudiation and its Security Mechanisms
Non-Repudiation: Protection against an individual denying sending a message.
Sender enciphers the message with his private key and recipient deciphers the message with sender’s public key.
[Diagram labels: Public-Key Encryption; Digital Signature; Schnorr, ElGamal, RSA, ECC]
Example: Ecommerce – SSL Application Intranet or DMZ • Firewall • SSL Accelerator Web Servers Internet Buyer Seller • SSL Accelerator • SSL traffic is encrypted • Offloads expensive public key operation from backend servers • Normally, 250,000 transactions/sec • Authenticates seller. • Enciphers information. • Clientless • Access from any computer
Example: Remote Access Application – VPNs VoIP Authentication Server VPN Gateway Internet Home office Intranet Firewall • Firewall • VPN Gateway • Authenticates remote access user. • Creates tunnel for VPN connection • Enciphers communications using IPSec. Remote End
Example: Remote Wireless Access Application – VPNs VoIP Authentication Server VPN Gateway Internet Home office Intranet Firewall • Firewall • VPN Gateway Wireless Security Switch Remote End Wireless Point Security • Authenticate wireless remote access user. • Create tunnel for VPN connection • Encipher communications using IPSec. • Access to all applications through client desktop software. WifiVoIP
Remote Wireless/Wireline Access Application – SSL VPNs VoIP Authentication Server Home office Internet Intranet Router • Firewall • SSL VPN Router Remote End Wireless Point Security • Authenticate wireless/wireline remote access user. • Secure communications using SSL IPSec. • Access to selected applications through a web portal. • Erase any connection information in the access point after log-out.
Authentication Authentication ServerRadius, Kerberos, PKI, OTP, Token EAP over Internet EAP Method Password Authentication Database Authenticator Token Authentication Database X.509 Directory Kerberos Ticket Granting Server Supplicants
Placeholder Names Used in Cryptography
Alice: Participant in all protocols.
Bob: Participant in two-, three-, and four-party protocols.
Carol: Participant in three- and four-party protocols.
Dave: Participant in four-party protocols.
Eve: Passive eavesdropper. While Eve can listen in on messages between Alice and Bob, she cannot modify them.
Mallet: Malicious active attacker. Mallet, also called Mallory, can modify messages, substitute his own messages, replay old messages, and so on. The problem of securing a system against Mallory is much greater than against Eve.
Peggy: Prover.
Victor: Verifier. Victor, a verifier, and Peggy, a prover, must interact in some way to show that the intended transaction between Alice and Bob has actually taken place.
Trent: Trusted Arbitrator.
Trudy: Intruder. Trudy can modify messages in transit; therefore, she is more dangerous than Eve. Bob and Alice ideally should use some integrity protocols to be able to detect any such modification and either ignore the changed message, or retrieve the correct message despite the intrusion.
Walter: Warden. He guards Alice and Bob in some protocols.
IETF, RFCs, FIPS
• The Internet Engineering Task Force (IETF) is a group of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. http://www.ietf.org/
• The Requests for Comments (RFCs) consist of the IETF working documents of approved standards and protocols for the Internet. This web site is the RFC repository and it lists all the RFCs. http://www.ietf.org/rfc.html
• The Computer Security Resource Center of the National Institute of Standards and Technology develops standards and metrics to test and validate computer security. http://csrc.nist.gov/
• Federal Information Processing Standards Publications (FIPS PUBS) home web page. http://www.itl.nist.gov/fipspubs/
• Federal Information Processing Standards Publications (FIPS PUBS) web page associated with Computer Security. http://csrc.nist.gov/publications/fips/
• Internet Security Glossary, RFC 4949. http://www.ietf.org/rfc/rfc4949.txt?number=4949
References

Classic Cryptography
• Bamford, J. (1982). The Puzzle Palace, A Report on NSA America's Most Secret Agency (p. 35). Boston: Houghton, Mifflin Co.
• Lexicon Universal Encyclopedia, Volume 5. (1987) (p. 371). New York: Lexicon Publications Inc.
• Kahn, D. (1967). The Codebreakers (pp. 394-398, 411-426). New York: Macmillan Publishing Co., Inc.
• Way, P. (1977). The Encyclopedia of Espionage, Codes and Ciphers (pp. 62-92). London: The Danbury Press, Published by Aldus Book.

Information Assurance
• Abbruscato, C.R. Data Encryption Equipment, IEEE Communications Magazine, Volume 22, No. 9 (September 1984).
• International Standards Organization (ISO), ISO 7498-2-1988 (E) Security Architecture.
• Muftic, S. (1989). Security Mechanisms for Computer Networks. New York: John Wiley & Sons.
• National Bureau of Standards, Federal Information Processing Standards (FIPS), Publication 113, Computer Data Authentication.
• Tanenbaum, A. (1981). Computer Networks. Englewood Cliffs, New Jersey: Prentice-Hall, Inc.
• Tanenbaum, A. (1981). Networks Protocols. Computing Surveys, Vol. 13, No. 4.
• Wolf, D. (2003). Cybersecurity Getting it Right. Statement by the Director of Information Assurance National Security Agency Before The House Select Committee on Homeland Security Subcommittee on Cybersecurity, Science and Research & Development hearing on July 22, 2003 to the House of Representatives Select Committee on Homeland Security.