1 / 15

Cryptography and the Internet

Cryptography and the Internet. Daryl Banttari daryl@windsorcs.com. Introduction. Cryptography

tate
Download Presentation

Cryptography and the Internet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography and the Internet Daryl Banttari daryl@windsorcs.com

  2. Introduction • Cryptography • ‘There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.’--Bruce Schneier, preface, “Applied Cryptography, Second Ed”http://www.counterpane.com/actoc.html

  3. Topics of Discussion • Types of Cryptography • Applications to the Internet • SSL • Digital Signatures • Digital Signatures and SSL • E-Mail Encryption and Authentication (PGP)

  4. Types of Cryptography • Cryptographically Strong “Hash” Functions (MD5) • Symmetric Key (Conventional) Encryption • Public Key Encryption

  5. The MD5 Hash Algorithm • Turns an arbitrary string into a 128-bit “Message Digest” or “Hash” • Always creates the same hash when given the same string • Impossible* to create a string from a hash or to alter a string and produce the same hash • Commonly used to verify that files are unaltered Hash("Hello1"): 7A6D1B13498FB5B3085B2FD887933575 Hash("Hello2"): B83099B8CE596F31F2F60C8FD4D72826 Hash("Hello3"): E1C0F8926581BE86F96BD0007371CCA0 *Impossible: read “Practically Impossible.” It is believed to require 2128 operations to produce a message that would create a given digest. http://www.faqs.org/rfcs/rfc1321.html

  6. Symmetric Encryption • Proven and Secure • Fast • Uses the same key to decrypt as was used to encrypt • Requires “out of band” communication to exchange the key

  7. Public Key Encryption • Pioneered by Whitfield Diffie and Martin Hellman in 1975. • Data encrypted with the Public key can only be decrypted with the Private key, even by the encrypter • Data encrypted with Private key can only be decrypted by the Public key • Commonly used to exchange a conventional “session” key • Public key encryption algorithms include RSA, DSA, Diffie-Hellman, Blowfish

  8. SSL • Secure Server gives its Public key to the client • The client generates a conventional Session key • The client encrypts Session key with server’s Public key • The rest of the communication uses Session key for speed http://developer.netscape.com/docs/manuals/security/sslin/contents.htm

  9. Digital Signatures • MD5 Hash created of document • Hash in encrypted with Private key and appended to document • If the hash you decrypt using the sender’s Public key matches your own hash of the document: • The document must have been unaltered in transit • The document must have come from the sender • The combination of hash and private key is a Digital Signature

  10. SSL Certificate Signing • Encryption does not equal authentication • Some means needed of ensuring consumer that they are sending their credit card number to the people they expect, not some lookalike Web server • Verisign et al diligently ensure the public key belongs to a given organization • Attach organization info and expiration date to public key • Digitally sign public key with attached info • Public key of major certificate signers shipped with browsers

  11. E-Mail Encryption and/or Authentication • PGP is an open, reasonably easy method of applying digital signatures and encryption to e-mail • People and organizations can sign a message that can then can be verified for authenticity by their public key • PGP uses session keys like SSL, so messages can be encrypted to multiple recipients without multiplying size of message- think of a keyed safe with multiple lock-boxes attached • You must have public key of recipient to encrypt an e-mail to them, which makes encryption to mailing lists, newsgroups, etc. unfeasible http://www.pgpi.org/doc/pgpintro/

  12. PGP “Web of Trust” • Anyone can upload keys to “Key Servers”-- even fake keys • If you can verify that a key belongs to its owner, you can sign that key, indicating that you have verified ownership • The Web of Trust is established by people signing other people’s keys; if you trust Person A to diligently verify identity of keys, and Person A signed Person B’s key, then you can trust that Person B’s key is authentic

  13. ColdFusion’s hash() Function • Available with CF4.5 • Generates md5 hashes of strings in hex format (use char(32) to store) • Useful for storing passwords so they can’t be read or recreated • Append an arbitrary string to “salt” the password hash to prevent “hash dictionary” attacks Hash("Hello1"): 7A6D1B13498FB5B3085B2FD887933575 Hash("Hello2"): B83099B8CE596F31F2F60C8FD4D72826 Hash("Hello3"): E1C0F8926581BE86F96BD0007371CCA0

  14. Summary • An understanding of why encryption works is not necessary for an understanding of how it works • Although encryption and digital signature technology seem daunting, the processes are conceptually simple

  15. What do I do with this info? • Hash passwords • Use encryption and authentication methods for secure processes • Evangelize!

More Related