Cryptography: Securing the Information Age Source: www.aep.ie/product/technical.html Source: www.viisage.com
Agenda • Definitions • Why is cryptography important? • Available technologies • Benefits & problems • Future of cryptography • Houston resources Source: www.zonezero.com
Essential Terms • Cryptography • Encryption: plain text → cipher text • Decryption: cipher text → plain text • Cryptanalysis • Cryptology Secret writing Source: http://www.unmuseum.org/enigma.jpg
Information Security for… • Defending against external/internal hackers • Defending against industrial espionage • Securing E-commerce • Securing bank accounts/electronic transfers • Securing intellectual property • Avoiding liability
Threats to Information Security • Pervasiveness of email/networks • Online storage of sensitive information • Insecure technologies (e.g. wireless) • Trend towards paperless society • Weak legal protection of email privacy
Types of Secret Writing • Secret writing: Steganography, Cryptography
Steganography • Steganography – covered writing – is the art of hiding information • Popular contemporary steganographic technologies hide information in images New York Times, August 3rd, 2001 http://www.nytimes.com/images/2001/10/30/science/sci_STEGO_011030_00.jpg
Hiding information in pictures Image in which to hide another image Image to hide within the other image http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/
Retrieving information from pictures Image with other hidden within Recreated image http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/
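The hide-and-retrieve procedure from the two slides above, as an added Java example (not part of the original slides): the top bits of each secret pixel replace the low bits of the matching cover pixel. The 8-bit grayscale arrays, the 4-bit split and the class and method names are assumptions made for illustration.

```java
public class ImageDowngrading {
    // Store the top `bits` bits of each secret pixel in the low `bits` bits of the cover pixel.
    static int[] hide(int[] cover, int[] secret, int bits) {
        if (cover.length != secret.length || bits < 1 || bits > 7)
            throw new IllegalArgumentException("need equal-sized images and 1..7 bits");
        int lowMask = (1 << bits) - 1;
        int[] stego = new int[cover.length];
        for (int i = 0; i < cover.length; i++) {
            int secretTop = (secret[i] & 0xFF) >> (8 - bits);
            stego[i] = (cover[i] & 0xFF & ~lowMask) | secretTop;
        }
        return stego;
    }

    // Rebuild an approximation of the secret image from the low bits alone.
    static int[] reveal(int[] stego, int bits) {
        int lowMask = (1 << bits) - 1;
        int[] out = new int[stego.length];
        for (int i = 0; i < stego.length; i++)
            out[i] = (stego[i] & lowMask) << (8 - bits);
        return out;
    }

    // Largest per-pixel difference between two images of equal size.
    static int maxError(int[] a, int[] b) {
        int max = 0;
        for (int i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
        return max;
    }

    public static void main(String[] args) {
        // Constructed 8-pixel grayscale samples (0..255), not real image data.
        int[] cover  = {200, 201, 199, 50, 52, 128, 129, 255};
        int[] secret = {0, 255, 17, 240, 130, 64, 99, 1};
        int bits = 4;
        int[] stego = hide(cover, secret, bits);
        int[] recovered = reveal(stego, bits);
        // Both images lose detail: the cover by up to 2^bits - 1 levels,
        // the recovered secret by up to 2^(8 - bits) - 1 levels.
        System.out.println("stego:     " + java.util.Arrays.toString(stego));
        System.out.println("recovered: " + java.util.Arrays.toString(recovered));
        System.out.println("max cover error:  " + maxError(cover, stego));
        System.out.println("max secret error: " + maxError(secret, recovered));
    }
}
```

Because the hidden copy lives entirely in the low bits, any step that rewrites those bits, such as requantising or lossy re-encoding, destroys it.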
Digital Watermarks Source: http://www.digimarc.com
Types of Secret Writing • Secret writing: Steganography, Cryptography • Cryptography: Substitution, Transposition • Substitution: Code, Cipher
Public Key Cryptography • Private (symmetric, secret) key – the same key is used for encryption/decryption • Problem of key distribution • Public (asymmetric) key cryptography – a public key is used for encryption and a private key for decryption • Key distribution problem solved
Currently Available Crypto Algorithms (private key) • DES (Data Encryption Standard) and derivatives: double DES and triple DES • IDEA (International Data Encryption Standard) • Blowfish • RC5 (Rivest Cipher #5) • AES (Advanced Encryption Standard)
Currently Available Crypto Algorithms (public key) • RSA (Rivest, Shamir, Adleman) • DH (Diffie-Hellman Key Agreement Algorithm) • ECDH (Elliptic Curve Diffie-Hellman Key Agreement Algorithm) • RPK (Raike Public Key)
Currently Available Technologies PGP (Pretty Good Privacy) – a hybrid encryption technology • Message is encrypted using a private key algorithm (IDEA) • Key is then encrypted using a public key algorithm (RSA) • For file encryption, only the IDEA algorithm is used • PGP is free for home use
Authentication and Digital Signatures • Preventing impostor attacks • Preventing content tampering • Preventing timing modification • Preventing repudiation By: • Encryption itself • Cryptographic checksum and hash functions
Digital Signatures • Made by encrypting a message digest (cryptographic checksum) with the sender’s private key • Receiver decrypts with the sender’s public key (roles of private and public keys are flipped)
PKI and CA • Digital signature does not confirm identity • Public Key Infrastructure provides a trusted third party’s confirmation of a sender’s identity • Certification Authority is a trusted third party that issues identity certificates
Problems with CAs and PKI • Who gave CA the authority to issue certificates? Who made it “trusted”? • What good are the certificates? • What if somebody digitally signed a binding contract in your name by hacking into your system? • How secure are CA’s practices? Can a malicious hacker add a public key to a CA’s directory?
Currently Available Technologies • MD4 and MD5 (Message Digest) • SHA-1 (Secure Hash Algorithm version 1) • DSA (The Digital Signature Algorithm) • ECDSA (Elliptic Curve DSA) • Kerberos • OPS (Open Profiling Standard) • VeriSign Digital IDs
JAVA and XML Cryptography • java.security package includes classes used for authentication and digital signature • javax.crypto package contains Java Cryptography Extension classes • XML makes it possible to encrypt or digitally sign parts of a message, different encryption for different recipients, etc.
XML Crypto Document Listing 1. Information on John Smith showing his bank, limit of $5,000, card number, and expiration date
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Bank of the Internet</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>
(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)
XML Crypto Document Listing 2. Encrypted document where all but name is encrypted
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData><CipherValue>A23B45C56</CipherValue></CipherData>
  </EncryptedData>
</PaymentInfo>
(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)
Benefits of Cryptographic Technologies • Data secrecy • Data integrity • Authentication of message originator • Electronic certification and digital signature • Non-repudiation Source: http://www.princeton.edu/~hos/h398/matrix.jpg
Potential Problems with Cryptographic Technologies? • False sense of security if badly implemented • Government regulation of cryptographic technologies/export restrictions • Encryption prohibited in some countries Source: http://www.tudor-portraits.com/Mary%20Scots%20B.jpg
How Secure are Today’s Technologies? • $250,000 machine cracks 56 bit key DES code in 56 hours • IDEA, RC5, RSA, etc. resist complex attacks when properly implemented • distributed.net cracked 64 bit RC5 key (1,757 days and 331,252 people) in July, 2002 • A computer that breaks DES in 1 second will take 149 trillion years to break AES! • Algorithms are not theoretically unbreakable: successful attacks in the future are possible
How Secure are Today’s Technologies? • Encryption does not guarantee security! • Many ways to beat a crypto system NOT dependent on cryptanalysis, such as: • Viruses, worms, hackers, etc. • TEMPEST attacks • Unauthorized physical access to secret keys • Cryptography is only one element of comprehensive computer security
The Future of Secret Writing Quantum cryptanalysis • A quantum computer can perform a practically unlimited number of simultaneous computations • Factoring large integers is a natural application for a quantum computer (necessary to break RSA) • Quantum cryptanalysis would render ALL modern cryptosystems instantly obsolete Source: http://www.media.mit.edu/quanta/5-qubit-molecule.jpg
When will it happen? • 2004 – 10-qubit special purpose quantum computer available • 2006 – factoring attacks on RSA algorithm • 2010 through 2012 – intelligence agencies will have quantum computers • 2015 – large enterprises will have quantum computers Source: The Gartner Group
What is to be done? The Gartner Group recommends: • Develop migration plans to stronger crypto by 2008 • Begin implementation in 2010
The Future of Secret Writing (continued) Quantum encryption • No need for a quantum computer • A key cannot be intercepted without altering its content • It is theoretically unbreakable • Central problem is transmitting a quantum message over a significant distance Source: http://qubit.nist.gov/Images/OptLat.jpg