Cryptography PDF

3.1: Cryptography (page. 148) Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer Confidentiality means that someone intercepting your communications cannot read them ??? 7 3.1: Cryptography Confidentiality is only one cryptographic protection Authentication means proving one’s identity to another so they can trust you more Integrity means that the message cannot be changed or, if it is change, that this change will be detected Known as the CIA of cryptography No, not that CIA 8 3.1: Cryptography Encryption for confidentiality needs a cipher (mathematical method) to encrypt and decrypt The cipher cannot be kept secret The two parties using the cipher also need to know a secret key or keys A key is merely a long stream of bits (1s and 0s) The key or keys must be kept secret Cryptanalysts attempt to crack (find) the key 9 3.1: Symmetric Key Encryption for Confidentiality (page. 149) 10 3.1: Types of Ciphers Substitution Ciphers Substitute one letter (or bit) for another in each place The cipher we saw in Figure 3-2 is a substitution cipher Transposition Ciphers Transposition ciphers do not change individual letters or bits, but they change their order Most real ciphers use both substitution and transposition 12 3.1: Ciphers versus Codes Ciphers can encrypt any message expressed in binary (1s and 0s) This flexibility and the speed of computing makes ciphers dominant for encryption today Codes are more specialized They substitute one thing for another Usually a word for another word or a number for a word Codes are good for humans and may be included in messages sent via encipherment 14 3.1: Key Length and Exhaustive Search Time Key Length in (page. 156) Number of Possible Keys Bits Each extra bit doubles the number 1 of keys 2 2 4 4 16 8 256 16 65,536 40 1,099,511,627,776 56 72,057,594,037,927,900 112 5,192,296,858,534,830,000,000,000,000,000,000 112 5.1923E+33 168 Shaded keys are 3.74144E+50 256 Strong symmetric keys 1.15792E+77 512 (>=100 bits) 1.3408E+154 16 3.1: Key Length and Exhaustive Search Time Public key/private key pairs (discussed later in the chapter) must be much longer than symmetric keys to be considered to be strong because of the disastrous consequences that could occur if a private key is cracked and because private keys cannot be changed frequently. Public keys and private keys must be at least 512 to 1,024 bits long. 17 3.3: Cryptographic System Stages Cryptographic Systems 1. Two parties first agree upon a particular cryptographic system to use 2. Each cryptographic system dialogue begins with three brief handshaking stages 3. The two parties then engage in cryptographically protected communication This ongoing communication stage usually constitutes nearly all of the dialogue 20 3.3: Cryptographic System Stages (page. 165) 21 3.5: Hashing Hashing A hashing algorithm is applied to a bit string of any length The result of the calculation is called the hash For a given hashing algorithm, all hashes are the same short length Hashing Hash: bit string of Bit string of any length Algorithm small fixed length 28 3.5: Hashing Hashing versus Encryption Characteristic Encryption Hashing Result length About the same Short fixed length length as the regardless of plaintext message length Reversible? Yes. Decryption No. There is no way to get from the short hash back to the long original message 29 Selecting methods and parameters Authentication Keying (the secure exchange of secrets) Ongoing communication 34 3.6: Public Key Encryption for Confidentiality There are two types of ciphers used for confidentiality In symmetric key encryption for confidentiality, the two sides use the same key For each dialogue (session), a new symmetric key is generated: the symmetric session key In public key encryption, each party has a public key and a private key that are never changed A person’s public key is available to anyone A person keeps his or her private key secret 35 Selecting methods and parameters Authentication Keying (the secure exchange of secrets) Ongoing communication 39 3.7: Ongoing Communication Consumes nearly all of the dialogues Message-by-Message Encryption ◦ Nearly always uses symmetric key encryption ◦ Already covered ◦ Public key encryption is too inefficient Message-by-Message Authentication ◦ Digital signatures ◦ Message authentication codes (MACs) ◦ Also provide message-by-message integrity 40 3.7: Digital Signature for Message- by-Message Authentication (page. 178) 41 3.7: Digital Signature for Message- by-Message Authentication (page. 178) 43 3.7: Public Key Encryption for Confidentiality and Authentication (page. 180) Encryption Goal Sender Encrypts Receiver with Decrypts with Public Key The receiver’s The receiver’s Encryption for public key private key Confidentiality Public Key The sender’s The True Party’s Encryption for private key public key Authentication (not the sender’s public key) Point of frequent confusion 44 3.7: Finding the True Party’s Public Key Cannot use the sender’s public key It would always “validate” the sender’s digital signature Normally requires a digital certificate File provided by a certificate authority (CA) The certificate authority must be trustworthy Digital certificate provides the subject’s (True Party’s) name and public key Don’t confuse digital signatures and the digital certificates used to test digital signatures! 45 3.7: Verifying the Digital Certificate Testing the Digital Signature The digital certificate has a digital signature of its own Signed with the Certificate Authority’s (CA’s) private key Must be tested with the CA’s well-known public key If the test works, the certificate is authentic and unmodified 46 3.7: Verifying the Digital Certificate Checking the Valid Period Certificate is valid only during the valid period in the digital certificate If the current time is not within the valid period, reject the digital certificate 47 3.7: Verifying the Digital Certificate Checking for Revocation Certificates may be revoked for improper behavior or other reasons Revocation must be tested Cannot be done by looking at fields within the certificate Receiver must check with the CA 48 3.7: Verifying the Digital Certificate Checking for Revocation Verifier may download the entire certificate revocation list from the CA See if the serial number is on the certificate revocation list If so, do not accept the certificate Or the verifier may send a query to the CA Requires the CA to support the Online Certificate Status Protocol 49 3.7: Message-by-Message Authentication Also Brings Message Integrity ◦ If the message has been altered, the authentication method will fail automatically Digital Signature Authentication ◦ Uses public key encryption for authentication ◦ Very strong but expensive Key-Hashed Message Authentication Codes ◦ An alternate authentication method using hashing ◦ Much less expensive than digital signature authentication ◦ Much more widely used 51 3.7: Key-Hashed Message Authentication Code (HMAC) (page. 185) 52 3.8: Quantum Security Quantum Mechanics Describes the behavior of fundamental particles Complex and even weird results 56 3.8: Quantum Security Quantum Key Distribution Transmits a very long key—as long as the message This is a one-time key that will not be used again A one-time key as long as a message cannot be cracked by cryptanalysis If an interceptor reads part of the key in transit, this will be immediately apparent to the sender and receiver 57 3.8: Quantum Security Quantum Key Cracking Tests many keys simultaneously If quantum key cracking becomes capable of working on long keys, today’s strong key lengths will offer no protection 58 3.10: IPsec Operation: Tunnel and Transport Modes (page. 199) 2. 3. No Security in No Setup Cost Site Network On Each Host (Bad) (Good) 66

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue