5 Cryptography Whitman_Ch08.pdf

Full Transcript

CRYPTOGRAPHY Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives Upon completion of this material, you should be able to: – Chronicle the most significant events and discoveries in the history of cryptology – Explain the basic principles of cryptography – Describe the operating principles of the most popular cryptographic tools – List and explain the major protocols used for secure communications Introduction Cryptology: the field of science that encompasses cryptography and cryptanalysis. Cryptanalysis: the process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption. Cryptography: the process of making and using codes to secure information. Foundations of Cryptology Cryptology has an extensive and multicultural history. All popular Web browsers use built-in encryption features for secure e-commerce applications. Restrictions on the export of cryptosystems began after World War II. Terminology (1 of 2) Algorithm Bit stream cipher Block cipher Cipher or cryptosystem Ciphertext/Cryptogram Code Decipher Decrypt Terminology (2 of 2) Encipher Encrypt Key/Cryptovariable Keyspace Link encryption Plaintext/Cleartext Steganography Work factor Cipher Methods Plaintext can be encrypted through: – Bit stream: each plaintext bit is transformed into a cipher bit one bit at a time. – Block cipher: message is divided into blocks (e.g., sets of 8- or 16-bit blocks), and each is transformed into encrypted block of cipher bits using algorithm and key. Substitution Cipher Substitutes or exchanges one value for another Monoalphabetic substitution: only incorporates a single alphabet in the encryption process Polyalphabetic substitution: incorporates two or more alphabets in the encryption process Vigenère cipher: advanced type of substitution cipher that uses a simple polyalphabetic code; made up of 26 distinct cipher alphabets Table 8-2 The Vigenere square Transposition Cipher Also known as a permutation cipher; involves simply rearranging the values within a block based on an established pattern. Can be done at the bit level or at the byte (character) level. To make the encryption even stronger, the keys and block sizes can be increased to 128 bits or more. Exclusive OR (XOR) A function within Boolean algebra used as an encryption function in which two bits are compared. – If the two bits are identical, the result is a binary 0. – If the two bits are not identical, the result is a binary 1. Very simple to implement and simple to break; should not be used by itself when organization is transmitting/storing sensitive data. Table 8-3 XOR Table First bit Second bit result 0 0 0 0 1 1 1 0 1 1 1 0 Table 8-3 Example XOR Encryption Text value Binary value CAT as bits 010000110100000101010100 VVV as key 010101100101011001010110 Cipher 000101010001011100000010 Vernam Cipher A cryptographic technique developed at AT&T and known as the “one-time pad.” This cipher uses a set of characters for encryption operations only one time and then discards it. To perform: – The pad values are added to numeric values that represent the plaintext that needs to be encrypted – Each character of the plaintext is turned into a number and a pad value for that position is added – The resulting sum for that character is then converted back to a ciphertext letter for transmission – If the sum of the two values exceeds 26, then 26 is subtracted from the total Book-Based Ciphers Uses text from a predetermined book as a key to decrypt a message. Book cipher: ciphertext consists of a list of codes representing page, line, and word numbers of plaintext word. Running key cipher: uses a book for passing the key to cipher similar to Vigenère cipher; sender provides encrypted message with sequence of numbers from predetermined book to be used as an indicator block. Template cipher: involves use of hidden message in book, letter, or other message; requires page with specific number of holes cut into it. Hash Functions Mathematical algorithms that create a message summary or digest to confirm message identity and integrity Convert variable-length messages into a single fixed-length value Message authentication code (MAC) may be attached to a message Used in password verification systems to store passwords and confirm the identity of the user Figure 8-4 Various hash values Source: SlavaSoft HashCalc. Cryptographic Algorithms Often grouped into two broad categories, symmetric and asymmetric. Today’s popular cryptosystems use a combination of both symmetric and asymmetric algorithms. Symmetric and asymmetric algorithms are distinguished by the types of keys used for encryption and decryption operations. Symmetric Encryption (1 of 2) A cryptographic method in which the same algorithm and “secret” are used both to encipher and decipher the message; also known as private-key encryption. Can be programmed into fast computing algorithms and executed quickly. Both sender and receiver must possess the same secret key. If either copy of the key is compromised, an intermediate can decrypt and read messages without sender/receiver knowledge. Symmetric Encryption Encryption (2 of 2) Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems. – 64-bit block size; 56-bit key Triple DES (3DES): created to provide security far beyond DES. – Advanced Encryption Standard (AES): developed to replace both DES and 3DES Adopted by NIST in November 2001 as the federal standard for encrypting non-classified information Figure 8-5 Example of symmetric encryption Rachel at ABC corp. generates a secret key. She must somehow get it to Alex at XYZ corp. out of band. Once Alex has it, Rachel can use it to encrypt messages, and Alex can use it to decrypt and read them. Asymmetric Encryption A cryptographic method that incorporates mathematical operations involving two different keys (commonly known as the public key and the private key) to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it. Also known as public-key encryption. Uses two different but mathematically related keys – Either key can encrypt or decrypt a message – If Key A encrypts a message, only Key B can decrypt – Greatest value when one key serves as a private key and the other serves as a public key RSA algorithm was the first public-key encryption algorithm developed/published for commercial use. Figure 8-6 Example of asymmetric encryption Alex at XYZ corp. wants to send a message to Rachel at ABC corp. Rachel stores her public key where it can be accessed by anyone. Alex retrieves Rachel’s key and uses it to create ciphertext that can be decrypted only by Rachel’s private key, which only she has. To respond, Rachel gets Alex’s public key to encrypt her message. Encryption Key Size When deploying ciphers, the size of the cryptovariable or key is very important. The strength of many encryption applications and cryptosystems is measured by key size. For cryptosystems, the security of encrypted data is not dependent on keeping the encrypting algorithm secret. Cryptosystem security depends on keeping some or all of elements of cryptovariable(s) or key(s) secret. Table 8-5 Encryption key power (1 of 2) It is estimated that to crack an encryption key using a brute force attack, a computer needs to perform a maximum of 2^k operations (2k guesses), where k is the number of bits in the key. In reality, the average estimated time to crack is half that time. The estimated average time to crack is based on a 2015-era PC with an Intel i7-6700k Quad core CPU performing 207.23 Dhrystone GIPS (billion instructions per second) at 4.0 GHz** Key Length (Bits) Maximum Number of Operations (Guesses) Maximum Time to Crack Estimated Average Time to Crack 16 65,536 0.0000003 seconds 0.00000016 seconds 24 16,777,216 0.00008 seconds 0.00004 seconds 32 4,294,967,296 0.02 seconds 0.01 seconds 56 7.E+16 4.02 days 2.01 days 64 2.E+19 42.93 years 21.47 years 128 3.E+38 19,005,227,625,557,100, 000,000 years 9,502,613,812,778,540, 000,000 years Table 8-5 Encryption key power (2 of 2) Key Length (Bits) 256 512 Maximum Number of Operations (Guesses) Maximum Time to Crack Estimated Average Time to Crack 1.E+77 6,467,143,840,295,770, 000,000,000,000,000, 000,000,000,000,000, 000,000,000,000,000 years 3,233, 571,920,147,890,000, 000,000,000,000,000, 000,000,000,000,000, 000,000,000,000 years 1.E+154 748,844,096, 666,088,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000 years 374,422,048, 333,044,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000 years Cryptographic Tools Potential areas of use include: – Ability to conceal the contents of sensitive messages – Verify the contents of messages and the identities of their senders Tools must embody cryptographic capabilities so that they can be applied to the everyday world of computing. Public-Key Infrastructure (PKI) (1 of 2) Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely PKI systems based on public-key cryptosystems PKI protects information assets in several ways: – – – – – Authentication Integrity Privacy Authorization Nonrepudiation Public-Key Infrastructure (PKI) (2 of 2) Typical PKI solution protects the transmission and reception of secure information by integrating: – – – – – A certificate authority (CA) A registration authority (RA) Certificate directories Management protocols Policies and procedures Digital Signatures Created in response to rising the need to verify information transferred via electronic systems. Asymmetric encryption processes used to create digital signatures. Nonrepudiation: the process that verifies the message was sent by the sender and thus cannot be refuted. Digital Signature Standard (DSS) is the NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme. Digital Certificates Electronic document/container file containing key value and identifying information about entity that controls key. Digital signature attached to certificate’s container file certifies file’s origin and integrity. Different client-server applications use different types of digital certificates to accomplish their assigned functions. Distinguished name (DN): uniquely identifies a certificate entity. Figure 8-7 Digital signature in Windows Internet Explorer Source: Windows Internet Explorer. Figure 8-8 Example digital certificate Source: Amazon.com. Table 8-6 X.509 v3 Certificate Structure (1of 2) X.509 v3 Certificate Structure Version Certificate Serial Number Algorithm ID Algorithm ID Parameters Issuer Name Validity Not Before Not After Subject Name Subject Public-Key Information Public-Key Algorithm Parameters Subject Public Key Issuer Unique Identifier (Optional) Table 8-6 X.509 v3 Certificate Structure (2 of 2) Subject Unique Identifier (Optional) Extensions (Optional) Type Criticality Value Certificate Signature Algorithm Certificate Signature Source: Stallings, W. Cryptography and Network Security, Principles and Practice. Hybrid Cryptography Systems Except with digital certificates, pure asymmetric key encryption is not widely used. Asymmetric encryption is more often used with symmetric key encryption, as part of a hybrid system. Diffie-Hellman Key Exchange method: – Most common hybrid system – Provides foundation for subsequent developments in public-key encryption Figure 8-9 Example of hybrid encryption Rachel at ABC corp. stores her public key where it can be accessed. Alex at XYZ corp. retrieves it and uses it to encrypt his session (symmetric) key. He sends it to Rachel, who decrypts Alex’s session key with her private key, and then uses Alex’s session key for short-term private communications. Steganography The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists Also known as the art of secret writing Has been used for centuries Most popular modern version hides information within files that contain digital pictures or other images Some applications hide messages in.bmp,.wav,.mp3, and.au files, as well as in unused space on CDs and DVDs Protocols for Secure Communications Most of the software currently used to protect the confidentiality of information are not true cryptosystems. They are applications to which cryptographic protocols have been added. Particularly true of Internet protocols. As the number of threats to the Internet grew, so did the need for additional security measures. Securing Internet Communication with S-HTTP and SSL Secure Sockets Layer (SSL) protocol: developed by Netscape; uses public-key encryption to secure channel over public Internet. Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet. S-HTTP is the application of SSL over HTTP – Allows encryption of information passing between computers through protected and secure virtual connection Securing E-mail with S/MIME, PEM, and PGP Secure Multipurpose Internet Mail Extensions (S/MIME): builds on Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems. Privacy Enhanced Mail (PEM): proposed as standard to use 3DES symmetric key encryption and RSA for key exchanges and digital signatures. Pretty Good Privacy (PGP): uses IDEA Cipher for message encoding. Securing Web Transactions with SET, SSL, and S-HTTP Secure Electronic Transactions (SET): developed by MasterCard and VISA in 1997 to protect against electronic payment fraud. Uses DES to encrypt credit card information transfers. Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores. Securing Wireless Networks with WEP Wired Equivalent Privacyand (WEP):WPA early attempt to provide security with the 8002.11 network protocol. Wi-Fi Protected Access (WPA and WPA2): created to resolve issues with WEP. Next Generation Wireless Protocols: Robust Secure Networks (RSN), AES–Counter Mode CBC MAC Protocol (CCMP). Bluetooth can be exploited by anyone within approximately 30 foot range, unless suitable security controls are implemented. Table 8-9 WEP Versus WPA Source: www.wi-fi.org/files/wp_8_WPA%20Security_4-29-03.pdf. WEP Encryption Authentication WPA Broken by scientists and hackers Overcomes all WEP shortcomings 40-bit key 128-bit key Static key- the same value is used by everyone on the network Dynamic keys-each user is assigned a key per session with additional keys calculated for each pocket Manual key distribution-each key is typed by hand into each device Automatic key distribution Broken; used WEP key itself for Improved user authentication, using Authentication stronger 802. 1X and EAP Securing TCP/IP with IPSec and PGP (1 of 2) Internet Protocol Security (IPSec): an open-source protocol framework for security development within the TCP/IP family of protocol standards. IPSec uses several different cryptosystems – Diffie-Hellman key exchange for deriving key material between peers on a public network – Public-key cryptography for signing the Diffie-Hellman exchanges to guarantee identity – Bulk encryption algorithms for encrypting the data – Digital certificates signed by a certificate authority to act as digital ID cards Securing TCP/IP with IPSec and PGP (2 of 2) Pretty Good Privacy (PGP): hybrid cryptosystem designed in 1991 by Phil Zimmermann – Combined best available cryptographic algorithms to become open source de facto standard for encryption and authentication of e-mail and file storage applications – Freeware and low-cost commercial PGP versions are available for many platforms – PGP security solution provides six services: authentication by digital signatures, message encryption, compression, e-mail compatibility, segmentation, key management Figure 8-10 IPSec headers Summary (1 of 5) Encryption is the process of converting a message into a form that is unreadable to unauthorized people. The science of encryption, known as cryptology, encompasses cryptography (making and using encryption codes) and cryptanalysis (breaking encryption codes). Two basic processing methods are used to convert plaintext data into encrypted data—bit stream and block ciphering. Summary (2 of 5) The other major methods used for scrambling data include substitution ciphers, transposition ciphers, the XOR function, the Vigenère cipher, and the Vernam cipher. The strength of many encryption applications and cryptosystems is determined by key size. Hash functions are mathematical algorithms that generate a message summary, or digest, that can be used to confirm the identity of a specific message, and confirm that the message has not been altered. Summary (3 of 5) Most cryptographic algorithms can be grouped into two broad categories: symmetric and asymmetric. Most popular cryptosystems combine the two. Public-key infrastructure (PKI) is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services. PKI includes digital certificates and certificate authorities. Digital signatures are encrypted messages that are independently verified by a central facility, and which provide nonrepudiation. Summary (4 of 5) Steganography is the hiding of information. It is not properly a form of cryptography, but is similar in that it is used to protect confidential information while in transit. S-HTTP (Secure Hypertext Transfer Protocol), Secure Electronic Transactions (SET), and SSL (Secure Sockets Layer) are protocols designed to enable secure communications across the Internet. IPSec is the protocol used to secure communications across any IP-based network, such as LANs, WANs, and the Internet. Summary (5 of 5) Secure Multipurpose Internet Mail Extensions (S/MIME), Privacy Enhanced Mail (PEM), and Pretty Good Privacy (PGP) are protocols that are used to secure e-mail. Wireless networks require their own cryptographic protection. Originally protected with WEP and WPA, most modern Wi-Fi networks are now protected with WPA2.