150 likes | 212 Vues
Cryptography and the Internet. Daryl Banttari daryl@windsorcs.com. Introduction. Cryptography
E N D
Cryptography and the Internet Daryl Banttari daryl@windsorcs.com
Introduction • Cryptography • ‘There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.’--Bruce Schneier, preface, “Applied Cryptography, Second Ed”http://www.counterpane.com/actoc.html
Topics of Discussion • Types of Cryptography • Applications to the Internet • SSL • Digital Signatures • Digital Signatures and SSL • E-Mail Encryption and Authentication (PGP)
Types of Cryptography • Cryptographically Strong “Hash” Functions (MD5) • Symmetric Key (Conventional) Encryption • Public Key Encryption
The MD5 Hash Algorithm • Turns an arbitrary string into a 128-bit “Message Digest” or “Hash” • Always creates the same hash when given the same string • Impossible* to create a string from a hash or to alter a string and produce the same hash • Commonly used to verify that files are unaltered Hash("Hello1"): 7A6D1B13498FB5B3085B2FD887933575 Hash("Hello2"): B83099B8CE596F31F2F60C8FD4D72826 Hash("Hello3"): E1C0F8926581BE86F96BD0007371CCA0 *Impossible: read “Practically Impossible.” It is believed to require 2128 operations to produce a message that would create a given digest. http://www.faqs.org/rfcs/rfc1321.html
Symmetric Encryption • Proven and Secure • Fast • Uses the same key to decrypt as was used to encrypt • Requires “out of band” communication to exchange the key
Public Key Encryption • Pioneered by Whitfield Diffie and Martin Hellman in 1975. • Data encrypted with the Public key can only be decrypted with the Private key, even by the encrypter • Data encrypted with Private key can only be decrypted by the Public key • Commonly used to exchange a conventional “session” key • Public key encryption algorithms include RSA, DSA, Diffie-Hellman, Blowfish
SSL • Secure Server gives its Public key to the client • The client generates a conventional Session key • The client encrypts Session key with server’s Public key • The rest of the communication uses Session key for speed http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Digital Signatures • MD5 Hash created of document • Hash in encrypted with Private key and appended to document • If the hash you decrypt using the sender’s Public key matches your own hash of the document: • The document must have been unaltered in transit • The document must have come from the sender • The combination of hash and private key is a Digital Signature
SSL Certificate Signing • Encryption does not equal authentication • Some means needed of ensuring consumer that they are sending their credit card number to the people they expect, not some lookalike Web server • Verisign et al diligently ensure the public key belongs to a given organization • Attach organization info and expiration date to public key • Digitally sign public key with attached info • Public key of major certificate signers shipped with browsers
E-Mail Encryption and/or Authentication • PGP is an open, reasonably easy method of applying digital signatures and encryption to e-mail • People and organizations can sign a message that can then can be verified for authenticity by their public key • PGP uses session keys like SSL, so messages can be encrypted to multiple recipients without multiplying size of message- think of a keyed safe with multiple lock-boxes attached • You must have public key of recipient to encrypt an e-mail to them, which makes encryption to mailing lists, newsgroups, etc. unfeasible http://www.pgpi.org/doc/pgpintro/
PGP “Web of Trust” • Anyone can upload keys to “Key Servers”-- even fake keys • If you can verify that a key belongs to its owner, you can sign that key, indicating that you have verified ownership • The Web of Trust is established by people signing other people’s keys; if you trust Person A to diligently verify identity of keys, and Person A signed Person B’s key, then you can trust that Person B’s key is authentic
ColdFusion’s hash() Function • Available with CF4.5 • Generates md5 hashes of strings in hex format (use char(32) to store) • Useful for storing passwords so they can’t be read or recreated • Append an arbitrary string to “salt” the password hash to prevent “hash dictionary” attacks Hash("Hello1"): 7A6D1B13498FB5B3085B2FD887933575 Hash("Hello2"): B83099B8CE596F31F2F60C8FD4D72826 Hash("Hello3"): E1C0F8926581BE86F96BD0007371CCA0
Summary • An understanding of why encryption works is not necessary for an understanding of how it works • Although encryption and digital signature technology seem daunting, the processes are conceptually simple
What do I do with this info? • Hash passwords • Use encryption and authentication methods for secure processes • Evangelize!