CRYPTOGRAPHY SZABIST – Spring 2012
Cryptography This chapter presents the following: • Cryptography/Encryption/Ciphers • Public / Private Key Cryptosystems • Digital Signature • Public Key Infrastructure (PKI) • Vulnerability Assessment and Penetration Testing • Applications of Cryptography
What is Cryptography? • Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. • What are the possible uses of encryption?
What is Cryptography? • Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. • What are the possible uses of cryptography (encryption)? • Tool in warfare • E-commerce transactions • Financial transactions • Government • Detect accidental or intentional alterations of data
The History of Cryptography • Cryptography has roots that begin around 2000 B.C. • Encryption methods evolved and used to hide information from others. • A Hebrew cryptographic method (“Atbash”)require the alphabet to flip ABCDEFGHIJKLMNOPQRSTUVWXYZ ZYXWVUTSRQPONMLKJIHGFEDCBA • For example, the word “security” is encrypted into “hvxfirgb.” What does “hazyrhg” come out to be?
The History of Cryptography – contd. Around 400 B.C.,… • Spartans used a system of encrypting information • a message is written on a sheet of paper that was wrapped around a wooden stick, which was then delivered and wrapped around a different rod by the recipient. • The message was only readable if it was wrapped around the correct size stick, which made the letters properly match up.
The History of Cryptography Later, in Rome, Julius Caesar (100–44 B.C.) • A method of shifting letters of the alphabet, shifted the alphabet by three positions. The following example shows a standard alphabet and a shifted alphabet. • Alphabet - ALGORITHM • Number Of Locations – KEY Standard Alphabet: • ABCDEFGHIJKLMNOPQRSTUVWXYZ Cryptographic Alphabet: • DEFGHIJKLMNOPQRSTUVWXYZABC • Encrypt the word ‘LOGICAL SECURITY’
The History of Cryptography Standard Alphabet: • ABCDEFGHIJKLMNOPQRSTUVWXYZ Cryptographic Alphabet: • DEFGHIJKLMNOPQRSTUVWXYZABC • Encrypt the word ‘LOGICAL SECURITY’
Cryptography – Definitions & Concepts • Encryption / Decryption Process • Cryptosystem! • Message • Algorithm also known as Cipher • Key Space • Key • 128, 256, 512, or even 1,024 bits and larger (i.e. 2512)
Cryptography – Definitions & Concepts • Cryptosystem! • Message • Algorithm also known as Cipher • Key Space • Key • 128, 256, 512, or even 1,024 bits and larger (i.e. 2512)
Cryptography – Definitions & Concepts • Kerckhoffs’ Principle • the only secrecy involved with a cryptography system should be the key and the algorithm should be publicly known. • if security were based on too many secrets, there would be more vulnerabilities to possibly exploit. Q: Would you agree or disagree with this??? • Write down the reasoning with the answer.
The Strength of Cryptosystems • Strength of encryption method from algorithm • The secrecy of the key • The length of the key • Can be broken through BRUTE FORCE ATTACK • Processing Power • Necessary Recourses • Time GOAL “Make Compromising Too Expensive and Too Time Consuming”
Services of Cryptosystems Cryptosystems can provide the following services: • Confidentiality - Renders the information unintelligible except by authorized entities. • Integrity -Data has not been altered in an unauthorized manner since it was created, transmitted, or stored. • Authentication - Verifies the identity of the user or system that created information. • Authorization -Upon proving identity, the individual is then provided with the key or password that will allow access to some resource. • Non-repudiation - Ensures that the sender cannot deny sending the message.
Private Key Cryptosystems • Private key cryptographic systems are based on a symmetric encryption algorithm • Following are some of the examples of ‘Symmetric Algorithms’: • Data Encryption Standard (DES) • Triple-DES (3DES) • Blowfish • RC4, RC5, and RC6 • IDEA (International Data Encryption Algorithm) • Advanced Encryption Standard (AES)
Private Key Cryptosystems • DES (Data Encryption Standard) • Block of 64 bits and key of 56 bits (additional 8 bits for parity check) is used • No longer considered a strong cryptographic solution since its entire key can be brute-forced by large computer systems within a relatively short period of time. • DES is being replaced with AES, a public algorithm that supports keys from 128 to 256 bits and onwards in size.
Private Key Cryptosystems • Triple DES (3DES) (also known as TDEA - Triple Data Encryption Algorithm) • 3DES was a quick fix to DES on the way to AES. • More secure then DES but because of the extra work 3DES performs, there is a heavy performance hit. • It can take up to three times longer than DES to perform encryption and decryption.
Private Key Cryptosystems • Blowfish • The key length can be from 32 bits up to 448 bits. • It was intended as a replacement to the aging DES as many of the other algorithms were either proprietary and thus encumbered by patents or kept as government secrets, this wasn’t the case with Blowfish. • Bruce Schneier, the creator of Blowfish, has stated, “Blowfish is un-patented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.”
Private Key Cryptosystems • RC4 • It is used in the SSL protocol, and was implemented in the 802.11 WEP protocol standard. • RC4 was developed by and considered a trade secret of RSA Data Security, Inc. until someone posted the source code on a mailing list. • Since the source code was released nefariously, the stolen algorithm is sometimes implemented and referred to as ArcFour or ARC4 because the title RC4 is trademarked. • The algorithm is very simple, fast, and efficient, which is why it became so popular.
Private Key Cryptosystems • RC5 • RC5 is a block cipher that uses block sizes in algorithms of 32, 64, or 128 bits, and the key size goes up to 2,048 bits. • RC6 • RC6 is a block cipher that was built upon RC5, so it has all the same attributes as RC5. • The algorithm was developed mainly to be submitted as AES, but Rijndael was chosen instead. • There were some modifications of the RC5 algorithm to increase the overall speed, the result of which is RC6.
Private Key Cryptosystems • International Data Encryption Algorithm (IDEA) • A block cipher that operates on 64-bit blocks of data. The 64-bit data block is divided into 16 smaller blocks. The key is 128 bits long, and IDEA is faster than DES when implemented in software. • The IDEA algorithm is considered to be harder to break than DES because it has a longer key size. • IDEA is used in the PGP and other encryption software implementations. • It was thought to replace DES, but it is patented, meaning that licensing fees would have to be paid to use it.
Private Key Cryptosystems • Advanced Encryption Standard (AES) • After DES was used as an encryption standard for over 20 years and it was cracked in a relatively short time once the necessary technology was available. • AES has replaced the DES as the cryptographic algorithm standard (Due to the short key length of DES). • In 1997, NIST announced the initiation of the AES development effort and made a formal call for algorithms. • On 2 October 2000, Rijndael was selected algorithm for the AES. • For AES the block length was fixed to 128 bits and three different key sizes (128, 192 and 256 bits) were specified.
Private Key Cryptosystems • Advanced Encryption Standard (AES) – contd. • Rijndael works well when implemented in software and hardware in a wide range of products and environments. • It has low memory requirements and has been constructed to easily defend against timing attacks. • Rijndael is now the algorithm required to protect sensitive but unclassified U.S. government information.
Private Key Cryptosystems • Advantages: • User has to remember only one key for both encryption and decryption. • Generally less complicated and, therefore, use up less processing power than asymmetric techniques and also ideally suited for bulk data encryption. • Disadvantages: • How to communicate the keys to those with whom you want to exchange data, particularly in e-commerce environments where customers are unknown, untrusted entities. • A symmetric key cannot be used to sign electronic documents as the mechanism is based on a shared secret.
Private Key Cryptosystems • Following are the strengths and weaknesses of symmetric key algorithms: • Strengths • Much faster (less computationally intensive) than asymmetric systems. • Hard to break if using a large key size. • Weaknesses • Requires a secure mechanism to deliver keys properly. • Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming. • Provides confidentiality but not authenticity or nonrepudiation.
Public Key Cryptosystems • Public Key Cryptosystems are based on an asymmetric encryption process, • two keys work together as a pair. One key is used to encrypt data, the other is used to decrypt data. • With asymmetric encryption, one key - the secret or private key is known only to one person; the other key - the public key is known by many people. • A message that is sent encrypted by the private key of the sender can be deciphered by anyone with the corresponding public key (authenticity of the sender is ensured). • A message that has been sent encrypted using the public key of the receiver can be generated by anyone, but can only be read by the receiver. (confidentiality is ensured).
Public Key Cryptosystems • Asymmetric keys are often used for short messages such as encrypting DES symmetric keys or creating digital signatures. • If asymmetric keys were used to encrypt bulk data (long messages), the process would be very slow; this is the reason they are used to encrypt short messages such as digests or signatures • The following are examples of asymmetric key algorithms: • RSA (Rivest-Shamir-Adleman) • Elliptic curve cryptosystem (ECC) • Diffie-Hellman • El Gamal • Digital Signature Algorithm (DSA)
Public Key Cryptosystems The Diffie-Hellman Algorithm • Address the shortfalls of symmetric key cryptography, the issue of secure distribution of the symmetric key. • The first asymmetric key agreement algorithm, called Diffie-Hellman. • How Diffie-Hellman works, • User A and User B would like to communicate over an encrypted channel by using Diffie-Hellman. • They would both generate a private and public key pair and exchange public keys. User A’s software would take the private key and User B’s public key and put them through the Diffie-Hellman algorithm. • User B’s software would take the private key and User A’s public key and insert them into the Diffie-Hellman algorithm on the computer. • Through this process, User A and User B derive the same shared value, which is used to create instances of symmetric keys.
Public Key Cryptosystems The Diffie-Hellman Algorithm – contd. • So, User A and User B exchanged information that did not need to be protected (their public keys) over an untrusted network, and in turn generated the exact same symmetric key on each system. They both can now use these symmetric keys to encrypt, transmit, and decrypt information as they communicate with each other. NOTE: key agreement is different from key exchange.With key exchange functionality, the sender encrypts the symmetric key with the receiver’s public key before transmission. • The Diffie-Hellman algorithm allows for key distribution, but does not provide encryption or digital signature functionality. • It is vulnerable to a man-in-the-middle attack, because no authentication occurs before public keys are exchanged.
Public Key Cryptosystems RSA (Rivest-Shamir-Adleman) • RSA is a worldwide de-facto standard and is used for encryption / decryption, digital signatures generation and verification and key exchange (i.e. Key encryption) • It can be used as a key exchange protocol, meaning it is used to encrypt the symmetric key to get it securely to its destination. • RSA has been most commonly used with the symmetric algorithm DES / AES. When RSA is used as a key exchange protocol, a cryptosystem generates a symmetric key using either the DES or AES algorithm. • RSA has been implemented in applications, operating systems by Microsoft, Apple, Sun, and Novell; and at the hardware level in network interface cards, secure telephones, and smart cards..
Public Key Cryptosystems El Gamal • El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange. • El Gamal is actually an extension of the Diffie-Hellman algorithm. • Although El Gamal provides the same type of functionality as some of the other asymmetric algorithms, its main drawback is performance. When compared to other algorithms, this algorithm is usually the slowest.
Public Key Cryptosystems Elliptical Curve Cryptography • More efficient form of public key cryptography based on the elliptic curve discrete algorithm. • ECC is more efficient than RSA and any other asymmetric algorithm, it demands less computational power and, therefore, offers more security per bit. • For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1,024-bit key. • ECCs work well on smart cards, wireless devices, cellular telephones requiring strong cryptography but have limitations such as bandwidth, power supply and processing power. • In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires.
Public Key Cryptosystems • Following are the strengths and weaknesses of asymmetric key algorithms: • Strengths • Better key distribution than symmetric systems • Can provide authentication and non-repudiation • Weaknesses • Works much more slowly than symmetric systems • Mathematically intensive tasks
Digital Envelope • A digital envelope is used to send encrypted information, using symmetric keys, and the relevant key session along with it. • It is a secure method to send electronic documents without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of asymmetric keys. • Implemented using a combination of Public and Private Key Infrastructure.
The One-Way Hash (Hash Function) • A one-way hash is a function that takes a variable-length string and a message and produces a fixed-length value called a hash value. • For example, if A wants to send a message to B and he wants to ensure the message integrity, he would calculate a hash value for the message and append it to the message itself. • When B receives the message, he / she performs the same hashing function A used and then compares the result with the hash value sent with the message. • If the two values are the same, B can be sure the message was not altered during transmission. • If the two values are different, B knows the message was altered, either intentionally or unintentionally.
The One-Way Hash – contd. • The hashing algorithm is not a secret, it is publicly known. The secrecy of the oneway hashing function is its “one-wayness.” • Various Hashing Algorithms • MD2 • MD4 • MD5 • SHA • HAVAL • Tiger • The hashing one-way function takes place without the use of any keys.
The One-Way Hash – contd. What if someone intercept the message, alter it, recalculate another message digest, append it to the original message, and send it the targeted user?
The One-Way Hash – contd. • What if someone intercept the message, alter it, recalculate another message digest, append it to the original message, and send it the targeted user? • Message Authentication Code (MAC).
The One-Way Hash – contd. • Message Authentication Code (MAC). • A MAC function is an authentication scheme derived by applying a secret key (code) to a message in some form. • Three basic types of MACs: • Hash MAC (HMAC) • CBC-MAC • CMAC
The One-Way Hash – contd. • Message Authentication Code (MAC). • Hash MAC (HMAC) • A symmetric key is concatenated with the message
The One-Way Hash – contd. • Message Authentication Code (MAC). • Hash MAC (HMAC) • The sender concatenates a symmetric key with the message, put through a hashing algorithm which generates a MAC value. • The MAC value is appended to the message. • The sender sends the message (with MAC attached) to the receiver. • The receiver concatenates a symmetric key with the message and puts through a hashing algorithm and generates the MAC value. • The receiver compares the two MAC values. If they are the same, the message has not been modified. Note: The sender does not send the symmetric key with the message.
The One-Way Hash – contd. • Message Authentication Code (MAC). • CBC-MAC • Sender encrypts a plain text message with a symmetric block algorithm, the last block is used as the MAC. • The plaintext message and the appended MAC are sent to the receiver. • The receiver encrypts the message, creates a new MAC, and compares the two values. If they are the same, the receiver knows the message was not modified and from which system it came.
The One-Way Hash – contd. • Message Authentication Code (MAC). • C-MAC • CMAC works the same way as the CBC-MAC, but is based on more complex logic and mathematical functions. • the symmetric algorithm (AES or 3DES) creates the symmetric key. • This key is used to create subkeys. The subkeys are used individually to encrypt the individual blocks of a message. • Class Assignment?
The One-Way Hash – contd. • Message Authentication Code (MAC). • C-MAC
Digital Signatures “an electronic identification of a person / entity created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender” • A digital signature is a hash value encrypted with the sender’s private key. • hashing function ensures the integrity of the message; and • signing of the hash value provides authentication and non-repudiation.
Digital Signatures • Different steps and algorithms provide different types of security services: • A message can be encrypted, which provides confidentiality. • A message can be hashed, which provides integrity. • A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. • A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity. • Some algorithms can only perform encryption, whereas others support digital signatures and encryption. • When hashing is involved, a hashing algorithm is used, not an encryption algorithm.
Digital Signatures Digital Signature Standard (DSS) • It was developed for federal departments and agencies, but most vendors also designed their products to meet these specifications. • The federal government requires its departments to use RSA, or the elliptic curve digital signature algorithm (ECDSA). • RSA is considered the best known and most widely used digital signature algorithms.
Public Key Infrastructure (PKI) “A framework to issue, maintain and revoke public key certificates by a trusted party known as a PKI” • PKI allows users to interact with other users and applications, and obtain and verify identities and keys from trusted sources. • Key elements of the infrastructure are as follows: • Digital certificates • Certificate authority (CA) • Registration authority (RA) • Certificate revocation list (CRL) • Certification practice statement (CPS)