FORESEC Academy Security Essentials (IV): Secure Communications

Secure Communications Agenda
• Chapter 19: Encryption 101
• Chapter 20: Encryption 102
• Chapter 21: Applying Cryptography
• Chapter 22: Steganography
• Chapter 23: Viruses and Malicious Code
• Chapter 24: Operations Security
Course Objectives
• Case Studies
• The Challenge That We Face
• Cryptosystem Fundamentals
• Types of Cryptosystems
• Real-world Implementations

What is Cryptography?
• Cryptography means “hidden writing”
• Encryption is coding a message in such a way that its meaning is concealed
• Decryption is the process of transforming an encrypted message back into its original form
• Plaintext is a message in its original form
• Ciphertext is a message in its encrypted form

Milestones in Cryptography
AES: Advanced Encryption Standard (sponsored by NIST, 2002) …built upon the work of giants!

Crypto History
• The history of cryptography is long and interesting
• In the next couple of slides we will discuss some of the highlights

Key Events
• Jefferson Disk Cipher system
• Japanese Purple Machine
• German Enigma Machine
• Vernam Cipher

Why do I Care about Crypto?
• It is part of a defense-in-depth strategy.
• It is a critical component and enabler of e-commerce / e-business.
• The “bad guys” are using it.
• Security professionals should keep abreast of cipher standards because they change and new weaknesses are found.
Crypto and E-Commerce
Customers need to be sure that:
• They are communicating with the correct server.
• What they send is delivered unmodified.
• They can prove that they sent the message.
• Only the intended receiver can read the message.
• Message delivery is guaranteed.
Vendors need to be sure that:
• They are communicating with the right client.
• The content of the received message is correct.
• The identity of the author is unmistakable.
• Only the purported author could have written the message.
• They acknowledge receipt of the message.
Security by Obscurity is no Security!
• Case-in-point: DVD “encryption”
• Proprietary algorithms are high-risk.
• “Tamper-proof” hardware can be defeated with sufficient effort.
• Technical solutions usually do not satisfactorily address legal issues.

Beware of Overconfidence
• Case-in-point: Large key lengths
• Simply using popular cryptographic algorithms with large key lengths does not make your system secure.
• What's the weakest link?
• Cryptanalytic compromises usually originate from totally unexpected places.

Simplicity is a “Good Thing”
• Case-in-point: E-commerce / e-business
• Morphing your business into an online business can be a complex undertaking.
• Taking shortcuts in **any** aspect of the development of your e-commerce systems can introduce weak links.
• Security is a “process”, not a product.

Credit Cards Over the Internet
• Case-in-point: How many people will use their credit card to buy merchandise on the Internet? How many people will pay for a meal with a credit card?
• Which is riskier? Perception vs. reality.
• The real risk is the back-end database, which may store credit card numbers unencrypted.
• Understanding the threat is key.

Goals of Cryptography
• “Alice” and “Bob” need a cryptosystem which can provide them with:
• “Cryptography is about communications in the presence of adversaries” (Rivest, 1990)