Information Security Lesson 8 - Cryptography - Eric Vanderburg
- 2. Terminology
• Cryptography – transforming information so that
it is secure when stored or transmitted.
• Steganography – Hiding data inside another file
• Encryption – changing data so that it cannot be
read
• Decryption – changing a message back so it can
be read
• Algorithm – the mathematical formula used for
encryption
• Key – value used by an algorithm to encrypt and
decrypt
Information Security © 2006 Eric Vanderburg
- 3. Terminology
• Weak key – A key that can easily be
determined
• Plaintext (cleartext) – Unencrypted data
• Cypher – algorithm tool used for
encryption and decryption
• Cyphertext – encrypted data
- 4. Cryptography Uses
• Non-repudiation – someone cannot deny
that they did an action (sending an email)
• Confidentiality - encryption
• Authentication – verify individuals
• Integrity – hashes
• Access Control – limited to those who
possess the key or token
- 5. Hashing
• One-way hash – create cyphertext from
plaintext. It cannot be decrypted. It is used for
integrity.
• Passwords stored on machines and devices are
usually hashed
– Windows: Store passwords using reversible
encryption
• Checksum – looks at 1’s and 0’s in a byte and
adds a 1 or 0 to the end.
– Even parity – if the number of 1’s is odd, add a 1, if
not add a 0
– Odd parity – if the number of 1’s is odd, add a 0, if not
add a 1
- 6. Secure Hashes
• Collision - hashing algorithms should not
be able to produce two identical hashes
from different messages
• You cannot predict what the hash will be
for a message
• The hash cannot be reversed
• Hashing algorithms can be public but still
produce secure hashes
• Hashes are all the same size no matter
what size the message is
- 7. Message Digest (MD)
• Hashing algorithm
• MD2 – turns plaintext into a 128 bit hash
– Padding is used to make the plaintext 128 if
it is less than 128.
– 16 byte checksum is attached
– Created in 1989 for Intel processors that
processed 16 bits at a time
• MD4 - turns plaintext into a 128 bit hash
– Pads plaintext to 512 bits instead of 128
– Many collisions – not secure. Less than a
minute for a collision to occur
- 8. Message Digest (MD)
• MD5 - turns plaintext into a 128 bit hash.
Also pads to 512 bits
– Splits the data into four 32 bit sections and
compresses the result.
– The compression is considered slightly weak
- 9. SHA (Secure Hash Algorithm)
• Creates a 160 bit hash of messages
padded to 512 bits
• Invented in 1993 by the NSA (National
Security Agency)
• Best hash to use
- 10. Symmetric Encryption
• Single key used for encryption and decryption
• Private Key Cryptography
• Stream cipher – one character is processed at a
time
– Fast on short messages
– Easier to exploit because they are more predictable
– Substitution – one letter is replaced by something else
• Monoalphabetic – one to one
• Homoalphabetic – one character is mapped to many
ciphertext characters
- 11. Symmetric Encryption
• Transposition Cipher – rearranges
characters
• All symmetric ciphers combine the
plaintext and cipher stream together in the
end to form the ciphertext. The process
uses a binary XOR (different = 1, same =
0)
• 0011011 XOR 0101001 = 0110010
- 12. Symmetric Encryption
• Block cipher – works on 8-16 bytes (a
block) at a time
– Better for encrypting longer messages
– Harder to break because an 8-16 byte block is
more unique than a single character
- 13. Symmetric Algorithms
• Iteration – running data through an algorithm –
each iteration is called a round
• DES (Data Encryption Standard)
– Developed by IBM, called Lucifer, in 128 bit length.
– NSA adopted it in the early 70’s but shortened the
length to 56 bits
– Block cipher
– 56 bit because the parity bits of the 64 bit key are not used, so 1 bit
per byte is lost.
– 64 bits of plaintext is iterated 16 times
– Uses weak keys, can be broken in about 3 hours
- 14. Symmetric Algorithms
• DES Modes
– ECB (Electronic Code Book) – block cipher that encrypts 64 bit
portions of plaintext individually
– CBC (Cipher Block Chaining) – links the blocks together to vary
the output – more secure than ECB
– CFB (Cipher Feedback) – The output of the first round is used
as the pattern for the next. Most secure DES mode but very
slow.
– OFB (Output feedback) – adds the results of rounds together
with the plaintext in each iteration
• 3DES (Triple DES)
– 3 DES iterations (3x16 = 48)
– Uses same weak keys as DES
– Must use different keys for the iterations for it to be better than
DES at all.
– Takes much longer than DES
- 15. Symmetric Algorithms
• AES (Advanced Encryption Standard)
– Replaced DES in 2000
– Rijndael algorithm
– Block cipher
– Can work with different key sizes
• 128 bit – 9 rounds
• 192 bit – 11 rounds
• 256 bit – 13 rounds
– Each round performs substitution, transposition, and then
multiplication
– So far, AES is secure
• Blowfish
– Block cipher, 64 bit blocks
– Key length from 32-448 bits
– So far, Blowfish is secure
- 16. Symmetric Algorithms
• IDEA (International Data Encryption Algorithm)
– Created in early 90’s in Europe
– 8 rounds
– 128 bit key
– Block cipher that works with 64 bit data slices
– Used in PGP
• RC (Rivest Cipher)
– RC1 and 3 not released
– RC2 – block cipher, 40 bit key, works with 64 bit data slices,
created first for Lotus, 18 rounds
– RC4 – stream cipher, 128 bit key, used in WEP & SSL, weak
keys
– RC5 – block cipher, works with different key lengths, 12 rounds
– RC6 – block cipher, 128, 192, and 256 bit keys, 20 rounds
(finalist for AES)
- 17. Asymmetric Encryption
• Public Key Cryptography
• Solves the problem of key management
• Public Key – everyone knows, use for
encryption
• Private Key – you know, use for
decryption and signing
• Small key sizes can be broken
• A good key size is 1,536 bits
- 18. Asymmetric Algorithms
• RSA (Rivest Shamir Adleman)
– Most common algorithm
– Uses prime numbers
– Slower
– Used by S/MIME & SSL
• Diffie Hellman
– Used in IPSec and SSH
• Elliptic Curve Cryptography
– Uses a mathematical curve where two points intersect
the curve and then a third point on the curve
– A new algorithm so it has not been tested much
- 19. Algorithm Overview
• Hashing – MD 2, 4, 5; SHA
• Symmetric – DES; 3DES; AES; Blowfish; RC 2, 4, 5, 6; IDEA
• Asymmetric – RSA; Diffie-Hellman; Elliptic Curve
- 20. Digital Signature
• Proves identity and integrity
• Non-repudiation
1. Create a hash of a message
2. Encrypt hash with private key
3. Receiver receives the message
4. Receiver decrypts the hash with the sender’s
public key knowing the message came from
them.
5. Receiver hashes the message and compares
the hash with the hash contained in the
message. If they match, the message was not
changed or corrupted in transit.
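The signing and verification steps above, as an added example that is not part of the original slides: textbook RSA with SHA-256 as the hash. The small primes, the names SENDER and OTHER, the message, and the hash-mod-n shortcut are assumptions for illustration; production signatures use a padded scheme such as RSA-PSS with much larger keys.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, the inverse of e modulo phi
    return (n, e), (n, d)

def digest_as_int(message: bytes, n: int) -> int:
    # Step 1: hash the message. Reducing the hash mod n is a toy shortcut
    # (assumption) that lets it fit under this small modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    # Step 2: "encrypt" the hash with the sender's private key.
    n, d = private
    return pow(digest_as_int(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    recovered = pow(signature, e, n)  # Step 4: recover hash with public key
    return recovered == digest_as_int(message, n)  # Step 5: compare hashes

# Constructed demo values: two key pairs built from known Mersenne primes.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MESSAGE = b"Transfer 10 units to account 42"
SIGNATURE = sign(MESSAGE, SENDER_PRIV)
```

Verification fails both when the message changes after signing (integrity) and when the signature was made with a different private key (identity).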
- 21. Implementations
• PGP (Pretty Good Privacy)
– Encrypts email messages
– Uses asymmetric cryptography
– GPG (GNU Privacy Guard) – free PGP program
– PGP Desktop 9.0 (works with many other programs and also
AOL Instant Messenger, Apple iChat and Trillian)
• EFS (Encrypting File System)
– Encrypt documents or folders on an NTFS volume.
– Uses a private key associated with a user and the recovery
agent
• PAM (Pluggable Authentication Modules)
– Modules written for PAM will work with many different
authentication methods that PAM supports.
– Used on UNIX machines
• CFS (Cryptographic File System)
– Linux file encryption method using DES and 3DES
- 22. Acronyms
• AES, Advanced Encryption Standard
• CFS, Cryptographic File System
• DES, Data Encryption Standard
• EFS, Encrypting File System
• GPG, GNU Privacy Guard
• IDEA, International Data Encryption Algorithm
• MD, Message Digest
• PAM, Pluggable Authentication Module
• PGP, Pretty Good Privacy
• RC, Rivest Cipher
• RSA, Rivest Shamir Adleman
• SHA, Secure Hash Algorithm
• 3DES, Triple Data Encryption Standard