- By
**admon** - Follow User

- 135 Views
- Uploaded on

Download Presentation
## Cryptographic Security

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Overview

- What is cryptographic security?
- Uses
- Main Points
- What is a “Key/Certificate”?
- Implementations
- CAC based PKI Demonstration
- References

CS5204 – Operating Systems

What is it?

Cryptographic Security:

Leveraging a standardized system that uses a set of operations that are publicly available in order to authenticate identities, securely share data, or irrefutably sign data.

def Cryptography: cryp∙tog∙ra∙phy[3]

:the enciphering and deciphering of messages in secret code or cipher; also : the computerized encoding and decoding of information

CS5204 – Operating Systems

Uses

- Establishing Transport Layer Security (TLS/SSL)
- HTTPS
- SFTP
- Data Encryption / Decryption
- Digital Signature
- Login / Authentication Protocols
- Relies on digital signature

CS5204 – Operating Systems

Main Points

- Use of a publicly formalized system
- Centers around a third party “Certificate Authority”
- Certify Identities
- Manage (create, distribute, revoke) Keys
- Eliminates many security vulnerabilities
- Can be used to enforce least privilege, separation of duties, economy of mechanism, and complete mediation while being an open design.
- Heavy use of hashing algorithms (sha1, MD5,…)

CS5204 – Operating Systems

What is a “Key”?

- Cryptographic Key:

A set of 2 integers that can be used with a cryptographic algorithm in order to encrypt or decrypt data.

- Two types of cryptographic systems:
- Private Key – using only one secret key (symmetric)
- Public Key – using two keys, a secret key and a shared key (asymmetric)
- RSA and NIST recommend using at least:
- 112 bit symmetric keys (harder to break, efficient)
- 2048 bit asymmetric keys

CS5204 – Operating Systems

What is a “Certificate”?

- Cryptographic Certificate:

The combination of identity information with cryptographic information.

- Identity of the certificate owner
- Identity of the certificate authority (issuer)
- Dates that the certificate is valid for
- Which cryptographic algorithms are used
- Key information
- One owner may have multiple certificates for various uses: authentication, encryption, signature

CS5204 – Operating Systems

TLS / SSL

- Used for transporting data securely over non-secure channels, most namely the internet.
- Uses Handshaking:
- Employs both Symmetric and Asymmetric keys
- Symmetric keys are smaller than asymmetric keys and provide improved performance
- A secure channel must be established using asymmetric keys in order to transmit the shared secret symmetric key
- “Nonces” are used to defend against replay attacks

CS5204 – Operating Systems

Encryption / Decryption

Source:[7]

- Private Key Encryption (symmetric):
- Encrypting local files
- Must share the key in order to share the data
- Cannot use private key from PKI
- Group Authentication
- Cipher: stream/block
- AES 128 bit block

CS5204 – Operating Systems

Encryption / Decryption

source:[8]

Provides confidentiality but not authentication

Public Key Encryption (asymmetric):

CS5204 – Operating Systems

Encryption / Decryption

- The RSA Cryptosystem:
- Developed by Rivest, Shamir, and Adleman in 1977
- The de facto standard for PKI
- The encryption key is public (E)
- The decryption key is private (D)
- The Message M can be calculated by:
- M = D(E(M))
- M = E(D(M))

CS5204 – Operating Systems

Encryption / Decryption

- RSA Algorithm details (generate keys)
- 1. Find 2 unique large prime numbers
- 2. Calculate n

n = p ∙ q

- 3. Pick a large random integer d that is relatively prime to (p-1)∙(q-1) such that

gcd(d, (p-1)∙(q-1)) = 1

- 4. Calculate e

e ∙ d = 1∙(mod (p1)∙(q1))

CS5204 – Operating Systems

Encryption / Decryption

- RSA Algorithm details (encrypt/decrypt)
- Encryption:
- Given message M create ciphertext C
- C = E(M) = Me (mod n)
- Decryption:
- Given ciphertext C create message M
- M = D(C) = Cd(mod n)
- Can be calculated quickly using modular exponentiation (repeated squaring)

CS5204 – Operating Systems

Digital Signature

Not “electronic signature” which is typically implemented with a digital representation of a hand signature or acknowledgment gesture.

Provides non-repudiation, irrefutably evidence that the signature was created by the identified party.

Provides data integrity validation

Provides authentication but not confidentiality

CS5204 – Operating Systems

Digital Signature

- RSA Digital Signature details:
- A message M is signed using the private key
- S = D(M)
- A digital signature is validated using the public key
- M = E(S)
- Decryption of the message can be used to prove the identity of a user, authentication
- Validating a digital signature also validates the data by comparing the hash values

CS5204 – Operating Systems

CAC PKI

- Common Access Card (CAC) aka Smart Card
- Utilized extensively by the DoD
- Enforces two factor authentication
- Something you have – CAC
- Something you know – PIN
- Can be used for three factor authentication with addition of finger print reader (something you are)
- Newer generation cards can also be used with proximity based passive RFID readers
- Great for enforcing separation of duties and least privilege

CS5204 – Operating Systems

CAC PKI Demo

One last note, using an in house certificate authority (CA) and a smart card enabled PKI cryptosystem throughout an organization can enable greater PII (Personally Identifiable Information) security by replacing things like SSNs with othewise meaningless unique identifiers like the DoD EDIPI (Electronic Data Interchange Personal Identifier).

CS5204 – Operating Systems

References

1. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Rivest et al

2. “Introduction to Algorithms, Second Edition”, Cormen et al

3. Merriam-Webster dictionary, term: cryptography, (www.merriam-webster.com)

4. National Institute for Standards and Technology, (www.nist.gov)

5. http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/

6. RSA Laboratories, (www.rsa.com)

7. http://www.itportal.in/2011/12/encryption-decryption-information.html

8. http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html

9. http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx

CS5204 – Operating Systems

Download Presentation

Connecting to Server..