1 / 49

Information Systems Security

Information Systems Security. Cryptography Domain #3. Cryptography Now and Before. In the past – mainly used for confidentiality Today Still used for confidentiality Data integrity Source authentication Non-repudiation. Definitions. Cryptography Hiding the meaning of communication

makaio
Download Presentation

Information Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Systems Security Cryptography Domain #3

  2. Cryptography Now and Before • In the past – mainly used for confidentiality • Today • Still used for confidentiality • Data integrity • Source authentication • Non-repudiation

  3. Definitions • Cryptography • Hiding the meaning of communication • Cipher • Transforms characters or bits into an unreadable format • Cryptographic Algorithm • Procedure that turns readable data into an unreadable format (usually through mathematical formulas

  4. More Definitions • Cryptanalysis • Science of studying and breaking encryption mechanisms • Cryptology • Study of cryptography and cryptanalysis • Key Clustering • When two keys generate the same ciphertext from the same plaintext

  5. MORE Definitions • Cryptosystem • Encompasses all of the components for encryption and decryption • Plaintext • Readable format / decrypted • Ciphertext • Unreadable format / encrypted • Work Factor • Time, effort, and resources necessary to break a cryptosystem (should be too high for compromise)

  6. Symmetric Cryptography • Two instances of the same key • One key used for encryption and decryption • Sender/receiver use same key (public/shared) • Key distribution a problem • Secure 2nd channel needed or offline • Does not implement non-repudiation

  7. Historical Symmetric Keys • Hieroglyphics • Recorded in use in 2000 B.C. • 1st known type of cryptography • Only certain people knew the symbols • Used to glorify the life of deceased

  8. Scytale Cipher • Paper or leather was wrapped around a rod • Message was written on paper and delivered by messenger • Sender and receiver had to have rod of same diameter • Was used around 400 B.C. • Transposition Cipher

  9. Caesar Cipher • Symmetric cipher • Keys shifted ‘n’ number of letters • Also referred to as a shift cipher • If one alphabet is used – monoalphabetic substitution • If two alphabets are used – polyalphabetic substitution

  10. Example • Decode the following messages: • UIJT POF JT FBTA

  11. Vigenere Cipher • Polyalphabetic substitution cipher • Proposed by court of King Henry III • An extension of the Caesar Cipher • Strength is no frequency analysis can be performed

  12. Enigma Machine • Rotor cipher used polyalphabetic substitution • Employed in WWII • Symmetric – original setting of rotors and how rotors moved must be the same • Sender entered characters and the rotors moved

  13. Vernam Cipher • One-time pad • Only method that is completely secure • Still used today for backups encryption method • Senders uses one-time pad to encrypt and receiver uses twin to decrypt

  14. Vernam • Deemed unbreakable if: • Pad is truly random values • Used only once • Securely distributed • Securely stored • Pad is at least as long as message

  15. Key & Algorithm Relationship • Key – long string of values • Algorithm – group of mathematical equations that can be used for the encryption process • Used together – key values are used by the algorithm to indicate which equations to use, in what order, and with what values

  16. Breaking Cryptosystems • Brute Force • Attempts all possible combinations of a given key space to derive the key • Takes ciphertext, applies key, and sees if understandable plaintext is derived • How many possible keys? • 40-bit key = 1 trillion • 56-bit key = 72 quadrillion • Easily breakable due to Moore’s Law • In 1998, broke DES in three days with 1536 PCs running at 40 MHz

  17. Frequency Analysis • Patterns in ciphertext are identified and matched back to plaintext • For example, the most common letters in the English language are “iron seat” • Allows attackers to reverse-engineer encryption process

  18. Characteristics of Strong Algorithms • Confusion • Complexity of the process to increase the workfactor of reverse engineering • Interceptor should not be able to predict what changing one character will do to ciphertext • Diffusion • Component going through an encryption should have MANY things take place • Change should affect many part of the ciphertext

  19. Kerckhoff’s Principle • Only secrecy involved with cryptography should be the key • Should not base security on figuring out the algorithm • Algorithms should be publicly known • Government does NOT agree

  20. Type of Ciphers Used Today • Substitution Methods • Transposition Methods • Symmetric Ciphers • Block • Stream • Asymmetric Ciphers

  21. Encryption/Decryption • Substitution • Substitute one bit for another • Destination has to have the correct key to indicate how to substitute • Transposition • Bits are moved to new place in stream • No new bits are introduced • Destination must have correct key to unscramble

  22. Symmetric – Block Cipher • Message is divided into blocks and put through mathematical function • Each block is encrypted separately • While message is not encrypted as one entity • Best used in software implementation

  23. S-Box • Substitution box is common component • Table where a lookup using a few bits as an index yields some other bits • For example, in an 8 by 32 s-box, you enter with 8 bits and come out with 32 • DES uses 6 by 4 boxes • Blowfish uses 8 by 32 boxes

  24. Symmetric Stream Cipher • Encrypts individual bits of the message • Bits are X-ORed with a bit from message • Stream algorithms have keystroke generators • Best used in hardware implementations • Caesar cipher is an example

  25. Message Authentication Code (MAC) • MACs are computed and verified with same key • Four types • Unconditionally secure • One time pad • Has function-based MAC (HMAC) • Uses key with hash function (MD5) • Stream – broken into two substreams • Block – encrypt message and output final block of ciphertext as checksum (DES)

  26. Digital Signatures • Provide Authenticity and Non-Repudiation • After hashed, MD value is encrypted with sender’s private key • Receiver validates the digital signature by decrypting it with the sender’s public key • Provides data integrity, authenticity, and non-repudiation

  27. Digital Signature vs. MAC • Symmetric Cryptography • MAC = hash + symmetric key • Asymmetric Cryptography • DS = hash + asymmetric key

  28. US Government Standard • Digital Signature Standard (DSS) • Secure hashing algorithm (SHA) must be used for message digest creation. • DSA, RSA, and ECDSA asymmetric algorithms can be used for digital signature creation • ECDSA = elliptic curve digital signature algorithm

  29. Symmetric Algorithms • Data Encryption Standard (DES) – Break work in half and XOR several times. Became standard in 1977. • Triple DES – Encrypted/decrypted with 3 separate keys. Strength of 2 112. • Advanced Encryption Standard (AES) - Adopted in 1997 by NIST. Had larger block size then DES

  30. Advantages of Symmetric • Very fast and secure method for confidentiality • Implemented in either hardware or software • Usually available at no cost to user

  31. Disadvantages • Not able to provide non-repudiation • Can not provide access control or digital signatures • Need to share key

  32. Security in Hashing • Strength of Hashing Algorithm • The hash should be computed over the entire message • Messages cannot be disclosed by MD value • Different messages should generate different MD values • Collision free • Resistant to birthday attacks

  33. Hashing Issue • It is easier to find 2 messages that have the same MD than looking for one particular MD value on a message • Hashing value (n) Brute force to find hash value (2n) Brute force to find any 2 matching hash values 2(n/2) • Crux – A hashing algorithm that generates a larger MD value is less vulnerable to a bday attack than one that creates a smaller one

  34. Key Management • Responsibilities • Secure key creation and distribution • Secure key recovery • Secure key storage and destruction • Characteristics • Split knowledge and control • Length of key • Never available in clear text

  35. Asymmetric Key AlgorithmsPublic Key Cryptography • No key exchange needed • Users can generate their own public/private key pairs and exchange them • If you receive a public key from Bob, how do you know it is really Bob? • Need a trusted third party to vouch for the identity of the owner of a public key

  36. Asymmetric Keys • Allows non-repudiation and access control • Extremely slow • Output may be much larger than the plaintext • Hashing • Integrity • Digital Signatures

  37. CA and RA Roles • Registration Authority • Accepts registration requests from users • Validates users identities • Passes request to CA • Certificate Authority • Creates digital signature • Binds identity to signature • Maintains certificate during lifetime • Verisign, Thawte, IP, Belsign, etc.

  38. Example • Bob wants to participate in a PKI • Bob send request to RA • RA validates Bob’s identity • RA sends request to CA • CA generates certificate and sends to Bob • Bob’s identity is now bound to the public key that is embedded in the digital certificate

  39. Components of PKI • Certificate Revocation Lists (CRL) • Certificates can become revoked • CRL is list of revoked certificates signed by CA • Method to tell others not to trust (compromised) • Certificate Directory • Storage of certificates • Usually publicly accessible • Each certificate is digitally signed

  40. Steganography • Hiding information in media • No algorithm, key or encryption required • Hides data • Digital watermarks are used to detect • Messages can be sent without knowledge • Specialized tools to carry this out • Hide and Seek • Steg Detect

  41. Email Standards • Pretty Good Privacy (PGP) • Free email client that provides security • Uses passphrases instead of passwords • Web of trust instead of hierarchy of CAs • PGP provides confidentiality via IDEA • Integrity via MD5

  42. Secure Protocols • Secure Hypertext (SHTTP) • Protects each message • Older less used • HTTPS • HTTP runs on top of SSL • Provides secure communication channel • All messages are protected • Secure Socket Layer (SSL) • Netscape developed; requies PKI • Works at transport layer

  43. Secure email Standard • Secure MIME (SMIME) • Secure Multipurpose Internet Mail Extension • Allows for encryption, hashing, and digital signatures to take place in a uniform manner • Email client vendors follow this standard • Transparent between different email clients

  44. Secure Electronic Transaction • SET • Developed by Visa and Mastercard for more secure monetary transactions over the Internet • Uses PKI to protect sensitive data and authenticates each ‘hop’ in the transaction • Slow in acceptance and deployment • Goal to replace SSL • Slow the throughput of the transaction

  45. Network Layer Protection • IPSec • Developed because IPv4 has no security • Sets up a secure channel between computers instead of between applications • Application secure channels provided by SSL • Network layer security • Provides host-to-host, host-to-subnet, and subnet-to-subnet connections

  46. Key Issues with IPSec • Internet Key Exchange (IKE) • Used to negotiate the key exchange between two entities • Suite of ISAKMP and Oakley protocols • Internet Security Association and Key Management Protocol (ISAKMP) • Framework for key negotiation • Oakley Protocol • Negotiates key information using Diffie-Hellman algorithm

  47. IPSec Modes of Operation • Transport Mode • Offers payload protection • Protects header up to the network layer • Tunnel Mode • Protects the whole packet • Includes payload and all headers • Creates a new IP header`

  48. Attacks on Crypto • Ciphertext-only Attack • Attacker only has ciphertext • Goal to reverse the encryption process • Known plaintext attack • Attacker has ciphertext and plaintext • Chosen-plaintext attack • Attacker can choose what plaintext is encrypted • Chosen-ciphertext attack • Attacker can choose ciphertext to be decrypted

  49. More Attacks • Replay Attack • Attacker obtains a set of credentials and sends them to authentication source • Timestamps and sequence numbers protect against this attack • Man in Middle Attack • Attacker injects itself between two users and reads messages • Sequence numbers and digital signatures protect against this attack

More Related