Cryptography

Cryptography CISSP Guide to Security Essentials Chapter 5

Objectives • Applications and uses of cryptography • Encryption methodologies • Cryptanalysis • Management of cryptography • Key management CISSP Guide to Security Essentials

What Is Cryptography • Cryptography is the science of hiding information in plain sight, in order to conceal it from unauthorized parties. • Substitution cipher first used by Caesar for battlefield communications CISSP Guide to Security Essentials

Encryption Terms and Operations • Plaintext – an original message • Ciphertext – an encrypted message • Encryption – the process of transforming plaintext into ciphertext (also encipher) CISSP Guide to Security Essentials

Encryption Terms and Operations (cont.) • Decryption – the process of transforming ciphertext into plaintext (also decipher) • Encryption key – the text value required to encrypt and decrypt data CISSP Guide to Security Essentials

Methods of Encryption • Substitution • Transposition • Monoalphabetic • Polyalphabetic • Running-key • One time pads CISSP Guide to Security Essentials

Types of Encryption • Block cipher • Stream cipher CISSP Guide to Security Essentials

Types of Encryption Keys • Symmetric key • A common secret that all parties who participate must know • Asymmetric key • Public / private key • Openly distribute public key to all parties CISSP Guide to Security Essentials

Types of Encryption Keys (cont.) • One-time pad • Used once, is as large as the message to be encrypted CISSP Guide to Security Essentials

Substitution Cipher • Plaintext characters are substituted to form ciphertext • “A” becomes “R”, “B” becomes “G”, etc. • Character rotation • Caesar rotated three to the right (A > D, B > E, C > F, etc.) • A table or formula is used CISSP Guide to Security Essentials

Transposition Cipher • Plaintext messages are transposed into ciphertext Plaintext: ATTACK AT ONCE VIA NORTH BRIDGE • Write into columns going down • Read from columns to the right CISSP Guide to Security Essentials

Transposition Cipher (cont.) Ciphertext: AKCNBTAEORTTVRIAOITDCNAHG • Subject to frequency analysisattack CISSP Guide to Security Essentials

Monoalphabetic Cipher • One alphabetic character is substituted or another • Caesar right-three shift: • Or a more random scheme: • Subject to frequency analysis attack CISSP Guide to Security Essentials

Polyalphabetic Cipher • Two or more substitution alphabets CISSP Guide to Security Essentials

Polyalphabetic Cipher (cont.) • CAGED becomes RRADB • Not subject to frequency attack CISSP Guide to Security Essentials

Running-key Cipher • Plaintext letters converted to numeric (A=0, B=1, etc.) • Plaintext values “added” to key values giving ciphertext CISSP Guide to Security Essentials

Running-key Cipher • Modulo arithmetic is used to keep results in range 0-26 • Add 26 if results < 0; subtract 26 if results > 26 CISSP Guide to Security Essentials

One-time Pad • Works like running key cipher, except that key is length of plaintext, and is used only once • Highly resistant to cryptanalysis CISSP Guide to Security Essentials

Block Ciphers • Encrypt and decrypt a block of data at a time • Typically 128 bits • Typical uses for block ciphers • Files, e-mail messages, text communications, web CISSP Guide to Security Essentials

Block Ciphers (cont.) • Well known encryption algorithms • §DES, 3DES, AES, CAST, Twofish, Blowfish,§Serpent CISSP Guide to Security Essentials

Block Cipher: Electronic Code Book • Simplest block cipher mode • Each block encrypted separately • Like plaintext encrypts to like ciphertext CISSP Guide to Security Essentials

Block Cipher: Cipher-block Chaining (CBC) • Ciphertext output from each encrypted plaintext block in the encryption used for the next block • First block encrypted with IV (initialization vector) CISSP Guide to Security Essentials

Block Cipher: Cipher Feedback (CFB) • Plaintext for block N is XOR’d with the ciphertext from block N-1. • In the first block, the plaintext XOR’d with the encrypted IV CISSP Guide to Security Essentials

Block Cipher: Output Feedback (OFB) • Plaintext is XOR’d with the encrypted material in the previous block to produce ciphertext CISSP Guide to Security Essentials

Block Cipher: Counter (CTR) • Uses a “nonce” (a random number that is used once) that is concatenated with a counter or other simple function, which is encrypted by… CISSP Guide to Security Essentials

Block Cipher: Counter (cont.) • …the block cipher, and the output XOR’d with the plaintext block to product the ciphertext block. CISSP Guide to Security Essentials

Stream Ciphers • Used to encrypt a continuous stream of data, such as an audio or video transmission • A stream cipher is a substitution cipher that typically uses an exclusive-or (XOR) operation that can be performed very quickly by a computer. CISSP Guide to Security Essentials

Stream Ciphers (cont.) • Encryption: simple XOR with key: • Decryption: simple XOR with the same key: CISSP Guide to Security Essentials

Types of Encryption Keys • Symmetric keys • Same key used at both ends of a communications channel or session • A symmetric key is also known as a shared secret CISSP Guide to Security Essentials

Types of Encryption Keys (cont.) • Issues related to communicating the key to the other party – it must be safely transmitted “out of band” • Encryption algorithms that use symmetric keys • DES, 3DES, AES, Twofish, Blowfish, IDEA, RC5 CISSP Guide to Security Essentials

Types of Encryption Keys (cont.) • Asymmetric keys (public key cryptography) • Overcomes the problem of communicating a shared secret to another party • Key distribution scales better than symmetric cryptography • All parties can share each others’ public keys CISSP Guide to Security Essentials

Types of Encryption Keys (cont.) • Asymmetric keys (cont.) • Use cases • Encrypt message, sign message, sign and encrypt message • Algorithms that use asymmetric keys • RSA, El Gamal, Elliptic Curve CISSP Guide to Security Essentials

Diffie-Hellman Key Exchange • Another way to overcome the problem of exchanging encryption keys without compromising them • Jane and Tom agree to a large prime number p and a base integer g. The values p and g may be transmitted over the network in the clear. CISSP Guide to Security Essentials

Diffie-Hellman Key Exchange (cont.) • Overcome the problem (cont.) • Jane picks a secret integer a, then calculates ga mod p and sends the result to Tom. • Tom picks a secret integer b, then calculates gb mod p and sends the result to Jane. CISSP Guide to Security Essentials

Diffie-Hellman Key Exchange (cont.) • Overcome the problem (cont.) • Jane computes k=(gb mod p)a mod p. • Tom computes k=(ga mod p)b mod p. • P is at least 300 digits; a and b at least 100 digits CISSP Guide to Security Essentials

Protection of Encryption Keys • Symmetric keys • Must be restricted to as few people as possible • Protected by a strong password, or encrypted again if needed CISSP Guide to Security Essentials

Protection of Encryption Keys (cont.) • Asymmetric keys • Private key requires protection similar to symmetric key • Public keys can be published, even on the Internet CISSP Guide to Security Essentials

Protecting Keys in Applications • More difficult to protect keys that applications must be able to access directly CISSP Guide to Security Essentials

Protecting Keys in Applications (cont.) • Hardening techniques • Separation of duties • Key value known only to ops, not dev or support CISSP Guide to Security Essentials

Protecting Keys in Applications (cont.) • Hardening techniques (cont.) • Split custody • Split key value or password among two or more persons • Use of a key encrypting key CISSP Guide to Security Essentials

Cryptanalysis • Frequency analysis • Birthday attacks • Ciphertext only attack • Chosen plaintext attack CISSP Guide to Security Essentials

Cryptanalysis (cont.) • Chosen ciphertext attack • Known plaintext attack • Man in the middle attack • Replay attack CISSP Guide to Security Essentials

Uses for Cryptography • File encryption • PGP and GPG • WinZip (version 9 uses AES) • EFS (encrypting file system) for Windows • Crypt tool for Unix CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • Encrypted volumes and disks • Truecrypt for Windows, Mac, Unix • Bitlocker for Windows Vista • PGP Disk • SafeBoot CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • E-mail • PGP / GPG – asymmetric key (public key crypto) • S/MIME (Secure / Multipurpose Internet Mail Extensions) – certificate based CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • E-mail (cont.) • PEM (Privacy Enhanced Mail) – not widely used, requires a single global PKI (which was never implemented) • MOSS (MIME Object Security Services) – not widely used CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • Web browsing – protects session contents from eavesdropping • SSL / TLS (Secure Sockets Layer / Transport Layer Security) • 40-512 bit encryption with secure key exchange CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • Web browsing (cont.) • Server authentication common, client authentication rare • SET (Secure Electronic Transaction) • Not widely used CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • Protecting network communications • SSH • Replacement for telnet, rsh, rlogin • Secure FTP • SSL • Protects web browser traffic CISSP Guide to Security Essentials

Uses for Cryptography (cont.) • Network communications (cont.) • IPsec • Encrypts all packets between established pairs of hosts CISSP Guide to Security Essentials

Cryptography

Cryptography

Presentation Transcript

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography