1 / 39

# COMP3123 Internet Security - PowerPoint PPT Presentation

COMP3123 Internet Security. Richard Henson University of Worcester October 2010. Week 2: Cryptography. Objectives: Describe a simple mathematical operation that could encrypt a text message Explain the differences between symmetric and asymmetric encryption

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'COMP3123 Internet Security' - roden

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### COMP3123 Internet Security

Richard Henson

University of Worcester

October 2010

• Objectives:

• Describe a simple mathematical operation that could encrypt a text message

• Explain the differences between symmetric and asymmetric encryption

• Apply public-private key encryption to the sending of Internet email

• Explain why digital signatures are necessary in the real world, and how they can be implemented

• Make it impossible for the information to be read…

• Nothing new!

• been happening for millennia

• many clever techniques involved

• Technique of changing digital data in a mathematical reversible way known as ENCRYPTION

• studies involving encryption - cryptography

• Practice of safely securing, storing, transmitting sensitive information

• Purpose: conceal sensitive information from unauthorised persons

• Outlines protocols, practices, procedures to build components of a cryptosystem

• Associated with:

• authenticity (proof of ownership)

• integrity (data not tampered with in any way)

• Depends on:

• circumstances

• risk

• value of information

• could be layer 1

• e.g. electronically, in communications equipment

• could be layer 7…

• encrypted directly from/to the screen

• Asymm

• Encryption: shared public key

• Decryption: unshared private key

• One way function

• Message arrives:

• intact & unmodified (integrity)

• original authorship established (authenticity)

• Message Authentication scheme:

• inputs: secret key, message

• output: message authentication code

Key Escrow and Key Recovery

• Escrow: a system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information

• separate agencies keep complementary components of the key system so no entity possesses a usable key

• law enforcement agencies can only intervene to get all components:

• under a court order in pursuit of criminal evidence or activity

• As discussed last week…

• Internet designed to be an “open” system

• IDs of devices based on IP address

• Data at rest or moving round the Internet could be intercepted by:

• someone with a good knowledge of TCP/IP

• any IT literate person with the appropriate software

• This person could be anywhere in the world!

• Unencrypted data sent over the Internet usually a sequence of ASCII codes

• ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number

• Encryption puts further coding onto each ASCII character in some reversible way before it is sent. Requires…

• a coding method (often a mathematical operation)

• a numerical value used with the coding method

• The ASCII codes can always be recovered by someone who knows the encryption method

• Algorithm based on a mathematical operation such as ADD operating

• Key based on a numerical digit (e.g 5)

• Data represented by an ASCII code

• Algorithm + key produce encrypted data

• The key must be kept secret – anyone with access to the key and the algorithm can decrypt any encrypted data produced with that combination

• The coding method and the key used to produce cipher text must be known in order to get back the plain text

• Method of encryption – add 5 to each ASCII code (this would be the key)

• e.g. if plain text = HELLO (ASCII codes 48 45 4B 4B 4F)

• Cipher text would be MJQQT (ASCII codes 4D 4A 50 50 54)

• Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key

Diagram – single key encryption

server

Message is decoded

Message is coded

key

key

User sends message

via server

Data is transmitted to

another server

• Encryption can only be effective if:

• either the key remains secret

• Or the algorithm remains secret

• During WWII, the Germans thought they had an encryption method that was impossible to decipher

• With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were deciphered

• Many techniques have been developed to enable digital data to be efficiently encrypted and decrypted

• Examples:

• DES (Data Encryption Standard)

• IDEA (ID Encryption Algorithm)

• Diffie-Hellmann

• These can be classified into two types:

• Symmetric Key

• Asymmetric Key

• Sender and receiver share a single, common key – known as a symmetric key

• Used both to encrypt and decrypt the message

• Advantages: simpler and faster than other systems

• the two parties must need to exchange the key in a secure way

• the sender cannot easily be authenticated

• IBM/US gov, 1974-7; still popular

• 56-bit encryption working on 64-bit blocks of data

• However, in view of recent research, clearly inadequate for really secure encryption

• “Using P2P architecture and over 100,000 participants (using only idle CPU time), distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

What levels of encryption are available?

• The more complex the key, the more difficult the encryption method is to decipher

• a single 40-digit key can be mathematically deduced very quickly using a computer

• known as WEAK encryption

• an equivalent 128-digit key would take much longer to “crack”

• known as STRONG encryption

• It makes sense to use 128-digit key encryption if possible….

• However, with commercial products there may be trade offs…

• e.g. Verisign 40-bit SSL

• actually 128-bit within US

• 40-bit for any communications that go outside US borders…

• e.g. Verisign Global Server SSL

• “the world’s strongest encryption”

• standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide

• Verisign product runs on servers from:

• any non-U.S. software vendor

• a U.S. software vendor properly classified by the U.S. Department of Commerce

• Strong encryption may cost a little more

• Is the extra expense going to be justified?

Breaking an Encryption Technique

• Usually achieved with the aid of very powerful computers

• The more powerful the computer, the more likely that the key can be mathematically deduced

• Until fairly recently, a 128-bit encryption key would have been considered to be secure

• However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

• 256-bit encryption is probably now a minimum for single key encryption

• but only a matter of time…

• 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet

• again, only a matter of time before even this can be cracked…

• Solution - 1024 bit keys?

• When data is on the move to a computer or device OUTSIDE a particular domain, there must be a technique for verifying that the user really who he or she claims to be

• In paper correspondence, authentication is provided by a signature

• A number of digital methods of signature are now available

• Windows 2000 provides SIGVER (file signing)

• A method of checking incoming files to ensure that they are from a Microsoft approved source

• Announced in 1976 byDiffie andHellman (US), but British scientists were secretly working on it much earlier and Ellis, at GCHQ made the first breakthrough in 1970

• Uses two keys:

• public key- known to everyone

• private orsecret key- known only to the recipient of the message

• Example: John wants to send a secure message to Jane…

• He uses Jane's public key to encrypt themessage

• Jane then uses her private key to decrypt it

• Original method did not support either encryption or digital signatures, and therefore was vulnerable to third party in the middle eavesdroppers

Public Key Encryption (PKE) even helpful

• can work in two ways:

• private key encryption, public key decryption

• public key encryption, private key decryption

Private key on sender’s computer

Unencrypted data

Encrypted data

Data sent through the Internet

Public key on recipient computer

Encrypted data

Decrypted data

recipient’s computer

Public Key Encryption (PKE) even helpful

• The public and private keys must be related in such a way that

• only the public key can be used to encrypt messages

• only the corresponding private key can be used to decrypt them.

• In theory it is virtually impossible to deduce the private key if you know the public key

• PKE is also called asymmetric encryption because it uses two keys instead of one

Practical Public Key Encryption even helpful

• Authentication of sender is ALSO needed for securely transmitting information via the Internet

• A variety of techniques have been developed to achieve this:

• Pretty Good Privacy (PGP)

• Digital Certificates & Public Key Infrastructure (PKI)

PGP even helpful (Pretty Good Privacy)

• Developed by Philip Zimmerman

• official repository held at the Massachusetts Institute of Technology

• One of the most common ways to protect messages on the Internet:

• Effective

• easy to use

• free

• based on the public-key method

• with authentication using a “web of trust”

• To encrypt a message using PGP, the receiver needs the PGPencryption package

• Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman

• Case:

• hence made it available to enemies of the U.S.

• After a public outcry, U.S. lawsuit was dropped

• still illegal to use PGP in many other countries

LDAP and the PKI even helpful

• An alternative approach to the “web of trust” the creation of an Internet infrastructure that could be used with PKE

• became known as the Public Key Infrastructure

• Use a central registry of public keys associated with authentication data, which is readily accessible

• included a set of “lookup” protocols known as LDAP (Lightweight Directory Access Protocol)

• enabled public key lookup to occur transparently i.e. without intervention from the user

• More about the PKI and LDAP next week…

• A unique 'security code' appended to an electronic document

• the digital equivalent of a signature on a paper document

• authenticates the sender

• permits the authenticity of the document to be proven

• also used the ensure the integrity of the message sent

• Digital Signatures are supplied packaged within a digital certificate

• A randomly generated number:

• used to create the public-private key pair

• Creates the attachment to an electronic message known as a digital signature

• An individual wishing to send an encrypted email message applies for a digital certificate from a Certificate Authority (CA)

• Example: verisign

• www.verisign.com

• Trusted third-party organizations that issues the digital certificates used to create public-private key pairs

• The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

• Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company

• The finance company provides it with information to confirm an individual's claimed identity

• CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be

• On request, a CA can produce an encrypted digital certificate for any applicant

• Digital certificates contain:

• the applicant's private key

• a digital signature

• The CA makes its own public key readily availableon the Internet

• The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message

• The recipient:

• verifies the digital signature as issued by the CA

• obtains the sender's public key and digital signature held within the certificate

• With this information, therecipient can send an encrypted reply

• This procedure relies on the integrity of the CA, and the user must be able to trustthem

• Digital signatures allow online delivery of traditionally paper based correspondence

• Contracts

• Government forms such as tax returns

• anything else that would require a hand-written signature for authentication…

• The flip side of this is that information submitted WITHOUT a digital signature has NOT been authenticated, and a further means of proof of identity of sender should be sought

Authentication, Identity, and Identity Theft even helpful

• Authentication alone is not enough