Comp3123 internet security
1 / 39

COMP3123 Internet Security - PowerPoint PPT Presentation

  • Uploaded on

COMP3123 Internet Security. Richard Henson University of Worcester October 2010. Week 2: Cryptography. Objectives: Describe a simple mathematical operation that could encrypt a text message Explain the differences between symmetric and asymmetric encryption

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'COMP3123 Internet Security' - roden

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Comp3123 internet security

COMP3123 Internet Security

Richard Henson

University of Worcester

October 2010

Week 2 cryptography
Week 2: Cryptography

  • Objectives:

    • Describe a simple mathematical operation that could encrypt a text message

    • Explain the differences between symmetric and asymmetric encryption

    • Apply public-private key encryption to the sending of Internet email

    • Explain why digital signatures are necessary in the real world, and how they can be implemented

The answer to data breaches
The Answer to Data Breaches

  • Make it impossible for the information to be read…

  • Nothing new!

    • been happening for millennia

    • many clever techniques involved

  • Technique of changing digital data in a mathematical reversible way known as ENCRYPTION

    • studies involving encryption - cryptography

What is cryptography
What is Cryptography?

  • Practice of safely securing, storing, transmitting sensitive information

  • Purpose: conceal sensitive information from unauthorised persons

  • Outlines protocols, practices, procedures to build components of a cryptosystem

  • Associated with:

    • authenticity (proof of ownership)

    • integrity (data not tampered with in any way)

Osi level of cryptosystem
OSI level of cryptosystem

  • Depends on:

    • circumstances

    • risk

    • value of information

  • could be layer 1

    • e.g. electronically, in communications equipment

  • could be layer 7…

    • encrypted directly from/to the screen

Symmetric v asymmetric
Symmetric v Asymmetric

  • Asymm

    • Encryption: shared public key

    • Decryption: unshared private key

    • One way function

Message authentication
Message Authentication

  • Message arrives:

    • intact & unmodified (integrity)

    • original authorship established (authenticity)

  • Message Authentication scheme:

    • inputs: secret key, message

    • output: message authentication code

Key escrow and key recovery
Key Escrow and Key Recovery

  • Escrow: a system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information

    • separate agencies keep complementary components of the key system so no entity possesses a usable key

    • law enforcement agencies can only intervene to get all components:

      • under a court order in pursuit of criminal evidence or activity

Why is it necessary to change email data into secret codes
Why is it necessary to change email data into Secret Codes?

  • As discussed last week…

    • Internet designed to be an “open” system

    • IDs of devices based on IP address

  • Data at rest or moving round the Internet could be intercepted by:

    • someone with a good knowledge of TCP/IP

    • any IT literate person with the appropriate software

  • This person could be anywhere in the world!

How does encryption work
How does Encryption work?

  • Unencrypted data sent over the Internet usually a sequence of ASCII codes

    • ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number

  • Encryption puts further coding onto each ASCII character in some reversible way before it is sent. Requires…

    • a coding method (often a mathematical operation)

    • a numerical value used with the coding method

  • The ASCII codes can always be recovered by someone who knows the encryption method

Simple encryption example
Simple Encryption Example

  • Algorithm based on a mathematical operation such as ADD operating

  • Key based on a numerical digit (e.g 5)

  • Data represented by an ASCII code

  • Algorithm + key produce encrypted data

Encryption keys
Encryption Keys

  • The key must be kept secret – anyone with access to the key and the algorithm can decrypt any encrypted data produced with that combination

  • The coding method and the key used to produce cipher text must be known in order to get back the plain text

Simple example of an encryption method
Simple example of an Encryption Method

  • Method of encryption – add 5 to each ASCII code (this would be the key)

  • e.g. if plain text = HELLO (ASCII codes 48 45 4B 4B 4F)

  • Cipher text would be MJQQT (ASCII codes 4D 4A 50 50 54)

  • Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key

Diagram single key encryption
Diagram – single key encryption


Message is decoded

Message is coded



User sends message

via server

Message is received

Data is transmitted to

another server

Effectiveness of encryption
Effectiveness of Encryption

  • Encryption can only be effective if:

    • either the key remains secret

    • Or the algorithm remains secret

  • During WWII, the Germans thought they had an encryption method that was impossible to decipher

  • With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were deciphered

Encryption techniques
Encryption Techniques

  • Many techniques have been developed to enable digital data to be efficiently encrypted and decrypted

  • Examples:

    • DES (Data Encryption Standard)

    • IDEA (ID Encryption Algorithm)

    • RSA (Rivest, Shamir, Adleman)

    • Diffie-Hellmann

  • These can be classified into two types:

    • Symmetric Key

    • Asymmetric Key

Symmetric encryption
Symmetric Encryption

  • Sender and receiver share a single, common key – known as a symmetric key

  • Used both to encrypt and decrypt the message

  • Advantages: simpler and faster than other systems

  • Disadvantages:

    • the two parties must need to exchange the key in a secure way

    • the sender cannot easily be authenticated

Des an example of symmetric encryption
DES – an example of symmetric encryption

  • IBM/US gov, 1974-7; still popular

    • 56-bit encryption working on 64-bit blocks of data

  • However, in view of recent research, clearly inadequate for really secure encryption

    • “Using P2P architecture and over 100,000 participants (using only idle CPU time), was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

What levels of encryption are available
What levels of encryption are available?

  • The more complex the key, the more difficult the encryption method is to decipher

    • a single 40-digit key can be mathematically deduced very quickly using a computer

      • known as WEAK encryption

    • an equivalent 128-digit key would take much longer to “crack”

      • known as STRONG encryption

Making encryption as effective as possible
Making Encryption as Effective as Possible

  • It makes sense to use 128-digit key encryption if possible….

  • However, with commercial products there may be trade offs…

    • e.g. Verisign 40-bit SSL

      • actually 128-bit within US

      • 40-bit for any communications that go outside US borders…

    • e.g. Verisign Global Server SSL

      • “the world’s strongest encryption”

      • standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide

    • Verisign product runs on servers from:

      • any non-U.S. software vendor

      • a U.S. software vendor properly classified by the U.S. Department of Commerce

  • Strong encryption may cost a little more

    • Is the extra expense going to be justified?

Breaking an encryption technique
Breaking an Encryption Technique

  • Usually achieved with the aid of very powerful computers

  • The more powerful the computer, the more likely that the key can be mathematically deduced

  • Until fairly recently, a 128-bit encryption key would have been considered to be secure

  • However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

Secure keys for today and tomorrow
Secure Keys for Today and Tomorrow…

  • 256-bit encryption is probably now a minimum for single key encryption

    • but only a matter of time…

  • 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet

    • again, only a matter of time before even this can be cracked…

    • Solution - 1024 bit keys?

Authentication encryption alone may not be enough or even helpful
Authentication – encryption alone may not be enough, or even helpful

  • When data is on the move to a computer or device OUTSIDE a particular domain, there must be a technique for verifying that the user really who he or she claims to be

  • In paper correspondence, authentication is provided by a signature

  • A number of digital methods of signature are now available

  • Windows 2000 provides SIGVER (file signing)

    • A method of checking incoming files to ensure that they are from a Microsoft approved source

Asymmetric two key encryption
Asymmetric ( even helpfultwokey) encryption

  • Announced in 1976 byDiffie andHellman (US), but British scientists were secretly working on it much earlier and Ellis, at GCHQ made the first breakthrough in 1970

  • Uses two keys:

    • public key- known to everyone

    • private orsecret key- known only to the recipient of the message

  • Example: John wants to send a secure message to Jane…

    • He uses Jane's public key to encrypt themessage

    • Jane then uses her private key to decrypt it

  • Original method did not support either encryption or digital signatures, and therefore was vulnerable to third party in the middle eavesdroppers

Public key encryption pke
Public Key Encryption (PKE) even helpful

  • can work in two ways:

  • private key encryption, public key decryption

  • public key encryption, private key decryption

Private key on sender’s computer

Unencrypted data

Encrypted data

Data sent through the Internet

Public key on recipient computer

Encrypted data

Decrypted data

Received by

recipient’s computer

Public key encryption pke1
Public Key Encryption (PKE) even helpful

  • The public and private keys must be related in such a way that

    • only the public key can be used to encrypt messages

    • only the corresponding private key can be used to decrypt them.

  • In theory it is virtually impossible to deduce the private key if you know the public key

  • PKE is also called asymmetric encryption because it uses two keys instead of one

Practical public key encryption
Practical Public Key Encryption even helpful

  • Authentication of sender is ALSO needed for securely transmitting information via the Internet

  • A variety of techniques have been developed to achieve this:

    • Pretty Good Privacy (PGP)

    • Digital Certificates & Public Key Infrastructure (PKI)

Pgp pretty good privacy
PGP even helpful (Pretty Good Privacy)

  • Developed by Philip Zimmerman

    • official repository held at the Massachusetts Institute of Technology

  • One of the most common ways to protect messages on the Internet:

    • Effective

    • easy to use

    • free

  • based on the public-key method

    • with authentication using a “web of trust”

  • To encrypt a message using PGP, the receiver needs the PGPencryption package

    • made available for free download from a number of Internet sources

Comp3123 internet security
PGP even helpful

  • Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman

  • Case:

    • he made PGP public

    • hence made it available to enemies of the U.S.

  • After a public outcry, U.S. lawsuit was dropped

  • still illegal to use PGP in many other countries

Ldap and the pki
LDAP and the PKI even helpful

  • An alternative approach to the “web of trust” the creation of an Internet infrastructure that could be used with PKE

    • became known as the Public Key Infrastructure

  • Use a central registry of public keys associated with authentication data, which is readily accessible

    • included a set of “lookup” protocols known as LDAP (Lightweight Directory Access Protocol)

    • enabled public key lookup to occur transparently i.e. without intervention from the user

  • More about the PKI and LDAP next week…

Digital signatures digital ids
Digital Signatures/Digital-IDs even helpful

  • A unique 'security code' appended to an electronic document

    • the digital equivalent of a signature on a paper document

      • authenticates the sender

      • permits the authenticity of the document to be proven

    • also used the ensure the integrity of the message sent

  • Digital Signatures are supplied packaged within a digital certificate

Digital certificate
Digital Certificate even helpful

  • A randomly generated number:

    • used to create the public-private key pair

    • Creates the attachment to an electronic message known as a digital signature

  • An individual wishing to send an encrypted email message applies for a digital certificate from a Certificate Authority (CA)

Certificate authorities
Certificate Authorities even helpful

  • Example: verisign


  • Trusted third-party organizations that issues the digital certificates used to create public-private key pairs

  • The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

Certificate authorities1
Certificate Authorities even helpful

  • Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company

  • The finance company provides it with information to confirm an individual's claimed identity

  • CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be

Supplying digital certificate s
Supplying even helpfulDigital Certificates

  • On request, a CA can produce an encrypted digital certificate for any applicant

  • Digital certificates contain:

    • the applicant's private key

    • a digital signature

  • The CA makes its own public key readily availableon the Internet

  • The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message

Digital certificate continued
Digital Certificate even helpful (continued)

  • The recipient:

    • verifies the digital signature as issued by the CA

    • obtains the sender's public key and digital signature held within the certificate

  • With this information, therecipient can send an encrypted reply

  • This procedure relies on the integrity of the CA, and the user must be able to trustthem

Digital signatures an increasing role in society
Digital Signatures: an increasing role in society… even helpful

  • Digital signatures allow online delivery of traditionally paper based correspondence

    • Contracts

    • Government forms such as tax returns

    • anything else that would require a hand-written signature for authentication…

  • The flip side of this is that information submitted WITHOUT a digital signature has NOT been authenticated, and a further means of proof of identity of sender should be sought

Authentication identity and identity theft
Authentication, Identity, and Identity Theft even helpful

  • Authentication alone is not enough

    • username/password may be stolen (or even borrowed with permission!)

  • Need proof:

    • something only that person would know…

    • something unique to that person Biometric data)

  • More on this later…