1 / 39

COMP3123 Internet Security

COMP3123 Internet Security. Richard Henson University of Worcester October 2010. Week 2: Cryptography. Objectives: Describe a simple mathematical operation that could encrypt a text message Explain the differences between symmetric and asymmetric encryption

roden
Download Presentation

COMP3123 Internet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COMP3123 Internet Security Richard Henson University of Worcester October 2010

  2. Week 2: Cryptography • Objectives: • Describe a simple mathematical operation that could encrypt a text message • Explain the differences between symmetric and asymmetric encryption • Apply public-private key encryption to the sending of Internet email • Explain why digital signatures are necessary in the real world, and how they can be implemented

  3. The Answer to Data Breaches • Make it impossible for the information to be read… • Nothing new! • been happening for millennia • many clever techniques involved • Technique of changing digital data in a mathematical reversible way known as ENCRYPTION • studies involving encryption - cryptography

  4. What is Cryptography? • Practice of safely securing, storing, transmitting sensitive information • Purpose: conceal sensitive information from unauthorised persons • Outlines protocols, practices, procedures to build components of a cryptosystem • Associated with: • authenticity (proof of ownership) • integrity (data not tampered with in any way)

  5. What is a Cryptosystem?

  6. OSI level of cryptosystem • Depends on: • circumstances • risk • value of information • could be layer 1 • e.g. electronically, in communications equipment • could be layer 7… • encrypted directly from/to the screen

  7. Symmetric v Asymmetric • Asymm • Encryption: shared public key • Decryption: unshared private key • One way function

  8. Message Authentication • Message arrives: • intact & unmodified (integrity) • original authorship established (authenticity) • Message Authentication scheme: • inputs: secret key, message • output: message authentication code

  9. Key Escrow and Key Recovery • Escrow: a system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information • separate agencies keep complementary components of the key system so no entity possesses a usable key • law enforcement agencies can only intervene to get all components: • under a court order in pursuit of criminal evidence or activity

  10. Why is it necessary to change email data into Secret Codes? • As discussed last week… • Internet designed to be an “open” system • IDs of devices based on IP address • Data at rest or moving round the Internet could be intercepted by: • someone with a good knowledge of TCP/IP • any IT literate person with the appropriate software • This person could be anywhere in the world!

  11. How does Encryption work? • Unencrypted data sent over the Internet usually a sequence of ASCII codes • ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number • Encryption puts further coding onto each ASCII character in some reversible way before it is sent. Requires… • a coding method (often a mathematical operation) • a numerical value used with the coding method • The ASCII codes can always be recovered by someone who knows the encryption method

  12. Simple Encryption Example • Algorithm based on a mathematical operation such as ADD operating • Key based on a numerical digit (e.g 5) • Data represented by an ASCII code • Algorithm + key produce encrypted data

  13. Encryption Keys • The key must be kept secret – anyone with access to the key and the algorithm can decrypt any encrypted data produced with that combination • The coding method and the key used to produce cipher text must be known in order to get back the plain text

  14. Simple example of an Encryption Method • Method of encryption – add 5 to each ASCII code (this would be the key) • e.g. if plain text = HELLO (ASCII codes 48 45 4B 4B 4F) • Cipher text would be MJQQT (ASCII codes 4D 4A 50 50 54) • Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key

  15. Diagram – single key encryption server Message is decoded Message is coded key key User sends message via server Message is received Data is transmitted to another server

  16. Effectiveness of Encryption • Encryption can only be effective if: • either the key remains secret • Or the algorithm remains secret • During WWII, the Germans thought they had an encryption method that was impossible to decipher • With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were deciphered

  17. Encryption Techniques • Many techniques have been developed to enable digital data to be efficiently encrypted and decrypted • Examples: • DES (Data Encryption Standard) • IDEA (ID Encryption Algorithm) • RSA (Rivest, Shamir, Adleman) • Diffie-Hellmann • These can be classified into two types: • Symmetric Key • Asymmetric Key

  18. Symmetric Encryption • Sender and receiver share a single, common key – known as a symmetric key • Used both to encrypt and decrypt the message • Advantages: simpler and faster than other systems • Disadvantages: • the two parties must need to exchange the key in a secure way • the sender cannot easily be authenticated

  19. DES – an example of symmetric encryption • IBM/US gov, 1974-7; still popular • 56-bit encryption working on 64-bit blocks of data • However, in view of recent research, clearly inadequate for really secure encryption • “Using P2P architecture and over 100,000 participants (using only idle CPU time), distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

  20. What levels of encryption are available? • The more complex the key, the more difficult the encryption method is to decipher • a single 40-digit key can be mathematically deduced very quickly using a computer • known as WEAK encryption • an equivalent 128-digit key would take much longer to “crack” • known as STRONG encryption

  21. Making Encryption as Effective as Possible • It makes sense to use 128-digit key encryption if possible…. • However, with commercial products there may be trade offs… • e.g. Verisign 40-bit SSL • actually 128-bit within US • 40-bit for any communications that go outside US borders… • e.g. Verisign Global Server SSL • “the world’s strongest encryption” • standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide • Verisign product runs on servers from: • any non-U.S. software vendor • a U.S. software vendor properly classified by the U.S. Department of Commerce • Strong encryption may cost a little more • Is the extra expense going to be justified?

  22. Breaking an Encryption Technique • Usually achieved with the aid of very powerful computers • The more powerful the computer, the more likely that the key can be mathematically deduced • Until fairly recently, a 128-bit encryption key would have been considered to be secure • However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

  23. Secure Keys for Today and Tomorrow… • 256-bit encryption is probably now a minimum for single key encryption • but only a matter of time… • 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet • again, only a matter of time before even this can be cracked… • Solution - 1024 bit keys?

  24. Authentication – encryption alone may not be enough, or even helpful • When data is on the move to a computer or device OUTSIDE a particular domain, there must be a technique for verifying that the user really who he or she claims to be • In paper correspondence, authentication is provided by a signature • A number of digital methods of signature are now available • Windows 2000 provides SIGVER (file signing) • A method of checking incoming files to ensure that they are from a Microsoft approved source

  25. Asymmetric (twokey) encryption • Announced in 1976 byDiffie andHellman (US), but British scientists were secretly working on it much earlier and Ellis, at GCHQ made the first breakthrough in 1970 • Uses two keys: • public key- known to everyone • private orsecret key- known only to the recipient of the message • Example: John wants to send a secure message to Jane… • He uses Jane's public key to encrypt themessage • Jane then uses her private key to decrypt it • Original method did not support either encryption or digital signatures, and therefore was vulnerable to third party in the middle eavesdroppers

  26. Public Key Encryption (PKE) • can work in two ways: • private key encryption, public key decryption • public key encryption, private key decryption Private key on sender’s computer Unencrypted data Encrypted data Data sent through the Internet Public key on recipient computer Encrypted data Decrypted data Received by recipient’s computer

  27. Public Key Encryption (PKE) • The public and private keys must be related in such a way that • only the public key can be used to encrypt messages • only the corresponding private key can be used to decrypt them. • In theory it is virtually impossible to deduce the private key if you know the public key • PKE is also called asymmetric encryption because it uses two keys instead of one

  28. Practical Public Key Encryption • Authentication of sender is ALSO needed for securely transmitting information via the Internet • A variety of techniques have been developed to achieve this: • Pretty Good Privacy (PGP) • Digital Certificates & Public Key Infrastructure (PKI)

  29. PGP (Pretty Good Privacy) • Developed by Philip Zimmerman • official repository held at the Massachusetts Institute of Technology • One of the most common ways to protect messages on the Internet: • Effective • easy to use • free • based on the public-key method • with authentication using a “web of trust” • To encrypt a message using PGP, the receiver needs the PGPencryption package • made available for free download from a number of Internet sources

  30. PGP • Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman • Case: • he made PGP public • hence made it available to enemies of the U.S. • After a public outcry, U.S. lawsuit was dropped • still illegal to use PGP in many other countries

  31. LDAP and the PKI • An alternative approach to the “web of trust” the creation of an Internet infrastructure that could be used with PKE • became known as the Public Key Infrastructure • Use a central registry of public keys associated with authentication data, which is readily accessible • included a set of “lookup” protocols known as LDAP (Lightweight Directory Access Protocol) • enabled public key lookup to occur transparently i.e. without intervention from the user • More about the PKI and LDAP next week…

  32. Digital Signatures/Digital-IDs • A unique 'security code' appended to an electronic document • the digital equivalent of a signature on a paper document • authenticates the sender • permits the authenticity of the document to be proven • also used the ensure the integrity of the message sent • Digital Signatures are supplied packaged within a digital certificate

  33. Digital Certificate • A randomly generated number: • used to create the public-private key pair • Creates the attachment to an electronic message known as a digital signature • An individual wishing to send an encrypted email message applies for a digital certificate from a Certificate Authority (CA)

  34. Certificate Authorities • Example: verisign • www.verisign.com • Trusted third-party organizations that issues the digital certificates used to create public-private key pairs • The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

  35. Certificate Authorities • Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company • The finance company provides it with information to confirm an individual's claimed identity • CAs are a critical component in data security and e-commerce because they guarantee that the two parties exchanging information really are who they claim to be

  36. Supplying Digital Certificates • On request, a CA can produce an encrypted digital certificate for any applicant • Digital certificates contain: • the applicant's private key • a digital signature • The CA makes its own public key readily availableon the Internet • The recipient of the encrypted message can use the CA's public key to decode the digital certificate attached to the message

  37. Digital Certificate (continued) • The recipient: • verifies the digital signature as issued by the CA • obtains the sender's public key and digital signature held within the certificate • With this information, therecipient can send an encrypted reply • This procedure relies on the integrity of the CA, and the user must be able to trustthem

  38. Digital Signatures: an increasing role in society… • Digital signatures allow online delivery of traditionally paper based correspondence • Contracts • Government forms such as tax returns • anything else that would require a hand-written signature for authentication… • The flip side of this is that information submitted WITHOUT a digital signature has NOT been authenticated, and a further means of proof of identity of sender should be sought

  39. Authentication, Identity, and Identity Theft • Authentication alone is not enough • username/password may be stolen (or even borrowed with permission!) • Need proof: • something only that person would know… • something unique to that person Biometric data) • More on this later…

More Related