Information Security Lesson 8 - Cryptography - Eric Vanderburg

Information Security © 2006 Eric Vanderburg Information Security Chapter 8 Cryptography


Terminology

• Cryptography – transforming information so that it is secure when stored or transmitted.

• Steganography – Hiding data inside another file

• Encryption – changing data so that it cannot be read

• Decryption – changing a message back so it can be read

• Algorithm – the mathematical formula used for encryption

• Key – value used by an algorithm to encrypt and decrypt


Terminology

• Weak key – A key that can easily be determined

• Plaintext (cleartext) – Unencrypted data

• Cypher – algorithm tool used for encryption and decryption

• Cyphertext – encrypted data


Cryptography Uses

• Non-repudiation – someone cannot deny that they did an action (sending an email)

• Confidentiality - encryption

• Authentication – verify individuals

• Integrity – hashes

• Access Control – limited to those who possess the key or token


Hashing

• One-way hash – create cyphertext from plaintext. It cannot be decrypted. It is used for integrity.

• Passwords stored on machines and devices are usually hashed
  – Windows: Store passwords using reversible encryption

• Checksum – looks at 1’s and 0’s in a byte and adds a 1 or 0 to the end.
  – Even parity – if the number of 1’s is odd, add a 1, if not add a 0
  – Odd parity – if the number of 1’s is odd, add a 0, if not add a 1


Secure Hashes

• Collision - hashing algorithms should not be able to produce two identical hashes from different messages

• You cannot predict what the hash will be for a message

• The hash cannot be reversed

• Hashing algorithms can be public but still produce secure hashes

• Hashes are all the same size no matter what size the message is


Message Digest (MD)

• Hashing algorithm

• MD2 – turns plaintext into a 128 bit hash
  – Padding is used to make the plaintext 128 if it is less than 128.
  – 16 byte checksum is attached
  – Created in 1989 for Intel processors that processed 16 bits at a time

• MD4 – turns plaintext into a 128 bit hash
  – Pads plaintext to 512 bits instead of 128
  – Many collisions – not secure. Less than a minute for a collision to occur


Message Digest (MD)

• MD5 – turns plaintext into a 128 bit hash. Also pads to 512 bits
  – Splits the data into 4 32 bit sections and compresses the result.
  – The compression is considered slightly weak


SHA (Secure Hash Algorithm)

• Creates a 160 bit hash of messages padded to 512 bits

• Invented in 1993 by the NSA (National Security Agency)

• Best hash to use


Symmetric Encryption

• Single key used for encryption and decryption

• Private Key Cryptography

• Stream cipher – one character is processed at a time
  – Fast on short messages
  – Easier to exploit because they are more predictable
  – Substitution – one letter is replaced by something else
    • Monoalphabetic – one to one
    • Homoalphabetic – one character is mapped to many ciphertext characters


Symmetric Encryption

• Transposition Cipher – rearranges characters

• All symmetric ciphers combine the plaintext and cipher stream together in the end to form the ciphertext. The process uses a binary XOR (different = 1, same = 0)

  • 0011011
  • 0101001
  • 0110010


Symmetric Encryption

• Block cipher – works on 8-16 bytes (a block) at a time
  – Better for encrypting longer messages
  – Harder to break because an 8-16 byte block is more unique than a single character


Symmetric Algorithms

• Iteration – running data through an algorithm – each iteration is called a round

• DES (Data Encryption Standard)
  – Developed by IBM called Lucifer in 128 bit length.
  – NSA adopted it in the early 70’s but shortened the length to 56 bits
  – Block cipher
  – 56 bit because the 64 bit parity is not used so 1 bit per byte is lost.
  – 64 bits of plaintext is iterated 16 times
  – Uses weak keys, can be broken in about 3 hours


Symmetric Algorithms

• DES Modes
  – ECB (Electronic Code Book) – block cipher that encrypts 64 bit portions of plaintext individually
  – CBC (Cipher Block Chaining) – links the blocks together to vary the output – more secure than ECB
  – CFB (Cipher Feedback) – The output of the first round is used as the pattern for the next. Most secure DES mode but very slow.
  – OFB (Output feedback) – adds the results of rounds together with the plaintext in each iteration

• 3DES (Triple DES)
  – 3 DES iterations (3x16 = 48)
  – Uses same weak keys as DES
  – Must use different keys for the iterations for it to be better than DES at all.
  – Takes much longer than DES
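
The difference between the ECB and CBC modes listed above, as an added example that is not part of the original slides. A 16-round Feistel network built on SHA-256 stands in for DES so that only the Python standard library is needed; that cipher, and the KEY, IV and PLAINTEXT values, are constructed for illustration, and the plaintext length is assumed to be a multiple of 8 bytes.

```python
import hashlib

BLOCK = 8  # 64 bit blocks, the DES block size


def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Round function: keyed hash cut to 32 bits (a stand-in for the DES f-function)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    # 16 Feistel rounds over one 64 bit block
    left, right = block[:4], block[4:]
    for i in range(16):
        f = _round(right, key, i)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted on its own
    return b"".join(encrypt_block(pt[i:i + BLOCK], key)
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block first
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev))
        prev = encrypt_block(mixed, key)
        out.append(prev)
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    # Number of different ciphertext blocks; 1 means the repetition leaked through
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


KEY = b"constructed-demo-key"      # constructed sample key
IV = bytes(range(BLOCK))           # fixed only for repeatable output; use a random IV in practice
PLAINTEXT = b"PAY 100." * 4        # constructed: the same 8 byte block four times

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(PLAINTEXT, KEY)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(PLAINTEXT, KEY, IV)))
```

Identical plaintext blocks give identical ECB ciphertext blocks, so an observer learns where data repeats without knowing the key; chaining removes that pattern.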


Symmetric Algorithms

• AES (Advanced Encryption Standard)
  – Replaced DES in 2000
  – Rijndael algorithm
  – Block cipher
  – Can work with different key sizes
    • 128 bit – 9 rounds
    • 192 bit – 11 rounds
    • 256 bit – 13 rounds
  – Each round performs substitution, transposition, and then multiplication
  – So far, AES is secure

• Blowfish
  – Block cipher, 64 bit blocks
  – Key length from 32-448 bits
  – So far, Blowfish is secure


Symmetric Algorithms

• IDEA (International Data Encryption Algorithm)
  – Created in early 90’s in Europe
  – 8 rounds
  – 128 bit key
  – Block cipher that works with 64 bit data slices
  – Used in PGP

• RC (Rivest Cipher)
  – RC1 and 3 not released
  – RC2 – block cipher, 40 bit key, works with 64 bit data slices, created first for Lotus, 18 rounds
  – RC4 – stream cipher, 128 bit key, used in WEP & SSL, weak keys
  – RC5 – block cipher, works with different key lengths, 12 rounds
  – RC6 – block cipher, 128, 192, and 256 bit keys, 20 rounds (finalist for AES)


Asymmetric Encryption

• Public Key Cryptography

• Solves the problem of key management

• Public Key – everyone knows, use for encryption

• Private Key – you know, use for decryption and signing

• Small key sizes can be broken

• A good key size is 1,536 bits


Asymmetric Algorithms

• RSA (Rivest Shamir Adleman)
  – Most common algorithm
  – Uses prime numbers
  – Slower
  – Used by S/MIME & SSL

• Diffie Hellman
  – Used in IPSec and SSH

• Elliptic Curve Cryptography
  – Uses a mathematical curve where two points intersect the curve and then a third point on the curve
  – A new algorithm so it has not been tested much


Algorithm Overview

Hashing       Symmetric     Asymmetric
MD 2, 4, 5    DES           RSA
SHA           3DES          Diffie-Hellman
              AES           Elliptic Curve
              Blowfish
              RC 2,4,5,6
              IDEA


Digital Signature

• Proves identity and integrity

• Non-repudiation

1. Create a hash of a message
2. Encrypt hash with private key
3. Receiver receives the message
4. Receiver decrypts the hash with the sender’s public key knowing the message came from them.
5. Receiver hashes the message and compares the hash with the hash contained in the message. If they match, the message was not changed or corrupted in transit.
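
The five signature steps above carried through in code, as an added example that is not part of the original slides. It uses textbook RSA with a toy key built from two Mersenne primes and SHA-256 as the hash; the key, the messages and the function names are assumptions chosen for illustration, and the key is far too small for real use.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed for this demo only)
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    # Step 1: hash the message (reduced mod N only because the toy key is small)
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    # Step 2: encrypt the hash with the sender's private key
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Step 4: decrypt the signed hash with the sender's public key (E, N)
    recovered = pow(signature, E, N)
    # Step 5: hash the received message and compare the two values
    return recovered == digest(message)


MESSAGE = b"Transfer 100 to account 42"     # constructed sample message
TAMPERED = b"Transfer 900 to account 42"    # same message altered in transit

if __name__ == "__main__":
    sig = sign(MESSAGE)                     # step 3: message and sig are sent
    print("original verifies:", verify(MESSAGE, sig))
    print("tampered verifies:", verify(TAMPERED, sig))
```

Production signature schemes add a padding scheme such as RSA-PSS around the hash before the private-key operation; the bare hash-then-exponentiate form here only illustrates the steps.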


Implementations

• PGP (Pretty Good Privacy)
  – Encrypts email messages
  – Uses asymmetric cryptography
  – GPG (GNU Privacy Guard) – free PGP program
  – PGP Desktop 9.0 (works with many other programs and also AOL Instant Messenger, Apple iChat and Trillian).

• EFS (Encrypting File System)
  – Encrypt documents or folders on an NTFS volume.
  – Uses a private key associated with a user and the recovery agent

• PAM (Pluggable Authentication Modules)
  – Modules written for PAM will work with many different authentication methods that PAM supports.
  – Used on UNIX machines

• CFS (Cryptographic File System)
  – Linux file encryption method using DES and 3DES


Acronyms

• AES, Advanced Encryption Standard
• CFS, Cryptographic File System
• DES, Data Encryption Standard
• EFS, Encrypting File System
• GPG, GNU Privacy Guard
• IDEA, International Data Encryption Algorithm
• MD, Message Digest
• PAM, Pluggable Authentication Module
• PGP, Pretty Good Privacy
• RC, Rivest Cipher
• RSA, Rivest Shamir Adleman
• SHA, Secure Hash Algorithm
• 3DES, Triple Data Encryption Standard