Information Security Lesson 8 - Cryptography - Eric Vanderburg
-
Upload
eric-vanderburg -
Category
Technology
-
view
350 -
download
0
description
Transcript of Information Security Lesson 8 - Cryptography - Eric Vanderburg
Information Security © 2006 Eric Vanderburg
Information Security
Chapter 8
Cryptography
Information Security © 2006 Eric Vanderburg
Terminology
• Cryptography – transforming information so that it is secure when stored or transmitted.
• Steganography – Hiding data inside another file• Encryption – changing data so that it cannot be
read• Decryption – changing a message back so it can
be read• Algorithm – the mathematical formula used for
encryption• Key – value used by an algorithm to encrypt and
decrypt
Information Security © 2006 Eric Vanderburg
Terminology
• Weak key – A key that can easily be determined
• Plaintext (cleartext) – Unencrypted data
• Cypher – algorithm tool used for encryption and decryption
• Cyphertext – encrypted data
Information Security © 2006 Eric Vanderburg
Cryptography Uses
• Non-repudiation – someone cannot deny that they did an action (sending an email)
• Confidentiality - encryption
• Authentication – verify individuals
• Integrity – hashes
• Access Control – limited to those who possess the key or token
Information Security © 2006 Eric Vanderburg
Hashing• One-way hash – create cyphertext from
plaintext. It cannot be decrypted. It is used for integrity.
• Passwords stored on machines and devices are usually hashed– Windows: Store passwords using reversible
encryption
• Checksum – looks at 1’s and 0’s in a byte and adds a 1 or 0 to the end. – Even parity – if the number of 1’s is odd, add a 1, if
not add a 0– Odd parity – if the number of 1’s is odd, add a 0, if not
add a 1
Information Security © 2006 Eric Vanderburg
Secure Hashes
• Collision - hashing algorithms should not be able to produce two identical hashes from different messages
• You cannot predict what the hash will be for a message
• The hash cannot be reversed• Hashing algorithms can be public but still
produce secure hashes• Hashes are all the same size no matter
what size the message is
Information Security © 2006 Eric Vanderburg
Message Digest (MD)
• Hashing algorithm• MD2 – turns plaintext into a 128 bit hash
– Padding is used to make the plaintext it 128 if it is less than 128.
– 16 byte checksum is attached– Created in 1989 for Intel processors that
processed 16 bits at a time
• MD4 - turns plaintext into a 128 bit hash– Pads plaintext to 512 bits instead of 128– Many collisions – not secure. Less than a
minute for a collision to occur
Information Security © 2006 Eric Vanderburg
Message Digest (MD)
• MD5 - turns plaintext into a 128 bit hash. Also pads to 512 bits– Splits the data into 4 32 bit sections and
compresses the result. – The compression is considered slightly weak
Information Security © 2006 Eric Vanderburg
SHA (Secure Hash Algorithm)
• Creates a 160 bit hash of messages padded to 512 bits
• Invented in 1993 by the NSA (National Security Agency)
• Best hash to use
Information Security © 2006 Eric Vanderburg
Symmetric Encryption
• Single key used for encryption and decryption• Private Key Cryptography• Stream cipher – one character is processed at a
time– Fast on short messages– Easier to exploit because they are more predictable– Substitution – one letter is replaced by something else
• Monoalphabetic – one to one• Homoalphabetic – one character is mapped to many
ciphertext characters
Information Security © 2006 Eric Vanderburg
Symmetric Encryption
• Transposition Cipher – rearranges characters
• All symmetric ciphers combine the plaintext and cipher stream together in the end to form the ciphertext. The process uses a binary XOR (different = 1, same = 0)
• 0011011• 0101001• 0110010
Information Security © 2006 Eric Vanderburg
Symmetric Encryption
• Block cipher – works on 8-16 bytes (a block) at a time– Better for encrypting longer messages– Harder to break because an 8-16 byte block is
more unique than a single character
Information Security © 2006 Eric Vanderburg
Symmetric Algorithms
• Iteration – running data through an algorithm – each iteration is called a round
• DES (Data Encryption Standard)– Developed by IBM called Lucifer in 128 bit length. – NSA adopted it in the early 70’s but shortened the
length to 56 bits– Block cipher– 56 bit because the 64 bit parity is not used so 1 bit
per byte is lost. – 64 bits of plaintext is iterated 16 times– Uses weak keys, can be broken in about 3 hours
Information Security © 2006 Eric Vanderburg
Symmetric Algorithms• DES Modes
– ECB (Electronic Code Book) – block cipher that encrypts 64 bit portions of plaintext individually
– CBC (Cipher Block Chaining) – links the blocks together to vary the output – more secure than ECB
– CFB (Cipher Feedback) – The output of the first round is used as the pattern for the next. Most secure DES mode but very slow.
– OFB (Output feedback) – adds the results of rounds together with the plaintext in each iteration
• 3DES (Triple DES)– 3 DES iterations (3x16 = 48)– Uses same weak keys as DES– Must use different keys for the iterations for it to be better than
DES at all. – Takes much longer than DES
Information Security © 2006 Eric Vanderburg
Symmetric Algorithms• AES (Advanced Encryption Standard)
– Replaced DES in 2000– Rinjdael algorithm– Block cipher– Can work with different key sizes
• 128 bit – 9 rounds• 192 bit – 11 rounds• 256 bit – 13 rounds
– Each round performs substitution, transposition, and then multiplication
– So far, AES is secure
• Blowfish– Block cipher, 64 bit blocks– Key length from 32-448 bits– So far, blowfish is secure
Information Security © 2006 Eric Vanderburg
Symmetric Algorithms• IDEA (International Data Encryption Algorithm)
– Created in early 90’s in Europe– 8 rounds– 128 bit key– Block cipher that works with 64 bit data slices– Used in PGP
• RC (Rivest Cipher)– RC1 and 3 not released– RC2 – block cipher, 40 bit key, works with 64 bit data slices,
created first for lotus, 18 rounds– RC4 – steam cipher, 128 bit key, used in WEP & SSL, weak
keys– RC5 – block cipher, works with different key lengths, 12 rounds– RC6 – block cipher, 128, 192, and 256 bit keys, 20 rounds
(finalist for AES)
Information Security © 2006 Eric Vanderburg
Asymmetric Encryption
• Public Key Cryptography
• Solves the problem of key management
• Public Key – everyone knows, use for encryption
• Private Key – you know, use for decryption and signing
• Small key sizes can be broken
• A good key size is 1,536 bits
Information Security © 2006 Eric Vanderburg
Asymmetric Algorithms
• RSA (Rivest Shamir Adleman)– Most common algorithm– Uses prime numbers– Slower– Used by S/MIME & SSL
• Diffie Hellman– Used in IPSec and SSH
• Elliptic Curve Cryptography– Uses a mathematical curve where two points intersect
the curve and then a third point on the curve– A new algorithm so it has not been tested much
Information Security © 2006 Eric Vanderburg
Algorithm Overview
Hashing Symmetric Asymmetric
MD 2, 4, 5
SHA
DES
3DES
AES
Blowfish
RC 2,4,5,6
IDEA
RSA
Diffie-Hellman
Elliptic Curve
Information Security © 2006 Eric Vanderburg
Digital Signature• Proves identity and integrity• Non-repudiation1. Create a hash of a message2. Encrypt hash with private key3. Receiver receives the message4. Receiver decrypts the hash with the sender’s
public key knowing the message came from them.
5. Receiver hashes the message and compares the hash with the hash contained in the message. If they match, the message was not changed or corrupted in transit.
Information Security © 2006 Eric Vanderburg
Implementations• PGP (Pretty Good Privacy)
– Encrypts email messages– Uses asymmetric cryptography– GPG (GNU Privacy Guard) – free PGP program– PGP Desktop 9.0 (works with many other programs and also
AOL Instant Messenger, Apple iChat and Trillian. • EFS (Encrypting File System)
– Encrypt documents or folders on an NTFS volume. – Uses a private key associated with a user and the recovery
agent• PAM (Pluggable Authentication Modules)
– Modules written for PAM will work with many different authentication methods that PAM supports.
– Used on UNIX machines• CFS (Cryptographic File System)
– Linux file encryption method using DES and 3DES
Information Security © 2006 Eric Vanderburg
Acronyms• AES, Advanced Encryption Standard• CFS, Crypographic File System• DES, Data Encryption Standard• EFS, Encrypting File System• GPG, GNU Privacy Guard• IDEA, International Data Encryption Algorithm• MD, Message Digest• PAM, Pluggable Authentication Module• PGP, Pretty Good Privacy• RC, Rivest Cipher• RSA, Rivest Shamir Adleman• SHA, Secure Hash Algorithm• 3DES, Triple Data Encryption Standard