1

CompTIA Security+

Lecture Nine

Cryptography

Copyright 2011 - VTC

Basics of Cryptography� Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through untrusted networks.

� Cryptography converts plaintext or data into unreadable ciphertext

� Earlier methods used transposition or substitution ciphers (algorithms)

� Modern methods much more complex

� Mathematical algorithms used to encipher

2

2

Substitution Ciphers

� Caesar Cipher

� Each letter is replaced by the letter threepositions further down the alphabet.

• Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z

• Cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c

� Example: secret � vhfuhw

c = EK(p) = (p + k) mod 26

p = DK(c) = (c – k) mod 263

Transposition ciphers

4

� The values are scrambled, or put into a different order.

� The key determines the positions the values are moved to.

3

Cryptography Goals� Confidentiality◦ renders the information unintelligible except by authorized entities

� Authentication◦ verifies the identity of the user or system that created information

� Integrity◦ Data has not been altered in an unauthorized manner since it was created, transmitted, or stored

� Non-Repudiation◦ ensures that the sender cannot deny sending the message 5

Cryptography Definitions

� Cryptography: science of writing secrets through a cryptosystem

� Cryptanalysis: breaking cryptosystems

� Cryptology: Cryptography & Cryptanalysis

� Cryptosystem: device or system used to encrypt/decrypt data

� Algorithm: mathematical formula used in conjunction with key to encrypt/decrypt

6

4

Cryptography Definitions� Plaintext/Cleartext: unencrypted data

� Ciphertext/Cryptogram: encrypted data

� Encipher/Encrypt/Encode: to make data unreadable through cryptography

� Decipher/Decrypt/Decode: to make data readable by converting it from its encrypted state

� Key/Cryptovariable: defined set of characters that combine with algorithm to encrypt or decrypt data

� Key space: number of distinct keys available to a cipher based upon key size

7

Encryption Algorithms

� Kerckhoff's Principle states that security of encryption should depend upon secrecy of key - not encryption algorithm

� Most commonly used algorithms are open

� Government algorithms exception

� Algorithms are also classified as symmetric or asymmetric key algorithms

8

5

Encryption Algorithms� Symmetric algorithms classified as block or stream ciphers

◦ Block cipher: encrypts text in discrete block size

◦ Stream cipher: encrypts one bit at a time

� Ciphers use logical operations on bits to change them to encrypted form

� Logical AND/NAND

� Logical OR/NOR/XOR

9

Block Cipher

10

� The message is divided into blocks of bits. These blocks are then put through mathematical functions, one block at a time.

� A strong cipher contains the right level of two main attributes: confusion and diffusion. Confusion is carried out through substitution, while diffusion is carried out by using transposition.

6

Stream Cipher

11

� XOR each bit of plaintext continuous stream with a bit from a pseudo-random sequence

Symmetric Encryption

12

7

Symmetric Encryption

� Symmetric key

� Uses a shared secret key

� N(N-1)/2 = number of keys

� Faster than Asymmetric systems

� Difficult to break with larger key sizes

� Key exchange is problematic

13

Symmetric Encryption Algorithms

� Symmetric key algorithms include

◦ DES/3DES

◦ Blowfish

◦ IDEA

◦ RC4, RC5, RC6

◦ Advanced Encryption Standard (Rijndael)

14

8

DES

� Data Encryption Standard (DES)

� Block encryption, 56-bit key, 16 rounds

� Early algorithm no longer in widespread use -replaced by 3DES (triple DES)

� DES has 5 common modes of operation

◦ Electronic Code Book (ECB) mode

◦ Cipher Block Chaining (CBC) mode

◦ Cipher Feedback (CFB) mode

◦ Output Feedback (OFB) mode

◦ Counter Mode (CTR)15

DES

16

In CBC mode, the ciphertext from the previous block of data is used in

encrypting the next block of data.

A block cipher working in CFB mode

9

Triple DES (3DES)

� Triple DES replaced DES

� Block cipher, 168-bit key, 48 rounds

� Created to address vulnerabilities in DES

� Still in use, but replaced by Rijndael as Advanced Encryption Standard by NIST

� Triple DES can work in 3 different modes

◦ DES-EEE3: uses 3 different encryption keys

◦ DES-EDE3: uses 3 different encryption keys, and Encrypts, Decrypts, then Encrypts again

◦ DES-EEE2/DES-EDE2: uses 2 keys17

Triple DES (3DES)

18

10

Strengths & Weakness of Symmetric Key Systems

Strengths

� Much faster (less computationally intensive) than asymmetric systems.

� Hard to break if using a large key size.

Weaknesses

� Requires a secure mechanism to deliver keys properly

� Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming

� Provides confidentiality but not authenticity or nonrepudiation.

19

Asymmetric Encryption� Asymmetric encryption uses two keys, public and private

� Public keys given to anyone, and used to encrypt or verify digital signature

� Private keys kept secret and used to decrypt or digitally sign

� Asymmetric algorithms based on one-way function model

� Asymmetric algorithms can be used to encrypt data, to digitally sign email, and to distribute symmetric keys securely

� Asymmetric algorithms are slow20

11

Asymmetric Encryption

21

Asymmetric Encryption Algorithms� Asymmetric algorithms

◦ RSA (1977)

◦ El Gamal (1984)

◦ Elliptic Curve Cryptosystem (1985) (portable devices)

◦ Diffie-Hellman (used for secure key exchange only)

22

Adi Shamir, Ron Rivest and Len Adleman

12

Strengths & Weaknesses of Asymmetric Key Algorithms

Strengths

� Better key distribution than symmetric systems

� Better scalability than symmetric systems

� Can provide authentication and nonrepudiation

Weaknesses

�Works much more slowly than symmetric systems

� Mathematically intensive tasks

23

Differences Between Symmetric & Asymmetric Systems

24

13

Asymmetric and Symmetric Algorithms Used Together

� Public key cryptography uses for protecting encryption keys and key distribution, and a secret key is generated by a symmetric algorithm and used for bulk encryption.

25

Hashing

� Hashing is method of taking variable-length text and converting it to fixed-length ciphertext

� Usually used in hashing passwords for storage and transmission, and digital signatures

� Hashes also called message digest

� Hashing can provide for integrity of data

� Hash values should be unique to a message and not duplicated by another message - this is a collision

� Should be resistant to 'birthday' attacks26

14

Hashing

27

Digital Signature

28

Creating a digital signature

Verifying a digital signature

� A digital signature is a hash value that has been encrypted with the sender’s private key

15

Public Key Infrastructure

� PKI is group of technologies, methods, procedures, and controls established to ensure privacy and authenticity of digitally transmitted data

� Used to encrypt, digitally sign, and verify data sent over networks or the Internet

� Replaces secret key encryption

� Uses public and private keys to encrypt and digitally sign messages

� Can also be used to securely send symmetric or session keys - hybrid solution

29

Public Key Infrastructure

� Public key: encryption key that is distributed freely to anyone requiring it

� Private key: key that is kept secure and never transmitted

� Public key encrypts a message, but only private key can decrypt. Anyone can encrypt a message to you, but only you can decrypt it

� To digitally sign message, the reverse happens

30

16

Public Key Infrastructure

� Public keys have to be reliably distributed to prove they are tied to a valid private key

� Distributed through a digital certificate

� Digital certificate is issued from a trusted source that verifies the identity of the user and its connection to their private key

� Digital certificates use X.509 standards

� Trusted source is called a Certificate Authority (CA)

31

Certificate Authority

� CA can be a 3rd party entity used to verify identities of persons having public/private key

� Can also be a computer or software that issues digital certificates

� CA's can be internal or external

� Certificates issued/trusted only within your organization should come from internal CAs

� If you need trust from organizations outside yours, use external or 3rd party CA's (Verisign, Thawte, …)

32

17

Digital Certificates

� How to know the public key we receive is legitimate?

� Digital certificates use asymmetric cryptography to facilitate the secure exchange of public keys.

� Rely upon the use of trusted Certificate Authorities

� Digital certificate contents:

◦ Name of the certificate subject

◦ Subject's public key

◦ Name of the CA

◦ Serial number

◦ Signature algorithm

◦ Validity period

◦ CA's digital signature33

Public Key Certificate Use

34

18

35

36