EncryptionEncryptionMatches Domain 4.0 Basics of Matches Domain 4.0 Basics of

Cryptography Cryptography (15 percent of Security +)(15 percent of Security +)

Network Security ClassNetwork Security ClassDr. KleistDr. Kleist

Note: Most material from Harris, Shon. (2003). Note: Most material from Harris, Shon. (2003). All-In-One CISSP All-In-One CISSP Certification Exam Guide.Certification Exam Guide. New York: McGraw-Hill/Osborne. New York: McGraw-Hill/Osborne.

Security + Exam and Security + Exam and CryptographyCryptography

4.1 Identify and explain hashing, symmetric, 4.1 Identify and explain hashing, symmetric, asymmetric (chpt. 5)asymmetric (chpt. 5)

4.2 Understand cryptography and 4.2 Understand cryptography and confidentiality, integrity (digital signatures), confidentiality, integrity (digital signatures), authentication, non-repudiation (digital authentication, non-repudiation (digital signatures), access control (Chpt. 5)signatures), access control (Chpt. 5)

4.3 PKI: certificates, certificate policies, 4.3 PKI: certificates, certificate policies, revocation, trust models (Chpt. 5)revocation, trust models (Chpt. 5)

4.4 Crypto standards and protocols (Chpt. 5)4.4 Crypto standards and protocols (Chpt. 5) 4.5 Key Management and Certificate Lifecycles 4.5 Key Management and Certificate Lifecycles

(centralized v. decentralized, storage, escrow, (centralized v. decentralized, storage, escrow, expiration, revocation, suspension, recovery, expiration, revocation, suspension, recovery, renewal, destruction, key usage (Chpt. 6)renewal, destruction, key usage (Chpt. 6)

Sources of LectureSources of Lecture Slides are drawn from several sources. Slides are drawn from several sources. Some research from Conklin, W. A., G. Some research from Conklin, W. A., G.

White, C. Cothren, D. Williams, R. Davis. White, C. Cothren, D. Williams, R. Davis. (2004). (2004). Principles of Computer SecurityPrinciples of Computer Security. . Boston:  McGraw-Hill Technology Boston:  McGraw-Hill Technology Education.  Education. 

Also material from Schneier, B. (2000, Also material from Schneier, B. (2000, 2004).  2004).  Secrets & Lies:  Digital Security in a Secrets & Lies:  Digital Security in a Networked World.Networked World.  Indianapolis:  Wiley   Indianapolis:  Wiley Publishing, Inc.Publishing, Inc.

Most of this material from Harris, Shon. Most of this material from Harris, Shon. (2003). (2003). All-In-One CISSP Certification Exam All-In-One CISSP Certification Exam Guide.Guide. New York: McGraw-Hill/Osborne. New York: McGraw-Hill/Osborne.

Exam 1Exam 1 Real exam is 90 minutes for 100 Real exam is 90 minutes for 100

questions, you must get a score of 764, questions, you must get a score of 764, and your points are normalized from 100 and your points are normalized from 100 to 900 points (i.e., changed in scaleto 900 points (i.e., changed in scale

Our exam 1 will be from real Security + Our exam 1 will be from real Security + exams, and will cover sections that are exams, and will cover sections that are matched to the chapters in our text, our matched to the chapters in our text, our lectures and the Schneier book. lectures and the Schneier book.

First exam will have 60 multiple choice First exam will have 60 multiple choice questions. questions.

Outline of Crypto SectionOutline of Crypto Section History of CryptographyHistory of Cryptography Common elements of all cryptographic Common elements of all cryptographic

systemssystems Cryptographic systems strengthCryptographic systems strength Types of ciphersTypes of ciphers Government involvementGovernment involvement Symmetric and asymmetric encryptionSymmetric and asymmetric encryption Digital signatures and certificate authoritiesDigital signatures and certificate authorities Cryptography in real networksCryptography in real networks PKIPKI

Outline, cont’d.Outline, cont’d. Key escrowKey escrow Methods of EncryptionMethods of Encryption Symmetric cryptography in NetworksSymmetric cryptography in Networks Asymmetric cryptography in NetworksAsymmetric cryptography in Networks Hybrid systemsHybrid systems PKIPKI CACA Message Integrity and HashesMessage Integrity and Hashes Digital SignatureDigital Signature One time padOne time pad

Outline, cont’dOutline, cont’d

Key managementKey management Hardware vs. software key Hardware vs. software key

managementmanagement Email standards, MIME, S/MIME, Email standards, MIME, S/MIME,

PEM, MSPPEM, MSP Standard cryptography used in Standard cryptography used in

networks of interest networks of interest Attacks on crypto systemsAttacks on crypto systems

History of CryptoHistory of Crypto The Code BookThe Code Book Substitution cipherSubstitution cipher Transposition cipherTransposition cipher Monoalphabetic substitutionMonoalphabetic substitution Scytale cipherScytale cipher Caesar cipherCaesar cipher Mary Queen of ScotsMary Queen of Scots Benedict ArnoldBenedict Arnold Enigma and TuringEnigma and Turing WindtalkersWindtalkers LuciferLucifer

Common Elements of All Common Elements of All CryptoCrypto

CryptanalysisCryptanalysis. .  Trying to figure out the message Trying to figure out the message without the key.without the key.

Algorithm.Algorithm.  Set of mathematical rules that dictate   Set of mathematical rules that dictate enciphering and deciphering.  Not part of the encryption enciphering and deciphering.  Not part of the encryption process, widely known.  process, widely known. 

Key.Key.   The key is the secret part of the process.  An The key is the secret part of the process.  An algorithm contains a keyspace, which is a range of values that algorithm contains a keyspace, which is a range of values that can be used to construct a key.  Key is random values within can be used to construct a key.  Key is random values within the keyspace range.  The larger the key space, the more the keyspace range.  The larger the key space, the more values can be used, and some think the safer the key, values can be used, and some think the safer the key, although Schneier disagrees.  although Schneier disagrees. 

Keyspace:Keyspace:  Possible values to construct keys Possible values to construct keys Plaintext.Plaintext.   The original data. The original data. Ciphertext.Ciphertext.  Message after key is used following the   Message after key is used following the

algorithm to the message, transforming it so eavesdroppers algorithm to the message, transforming it so eavesdroppers cannot figure it out. cannot figure it out.

Common Elements of All Common Elements of All CryptoCrypto

Encipher:Encipher:  Transform data into   Transform data into unreadable formatunreadable format

Decipher:Decipher:  Transform data into   Transform data into readable formatreadable format

Work factor:Work factor:  Definition of the   Definition of the amount of time, effort and resources amount of time, effort and resources necessary to break a crypto system.necessary to break a crypto system.

Cryptographic Systems Cryptographic Systems StrengthStrength

Strength of encryption comes from:Strength of encryption comes from:    Algorithm, secrecy of key, length of key, Algorithm, secrecy of key, length of key, initialization vectors, and how they all work initialization vectors, and how they all work together.  together. 

Improper protection of the key can Improper protection of the key can seriously weaken cryptoseriously weaken crypto.  (2600 discussion).  (2600 discussion)

Goals of Crypto systems:Goals of Crypto systems:  confidentiality,   confidentiality, authenticity, integrity, nonrepudiationauthenticity, integrity, nonrepudiation

Crypto system:Crypto system:  The hardware and software   The hardware and software that implement the crypto transformationsthat implement the crypto transformations

Types of CiphersTypes of Ciphers

Substitution cipherSubstitution cipher Transposition cipherTransposition cipher Running and concealment cipherRunning and concealment cipher Stream and Block CiphersStream and Block Ciphers A little bit different: SteganographyA little bit different: Steganography

Government InvolvementGovernment Involvement

NSANSA Clipper ChipClipper Chip FBI and WiretappingFBI and Wiretapping

Symmetric and Asymmetric Symmetric and Asymmetric EncryptionEncryption

Symmetric:Symmetric: Faster than Faster than asymmetric, hard to break with asymmetric, hard to break with large key, hard to distribute keys, large key, hard to distribute keys, too many keys required, cannot too many keys required, cannot authenticate or provide non-authenticate or provide non-repudiation. repudiation.

Includes:Includes: DES, Triple DES, DES, Triple DES, Blowfish, IDEA, RC4, RC5, RC6, AESBlowfish, IDEA, RC4, RC5, RC6, AES

Symmetric and Asymmetric Symmetric and Asymmetric EncryptionEncryption

Asymmetric cryptography:Asymmetric cryptography: Better Better at key distribution, better scalability at key distribution, better scalability for large systems, can provide for large systems, can provide authentication and non-repudiation, authentication and non-repudiation, slow, math intensiveslow, math intensive

Includes:Includes: RSA, ECC, Diffie Hellman, RSA, ECC, Diffie Hellman, El Gamal, DSA, Knapsack, PGPEl Gamal, DSA, Knapsack, PGP

Hybrid Asymmetric and Hybrid Asymmetric and Symmetric SystemsSymmetric Systems

Called Public Key CryptographyCalled Public Key Cryptography Use asymmetric algorithm for protecting Use asymmetric algorithm for protecting

symmetric encryption keyssymmetric encryption keys Use asymmetric for protecting key Use asymmetric for protecting key

distributiondistribution Use secret key for bulk encryption Use secret key for bulk encryption

requirementsrequirements Just don’t let the secret key travel unless it Just don’t let the secret key travel unless it

was asymmetrically encrypted!was asymmetrically encrypted! Uses best advantages of each approachUses best advantages of each approach

Public Key InfrastructurePublic Key Infrastructure

Comprehensive approach to Comprehensive approach to establishing a level of securityestablishing a level of security

PKI as an amalgam of approachesPKI as an amalgam of approaches InfrastructureInfrastructure Provides authentication, Provides authentication,

confidentiality, nonrepudiation, confidentiality, nonrepudiation, integrityintegrity

Specific protocols are not PKI, but an Specific protocols are not PKI, but an overarching architectureoverarching architecture

Certificate AuthorityCertificate Authority

Public Key CertificatePublic Key Certificate Registration AuthorityRegistration Authority Structure of CertificatesStructure of Certificates Trusted OrganizationTrusted Organization Can be internal or external to the Can be internal or external to the

organizationorganization Entrust, VerisignEntrust, Verisign Certification Revocation ListsCertification Revocation Lists Can be provided by browserCan be provided by browser

Message Integrity and Message Integrity and HashesHashes

Has message been altered?Has message been altered? Hash, hash functionHash, hash function One way hashOne way hash Message digestMessage digest Create a fingerprint of a messageCreate a fingerprint of a message Message can be altered either Message can be altered either

intentionally or unintentionallyintentionally or unintentionally

Digital SignatureDigital Signature

Hash value encrypted with the Hash value encrypted with the sender’s private keysender’s private key

Act of signing means encrypting Act of signing means encrypting message’s hash value with private keymessage’s hash value with private key

Ensures that message was not altered Ensures that message was not altered and also came from Boband also came from Bob

Ensures integrity, authentication, and Ensures integrity, authentication, and non-repudiationnon-repudiation

DSSDSS

AlgorithmsAlgorithms AsymmetricAsymmetric

RSARSA ECCECC Diffie HellmanDiffie Hellman El GamalEl Gamal Digital SignatureDigital Signature

SymmetricSymmetric DES, 3DESDES, 3DES BlowfishBlowfish IDEAIDEA RC4RC4 SAFERSAFER

Hashing AlgorithmsHashing Algorithms

MD2MD2 MD4MD4 MD5MD5 SHASHA HAVALHAVAL What does a good cryptographic What does a good cryptographic

hash function have?hash function have?

One Time PadOne Time Pad

What is a one time pad?What is a one time pad? Perfect encryptionPerfect encryption RandomRandom Integrated into some applicationsIntegrated into some applications High securityHigh security But, have to distribute pad (like But, have to distribute pad (like

German High Command with German High Command with submarines and Enigma codes)submarines and Enigma codes)

Issues of Key Issues of Key ManagementManagement

PrinciplesPrinciples Key lengthKey length StorageStorage RandomRandom More used, shorter its lifetimeMore used, shorter its lifetime EscrowEscrow Destroy at end of lifetimeDestroy at end of lifetime

Hardware v. SoftwareHardware v. Software

Software less expensiveSoftware less expensive Hardware more expensiveHardware more expensive Software slower throughputSoftware slower throughput Hardware faster throughputHardware faster throughput Software more easily modifiedSoftware more easily modified High end solutions will be hardwareHigh end solutions will be hardware

Email StandardsEmail Standards

MIMEMIME S/MIMES/MIME PEMPEM MSPMSP

What do Networks Use What do Networks Use for Real?for Real?

PGPPGP

Phil ZimmermanPhil Zimmerman FreeFree DownloadDownload ImplementImplement Use on emailUse on email Print message encoded and decodedPrint message encoded and decoded Web of TrustWeb of Trust

Internet SecurityInternet Security

HTTPHTTP S-HTTPS-HTTP HTTPSHTTPS SSLSSL SETSET SSHSSH IPSecIPSec

Attacks on Crypto Attacks on Crypto SystemsSystems

Ciphertext Only AttackCiphertext Only Attack Know Plaintext AttackKnow Plaintext Attack Chosen Plaintext AttackChosen Plaintext Attack Man In the Middle AttackMan In the Middle Attack Dictionary AttackDictionary Attack Side ChannelSide Channel