Cryptography and Network SecurityAn Overview

Nagendra U Mnamahesh@cisco.com

Agenda• Introduction

• Security Trends

• ASM: Attacks, Services, Mechanisms

• A Network Security Model

• Private-Key Cryptography / Symmetric Ciphers

• DES, 3DES, AES

• Private Key Distribution

• Public-Key Cryptography

• Mathematical Concepts

• The RSA Algorithm

• Key Management

• Hashing Algorithms

• Digital Signatures

• Authentication Protocols

• Network Security

• X.509, Public Key Infrastructure (PKI)

• PGP, S/MIME

• SSL/TLS

• IPSec

Model for Network Security

Simplified Model of Conventional Encryption

Model of Conventional Cryptosystem

Goals of an ‘Unconditionally Secure’ Encryption Algorithm:

● The cost of breaking the cipher exceeds the value of the encrypted information.● The time required to break the cipher exceeds the useful lifetime of the information.

CLASSIC SUBSTITUTION ALGORITHMS:

Caesar Cipher:C = E(k, p) = (p + k) mod 26p = D(k, C) = (C - k) mod 26

where K={1..25} for english

Monoalphabetic Ciphers:Substitute one arbitrary alphabet in the place of a particular alphabetFor english, it generates a key space of 26! (~4 x 10^26) keysBUT it can be broken by exploiting patterns in language

Polyalphabetic Ciphers:Use different monoalphabetic substitutions as one proceeds through the plaintext message.Vignere Cipher

CLASSIC TRANSPOSITION ALGORITHMS:

Rail-fence Technique:

Written as a sequence of diagonals and read off as a sequence of rows

Eg: “CiscoSystems” is written as

C s o y t m i c S s e s CipherText: CsoytmicSses A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by

column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.

Rotor Machines:

Steganography: Strictly speaking, its NOT encryption Conceal the existence of a message JPEG steganography

The Fiestel Cipher

DES: Data Encryption Standard• 64-bit plaintext blocks => 64-bit ciphertext blocks• 56-bit key• Same algorithm with the same key is used to decrypt and encrypt• Exhibits a strong Avalanche effect• No big deal nowadays

3DES: Triple DES• Since DES was too weak in itself• Do DES encryption 3 times in an E-D-E sequence• C = E(K1, D(K2, E(K1, P)))• Much stronger than DES

AES: Advanced Encryption Standard• Released in 2001 by the U.S. Govt.• Extremely strong algorithm• 128-bit plaintext blocks => 128-bit ciphertext blocks• 128, 192 or 256-bit keys

Blowfish• Developed by Bruce Schneier in 1993• Unofficially the strongest encryption algorithm• 64-bit plaintext blocks => 64-bit ciphertext blocks• Variable length keys from 32 to 448 bits• Twofish is the successor of Blowfish (128-bit blocks, 256-bit keys)

Block Cipher Modes• ECB – Electronic Code Book• CBC – Cipher Block Chaining

Where to do encryption?

Centralized Symmetric Key Distribution

Public Key Cryptography

Mathematical Concepts:• The ability to choose a large prime number• Discrete Logarithms

Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the different keys - one a public key and one a private key.

It can be used for confidentiality, authentication or both.

Hailed as the greatest revolution in information security – no more substitutions and permutations and the use of 2 keys !!!

Attacks 2 problems in symmetric cryptography: Key distribution and digital signatures

One way function:Y = f(X) easyX = f^-1(X) infeasible (NP-hard or NP-complete)

Public-key algorithms are very slow and resource-consuming to be used for encryption. For practical uses, they are confined to key management and signature applications

The Public Key cryptosystem for secrecy

The Public Key cryptosystem for authentication, integrity, nonrepudiation

Best of both worlds : Authentication/Integrity and Secrecy

RSA Algorithm

• Invented by Ronald Rivest, Adi Shamir, and Len Adleman at MIT in 1978• Block cipher (usually ~1024 bits block size)

The Algorithm:• p and q should be chosen at random, both of the same size and large numbers• n = p*q where n is used as the modulus for bothpublic and private keys• φ(n) is the Euler’s totient function• Choose e such that e and φ(n) are relatively prime• d is the private key exponent and e is the public key exponent

An Example:1) Let Plaintext = 882) Let p = 17, q = 11 (both primes)3) n = p*q = 17 * 11 = 1874) φ(n) = (p-1)(q-1) = 16*10 = 1605) We choose e = 7 since e < φ(n) and e is relatively prime to φ(n)6) Choose d such that d = 1(mod φ(n)) / e i.e. de = 1 (mod 160).

So, d = 7Public Key = {7,187} Private Key = {23,187}

7) At the sender’s end: Ciphertext C = P^e (mod n) = 88^7 (mod 187) = 118) At the receiver’s end: Plaintext P = C^d (mod n) = 11^7 (mod 187) = 88

Key Management

• Public-key encryption schemes are secure only if the authenticity of the public key is assured.• Various ways

● Public announcement● Publicly available directory● Public-key authority● Public-key certificates

Message Authentication• used to verify the integrity of a message

• Hash Functions• accepts a variable-size message M as input and produces a fixedsize output, referred to as a hash

code H(M) or Message Digest• Eg: MD5, SHA-256, SHA-512

Digital Signatures• taking the hash of the message and encrypting the message with the creator's private key

Authentication Applications• Kerberos – distributed authentication using symmetric cryptography• ITU-T X.509 – authentication based on X.500 directory service• PKI – Public Key Infrastructure• CHAP

Email SecurityPGP – Pretty Good Privacy

• FOSS• Authentication via digital signatures, confidentiality via symmetric block ciphers, compression via ZIP etc.

S/MIME – Secure/Multipurpose Internet Mail Extension• Internet standard approach

IP Security (IPSec)• capability that can be added to IPv$4 or IPv6 via additional headers• 3 areas – authentication, confidentiality, key management• Confidentality in 2 modes : tunnel and transport• Higher-level layers may be ignorant of security implications• RFC 2401-2408 • 2 main headers : AH (Authentication Header) and ESP (Encapsulating Security Payload)• Key Management: Internet Security Association and Key Mgmt. Protocol (ISAKMP)

Web Security• Secure Socket Layer (SSL)/Transport Layer Security(TLS)

Detailed Reference