cyber security: essentials · • openssl command-line tools for almost all ciphers, hashes, and...

CYBERSECURITY:ESSENTIALSDanielMedina—medina@nyu.edu

ADMINISTRATION

Notes:h)ps://medina.github.io

Anyonenewjoin?

NEWS

RECAP

CRYPTOGRAPHY

SUBSTITUTION

ASECRETMESSAGE

XPBZOBQJBPPXDB

What’sthekey?

TRANSPOSITION

ASECRETMESSAGE

RGAERESSTXESMXCA

What’sthekey?

ASECRETMESSAGEXX

AREGSESEETSXCMAX

RGAERESSTXESMXCA

RGAERESSTXESMXCA

TRANSPOSITION&

SUBSTITUTION

BITSBYTESCHARS

ASECRETMESSAGE

Sisacharacter

8-bitsbyteperchar

01010011

AND,OR,XOR

ONETIMEPAD

MessageXORKey=Encrypted

Length(KEY)==Length(MESSAGE)

ONETIMEPAD

Message=BUY_|SELL|HOLD Key=4randomchars

EncryptedMessage=XOR(M,K)

M = 1010011 1000101 1001100 1001100 K = 0110101 0100100 0011111 1010110 E = 1100110 1100001 1010011 0011010

ONETIMEPAD

Problems?

DES

F has subs, trans, xor

Certified for gov’t use:NIST FIPS PUB 46

Tampering:S-BoxesKey length (64/56 bits)

DES

What’sthekey?

(64-bits=>56-bits+8paritybits)

Problems?

AES:S$ckFigureGuide

DIFFIEHELLMANKX

Keyexchange

Solvethekey-sharingproblem

CryptoCharacters:

Alice&BobEve(passiveadversary)Mallory(aceveadversary)

Ilikethecookie-doughversionofthis…

RSA

RSA

Asymmetric System

Public Key

Private Key

A “hard” problem:factoring large #s

HASHFUNCTIONSMD5:128bits,`md5`or`opensslmd5`

'IleaveallmyfortunetoAlice'|md519755c81218340ed42f575bff3691c57'IleaveallmyfortunetoBob'|md54b67189b91f32b8a12f968ea1989a8fe

#Thiswouldbebad'IleaveallmyvastfortunetoEve'|md519755c81218340ed42f575bff3691c57

HASHFUNCTIONSSHA1:160bits,`shasum`or`opensslsha1`

echo'Hello,World'|shasum-a1#160bits4ab299c8ad6ed14f31923dd94f8b5f5cb89dfb54

echo'Hello,World'|shasum-a256#256bits8663bab6d124806b9727f89bb4ab9db4cbcc3862\f6bbf22024dfa7212aa4ab7d

echo'Hello,World'|shasum-a512#512bits44c4f73161332b2b058360310640c6704796ece7\6593e22ca32f76ccbc2c469d5b26ae64b996c781\65929ac1af7f9a0ae6132010c917f6b104196b86\48e108d3

HYBRIDS

Weknowabout:SymmetricKeyEncrypeonAsymmetricKeyEncrypeon

KeyExchangeHashFunceons

Howtomixandmatch?

SSL/TLS

ConfidentialityIntegrityAuthenticity

“Data in transit” security on the Internet

Increasingly attacked

SSL/TLS

Lotsofbackgroundreadingsonthechallenges• Heartbleed,comic(SSL/TLSvulnerability)• AAacksonSSL(iSecPartners)• SSLObservatory(EFF)• Themostdangerouscodeintheworld• SSLLabs/SSLLabsGradingChangesJanuary2017• RogueCAs:fakinggoogle.com,geknghacked,andgenerallyfailing

TOOLS

• opensslcommand-linetoolsforalmostallciphers,

hashes,andcombinaeons• Smallexercisewithopensslencrypeonmodes• SSLLabsprovidesexcellent“scoring”• SSLCheckerdecodecereficates• Let’sEncryptisafreeCAthatworkswithwebserverstogeneratecereficates

• Keybaseispublic/privatekeyhosengforpeople

OTHERCRYPTOREADINGS

• Crypto101,onlinebookunderdevelopment• SecurityEngineering,RossAnderson• TheDebianPRNGBug,HDMoore(2008)• RandomnessandtheNetscapeBrowser(1996)• WindowsNTran$ngsfromtheL0pht(1997)• Encryp$ngtheWeb,EFF

NSA,CIA,OTHERTLASThatcapability[oftheNSAandUSintelligencecommunity]atany$mecouldbeturnedaroundontheAmericanpeopleandnoAmericanwouldhaveanyprivacyleV.Therewouldbenoplacetohide.

Ifthisgovernmenteverbecameatyranny,thetechnologicalcapacitythattheintelligencecommunityhasgiventhegovernmentcouldenableittoimposetotaltyranny.Therewouldbenowaytofightback,becausethemostcarefulefforttocombinetogetherinresistancetothegovernment,nomaAerhowprivatelyitwasdone,iswithinthereachofthegovernmenttoknow.Suchisthecapacityofthistechnology.

Idon’twanttoseethiscountryevergoacrossthebridge.IknowthecapacitythatistheretomaketyrannytotalinAmerica,andwemustseetoitthatthisagencyandallagenciesthatpossessthistechnologyoperatewithinthelawandunderpropersupervisionsothatwenevercrossoverthatabyss.Thatistheabyssfromwhichthereisnoreturn

Sen.FrankChurch,1975,aquoteIknowfromDecryp$ngthePuzzlePalaceIusedtocallthisthe“scaryquote”.Nowit’scurrentevents.