rothke info security canada 2007 final
Post on 07-Nov-2014
Everything an Audit Professional needs to know about encryption in 50 minutes
Session 2F
Ben Rothke, CISSP CISM
Security Consultant, BT INS
Thursday June 14, 2007, 11:00 – 11:50 AM
About me
• Ben Rothke, CISSP CISM
• Security Consultant – BT INS
• Previously with AXA, ThruPoint, Baltimore Technologies, Ernst & Young, Citibank
• Have worked in the information technology sector since 1988 and information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
Full disclosure
This session is:
• An introduction to the fundamentals of cryptography, encryption and digital signatures
This session is not:
• A comprehensive overview of cryptography
• Heavy mathematics and science of cryptography
• Moral, legal, privacy, social and political issues
Key Points
• Need for cryptography has never been greater
– Levels of security and privacy are eroding.
• Aspects of cryptography are indeed rocket science.
– The average person who wants to use the security that cryptography provides can ignore the deep mathematics and focus on the basics of what cryptography can provide.
Topics to be discussed
• What and why’s of cryptography
• Brief history of cryptography
• Symmetric and asymmetric cryptography
• Keys and key sizes
• Digital Signatures and Certificates
• Advanced Encryption Standard
What is cryptography?
• Cryptography is:
– science of using mathematics to encrypt and decrypt data
– ensuring that communications are private
• Branch of cryptology dealing with the design of algorithms for encryption and decryption; used to ensure the secrecy and authenticity of data.
• Study of transforming information into a form that makes it unreadable to those without the appropriate permission to view it
• Derived from the Greek kryptos, meaning hidden.
Why is cryptography so important?
• Allows people to have the same level of trust and confidence that exists in the physical world with their data in the digital world.
• Enables interaction via e-mail, e-commerce, ATM machines, cell phones, etc.
• The continual increase in data transmitted electronically has led to an increased need for, and reliance on, cryptography.
• Until January 2000, the US Government considered strong cryptography to be an export-controlled munition, much like an M-16 or F-18.
Uses of cryptography
• Network and operating systems security
– Logins, data encryption, file system encryption
• Private Internet, telephone communications
• Electronic payments
– Secure web transactions, SSL, ATM
• Database security
• Software protection
– Music, DRM, DVD
• Pay television
• Confidential military communications
Four objectives of cryptography
1. Confidentiality – Data can’t be read by anyone for whom it wasn’t intended
2. Integrity – Data can’t be altered in storage or transit between sender and intended receiver without the alteration being detected.
3. Authentication - Sender and receiver can confirm each other’s identity
4. Non-repudiation – Inability to deny at a later time one’s involvement in a cryptographic process
Objectives of cryptography
• Confidentiality (threat: interception) – Are my communications private?
• Integrity (threat: modification) – Has my communication been altered?
• Authentication (threat: fabrication) – Who am I dealing with?
History of cryptography
Usually dated from about 2000 BC, with Egyptian hieroglyphics.
– Consisted of complex pictograms, the full meaning of which was only known to an elite few.
First known use of a modern cipher was by Julius Caesar (100 BC - 44 BC)
– Caesar didn’t trust his messengers when communicating with his governors and officers.
– He created a system with each character replaced by a character three positions ahead of it in the Roman alphabet.
History of cryptography
• Benedict Arnold, Mary, Queen of Scots and Abraham Lincoln all used ciphers.
• Cryptography has long been a part of war, diplomacy and politics.
• Development and growth of cryptography in the last 20 years is directly tied to the development of the microprocessor
– Cryptography is computationally intensive
– Without the PC revolution & ubiquitous x86 processor, there would never have been a vehicle where cryptography could have been economically and reasonably deployed.
PGP History
• 1991 – v1.0 written by Phil Zimmermann ships. RSA files suit against Zimmermann
• 1992 – v2.0 ships. Bass-O-Matic replaced by IDEA
• 1993 – FBI investigates Zimmermann for possible ITAR violations
• 1994 – v2.4 – ViaCrypt starts commercial distribution
• 1996 – PGP Inc. created. Legal case against Phil Zimmermann dropped.
• 1997 – v5.0 released by PGP Inc.
• 1997 – PGP Inc. acquired by Network Associates
• 1998 – v6.0 ships
• 1999 – PGP, Inc. rolled out as separate division of NAI
• 2000 – v7.0 ships
• 2000 – RSA patents expired on September 20, 2000
• 2000 – Bowing to intense pressure from Silicon Valley, the Clinton administration eliminates most restrictions on the export of data-encryption technology
• 2001 – Phil Zimmermann leaves NAI for Hush Communications
• 2002 – PGP Corp. buys back PGP products and intellectual property from NAI
• 2004 – PGP Desktop v.8.1 released
• 2005 – PGP Desktop v.9.0 released (May 2007 – current version – 9.6)
History of cryptography
• The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet - David Kahn
• The Code Book : The Science of Secrecy from Ancient Egypt to Quantum Cryptography - Simon Singh
• ICSA Guide to Cryptography - Randall Nichols
• Applied Cryptography - Bruce Schneier, CTO BT Counterpane
Everything You Need to Know about Cryptography
Six fundamental cryptography terms
1. Encryption – Conversion of data into a pattern, called ciphertext, rendering it unreadable.
2. Decryption – Process of converting ciphertext data back into its original form, so it can be read.
3. Algorithm - formula used to transform the plaintext into ciphertext. Also called a cipher.
4. Key – Complex sequence of alpha-numeric characters, produced by the algorithm, that allows you to encrypt and decrypt data
5. Plaintext – Decrypted or unencrypted data
6. Ciphertext – Data that has been encrypted
Advanced cryptography terms (that you don’t need to know)
RSA Factoring Challenge, PKCS, discrete logarithms, root CA, block cipher, one-time pad, factoring methods, covert channel, blind signature scheme, chosen ciphertext attack, key escrow, Pollard Rho method, Kerberos, CP & CPS, Capstone, meet-in-the-middle attack, linear cryptanalysis, adaptive-chosen-ciphertext attack, operational policy and procedures, one-way function, tamper resistant, Exclusive-OR, multiple polynomial quadratic sieve, differential cryptanalysis, Diffie-Hellman key exchange, iterated block cipher, key management, general purpose factoring algorithm, CAPI, dictionary attack, random numbers, SKPI, private exponent, chosen plaintext attack, elliptic curve discrete logarithm problem, NSA, brute force attack, CRL, session key, prime numbers, quantum cryptography, fields and rings, vector spaces and lattices, Boolean expressions, number field sieve, provably secure, threshold cryptography, key recovery, modular arithmetic, Galois field, Goppa code, random number generation, cryptographic tokens, X.509v3, ANSI X9.24, ICV, PRNG, ASN.1, FIPS, EAL, BSAFE, IDEA
Paper based trust
• In a paper based society, we:
– Write a letter and sign it
– Have a witness verify that the signature is authentic
– Put the letter in an envelope and seal it
– Send it by certified mail
• This gives the recipient confidence that the:
– Contents had not been read by anyone else
– Contents of the envelope were intact
– Letter came from the person who claimed to have sent it
– Person who sent it could not easily deny having sent it
Paper vs. Electronic trust
Symmetric Cryptography
• Oldest form of cryptography
• Single key is used both for encryption and decryption
Symmetric Cryptography
Q4 sales well below forecast → Encrypt → “BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsY\s@!q3” → Decrypt → Q4 sales well below forecast
Same Key (Secret) is used to encrypt and to decrypt
Asymmetric (Public-Key Cryptography)
• Form of encryption based on the use of two mathematically related keys (the public key and the private key) such that one key cannot be derived from the other.
– Public key encrypts data and verifies digital signature
– Private key decrypts data and digitally signs a document
PKC concepts
• You publish your public key to the world while keeping your private key secret.
• Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met.
• No one can deduce the private key from the public key.
• Anyone who has a public key can encrypt information but cannot decrypt it.
• Only the person who has the corresponding private key can decrypt the information.
PKC Benefits
• Key management
– With symmetric cryptography, it is essentially impossible to provide effective key management for large networks.
• Allows people who have no preexisting security arrangement to exchange messages securely.
• Need for sender and receiver to share secret keys via a secure channel is eliminated
– all communications involve only public keys
– no private key is ever transmitted or shared.
PKC history
• 1976 - Conceptual ideas developed by Whitfield Diffie and Martin Hellman to solve two pressing key management problems:
– You need a secure channel to set up a secure channel
– How do you get the key to a recipient without someone intercepting it?
• 1977 - First public-key cryptosystem designed by Ron Rivest, Adi Shamir & Len Adleman (RSA) at MIT
– British developed a PKC first; didn’t publicly acknowledge it.
PKC Process
• When sending a message to someone, you encrypt the message with their public key.
• Each user has a publicly known encryption key and a corresponding private key known only to that user
• They receive it and decrypt it with their private key
Symmetric vs. Asymmetric
Secret-key (symmetric) encryption
Public-key (asymmetric) encryption
Public-key Cryptography
CFO to resign next week → Encrypt (Public Key of recipient) → “BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsY\s@!q3” → Decrypt (Private Key of recipient) → CFO to resign next week
Portrait of a Public Key
The n^2 Problem
• With symmetric cryptography, as the number of users increases, the number of keys required to provide secure communications among those users increases rapidly.
• For a group of n users, there needs to be 1/2 (n^2 - n) keys for total communications
• As the number of parties increases (i.e., n becomes larger), the number of symmetric keys becomes unreasonably large for practical use.
– This is known as the n^2 Problem
The n^2 Problem
Users (n)    1/2 (n^2 - n)              Shared key pairs required
2            1/2 (4 - 2)                1
3            1/2 (9 - 3)                3
10           1/2 (100 - 10)             45
100          1/2 (10,000 - 100)         4,950
1000         1/2 (1,000,000 - 1,000)    499,500
Symmetric vs. Asymmetric
• From a security functionality perspective, symmetric cryptography is for the most part just as strong as asymmetric cryptography.
– Symmetric is much quicker though
• Where asymmetric shines is in solving the key management issues.
• No key management issues?
– No compelling need to use asymmetric cryptography.
Keys & key sizes
• Key – A value that works with a cryptographic algorithm to produce a specific ciphertext
• Keys do not encrypt or decrypt data; the algorithm does that.
• Keys are huge numbers measured in bits
– PGP key sizes range from 1024 to 4096 bits
– Key size depends on the data you want to protect and the hardware it is on (cell phone, PDA, server)
• Too big a key, too time-consuming
• Too small a key, too insecure
Keys & key sizes
• Symmetric and asymmetric key sizes are not equivalent
– 80-bit symmetric == 1024-bit asymmetric
– 128-bit symmetric == 3000-bit asymmetric
• Caveat: Key sizes are only one aspect of effective security
• Longer keys don’t always mean more security
– Does a longer dead-bolt mean your house is more secure?
• Can build a weak cryptographic system using huge keys.
How secure is good cryptography?
• If the underlying application software is configured correctly – very secure.
• Brute-force key search
– IDEA uses 128-bit keys for 2^128 possible combinations.
• If a special purpose chip (FPGA) could perform one billion decryptions per second, and the server had a billion chips running in parallel, it would still require over 10^12 years to try all of the possible keys, which is about a thousand times the age of the universe.
Cryptographic Algorithms
• An algorithm is a formula used to transform the plaintext into ciphertext
• Two types of algorithms:
– Symmetric
– Asymmetric
• Criteria:
– Degree of security
– Speed required
– Hardware platform
Symmetric Algorithms
• Identical keys used for encryption and decryption
• Examples:
– DES, Triple-DES, AES, IDEA, Blowfish, CAST, MARS, Twofish, Rijndael, RC2, RC4, RC6, A5, A5/1, Serpent, Skipjack, DEAL, SAFER
DES
• Most popular crypto standard ever
– Still used worldwide in myriad different scenarios
• Data Encryption Standard
– Uses DEA (Data Encryption Algorithm)
• Developed by IBM in 1975 and adopted by NIST in 1977
• Key size 56-bits = 2^56 possible keys or 72,057,594,037,927,936 keys
• 2^56 possible keys was an enormous amount in 1977
• By 1997, an attack against all 2^56 possible keys was easily possible and carried out.
Asymmetric Algorithms
• Different keys used for encryption & decryption
• Examples:
– RSA, DSA, Diffie-Hellman, ElGamal, Elliptic curve
• Private-key and Public-key
• Keys are directly related
Digital Signatures & Certificates
• Digital Certificate - An electronic credential
– Used to authenticate the identity of the message sender or the signer of a document
– Ensures that the original content of the message or document has not been altered.
– Shows that the contents of the information signed have not been modified.
– Value determined by issuing certificate authority
• Digital Signature – binding of a private key to a message.
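The key roles from the asymmetric cryptography and digital signature slides (public key encrypts and verifies, private key decrypts and signs), worked through with textbook RSA in Python. This is an added example, not part of the original presentation; the toy key built from two Mersenne primes and the function names are assumptions for illustration, and real systems use a vetted library with padding (OAEP, PSS) and randomly generated primes.

```python
import hashlib

# Constructed toy key pair (assumption for this example, never a real key):
# two well-known Mersenne primes stand in for randomly generated primes.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q                          # modulus, part of both keys
E = 65537                          # public exponent: (E, N) is published
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: (D, N) stays with the owner

def encrypt(message: bytes, public=(E, N)) -> int:
    """Anyone holding the recipient's public key can encrypt."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, private=(D, N)) -> bytes:
    """Only the holder of the private key can decrypt."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    # Hash the message and reduce it to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private=(D, N)) -> int:
    """Signing applies the private key to a hash of the message."""
    d, n = private
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public=(E, N)) -> bool:
    """Verification needs only the public key; any change to the message fails."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)

if __name__ == "__main__":
    msg = b"CFO to resign next week"
    print(decrypt(encrypt(msg)))
    sig = sign(msg)
    print(verify(msg, sig), verify(b"CFO to resign next year", sig))
```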
Digital Signatures & Certificates
What’s in the digital certificate?
• User’s name
• Public key of the user
– Required so that others can verify the user’s digital signature
• Validity period (lifetime) of the certificate
– Start & end date
• Approved operations
– For which the public key is to be used (whether for encrypting data, verifying digital signatures, or both)
Advanced Encryption Standard (AES)
• AES is a Federal Information Processing Standard (FIPS) that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.
• Replaces DES, which is now obsolete.
• Will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government and outside of the U.S.
AES technical details
• Key sizes: 128, 192 and 256 bits
– Possible 128-bit keys - 340 undecillion
– Possible 192-bit keys - 6.2 octodecillion
– Possible 256-bit keys - Almost a googol
• By comparison, DES keys are 56 bits long, which means there are 2^56 possible DES keys.
– There are 10^21 times more AES 128-bit keys than DES 56-bit keys.
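The key-space figures on the brute-force, DES and AES slides can be reproduced with a short script that also runs an exhaustive search against a deliberately tiny key. This is an added example, not part of the original presentation; `toy_cipher` and the 16-bit demo key are constructed for illustration and are not a real algorithm.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(key_bits: int) -> int:
    """Number of possible keys for a key of the given length."""
    return 2 ** key_bits

def toy_cipher(key: int, data: bytes) -> bytes:
    """Constructed toy cipher: XOR the data with SHA-256(key).
    Applying it twice with the same key decrypts. Handles up to 32 bytes."""
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def brute_force(ciphertext: bytes, known_start: bytes, key_bits: int):
    """Exhaustive key search: try every key until the decryption begins
    with text the searcher expects. Returns (key, keys_tried)."""
    for tries, key in enumerate(range(keyspace(key_bits)), start=1):
        if toy_cipher(key, ciphertext).startswith(known_start):
            return key, tries
    return None, keyspace(key_bits)

def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Time needed to try every key at a fixed rate."""
    return keyspace(key_bits) / keys_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    secret = 0xBEEF  # constructed 16-bit key, small enough to search quickly
    ct = toy_cipher(secret, b"Q4 sales well below forecast")
    print("16-bit key recovered:", brute_force(ct, b"Q4 sales", 16))
    rate = 1e9 * 1e9  # the slide's scenario: a billion chips, a billion tries/s each
    for name, bits in [("DES", 56), ("IDEA / AES-128", 128), ("AES-256", 256)]:
        print(f"{name}: {keyspace(bits):.3e} keys, "
              f"{years_to_exhaust(bits, rate):.3e} years at 1e18 keys/s")
    print(f"AES-128 vs DES key space: {keyspace(128) // keyspace(56):.3e}x")
```

Each additional key bit doubles the search, which is why the 16-bit key falls at once while the 128-bit estimate exceeds 10^12 years at the same rate.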
PGP (Pretty Good Privacy)
• Software package that provides strong cryptographic functionality
– e-mail, file, disk
• Originally developed as freeware, PGP has since become the de facto standard for e-mail security
– Has made cryptography accessible for everyone
• Commercial: www.pgp.com/products/index.html
• Source code: www.pgp.com/products/sourcecode.html
Using PGP
• Create your key
• Encrypt/Decrypt file
• Sign/Verify message
PGP keyring of public keys
PGP encryption/decryption
Digital signing
Digital signature verification
Additional References
For further information
Bruce Schneier
– Why Cryptography Is Harder Than It Looks
• www.schneier.com/essay-037.html
– Security Pitfalls in Cryptography
• www.schneier.com/essay-028.html
– Secrets and Lies: Digital Security in a Networked World
– Applied Cryptography: Protocols, Algorithms, and Source Code
RSA Cryptography FAQ
– www.rsa.com/rsalabs/node.asp?id=2152
Information Security Magazine
– http://infosecuritymag.techtarget.com
For further information
Steven Levy
– Crypto: How the Code Rebels Beat the Government -- Saving Privacy in the Digital Age
Simon Singh
– The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
H. X. Mel & Doris Baker
– Cryptography Decrypted: A Pictorial Introduction to Digital Security
Chey Cobb
– Cryptography for Dummies
Conclusions
• With Google, spyware, leaky Internet protocols and myriad other threats to security and privacy, cryptography has never been more important.
• While the hidden engine of cryptography uses Ph.D.-level mathematics, as an end-user, you are shielded from such complexity.
• By knowing what you need to secure, and how to do it, you can use cryptography to the fullest, without needing a Ph.D. in applied mathematics.
Thanks for attending
Any questions? comments?
Please fill out your evaluation sheets
Ben Rothke, CISSP CISM
Security Consultant
NY Metro | BT INS
Ben.Rothke@bt.com