comptia security+ - wordpress.com · 3 cryptography goals confidentiality renders the information...
TRANSCRIPT
1
CompTIA Security+
Lecture Nine
Cryptography
Copyright 2011 - VTC
Basics of Cryptography� Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through untrusted networks.
� Cryptography converts plaintext or data into unreadable ciphertext
� Earlier methods used transposition or substitution ciphers (algorithms)
� Modern methods much more complex
� Mathematical algorithms used to encipher
2
2
Substitution Ciphers
� Caesar Cipher
� Each letter is replaced by the letter threepositions further down the alphabet.
• Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
• Cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c
� Example: secret � vhfuhw
c = EK(p) = (p + k) mod 26
p = DK(c) = (c – k) mod 263
Transposition ciphers
4
� The values are scrambled, or put into a different order.
� The key determines the positions the values are moved to.
3
Cryptography Goals� Confidentiality◦ renders the information unintelligible except by authorized entities
� Authentication◦ verifies the identity of the user or system that created information
� Integrity◦ Data has not been altered in an unauthorized manner since it was created, transmitted, or stored
� Non-Repudiation◦ ensures that the sender cannot deny sending the message 5
Cryptography Definitions
� Cryptography: science of writing secrets through a cryptosystem
� Cryptanalysis: breaking cryptosystems
� Cryptology: Cryptography & Cryptanalysis
� Cryptosystem: device or system used to encrypt/decrypt data
� Algorithm: mathematical formula used in conjunction with key to encrypt/decrypt
6
4
Cryptography Definitions� Plaintext/Cleartext: unencrypted data
� Ciphertext/Cryptogram: encrypted data
� Encipher/Encrypt/Encode: to make data unreadable through cryptography
� Decipher/Decrypt/Decode: to make data readable by converting it from its encrypted state
� Key/Cryptovariable: defined set of characters that combine with algorithm to encrypt or decrypt data
� Key space: number of distinct keys available to a cipher based upon key size
7
Encryption Algorithms
� Kerckhoff's Principle states that security of encryption should depend upon secrecy of key - not encryption algorithm
� Most commonly used algorithms are open
� Government algorithms exception
� Algorithms are also classified as symmetric or asymmetric key algorithms
8
5
Encryption Algorithms� Symmetric algorithms classified as block or stream ciphers
◦ Block cipher: encrypts text in discrete block size
◦ Stream cipher: encrypts one bit at a time
� Ciphers use logical operations on bits to change them to encrypted form
� Logical AND/NAND
� Logical OR/NOR/XOR
9
Block Cipher
10
� The message is divided into blocks of bits. These blocks are then put through mathematical functions, one block at a time.
� A strong cipher contains the right level of two main attributes: confusion and diffusion. Confusion is carried out through substitution, while diffusion is carried out by using transposition.
6
Stream Cipher
11
� XOR each bit of plaintext continuous stream with a bit from a pseudo-random sequence
Symmetric Encryption
12
7
Symmetric Encryption
� Symmetric key
� Uses a shared secret key
� N(N-1)/2 = number of keys
� Faster than Asymmetric systems
� Difficult to break with larger key sizes
� Key exchange is problematic
13
Symmetric Encryption Algorithms
� Symmetric key algorithms include
◦ DES/3DES
◦ Blowfish
◦ IDEA
◦ RC4, RC5, RC6
◦ Advanced Encryption Standard (Rijndael)
14
8
DES
� Data Encryption Standard (DES)
� Block encryption, 56-bit key, 16 rounds
� Early algorithm no longer in widespread use -replaced by 3DES (triple DES)
� DES has 5 common modes of operation
◦ Electronic Code Book (ECB) mode
◦ Cipher Block Chaining (CBC) mode
◦ Cipher Feedback (CFB) mode
◦ Output Feedback (OFB) mode
◦ Counter Mode (CTR)15
DES
16
In CBC mode, the ciphertext from the previous block of data is used in
encrypting the next block of data.
A block cipher working in CFB mode
9
Triple DES (3DES)
� Triple DES replaced DES
� Block cipher, 168-bit key, 48 rounds
� Created to address vulnerabilities in DES
� Still in use, but replaced by Rijndael as Advanced Encryption Standard by NIST
� Triple DES can work in 3 different modes
◦ DES-EEE3: uses 3 different encryption keys
◦ DES-EDE3: uses 3 different encryption keys, and Encrypts, Decrypts, then Encrypts again
◦ DES-EEE2/DES-EDE2: uses 2 keys17
Triple DES (3DES)
18
10
Strengths & Weakness of Symmetric Key Systems
Strengths
� Much faster (less computationally intensive) than asymmetric systems.
� Hard to break if using a large key size.
Weaknesses
� Requires a secure mechanism to deliver keys properly
� Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming
� Provides confidentiality but not authenticity or nonrepudiation.
19
Asymmetric Encryption� Asymmetric encryption uses two keys, public and private
� Public keys given to anyone, and used to encrypt or verify digital signature
� Private keys kept secret and used to decrypt or digitally sign
� Asymmetric algorithms based on one-way function model
� Asymmetric algorithms can be used to encrypt data, to digitally sign email, and to distribute symmetric keys securely
� Asymmetric algorithms are slow20
11
Asymmetric Encryption
21
Asymmetric Encryption Algorithms� Asymmetric algorithms
◦ RSA (1977)
◦ El Gamal (1984)
◦ Elliptic Curve Cryptosystem (1985) (portable devices)
◦ Diffie-Hellman (used for secure key exchange only)
22
Adi Shamir, Ron Rivest and Len Adleman
12
Strengths & Weaknesses of Asymmetric Key Algorithms
Strengths
� Better key distribution than symmetric systems
� Better scalability than symmetric systems
� Can provide authentication and nonrepudiation
Weaknesses
�Works much more slowly than symmetric systems
� Mathematically intensive tasks
23
Differences Between Symmetric & Asymmetric Systems
24
13
Asymmetric and Symmetric Algorithms Used Together
� Public key cryptography uses for protecting encryption keys and key distribution, and a secret key is generated by a symmetric algorithm and used for bulk encryption.
25
Hashing
� Hashing is method of taking variable-length text and converting it to fixed-length ciphertext
� Usually used in hashing passwords for storage and transmission, and digital signatures
� Hashes also called message digest
� Hashing can provide for integrity of data
� Hash values should be unique to a message and not duplicated by another message - this is a collision
� Should be resistant to 'birthday' attacks26
14
Hashing
27
Digital Signature
28
Creating a digital signature
Verifying a digital signature
� A digital signature is a hash value that has been encrypted with the sender’s private key
15
Public Key Infrastructure
� PKI is group of technologies, methods, procedures, and controls established to ensure privacy and authenticity of digitally transmitted data
� Used to encrypt, digitally sign, and verify data sent over networks or the Internet
� Replaces secret key encryption
� Uses public and private keys to encrypt and digitally sign messages
� Can also be used to securely send symmetric or session keys - hybrid solution
29
Public Key Infrastructure
� Public key: encryption key that is distributed freely to anyone requiring it
� Private key: key that is kept secure and never transmitted
� Public key encrypts a message, but only private key can decrypt. Anyone can encrypt a message to you, but only you can decrypt it
� To digitally sign message, the reverse happens
30
16
Public Key Infrastructure
� Public keys have to be reliably distributed to prove they are tied to a valid private key
� Distributed through a digital certificate
� Digital certificate is issued from a trusted source that verifies the identity of the user and its connection to their private key
� Digital certificates use X.509 standards
� Trusted source is called a Certificate Authority (CA)
31
Certificate Authority
� CA can be a 3rd party entity used to verify identities of persons having public/private key
� Can also be a computer or software that issues digital certificates
� CA's can be internal or external
� Certificates issued/trusted only within your organization should come from internal CAs
� If you need trust from organizations outside yours, use external or 3rd party CA's (Verisign, Thawte, …)
32
17
Digital Certificates
� How to know the public key we receive is legitimate?
� Digital certificates use asymmetric cryptography to facilitate the secure exchange of public keys.
� Rely upon the use of trusted Certificate Authorities
� Digital certificate contents:
◦ Name of the certificate subject
◦ Subject's public key
◦ Name of the CA
◦ Serial number
◦ Signature algorithm
◦ Validity period
◦ CA's digital signature33
Public Key Certificate Use
34