cryptography and network security
DESCRIPTION
This presentation introduces the basics of cryptography and network security. It is heavily derived from William Stallings's book of the same title.
TRANSCRIPT
Cryptography and Network Security: An Overview
Nagendra U
Agenda
• Introduction
• Security Trends
• ASM: Attacks, Services, Mechanisms
• A Network Security Model
• Private-Key Cryptography / Symmetric Ciphers
• DES, 3DES, AES
• Private Key Distribution
• Public-Key Cryptography
• Mathematical Concepts
• The RSA Algorithm
• Key Management
• Hashing Algorithms
• Digital Signatures
• Authentication Protocols
• Network Security
• X.509, Public Key Infrastructure (PKI)
• PGP, S/MIME
• SSL/TLS
• IPSec
Model for Network Security
Simplified Model of Conventional Encryption
Model of Conventional Cryptosystem
Goals of an ‘Unconditionally Secure’ Encryption Algorithm:
● The cost of breaking the cipher exceeds the value of the encrypted information.
● The time required to break the cipher exceeds the useful lifetime of the information.
CLASSIC SUBSTITUTION ALGORITHMS:
Caesar Cipher:
C = E(k, p) = (p + k) mod 26
p = D(k, C) = (C - k) mod 26
where k ∈ {1..25} for English
Monoalphabetic Ciphers:
Substitute an arbitrary letter for each letter of the alphabet.
For English, this gives a key space of 26! (~4 x 10^26) keys,
BUT it can be broken by exploiting patterns in the language.
Polyalphabetic Ciphers:
Use different monoalphabetic substitutions as one proceeds through the plaintext message.
Example: Vigenère Cipher
CLASSIC TRANSPOSITION ALGORITHMS:
Rail-fence Technique:
Written as a sequence of diagonals and read off as a sequence of rows
Eg: “CiscoSystems” is written as
C s o y t m
 i c S s e s
CipherText: CsoytmicSses
A more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.
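Both transposition schemes above, as an added Python example that is not part of the original slides. It generalizes the rail fence to any number of rails; the function names, the column key (2, 0, 1) used in the test and the pad character are assumptions made for illustration.

```python
def rail_pattern(length, rails):
    """Rail index of each plaintext position along the zig-zag."""
    if rails < 2:
        raise ValueError("need at least 2 rails")
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]

def rail_fence_encrypt(plaintext, rails=2):
    """Write along the diagonals, read off rail by rail."""
    pattern = rail_pattern(len(plaintext), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(plaintext, pattern) if p == r)

def rail_fence_decrypt(ciphertext, rails=2):
    pattern = rail_pattern(len(ciphertext), rails)
    # Plaintext positions in the order the cipher read them (stable sort by rail).
    order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plain[pos] = ch
    return "".join(plain)

def columnar_encrypt(plaintext, key, pad="x"):
    """key is a permutation of 0..n-1: the order in which columns are read."""
    width = len(key)
    if sorted(key) != list(range(width)):
        raise ValueError("key must be a permutation of 0..n-1")
    plaintext += pad * (-len(plaintext) % width)  # fill the last row
    return "".join(plaintext[col::width] for col in key)

def columnar_decrypt(ciphertext, key):
    width = len(key)
    rows = len(ciphertext) // width
    columns = [""] * width
    for i, col in enumerate(key):
        columns[col] = ciphertext[i * rows:(i + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(width))
```

Neither scheme changes letter frequencies, so the ciphertext still shows the plaintext's single-letter statistics.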
Rotor Machines:
Steganography:
Strictly speaking, it's NOT encryption
Conceals the existence of a message
JPEG steganography
The Feistel Cipher
DES: Data Encryption Standard
• 64-bit plaintext blocks => 64-bit ciphertext blocks
• 56-bit key
• Same algorithm with the same key is used to decrypt and encrypt
• Exhibits a strong Avalanche effect
• No big deal nowadays
3DES: Triple DES
• Since DES was too weak in itself
• Do DES encryption 3 times in an E-D-E sequence
• C = E(K1, D(K2, E(K1, P)))
• Much stronger than DES
AES: Advanced Encryption Standard
• Released in 2001 by the U.S. Govt.
• Extremely strong algorithm
• 128-bit plaintext blocks => 128-bit ciphertext blocks
• 128, 192 or 256-bit keys
Blowfish
• Developed by Bruce Schneier in 1993
• Unofficially the strongest encryption algorithm
• 64-bit plaintext blocks => 64-bit ciphertext blocks
• Variable length keys from 32 to 448 bits
• Twofish is the successor of Blowfish (128-bit blocks, 256-bit keys)
Block Cipher Modes
• ECB – Electronic Code Book
• CBC – Cipher Block Chaining
Where to do encryption?
Centralized Symmetric Key Distribution
Public Key Cryptography
Mathematical Concepts:
• The ability to choose a large prime number
• Discrete Logarithms
Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one a public key and one a private key.
It can be used for confidentiality, authentication or both.
Hailed as the greatest revolution in information security – no more substitutions and permutations and the use of 2 keys !!!
Attacks 2 problems in symmetric cryptography: key distribution and digital signatures
One-way function:
Y = f(X) easy
X = f^-1(Y) infeasible (NP-hard or NP-complete)
Public-key algorithms are too slow and resource-consuming to be used for encryption. For practical uses, they are confined to key management and signature applications.
The Public Key cryptosystem for secrecy
The Public Key cryptosystem for authentication, integrity, nonrepudiation
Best of both worlds : Authentication/Integrity and Secrecy
RSA Algorithm
• Invented by Ronald Rivest, Adi Shamir, and Len Adleman at MIT in 1978
• Block cipher (usually ~1024 bits block size)
The Algorithm:
• p and q should be chosen at random, both large numbers of the same size
• n = p*q, where n is used as the modulus for both public and private keys
• φ(n) is Euler’s totient function
• Choose e such that e and φ(n) are relatively prime
• d is the private key exponent and e is the public key exponent
An Example:
1) Let Plaintext = 88
2) Let p = 17, q = 11 (both primes)
3) n = p*q = 17 * 11 = 187
4) φ(n) = (p-1)(q-1) = 16*10 = 160
5) We choose e = 7 since e < φ(n) and e is relatively prime to φ(n)
6) Choose d such that d = e^-1 (mod φ(n)), i.e. de = 1 (mod 160). So, d = 23, since 23 * 7 = 161 = 1 (mod 160)
Public Key = {7,187}
Private Key = {23,187}
7) At the sender’s end: Ciphertext C = P^e (mod n) = 88^7 (mod 187) = 11
8) At the receiver’s end: Plaintext P = C^d (mod n) = 11^23 (mod 187) = 88
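The key setup and the worked example above, carried through in Python as an added example that is not part of the original slides. It derives d with the extended Euclidean algorithm and also runs the private-key-first direction used for authentication; the function names are assumptions, and this is unpadded textbook RSA with the slide's toy parameters, for study only.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keypair(p, q, e):
    """Build ({e, n}, {d, n}) from primes p, q and public exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    _, x, _ = egcd(e, phi)               # e*x + phi*y == 1
    d = x % phi                          # so d*e == 1 (mod phi(n))
    return (e, n), (d, n)

def rsa_apply(key, block):
    """Modular exponentiation with either key; block must be below n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be in the range [0, n)")
    return pow(block, exponent, n)

# The slide's numbers: p = 17, q = 11, e = 7, plaintext 88.
PUBLIC, PRIVATE = rsa_keypair(17, 11, 7)
CIPHERTEXT = rsa_apply(PUBLIC, 88)          # sender: P^e mod n
RECOVERED = rsa_apply(PRIVATE, CIPHERTEXT)  # receiver: C^d mod n

# Authentication direction: transform with the private key, check with the public key.
SIGNATURE = rsa_apply(PRIVATE, 88)
VERIFIED = rsa_apply(PUBLIC, SIGNATURE)
```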
Key Management
• Public-key encryption schemes are secure only if the authenticity of the public key is assured.
• Various ways:
● Public announcement
● Publicly available directory
● Public-key authority
● Public-key certificates
Message Authentication
• used to verify the integrity of a message
• Hash Functions
• accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M) or Message Digest
• Eg: MD5, SHA-256, SHA-512
Digital Signatures
• taking the hash of the message and encrypting the message with the creator's private key
Authentication Applications
• Kerberos – distributed authentication using symmetric cryptography
• ITU-T X.509 – authentication based on X.500 directory service
• PKI – Public Key Infrastructure
• CHAP
Email Security
PGP – Pretty Good Privacy
• FOSS
• Authentication via digital signatures, confidentiality via symmetric block ciphers, compression via ZIP etc.
S/MIME – Secure/Multipurpose Internet Mail Extension
• Internet standard approach
IP Security (IPSec)
• capability that can be added to IPv4 or IPv6 via additional headers
• 3 areas – authentication, confidentiality, key management
• Confidentiality in 2 modes: tunnel and transport
• Higher-level layers may be ignorant of security implications
• RFC 2401-2408
• 2 main headers: AH (Authentication Header) and ESP (Encapsulating Security Payload)
• Key Management: Internet Security Association and Key Mgmt. Protocol (ISAKMP)
Web Security
• Secure Socket Layer (SSL)/Transport Layer Security (TLS)
Detailed Reference