Cryptography(Chapter 14)

Presented By

Jeff Shinsky

April 13, 2004

Cryptography

The coding and decoding of secret messages – which may involve the use of complex mathematical formulas, algorithms, and certificate mechanisms to encrypt today’s data flows.

Cryptography

Data Types

1) Plaintext - Data that can be read without any manipulation

2) Ciphertext - Encrypted plaintext that contains an unreadable series of symbols and numbers.

Encryption and Decryption

1) Algorithm - Mathematical function that works in tandem with a key. Security relies on strength of algorithm and secrecy of key.

2) Hashing - Involves taking a variable-length input and converting it to a fixed-length output, called a hash value. Makes sure data received is same as data sent.

Symmetric vs. AsymmetricAlgorithms

Symmetric

• Uses single key for encryption/decryption• Security relies solely with the key. If it

becomes known, anyone can access info• Encryption key can be calculated from

decryption key and vice versa• High cost because key transfer done over

secure channels• Also known as secret key, single-key, or one-

key algorithms

Symmetric Algorithm

Symmetric vs. AsymmetricAlgorithms

Asymmetric

• Known as public-key algorithms• Encryption key and the decryption key are

different• Decryption key cannot be calculated from the

encryption key• Encryption key can be made public and used

by anyone to encrypt data and send to host• Only host can decrypt data using a

corresponding decryption key• No need to share private keys over secure

channel – as with symmetric algorithms

Asymmetric Algorithm

Encryption Algorithms

1) Most in use today are based on a structure developed by Horst Feistel of IBM in 1973

2) More security attained with larger block size, key size, increased complexity of algorithm

3) With increasing computing power, more complex algorithms can be utilized

Encryption Algorithms1) Lucifer (1974) - IBM developed it to provide

strong encryption algorithm for protecting non-classified data. Uses 128-bit key and 16 rounds in the encryption process

2) Diffie-Hellman (1976) - Oldest public key system in use, commonly found in IP sector

3) RSA (1977) - Public key system with variable key length and block size for flexibility

4) DES (1977) - Block cipher (cipher is a technique used for encryption/decryption). Used 56-bit key length, but was cracked in less than three days in 1998.

Encryption Algorithms

5) Triple DES (1998) - Uses three keys and three executions of the algorithm, resulting in a 168-bit key

6) IDEA (1992) - Patented for corporate use. Uses 64-bit blocks and 128-bit key.

7) Blowfish (1993) - Unpatented, uses 64-bit blocks, no known attacks

8) RC5 (1995) - Suitable for either hardware or software functions, fast, flexible, and easy to use

Four Primary Functions of Cryptography

1) Confidentiality - Discussions are kept confidential

2) Authentication - Discussions are with people who really are who they say they are

3) Integrity - Information exchanged can be trusted

4) Nonrepudiation - Information provided is actually coming from the person with whom they are interacting

Digital Signatures

1) A feature used with most public key systems

2) Public key can decrypt a message encrypted with the private key, as well as the reverse

3) If public key can successfully decrypt message, then must have been encrypted with corresponding private key

4) Entire message can be encrypted with private key, providing for nonrepudiation

Digital Signatures

Digital Certificates

1) For verifying whether a public key belongs to its owner

2) Contain information that helps other users verify that the key is valid

3) Contain a public key, one or more digital signatures, and certificate information such as the user’s name, ID, etc.

4) A certificate server is used to provide security, storage, and exchange mechanisms for digital certificates

Public Key Infrastructure (PKI)

1) Certificate storage facility allowing ability to issue, revoke, store, retrieve, and trust certificates

2) Uses a certification authority (CA) for issuing certificates to authorized users. They create certificates and digitally sign them w/private key

3) Validity establishes that a public key certificate does belong to its owner

4) If it does, it is placed on a keyring (list of validated certificates) so no revalidation needed

Public Key Infrastructure (PKI)

5) Fingerprinting provides a unique property for each certificate. A fingerprint is a hash of the user’s certificate.

6) Certificates have a limited lifetime to reduce risk should certificate become compromised

7) A certificate revocation list (CRL), compiled by the CA, contains a list of all suspended or revoked certificates in the system

8) CA is responsible for establishing a certificate’s validity

Trust Models

• Organizations typically follow a trust model, which explains how users can establish a certificate’s validity

• There are three different trust models:

1) Direct Trust

2) Hierarchical trust

3) Web of trust

Direct Trust Model

• A user trusts that a key is valid because he knows where it came from

Hierarchical Trust Model

• Root certificates are arranged in a hierarchical fashion to facilitate validation

Web of Trust Model

1) Uses the concepts of the other two models

2) Creates a more decentralized approach

3) Has the central theme that the more information, the better

4) A certificate may be trusted directly, via a hierarchical path, or by a group of trusted sources

Key and CertificateLife Cycle Management

Three main phases:

1) Setup or initialization

2) Administration of issued keys and certificates

3) Certificate cancellation and key history

Setup or Initialization Phase

1) Registration - When CA verifies credentials of user, CA registers the user

2) Key Pair Generation - One or more key pairs are created using different algorithms

3) Certificate Creation - CA creates a certificate and binds it with a public key

4) Certificate Distribution - Keys and certificates are distributed using secure transmission modes

5) Certificate Dissemination - Getting certificate to user without too much difficulty

6) Key Backup and Recovery - Ensures that after a catastrophic loss, encrypted data can still be read–stored, key escrow, M of N control

Cancellation and Key History Phase

1) Certificate Expiration - Occurs when validity period of certificate expires–may be renewed

2) Certificate Revocation - Cancellation of certificate prior to its natural expiration–privilege changes for the owner, key loss from hardware failure, etc.

3) Certificate Destruction - Destroy private key if used for signing, save if used for encryption

4) Key History - Deals with providing secure and reliable storage of expired keys for later retrieval to recover encrypted data

5) Key Archive - Long-term storage of keys and certificates for meeting audit requirements and resolving disputes in the future