Information Security Cryptography (L03 - Old Cryptography Algorithms)
Transcript of Cryptography
Cryptography
Chapter 14
Learning Objectives
Understand the basics of algorithms and how they are used in modern cryptography
Identify the differences between asymmetric and symmetric algorithms
Have a basic understanding of the concepts of cryptography and how they relate to network security
Discuss characteristics of PKI certificates and the policies and procedures surrounding them
Understand the implications of key management and a certificate’s lifecycle
Cryptography
Study of complex mathematical formulas and algorithms used for encryption and decryption
Allows users to transmit sensitive information over unsecured networks
Can be either strong or weak
Cryptography Terminology
Plaintext: Data that can be read without any manipulation
Encryption: Method of disguising plaintext to hide its substance
Ciphertext: Plaintext that has been encrypted and is an unreadable series of symbols and numbers
How Encryption and Decryption Work
Algorithms
Mathematical functions that work in tandem with a key
Same plaintext data encrypts into different ciphertext with different keys
Security of data relies on:
Strength of the algorithm
Secrecy of the key
Hashing
Method used for verifying data integrity
Uses variable-length input that is converted to a fixed-length output string (hash value)
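Added example, not part of the original slides: the two properties the Hashing slide names (variable-length input, fixed-length hash value) and the integrity check that follows from them, using Python's standard hashlib. The sample messages and the key are constructed here. The keyed HMAC at the end is an addition the slide does not mention: it shows why a bare hash stored next to the data only detects accidental corruption, while a keyed tag also detects deliberate modification by someone who does not hold the key.

```python
import hashlib
import hmac

# Constructed sample inputs of very different lengths (not from the slides).
SAMPLES = [b"", b"a", b"The quick brown fox jumps over the lazy dog", b"x" * 100_000]


def sha256_hex(data: bytes) -> str:
    """Variable-length input -> fixed-length (256-bit, 64 hex chars) hash value."""
    return hashlib.sha256(data).hexdigest()


def digest_lengths(samples=SAMPLES) -> set:
    """Collect the digest lengths of all samples; a hash gives one size for every input."""
    return {len(sha256_hex(s)) for s in samples}


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the hash of the received data and compare it with the stored value.
    compare_digest runs in constant time so the comparison leaks nothing via timing."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Number of bit positions in which two digests differ (the avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: integrity plus authentication, since recomputing it needs the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag_hex)


if __name__ == "__main__":
    original = b"transfer 100 to account 42"   # constructed message
    tampered = b"transfer 900 to account 42"   # one character changed
    h = sha256_hex(original)
    print("digest lengths seen:", digest_lengths())
    print("intact:", verify_integrity(original, h), "tampered:", verify_integrity(tampered, h))
    print("bits changed by editing one character:", differing_bits(h, sha256_hex(tampered)))
    # A plain hash can be recomputed by whoever alters the data; an HMAC cannot without the key.
    key = b"shared-secret-key (constructed)"
    tag = keyed_tag(key, original)
    print("tag verifies with key:", verify_tag(key, original, tag),
          "with wrong key:", verify_tag(b"other", original, tag))
```

The avalanche count is the practical reason a hash is usable for integrity: a single changed character flips roughly half of the 256 output bits, so a mismatch is never subtle.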
Symmetric versus Asymmetric Algorithms

| Type of algorithm | Advantages | Disadvantages |
| --- | --- | --- |
| Symmetric | Single key | Requires sender and receiver to agree on a key before transmission of data; security lies only with the key; high cost |
| Asymmetric | Encryption and decryption keys are different; decryption key cannot be calculated from encryption key | Security of keys can be compromised when malicious users post phony keys |
Symmetric Algorithms
Usually use same key for encryption and decryption
Encryption key can be calculated from decryption key and vice versa
Require sender and receiver to agree on a key before they communicate securely
Security lies with the key
Also called secret key algorithms, single-key algorithms, or one-key algorithms
Encryption Using a Symmetric Algorithm
Categories of Algorithms
Stream algorithms: Operate on the plaintext one bit at a time
Block algorithms: Encrypt and decrypt data in groups of bits, typically 64 bits in size
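Added example, not part of the original slides, covering the Symmetric Algorithms and Categories of Algorithms slides. It is a constructed teaching stream cipher, not a standard algorithm: the keystream is expanded from (key, nonce, counter) with HMAC-SHA256 and XORed onto the plaintext, so the same single key both encrypts and decrypts. It shows the Algorithms slide's point that one plaintext under two keys gives two ciphertexts, and the 64-bit block size the slide mentions appears as the padding a block algorithm needs before it can consume input in whole blocks. The last function demonstrates the classic caveat that a keystream must never be reused under the same key and nonce.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
BLOCK_BYTES = 8  # the 64-bit block size the slides mention


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce, counter) into a pseudorandom keystream with HMAC-SHA256.
    Constructed teaching cipher: assumes HMAC behaves as a PRF; not a standard algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Stream encryption: XOR each plaintext byte with the next keystream byte.
    The nonce is prepended so the receiver can regenerate the same keystream."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, blob: bytes) -> bytes:
    """Decryption is the same XOR with the same key: a symmetric (single-key) algorithm."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def pkcs7_pad(data: bytes, block: int = BLOCK_BYTES) -> bytes:
    """Block algorithms consume whole blocks, so input is padded up to a block multiple."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK_BYTES) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def keystream_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Caveat: under the same key and nonce, ct1 XOR ct2 equals p1 XOR p2 because the
    keystream cancels out. Returns True when that relation holds (it always does here),
    which is why a nonce is generated fresh per message in stream_encrypt."""
    c1 = stream_encrypt(key, p1, nonce)[NONCE_LEN:]
    c2 = stream_encrypt(key, p2, nonce)[NONCE_LEN:]
    n = min(len(p1), len(p2))
    xor_ct = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_pt = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return xor_ct == xor_pt


if __name__ == "__main__":
    key_a, key_b = b"A" * 32, b"B" * 32          # constructed keys
    nonce = bytes(range(NONCE_LEN))              # fixed only to isolate the key's effect
    msg = b"meet at noon"                        # constructed plaintext
    ct_a, ct_b = stream_encrypt(key_a, msg, nonce), stream_encrypt(key_b, msg, nonce)
    print("same plaintext, different keys, different ciphertext:", ct_a != ct_b)
    print("right key:", stream_decrypt(key_a, ct_a), "wrong key:", stream_decrypt(key_b, ct_a))
    print("padded for 64-bit blocks:", pkcs7_pad(b"abc"))
```

Note what "security lies with the key" means in practice here: the construction is public, and decrypting with any key other than the one used to encrypt yields only noise.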
Asymmetric Algorithms
Use different keys for encryption and decryption
Decryption key cannot be calculated from the encryption key
Anyone can use the public key to encrypt data and send it to the host; only the host can decrypt the data
Also known as public key algorithms
Common Encryption Algorithms
Lucifer (1974)
Diffie-Hellman (1976)
RSA (1977)
DES (1977)
Triple DES (1998)
IDEA (1992)
Blowfish (1993)
RC5 (1995)
Primary Functions of Cryptography
Confidentiality
Authentication
Integrity
Nonrepudiation
Digital Signatures
Based on asymmetric algorithms, allow the recipient to verify whether a public key belongs to its owner
Certificates
Credentials that allow a recipient to verify whether a public key belongs to its owner
Verify senders’ information with identity information that is bound to the public key
Components:
Public key
One or more digital signatures
Certificate information (e.g., user’s name, ID)
Public Key Infrastructure (PKI) Certificates
Certificate storage facility that provides certification management functionality (e.g., ability to issue, revoke, store, retrieve, and trust certificates)
Certification authority (CA)
Primary feature of PKI
Trusted person or group responsible for issuing certificates to authorized users on a system
Creates certificates and digitally signs them using a private key
PKI Policies and Practices
Validity establishes that a public key certificate belongs to its owner
CA issues certificates to users by binding a public key to identification information of the requester
User can manually check certificate’s fingerprint
PKI Revocation
Certificates have a restricted lifetime; a validity period is created for all certificates
Certificate revocation list (CRL): Communicates which certificates within a PKI have been revoked
Trust Models
Techniques that establish how users validate certificates:
Direct trust
Hierarchical trust
Web of trust
Direct Trust Model
User trusts a key because the user knows where it came from
Hierarchical Trust Model
Based on a number of root certificates
Web of Trust
Combines concepts of direct trust and hierarchical trust
Adds the idea that trust is relative to each requester
Central theme: the more information available, the better the decision
Key and Certificate Life Cycle Management
Setup or initialization
Administration of issued keys and certificates
Certificate cancellation and key history
Setup and Initialization
Registration
Key pair generation
Certificate creation
Certificate distribution
Certificate dissemination
Key backup
Registration
User requests certificate from CA
CA verifies identity and credentials of user
Certificate practice statement: Published document that explains CA structure to users
Certificate policy establishes:
Who may serve as CA
What types of certificates may be issued
How they should be issued and managed
Key Pair Generation
Involves creation of one or more key pairs using different algorithms
Dual or multiple keys are often utilized to perform different roles to support distinct services
Key pair can be restricted by policy to certain roles based on usage factors
Multiple key pairs usually require multiple certificates
Certificates
Distinguished name (DN): Unique identifier that is bound to a certificate by a CA; uses a sequence of character(s) that is unique to each user
Appropriate certificate policies govern creation and issuance of certificates
Certificate Dissemination Techniques
Securely make certificate information available to requester without too much difficulty:
Out-of-band distribution
In-band distribution
Publication
Centralized repositories with controlled access
Key Backup
Addresses lost keys
Helps recover encrypted data
Essential element of business continuity and disaster recovery planning
Key Escrow
Key administration process that utilizes a third party
Initialization phase involves:
Certificate retrieval and validation
Key recovery and key update
Cancellation Procedures
Certificate expiration
Certificate revocation
Key history
Key archive
Certificate Expiration
Occurs when validity period of a certificate expires
Options upon expiration:
Certificate renewal
Certificate update
Certificate Revocation
Implies cancellation of a certificate prior to its natural expiration
Revocation delay: Delay associated with the revocation requirement and subsequent notification
Certificate Revocation
How notification is accomplished:
Certificate revocation lists (CRLs)
CRL distribution points
Certificate revocation trees (CRTs)
Redirect/referral CRLs
Notification is unnecessary for:
Short certificate lifetimes
Single-entity approvals
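Added example, not part of the original slides, covering the PKI Revocation, Certificate Expiration and Certificate Revocation slides together: how a relying party combines a certificate's validity period with a CRL to reach a status decision, how the revocation delay the slide defines is measured, and why a short-lived certificate can skip revocation notification. The certificates, the CRL and the reference time are all constructed; the status names and the freshness rule (a CRL past its next_update cannot vouch for anything, so the answer is "unknown", not "good") are choices made for this example rather than anything the slides prescribe.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Certificate revocation list: published at this_update, promised fresh until next_update."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, Tuple[datetime, str]] = field(default_factory=dict)  # serial -> (when, reason)


def certificate_status(cert: Certificate, crl: Optional[CRL], now: datetime) -> str:
    """Evaluate a certificate as a relying party would: validity period first, then revocation.
    A missing or stale CRL yields 'unknown' rather than silently passing as 'good'."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    if crl is None or now > crl.next_update:
        return "unknown"
    if cert.serial in crl.revoked:
        return "revoked"
    return "good"


def revocation_delay(revocation_needed_at: datetime, crl: CRL, serial: int) -> Optional[timedelta]:
    """Revocation delay: time from the event that required revocation until a CRL carrying
    that serial was published (the slide's 'subsequent notification')."""
    if serial not in crl.revoked:
        return None
    return crl.this_update - revocation_needed_at


def needs_renewal(cert: Certificate, now: datetime, window: timedelta = timedelta(days=30)) -> bool:
    """Renewal or update should begin inside a window before expiration, not after it."""
    return cert.not_after - now <= window


def revocation_notification_needed(cert: Certificate, short_lifetime: timedelta = timedelta(days=1)) -> bool:
    """A certificate that expires before a revocation notice could propagate needs no notice."""
    return cert.not_after - cert.not_before > short_lifetime


# Constructed sample data (not from the slides).
DAY, HOUR = timedelta(days=1), timedelta(hours=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
HOST_CERT = Certificate(1001, "host.example", T0, T0 + 365 * DAY)
COMPROMISED_CERT = Certificate(1002, "mail.example", T0, T0 + 365 * DAY)
SHORT_CERT = Certificate(1003, "batch.example", T0, T0 + 6 * HOUR)
# CRL published on day 10, declared fresh for a week, listing serial 1002 as revoked on day 9.
SAMPLE_CRL = CRL("Example CA (constructed)", T0 + 10 * DAY, T0 + 17 * DAY,
                 {1002: (T0 + 9 * DAY, "keyCompromise")})

if __name__ == "__main__":
    for when in (T0 - DAY, T0 + 12 * DAY, T0 + 20 * DAY, T0 + 400 * DAY):
        print(when.date(), certificate_status(HOST_CERT, SAMPLE_CRL, when),
              certificate_status(COMPROMISED_CERT, SAMPLE_CRL, when))
    print("revocation delay for 1002:", revocation_delay(T0 + 9 * DAY, SAMPLE_CRL, 1002))
    print("short-lived cert needs revocation notice:", revocation_notification_needed(SHORT_CERT))
```

The "unknown" branch is the caveat worth remembering from the revocation slides: a CRL is only evidence up to its next_update, and treating an unreachable or stale list as "not revoked" defeats the purpose of publishing one.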
Key History
Deals with secure and reliable storage of expired keys for later retrieval to recover encrypted data
Applies more to encryption keys than signing keys
Key Archive
Service undertaken by a CA or third party to store keys and verification certificates
Meets audit requirements and handles resolution of disputes when used with other services (e.g., time stamping and notarization)
Setting up an Enterprise PKI
Extremely complex task with enormous demands on financial, human, hardware, and software resources
Areas to explore:
Basic support
Training
Documentation issues
Areas to Explore in Detail When Setting up an Enterprise PKI
Support for standards, protocols, and third-party applications
Issues related to cross-certification, interoperability, and trust models
Multiple key pairs and key pair uses
How to PKI-enable applications and client-side software availability
Impact on end user for key backup, key or certificate update, and nonrepudiation services
Performance, scalability, and flexibility issues regarding distribution, retrieval, and revocation systems
Physical access control to facilities
Chapter Summary
Ways that algorithms and certificate mechanisms are used to encrypt data flows
Concepts of cryptography
Key and certificate life cycle management