Cryptography Introduction to Cryptography. Objectives A conceptual understanding of secret-key,...
-
date post
18-Dec-2015 -
Category
Documents
-
view
231 -
download
1
Transcript of Cryptography Introduction to Cryptography. Objectives A conceptual understanding of secret-key,...
Objectives
• A conceptual understanding of secret-key, public-key, and hashing cryptographic algorithms and how they fit into the notion of certificates and how these certificates form the basis of Public Key Infrastructure (PKI).
Why Cryptography
• Scramble data to keep it private
• Detect whether data has been changed
• Provide proof of origin, receipt, transaction..
• Provide digital identities
Cryptographic Functions
• Three types - each with strengths and weaknesses depending upon their intended use.
• Secret-Key (Symmetric) Cryptography - Same shared key
• Public-Key (Asymmetric) Cryptography - Different but related keys
• Hash Function
Secret-Key Cryptography
• Characteristics
Relatively fast
Poses key delivery challenges when faced with large numbers
of senders/receivers
• Popular Implementations
Data Encryption Standard (DES) 56 bit key (plus 8 parity bits)
Triple DES
RSA’s RC2, RC4, RC5
Public-Key Cryptography
• Characteristics
Slower than secret-key cryptography
Designed to accommodate key delivery and scalability
Key Strengths 512 to 2048 bits
• Popular Implementations
RSA - encryption and digital signature
El Gamal and DSS - digital signatures
Diffie-Hellman -secret-key establishment
Public-Key Cryptography
• Examples of Usage
Authentication - encrypting challenge
Key Distribution - encrypting session key
Hash Algorithms
• Message of length n - Hash Function ------> h (Fixed length, short number
• CharacteristicsEasy to compute
There is no way to get from the hash to the original message, that is any simpler than going though all possible values of the original message and computing the hash for each one
It should be computationally infeasible to find two messages that hash to the same thing.
• Popular implementations - SHA-1, MD2, MD4, MD5
Hash Algorithms
• Examples of UsageSystem can store hashes of passwords instead of the password
itself
Message integrity - send messages and the hash of (message/secret-password)
Digital signature
Digital Signatures
• Alice Signs with her Private Key - emails / file transfer/ floppy ----> Recipient Verifies with Alice’s Public Key
• Definition/Characteristics A digital signature is a number associated with a message, generated
using the private key of the sender
Anyone with Alice’s public key can verify that it is Alice’s signature
Proves the message has not been altered in any way since the signature was applied
Provides non-reputable source of origin
Digital Signatures
• Popular implementations - RSA+MD5, RSA+SHA-1, DSS+SHA-1
• Examples of Usage
Signed mail
Signed code (Java applets, Active X controls)
Hashes and Digital Signatures
Alice’s Plain textSHA-1
hAlice signs the hash (encryptsthe hash with her private key)
Bob h
h
Bob decrypts the signed hash with Alice’s Public key
Bob hashes theplain text to derive the hash
If hashed matchOnly Alice could havesignedPlain text did not change
Signed
Signed
Certificates (x.509 V3)
• Question - Can I trust the Public Key?
• Answer - Yes, if it backed up by some trustworthy authority.
• User CertificatesTrusted Method to Store Public Key
Binds Public Key to User
• CA CertificatesWell Known Public Key for Signature Verification
Delivered with Browser, Server, Mutually installed on Browser / Server
Encryption Can be employed at Different Levels
• Field Level - Client Browser ---> s-HTTP Web Server Status- not supported - being dropped from products
• Message Level - Mail Sender ---> S-MIME /Open PGP - Mail Server - Advantage - Mail is often intended to be kept secret as an entire unit
• Transport Level - Client Browser ---> SSL/TLS - Web Server - Advantage - Useful when a session’s interactions needs to be kept secret
• Datagram Level - Firewall ---> IPSec Firewall - Advantage Encrypted pipe enables multiple sessions to be encrypted with only single IPSec setup overhead
Public-Key Infrastructure (PKI)
Alice BobAlice & BobRequest signing certificateGenerate key pairSend public key to CARequest encryption certificate
CA (Encryption Certificate) CA (Signing Certificate)Generate Key Pair Receive signing public keyBuild certificate Build & return signing certificateReturn private key and certificateSave private key for recoveryPublish certificate with LDAP server
LDAPServer
PKI - ContinuedALice Bob
Signature
LDAPServer
CertificateAuthority
AliceSigns the messageEncrypts the message for Bob usinga generated secret keyEncrypts the secret key with BOB’spublic KeySends mail that includes:The signatureThe encrypted messageThe encrypted secret keyAlice’s signing certificate
PKI - ContinuedALice Bob
Signature
LDAPServer
CertificateAuthority
BOBDecrypts the secret key with hisprivate encryption keyDecrypts the message with the secretkeyVerifies the CA signature on Alice’scertificateChecks with the LDAP server toensure Alice’s signing certificate notrevokedValidates Alice’s signatureEnjoys private communication,assured it’s from Alice
PKI Aspects - Establishing Trust
• Need to establish trust with other CA’s
divisions of a corporation
trading partners
suppliers
competitors
• Trust Models
Flat certificate model
Hierarchical certificate model
Cross-certification
- allows one CA to recognize the authority of another
- CAs certify each other
Link X.500 directories
PKI Aspects - CAs & RAs
• Certificate AuthorityPolicy
Profile
CA key management
Handle exceptions
Support users
• Registration AuthorityAuthenticate applicants
Select attributer
Approve and forward
Request revocation
Help manage policy
Network Security -SSL
• Secure Sockets Layer (SSL)
Cryptographic protocol for protecting digital communication between client & server
Can also be used server to server
Standard, efficient and widely deployed
(Web Servers - Apache, Netscape, Microsoft -IIS …etc)
SSL- How it works
• Negotiate OptionsOne or Two way Authentication
Which Crypto Suite
• AuthenticateExchange Certificate(s)
Validate Certificate(s)
Random Number Challenge(s)
• Distribute KeysGenerate Secret Keys
Exchange Secret Keys
• Flow Secure DataEncryption
Modification Detection
Compression
SSL- How it works
• Client Server (Alice) (Bob)
<-------------------------------->
Negotiate Options
Authenticate
Distribute Keys
Flow Secure Data
<---------------------------------->
History of SSL/TLS
• SSL Version 1 - was quickly replaced by SSL version 2 . Not in use today
• SSL Version 2 - some security problems; 1-way (server) authentication
• Private Communication Technology (PCT) - Microsoft’s response to SSL 2.0. Fixes some problems, but supplanted by SSL V3.
• SSL version 3 - Complete redesign of SSL. Fixed the problems in previous versions and added many features
• Transport Layer Security (TLS) - IETF standard, based on SSL V3, under development
IPSec Overview
• A framework that provides network layer security via protection for IP datagram transit
Origin authentication, integrity, confidentiality, and key management
Basis for virtual private networks (VPNs)
• IPSec support in TCP/IP
Firewall - All connections among IP-Addressable entities
• Involves 3 protocols:
Authentication Header (AH) protocol
Encapsulating security payload (ESP)
ISAKMP/Oakley
IPSec Enables Virtual Private Networks
• Via the internet, the corporate network can be securely extended to include remote nodes/networks
• IPSec enables a secure pipe or tunnel to be established
ISAKMP/Oakley• Internet Security Association and Key Management
Protocol
• IETF Standardized Framework
Negotiate security associations
Crypto key generation/refresh
• Oakley is the mandatory key management protocol within ISAKMP
• Essential for success/growth of VPNs
Secure key exchange is most important element
Automated key distribution, without manual intervention facilitates scalability
IPSec Modes - Tunnel and Transport• IPSec tunnel and transport work together to allow tailoring of
protection: end-to-end and tunnel specific
• Transport modes:
end-to-end
original IP datagram header is used for routing intranet addresses
typical example - exchanges between a server in one intranet and client in another
• Tunnel modes:
tunnel-specific protection
outer IP header created and used for routing internet addresses
typical example - firewall to firewall VPN
IP Authentication Header (AH)
• Two Modes: Transport and Tunnel• Datagram content is clear text• AH provides data integrity and data origin
authentication • Protection for entire datagram• Data integrity is assured by the checksum
generated by a message authentication code (MD5)