The Role of Cryptography in Cyber...
39
The Role of Cryptography in Cyber Security DR. VICTOR ONOMZA WAZIRI; (ASSOCIATE PROFESSOR OF CYBER SECURITY SCIENCE) Department of Cyber Security Science, SCHOOL OF INFORMATION AND COMMUNICATION TECHNOLOGY, FEDERAL UNIVERSITY OF TECHNOLOGY, MINNA NIGER STATE
-
Upload
trinhthuan -
Category
Documents
-
view
224 -
download
6
Transcript of The Role of Cryptography in Cyber...
The Role of Cryptography in Cyber Security
DR. VICTOR ONOMZA WAZIRI;
(ASSOCIATE PROFESSOR OF CYBER SECURITY SCIENCE)
Department of Cyber Security Science,
SCHOOL OF INFORMATION AND COMMUNICATION TECHNOLOGY,
FEDERAL UNIVERSITY OF TECHNOLOGY,
MINNA
NIGER STATE
OUTLINE
Content OutLine
1. Overview of Cryptography
2. What is Cryptography?
3. Cryptography as a Branch of Information Security
4. State-of-the-Art in Cryptography
5. Cryptographic principles
6. Shannon’s Perfect Secrecy
7. Mathematics of Cryptography
8. Core Cryptographic Security Keywords
9. Cyber Security Attack
10. Nature of Cyber Security Attack
11. Application of Cryptography in Cyberspace
12. Developing a Digital Signature
13. Signcryption
14. Shor’s Algorithm and Challenges to Post-Quantum Cryptography
Overview of Cryptography • The aim of this Presentation is to provide an overview for
the role of Cryptography in Cyber security with respect to
Public Encryption Scheme.
• Cryptography Maybe defined as the art of concealing
information from eavesdroppers by means of a secret that is
only known to the communicating parties
• In modern times, cryptography is almost always used to refer to electronic scrambling of data, but in a historical context, cryptography refers to using written secret codes.
What is Cryptography? Cont … • An excellent overview of the history of
cryptography with lots of photographs and detailed explanations can be found at the online Museum of Cryptography: http://www.cryptomuseum.com/index.htm
Cryptography as Branch of Information Security
• Information security is the field of research that aims to protect information from malicious attackers while still allowing legitimate users to manipulate data freely.
• Cryptography is the branch of information security which covers the study of algorithms and protocols that secure data on transmission over the Internet and on static computer systems.
• Cryptography is of a diverse field, taking in elements of electronic engineering, computer science and mathematics, including computational and algebraic number theory, combinatorics, group theory, and complexity theory.
State-of-the-Art in Cryptography • Cryptography is the art and science of protecting
information by transforming an encrypted message into an unreadable format, called cipher text.
• Only those who possess a secret key can decipher or decrypt the ciphertext into its original form known as a plaintext.
• Encrypted messages can sometimes be broken by cryptanalysis; which is also called science of code breaking.
• In, short Using Cryptography, data is first encrypted into another form and then transmitted over the unsecure channel such as the omnibus Internet.
• In Cryptography, there are different steps which are
taken in the encryption scheme and are as follows: 1. In the first step, Keys are generated using some
specified random oracle(s) where the keys are obtained from some subkey space.
2. In the Second Step, message (plaintext) is encrypted by applying some mathematical function called a cipher or algorithm and a mapping key to transform the plaintext into unreadable ciphertext. In this step, Encryption Process of the plaintext is done using agreed private key or public key.
3. At the last step, message is decrypted by using private key known only by an authorized recipient who has the deciphering key.
State-of-the-Art …
Cryptographic principles • Most cryptographic algorithms and cryptosystems
share common principles. This section aims to introduce and briefly explain some of these principles.
• One of the main goals of cryptography is to guarantee the secrecy of data.
• In order to achieve this, a cryptographic algorithm should be ‘secure’.
• This raises the question on what a secure algorithm is.
• Claude Shannon, the father of information theory, coined the term perfect secrecy to quantify a secure algorithm
Shannon’s Perfect Secrecy Con … • Shannon Defines Perfect Secrecy of a Cryptographic
Algorithm as: • Perfect Secrecy is defined by requiring of a system that
after a cryptogram is intercepted by the enemy, the aposteriori probabilities of this cryptogram representing various messages be identically the same as the apriori probabilities of the same messages before the interception.
• Though this may sound complicated, when paraphrased, it is actually rather simple if envisioned mathematically
• Perfect secrecy means that even if the encrypted message is observed, this should in no way increase the likelihood of uncovering the plain text.
• All modern cryptographic algorithms rely on mathematical principles. The most important of these is that the maths that the algorithm relies on should be based on a problem that is very hard to solve by brute force (i.e. without knowing the secret information).
• A second principle, derived from this, is that, a good cryptographic algorithm should be efficient in use (i.e. not consume excessive CPU time and/or memory) but should be infeasible or intractable (requiring excessive or infeasible amounts of CPU time) to break.
Mathematics of Cryptography
Random number generation • Modern cryptographic algorithms depend on random
data generation, for instance for key material. It is therefore very important to use a good random number generator.
• Most random number generators used on computers today are what are called ‘pseudo random numbers generators’ (pseudo RNGs)
• A pseudo RNG is based on a mathematical formula that produces output that should approximate truly random data as best as possible.
• A pseudo RNG always takes some input data as a starting point (called a seed) from which it then starts generating data.
• All pseudo RNGs are predictable; given a certain seed they will always produce the same output sequence
• Randomness plays another role in cryptography. An important property of a good cryptographic algorithm is that its encrypted output data should – to all intents and purposes – be indistinguishable from random data (i.e. should have no content that can be leveraged to derive any information on the original input data from the encrypted output).
• If some of the structure of the plain text is preserved in the ciphertext, then this can provide attackers a foothold that they can use to break the code (that is, cryptanalyze the Code)
Random number generation ...
Bits of key strength • Cryptographic algorithms invariably use keys.
• The size of these keys is usually expressed in bits (e.g. 128 bits or 1024 bits).
• It can be very hard to compare the cryptographic strength of different cryptographic algorithms.
• To overcome this problem, the concept of “bits of key strength” is often used.
• This number expresses the number of different keys that would have to be tried to break an algorithm by brute force.
ALICE, EVE AND BOB • In Cryptography, there three fictional characters
that are encountered, Alice, Bob and Eve.
• Alice and Bob are the fictional characters favoured by cryptographers to describe two communicating parties.
• The third character–Eve–often represents an attacker (A Cryptanalyst).
• It should be noted that Alice, Bob and Eve do not necessarily represent real world people; they can also represent computer systems (servers) or entire organisations or program codes.
Types of Cryptography • There are two Generic Cryptography models that are generally
classified as follows: • Symmetric Key Encryption scheme or Private key Cryptography. • Asymmetric Encryption scheme or Public Key Cryptography • Symmetric: Symmetric cryptography is the most widely used
form of cryptography. It can be used to secure communication by two or more parties and relies on a secret that is shared between the parties.
• In this scheme, the key applied in the cryptographic mapping is also known as shared-key, single-key, secret-key, and private-key or one-key cryptography. That means it is called as Secret-Key Cryptography which uses a single key for both encryption and decryption.
• Examples of Symmetric Key Encryption are AES (Advanced Encryption Standard), Triple DES (Data Encryption Standard), Blowfish Encryption Algorithm, International Data Encryption Algorithm(IDEA), Triple Data Encryptions Standard, RC5(Rivets cipher#5) etc.
Types of Symmetric Keys … • Block ciphers – these operate on groups of bits called blocks;
a block cipher typically has a fixed block size that is a multiple of 8 bits (common block sizes are 64 bits and 128 bits)
• Stream ciphers – these operate on single bits of data
• The security of block ciphers depends on the ability of the algorithm to create an output that is indistinguishable from truly random data and on the randomness of the key.
• It is almost always necessary to pad data to a multiple of the block size.
• Furthermore, several modes of operation exist for block ciphers. The two most common ones are called ‘Electronic Codebook’ (ECB) mode and ‘Cipher Block Chaining’ (CBC) mode. Of these two modes, CBC-mode is significantly more secure.
• Stream ciphers work in a completely different way. They are based on a perfectly concealing algorithm, the one-time pad. They work by generating a pseudo random bit stream called the key stream from a starting key.
• This key stream is then applied to the bit stream that needs to be encrypted using a simple exclusive-or (XOR) operation. This means that encryption and decryption are the same operation.
• Stream ciphers can be implemented in hardware extremely efficiently.
• And because they can operate very efficiently on streams of data of variable and unknown length (contrary to block ciphers which usually require padding) stream ciphers are used in applications such as wireless communication.
• An example of this is the A5/1 algorithm used for GSM telephony.
Types of Symmetric Keys …
Asymmetric/Public Key Cryptography • Asymmetric cryptography is also known as public-key
cryptography. • This refers to the most important property of
asymmetric key algorithms. • They always have two keys, a public key that can be
freely shared over unprotected channels and a private key that needs to be kept secret.
• Together, these two keys form what is known as a key pair. An example of asymmetric key encryption systems are RPK(Raike Public Key), DSA, DH (Diffie-Hellman Key Agreement Algorithm), ECDH (Elliptic Curve Diffie-Hellman Key Agreement Algorithm), RSA(Rivest, Shamir, Adleman), Rabin Cryptosystem, Merkle-Hellman Encryption Scheme etc .
Asymmetric/Public Key Cryptography Cont ...
• Public-key scheme provides Convenience, Provides for message authentication, Detection of tampering, Provide for non-repudiation .
• The two most important applications of asymmetric cryptography are encrypted communication without the need for a pre-shared secret and digital signatures for authentication and non-repudiation.
• The verification step is thus intended to establish trust in the public key and it should always be performed the first time a key is exchanged between communicating parties.
• Apart from one-to-one verification there are also mechanisms that involve a web of trust or a trusted third party (TTP) to achieve this.
Core Cryptographic Security Keywords
• The core principles of Cyber security for data preservation are confidentiality, integrity, authentication and non-repudiation.
1. Authentication:
• Another important application of asymmetric cryptography is (message) authentication.
• It is possible to authenticate an entity based on what is called ‘proof-of-possession’. The entity proves that it has a certain private key belonging to a known public key, thus proving its identity.
2. Confidentiality:
• Confidentiality means that only people with the right permission can access and use information. It also means protecting it from unauthorized access at all stages of its life cycle. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds. Encryption is one way to make sure that information remains confidential while it’s stored and transmitted.
• Encryption converts information into code that makes it unreadable. Only people authorized to view the information can decode and use it.
Core Cryptographic Security Keywords Cont …
3. Integrity: • Integrity means that information systems and their data
are accurate. Integrity ensures that changes can’t be made to data without appropriate permission. If a system has integrity, it means that the data in the system is moved and processed in predictable ways. The data doesn’t change when it’s processed.
4. Nonrepudiation: • Nonrepudiation means to ensure that a transferred
message has been sent and received by the parties claiming to have sent and received the message. Nonrepudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Core Cryptographic Security Keywords Cont …
4. Availability
• Availability is the security goal of making sure information systems are reliable. It makes sure data is accessible at all time.
• It also helps to ensure that individuals with proper permission can use systems and retrieve data in a dependable and timely manner.
Core Cryptographic Security Keywords Cont …
5. Authentication:
• The most basic unilateral security problem is to establish a secure connection between any user and the database.
• The term “secure connection" captures both secrecy and authentication of the communication. Also user authentication can be viewed as being implied by the authentication of the connection.
• Of course, a concrete protocol for establishing a secure connection might involve subprotocols at different layers of the communication stack, and a user authentication step may be involved.
• If one assumes a public-key infrastructure (PKI) to be in place, then establishing secure connections can be achieved by standard cryptographic mechanisms and protocols.
Core Cryptographic Security Keywords Cont …
Cyber Security Attack
• Cyber Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction in the cyberspace.
• Cyber security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: it could be in the form of electronic, print, or other forms.
• Thus, Cyber security attack insinuates any valuation of the two points described which is synonymous to Information security attack that could be mitigated using Cryptography
Nature of Cyber SecurityThreats
• First, we must understand that Cyber Security in this presentation means Information privacy-preservation; being it on a static computer storage device or dynamic over the Internet transmission using symmetric or Classical Public cryptography.
• Thus, with this perception, it is possible to overview on how the privacy of Information Technology (IT) could be preserved over Cyberspace Attack
• This presentation focuses on how IT dataset could be secured using public encryption protocol.
Nature of CyberThreats ...
• Computers and Networks are critical for key functions such as managing and operating nuclear power plants, dams, the electric power grid, the air traffic control system, and the financial infrastructural Institutions.
• Computers are also instrumental to the day-to-day operations of companies, organizations, the security agencies and government. Companies; large and small, rely on computers to manage payroll, to track inventory and sales, and to perform research and development.
• It is useful to distinguish between three important concepts of cybersecurity. A vulnerability is an error or a weakness in the design, implementation, or operation of a system.
• A threat is an adversary that is motivated to exploit a system vulnerability and capable of doing so.
• Risk refers to the likelihood that a vulnerability will be exploited, or that a threat may become harmful.
• In this lexicon, a system that allows computer viruses to replicate or unauthorized users to gain access exhibits vulnerabilities.
Nature of CyberThreats ...
• The creator of the virus or the unauthorized user is the threat to the system. Operating a system with known vulnerabilities in the presence of possible threats entails some risk that harm or damage will result.
• Modern cryptography, however, encompasses much more than the description of Cyber threats and its forestation using encryption protocols.
• Functionalities such as authentication, signatures, oblivious transfer, bit commitment and Byzantine agreement are important, for example, in communication, for multi-party computation and for secure voting schemes.
Nature of CyberThreats Cont ...
Application of Cryptography in Cyber Security
• Cryptography is used to secure transactions over the Internet by providing ways to assure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of message originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of the data that can be verified by a third party).
• Accordingly, cryptography has had, and will continue to have, an important role in protecting information over the Cyberspace both within a computer system and when information is sent over the Internet and other unprotected communications channels. Encryption is the process of transforming ordinary data (commonly referred to as plaintext) into code form (ciphertext) using a special value known as a key and a mathematical process called an algorithm.
• Cryptographic algorithms are designed to produce ciphertext that are unintelligible to unauthorized users. Decryption of ciphertext is possible only with use of the proper key.
• Other processes, such as authorisation can only take place after authentication has been successfully completed.
• Many different methods are used for authentication, ranging from simple user name/password combinations to advanced biometric pattern recognition.
• Password generators form a class of hardware tokens that use cryptography to generate session passwords (sometimes called one-time-password, or OTP) that can be recognised by the verifying party as valid and cannot be guessed by an attacker.
• Internally such a token has a clock whose value is hashed and encrypted using a key shared with the verifying party. The verifying party has a clock that is synchronised with the token’s clock.
Cryptography Implementation In Cyber Security Cont … Application of Cryptography in Cyber Security …
• Hash technologies use cryptography to provide
assurance to a message recipient that the contents of the message have not been altered. For example, operating systems use cryptography to protect passwords.
• Protocols such as IP Security protocol (IPSec) and Secure Sockets Layer (SSL) use cryptographic technologies for confidential communications. SHA and MD5 are examples of hash technologies implémentations. Digital signature technologies use cryptography to authenticate the sender of a message.
• Virtual private networks (VPN) use cryptography to establish a secure communications link across unprotected networks.
Application of Cryptography in Cyber Security …
Implementation of Cryptography in Digital Signatures and Certificates
• Properly implemented digital signatures use public key cryptography to provide authentication, data integrity, and nonrepudiation for a message on transaction. Just as a physical signature provides assurance that a letter has been written by a specific person, a digital signature confirms the identity of a message’s sender. Digital signatures are often used in conjunction with a digital certificate.
• A digital certificate is an electronic credential that guarantees the association between a public key and a specific entity. The most common use of digital certificates is to verify that a user sending a message is who he or she claims to be and to provide the receiver with a means to encode a reply.
• Certificates can be issued to computerize equipment and processes as well as to individuals. For example, companies that do business over the Internet can obtain digital certificates for their computer servers. These certificates are used to authenticate the servers to potential customers, who can then rely on the servers to support the secure exchange of encrypted information, such as passwords and credit card numbers.
Application of Cryptography in Cyber Security …
Developing Digital Signature • The creation of a digital signature can be divided into a two-
steps-process: Encryption and Message Digest.
• Public key cryptography is not used to encrypt large amounts of data. Therefore, the first step involves reducing the amount of data that needs to be encrypted.
• This is typically accomplished by using a cryptographic hash algorithm, which condenses the data into a message digest. Then the message digest is encrypted, using the sender’s private signing key to create a digital signature.
• Because the message digest will be different for each signature, each signature will also be unique; if a good hash algorithm is used, it is computationally infeasible to find another message that will generate the same message digest.
• Signcryption is a cryptographic primitive which offers authentication and confidentiality simultaneously with a cost lower than signing the message independently.
• Ring Signcryption enables a user to signcrypt a message along with identities of a set of potential senders (including himself) without revealing which user in the set has produced the signcryption. Thus a ring signcrypted message has anonymity in addition to authentication and confidentiality.
• For example, if Bob wishes to digitally sign an electronic document, he can use his private key to encrypt the message digest of the document. His public key is freely available, so anyone with access to his public key can decrypt the document.
• Although this seems backward because anyone can read what is encrypted, the fact that Bob’s private key is held only by Bob provides the proof that Bob’s digital signature is valid. However, the pure privacy with authentication and confidentiality can be achieved by applying ring signcrepted message.
Signcryption
Signcryption
• Ring signcryption schemes have no group managers, no setup procedures, no revocation procedures and no coordination:
• Any user can choose any set of users (ring), that includes himself and signcrypt any message by using his private and public key as well as other users (in the ring) public keys, without getting any approval or assistance from them.
• Ring Signcryption is useful for leaking trustworthy secrets in an anonymous, authenticated and confidential way.
• Research along signcryption lines is open-ended.
Ring Signcryption …
Challenge of Post-Quantum Cryptography
• Shor’s Algorithm has Induced Another Modern Cryptography that looks to supersede Public-key Encryption Scheme (Now Known as Classical Public-key) is the Quantum Cryptography.
• Shor’s Algorithm is quantum based Cryptographyic Scheme. It can break all classical Public Key encryption schemes that are based on computational problems which are assumed hard for efficient classical algorithms
• Thus, advances in quantum information processing and quantum computing have brought about fundamental challenges to classical Public-key cryptography.
• Many classical cryptographic constructions are based on computational hardness of Integer Factorization and Discrete Logarithm problems. However, some of these problems, such as factoring, discrete-logarithm and Pell’s equation, can be solved efficiently on a quantum computer within Polynomial Probabilistic Time (PPT).
Shor’s Algorithm and Challenges to Post-Quantum Cryptography
• As a result, a host of crypto-systems, e.g, the RSA encryption scheme that is deployed widely over the Internet, are broken by a quantum attacker.
• A natural countermeasure is to use quantum-resistant assumptions instead. Namely, one can switch to other computational problems which appear hard to solve even on quantum computers, and construct cryptographic schemes based on them. Examples include:
1. Problems in discrete lattices
2. Hard coding problems
3. Generic assumptions such as the existence of one-way functions that no efficient quantum algorithms can invert.
This leads to the active research area termed Post-Quantum Cryptography
Shor’s Algorithm and Challenges to Post-Quantum Cryptography …
Thank You For LISTENING;
QUESTIONS?
