Cryptography: Securing the Information Age - PowerPoint PPT Presentation

October 17, 2002. Future Technology Briefing.

Provided by: Sboukh

1
Cryptography: Securing the Information Age
Source: www.aep.ie/product/technical.html
2
Agenda
  • Definitions
  • Why is cryptography important?
  • Available technologies
  • Benefits and problems
  • Future of cryptography
  • Houston resources

3
Essential Terms
  • Cryptography
  • Encryption: plain text → cipher text
  • Decryption: cipher text → plain text
  • Cryptanalysis
  • Cryptology

Source: http://www.unmuseum.org/enigma.jpg
4
Information Security for
  • Defending against external/internal hackers
  • Defending against industrial espionage
  • Securing E-commerce
  • Securing bank accounts/electronic transfers
  • Securing intellectual property
  • Avoiding liability

5
Threats to Information Security
  • Pervasiveness of email/networks
  • Online storage of sensitive information
  • Insecure technologies (e.g. wireless)
  • Trend towards paperless society
  • Weak legal protection of email privacy

6
Types of Secret Writing
  • Secret writing
      • Steganography
      • Cryptography
7
Steganography
  • Steganography ("covered writing") is the art of
    hiding information
  • Popular contemporary steganographic technologies
    hide information in images

Source: New York Times, August 3rd, 2001
http://www.nytimes.com/images/2001/10/30/science/sci_STEGO_011030_00.jpg
8
Hiding information in pictures
  • Image in which to hide another image
  • Image to hide within the other image

Source: http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/
9
Retrieving information from pictures
  • Image with other hidden within
  • Recreated image

Source: http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/
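
An added example, not part of the original slides: the image-in-image hiding that slides 8 and 9 illustrate, sketched on 8-bit grayscale pixel values. The function names, the 4-bit default and the sample pixels are assumptions made for this illustration.

```python
def embed(cover, secret, bits=4):
    """Replace the low `bits` of each cover pixel with the top `bits` of the secret pixel."""
    if not 1 <= bits <= 7:
        raise ValueError("bits must be between 1 and 7")
    if len(cover) != len(secret):
        raise ValueError("cover and secret must have the same number of pixels")
    keep = 0xFF & ~((1 << bits) - 1)          # mask that preserves the cover's high bits
    return [(c & keep) | (s >> (8 - bits)) for c, s in zip(cover, secret)]


def extract(stego, bits=4):
    """Recreate the hidden image: take the low bits and shift them back to the top."""
    mask = (1 << bits) - 1
    return [(p & mask) << (8 - bits) for p in stego]


def max_abs_error(a, b):
    """Largest per-pixel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed sample pixels (0-255 grayscale), not taken from the slides.
COVER = [200, 17, 96, 255]
SECRET = [129, 64, 250, 7]

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    recreated = extract(stego)
    print("stego image:    ", stego)
    print("recreated image:", recreated)
    # The cover changes by less than 2**bits per pixel; the recreated image
    # loses the secret's low (8 - bits) bits, so it is only an approximation.
    print("cover distortion:", max_abs_error(COVER, stego))
    print("secret loss:     ", max_abs_error(SECRET, recreated))
```

The recreated image is lossy by construction: only the most significant bits of the hidden image survive, and the change to the cover is confined to its low bit planes.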
10
Digital Watermarks
Source: http://www.digimarc.com
11
Types of Secret Writing
  • Secret writing
      • Steganography
      • Cryptography
          • Substitution
              • Code
              • Cipher
          • Transposition
12
Public Key Cryptography
  • Private (symmetric, secret) key: the same key is
    used for encryption and decryption
  • Problem of key distribution
  • Public (asymmetric) key cryptography: a public
    key is used for encryption and a private key for
    decryption
  • Key distribution problem solved

13
Currently Available Crypto Algorithms (private key)
  • DES (Data Encryption Standard) and derivatives:
    double DES and triple DES
  • IDEA (International Data Encryption Standard)
  • Blowfish
  • RC5 (Rivest Cipher 5)
  • AES (Advanced Encryption Standard)

14
Currently Available Crypto Algorithms (public key)
  • RSA (Rivest, Shamir, Adleman)
  • DH (Diffie-Hellman Key Agreement Algorithm)
  • ECDH (Elliptic Curve Diffie-Hellman Key Agreement
    Algorithm)
  • RPK (Raike Public Key)

15
Currently Available Technologies
  • PGP (Pretty Good Privacy): a hybrid encryption
    technology
  • Message is encrypted using a private key
    algorithm (IDEA)
  • Key is then encrypted using a public key
    algorithm (RSA)
  • For file encryption, only IDEA algorithm is used
  • PGP is free for home use

16
Authentication and Digital Signatures
  • Preventing impostor attacks
  • Preventing content tampering
  • Preventing timing modification
  • Preventing repudiation
  • By:
      • Encryption itself
      • Cryptographic checksum and hash functions

17
Digital Signatures
  • Made by encrypting a message digest
    (cryptographic checksum) with the sender's
    private key
  • Receiver decrypts with the sender's public key
    (roles of private and public keys are flipped)

18
PKI and CA
  • Digital signature does not confirm identity
  • Public Key Infrastructure provides a trusted
    third party's confirmation of a sender's
    identity
  • Certification Authority is a trusted third party
    that issues identity certificates

19
Problems with CAs and PKI
  • Who gave CA the authority to issue certificates?
    Who made it trusted?
  • What good are the certificates?
  • What if somebody digitally signed a binding
    contract in your name by hacking into your
    system?
  • How secure are CAs' practices? Can a malicious
    hacker add a public key to a CA's directory?

20
Currently Available Technologies
  • MD4 and MD5 (Message Digest)
  • SHA-1 (Secure Hash Algorithm version 1)
  • DSA (The Digital Signature Algorithm)
  • ECDSA (Elliptic Curve DSA)
  • Kerberos
  • OPS (Open Profiling Standard)
  • VeriSign Digital IDs

21
JAVA and XML Cryptography
  • java.security package includes classes used for
    authentication and digital signature
  • javax.crypto package contains Java Cryptography
    Extension classes
  • XML makes it possible to encrypt or digitally
    sign parts of a message, different encryption for
    different recipients, etc.

22
XML Crypto Document
Listing 1. Information on John Smith showing his
bank, limit of $5,000, card number, and
expiration date
v2' John Smith CreditCard Limit'5,000' Currency'USD'
4019 2445 0277 5567
Bank of the Internet
04/02

(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)
23
XML Crypto document
Listing 2. Encrypted document where all but name
is encrypted
John Smith ryptedData Type'http//www.w3.org/2001/04/xmlenc
Element' xmlns'http//www.w3.org/2001/
04/xmlenc' eA23B45C56

(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)
24
Benefits of Cryptographic Technologies
  • Data secrecy
  • Data integrity
  • Authentication of message originator
  • Electronic certification and digital signature
  • Non-repudiation

Source: http://www.princeton.edu/hos/h398/matrix.jpg
25
Potential Problems with Cryptographic
Technologies?
  • False sense of security if badly implemented
  • Government regulation of cryptographic
    technologies/export restrictions
  • Encryption prohibited in some countries

Source: http://www.tudor-portraits.com/Mary%20Scots%20B.jpg
26
How Secure are Today's Technologies?
  • $250,000 machine cracks 56-bit-key DES code in 56
    hours
  • IDEA, RC5, RSA, etc. resist complex attacks when
    properly implemented
  • distributed.net cracked a 64-bit RC5 key (1,757
    days and 331,252 people) in July, 2002
  • A computer that breaks DES in 1 second will take
    149 trillion years to break AES!
  • Algorithms are not theoretically unbreakable:
    successful attacks in the future are possible

27
How Secure are Today's Technologies?
  • Encryption does not guarantee security!
  • Many ways to beat a crypto system are NOT dependent
    on cryptanalysis, such as:
      • Viruses, worms, hackers, etc.
      • TEMPEST attacks
      • Unauthorized physical access to secret keys
  • Cryptography is only one element of comprehensive
    computer security

28
The Future of Secret Writing
  • Quantum cryptanalysis
  • A quantum computer can perform a practically
    unlimited number of simultaneous computations
  • Factoring large integers is a natural application
    for a quantum computer (necessary to break RSA)
  • Quantum cryptanalysis would render ALL modern
    cryptosystems instantly obsolete

Source: http://www.media.mit.edu/quanta/5-qubit-molecule.jpg
29
When will it happen?
  • 2004: 10-qubit special purpose quantum computer
    available
  • 2006: factoring attacks on RSA algorithm
  • 2010 through 2012: intelligence agencies will
    have quantum computers
  • 2015: large enterprises will have quantum
    computers

Source: The Gartner Group

30
What is to be done?
  • The Gartner Group recommends:
      • Develop migration plans to stronger crypto by
        2008
      • Begin implementation in 2010

31
The Future of Secret Writing (continued)
  • Quantum encryption
  • No need for a quantum computer
  • A key cannot be intercepted without altering its
    content
  • It is theoretically unbreakable
  • Central problem is transmitting a quantum message
    over a significant distance

Source: http://qubit.nist.gov/Images/OptLat.jpg
32
Houston Resources
  • University of Houston
  • Crypto courses
  • Ernst Leiss
  • Rice University Computer Science Dept
  • Crypto research and offers crypto training
  • Dan Wallach (security of WAP, WEP, etc.)
  • Companies
  • EDS
  • RSA Security
  • Schlumberger
  • SANS Institute

33
  • Your questions are welcome!