GS: Chapter 3 Encryption, Authentication and Java Cryptography - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

GS: Chapter 3 Encryption, Authentication and Java Cryptography

Description:

Title: Case Study: A Forensic Lesson for Web Security (MSS, part one) Author: T. Andrew Yang Last modified by: Yang Created Date: 1/15/2003 4:02:36 AM – PowerPoint PPT presentation

Number of Views:276
Avg rating:3.0/5.0
Slides: 28
Provided by: T168
Category:

less

Transcript and Presenter's Notes

Title: GS: Chapter 3 Encryption, Authentication and Java Cryptography


1
GS Chapter 3Encryption, Authentication and
Java Cryptography
2
Cryptography Java
  1. Encryption
  2. Authentication
  3. Java Cryptography

3
Encryption
  • Encryption Basics
  • An algorithm (or cipher) and a key are required
    in order to encrypt or decrypt messages.
  • Example the Caesar cipher (p.34)
  • A symmetric, stream cipher
  • Exercise Encrypt DDAY using Caesar cipher (5).
  • Answer IIFD.
  • Q What is the algorithm?
  • Q What is the key?
  • Q How would the cipher be decrypted?

4
Encryption
  • Symmetric Encryptions
  • Both the encrypter and the decrypter share the
    same key.
  • Key space The set of possible keys that work
    with a cipher determined by the number of bits
    used in the cipher.
  • The larger the key space is, the more secure the
    encryption will be.
  • Each additional bit added to the key length
    doubles its security.

5
Encryption
  • Symmetric Encryptions
  • Two types of symmetric ciphers block ciphers and
    stream ciphers.
  • Examples of symmetric encryptions
  • DES (Data Encryption Standard) TripleDES block
    ciphers
  • Blowfish a faster and more secure replacement of
    DES
  • RC4 (Rivests Code 4) a stream cipher
  • AES (Advanced Encryption Standard) a block cipher

6
Encryption
  • Limitations of Symmetric Encryptions
  • Key distribution can be a vulnerability.
  • If the key is exposed, the encrypted message and
    all future communication using the same key will
    suffer the eavesdropping attack.
  • Key management problems distribution, update,
    revoking

7
Encryption
  • Asymmetric Encryptions
  • Also known as public key encryption
  • Messages encrypted with the public key can only
    be decrypted by the corresponding private key.
  • The public key can be made known to the public,
    but the private key is kept as secret and only
    known to the owner of the key.
  • Examples of asymmetric encryption algorithms
  • Merkel Hellman Knapsacks
  • RSA Rivest, Shamir, Adleman
  • El Gamal

8
Encryption
  • Limitations of asymmetric Encryptions
  • Asymmetric encryption requires much larger keys
    than symmetric encryption.
  • A 1024-bit asymmetric key a 128-bit symmetric
    key
  • Why?
  • Asymmetric encryption is much slower ( 1000
    times slower) than symmetric encryption.
  • It is subject to man-in-the-middle attack.
  • Solution? Digital certificates (Ch. 6)

9
Encryption
  • Session-key Encryption
  • A session-key is a symmetric key that is used to
    encrypt the plaintext message. The session key
    itself is encrypted using a public key.
  • Sender
  • C Spub ( S ) Sencrypt (message) ? Recipient
  • Recipient
  • Spriv ( Spub (S) )? S
  • Sdecrypt (Sencrypt (message)) ? message
  • Alternatively, the session key may be assigned an
    expiration time and be used over several sessions.

10
Encryption
  • Examples of Session-key Encryption
  • PGP (Pretty Good Privacy)
  • Originally (1991) used to encrypt e-mail using
    session-key encryption
  • Supports RSA, TripleDES, etc.
  • http//www.pgp.com/
  • S/MIME (Secure/MIME)
  • Invented by RSA to secure e-mail
  • Backed by Microsoft, RSA, and AOL
  • SSL/TLS (Secure Socket Layer/Transport Layer
    Security) Ch. 9
  • Originally an attempt to secure TCP/IP traffic
    using encryptions

11
Encryption
  • Key Agreement Algorithm
  • A key agreement algorithm takes the private and
    the public keys of two distinct parties (Apriv
    Bpub or Apub Bpriv) and generates a common
    shared secret key, which is then used to generate
    a session key. See the diagram on p.41.
  • Diffie-Hellman Key Agreement Algorithm The first
    ever public key encryption
  • Allows two parties to independently generate the
    shared key The session key is never transmitted.
  • References
  • See http//www.apocalypse.org/pub/u/seven/diffie.h
    tml
  • IETF RFC2631 http//www.ietf.org/rfc/rfc2631.txt

12
Encryption
  • Strength of Encryption Algorithms
  • Two factors
  • The algorithm used
  • The size of the key space
  • See the tables comparing symmetric ciphers (p.42)
    and asymmetric ciphers (p.43)

13
Alternative Data-hiding Methods
  • Steganography hiding messages inside another
    message or in a picture.
  • See Steganography Hidden Data. By Deborah
    Radcliff. ComputerWorld. June 10, 2002.
  • Elliptic Curve Cryptography (ECC) based on the
    elliptic curve logarithm problem a more
    efficient public key encryption (faster, smaller
    key size)
  • An intro http//world.std.com/dpj/elliptic.html
  • Codes, one-time pads, etc.

14
Authentication
  • The process of determining the authenticity of a
    message or user.
  • Methods
  • Message Digest
  • a check value generated from a document, usually
    generated by a hash function
  • to prove that the data in the document has not
    been tampered with.
  • Commonly used for password authentication (i.e.,
    one-way authentication)
  • Examples MD4, MD5, SHA (secure hash algorithm)
  • Any problem? Man-in-the-middle attack Why?

15
Authentication Methods
  • MAC (Message Authentication Codes)
  • A message digest created with a key
  • Typically used for data verification in a context
    where a secure connection is already available.
  • Example SSL uses MACs to verify the data
    received, using a secret key that is exchanged at
    the beginning of the session.
  • Example MACs
  • HmacMD5 (Hashing MAC using MD5)
  • HmacSHA1 (Hashing MAC using SHA-1)

16
Authentication Methods
  • Digital Signatures
  • Based on public key encryption
  • Computed with a persons private key and verified
    with the persons public key
  • An example of creating a digital signature p.48
  • The sender applies a message digest algorithm to
    get a message digest (md) out of the message to
    be sent.
  • The message digest is then encrypted by the
    persons private key. The ciphertext is the
    digital signature (ds).
  • To check the digital signature
  • The recipient applies the digest algorithm to get
    a message digest (md-2).
  • The recipient decrypts the ds using the senders
    public key.
  • The output from step 2 is verified against md-2.

17
Authentication Methods
  • Digital Certificates
  • Purpose To authenticate a persons public key
  • Vouching one party certifies that another
    partys identity is authentic. e.g., passport,
    id cards
  • A digital certificate for A is As public key
    plus some identifying information, signed by the
    private key of a certification authority (CA)
    verifying As identity.
  • Other example usage of certificates
  • To authenticate a host/server (e.g., SSL
    certificates)
  • To sign and encrypt e-mail

18
Authentication Methods
  • Digital Certificates (Cont.)
  • Certificates are often chained. That is, a CA
    may be authenticated by a root CA.
  • The top CA of a certificate chain must be
    self-signed.
  • Verisign has been accepted as the top CA.
  • Example of certificate chaining Both Internet
    Explorer and Netscape Communicator include
    certificates from Verisign in their install. So
    when the browser makes an SSL connection to a
    server, if the server presents a certificate that
    is signed by Verisign, the servers certificate
    will be automatically accepted.

19
Cryptanalysis
  • The practice of analyzing and breaking
    cryptography
  • Mehtods
  • Brute force attack versus the key space
  • Common cryptanalytic tools Frequency
    distribution, Digram/trigram study, IC, Repeated
    patterns, Probable letters
  • 4 cryptanalytic cases
  • Ciphertext only ? Ciphertext-only attack
  • Full or partial plaintext
  • Known plaintext attack
  • Probable plaintext analysis
  • Ciphertext of any plaintext ? Chosen plaintext
    attack
  • Algorithm Ciphertext ? Chosen ciphertext attack

20
Key Management (storage)
  • A dilemma Keys must be securely stored while
    allowing users easy access when necessary.
  • A typical solution is to encrypt the stored keys
    with passwords and then protect the storage with
    the OS access control.
  • A key storage is an attractive target for attack.
  • The smart card solution A smart card stores a
    private key and a certificate, which can be used
    to encrypt and/or decrypt information.
  • An example of smart card solution See Protection
    of Keys (RSA vs nCipher)

21
Cryptographical Protocols
  • Cryptographical protocols determine the exact
    order and way in which each algorithm must be
    used in order to maximize security.
  • Examples of protocols
  • Distribution of keys,
  • Certificates, Digital signatures,
  • Key escrow,
  • Mental poker,
  • Electronic voting,
  • oblivious transfer, contract signing,
  • certified mail

22
JCA/JCE
  • Java Cryptography Architecture (JCA) is part of
    the Java 2 run-time environment. ?
    java.security.
  • JCE (Java Cryptography Extension), on the other
    hand, is an extension to the JCA. JCE adds
    encryption and decryption APIs to the JCA. ?
    java.crypto.
  • Major classes defined in JCA
  • MessageDigest, Signature, KeyPairGenerator,
    KeyFactory, CertificateFactory, KeyStore,
    AlgorithmParameters, AlgorithmParameterGenerator,
    SecureRandom,

23
JCA/JCE
  • A cryptographic service provider implements
    various cryptographic algorithms.
  • See page 54 for a list of algorithms implemented
    in the SUN provider (sun.security.provider.Sun),
    Java 2 (v1.2).
  • A second provider, the RSAJCA provider
    (com.sun.rsajca.Provider) is shipped with JDK
    v1.3, to provide RSA-specific cryptos.

24
JCA
  • An example of using MessageDigest in the JCA
  • Get an instance of a message digest.
  • MessageDigest myMessageDigest
  • MessageDigest.getInstance (MD5)
  • Or MessageDigest myMessageDigest
  • MessageDigest.getInstance (MD5,Sun)
  • Add data to be digested.
  • myMessageDigest.update (myData)
  • Get the digest.
  • byte signatureBytes
  • myMessageDigest.digest ( )

25
JCE
  • Major JCE classes
  • Cipher, KeyAgreement, KeyGenerator, MAC,
    SecretKey, SecretKeyFactory
  • JCE needs to be separately downloaded and
    installed if you have JDK older than v1.4.  For
    JDK1.4 or higher, JCE is an integrated component.
     
  • See http//java.sun.com/products/jce/index-14.html
    for more details.

26
JCE
  • Installation of JCE security provider
  • Sample programs http//nas.cl.uh.edu/yang/teachin
    g/csci5931webSecurity/JCE20provider.htm
  • Visit http//sce.cl.uh.edu/yang/teaching/proJavaSe
    curityCode.html and download all the sample
    programs from the book.

27
Next
  • Symmetric Encryption (GS 4)
  • Asymmetric Encryption (GS 5)
Write a Comment
User Comments (0)
About PowerShow.com