Chapter 8: Scrambling Through Cryptography

1
Chapter 8 Scrambling Through Cryptography

• Security Guide to Network Security Fundamentals
• Second Edition

2
Objectives

• Define cryptography
• Secure with cryptography hashing algorithms
• Protect with symmetric encryption algorithms
• Harden with asymmetric encryption algorithms
• Explain how to use cryptography

3
Cryptography Terminology

• Cryptography science of transforming information
  so it is secure while being transmitted or stored
• Steganography attempts to hide existence of data
• Encryption changing the original text to a
  secret message using cryptography

4
Cryptography Terminology

• Decryption reverse process of encryption
• Algorithm process of encrypting and decrypting
  information based on a mathematical procedure
• Key value used by an algorithm to encrypt or
  decrypt a message

5
Cryptography Terminology

• Weak key mathematical key that creates a
  detectable pattern or structure
• Plaintext original unencrypted information (also
  known as clear text)
• Cipher encryption or decryption algorithm tool
  used to create encrypted or decrypted text
• Ciphertext data that has been encrypted by an
  encryption algorithm

6
Cryptography Example
7
Five Key Security Functions

1. Intended to protect the confidentiality of
   information
2. Second function of cryptography is authentication
3. Should ensure the integrity of the information as
   well
4. Should also be able to enforce nonrepudiation,
   the inability to deny that actions were performed
5. Can be used for access control

8
Securing with Cryptography Hashing Algorithms

• One of the three categories of cryptographic
  algorithms is known as hashing.

9
Defining Hashing

• Hashing, also called a one-way hash, creates a
  ciphertext from plaintext
• Hash algorithms verify the accuracy of a value
  without transmitting the value itself and
  subjecting it to attacks
• A practical use of a hash algorithm is with
  automatic teller machine (ATM) cards
• A hash of your PIN is kept on the magnetic strip
  of your ATM card instead of the PIN iteself

10
Defining Hashing (continued)
11
Defining Hashing (continued)

• Hashing is typically used in two ways
• To determine whether a password a user enters is
  correct without transmitting the password itself
• To determine the integrity of a message or
  contents of a file
• A benefit of using a hash value is the password
  itself never has to sent over the media.
• The hash is not intended to be decrypted, it is
  simply used as a comparison value.

12
Hash Algorithm Characteristics

• Hash algorithms are considered very secure if the
  hash that is produced has the following
  characteristics
• Impossible for two different hashes to produce
  the same hash (collision)
• Impossible to produce the message from the hash
• Impossible to produce a desired predefined hash
  value (pseudo-random)
• Hash algorithm itself does not have to be secure
• Hash algorithm produces a hash of a fixed size no
  matter what the size of the input

13
Defining Hashing (continued)
14
Message Digest (MD)

• Message digest 2 (MD2) takes plaintext of any
  length and creates a hash 128 bits long
• MD2 divides the message into 128-bit sections
• If the message is less than 128 bits, data known
  as padding is added
• MD2 was optimized to run on Intel-based computers
  that processed 16 bits at a time.
• Message digest 4 (MD4) was developed in 1990 for
  computers that processed 32 bits at a time
• Takes plaintext and creates a hash of 128 bits
• The plaintext message itself is padded to a
  length of 512 bits
• MD4 was flawed in that it could produce
  collisions and was never widely accepted.

15
Message Digest (MD)

• Message digest 5 (MD5) is a revision of MD4
  designed to address its weaknesses
• The length of a message is padded to 512 bits
• The hash algorithm then uses four variables of 32
  bits each in a round-robin fashion to create a
  value that is compressed to generate the hash
• Weaknesses have been found in the compression
  function of MD5 that could lead to collisions
• Secure Hashing Algorithm (SHA) is the replacement
  for MD5

16
Secure Hash Algorithm (SHA)

• Patterned after MD4 but creates a hash that is
  160 bits in length instead of 128 bits
• The longer hash makes it more resistant to
  attacks
• SHA pads messages less than 512 bits with zeros
  and an integer that describes the original length
  of the message
• SHA was developed in 1993 by the National
  Security Agency (NSA) and the National Inst. of
  Standards and Technology (NIST)
• So far, there have not been any weaknesses found
  in SHA

17
Symmetric Encryption Algorithms

• Most common type of cryptographic algorithm (aka
  private key cryptography)
• Use a single key to encrypt and decrypt a message
  
• With symmetric encryption, algorithms are
  designed to decrypt the ciphertext
• It is essential that the key be kept
  confidential if an attacker secured the key, she
  could decrypt any messages

18
Symmetric Encryption Algorithms

• Can be classified into two distinct categories
  based on amount of data processed at a time
• Stream cipher (such as a substitution cipher)
• Block cipher
• Substitution ciphers substitute one letter or
  character for another
• Monoalphabetic
• Homoalphabetic

19
Symmetric Encryption Example
20
Symmetric Encryption Algorithms

• A monoaphabetic substitution cipher maps a single
  plaintext character to a single ciphertext
  character
• A homoalphabetic substitution cipher maps a
  single plaintext character to multiple ciphertext
  characters
• A transposition cipher rearranges letters without
  changing them
• With most symmetric ciphers, the final step is to
  combine the cipher stream with the plaintext to
  create the ciphertext

21
Transposition Example

• A M A N D A S I G N
• 1 7 2 8 4 3 0 6 5 9
• A P R O F I T W A S
• A C H E I V E D B Y
• O U R AC T U N I T
• AAO RHR IVT FIC ABI WDN PCU OEA SYT TEU

First a key is created and then a number is
assigned to each letter of the key in
alpha- betic order.
1
2
3
4
5
6
7
8
9
0
This process is known as Single Columnar
Transposition.
22
Protecting with Symmetric Encryption Algorithms
(ALGORITHM)
http//mathworld.wolfram.com/XOR.html
http//en.wikipedia.org/wiki/XOR
23
Protecting with Symmetric Encryption Algorithms

• A block cipher manipulates an entire block of
  plaintext at one time
• The plaintext message is divided into separate
  blocks of 8 to 16 bytes and then each block is
  encrypted independently
• The blocks can be randomized for additional
  security
• Block ciphers are more secure than stream ciphers
  because it is difficult to tell what the length
  of the actual input is since the input is padded
  to reach the required block size.
• Block ciphers are also considered more secure
  because their output is more random.

24
Data Encryption Standard (DES)

• One of the most popular symmetric cryptography
  algorithms
• DES is a block cipher and encrypts data in 64-bit
  blocks
• DES encrypts 64-bit plaintext by executing the
  algorithm 16 times to create ciphertext
• There are four modes of DES
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• See pages 282 and 283 for their details

25
Triple Data Encryption Standard (3DES)

• Uses three rounds of encryption instead of just
  one
• The ciphertext of one round becomes the entire
  input for the second iteration
• Employs a total of 48 iterations in its
  encryption (3 iterations times 16 rounds)
• The most secure versions of 3DES use different
  keys for each round other versions use only two
  keys

26
Advanced Encryption Standard (AES)

• Approved by the NIST in late 2000 as a
  replacement for DES
• Process began with the NIST publishing
  requirements for a new symmetric algorithm and
  requesting proposals
• Requirements stated that the new algorithm had to
  be fast and function on older computers with
  8-bit processors as well as 32-bit, and 64-bit
  processors
• AES uses the Rinjdal algorithm

27
Advanced Encryption Standard (AES)

• Performs three steps on every block (128 bits
  16 bytes) of plaintext
• Within step 2, multiple rounds are performed
  depending upon the key size
• 128-bit key performs 9 rounds
• 192-bit key performs 11 rounds
• 256-bit key uses 13 rounds
• To date, no attacks have been successful against
  AES

28
Rivest Cipher (RC)

• Family of cipher algorithms designed by Ron
  Rivest
• He developed six ciphers, ranging from RC1 to
  RC6, but did not release RC1 and RC3
• RC2 and RC5 are block ciphers
• RC2 processes 64 bit blocks
• RC5 has a variable block size (32, 64 or 128
  bits)
• RC4 is a stream cipher that accepts keys up to
  128 bits in length
• RC4 is used for WEP
• RC6 also has three different key lengths
• 128, 192 and 256 bit keys
• http//en.wikipedia.org/wiki/Rivest27s_Cipher

29
International Data Encryption Algorithm (IDEA)

• IDEA algorithm dates back to the early 1990s and
  is used in European nations
• Block cipher that processes 64 bits with a
  128-bit key with 8 rounds
• PGP uses IDEA for symmetric encryption

30
Blowfish

• Block cipher that operates on 64-bit blocks
• Can have a key length from 32 to 448 bits
• To date, no weaknesses have been found

31
Hardening with Asymmetric Encryption Algorithms

• The primary weakness of symmetric encryption
  algorithm is keeping the single key secure
• This weakness, known as key management, poses a
  number of significant challenges
• Asymmetric encryption (or public key
  cryptography) uses two keys instead of one
• The private key typically is used to encrypt the
  message
• The public key decrypts the message

32
Hardening with Asymmetric Encryption Algorithms
33
Rivest Shamir Adleman (RSA)

• Asymmetric algorithm published in 1977 and
  patented by MIT in 1983
• Most common asymmetric encryption and
  authentication algorithm
• Included as part of the Web browsers from
  Microsoft and Netscape as well as other
  commercial products
• Multiplies two large prime numbers
• RSA is slower than other algorithms
• Asymmetric algorithms are slower than symmetric
  algorithms

34
Diffie-Hellman

• Unlike RSA, the Diffie-Hellman algorithm does not
  encrypt and decrypt text
• Strength of Diffie-Hellman is that it allows two
  users to share a secret key securely over a
  public network
• Once the key has been shared, both parties can
  use it to encrypt and decrypt messages using
  symmetric cryptography

35
Elliptic Curve Cryptography

• First proposed in the mid-1980s
• Instead of using prime numbers, uses elliptic
  curves
• An elliptic curve is a function drawn on an X-Y
  axis as a gently curved line
• By adding the values of two points on the curve,
  you can arrive at a third point on the curve

36
Understanding How to Use Cryptography

• Cryptography can provide a major defense against
  attackers
• If an e-mail message or data stored on a file
  server is encrypted, even a successful attempt to
  steal that information will be of no benefit if
  the attacker cannot read it

37
Digital Signature

• Encrypted hash of a message that is transmitted
  along with the message
• Helps to prove that the person sending the
  message with a public key is whom he/she claims
  to be
• Also proves that the message was not altered and
  that it was sent in the first place

38
Digital Signature Process

• Sender creates plaintext message
• Generates hash value of entire message
• Encrypts hash with her own private key
• Encrypts message with receivers public key
• Signature is appended to encrypted message
• Receiver receives encrypted message and signature
• Decrypts hash with senders public key
• Decrypts encrypted message own private key
• Hash algorithm generates new hash to match
  original hash value

39
Benefits of Cryptography

• Five key elements
• Confidentiality
• Authentication
• Integrity
• Nonrepudiation
• Access control

40
Benefits of Cryptography
41
Pretty Good Privacy (PGP) and GNU Privacy Guard
(GPG)

• PGP is perhaps most widely used asymmetric
  cryptography system for encrypting e-mail
  messages on Windows systems
• Commercial product
• Uses RSA or DH for asym and uses IDEA for sym
• GPG is a free product that can be used
  interchangeably with PGP and is supported by all
  OS platforms

42
Pretty Good Privacy (PGP) and GNU Privacy Guard
(GPG) (continued)

• GPG versions run on Windows, UNIX, and Linux
  operating systems
• PGP and GPG use both asymmetric and symmetric
  cryptography
• PGP can use either RSA or the Diffie-Hellman
  algorithm for the asymmetric encryption and IDEA
  for the symmetric encryption

43
Microsoft Windows Encrypting File System (EFS)

• Encryption scheme for Windows 2000, Windows XP
  Professional, and Windows 2003 Server operating
  systems that use the NTFS file system
• Uses asymmetric cryptography and a per-file
  encryption key to encrypt and decrypt data
• When a user encrypts a file, EFS generates a file
  encryption key (FEK) to encrypt the data

44
Microsoft Windows Encrypting File System (EFS)
(continued)

• The FEK is encrypted with the users public key
  and the encrypted FEK is then stored with the
  file
• EFS is enabled by default
• When using Microsoft EFT, the tasks recommended
  are listed on page 293 of the text

45
UNIX Pluggable Authentication Modules (PAM)

• When UNIX was originally developed,
  authenticating a user was accomplished by
  requesting a password from the user and checking
  whether the entered password corresponded to the
  encrypted password stored in the user database
  /etc/passwd
• Each new authentication scheme requires all the
  necessary programs, such as login and ftp, to be
  rewritten to support it

46
UNIX Pluggable Authentication Modules (PAM)
(continued)

• A solution is to use PAMs
• Provides a way to develop programs that are
  independent of the authentication scheme

47
Linux Cryptographic File System (CFS)

• Linux users can add one of several cryptographic
  systems to encrypt files
• One of the most common is the CFS
• Other Linux cryptographic options are listed on
  pages 294 and 295 of the text

48
Summary

• Cryptography seeks to fulfill five key security
  functions confidentiality, authentication,
  integrity, nonrepudiation, and access control
• Hashing, also called a one-way hash, creates a
  ciphertext from plaintext
• Symmetric encryption algorithms use a single key
  to encrypt and decrypt a message

49
Summary

• A digital certificate helps to prove that the
  person sending the message with a public key is
  actually whom they claim to be, that the message
  was not altered, and that it cannot be denied
  that the message was sent
• The most widely used asymmetric cryptography
  system for encrypting e-mail messages on Windows
  systems is PGP