Download presentation
Presentation is loading. Please wait.
1
Chapter 11 Basic Cryptography
Security+ Chapter 11 Basic Cryptography Modified 9/29/15 - jw
2
Objectives Define cryptography
Describe hash, symmetric, and asymmetric cryptographic algorithms List the various ways in which cryptography is used
3
Introduction So far we have covered a Multilevel approach to information security Example - Physical Security Example - Network Security Second level of protection Encryption of document contents If attackers penetrate the host and reach data, they still must uncover key to unlock encrypted contents: a virtually impossible task (if encryptions are properly applied) As more data taken off-premises it becomes increasingly important to use encryption
4
Defining Cryptography
Cryptography – scrambles data The science of transforming information into an unintelligible secure form while it is being transmitted or stored so that unauthorized users cannot access it. Simply put - scrambles data
5
Defining Cryptography
Steganography– hides data Hides the existence of the data What appears to be a harmless image, audio, or video files can contain hidden data embedded in the file Achieved by dividing data and hiding in unused portions of the file Ch11k: Terrorist instructions hidden online Ch11L: The ancient art of hidden writing
6
Source: USA Today 02/05/2001
7
Source: BBC 7/2/2010
8
Data hidden by Steganography
9
What is Cryptography? (cont’d.)
Origins of cryptography - Used by Julius Caesar Caesar Cipher Caesar shifted each letter of his messages to his generals three places down in the alphabet So BURN THE BRIDGE becomes EXUQ WKH EUKFIG Link: History of Cryptography A D B E C F D G E H F I G J H K
10
What is Cryptography? (cont’d.)
Encryption Changing original text into a secret message using cryptography Decryption Changing a secret message back to its original form
11
What is Cryptography? (cont’d.)
Cleartext Data stored or transmitted without encryption Plaintext Data to be encrypted Input into an encryption algorithm Ciphertext Data that has been encrypted
12
What is Cryptography? (cont’d.)
Algorithm Procedures based on mathematical formula used to encrypt and decrypt data Key Mathematical value entered into the algorithm to produce ciphertext (scrambled text) Reverse process uses a key to decrypt the message
13
Figure 11-2 Cryptography process
© Cengage Learning 2012
14
Cryptography and Security
Cryptography can provide five basic information protections Confidentiality Insures only authorized parties can view it Integrity Insures information is correct and unaltered Availability Authorized users can access it Guarantee Authenticity of the sender Enforce Non-repudiation Proves that a user performed an action User cannot deny the performed action
15
Table 11-1 Information protections by cryptography
16
Data Processed One of fundamental differences in cryptographic algorithms is amount of data that is processed at a time: Stream cipher Takes one character and replaces it with one character Block cipher Manipulates entire block of plaintext at one time Sponge function Takes as input a string of any length, and returns a string of any requested variable length Data Processed One of fundamental differences in cryptographic algorithms is amount of data that is processed at a time: Stream cipher - Takes one character and replaces it with one character Block cipher - Manipulates entire block of plaintext at one time Sponge function - Takes as input a string of any length, and returns a string of any requested variable length
17
Cryptographic Algorithms
Three categories of cryptographic algorithms Hash algorithms Symmetric encryption algorithms Asymmetric encryption algorithms
18
Hashing Algorithms Hashing is a one-way process
Converting a hash back to the original data is difficult or impossible A hash is a unique “signature” for a set of data This signature, called a hash or digest, represents the contents Hashing is used only for integrity to ensure that: Information is in its original form (Comparison Purposes) No unauthorized person or malicious software has altered the data Common hash algorithms MD5, SHA-1
19
Example of Hashing Example of hashing concept:
12 * 34 = 408 If user asked to determine the two numbers used to create the number 408, it would not be possible to “work backward” and derive the original numbers with absolute certainty because there are too many mathematical possibilities , 407+1, 999‒591, , etc. Hashing is similar: used to create a value, but it is not possible to determine the original set of data Example of Hashing Example of hashing concept: 12 * 34 = 408 If user asked to determine the two numbers used to create the number 408, it would not be possible to “work backward” and derive the original numbers with absolute certainty because there are too many mathematical possibilities , 407+1, 999‒591, , etc. Hashing is similar: used to create a value, but it is not possible to determine the original set of data
20
Hashing Algorithms (cont’d.)
Secure hashing algorithm characteristics Fixed size Short and long data sets have the same size hash Unique Two different data sets cannot produce the same hash, which is known as a collision Original Dataset cannot be created to have a desired or predefined hash Secure Resulting hash cannot be reversed to determine original plaintext data
21
Hashing Algorithms (cont’d.)
Hashing used to determine message integrity Can protect against man-in-the-middle attacks Figure 11-4 Man-in-the-middle attack defeated by hashing © Cengage Learning 2012
22
Hashing Algorithms (cont’d.)
Collisions – Weakness Normally a hash is used to verify that a file has not been altered. If two files have the same hash value, they are expected to be identical. If two non identical files have the same hash value, then a Collision has occurred
24
Hashing Algorithms (cont’d.)
Hash values are often posted on download sites Used to verify file integrity after download
25
Hashing Algorithms Only Ensure Integrity
Table 11-2 Information protections by hashing cryptography © Cengage Learning 2012
26
Cryptographic Algorithms (cont’d.)
Most common hash algorithms Message Digest Secure Hash Algorithm Whirlpool RIPEMD Password hashes Online Hash Calculators
27
Message Digest (MD) Algorithm
Common hash algorithm Suffer from collisions Not secure Three versions Message Digest 2 (MD2) Takes plaintext of any length and creates 128 bit hash Padding added to make short messages 128 bits Considered too slow today and rarely used Message Digest 4 (MD4) Has flaws and was not widely accepted See links Ch 11b, c, d
28
Message Digest (MD) Algorithm (cont’d.)
Designed to address MD4’s weaknesses Message length padded to 512 bits Weaknesses in compression function could lead to collisions Security experts recommend using a more secure hash algorithm
29
Secure Hash Algorithm (SHA) (cont’d.)
Designed by NSA More secure than MD No weaknesses identified SHA-0 Design flaw and never implemented SHA-1 Patterned after MD4 and MD5, but creates a hash that is 160 bits in length instead of 128 bits
30
Secure Hash Algorithm (SHA) (cont’d.)
Comprised of six variations SHA-224 SHA-256 SHA-384 SHA-512/224 SHA-512/256 SHA-512 Note: Names relate to the length of the digest output Considered to be a secure hash
31
Secure Hash Algorithm (SHA) (cont’d.)
New NIST published standard Link: NIST hash function competition - Wikipedia
32
Whirlpool Algorithm Whirlpool Recent cryptographic hash
Has received international recognition and adoption by standards organizations Creates hash of 512 bits Used by TrueCrypt
33
RIPEMD Algorithm Race Integrity Primitives Evaluation Message Digest (RIPEMD) Two different and parallel chains of computation Results are combined at end of process
34
Hashing Algorithms (cont’d.)
Hashed Message Authentication Code (HMAC) Hash variation providing improved security Uses secret key possessed by sender and receiver Receiver uses key to decrypt the hash May be used to simultaneously verify both the data integrity and the authenticity Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly
35
Using HMAC A MITM attacker could change the "correct" hash value to fool the recipient The general solutions for such MITM attacks are A trusted third party A shared secret HMAC uses a shared secret key for this reason
36
Password Hashes Another use for hashes is in storing passwords
When a password for an account is created, the password is hashed and stored The Microsoft NT family of Windows operating systems hashes passwords in two different forms LAN Manager hash New Technology LAN Manager (NTLM) hash
37
LANMAN Password Hashes
Used in Microsoft Windows through Windows XP to hash passwords Very old and weak, easily cracked with rainbow tables Too insecure to be trusted Should be disabled in Local Security Policy on Windows XP or earlier systems
38
Disabling LANMAN Hashes
39
LANMAN Algorithm Password: Xydke23498Qq Break into 7-character fields
Change letters to UPPERCASE XYDKE23 498QQ Hash each field separately, using DES
40
NTLM Password Hashes Microsoft's replacement for LANMAN
NTLMv1 uses MD4 Considered compromised Still used for logon passwords NTLMv2 uses MD5 More secure, used for network authentication
41
NTLMv2 in Windows XP
42
NTLMv2 in Windows Versions
From the Windows 7 Local Security Policy setting's "Explain" tab
43
Password Hashes (cont’d)
Linux and Apple Mac strengthen password hashes by including random bit sequences Known as a salt Make password attacks more difficult Apple Mac OS X uses SHA-1 hashes Most Linux Systems use MD5 hashes
44
Symmetric Cryptographic Algorithms
Understanding symmetric algorithms Use the same single key used to encrypt plaintext and decrypt ciphertext Also called private key cryptography Key must be kept private (confidential)
45
Symmetric Cryptographic Algorithms
Original cryptographic algorithms Data Encryption Standard (DES) Triple Data Encryption Standard (3DES) Advanced Encryption Standard (AES) Several other algorithms Rivest Cipher (RC) International Data Encryption Algorithm (IDEA) Blowfish
46
Figure 11-6 Symmetric (private key) cryptography
© Cengage Learning 2012
47
Symmetric Cryptographic Algorithms (cont’d.)
Two symmetric algorithm categories Based on amount of data processed at a time Stream Cipher Takes one character and replaces it with one character Block cipher Manipulates an entire 8 to 256 byte block of plaintext at one time
48
Symmetric Cryptographic Algorithms (cont’d.)
Stream cipher Takes one character and replaces it with one character Simplest type: substitution cipher WEP (Wired Equivalent Protocol) is a stream cipher Figure 11-7 Stream cipher © Cengage Learning 2012
49
Symmetric Cryptographic Algorithms (cont’d.)
Monoalphabetic substitution cipher Easy to break The simplest type of stream cipher Simply substitutes one letter or character for another Figure 11-8 Substitution cipher © Cengage Learning 2012
50
Symmetric Cryptographic Algorithms (cont’d.)
Polyalphabetic substitution cipher Single plaintext character mapped to multiple ciphertext character Enigma Machine
51
Symmetric Cryptographic Algorithms (cont’d.)
Transposition cipher Rearranges letters without changing them Figure 11-9 Transposition cipher © Cengage Learning 2012
52
Symmetric Cryptographic Algorithms (cont’d.)
Final step in most symmetric ciphers Combine cipher stream with plaintext using XOR function to create the ciphertext Figure Combine ciphertext © Cengage Learning 2012
53
Symmetric Cryptographic Algorithms (cont’d.)
XOR binary logic operation Typical use of binary operations such as XOR: 1 + 1 = 0 0 + 0 = 0 1 + 0 = 1 0 + 1 = 1 Figure Combine ciphertext © Cengage Learning 2012
54
One-Time Pad (OTP) Creates a truly random key to combine with the plaintext Considered secure if random, kept secret, and not reused A printed list of random numbers Effectively a very long shared-secret key Each part of the key is used only once Considered unbreakable Key must be random Key must be as long as the message Key is never re-used
55
RSA Tokens These things SHOULD be one-time pads
They aren't—RSA held some sort of master key and got hacked in 2011, compromising their security
56
Symmetric Cryptographic Algorithms (cont’d.)
Block cipher Manipulates an entire block of plaintext at one time Plaintext message is divided into separate blocks of 8 to 256 bytes and then each block is encrypted independently Blocks randomized for additional security
57
Symmetric Cryptographic Algorithms (cont’d.)
Stream cipher advantages Fast when the plaintext is short Stream cipher disadvantages Consumes much processing power if plaintext is long More prone to attack because engine generating the stream does not vary Block ciphers are considered more secure than Stream Ciphers because output is more random
58
Information Protections by Symmetric Cryptography
59
Symmetric Cryptographic Algorithms (cont’d.)
Data Encryption Standard (DES) Based on IBM’s Lucifer product (128 bit keys) originally designed in early 1970s Declared as a standard by the U.S Government DES is a block cipher and encrypts data in 64-bit blocks Breakable? Uses 56-bit key, very insecure Has been broken many times No longer considered secure
60
Data Encryption Standard (DES) (continued)
In 1988, NSA thought the standard was at risk to be broken In 1997, a DES key was broken in 3 months In 1998, the EFF built a a computer system that cracked a DES key in 3 days 2008 – DES broken in less than one day
61
Symmetric Cryptographic Algorithms (cont’d.)
Triple Data Encryption standard (3DES) Designed as a secure replacement for DES Uses three rounds of DES encryption Effective key length 112 bits Ciphertext of first round becomes input for second iteration Most secure versions use different keys used for each round Performs better in hardware than as software
62
Figure DES © Cengage Learning 2012
63
Symmetric Cryptographic Algorithms (cont’d.)
Advanced Encryption Standard (AES) Symmetric cipher approved by NIST in 2000 as a replacement for DES Official encryption standard used by the U.S. government Performs three steps on every block of plaintext Designed to be secure well into the future Considered secure – has not been cracked, but ????
64
Animation of AES Algorithm
65
Other Algorithms Rivest Cipher (RC) Family (RC1 to RC6)
Family of cipher algorithms designed by Ron Rivest RC4 – Stream cipher with Keys up to 128bits in length. Used in WEP and WPA International Data Encryption Algorithm (IDEA) Used in European nations Block cipher processing 64 bits with a 128-bit key with 8 rounds
66
Other Algorithms Blowfish Twofish
Block cipher operating on 64-bit blocks with key lengths from bits No significant weaknesses have been identified Twofish Derivation of Blowfish considered to be a strong algorithm Not as widely used as Blowfish
67
Asymmetric Cryptographic Algorithms
Asymmetric algorithms were developed to deal with the weakness of symmetric algorithms Distributing and maintaining a secure single key among multiple users distributed geographically Also known as public key cryptography Uses two mathematically related keys The public key is known to everyone and can be freely distributed The private key is known only to the owner of the key
68
Asymmetric Cryptographic Algorithms (cont’d.)
Important principles Key pairs Requires pair of keys Public key Does not need to be protected Private key Must be kept private (confidential) Both directions Document encrypted with public key can be decrypted with corresponding private key (and document encrypted with private key can be decrypted with public key)
69
Key Use Data encrypted with the public key must be decrypted with the private key Data encrypted with the private key must be decrypted with the public key Private keys are kept secret and never shared Public keys are distributed widely, in certificates or key servers
70
Figure 11-12 Asymmetric (public key) cryptography
© Cengage Learning 2012
71
Asymmetric Cryptographic Algorithms (cont’d.)
Digital signature Verifies the sender Prevents sender from disowning the message (non-repudiation) Proves message integrity A digital signature does not encrypt the message, it only signs it
72
Figure 11-13 Digital signature
© Cengage Learning 2012
73
Table 11-4 Asymmetric cryptography practices
74
Information Protections by Asymmetric Cryptography
75
Asymmetric Cryptographic Algorithms (cont’d.)
RSA Published in 1977 and patented by MIT in 1983 The most common asymmetric cryptography algorithm RSA makes the public and private keys by multiplying two large prime numbers p and q To compute their product (n=pq) It is very difficult to factor the number n to find p and q Finding the private key from the public key would require a factoring operation RSA is complex and slow, but secure 100 times slower than DES
76
Asymmetric Cryptographic Algorithms (cont’d.)
Elliptic curve cryptography (ECC) Users share one elliptic curve and one point on the curve An elliptic curve is a function drawn on an X-Y axis as a gently curved line By adding the values of two points on the curve, you can arrive at a third point on the curve Uses less computing power than prime number-based asymmetric cryptography
77
Asymmetric Cryptographic Algorithms (cont’d.)
Elliptic curve cryptography (ECC) cont’d Faster and more efficient than RSA ECC can use much smaller keys than RSA while being as secure (512 bits with ECC equals the security of a 15,260 bit RSA key) Elliptic Curve Digital Signature Algorithm (ECDSA) is used for signing and key exchange. Uses elliptic curves instead of prime numbers to calculate keys Used on small wireless devices because of lower power consumption Approved by NIST in 2005
78
Figure 11-14 Elliptic curve cryptography (ECC)
© Cengage Learning 2012
79
NTRUEncypt NTRUEncypt: Uses lattice-based cryptography
Relies on a set of points in space Faster than RSA and ECC More resistant to quantum computing attacks NTRUEncypt NTRUEncypt: Uses lattice-based cryptography Relies on a set of points in space Faster than RSA and ECC More resistant to quantum computing attacks
80
Lattice-Based Cryptography (Figure 5-11)
A grid of dots. A line connects one of the dots to four other dots.
81
Asymmetric Cryptographic Algorithms (cont’d.)
Quantum cryptography Exploits the properties of microscopic objects such as photons Does not depend on difficult mathematical problems Send a secret key one photon at a time A photon can only be measured once because measuring it destroys it If the key gets to the recipient undamaged, that proves no one else snooped on it
82
Commercial Quantum Cryptography Devices
$82,000 for a pair of devices in 2010
83
Key Exchange Key exchange - Problem of sending and receiving keys
Out-of-band - Make the exchange outside of normal communication channels In-band - Key exchange that occurs within normal communications channel Key Exchange Key exchange - Problem of sending and receiving keys Out-of-band - Make the exchange outside of normal communication channels In-band - Key exchange that occurs within normal communications channel
84
Symmetric Keys Asymmetric encryption is strong, but resource intensive
It is considered too slow to encrypt all traffic Instead, it is often used to share a symmetric key which is then used to encrypt data
85
In-Band Key Exchange: Diffie-Hellman
Not an encryption system An in-band key exchange algorithm to share a private key between two parties Had been a military secret, but it was independently re-invented by civilian mathematicians The basis for public-key cryptography
86
In-Band Key Exchange: Diffie-Hellman Ephemeral
Diffie-Hellman Ephemeral (DHE) Similar to DH but uses different keys Ephemeral keys are temporary keys that are used only once and then discarded In-Band Key Exchange: DH and DHE Diffie-Hellman (DH) - Requires Alice and Bob to each agree upon a large prime number and related integer; two numbers can be made public, yet Alice and Bob, through mathematical computations and exchanges of intermediate values, can separately create the same key Diffie-Hellman Ephemeral (DHE) - Uses different keys (Ephemeral keys are temporary keys that are used only once and then discarded)
87
In-Band Key Exchange: ECDH and Perfect Forward Secrecy
Elliptic Curve Diffie–Hellman (ECDH) Uses elliptic curve cryptography instead of prime numbers in its computation Perfect forward secrecy Public key systems that generate random public keys that are different for each session. If the secret key is compromised, it cannot reveal the contents of more than one message In-Band Key Exchange: ECDH and Perfect Forward Secrecy Elliptic Curve Diffie–Hellman (ECDH) - Uses elliptic curve cryptography instead of prime numbers in its computation Perfect forward secrecy - Public key systems that generate random public keys that are different for each session; value of perfect forward secrecy is that if the secret key is compromised, it cannot reveal the contents of more than one message
88
Using Cryptography Cryptography
Should be used to secure data that needs to be protected Can be applied through either software or hardware
89
Encryption Through Software
File and file system cryptography Encryption software can be applied to one or many files Protecting groups of files Based on operating system’s file system
90
Encryption Through Software
Pretty Good Privacy (PGP) One of the most widely used asymmetric cryptography system for files and messages on Windows systems GNU Privacy Guard (GPG) Similar open-source PGP program Runs on Windows, UNIX, and Linux PGP and GPG use both asymmetric and symmetric cryptography
91
File System Encryption
Microsoft Windows Encrypting File System (EFS) Cryptography system for Windows Uses the Windows NTFS file system Tightly integrated with the file system, so file encryption and decryption are transparent to the user Users can set encryption attribute for a file in the Advanced Attributes dialog box
92
File System Encryption
TrueCrypt NOT SECURE Open-source, free, and can encrypt folders or files Developer says migrate from TrueCrypt to BitLocker
93
Whole Disk Encryption Whole disk encryption- Protects all data on a hard drive Windows BitLocker A hardware-enabled data encryption feature Can encrypt the entire Windows volume Includes Windows system files as well as all user files Encrypts the entire system volume, including the Windows Registry and any temporary files that might hold confidential information Apple FileVault - encrypts a user's home folder or whole disk
94
Cold Boot Attack Can defeat all currently available whole disk encryption techniques (link Practical?
95
"Evil Maid" Attacks on Encrypted Hard Drives
96
Hardware Encryption Software encryption can be subject to attacks to exploit its vulnerabilities Cryptography can be embedded in hardware to provide a higher degree of security Can be applied to USB devices and standard hard drives
97
Hardware Encryption (cont’d.)
USB device encryption Encrypted hardware-based flash drives Will not connect a computer until correct password has been provided All data copied to the drive is automatically encrypted Tamper-resistant external cases Administrators can remotely control and track activity on the devices Stolen drives can be remotely disabled
98
Hardware Encryption (cont’d.)
Hard disk drive encryption Self-encrypting hard disk drives protect all files stored on them Drive and host device perform authentication process during initial power up If authentication fails, drive can be configured to deny access or even delete encryption keys so all data is permanently unreadable
99
Hardware Encryption (cont’d.)
Trusted Platform Module (TPM) A chip on the motherboard of the computer that provides cryptographic services Includes a true random number generator Entirely done in hardware so cannot be subject to software attack Prevents computer from booting if files or data have been altered Prompts for password if hard drive moved to a new computer
100
Hardware Encryption (cont’d.)
Trusted Platform Module (TPM) TPM support implement in Windows Vista, 7 and 8 No native Linux and MacOSX support Leaked German government documents claim Windows 8 and TPM backdoor big enough to drive a bus through….. sideways.
101
Hardware Encryption (cont’d.)
Hardware Security Module (HSM) Secure cryptographic processor Includes onboard key generator and key storage facility Performs accelerated symmetric and asymmetric encryption Can provide services to multiple devices over a LAN
102
Summary Cryptography is science of transforming information into a secure form while being transmitted or stored Hashing creates a unique digital fingerprint that represents contents of original material Used only for comparison Symmetric cryptography uses a single key to encrypt and decrypt a message Stream ciphers and block ciphers
103
Summary (cont’d.) Asymmetric cryptography
Public key cryptography Uses two keys: public key and private key Can be used to create a digital signature Cryptography can be applied through hardware or software Hardware encryption cannot be exploited like software cryptography
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.