chapter 17 security. information systems cryptography key exchange protocols password combinatorics...
TRANSCRIPT
Chapter 17
Security
Information Systems
•Cryptography•Key Exchange Protocols•Password Combinatorics•Other Security Issues
12-2
Chapter Goals
• Cryptography Techniques• Information Security Issues
12-3
Cryptography and Information Security
12-4
5
Cryptography
CryptographyThe field of study related to encoded information (comes from Greek word for "secret writing")EncryptionThe process of converting plaintext into ciphertextDecryptionThe process of converting ciphertext into plaintext
6
Cryptography
plaintextmessage
ciphertextmessage
Encryption
Decryption
Encrypted(Information) cannot be read (understood )
Decrypted(Encrypted(Information)) can be
7
Cryptography
CipherAn algorithm used to encrypt and decrypt textKeyThe set of parameters that guide a cipher
•Neither is any good without the other•Need to keep at least one of these secret•(or even better, both)
8
Cryptography
Substitution cipher --A cipher that substitutes one character with another
Caesar cipher --A substitution cipher that shifts characters a certain number of positions in the alphabet
Transposition ciphers --A cipher that rearranges the order of existing characters in a message in a certain way (e.g., a route cipher)
9
Substitution cipherA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Encrypt(COMPUTER) = FRPSXWHU
Decrypt(FRPSXWHU) = COMPUTER
Why is this called the Caesar cipher?What is the key?
10
Transposition CipherT O D A Y
+ I S + M
O N D A Y
Algorithm 1:Write across rows Read down columns
Encrypt(TODAY IS MONDAY) = T+OOINDSDA+AYMY
The key is the table dimensions, 5 x 3
11
Transposition CipherT O D A Y
+ I S + M
O N D A Y
Algorithm 2:Write across rows Read in a counter clockwise spiral from top-left
Encrypt(TODAY IS MONDAY) = T+ONDAYMYADOIS+
12
Cryptanalysis
CryptanalysisDecrypting a message without knowing the cipher or the key
Substitution and transposition ciphers are easy for modern computers to break using frequency analysis of characters and patterns
To protect information more sophisticated schemes are needed
13
Cryptanalysis withFrequency analysis
Frequency AnalysisBreaking a cipher by looking for the frequency of letters (or other patterns)
English
Letter Frequency A 8.23B 1.26C 4.04D 3.40E 12.32F 2.28G 2.77H 3.94I 8.08J 0.14K 0.43L 3.79M 3.06N 6.81O 7.59P 2.58Q 0.14R 6.67S 7.64T 8.37U 2.43V 0.97W 1.07X 0.29Y 1.46Z 0.09
Encryption Standards
There are 2 standard encryption systems:
1)3DES aka Private Key CryptographyEfficient, but needs a secret key!
2)RSA aka Public-Key CryptographyActually uses a pair of keys, one public, one private
12-14
15
3DES (Triple Data Encryption Standard)
3DES•Uses multiple substitutions and transpositions to hide patterns•Etext appears essentially random•it is very hard to crack
The cipher algorithm is publicThe key is kept secret
16
3DES (Triple Data Encryption Standard)
3DESSince the cipher is public, bad guys can always try to guess the key
The key is 128 bits so quessing takes a loooooooooooooooong time: 2 ^ 128 = 340,000,000,000,000,000,000,000,000,000,000,000,000 keys
PROBLEM: How to keep the key secret????
17
RSA Public Key Cryptography
Public-key cryptography•There are two related keys, one public and one private
•Sender encrypts an outgoing message, using the Receiver's public key •Only the Receiver's private key can decrypt the message
Exchanging Secret Keys
• 3DES is a more efficient algorithm than RSA• However, the problem with 3DES is how to do
the secret exchange of the private “session key” between sender and receiver
• RSA can help with this exchange
12-18
RSA Public Key Cryptography
Session Key Exchange
1)B generates a “session key”, encrypts it using A’s public key, and sends it to A
2)A uses its private key to decrypt the session key
12-19
3 Things RSA can help do
• Session Key Exchange• Used to exchange 3DES “session keys”
• Authentication - Are you who you say you are? – Like a written signature says: “I am me”
• Certification - Are you a “good guy”– Like a drivers license says “CA says I can drive”– Or a Diploma says “FLC says I am educated”
12-20
21
AuthenticationDigital Signatures
Key Exchange Protocol with Authentication:• A encrypts a random number using B’s public key• B decrypts A’s number using B’s private key,
combines the number with a Session Key, encrypts the whole message using A’s public key, and sends it to A
• A decrypts the message using A’s private key, if the random number matches the message must be from B. – (Or at least from the same person who sent “B’s public key”)
22
Certification
Digital certificateUses a Third Party to prove you are a “good guy”
Example: Verisign
Made possible by RSA key pairsCertificates can only be decrypted by Certificate Issuer, essentially validating the certificate bearer
Passwords Combinations
12-23
24
Password Strength
Math number bases can be used to calculate password strength
Questions
how many combinations are there for a 4 digit base ten number?
how about a 4 digit binary number?
How about a 4 (capital) letter password?
25
Password Strength
Answers
9999 = 9999
11112 = 1510
ZZZZ = ??
More Security Issues
12-26
27
Computer SecurityMalicious Code
A computer program that attempts to bypass appropriate authorization and/or perform unauthorized functions
Worm stands alone, targets network resources
Trojan horse disguised as benevolent resource
Virus self-replicating
Logic bomb set up to execute at system event
28
Computer SecuritySecurity Attacks
An attack on the computer system itself
Password guessing
Phishing trick users into revealing security information
Spoofing malicious user masquerades as authorized user
Back door unauthorized access to anyone who knows it exists
29
Computer Security
Denial-of-service attack that overwhelms a system
Man-in-the-middle network communication is intercepted in an attempt to obtain key data