INFORMATION SECURITY MANAGEMENT

PROTECTION MECHANISMS - CRYPTOGRAPHY

Cryptography

• Encryption

• Cryptology

Cryptography (cont’d.)

• Algorithm• Key• Keyspace

Encipher

Cryptosystem

Decipher

Common Ciphers

Most commonly used algorithms include three functions:

Substitution

Transposition Plaintext: 0010…Key: 1 > 3, 2 > 4, 3 > 2, 4 > 1, …

Example: FROM -> MOFR

Common Ciphers

• XOR • ‘0’ XOR’ed with ‘0’ results in a ‘0’. (0 0 = 0)• ‘0’ XOR’ed with ‘1’ results in a ‘1’. (0 1 = 1)• ‘1’ XOR’ed with ‘0’ results in a ‘1’. (1 0 = 1)• ‘1’ XOR’ed with ‘1’ results in a ‘0’. (1 1 = 0)• If the two values are the same, you get “0”; if not, you get “1”• Process is reversible; if you XOR the ciphertext with the key

stream, you get the plaintext

01010111 01101001 01101011 01101001

11110011 11110011 11110011 11110011

= 10100100 10011010 10011000 10011010

10100100 10011010 10011000 10011010

11110011 11110011 11110011 11110011

= 01010111 01101001 01101011 01101001

Common Ciphers

• Book or running key cipher– Uses text in a book as the algorithm to decrypt a

message

– The key relies on two components:• Knowing which book to use• A list of codes representing the page number, line

number, and word number of the plaintext word

Symmetric Encryption

– Known as private key encryption

– Same key used to encrypt/decrypt the message

Symmetric Encryption Cryptosystem

• Data Encryption Standard (DES) – Based on the Data Encryption Algorithm which uses a

64-bit block size and a 56-bit key– Cracked in 1997– Triple DES (3DES) improved version

• Advanced Encryption Standard (AES)– Based on the Rinjndael Block Cipher

• Variable block length and a key length of either 128, 192, or 256 bits

Asymmetric encryption

Uses two different, but related keys Either key used to encrypt/decrypt message However, if Key A is used to encrypt the message, then

only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it

Most valuable when one of the keys is private and the other is public

Figure 10-12 Public key encryption

Source: Course Technology/Cengage Learning

Asymmetric encryption

Digital Signatures

– Asymmetric process is reversed The fact that the message was sent by the

organization that owns the private key cannot be refuted

This nonrepudiation is the foundation of digital signatures

• Based on:• Digital certificate• A certificate authority (CA)

Public key infrastructure (PKI)

• The entire set of hardware, software, and cryptosystems necessary to implement public key encryption

• PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities

Encryption Operations (cont’d.)

• PKI provides the following services– Authentication– Integrity– Confidentiality– Authorization– Nonrepudiation

Hybrid Systems

– Asymmetric encryption is typically employed in conjunction with symmetric key encryption, creating a hybrid system

– Diffie-Hellman key exchange method– asymmetric encryption is used to exchange

symmetric keys so that two organizations can conduct quick, efficient, secure communications based on symmetric encryption

– Diffie-Hellman provided the foundation for subsequent developments in public key encryption

Encryption Operations (cont’d.)

Figure 10-14 Hybrid encryption

Source: Course Technology/Cengage Learning

Using Cryptographic Controls

• Modern cryptosystems can generate unbreakable ciphertext

• Cryptographic controls used for:– e-mail and its attachments– e-commerce transactions– remote access through VPN connections

Email Cryptographic Controls

• Secure Multipurpose Internet Mail Extensions (S/MIME)

• Privacy Enhanced Mail (PEM)

Email Cryptographic Controls

• Pretty Good Privacy (PGP)

– Uses the IDEA Cipher• A 128-bit symmetric key block encryption algorithm

with 64-bit blocks for message encoding

– Like PEM, it uses RSA for symmetric key exchange and to support digital signatures

Securing the Web

• IP Security (IPSec)– The primary and dominant cryptographic authentication

and encryption product of the IETF’s IP Protocol Security Working Group

– Combines several different cryptosystems: • Diffie-Hellman key exchange • Public key cryptography• Bulk encryption algorithms• Digital certificates

Securing the Web

• IPSec works in two modes of operation:– Transport

• Only the IP data is encrypted, not the IP headers themselves

• Allows intermediate nodes to read the source and destination addresses

– Tunnel• The entire IP packet is encrypted and inserted as the

payload in another IP packet– Often used to support a virtual private network

Securing the Web

• Secure Electronic Transactions (SET)– Encrypts credit card transfers with DES for encryption

and RSA for key exchange

• Secure Sockets Layer (SSL)– Uses RSA for key transfer

• On IDEA, DES, or 3DES for encrypted symmetric key-based data transfer

• HTTPS

www.amazon.com

Securing the Web - SSL

Securing the Web

• Secure Shell (SSH)– Provides security for remote access

connections over public networks by using tunneling, authentication services between a client and a server

– Used to secure replacement tools for terminal emulation, remote management, and file transfer applications

Hacking Cryptography

Known plaintext attack

Ciphertext-only attack

Replay attack

Managing Cryptographic Controls

• Don’t lose your keys• Know who you are communicating with• It may be illegal to use a specific encryption

technique when communicating to some nations• Every cryptosystem has weaknesses• Give access only to those with a business need• When placing trust into a certificate authority, ask

“Who watches the watchers?”

Managing Cryptographic Controls (cont’d.)

• There is no security in obscurity• Security protocols and the cryptosystems they use

are installed and configured by humans– They are only as good as their installers

• Make sure that your organization’s use of cryptography is based on well-constructed policy and supported with sound management procedures