information security management
DESCRIPTION
INFORMATION SECURITY MANAGEMENT. Protection Mechanisms - Cryptography. Cryptography. Encryption The process of converting an original message into a form that cannot be understood by unauthorized individuals Cryptology The science of encryption Composed of two disciplines: cryptography - PowerPoint PPT PresentationTRANSCRIPT
INFORMATION SECURITY MANAGEMENT
PROTECTION MECHANISMS - CRYPTOGRAPHY
Cryptography
• Encryption
• Cryptology
Cryptography (cont’d.)
• Algorithm• Key• Keyspace
Encipher
Cryptosystem
Decipher
Common Ciphers
Most commonly used algorithms include three functions:
Substitution
Transposition Plaintext: 0010…Key: 1 > 3, 2 > 4, 3 > 2, 4 > 1, …
Example: FROM -> MOFR
Common Ciphers
• XOR • ‘0’ XOR’ed with ‘0’ results in a ‘0’. (0 0 = 0)• ‘0’ XOR’ed with ‘1’ results in a ‘1’. (0 1 = 1)• ‘1’ XOR’ed with ‘0’ results in a ‘1’. (1 0 = 1)• ‘1’ XOR’ed with ‘1’ results in a ‘0’. (1 1 = 0)• If the two values are the same, you get “0”; if not, you get “1”• Process is reversible; if you XOR the ciphertext with the key
stream, you get the plaintext
01010111 01101001 01101011 01101001
11110011 11110011 11110011 11110011
= 10100100 10011010 10011000 10011010
10100100 10011010 10011000 10011010
11110011 11110011 11110011 11110011
= 01010111 01101001 01101011 01101001
Common Ciphers
• Book or running key cipher– Uses text in a book as the algorithm to decrypt a
message
– The key relies on two components:• Knowing which book to use• A list of codes representing the page number, line
number, and word number of the plaintext word
Symmetric Encryption
– Known as private key encryption
– Same key used to encrypt/decrypt the message
Symmetric Encryption Cryptosystem
• Data Encryption Standard (DES) – Based on the Data Encryption Algorithm which uses a
64-bit block size and a 56-bit key– Cracked in 1997– Triple DES (3DES) improved version
• Advanced Encryption Standard (AES)– Based on the Rinjndael Block Cipher
• Variable block length and a key length of either 128, 192, or 256 bits
Asymmetric encryption
Uses two different, but related keys Either key used to encrypt/decrypt message However, if Key A is used to encrypt the message, then
only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it
Most valuable when one of the keys is private and the other is public
Figure 10-12 Public key encryption
Source: Course Technology/Cengage Learning
Asymmetric encryption
Digital Signatures
– Asymmetric process is reversed The fact that the message was sent by the
organization that owns the private key cannot be refuted
This nonrepudiation is the foundation of digital signatures
• Based on:• Digital certificate• A certificate authority (CA)
Public key infrastructure (PKI)
• The entire set of hardware, software, and cryptosystems necessary to implement public key encryption
• PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities
Encryption Operations (cont’d.)
• PKI provides the following services– Authentication– Integrity– Confidentiality– Authorization– Nonrepudiation
Hybrid Systems
– Asymmetric encryption is typically employed in conjunction with symmetric key encryption, creating a hybrid system
– Diffie-Hellman key exchange method– asymmetric encryption is used to exchange
symmetric keys so that two organizations can conduct quick, efficient, secure communications based on symmetric encryption
– Diffie-Hellman provided the foundation for subsequent developments in public key encryption
Encryption Operations (cont’d.)
Figure 10-14 Hybrid encryption
Source: Course Technology/Cengage Learning
Using Cryptographic Controls
• Modern cryptosystems can generate unbreakable ciphertext
• Cryptographic controls used for:– e-mail and its attachments– e-commerce transactions– remote access through VPN connections
Email Cryptographic Controls
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• Privacy Enhanced Mail (PEM)
Email Cryptographic Controls
• Pretty Good Privacy (PGP)
– Uses the IDEA Cipher• A 128-bit symmetric key block encryption algorithm
with 64-bit blocks for message encoding
– Like PEM, it uses RSA for symmetric key exchange and to support digital signatures
Securing the Web
• IP Security (IPSec)– The primary and dominant cryptographic authentication
and encryption product of the IETF’s IP Protocol Security Working Group
– Combines several different cryptosystems: • Diffie-Hellman key exchange • Public key cryptography• Bulk encryption algorithms• Digital certificates
Securing the Web
• IPSec works in two modes of operation:– Transport
• Only the IP data is encrypted, not the IP headers themselves
• Allows intermediate nodes to read the source and destination addresses
– Tunnel• The entire IP packet is encrypted and inserted as the
payload in another IP packet– Often used to support a virtual private network
Securing the Web
• Secure Electronic Transactions (SET)– Encrypts credit card transfers with DES for encryption
and RSA for key exchange
• Secure Sockets Layer (SSL)– Uses RSA for key transfer
• On IDEA, DES, or 3DES for encrypted symmetric key-based data transfer
• HTTPS
www.amazon.com
Securing the Web - SSL
Securing the Web
• Secure Shell (SSH)– Provides security for remote access
connections over public networks by using tunneling, authentication services between a client and a server
– Used to secure replacement tools for terminal emulation, remote management, and file transfer applications
Hacking Cryptography
Known plaintext attack
Ciphertext-only attack
Replay attack
Managing Cryptographic Controls
• Don’t lose your keys• Know who you are communicating with• It may be illegal to use a specific encryption
technique when communicating to some nations• Every cryptosystem has weaknesses• Give access only to those with a business need• When placing trust into a certificate authority, ask
“Who watches the watchers?”
Managing Cryptographic Controls (cont’d.)
• There is no security in obscurity• Security protocols and the cryptosystems they use
are installed and configured by humans– They are only as good as their installers
• Make sure that your organization’s use of cryptography is based on well-constructed policy and supported with sound management procedures