Guide to Firewalls and VPNs, 3rd Edition, Chapter Nine: Encryption - The Foundation for the Virtual Private Network

Ch09 Encryption

Sep 29, 2015


Pumaruna

Guide to Firewalls and VPNs, 3rd Edition.
Michael E. Whitman
Herbert J. Mattord
Transcript
  • Guide to Firewalls and VPNs, 3rd Edition, Chapter Nine: Encryption - The Foundation for the Virtual Private Network

    Overview
      • Describe the role encryption plays in firewall and VPN architectures
      • Explain how digital certificates work and why they are important security tools
      • Analyze the workings of SSL, PGP, and other popular encryption schemes
      • Discuss Internet Protocol Security (IPSec) and identify its protocols and modes

    Introduction
      • Firewalls can be equipped to serve as Virtual Private Network (VPN) endpoints
      • Encryption
          • Integral part of VPNs
          • Enables the firewall to determine whether the user who wants to connect to the VPN is actually authorized to do so
          • Encodes the payload of the information to maintain privacy

    Encryption Overview
      • Encryption
          • Process that turns information that is plainly readable (plaintext) into scrambled form (ciphertext)
      • Added to firewall and VPN products to provide protection against:
          • Passive attacks: sniffing
              • Loss of confidentiality
          • Active attacks: session hijacking
              • Loss of integrity

    Encryption Overview (contd.)
      [Figure 9-1: Unencrypted Packet. © Cengage Learning 2012]

    Encryption Overview (contd.)
      [Figure 9-2: Encrypted Packet. © Cengage Learning 2012]

    Encryption Overview (contd.)
      • Figure 9-2
          • Packet integrity and confidentiality are maintained
      • Security statistics
          • Laptop is stolen every 12 seconds
          • Over 2.6 million laptops stolen per year
          • 42 percent of surveyed companies suffered laptop or mobile device theft
          • Average loss of over $234,000 per incident
          • Another source says $49,000 (link Ch 9a)

    Principles of Cryptography
      • Encryption
          • Converting a message into a form that cannot be read by unauthorized individuals
      • Cryptology encompasses two disciplines
          • Cryptography
              • Encoding and decoding messages so that others cannot understand them
          • Cryptanalysis
              • Deciphering the original message from an encrypted message without knowing the algorithms and keys used to perform the encryption

    Encryption Definitions
      • Algorithm: Mathematical formula or method used to convert an unencrypted message into an encrypted message
      • Cipher: Transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components
      • Ciphertext or cryptogram: Encrypted or encoded message resulting from an encryption

    Encryption Definitions (contd.)
      • Cryptosystem: Set of transformations necessary to convert an unencrypted message into an encrypted message
      • Decipher: Decrypt or convert ciphertext to plaintext
      • Encipher: Encrypt or convert plaintext to ciphertext
      • Key or cryptovariable: Information used in conjunction with the algorithm to create the ciphertext from the plaintext

    Encryption Definitions (contd.)
      • Keyspace: Entire range of values that can possibly be used to construct an individual key
      • Plaintext: Original unencrypted message or the results from successful decryption
      • Work factor: Amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message

    Cryptographic Notation (contd.)
      • General methods: stream or block ciphers
      • Stream
          • Each plaintext bit is transformed into a cipher bit, one after the other
      • Block
          • Message is divided into blocks
          • Each block is transformed using the algorithm and key

    Common Encryption Operations
      • Substitution
          • A -> D; B -> E
      • Transposition
          • APPLE -> PALEP
      • XOR (Exclusive OR)

            1100101   XORed with
            1001010
            -------
            0101111

    Common Ciphers
      • Substitution cipher
          • Substitute one value for another
      • Monoalphabetic substitution
          • Uses only one alphabet
      • Polyalphabetic substitutions
          • More advanced substitution ciphers
          • Use two or more alphabets

    Common Ciphers (contd.)
      • Transposition cipher
          • Rearranges the values within a block to create the ciphertext
      • Transposition ciphers and substitution ciphers
          • Used in multiple combinations to create a very secure encryption process

    Common Ciphers (contd.)
      • XOR cipher conversion
          • Bit stream is subjected to a Boolean XOR function against some other data stream
          • Process is reversible

    Vernam Cipher (One-Time Pad)
      • Developed at AT&T
      • Uses a set of characters for encryption operations only one time and then discards it
      • Unbreakable: there is no pattern in the output
      • No way to crack it without stealing the one-time pad

    Encryption Operations: Vernam Cipher (contd.)
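The XOR and Vernam slides above, worked through as an added example (not from the textbook or the slide deck): a pad that is consumed as it is used, plus the reason the "only one time" rule matters. The class name, the sample message and the pad length are assumptions made for the illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material that is consumed as it is used and never handed out twice."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)

    def _take(self, n: int) -> bytes:
        if n > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[:n])
        del self._pad[:n]  # discard the used portion after a single use
        return chunk

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt; XOR is its own inverse, so one method does both."""
        return xor_bytes(data, self._take(len(data)))


def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """What an eavesdropper holds if one pad encrypts two messages:
    c1 XOR c2 equals p1 XOR p2, because the pad cancels out."""
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return xor_bytes(c1, c2)


# The bit pattern from the "Common Encryption Operations" slide.
SLIDE_XOR = format(0b1100101 ^ 0b1001010, "07b")


def round_trip(message: bytes) -> bytes:
    """Sender and receiver hold identical copies of a constructed random pad."""
    pad = secrets.token_bytes(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    return receiver.apply(sender.apply(message))


if __name__ == "__main__":
    print(SLIDE_XOR)
    print(round_trip(b"MEET AT THE VPN GATE"))  # constructed sample plaintext
```

The guarantee on the slide holds only while the pad is truly random, as long as the message, and never reused; `reuse_leak` shows what is exposed when the last condition fails.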

    Book Code
      • Uses text in a book as the algorithm to decrypt a message
      • Relies on:
          • Knowing which book to use
          • Having a list of codes representing the page number, line number, and word number of the plaintext word
      • Sample message: 67,3,1;145,9,4;375,7,4;394,17,3
      • Using dictionaries
          • Necessary to use only a page and word number

    Symmetric Encryption
      • Secret key
          • Used to both encipher and decipher the message
      • Known as private key encryption, or symmetric encryption
      • If either copy of the key becomes compromised
          • An intermediary can decrypt and read the messages
      • Popular symmetric encryption cryptosystems:
          • Data Encryption Standard (DES)
              • 56-bit key
              • Cracked in 1997

    Encryption Operations: Symmetric Encryption (contd.)
      [Figure 9-3: Symmetric Encryption. © Cengage Learning 2012]

    Encryption Operations: Symmetric Encryption (contd.)
      • Triple DES (3DES)
          • Improvement to DES
          • Uses as many as three keys in succession
          • Performs three different encryption operations
          • Employs 48 rounds in its encryption computation
          • Effective strength: 112 bits
          • Requires only three times longer to process

    Encryption Operations: Symmetric Encryption (contd.)
      • Advanced Encryption Standard (AES)
          • Rijndael block cipher features a variable block length and a key length of either 128, 192, or 256 bits
          • Four steps within each Rijndael round

    Animation of AES Algorithm
      • Link Ch 9b

    Asymmetric Encryption
      • Public key encryption
          • Uses two different keys for encryption and decryption
          • Most valuable when one of the keys is private and the other is public
      • Requires four keys to hold a single conversation between two parties
      • Not as efficient in its use of CPU resources as symmetric encryption
          • Because of the extensive mathematical calculations

    Encryption Operations: Asymmetric Encryption (contd.)
      [Figure 9-4: Asymmetric (Public Key) Encryption. © Cengage Learning 2012]

    Encryption Operations: Digital Signatures
      • Asymmetric process is reversed
          • Private key encrypts a message
          • Public key decrypts it
          • Proves message was sent by the organization that owns the private key
      • Digital signatures
          • Encrypted messages that can be independently verified by a central facility (registry) as authentic
          • Can also be used to prove certain characteristics of the message or file with which they are associated

    Encryption Operations: Digital Signatures (contd.)
      • Often used in Internet software updates
      • Digital certificate
          • Similar to a digital signature
          • Asserts that a public key is associated with a particular identity
      • Certificate authority (CA)
          • Agency that manages the issuance of certificates
          • Serves as the electronic notary public to verify their origin and integrity

    Encryption Operations: RSA
      • Rivest-Shamir-Adleman (RSA)
          • Has been integrated into both Microsoft Internet Explorer and Netscape Navigator
      • Extensions to the RSA algorithm
          • RSA Encryption Scheme: Optimal Asymmetric Encryption Padding (RSAES-OAEP)
          • RSA Signature Scheme with Appendix: Probabilistic Signature Scheme (RSASSA-PSS)

    Encryption Operations: Public Key Infrastructure
      • Public key infrastructure (PKI)
          • Entire set of hardware, software, and cryptosystems necessary to implement public key encryption
      • Common implementations of PKI include
          • Systems to issue digital certificates to users and servers
          • Encryption enrollment
          • Key-issuing systems
          • Tools for managing the key issuance

    Encryption Operations: Public Key Infrastructure (contd.)
      • Verification and return of certificates
      • Key revocation services
      • Other services associated with PKI that vendors bundle into their products

    Encryption Operations: Public Key Infrastructure (contd.)
      • PKI can increase an organization's capability to protect its information assets by providing
          • Authentication
          • Integrity
          • Confidentiality
          • Authorization
          • Nonrepudiation

    Encryption Operations: Hybrid Systems
      • Asymmetric encryption used to exchange a symmetric key
      • Two organizations can conduct quick, efficient, secure communications
          • Based on symmetric encryption
      • Illustrated in Figure 9-6

    Encryption Operations: Hybrid Systems (contd.)
      [Figure 9-6: Hybrid Encryption. © Cengage Learning 2012]

    Using Cryptographic Controls
      • Organizations can use cryptographic controls to support
          • Confidentiality and integrity of e-mail and its attachments
          • Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions
          • Authentication and confidentiality of remote access through VPN connections
          • A higher standard of authentication when used to supplement access control systems

    E-Mail Security
      • Secure/Multipurpose Internet Mail Extensions (S/MIME)
          • Builds on the Multipurpose Internet Mail Extensions (MIME) encode format by adding encryption and authentication via digital signatures based on public key cryptosystems
      • Privacy Enhanced Mail (PEM)
          • Proposed by the Internet Engineering Task Force (IETF) as a standard for public key cryptosystems

    E-Mail Security
      • Uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures
      • Pretty Good Privacy (PGP)
          • Uses the IDEA cipher
          • Uses a "Web of Trust" instead of Certificate Authorities

    Securing the Web
      • Secure Electronic Transactions (SET)
          • Developed by MasterCard and VISA
          • Provides protection from electronic payment fraud
          • Works by encrypting the credit card transfers with DES for encryption and RSA for key exchange
      • Secure Sockets Layer (SSL)
          • Provides security for online electronic commerce transactions
          • Has largely been replaced by TLS (Transport Layer Security)
          • Many people still refer to it as SSL

    Securing the Web (contd.)
      • Hypertext Transfer Protocol over SSL (HTTPS)
          • Encrypted solution to the unsecured version of HTTP
          • Provides secure e-commerce transactions as well as encrypted Web pages for secure data transfer over the Web
      • Secure Shell (SSH)
          • Extension to the TCP/IP protocol suite
          • Provides security for remote access connections over public networks by creating a secure and persistent connection

    BEAST Attack
      • Exploits a weakness in cipher-block chaining
      • Can break into an SSL connection without the key
      • Most browsers have been patched now
      • Link Ch 9c

    Securing the Web (contd.)
      • IP Security (IPSec)
          • Predominant cryptographic authentication and encryption protocol suite in use today
          • Combines:
              • Diffie-Hellman key exchange
              • Public key cryptography
              • Bulk encryption algorithms
              • Digital certificates

    Securing the Web (contd.)
      • IPSec components
          • IP Security protocol itself
          • Internet Key Exchange (IKE)
      • IPSec modes:
          • Transport mode
              • Only the IP data is encrypted
          • Tunnel mode
              • Entire IP packet is encrypted and inserted as the payload in another IP packet

    Securing the Web (contd.)
      • Virtual private network (VPN)
          • Private, secure network
          • Operated over a public and insecure network
          • Keeps the contents of the network messages hidden from observers

    Securing Authentication
      • Kerberos
          • Uses symmetric key encryption to validate an individual user's access
          • Consists of:
              • Authentication Server (AS)
              • Key Distribution Center (KDC)
              • Kerberos Ticket Granting Service (TGS)

    Attacks on Cryptosystems
      • Frequency Analysis (incorrectly called "brute force" on page 277)
          • Ciphertext is repeatedly searched for clues that can lead to the algorithm's structure
      • Known as ciphertext attacks
          • Involve searching for a common text structure, wording, or syntax in the encrypted message
      • Known-plaintext attack
          • Helps to reverse-engineer the encryption algorithm

    Brute Force Attack (not in textbook)
      • Simply try every possible key
      • 56-bit and 64-bit keys have been brute-forced
      • A 72-bit key is being brute-forced, and is expected to be cracked within 90 years
      • Ch 9f

    Attacks on Cryptosystems (contd.)
      • Selected-plaintext attack
          • Sending the potential victim a specific text that gets forwarded to others
      • Attacks on cryptosystems
          • Man-in-the-middle
          • Correlation
          • Dictionary
          • Timing

    Man-in-the-Middle
      • Intercept the transmission of a public key
      • Can be prevented by establishing public keys with digital signatures
          • Trusted third party
          • Attacker cannot duplicate the signatures

    Correlation Attacks
      • Collections of brute-force methods
          • Attempt to deduce statistical relationships between the structure of the unknown key and the ciphertext
      • Defense against this kind of attack
          • Selection of strong cryptosystems that have stood the test of time
          • Thorough key management
          • Strict adherence to the best practices of cryptography in the frequency of changing keys

    Dictionary Attacks
      • Attacker encrypts every word in a dictionary using the same cryptosystem used by the target
      • Attempt to locate a match between the target ciphertext and the list of encrypted words from the same cryptosystem
      • Windows does not salt password hashes and is therefore vulnerable to dictionary attacks
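Why salting matters for the dictionary-attack slide above, as an added example (not from the textbook or the slide deck). SHA-256 stands in for an unsalted password hash and PBKDF2 with a per-account salt is one common mitigation; the user names, passwords, word list and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Same password always yields the same digest (SHA-256 as a stand-in)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Fresh random salt per account, then a deliberately slow derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def matched_by_table(store: dict[str, str], words: list[str]) -> dict[str, str]:
    """Audit helper: accounts whose stored hash appears in a table that was
    computed once from a word list and is reusable against every account."""
    table = {unsalted_hash(w): w for w in words}
    return {user: table[h] for user, h in store.items() if h in table}


# Constructed sample data: two users picked the same weak password.
WORDS = ["password", "letmein", "winter2015"]
USERS = {"alice": "winter2015", "bob": "winter2015", "carol": "x9!Lq#72vTz"}

UNSALTED_STORE = {u: unsalted_hash(p) for u, p in USERS.items()}
SALTED_STORE = {u: salted_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    # Identical unsalted hashes reveal shared passwords at a glance.
    print(UNSALTED_STORE["alice"] == UNSALTED_STORE["bob"])
    print(matched_by_table(UNSALTED_STORE, WORDS))
    # With salts, equal passwords store differently and the table is useless.
    print(SALTED_STORE["alice"][1] == SALTED_STORE["bob"][1])
```

With a salt, each candidate word has to be re-derived per account at the full iteration cost, so one precomputed table no longer covers the whole store.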

    Timing Attacks
      • Attacker eavesdrops during a victim's session
          • Uses statistical analysis of the user's typing patterns and inter-keystroke timings to discern sensitive session information
      • It can also use timing of the encryption process itself to deduce information about the key

    Replay Attack
      • Replay encrypted packets without decrypting them
      • Effective against SMB authentication (Windows file shares)
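One standard defense against the replay described above, as an added example (not from the textbook or the slide deck): each packet carries an authenticated sequence number and the receiver keeps a sliding window of numbers already accepted, the same idea IPSec uses for anti-replay. The packet layout, the 64-entry window and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output size
WINDOW = 64    # assumed number of recent sequence numbers tracked


def seal(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Packet = 8-byte sequence number || opaque ciphertext || HMAC over both."""
    body = struct.pack(">Q", seq) + ciphertext
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap: bit i set means (highest - i) was accepted

    def accept(self, packet: bytes) -> bool:
        if len(packet) < 8 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or altered packet
        (seq,) = struct.unpack(">Q", body[:8])
        if seq > self.highest:                # new packet: slide the window
            shift = seq - self.highest
            if shift >= WINDOW:
                self.seen = 1
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return False                      # too old, or an exact replay
        self.seen |= 1 << offset              # late but not yet seen
        return True


if __name__ == "__main__":
    key = b"k" * 32                           # constructed sample key
    rx = Receiver(key)
    pkt = seal(key, 1, b"\x8f\x02\xa7")       # constructed opaque ciphertext
    print(rx.accept(pkt), rx.accept(pkt))     # first copy accepted, replay dropped
```

The replayed packet is byte-for-byte valid, which is why the check has to remember what was already accepted rather than rely on the encryption alone.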

    Defending from Attacks
      • Encryption
          • Process of hiding the true meaning of information
      • Sophisticated encryption and cryptosystems
          • Have the same flaw that the first systems contained thousands of years ago
          • If you discover the key, you can determine the message
