“ “ More damage could be done by a More damage could be done by a mouse click than a bomb” mouse click than a bomb” ………… ………… . Are . Are we we really really prepared ?? prepared ?? Cryptography
Cryptography & Digital certificate
Jan 28, 2015
Just a brief intro for beginners.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
““More damage could be done by a mouse More damage could be done by a mouse click than a bomb”click than a bomb” ………… …………. Are we . Are we reallyreally prepared ??prepared ??
Cryptography
Why Encryption needed ?Why Encryption needed ?How Does Cyber Security Differs From conventional How Does Cyber Security Differs From conventional
security?security?• The parties to the transaction cannot be certain of
each other’s identities– Email addresses can be spoofed
• They cannot be sure that the messages between them have not been intercepted by third parties – Confidentiality(privacy) of the transaction (read by outsiders)– Integrity of the transaction (changed by outsiders)
• How do we achieve unequivocal agreement?– Both parties have the authority to do the transaction– Assurance that neither side can later repudiate the transaction– How do the parties sign their acceptance of the deal?
• Do we have adequate evidence to the transaction?
Pillars of reliable e- SecurityPillars of reliable e- Security
Security Infrastructure
Security Policies
Au
then
ticati
on
Pri
vacy
Au
thori
zati
on In
teg
rity
of
Data
N
on
-R
ep
ud
iati
on
Reliablee-
Transaction/ e-Business
Technology
Management
A PAIN ….Authentication
• be sure you know who you are communicating with
Privacy (Confidentiality)• keep secrets secret
Authorization(Access Control)• ensure users do not exceed their allowed authority
Integrity (of the Data)• be sure nothing is changed behind your back
Non-Repudiation• have the evidence in the event of a dispute
Pillars of reliable e- SecurityPillars of reliable e- Security
Cryptography Principles• The science of scrambling a message so that only authorized parties can read
it
• Process must be reversible
– Hiding is called encryption
– Retrieving the hidden message is decryption
• Converts the original message (“plaintext”) into a scrambled message (“cipher text”)
CONSEQUENCES OF WEAK ENCRYPTION ….
• World War I, Russian Army at Tannenberg
– Two Russian armies couldn’t communicate securely
– Germans could read their communications and attack them separately
– Result: defeat!
• Allied cracked German Enigma Cipher machine in World War 2
– Montgomery (Monty) often read Rommel’s (Desert Fox) orders before he did
– Result: tide turned in North Africa
• U.S. Navy cryptographers cracked Japanese convoy codes (“Purple”)WW2
– U.S. subs could destroy Japanese submarine ships
– Surprise attack on Midway Pacific Island
• Germans also cracked Allied codes
– U-boats were devastated in the Atlantic
Cosmetic Encryption ??
Ancient Encryption Techniques
A. Secret/Symmetric Key CryptographyUses a secret key known to both parties (“symmetric”)
1) Caesar Cipher : (Skip 2 letters) A Þ D, B Þ E, etc.- Easy to “crack” by elementary cryptanalyst
2) Mono-Alphabetic Substitution: A long sequence of key consisting of 26 alphabets. Alphabets : a b c d e f … k t .. z Key : Q W E R A B S N C
eg: Plain Text a t t a c k Cipher Text Q N N Q E S
English Letter Frequencies
• Symmetric/Secret Key Cryptography(Modern)
– DES (Data Encryption Standard)
– Triple DES
– AES (Advanced Encryption Standard)
– SkipJack
– RC2, RC4, RC5, RC6(Rivest Ciphers)
• Asymmetric Cryptography
-Public Private Key Pairs Cryptography
Encryption Techniques Encryption Techniques (Modern)(Modern)
Common Symmetric Key Algorithms Algorithm Supporter Length Availability Comments
DES NSA, NIST, 40 & 56 bits Public Domain Most widely used; ANSI now too weak
Triple-DES - same - 80 & 112 bits Public Domain Stronger variant of DES
Skipjack NSA 80 bits Recently Planned for the declassified US Govt’s Clipper
RC2, RC4 RSA variable Proprietary Very strong;
Websites: rsasecurity.com, nsa.com, nist.comNSA: Netwk Security AgencyNIST: National Institute of Standarad & TechnologyANSI: American National Standards Institute.SHA: Secure Hash AlgoNSI :Netwk Solutions Incorporation
Symmetric/Secret Cryptography System
EncryptEncrypt
Symmetric key Symmetric key (shared secret,(shared secret,known to A & B)known to A & B)
DecryptDecrypt
CiphertextCiphertext
aN!3q*nB5+aN!3q*nB5+
C=E(M, K)C=E(M, K)
C = Cipher textM = Message (plaintext)K = Secret KeyE = Encryption function
AliceAlice
PlaintextPlaintext
Hi BobAliceHi BobAlice
!!??!!??
EavesdropperEavesdropper
M=D(C, K)M=D(C, K)
D = Decryption function
BobBob
PlaintextPlaintext
Hi BobAlice
Strength OF Symmetric Key Encryption Method ?
• Strength of encryption = difficulty of cracking
• Length of key (Modern Symmetric Key Encryption uses 128, 256, 1024 bits as key)
• Strength of the mathematical algorithm (Modern method uses Hash function)
Cracking Symmetric Key EncryptionCracking Symmetric Key Encryption
Brute Force = Exhaustive search, trying all possible keys, starts at 0000…..1, etc.
• Successful attacks are now possible by using thousands of networked computers linked
on the Internet
Digital signatures vs Digital certificate
Digital certificate is a form of an electronic credential for the Internet.
Similar to a driver's license, employee ID card, a Digital certificate is issued
by a trusted third party to establish the identity of the certificate holder. The
third party who issues the Digital Certificate is known as the Certifying
Authority (CA).
Digital signatures are electronically generated and can be used
to ensure the integrity and authenticity of some data, such as an e-
mail message and protect against non-repudiation
Key Size No of Possible Keys Crack Time(*)
40 bits 1 x 1012 (1 trillion) 2 hours
56 7 x 1016 20 hrs (12/98)
64 2 x 1019 9 years
112 5 x 1033 1015 years
128 3 x 1038 1019 years
256 1 x 1077 1058 years
* Time required for a “brute force” attack, using a hypothetical special-purpose, “cracking” computer
Strength of Symmetric Key EncryptionStrength of Symmetric Key Encryption
Quote
“The problem with bad cryptography is that
it looks just like good cryptography”
- Bruce Schneider
2) Asymmetric Key Encryption: [Public-Private key pairs]
• No shared secret
• Bob has two complimentary keys
• What one key encrypts, only the other key can decrypt
• Bob keeps one key private (Private Key).
• Bob shares the other key (Public Key).
Asymmetric Key Encryption: Public-Private key pairs
Scenario 1
If Alice needs to send Bob a message:- Alice encrypts message with Bob’s public key, - Bob decrypts message with his private keyProblem:
• How would Bob ensure that the message has been sent by Alice? How would Bob ensure that the message has been sent by Alice?
• Anybody can encrypt the message using Bob’s public key as this key is publicly available. Anybody can encrypt the message using Bob’s public key as this key is publicly available.
[[Alice’s key not used at all]Alice’s key not used at all]
CiphertextCiphertext
B's public keyB's public key B's private keyB's private key
DecryptDecrypt BobBob
#d%G*!ki4i
EncryptEncrypt
PlaintextPlaintext
AliceAlice
Hi BobAlice
Hi BobAlice
Public-Private key pairs:
Scenario 2:
•Alice encrypts message with her private key & sends to Bob. Identity attached
•Bob is confirm that the message is from Alice. The message is authentic.
•Message is not confidential as anybody can decrypt it using Alice’s public key.
Problem: Bob’s key not used at allBob’s key not used at all
Putting It All Together
Let’s put Encryption and Authentication together
PROPERTIES OF A MESSAGE DIGEST (MD)/ HASH FUNCTION
• Properties of MD (or hash) functions :– Short output: reduces a message to a fixed length, say 16 to 20
characters– One way: impractical to determine a message from its hash– Unique: impractical to find 2 messages with the same hash– Sensitive: checksum changes if one bit changes or one bit is added to or
removed from the message
Hash Algo: MD-5(128 bits), SHA1(160bits)
• An MD is like a fingerprint– Less information than the original (me)– Unique to me– Unlikely to find 2 individuals with identical fingerprints– Given the fingerprint, can’t reconstruct the person
DIGITAL SIGNATURE WITH A MESSAGE DIGEST
PlaintextAliceAlice
Hi BobAliceHi BobAlice
PlaintextBobBob
Hi BobAliceHi BobAlice
=?=?
Hi BobAliceHi BobAlice
A's public key
1764890238
1764890238
5. Alice’s 5. Alice’s Message Message DigestDigest
5. Alice’s 5. Alice’s Message Message DigestDigest
Encrypted MD(“signature”)Encrypted MD(“signature”)
Unencrypted message
A’s private key
DigestDigest
1. Message Digest1. Message Digest
17648902381764890238
MD
17648902381764890238
MD3. Compute
the MD
DigitallySign
2.Sign it (Encryptthe MD)
Decrypt
Alice’sMD
Decrypt
Alice’sMD
4.
Certifying Authorities• Certifying Authority is a trusted third party
– similar to Passport Office
• Certifying Authorities issue digital certificates. Controller of Certifying Authority is the custodian of the following repositories:
-National Repository of Digital Certificates
-Certificate Revocation List
• A certificate contains the following:– Bob’s public key, Bob’s name, address, other info
– Expiration date & serial number
– The certificate authority’s name, etc.
• A digital certificate is “signed” with the Certifying Authority’s private key, to ensure authenticity
• Everyone has CA’s public key
Basic Certificate Contents as per International Standard ITU-T X.509 v3
VersionSerial number
Signature algorithm Issuer name
Validity periodSubject name
Subject public key
Identifies certificate formatIdentifies this certificate
Algorithmused to signcertificate
Name ofcertification
authority
Start dateand
end date
Public key value andindicator of its algorithm
Identifies the ownerof the key pairEnsures cert. dataEnsures cert. data
can’t be changedcan’t be changedEnsures cert. dataEnsures cert. datacan’t be changedcan’t be changed
VERISIGN CERTIFICATE CLASSES
11ClassClass
• email address, charges Rs 500/-
• Real name, real address, locale, email address• Verified using a “trusted” database (credentials like ration card, passport
ClassClass
22
• Real name, real address, locale, email address• Verified using “trusted” database• Verified in person, with notarization
ClassClass
33
https://www.ncodesolutions.com/certificates.asp
CAs licensed under the Govt. of India IT Act, 2000 (www.cca.gov.in)
•Controller of CAs
•IDRBT CA(Instt for Dev & Research in Banking Tech., IT Tech Arm of RBI)
•TCS Certifying Authority (CA) Services
•National Informatics Center CA
•SafeScrypt
•MTNL
•Customs & Central Excise
•GNFC (n)Code Solutions Ltd., (A division of Gujarat Narmada Valley Fertilizers Company Ltd.)
Countermeasures
Some of the measures that the Government has decided to take up to
counterattack Cyber Terrorism are:
• Establishment of National Level Cyber Emergency Response Units
• Conducting Security Training & Awareness Programs
• Developing Indigenous Security Software
• Deploying of Cyber Cops or Cyber Cells to keep a track of various
online activities
• Deployment of PKI Infrastructure
Tools:
1. Wondercrypt: A PKI Solution (wondercrypt.com)
2. PGP (Pretty Good Privacy)
Resources:WikipediaWebopediaSecurity freshZdnet
D3pak KumarD3pak KumarIT security & Forensic Consultant@D3pakFb/[email protected]
“BE THE CHANGE YOU WISH TO SEE IN THIS WORLD”
- Mahatma Gandhi
Related Documents
