Rothke Info Security Canada 2007 Final

Everything an Audit Professional needs to know

about encryption in 50 minutes

Session 2FBen Rothke, CISSP CISM

Security ConsultantBT INS

Thursday June 14, 200711:00 – 11:50AM

About me

• Ben Rothke, CISSP CISM• Security Consultant – BT INS• Previously with AXA, ThruPoint, Baltimore Technologies,

Ernst & Young, Citibank• Have worked in the information technology sector since

1988 and information security since 1994• Frequent writer and speaker• Author of Computer Security: 20 Things Every Employee

Should Know (McGraw-Hill 2006)

Full disclosure

This session is:• An introduction of the fundamentals of cryptography, encryption and digital signatures

This session is not:• A comprehensive overview about cryptography• Heavy mathematics and science of cryptography• Moral, legal, privacy, social and political issues

Key Points

• Need for cryptography has never been greater

– eroding levels of security and privacy that is occurring.

• Aspects of cryptography are indeed rocket science.

– Average person, who wants to utilize the security that cryptography provides, they can ignore the deep mathematics, and focus on the basics of what cryptography can provide them.

Topics to be discussed

• What and why’s of cryptography• Brief history of cryptography• Symmetric and asymmetric

cryptography• Keys and key sizes• Digital Signatures and

Certificates• Advanced Encryption Standard

What is cryptography?

• Cryptography is:– science of using mathematics to encrypt and decrypt

data– ensuring that communications are private

• Branch of cryptology dealing with the design of algorithms for encryption and decryption; used to ensure the secrecy and authenticity of data.

• Study of transforming information into a form that makes it unreadable to those without the appropriate permission to view it

• Derived from the Greek kryptos, meaning hidden.

Why is cryptography so important?

• Allows people to have the same level of trust and confidence that exists in the physical world with their data in the digital world.

• Enables interaction via e-mail, e-commerce, ATM machines, cell phones, etc.

• Continual increase of data transmitted electronically has lead to an increased need and reliance on cryptography.

• Until January 2000, the US Government considered strong cryptography to be an export-controlled munition, much like an M-16 or F-18.

Uses of cryptography

• Network and operating systems security– Logins, data encryption, file system encryption

• Private Internet, telephone communications • Electronic payments

– Secure web transactions, SSL, ATM

• Database security• Software protection

– Music, DRM, DVD

• Pay television• Confidential military communications

Four objectives of cryptography

1. Confidentiality – Data can’t be read by anyone for whom it wasn’t intended

2. Integrity – Data can’t be altered in storage or transit between sender and intended receiver without the alteration being detected.

3. Authentication - Sender and receiver can confirm each other’s identity

4. Non-repudiation – Inability to deny at a later time one’s involvement in a cryptographic process

Objectives of cryptography

Confidentiality Integrity

Authentication

Interception Modification

Fabrication

Are my communications private? Has my communication been altered?

Who am I dealing with?

History of cryptography

Usually dated from about 2000 BC, with Egyptian hieroglyphics.

– Consisted of complex pictograms, the full meaning of which was only known to an elite few.

First known use of a modern cipher was by Julius Caesar (100 BC - 44 BC)

– Caesar didn’t trust his messengers when communicating with his governors and officers.

– He created a system with each character replaced by a character three positions ahead of it in the Roman alphabet.

History of cryptography

• Benedict Arnold, Mary Queen of Scotts & Abraham Lincoln all used ciphers.

• Cryptography has long been a part of war, diplomacy and politics.

• Development and growth of cryptography in the last 20 years is directly tied to the development of the microprocessor– Cryptography is computationally intensive– Without the PC revolution & ubiquitous x86 processor,

there would have never been a vehicle where cryptography could have been economically and reasonably deployed.

PGP History• 1991 – v1.0 written by Phil Zimmerman ships. RSA files suit against

Zimmerman • 1992 – v2.0 ships. Bass-O-Matic replaced by IDEA• 1993 – FBI investigates Zimmerman for possible ITAR violations• 1994 – v2.4 – ViaCrypt starts commercial distribution• 1996 - PGP Inc. created. Legal case against Phil Zimmermann

dropped.• 1997 – v5.0 released by PGP Inc.• 1997 – PGP Inc. acquired by Network Associates• 1998 – v6.0 ships• 1999 – PGP, Inc. rolled out as separate division of NAI• 2000 – v7.0 ships• 2000 – RSA patents expired on September 20, 2000• 2000 - Bowing to intense pressure from Silicon Valley Clinton

administration eliminates most restrictions on the export of data-encryption technology

• 2001 – Phil Zimmerman leaves NAI for Hush Communications• 2002 - PGP Corp. buys back PGP products and intellectual property

from NAI• 2004 - PGP Desktop v.8.1 released• 2005 - PGP Desktop v.9.0 released (May 2007 – current version -

9.6)

History of cryptography

• The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet David Kahn

• The Code Book : The Science of Secrecy from Ancient Egypt to Quantum Cryptography - Simon Singh

• ICSA Guide to Cryptography - Randall Nichols

• Applied Cryptography - Bruce Schneier, CTO BT Counterpane

Everything You Need to Know

about Cryptography

Six fundamental cryptography terms

1. Encryption – Conversion of data into a pattern, called ciphertext, rendering it unreadable.

2. Decryption – Process of converting ciphertext data back into its original form, so it can be read.

3. Algorithm - formula used to transform the plaintext into ciphertext. Also called a cipher.

4. Key – Complex sequence of alpha-numeric characters, produced by the algorithm, that allows you to encrypt and decrypt data

5. Plaintext – Decrypted or unencrypted data6. Ciphtertext – Data that has been encrypted

RSA Factoring Challenge

PKCS

Discrete logarithms

Root CA

block cipher

One-time pad

Factoring methods

Covert channel

Blind signature schemechosen ciphertext attack

key escrow Pollard Rho method

discrete logarithmKerberos

CP & CPS

Capstone

meet-in-the-middle attack

linear cryptanalysis

Adaptive-chosen-ciphertext attach

Operationalpolicy and procedures

One-way function

tamper resistant

Exclusive-OR

multiple polynomial quadratic sievedifferential cryptanalysisDiffie-Hellman

key exchange

Iterated block cipher

Factoring methods

KeyManagement

General purpose factoring algorithm

CAPI

Dictionary attack

Random numbers

SKPI

Private exponentchosen plaintext attackElliptic curve discrete logarithm problem

NSA

General purpose factoring algorithm

Brute force attack

CRLSession keyPrime numbersQuantum cryptography

Fields and rings

Vector spaces and latticesBoolean expressions

Number field sieveProvably secure

Threshold cryptography

key recovery

Advanced cryptography terms(that you don’t need to know)

Modular arithmetic

Galois field

Goppa code

Random number

generation

Cryptographic tokens

X.509v3

ANSI X9.24

ICV

PRNG

ASN.1 FIPS EALBSAFE

IDEA

Paper based trust

• In a paper based society, we:– Write a letter and sign it– Have a witness verify that the signature is authentic– Put the letter in an envelope and seal it– Send it by certified mail

• This gives the recipient confidence that the:– Contents had not been read by anyone else– Contents of the envelope were intact– Letter came from the person who claimed to have sent it– Person who sent it could not easily deny having sent it

Paper vs. Electronic trust

Symmetric Cryptography

• Oldest form of cryptography• Single key is used both for

encryption and decryption

Symmetric Cryptography

Q4 sales well below forecast

“BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsY\s@!q3”

Q4 sales well below forecast

Same Key (Secret)

Encrypt Decrypt

22

Asymmetric (Public-Key Cryptography)

• Form of encryption based on the use of two mathematically related keys (the public key and the private key) such that one key cannot be derived from the other.– Public key encrypts data and verifies

digital signature– Private key decrypts data and digitally

signs a document

PKC concepts

• You publish your public key to the world while keeping your private key secret.

• Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met.

• No one can deduce the private key from the public key.

• Anyone who has a public key can encrypt information but cannot decrypt it.

• Only the person who has the corresponding private key can decrypt the information.

PKC Benefits

• Key management – Symmetric cryptography is essentially impossible

to provide effective key management for large networks.

• Allows people who have no preexisting security arrangement to exchange messages securely.

• Need for sender and receiver to share secret keys via a secure channel is eliminated– all communications involve only public keys– no private key is ever transmitted or shared.

PKC history

• 1976 - Conceptual ideas developed by Whitfield Diffie and Martin Hellman to solve two pressing key management problems:– You need a secure channel to set up a secure channel– How do you get the key to a recipient without

someone intercepting it?

• 1977 - First public-key cryptosystem designed by Ron Rivest, Adi Shamir & Len Adlelman (RSA) at MIT– British developed a PKC first; didn’t publicly

acknowledge it.

PKC Process

• When sending a message to someone, you encrypt the message with their public key.

• Each user has a publicly known encryption key and a corresponding private key known only to that user

• They receive it and decrypt it with their private key

27

Symmetric vs. Asymmetric

Secret-key (symmetric) encryption

Public-key (asymmetric) encryption

Public-key Cryptography

CFO to resign next week

“BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsY\s@!q3”

Encrypt Decrypt

CFO to resign next week

Public Key of recipient

Private Key of recipient

Portrait of a Public Key

The n2 Problem

• With symmetric cryptography, as the number of users increase, the number of keys required to provide secure communications among those users increases rapidly.

• For a group of n users, there needs to be 1/2 (n2 - n) keys for total communications

• As the number of parties increases (i.e., n becomes larger), the number of symmetric keys becomes unreasonably large for practical use.– This is known as the n2 Problem

The n2 Problem

Users 1/2 (n2 - n) Shared key pairsrequired

2 ½ (4 - 2) 1

3 ½ (9 – 3) 3

10 ½ (100 – 10) 45

100 ½ (10,000 – 100) 4,950

1000 ½ (1,000,000 –1,000)

499,500

Symmetric vs. Asymmetric

• From a security functionality perspective, symmetric cryptography is for the most part just as strong as asymmetric cryptography.– Symmetric is much quicker though

• Where asymmetric shines is in solving the key management issues.

• No key management issues?– No compelling need to use asymmetric

cryptography.

Keys & key sizes

• Key – A value that works with a cryptographic algorithm to produce a specific ciphertext

• Keys do not encrypt or decrypt data; the algorithm does that.

• Keys are huge numbers measured in bits– PGP key sizes range from 1024 to 4096 bits– Key size depends on the data you want to protect

and the hardware it is on (cell phone, PDA, server)• Too big a key, too time-consuming• Too small a key, too insecure

Keys & key sizes

• Symmetric and asymmetric key sizes are not equivalent– 80-bit symmetric == 1024-bit asymmetric– 128-bit symmetric == 3000-bit asymmetric

• Caveat: Key sizes are only one aspect of effective security

• Longer keys don’t always mean more security– Does a longer dead-bolt mean your house is more

secure?

• Can build a weak cryptographic system using huge keys.

How secure is good cryptography?

• If the underlying application software is configured correctly – very secure.

• Brute-force key search– IDEA uses 128-bit keys for 2128 possible

combinations.

• If a special purpose chip (FPGA) could perform one billion decryptions per second, and the server had a billion chips running in parallel, it would still require over 1012 years to try all of the possible keys, which is about a thousand times the age of the universe.

Cryptographic Algorithms

• An algorithm is a formula used to transform the plaintext into ciphertext

• Two types of algorithms:– Symmetric– Asymmetric

• Criteria:– Degree of security – Speed required– Hardware platform

Symmetric Algorithms

• Identical keys used for encryption and decryption

• Examples:– DES, Triple-DES, AES, IDEA, Blowfish,

CAST, MARS, Twofish, Rijndael, RC2, RC4, RC6, A5, A5/1, Serpent, Skipjack, DEAL, SAFER

DES

• Most popular crypto standard ever– Still used worldwide in myriad different scenarios

• Data Encryption Standard– Uses DEA (Data Encryption Algorithm)

• Developed by IBM in 1975 and adopted by NIST in 1977

• Key size 56-bits = 256 possible keys or 72,057,594,037,927,936 keys

• 256 possible keys was a enormous amount in 1977

• By 1997, an attack against all 256 possible keys was easily possible and carried out.

Asymmetric Algorithms

• Different keys used for encryption & decryption

• Examples:– RSA, DSA, Diffie-Hellman, ElGamal,

Elliptic curve

• Private-key and Public-key• Keys are directly related

Digital Signatures & Certificates

• Digital Certificate - An electronic credential– Used to authenticate the identity of the message sender

or the signer of a document– Ensures that the original content of the message or

document has not be altered.– Shows that the contents of the information signed has

not been modified.– Value determined by issuing certificate authority

• Digital Signature – binding of a private key to a message.

Digital Signatures & Certificates

42

What’s in the digital certificate?

• User’s name• Public key of the user

– Required so that others can verify the user’s digital signature

• Validity period (lifetime) of the certificate– Start & end date

• Approved operations– For which the public key is to be used

(whether for encrypting data, verifying digital signatures, or both)

Advanced Encryption Standard (AES)

• AES is a Federal Information Processing Standard (FIPS) that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.

• Replaces DES, which is now obsolete.

• Will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government and outside of the U.S.

AES technical details

• Key sizes: 128, 192 and 256 bits•Possible 128-bit keys - 340 undecillion

•Possible 192-bit keys - 6.2 octodecillion

•Possible 256-bit keys - Almost a googol

• By comparison, DES keys are 56 bits long, which means there are 256 possible DES keys.– There are 1021 times more AES 128-bit

keys than DES 56-bit keys.

PGP (Pretty Good Privacy)

• Software package that provides strong cryptographic functionality– e-mail, file, disk

• Originally developed as freeware, PGP has since become the de facto standard for e-mail security– Has made cryptography accessible for

everyone• Commercial www.pgp.com/products/index.html

• Source codewww.pgp.com/products/sourcecode.html

Using PGP

• Create your key• Encrypt/Decrypt file• Sign/Verify message

PGP keyring of public keys

PGP encryption/decryption

Digital signing

Digital signature verification

Additional References

For further information

Bruce Schneier – Why Cryptography Is Harder Than It Looks

• www.schneier.com/essay-037.html – Security Pitfalls in Cryptography

• www.schneier.com/essay-028.html– Secrets and Lies : Digital Security in a Networked World – Applied Cryptography: Protocols, Algorithms, and

Source Code

RSA Cryptography FAQ– www.rsa.com/rsalabs/node.asp?id=2152

Information Security Magazine– http://infosecuritymag.techtarget.com

For further information

Steven Levy– Crypto : How the Code Rebels Beat the

Government -- Saving Privacy in the Digital Age

Simon Singh– The Code Book : The Science of Secrecy from

Ancient Egypt to Quantum Cryptography

H. X. Mel & Doris Baker– Cryptography Decrypted: A Pictorial

Introduction to Digital Security

Chey Cobb– Cryptography for Dummies

Conclusions

Conclusions

• With Google, spyware, leaky Internet protocols and myriad other threats to security and privacy, cryptography has never been more important.

• While the hidden engine of cryptography uses Ph.d level mathematics, as an end-user, you are shielded from such complexity.

• By knowing what you need to secure, and how to do it, you can use cryptography to the fullest, without needing a Ph.d in applied mathematics.

Thanks for attending

Any questions? comments?

Please fill out your evaluation sheets

Ben Rothke CISSP CISMSecurity ConsultantNY Metro | BT INS

[email protected]