Security fundamentals Topic 4 Encryption

Security fundamentals Topic 4 Encryption. Agenda Using encryption Cryptography Symmetric encryption Hash functions Public key encryption Applying cryptography.

Jan 21, 2016


Security fundamentals

Topic 4 Encryption


Agenda

• Using encryption
• Cryptography
• Symmetric encryption
• Hash functions
• Public key encryption
• Applying cryptography


Cryptography

• Means ‘secret writing’
  – Taking plaintext and encrypting it into ciphertext
  – Ensure confidentiality and integrity
  – Store confidential data
  – Authenticate users
  – Protect passwords
  – Ensure identity


Uses of cryptography

• Confidentiality
  – Only authorised people can access data
• Data Integrity
  – Unauthorised modifications to the data are detected (protection from man-in-the-middle attacks)
• Authentication
  – Data originates from the legitimate source/destination
• Non-repudiation
  – Ensures a user cannot deny performing a task or sending data (cannot refute signing a contract)
• Anti-replay protection
  – Prevents a message being intercepted and replayed (re-sent) at a later time


Algorithms and keys

• Algorithm: A mathematical formula that is applied to data to convert plaintext to ciphertext or ciphertext to plaintext. C = f(M)
• Weakness: If the algorithm is not secret it can be used to decrypt any message
• Key: A key varies the function of the algorithm
• The strength of the encryption is in the key, not the algorithm
• If the key is discovered, only the messages encrypted with that key are compromised


Strength of cryptographic methods

• How difficult is it for unauthorised people to reconstruct the plaintext from ciphertext?
• The strongest algorithms are those that have been made publicly available for cryptographers to try to break
• Good cryptography creates ciphertext that appears to be entirely random
• It can only be broken by discovery of the key (theft or social engineering) or by brute force: trying every possible combination
• Increase the strength of encryption by increasing the key length, complexity and/or changing the key frequently
• 64 bit key length = 12000 years to brute force
• Encryption is strong enough when it becomes impractical for an attacker to carry out a brute force attack


Making encryption secure

• Increase the key length
• Keys should be chosen at random and not be predictable
• Change keys where appropriate
• Some governments (USA) restrict the use and import/export of encryption technologies


Symmetric encryption

• Uses the same key for encrypting and decrypting data

• Uses a shared secret


Uses of symmetric encryption

• Primary use is to provide confidentiality (not data integrity, authentication, non-repudiation or anti-replay protection)
• Anyone who possesses the key can decrypt the message
• Symmetric encryption works well to provide confidentiality where the key can easily be kept secret; it does not work well where the key has to be distributed to many others
• Number of keys required: n(n-1)/2 (10 people will require 45 keys)
• If many people share a single key there is a greater probability that the key will not be kept secret


Advantages of symmetric encryption

• Easy to use
• Encryption/decryption is fast
• Used when the confidentiality of the key can be easily managed and large amounts of data need to be encrypted


Symmetric encryption algorithms

• DES: Data Encryption Standard
  – 56 bit key, relatively slow
  – Used in EFS for Windows 2000
• 3DES: Triple DES
  – 3 encryption passes on the data using 56 bit keys
  – More secure and widely used
• AES: Advanced Encryption Standard, Rijndael
  – Key lengths of 128, 192, 256 bits
  – Current standard used by NIST (National Institute for Standards, US)


Symmetric encryption algorithms

• IDEA: International Data Encryption Algorithm
  – 128 bit keys
  – Patented and requires licensing for commercial use
• Blowfish:
  – Extremely fast, variant is Twofish, free for use of any kind
  – Variable length keys from 32 bits to 448 bits
• RC4:
  – Stream cipher, used in WEP for wireless, modifies the key as successive portions of text are encrypted
  – Uses variable key lengths


Hash functions

• A hash function is a type of encryption that takes data of any length and encrypts it to a fixed length string called a hash (or a digest)
• Hash functions are one way functions: the original data cannot be reconstructed from the hash
• A hash is used to prove data integrity and is not used for confidentiality. Hashes are generated at different times and compared; if the hashes are identical then the message has not been changed
• A good hash results in a large unpredictable change in hash, even when there is just a very small change in the original data
• Hashes are a fixed length so that an attacker cannot deduce the original length of data
• A good hash ensures that it is unlikely that another message will produce the same hash
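The hash properties above, measured in code. This is an added example, not part of the original slides; it assumes SHA-256 from Python's hashlib as the hash function, and the file names and contents are constructed samples.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    """Fixed-length (32 byte) digest, whatever the input length."""
    return hashlib.sha256(data).digest()

def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(message: bytes) -> float:
    """Mean fraction of digest bits that change, taken over every possible
    one-bit change to the message."""
    base = sha256(message)
    total = 0
    for i in range(len(message) * 8):
        flipped = bytearray(message)
        flipped[i // 8] ^= 1 << (i % 8)          # flip exactly one input bit
        total += bits_changed(base, sha256(bytes(flipped)))
    return total / (len(message) * 8 * 256)

def changed_files(baseline: dict, current: dict) -> list:
    """Integrity check: names whose hash now differs from the hash
    recorded at an earlier time."""
    return sorted(name for name, data in current.items()
                  if baseline.get(name) != sha256(data))

if __name__ == "__main__":
    # Constructed sample data.
    files = {"hosts": b"127.0.0.1 localhost\n", "motd": b"Welcome\n"}
    baseline = {name: sha256(data) for name, data in files.items()}
    files["hosts"] += b"10.0.0.5 intranet\n"      # later modification
    print("modified:", changed_files(baseline, files))
    print("avalanche: %.3f" % avalanche(b"Transfer 100 to account 12345"))
```

A one-bit change to the input changes about half of the 256 digest bits, which is why comparing two hashes is enough to detect a modification.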


Hash uses

• To guarantee data integrity
• To store passwords (Windows NT Challenge/Response, NTLM)
• Digital signing


Hash algorithms

• SHA1: Secure Hash Algorithm
  – 160 bits long, slower
  – Used in govt agencies
• MD5/MD4: Message Digest
  – 128 bits long
  – Used in applications that don’t have to comply with US government requirements


Public key encryption

• Public key available to anyone, private key must be kept secret
• Person who uses private key generates the key pair; the public key is stored in a certificate (send the private key to a CA to create the certificate)
• A brute force attack can derive a private key from the public key; increase the key length to make that infeasible
• Anyone can encrypt data using your public key: only you can decrypt using the private key
• You can encrypt using the private key and anyone can decrypt using the public key
• In a key pair the public key is based on the product of two large prime numbers: the private key is based on the numbers themselves
• Based on the idea that there is no known way to discover two large prime numbers from just their product


Digital signing

• Authenticate an email, file or program
• Encrypt the item with the private key, recipient decrypts with the public key
• Encrypt a hash of the message (saves time)
• Create a hash of email message, sign the hash by encrypting with private key
• Recipient decrypts the hash by using your public key to verify that you sent the message
• Recipient performs the same hashing function to compare the hash sent with message, if both match then integrity is verified
• Because only the public key can be used to decrypt a message signed with the private key, signing proves non-repudiation


Public key encryption uses

• Confidentiality:
  – encrypt with your public key
  – only your private key can decrypt
• Data Integrity:
  – digital signing ensures that a message is not changed
• Authentication:
  – ensures a specific private key was used to sign the message
• Non-Repudiation:
  – recipient can be sure that only the owner signed the message (if key not compromised)


Algorithms

• Public key encryption is slow, inefficient for large amounts of data
• RSA: Ron Rivest, Adi Shamir, Leonard Adleman
  – Now free and de facto standard
• Diffie-Hellman: Whitfield Diffie and Martin Hellman
  – Enables two people to exchange a secret key over an insecure medium without first agreeing on a shared secret
  – Used to establish a VPN tunnel
• Elliptic Curve cryptography:
  – Uses secure shorter keys for small storage spaces: smart cards and handhelds


Combining symmetric and asymmetric encryption

• The EFS process:
  – OS creates a random File Encryption Key (FEK)
  – Symmetric algorithm (3DES, DES) used to encrypt the file using the FEK as the key
  – OS retrieves the user's public key from the user's profile
  – OS uses RSA to encrypt the FEK with the user's public key and stores it in the DDF field of the file header
  – OS retrieves the public key for each EFS recovery agent
  – OS uses RSA to encrypt the FEK for each recovery agent with their public key and stores it in the DRF field of the file header
• To open file:
  – OS retrieves the user's private key, stored on the user's computer
  – OS uses RSA with the user's private key to decrypt the DDF and retrieve the FEK
  – OS uses the FEK to decrypt the file
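The EFS flow above modelled in code, showing why one symmetric key plus several RSA-wrapped copies of it lets both the user and a recovery agent open the file. This is an added example, not Windows or EFS code; the function names, the dictionary layout, the toy RSA keys (built from known Mersenne primes) and the SHA-256 keystream standing in for DES/3DES are all assumptions made so it runs with the Python standard library alone.

```python
import hashlib
import secrets

E = 65537  # public exponent

def keypair(p, q):
    """Toy textbook-RSA key pair from two primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 in counter mode XORed with data).
    Not DES/3DES; the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(fek, public):
    """RSA-encrypt the FEK with a public key."""
    n, e = public
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap(wrapped, private):
    """RSA-decrypt a wrapped FEK with the matching private key."""
    n, d = private
    return pow(wrapped, d, n).to_bytes(16, "big")

def efs_encrypt(plaintext, user_pub, agent_pubs):
    fek = secrets.token_bytes(16)                    # random File Encryption Key
    return {
        "DDF": wrap(fek, user_pub),                  # FEK under the user's key
        "DRF": [wrap(fek, p) for p in agent_pubs],   # one copy per recovery agent
        "data": keystream_xor(fek, plaintext),       # file body under the FEK
    }

def efs_decrypt(blob, private, field="DDF", index=0):
    wrapped = blob["DDF"] if field == "DDF" else blob["DRF"][index]
    fek = unwrap(wrapped, private)
    return keystream_xor(fek, blob["data"])

# Constructed toy keys from known Mersenne primes (trivially factorable).
USER_PUB, USER_PRIV = keypair(2**127 - 1, 2**521 - 1)
AGENT_PUB, AGENT_PRIV = keypair(2**107 - 1, 2**607 - 1)
```

Only the short FEK goes through the slow public key operation; the file body is encrypted once with the fast symmetric cipher, however many people or agents can open it.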


Summary

• Why we use encryption
• What the term cryptography means and why we use it in computer security
• How symmetric encryption, hash functions and public key or asymmetric encryption work
• Applying cryptography and uses of cryptographic functions