-What appears to be a harmless image can contain hidden data embedded within the image
-Can use image files, audio files, or even video files to contain hidden information
What is encryption?
-It is the process of converting an original message into a form that cannot be understood by unauthorized individuals.
-Encrypt/encipher: to encrypt or convert plaintext to cipher text.
What is decryption?
-Change the secret message back to its original form
-Decipher/decrypt: to decrypt or convert cipher text to plaintext
Encryption Definitions:
Plaintext?
the original unencrypted message that is encrypted and results from successful decryption. Readable data (by person or computer).
Encryption definitions:
Cipher?
The transformation of the individual components (characters, bytes, or bits) of an encrypted message into encrypted components.
Encryption definitions
Ciphertext or cryptogram
the unintelligible encrypted or encoded message resulting from an encryption. Neither human nor machine can properly process it until it is decrypted.
Encryption definitions:
Algorithm
the mathematical formula or method used to convert an unencrypted message into an encrypted message. Set of rules that determines how enciphering and deciphering take place
Encryption definitions:
Key
the information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm, or the knowledge of how to manipulate the plaintext.
Encryption definitions:
Keyspace
A range of values that can be used to construct a key. Larger keyspace means more possible keys (and therefore harder to break).
Common Ciphers:
substitution cipher
you substitute one value for another:
-a mono-alphabetic substitution uses only one alphabet
-a polyalphabetic substitution uses two or more alphabets
Common Ciphers: Transposition
or permutation cipher simply rearranges the values within a block to create the cipher
-Caesar cipher
Simple substitution and transposition ciphers are vulnerable to frequency analysis
Vernam Cipher
-Also known as the one-time pad, the Vernam cipher was developed at AT&T and uses a set of characters that are used for encryption operations only one time and then discarded
-the values from this one-time pad are added to the block of text, and the resulting sum is converted to text
One Time Pad
Unbreakable if
-pad must be used only one time (otherwise patterns are introduced)
-pad must be at least as long as the message (again patterns)
-pad must be securely distributed and protected at its destination
-pad must be made up of truly random values
OTP is impractical in most situations
Book or Running Key Cipher
Another method, used in the occasional spy movie, is the use of text in a book as the algorithm to decrypt a message.
The key relies on 2 components:
-knowing which book to use
-a list of codes representing the page #, line #, and word # of the plaintext word.
Stream cipher
-Takes one character and replaces it with one character.
-Subtraction cipher is the simplest type of stream cipher
Advantages and Disadvantages:
-fast when the plaintext is short
-more prone to attack because the engine that generates the stream does not vary
What are the 3 categories of Cryptographic Algorithms?
1. Hashing algorithms
2. Symmetric encryption algorithms
3. Asymmetric encryption algorithms
Explain Hashing
-also called one-way hash (you can hash, but you can't un-hash)
-a process for creating a unique "signature" for a set of data (this signature called a hash or digest represents the contents)
-hashing is used only for integrity to ensure that:
-information is in its original form
-no unauthorized person or malicious software has altered the data
-hash created from a set of data cannot be reversed
use of hashes: at ATMs
A hashing algorithm is considered secure if it has these characteristics:
-the ciphertext hash is a fixed size (regardless of plaintext size)
-two different sets of data cannot produce the same hash, which is known as a collision
-it should be impossible to produce a data set that has a desired or predefined hash
-the resulting hash ciphertext cannot be reversed-the hash serves as a check to verify the message contents.
-hash values are often posted on Internet sites (in order to verify the file integrity of files that can be downloaded)
Hashing Algorithms and CIA+2
Confidentiality: no
Integrity: yes
Availability: no
Authenticity: no
Non-repudiation: no
Secure Hash Algorithm (SHA)
-A more secure hash than Message Digest, as a longer hash is harder to attack
-A family of hashes (SHA-0, SHA-1, SHA-2)
-SHA-3 is currently under development
Message Digest Algorithm
-one common hash algorithm
-three versions:
1. Message Digest 2 (MD2)-developed in 1989, now considered too slow
2. Message Digest 4 (MD4)-flawed, too easy to generate collisions
3. Message Digest 5 (MD5)-created in 1991. Successfully attacked in 2004.
Password Hashes
Another use for hashes is in storing passwords
-when a password for an account is created, the password is hashed and stored
-not really a true hash, but really a one-way function
-in LM hashes, the password itself is the key
Symmetric Encryption
-Each of the methods of encryption and decryption described requires that the same algorithm and key are used to both encipher and decipher the message.
-this is known as private key encryption, secret key, or symmetric encryption
-in this approach to encryption, the same key-a secret key-is used to encrypt and decrypt the message
Symmetric Encryption
-Symmetric encryption methods are usually extremely efficient, requiring easily accomplished processing to encrypt or decrypt the message.
-need separate key for each person you want to communicate with.
-biggest challenge in symmetric key encryption:
1. getting a copy of the key to the receiver, a process that must be conducted out-of-band to avoid interception
Symmetric encryption flow:
1. Plaintext to encryption (key) to cipher-text transmitted to remote user as cipher-text to decryption algorithm (key) to plaintext again.
Symmetric Cryptographic Algorithms and CIA+2
Confidentiality: yes
Integrity: yes (by incorporating a hash)
Availability: yes
Authenticity: no (a true digital signature would give authenticity and non-repudiation)
Non-repudiation: no (you can't tie it to a specific individual-do you know that it's John on the other end?)
Symmetric Cryptographic Algorithms, continued
Data Encryption Standard:
-one of the first widely used popular symmetric cryptography algorithms
-DES is a block cipher and encrypts data in 64-bit blocks
-DES is a federally approved standard for nonclassified data. It was cracked in 1997 when the developers of a new algorithm, Rivest-Shamir-Adleman, offered a $10,000 reward for the first person or team to crack the algorithm. 14,000 users collaborated over the Internet to finally break the encryption; it took 3 days & 1536 microprocessors.
Symmetric Crypto Algorithm, cont.
Triple Data Encryption Standard (3DES)
-designed to replace DES
-uses 3 rounds of encryption instead of just one, 16 iterations within each round
-2^56 times stronger than DES (Data Encryption Standard)
Symmetric Crypto Algorithms, cont.
Advanced Encryption Standard
-approved by the NIST in late 2000 as a replacement for DES (data encryption standard)
-AES (Advanced Encryption Standard) performs 3 steps on every block (128 bits) of plaintext
-in 1998 it took a special computer designed by the Electronic Freedom Frontier more than 56 hours to crack DES
-it would take the same computer approximately 4,698,864 quintillion years to crack AES.
What does it mean to say the algorithm is broken?
-someone was unable to uncover a key that was used during the encryption process (one key used for one instance of encryption)
-is the algorithm worthless if it has been broken?
-depends on who your enemies are and how valuable your info is
Asymmetric Cryptographic Algorithms
Asymmetric cryptographic algorithms
-AKA: public key cryptography
-uses two keys instead of one
-the public key is known to everyone and can be freely distributed
-the private key is known only to the recipient of the message
-either key can be used to encrypt or decrypt the message
-however, if Key A is used to encrypt the message, then only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it
-if the private key locks, the public key unlocks
-if the public key locks, the private unlocks
Characteristics of Asymmetric Cryptographic Algorithms
-slower than symmetric
-better key distribution than symmetric
-better scalability
-can also provide authentication and nonrepudiation
Flow of Asymmetric Crypto Algorithms:
Plaintext
Encryption Algorithm (public key of receiver)
cipher text
transmitted to remote user
in cipher text
Decryption Algorithm (Private key of receiver)
Plaintext message
Asymmetric Crypto can also be used to create a _____________signature.
DIGITAL
A digital signature can:
-verify the sender (authentication)
-prove the integrity of the message
-prevent the sender from disowning the message (nonrepudiation)
Asymmetric Cryptographic Algorithms and CIA+2
Confidentiality-yes
Integrity-yes
Availability-yes
Authentication-yes
Non-Repudiation-yes
Digital Signatures
-When the asymmetric process is reversed, the private key encrypts a message, and the public key decrypts it.
-The fact that the message was sent by the organization that owns the private key cannot be refuted
-this nonrepudiation is the foundation of digital signatures
-often a digital signature is a hash value that has been encrypted by a sender's private key
-digital signatures are independently verified by a central facility (registry) as authentic
-using a digital signature doesn't encrypt the message itself. To ensure privacy of the message, it must also be encrypted using the receiver's public key.
-with a digital signature, I'm not releasing/revealing my private key, I'm just using it to encrypt something.
Digital Signature Flow
Bob sending Confidential email in plaintext
Hash algorithm (key)
Hash
Encryption Algorithm ( Bob's private key)
Digital Signature
Transmitted to Alice
Encryption algorithm (Bob's public key)
Hash
Hash Algorithm (key)
Hash (they match)
Alice receives
| Action | Whose key to use? | Which key? | Why? |
|---|---|---|---|
| B wants to send A encrypted msg. | A's key | public | when an encrypted msg is to be sent, the recipient's key is always used & never the sender's |
| A wants to read encrypted msg from B | A's key | private | an encrypted msg can only be read by using the recipient's key |
| B wants to send a copy to himself of encrypted msg he sent A | B's key | public to encrypt, private to decrypt | an encrypted msg can only be read by the recipient's private key |
| B receives an encrypted reply msg from A | B's key | private | the recipient's private key is used to decrypt received msgs |
| B wants C to read A's reply that he received | S's key | public | the msg should be encrypted w/ S's key for her to decrypt & read w/ her private key |
| B wants to send A a msg with a digital signature | B's key | private | Bob's private key is used to encrypt the hash |
| A wants to see B's digital signature | B's key | public | because B's public & private keys are mathematically related, Alice can use his public key to decrypt the hash |
RSA
-the most common asymmetric cryptography algorithm
-1st public key encryption algorithm developed for commercial use
Hybrid Crypto Systems
-Pure asymmetric key encryption is not widely used except in the area of certificates; instead, it is typically employed in conjunction with symmetric key encryption, creating a hybrid system.
-the hybrid process in current use is based on the Diffie-Hellman key exchange method, which provides a way to exchange private keys using public key encryption without exposure to any third parties.
-In this method, asymmetric encryption is used to exchange secret key securely over a public network.
-Once the key has been shared, then both parties can use it to encrypt and decrypt messages using symmetric cryptography
-Diffie-Hellman provided the foundation for subsequent developments in public key encryption.
Uses of Cryptology
file encryption
disk encryption
e-mail security
web browsing
remote network access
Cryptology Summary
-Cryptology is the science of transforming information into a secure form while it is being transmitted or stored so that unauthorized users cannot access it.
-hashing creates a unique signature, called a hash or digest, which represents the contents of the original text
-symmetric cryptography, also called private key cryptography, uses a single key to encrypt and decrypt a message
-asymmetric cryptography, also known as public key cryptology, uses two keys instead of one.
-cryptology can also be used to protect large numbers of files on a system or an entire disk
Digital Certificates
-Digital Certificate is an electronic document, similar to a digital signature, attached to a file certifying that the file is from the organization it claims to be from and has not been modified from the original format.
-a Certificate Authority (CA) is an agency that manages the issuance of certificates and serves as the electronic notary public to verify their origin and integrity
A digital signature typically contains the following information:
-owner's name or alias
-owner's public key
-name of the issuer
-digital signature of the issuer
-serial number of the digital certificate
-expiration date of the public key
Certificate Authority
Certificate Authority
-an entity that issues digital certificates for others
-a user provides info to a CA that verifies her identity
-the CA inserts this public key into the certificate
Registration Authority
Registration Authority
-handles some Certificate Authority tasks such as processing certificate requests and authenticating users
-a sub-entity of the CA (Certificate Authority)
Certificate Revocation List (CRL)
Certificate Revocation List
-lists revoked certificates
-can be accessed to check the certificate status of other users
-most CRLs can either be viewed or downloaded directly into the user's Web browser
Certificate Repository
Certificate repository
-a publicly accessible directory that contains the certificates and CRLs published by a CA
-CRs are often available to all users through a Web browser interface
3 types of Digital Certificates
1. Personal digital certificates (mostly used for email)
-a framework for all of the entities involved in digital certificates to create, store, distribute, and revoke digital certificates (includes hardware, software, people, policies, and procedures)
-PKI is digital certificate management
Certificate Life Cycle
1. Creation: certificate created & issued, user positively id'd
2. suspension
3. Revocation
4. Expiration-every certificate issued by a CA must have an expiration date.
Key Management
Proper Key Management includes key storage, key usage, and key handling procedures
Key Storage
-public keys can be stored by embedding them within digital signatures
-private keys can be stored on the user's local system
-private keys can be stored on smart cards or in tokens
Key Handling Procedures
Procedures include:
-Escrow: keys are managed by a third party
-Expiration
-Renewal
-Revocation
-Recovery
-Suspension
-Destruction
Trust Models
Trust may be defined as confidence in or reliance on another person or entity.
Trust model
-refers to the type of trusting relationship that can exist between individuals or entities
Direct Trust
-a relationship exists between 2 individuals because one person knows the other person
Third Party Trust
-refers to a situation in which two individuals trust each other because each trusts a third party
Trust Models
Direct trust is not feasible when dealing with multiple users who each have digital certificates
Three PKI trust models that use CA
-Hierarchical Trust Model (I trust the certificates the CA issues)
-Distributed trust model (CA issues certificates for other CAs, creating a trust chain)
-Bridge Trust Model (creates a peer-to-peer relationship between root CAs; a CA exists that does not sign certificates, it just serves as a facilitator to interconnect other CAs)
Managing Cryptographic Controls
-Don't lose your keys
-Know who you are communicating with (verify keys)
-It may be illegal to use a specific encryption technique when communicating to some nations
-Every crypto-system has weaknesses
-Give access only to those with a business need
-When placing trust into a certificate authority, ask "who watches the watchers?"