10 - Cryptography Flashcards
Authentication
Assurance that the communicating entity is the one claimed
Access Control
Prevention of the unauthorised use of a resource
Data Confidentiality
Protection of data from unauthorised disclosure
Data Integrity
Assurance that data received is as sent by an authorised entity
Non-Repudiation
Protection against denial by one of the parties in a communication
Availability
Resource is accessible
Problems without Cryptography (4)
- Copy data from disk storage for remote analysis
- Passively listen on broadcast channels
- Aggressively monitor traffic through intermediate routers or workstations
- Actively replay, modify or insert their own messages into the message stream
Solutions to lack of Cryptography (4)
- User encryption of files
- DL and NL: in switches and routers (VPN)
- SL: end-to-end data conversion (SSL)
- AL: in programs such as email agents (PGP)
Ciphertext
Encrypted Plaintext
Plaintext
Decrypted ciphertext
Symmetric Encryption
Encryption where the same key is used for encryption and decryption
Asymmetric Cryptography
Use of public key cryptography
- pub key used to encrypt and check signatures
- private key used to decrypt and sign
Hash
A “fingerprint” of a piece of text that will show if it has been altered
Digital Signature
A “fingerprint” that is produced with a private key of a pub/priv key pair
Caesar Cipher Method
Each letter in the original message is replaced w/ a letter corresponding to a certain number of letters up/down the alphabet.
Monoalphabetic Substitution
Uses a fixed substitution over the entire message, vs a polyalphabetic substitution cipher, which uses a number of substitutions at different positions in the message
One-Time Pad (3)
- Uses a one-time pre-shared key
- Plaintext is encrypted by combining it w/ the corresponding bit or character from the pad using modular addition
- Theoretically unbreakable if pad is generated randomly
Types of Symmetric Cryptography
- DES (56 bit)
- 3DES (168 bit)
- AES (current standard)
AES
- keys
- data operation
- Key Expansions
- Rounds
- Keys are 128, 192 or 256 bits
- Data operation on a 4x4 byte matrix known as the “state”
- Key expansion: round keys are derived from the primary key
- Rounds
- ->SubBytes: each byte is replaced w/ another from a lookup table
- ->ShiftRows: last 3 rows of the state are shifted a number of steps
- ->MixColumns: combining of the 4 bytes in each column
- ->AddRoundKey
- ->Final round drops MixColumns
Key Exchange Method (6)
Diffie-Hellman Key Exchange
- Alice chooses a prime p and base g, tells Bob
- Bob picks a secret, a, computes A = g^a mod p, sends result A to Alice
- Alice picks a secret, b, computes B = g^b mod p, sends result B to Bob
- Bob computes B^a mod p
- Alice computes A^b mod p
- Both results are the same: the shared session key, used for private-key (symmetric) encryption
Public Key Cryptography (3)
- Key Gen: Create pub/priv key pair
- Encrypt message with pub key
- Decrypt message with private key
RSA Pub/Priv Key Gen
PUB
- prime nums p & q
- n = p*q
- z = (p-1)*(q-1)
- k = prime number that is co-prime to z (z not divisible by k)
- (k, n) is the pub key
PRIV
- k*j = 1 (mod z)
- (j, n) is the priv key
Hash Function (2)
- Maps data of arbitrary size to a bit string of a fixed size
- Designed to operate only one way
Properties of Hash Function (5)
- deterministic, same message = same hash
- fast to compute
- very difficult to generate a message from its hash
- small changes result in large changes to hash
- two different messages unlikely to generate the same hash
Other Hashing functions (2)
MAC & Digital Signature
Digital Certificate
An electronic document that proves ownership of pub key
Contents of Dig Cert (3)
- Pub key
- ID of owner (subject)
- CA digital signature
Format of Dig Cert
ISO X.509
- Data encoded using Abstract Syntax Notation (ASN.1)
Certificate Path Validation Reason?
To verify that certificate path is valid from subject’s certificate up to a trusted root cert issued by a trusted CA
Trusting a Certificate (4)
- Root CA such as Google
- Subjects identified by a range of different means
- Still possible for rogue SSL cert
- Certificate Transparency
Revoking Certificates Problems (2)
CRLs published as soon as a cert is revoked
- CRLs impose overhead in downloading and processing
- Subject to DoS attacks
Alternative to CRL
Online Certificate Status Protocol (OCSP)