2.8 Cryptographic Concepts Flashcards
refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to transform messages in ways that are hard to decipher.
• Greek: “kryptos”
– Hidden, secret
• Confidentiality
– It’s a secret
• Authentication and access control
– I know it’s you. I REALLY know it’s you.
• Non-repudiation - You said it. You can’t deny it.
• Integrity - Tamper-proof
Cryptography
Cryptography terms
• Plaintext - An unencrypted message (in the clear)
• Ciphertext - An encrypted message
• Cipher - The algorithm used to encrypt and/or decrypt
• Cryptanalysis
– The art of cracking encryption
– Researchers are constantly trying to find
weaknesses in ciphers
– A mathematically flawed cipher is bad for everyone
Cryptography terms
a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text or to decrypt encrypted text. The length of the key is a factor in considering how difficult it will be to decrypt the text in a given message. • Keys – Add the key to the cypher to encrypt – Larger keys are generally more secure • Some encryption methods use one key – Some use more than one key – Every method is a bit different
Cryptographic keys
Give weak keys a workout • A weak key is a weak key – By itself, it’s not very secure • Make a weak key stronger by performing multiple processes – Hash a password. Hash the hash of the password. And continue… – Key stretching, key strengthening • Brute force attacks would require reversing each of those hashes – The attacker has to spend much more time, even though the key is small
Give weak keys a workout
techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key.
• Already built for your application
– No additional programming involved
• bcrypt
– Generates hashes from passwords
– An extension to the UNIX crypt library
– Uses Blowfish cipher to perform multiple
rounds of hashing
• Password-Based Key Derivation Function 2 (PBKDF2)
– Part of RSA public key cryptography standards
(PKCS #5, RFC 2898)
Key stretching libraries
an encryption method that features a small footprint and/or low computational complexity. It is aimed at expanding the applications of cryptography to constrained devices and its related international standardization and guidelines compilation are currently underway.
• Powerful cryptography has traditionally
required strength
– A powerful CPU and lots of time
• Internet of Things (IoT) devices have limited power
– Both watts and CPU
• New standards are being created – National Institute of Standards and Technology (NIST) leading the effort – Provide powerful encryption – Include integrity features – Keep costs low
Lightweight cryptography
the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form. Homomorphic encryptions allow complex mathematical operations to be performed on encrypted data without compromising the encryption.
• Encrypted data is difficult to work with
– Decrypt the data
– Perform a function
– Encrypt the answer
• Homomorphic encryption
– Perform calculations of data while it’s encrypted
– Perform the work directly on the encrypted data
– The decrypted data can only be viewed with
the private key
• Many advantages
– Securely store data in the cloud
– Perform research on data without viewing the data
Homomorphic encryption (HE)
a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic data. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process.
• A single, shared key
– Encrypt with the key
– Decrypt with the same key
– If it gets out, you’ll need another key
• Secret key algorithm
– A shared secret
• Doesn’t scale very well
– Can be challenging to distribute
• Very fast to use
– Less overhead than asymmetric encryption
– Often combined with asymmetric encryption
Symmetric encryption
consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key. • Asymmetric encryption – Public Key Cryptography • Key generation – Build both the public and private key at the same time – Lots of randomization – Large prime numbers – Lots and lots of math • Everyone can have the public key – Only Alice has the private key
The key pair
a key-based technique for encrypting data. an alternative technique to RSA, is a powerful cryptography approach. It generates security between key pairs for public key encryption by using the mathematics of elliptic curves.
• Asymmetric encryption
– Need large integers composed of two or more large
prime factors
• Instead of numbers, use curves!
– Uses smaller keys than non-ECC asymmetric
encryption
– Smaller storage and transmission requirements
– Perfect for mobile devices
Elliptic curve cryptography (ECC)
a process that uses a pair of related keys – one public key and one private key – to encrypt and decrypt a message and protect it from unauthorized access or use.
• Public key cryptography
– Two (or more) mathematically related keys
• Private key - Keep this private
• Public key - Anyone can see this key - Give it away
• The private key is the only key that can decrypt data
encrypted with the public key
– You can’t derive the private key from the public key
Asymmetric encryption
the process of translating a given key into a code. A hash function is used to substitute the information with a newly generated hash code.
• Represent data as a short string of text - A message digest
• One-way trip
– Impossible to recover the original message from the digest
– Used to store passwords / confidentiality
• Verify a downloaded document is the same as the original
– Integrity
• Can be a digital signature
– Authentication, non-repudiation, and integrity
• Will not have a collision (hopefully)
– Different messages will not have the same hash
Hashes
or clash is when two pieces of data in a hash table share the same hash value. The hash value in this case is derived from a hash function which takes a data input and returns a fixed length of bits.
• Hash functions
– Take an input of any size - Create a fixed size string
– Message digest, checksum
• The hash should be unique
– Different inputs should never create the same hash
– If they do, it’s a [this]
• MD5 has a [this] problem
– Found in 1996 - Don’t use MD5
Collision
Practical hashing
• Verify a downloaded file
– Hashes may be provided on the download site
– Compare the downloaded file hash with the
posted hash value
• Password storage
– Instead of storing the password, store a salted hash
– Compare hashes during the authentication process
– Nobody ever knows your actual password
Practical hashing
a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. [this] prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.
• [this]
– Random data added to a password when hashing
• Every user gets their own random [this]
– The [this] is commonly stored with the password
• Rainbow tables won’t work with [this] hashes
– Additional random value added to the
original password
• This slows things down the brute force process
– It doesn’t completely stop the reverse engineering
• Each user gets a different random hash
– The same password creates a different hash
Adding some salt
a type of electronic signature—is a mathematical algorithm routinely used to validate the authenticity and integrity of a message (e.g., an email, a credit card transaction, or a digital document). • Prove the message was not changed – Integrity • Prove the source of the message – Authentication • Make sure the signature isn’t fake – Non-repudiation • Sign with the private key – The message doesn’t need to be encrypted – Nobody else can sign this (obviously) • Verify with the public key – Any change in the message will invalidate the signature
Digital signatures
a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text or to decrypt encrypted text. The length of the key is a factor in considering how difficult it will be to decrypt the text in a given message. categorized according to how it will be used and what properties it has. For example, a key might have one of the following properties: Symmetric, Public or Private. Keys may also be grouped into pairs that have one private and one public key, which is referred to as an Asymmetric key pair.
• There’s very little that isn’t known about the
cryptographic process
– The algorithm is usually a known entity
– The only thing you don’t know is the key
• The key determines the output
– Encrypted data
– Hash value
– Digital signature
• Keep your key private!
– It’s the only thing protecting your data
Cryptographic Keys
e first generation of the AES. It is the most basic form of block cipher encryption.
a simple mode of operation with a block cipher that’s mostly used with symmetric key encryption. It is a straightforward way of processing a series of sequentially listed message blocks. The input plaintext is broken into numerous blocks.
• The simplest encryption mode
– Too simple for most use cases
• Each block is encrypted with the same key
– Identical plaintext blocks create identical
ciphertext blocks
ECB (Electronic Code Book)
an advanced form of block cipher encryption. With [this] mode encryption, each ciphertext block is dependent on all plaintext blocks processed up to that point.
a mode of operation for a block cipher – one in which a sequence of bits are encrypted as a single unit, or block, with a cipher key applied to the entire block. [this] uses what is known as an initialization vector (IV) of a certain length.
• A popular mode of operation - Relatively easy to implement
• Each plaintext block is XORed with the previous
ciphertext block
– Adds additional randomization
– Use an initialization vector for the first block
CBC (Cipher Block Chaining)
a mode of operation,
a simple counter based block cipher implementation in cryptography. Each or every time a counter initiated value is encrypted and given as input to XOR with plaintext or original text which results in ciphertext block.
• Block cipher mode / acts like a stream cipher
– Encrypts successive values of a “counter”
• Plaintext can be any size, since it’s part of the XOR i.e., 8 bits
at a time (streaming) instead of a 128-bit block
CTR (Counter)
a form of public ledger, a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. An asset can be tangible (a house, car, cash, land) or intangible (intellectual property, patents, copyrights, branding). a record-keeping technology designed to make it impossible to hack the system or forge the data stored on it, thereby making it secure and immutable. It is a type of distributed ledger technology (DLT), a digital system for recording transactions and related data in multiple places at the same time. • A distributed ledger – Keep track of transactions • Everyone on the blockchain network maintains the ledger – Records and replicates to anyone and everyone • Many practical applications – Payment processing – Digital identification – Supply chain monitoring – Digital voting
Blockchain
