2.8 - Summarize the basics of cryptographic concepts. Flashcards
Digital signatures
-uses encrypted hash of a msg
->hash encrypted wth sender’s PRIVATE key
-digital signature alg relies on public key cryptography + hashing functions
-if recipient can decrypt the hash it provides 3 benefits:
Authentication
->Prove the source of the message/identifies sender of the email
->email came from who it appears to be coming from
Non-repudiation
->Make sure the signature isn’t fake
->sender can’t later deny sending the msg
->sometimes req 4 online transactions
Integrity
->Prove the message was not changed
->provides assurances msg not modified/corrupted
->recipients know the msg is the same as the sent msg
-Sign with the private key
->msg doesn’t need to be encrypted
->Nobody else can sign this (obviously)
-Verify with the public key
->Any change in the msg will invalidate the signature
EX:
-Alice encrypts using her private key (encrypted msg = digital signature)
->Bob decrypts digital signature using Alice’s public key
Gibson 370
Chapple 207
- Key length
- Key stretching
* Already built for your application
– No additional programming involved
* bcrypt
– Generates hashes from passwords
– An extension to the UNIX crypt library
– Uses Blowfish cipher to perform multiple rounds of hashing
* Password-Based Key Derivation Function 2 (PBKDF2)
– Part of RSA public key cryptography standards (PKCS #5, RFC 2898)
- Salting
Adding some salt
* Salt
– Random data added to a password when hashing
* Every user gets their own random salt
– The salt is commonly stored with the password
* Rainbow tables won’t work with salted hashes
– Additional random value added to the original password
* This slows down the brute force process
– It doesn’t completely stop the reverse engineering
* Each user gets a different random hash
– The same password creates a different hash
- Hashing
Hashes
-Represent data as a short string of text - A message digest
-One-way trip
–> Impossible to recover the original message from the digest
–> Used to store passwords / confidentiality
-Verify a downloaded document is the same as the original
–> Integrity
-Can be a digital signature
–> Authentication, non-repudiation, and integrity
-Will not have a collision (hopefully)
–> Different messages will not have the same hash
Practical hashing
-Verify a downloaded file
–> Hashes may be provided on the download site
–> Compare the downloaded file hash with the posted hash value
-Password storage
–> Instead of storing the password, store a salted hash
–> Compare hashes during the authentication process
–> Nobody ever knows your actual password
- Key exchange
* A logistical challenge
– How do you transfer an encryption key across an insecure medium without having an encryption key?
* Out-of-band key exchange
– Don’t send the symmetric key over the ‘net
– Telephone, courier, in-person, etc.
ECC
Elliptic-curve cryptography (Gibson 365, Chapple 204)
-graphs points on curve to create keys
Instead of numbers, use curves!
– Smaller storage and transmission requirements
– Perfect for mobile devices
-doesn’t take as much processing power as other cryptographic methods
-keys can be much smaller compared to non ECC keys
-common use cases of low power devices
-sometimes used wth smaller wireless devices b/c doesn’t take much processing power to achieve desired security
-use 4 asymmetric encryption
Asymmetric encryption
– Need large integers composed of two or more large prime factors
-256 bit elliptic curve public key = provide same sec benefit of a 3072 key used wth DSA
defined by equation: y^2 = x^3 + ax + b
PFS
Perfect Forward Secrecy
Change the method of key exchange
– Don’t use the server’s private RSA key
* Elliptic curve or Diffie-Hellman ephemeral
– The session keys aren’t kept around
* Can’t decrypt with the private server key
– Every session uses a different private key for the exchange
* PFS requires more computing power
– Not all servers choose to use PFS
* The browser must support PFS
– Check your SSL/TLS information for details
- Communications (Quantum)
- Computing (Quantum)
Post-quantum
Ephemeral
- Authenticated (Modes of operation)
- Unauthenticated (Modes of operation)
- Counter (Modes of operation)
Public ledgers (Blockchain)