Chapter 17 Flashcards
"Security"
encryption
process of changing plain text into cipher text
cipher text
data after encryption
plain text
data before encryption
public key
an encryption key that is shared with everyone involved in the process
private key
- an encryption key that is not shared with anyone
- it is used to decrypt data that was encrypted with its matching public key
similarities between private and public key
both used in asymmetric encryption
a pair of keys is required//matching pair
both are hashing algorithms
difference between private and public keys
private key is only known to the owner of the key pair, public key is available for everyone
public key is for encryption, private key is for decryption
purpose of encryption
to provide better security,
ensure the authenticity of the message
non-repudiation, neither sender nor receiver can deny the transmission’s occurrence
symmetric encryption
one key is used for both encryption and decryption
asymmetric encryption
two different keys are used for encryption and decryption, one private and one public.
- the message to be sent is encrypted using the receiver’s public key
- the message is decrypted using the receiver’s matching private key
- as the receiver is the only one with that private key, only the receiver can read the message.
explain the difference between symmetric and asymmetric encryption
- Symmetric cryptography uses a single key to encrypt and decrypt messages, Asymmetric cryptography uses two.
- The symmetric key is shared, whereas with asymmetric, only the public key is shared (and the private key isn’t).
- …asymmetric encryption is more secure.
- Symmetric cryptography is a simple process that can be carried out quickly, but asymmetric is more complex, so slower.
- The length of the keys in symmetric encryption are (usually) shorter than those for asymmetric (128/256 bits v 2048 bits).
security concerns for encryption
confidentiality = the receiver should be the only one to decipher the cipher text
authenticity = the receiver should be certain who sent the ciphertext
integrity = ensuring the cipher text has not been altered during transmission
handshake
when a device initiates communication with another device
handshake protocol
requests from the server its SSL certificate which is a digital certificate that confirms its identity. a session key is established that is used for the duration of the connection.
long answer:
client requests server’s digital certificate and public key
client validates certificate and sends their certificate (if requested)
client sends an encrypted message to the server (using server’s public key) to establish session key
session begins
security parameters determined during the handshake protocol
- which protocol will be used
- session ID (uniquely identifies the messages sent)
- encryption method
- compression method to be used
secure socket layer (SSL) protocol
when a user logs onto a website, SSL encrypts the data and only the client’s computer and the webserver are able to make sense of what is being transmitted
initiates handshake protocol
during this process the client and browser establish a session key that they use for the duration of their connection
ssl process
handshake protocol first establishes a connection and confirms identity - the client browser requests its SSL certificate (a digital certificate confirming its identity) and its public key
- if the digital certificate is valid (checks cert through list of certificate authorities) then the session is created, if it is invalid the website is rejected.
client browser then creates and sends the server a symmetric session key using the server’s public key
server uses their private key to decrypt the session key, and sends an acknowledgement (encrypted)
- the session key is used to encrypt the data throughout session
function of ssl
created to reassure a user when a client-server application is underway. its purpose is:
- Encryption of data
- Compression of data
- Integrity checking of data
transport layer security (TLS)
provides secure communication over a network.
maintains data integrity and adds a layer of security (more secure than SSL)
composed of two layers - record protocol and handshake protocol
record protocol (not in spec?)
contains the data being transmitted over the network
differences between SSL and TLS
it’s possible to extend TLS by adding new authentication methods unlike SSL
TLS separates the handshaking process from the record protocol layer where all data is held
examples of when ssl/tls is used:
banking
private/secure email
online shopping
secure file transfer
using a social networking site - audio chatting, instant messaging.
digital signature
an agreed hash function is applied to a message (creating a digest), which is then encrypted using the sender’s private key to form a digital signature. used to identify a sender
digital signature process
- Cryptographic one-way hashing algorithm (agreed upon hashing algorithm) is used on the message to create a message digest
- The sender’s private key is then used to encrypt the message digest, which becomes the digital signature.
- the message and digital signature are encrypted with the receiver’s public key (asymmetric), and are sent
- The receiver decrypts the message and digital signature using the receiver’s private key (asymmetric)
- the digital signature is then decrypted with the sender’s public key to recover the message digest
- The receiver uses the same hash function on the decrypted message and compares the two
- If they are identical, the sender’s identity is verified and the message has not been altered.
digital certificate
a data file that provides authentication through the CA.
how is a digital certificate obtained
- an application is filed to the local CA (certificate authority)
- with some proof of identity e.g. organization name and the information required by the CA
- organization also hands over its public key (depends on question)
- identity is checked by a registration authority
- if it’s verified, the CA generates the certificate, with the CA’s digital signature and name verifying the certificate.
- the digital certificate is issued and handed back to be used.
items in the digital certificate
serial number (unique)
certificate authority that issued certificate
certificate authority digital signature
name of the owner of certificate
the owner’s public key
period of validity of certificate
agreed hashing algorithm
how is a digital certificate used to create a digital signature?
Instead of making the public key available for everyone, the sender could send the public key to a CA for optimum security.
the CA creates a digital certificate which contains the public key with proof of ownership of the public key
Anyone wishing to use the public key obtains it from the digital certificate
a message encrypted with the public key could be sent to the owner of the private key
that owner could use it to create a digital signature that can be used to authenticate a message
purpose of quantum cryptography
- to send virtually un-hackable messages …
- … by using the laws / principles of quantum mechanics / properties of photons
- detects eavesdropping …
- …because the properties of the photons change
- to protect security of data transmitted over fibre optic cables
- to enable the use of longer keys.
quantum cryptography
(the direction each photon vibrates in is called its polarisation. A photon can polarised to represent a value for a bit - two ways to represent a 1 and two ways to represent a 0.)
process:
Sender generates photons
Sender sends photons through a random sequence of polarizers
Receiver sends photons to a randomly generated sequence of beam splitters
sender informs receiver of used sequence (polarisation basis)
the receiver informs which ones matched.
for each matched value there is now a stored bit.
receiver then discards other photon signals
benefits of quantum cryptography
- impossible to intercept without alterting either side that there has been an interception due to the nature of the photons/laws of physics
- furthermore photons would be destroyed by the attempt (more secure)
- performance of quantum cryptography is continuously improved
- integrity of the key once transferred can be guaranteed
- longer keys can be used
- eavesdropping can be detected (changes the state of photon)
drawbacks of quantum cryptography
- requires dedicated quantum fibre optic line and specialist equipment which are difficult and expensive to implement.
- has a limited range - currently only works over relatively short distances
- polarisation of light can change during the transmission due to poor conditions
- can be utilized by criminals to hide their activities
