Cryptography Part 1 Flashcards
Notes on Cryptography
- Lots of security is founded on cryptography
- Render information unreadable to those without the necessary keys
- A necessary, but insufficient, technology
- One part of a secure system
- …but only one part, not enough on its own
- Important to understand the basics of how crypto contributes to security
What is meant by Cryptography?
Meaning: A method of scrambling a message so that its contents can only be read by the intended recipient.
- Ensures Confidentiality and Integrity
Note: Also has other uses
- The ability to encrypt or decrypt may identify someone, and provide authentication – and therefore non-repudiation
- Secure data at rest and in-flight (Sending data/message) (probably with different mechanisms)
What is the goals of Cryptography?
- Take a block (or a stream) of data and make it computationally infeasible to read it in an appropriate interval
Note: Cracking / Breaking cryptography is infeasible, not impossible.
- All encryption schemes can be broken in theory – but perhaps only by testing all the possibilities (which takes too much time)
Notes on Cryptography
Scenario:
3 Participants (Alice, Bob and Calvin the Hacker)
Goals: Send secure message through an insecure channel.
Plaintext: Message being sent
Ciphertext: Encrypted Message
Key: information needed to decipher the ciphertext
Process: Encrypt plaintext into ciphertext, send message over channel to recipient bob. If hacker intercepts message, he can’t read it because it is encrypted (has jargon).
- Where are the keys kept?
Cipher Styles:
* Stream: data encrypted as it is generated
- Note: suited to network transactions.
* Block: data encrypted all in one go
- Note: Naturally suited to files.
Name three (3) types of encryption
Encryption meaning: A method of scrambling a message so that its contents can only be read by the intended recipient. (Same definition as Cryptography)
Note: Algorithm is known to everyone.
Note: (Some) keys are kept secret.
Symmetric-key encryption:
- Encryption and decryption key are the same.
- A method of encryption that uses the same key to both encrypt and decrypt a message.
- Often very fast, can encrypt on the fly, (Most secure network protocols – notably TLS – use symmetric-key encryption).
- Problem: Don’t know exactly who sent the message if lots of people use the same key.
Asymmetric-key encryption:
- Two different keys, with a relationship
Public-key encryption (example of Asymmetric-key encryption):
- Two keys per participant, one public (published openly), one private (kept secret).
- A message encrypted with the public key (recipients) can be decrypted using the private key (recipients).
- Critically, you cannot decrypt a message encrypted with the public key using the public key.
- Strengths: Confidentiality (Message can’t be read unless attacker gets access to receiver’s private key), Key Distribution is easy (Widely share public keys, Keep private keys private, i.e., not distributed at all)
Note: Both types (Symmetric and Asymmetric) requires keys to be kept private.
Note: Ciphers are very specialised and are very hard to create.
Note: Public-key cryptography can be used to authenticate users as well as encrypt traffic.
Note: Public key’s are much longer in length.
What is meant by “signing”?
Meaning: a method for authenticating the sender of the data (files, information, etc). i.e., an assertion of something.
- “I created this”
- “I confirm the following is true”.
Note: Create a web of trust with machine-readable assertions and machine-readable “proofs” that specific individuals made those assertions.
Note: The same keypairs and algorithms can give us both confidentiality and authentication.
What is meant by key management?
Meaning: the management of cryptographic keys in a cryptosystem.
Note: private keys in a public-key encryption system must be kept private.
Note: Possession of the private key lets the owner sign messages as the participant.
Note: Non-repudiation makes this as binding as a physical signature.
- In reality a digital signature is far more reliable than a physical signature, and so should be trusted more.
Note: Some jurisdictions (i.e., the EU) recognise digital signatures for (most) legal purposes.
Keynote: A possible attack vector is to attack the key server, and replace the recipients public key with the attackers.
Name ways to attack a crypto system?
From hardest to simplest:
- Attack the algorithm
* This is unlikely to work against a modern crypto system, since the algorithms are mainly open source and extensively studied.
- Attack the implementation
* All code has bugs that go hidden until exploited (“zero day” exploits).
- Attack the human side (OpSec)
* People always make mistakes in the use of systems
Notes on Security in depth
There’s a tendency to think that encryption is the magic bullet of security. But cryptography is just one part of a secure system (A component).
Various attack vectors to be considered.
- Technical: against the algorithms, the infrastructure,
- Social: against how individuals use the system, against how they obtain the information they need
- Model and analyse them together
Summary on Cryptography Part 1
Goals of Encryption
- Confidentiality, authentication, non-repudiation, efficiency, …
- Often a trade-off between the two
Core crypto concepts
- Messages, plaintext, ciphertext
- Keys, symmetric, asymmetric, public-key
- Key management and infrastructure
