Security Flashcards
Symmetric key cryptography
sender n receiver keys identical
public key cryptography
encryption key is public
decryption key is private
block ciphers / transposition ciphers
the plaintext is divided into fixed-size blocks and encrypted one block at a time
DES (Data Encryption Standard)
-symmetric key
-64-bit block size
-56-bit key
-19 stages
(3 stages of transposition)
(16 stages of:
Exclusive ORing with a key (derived from input key)
substitution function
transposition function,
permutation
AES (Advanced Encryption Standard)
- symmetric key
- safer than DES
- 128-bit block size
- more bits in key
- brute force would take trillions of years
IDEA (International Data Encryption Algorithm)
- symmetric key
- 64-bit block size
- 128-bit keys
-8-iteration encryption iterations are: addition multiplications exclusive ORing permutation using different key derived from input key
RSA steps (6)
Public key
SLOW
1) Choose 2 "large" primes: 'p' and 'q' 2) Let n = p*q Let z = (p-1) * (q-1) 3) Let 'e' < n, relatively prime to z 4) Find a number d s.t: e*d = 1 mod z (e*d / z = ? + 1) find d.
5) public key = (e,n)
6) private key = (d, n)
A is relatively prime to Z
A and Z share no common positive factors except for 1.
public key: (e,n)
private key: (d,n)
How to encrypt plaintext block M < n to a Ciphertext block C?
C = M^e mod n
public key: (e,n)
private key: (d,n)
How to decrypt a ciphertext block C < n to a plaintext block M?
M = C^d mod n
How to provide confidentiality AND authentication?
Alice has private key and wants to send to Bob
1) Alice encodes message with private key (Anyone w/ public key can decode this)
2) Alice encodes THIS with public key (Only someone w/ private key can decode this)
3) Bob decodes message with private key
4) Bob decodes THIS with public key. If he gets the message, then it was Alice who sent it (because only she could have encoded something w/ her private key)
Hash function H
-Accepts a message M of any size and produces a fixed size block H(M) [digest of M]
Hash function must be: (3)
- Computationally efficient
- For any digest d, it must be computational infeasible to find an M’ s.t. H(M’) = d
- For any message M, it must be computationally infeasible to find M’ s.t. H(M’) = H(M)
Message Integrity using a Hash Function and Public Key
Encrypt digest with private key.
Decrypt digest with public key
So only small piece of data is using RSA, better performance
Key Distribution Center (KDC)
shares different secret key with each registered user.
Alice and Bob know their own symmetric keys for communicating with KDC
-KDC sends Alice a session key (R1) AND R1 encrypted with Bob’s key
Bob decrypts R1 and knows to use that to communicate with Alice
Certification Authority (CA)
-binds public key to particular entity E (person, router)
- E registers its public key with CA.
- CA creates certificate binding E to its public key and digitally signs it (encrypt)
-When Alice wants Bob’s public key, she gets Bob’s certificate and apply’s CA’s public key to it to get Bob’s public key
packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by (unencrypted data)
packet sniffing countermeasures
- all hosts run software that checks if host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
IP spoofing
cangenerate raw IP packets directly from application, putting any value into IP source address field (pretending to be another thing)
-receiver can’t’ tell if source is spoofed
IP spoofing countermeasures
ingress filtering: routers shouldn’t forward outgoing packets with source addresses not in router’s network
(can’t be done with all networks)
Denial of Service countermeasures
- filter out flooded packets before reaching host: throw out good with bad
- traceback to source of floods (but most likely an innocent, compromised machine)
Pretty Good Privacy (PGP)
complete email security package that provides:
- secrecy
- authentication
- digital signatures
- compression (ie. zip)
- free (not contrlled by gov’t)
Secure Socket layer (SSL) transport layer security services (3)
- server authentication
- data encryption
- client authentication (with client certificates)
server authentication with SSL
- SSL-enabled browser includes public keys for trusted CA’s
- Browser requests server certificate that was issued by trusted CA
- Browser uses CA’s public key to extract server’s public key from certificate
