Video Content Lesson 3 Flashcards
Julius Caesar’s Cryptography was known as
ROT3 (Rotate 3 characters)
Famous German Encryption Machine
Enigma
Japanese Encryption Machine
Purple Machine
Current Goals of Cryptography
Ensure Confidentiality (private messages stay private even during transmission) Provide Integrity (ensure message hasn't been changed in transmission--digital signature does this) Provide Authentication (Validates claimed identity of message's sender, uses encrypted challenge phrases to ensure other party knows appropriate key--similar to non-repudiation) Provides Nonrepudiation (provides assurance that message came from who it says it came from, validates that message has not been spoofed)
Cryptographic Uses
Email
Protocols and standards (PGP Pretty Good Privacy; S/MIME Secure/Multipurpose Internet Mail Extension; IPSec Internet connection security; SSL/TLS Secure Socket Layer/Transport Layer Security)
Concepts and Methodologies
Cryptography Terms Tranposition Cipher Subtitution Cipher Cipher Categories Cipher Process Symmetric Algorithms Asymmetric Algorithms Message Authentication
Cryptography Terms
plaintext-Original message- readable
Ciphertext-encrypted message- only readable if first decrypted
Cipher-process of rearranging or altering a plantext message so it is unreadable
Tranposition Cipher
Start with a keyword
List the ordinal values, based on a letter’s position in the alphabet
Write plaintext message in tabular form
Read individual columns
Substitution Cipher
replaces each character of a plaintext message
All that is needed is a table of plaintext characters and their associated substitute characters
A simple algorithm can be created
Both sender and receiver must use same
One-Time Pad (OTP) (only known unconditionally secure cipher)
Never reuse a OTP
Cipher Categories
Stream Cipher (each character is encrypted-example substitution cipher) Block Cipher (works on a chunk/block of plaintext-example transposition cipher)
Cipher Process
One-way function (function that is relatively easy to use to produce output values AND impossible (or nearly so) to deduce the input values from the output values)
Algorithm is sequence of steps used to encrypt plaintext
Key is some value used by the algorithm to encrypt plaintext
Symmetric Algorithms
Secret Key Algorithm (same key used to encrypt and decrypt a message
Weaknesses (Key Distribution, lacking nonrepudiation, not scalable (to lots of people)
Main Strength (Fast)
Asymmetric Algorithms
Public Key Algorithm (public and private key)
Sender encrypts the message with the receiver’s public key
Receiver decrypts the message with his own private key
Strengths (user maintenance and key management is easy, supports nonrepudiation, key distribution is simple)
Weakness (Slow)
Message Authentication
Hashing (mathmatical process that produces a digest of a message (similar to checksums); when the message changes, the digest changes as well; extremely unlikely for two messages to produce the same digest
Hashing allows the receiver to verify authenticity of the message
Digital signatures are used to verify the authenticity of a message
Cryptopraphic Algorithms
Binary math used in most cryptographic algorithms (AND, OR, XOR) (most typically used XOR) DES Triple DES IDEA-Blowfish-Skipjack AES RSA-El Gamal Hashing Algorithms Other Hashing Algorithms
DES
Symetrical Coding
Data Encryption Standard (DES)
Published in 1977
Adopted by US government as a standard for all data communications
64-bit block cipher
Key is 56-bit key (remaining 8 bits are parity bits)
4 DES modes
1-Electronic Codebook (ECB) (each 64-bit plaintext block is encrypted with the key)
2-Cipher Block Chaining (CBC) (the XOR operator is used to combine each plaintext block and the preceeding block before encryption)
3-Cipher Feedback (CFB) (the XOR operator is used to combine each plaintext block and the preceeding block after encryption)
4-Output Feedback (OFB) (similart to CFB, but the plaintext is combined with a seed value using the XOR operator
Triple DES
Double DES (2DES)--No stronger than DES Triple DES (3DES) More secure implementation of the DES algorithm Exists in three versions (all versions are equally secure) Ecryption algorithm is the same as DES E(K1,E(K2,E(K3,P))) 168 bits E(K1,E(K2,E(K1,P))) 112 bits E(K1,D(K2,E(K1,P))) 112 bits E-encryption algorithm D-decryption algormithm K1, K2, K3-encryption keys P-plaintext
IDEA
IDEA - International Data Encryption Algorithm (stronger alternative to DES)
Works on 64-bit blocks
Key starts at 128-bits
Key is broken into 52 16-bit subkeys
Subkeys are used to encrypt the plaintext
Very secure (used in commercial business)
Blowfish
Developed by Bruce Schneider as an alternative to DES and IDEA
Operates on 64-bit blocks
Key can vary from 32 bits to 448 bits
Skipjack
Block cipher operates on 64-bit blocks
Uses 80-bit key
Used in Clipper and Capstone high-speek encryption chips
Supports key escrow
AES
Advanced Encryption Standard (AES) (Symetrical)
Based on Rijndael cipher
Allows three key strengths
128-bit key (requires 9 rounds of encryption)
192-bit key (requires 11 rounds of encryption)
256-bit key (requires 13 rounds of encryption)
Uses three transformation layers (Linear, nonlinear, key additional transform)
RSA
Asymetrical have at least two key (public and private)
RSA created (1977) by (Ronald Rivest, Adi Shamire, and Leonard Adleman)
Most Popular
Depends on difficulty in factoring very large prime numbers
El Gamal
1985 by Dr. T. El Gamal
Uses large integers and modular mathmetics to calculate keys
Hashing Algorithms
a hash is taking a block of code and creating an output string of a block of code that represents a digest
SHA-1 (Secure Hash Algorithm)
developed by the National Institute of Standards and Technology (NIST)
Input any size
Always generates a 160-bit digest
MD2, MD4, and MD5 (Message Digest)
MD5 was developed by Ronald Rivest in 1991
Uses 4 computation rounds and produces a 12-bit digest
Other Hashing Algorithms
Haval (univeristy of Wallongong, Australia variable length output 128, 160, 192, 224, or 256 bits AND variable number of rounds 3, 4, or 5)
RIPEMD-160 (European RACE Integrity Primitives Evaluation project with 160 bit output AND 5 paired rounds of 16 steps each)
Cryptographic Practices
Digital Signatures Signature Types Key Distribution Stenganography PKI
Digital Signatures
provides assurance that the message came from the stated sender AND did not change while in transit (Nonrepudiation and integrity)
Signature Types
Hashed Message Authentication Code (HMAC) (Uses shared secret keys, so it does NOT provide nonrepudiation BUT it is more efficient thatn public key encryption schemes
Digital Signature Algorithm (DSA) (Asymmetric algorithm , Variable-length key size 512 and 1024 bits, works with SHA-1 digests
Digital Signature Standard (DSS) (Documentation or standatd set forth by NIST that sets standards for all government cryptography usage, Standard states that DSA is used for digital signatures and SHA-1 for hashing)
Key Distribution
how distribute keys?
Manual (paper or electronic)
Public key encryption (once public key encryptions is set up, it can be used to exchange private keys)
Diffie-Hellman Exchange (Algorithm used to calculate and exchange values on both sides; uses large integers and modular arithmetic; Each side produces the same large integer which is used as a secret key)
Stenganography
normal cryptography just encrypts a message
Hides the fact that the message exists
In normal use, the message is hidden inside another document
graphics files are common carriers
EX- every 16th bit could be changed without changing the actual image appearance
PKI (Public Key Infrustructure)
Ansymetric keys most common to use
Digital certificate (a copy of a person’s public key that is endorsed by a trusted third party)
Certificate Authorities (CA) (neutral organizations that offer notarization services for digital certificates; the validity of the CA is the trust that users have in them)
If a digital certificate is received from an unknown CA, do not accept it)
Public keys are published as digital certificates
CAs handles the generation and distribution of keys
Trust in the CA provides assurance that the parties presenting the days are who they say they are
System Architecture
PEM MOSS S-MIME SSL HTTPS SET IPSec ISAKMP
PEM
Privacy Enhanced Mail (PEM) (secure e-mail standard that uses CA-managed digital certificates)
MOSS
MIME Object Security Services (MOSS) (suggested replacement for PEM that does NOT use CA digital certificates; provides associations between e-mail addresses and certificates; provides secure exchange of attached documents)
S-MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) (e-mail encryption standard; Uses X.509 digital certificates to exchange keys; routinely uses both symmetric and asymmetric algorithms; very configurable; very flexible
SSL
Secure Sockets Layer (SSL) (originally developed by Netscape to provide encrypted transfers between a Web client and a Web server; uses certificates; weakness as it provides encryption only to the web server which is usually outside the firewall; TLS should replace SSL)
HTTPS
Secure Hypertext Transfer Protocol (SHTTP/HTTPS) Differs from SSL in that each message is encrypted instead of creating a secure channel; supports 2-way authentication
SET
Secure Electronic Transactions (SET) by Visa and Mastercard
IPSec
IP Security (IPSec) (complete infrastructure for secure network communications; 1-Transport mode - only the payload is encrypted (can be used with VPM); 2-Tunnel mode - entire packet is encrypted, including the header (gateway to gateway connection through a VPN)
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) (provides background services for IPSec; provides a method to maintain Security Associations of IPSec machines; provides key management)
Methods of Attack
Brute Force Known Plaintext Chosen Ciphertext Chosen Plaintext Meet-in-the-Middle Man-in-the-Middle Birthday Replay
Brute Force
Exhaustively attempts every possible combination to try to break a key
Consumes substantial computing resources
always look at the safety and security of algorithms as computing power changes
Known Plaintext
The attacker has a copy of the plaintext and ciphertext versions of the protected file; allows the attacker to analyze the relationship between the plaintext and the ciphertext
Chosed Ciphertext
If the attacker can decrypt portions of the encrypted message; the decrypted message fragment can be analyzed to possibly discover the key
Chosen Plaintext
attacker can encrypt palintext message; compare ciphertext with result of another encryption to possibly discover the key by matching the two
Meet-in-the-Middle
MIM attacker uses two simultaneous brute force attacks; works for algorithms that use two rounds of encryption; attacker encrypts a known plaintext with every possible key while decrypting the associated ciphertext with every possible key
attack is successful when a match is found
Man-in-the-Middle
MIM (usual MIM) attacker sits betweeen an intended sender and receiver
Intercepts session initiation and sets up a session from the sender to the attacker, and from the attacker to the receiver
Birthday
based on probability
Also called the collision attack
attempts to find a different message that produces the same digest
If you have a room with at least 23 people there is a 50% chance that there are two people with the same birthday
Replay
Attacker intercepts a session and records it
The session is played back later
different from the MIM in that MIM is active not passive
easily defeated by incorporating time stamps