Securing the data. Authentication: The message comes from whom it states HMAC(Hash-based Message Authentication Code)

Transcription

1 Securing the data A network infrastructure can be secured through device hardening, AAA access control, firewall features, and IPS implementations But how is network traffic protected when traversing the public Internet? Answer: Cryptographic methods

2 Securing the data Authentication: The message comes from whom it states HMAC(Hash-based Message Authentication Code) Integrity: Guarantee that no one intercepted it MD5(Message-Digest algorithm 5) SHA-1 (Secure Hash Algorithm) Confidentiality: If captured; it cannot be deciphered. Symmetric: DES (Data Encryption Standard) 3DES AES (Advanced Encryption Standard) Asymmetric : RSA Public key infrastructure (PKI)

3 Confidentiality Encryption Key - Decryption Hashing(grinding coffe) password hashed compared to a stored hashed value Password lost reset!!

4 Cryptographic Hashes Hashes are used for integrity assurance. Hashes are based on one-way functions. The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint. Detect duplicate data files, file version changes

5 Cryptographic Hashes Proof of authenticity used with a symmetric secret authentication key, such as IP Security (IPsec) or routing protocol authentication. To provide authentication by generating one-time and one-way responses to challenges in authentication protocols such as the PPP Challenge Handshake Authentication Protocol (CHAP). To provide a message integrity check proof, such as those used in digitally signed contracts, and public key infrastructure (PKI) certificates Accessing a secure site using a browser.

6 Cryptographic Hashes

7 Cryptographic Hashes Vulnerable to man-in-the-middle attacks. Does not provide security to transmission. These are two well-known hash functions: Message Digest 5 (MD5) with 128-bit digests Secure Hash Algorithm 1 (SHA-1) with 160-bit digests

8 MD-5 MD-5(Message digest algorithm) Ron Rivest One-way function Collision resistant, Complex sequence of simple binary operations, such as exclusive or (xors) and rotations produces a 128-bit hash Considered less secure than SHA-1

9 SHA-1 Input message of < 2^64 bits => 160-bit message digest. Slightly slower than MD5. Sha-224, SHA-256, SHA-384, SHA-512 Newer, more secure versions of SHA-1 Collectively known as SHA-2.

10 MD-5 vs. SHA-1 Digest length Steps Buffer Speed MD slow SHA fast

11 HMAC/ KHMAC Keyed/Hashed Message Authentication Code KHMACs use an additional secret key as input to the hash function adding authentication to integrity assurance. The secret key is known to the sender and receiver and defeats man-in-the-middle attacks. KHMAC is based on existing hash functions, such as MD5 and SHA-1.

12 HMAC/ KMAC

13 Key management Generation Automated Random number generators Equally generated Unpredictable

14 Key management Verification Weak keys that should not be used DES weak keys are those that produce 16 identical subkeys Alternating ones plus zeros ( ) Alternating F plus E (FEFEFEFEFEFEFEFE) E0E0E0E0F1F1F1F1 1F1F1F1F0E0E0E0E Caesar cipher, using a key of 0 or 25 does not encrypt the message

15 Key management Storage Stored in memory Problem Swapped to the disk Trojan horse

16 Key management Exchange provide secure key exchange probably over an untrusted medium.

17 Key management Revocation and Destruction Notification Destruction in a secure manner

18 Key length Key space Key length = n Key space = 2n strength of protection length of the key "the longer the key, the better" is valid, except for possible performance reasons.

19 Symmetric encryption Best known as shared-secret key algorithms. The usual key length is bits. A sender and receiver must share a secret key. They are usually quite fast (wire speed) because these algorithms are based on simple mathematical operations. Symmetric encryption algorithms are DES(Data Encryption Standard) 3DES(Tripple DES) AES(Advanced Encryption Standard ) IDEA RC2/4/5/6 (Ron Rivest, Rons code) Blowfish.

20 Asymmetric encryption Asymmetric encryption algorithms are best known as public key algorithms. The usual key length is bits. A sender and receiver do not share a secret key. These algorithms are relatively slow because they are based on difficult computational algorithms. Examples of asymmetric encryption algorithms are RSA ElGamal Elliptic curves DH.

21 DES Change keys frequently Use a secure channel to communicate the DES key from the sender to the receiver. Test a key to see if it is a weak key before using it. DES has 4 weak keys and 12 semi-weak keys.

22 3DES Encrypting data three times in a row using different 56-bit keys equals a 58-bit key strength. The 3DES-EDE procedure, on the other hand, provides encryption with an effective key length of 168 bits.

23 AES (Advanced Encryption Standard) Key length Speed Efficiency High throughput Low latency Key size (in bits) Time to crack 255 keys per second AES + + Factor , 192, and Trillion years DES/3DES and 168 bits 4.6 Billion years with current technology

24 Diffie-Hellman DH is a mathematical algorithm that allows two computers to generate an identical shared secret on both systems, without having communicated before. The new shared key is never actually exchanged between the sender and receiver. Its security is based on the difficulty of calculating the discrete logarithms of very large numbers. Asymmetric key systems are extremely slow for any sort of bulk encryption, so we use DES, 3DES, or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.

25 Diffie-Hellman

26 Diffie-Hellman

27 Asymmetric keys Internet Key Exchange (IKE), a fundamental component of IPsec VPNs Secure Socket Layer, now implemented as IETF standard TLS SSH Pretty Good Privacy (PGP), a computer program that provides cryptographic privacy and authentication and often used to increase the security of communications

28 Asymmetric keys A public key encrypts the data, private key decrypts the data. A private key encrypts the data, public key decrypts the data. This process enables asymmetric algorithms to achieve authentication, integrity, and confidentiality.

29 Asymmetric keys

30 Asymmetric keys

31 Asymmetric keys

32 Digital Signatures The signature is authentic and not forgeable. The signature is not reusable The signature cannot be repudiated. In some countries, including the United States, digital signatures are considered equivalent to handwritten signatures if they meet certain provisions proper protection of the certificate authority, proper protection of the private keys of the users.

33 Digital Signatures 1. The sending device (signer) creates a hash of the document. 2. The sending device encrypts the hash with the private key of the signer. 3. The encrypted hash, known as the signature, is appended to the document. 4. The receiving device (verifier) accepts the document with the digital signature and obtains the public key of the sending device. 5. The receiving device decrypts the signature using the public key of the sending device. This step unveils the assumed hash value of the sending device. 6. The receiving device makes a hash of the received document, without its signature, and compares this hash to the decrypted signature hash. If the hashes match, the document is authentic; it was signed by the assumed signer and has not changed since it was signed.

34 Digital Signatures

35 Digital Signatures

36 Digital Signatures Digital Signature Algorithm Ron Rivest, Adi Shamir, and Len Adleman invented the RSA algorithm in DSA RSA + - Signature generation is fast Signature verification is slow Signature verification is fast Signature generation is slow

37 PKI - Public key infrastructure All individuals agree to accept the word of a neutral third party Certificate servers are an example of a trusted third party. Driver's License Certificate

38 PKI PKI is a set of components Technical Organizational Legal Large-scale use of public key cryptography to provide Authenticity Confidentiality Integrity Nonrepudiation services.

39 PKI-framework Hardware Software People Policies Procedures Create Manage Store Distribute And revoke digital certificates.

40 PKI-framework Certificate - A document, which binds together the name of the entity and its public key and has been signed by the CA Certificate authority (CA) - The trusted third party that signs the public keys of entities in a PKIbased system

41 Certificates

42 Certificates 1. Alice and Bob request the CA certificate that contains the CA public key. 2. Upon receipt of the CA certificate, each system (of Alice and Bob) verifies the validity of the certificate using public key cryptography. 3. Alice and Bob follow up the technical verification done by their system by telephoning the CA administrator and verifying the public key and serial number of the certificate.

43 Certificates 1. Both systems forward a certificate request which includes their public key along with some identifying information. All of this information is encrypted using the public key of the CA. 2. Upon receipt of the certificate requests, the CA administrator telephones Alice and Bob to confirm their submittal and the public key and issues the certificate by adding some additional data to the certificate request, and digitally signing it all. 3. Either the end user manually retrieves the certificate or SCEP automatically retrieves the certificate, and the certificate is installed onto the system.

44 Certificates 1. Bob and Alice exchange certificates. The CA is no longer involved. 2. Each party verifies the digital signature on the certificate by hashing the plaintext portion of the certificate, decrypting the digital signature using the CA public key, and comparing the results. 1. If the results match, then the certificate is verified as being signed by a trusted third party and the verification by the CA that Bob is Bob and Alice is Alice is accepted.

45 Certificates The disadvantages of using trusted third parties relate to key management: A user certificate is compromised (stolen private key). The certificate of the CA is compromised (stolen private key). The CA administrator makes an error (the human factor).