Cryptographic Methods: Why Use Cryptography?
Total Page:16
File Type:pdf, Size:1020Kb
Cryptographic methods: Why use cryptography? PacNOG I Workshop Can offer genuinely secure solutions to important security problems Presented by Hervey Allen Some governments forbid it Materials originally by Confidentiality Brian Candler ¡ Can I be sure no-one else can see my data? (e.g. sniffing) ¡ Integrity Recommended reading: Has my data been modified? Applied Cryptography, Bruce Schneier ¡ Authentication 1. "Private key" or "symmetric" We assume an eavesdropper is ciphers able to intercept the ciphertext How can they recover the cleartext? cipher text clear clear text k k text The same key is used to encrypt the document before sending and decrypt it at the far end Examples of symmetric ciphers Features of symmetric ciphers DES - 56 bit key length, designed by US Fast to encrypt and decrypt, suitable for security service large volumes of data 3DES - effective key length 112 bits A well-designed cipher is only subject to brute-force attack; the strength is AES (Advanced Encryption Standard) - 128 therefore directly related to the key length to 256 bit key length Current recommendation is a key length of at least 90 bits Blowfish - 128 bits, optimised for fast ¡ i.e. to be fairly sure that your data will be safe operation on 32-bit microprocessors for at least 20 years http://www.schneier.com/paper-keylength.html IDEA - 128 bits, patented (requires a licence for commercial use) Problem - how do you distribute the keys? 2. "Hashing" - one-way Examples encryption ¡ Unix crypt() function, based on DES ¡ MD5 (Message Digest 5) - 128 bit hash ¡ SHA1 (Secure Hash Algorithm) - 160 bits ¡ Collisions have been found for SHA1/MD5. Some Fixed length "hash" discussions here: hashing http://en.wikipedia.org/wiki/SHA-1 clear or "message digest" http://www.cits.rub.de/MD5Collisions/ function http://www.schneier.com/blog/archives/2005/03/more_hash_funct.html text ¡ Almost no two documents have been discovered Munging the document gives a short which have the same MD5 digest "message digest" (checksum). Not possible to go ¡ So far, no feasible method to create any document back from the digest to the original document. which has a given MD5 digest So what use is that? Exercise a. Integrity checks Exercise: on your machine type You can run many megabytes of data ¡ through MD5 and still get only 128 bits to cat /etc/motd check Look at your neighbour's machine. Is their file exactly the same as yours? Can you be It is difficult for an attacker to modify your sure? file and leave it with the same MD5 checksum md5sum /etc/motd Compare the result with your neighbour Gives your document an almost unique "fingerprint" Now change ONE character in /etc/motd and repeat the md5sum test Software announcements often So what use is that? contain an MD5 checksum b. Encrypted password storage ¡ It's trivial to check We don't want to keep cleartext passwords if possible; the password file would be far too Protects you against hacked FTP servers attractive a target and download errors ¡ Store hash(passwd) in /etc/master.passwd (shadow password in Linux) $ md5 exim-4.50_1.tbz MD5 (exim-4.50_1.tbz) = 1884ca8e48536a087b86c279de5c9e69 ¡ $ When user logs in, calculate the hash of the password they have given, and compare it to the hash in the password file Two Considerations: 1. Could the attacker have modified the original email ¡ If the two hashes match, the user must have announcment? entered the correct password 2. You need to keep the md5sum file on a separate server from the software being downloaded. ¡ Can an attacker still recover the password? So what use is that? Generating encryption keys c. Generating encryption keys for symmetric ciphers ¡ Users cannot remember 128 bit binary encryption keys ¡ However they can remember "passphrases" Passphrase 128-bit ¡ entered by A hash can be used to convert a passphrase into a user key fixed-length encryption key MD5 hash ¡ The longer the passphrase, the more "randomness" it contains and the harder to guess. English text is typically only 1.3 bits of randomness per character. Every passphrase generates a http://www.cranfield.ac.uk/docs/email/pgp/pgp-attack-faq.txt different 128-bit key http://www.schneier.com/paper-personal-entropy.html Example: 3. "Public key" ciphers GPG with symmetric cipher # vi foobar.txt # gpg -c foobar.txt Enter passphrase: ding/dong 479 fruitbat Repeat passphrase: ding/dong 479 fruitbat cipher # ls foobar.txt* text foobar.txt foobar.txt.gpg clear clear # rm foobar.txt text text rm: remove regular file `foobar.txt'? y k1 k2 # gpg foobar.txt.gpg (public key) (private key) gpg: CAST5 encrypted data Enter passphrase: ding/dong 479 fruitbat (public key) (private key) # cat foobar.txt One key is used to encrypt the document, a different key is used to decrypt it ("gpg --version" shows the ciphers available) Public key and Private key Use for authentication: reverse the roles of the keys The Public key and Private key are mathematically related (generated as a pair) It is easy to convert the Private key into the cipher Public key. It is not easy to do the reverse. text clear clear text text Key distribution problem is solved: you can k2 k1 post your public key anywhere. People can use it to encrypt messages to you, but only (private key) (public key) the holder of the private key can decrypt them. If you can decrypt the document with the public key, it proves it was written by the Examples: RSA, Elgamal (DSA) owner of the private key (and was not changed) Key lengths Protecting the private key* Attacks on public key systems involve The security of the private key is paramount: mathematical attempts to convert the keep it safe! public key into the private key. This is more Keep it on a floppy or a smartcard? efficient than brute force. Prefer to keep it encrypted if on a hard drive 512-bit has been broken That means you have to decrypt it (using a Recent developments suggest that 1024-bit passphrase) each time you use it keys might not be secure for long An attacker would need to steal the file containing the private key, AND know or Recommend using 2048-bit keys* guess the passphrase. *http://www.rsasecurity.com/rsalabs/node.asp?id=2218 *Some disagree with this notion... Protecting the private key Public key cryptosystems are important But they require a lot of computation symmetric k cipher (expensive in CPU time) 2 k2 (encrypted ready So we use some tricks to minimise the on disk) for use amount of data which is encrypted key Passphrase entered by user hash When encrypting: When authenticating: Use a symmetric cipher with a random key Take a hash of the document and encrypt (the "session key"). Use a public key cipher only that. An encrypted hash is called a to encrypt the session key and send it along "digital signature" with the encrypted document. hash hash cipher ks text ks random COM PARE session key s encrypted s digital session key signature (public) (private) (private) (public) k1 k2 k2 k1 Digital Signatures have many Do public keys really solve the uses, for example: key distribution problem? E-commerce. An instruction to your bank Often we want to communicate securely to transfer money can be authenticated with a remote party whose key we don't with a digital signature. know ¡ Legislative regimes are slow to catch up We can retrieve their public key over the A trusted third party can issue declarations network such as "the holder of this key is a person who is legally known as Alice Hacker" But what if there's someone in between ¡ like a passport binds your identity to your face intercepting our traffic? Such a declaration is called a "certificate" public key You only need the third-party's public key to check the signature The "man in the middle" attack Digital Certificates can solve the Passive sniffing is no problem man-in-the-middle problem Problem: I have no prior knowledge of the But if they can modify packets, they can remote side's key substitute a different key But someone I trust can check who they The attacker uses separate encryption keys are to talk to both sides The trusted third party can vouch for the You think your traffic is secure, but it isn't! remote side by signing a certificate which contains the remote side's name and key 1 key 2 public key I can check the validity of the certificate Attacker sees all traffic in plain text using the trusted third party's public key - and can modify it! Example: TLS (SSL) web server When a client's web browser with digital certificate connects to me with HTTPS: ¡ I generate a private key on my webserver They negotiate an encrypted session with ¡ me, during which they learn my public key I send my public key plus my identity (my webserver's domain name) to a certificate I send them the certificate authority (CA) ¡ The CA manually checks that I am who I say I am, They verify the certificate using the CA's i.e. I own the domain public key, which is built-in to the browser ¡ They sign a certificate containing my public key, If the signature is valid, the domain name my domain name, and an expiration date (Q: why in the URL matches the domain name in is an expiration date included?) the certificate, and the expiration date has ¡ not passed, they know the connection is I install the certificate on my web server secure The security of TLS depends on: PGP takes a different view Your webserver being secure We don't trust anyone except our friends ¡ So nobody else can obtain your private key (especially not big corporate monopolies) The CA's public key being in all browsers You sign your friends' keys to vouch for them The CA being