2/26/2019 L06 – Applied Cryptography
APPLIED CRYPTOGRAPHY
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 2
Reading
• Chapter 6 • Wiki pages for various attack strategies
http://en.wikipedia.org/wiki/Rainbow_table http://en.wikipedia.org/wiki/Trusted_Platform_Module
1 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 3
Objectives
• Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 4
Cryptography in Use
• Confidentiality – keep data a secret • Integrity – message not altered in transmission • Authentication – match a user to an account through previously shared credentials • Nonrepudiation – message sender cannot deny that they sent the message Availability (an important security concept is not addressed through cryptography
2 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 5
Two Way Communication
Public Key B Private KeyB
Plaintext Ciphertext Plaintext Encryption Decryption
Ciphertext Plaintext Decryption Encryption
Public Key Private KeyA A
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 6
Hybrid Techniques We cover TLS and SSL in the “Standards & Protocols” session Message Encrypted message
Symmetric Symmetric encryption decryption Symmetric key symmetric key
Public Key Encryption Public key decryption Message
Recipient’s public key Private key
3 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 7
Digital Signatures
• A cryptographic implementation designed to demonstrate authenticity and identity associated with a message • Important in implementing paperless document flow • Based on • hashing codes – assurance of integrity • Asymmetric cryptography – authentication and nonrepudiation
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 8 Digital Signatures
Message Message
Hash function Hash function
Private Message key digest Signature Encryption Signature Decryption Public Actual key digest Expected Vulnerable to collision attacks digest
4 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 9 Note that CDs had no Digital Rights Management (DRM) protection when standardized • Addresses protection of electronic copyright material • Analog or print material was much more difficult to copy and distribute • Many attempts at digital copyright protection have failed • DVD Content Scramble System (CSS) – encryption algorithm licensed to every DVD player Hackers usually identify • AACS –Blu-Ray disks use AES keys the keys and distribute • Various game industry approaches on the internet • Recent Satellite TV smart cards have been successful
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 10
Cryptographic Applications
• Filesystem encryption – hard drives are available with built-in AES encryption • Database encryption • 3DES and AES used to encrypt data stored in DB • Protection managed by row and column
5 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 11
Cipher Suites
• A collection of cryptographic functions • Authentication • Symmetric cipher and key size • Hash algorithms • Example – JCA • Java Cryptography Architecture • Interface that can be implemented by commercial SW providers • Set of APIs for various purposes (e.g., encryption, key generation and management, secure random-number generation, certificate validation, etc. )
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 12
A Changing Technology
• Need to be aware of ciphers in use and current status of each • Referred to as strong vs. weak ciphers, based on known attack vulnerabilities • Example • SSL V3 – vulnerable to attack • TLS - currently considered stronger
6 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 13
Key Exchange
• Maintaining the secrecy of the key is a critical part of cryptographic mechanisms • Early exchanges based on trusted couriers • Public key crypto techniques change the problem into one of techniques for key publication
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 14
Key Escrow
• How can users guard against loss of a key • Could lead to critical data not being accessible • Key escrow is the practice of keeping a key with a trusted third party (e.g., law enforcement) • An issue subject to debate
7 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 15
Cryptographic Applications
• A few applications can be used to encrypt data conveniently on your personal computer. • Pretty Good Privacy (PGP) • TrueCrypt is an open source solution for encryption. • FreeOTFE offers “on-the-fly” disk encryption as an open source. • GnuPG, or Gnu Privacy Guard, is an open source implementation of the OpenPGP standard.
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 16
Steganography
• Offshoot of cryptography technology • Greek word steganos, meaning secret writing • Commonly hiding text or an image within an image file • Images do not attract attention. • Applications • Digital watermark (anti-piracy) • Secret communications • Difficult to detect • Tools to detect steganography: • Stegdetect, StegSecret, SegSpy, and SARC tools
8 2/26/2019 L06 – Applied Cryptography
© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 17
Have You Achieved the Objectives?
• Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods
9