2/26/2019 L06 – Applied Cryptography

APPLIED CRYPTOGRAPHY

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 2

Reading

• Chapter 6 • Wiki pages for various attack strategies

http://en.wikipedia.org/wiki/Rainbow_table http://en.wikipedia.org/wiki/Trusted_Platform_Module

1 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 3

Objectives

• Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 4

Cryptography in Use

• Confidentiality – keep data a secret • Integrity – message not altered in transmission • Authentication – match a user to an account through previously shared credentials • Nonrepudiation – message sender cannot deny that they sent the message Availability (an important security concept is not addressed through cryptography

2 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 5

Two Way Communication

Public Key B Private KeyB

Plaintext Ciphertext Plaintext Encryption Decryption

Ciphertext Plaintext Decryption Encryption

Public Key Private KeyA A

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 6

Hybrid Techniques We cover TLS and SSL in the “Standards & Protocols” session Message Encrypted message

Symmetric Symmetric encryption decryption Symmetric key symmetric key

Public Key Encryption Public key decryption Message

Recipient’s public key Private key

3 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 7

Digital Signatures

• A cryptographic implementation designed to demonstrate authenticity and identity associated with a message • Important in implementing paperless document flow • Based on • hashing codes – assurance of integrity • Asymmetric cryptography – authentication and nonrepudiation

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 8 Digital Signatures

Message Message

Hash function Hash function

Private Message key digest Signature Encryption Signature Decryption Public Actual key digest Expected Vulnerable to collision attacks digest

4 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 9 Note that CDs had no Digital Rights Management (DRM) protection when standardized • Addresses protection of electronic copyright material • Analog or print material was much more difficult to copy and distribute • Many attempts at digital copyright protection have failed • DVD Content Scramble System (CSS) – encryption algorithm licensed to every DVD player Hackers usually identify • AACS –Blu-Ray disks use AES keys the keys and distribute • Various game industry approaches on the internet • Recent Satellite TV smart cards have been successful

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 10

Cryptographic Applications

• Filesystem encryption – hard drives are available with built-in AES encryption • Database encryption • 3DES and AES used to encrypt data stored in DB • Protection managed by row and column

5 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 11

Cipher Suites

• A collection of cryptographic functions • Authentication • Symmetric cipher and key size • Hash algorithms • Example – JCA • Java Cryptography Architecture • Interface that can be implemented by commercial SW providers • Set of APIs for various purposes (e.g., encryption, key generation and management, secure random-number generation, certificate validation, etc. )

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 12

A Changing Technology

• Need to be aware of ciphers in use and current status of each • Referred to as strong vs. weak ciphers, based on known attack vulnerabilities • Example • SSL V3 – vulnerable to attack • TLS - currently considered stronger

6 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 13

Key Exchange

• Maintaining the secrecy of the key is a critical part of cryptographic mechanisms • Early exchanges based on trusted couriers • Public key crypto techniques change the problem into one of techniques for key publication

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 14

Key Escrow

• How can users guard against loss of a key • Could lead to critical data not being accessible • Key escrow is the practice of keeping a key with a trusted third party (e.g., law enforcement) • An issue subject to debate

7 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 15

Cryptographic Applications

• A few applications can be used to encrypt data conveniently on your personal computer. • Pretty Good Privacy (PGP) • TrueCrypt is an open source solution for encryption. • FreeOTFE offers “on-the-fly” disk encryption as an open source. • GnuPG, or Gnu Privacy Guard, is an open source implementation of the OpenPGP standard.

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 16

Steganography

• Offshoot of cryptography technology • Greek word steganos, meaning secret writing • Commonly hiding text or an image within an image file • Images do not attract attention. • Applications • Digital watermark (anti-piracy) • Secret communications • Difficult to detect • Tools to detect steganography: • Stegdetect, StegSecret, SegSpy, and SARC tools

8 2/26/2019 L06 – Applied Cryptography

© Robert F. Kelly, 2012-2019 ISE331 – Computer Security 17

Have You Achieved the Objectives?

• Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods

9