9 Cryptographical Strength
• Cryptographical strength needed today
• Equivalent cryptographical strength

9.1 NSA Suite B
• NSA Suite B with 128 bit strength
• NSA Suite B with 192 bit strength
• Microsoft Windows with suite B support
• strongSwan VPN solution with suite B support

9.2 Elliptic Curves
• What are elliptic curves?
• Cryptographic applications for elliptic curves
• ECDH, ECDSA, ECIES

9.3 Authenticated Encryption with Associated Data (AEAD)
• Highly parallel encryption and authentication in a single pass
• AES-GCM, AES-CCM, CAMELLIA-GCM, CAMELLIA-CCM
• AES-GMAC (Authentication only with NULL encryption)

9.4 Practical Passwords
• Random passwords with 128 bits of entropy
• Practical passwords


NSA Suite B Homepage
• http://www.nsa.gov/ia/programs/suiteb_cryptography/

Abbreviations
• GOTS Government Off-The-Shelf
• COTS Commercial Off-The-Shelf


Introducing Compliance to Suite B Cryptography
• http://technet.microsoft.com/en-us/library/dd566200%28WS.10%29.aspx

netsh Commands for Windows Firewall with Advanced Security
• http://technet.microsoft.com/en-us/library/cc771920%28WS.10%29.aspx

strongSwan Open Source Project
• http://www.strongswan.org

Suite B Interoperability with Microsoft Windows
• http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB


Cryptographic Applications
• The following ECC algorithms have been defined:
  • ECDH (Elliptic Curve Diffie-Hellman) for secret key exchange
  • ECIES (Elliptic Curve Integrated Encryption Scheme) for public key encryption
  • ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures
• Elliptic curve certificates based on the X.509 standard can either be ordered from several trust centers (e.g. Certicom) or be generated with OpenSSL 0.9.8.
• A set of 5 prime-based elliptic curves has been standardized by NIST: http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf
• Several ECC cipher suites based on the NIST curves have been defined for the TLS secure transport layer and for IPsec.

NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007
• http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

This Recommendation specifies an algorithm called Galois/Counter Mode (GCM) for authenticated encryption with associated data. GCM is constructed from an approved symmetric key block cipher with a block size of 128 bits, such as the Advanced Encryption Standard (AES) algorithm. Thus, GCM is a mode of operation of the AES algorithm.

GCM provides assurance of the confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of the authenticity of the confidential data (up to about 64 gigabytes per invocation) using a universal hash function that is defined over a binary Galois (i.e., finite) field. GCM can also provide authentication assurance for additional data (of practically unlimited length per invocation) that is not encrypted.

If the GCM input is restricted to data that is not to be encrypted, the resulting specialization of GCM, called GMAC, is simply an authentication mode on the input data. In the rest of this document, statements about GCM also apply to GMAC.

The two functions of GCM are called authenticated encryption and authenticated decryption. Each of these functions is relatively efficient and parallelizable; consequently, high-throughput implementations are possible in both hardware and software.

IPsec ESP Overhead: 8 octet IV, 16/12/8 octet authentication tag
• RFC 4106 “The Use of Galois/Counter Mode (GCM) in IPsec ESP”
• RFC 4309 “Using AES CCM Mode with IPsec ESP”
• RFC 4312 “The Camellia Cipher Algorithm and Its Use With IPsec”


Entropy of random passwords
• If we assume that each symbol in a given set of symbols occurs with the same probability, then the entropy per symbol can be computed with the following formula:

Entropy/symbol = log2 (Number of symbols in set) [bits/symbol]

• Example: Set of 16 hexadecimal symbols: 0..9, A..F:

Entropy/symbol = log2 (16) = 4 bits/symbol
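
The formula above applied to the 128-bit target named in the outline, as an added example that is not part of the original slides. It generalizes from the hexadecimal set to other symbol sets and draws each symbol from the operating system's CSPRNG so that the equal-probability assumption actually holds; the function names and the alphabets other than hexadecimal are assumptions made for illustration.

```python
import math
import secrets

# Symbol sets; only HEX comes from the slide, the others are constructed samples.
HEX = "0123456789ABCDEF"
DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
ALNUM = DIGITS + LOWER + LOWER.upper()
ALPHABETS = {"hex": HEX, "digits": DIGITS, "lowercase": LOWER, "alphanumeric": ALNUM}


def entropy_per_symbol(alphabet: str) -> float:
    """Entropy/symbol = log2(number of symbols), valid only for equiprobable symbols."""
    if len(set(alphabet)) != len(alphabet):
        # A repeated symbol would be drawn more often than the others.
        raise ValueError("alphabet contains duplicate symbols")
    if len(alphabet) < 2:
        raise ValueError("alphabet needs at least two symbols")
    return math.log2(len(alphabet))


def symbols_needed(alphabet: str, target_bits: int = 128) -> int:
    """Smallest length L with len(alphabet)**L >= 2**target_bits.

    Exact integer arithmetic avoids float rounding at the boundary.
    """
    entropy_per_symbol(alphabet)  # reuse the validation
    size, length = len(alphabet), 0
    while size ** length < 2 ** target_bits:
        length += 1
    return length


def random_password(alphabet: str, target_bits: int = 128) -> str:
    """Draw every symbol independently and uniformly from the OS CSPRNG."""
    length = symbols_needed(alphabet, target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        bits = entropy_per_symbol(alphabet)
        length = symbols_needed(alphabet)
        print(f"{name:13s} {bits:5.2f} bits/symbol  {length:2d} symbols  "
              f"{random_password(alphabet)}")
```

The length is rounded up, so every set except hexadecimal slightly exceeds 128 bits; a password typed or chosen by a person does not meet the equal-probability assumption and carries less entropy than the formula gives.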
