2/26/2019 L06 – Applied Cryptography APPLIED CRYPTOGRAPHY © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 2 Reading • Chapter 6 • Wiki pages for various attack strategies http://en.wikipedia.org/wiki/Rainbow_table http://en.wikipedia.org/wiki/Trusted_Platform_Module 1 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 3 Objectives • Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 4 Cryptography in Use • Confidentiality – keep data a secret • Integrity – message not altered in transmission • Authentication – match a user to an account through previously shared credentials • Nonrepudiation – message sender cannot deny that they sent the message Availability (an important security concept is not addressed through cryptography 2 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 5 Two Way Communication Public Key B Private KeyB Plaintext Ciphertext Plaintext Encryption Decryption Ciphertext Plaintext Decryption Encryption Public Key Private KeyA A © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 6 Hybrid Techniques We cover TLS and SSL in the “Standards & Protocols” session Message Encrypted message Symmetric Symmetric encryption decryption Symmetric key symmetric key Public Key Encryption Public key decryption Message Recipient’s public key Private key 3 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 7 Digital Signatures • A cryptographic implementation designed to demonstrate authenticity and identity associated with a message • Important in implementing paperless document flow • Based on • hashing codes – assurance of integrity • Asymmetric cryptography – authentication and nonrepudiation © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 8 Digital Signatures Message Message Hash function Hash function Private Message key digest Signature Encryption Signature Decryption Public Actual key digest Expected Vulnerable to collision attacks digest 4 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 9 Note that CDs had no Digital Rights Management (DRM) protection when standardized • Addresses protection of electronic copyright material • Analog or print material was much more difficult to copy and distribute • Many attempts at digital copyright protection have failed • DVD Content Scramble System (CSS) – encryption algorithm licensed to every DVD player Hackers usually identify • AACS –Blu-Ray disks use AES keys the keys and distribute • Various game industry approaches on the internet • Recent Satellite TV smart cards have been successful © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 10 Cryptographic Applications • Filesystem encryption – hard drives are available with built-in AES encryption • Database encryption • 3DES and AES used to encrypt data stored in DB • Protection managed by row and column 5 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 11 Cipher Suites • A collection of cryptographic functions • Authentication • Symmetric cipher and key size • Hash algorithms • Example – JCA • Java Cryptography Architecture • Interface that can be implemented by commercial SW providers • Set of APIs for various purposes (e.g., encryption, key generation and management, secure random-number generation, certificate validation, etc. ) © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 12 A Changing Technology • Need to be aware of ciphers in use and current status of each • Referred to as strong vs. weak ciphers, based on known attack vulnerabilities • Example • SSL V3 – vulnerable to attack • TLS - currently considered stronger 6 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 13 Key Exchange • Maintaining the secrecy of the key is a critical part of cryptographic mechanisms • Early exchanges based on trusted couriers • Public key crypto techniques change the problem into one of techniques for key publication © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 14 Key Escrow • How can users guard against loss of a key • Could lead to critical data not being accessible • Key escrow is the practice of keeping a key with a trusted third party (e.g., law enforcement) • An issue subject to debate 7 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 15 Cryptographic Applications • A few applications can be used to encrypt data conveniently on your personal computer. • Pretty Good Privacy (PGP) • TrueCrypt is an open source solution for encryption. • FreeOTFE offers “on-the-fly” disk encryption as an open source. • GnuPG, or Gnu Privacy Guard, is an open source implementation of the OpenPGP standard. © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 16 Steganography • Offshoot of cryptography technology • Greek word steganos, meaning secret writing • Commonly hiding text or an image within an image file • Images do not attract attention. • Applications • Digital watermark (anti-piracy) • Secret communications • Difficult to detect • Tools to detect steganography: • Stegdetect, StegSecret, SegSpy, and SARC tools 8 2/26/2019 L06 – Applied Cryptography © Robert F. Kelly, 2012-2019 ISE331 – Computer Security 17 Have You Achieved the Objectives? • Learn the elements involved in the correct use of cryptography • Understand cryptography attack methods 9.