1. Network Security: Standards and Cryptography
   Jack Davis

2. The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Network Data Security (No Excuses!)

3. Too Frequent
   - "Bank of America says at least 1.2 million federal employee credit card accounts may be exposed to theft or hacking." (Time, Feb 25, 2005)
   - "40M credit cards hacked. Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards." (CNN Money, July 27, 2005)
   - "Data Losses Hit Four More. Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list ...." (June 22, 2006)
   - http://www.privacyrights.org/ar/ChronDataBreaches.htm

4. Technical Pillars of Data Security
   Two pillars: Data Integrity and Information Protection. Topics covered:
   - Cryptographic Hashing
   - Data Encryption: Symmetric-Key Encryption, Asymmetric-Key Encryption
   - HTTPS: Transport Layer Security (TLS), Secure Sockets Layer (SSL)
   - Email, attachment, and Instant Message Protection
   - Server File and Folder Security
   - Digital Signatures
   - X.509 Digital Certificates
   - Digital Rights Management

5. Data Integrity
   How can we know if data transferred across a network or stored on a server hasn't changed? Changes to data can occur due to either:
   - Simple physical loss (lost bits during transfer or on a physical store)
   - Intentional malicious "hacker" action (a database of student grades is always a prime target)

6. Data Integrity: Checksums and CRCs
   - "I agree to pay $5000 in 2 years."   CRC32 = xFFE
   - "I agree to pay $500 in 20 years."   CRC32 = xFFE
   Oops: two different messages, the same CRC.

7. Checksums and CRCs
   - Easy to calculate.
   - Useful in detecting bit errors in transmission or storage.
   - Can be used in non-security applications.
   - Not good for detecting intentional or malicious changes.
   - Not suitable for security.

8. Two Types of "Hash" Functions
   - Hash functions for Hash Tables (see CSS 343)
   - Hash functions for "digital fingerprints": Cryptographic Hashes (aka "message digests", "message signatures")

9. Cryptographic Hash Properties
   - One Way: Given h, it should be very hard (impossible) to recompute the original m, where h = hash(m).
   - Unique: Different message data should never generate the same hash. Given two different data messages m1 and m2, hash(m1) != hash(m2).
   - Fixed Length: Regardless of the length of the data message, the hash value for a given algorithm is always fixed-length. Algorithms: 128, 160, 256, 512 bits.

10. Cryptographic Hash Examples
   Zero-length data:
     SHA1("") = DA39A3EE 5E6B4B0D 3255BFEF 95601890 AFD80709   // = 20 bytes (160 bits)
   Simple string ("Avalanche Effect"):
     SHA1("The quick brown fox jumps over the bog.") = E66BEDD4 E0B96081 01F86FE8 4A9B91D2 A3EA0D14   // = 20 bytes (160 bits); 'b' = x62
     SHA1("The quick brown fox jumps over the cog.") = 68B51796 CB6A01AF FBECA374 56C72F83 76D67BF4   // = 20 bytes (160 bits); 'c' = x63
   A 1-bit change in the input ('b' to 'c') produces a completely different hash.
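The fixed-length and avalanche properties from slides 9 and 10, checked with Go's standard library. This is an added example, not part of the deck; it reuses the slide's "bog"/"cog" strings and counts how many of the 160 digest bits change after the 1-bit input change.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Fingerprint returns the SHA-1 digest of msg as hex. Whatever the input
// length (even zero), the digest is 20 bytes / 160 bits: the fixed-length property.
func Fingerprint(msg string) string {
	sum := sha1.Sum([]byte(msg))
	return hex.EncodeToString(sum[:])
}

// Fingerprint256 does the same with SHA-256, whose digest is 32 bytes / 256 bits.
func Fingerprint256(msg string) string {
	sum := sha256.Sum256([]byte(msg))
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts the bits that differ between two equal-length byte strings.
func DifferingBits(a, b []byte) int {
	n := 0
	for i := 0; i < len(a) && i < len(b); i++ {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// AvalancheBits returns how many of the 160 SHA-1 digest bits differ between
// two inputs; for a good hash about half of them flip even for a 1-bit input change.
func AvalancheBits(m1, m2 string) int {
	d1, _ := hex.DecodeString(Fingerprint(m1))
	d2, _ := hex.DecodeString(Fingerprint(m2))
	return DifferingBits(d1, d2)
}

func main() {
	bog := "The quick brown fox jumps over the bog." // same strings as the slide
	cog := "The quick brown fox jumps over the cog."
	fmt.Println("SHA1(\"\") =", Fingerprint(""))
	fmt.Println("input bits changed: ", DifferingBits([]byte(bog), []byte(cog)))
	fmt.Println("digest bits changed:", AvalancheBits(bog, cog), "of 160")
	fmt.Println("SHA-256 hex length:", len(Fingerprint256(bog)))
}
```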
11. Applications of Cryptographic Hashes
   - Password storage and validation (only the hash of the password is stored)
   - Verifying message integrity
   - Verifying file integrity
   - Digital Certificates (digital authentication)
   - Digital Signatures
   - Rights Management

12. Digital Signature using a Cryptographic Hash
   - The signer's "public key" is used to decrypt the digital signature.
   - When the decrypted digital signature matches the document hash, the document is unaltered and the signature is valid.

13. Common Cryptographic Hash Algorithms
   MD = Message Digest; SHA = Secure Hash Algorithm

   Hash Algorithm   Hash Size bits (bytes)   Date Published   Collisions (Cracked)
   MD4              128 (16)                 1990 RFC1186
   MD5              128 (16)                 1992 RFC1321
   SHA-0            160 (20)                 1993
   SHA-1            160 (20)                 1995 RFC3174
   SHA-256          256 (32)                 2002 RFC4634
   SHA-512          512 (64)                 2002 RFC4634

14. Information Protection through Data Encryption
   - Symmetric-Key Encryption (Private-Key Encryption): the same key is used to both encrypt and decrypt.
   - Asymmetric-Key Encryption (Public/Private-Key Encryption): two different keys, one used to encrypt and the other used to decrypt.
   - Common property of encryption: Encrypted message size = Clear-text message size (there's no size penalty for encrypting data).

15. Symmetric-Key Algorithms
   - DES, Data Encryption Standard
   - Triple-DES, DES applied three times (key 168 bits = 3 x 56 bits)
   - FIPS, Federal Information Processing Standard
   - AES, Advanced Encryption Standard (more secure, 6x faster than Triple-DES)
   - NSA rates AES-128 for "SECRET", AES-192 and AES-256 for "TOP SECRET".

   Encryption Algorithm   Key Size bits (bytes)   Date Published   Date Withdrawn
   DES                    56 (7)                  1976 FIPS46      1999
   Triple-DES             168 (21)                1999 FIPS46-3    2005
   AES                    128, 192, 256           2001 FIPS197

16. The Problem with Symmetric-Key Encryption
   If you want to send encrypted data, how do you get the key to the other party?

17. Asymmetric-Key Encryption
   - Also known as "Public-key", "Public/Private-key", or "RSA*" encryption.
   - Uses two different keys: one "public-key" and one "private-key".
   - The public-key and private-key pairs can be used in different ways to perform different operations.
   *RSA, from the last-name initials of the original inventors Ron Rivest, Adi Shamir, Len Adleman.

18. Asymmetric-Key Creation
   - A large random number is used to seed the Key-Making function. (In Windows, keys can be created manually with the sn.exe utility.)
   - The Key-Making function creates two keys, a "public-key" and a "private-key".

19. Sending Encrypted Data
   - Public-keys can be freely distributed.
   - If someone wishes to send private data, the sender encrypts the data using the recipient's public-key.
   - Only the recipient's private-key can decrypt the data (secrecy depends on the security of the private-key).

20. Encrypting Digital Signatures
   - The use of public and private keys can also be reversed, such as for digital signatures.
   - The signer encrypts the document with the private-key.
   - Using the signer's public-key, recipients can decrypt to view the original signed document.

21. Signing a Document versus Signing a Hash
   Document hashes can also be used for signing: the signer encrypts the hash of the document rather than the whole document.
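Slides 12, 20 and 21 put together as an added Go example (not from the deck): the signer hashes the document with SHA-256 and signs that hash with an RSA private key; the verifier recomputes the hash and checks the signature with the public key. The key pair and the contract text are constructed for the example, and PKCS#1 v1.5 with SHA-256 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates a fresh 2048-bit RSA key pair (the "Key-Making function"
// of slide 18, seeded here from the operating system's random source).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignDocument hashes the document and signs the 32-byte hash with the private
// key. Signing the hash instead of the whole document keeps the signature a
// fixed 256 bytes regardless of document size.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the hash and uses the signer's public key to check
// that the signature corresponds to it. True means the document is unaltered
// and the signature was made with the matching private key; any change to the
// document (even "$5000" to "$500") or a different key yields false.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("I agree to pay $5000 in 2 years.") // constructed contract text
	sig, err := SignDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyDocument(&priv.PublicKey, doc, sig))
	tampered := []byte("I agree to pay $500 in 20 years.")
	fmt.Println("tampered verifies:", VerifyDocument(&priv.PublicKey, tampered, sig))
}
```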
22. The Problem with Asymmetric-Key Encryption
   - If Asymmetric-Key Encryption is so flexible, why bother with Symmetric-Key Encryption at all?
   - Asymmetric-Key encryption is 1000+ times slower than Symmetric-Key encryption!
   - What to do now?

23. Combining Asymmetric and Symmetric Encryption
   - Asymmetric Encrypt: use Asymmetric Encryption to encrypt and exchange a shared Symmetric-Key.
   - Symmetric Encrypt: use Symmetric Encryption to then encrypt and exchange data.

24. PGP Encryption (Pretty Good Privacy)
   RFC2440: PGP is an open standard that can be used to encrypt and decrypt data for a wide variety of uses:
   - Email messages and attachments
   - Digital Signatures
   - Full disk encryption
   - File and folder security
   - File transfer encryption
   - Web server files and folders
   PGP uses a combination of Symmetric-Key cryptography together with Asymmetric-Key cryptography, using public-keys stored on publicly accessible "key servers".

25. Steps in PGP Encryption/Decryption
   1. The sender creates a "session-key" that is used to encrypt the message data using Symmetric encryption such as AES.
   2. The sender uses the recipient's "public-key" to encrypt the "session-key" through Asymmetric encryption.
   3. Both the Symmetric-encrypted message data and the Asymmetric-encrypted "session-key" are sent to the recipient.
   4. Using their "private-key", the recipient decrypts the asymmetric-encrypted "session-key".
   5. Using the decrypted "session-key", the recipient then decrypts the symmetric-encrypted message data.
   (The above operations are performed automatically within PGP.)
26. Transport Layer Security (TLS) & Secure Sockets Layer (SSL) Protocols
   - Negotiation: the two sides agree on the algorithms to use (Asymmetric-Key algorithms, Symmetric-Key algorithms, Hash algorithms).
   - Asymmetric Encryption: certificate-based authentication; asymmetric encryption and exchange of a Symmetric "session-key".
   - Symmetric Encryption: bulk message and data exchange using the Symmetric "session-key" to encrypt/decrypt.

27. Security Guidelines
   - For storage, encrypt sensitive data using a Symmetric-Key cipher such as AES.
   - Remember: HTTPS (TLS/SSL) only guarantees security during transport. Unless somehow further protected (encrypted), information stored at either the source or destination is susceptible to attack and access.
   - To exchange a Symmetric-Key, encrypt it using your Asymmetric "private-key".
   - Do not store keys in code. Do not store keys in plain text. Password-encrypt any file containing keys and place it on removable media.
   - Use a cryptographic hash, such as SHA-1, to verify data integrity or as a Digital Signature.

28. Pillars of Data Security
   - Data Integrity: Cryptographic Hashing
   - Information Protection: Data Encryption (Symmetric-Key Encryption, Asymmetric-Key Encryption)
Editor's Notes

  • #18 to #22: Under Windows in C#, the RSA and RSACryptoServiceProvider classes provide key-pair creation and RSA encryption/decryption functionality. Symmetric encryption is supported through the DES, TripleDES, and AES classes. In Windows, "sn -k <filename>" can be used to create key pairs, or they can be created programmatically through the RSA and RSACryptoServiceProvider classes.
  • #26, #28: "Shared-Key" aka "session-key". Using symmetric together with asymmetric encryption is beneficial since symmetric encryption is 1000+ times faster than asymmetric encryption.