Upload
israel-marcus
View
121
Download
0
Embed Size (px)
Citation preview
What is Encryption? תשס"ט
What is Encryption ?
Encryption (enciphering) transforms original information (plaintext) into cipher text (cipher)
The transformed information is called cryptogram
The technique or rules used for encryption are calledencryption algorithm
Encryption provides:
the Confidentiality (keep the information confidential)
the Integrity (keep the accuracy of the information)
the Authenticity (information comes from an authentic source) of a message
Two Basic Types of Encryption
Transposition Ciphers
rearrange the order of the bits or the characters
NUCLEAR → LUCNARE
Substitution Ciphersreplace the actual bits or the characters
with substitutes (next letter in the alphabet) NUCLEAR → OVDMFBS
A Bible Cipherא-ת-ב-ש
a substitution cipher
איך נלכדה ששך, ותתפש תהלת כל הארץ נ"א, מ"א( )ירמיהו
ששך = בבל
Julius Caesar EncryptionA substitution cipher
Susceptible to frequency analysis and brute force attacks
The Vigenère Cipher
French diplomat of the 16th century who invented a substitution cipher using a keyword
Yet easy to crack using the frequency analysis technique
The Enigma MachineA substitution cipher using a set of rotating wheels
Used in WW II by the Germans (U-Boote) and the Japanese
Code was cracked by the Allies in 1941(Alan Turing & Polish mathematicians)
Poor assumption: letters in plain text should not be substituted for the same letter in cipher text
The Protagonists
Alice (wants to talk securely with Bob)
Bob (Alice’s friend)
Eve (eavesdropping the conversation)
Mallory (a malicious person)
Plain text: Bob → Alice “I love you”Cipher text: Nkn → Mgsbc “S gktc wky”
In “Real” Life: Who Are Alice & Bob ?
Web browser/server for electronic transactions (credit cards etc.)
On-line banking applications Routers exchanging tables updates Corporate VPN (virtual private network) E-mails B2B or B2U Wireless connections to the network
There are bad guys out there
What can they (Eve and Mallory) do ?
Eavesdropping (intercept the message)
Spoof the message (faking source or content)
Hijack the communication (insert himself)
Denial of Service (overloading resources)
Sniffing (Packet Analyzing)
Sniffers can capture the packets across the network and analyze their content
Spoofing
Receiver “A” can’t tell if source is spoofed
Modern Ciphers
Four cryptographic primitives:
1. Random number generationused to generate keys
2. Symmetric encryption (private keys) same secret key is used to encrypt and decrypt information
3. Asymmetric encryption (private/public keys)two keys are used: a public key and a private key, each user has both a public key (published) and a private key (secret), public and private key are mathematically related:encrypt with sender’s private key, decrypt with sender’s public key encrypt with recipient’s public key, decrypt with recipient’s private key
4. Hash functionstakes a message of any size and computes a smaller fixed-size message called a digest (used to store passwords and signatures)
Symmetric Key Algorithms
2 types of algorithms used
Stream Cipher: plain text is processed as a stream of data
Block Cipher: plain text is processed through blocks with additional measures to avoid repeating blocks
Diffie-Hellman Shared Symmetric Key Before 1975, all encryption forced the sender and receiver to have the same key
If a thousand users had to share secrets with each other, using a secret-key system, they needed half a million shared-keys (1000 x 1000) / 2 = 500’000 keys
Diffie-Hellman proposed in 1975 a way to exchange secret keys across an unsecured communication channel
How does it work ? First assume that everybody has a three-liter bucket of yellow paint (the shared public encryption key)
If Alice and Bob want to agree on a secret key, each of them adds one liter of their secret color to their own bucket (Alice: pink, Bob: red)
Finally, Alice takes Bob’s mixture and add her secret color and Bob takes Alice’s mixture and adds his own secret color
Alice ends up with yellow + pink + red and Bob with yellow + red + pink in his bucket (the shared secret encryption key)
We have confidentiality but not authentication (everybody has a yellow color bucket)
Asymmetric Keys (public & private)
Encrypting with private key, decrypting with public key provides
authenticity without confidentiality (anyone can access the public key)
Encrypting with public key, decrypting with private key providesconfidentiality without authenticity (anyone can access the public key)
Solution: use a mixture of both (double encryption) for the digital signature and the public key for the message (confidentiality)
Public Key Cryptography
RSA Algorithm For Key Generation Based on large prime numbers:
1. Choose two large prime numbers p, q2. Compute n = pq and z = (p - 1)(q - 1)3. Choose e (e < n) that has no common factors with z
(e and z are relatively prime)4. Choose d such that ed – 1 is exactly divisible by z
i.e. ed (mod z) = 15. Public key KB
+ is (n,e) ; private key KB- is (n,d)
6. Encrypt m with c = me (mod n)7. Decrypt c as m = cd (mod n)
This works because: m = [me (mod n)]d (mod n)
Example of RSA Key Generation
Bob chooses p = 5 and q = 71. then n = 5 * 7 = 35 and z = (5-1)*(7-1) = 242. e = 5 (relatively prime to z)3. d = 29 (ed-1 = 144 exactly divisible by z)4. encrypt the letter l (m = 12):
me = 125 = 248’832c = me (mod n) = 248’832 (mod 35) = 17
5. decrypt (c =17):m = cd (mod n) = 1729 (mod 35) = 4.819686 *1035 (mod 35) = 12
Receiver’s public key
Sender’s public key
` `
Sender’s private key
Receiver’s private key
InternetSenderAlice
ReceiverBob
Get the re
ceiver’s public key
Get the sender’s public key
Encrypt the entire message using the receiver’s public key
Encrypt the signature with the sender’s private key and the receiver’s public key
Signature is double encrypted to ensure confidentiality & authentication
Some Useful Acronyms DES: Data Encryption Standard (60’s – 70’s), improved with triple DES (IBM 1978)
Diffie & Hellman: algorithm for key exchange (1976)
Kerberos: authentication mechanism using authentication and ticket granting server
RSA: Rivest, Shamir & Adleman algorithm, using large prime numbers for the generation of the keys (1982)
X509: International Standard for Certificates (1988)
FIPS140-2: Federal Information Processing Standard (2001)
AES-256: Advanced Encryption Standard (2002), a sophisticated block cipher algorithm
PKI: Public Key Infrastructure
TLS: Transport Layer Security, used for secure Web connections
IPsec: Protocol suite based on IP and encryption standards for use in VPN
IBE: Identity Based Encryption, a simplified method for B2U E-mail encryption
S/MIME: (Secure Multipurpose Internet Mail extensions), for B2B E-mail encryption
PGP: (Pretty Good Privacy), for B2B and B2U E-mail encryption
Some Israeli Cryptographers
Prof. Adi Shamir (Weizmann Institute)
Prof. Dan Boneh (Stanford University)
SSL (Secure Sockets Layer) & TLS (Transport Layer Security)
TLS provides connection securityensuring that the connection is both encrypted and authenticated
Counterparty’s identity is authenticatedusing asymmetric keys
Exchange of the secret symmetric session key is secure
No attacker can modify the negotiated communication without being detected
The SSL Handshake
Certificate Authority (CA) Repository of public keys used for
encrypted connections
Certificate Sample
E-Learning uses TLS
Aventail uses TLS (access the VPN)
Yet another way to access the VPN:Two-Factor Authentication (PIN + Token)
VPN uses IPsec, TLS and RSA
E-mail & Web Security Appliance
Enables to send encrypted E-mails toa particular destination using TLS
ePO server - agent communication uses digital signature(self-signed certificates)
ePO Agent
Hos
t Com
plia
nce
Ant
i-Viru
s
Ant
i-Spy
war
e
Des
ktop
FW
Hos
t IPS
NA
C
Hos
t DLP
Rem
edia
tion
ePOManagementConsole
NetworkVM
SecureGateway
Network IPS
Data LossPrevention
Total Protection…futuretechnologies
ComplianceReporting
HostCompliance
Remediation
Endpoint Device Encryption
Device encryption for PC/Laptop Device encryption for PDA’s Device encryption for Tablet PC
Uses FIPS 140 certified AES-256 algorithm
Encrypted USB Manager
Uses FIPS140-2 certified AES-256 encryption
Wireless 802.11b (Wi-Fi)
Uses radio frequencies (2.4 GHz) Transmission speed 5.5 Mbps (new 54 Mbps)
WEP (Wired Equivalent Privacy) uses a shared key between the mobile station and the base, but has security loopholes
IEEE 802.11i addresses the WEP weaknesses, uses AES and block cipher to encrypt the wireless communication
IronMail from Secure Computing
Policy-Based Protection for Outbound Messages
Business-to-Business (B2B) Encryption – SSL/TLS: Secure Sockets Layer – S/MIME: Secure Multipurpose Internet Mail Extensions – OpenPGP: Pretty Good Privacy for businesses
Business-to-Users (B2U) Encryption– Secure Mail Encryption / Push : attachment with password– Secure Mail Encryption / Pull : mail is in a secure Web site– Voltage IBE Server: Identity Based Encryption– PGP Universal: Pretty Good Privacy for private users
IronMail Compliance Server
World War III via Encrypted E-mail