Security Systems for Digital Data - Paper

  • 1,418 views
Uploaded on

This is the paper to the presentation I held last year during my exchange semester at the University of Nebraska at Omaha.

This is the paper to the presentation I held last year during my exchange semester at the University of Nebraska at Omaha.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,418
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
22
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Bernhard Hofer CIST 3100 03/10/08 University of Nebraska at Omaha Management Information Systems Spring 2008 Bernhard Hofer Individual Presentation – Security Systems for Digital Data CIST 3100 – Organizations, Applications & Technology Instructor: Victoria Badura Date: 03/10/08 Presentation Assignment Page 1 of 17
  • 2. Bernhard Hofer CIST 3100 03/10/08 Table of Contents Introduction .................................................................................................................... 3 A Brief history about cryptography ................................................................................. 4 Terminology of cryptography.......................................................................................... 6 Encrypting Digital Data................................................................................................... 7 General Information .................................................................................................... 7 Symmetric key system (private key)............................................................................ 8 Block ciphers........................................................................................................... 8 Stream cipher .......................................................................................................... 9 Asymmetric key system (public key)......................................................................... 10 Problems with one way asymmetric encryption ..................................................... 11 The solution .......................................................................................................... 11 The Internet – Big Brother is watching YOU................................................................. 13 Requirements for secure interaction........................................................................... 14 Useful applications.................................................................................................... 15 Protect Your Password .............................................................................................. 16 The Future: Quantum Cryptography.............................................................................. 16 Presentation Assignment Page 2 of 17
  • 3. Bernhard Hofer CIST 3100 03/10/08 Introduction Nowadays, nobody would send important information over the Internet without securing them properly. Nobody? That is the big question of this paper. The Internet is grown to the largest information network in the world and that nearly over night, in the last century. A lot of people use it and don’t think about the consequences it has to send important and/or confidential information over the public network Internet. This paper and the corresponding slides should give an insight into how data could be secured, in particular, how data could be encrypted to use the Internet as an information channel for important data. This document is a combination of the slides and a description of the mentioned topics in more detail. Every information provided in this document is related to a slide of the presentation to show the connection. Furthermore, this presentation is not held for IT specialists and contains no detailed information about the algorithms and background knowledge about ciphering systems. Again, the main purpose of this document is to give an overview of the bandwidth of the field cryptography and how everybody, even for private purposes, could use technology to secure data. To take a single example, the goal is to tell people how to send an encrypted email to other people. By this way, I hope I could galvanize the audience and give some basic information about the most common cipher methods used in the modern information world, the Internet. Presentation Assignment Page 3 of 17
  • 4. Bernhard Hofer CIST 3100 03/10/08 A Brief history about cryptography From the beginning people always want to share information private. Ronald Rivest, the founder of RSA, describes it that way “Encryption is the standard means of rendering a communication private” (R. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, Vol. 21 (2), pp.120–126. 1978). This matter of fact has not changed over the times. One of the first documented use of a form of cryptography was in Egypt’s Old Kingdom over 4.500 years ago. It was a very easy system, but definitely efficient. They used non-standard hieroglyphs to communicate in privacy with each other. As nearly every technological development was made by the military, also this method was used for military purposes. The Greeks of Classical times enhanced cryptography and were the first people, who used a key to encrypt and decrypt messages also known as transcription cipher (Wikipedia, http://en.wikipedia.org/wiki/Transposition_cipher, 03/10/08 9:45am). They Presentation Assignment Page 4 of 17
  • 5. Bernhard Hofer CIST 3100 03/10/08 had a wood stock and wrapped a piece of paper around it. Then a message was written on this piece of paper and after unwrapping it, the message was delivered to the receiver. The receiver had the same wood stick and by wrapping the piece of paper on his stick, the receiver could decrypt the message. The important thing is the usage of a key, which produces a message, which is not readable for anybody without the key. The key in this case is the diameter of the wood stick. Another common technique was to replace a text letter by letter with some fixed number of positions further down the alphabet. This method was called Caesar cipher, because the emperor used it so sent encrypted messages to his generals on the battlefield. For instance, if there is the world “hello”, Caesar replaced each letter with three further down the alphabet. “hello” becomes “khoor” (regarding David Kahn, The Codebreakers — The Story of Secret Writing, 1967). After this early development the next big steps were done during World War I and World War II. Cryptography became a hard science and a lot of new technologies got developed. For example the Enigma machine of the Germans, which was an elaborate system to encrypt and decrypt messages. But the big problem with all these developments was that if the adversary gets the wood stick, knows the number of shifts in the alphabet or has an Enigma machine every message could be decrypted and, of course, wrong messages can be encrypted to confuse the other party. It was not until 1976, however, that in a groundbreaking paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used — a public key and a private key. From this time on, the world of cryptography changed a lot from it’s beginnings and opened the door for a whole bunch of new technologies (Whitfield Diffie and Martin Hellman, “Multi-user cryptographic techniques", AFIPS Proceedings 45, pp109–112, 1976). Presentation Assignment Page 5 of 17
  • 6. Bernhard Hofer CIST 3100 03/10/08 Terminology of cryptography The word cryptography or cryptology derived from Greek κρύπτω kryptó "hidden" and the verb γράφω gráfo "to write" or λέγειν legein "to speak". Which has a combined meaning of “secret writing” (Liddell and Scott's Greek-English Lexicon, Oxford University Press, 1984). There are some other important terms provided on this slide above. “Until modern times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (ciphertext)” (David Kahn, The Codebreakers — The Story of Secret Writing, 1967). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher is a pair of algorithms, which creates the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideally, known only to the communicants) for a specific message exchange Presentation Assignment Page 6 of 17
  • 7. Bernhard Hofer CIST 3100 03/10/08 context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks (regarding Wikipedia, http://en.wikipedia.org/wiki/Cryptography, 03/10/08 10:23am). Encrypting Digital Data General Information Again I would like to cite Ronald Rivest, who said that “Cryptography is about communication in the presence of adversaries” (Ronald Rivest, "Cryptography" From the Handbook of Theoretical Computer Science, edited by J. van Leeuwen, Elsevier Science Publishers B.V., 1990). Modern cryptography is spliced into two big parts of how to encrypt data. At the one hand there are symmetric methods. By this method both, the sender and the receiver, share the same key to encrypt and decrypt a message. “This was the only kind of encryption publicly known until June 1976” (Whitfield Diffie and Martin Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644–654). On the other hand there are the asymmetric methods, which consists of two different keys. These two different keys are mathematically related to each other, but you can’t encrypt and decrypt a message with only one of them. On the following pages, these two methods are described in more detail. Presentation Assignment Page 7 of 17
  • 8. Bernhard Hofer CIST 3100 03/10/08 Symmetric key system (private key) As mentioned before, the sender and the receiver share the same key. The big advantage of this method is that it is very fast and don’t need a lot of hardware resources. On the other side the really big disadvantage is that if the key get lost or fall into the wrong hands, this method is not secure any more. There are two methods how to encrypt/decrypt a message with symmetric key systems, in particular block and stream ciphers. Block ciphers A block cipher is a symmetric key cipher, which operates on fixed-length groups of bits, with an unvarying transformation. When encrypting, a block cipher might take a (for instance) 128-bit block of plaintext as input, and output a corresponding 128-bit block of Presentation Assignment Page 8 of 17
  • 9. Bernhard Hofer CIST 3100 03/10/08 cipher text. The exact transformation is controlled using a second input — the secret key. The decryption process is similar, the decryption algorithm takes, in this example, a 128- bit block of cipher text together with the secret key, and yields the original 128-bit block of plaintext. To encrypt messages longer than the block size (128 bits in the above example), a mode of operation is used (regarding Wikipedia, http://en.wikipedia.org/wiki/Block_ciphers, 03/10/08 11:43am). The most common block cipher systems are DES, AES, IDEA, Camellia and Twofish. Stream cipher A stream cipher is a symmetric cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, the digits are typically single bits or bytes (regarding Wikipedia, http://en.wikipedia.org/wiki/Stream_cipher, 03/10/08 11:43am). An example is the following: Plaintext: Hello Cipher: cist Cipher text: Kne fr The really big problem with stream cipher is that if you have the plaintext and the cipher text it is very easy to find out the cipher algorithm and/or the key, which is used. This problem is very relevant on WEP encryption standard for Wireless LAN. The most common stream cipher systems are RC4, SEAL, A5 and Bluetooth-Standard E0. Presentation Assignment Page 9 of 17
  • 10. Bernhard Hofer CIST 3100 03/10/08 Asymmetric key system (public key) As mentioned before, the Asymmetric key system was founded by Diffie and Hellman in 1976 an opened a completely knew understanding how to encrypt data. This system uses two different keys, which are mathematically related to each other. There is the so-called public key and the private key. This method is deeply based on mathematic and needs a lot of more hardware resources than the symmetric key system. By this matter of fact, asymmetric key systems are very slow in comparison to symmetric key systems. There are two ways how a message could be encrypted. On the one hand the sender could encrypt the message with his private key and the receiver decrypt the message with the public key of the sender. Or on the other hand, the sender encrypt the message with the public key of the receiver and the receiver decrypt the message with his private key. Presentation Assignment Page 10 of 17
  • 11. Bernhard Hofer CIST 3100 03/10/08 Problems with one way asymmetric encryption There is one big problem for each of the mentioned methods how to encrypt data with an asymmetric system above. Firstly there is a confidentiality problem, because everybody with the public key of the sender could encrypt the message. The receiver knows who sent the message, because just the sender could have the private key. But for the sender it is not really secure. Secondly there is an authentication problem, because the sender encrypts the message with the public key of the receiver and so the receiver doesn’t exactly know, from whom the message is. It is guaranteed that the message could just read by the receiver, but the problem here lies in the hands of the receiver, because there is no authentication of the sender possible. The solution Presentation Assignment Page 11 of 17
  • 12. Bernhard Hofer CIST 3100 03/10/08 If the process is repeated twice, every disadvantage of each run could be suspended by the other run. Which means that the sender and the receiver use a double handshake process to verify their authentications and, of course, the confidentiality of their messages. In practical use now message is encrypted by asymmetric systems, because it takes too long and the process needs too much hardware resources as well. The logical solution is that the asymmetric system is used to share a symmetric key between the sender and the receiver. If both know the key, they could communicate secure with a symmetric system. The big problem of symmetric key methods is to share the key, which is eliminated by using the asymmetric key system to share just the symmetric key. A really good example for this combination of the two methods is the Secure Socket Layer (or SSL) protocol, which is used over the Internet to guarantee secure data exchange. The browser and the server, for example of a on-line banking system, exchange a symmetric key by using an asymmetric key system. This happens every day in hour life in the background and works very well. Presentation Assignment Page 12 of 17
  • 13. Bernhard Hofer CIST 3100 03/10/08 The Internet – Big Brother is watching YOU Know the only question is, why are this encryption technologies so important for everybody? The answer is very easy, because the Internet is a big public and local structure. With other words, the Internet is a none secure and open information system for everybody like private people, the public authorities and, of course, economic player. Cryptography is the only way for privacy and protection of personal data over the World Wide Web. This matter of fact makes the whole encryption topic so important for everybody of us. Presentation Assignment Page 13 of 17
  • 14. Bernhard Hofer CIST 3100 03/10/08 Requirements for secure interaction This slide shows the five big points of the prerequisites, which must be accomplished for a secure interaction (Andreas Pfitzmann, “Security in IT Networks: Multilateral Security in Distributed and by Distributed Systems”, 2001). Presentation Assignment Page 14 of 17
  • 15. Bernhard Hofer CIST 3100 03/10/08 Useful applications This is just a short overview of technologies, which enables us to communicate secure over the Internet. One of the most common applications is PGP, which was founded by Phil Zimmermann in 1991. PGP stands for Pretty Good Privacy (Zimmerman, Phil, “Why I Wrote PGP”, 1991). One of the advantages of PGP is that it encrypts emails automatically and shares a key with the receiver of the message. It uses an asymmetric key system (RSA and IDEA) and is also very common for the usage of Digital Signature. Digital Signature is nothing else than a certificate, which guarantees the receiver of a message that the message was sent from the person he expects. It is also part of an asymmetric system. The Secure Socket Layer (SSL) protocol mentioned before one of the big applications, which helps us to communicate in a secure way over unsecured networks as well. Presentation Assignment Page 15 of 17
  • 16. Bernhard Hofer CIST 3100 03/10/08 Protect Your Password The biggest problem is not to hack an encryption method; it is that people use very easy passwords, which are wide opened for Brute-Force-Attacks. There is a whole bunch of other methods to steal passwords from people, which would break the mold of this paper. Just to mention a few of them like Fishing, Sniffing, Cross Side Attacks, etc. The Future: Quantum Cryptography I would like to give a short overview about the upcoming technologies in this area. One of the biggest developments was the use of quantum physics to encrypt data. Basically Quantum cryptography, or quantum key distribution (QKD), uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages (H. Chau, Physical Review A 66, 60302, 2002). Presentation Assignment Page 16 of 17
  • 17. Bernhard Hofer CIST 3100 03/10/08 The really cool thing is that if somebody interferes or tries to wiretap the encrypted message, the message itself get destroyed or modified so that the receiver of a message knows, if somebody tried to read it. The Austrian researcher Anton Zeilinger first implemented this technology between BA CA bank and the Vienna City-Hall over a 1,500m FDDA cable in April 2004. This experiment first showed the versatility of this technology in the daily business life and was a forecast for future developments (Will Knight, “Entangled photons secure money transfer”, NewScientist, April 2004). Presentation Assignment Page 17 of 17