Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rothke Info Security Canada 2007 Final


Published on

Presentation from Infosecurity Canada by Ben Rothke on Everything an Audit Professional needs to know about encryption in 50 minutes

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Rothke Info Security Canada 2007 Final

  1. 1. Everything an Audit Professional needs to know about encryption in 50 minutes <ul><li>Session 2F </li></ul><ul><li>Ben Rothke, CISSP CISM </li></ul><ul><li>Security Consultant </li></ul><ul><li>BT INS </li></ul><ul><li>Thursday June 14, 2007 </li></ul><ul><li>11:00 – 11:50AM </li></ul>
  2. 2. About me <ul><li>Ben Rothke, CISSP CISM </li></ul><ul><li>Security Consultant – BT INS </li></ul><ul><li>Previously with AXA, ThruPoint, Baltimore Technologies, Ernst & Young, Citibank </li></ul><ul><li>Have worked in the information technology sector since 1988 and information security since 1994 </li></ul><ul><li>Frequent writer and speaker </li></ul><ul><li>Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006) </li></ul>
  3. 3. Full disclosure <ul><li>This session is: </li></ul><ul><li>An introduction of the fundamentals of cryptography, encryption and digital signatures </li></ul><ul><li>This session is not: </li></ul><ul><li>A comprehensive overview about cryptography </li></ul><ul><li>Heavy mathematics and science of cryptography </li></ul><ul><li>Moral, legal, privacy, social and political issues </li></ul>
  4. 4. Key Points <ul><li>Need for cryptography has never been greater </li></ul><ul><ul><li>eroding levels of security and privacy that is occurring. </li></ul></ul><ul><li>Aspects of cryptography are indeed rocket science. </li></ul><ul><ul><li>Average person, who wants to utilize the security that cryptography provides, they can ignore the deep mathematics, and focus on the basics of what cryptography can provide them. </li></ul></ul>
  5. 5. Topics to be discussed <ul><li>What and why’s of cryptography </li></ul><ul><li>Brief history of cryptography </li></ul><ul><li>Symmetric and asymmetric cryptography </li></ul><ul><li>Keys and key sizes </li></ul><ul><li>Digital Signatures and Certificates </li></ul><ul><li>Advanced Encryption Standard </li></ul>
  6. 6. What is cryptography? <ul><li>Cryptography is: </li></ul><ul><ul><li>science of using mathematics to encrypt and decrypt data </li></ul></ul><ul><ul><li>ensuring that communications are private </li></ul></ul><ul><li>Branch of cryptology dealing with the design of algorithms for encryption and decryption; used to ensure the secrecy and authenticity of data. </li></ul><ul><li>Study of transforming information into a form that makes it unreadable to those without the appropriate permission to view it </li></ul><ul><li>Derived from the Greek kryptos , meaning hidden. </li></ul>
  7. 7. Why is cryptography so important? <ul><li>Allows people to have the same level of trust and confidence that exists in the physical world with their data in the digital world. </li></ul><ul><li>Enables interaction via e-mail, e-commerce, ATM machines, cell phones, etc. </li></ul><ul><li>Continual increase of data transmitted electronically has lead to an increased need and reliance on cryptography. </li></ul><ul><li>Until January 2000, the US Government considered strong cryptography to be an export-controlled munition, much like an M-16 or F-18. </li></ul>
  8. 8. Uses of cryptography <ul><li>Network and operating systems security </li></ul><ul><ul><li>Logins, data encryption, file system encryption </li></ul></ul><ul><li>Private Internet, telephone communications </li></ul><ul><li>Electronic payments </li></ul><ul><ul><li>Secure web transactions, SSL, ATM </li></ul></ul><ul><li>Database security </li></ul><ul><li>Software protection </li></ul><ul><ul><li>Music, DRM, DVD </li></ul></ul><ul><li>Pay television </li></ul><ul><li>Confidential military communications </li></ul>
  9. 9. Four objectives of cryptography <ul><li>Confidentiality – Data can’t be read by anyone for whom it wasn’t intended </li></ul><ul><li>Integrity – Data can’t be altered in storage or transit between sender and intended receiver without the alteration being detected. </li></ul><ul><li>Authentication - Sender and receiver can confirm each other’s identity </li></ul><ul><li>Non-repudiation – Inability to deny at a later time one’s involvement in a cryptographic process </li></ul>
  10. 10. Objectives of cryptography Confidentiality Integrity Authentication Interception Modification Fabrication Are my communications private? Has my communication been altered? Who am I dealing with?
  11. 11. History of cryptography <ul><li>Usually dated from about 2000 BC, with Egyptian hieroglyphics. </li></ul><ul><ul><li>Consisted of complex pictograms, the full meaning of which was only known to an elite few. </li></ul></ul><ul><li>First known use of a modern cipher was by Julius Caesar (100 BC - 44 BC) </li></ul><ul><ul><li>Caesar didn’t trust his messengers when communicating with his governors and officers. </li></ul></ul><ul><ul><li>He created a system with each character replaced by a character three positions ahead of it in the Roman alphabet. </li></ul></ul>
  12. 12. History of cryptography <ul><li>Benedict Arnold, Mary Queen of Scotts & Abraham Lincoln all used ciphers. </li></ul><ul><li>Cryptography has long been a part of war, diplomacy and politics. </li></ul><ul><li>Development and growth of cryptography in the last 20 years is directly tied to the development of the microprocessor </li></ul><ul><ul><li>Cryptography is computationally intensive </li></ul></ul><ul><ul><li>Without the PC revolution & ubiquitous x86 processor, there would have never been a vehicle where cryptography could have been economically and reasonably deployed. </li></ul></ul>
  13. 13. PGP History <ul><li>1991 – v1.0 written by Phil Zimmerman ships. RSA files suit against Zimmerman </li></ul><ul><li>1992 – v2.0 ships. Bass-O-Matic replaced by IDEA </li></ul><ul><li>1993 – FBI investigates Zimmerman for possible ITAR violations </li></ul><ul><li>1994 – v2.4 – ViaCrypt starts commercial distribution </li></ul><ul><li>1996 - PGP Inc. created. Legal case against Phil Zimmermann dropped. </li></ul><ul><li>1997 – v5.0 released by PGP Inc. </li></ul><ul><li>1997 – PGP Inc. acquired by Network Associates </li></ul><ul><li>1998 – v6.0 ships </li></ul><ul><li>1999 – PGP, Inc. rolled out as separate division of NAI </li></ul><ul><li>2000 – v7.0 ships </li></ul><ul><li>2000 – RSA patents expired on September 20, 2000 </li></ul><ul><li>2000 - Bowing to intense pressure from Silicon Valley Clinton administration eliminates most restrictions on the export of data-encryption technology </li></ul><ul><li>2001 – Phil Zimmerman leaves NAI for Hush Communications </li></ul><ul><li>2002 - PGP Corp. buys back PGP products and intellectual property from NAI </li></ul><ul><li>2004 - PGP Desktop v.8.1 released </li></ul><ul><li>2005 - PGP Desktop v.9.0 released (May 2007 – current version - 9.6) </li></ul>
  14. 14. History of cryptography <ul><li>The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet David Kahn </li></ul><ul><li>The Code Book : The Science of Secrecy from Ancient Egypt to Quantum Cryptography - Simon Singh </li></ul><ul><li>ICSA Guide to Cryptography - Randall Nichols </li></ul><ul><li>Applied Cryptography - Bruce Schneier, CTO BT Counterpane </li></ul>
  15. 15. Everything You Need to Know about Cryptography
  16. 16. Six fundamental cryptography terms <ul><li>Encryption – Conversion of data into a pattern, called ciphertext , rendering it unreadable. </li></ul><ul><li>Decryption – Process of converting ciphertext data back into its original form, so it can be read. </li></ul><ul><li>Algorithm - formula used to transform the plaintext into ciphertext. Also called a cipher. </li></ul><ul><li>Key – Complex sequence of alpha-numeric characters, produced by the algorithm, that allows you to encrypt and decrypt data </li></ul><ul><li>Plaintext – Decrypted or unencrypted data </li></ul><ul><li>Ciphtertext – Data that has been encrypted </li></ul>
  17. 17. Advanced cryptography terms (that you don’t need to know) RSA Factoring Challenge PKCS Discrete logarithms Root CA block cipher One-time pad Factoring methods Covert channel Blind signature scheme chosen ciphertext attack key escrow Pollard Rho method discrete logarithm Kerberos CP & CPS Capstone meet-in-the-middle attack linear cryptanalysis Adaptive-chosen-ciphertext attach Operational policy and procedures One-way function tamper resistant Exclusive-OR multiple polynomial quadratic sieve differential cryptanalysis Diffie-Hellman key exchange Iterated block cipher Factoring methods Key Management General purpose factoring algorithm CAPI Dictionary attack Random numbers SKPI Private exponent chosen plaintext attack Elliptic curve discrete logarithm problem NSA General purpose factoring algorithm Brute force attack CRL Session key Prime numbers Quantum cryptography Fields and rings Vector spaces and lattices Boolean expressions Number field sieve Provably secure Threshold cryptography key recovery Modular arithmetic Galois field Goppa code Random number generation Cryptographic tokens X.509v3 ANSI X9.24 ICV PRNG ASN.1 FIPS EAL BSAFE IDEA
  18. 18. Paper based trust <ul><li>In a paper based society, we: </li></ul><ul><ul><li>Write a letter and sign it </li></ul></ul><ul><ul><li>Have a witness verify that the signature is authentic </li></ul></ul><ul><ul><li>Put the letter in an envelope and seal it </li></ul></ul><ul><ul><li>Send it by certified mail </li></ul></ul><ul><li>This gives the recipient confidence that the: </li></ul><ul><ul><li>Contents had not been read by anyone else </li></ul></ul><ul><ul><li>Contents of the envelope were intact </li></ul></ul><ul><ul><li>Letter came from the person who claimed to have sent it </li></ul></ul><ul><ul><li>Person who sent it could not easily deny having sent it </li></ul></ul>
  19. 19. Paper vs. Electronic trust
  20. 20. Symmetric Cryptography <ul><li>Oldest form of cryptography </li></ul><ul><li>Single key is used both for encryption and decryption </li></ul>
  21. 21. Symmetric Cryptography Q4 sales well below forecast “ BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsYs@!q3” Q4 sales well below forecast Same Key (Secret) Encrypt Decrypt
  22. 22. Asymmetric (Public-Key Cryptography) <ul><li>Form of encryption based on the use of two mathematically related keys (the public key and the private key ) such that one key cannot be derived from the other. </li></ul><ul><ul><li>Public key encrypts data and verifies digital signature </li></ul></ul><ul><ul><li>Private key decrypts data and digitally signs a document </li></ul></ul>
  23. 23. PKC concepts <ul><li>You publish your public key to the world while keeping your private key secret. </li></ul><ul><li>Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met. </li></ul><ul><li>No one can deduce the private key from the public key. </li></ul><ul><li>Anyone who has a public key can encrypt information but cannot decrypt it. </li></ul><ul><li>Only the person who has the corresponding private key can decrypt the information. </li></ul>
  24. 24. PKC Benefits <ul><li>Key management </li></ul><ul><ul><li>Symmetric cryptography is essentially impossible to provide effective key management for large networks. </li></ul></ul><ul><li>Allows people who have no preexisting security arrangement to exchange messages securely. </li></ul><ul><li>Need for sender and receiver to share secret keys via a secure channel is eliminated </li></ul><ul><ul><li>all communications involve only public keys </li></ul></ul><ul><ul><li>no private key is ever transmitted or shared. </li></ul></ul>
  25. 25. PKC history <ul><li>1976 - Conceptual ideas developed by Whitfield Diffie and Martin Hellman to solve two pressing key management problems: </li></ul><ul><ul><li>You need a secure channel to set up a secure channel </li></ul></ul><ul><ul><li>How do you get the key to a recipient without someone intercepting it? </li></ul></ul><ul><li>1977 - First public-key cryptosystem designed by Ron Rivest, Adi Shamir & Len Adlelman (RSA) at MIT </li></ul><ul><ul><li>British developed a PKC first; didn’t publicly acknowledge it. </li></ul></ul>
  26. 26. PKC Process <ul><li>When sending a message to someone, you encrypt the message with their public key. </li></ul><ul><li>Each user has a publicly known encryption key and a corresponding private key known only to that user </li></ul><ul><li>They receive it and decrypt it with their private key </li></ul>
  27. 27. Symmetric vs. Asymmetric Secret-key (symmetric) encryption Public-key (asymmetric) encryption
  28. 28. Public-key Cryptography CFO to resign next week “ BxWv;5df~TmWe#4^,sdgfMwir3:dkJeTsYs@!q3” Encrypt Decrypt CFO to resign next week Public Key of recipient Private Key of recipient
  29. 29. Portrait of a Public Key
  30. 30. The n 2 Problem <ul><li>With symmetric cryptography, as the number of users increase, the number of keys required to provide secure communications among those users increases rapidly. </li></ul><ul><li>For a group of n users, there needs to be 1/2 (n 2 - n) keys for total communications </li></ul><ul><li>As the number of parties increases (i.e., n becomes larger), the number of symmetric keys becomes unreasonably large for practical use. </li></ul><ul><ul><li>This is known as the n 2 Problem </li></ul></ul>
  31. 31. The n 2 Problem
  32. 32. Symmetric vs. Asymmetric <ul><li>From a security functionality perspective, symmetric cryptography is for the most part just as strong as asymmetric cryptography. </li></ul><ul><ul><li>Symmetric is much quicker though </li></ul></ul><ul><li>Where asymmetric shines is in solving the key management issues. </li></ul><ul><li>No key management issues? </li></ul><ul><ul><li>No compelling need to use asymmetric cryptography. </li></ul></ul>
  33. 33. Keys & key sizes <ul><li>Key – A value that works with a cryptographic algorithm to produce a specific ciphertext </li></ul><ul><li>Keys do not encrypt or decrypt data; the algorithm does that. </li></ul><ul><li>Keys are huge numbers measured in bits </li></ul><ul><ul><li>PGP key sizes range from 1024 to 4096 bits </li></ul></ul><ul><ul><li>Key size depends on the data you want to protect and the hardware it is on (cell phone, PDA, server) </li></ul></ul><ul><ul><ul><li>Too big a key, too time-consuming </li></ul></ul></ul><ul><ul><ul><li>Too small a key, too insecure </li></ul></ul></ul>
  34. 34. Keys & key sizes <ul><li>Symmetric and asymmetric key sizes are not equivalent </li></ul><ul><ul><li>80-bit symmetric == 1024-bit asymmetric </li></ul></ul><ul><ul><li>128-bit symmetric == 3000-bit asymmetric </li></ul></ul><ul><li>Caveat: Key sizes are only one aspect of effective security </li></ul><ul><li>Longer keys don’t always mean more security </li></ul><ul><ul><li>Does a longer dead-bolt mean your house is more secure? </li></ul></ul><ul><li>Can build a weak cryptographic system using huge keys. </li></ul>
  35. 35. How secure is good cryptography? <ul><li>If the underlying application software is configured correctly – very secure . </li></ul><ul><li>Brute-force key search </li></ul><ul><ul><li>IDEA uses 128-bit keys for 2 128 possible combinations. </li></ul></ul><ul><li>If a special purpose chip (FPGA) could perform one billion decryptions per second, and the server had a billion chips running in parallel, it would still require over 10 12 years to try all of the possible keys, which is about a thousand times the age of the universe. </li></ul>
  36. 36. Cryptographic Algorithms <ul><li>An algorithm is a formula used to transform the plaintext into ciphertext </li></ul><ul><li>Two types of algorithms: </li></ul><ul><ul><li>Symmetric </li></ul></ul><ul><ul><li>Asymmetric </li></ul></ul><ul><li>Criteria: </li></ul><ul><ul><li>Degree of security </li></ul></ul><ul><ul><li>Speed required </li></ul></ul><ul><ul><li>Hardware platform </li></ul></ul>
  37. 37. Symmetric Algorithms <ul><li>Identical keys used for encryption and decryption </li></ul><ul><li>Examples: </li></ul><ul><ul><li>DES, Triple-DES, AES, IDEA, Blowfish, CAST, MARS, Twofish, Rijndael, RC2, RC4, RC6, A5, A5/1, Serpent, Skipjack, DEAL, SAFER </li></ul></ul>
  38. 38. DES <ul><li>Most popular crypto standard ever </li></ul><ul><ul><li>Still used worldwide in myriad different scenarios </li></ul></ul><ul><li>Data Encryption Standard </li></ul><ul><ul><li>Uses DEA (Data Encryption Algorithm) </li></ul></ul><ul><li>Developed by IBM in 1975 and adopted by NIST in 1977 </li></ul><ul><li>Key size 56-bits = 2 56 possible keys or 72,057,594,037,927,936 keys </li></ul><ul><li>2 56 possible keys was a enormous amount in 1977 </li></ul><ul><li>By 1997, an attack against all 2 56 possible keys was easily possible and carried out. </li></ul>
  39. 39. Asymmetric Algorithms <ul><li>Different keys used for encryption & decryption </li></ul><ul><li>Examples: </li></ul><ul><ul><li>RSA, DSA, Diffie-Hellman, ElGamal, Elliptic curve </li></ul></ul><ul><li>Private-key and Public-key </li></ul><ul><li>Keys are directly related </li></ul>
  40. 40. Digital Signatures & Certificates <ul><li>Digital Certificate - An electronic credential </li></ul><ul><ul><li>Used to authenticate the identity of the message sender or the signer of a document </li></ul></ul><ul><ul><li>Ensures that the original content of the message or document has not be altered. </li></ul></ul><ul><ul><li>Shows that the contents of the information signed has not been modified. </li></ul></ul><ul><ul><li>Value determined by issuing certificate authority </li></ul></ul><ul><li>Digital Signature – binding of a private key to a message. </li></ul>
  41. 41. Digital Signatures & Certificates
  42. 42. What’s in the digital certificate? <ul><li>User’s name </li></ul><ul><li>Public key of the user </li></ul><ul><ul><li>Required so that others can verify the user’s digital signature </li></ul></ul><ul><li>Validity period (lifetime) of the certificate </li></ul><ul><ul><li>Start & end date </li></ul></ul><ul><li>Approved operations </li></ul><ul><ul><li>For which the public key is to be used (whether for encrypting data, verifying digital signatures, or both) </li></ul></ul>
  43. 43. Advanced Encryption Standard (AES) <ul><li>AES is a Federal Information Processing Standard (FIPS) that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. </li></ul><ul><li>Replaces DES, which is now obsolete. </li></ul><ul><li>Will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government and outside of the U.S. </li></ul>
  44. 44. AES technical details <ul><li>Key sizes: 128, 192 and 256 bits </li></ul><ul><ul><ul><li>Possible 128-bit keys - 340 undecillion </li></ul></ul></ul><ul><ul><ul><li>Possible 192-bit keys - 6.2 octodecillion </li></ul></ul></ul><ul><ul><ul><li>Possible 256-bit keys - Almost a googol </li></ul></ul></ul><ul><li>By comparison, DES keys are 56 bits long, which means there are 2 56 possible DES keys. </li></ul><ul><ul><li>There are 10 21 times more AES 128-bit keys than DES 56-bit keys. </li></ul></ul>
  45. 45. PGP (Pretty Good Privacy) <ul><li>Software package that provides strong cryptographic functionality </li></ul><ul><ul><li>e-mail, file, disk </li></ul></ul><ul><li>Originally developed as freeware, PGP has since become the de facto standard for e-mail security </li></ul><ul><ul><li>Has made cryptography accessible for everyone </li></ul></ul><ul><ul><ul><li>Commercial </li></ul></ul></ul><ul><ul><ul><li>Source code </li></ul></ul></ul>
  46. 46. Using PGP <ul><li>Create your key </li></ul><ul><li>Encrypt/Decrypt file </li></ul><ul><li>Sign/Verify message </li></ul>
  47. 47. PGP keyring of public keys
  48. 48. PGP encryption/decryption
  49. 49. Digital signing
  50. 50. Digital signature verification
  51. 51. Additional References
  52. 52. For further information <ul><li>Bruce Schneier </li></ul><ul><ul><li>Why Cryptography Is Harder Than It Looks </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Security Pitfalls in Cryptography </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Secrets and Lies : Digital Security in a Networked World </li></ul></ul><ul><ul><li>Applied Cryptography: Protocols, Algorithms, and Source Code </li></ul></ul><ul><li>RSA Cryptography FAQ </li></ul><ul><ul><li> </li></ul></ul><ul><li>Information Security Magazine </li></ul><ul><ul><li> </li></ul></ul>
  53. 53. For further information <ul><li>Steven Levy </li></ul><ul><ul><li>Crypto : How the Code Rebels Beat the Government -- Saving Privacy in the Digital Age </li></ul></ul><ul><li>Simon Singh </li></ul><ul><ul><li>The Code Book : The Science of Secrecy from Ancient Egypt to Quantum Cryptography </li></ul></ul><ul><li>H. X. Mel & Doris Baker </li></ul><ul><ul><li>Cryptography Decrypted: A Pictorial Introduction to Digital Security </li></ul></ul><ul><li>Chey Cobb </li></ul><ul><ul><li>Cryptography for Dummies </li></ul></ul>
  54. 54. Conclusions
  55. 55. Conclusions <ul><li>With Google, spyware, leaky Internet protocols and myriad other threats to security and privacy, cryptography has never been more important. </li></ul><ul><li>While the hidden engine of cryptography uses Ph.d level mathematics, as an end-user, you are shielded from such complexity. </li></ul><ul><li>By knowing what you need to secure, and how to do it, you can use cryptography to the fullest, without needing a Ph.d in applied mathematics. </li></ul>
  56. 56. Thanks for attending <ul><li>Any questions? comments? </li></ul><ul><li>Please fill out your evaluation sheets </li></ul>
  57. 57. Ben Rothke CISSP CISM Security Consultant NY Metro | BT INS [email_address]