Network Security: Standards and Cryptography

The absolute minimum that every software developer absolutely, positively must know about network data security.

Published in: Technology, Education

  • Under Windows in C#, the RSA and RSACryptoServiceProvider classes provide key-pair creation and RSA encryption/decryption functionality. Symmetric encryption is supported through the DES, TripleDES, and AES classes. In Windows, the “sn -k <filename>” command can be used to create key pairs, or they can be created programmatically through the RSA and RSACryptoServiceProvider classes.
  • “Shared-Key” is also known as “session-key”. Using symmetric encryption together with asymmetric encryption is beneficial because symmetric encryption is 1000+ times faster than asymmetric encryption.

    1. Network Security: Standards and Cryptography
       Jack Davis
    2. The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Network Data Security (No Excuses!)
    3. Too Frequent
         • “Bank of America says at least 1.2 million federal employee credit card accounts may be exposed to theft or hacking.” Time, Feb 25, 2005
         • “40M credit cards hacked Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.” CNN Money, July 27, 2005
         • “Data Losses Hit Four More Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list ….” June 22, 2006
       http://www.privacyrights.org/ar/ChronDataBreaches.htm
    4. Technical Pillars of Data Security
         • Cryptographic Hashing
         • Data Encryption: Symmetric-Key Encryption, Asymmetric-Key Encryption
         • HTTPS: Transport Layer Security (TLS), Secure Sockets Layer (SSL)
         • Email, attachment, and Instant Message Protection
       Data Integrity | Information Protection
         • Server File and Folder Security
         • Digital Signatures
         • X.509 Digital Certificates
         • Digital Rights Management
    5. Data Integrity
       How can we know if data transferred across a network or stored on a server hasn’t changed? Changes to data can occur due to either:
         • Simple physical loss (lost bits during transfer or on a physical store)
         • Intentional malicious “hacker” action (a database of student grades is always a prime target)
    6. Data Integrity: Checksums and CRCs
         • “I agree to pay $5000 in 2 years.” CRC32 = xFFE
         • “I agree to pay $500 in 20 years.” CRC32 = xFFE
       Oops
    7. Checksums and CRCs
         • Easy to calculate.
         • Useful in detecting bit errors in transmission or storage.
         • Can be used in non-security applications.
         • Not good for detecting intentional or malicious changes.
         • Not suitable for security.
    8. Two Types of “Hash” Functions
         • Hash functions for Hash Tables (re. CSS 343)
         • Hash functions for “digital fingerprints”: Cryptographic Hash (aka “message digests”, “message signatures”)
    9. Cryptographic Hash Properties
       One Way
         • Given h, it should be very hard (impossible) to recompute the original m, where h = hash(m).
       Unique
         • Different message data should never generate the same hash.
         • Given two different data messages, m1 and m2, hash(m1) != hash(m2).
       Fixed Length
         • Regardless of the length of the data message, the hash value for a given algorithm is always fixed-length.
         • Algorithms: 128, 160, 256, 512 bits.
    10. Cryptographic Hash Examples
       Zero-Length Data
         SHA1("")
         = DA39A3EE 5E6B4B0D 3255BFEF 95601890 AFD80709   // = 20 bytes (160 bits)
       Simple String
         SHA1("The quick brown fox jumps over the bog.")   // 'b' = x62
         = E66BEDD4 E0B96081 01F86FE8 4A9B91D2 A3EA0D14   // = 20 bytes (160 bits)
         SHA1("The quick brown fox jumps over the cog.")   // 'c' = x63
         = 68B51796 CB6A01AF FBECA374 56C72F83 76D67BF4   // = 20 bytes (160 bits)
       1-bit change! “Avalanche Effect”
    11. Applications of Cryptographic Hashes
         • Password storage and validation (only the hash for the password is stored)
         • Verifying message integrity
         • Verifying file integrity
         • Digital Certificates (digital authentication)
         • Digital Signatures
         • Rights Management
    12. Digital Signature using Cryptographic Hash
         • Signer’s “public key” is used to decrypt the digital signature.
         • When the decrypted digital signature matches the document hash, the document is unaltered and the signature is valid.
    13. Common Cryptographic Hash Algorithms
       MD, Message Digest
       SHA, Secure Hash Algorithm

       Hash Algorithm   Hash Size bits (bytes)   Date Published   Collisions (Cracked)
       MD4              128 (16)                 1990 RFC1186     Yes
       MD5              128 (16)                 1992 RFC1321     Yes
       SHA-0            160 (20)                 1993             Yes
       SHA-1            160 (20)                 1995 RFC3174     Yes
       SHA-256          256 (32)                 2002 RFC4634
       SHA-512          512 (64)                 2002 RFC4634
    14. Information Protection through Data Encryption
       Symmetric-Key Encryption
         • Private-Key Encryption
         • Same key is used to both encrypt and decrypt.
       Asymmetric-Key Encryption
         • Public/Private-Key Encryption
         • Two different keys: one key used to encrypt, other key used to decrypt
       Common property of encryption: Encrypted message size = Clear-text message size (There’s no size penalty for encrypting data.)
    15. Symmetric-Key Algorithms
       DES, Data Encryption Standard
       Triple-DES, DES applied three times (key 168 bits = 3 x 56 bits)
       FIPS, Federal Information Processing Standard
       AES, Advanced Encryption Standard (more secure, 6x faster than Triple-DES)
       NSA rates AES-128 for “SECRET”, AES-192 and AES-256 for “TOP SECRET”.

       Encryption Algorithm   Key Size bits (bytes)   Date Published   Date Withdrawn
       DES                    56 (7)                  1976 FIPS46      1999
       Triple-DES             168 (21)                1999 FIPS46-3    2005
       AES                    128, 192, 256           2001 FIPS197
    16. The Problem with Symmetric-Key Encryption
         • If you want to send encrypted data, how do you get the key to the other party?
    17. Asymmetric-Key Encryption
         • Also known as “Public-key”, “Public/Private-key”, or “RSA*” encryption.
         • Uses two different keys: one “public-key” and one “private-key”.
         • The public-key and private-key pairs can be used in different ways to perform different operations.
       *RSA, from last name initials of original inventors Ron Rivest, Adi Shamir, Len Adleman.
    18. Asymmetric-Key Creation
         • A large random number is used to seed the Key-Making function. (In Windows, keys can be created manually with the sn.exe utility.)
         • The Key-Making function creates two keys, a “public-key” and a “private-key”.
    19. Sending Encrypted Data
         • Public-keys can be freely distributed.
         • If someone wishes to send private data, the sender encrypts the data using the recipient's public-key.
         • Only the recipient’s private-key can decrypt the data (secrecy depends on the security of the private-key).
    20. Encrypting Digital Signatures
         • The use of public and private keys can also be reversed, such as for digital signatures.
         • Signer encrypts document with private-key.
         • Using the signer’s public-key, recipients can decrypt to view the original signed document.
    21. Signing a Document versus Signing a Hash
         • Document hashes can also be used for signing.
    22. The Problem with Asymmetric-Key Encryption
       If Asymmetric-Key Encryption is so flexible, why bother with Symmetric-Key Encryption at all?
         • Asymmetric-Key encryption is 1000+ times slower than Symmetric-Key encryption!
         • What to do now?
    23. Combining Asymmetric and Symmetric Encryption
         • Use Asymmetric Encryption to encrypt and exchange a shared Symmetric-Key.
         • Use Symmetric Encryption to then encrypt and exchange data.
       Asymmetric Encrypt | Symmetric Encrypt
    24. PGP Encryption (Pretty Good Privacy)
       PGP (RFC2440) is an open standard that can be used to encrypt and decrypt data for a wide variety of uses:
         • Email messages and attachments
         • Digital Signatures
         • Full disk encryption
         • File and folder security
         • File transfer encryption
         • Web server files and folders
       PGP uses a combination of Symmetric-Key cryptography together with Asymmetric-Key cryptography that uses public-keys stored on publicly accessible “key servers”.
    25. Steps in PGP Encryption/Decryption
         • Sender creates a “session-key” that is used to encrypt the message data using Symmetric encryption such as AES.
         • The sender uses the recipient's “public-key” to encrypt the “session-key” through Asymmetric encryption.
         • Both the Symmetric-encrypted message data and Asymmetric-encrypted “session-key” are sent to the recipient.
         • Using their “private-key”, the recipient decrypts the asymmetric-encrypted “session-key”.
         • Using the decrypted “session-key”, the recipient then decrypts the symmetric-encrypted message data.
       (Above operations are performed automatically within PGP.)
    26. Transport Layer Security (TLS) & Secure Sockets Layer (SSL) Protocols
       Negotiation | Asymmetric Encryption | Symmetric Encryption
         • Algorithm Negotiation
             • Asymmetric-Key algorithms
             • Symmetric-Key algorithms
             • Hash algorithms
         • Certificate-based authentication
         • Asymmetric encryption and exchange of a Symmetric “session-key”.
         • Bulk message and data exchange using the Symmetric “session-key” to encrypt/decrypt.
    27. Security Guidelines
         • For storage, encrypt sensitive data using a Symmetric-Key cipher such as AES. Remember – HTTPS (TLS/SSL) only guarantees security during transport. Unless somehow further protected (encrypted), information stored at either the source or destination is susceptible to attack and access.
         • To exchange a Symmetric-Key, encrypt it using your Asymmetric “private-key”.
         • Do not store keys in code.
         • Do not store keys in plain text. Password-encrypt any file containing keys and place it on removable media.
         • Use a cryptographic hash, such as SHA-1, to verify data integrity or as a Digital Signature.
    28. Pillars of Data Security
         • Cryptographic Hashing
         • Data Encryption: Symmetric-Key Encryption, Asymmetric-Key Encryption
       Data Integrity | Information Protection
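
Slides 5 to 7 state that checksums and CRCs catch accidental bit errors but not intentional changes. The following is an added example, not part of the slides: a Node.js sketch in which the function names and the choice of HMAC-SHA256 as the keyed alternative are assumptions made here. It shows a receiver accepting an altered message under a CRC-32 check and rejecting it under a keyed check.

```javascript
const crypto = require('node:crypto');

// Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320).
function crc32(buf) {
  let crc = 0xFFFFFFFF;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Unkeyed check: anyone can compute a matching tag for any message.
const crcVerify = (msg, tag) => crc32(Buffer.from(msg)) === tag;

// Keyed check: HMAC-SHA256 under a secret shared by sender and receiver.
const hmacTag = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();
function hmacVerify(key, msg, tag) {
  const expected = hmacTag(key, msg);
  return tag.length === expected.length && crypto.timingSafeEqual(tag, expected);
}

// CRC-32 is affine over XOR: for equal-length a, b, c,
// crc(a ^ b ^ c) equals crc(a) ^ crc(b) ^ crc(c). The effect of an edit on
// the checksum is therefore predictable; nothing about it depends on a secret.
function crcIsAffine(a, b, c) {
  const mixed = Buffer.from(a.map((x, i) => x ^ b[i] ^ c[i]));
  return crc32(mixed) === ((crc32(a) ^ crc32(b) ^ crc32(c)) >>> 0);
}

function demo() {
  const key = crypto.randomBytes(32); // constructed shared secret
  const original = 'I agree to pay $5000 in 2 years.'; // messages from slide 6
  const altered = 'I agree to pay $500 in 20 years.';
  const macFromSender = hmacTag(key, original);
  return {
    // The altered message arrives with a freshly recomputed CRC: accepted.
    crcAcceptsAltered: crcVerify(altered, crc32(Buffer.from(altered))),
    // Without the key, the sender's MAC cannot be updated to match: rejected.
    hmacAcceptsAltered: hmacVerify(key, altered, macFromSender),
    hmacAcceptsOriginal: hmacVerify(key, original, macFromSender),
    affine: crcIsAffine(Buffer.from(original), Buffer.from(altered), Buffer.alloc(32)),
  };
}
```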
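
Slides 12, 20 and 21 describe signing with the private key, checking with the public key, and signing a hash instead of the whole document. The following is an added example, not part of the slides: it uses Node.js `crypto.sign` and `crypto.verify` with a freshly generated RSA-2048 key and SHA-256, both chosen here as assumptions, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed RSA-2048 key pairs, generated fresh for the example.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// The signer hashes the document (SHA-256 here) and applies the private key
// to the hash, so the signature size depends on the key, not the document.
function signDocument(doc, signerPrivateKey) {
  return crypto.sign('sha256', Buffer.from(doc), signerPrivateKey);
}

// A recipient recomputes the hash and checks it against the signature using
// only the signer's public key.
function verifyDocument(doc, signature, signerPublicKey) {
  return crypto.verify('sha256', Buffer.from(doc), signerPublicKey, signature);
}

function demo() {
  const signer = newKeyPair();
  const other = newKeyPair(); // an unrelated key pair
  const shortDoc = 'I agree to pay $5000 in 2 years.';
  const longDoc = shortDoc.repeat(10000); // about 320 KB
  const sigShort = signDocument(shortDoc, signer.privateKey);
  const sigLong = signDocument(longDoc, signer.privateKey);
  return {
    validOriginal: verifyDocument(shortDoc, sigShort, signer.publicKey),
    // Any edit changes the hash, so the old signature no longer matches.
    validAltered: verifyDocument('I agree to pay $500 in 20 years.', sigShort, signer.publicKey),
    // A signature only verifies under the public key paired with the signing key.
    validUnderOtherKey: verifyDocument(shortDoc, sigShort, other.publicKey),
    // A signature cannot be moved from one document to another.
    sigReusedOnOtherDoc: verifyDocument(longDoc, sigShort, signer.publicKey),
    signatureBytes: [sigShort.length, sigLong.length],
  };
}
```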
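
Slides 23 and 25 describe wrapping a symmetric session-key with the recipient's public-key and encrypting the data under the session-key. The following is an added example of that hybrid pattern, not part of the slides and not the OpenPGP message format: the function names, RSA-OAEP for key wrapping and AES-256-GCM for the data are assumptions chosen here.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side (steps 1 to 3 on slide 25).
function hybridEncrypt(plaintext, recipientPublicKey) {
  const sessionKey = crypto.randomBytes(32); // fresh session-key per message
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // integrity tag over the ciphertext
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Recipient side (steps 4 and 5 on slide 25). Throws if the private key is
// the wrong one or if the ciphertext was modified.
function hybridDecrypt({ wrappedKey, iv, ciphertext, tag }, recipientPrivateKey) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

const throws = (fn) => { try { fn(); return false; } catch { return true; } };

function demo() {
  // Constructed key pairs: the recipient's, and an unrelated one.
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const message = 'constructed sample message for the recipient';
  const envelope = hybridEncrypt(message, recipient.publicKey);
  const flipped = Buffer.from(envelope.ciphertext);
  flipped[0] ^= 0x01; // simulate a single bit changed in transit
  return {
    roundTrip: hybridDecrypt(envelope, recipient.privateKey),
    wrongKeyRejected: throws(() => hybridDecrypt(envelope, other.privateKey)),
    tamperRejected: throws(() =>
      hybridDecrypt({ ...envelope, ciphertext: flipped }, recipient.privateKey)),
    wrappedKeyBytes: envelope.wrappedKey.length,
    bodySameSize: envelope.ciphertext.length === Buffer.byteLength(message),
  };
}
```

Only the 32-byte session-key goes through the slow RSA operation; the message body is handled entirely by AES, whatever its length.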
