This document provides an overview of cryptography and PKI concepts. It introduces cryptography, hashing, encryption, and digital signatures. It discusses symmetric and asymmetric encryption algorithms like AES, RSA and protocols like TLS. It also explores components of PKI including certificates, certificate authorities, registration, revocation and validation.
2. Introduction
• Introducing cryptography concepts
• Providing integrity with hashing
• Providing confidentiality with encryption
• Using cryptographic protocols
• Exploring PKI components
3. Cryptography Concepts - Integrity
• Provides assurances that data has not been modified
• Hashing ensures that data has retained integrity
• A hash is a number derived from performing a calculation on data
• If the data is unchanged the hash will always be the same number
• Common hashing algorithms include MD5, SHA, HMAC
• Each algorithm creates a fixed size string of bits
  – Example: MD5 creates a hash of 128 bits
4. Cryptography Concepts - Confidentiality
• Ensures only authorized users can view data
• Encryption protects the confidentiality of data
• Encryption ciphers data to make it unreadable
• Encryption normally includes algorithm and key
• Symmetric encryption
  - Uses the same key to encrypt and decrypt data
• Asymmetric encryption
  - Uses two keys (public and private) created as a matched pair
6. Cryptography Concepts
• Authentication validates an identity
• Non-repudiation
  - Prevents a party from denying an action
• Digital signatures
  - Provide authentication, non-repudiation, and integrity
  - Users sign emails with a digital signature
    • Digital signature is a hash of an email message encrypted with the sender’s private key
    • Only the sender’s public key can decrypt the hash
    • Provides verification it was encrypted with the sender’s private key
7. Providing Integrity with Hashing
• Hashing provides integrity for data
  - Email, downloaded files, files stored on a disk
  - A one-way function that creates a string of characters
• A hash is a number
  - Sometimes called a checksum
  - You cannot reverse the hash
  - You cannot re-create the original data from the hash
  - Created with a hashing algorithm
    • Message Digest 5 (MD5)
    • Secure Hash Algorithm (SHA) family
    • HMAC
8. Hashing Protocols
• To verify integrity
  - MD5 (use is discouraged)
  - SHA (SHA-3 previously known as Keccak)
• To verify integrity and authenticity
  - HMAC (HMAC-MD5 and HMAC-SHA1)
    • Uses a shared secret
    • IPsec and TLS use HMAC-MD5 and HMAC-SHA1
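The difference between a plain hash (integrity only) and an HMAC (integrity and authenticity) is shown below as an added example that is not part of the original slides. It uses HMAC-SHA256 rather than the HMAC-MD5 and HMAC-SHA1 variants named on the slide; the secret and the message are constructed sample values.

```python
import hashlib
import hmac

# Constructed demo value; in practice the shared secret is provisioned out of band.
SHARED_SECRET = b"constructed-demo-secret"

def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256 digest: integrity only."""
    return hashlib.sha256(message).hexdigest()

def keyed_tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: integrity and authenticity, bound to the shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_hash(message), digest)

def verify_hmac(message: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(keyed_tag(message, key), tag)

def alter_in_transit(message: bytes):
    """A party without the shared secret changes the data and recomputes
    the only check value it is able to compute: the unkeyed hash."""
    altered = message.replace(b"100", b"900")
    return altered, plain_hash(altered)

def demo() -> dict:
    original = b"transfer 100 to account 42"  # constructed sample message
    altered, recomputed = alter_in_transit(original)
    tag = keyed_tag(original, SHARED_SECRET)
    return {
        "hash_accepts_original": verify_plain(original, plain_hash(original)),
        "hash_accepts_altered": verify_plain(altered, recomputed),
        "hmac_accepts_original": verify_hmac(original, tag, SHARED_SECRET),
        "hmac_accepts_altered_old_tag": verify_hmac(altered, tag, SHARED_SECRET),
        "hmac_accepts_altered_new_hash": verify_hmac(altered, recomputed, SHARED_SECRET),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A recomputed plain hash passes verification on altered data, while the HMAC check rejects it because the tag cannot be produced without the shared secret.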
10. Hashing Passwords
• Passwords often stored as hashes
• Password attacks attempt to discover passwords
  - Guess a password
  - Hash the guessed password
  - Compare the hash to the original hash
11. Cryptography
• Key stretching
  - Bcrypt and PBKDF2
  - Help prevent brute force and rainbow table attacks
  - Both salt the password with additional bits
    • Advanced techniques add pepper
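The effect of salting and key stretching on stored password hashes, as an added example that is not part of the original slides. It uses PBKDF2 from the Python standard library; the iteration count, the accounts, the pepper value and the way the pepper is appended to the password are assumptions made for the demo, and the precomputed table is a simplified stand-in for a rainbow table.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for the demo; tune to your hardware

def fast_hash(password: str) -> str:
    """Single unsalted SHA-256: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def stretch(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA256 over password+pepper with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)

def enroll(password: str, pepper: bytes = b"") -> tuple:
    salt = secrets.token_bytes(16)  # random, stored next to the hash
    return salt, stretch(password, salt, pepper)

def verify(password: str, salt: bytes, stored: bytes, pepper: bytes = b"") -> bool:
    return hmac.compare_digest(stretch(password, salt, pepper), stored)

def demo() -> dict:
    pepper = b"constructed-pepper"  # kept outside the password database
    users = {"lisa": "Summer2024", "bart": "Summer2024"}  # constructed accounts
    # Guess, hash, compare: done once in advance for a list of common guesses
    precomputed = {fast_hash(g): g for g in ("password", "letmein", "Summer2024")}
    fast = {u: fast_hash(p) for u, p in users.items()}
    stored = {u: enroll(p, pepper) for u, p in users.items()}
    return {
        "fast_hashes_identical": fast["lisa"] == fast["bart"],
        "fast_found_in_table": [precomputed.get(h) for h in fast.values()],
        "stretched_identical": stored["lisa"][1] == stored["bart"][1],
        "stretched_found_in_table": [precomputed.get(dk.hex()) for _, dk in stored.values()],
        "correct_password": verify("Summer2024", *stored["lisa"], pepper),
        "wrong_password": verify("Summer2025", *stored["lisa"], pepper),
        "missing_pepper": verify("Summer2024", *stored["lisa"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```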
15. Providing Confidentiality with Encryption
• Encryption provides confidentiality
  – Helps ensure only authorized users can view data
  – Applies to any type of data
    • Data-at-rest (files, in a database, and so on)
    • Data-in-transit (sent over a network)
  – Data-in-use
    • Not encrypted while in use
    • If sensitive should be purged after use
16. Providing Confidentiality with Encryption
• Two basic components of encryption
  – Algorithm
    • Performs mathematical calculations on data
    • Algorithm always the same
  – Key
    • A number that provides variability
    • Either kept private and/or changed frequently
17. Encryption Terms
• Random and pseudo-random numbers
• Initialization vector (starting value)
• Nonce (number used once)
• XOR (logical operation comparing two inputs)
• Confusion
  – Ciphertext significantly different than plaintext
• Diffusion
  – Small changes in plaintext result in large changes in ciphertext
18. Encryption Terms
• Secret algorithm
  – Private instead of published
  – Not recommended
• Weak/deprecated algorithms
  – Don’t use
• High resiliency
  – Refers to security of key even if an attacker discovers part of the key
19. Block vs. Stream Ciphers
• Block ciphers
  – Encrypts data in specific sized blocks
    • Often 64-bit blocks or 128-bit blocks
  – Divides large files or messages into these blocks
  – Encrypts each block separately
• Stream ciphers
  – Encrypt data as a single bit or byte at a time in a stream
  – An important principle when using a stream cipher
    • Encryption keys should never be reused
    • If a key is reused, it is easier to crack the encryption
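Why a stream cipher key (more precisely, the same key and nonce pair) must never be reused, as an added example that is not part of the original slides. The keystream generator is a toy built from SHA-256 in a counter construction for illustration only; the key, nonces and messages are constructed values.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter).
    For illustration only; it is not a vetted stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream; applying it twice decrypts
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def demo() -> dict:
    key = bytes(range(32))            # constructed key
    p1 = b"wire 100 to acct 42"       # constructed messages of equal length
    p2 = b"wire 900 to acct 77"
    c1 = encrypt(key, b"nonce-0", p1)
    c2_reused = encrypt(key, b"nonce-0", p2)   # same key and nonce: same keystream
    c2_fresh = encrypt(key, b"nonce-1", p2)    # fresh nonce: new keystream
    return {
        "round_trip": encrypt(key, b"nonce-0", c1) == p1,
        # Keystream cancels out: the two ciphertexts alone reveal p1 XOR p2
        "reuse_leaks_xor": xor(c1, c2_reused) == xor(p1, p2),
        # Anyone who knows p1 then obtains p2 without ever learning the key
        "reuse_reveals_p2": xor(xor(c1, c2_reused), p1) == p2,
        "fresh_leaks_xor": xor(c1, c2_fresh) == xor(p1, p2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```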
20. Block Cipher Modes
• Electronic Codebook (ECB)
  – Simplest (deprecated and not recommended)
• Cipher Block Chaining (CBC)
  – Susceptible to pipeline delays
• Counter (CTM)
  – Converts a block cipher into a stream cipher
• Galois/Counter Mode (GCM)
  – Combines CTM with hashing techniques for integrity
21. Symmetric Encryption
• Uses the same key to encrypt and decrypt data
  – When transmitting encrypted data
    • Uses key to encrypt data before transmission
    • Uses same key to decrypt data when received
• Much more efficient encrypting large amounts of data than asymmetric encryption
• RADIUS uses symmetric encryption
22. Simple Symmetric Encryption Example
• Encryption algorithm uses substitution cipher
  – Move forward ____ spaces to encrypt
  – For example, move forward 3 spaces to encrypt
• Decryption algorithm
  – Move back ____ spaces to decrypt
  – For example, move back 3 spaces to decrypt
• With the key of 3
  – Message is PASS and encrypted it is SDVV
• ROT13 always uses a key of 13
23. Symmetric Encryption
• Obfuscation
  – Attempts to make something unclear
  – Security through obscurity (isn’t secure)
• Compare symmetric encryption to a door key
  – One key can lock door
  – Same key can unlock door
  – Copy of same key can lock or unlock door
24. Symmetric Encryption
• Advanced Encryption Standard (AES)
  – Fast, efficient, strong symmetric block cipher
  – 128-bit block cipher
  – Uses 128-bit, 192-bit, or 256-bit keys
• Widely used
  – Provides a high level of confidentiality
  – Selected in NIST competition
  – Adopted by U.S. Government
25. Symmetric Encryption
• Data Encryption Standard (DES)
  – 64-bit block cipher
  – Uses 56-bit keys and should not be used today
• 3DES
  – 64-bit block cipher
  – Originally designed as a replacement for DES
  – Uses multiple keys and multiple passes
  – Not as efficient as AES
  – 3DES is still used in some applications, such as when hardware doesn’t support AES
26. Symmetric Encryption
• RC4
  – Symmetric stream cipher
  – AES recommended instead of RC4
• Blowfish
  – 64-bit block cipher
  – Faster than AES in some situations
• Twofish
  – 128-bit block cipher
27. Symmetric Encryption
Algorithm | Encryption Type | Method | Key Size
AES | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key
3DES | Symmetric | 64-bit block cipher | 56-, 112-, or 168-bit key
Blowfish | Symmetric | 64-bit block cipher | 32- to 448-bit key
Twofish | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key
RC4* | Symmetric | Stream cipher | 40- to 2,048-bit key
DES* | Symmetric | 64-bit block cipher | 56-bit key
* Don’t use
28. Asymmetric Encryption
• Private Key / Public Key matched pair
  – One key encrypts, the other key decrypts
  – Only a private key can decrypt information encrypted with a matching public key
  – Only a public key can decrypt information encrypted with a matching private key
  – Private key stays private
  – Public key shared in a certificate
  – Asymmetric encryption methods require certificate and PKI
30. Asymmetric Encryption
• Rayburn box used to send secrets
  – Encryption
[Figure: Rayburn box, locked by one key and unlocked by the other key]
31. Asymmetric Encryption
• Rayburn box used for authentication
  – Digital signature
[Figure: Rayburn box, locked by one key and unlocked by the other key]
34. Asymmetric Encryption
• RSA
  – Rivest, Shamir, Adleman
  – Widely used to protect Internet traffic and email
  – Relies on mathematical properties of prime numbers when creating public and private keys
  – Public and private keys created as a matched pair
  – Keys commonly used with asymmetric encryption to privately share a symmetric key
35. Asymmetric Encryption
• Static keys
  – Semi-permanent
  – Stay the same over a long period of time
• Ephemeral keys
  – Short lifetimes
  – Re-created for each session
  – Perfect forward secrecy
36. Other Encryptions
• Elliptic curve cryptography (ECC)
  – Commonly used with small wireless devices
  – Uses smaller key sizes and requires less processing power
• Diffie-Hellman (DH)
  – Secure method of sharing symmetric keys over a public network
  – Diffie-Hellman Ephemeral (DHE)
  – Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
37. Other Encryptions
• Steganography
  – Hides data within data
    • Hides data by manipulating bits
    • Hides data within white space of a file
  – Security professionals use hashing to detect
  – Steganalysis
38. Using Cryptographic Protocols
• Email digital signatures
  – The sender’s private key encrypts (or signs)
  – The sender’s public key decrypts
• Email encryption
  – The recipient’s public key encrypts
  – The recipient’s private key decrypts
Knowing which key encrypts and which key decrypts will help you answer many questions
39. Using Cryptographic Protocols
• Website encryption
  – The website’s public key encrypts
    • It encrypts a symmetric key
  – The website’s private key decrypts
    • It decrypts a symmetric key
  – The symmetric key encrypts data in the website session
Knowing which key encrypts and which key decrypts will help you answer many questions
40. Digital Signature
• Encrypted hash of a message
  – The sender’s private key encrypts the hash
  – Recipient decrypts hash with sender’s public key
  – Provides
    • Authentication – identifies the sender
    • Non-repudiation – prevents the sender from denying the action
    • Integrity – verifies the message has not been modified
41. Digital Signature
• Signing email with a digital signature
[Figure: Lisa (sender) signs the message “I passed!”; the hash of the message is encrypted with the sender’s private key, and Bart (recipient) decrypts the encrypted hash with the sender’s public key]
42. Encrypting Email
• Using only asymmetric encryption (Not common)
  – Lisa retrieves a copy of Bart’s certificate that contains his public key
  – Lisa encrypts the email with Bart’s public key
  – Lisa sends the encrypted email to Bart
  – Bart decrypts the email with his private key
45. Encrypting Email
• Action on the client’s system
[Figure, steps 1 to 3: the secrets in the email are encrypted with a symmetric key (53), and the key is encrypted with the recipient’s public key]
46. Decrypting Email (cont)
[Figure, steps 4 and 5: the encrypted message and encrypted session key are sent from Lisa (sender) to Bart (recipient); the recipient decrypts the session key with the private key and then decrypts the message]
47. Protecting Email
• S/MIME and PGP/GPG
• Both:
  – Use RSA algorithm
  – Use public and private keys for encryption and decryption
  – Use certificates
  – Can digitally sign and encrypt email
    • Including email at rest and in transit
  – OpenPGP (PGP-based standard)
48. Transport Encryption
• Protects confidentiality of transmitted data
  – SSH, IPsec, HTTPS, SSL, and TLS
  – IPsec must use HMAC for authentication and integrity
  – IPsec can use either AES or 3DES for encryption
  – IPsec’s ESP encrypts the entire packet
  – Creates an additional IP header
49. TLS and SSL
• TLS is the replacement for SSL
  – SSL deprecated
  – Both require certificates issued by CAs
• TLS used in HTTPS
  – HTTPS uses a combination of symmetric and asymmetric encryption to encrypt HTTPS sessions
50. Encrypting HTTPS traffic with TLS
[Figure: TLS session setup between client and server]
• Client requests secure session
• Server responds with certificate
• Client creates symmetric key and encrypts it with public key
• Encrypted symmetric key sent to server
• Server decrypts symmetric key with private key
• The session is encrypted with the session key using symmetric encryption
52. Implementation vs Algorithm Selection
• Crypto module
  – A set of hardware, software, and/or firmware that implements cryptographic functions
  – Includes algorithms for encryption and hashing, key generation, and authentication techniques
• Crypto service providers
  – A software library of cryptographic standards and algorithms
  – Typically distributed within crypto modules
53. Downgrade Attacks
• Exploit weak implementations of cipher suites
• Uses weakest cipher suite available
• Padding Oracle On Downgraded Legacy Encryption (POODLE) attack
  – Downgraded to SSL
  – Allowed SSL attacks
54. Exploring PKI Components
• Public Key Infrastructure
  – Includes components required for certificates
  – Allows two entities to privately share symmetric keys without any prior communication
• Certificate Authority (CA)
  – Issues, manages, validates, and revokes certificates
56. Trusted Models
• Certificate chain
• Root CA
• Intermediate CAs
• Child CAs
• All certificates issued by trusted CAs are trusted
• Errors when a site uses an untrusted certificate
57. Trusted Models
• Most trust models are hierarchical and centralized with a central root CA
• Web-of-trust
  – Self-signed certificates
58. Registration
• Certificate signing request (CSR)
  – PKCS #10 format
  – Create the RSA-based private key, which is used to create the public key
  – Include the public key in the CSR
  – The CA will embed the public key in the certificate.
59. Revoking Certificates
• Reasons
  – Key or CA Compromise
  – Employee Leaves
  – Change of Affiliation
  – Superseded
  – Cease of Operation
  – Certificate Hold
• Revoked certificates
  – Revoked by serial number
  – Published in Certificate Revocation List (CRL)
  – Publicly available
64. Certificates
• OCSP Stapling
  – Signs OCSP response with digital signature
• Public key pinning
  – Helps prevent web site impersonation
65. Certificates
• Key escrow
  – Maintains a copy of a private key for recovery
  – Used if the original is lost
• Recovery Agent
  – Can recover user messages and data
  – In some cases, recovery agents can recover private keys from a key escrow
67. Certificate Types
• Wildcard
  • Same root domain
• Subject Alternative Name (SAN)
  • Different root domains, but same organization
• Domain validation
  • CA takes extra steps to contact requestor
• Extended validation
  • Additional steps beyond domain validation