Security Basics

The basic terminology widely used in the DRM and information security community.

Published in: Technology, Business


Guided Dictionary of Content Protection and Data Security Basics
This paper is referencing publicly available information such as WikipediA and others.

BASIC TERMS OF INFORMATION SECURITY AND CRYPTOGRAPHY

Any introduction to the subject of information security must include a discussion of confidentiality, integrity and availability. These three are also known as the CIA Triad.

Confidentiality
Information that is considered to be confidential in nature must only be accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose the information, and then only when there is a genuine need to access, use, copy or disclose the information. A breach of confidentiality occurs when information that is considered to be confidential in nature has been, or may have been, accessed, used, copied, or disclosed to, or by, someone who was not authorized to have access to the information.

Integrity
In information security, integrity means that data cannot be created, changed, or deleted without authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system). For example, a loss of integrity can occur when a database system is not properly shut down before maintenance is performed or the database server suddenly loses electrical power.

Availability
The concept of availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DoS).

Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected – the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication. After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization.

Identification
Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is John Doe." they are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe.

Authentication
Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.

In authentication, a piece of information used to verify a person's identity for security purposes is called an authentication factor. The authentication factors for humans are generally classified into four cases:
- Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition, unique bio-electric signals produced by the living body, or other biometric identifier)
- Something the user has (e.g., ID card, security token, software token or cell phone)
- Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))
- Something the user does (e.g., voice recognition, signature, or gait)
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used.

georgiysh@gmail.com Georgiy Shenderovich Page 1/9 http://www.linkedin.com/in/gsarch February 22, 2009
Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user who possesses the cryptographic key through the process of decryption. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage. Cryptography provides information security with other useful applications as well, including improved authentication methods like message digests, digital signatures and encrypted network communications.

Cryptographic Key
A key is a piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature schemes and keyed-hash functions (also known as MACs – message authentication codes), often used for authentication. For a well-designed algorithm, enciphering the same plaintext but with a different key should produce a totally different ciphertext. Similarly, decrypting ciphertext with the wrong key should produce random-looking gibberish. (For deniable encryption, two keys can produce two very different normal-looking plaintexts.) If the decryption key is lost, encrypted data should not in practice be recoverable — at least for high quality encryption algorithms and large enough key sizes.

Message Digest
A message digest function is used to turn input of arbitrary length into an output of fixed length. This output can then be used in place of the original input. This has many advantages. The output always has the same length, so this can be taken into account when processing or storing the message digest. Also, the output is much shorter than the input, so that processing and storing can be done much quicker. To make this work, a message digest function should have two properties:
- Given a particular message digest, it should be very difficult to find an input that has the same message digest.
- It should be very difficult to find two inputs that have the same message digest.
The first property prevents people from taking a particular digest and using it in connection with another message. You could publish a digest in a newspaper, which proves that you had access to the input message on that date. No one else can know the message, because of this first property. The second property means that if two inputs produce the same message digest, they must be the same input as well. Often the second requirement is taken even further: if a message is changed slightly, the message digest of the changed message should have changed a great deal.

Digital Signature
A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer. Digital signatures use asymmetric key algorithms and often use public key infrastructure (PKI) schemes in which the public key used in the signature scheme is tied to a user by a digital identity certificate issued by a certificate authority. PKI systems attempt to unbreakably bind user information (name, address, phone number, ...) to a public key. A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. For digital signatures, a message is hashed (using a cryptographic hash function) and the smaller "hash value" is signed; before verifying the signature, the recipient computes the hash of the message himself, and compares this hash value with the signed hash value to check the message has not been tampered with. Generally, digital signature schemes include three algorithms:
- A key generation algorithm
- A signing algorithm
- A verification algorithm
For example, consider a situation in which Bob sends a message to Alice and she wants to be certain it came from him. Bob sends his message to Alice, attaching a digital signature. The digital signature was generated using Bob's private key, and takes the form of a string of bits (normally represented as a string of characters (i.e., digits and letters)). On receipt, Alice can then check whether the message really came from Bob by running the verification algorithm on the message together with the signature, using Bob's public key. If they match, then Alice can be confident the message really was from Bob, because quality digital signature algorithms are so designed that it is very difficult to forge a signature to match a given message (unless one has knowledge of the private key, which Bob must keep secret). Digital signatures use encryption techniques but the algorithms are not typically suited for direct encryption of bulk plaintexts; more efficient methods are available. Of course a signed document may be sent encrypted over a public communication channel (e.g., the Internet) just as might be any other message. More usually, Bob first applies a quality
cryptographic hash function to the message, and then digitally signs the resulting hash. An insecure hash can compromise the digital signature. For example, if it is possible to generate hash collisions, it might be feasible to forge digital signatures. There are several reasons to sign such a hash (or message digest) instead of the whole document:
- For efficiency: the signature will be much shorter and thus save time, since hashing is generally much faster than signing in practice.
- The document is intended to be read by others: e.g., diplomas, birth certificates, identity certificates, driver's licenses, a contract establishing ownership of something, etc. These documents will be in cleartext, but an accompanying digital signature can be used to verify that they are neither forged nor altered.
- For integrity: without the hash function, the text "to be signed" must be split (separated) in blocks with a size shorter than the length of the private key. Then each block has to be signed and sent to the receiver. However, the receiver of the signed blocks is not able to recognize if one or more blocks have been erased during the transmission.

Asymmetric Key
Public key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can only be decrypted with the corresponding private key. The two main branches of public key cryptography are:
- public key encryption – a message encrypted with a user's public key cannot be decrypted by anyone except the user possessing the corresponding private key. This is used to ensure confidentiality.
- digital signatures – a message signed with a user's private key can be verified by anyone who has access to the user's public key, thereby proving that the user signed it and that the message has not been tampered with. This is used to ensure authenticity.

Public Key Infrastructure
PKI arrangements enable computer users to be authenticated to each other, and to use the information in identity certificates (i.e., each other's public keys) to encrypt and decrypt messages traveling to and from. In general, a PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance. Most enterprise-scale PKI systems rely on certificate chains to establish a party's identity, as a certificate may have been issued by a certificate authority computer whose 'legitimacy' is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy composed of, at a minimum, several computers, often more than one organization, and often assorted interoperating software packages from several sources. Standards are critical to PKI operation, and public standards are critical to PKIs intended for extensive operation. Much of the standardization in this area is done by the IETF PKIX working group. Enterprise PKI systems are often closely tied to an enterprise's directory scheme, in which each employee's public key is often stored (embedded in a certificate), together with other personal details (phone number, email address, location, department, ...). Today's leading directory technology is LDAP and in fact, the most common certificate format (X.509) stems from its use in LDAP's predecessor, the X.500 directory schema.

Digital Identity Certificate
In cryptography, a public key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together. A certificate typically includes:
- The public key being signed.
- A name, which can refer to a person, a computer or an organization.
- A validity period.
- The location (URL) of a revocation center.
- The digital signature of the certificate produced by the CA's private key.
The most common certificate standard is the ITU-T X.509. X.509 is being adapted to the Internet by the IETF PKIX working group.

Non-repudiation
In a cryptographic context, the word repudiation refers to the act of disclaiming responsibility for a message (i.e., claiming it was sent by some third party, certainly not me; "I repudiate this message and its contents!"). A message's recipient may insist the sender attach a signature in order to make later repudiation more difficult, since the recipient can show the signed message to a third party (e.g., a court) to reinforce a
claim as to its signatories and integrity. However, loss of control over a user's private key will mean that all digital signatures using that key, and so ostensibly 'from' that user, are suspect. Noticing that such a loss of control has occurred is not a cryptographic problem, but a human space one, and is unsolved. Short of special purpose protocols to address this issue, digital signatures alone cannot provide inherent non-repudiation.

Cryptographic Hash Function
In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint. In various standards and applications, the two most commonly used hash functions are MD5 and SHA-1. In 2005, security flaws were identified in both algorithms. Broadly speaking, a cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable. A cryptographic hash function is considered insecure if either of the following is computationally feasible:
- Finding a (previously unseen) message that matches a given digest
- Finding "collisions", wherein two different messages have the same message digest.
An attacker who can do either of these things might, for example, use them to substitute an unauthorized message for an authorized one. Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor would one want an attacker to be able to learn anything useful about a message given only its digest besides the digest itself.

Hash Function
A hash function (or hash algorithm) is a reproducible method of turning data (usually a message or a file) into a number suitable to be handled by a computer. These functions provide a way of creating a small digital "fingerprint" from any kind of data. The function chops and mixes (i.e., substitutes or transposes) the data to create the fingerprint, often called a hash value. The hash value is commonly represented in hexadecimal notation. A good hash function is one that yields few hash collisions in expected input domains. In hash tables and data processing, collisions inhibit the distinguishing of data, making records more costly to find. A fundamental property of all hash functions is that if two hashes (according to the same function) are different, then the two inputs are different in some way. This property is a consequence of hash functions being deterministic. On the other hand, a hash function is not injective, i.e. the equality of two hash values ideally strongly suggests, but does not guarantee, the equality of the two inputs. If a hash value is calculated for a piece of data, and then one bit of that data is changed, a hash function with a strong mixing property usually produces a completely different hash value.
One of the most important aspects of any cryptographic system is key management. Unfortunately, it is also the aspect which is most often neglected. A very common mistake is mixing different key types and reusing the same key for different purposes. According to NIST SP 800-57 there are the following types of keys:
- Private signature key – Private signature keys are the private keys of asymmetric (public) key pairs that are used by public key algorithms to generate digital signatures with possible long-term implications. When properly handled, private signature keys can be used to provide authentication, integrity and non-repudiation.
- Public signature verification key – A public signature verification key is the public key of an asymmetric (public) key pair that is used by a public key algorithm to verify digital signatures, either to authenticate a user's identity, to determine the integrity of the data, for non-repudiation, or a combination thereof.
- Symmetric authentication key – Symmetric authentication keys are used with symmetric key algorithms to provide assurance of the integrity and source of messages, communication sessions, or stored data.
- Private authentication key – A private authentication key is the private key of an asymmetric (public) key pair that is used with a public key algorithm to provide assurance as to the integrity of information, and the identity of the originating entity or the source of messages, communication sessions, or stored data.
- Public authentication key – A public authentication key is the public key of an asymmetric (public) key pair that is used with a public key algorithm to determine the integrity of information and to authenticate the identity of entities, or the source of messages, communication sessions, or stored data.
- Symmetric data encryption key – These keys are used with symmetric key algorithms to apply confidentiality protection to information.
- Symmetric key wrapping key – Symmetric key wrapping keys are used to encrypt other keys using symmetric key algorithms. Key wrapping keys are also known as key encrypting keys.
- Symmetric and asymmetric random number generation keys – These keys are used to generate random numbers by a pseudo-random number generator (PRNG) or a cryptographically secure pseudo-random number generator (CSPRNG).
- Symmetric master key – A symmetric master key is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.
- Private key transport key – Private key transport keys are the private keys of asymmetric (public) key pairs that are used to decrypt keys that have been encrypted with the associated public key using a public key algorithm. Key transport keys are usually used to establish keys (e.g., key wrapping keys, data encryption keys or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Public key transport key – Public key transport keys are the public keys of asymmetric (public) key pairs that are used to encrypt keys using a public key algorithm. These keys are used to establish keys (e.g., key wrapping keys, data encryption keys or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Symmetric key agreement key – These symmetric keys are used to establish keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors) using a symmetric key agreement algorithm.
- Private static key agreement key – Private static key agreement keys are the private keys of asymmetric (public) key pairs that are used to establish keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Public static key agreement key – Public static key agreement keys are the public keys of asymmetric (public) key pairs that are used to establish keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Private ephemeral key agreement key – Private ephemeral key agreement keys are the private keys of asymmetric (public) key pairs that are used only once to establish one or more keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Public ephemeral key agreement key – Public ephemeral key agreement keys are the public keys of asymmetric key pairs that are used in a single key establishment transaction to establish one or more keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
- Symmetric authorization key – Symmetric authorization keys are used to provide privileges to an entity using a symmetric cryptographic method. The authorization key is known by the entity responsible for monitoring and granting access privileges for authorized entities and by the entity seeking access to resources.
- Private authorization key – A private authorization key is the private key of an asymmetric (public) key pair that is used to provide privileges to an entity.
- Public authorization key – A public authorization key is the public key of an asymmetric (public) key pair that is used to verify privileges for an entity that knows the associated private authorization key.
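The key-separation rule above (never reuse one key for different purposes) and the symmetric master key entry, as an added example that is not code from the original deck: a master key is turned into separate data encryption, authentication and key wrapping keys with HKDF (RFC 5869) built from HMAC-SHA-256 in Python's standard library. The purpose labels, the context string and the master key bytes are constructed for the demo.

```python
# Added example (not from the original deck): deriving purpose-bound keys
# from one symmetric master key, so that the data encryption key, the
# authentication (MAC) key and the key wrapping key are never the same
# bits. HKDF (RFC 5869) built from HMAC-SHA-256 in the standard library.
import hashlib
import hmac

HASH_LEN = 32   # SHA-256 output size


def hkdf_extract(salt, ikm):
    """Extract step: condense input keying material into a pseudorandom key."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """Expand step: stretch the PRK into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key_set(master_key, context):
    """One master key in, three purpose-separated keys out. The purpose
    label passed as `info` is what keeps the keys distinct; `context`
    (e.g. a session or device identifier) acts as the salt. The labels
    below are constructed for this demo, not names from any standard."""
    prk = hkdf_extract(context, master_key)
    return {
        "data_encryption": hkdf_expand(prk, b"data-encryption-key", 32),
        "authentication": hkdf_expand(prk, b"symmetric-authentication-key", 32),
        "key_wrapping": hkdf_expand(prk, b"key-wrapping-key", 32),
    }


def keys_are_distinct(key_set):
    """Check that no two derived keys share the same bytes."""
    values = list(key_set.values())
    return len(values) == len(set(values))


if __name__ == "__main__":
    master = bytes(range(32))                      # constructed master key
    keys = derive_key_set(master, b"session-42")   # constructed context
    for purpose, key in keys.items():
        print(purpose, key.hex())
    print(keys_are_distinct(keys))   # True
```

Because the purpose label is mixed into the derivation, a component that holds only the authentication key learns nothing about the encryption key, and a compromise of one purpose's key does not hand over the others; the master key itself never leaves the key-derivation step.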
Pseudorandom Number Generator (PRNG)
A pseudorandom number generator (PRNG) is an algorithm that generates a sequence of numbers which are not truly random. The outputs of pseudorandom number generators only approximate some of the properties of random numbers. As John von Neumann put it, "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."
  6. 6. Guided Dictionary of Content Protection and Data Security Basics This paper is referencing publicly available information such as WikipediA and others Although truly random numbers are believed to be the reverse is not true. CSPRNG requirements fall into generatable using hardware random number generators, two groups: first, that their statistical properties are pseudo-random numbers are important in practice for good (passing statistical randomness tests); and simulations (e.g., of physical systems with the Monte secondly, that they hold up well under serious attack, Carlo method), and are central in the practice and so in even when part of their initial or running state becomes the theory of cryptography. Careful mathematical available to an attacker. Every CSPRNG should satisfy the quot;next-bit testquot;. analysis is required to have any confidence a PRNG The next-bit test is as follows: Given the first k generates numbers that are sufficiently quot;randomquot; to bits of a random sequence, there is no polynomial- suit the intended use. Most pseudo-random generator time algorithm that can predict the (k+1)th bit with algorithms produce sequences which are uniformly probability of success higher than 50%. Andrew distributed by any of several tests. Common classes of Yao proved in 1982 that a generator passing the these algorithms are linear congruent generators, next-bit test will pass all other polynomial-time lagged Fibonacci generators, linear feedback shift statistical tests for randomness. registers and generalized feedback shift registers. Every CSPRNG should withstand 'state Recent instances of pseudo-random algorithms include compromise extensions'. In the event that part or Blum Blum Shub, Fortuna, and the Mersenne twister. 
Cryptographically Secure Pseudorandom Number Generator (CSPRNG)

A cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) with properties that make it suitable for use in cryptography. Many aspects of cryptography require random numbers, for example:
- Key generation
- Nonces
- Salts in certain signature schemes, including ECDSA, RSASSA-PSS
- One-time pads

The "quality" of the randomness required for these applications varies. For example, creating a nonce in some protocols needs only uniqueness. On the other hand, generation of a master key requires a higher quality, such as more entropy. And in the case of one-time pads, the information-theoretic guarantee of perfect secrecy only holds if the key material is obtained from a true random source with high entropy.

Ideally, the generation of random numbers in CSPRNGs uses entropy obtained from a high quality source, which might be a hardware random number generator or perhaps unpredictable system processes, though unexpected correlations have been found in several such ostensibly independent processes. From an information theoretic point of view, the amount of randomness, the entropy that can be generated, is equal to the entropy provided by the system. But sometimes, in practical situations, more random numbers are needed than there is entropy available. Also, the processes to extract randomness from a running system are slow in actual practice. In such instances, a CSPRNG can sometimes be used. A CSPRNG can "stretch" the available entropy over more bits. When all the entropy we have is available before algorithm execution begins, we really have a stream cipher. However, some cryptosystem designs allow for the addition of entropy during execution, in which case it is not a stream cipher equivalent and cannot be used as one.

Stream cipher and CSPRNG design is thus closely related. The requirements of an ordinary PRNG are also satisfied by a cryptographically secure PRNG, but

all of its state has been revealed (or guessed correctly), it should be impossible to reconstruct the stream of random numbers prior to the revelation. Additionally, if there is an entropy input while running, it should be infeasible to use knowledge of the input's state to predict future conditions of the CSPRNG state.

Example: if the CSPRNG under consideration produces output by computing some function of the next digit of π, it may well be random, as π appears to be a random sequence. However, this does not satisfy the next-bit test, and thus is not cryptographically secure. There exist algorithms that will predict the next bit; examples include looking up digits or computing them ad hoc.

Most PRNGs are not suitable for use as CSPRNGs and will fail on both counts. First, while most PRNGs' outputs appear random to assorted statistical tests, they do not resist determined reverse engineering. Specialized statistical tests may be found, specially tuned to such a PRNG, that show the random numbers not to be truly random. Second, for most PRNGs, when their state has been revealed, all future random numbers can be predicted. CSPRNGs are designed explicitly to resist this type of cryptanalysis.

CSPRNG designs are divided into three classes: 1) those based on block ciphers, 2) those based upon 'hard' mathematical problems, and 3) special-purpose designs.

A secure block cipher can be converted into a CSPRNG by running it in counter mode. This is done by choosing a random key and encrypting a zero, then encrypting a 1, then encrypting a 2, etc. The counter can also be started at an arbitrary number other than zero. Obviously, the period will be 2^n for an n-bit block cipher; equally obviously, the initial values (i.e., key and "plaintext") must not become known to an attacker, otherwise all security might be lost through this good CSPRNG construction.

georgiysh@gmail.com Georgiy Shenderovich Page 6/9 http://www.linkedin.com/in/gsarch February 22, 2009
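As an added example (my code, not the paper's), here are the two block-cipher constructions the CSPRNG section describes in Go: the counter-mode generator above, and the ANSI X9.17 generator given in the next section, with AES-128 standing in for DES-EDE as Young and Yung suggest. Only Go's standard library is assumed; the key, seed and date/time values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// CTRBlocks is the counter-mode construction: AES-CTR over n all-zero blocks
// returns E_k(start), E_k(start+1), ...; the period is 2^128 blocks for AES.
func CTRBlocks(key []byte, start uint64, n int) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize) // the counter; may start anywhere
	binary.BigEndian.PutUint64(ctr[8:], start)
	out := make([]byte, n*aes.BlockSize) // zeros in, keystream blocks out
	cipher.NewCTR(b, ctr).XORKeyStream(out, out)
	return out, nil
}

// X917 is the ANSI X9.17 generator with AES-128 in place of DES-EDE (the
// change Young and Yung suggest): I = E_k(D); x = E_k(I xor s); s = E_k(x xor I).
type X917 struct {
	block cipher.Block
	seed  []byte // s: secret seed, replaced after every output
	i     []byte // I: encrypted date/time block
}

func NewX917(key, seed []byte, d time.Time) (*X917, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(seed) != aes.BlockSize {
		return nil, fmt.Errorf("seed must be %d bytes", aes.BlockSize)
	}
	dBlock := make([]byte, aes.BlockSize) // D at nanosecond resolution
	binary.BigEndian.PutUint64(dBlock, uint64(d.UnixNano()))
	g := &X917{block: b, seed: append([]byte(nil), seed...), i: make([]byte, aes.BlockSize)}
	g.block.Encrypt(g.i, dBlock) // I = E_k(D)
	return g, nil
}

// Next returns one 16-byte output x and advances the secret seed s.
func (g *X917) Next() []byte {
	tmp := make([]byte, aes.BlockSize)
	x := make([]byte, aes.BlockSize)
	subtle.XORBytes(tmp, g.i, g.seed)
	g.block.Encrypt(x, tmp) // x = E_k(I xor s)
	subtle.XORBytes(tmp, x, g.i)
	g.block.Encrypt(g.seed, tmp) // s = E_k(x xor I)
	return x
}

func main() {
	key := []byte("constructed-16B!") // constructed sample key, not for real use
	ks, _ := CTRBlocks(key, 0, 2)
	g, _ := NewX917(key, []byte("constructedseed!"), time.Now())
	fmt.Printf("ctr:  %x\nx917: %x\n", ks, g.Next())
}
```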
A cryptographically secure hash of a counter might also act as a good CSPRNG in some cases. In this case, it is necessary that the initial value of this counter is random and secret. If the counter is a bignum, then the CSPRNG could have an infinite period. However, there has been little study of these algorithms for use in this manner, and at least some authors warn against this use (Young and Yung, Malicious Cryptography, Wiley, 2004, sect. 3.2).

Most stream ciphers work by generating a pseudorandom stream of bits that are combined (almost always XORed) with the plaintext; this stream can sometimes be used as a good CSPRNG (though not always: see RC4 cipher).

One design in this class is included in the ANSI X9.17 standard (Financial Institution Key Management (wholesale)), and has been adopted as a FIPS standard as well. It works as follows:
- input: date/time information D (in the maximum resolution available), a 64-bit random seed s, and a DES EDE key k.
- compute: I = DES_k(D)
- output: each time a random number is required, output x = DES_k(I xor s), and update the seed s to DES_k(x xor I).

It has been suggested that this algorithm would be improved by using AES instead of DES (Young and Yung, op. cit., sect. 3.5.1).

Key Generation

Key generation is the process of generating keys for cryptography. A key is used to encrypt and decrypt whatever data is being encrypted/decrypted. Generally, with modern advanced cryptographic systems there are two keys: an encryption key and a decryption key. The encryption key can also be a public key and the decryption key can be the private key. This means that you can give someone else the public key and they can give you encrypted data that only you can decrypt with your private key. Most of the time these transactions go on behind the scenes when you log on to secure servers: logging on to your bank or using SSH, for example. So one might imagine that if these keys are simple or predictable then the process is pointless, so key generation needs to be difficult to predict. The better keys are usually randomly generated using a random number generator (RNG) or pseudorandom number generator (PRNG), the latter being a computer algorithm that produces data which appears random under analysis. Of the PRNGs, those which use system entropy to seed data generally produce better results. The other factor is key length: the more data in the key, the harder it is to analyze the data and discover the key.

Nonce

In security engineering, a nonce is a number or bit string used only once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonces are different each time that the 401 authentication challenge response code is presented, and each client request has a unique sequence number, thus making the replay attack virtually impossible. Some also refer to initialization vectors as nonces for the above reasons. To ensure that a nonce is used only once, it should be time-variant (including a suitably granular timestamp in its value), or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value. Some authors define pseudorandomness (or unpredictability) as a requirement for a nonce.

Initialization Vector

In cryptography, an initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a (usually lengthy) re-keying process. The size of the IV depends on the encryption algorithm and on the cryptographic protocol in use and is normally as large as the block or as large as the encryption key. The IV must be known to the recipient of the encrypted information to be able to decrypt it. There are a number of ways to ensure that: by transmitting the IV along with the packet, by agreeing on it beforehand during the key exchange or the handshake, by calculating it (usually incrementally), or by measuring such parameters as current time (used in hardware authentication tokens such as RSA SecurID, VASCO Digipass, etc.), IDs such as sender's and/or recipient's address or ID, file ID, the packet, sector or cluster number, etc. A number of variables can be combined or hashed together, depending on the protocol. If the IV is chosen at random, the cryptographer must take into consideration the probability of collisions, and if an incremental IV is used as a nonce, the algorithm's resistance to related-IV attacks must also be considered.

IVs are implemented differently in block ciphers and in stream ciphers. In straightforward operation of block ciphers, or so-called Electronic Code Book (ECB) mode, encryption of the same plaintext with the same key results in the same ciphertext, which is a considerable threat to security. Use of an initialization vector linearly added to (XORed with) the first block of plaintext, or included in front of the plaintext prior to encryption in one of the streaming modes of operation, resolves this problem. In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds is executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible, but because determining the minimal secure number of rounds for stream ciphers is not a trivial
task, and considering other issues such as entropy loss, unique to each cipher construction, related-IV and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research.

Salt

In cryptography, a salt consists of random bits used as one of the inputs to a key derivation function. Sometimes the initialization vector, a previously generated (preferably random) value, is used as a salt. The other input is usually a password or passphrase. The output of the key derivation function is often stored as the encrypted version of the password. A salt value can also be used as a key for use in a cipher or other cryptographic algorithm. A salt value is typically used in a hash function. The salt value may, or may not, be protected as a secret. In either case, the additional salt data makes it more difficult to conduct a dictionary attack against, for example, a password file, using pre-encryption of dictionary entries. Each bit of salt used doubles the amount of storage and computation required. In some protocols, the salt is transmitted as cleartext with the encrypted data, sometimes along with the number of iterations used in generating the key (for key strengthening). Cryptographic protocols which use salts include SSL and Ciphersaber. Early Unix systems used a 12-bit salt, but modern implementations use larger values. Salt is very closely related to the concept of nonce.

The modern shadow password system, in which password hashes and other security information are stored in a non-public file, somewhat mitigates these concerns. However, they remain relevant in multi-server installations which use centralized password management systems to "push" passwords or password hashes to multiple systems. In such installations, the "root" account on each individual system may be treated as less "trusted" than the administrators of the centralized password system, so it remains worthwhile to ensure that the security of the password hashing algorithm, including the generation of unique "salt" values, is adequate.

Salts also help protect against rainbow tables as they, in effect, extend the length and potentially the complexity of the password. If the rainbow tables do not have passwords of the length (e.g. an 8-byte password and a 2-byte salt is effectively a 10-byte password) and complexity (if the salts aren't alphanumeric, but the database only has alphanumeric passwords), then it will not be found. If found, one will have to remove the salt from the password before it can be used.

Salts also make dictionary attacks and brute-force attacks for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once, and compare it to all the hashes. However, with salts, all the passwords will likely have different salts; so each guess must be hashed separately for each salt, which is much slower since hashing is usually very expensive.

Another (lesser) benefit of a salt is as follows: two users might choose the same string as their password. Without a salt, this password would be stored as the same hash string in the password file. This would disclose the fact that the two users have the same password, allowing each user to access the other's account. By salting the password hashes with two random characters, even if two users choose the same password, they cannot discover that they have done so by reading the password file.

Key Derivation Function

A key derivation function (or KDF) is a cryptographic hash function which derives one or more secret keys from secret values and/or other known information. Key derivation functions are often used in conjunction with non-secret parameters to derive one or more keys from a common secret value. Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems. Key derivation functions are often used as components of multi-party key-agreement protocols. Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, and similar functions in ANSI X9.42.

Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate brute-force or dictionary attacks on the password or passphrase input value. Such use may be expressed as DK = KDF(Key, Salt, Iterations), where DK is the derived key, KDF is the key derivation function, Key is the original key or password, Salt is a random number which acts as cryptographic salt, and Iterations refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it isn't fixed) are stored with the hashed password or sent as plaintext with an encrypted message. The difficulty of a brute force attack increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging in to a computer or seeing a decrypted
message. The use of salt prevents the attackers from precomputing a dictionary of derived keys.

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as MD5 or SHA1, more salt (e.g. 64 bits) and a high iteration count (often 1000 or more). There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make custom hardware attacks more difficult to mount.

One-time Pad

In cryptography, the one-time pad (OTP) is an encryption algorithm where the plaintext is combined with a random key or "pad" that is as long as the plaintext and used only once. If the key is truly random, never reused, and kept secret, the one-time pad can be proven to be unbreakable. It has also been proven that any theoretically unbreakable cipher must use keys with the same requirements as OTP keys. One-time pads are used in pairs. The more copies of a given pad, the greater the likelihood is that one may be captured, in which case the system is completely broken. One copy of the pad is kept by each user, and pads must be exchanged via a secure channel. The pad is used by XORing every bit of the pad with every bit of the original message. Once the message is encoded with the pad, the pad is destroyed and the encoded message is sent. On the recipient's side, the encoded message is XORed with the duplicate copy of the pad and the plaintext message is generated.

The theoretical perfect security of the one-time pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities. These practical considerations of security and convenience have meant that the one-time pad is, in practice, little-used.

Contents
Confidentiality ... 1
Integrity ... 1
Availability ... 1
Identification ... 1
Authentication ... 1
Cryptographic Key ... 2
Message Digest ... 2
Digital Signature ... 2
Asymmetric Key ... 3
Public Key Infrastructure ... 3
Digital Identity Certificate ... 3
Non-repudiation ... 3
Cryptographic Hash Function ... 4
Hash Function ... 4
Pseudorandom Number Generator (PRNG) ... 5
Cryptographically Secure Pseudorandom Number Generator (CSPRNG) ... 6
Key Generation ... 7
Nonce ... 7
Initialization Vector ... 7
Salt ... 8
Key Derivation Function ... 8
One-time Pad ... 9
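As an added example (my code, not the paper's) of the point made in the Initialization Vector section above: straightforward block-cipher use (ECB) turns equal plaintext into equal ciphertext, XORing a fresh IV into the first block (CBC) removes that, and the recipient needs the sender's IV to decrypt. Only Go's standard library is assumed; the keys and messages used with it are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newBlock builds the AES cipher and checks data is a whole number of blocks.
func newBlock(key, data []byte) (cipher.Block, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data must be a whole number of 16-byte blocks")
	}
	return b, nil
}

// EncryptECB encrypts each block independently ("Electronic Code Book"): equal plaintext blocks give equal ciphertext.
func EncryptECB(key, msg []byte) ([]byte, error) {
	b, err := newBlock(key, msg)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg))
	for i := 0; i < len(msg); i += aes.BlockSize {
		b.Encrypt(out[i:i+aes.BlockSize], msg[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptCBC XORs the IV into the first plaintext block, and each ciphertext block
// into the next plaintext block, before encrypting: a fresh IV gives a different ciphertext.
func EncryptCBC(key, iv, msg []byte) ([]byte, error) {
	b, err := newBlock(key, msg)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, msg)
	return out, nil
}

// DecryptCBC is the recipient's side; it must be given the IV the sender used.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	b, err := newBlock(key, ct)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(out, ct)
	return out, nil
}

// NewIV draws one block from the OS CSPRNG; the IV is not secret, but it must never repeat under the same key.
func NewIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}
```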
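As an added example (my code, not the paper's) for the Salt and Key Derivation Function sections: the derivation DK = KDF(Key, Salt, Iterations) written out as PBKDF2 with HMAC-SHA256 as the sub-function, plus the store-and-verify step that keeps the non-secret salt and iteration count beside the derived key in place of the password. Only Go's standard library is assumed; the "iterations$salt$dk" record format is my own choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// PBKDF2 computes DK = KDF(Key, Salt, Iterations) as RFC 2898 defines it, with
// HMAC-SHA256 as the sub-function: T_i = U_1 xor ... xor U_c where
// U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}); DK = T_1 || T_2 || ...
func PBKDF2(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, dkLen)
	for block := uint32(1); len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// HashPassword stores "iterations$salt$dk" (salt and dk in hex): the salt and
// iteration count are not secret and are kept beside the derived key, which
// is what the password file holds instead of the password.
func HashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16) // 128-bit random salt, well above early Unix's 12 bits
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("%d$%x$%x", iterations, salt, dk), nil
}

// VerifyPassword re-derives DK with the stored salt and iteration count and
// compares in constant time.
func VerifyPassword(password, stored string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 3 {
		return false
	}
	iterations, err := strconv.Atoi(parts[0])
	salt, err2 := hex.DecodeString(parts[1])
	want, err3 := hex.DecodeString(parts[2])
	if err != nil || err2 != nil || err3 != nil || iterations < 1 || len(want) == 0 {
		return false
	}
	got := PBKDF2([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}
```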
