2. Learning Intentions
By the end of this lesson learners will be able to:
❏ Describe what is meant by Encryption
❏ Discuss the purpose of Digital Certificates and Digital Signatures
❏ Describe the purpose of server side validation of form data
3. Encryption
Encryption is when data is encoded into another form.
This means that even if data is intercepted then the data is meaningless until it is
deciphered using a key.
4. How encryption works
Lets look at a basic cypher
A Caesar(shift) cypher
A B C D E F G H I
Z A B C D E F G H I J
So DAD would be CZC
5. The Key
The key is the secret to encryption
Encryption
Key
Decryption
6. Encryption
There are two main methods to encrypt data
Symmetric Key - Secret Key
Asymmetric Key - Private key/public key
7. Symmetric Encryption
Data Encryption Standard (DES) was created in 1977
Used a 56 bit key
Approx. 72,000,000,000,000,000 combinations (256)
Advanced Encryption Standard (AES)
Used by the US government
Offers 128,192 or 256 bit encryption
2256 combinations (1.15e+77)
RSA (Ron Rivest, Adi Shamir and Leonard Adleman)
1024 - 2048 bit
10. Encryption and Digital Rights Management
CSS (Content Scramble System) encryption was used as the original Digital Rights
Management system on DVD’s in 1996
Used a 40 bit cipher
Compromised in 1999
11. Pros and Cons – Symmetric Encryption
✓ The key doesn’t have to be sent with the
message
✓ The system is usually more straight
forward/faster
✘ The key has to be installed with the receiver
before transmission
✘ If the key is compromised both sent AND
received messages can be decyphered
For Against
12. Asymmetric Key
Asymmetric Key or public key encryption is when there are two keys.
A public key is made freely available to anyone who might want to send you a
message.
A second, private key is kept secret and used to decrypt received mesages
14. Which key and when?
The sender uses the public key to:
Encrypt any messages to recipient
The recipient uses the private key to:
Decrypt any messages from sender
15. Pros and Cons – Asymmetric Encryption
✓ The Private key never needs to be distributed
✓ Can be used to implement digital signatures
✘ Is slower than symmetric encryption.
✘ It requires far more processing power to
encrypt and decrypt the content of the
message.
For Against
16. How do you get the keys?
To use asymmetric encryption then there has to be a way to distribute the public keys.
And to verify the authenticity of the sender
Digital Certificates are a useful tool for this.
17. Public Key Encryption & Malware
Some malware (ransomware) such as CryptoLocker will encrypt the contents of
infected machines
It uses RSA encryption
Will only decrypt the drive once payment has been made
The key is held on a private server
Further reading:
https://traxarmstrong.com/free-tool-remove-cryptorbit-ransomware/#gsc.tab=0
18. Basic RSA Encryption Example
To encrypt a message such as HELLO, we will first turn it into numbers
Our public key is 33,3
This consists of two prime numbers
H E L L O
8 5 12 12 15
19. RSA Encryption Example
Our public key is 33,3
So we raise the number to the power of 3
Original H E L L O
Original 8 5 12 12 15
^3 512 125 1,728 1,728 3,375
20. RSA Encryption Example
Our public key is 33,3
Then we will perform our number mod 33 (the remainder after dividing by 11)
Original H E L L O
Original 8 5 12 12 15
^3 512 125 1,728 1,728 3,375
%33 17 26 12 12 9
21. RSA Decryption Example
Our private key is 33,7
We will raise our number to the power of 7
Original H E L L O
Original 8 5 12 12 15
Cipher 17 26 12 12 9
^7 410338673 8031810176 35831808 35831808 4782969
22. RSA Decryption Example
Our private key is 33,7
Then we will perform our number mod 33 (the remainder after dividing by 11)
Original H E L L O
Original 8 5 12 12 15
Cipher 8 26 12 12 9
^7 410338673 8031810176 35831808 35831808 4782969
%33 8 5 12 12 15
24. How strong is the encryption?
The Key size is the size in bits of the key used in the algorithm that encrypts the data
Assume that a 40 bit key has been cracked
May have been brute forced
Then an example 128 bit key may only actually provide 88 bits of encryption
25. Cracking Encryption
512 bit keys were broken in 1999
Encryption has even been compromised by listening to the sound the CPU makes.
It was conducted with one of the co-inventors of the RSA algorithm
Further reading:
https://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-
toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu
26. Unbreakable codes?
There is a lot of research going on into Quantum cryptography
Relies on physics and not maths
Data is transmitted using light
The main theory behind this is that when the light is intercepted then it is changed
This uses Heisenberg's uncertainty principle
Image CC BY-SA 3.0
BigRiz -en:Wikipedia
27. Identifying yourself
In real life if you are proving your identity you can use multiple forms of ID
Passport
Drivers License
How can prove the identity of senders of emails/providers of websites?
28. Proving your identity
A digital certificate is the digital version of a passport or driving license
They are issued by a central certification authority
Many digital certificates conform to the X.509 standard.
Can contain the following information
❏ Public Key
❏ Owners Name
❏ Expiration and Issuer
29. Digital Signatures
A digital signature is a method of ensuring that a message is authentic (unaltered)
1. You obtain a message hash
A mathematical summary of the contents of the message
2. You can encrypt this message hash with your private key
3. This ‘signature’ is attached to a message
31. How long to crack a digital
certificate?
https://www.digicert.com/TimeTravel/
32. Hashing
In Feb 2017 - Google broke the SHA1 hashing system
Further reading: https://security.googleblog.com/2017/02/announcing-first-sha1-
collision.html
The computations involved in this was::
❏ Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
❏ 6,500 years of CPU computation to complete the attack first phase
❏ 110 years of GPU computation to complete the second phase
33. Moving on from SHA1
MD5 (1992) produces 128 bit outputs
SHA-0 (1993) produces 160 bit outputs
SHA-1 (1995) produces 160 bit outputs
SHA-2 (2001) produces 224-512 bit outputs
Further reading:
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
http://borjournals.com/a/index.php/jecas/article/viewFile/1807/1127
34. At the other side
1. The recipient has to apply the same mathematical hash of the received message
2. The encrypted message hash is then decrypted
3. If both of the hashes match then the message is valid and authentic
MD5 Hash Generator:
http://www.md5.cz
36. Computer Misuse Act
This has 3 main sections
1. Unauthorised access to computer material.
Basic Hacking. Getting access to a system without permission.
2. Unauthorised access with intent to commit or facilitate commission of further
offences
Helping to commit a crime.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing,
operation of computer, etc.
Expert Hacking. Modification of data without permission, planting viruses,
deletion or modification of other users files.
37. Section 1- Unauthorised access to computer material
June 2015 - Norwich
Teaching Assistant hacked into the school email system at Ormiston Victory Academy
and used pupil's account to send email "There will be a bomb in school Monday".
Guilty plea to one count of communicating false information and one count of
unauthorised computer access.
Sentence: 15 months imprisonment
October 2015
Former Met Police detective used Police computer systems for 230 searches between
2009 and 2013 for private use.
Sentence: 9 months in prison.
38. Section 2- Unauthorised access with intent
For example, if you penetrated a bank's computer system intending to move £10,000 to
another account, you would still be guilty of an offence under section 2.
July 2015
Senior Internal Auditor at Morrisons supermarket accessed and uploaded confidential
personal data of nearly 100,000 employees to newspaper and data sharing websites.
Data breach cost the company more than £2m to rectify.
Sentence: 8 years
39. Aiding a Crime
Authorised US American Express credit analyst gained access to unauthorised credit
card accounts and PINs.
Accomplice Allison used forged Amex cards in London in ATM machines US$ 1M fraud.
40. Section 3 –Unauthorised or reckless acts
A person is guilty of an offence if:
he does any unauthorised act in relation to a computer
Offences could be:
❏ to impair the operation of any computer;
❏ to prevent or hinder access to any program or data held in any computer
❏ to impair the operation of any such program or the reliability of any such data
❏ to enable any of the things mentioned in the above bullet points
41. Section 3 –Unauthorised or reckless acts
Aug 2015
Revenge attacks by ex-Director on former network security company Esselar and its
client Aviva over five months. 900 Aviva employees' phones hacked. Esselar Twitter
account defaced. Esselar lost the Aviva contract.
Pleaded guilty to four counts of unauthorised or reckless acts with intent to impair
computer operation. Actions had "damaged confidence and reputations in a way that
can be far-reaching and serious".
Sentence: 18 months.
Other cases can be found at:
http://www.computerevidence.co.uk/Cases/CMA.htm
42. Subsections
Unauthorised acts causing, or creating risk of, serious damage
Such as damage to:
❏ human welfare
❏ environment of any place
❏ economy of any country
❏ national security of any country
Making, supplying or obtaining articles for use in offence
Such as creating software viruses etc.
43. Penalties Under The Act
Gaining unauthorised access (or trying to):
Up to 12 months and/or a £5,000 fine
Above + intent to commit further offences:
Up to 10 years and/or fine
Causing unauthorised modifications:
Up to 5 years and/or fine
44. Computer Misuse Act
What if your phone’s voicemail was hacked?
More cases:
http://www.computerevidence.co.uk/Cases/CMA.htm
Editor's Notes
R v Bow Street Magistrates Court and Allison ex parte Government of USAHouse of Lords 05/08/1999 The Times 7 September 1999; [1999] 4 All E R 1; [1999] 3 WLR 620; [1999] Masons CLR 380 [1998] 3 WLR 1156; [1998] Masons CLR 234; The Times 2 June 1998. [1999] C&L Oct/Nov, 21 Computer Misuse Act 1990, ss 1, 2, 15, 17(5) Unauthorised access - Authority - Meaning of "control access" in s 17(5) - Extradition – ConspiracyAuthorised US American Express credit analyst gained access to unauthorised credit card accounts and PINs. Accomplice Allison used forged Amex cards in London in ATM US$ 1M fraud. Held - unauthorised access applies to the use of a computer to obtain unauthorised access to data. "Hacking" held to refer to all forms of unauthorised access whether by insiders or outsiders. Comments of House of Lords in R v Bignell on meaning of "control access" in Computer Misuse Act 1990 s.17 (5) distinguished. Habeas corpus denied.
http://www.theregister.co.uk/2012/07/02/ebanking_fraudsters_jailed/Pavel Cyganok was jailed for five years. Ilja Zakrevski for four years.
http://www.theregister.co.uk/2012/07/02/ebanking_fraudsters_jailed/Pavel Cyganok was jailed for five years. Ilja Zakrevski for four years.