ISA 3100 CHP 8

Digital Signature Standard

(DSS)

asymmetric encryption or public key encryption

-A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.

Some applications hide messages in

.bmp, .wav, .mp3, and .au files, as well as in unused space on CDs and DVDs

Typical PKI solution protects the transmission and reception of secure information by integrating:

A certificate authority (CA) A registration authority (RA) Certificate directories Management protocols Policies and procedures

A typical PKI solution protects the transmission and reception of secure information by integrating the following components:

A certificate authority (CA), which issues, manages, authenticates, signs, and revokes users' digital certificates. These certificates typically contain the user name, public key, and other identifying information. A registration authority (RA), which handles certification functions such as verifying registration information, generating end-user keys, revoking certificates, and validating user certificates, in collaboration with the CA. Certificate directories, which are central locations for certificate storage that provide a single access point for administration and distribution. Management protocols, which organize and manage communications among CAs, RAs, and end users. This includes the functions and procedures for setting up new users, issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of certificates and status information among the parties involved in the PKI's area of authority. Policies and procedures, which assist an organization in the application and management of certificates, in the formalization of legal liabilities and limitations, and in actual business use.

Private key encryption or symmetric encryption -

A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.

transposition cipher

A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher.

Vernam cipher

A cryptographic technique developed at AT&T and known as the "one-time pad," this cipher uses a set of characters for encryption operations only one time and then discards it.

exclusive OR operation (XOR)

A function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1

Diffie-Hellman key exchange-

A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.

secret key-

A key that can be used in symmetric encryption both to encipher and decipher the message.

message authentication code (MAC)-

A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.

Secure Electronic Transactions (SET) -

A protocol developed by credit card companies to protect against electronic payment fraud.

Secure Sockets Layer (SSL)-

A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.

Secure Multipurpose Internet Mail Extensions (S/MIME)-

A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.

Link Encryption:

A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts the message using different keys and sends it to the next neighbor. This process continues until the message reaches the final destination.

Secure Hash Standard (SHS) -

A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.

Privacy-Enhanced Mail (PEM) -

A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.

polyalphabetic substitutions -

A substitution cipher that incorporates two or more alphabets in the encryption process.

monoalphabetic substitution-

A substitution cipher that only incorporates a single alphabet in the encryption process.

message digest or hash value-

A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value.

Cryptographic Tools Potential areas of use include:

Ability to conceal the contents of sensitive messages Verify the contents of messages and the identities of their senders

Asymmetric Encryption

Also known as public-key encryption Uses two different but related keys Either key can encrypt or decrypt message

Vigenère cipher -

An advanced type of substitution cipher that uses a simple polyalphabetic code.

substitution cipher-

An encryption method in which one value is substituted for another.

Bit Stream Cipher:

An encryption method that involves converting plaintext to ciphertext one bit at a time.

Block Cipher:

An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.

Secure HTTP (S-HTTP) -

An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.

Public key infrastructure (PKI)-

An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates

Timing Attacks

Attacker eavesdrops during victim's session Uses statistical analysis of user's typing patterns and inter-keystroke timings to discern sensitive session information Can be used to gain information about encryption key and possibly cryptosystem in use

Dictionary Attacks

Attacker encrypts every word in a dictionary using same cryptosystem used by target

PKI protects information assets in several ways:

Authentication Integrity Privacy Authorization Nonrepudiation

Correlation Attacks

Collection of brute-force methods that attempt to deduce statistical relationships between structure of unknown key and ciphertext

Digital Signatures

Created in response to rising need to verify information transferred using electronic systems

There are a number of popular symmetric encryption cryptosystems. One of the most widely known is the

Data Encryption Standard (DES)

Man-in-the-Middle Attack

Designed to intercept transmission of public key or insert known key structure in place of requested public key

Vernam Cipher

Developed at AT&T,Uses set of characters once per encryption process

IPSec uses several different cryptosystems

Diffie-Hellman key exchange for deriving key material between peers on a public network

IPSec combines several different cryptosystems:

Diffie-Hellman; public key cryptography; bulk encryption algorithms; digital certificates

Transposition Cipher

Easy to understand, but if properly used, produces ciphertext that is difficult to decipher

Digital Certificates

Electronic document containing key value and identifying information about entity that controls key

Digital signatures-

Encrypted message components that can be mathematically proven as authentic.

If Key A encrypts message, only Key B can decrypt

Highest value when one key serves as private key and the other serves as public key

In IPSec,

IP layer security obtained by use of application header (AH) protocol or encapsulating security payload (ESP) protocol

Securing TCP/IP with

IPSec

encapsulating security payload (ESP) protocol -

In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.

application header (AH) protocol -

In IPSec, a protocol that provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication.

transport mode-

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

tunnel mode -

In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.

certificate revocation list (CRL) -

In PKI, a published list of revoked or terminated digital certificates.

certificate authority (CA)-

In PKI, a third party that manages users' digital certificates.

registration authority (RA)-

In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.

Public-Key Infrastructure (PKI)

Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely

session keys-

Limited-use symmetric keys for temporary communications during an online session.

Algorithm is the mechanical process of:

Looking up the references from the ciphertext, Converting each reference to a word by using the ciphertext's value and the key

Hash functions-

Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity.

Hash Functions

Mathematical algorithms that generate message summary/digest to confirm message identity and confirm no content has changed

Diffie-Hellman Key Exchange method:

Most common hybrid system Provided foundation for subsequent developments in public-key encryption

Cryptographic Algorithms

Often grouped into two broad categories, symmetric and asymmetric

Steganography

Process of hiding information Has been in use for a long time Most popular modern version hides information within files appearing to contain digital pictures or other images

Hash algorithms-

Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.

Digital certificates-

Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.

Next Generation Wireless Protocols:

Robust Secure Networks (RSN), AES - Counter Mode Encapsulation, AES - Offset Codebook Encapsulation

S-HTTP is the application of

SSL over HTTP Allows encryption of information passing between computers through protected and secure virtual connection

Decipher:

See Decryption.

Encipher:

See Encryption.

Substitution Cipher

Substitute one value for another

Different client-server applications use different types of digital certificates to accomplish their assigned functions, as follows:

The CA application suite issues and uses certificates (keys) that identify and establish a trust relationship with a CA to determine what additional certificates can be authenticated. Mail applications use Secure/Multipurpose Internet Mail Extension (S/MIME) certificates for signing and encrypting e-mail as well as for signing forms. Development applications use object-signing certificates to identify signers of object-oriented code and scripts. Web servers and Web application servers use Secure Sockets Layer (SSL) certificates to authenticate servers via the SSL protocol in order to establish an encrypted SSL session. The SSL protocol is explained later in this chapter.

Digital Signature Standard (DSS) -

The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme.

Work Factor:

The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.

Advanced Encryption Standard (AES) -

The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen.

Keyspace:

The entire range of values that can be used to construct an individual key.

Key or Cryptovariable:

The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext. Sometimes called a cryptovariable.

Algorithm:

The mathematical formula or method used to convert an unencrypted message into an encrypted message. This sometimes refers to the programs that enable the cryptographic processes.

Plaintext or Cleartext:

The original unencrypted message that is encrypted and is the result of successful decryption.

To perform Vernam Cipher:

The pad values are added to numeric values that represent the plaintext that needs to be encrypted, Each character of the plaintext is turned into a number and a pad value for that position is added, The resulting sum for that character is then converted back to a ciphertext letter for transmission, If the sum of the two values exceeds 26, then 26 is subtracted from the total

IP Security (IPSec) -

The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including virtual private networks.

Decryption:

The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext). Also referred to as deciphering.

Encryption:

The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext). Also referred to as enciphering.

Code:

The process of converting components (words or phrases) of an unencrypted message into encrypted components.

Steganography:

The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.

nonrepudiation -

The process of reversing public-key encryption to verify that a message was sent by the sender and thus cannot be refuted.

Ciphertext or Cryptogram:

The unintelligible encrypted or encoded message resulting from an encryption.

Symmetric Encryption

Uses same "secret key" to encipher and decipher message

Book or Running Key Cipher

Uses text in book as key to decrypt a message

Cipher:

When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see decipher and encipher); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.

Vigenère cipher:

advanced cipher type that uses simple polyalphabetic code; made up of 26 distinct cipher alphabets

RSA

algorithm

Once encryption successfully broken,

attacker may launch a replay attack (an attempt to resubmit recording of deciphered authentication to gain entry into secure source)

From victim's perspective, encrypted communication appears to be occurring normally, but in fact,

attacker receives each encrypted message, decodes, encrypts, and sends to originally intended recipient

Web clients use client SSL certificates to

authenticate users, sign forms, and participate in single sign-on solutions via SSL.

PGP security solution provides six services:

authentication by digital signatures; message encryption; compression; e-mail compatibility; segmentation; key management

Freeware and low-cost commercial PGP versions are

available for many platforms

Plaintext can be encrypted through bit stream or

block cipher method

Attempts to gain unauthorized access to secure communications have used

brute force attacks (ciphertext attacks)

Secure Multipurpose Internet Mail Extensions (S/MIME):

builds on Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication

Bluetooth:

can be exploited by anyone within approximately 30 foot range, unless suitable security controls are implemented

Establishment of public keys with digital signatures

can prevent traditional man-in-the-middle attack

Digital certificates signed by a

certificate authority to act as digital ID cards

Digital signature attached to certificate's container file to

certify file is from entity it claims to be from

Ciphertext contains

codes representing page, line, and word numbers

Function of Boolean algebra; two bits are

compared If two bits are identical, result is binary 0 If two bits not identical, result is binary 1

Encryption:

converting original message into a form unreadable by unauthorized individuals

Rearranges values within a block to

create ciphertext

Triple DES (3DES):

created to provide security far beyond DES

Wi-Fi Protected Access (WPA and WPA2):

created to resolve issues with WEP

Tools must embody

cryptographic capabilities so that they can be applied to the everyday world of computing

IPSec designed to protect

data integrity, user confidentiality, and authenticity at IP packet level

Secure Electronic Transactions (SET):

developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud Uses DES to encrypt credit card information transfers Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores

Advanced Encryption Standard (AES):

developed to replace both DES and 3DES

Typical sources are

dictionaries and thesauruses

As the number of threats to the Internet grew, so

did the need for additional security measures

Different client-server applications use

different types of digital certificates to accomplish their assigned functions

Asymmetric encryption processes used to create

digital signatures

Bit stream:

each plaintext bit transformed into cipher bit one bit at a time

Wired Equivalent Privacy (WEP):

early attempt to provide security with the 8002.11 network protocol

Bulk encryption algorithms for

encrypting the data

Both sender and receiver must possess

encryption key If either copy of key is compromised, an intermediate can decrypt and read messages

Secure Hypertext Transfer Protocol (S-HTTP):

extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet

Today's popular cryptosystems use

hybrid combination of symmetric and asymmetric algorithms

Pretty Good Privacy (PGP):

hybrid cryptosystem designed in 1991 by Phil Zimmermann Combined best available cryptographic algorithms to become open source de facto standard for encryption and authentication of e-mail and file storage applications

Public key cryptography for signing the Diffie- Hellman exchanges to guarantees

identity

For cryptosystems, security of encrypted data is not dependent on

keeping encrypting algorithm secret

Strength of many encryption applications and cryptosystems measured by

key size

Attacker may alternatively conduct

known-plaintext attack or selected-plaintext attach schemes

No matter how sophisticated encryption and cryptosystems have become, if key is discovered,

message can be determined

Block cipher:

message divided into blocks (e.g., sets of 8- or 16-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key

Polyalphabetic substitution:

more advanced; uses two or more alphabets

Differential and linear cryptanalysis have been used to

mount successful attacks

A very simple symmetric cipher that is used in many applications where security is

not a defined requirement

Much of the software currently used to protect the confidentiality of information are

not true cryptosystems They are applications to which cryptographic protocols have been added Particularly true of Internet protocols

Except with digital certificates, pure asymmetric key encryption

not widely used

Data Encryption Standard (DES):

one of most popular symmetric encryption cryptosystems 64-bit block size; 56-bit key Adopted by NIST in 1976 as federal standard for encrypting non-classified information

Internet Protocol Security (IPSec):

open source protocol to secure communications across any IP- based network

Key management is not so much management of technology but rather management of

people

Cryptography:

process of making and using codes to secure transmission of information

Cryptanalysis:

process of obtaining original message from encrypted message without knowing algorithms

Privacy Enhanced Mail (PEM):

proposed as standard to function with public-key cryptosystems; uses 3DES symmetric key encryption

PKI systems based on

public-key cryptosystems

Hash algorithms:

publicly known functions that create hash value Use of keys not required Message authentication code (MAC), however, may be attached to a message Used in password verification systems to confirm identity of user

Dictionary attacks can be successful when the ciphertext consists of

relatively few characters (e.g., usernames, passwords)

Encryption methods can be extremely efficient,

requiring minimal processing

Cryptology:

science of encryption; combines cryptography and cryptanalysis

Only defense is

selection of strong cryptosystems, thorough key management, and strict adherence to best practices of cryptography in frequency of changing keys

Cryptosystem security depends on keeping

some or all of elements of cryptovariable(s) or key(s) secret

Asymmetric encryption more often used with

symmetric key encryption, creating hybrid system

Can be done at

the bit level or at the byte (character) level

There are two methods of encrypting plaintext:

the bit stream method or the block cipher method

To make the encryption even stronger,

the keys and block sizes can be made much larger

Decryption:

the process of converting the ciphertext message back into plaintext

Nonrepudiation:

the process that verifies the message was sent by the sender and thus cannot be refuted

Symmetric and asymmetric algorithms distinguished by

types of keys used for encryption and decryption operations

Distinguished name (DN):

uniquely identifies a certificate entity

Pretty Good Privacy (PGP):

uses IDEA Cipher for message encoding

Monoalphabetic substitution:

uses only one alphabet

Secure Socket Layer (SSL) protocol:

uses public key encryption to secure channel over public Internet

When using ciphers, size of cryptovariable or key is

very important