ISA 3100 CHP 8
Digital Signature Standard
(DSS)
asymmetric encryption or public key encryption
-A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.
Some applications hide messages in
.bmp, .wav, .mp3, and .au files, as well as in unused space on CDs and DVDs
Typical PKI solution protects the transmission and reception of secure information by integrating:
A certificate authority (CA) A registration authority (RA) Certificate directories Management protocols Policies and procedures
A typical PKI solution protects the transmission and reception of secure information by integrating the following components:
A certificate authority (CA), which issues, manages, authenticates, signs, and revokes users' digital certificates. These certificates typically contain the user name, public key, and other identifying information. A registration authority (RA), which handles certification functions such as verifying registration information, generating end-user keys, revoking certificates, and validating user certificates, in collaboration with the CA. Certificate directories, which are central locations for certificate storage that provide a single access point for administration and distribution. Management protocols, which organize and manage communications among CAs, RAs, and end users. This includes the functions and procedures for setting up new users, issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of certificates and status information among the parties involved in the PKI's area of authority. Policies and procedures, which assist an organization in the application and management of certificates, in the formalization of legal liabilities and limitations, and in actual business use.
Private key encryption or symmetric encryption -
A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.
transposition cipher
A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher.
Vernam cipher
A cryptographic technique developed at AT&T and known as the "one-time pad," this cipher uses a set of characters for encryption operations only one time and then discards it.
exclusive OR operation (XOR)
A function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1
Diffie-Hellman key exchange-
A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.
secret key-
A key that can be used in symmetric encryption both to encipher and decipher the message.
message authentication code (MAC)-
A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.
Secure Electronic Transactions (SET) -
A protocol developed by credit card companies to protect against electronic payment fraud.
Secure Sockets Layer (SSL)-
A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.
Secure Multipurpose Internet Mail Extensions (S/MIME)-
A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
Link Encryption:
A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts the message using different keys and sends it to the next neighbor. This process continues until the message reaches the final destination.
Secure Hash Standard (SHS) -
A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.
Privacy-Enhanced Mail (PEM) -
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
polyalphabetic substitutions -
A substitution cipher that incorporates two or more alphabets in the encryption process.
monoalphabetic substitution-
A substitution cipher that only incorporates a single alphabet in the encryption process.
message digest or hash value-
A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value.
Cryptographic Tools Potential areas of use include:
Ability to conceal the contents of sensitive messages Verify the contents of messages and the identities of their senders
Asymmetric Encryption
Also known as public-key encryption Uses two different but related keys Either key can encrypt or decrypt message
Vigenère cipher -
An advanced type of substitution cipher that uses a simple polyalphabetic code.
substitution cipher-
An encryption method in which one value is substituted for another.
Bit Stream Cipher:
An encryption method that involves converting plaintext to ciphertext one bit at a time.
Block Cipher:
An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.
Secure HTTP (S-HTTP) -
An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.
Public key infrastructure (PKI)-
An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates
Timing Attacks
Attacker eavesdrops during victim's session Uses statistical analysis of user's typing patterns and inter-keystroke timings to discern sensitive session information Can be used to gain information about encryption key and possibly cryptosystem in use
Dictionary Attacks
Attacker encrypts every word in a dictionary using same cryptosystem used by target
PKI protects information assets in several ways:
Authentication Integrity Privacy Authorization Nonrepudiation
Correlation Attacks
Collection of brute-force methods that attempt to deduce statistical relationships between structure of unknown key and ciphertext
Digital Signatures
Created in response to rising need to verify information transferred using electronic systems
There are a number of popular symmetric encryption cryptosystems. One of the most widely known is the
Data Encryption Standard (DES)
Man-in-the-Middle Attack
Designed to intercept transmission of public key or insert known key structure in place of requested public key
Vernam Cipher
Developed at AT&T,Uses set of characters once per encryption process
IPSec uses several different cryptosystems
Diffie-Hellman key exchange for deriving key material between peers on a public network
IPSec combines several different cryptosystems:
Diffie-Hellman; public key cryptography; bulk encryption algorithms; digital certificates
Transposition Cipher
Easy to understand, but if properly used, produces ciphertext that is difficult to decipher
Digital Certificates
Electronic document containing key value and identifying information about entity that controls key
Digital signatures-
Encrypted message components that can be mathematically proven as authentic.
If Key A encrypts message, only Key B can decrypt
Highest value when one key serves as private key and the other serves as public key
In IPSec,
IP layer security obtained by use of application header (AH) protocol or encapsulating security payload (ESP) protocol
Securing TCP/IP with
IPSec
encapsulating security payload (ESP) protocol -
In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
application header (AH) protocol -
In IPSec, a protocol that provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication.
transport mode-
In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
tunnel mode -
In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.
certificate revocation list (CRL) -
In PKI, a published list of revoked or terminated digital certificates.
certificate authority (CA)-
In PKI, a third party that manages users' digital certificates.
registration authority (RA)-
In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
Public-Key Infrastructure (PKI)
Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely
session keys-
Limited-use symmetric keys for temporary communications during an online session.
Algorithm is the mechanical process of:
Looking up the references from the ciphertext, Converting each reference to a word by using the ciphertext's value and the key
Hash functions-
Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity.
Hash Functions
Mathematical algorithms that generate message summary/digest to confirm message identity and confirm no content has changed
Diffie-Hellman Key Exchange method:
Most common hybrid system Provided foundation for subsequent developments in public-key encryption
Cryptographic Algorithms
Often grouped into two broad categories, symmetric and asymmetric
Steganography
Process of hiding information Has been in use for a long time Most popular modern version hides information within files appearing to contain digital pictures or other images
Hash algorithms-
Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.
Digital certificates-
Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
Next Generation Wireless Protocols:
Robust Secure Networks (RSN), AES - Counter Mode Encapsulation, AES - Offset Codebook Encapsulation
S-HTTP is the application of
SSL over HTTP Allows encryption of information passing between computers through protected and secure virtual connection
Decipher:
See Decryption.
Encipher:
See Encryption.
Substitution Cipher
Substitute one value for another
Different client-server applications use different types of digital certificates to accomplish their assigned functions, as follows:
The CA application suite issues and uses certificates (keys) that identify and establish a trust relationship with a CA to determine what additional certificates can be authenticated. Mail applications use Secure/Multipurpose Internet Mail Extension (S/MIME) certificates for signing and encrypting e-mail as well as for signing forms. Development applications use object-signing certificates to identify signers of object-oriented code and scripts. Web servers and Web application servers use Secure Sockets Layer (SSL) certificates to authenticate servers via the SSL protocol in order to establish an encrypted SSL session. The SSL protocol is explained later in this chapter.
Digital Signature Standard (DSS) -
The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme.
Work Factor:
The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.
Advanced Encryption Standard (AES) -
The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen.
Keyspace:
The entire range of values that can be used to construct an individual key.
Key or Cryptovariable:
The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext. Sometimes called a cryptovariable.
Algorithm:
The mathematical formula or method used to convert an unencrypted message into an encrypted message. This sometimes refers to the programs that enable the cryptographic processes.
Plaintext or Cleartext:
The original unencrypted message that is encrypted and is the result of successful decryption.
To perform Vernam Cipher:
The pad values are added to numeric values that represent the plaintext that needs to be encrypted, Each character of the plaintext is turned into a number and a pad value for that position is added, The resulting sum for that character is then converted back to a ciphertext letter for transmission, If the sum of the two values exceeds 26, then 26 is subtracted from the total
IP Security (IPSec) -
The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including virtual private networks.
Decryption:
The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext). Also referred to as deciphering.
Encryption:
The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext). Also referred to as enciphering.
Code:
The process of converting components (words or phrases) of an unencrypted message into encrypted components.
Steganography:
The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.
nonrepudiation -
The process of reversing public-key encryption to verify that a message was sent by the sender and thus cannot be refuted.
Ciphertext or Cryptogram:
The unintelligible encrypted or encoded message resulting from an encryption.
Symmetric Encryption
Uses same "secret key" to encipher and decipher message
Book or Running Key Cipher
Uses text in book as key to decrypt a message
Cipher:
When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see decipher and encipher); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.
Vigenère cipher:
advanced cipher type that uses simple polyalphabetic code; made up of 26 distinct cipher alphabets
RSA
algorithm
Once encryption successfully broken,
attacker may launch a replay attack (an attempt to resubmit recording of deciphered authentication to gain entry into secure source)
From victim's perspective, encrypted communication appears to be occurring normally, but in fact,
attacker receives each encrypted message, decodes, encrypts, and sends to originally intended recipient
Web clients use client SSL certificates to
authenticate users, sign forms, and participate in single sign-on solutions via SSL.
PGP security solution provides six services:
authentication by digital signatures; message encryption; compression; e-mail compatibility; segmentation; key management
Freeware and low-cost commercial PGP versions are
available for many platforms
Plaintext can be encrypted through bit stream or
block cipher method
Attempts to gain unauthorized access to secure communications have used
brute force attacks (ciphertext attacks)
Secure Multipurpose Internet Mail Extensions (S/MIME):
builds on Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication
Bluetooth:
can be exploited by anyone within approximately 30 foot range, unless suitable security controls are implemented
Establishment of public keys with digital signatures
can prevent traditional man-in-the-middle attack
Digital certificates signed by a
certificate authority to act as digital ID cards
Digital signature attached to certificate's container file to
certify file is from entity it claims to be from
Ciphertext contains
codes representing page, line, and word numbers
Function of Boolean algebra; two bits are
compared If two bits are identical, result is binary 0 If two bits not identical, result is binary 1
Encryption:
converting original message into a form unreadable by unauthorized individuals
Rearranges values within a block to
create ciphertext
Triple DES (3DES):
created to provide security far beyond DES
Wi-Fi Protected Access (WPA and WPA2):
created to resolve issues with WEP
Tools must embody
cryptographic capabilities so that they can be applied to the everyday world of computing
IPSec designed to protect
data integrity, user confidentiality, and authenticity at IP packet level
Secure Electronic Transactions (SET):
developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud Uses DES to encrypt credit card information transfers Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores
Advanced Encryption Standard (AES):
developed to replace both DES and 3DES
Typical sources are
dictionaries and thesauruses
As the number of threats to the Internet grew, so
did the need for additional security measures
Different client-server applications use
different types of digital certificates to accomplish their assigned functions
Asymmetric encryption processes used to create
digital signatures
Bit stream:
each plaintext bit transformed into cipher bit one bit at a time
Wired Equivalent Privacy (WEP):
early attempt to provide security with the 8002.11 network protocol
Bulk encryption algorithms for
encrypting the data
Both sender and receiver must possess
encryption key If either copy of key is compromised, an intermediate can decrypt and read messages
Secure Hypertext Transfer Protocol (S-HTTP):
extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet
Today's popular cryptosystems use
hybrid combination of symmetric and asymmetric algorithms
Pretty Good Privacy (PGP):
hybrid cryptosystem designed in 1991 by Phil Zimmermann Combined best available cryptographic algorithms to become open source de facto standard for encryption and authentication of e-mail and file storage applications
Public key cryptography for signing the Diffie- Hellman exchanges to guarantees
identity
For cryptosystems, security of encrypted data is not dependent on
keeping encrypting algorithm secret
Strength of many encryption applications and cryptosystems measured by
key size
Attacker may alternatively conduct
known-plaintext attack or selected-plaintext attach schemes
No matter how sophisticated encryption and cryptosystems have become, if key is discovered,
message can be determined
Block cipher:
message divided into blocks (e.g., sets of 8- or 16-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key
Polyalphabetic substitution:
more advanced; uses two or more alphabets
Differential and linear cryptanalysis have been used to
mount successful attacks
A very simple symmetric cipher that is used in many applications where security is
not a defined requirement
Much of the software currently used to protect the confidentiality of information are
not true cryptosystems They are applications to which cryptographic protocols have been added Particularly true of Internet protocols
Except with digital certificates, pure asymmetric key encryption
not widely used
Data Encryption Standard (DES):
one of most popular symmetric encryption cryptosystems 64-bit block size; 56-bit key Adopted by NIST in 1976 as federal standard for encrypting non-classified information
Internet Protocol Security (IPSec):
open source protocol to secure communications across any IP- based network
Key management is not so much management of technology but rather management of
people
Cryptography:
process of making and using codes to secure transmission of information
Cryptanalysis:
process of obtaining original message from encrypted message without knowing algorithms
Privacy Enhanced Mail (PEM):
proposed as standard to function with public-key cryptosystems; uses 3DES symmetric key encryption
PKI systems based on
public-key cryptosystems
Hash algorithms:
publicly known functions that create hash value Use of keys not required Message authentication code (MAC), however, may be attached to a message Used in password verification systems to confirm identity of user
Dictionary attacks can be successful when the ciphertext consists of
relatively few characters (e.g., usernames, passwords)
Encryption methods can be extremely efficient,
requiring minimal processing
Cryptology:
science of encryption; combines cryptography and cryptanalysis
Only defense is
selection of strong cryptosystems, thorough key management, and strict adherence to best practices of cryptography in frequency of changing keys
Cryptosystem security depends on keeping
some or all of elements of cryptovariable(s) or key(s) secret
Asymmetric encryption more often used with
symmetric key encryption, creating hybrid system
Can be done at
the bit level or at the byte (character) level
There are two methods of encrypting plaintext:
the bit stream method or the block cipher method
To make the encryption even stronger,
the keys and block sizes can be made much larger
Decryption:
the process of converting the ciphertext message back into plaintext
Nonrepudiation:
the process that verifies the message was sent by the sender and thus cannot be refuted
Symmetric and asymmetric algorithms distinguished by
types of keys used for encryption and decryption operations
Distinguished name (DN):
uniquely identifies a certificate entity
Pretty Good Privacy (PGP):
uses IDEA Cipher for message encoding
Monoalphabetic substitution:
uses only one alphabet
Secure Socket Layer (SSL) protocol:
uses public key encryption to secure channel over public Internet
When using ciphers, size of cryptovariable or key is
very important