23-03-2011, 11:24 AM
[attachment=10806]
• Essential Terms
• Cryptography
• Encryption
Plain text à Cipher text
• Decryption
Cipher text à Plain text
• Cryptanalysis
• Cryptology
• Information Security for…
• Defending against external/internal hackers
• Defending against industrial espionage
• Securing E-commerce
• Securing bank accounts/electronic transfers
• Securing intellectual property
• Avoiding liability
• Threats to Information Security
• Pervasiveness of email/networks
• Online storage of sensitive information
• Insecure technologies (e.g. wireless)
• Trend towards paperless society
• Weak legal protection of email privacy
• Types of Secret Writing
• Steganography
• Steganography – covered writing – is an art of hiding information
• Popular contemporary steganographic technologies hide information in images
• Hiding information in pictures
• Retrieving information from pictures
• Digital Watermarks
• Types of Secret Writing
• Public Key Cryptography
• Private (symmetric, secret) key – the same key used for encryption/decryption
• Problem of key distribution
• Public (asymmetric) key cryptography – a public key used for encryption and private key for decryption
• Key distribution problem solved
• Currently Available Crypto Algorithms (private key)
• DES (Data Encryption Standard) and derivatives: double DES and triple DES
• IDEA (International Data Encryption Standard)
• Blowfish
• RC5 (Rivest Cipher #5)
• AES (Advance Encryption Standard)
• Currently Available Crypto Algorithms (public key)
• RSA (Rivest, Shamir, Adleman)
• DH (Diffie-Hellman Key Agreement Algorithm)
• ECDH (Elliptic Curve Diffie-Hellman Key Agreement Algorithm)
• RPK (Raike Public Key)
• Currently Available Technologies
PGP (Pretty Good Privacy) – a hybrid encryption technology
– Message is encrypted using a private key algorithm (IDEA)
– Key is then encrypted using a public key algorithm (RSA)
– For file encryption, only IDEA algorithm is used
– PGP is free for home use
• Authentication and Digital Signatures
• Preventing impostor attacks
• Preventing content tampering
• Preventing timing modification
• Preventing repudiation
By:
• Encryption itself
• Cryptographic checksum and hash functions
• Digital Signatures
• Made by encrypting a message digest (cryptographic checksum) with the sender’s private key
• Receiver decrypts with the sender’s public key (roles of private and public keys are flipped)
• PKI and CA
• Digital signature does not confirm identity
• Public Key Infrastructure provides a trusted third party’s confirmation of a sender’s identity
• Certification Authority is a trusted third party that issues identity certificates
• Problems with CAs and PKI
• Who gave CA the authority to issue certificates? Who made it “trusted”?
• What good are the certificates?
• What if somebody digitally signed a binding contract in your name by hacking into your system?
• How secure are CA’s practices? Can a malicious hacker add a public key to a CA’s directory?
• Currently Available Technologies
• MD4 and MD5 (Message Digest)
• SHA-1 (Secure Hash Algorithm version 1)
• DSA (The Digital Signature Algorithm)
• ECDSA (Elliptic Curve DSA)
• Kerberos
• OPS (Open Profiling Standard)
• VeriSign Digital IDs
• JAVA and XML Cryptography
• java.security package includes classes used for authentication and digital signature
• javax.crypto package contains Java Cryptography Extension classes
• XML makes it possible to encrypt or digitally sign parts of a message, different encryption for different recipients, etc.
• XML Crypto Document
• XML Crypto document
• Benefits of Cryptographic Technologies
• Data secrecy
• Data integrity
• Authentication of message originator
• Electronic certification and digital signature
• Non-repudiation
• Potential Problems with Cryptographic Technologies?
• False sense of security if badly implemented
• Government regulation of cryptographic technologies/export restrictions
• Encryption prohibited in some countries
• How Secure are Today’s Technologies?
• $250,000 machine cracks 56 bit key DES code in 56 hours
• IDEA, RC5, RSA, etc. resist complex attacks when properly implemented
• distributed.net cracked 64 bit RC5 key (1,757 days and 331,252 people) in July, 2002
• A computer that breaks DES in 1 second will take 149 trillion years to break AES!
• Algorithms are not theoretically unbreakable: successful attacks in the future are possible
• How Secure are Today’s Technologies?
• Encryption does not guarantee security!
• Many ways to beat a crypto system NOT dependent on cryptanalysis, such as:
• Viruses, worms, hackers, etc.
• TEMPEST attacks,
• Unauthorized physical access to secret keys
• Cryptography is only one element of comprehensive computer security
• The Future of Secret Writing
Quantum cryptanalysis
– A quantum computer can perform practically unlimited number of simultaneous computations
– Factoring large integers is a natural application for a quantum computer (necessary to break RSA)
– Quantum cryptanalysis would render ALL modern cryptosystems instantly obsolete
– When will it happen?
• 2004 – 10-qubit special purpose quantum computer available
• 2006 – factoring attacks on RSA algorithm
• 2010 through 2012 – intelligence agencies will have quantum computers
• 2015 – large enterprises will have quantum computers
Source: The Gartner Group
• What is to be done?
The Gartner Group recommends:
• Develop migration plans to stronger crypto by 2008
• Begin implementation in 2010
• The Future of Secret Writing (continued)
Quantum encryption
– No need for a quantum computer
– A key cannot be intercepted without altering its content
– It is theoretically unbreakable
– Central problem is transmitting a quantum message over a significant distance
– Houston Resources
University of Houston
− Crypto courses
− Ernst Leiss
Rice University: Computer Science Dept
− Crypto research and offers crypto training
− Dan Wallach (security of WAP, WEP, etc.)
Companies
− EDS
− RSA Security
− Schlumberger
− SANS Institute