Cryptography and PKI for Cryptography and PKI for Passive SecurityPassive Security
Rafal LukawieckiRafal Lukawiecki
Strategic Consultant, Project Botticelli LtdStrategic Consultant, Project Botticelli Ltd
22
ObjectivesObjectives
Overview the basis of passive security Overview the basis of passive security mechanisms that primarily protect the mechanisms that primarily protect the data layerdata layer: : cryptographycryptography
Discuss all currently used algorithms from an IT Discuss all currently used algorithms from an IT Professional’s perspectiveProfessional’s perspective
Make some simple recommendationsMake some simple recommendations
Warn against typical misconceptions and weak Warn against typical misconceptions and weak algorithmsalgorithms
33
Session AgendaSession Agenda
Foundational ConceptFoundational Concept
Common AlgorithmsCommon Algorithms
PKI and SignaturesPKI and Signatures
RecommendationsRecommendations
44
Foundational Foundational ConceptsConcepts
55
Defense in DepthDefense in Depth
Policies, Procedures, & Awareness
Policies, Procedures, & Awareness
Physical SecurityPhysical Security
PerimeterPerimeter
Internal NetworkInternal Network
HostHost
ApplicationApplication
DataData
66
What is Really Secure?What is Really Secure?
Look for systemsLook for systems
From well-know partiesFrom well-know parties
With published (not secret!) algorithmsWith published (not secret!) algorithms
That generate a lot of interestThat generate a lot of interest
That have been hacked for a few yearsThat have been hacked for a few years
That have been analysed mathematicallyThat have been analysed mathematically
Absolutely Absolutely do notdo not “improve” algorithms yourself “improve” algorithms yourself
Unless this is your specialityUnless this is your speciality
77
Don’t Take Crypto For GrantedDon’t Take Crypto For Granted
Classic failures:Classic failures:
DVD content encryptionDVD content encryption
GSMGSM
WiFiWiFi
Good example of mis-use of crypto with WEPGood example of mis-use of crypto with WEP
Followed by a round of fixes, such as Mirosoft 802.1xFollowed by a round of fixes, such as Mirosoft 802.1x
Finally followed by a more reasonable solution, WPAFinally followed by a more reasonable solution, WPA
88
Symmetric Key CryptographySymmetric Key Cryptography
EncryptionEncryption
““The quick The quick brown fox brown fox jumps over jumps over the lazy the lazy dog”dog”
““AxCv;5bmEseTfid3)AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwifGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!r3:dkJeTsY8R\s@!q3%”q3%”
““The quick The quick brown fox brown fox jumps over jumps over the lazy the lazy dog”dog”
DecryptionDecryption
Plain-text inputPlain-text input Plain-text outputPlain-text outputCipher-textCipher-text
Same keySame key(shared secret)(shared secret)
99
Symmetric Pros and ConsSymmetric Pros and Cons
Strength:Strength:
Simple and really very fast (order of 1000 to 10000 Simple and really very fast (order of 1000 to 10000 faster than asymmetric mechanisms)faster than asymmetric mechanisms)
Super-fast (and somewhat more secure) if done in Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)hardware (DES, Rijndael)
Weakness:Weakness:
Must agree the key beforehandMust agree the key beforehand
Securely pass the key to the other partySecurely pass the key to the other party
1010
Public Key CryptographyPublic Key Cryptography
Knowledge of the Knowledge of the encryptionencryption key doesn’t give key doesn’t give you knowledge of the you knowledge of the decryptiondecryption key key
Receiver of information generates a pair of keys Receiver of information generates a pair of keys
Publish the public key in a directoryPublish the public key in a directory
Then anyone can send him messages that only Then anyone can send him messages that only she can readshe can read
1111
Public Key EncryptionPublic Key Encryption
EncryptionEncryption
““The quick The quick brown fox brown fox jumps over jumps over the lazy the lazy dog”dog”
““Py75c%bn&*)9|Py75c%bn&*)9|fDe^bDFaq#xzjFr@gfDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’r5=&nmdFg$5knvMd’rkvegMs”kvegMs”
““The quick The quick brown fox brown fox jumps over jumps over the lazy the lazy dog”dog”
DecryptionDecryption
Clear-text InputClear-text Input Clear-text OutputClear-text OutputCipher-textCipher-text
DifferentDifferent keys keys
Recipient’s Recipient’s public keypublic key
Recipient’s Recipient’s private keyprivate key
privatprivatee
publicpublic
1212
Public Key Pros and ConsPublic Key Pros and Cons
Weakness:Weakness:
Extremely slowExtremely slow
Susceptible to “known ciphertext” attackSusceptible to “known ciphertext” attack
Problem of trusting public key (see later on PKI)Problem of trusting public key (see later on PKI)
StrengthStrength
Solves problem of passing the keySolves problem of passing the key
Allows establishment of trust context between Allows establishment of trust context between partiesparties
1313
Hybrid Encryption (Real World)Hybrid Encryption (Real World)
As above, repeated As above, repeated for other recipientsfor other recipientsor recovery agentsor recovery agents
DigitalDigitalEnvelopeEnvelope
Other recipient’s or Other recipient’s or agent’s agent’s publicpublic key key (in certificate)(in certificate)in recovery policyin recovery policy
Launch keyLaunch keyfor nuclearfor nuclear
missile missile ““RedHeat” RedHeat”
is...is...
Symmetric key Symmetric key encrypted asymmetrically encrypted asymmetrically
(e.g., RSA)(e.g., RSA)
Digital Digital EnvelopeEnvelope
User’sUser’spublicpublic key key(in certificate)(in certificate)
RNGRNG
Randomly-Randomly-Generated Generated symmetricsymmetric“session” key “session” key
SymmetricSymmetric encryption encryption(e.g. DES)(e.g. DES)
*#$fjda^j*#$fjda^ju539!3tu539!3t
t389E *&\@t389E *&\@5e%32\^kd5e%32\^kd
1414
*#$fjda^j*#$fjda^ju539!3tu539!3t
t389E *&\@t389E *&\@5e%32\^kd5e%32\^kd
Launch keyLaunch keyfor nuclearfor nuclear
missile missile ““RedHeat” RedHeat”
is...is...
Launch keyLaunch keyfor nuclearfor nuclear
missile missile ““RedHeat” RedHeat”
is...is...
SymmetricSymmetricdecryption decryption (e.g. DES)(e.g. DES)
Digital Digital EnvelopeEnvelope
Asymmetric Asymmetric decryption of decryption of
“session” key (e.g. RSA)“session” key (e.g. RSA)
Symmetric Symmetric “session” key“session” key
Session key must be Session key must be decrypted using the decrypted using the recipient’s recipient’s private private keykey
Digital envelope Digital envelope contains “session” contains “session” key encrypted key encrypted using recipient’s using recipient’s public keypublic key
Recipient’s Recipient’s privateprivate keykey
Hybrid DecryptionHybrid Decryption
1515
Common AlgorithmsCommon Algorithms
1616
DES, IDEA, RC2, RC5, TwofishDES, IDEA, RC2, RC5, TwofishSymmetricSymmetric
DES (Data Encryption Standard) is still the most popularDES (Data Encryption Standard) is still the most popular
Keys very short: 56 bitsKeys very short: 56 bits
Brute-force attack took 3.5 hours on a machine costing US$1m in Brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done real-time1993. Today it is done real-time
Triple DES (3DES) more secure, but better options aboutTriple DES (3DES) more secure, but better options about
Just say no, unless value of data is minimalJust say no, unless value of data is minimal
IDEA (International Data Encryption Standard)IDEA (International Data Encryption Standard)
Deceptively similar to DES, and “not” from NSADeceptively similar to DES, and “not” from NSA
128 bit keys128 bit keys
RC2 & RC5 (by R. Rivest)RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994) - similar to DES and IDEARC2 is older and RC5 newer (1994) - similar to DES and IDEA
Blowfish, TwofishBlowfish, Twofish
B. Schneier’s replacement for DES, followed by Twofish, one of the B. Schneier’s replacement for DES, followed by Twofish, one of the NIST competition finalistsNIST competition finalists
1717
Rijndael (AES)Rijndael (AES)
Standard replacement for DES for US government, and, Standard replacement for DES for US government, and, probably for all of us as a result…probably for all of us as a result…
Winner of the AES (Advanced Encryption Standard) Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and competition run by NIST (National Institute of Standards and Technology in US) in 1997-2000Technology in US) in 1997-2000
Comes from Europe (Belgium) by Joan Daemen and Vincent Comes from Europe (Belgium) by Joan Daemen and Vincent Rijmen. “X-files” stories less likely (unlike DES). Rijmen. “X-files” stories less likely (unlike DES).
Symmetric block-cipher (128, 192 or 256 bits) with Symmetric block-cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too)variable keys (128, 192 or 256 bits, too)
Fast and a lot of good properties, such as good immunity Fast and a lot of good properties, such as good immunity from timing and power (electric) analysisfrom timing and power (electric) analysis
Construction, again, deceptively similar to DES (S-Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but boxes, XORs etc.) but reallyreally different different
1818
CAST and GOSTCAST and GOST
CASTCAST
Canadians Carlisle Adams & Stafford TavaresCanadians Carlisle Adams & Stafford Tavares
64 bit key and 64 bit of data64 bit key and 64 bit of data
Chose your S-boxesChose your S-boxes
Seems resistant to differential & linear cryptanalysis and only Seems resistant to differential & linear cryptanalysis and only way to break is brute force (but key is a bit short!)way to break is brute force (but key is a bit short!)
GOSTGOST
Soviet Union’s “version” of DES but with a clearer design and Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the processmany more repetitions of the process
256 bit key but really 610 bits of secret, so pretty much “tank 256 bit key but really 610 bits of secret, so pretty much “tank quality”quality”
Backdoor? Who knows…Backdoor? Who knows…
1919
Use CryptosystemsUse Cryptosystems
Indeed: never use just an algorithm, but an entire Indeed: never use just an algorithm, but an entire cryptosystemcryptosystem
For example:For example:
If you use DES etc. in a simple “loop” to encrypt a stream of If you use DES etc. in a simple “loop” to encrypt a stream of data you literally lose all securitydata you literally lose all security
Instead: use a technique designed for adapting an algorithm to Instead: use a technique designed for adapting an algorithm to a streams of data, such as CBC (Cipher Block Chaining)a streams of data, such as CBC (Cipher Block Chaining)
In turn, this means you have to select and transmit an In turn, this means you have to select and transmit an Initialization Vector (IV) – how?Initialization Vector (IV) – how?
Use a well-known cryptosystem for itUse a well-known cryptosystem for it
Microsoft never implement just an algorithm – always a Microsoft never implement just an algorithm – always a complete cryptosystem, e.g. RSA-OAEP etc.complete cryptosystem, e.g. RSA-OAEP etc.
2020
Dangerous ImplementationsDangerous Implementations
Cryptographic applications from not-well-known Cryptographic applications from not-well-known sourcessources
““Just downloaded libraries” used by your in-Just downloaded libraries” used by your in-house developershouse developers
Insist on using built-in systems where possible:Insist on using built-in systems where possible:
Microsoft OS: CAPI, CAPICOM, MS CSP etc.Microsoft OS: CAPI, CAPICOM, MS CSP etc.
Smartcards: built-in well-known CSPsSmartcards: built-in well-known CSPs
Elsewhere: FIPS-compliant implementationsElsewhere: FIPS-compliant implementations
2121
RC4RC4
SymmetricSymmetricFast, streaming encryptionFast, streaming encryption
R. Rivest in 1994R. Rivest in 1994Originally secret, but “published” on sci.cryptOriginally secret, but “published” on sci.crypt
Related to “one-time pad”, theoretically most secureRelated to “one-time pad”, theoretically most secure
But!But!
It relies on a really good random number generatorIt relies on a really good random number generatorAnd that is the problemAnd that is the problem
Nowadays, we tend to use block ciphers in modes of Nowadays, we tend to use block ciphers in modes of operation that work for streamsoperation that work for streams
2222
RSA, DSA, ElGamal, ECCRSA, DSA, ElGamal, ECCAsymmetricAsymmetric
Very slow and computationally expensive – need a computerVery slow and computationally expensive – need a computer
Very secureVery secure
Rivest, Shamir, Adleman – 1978Rivest, Shamir, Adleman – 1978Popular and well researchedPopular and well researched
Strength in today’s inefficiency to factorise into prime numbersStrength in today’s inefficiency to factorise into prime numbers
Some worries about key generation process in some implementationsSome worries about key generation process in some implementations
DSA (Digital Signature Algorithm) – NSA/NIST thingDSA (Digital Signature Algorithm) – NSA/NIST thingOnly for digital signing, not for encryptionOnly for digital signing, not for encryption
Variant of Schnorr and ElGamal sig algorithmVariant of Schnorr and ElGamal sig algorithm
ElGamalElGamalRelies on complexity of discrete logarithmsRelies on complexity of discrete logarithms
ECC (Elliptic Curve Cryptography)ECC (Elliptic Curve Cryptography)Really hard maths and topologyReally hard maths and topology
Improves RSA (and others)Improves RSA (and others)
2323
Quantum CryptographyQuantum Cryptography
Method for generating and passing a secret key or a random streamMethod for generating and passing a secret key or a random stream
Not for passing the actual data, but that’s irrelevantNot for passing the actual data, but that’s irrelevant
Polarisation of light (photons) can be detected only in a way that Polarisation of light (photons) can be detected only in a way that destroys the “direction” (basis)destroys the “direction” (basis)
So if someone other than you observes it, you receive nothing useful So if someone other than you observes it, you receive nothing useful and you know you were buggedand you know you were bugged
Perfectly doable over up-to-120km dedicated long fibre-optic linkPerfectly doable over up-to-120km dedicated long fibre-optic link
Seems pretty perfect, if a bit tedious and slowSeems pretty perfect, if a bit tedious and slow
Practical implementations still use AES/DES etc. for actual encryptionPractical implementations still use AES/DES etc. for actual encryption
Magiq QPN: Magiq QPN: http://www.magiqtech.com/press/qpn.pdfhttp://www.magiqtech.com/press/qpn.pdf
Don’t confuse it with quantum computing, which won’t be with us for Don’t confuse it with quantum computing, which won’t be with us for at least another 50 years or so, or maybe longer…at least another 50 years or so, or maybe longer…
2424
MD5, SHAMD5, SHA
Hash functions – part of the digital signatureHash functions – part of the digital signature
Goals:Goals:
Not reversible: can’t obtain the message from its hashNot reversible: can’t obtain the message from its hash
Hash much shorter than original messageHash much shorter than original message
Two messages won’t have the same hashTwo messages won’t have the same hash
MD5 (R. Rivest)MD5 (R. Rivest)
512 bits hashed into 128512 bits hashed into 128
Mathematical model still unknownMathematical model still unknown
Recently (July 2004) broken, do not use on its ownRecently (July 2004) broken, do not use on its own
SHA (Secure Hash Algorithm)SHA (Secure Hash Algorithm)
US standard based on MD5US standard based on MD5
SHA-0 broken (July 2004), SHA-1 probably too weak (partly broken), SHA-0 broken (July 2004), SHA-1 probably too weak (partly broken), use use SHA-256 at leastSHA-256 at least
2525
Diffie-Hellman, “SSL”, CertsDiffie-Hellman, “SSL”, Certs
Methods for key generation and exchangeMethods for key generation and exchange
DH is clever since you always generate a new “key-pair” DH is clever since you always generate a new “key-pair” for each asymmetric sessionfor each asymmetric session
STS, MTI, and certs make it even saferSTS, MTI, and certs make it even safer
Certs (certificates) are the most common way to Certs (certificates) are the most common way to exchange public keysexchange public keys
Foundation of Public Key Infrastructure (PKI)Foundation of Public Key Infrastructure (PKI)
SSL uses a protocol to exchange keys safelySSL uses a protocol to exchange keys safely
See laterSee later
2626
CryptanalysisCryptanalysis
Brute forceBrute force
Good for guessing passwords, and some 40-bit symmetric keys (in Good for guessing passwords, and some 40-bit symmetric keys (in some cases needed only 27 attempts)some cases needed only 27 attempts)
Frequency analysisFrequency analysis
For very simple methods only (US mobiles)For very simple methods only (US mobiles)
Linear cryptanalysisLinear cryptanalysis
For stronger DES-like, needs 243 plain-cipher pairsFor stronger DES-like, needs 243 plain-cipher pairs
Differential cryptanalysisDifferential cryptanalysis
Weaker DES-like, needs from 214 pairsWeaker DES-like, needs from 214 pairs
Power and timing analysisPower and timing analysis
Fluctuations in response times or power usage by CPUFluctuations in response times or power usage by CPU
Useful for breaking a stolen smartcardUseful for breaking a stolen smartcard
2727
Breaking It on $10 MillionBreaking It on $10 Million
Symme-tric Symme-tric KeyKey
ECC KeyECC Key RSA KeyRSA Key Time to Time to BreakBreak
MachinesMachines MemoryMemory
5656 112112 420420 < 5 mins< 5 mins 1000010000 TrivialTrivial
8080 160160 760760 600 600 monthsmonths
43004300 4GB4GB
9696 192192 10201020 3 million 3 million yearsyears
114114 170GB170GB
128128 256256 16201620 10E16 10E16 yearsyears
0.160.16 120TB120TB
From a report by Robert Silverman, RSA Laboratories, 2000
2828
PKI and SignaturesPKI and Signatures
2929
Public Key Distribution ProblemPublic Key Distribution Problem
We just solved the problem of symmetric key distribution We just solved the problem of symmetric key distribution by using public/private keysby using public/private keys
But…But…
Scott creates a keypair (private/public) and quickly tells Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Billthe world that the public key he published belongs to Bill
People send confidential stuff to BillPeople send confidential stuff to Bill
Bill does not have the private key to read them…Bill does not have the private key to read them…
Scott reads Bill’s messages Scott reads Bill’s messages
3030
Eureka!Eureka!
We need PKI to solve that problemWe need PKI to solve that problem
And a few others…And a few others…
3131
How to Verify a Public Key?How to Verify a Public Key?
Two approaches:Two approaches:
1.1. Before you use Bill’s public key, call him or meet Before you use Bill’s public key, call him or meet him and check that you have the right onehim and check that you have the right one
Fingerprint or hash of the key can be checked on the Fingerprint or hash of the key can be checked on the phonephone
2.2. Get someone you already trust to certify that the Get someone you already trust to certify that the key really belongs to Billkey really belongs to Bill
By checking for a trusted digital signature on the keyBy checking for a trusted digital signature on the key
But there has to be one…But there has to be one…
And you have to have friends to trust in first place…And you have to have friends to trust in first place…
3232
Trust ModelsTrust Models
Web-of-Trust (PGP)Web-of-Trust (PGP)
Peer-to-peer modelPeer-to-peer model
Individuals digitally sign each other keysIndividuals digitally sign each other keys
You would implicitly trust keys signed by some of your friendsYou would implicitly trust keys signed by some of your friends
Trusted Authority + Path of Trust (CAs)Trusted Authority + Path of Trust (CAs)
Everyone trusts the root Certificate Authority (Verisign, Everyone trusts the root Certificate Authority (Verisign, Thawte, BT etc.)Thawte, BT etc.)
CA digitally signs keys of anyone having checked their CA digitally signs keys of anyone having checked their credentials by traditional methodscredentials by traditional methods
CA may even nominate others to be CAs – and you would CA may even nominate others to be CAs – and you would trust them automatically, tootrust them automatically, too
3333
Creating a Digital SignatureCreating a Digital Signature
Hash Hash Function Function
(SHA, MD5)(SHA, MD5)
Jrf843kjfgf*Jrf843kjfgf*££$&Hdif*7oU$&Hdif*7oUsd*&@:<CHsd*&@:<CHDFHSD(**DFHSD(**
Py75c%bn&*)9|Py75c%bn&*)9|fDe^bDFaq#xzjFr@gfDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’r5=&nmdFg$5knvMd’rkvegMs…”kvegMs…”
This is a This is a really long really long message message about about Bill’s…Bill’s…
AsymmetricAsymmetricEncryptionEncryption
Message or FileMessage or File Digital SignatureDigital Signature256 bits 256 bits Message DigestMessage Digest
Calculate a short Calculate a short message digest from message digest from even a long input even a long input using a one-way using a one-way message digest message digest function (hash)function (hash)
Signatory’s Signatory’s privateprivate key key
privatprivatee
3434
Verifying a Digital SignatureVerifying a Digital Signature
Jrf843kjfJrf843kjfgf*£$&Hdgf*£$&Hdif*7oUsdif*7oUsd
*&@:<CHD*&@:<CHDFHSD(**FHSD(**
Py75c%bn&*)Py75c%bn&*)9|fDe^bDFaq9|fDe^bDFaq#xzjFr@g5=#xzjFr@g5=
&nmdFg$5kn&nmdFg$5knvMd’rkvegMs”vMd’rkvegMs”
Py75c%bn&*)Py75c%bn&*)9|fDe^bDFaq9|fDe^bDFaq#xzjFr@g5=#xzjFr@g5=
&nmdFg$5kn&nmdFg$5knvMd’rkvegMs”vMd’rkvegMs”
AsymmetricAsymmetricdecryption decryption (e.g. RSA)(e.g. RSA)
Everyone has Everyone has access to trusted access to trusted public key of the public key of the signatorysignatory
Signatory’s Signatory’s publicpublic keykey
Digital SignatureDigital Signature
This is a This is a really long really long message message
about Bill’s…about Bill’s…
Same hash functionSame hash function(e.g. MD5, SHA…)(e.g. MD5, SHA…)
Original MessageOriginal Message
Py75c%bn&*)Py75c%bn&*)9|fDe^bDFaq9|fDe^bDFaq#xzjFr@g5=#xzjFr@g5=
&nmdFg$5kn&nmdFg$5knvMd’rkvegMs”vMd’rkvegMs”
Py75c%bn&*)Py75c%bn&*)9|fDe^bDFaq9|fDe^bDFaq#xzjFr@g5=#xzjFr@g5=
&nmdFg$5kn&nmdFg$5knvMd’rkvegMs”vMd’rkvegMs”
? == ?? == ?Are They Same?Are They Same?
3535
Message Authentication CodesMessage Authentication Codes
““MACs” – Typically, combination of a hash function and MACs” – Typically, combination of a hash function and a a symmetricsymmetric encryption encryption
Integrity, authenticity but not non-repudiationIntegrity, authenticity but not non-repudiation
Must share the key!Must share the key!
HMACHMAC
Digest + shared-secret encryption for up to 160 bit resultsDigest + shared-secret encryption for up to 160 bit results
MACTripleDESMACTripleDES
Encryption using 8, 16 or 24 bytes of TripleDES key on top of Encryption using 8, 16 or 24 bytes of TripleDES key on top of a hasha hash
64 bit result (generally insufficent)64 bit result (generally insufficent)
Frequently used in transactions and databasesFrequently used in transactions and databases
3636
CertificatesCertificates
The simplest certificate just contains:The simplest certificate just contains:
Information about the entity that is being certified to Information about the entity that is being certified to own a public keyown a public key
That public keyThat public key
And all of this isAnd all of this is
Digitally signed by someone trusted (like a CA)Digitally signed by someone trusted (like a CA)
3737
X.509 CertificateX.509 Certificate
Certificate Authority Digital Signature Certificate Authority Digital Signature of All Components Together:of All Components Together:
Serial NumberSerial Number
Issuer X.500 Issuer X.500 Distinguished NameDistinguished Name
Validity PeriodValidity Period
Subject X.500Subject X.500Distinguished NameDistinguished Name
Subject Public KeySubject Public KeyInformationInformation
Key/Certificate UsageKey/Certificate Usage
ExtensionsExtensions
OU=Project OU=Project Botticelli…Botticelli…
The Key or Info About ItThe Key or Info About It
3838
Authentication with CertificatesAuthentication with Certificates
1.1. Melinda gets Bill’s certificateMelinda gets Bill’s certificate
2.2. She verifies its digital signatureShe verifies its digital signature
She can trust that the public key really belongs to BillShe can trust that the public key really belongs to Bill
But is it Bill standing if front of her, or is that Scott?But is it Bill standing if front of her, or is that Scott?
3.3. Melinda challenges Bill to encrypt for her a phrase etc. she just made Melinda challenges Bill to encrypt for her a phrase etc. she just made up (up (“I really need more shoes”“I really need more shoes”))
4.4. Bill has, of course, the private key that matches the certificate, so he Bill has, of course, the private key that matches the certificate, so he responds (responds (“*&$^%£$&£fhsdf*&EHFDhd62^&£”“*&$^%£$&£fhsdf*&EHFDhd62^&£”))
5.5. Melinda decrypts this with the public key she has in the certificate Melinda decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she challenged Bill (which she trusts) and if it matches the phrase she challenged Bill with then it must really be Bill himself! with then it must really be Bill himself!
By the way, that’s the basic concept of how SSL worksBy the way, that’s the basic concept of how SSL works
3939
What’s in the Store?What’s in the Store?
Most certificates are “safe”Most certificates are “safe”
No need to protect them too much, as they are digitally signed No need to protect them too much, as they are digitally signed and only contain publicly available informationand only contain publicly available information
Store anywhere, a file or a “dumb” memory-only smartcardStore anywhere, a file or a “dumb” memory-only smartcard
Private keys (and certs that include them) that match the Private keys (and certs that include them) that match the public key are extremely vulnerablepublic key are extremely vulnerable
It is a Key AssetIt is a Key Asset
You must protect them wellYou must protect them well
Store in “Protected Storage” on your OS or a “smart” Store in “Protected Storage” on your OS or a “smart” smartcard that will have crypto functionality on boardsmartcard that will have crypto functionality on board
Axalto’s .NET-enabled smart cards for instanceAxalto’s .NET-enabled smart cards for instance
4040
Word About SmartcardsWord About Smartcards
Some smartcards are “dumb”, i.e. they are only a memory Some smartcards are “dumb”, i.e. they are only a memory chipchip
Not recommended for storing a private key used in a challenge Not recommended for storing a private key used in a challenge test (verifying identity)test (verifying identity)
Anyway, they are still better than leaving keys on a floppy disk or Anyway, they are still better than leaving keys on a floppy disk or on the hard driveon the hard drive
Cryptographically-enabled smartcards are more expensive Cryptographically-enabled smartcards are more expensive but they give much more securitybut they give much more security
Private key is secure and used as neededPrivate key is secure and used as needed
Additional protection (password, biometrics) is possibleAdditional protection (password, biometrics) is possible
Hardware implements some algorithmsHardware implements some algorithms
Self-destruct is possibleSelf-destruct is possible
4141
Certification HierarchyCertification Hierarchy
Most organisations do not use just one root key for Most organisations do not use just one root key for signing certificatessigning certificates
Dangerous, if that one key is compromisedDangerous, if that one key is compromised
Does not scale to large organisationsDoes not scale to large organisations
Difficulty in managing responsibilityDifficulty in managing responsibility
Certificate HierarchiesCertificate Hierarchies
Typically 3 tiers: 2 offline and 1 onlineTypically 3 tiers: 2 offline and 1 online
Validating a cert possibly involves validating a path of Validating a cert possibly involves validating a path of trusttrust
Cross-certification (“mesh”, “web”) is possibleCross-certification (“mesh”, “web”) is possible
4242
RecommendationsRecommendations
4343
Strong SystemsStrong Systems
It is always a mixture! Changes all the time…It is always a mixture! Changes all the time…
Symmetric:Symmetric:
AES, min. 128 bits for RC2 & RC5, 3DES, IDEA, AES, min. 128 bits for RC2 & RC5, 3DES, IDEA, carefully analysed RC4, 256 bit bettercarefully analysed RC4, 256 bit better
Asymmetric:Asymmetric:
RSA, ElGamal, Diffie-Hellman (for keys) with RSA, ElGamal, Diffie-Hellman (for keys) with minimum 1024 bits (go for the maximum, typically minimum 1024 bits (go for the maximum, typically 4096, if you can afford it)4096, if you can afford it)
Hash:Hash:
SHA with at least 256 bitsSHA with at least 256 bits
4444
Weak SystemsWeak Systems
Anything with 40-bits (including 128 and 56 bit versions with Anything with 40-bits (including 128 and 56 bit versions with the remainder “fixed”)the remainder “fixed”)
Most consider DES as fairly weak algorithmMost consider DES as fairly weak algorithm
CLIPPERCLIPPER
A5 (GSM mobile phones outside US)A5 (GSM mobile phones outside US)
Vigenère (US mobile phones)Vigenère (US mobile phones)
Dates from 1585!Dates from 1585!
Hashes (and sigs) based on MD5 or SHA-0 (perhaps SHA-1 Hashes (and sigs) based on MD5 or SHA-0 (perhaps SHA-1 too) or 64 bit hashestoo) or 64 bit hashes
Unverified certs with no trustUnverified certs with no trust
Weak certs (as in many “class 1” personal certs)Weak certs (as in many “class 1” personal certs)
4545
ConclusionsConclusions
4646
SummarySummary
Cryptography is a rich and mature fieldCryptography is a rich and mature field
We all rely on it, everyday, with our livesWe all rely on it, everyday, with our lives
Know the basics and make good choices Know the basics and make good choices avoiding common pitfallsavoiding common pitfalls
Plan your PKI earlyPlan your PKI early
Avoid very new and unknown solutionsAvoid very new and unknown solutions
4747
ReferencesReferences
Visit Visit www.microsoft.com/securitywww.microsoft.com/security
Read sci.crypt (incl. archives)Read sci.crypt (incl. archives)
For more detail, read:For more detail, read:Cryptography: An Introduction, Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see be published May 2005, see http://http://www.esecurity.ch/Books/cryptography.htmlwww.esecurity.ch/Books/cryptography.html))
Applied CryptographyApplied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied CryptographyHandbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, 8523-7, www.cacr.math.uwaterloo.ca/hacwww.cacr.math.uwaterloo.ca/hac (free PDF) (free PDF)PKI, PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of CryptographyFoundations of Cryptography, O. Goldereich, , O. Goldereich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.htmlwww.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++Cryptography in C and C++, M. Welschenbach, Apress, , M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)ISBN 1-893115-95-X (includes code samples CD)