Date post: | 29-Dec-2015 |
Category: |
Documents |
Upload: | silvester-barber |
View: | 225 times |
Download: | 0 times |
Security+ Guide to Network Security Fundamentals, Third
Edition
Chapter 11Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition
Objectives
• Define cryptography
• Describe hashing
• List the basic symmetric cryptographic algorithms
2
Security+ Guide to Network Security Fundamentals, Third Edition
Objectives (continued)
• Describe how asymmetric cryptography works
• List types of file and file system cryptography
• Explain how whole disk encryption works
3
Security+ Guide to Network Security Fundamentals, Third Edition
Defining Cryptography
• Defining cryptography involves understanding what it is and what it can do
• It also involves understanding how cryptography can be used as a security tool to protect data
4
Security+ Guide to Network Security Fundamentals, Third Edition
What Is Cryptography?
• Cryptography– The science of transforming information into an
unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it
• Steganography– Hides the existence of the data– What appears to be a harmless image can contain
hidden data embedded within the image– Can use image files, audio files, or even video files to
contain hidden information
5
Security+ Guide to Network Security Fundamentals, Third Edition 6
What Is Cryptography? (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
What Is Cryptography? (continued)
• One of the most famous ancient cryptographers was Julius Caesar
• Caesar shifted each letter of his messages to his generals three places down in the alphabet
• Encryption– Changing the original text to a secret message using
cryptography
• Decryption– Change the secret message back to its original form
7
Security+ Guide to Network Security Fundamentals, Third Edition 8
Security+ Guide to Network Security Fundamentals, Third Edition
Cryptography and Security
• Cryptography can provide basic security protection for information:– Cryptography can protect the confidentiality of
information– Cryptography can protect the integrity of the
information– Cryptography can help ensure the availability of the
data– Cryptography can verify the authenticity of the sender– Cryptography can enforce non-repudiation
9
Security+ Guide to Network Security Fundamentals, Third Edition
Cryptography and Security (continued)
10
Security+ Guide to Network Security Fundamentals, Third Edition
Cryptographic Algorithms
• There are three categories of cryptographic algorithms:– Hashing algorithms– Symmetric encryption algorithms– Asymmetric encryption algorithms
11
Security+ Guide to Network Security Fundamentals, Third Edition
Hashing Algorithms
• Hashing– Also called a one-way hash– A process for creating a unique “signature” for a set of
data• This signature, called a hash or digest, represents the
contents
• Hashing is used only for integrity to ensure that:– Information is in its original form– No unauthorized person or malicious software has
altered the data
• Hash created from a set of data cannot be reversed12
Security+ Guide to Network Security Fundamentals, Third Edition
Hashing Algorithms (continued)
13
Security+ Guide to Network Security Fundamentals, Third Edition
Hashing Algorithms (continued)
• A hashing algorithm is considered secure if it has these characteristics:– The ciphertext hash is a fixed size– Two different sets of data cannot produce the same
hash, which is known as a collision– It should be impossible to produce a data set that has
a desired or predefined hash– The resulting hash ciphertext cannot be reversed
• The hash serves as a check to verify the message contents
14
Security+ Guide to Network Security Fundamentals, Third Edition 15
Hashing Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Hashing Algorithms (continued)
• Hash values are often posted on Internet sites– In order to verify the file integrity of files that can be
downloaded
16
Security+ Guide to Network Security Fundamentals, Third Edition 17
Hashing Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition 18
Hashing Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Message Digest (MD)
• Message Digest (MD) algorithm– One common hash algorithm
• Three versions– Message Digest 2 (MD2)– Message Digest 4 (MD2)– Message Digest 5 (MD2)
19
Security+ Guide to Network Security Fundamentals, Third Edition
Secure Hash Algorithm (SHA)
• Secure Hash Algorithm (SHA)– A more secure hash than MD– A family of hashes
• SHA-1– Patterned after MD4, but creates a hash that is 160
bits in length instead of 128 bits
• SHA-2– Comprised of four variations, known as SHA-224,
SHA-256, SHA-384, and SHA-512– Considered to be a secure hash
20
Security+ Guide to Network Security Fundamentals, Third Edition
Whirlpool
• Whirlpool– A relatively recent cryptographic hash function– Has received international recognition and adoption by
standards organizations– Creates a hash of 512 bits
21
Security+ Guide to Network Security Fundamentals, Third Edition
Password Hashes
• Another use for hashes is in storing passwords– When a password for an account is created, the
password is hashed and stored
• The Microsoft NT family of Windows operating systems hashes passwords in two different forms– LM (LAN Manager) hash– NTLM (New Technology LAN Manager) hash
• Most Linux systems use password-hashing algorithms such as MD5
• Apple Mac OS X uses SHA-1 hashes
22
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms
• Symmetric cryptographic algorithms – Use the same single key to encrypt and decrypt a
message– Also called private key cryptography
• Stream cipher– Takes one character and replaces it with one
character
• Substitution cipher– The simplest type of stream cipher– Simply substitutes one letter or character for another
23
Security+ Guide to Network Security Fundamentals, Third Edition 24
Security+ Guide to Network Security Fundamentals, Third Edition 25
Symmetric Cryptographic Algorithms (continued)
Symmetric Cryptographic Algorithms (continued)
• Transposition cipher– A more complicated stream cipher– Rearranges letters without changing them
• With most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext– The process is accomplished through the exclusive
OR (XOR) binary logic operation
• One-time pad (OTP)– Combines a truly random key with the plaintext
Security+ Guide to Network Security Fundamentals 26
Security+ Guide to Network Security Fundamentals, Third Edition 27
Symmetric Cryptographic Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition 28
Symmetric Cryptographic Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
• Block cipher– Manipulates an entire block of plaintext at one time– Plaintext message is divided into separate blocks of 8
to 16 bytes• And then each block is encrypted independently
• Stream cipher advantages and disadvantages– Fast when the plaintext is short– More prone to attack because the engine that
generates the stream does not vary
29
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
• Block cipher advantages and disadvantages– Considered more secure because the output is more
random– Cipher is reset to its original state after each block is
processed• Results in the ciphertext being more difficult to break
30
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
31
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
• Data Encryption Standard (DES)– One of the first widely popular symmetric
cryptography algorithms– DES is a block cipher and encrypts data in 64-bit
blocks• However, the 8-bit parity bit is ignored so the effective
key length is only 56 bits
• Triple Data Encryption Standard (3DES)– Designed to replace DES– Uses three rounds of encryption instead of just one
32
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
33
Security+ Guide to Network Security Fundamentals, Third Edition 34
Security+ Guide to Network Security Fundamentals, Third Edition
Symmetric Cryptographic Algorithms (continued)
• Advanced Encryption Standard (AES)– Approved by the NIST in late 2000 as a replacement
for DES– AES performs three steps on every block (128 bits) of
plaintext– Within Step 2, multiple rounds are performed
depending upon the key size– Within each round, bytes are substituted and
rearranged, and then special multiplication is performed based on the new arrangement
35
Security+ Guide to Network Security Fundamentals, Third Edition
Other Algorithms
• Several other symmetric cryptographic algorithms are also used:– Rivest Cipher (RC) family from RC1 to RC6– International Data Encryption Algorithm (IDEA)– Blowfish– Twofish
36
Security+ Guide to Network Security Fundamentals, Third Edition
Asymmetric Cryptographic Algorithms
• Asymmetric cryptographic algorithms– Also known as public key cryptography– Uses two keys instead of one
• The public key is known to everyone and can be freely distributed
• The private key is known only to the recipient of the message
• Asymmetric cryptography can also be used to create a digital signature
37
Security+ Guide to Network Security Fundamentals, Third Edition 38
Security+ Guide to Network Security Fundamentals, Third Edition
Asymmetric Cryptographic Algorithms (continued)
• A digital signature can:– Verify the sender– Prove the integrity of the message– Prevent the sender from disowning the message
39
Security+ Guide to Network Security Fundamentals, Third Edition 40
Security+ Guide to Network Security Fundamentals, Third Edition 41
Security+ Guide to Network Security Fundamentals, Third Edition 42
Asymmetric Cryptographic Algorithms (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
RSA
• The most common asymmetric cryptography algorithm
• RSA multiplies two large prime numbers p and q– To compute their product (n=pq)
• A number e is chosen that is less than n and a prime factor to (p-1)(q-1)
• Another number d is determined, so that (ed-1) is divisible by (p-1)(q-1)
• The public key is the pair (n,e) while the private key is (n,d)
43
Security+ Guide to Network Security Fundamentals, Third Edition
Diffie-Hellman
• Diffie-Hellman– Allows two users to share a secret key securely over
a public network
• Once the key has been shared– Then both parties can use it to encrypt and decrypt
messages using symmetric cryptography
44
Security+ Guide to Network Security Fundamentals, Third Edition
Elliptic Curve Cryptography
• Elliptic curve cryptography– Uses elliptic curves
• An elliptic curve is a function drawn on an X-Y axis as a gently curved line– By adding the values of two points on the curve, you
can arrive at a third point on the curve
• The public aspect of an elliptic curve cryptosystem is that users share an elliptic curve and one point on the curve
45
Security+ Guide to Network Security Fundamentals, Third Edition
Using Cryptography on Files and Disks
• Cryptography can also be used to protect large numbers of files on a system or an entire disk
46
Security+ Guide to Network Security Fundamentals, Third Edition
File and File System Cryptography
• File system– A method used by operating systems to store, retrieve,
and organize files
• Pretty Good Privacy (PGP)– One of the most widely used asymmetric cryptography
system for files and e-mail messages on Windows systems
• GNU Privacy Guard (GPG)– A similar open-source program
• PGP and GPG use both asymmetric and symmetric cryptography
47
Security+ Guide to Network Security Fundamentals, Third Edition
File and File System Cryptography (continued)
• Microsoft Windows Encrypting File System (EFS)– A cryptography system for Windows operating
systems that use the Windows NTFS file system– Because EFS is tightly integrated with the file system,
file encryption and decryption are transparent to the user
– EFS encrypts the data as it is written to disk
48
Security+ Guide to Network Security Fundamentals, Third Edition
Disk Cryptography
• Whole disk encryption– Cryptography applied to entire disks
• Windows BitLocker– A hardware-enabled data encryption feature– Can encrypt the entire Windows volume
• Includes Windows system files as well as all user files
– Encrypts the entire system volume, including the Windows Registry and any temporary files that might hold confidential information
49
Security+ Guide to Network Security Fundamentals, Third Edition
Disk Cryptography (continued)
• Trusted Platform Module (TPM)– A chip on the motherboard of the computer that
provides cryptographic services– Includes a true random number generator– Can measure and test key components as the
computer is starting up
• If the computer does not support hardware-based TPM then the encryption keys for securing the data on the hard drive can be stored by BitLocker on a USB flash drive
50
Security+ Guide to Network Security Fundamentals, Third Edition
Summary
• Cryptography is the science of transforming information into a secure form while it is being transmitted or stored so that unauthorized users cannot access it
• Hashing creates a unique signature, called a hash or digest, which represents the contents of the original text
• Symmetric cryptography, also called private key cryptography, uses a single key to encrypt and decrypt a message
51
Security+ Guide to Network Security Fundamentals, Third Edition
Summary (continued)
• Asymmetric cryptography, also known as public key cryptography, uses two keys instead of one
• Cryptography can also be used to protect large numbers of files on a system or an entire disk
52