Download presentation

Presentation is loading. Please wait.

Published byAdrian Shaw Modified about 1 year ago

1
Cryptography & Security Presented April 16, 2010 By Dave Stycos, Zocalo Data Systems

2

3
Security Goals Confidentiality Integrity Availability

4
Security’s Methods Authentication Access Control Accountability

5
Discussion Overview Algorithms Protocols Implementations Resources

6
Classes of Encryption Symmetric Encryption Hashing Random Number Generation Asymmetric Encryption (Public Key)

7
Symmetric Algorithms Use a secret key to both encrypt and decrypt Are fast Operate on fixed-size blocks (8 or 16 bytes) DES, Triple-DES, AES, RC4, Blowfish

8
NIST National Institute of Standards and Technology Computer Security Resource Center (CSRC) Federal Information Processing Standards (FIPS) Special Publication 800 (SP-800)

9
Symmetric Modes Electronic Code Book (ECB) Cipher Block Chaining (CBC) Output Feedback (OFB) Cipher Feedback (CFB) Counter (CTR) More …

10
Electronic Code Book (ECB)

11

12
Encrypted Using ECB Mode

13
Cipher Block Chaining (CBC)

14
Encrypted Using CBC Mode

15
Initialization Vector Not secret Must be unique for each stream or file. Reused IVs reveal patterns in the first blocks of ciphertext.

16
Common File Headers PDFs %PDF-1.3 JPEG JFIF EXE MZ Therefore, IVs must be unique for each key!

17
CBC Weaknesses One bad block corrupts the chain Only sequential access Unsuitable for stream ciphers

18
Block vs. Stream Ciphers Block Ciphers –Operate on data of known, finite size –Files, hard drives Stream Ciphers –Operate on data of unknown, indefinite size –Network flow, media

19
Cipher Feedback (CFB) Symmetric cipher is a pseudo-random number generator. Plaintext XOR’ed with PRN, not encrypted by cipher.

20
CFB Weaknesses One bad block corrupts the chain. Only sequential access. Can’t be computed in parallel.

21
Counter (CTR)

22
Common Weaknesses Key Secrecy Key Quality

23
Key Management Locking Is EasyKey Management Is Hard

24
What Is Key Quality? Computational infeasibility of brute-force attack

25
What Is Key Quality? Computational infeasibility of brute-force attack DES Key: 56-bits = 72,057,594,037,927,936 keys

26
What Is Key Quality? Computational infeasibility of brute-force attack DES Key: 56-bits = 72,057,594,037,927,936 keys How secure? Security measured in time. “When” not “if”

27
Security of 56 Bit DES? 29 PCBs of 64 ASICs = 1856 ASICs! Checked +90b keys/s 9 days Built by EFF in 1998 for $250,000

28
Advanced Encryption Standard (AES) AES Key: 128-bits = e+38 = 340,282,366,920,938,463,463,374,607,431,770,000,000

29
Advanced Encryption Standard (AES) AES Key: 128-bits = e+38 = 340,282,366,920,938,463,463,374,607,431,770,000,000 AES Key: 192-bits = e+57 = 6,277,101,735,386,680,763,835,789,423,207,700,000,000, 000,000,000,000,000,000

30
Advanced Encryption Standard (AES) AES Key: 128-bits = e+38 = 340,282,366,920,938,463,463,374,607,431,770,000,000 AES Key: 192-bits = e+57 = 6,277,101,735,386,680,763,835,789,423,207,700,000,000, 000,000,000,000,000,000 AES Key: 256-bits = e+77 = 115,792,089,237,316,195,423,570,985,008,690,000,000,00 0,000,000,000,000,000,000,000,000,000,000,000,000

31
Advanced Encryption Standard (AES) AES Key: 128-bits = e+38 = 340,282,366,920,938,463,463,374,607,431,770,000,000 AES Key: 192-bits = e+57 = 6,277,101,735,386,680,763,835,789,423,207,700,000,000, 000,000,000,000,000,000 AES Key: 256-bits = e+77 = 115,792,089,237,316,195,423,570,985,008,690,000,000,00 0,000,000,000,000,000,000,000,000,000,000,000,000 Mass of all visible matter in the universe equiv. 4.0 e+78 hydrogen atoms!

32
Measuring Key Quality Entropy The likelihood of selecting any single key out of all possible keys.

33
How to Measure Entropy? 0x F5264

34
How to Measure Entropy? 0x F P a S s W o R d

35
How to Measure Entropy? 0x F P a S s W o R d Many keys are derived from passwords. Memorizable pwds = negative effect on entropy.

36
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys

37
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys 8 chars of lower, upper, numeric = 62^8 = 218,340,105,584,896

38
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys 8 chars of lower, upper, numeric = 62^8 = 218,340,105,584,896 ~ 47 bits

39
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys 8 chars of lower, upper, numeric = 62^8 = 218,340,105,584,896 ~ 47 bits –Deep Crack Brute Force in 40 minutes!

40
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys 8 chars of lower, upper, numeric = 62^8 = 218,340,105,584,896 ~ 47 bits –Deep Crack Brute Force in 40 minutes! 8 chars of alpha-only = 52^8 = 53,459,728,531,456 ~ 45 bits

41
Entropy of Passwords 64-bits = 1.8 E+19 = 18,446,744,073,709,551,616 keys 8 chars of lower, upper, numeric = 62^8 = 218,340,105,584,896 ~ 47 bits –Deep Crack Brute Force in 40 minutes! 8 chars of alpha-only = 52^8 = 53,459,728,531,456 ~ 45 bits 8 chars, lower-only = 26^8 = 208,827,064,576 ~ 37 bits

42
Measuring Key Entropy

43

44

45
Dictionary Attacks Reduce entropy by leveraging language patterns

46
Dictionary Attacks Reduce entropy by leveraging language patterns Merriam-Webster: 250,000 words 250,000 special/scientific 250,000 proper nouns (?) - 1,000 words that are <5 characters = 740,000 ~ 19 bits

47
Dictionary Attacks Reduce entropy by leveraging language patterns Merriam-Webster: 250,000 words 250,000 special/scientific 250,000 proper nouns (?) - 1,000 words that are <5 characters = 740,000 ~ 19 bits Random use of upper and lower case –Add one bit per char length (max) Random use of upper, lower and numbers –Add ~1.5 bits per char length (max)

48
Cryptographic Hashing Works like a CRC or checksum Impossible to reverse 128, 160 and 256 bits long Small changes in the plaintext create vast changes in the hash MD5, SHA-1, SHA-256

49
Hashing Applications Validating data –Verifying download packages (md5sum) Increasing key entropy –2 n hash operations adds n bits of entropy Obscuring passwords

50
Sending Passwords in the Clear

51
Obscuring Passwords

52
Replay Attack

53
Zero-Knowledge Proof Proving a user knows a piece of data without divulging that piece of data.

54
Challenge-Response Protocol

55

56

57
NTLM Authentication

58
!

59
Challenge-Response Protocol Vulnerabilities “Stolen Verifier” Attack No Mutual Authentication

60
Implementations SSL IPSec Secure Protocols

61
Recommended Reading “Applied Cryptography” By Bruce Schneier “Practical Cryptography” By Bruce Schneier “Secrets and Lies” By Bruce Schneier “Cryptographic Security Architecture” By Peter Gutmann “Parallelizable Enciphering Mode” By Phillip Rogaway

62
Organizations Commercial –Schneier.com CryptoGram & blog –RSA, Inc. (rsa.com) PKCS –Internet Engineering Taskforce (ietf.org) RFCs –ANSI, ISO, IEEE, W3C Government –Natl. Inst. of Standards & Tech. (nist.gov) FIPS & SP-800 documents –Natl. Security Agency (NSA)

63
Happy Crypting! Presentation Created By Dave Stycos April, 2010 © 2010, Zocalo Data Systems, Ltd.

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google