CISSP Essentials: Mastering the Common Body of Knowledge
Class 3: Cryptography
Lecturer: Shon Harris, CISSP, MCSE
President, Logical Security

Cryptography objectives
- Historical uses of cryptography
- Foundational pieces of cryptography
- Symmetric and asymmetric algorithms
- Public key infrastructure
- E-mail client encryption procedures
- Protocols that use cryptography
- Attacks on cryptography

Cryptography uses yesterday and today
In the past
- Cryptography was mainly used for providing confidentiality
- It protected sensitive information, mainly during transmission
Today
- Still used for confidentiality
- Also used for: data integrity, source authentication, non-repudiation

Key and algorithm relationship
Key
- Long string of random values
Algorithm
- Group of mathematical equations that can be used for the encryption and decryption processes
Used together
- Key values are used by the algorithms to indicate which equations to use, in what order and with what values

Why does a 128-bit key provide more protection than a 64-bit key?
Keyspace
- All possible values that can be used to generate a key
- The larger the key size, the larger the keyspace: 2^64 versus 2^128
- The larger the keyspace, the more values an attacker has to brute force

Strength of a cryptosystem
Determining strength in cryptography
- Strength of a cryptosystem depends upon:
  - Proper development of the algorithm
  - Secrecy and protection of the key
  - Length of the key
  - Initialization vectors
  - How all of these pieces are implemented and work together
- Today the most successful attacks are against the human factor of cryptography: improper implementation and key management

Types of ciphers used today
Modern cryptography
- Substitution methods
- Transposition methods
- Symmetric ciphers: block ciphers, stream ciphers
- Asymmetric ciphers

Symmetric key cryptography
Characteristics
- Sender and receiver use the same key to encrypt and decrypt a message
- Protection depends upon users keeping the symmetric key secret
- Requires "out-of-band" exchange of keys: secure courier or sneaker net
- Can provide confidentiality, but not true authenticity or non-repudiation
- Does not scale well in large environments
- Works well and is hard to break if a large key size is used
- Cannot be easily used for network or wireless authentication

Symmetric algorithm examples
- Data Encryption Standard (DES)
- 3DES
- Blowfish
- Twofish
- IDEA (International Data Encryption Algorithm)
- RC4, RC5, RC6
- AES

Asymmetric cryptography
Asymmetric key system characteristics
- Also called public key cryptography
- Two different keys are used: public and private keys
- Public key can be given to anyone
- Private key is possessed by only one owner
- The public and private keys are mathematically related, but should not be able to be derived from each other
- Keys have dual natures: both can encrypt and decrypt
  - Data encrypted with the public key can only be decrypted by the corresponding private key
  - Data encrypted with the private key can only be decrypted by the corresponding public key

Asymmetric algorithm examples
- RSA
- Elliptic Curve Cryptosystem (ECC)
- Diffie-Hellman
- El Gamal
- Knapsack

First asymmetric algorithm
Diffie-Hellman
- A key agreement protocol: agreement on the symmetric session key that will be used for encryption purposes
- Does not require a previous relationship between the two parties needing to communicate
- Allows key agreement to happen in a secure manner
- Security based on calculating discrete logarithms in a finite field
- Vulnerable to man-in-the-middle attacks because of its lack of authentication
- Does not provide data encryption or digital signature capabilities

Asymmetric algorithm: RSA
- Developed by Ron Rivest, Adi Shamir and Leonard Adleman
- Provides digital signature, key distribution and encryption services
- Mathematics: difficulty of factoring large numbers
- Uses a one-way function: mathematically easy to carry out in one direction, but basically impossible to carry out in reverse
  - Easy direction: multiplying prime numbers
  - Hard direction: factoring a large number into its original prime numbers
- The decryption key "knows a secret" that lets it carry out the hard direction easily; this is sometimes called a trapdoor

Evolution of DES
Triple DES
- In the 1990s, a "DES Cracker" machine was built that could recover a DES key in a few hours
- DES was broken and we needed a solution before AES was created and implemented
- Performance hit because of extra processing
- Provides more protection by providing 3 rounds of encryption
- This can take place with two or three different keys, depending on the mode
  - DES-EEE3 uses three keys for encryption
  - DES-EDE3 uses 3 different keys; it encrypts, decrypts and encrypts the data
  - DES-EEE2 and DES-EDE2 are the same as the previous modes, but the first and third operations use the same key

Symmetric cipher: AES
Advanced Encryption Standard
- Replacement for DES
- Block symmetric encryption algorithm
- U.S. official standard for sensitive but unclassified data encryption
- Rijndael algorithm
- Key sizes of 128, 192, 256 bits

Data integrity mechanisms
Hashing algorithms:
- MD2 (128-bit digest)
- MD4 (128-bit digest)
- MD5 (128-bit digest)
- SHA-1 (160-bit digest) (NIST)
- SHA-256 (256-bit digest) (NIST)
- SHA-512 (512-bit digest) (NIST)
- HAVAL (variable-length message digests)

Digital signature and MAC comparison
Symmetric cryptography
- MAC = hash + symmetric key (hash algorithm + secret key)
Asymmetric cryptography
- Digital signature = hash + asymmetric key (hash algorithm + private key)

PKI and its components
Components in a Public Key Infrastructure
- CA
- RA
- Certificate repository
- Certificate revocation system

Digital certificates
Characteristics
- Currently using X.509 version 3
- Associates a public key with its owner
- Digitally signed by the CA

Secure protocols
Secure Hypertext Transport Protocol (S-HTTP)
- Protects each message, not the communication channel
- Older, less-used technology
HTTPS
- HTTP runs on top of SSL
- Provides a secure communication channel
- All messages and other data are protected
Secure Sockets Layer (SSL)
- Originally developed by Netscape
- Requires a PKI to use
- Server authenticates to client; optionally the client can authenticate to the server
- Client creates the session key and sends it to the server
- Works at the transport layer

Link versus end-to-end encryption
Link encryption
- Full frames are encrypted: payload, headers and trailers
- Telephone circuit, T1, satellite link
- Usually provided by service providers over point-to-point connections
- Usually uses dedicated link encryption devices
- Each hop has to decrypt the headers; if a hop is compromised, all traffic going through that hop can be compromised
- Data link messaging is not encrypted: the control information used by dedicated link encryption devices

Network layer protection
IPsec
- Developed because IPv4 has no security mechanisms
- Integrated in IPv6
- Sets up a secure channel between computers instead of applications (application secure channels are usually provided with SSL)
- Network layer security
- Can provide host-to-host, host-to-subnet, and subnet-to-subnet connections

IPsec key management
Manual
- Each device is configured with a symmetric key and security association information
Internet Key Exchange (IKE) is the de facto standard
- Hybrid of Internet Security Association and Key Management Protocol (ISAKMP) and Oakley Key Exchange
- Phase 1: establishing the session key to provide a secure channel for the handshaking to take place securely
- Phase 2: SAs are negotiated for keying material and parameter negotiation

Coming next: Class 4: Security architecture and models
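The Diffie-Hellman slide says the two parties agree on a symmetric session key without a prior relationship, and that the protocol has no authentication. The block below is an added example, not part of the course material: it runs the exchange with Python's built-in modular arithmetic. The prime, generator, key derivation and party names are constructed toy choices; real deployments use standardized multi-thousand-bit groups and a proper KDF.

```python
# Added example: Diffie-Hellman key agreement, toy-sized parameters (constructed).
import hashlib
import secrets

P = 18446744073709551557  # 2**64 - 59, a prime; far too small for real use
G = 2                     # generator (assumed for this demo)


def make_private() -> int:
    """Fresh random private exponent in [2, P-2]; never leaves the host."""
    return secrets.randbelow(P - 3) + 2


def make_public(priv: int) -> int:
    """g^priv mod p: the only value that crosses the wire."""
    return pow(G, priv, P)


def shared_secret(my_priv: int, their_pub: int) -> int:
    """(g^b)^a == (g^a)^b mod p, so both sides compute the same number."""
    return pow(their_pub, my_priv, P)


def session_key(secret: int) -> bytes:
    """Turn the shared number into a 128-bit symmetric key (toy KDF)."""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()[:16]


def agree_keys():
    """Honest run: return the key each side derived; they must match."""
    alice_priv, bob_priv = make_private(), make_private()
    alice_pub, bob_pub = make_public(alice_priv), make_public(bob_priv)
    alice_key = session_key(shared_secret(alice_priv, bob_pub))
    bob_key = session_key(shared_secret(bob_priv, alice_pub))
    return alice_key, bob_key


def substituted_value_goes_unnoticed() -> bool:
    """The slide's caveat: nothing in a public value proves who sent it.
    If a value that is not Bob's reaches Alice, she still derives a key
    without any protocol-level error, but it is not the key Bob holds.
    Authenticating the public values (signatures, certificates) is the fix."""
    alice_priv, bob_priv, other_priv = (make_private() for _ in range(3))
    alice_key = session_key(shared_secret(alice_priv, make_public(other_priv)))
    bob_key = session_key(shared_secret(bob_priv, make_public(alice_priv)))
    return alice_key != bob_key
```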
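The RSA and "Digital signature and MAC comparison" slides are illustrated together here, in an added example that is not from the course: a MAC is the hash combined with a shared secret key (HMAC), a signature is the hash combined with the private half of a key pair. The RSA primes are a constructed toy pair (multiplying them is the easy direction, recovering them from N the hard one); the hash is reduced into the toy modulus only so the numbers stay small.

```python
# Added example: MAC (hash + symmetric key) next to a signature (hash + private key).
import hashlib
import hmac

# Toy RSA key pair (constructed). Real keys use 2048-bit or larger moduli.
P, Q = 4294967291, 4294967279          # two primes just below 2**32
N = P * Q                              # public modulus: easy to compute
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: the "trapdoor"


def digest_mod_n(message: bytes) -> int:
    """SHA-256 the message, then reduce into the toy modulus (demo only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(message: bytes) -> int:
    """Digital signature = hash, then the private exponent applied to it."""
    return pow(digest_mod_n(message), D, N)


def rsa_verify(message: bytes, sig: int) -> bool:
    """Anyone holding (N, E) can check, but only the D holder could have signed:
    this is what gives non-repudiation."""
    return pow(sig, E, N) == digest_mod_n(message)


def make_mac(key: bytes, message: bytes) -> bytes:
    """MAC = hash + symmetric key, here HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison; the verifier needs the same secret key."""
    return hmac.compare_digest(make_mac(key, message), tag)


def mac_verifier_can_forge(key: bytes) -> bool:
    """Whoever can check a MAC can also mint one for any text, so a MAC gives
    integrity and source authentication between the two key holders but cannot
    prove to a third party which of them sent the message."""
    text = b"a message the other key holder never sent"
    return check_mac(key, text, make_mac(key, text))
```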