Scribd Logo
Upload

Welcome to Scribd!

  • Topic 7 - Cryptography & PKI

    Uploaded by

    s.l.mills86
    6 views33 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views33 pages

    Topic 7 - Cryptography & PKI

    Uploaded by

    s.l.mills86

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 33

    ITI581 CYBER SECURITY FUNDAMENTALS

    Topic 7
    Cryptography & PKI
    Topic Reading

    • Chapter 7: Cryptography and Public Key Infrastructure

    • Interact content.
    Cryptography

    • “the science or study of the techniques of secret writing, especially code


    and cipher systems, methods, and the like”.

    • At its simplest it deals with keeping secrets secret – confidentiality.

    • More complex cryptography techniques also provide integrity of data.


    Cryptography (crypto)

    • Crypto is an essential in contemporary communications but often not used


    outside of the military, education or other big business.

    • Crypto generally thought of as being good.


    – Securing nuclear launch codes.
    – Protecting financial, medical or other personal details.

    • Crypto can be easily used by criminals for hiding their activities!


    Definitions
    Crypto Goals 1

    Confidentiality
    • Protect information from casual prying eyes or deliberate attempts to steal.

    • Information doesn’t always have to be of significant value to anyone other


    than an individual.

    • Common layman definition of security is confidentiality.

    • Crypto directly addresses this issue by scrambling plain text into something
    that only the intended recipient can unscramble.
    Crypto Goals 2

    Integrity
    • Some components of crypto perform verification and validation of data.

    • Fundamentally digitally signs data with any changes to the signature


    indicating a change to the underlying data; integrity compromised.

    • Attacks on integrity of data can be more dangerous as they can be difficult


    to confirm and generally are designed to result in unexpected, but
    seemingly legitimate, results.
    Crypto Goals 3

    Availability
    • A major component of the CIA triangle but unfortunately not something
    crypto can help with.

    • This point is important because it confirms that crypto is not a complete


    security solution but rather part of a good defense in depth strategy.

    Authentication
    • Confirmation that the person you think sent the information really
    did…clearly important for commercial transactions.
    Crypto Goals 4

    Non-repudiation
    • Ability to prove who signed information & that that signature has not been
    spoofed.

    • Without this digital signatures & contracts would be meaningless.


    Crypto Primitives

    • Crypto can be better understood through four primitives:


    – Generation of random numbers.
    – Symmetric encryption.
    – Asymmetric encryption.
    – Hashing.

    • Primitives can be used singularly for some purposes but are usually used
    together.
    Random Numbers

    • Actual random strings of bits.

    • Truly random numbers are not possible using algorithms alone.

    • Value is in generate pseudo-random numbers to provide keys for crypto


    algorithms.

    • For this purpose numbers need only be unpredictable not totally random.
    Symmetric Encryption

    • Same key for encryption/decryption.

    • Also known as classical, conventional or single-key encryption.

    • Oldest type of encryption.

    • Only type until the 1970’s.

    • Still the most widely used.


    Symmetric Encryption
    Symmetric Encryption

    • Uses the notion of “computationally secure”…

    • That is…
    – The time it would take to compute all possible key combinations is so
    large that it cannot be achieved within the time frame that the encrypted
    information is useful to.

    • Not worth the effort!


    Symmetric Encryption

    • Ability to use ciphers is hamstrung by the fact that communicating parties


    must both know the shared key.

    • How do we keep this secure?

    • Must be shared by another means prior to encryption.


    – Secure post, secure phone.
    – Not with e-mail or yellow sticky notes!

    • Can also use a trusted third party.


    Asymmetric Encryption
    Asymmetric Encryption

    • The concept of public key cryptography evolved from an attempt to attack


    two of the most difficult problems associated with symmetric encryption:

    • Whitfield Diffie and Martin Hellman from Stanford University achieved a


    breakthrough in 1976 by coming up with a method that addressed both
    problems and was radically different from all previous approaches to
    cryptography.
    Asymmetric Encryption

    • A public-key system has 6 ingredients:


    Asymmetric Encryption
    Hash Functions

    • A hash function (H) takes variable-length blocks of data (M) as input and
    outputs a fixed-size hash value.
    • h = H(M)
    • Primary objective is to ensure data integrity.

    • Cryptographic hash function is:


    • An algorithm for which it is CI to find:
    – A data object that maps to a pre-specified hash result (1-way
    property).
    – Two data objects that map to the same hash result (collision-free
    property).
    Hash Function; h=H(M)
    L Bits

    Message or data block M (variable length) P, L

    Hash value h
    (fixed length)

    P, L = padding plus length field.


    Applications
    Application of Encryption

    • There are many useful applications of cryptographic theories.

    • Some of commonly used and others should be commonly used!

    • Following slides look at the most common.


    E-Mail Privacy

    • Not so commonly used by the average e-mail user.

    • Both POP and IMAP have crypto features built in.

    • PGP also a good option for e-mail encryption.


    – Digital sigs, confidentiality, message compression, format conversion.
    VPN

    • Probably the most popular use of crypto technology.

    • Connecting offices, users and partners securely using public infrastructure.

    • IPSec or SSL based are best.

    • PPTP really legacy but still widely used.

    • Can be point-to-point for static offices.

    • Remote access for teleworkers & road warriors.


    SSL/TLS

    • Encrypts between clients and servers.

    • Most common tool for secure websites.

    • Uses asymmetric encryption.

    • Supported by all browsers and many e-mail clients.

    • Used in VPNs to provide web based portals.


    Public Key Infrastructure (PKI)
    PKI

    • A group of technologies for secure communications using asymmetric


    public key encryption.

    • Provides:
    – Confidentiality, integrity, authentication and non-repudiation.
    PKI – Explained in 5….
    Common Challenges PKI solves….

    • MiTM attacks.

    • Management of certificates.

    • Distribution and use of certificate services.

    • Maintenance of security in a digital world.


    Common uses of PKI

    • SSL/TLS certificates to secure web browsing experiences and


    communications.

    • Digital signatures on software.

    • Restricted access to enterprise intranets and VPNs.

    • Password-free Wi-Fi access based on device ownership.

    • Email and data encryption.


    Big Picture

    • Cryptography is a vital weapon in your cybersecurity armory.

    • Touches almost every other area of security.

    • Supports C, I, A and non-repudiation.

    • Secrecy of the key is the single most important thing.


    Thanks for watching!

    You might also like