Create Presentation
Download Presentation

Download Presentation
## Computer Security: Principles and Practice

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Computer Security: Principles and Practice**Chapter 2 – Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown**Cryptographic Tools**• cryptographic algorithms important element in security services • review various types of elements • symmetric encryption • public-key (asymmetric) encryption • digital signatures and key management • secure hash functions • example is use to encrypt stored data**Attacking Symmetric Encryption**• cryptanalysis • rely on nature of the algorithm • plus some knowledge of plaintext characteristics • even some sample plaintext-ciphertext pairs • exploits characteristics of algorithm to deduce specific plaintext or key • brute-force attack • try all possible keys on some ciphertext until get an intelligible translation into plaintext**DES and Triple-DES**• Data Encryption Standard (DES) is the most widely used encryption scheme • uses 64 bit plaintext block and 56 bit key to produce a 64 bit ciphertext block • concerns about algorithm & use of 56-bit key • Triple-DES • repeats basic DES algorithm three times • using either two or three unique keys • much more secure but also much slower**Advanced Encryption Standard (AES)**• needed a better replacement for DES • NIST called for proposals in 1997 • efficiency, security, HW/SW suitability, 128, 256, 256 keys • selected Rijndael in Nov 2001 • symmetric block cipher • uses 128 bit data & 128/192/256 bit keys • now widely available commercially**Message Authentication**• protects against active attacks • verifies received message is authentic • contents unaltered • from authentic source • timely and in correct sequence • can use conventional encryption • only sender & receiver have key needed • or separate authentication mechanisms • append authentication tag to cleartext message**Hash Function Requirements**• applied to any size data • H produces a fixed-length output. • H(x) is relatively easy to compute for any given x • one-way property • computationally infeasible to find x such that H(x) = h • weak collision resistance • computationally infeasible to find y ≠ x such tha H(y) = H(x) • strong collision resistance • computationally infeasible to find any pair (x, y) such that H(x) = H(y)**Hash Functions**• two attack approaches • cryptanalysis • exploit logical weakness in alg • brute-force attack • trial many inputs • strength proportional to size of hash code (2n/2) • SHA most widely used hash algorithm • SHA-1 gives 160-bit hash • more recent SHA-256, SHA-384, SHA-512 provide improved size and security**Public Key Authentication**Authentication and/or data integrity**Public Key Requirements**• computationally easy to create key pairs • computationally easy for sender knowing public key to encrypt messages • computationally easy for receiver knowing private key to decrypt ciphertext • computationally infeasible for opponent to determine private key from public key • computationally infeasible for opponent to otherwise recover original message • useful if either key can be used for each role**Public Key Algorithms**• RSA (Rivest, Shamir, Adleman) • developed in 1977 • only widely accepted public-key encryption alg • given tech advances need 1024+ bit keys • Diffie-Hellman key exchange algorithm • only allows exchange of a secret key • Digital Signature Standard (DSS) • provides only a digital signature function with SHA-1 • Elliptic curve cryptography (ECC) • new, security like RSA, but with much smaller keys**Public KeyCertificates**See textbook figure p.63**Digital Envelopes**Another application of public key alg**Random Numbers**• random numbers have a range of uses • requirements: • randomness • based on statistical tests for uniform distribution and independence • unpredictability • successive values not related to previous • clearly true for truly random numbers • but more commonly use generator**Pseudorandom verses Random Numbers**• often use algorithmic technique to create pseudorandom numbers • which satisfy statistical randomness tests • but likely to be predictable • true random number generators use a nondeterministic source • e.g. radiation, gas discharge, leaky capacitors • increasingly provided on modern processors**Practical Application: Encryption of Stored Data**• common to encrypt transmitted data • much less common for stored data • which can be copied, backed up, recovered • approaches to encrypt stored data: • back-end appliance (hardware device close to data storage; encrypt close to wire speed) • library based tape encryption (co-processor board embedded in tape drive) • background laptop/PC data encryption**Summary**• introduced cryptographic algorithms • symmetric encryption algorithms for confidentiality • message authentication & hash functions • public-key encryption • digital signatures and key management • random numbers