Knight Talks Tech

Introduction to cyber security – Week 5, Cryptography

Specialised area of mathematics concerned with protecting information.
Anything that can be represented as 0s and 1s can be encrypted.
Applications for cryptography include:

  • Secure banking and payment systems
  • Protecting conversations over mobile telephones
  • Safeguarding wireless networks
  • Securing files on hard disks and memory keys
  • Authenticating electronic documents
  • Electronic voting
  • Securing media files – Digital Rights Management (DRM)

Terminology

  • Plaintext
    • Information directly readable by human and computer
  • Ciphertext
    • Encrypted data
  • A cipher
    • Algorithm used to convert plaintext to ciphertext and back
  • Encryption
    • Process of converting plaintext to ciphertext
  • Decryption
    • Process of converting ciphertext to plaintext

Encryption keys

Key

  • Determines output from encryption/decryption process.
  • String of bits
  • Each additional bit doubles number of possible values, e.g. 2key length

Ciphers widely available in press and documentation – allows for checking of security and for weaknesses.
Short keys are vulnerable to brute force attacks just as passwords are.

The key distribution problem

Symmetric encryption requires either sender or recipient to create key and send to other party. Key could be intercept and copied during transit.
For each pair of parties wanting to communicate with each other a pair of keys would be required. n(n-1)/2 where n is number of parties.
So, for 10 parties to communicate 45 key pairs would be required.
10(10-1)/2 = (10*9)/2 = 45
Method developed in 1970 of distributing keys without actually sending them.

Asymmetric, or, public key cryptography

Key pair – one public key shared with anyone, one private key kept safe & never distributed.
Cannot determine value of one key from the other.
Private key required to decrypt ciphertext encrypted with public key.
Public key required to decrypt ciphertext encrypted with private key.
Public key can be distributed via email of key chain server.
No initial exchange of secret keys required.
Slower than symmetric encryption.

Why isn’t the internet encrypted?

Encryption and decryption requires certain amount of processing power which comes at a cost.
Some websites do not need encryption such as news sites.

Putting cryptography to use

Collection of cryptographic tools commonly known as Pretty Good Privacy (PGP).
PGP includes algorithms for symmetric and asymmetric cryptography.
OpenPGP – standard to be used by vendors.
Email encryption tools include:

  • GPG4Win – standalone tools for encryption and digital signing of documents, emails etc.
  • GPGMail – integrates with Apple Mail, encryption and digital signature.
  • Enigmail for Thunerbird – requires manual installation of GNUPG software.
  • Mailvelope – Google Chrome plug-in, implements OpenPGP, works with web mail.

Comparing different cryptographic techniques

DES (Data Encryption Standard)

  • 56-bit symmetric cypher.
  • Vulnerable to brute force attacks due to short key length
  • Triple DES uses three rounds of DES encryption and three separate 56-bit DES keys.

AES (Advanced Encryption Standard)

  • Uses combination of symmetric ciphers,
  • Uses either 128, 192 or 256-bit key.

Blowfish

  • Supports key lengths from 1 to 448 bit.
  • No known breaches of correctly implemented encryption.

Using cryptography to prove identity

Hashing

  • Mathematical process of converting data of any size into fixed length piece of data known as hash.
  • Used to verify that a file is as supplied by comparing hashes.
  • Algorithms include:
    • MD5
    • SHA-1
    • SHA-2
  • MD5 and SHA-1 can generate “broken” hashes and neither should be used.

Digital signatures and certificates

Digital signature uses public key to encrypt the hash.
As the encrypted hash decrypted by public key would only be verifiable if it were encrypted using private key this provides authentication.
Malicious individual could pretend to be sender and make their own key pair and digitally sign document.
Digital certificate – binds public keys to their owners.
Issued by Certificate Authorities (CAs) who validate owners of keys.
Once validate, CAs bind the public key to a digital certificate and digitally sign it with their private key.

Encrypted network connections

Secure Socket Layer (SSL) protocol.
SSL now replaced by Transport Layer Security (TLS) – allows web browsers to securely exchange data.
TLS/SSL

  • Uses combination of symmetric and asymmetric encryption
  • Browser connects to server and requests secure communication – handshake – and agrees type of cryptography to use
  • Server sends public key and digital certificate to user’s computer
  • Digital certificate then checked to ensure it is genuine and has not expired
  • User’s computer generates master password, encrypts with server’s public key and sends back
  • Server decrypt encrypted master secret with its private key
  • Both computers generate identical copy of symmetric encryption key
  • At end of session both computers delete symmetric session key

Use of TLS/SSL means user can benefit from confidentiality and integrity.

Posted

in

by

John

Tags:

, , , , , , , , , ,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *