Cryptography & Digital certificate
Download as PPT, PDF2 likes2,106 views
More damage can be done through a mouse click than a bomb. Cybersecurity differs from conventional security in key ways: identities and messages can be spoofed or intercepted, compromising privacy, integrity, and non-repudiation. The pillars of reliable e-security are authentication, privacy, authorization, integrity, and non-repudiation. Cryptography uses encryption to scramble messages so only authorized parties can read them, and decryption to retrieve the hidden message. Symmetric encryption uses a shared secret key while asymmetric encryption uses public-private key pairs. Digital signatures provide authentication by encrypting a message digest with a private key.
![2) Asymmetric Key Encryption: [Public-Private key pairs]
• No shared secret
• Bob has two co m plim e ntary ke ys
• What one key encrypts, only the other key can
decrypt
• Bob keeps one key private (Private Key).
• Bob shares the other key (Public Key).](https://image.slidesharecdn.com/cryptographyanddigitalsignature-140419012421-phpapp02/85/Cryptography-Digital-certificate-17-320.jpg)
![Asymmetric Key Encryption: Public-Private key pairs
Scenario 1
If Alice needs to send Bob a message:
- Alice encrypts message with Bob’s public key,
- Bob decrypts message with his private key
Problem:
• How would Bob ensure that the message has been sent by Alice?How would Bob ensure that the message has been sent by Alice?
• Anybody can encrypt the message using Bob’s public key as this key is publicly available.Anybody can encrypt the message using Bob’s public key as this key is publicly available.
[[Alice’s key not used at all]Alice’s key not used at all]
CiphertextCiphertext
B's public keyB's public key B's private keyB's private key
DecryptDecrypt
BobBob
#d%G
*!ki4i
EncryptEncrypt
PlaintextPlaintext
AliceAlice
Hi Bob
Alice
Hi
Bob
Alice](https://image.slidesharecdn.com/cryptographyanddigitalsignature-140419012421-phpapp02/85/Cryptography-Digital-certificate-18-320.jpg)
Cryptography & Digital certificate
- 1. ““More damage could be done by a mouse click than a bomb”More damage could be done by a mouse click than a bomb” ……………………. Are we. Are we reallyreally prepared ??prepared ?? Cryptography
- 2. Why Encryption needed ?Why Encryption needed ? How Does CyberSecurity Differs Fromconventional security?How Does CyberSecurity Differs Fromconventional security? • The parties to the transaction cannot be certain of each other’s identities – Email addresses can be spoofed • They cannot be sure that the messages between themhave not been intercepted by third parties – Confidentiality(privacy) of the transaction (read by outsiders) – Integrity of the transaction (changed by outsiders) • How do we achieve unequivocal agreement? – Both parties have the authority to do the transaction – Assurance that neither side can later repudiate the transaction – How do the parties sign their acceptance of the deal? • Do we have adequate evidence to the transaction?
- 3. Pillars of reliable e- SecurityPillars of reliable e- Security Security Infrastructure Security Policies Authentication Privacy Authorization Integrity ofData Non- Repudiation Reliable e-Transaction/ e-Business Technology Management
- 4. A PAIN …. Authentication • be sure you know who you are communicating with Privacy (Confidentiality) • keep secrets secret Authorization(Access Control) • ensure users do not exceed their allowed authority Integrity (of the Data) • be sure nothing is changed behind your back Non-Repudiation • have the evidence in the event of a dispute Pillars of reliable e- SecurityPillars of reliable e- Security
- 5. Cryptography Principles • The science of scrambling a message so that only authorized parties can read it • Process must be reversible – Hiding is called e ncryptio n – Retrieving the hidden message is de cryptio n • Converts the original message (“plaintext”) into a scrambled message (“cipher text”)
- 6. CONSEQUENCES OF WEAKENCRYPTION …. • World War I, Russian Army at Tannenberg – Two Russian armies couldn’t communicate securely – Germans could read their communications and attack them separately – Result: defeat! • Allied cracked German Enigma Cipher machine in World War 2 – Montgomery (Monty) often read Rommel’s (Desert Fox) orders before he did – Result: tide turned in North Africa • U.S. Navy cryptographers cracked Japanese convoy codes (“Purple”)WW2 – U.S. subs could destroy Japanese submarine ships – Surprise attack on Midway Pacific Island • Germans also cracked Allied codes – U-boats were devastated in the Atlantic
- 8. Ancient Encryption Techniques A. Secret/Symmetric Key Cryptography Uses a secret key known to both parties (“symmetric”) 1) Caesar Cipher: (Skip 2 letters) A Þ D, B Þ E, etc. - Easy to “crack” by elementary cryptanalyst 2) Mono-Alphabetic Substitution: A long sequence of key consisting of 26 alphabets. Alphabets : a b c d e f … k t .. z Key : Q W E R A B S N C eg: Plain Text a t t a c k Cipher Text Q N N Q E S
- 10. • Symmetric/Secret Key Cryptography(Modern) – DES (Data Encryption Standard) – Triple DES – AES (Advanced Encryption Standard) – SkipJack – RC2, RC4, RC5, RC6(Rivest Ciphers) • Asymmetric Cryptography -Public Private Key Pairs Cryptography Encryption Techniques (Modern)Encryption Techniques (Modern)
- 11. Common Symmetric Key Algorithms Algorithm Supporter Length Availability Comments DES NSA, NIST, 40 & 56 bits Public Domain Most widely used; ANSI now too weak Triple-DES - same - 80 & 112 bits Public Domain Stronger variant of DES Skipjack NSA 80 bits Recently Planned for the declassified US Govt’s Clipper RC2, RC4 RSA variable Proprietary Very strong; Websites: rsasecurity.com, nsa.com, nist.com NSA: Netwk Security Agency NIST: National Institute of Standarad & Technology ANSI: American National Standards Institute. SHA: Secure Hash Algo NSI :Netwk Solutions Incorporation
- 12. Symmetric/Secret Cryptography System EncryptEncrypt Symmetric key (sharedSymmetric key (shared secret,secret, known to A & B)known to A & B) DecryptDecrypt CiphertextCiphertext aN!3q * nB5+ C=E(M, K) C = Ciphertext M= Message (plaintext) K= Secret Key E = Encryption function AliceAlice PlaintextPlaintext Hi Bob Alice !!?? EavesdropperEavesdropper M=D(C, K) D= Decryption function BobBob PlaintextPlaintext Hi Bob Alice
- 13. Strength OF Symmetric Key Encryption Method ? • Strength of encryption = difficulty of cracking • Length of key (Modern Symmetric Key Encryption uses 128, 256, 1024 bits as key) • Strength of the mathematical algorithm (Modern method uses Hash function) Cracking Symmetric Key EncryptionCracking Symmetric Key Encryption Brute Force = Exhaustive search, trying all possible keys, starts at 0000…..1, etc. • Successful attacks are now possible by using thousands of networked computers linked on the Internet
- 14. Digital signatures vs Digital certificate Digital certificate is a form of an electronic credential for the Internet. Similar to a driver's license, employee ID card, a Digital certificate is issued by a trusted third party to establish the identity of the certificate holder. The third party who issues the Digital Certificate is known as the Certifying Authority (CA). Digital signatures are electronically generated and can be used to ensure the integrity and authenticity of some data, such as an e-mail message and protect against non-repudiation
- 15. Key Size No of Possible Keys Crack Time(*) 40 bits 1 x 1012 (1 trillion) 2 hours 56 7 x 1016 20 hrs (12/98) 64 2 x 1019 9 years 112 5 x 1033 1015 years 128 3 x 1038 1019 years 256 1 x 1077 1058 years * Time required for a “brute force” attack, using a hypothetical special- purpose, “cracking” computer Strength of Symmetric Key EncryptionStrength of Symmetric Key Encryption
- 16. Quote “The problem with bad cryptography is that it looks just like good cryptography” - Bruce Schneider
- 17. 2) Asymmetric Key Encryption: [Public-Private key pairs] • No shared secret • Bob has two co m plim e ntary ke ys • What one key encrypts, only the other key can decrypt • Bob keeps one key private (Private Key). • Bob shares the other key (Public Key).
- 18. Asymmetric Key Encryption: Public-Private key pairs Scenario 1 If Alice needs to send Bob a message: - Alice encrypts message with Bob’s public key, - Bob decrypts message with his private key Problem: • How would Bob ensure that the message has been sent by Alice?How would Bob ensure that the message has been sent by Alice? • Anybody can encrypt the message using Bob’s public key as this key is publicly available.Anybody can encrypt the message using Bob’s public key as this key is publicly available. [[Alice’s key not used at all]Alice’s key not used at all] CiphertextCiphertext B's public keyB's public key B's private keyB's private key DecryptDecrypt BobBob #d%G *!ki4i EncryptEncrypt PlaintextPlaintext AliceAlice Hi Bob Alice Hi Bob Alice
- 19. Public-Private key pairs: Scenario 2: •Alice encrypts message with her private key & sends to Bob. Identity attached •Bob is confirm that the message is from Alice. The message is authentic. •Message is not confidential as anybody can decrypt it using Alice’s public key. Problem: Bob’s key not used at allBob’s key not used at all
- 20. Putting It All Together Let’s put Encryption and Authentication together
- 21. PROPERTIES OF A MESSAGE DIGEST (MD)/ HASH FUNCTION • Properties of MD (or hash) functions : – Sho rt o utput: reduces a message to a fixed length, say 16 to 20 characters – One way: impractical to determine a message from its hash – Uniq ue : impractical to find 2 messages with the same hash – Se nsitive : checksum changes if one bit changes or one bit is added to or removed from the message Hash Algo: MD-5(128 bits), SHA1(160bits) • An MD is like a fingerprint – Less information than the original (me) – Unique to me – Unlikely to find 2 individuals with identical fingerprints – Given the fingerprint, can’t reconstruct the person
- 22. DIGITAL SIGNATURE WITHA MESSAGE DIGEST Plaintext Alice Hi Bob Alice Plaintext Bob Hi Bob Alice =? Hi Bob Alice A's public key 17648902381764890238 5. Alice’s5. Alice’s Message DigestMessage Digest Encrypted MD (“signature”) Unencrypted message A’s private key Digest 1. Message Digest 17648902381764890238 MD 17648902381764890238 MD 3. Compute the MD Digitally Sign 2.Sign it (Encrypt the MD) Decrypt Alice’s MD Decrypt Alice’s MD 4.
- 23. Certifying Authorities • Certifying Authority is a trusted third party – similar to Passport Office • Certifying Authorities issue digital certificates. Controller of Certifying Authority is the custodian of the following repositories: -National Repository of Digital Certificates -Certificate Revocation List • A certificate contains the following: – Bob’s public key, Bob’s name, address, other info – Expiration date & serial number – The certificate authority’s name, etc. • A digital certificate is “signed” with the Certifying Authority’s private key, to ensure authenticity • Everyone has CA’s public key
- 24. Basic Certificate Contents as perInternational Standard ITU-T X.509 v3 Version Serial number Signature algorithm Issuername Validity period Subject name Subject public key Identifies certificate format Identifies this certificate Algorithm used to sign certificate Name of certification authority Start date and end date Public key value and indicatorof its algorithm Identifies the owner of the key pair Ensures cert. dataEnsures cert. data can’t be changedcan’t be changed
- 25. VERISIGN CERTIFICATE CLASSES 1 Class • email address, charges Rs 500/- • Real name, real address, locale, email address • Verified using a “trusted” database (credentials like ration card, passport ClassClass 22 • Real name, real address, locale, email address • Verified using “trusted” database • Verified in person, with notarization ClassClass 33 https: //www. nco de so lutio ns. co m /ce rtificate s. asp
- 26. CAs licensed underthe Govt. of India IT Act, 2000 (www.cca.gov.in) •Controller of CAs •IDRBT CA(Instt fo r De v & Re se arch in Banking Te ch. , IT Te ch Arm o f RBI) •TCS Certifying Authority (CA) Services •National Informatics Center CA •SafeScrypt •MTNL •Customs & Central Excise •GNFC (n)Code Solutions Ltd., (A division of Gujarat Narmada Valley Fertilizers Company Ltd.)
- 27. Countermeasures Some of the measures that the Government has decided to take up to counterattack Cyber Terrorism are: • Establishment of National Level Cyber Emergency Response Units • Conducting Security Training & Awareness Programs • Developing Indigenous Security Software • Deploying of Cyber Cops or Cyber Cells to keep a track of various online activities • Deployment of PKI Infrastructure
- 28. Tools: 1. Wondercrypt: A PKI Solution (wondercrypt.com) 2. PGP (Pretty Good Privacy) Resources: Wikipedia Webopedia Security fresh Zdnet D3pak KumarD3pak Kumar IT security & Forensic Consultant @D3pak Fb/D3pak [email protected]
- 29. “BETHECHANGEYOU WISHTOSEEIN THISWORLD” - MahatmaGandhi
Editor's Notes
- #10: This graph is based on counts done at ADFA in the late 1980's, and used to develop the tables published in Seberry & Pieprzyk [SEBE89]. Note that all human languages have varying letter frequencies, though the number of letters and their frequencies varies. Seberry & Pieprzyk [SEBE89] Appendix A has graphs for 20 languages (most European & Japanese & Malay).