Uploaded by eusebio.a95

08-Cryptography

advertisement
IT & Security Fundamentals
Module VII
Cryptography Essentials
The CIA Triad
• Confidentiality
• Integrity
• Availability
Confidentiality
Information
Security
Availability
Integrity
2
The CIA Triad
Confidentiality
• The objective of Confidentiality is to protect data secrecy and
privacy, preventing unauthorized access to it
• Measures like encryption and access controls are taken in
order to ensure those goals
• Intellectual property, businesses’ secrets, Personal
Identifiable Information (PII) and other sensitive data (ex:
health - PHI), must be protected in order to avoid disclosure
and financial losses, as well as (heavy) penalties (ex: GDPR)
3
The CIA Triad
Confidentiality
• Encryption is the use of key(s) and cryptographic algorithms
to a given set of data in order to make it imperceptible
• A little and simple exercise (Caesar Cipher):
WKLV LV D VHFUHW PHVVDJH
(Offset +3)
“Key”!
(ABCDEFGHIJKLMOPQRSTUVWXYZ)
THIS IS A SECRET MESSAGE
http://www.simonsingh.net/The_Black_Chamber/caesar.html
4
The CIA Triad
Confidentiality
• Access controls are used in order to ensure that only
authorized users have access to data:
- Identification: user presents a unique identity, like a
username or e-mail address
- Authentication: user must prove his/her identity, normally
through a password or PIN
- Authorization: access is given to certain resources (and
just the necessary ones), according to a set of pre-established
rules of access, like permissions
5
The CIA Triad
Integrity
• As the name implies, it ensures that the data has not been
changed, corrupted or subject to any kind of unauthorized or
unexpected alteration (while in transit or at rest)
• The use of Hashing techniques is the mean to ensure these
goals; it is a one way function
• A Hash is a result of a hashing algorithm (ex: MD-5, SHA-1)
applied to a certain set of data; if the data doesn’t change, the
hash will always be the same
http://crypto.hurlant.com/demo/
6
The CIA Triad
Availability
• Ensures that the data, systems, infrastructures, etc. are
available (and updated) for utilization
• Solutions like the following are normally used:
- Redundancy (systems, communications, storage, …)
- Fault tolerant mechanisms, UPSs, redundant sites
- Backups
- Patching
- Hardenning
7
The CIA Triad
CIA
• To summarize:
Confidentiality
Encryption (Sym. & Asym.),
Access Control
Integrity
Hashing
Availability
Redund., Fault Tolerance,
Backups, Patching/Hardening
8
Security Goals
Information Security Goals
Cryptography Goals
• Confidentiality
• Confidentiality
• Integrity
• Integrity
• Availability
• Authentication
• Non-repudiation
9
Symmetric Encryption
• An encryption algorithm, or cipher, is a means of
transforming plaintext into ciphertext under the
control of a secret key.
• This process is called encryption or encipherment.
• Note that the encryption and decryption algorithms
might be public, the secrecy of the cyphertext
depends totally on the secrecy of the key.
10
Symmetric Encryption
• It is an older and simpler method of encrypting
information.
• Both the sender and the receiver of the message
have the same key.
• All symmetric algorithms are based upon this shared
secret principle.
• A cryptographic key is involved in symmetric
encryption, so there must be a mechanism for key
management.
11
Symmetric Key Cryptography
Plain-text input
Plain-text output
Cipher-text
“The quick
brown fox
jumps over
the lazy
dog”
“The quick
brown fox
jumps over
the lazy
dog”
“AxCv;5bmEseTfid3)f
GsmWe#4^,sdgfMwir3
:dkJeTsY8R\s@!q3%”
Encryption
Decryption
Same key
(shared secret)
12
Symmetric Encryption Algorythms
Some symmetric encryption algorithms:
• DES (Data Encryption Standard) – 64 bit block, 56 bit key
• 3DES – 64 bit block in 3 separate steps using several keys
• AES (Advanced Encryption Standard) – block encryption with
key sizes of 128/192/256 bits (respectively AES-128,
AES-192 and AES-256); based on the Rijndael Algorythm and
adopted by NIST
• RC4 (Ron Rivest, Rivest Cipher/Code) – stream cipher,
40-2048 bits
• Blowfish – 64 bit block, key sizes from 32 to 448 bits
• Twofish – 128 bit block, 128/192/256 bits
13
Symmetric Encryption Summary
• Symmetric algorithms are important because:
– They are comparatively fast.
– Have few computational requirements
• Their main weaknesses:
– Two geographically distant parties both need to have a key
that matches the other key exactly.
– Simple keys can quickly be brute-forced.
– Secure key exchange can be an issue.
14
Symmetric Encryption Summary
Exemplo didático
chave simétrica:
PERNAMBUCO
1234567890
Mensagem original:
Eu sou o Groot
Mensagem Cifrada:
27 s98 0 G300t
15
Asymmetric Cypher
• Invented by Whitfield Diffie and Martin Hellman in 1975 - published
an asymmetrical key exchange technique to privately share a
symmetric key – DH algorithm.
• In 1977, Ron Rivest, Adi Shamir and Leonard Adleman (all from
MIT) published RSA, an asymmetrical encryption method using a
Public and a Private keys.
• It uses two paired keys instead of one.
• Commonly known as public key cryptography.
• The system uses a pair of keys:
– A private key that is kept secret.
– A public key that can be sent to anyone.
• Security relies upon resistance to deducing one key, given the other.
16
Public Key Encryption
Clear-text Input
Cipher-text
“The quick
brown fox
jumps over
the lazy
dog”
“The quick
brown fox
jumps over
the lazy
dog”
“Py75c%bn&*)9|fDe^
bDFaq#xzjFr@g5=&n
mdFg$5knvMd’rkveg
Ms”
Encryption
public
Recipient’s
public key
Clear-text Output
Decryption
Different keys
private
Recipient’s
private key
17
Asymmetric Encryption Summary
Message encrypted with
SENDER’S PRIVATE KEY
Open
Message
Format
Authenticity
Message encrypted with
RECIPIENT’S PUBLIC KEY
Secure
Message
Format
Confidentiality
Message encrypted with
SENDER’S PRIVATE KEY
and then with
RECIPIENT’S PUBLIC KEY
Secure
Signed
Format
Authenticity
and
Confidentiality
18
Hash Functions
• A cryptographic hash function is a special class of
hash function that has certain properties which make
it suitable for use in cryptography.
• It’s a mathematical algorithm that maps data of
arbitrary size to a bit string of a fixed size (a hash
function)
• It is designed to also be a one-way function, that is, a
function which is infeasible to invert.
19
Hash vs Encryption
• Hashes are "digests", not "encryption"
• This is a common confusion, especially because all
these words are in the category of "cryptography",
but it's important to understand the difference.
20
Hash vs Encryption
• Encryption transforms data from a cleartext to
ciphertext and back (given the right keys), and the
two texts should roughly correspond to each other in
size: big cleartext yields big ciphertext, and so on.
– Encryption is a two-way operation
• Hashes, on the other hand, compile a stream of data
into a small digest (a summarized form). All hashes
of the same type have the same size no matter how
big the inputs are.
– Hashing is strictly a one way operation
21
Hash Functions
22
Hashing Algorithms
Some hashing algorithms:
• MD5 (Message Digest 5) – produces a 128 bit hash.
• SHA (Secure Hash Algorithm):
✔ SHA-1 generates 160 bit hashes
✔ SHA-2 includes 4 types of bit/length hashes generation:
SHA-224, SHA-256, SHA-384 and SHA-512
✔ SHA-3 is a different method from the previous one and
generates multiple versions of 224, 256, 384 and 512 bits
• HMAC (Hashed-based Message Authentication Code) –
produces a fixed length of bits using some of the previous
algorithms (ex: SHA-1) and adds a key to complete another
calculation of the hash (HMAC-SHA1)
http://crypto.hurlant.com/demo/
23
Hashing
• Hashing functions are very common, and they play
an important role in security.
– Storing passwords
– Signing messages
– Maintaining message integrity
• By computing a digest of the message, less data
needs to be signed by the more complex asymmetric
encryption.
24
Using Hashes
• Storing passwords
• Checking a file’s integrity
25
Digital Signatures
• A digital signature (not to be confused with a digital
certificate) is a mathematical technique used to
validate the authenticity and integrity of a
message, software or digital document.
• It is a digital code that can be attached to an
electronically transmitted message that uniquely
identifies the sender.
• Like a written signature, the purpose of a digital
signature is to guarantee that the individual sending
the message really is who he or she claims to be.
26
Digital Signatures
Sending a digitally signed message
27
Digital Signatures
• The digital signature is simply a small block of data
that is attached to documents you sign.
– Can also be applied to applications, files or e-mail
A digital signature is the hash code of
the original information, encrypted with
the private key of the sender.
28
Several Signatures
Signature types
29
Cryptography Summary
30
Key Exchange
• For messages to be exchanged, the sender and
receiver need the right cryptographic keys
Sender
Symmetric cipher:
Same key
Receiver
Asymmetric cipher:
Each other’s public key
31
Key Exchange
• In symmetric encryption systems, the problem of
sharing the secret key between two entities is solved
by using a Key Distribution Center (KDC)
• In asymmetric encryption systems, the problem of
distributing the public keys in a reliable way is solved
by using a Public Key Infrastructure (PKI)
32
Kerberos
33
Certificates and PKI
• Certificates prove the identity of a server or user
– Contain encryption keys
• Certificates are managed by the PKI
– Public Key Infrastructure
– A group of companies that issue and verify certificates
– Analogous to credit card companies
User with Certificate
Device with Certificate
34
Basics of Public Key Infrastructures
• PKI environments use entities called registration
authorities (RAs) and certificate authorities (CAs).
• PKI helps prevent a man-in-the-middle attack.
A digital certificate is the subject’s
(company or individual) public key,
digitally signed by a CA.
35
Key Exchange
Kerberos
Represents Symmetric Cryptography.
Tickets are used to authenticate users,
and the tickets are issued via online
Key Distribution Center (KDC).
Password is required to authenticate
users.
PKI
Represents Asymmetric Cryptography.
With such architecture, each user has a
pair of keys, private key and public key.
Where public key is published to users,
the private key is kept secret. Private
key is used to generate a digital
signature, while the public key is used
to verify such signature.
Private Key is used to authenticate
users. The private key is stored on disk,
and maintained by users.
The Key Distribution Center (KDC) must
Pre-registration is not required in this
register every user to able to have
case.
access to the network.
36
Pretty Good Privacy
• PGP is a hybrid cryptosystem, which means that it
uses a combination of symmetric and asymmetric
encryption to accomplish its function.
• PGP uses only public key encryption to create a
session key, which is then used to encrypt the whole
message using traditional symmetric cryptography.
• Most public key cryptosystems use this method to
improve performance.
37
PGP & GnuPG
• Rather than use a hierarquical trust system like
digital certificates and their central certificate
authority, PGP and GnuPG use a Web of Trust
model.
• By signing the keys of people you know, you can
verify that their key is worthy of trust.
– And if they sign other people's keys who you don't know
directly, you create a chain of trust.
• The model is based on the idea of "any friend of
yours is a friend of mine."
38
Web of Trust
39
Encrypting File System
• EFS is a built-in file encryption tool for Windows:
– Enables transparent file encryption and decryption
– Provides for encrypted file recovery
– Allows encrypted files to be shared with other users
• EFS encryption occurs at the file-system level
– If a user attempts to open a file and possesses the necessary
key, the file opens
– If a user does not possess the key, receives an access-denied
message
• EFS-encrypted files do not remain encrypted during
transport if you save them to, or open them from, a folder
on a remote server
– The file is decrypted and then traverses the network in plain text
40
How EFS Works
The process of encrypting a file with EFS:
• A symmetrical key is used to encrypt the file
• Public key encryption protects the symmetrical key
• Decrypting the symmetrical key is necessary to decrypt the file
Only authorized users can decrypt the symmetrical key
by using their private key
Symmetrical key encrypts the file. User’s public
key encrypts the symmetrical key. File is
encrypted.
Authorized user uses a private key to
decrypt the symmetrical key.
File is decrypted.
41
What Is BitLocker?
• BitLocker encrypts the data that is stored on the
operating system and other volumes by:
– Providing offline data protection
– Protecting all data stored on the encrypted volume
– Verifying the integrity of early startup components and boot
configuration data
– Ensuring integrity of the startup process
• BitLocker to Go allows encryption of removable
media such as USB thumb drives
42
BitLocker Requirements
• A BIOS or UEFI environment that is compatible with
a TPM 1.2 or newer device or that supports USB
devices during computer startup.
• Enough space on the hard disk for BitLocker to
create two partitions:
– System partition (EFI)
– Windows Partition
43
BitLocker Modes
Windows 10 supports two modes of BitLocker operation:
• TPM mode:
– Locks the normal startup process until a user optionally
supplies a personal PIN and/or inserts a USB drive that
contains a BitLocker startup key
– Performs system-integrity verification on startup components
• Non-TPM mode:
– Uses Group Policy to allow BitLocker to work without a TPM
– Locks the startup process similar to TPM mode, but the
BitLocker startup key must be stored on a USB drive
– Provides limited authentication
44
The BitLocker Encryption Process
BitLocker:
•
•
•
•
Encrypts entire disk partitions
Protects the integrity of boot files
Requires at least two partitions
Uses encryption keys:
▪ Full Volume Encryption Key
▪ Volume Master Key
45
BitLocker and TPMs
A TPM:
• Is a chip that stores encryption keys and
certificates
• Is used to store the VMK for BitLocker
• Is not present in all computers
46
The SSL Enrollment Process
SSL Enrollment Step
Explanation
1. Request
The client requests a session with the server.
2. Response
The server responds by sending its digital
certificate and public key to the client.
3. Negotiation
The server and client then negotiate an encryption
level.
4. Encryption
Once they agree on an encryption level, the client
generates a session key, encrypts it, and sends it
with the public key from the server.
5. Communication
The session key then becomes the key used in the
conversation.
47
SSL/TLS
48
SSL/TLS
• TLS & SSL are not interchangeable
– TLS is the more modern of the two.
• TLS is superior to SSL since SSL’s use of hashing
forces a reliance on MD5 rather than SHA1.
• TLS is composed of two parts
– Record Protocol
– Handshake Protocol.
49
New TLS 1.3
50
New TLS 1.3
51
New TLS 1.3
• TLS 1.2 ECDHE
• TLS 1.3
52
Questions?
53
Download