Encryption
Dana Scherm, Velma DeFee

Encryption and Security: Definitions
Encryption is a mechanism for hiding information by turning readable text into a stream of gibberish in such a way that someone with the proper key can make it readable again.
http://www.beagle-ears.com/lars/engineer/computer/crypto.htm

Why is it important?
Encryption used to be a word that people linked with government and secret operations; however, as computers have become more and more common, it is necessary for data to be disguised to help protect the user.
• It keeps outsiders from viewing important company documents
• It keeps information from being shared between users on the same server or network
• It can be used to make “keys” so that only certain people can view or access a document

History
• About 1900 BC: An Egyptian scribe used non-standard hieroglyphs in an inscription. This is the first documented example of written cryptography.
• 1500 BC: Ancient Assyrian merchants used intaglio, a piece of flat stone carved into a collage of images and some writing, to identify themselves in trading transactions.
• 100-44 BC: Julius Caesar used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communications.
• 1790: Thomas Jefferson invented his wheel cipher.
• 1917: William Frederick Friedman was employed as a civilian cryptanalyst at Riverbank Laboratories and performed cryptanalysis for the US Government, which had no cryptanalytic expertise of its own. WFF went on to start a school for military cryptanalysts at Riverbank, later taking that work to Washington and leaving Riverbank.
http://www.sans.org/reading_room/whitepapers/vpns/history_of_encryption_730?show=730.php&cat=vpns

History Continued
• 1933-1945: The Enigma machine was taken over and improved upon to become the cryptographic workhorse of Nazi Germany.
• 1976: A design by IBM based on the Lucifer cipher, with changes by the US NSA, was chosen to be the U.S. Data Encryption Standard.
It has since found worldwide acceptance, largely because it has shown itself strong against 20 years of attacks. Even some who believe it is past its useful life use it as a component, e.g. of 3-key triple-DES.
• 1991: Phil Zimmermann released his first version of PGP (Pretty Good Privacy) in response to the threat by the FBI to demand access to the cleartext of the communications of citizens. PGP offered high security to the general citizen and as such could have been seen as a competitor to commercial products like Mailsafe from RSADSI.

Cryptography
The study of encryption: the hiding of information, converting it from its “normal, comprehensible form into an obscured guise, unreadable without special knowledge.”
www.wikipedia.com

The Enigma Machine
The first Enigma was invented by German engineer Arthur Scherbius at the end of World War I. This model and its variants were used most notably by Nazi Germany before and during World War II. A range of Enigma models was produced, but the German military model, the Wehrmacht Enigma, is the version most commonly discussed.

The Enigma Machine: How It Works
http://russells.freeshell.org/enigma/
When a key is pressed, an electrical current is sent through the machine. The current first passes through the plug board, then through the three rotors, through the reflector, which reverses the current, back through the three rotors, back through the plug board, and then the encrypted letter is lit on the display. After the display is lit up, the rotors rotate. The rotors rotate much like an odometer: the rightmost rotor must complete one revolution before the middle rotor rotates one position, and so on.

Continued History of the Enigma Machine
• 1918: Arthur Scherbius used his idea of “rotating rotors” to try to come up with a cipher machine. He took his ideas to the German military, but they weren’t interested. He then took his idea to a German company called Gewerkschaft Securitas, which bought his patents.
• 1920s: The first Enigma machine was produced. Its rotating rotors made it a better enciphering machine than any other.
• 1925: Modifications began, and eventually the German Army made modifications too.
• 1928: The Poles confiscated an Enigma machine in customs. It was on its way to the German Embassy in Warsaw.
• December 31, 1932: The Poles decrypted the German Enigma signals.
• July 25, 1939: The Poles gave the French and the British replicas of the Polish-made Enigmas together with the drawings and information on the Enigma, the Bomba (the Polish version of the Enigma), and the decryption information.

Morse Code
http://www.scoutnet.nl/~inter/morse/morseform.html
• A type of character encoding that transmits telegraphic information using rhythm.
• Uses a standardized sequence of short and long elements to represent the letters, numerals, punctuation, and special characters of a given message.
• The short and long elements can be formed by sounds, marks, or pulses in on/off keying.
• Measured in words per minute.
• Originally created for Samuel F. B. Morse’s electric telegraph in the early 1840s.
• Also extensively used for early radio communication beginning in the 1890s.
• For the first half of the 20th century, the majority of high-speed international communication was conducted in Morse code, using telegraph lines, undersea cables, and radio circuits. However, the variable length of the Morse characters made it hard to adapt to automated circuits.
• Morse code is designed to be read by humans without a decoding device, making it useful for sending automated digital data in voice channels.
• For emergency signaling, Morse code can be sent by way of improvised sources that can be easily "keyed" on and off, making Morse code one of the most versatile methods of telecommunication in existence.
www.wikipedia.com

Types of Encryption: 3 Basic Types
Manual encryption
• Completely provided by the user
• Demands the user’s active participation
• Risky, but reliable
Transparent encryption
• Performed at a low level during ALL operations, permanently
• Difficult to implement correctly
• Generally doesn’t work well with networking
• Easy to use, most secure
Semi-transparent (“on-the-fly encryption”)
• Operates not permanently, but before/after access
• May cause degradation of the computer’s efficiency
• If the data to be encrypted is too great, can cause loss of data
http://services.devadvisers.net/cryprite/042ETYPE.HTM

Authentication and Encryption
Authentication and encryption are two intertwined technologies that help to ensure that your data remains secure. Authentication is the process of ensuring that both ends of the connection are in fact who they say they are. This applies not only to the entity trying to access a service (such as an end user) but to the entity providing the service as well (such as a file server or Web site). Encryption helps to ensure that the information within a session is not compromised. This covers not only reading the information within a data stream, but altering it as well. While authentication and encryption each has its own responsibilities in securing a communication session, maximum protection can only be achieved when the two are combined. For this reason, many security protocols contain both authentication and encryption specifications.
http://technet.microsoft.com/en-us/library/cc750036.aspx

Authentication: Three Types
• Single-factor authentication
  • Password
  • Easy to remember
  • Easy to crack
  • People are predictable: passwords are usually a pet’s name, a birth date, etc.
• Two-factor
  • Password + token (a security device for users to keep in their possession)
  • Safer and more complex than single-factor
• Three-factor
  • Password + token + biometric authentication (fingerprint, retinal scan)
  • Safer and more complex than single- or two-factor types; used for high-security purposes (e.g. government documents)
• A token is a security device for authorized users to keep in their possession. Some examples include: SecurID card, challenge/response method, and USB token.

Symmetric Key (Private Key and Public Key)
Private Key Encryption: Each party has the same key, and only this key can decrypt the message. They must keep this key private so that others are unable to decrypt the message.
Public Key Encryption: Each party has a different key; the first party encrypts the message, and the second party’s key is the only one that can decrypt the message. If the second party encrypts a message, only the first party’s key can decrypt the message. Therefore, the keys may be made public, because the ones owned by either party are the only copies.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/csec_pubki.html

SSL: Secure Sockets Layer
SSLs are “cryptographic protocols that provide security and data integrity for communications” over web sites. (www.wikipedia.com)
A person running a web site may buy an SSL certificate in order to ensure that visitors to their website can trust them. It encrypts information that is given to a website and keeps others from viewing the personal information. You may have seen a VeriSign logo at the bottom of pages where you are entering personal information. They are a company that sells SSL certificates.

HTTP vs. HTTPS
HTTP (Hypertext Transfer Protocol) is an application-level protocol for distributed, collaborative, hypermedia information systems.
It operates “at the highest layer of the TCP/IP Internet reference model and network security protocol,” meaning that it works with the highest capability to meet all protocol standards when it comes to transferring information over the internet, as well as working to keep information secure from other users. Its security is not the highest: on its own it does not “encrypt an HTTP message prior to transmission and decrypt a message upon arrival,” so anyone can see the traffic.
HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and a network security protocol. This means that it strengthens security to keep others from accessing your information. These connections are most likely to be used during an online transaction and for “sensitive transactions in corporate information systems.”

Digital Signature Algorithm
An algorithm for creating digital signatures.

Hash Value and Hash Functions
Definition: any well-defined procedure for mapping data to a smaller integer.
An ideal hash function has four properties:
• Easy to compute for any given message
• Difficult to find a message that has a given hash
• Difficult to modify a message without changing its hash
• Very rare to find two messages with the same hash
[Visual of Hash Function]

Government Standards
Advanced Encryption Standard (AES)
• An encryption standard adopted by the U.S. government.
• It comprises three block ciphers: AES-128, AES-192, and AES-256.
• Each AES cipher has a 128-bit block size.
• Key sizes of 128, 192, and 256 bits.
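Worked example: Enigma simulation
The Enigma walkthrough earlier in the deck (plug board, three rotors, reflector, odometer-style stepping) can be modelled in a few dozen lines. The simulation below is an added example, not part of the original slides; it uses the published wirings of the Wehrmacht Enigma I rotors I, II and III and reflector B, and steps the rotors as a plain odometer (the historic turnover notches and ring settings are left out). It shows why a receiver with the same settings decrypts by simply typing the ciphertext, and the structural weakness that a letter never encrypts to itself.

```python
# Added example (not from the slides): simplified Wehrmacht Enigma I simulation.
# Real wirings for rotors I, II, III and reflector B; stepping is a plain odometer.
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTOR_WIRINGS = {
    "I":   "EKMFLGDQVZNTOWYHXUSPAIBRCJ",
    "II":  "AJDKSIRUXBLHWTMCQGZNPYFVOE",
    "III": "BDFHJLCPRTXVZNYEIWGAKMUSQO",
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"   # an involution with no fixed point

class Enigma:
    def __init__(self, rotors=("I", "II", "III"), positions="AAA", plugboard=()):
        self.wirings = [ROTOR_WIRINGS[r] for r in rotors]     # left to right
        self.pos = [ALPHA.index(p) for p in positions]       # current rotor offsets
        self.plug = {c: c for c in ALPHA}                    # plug board letter swaps
        for a, b in plugboard:
            self.plug[a], self.plug[b] = b, a

    def _rotor(self, idx, c, forward):
        # Apply the rotor's offset on the way in and undo it on the way out.
        shift, wiring = self.pos[idx], self.wirings[idx]
        i = (ALPHA.index(c) + shift) % 26
        out = ALPHA.index(wiring[i]) if forward else wiring.index(ALPHA[i])
        return ALPHA[(out - shift) % 26]

    def _step(self):
        # Odometer: the right rotor always steps; a rotor wrapping to A carries left.
        for i in range(len(self.pos) - 1, -1, -1):
            self.pos[i] = (self.pos[i] + 1) % 26
            if self.pos[i] != 0:
                break

    def press(self, c):
        self._step()                      # rotors move before the current flows
        c = self.plug[c]                  # plug board
        for i in range(len(self.wirings) - 1, -1, -1):
            c = self._rotor(i, c, True)   # right rotor -> left rotor
        c = REFLECTOR_B[ALPHA.index(c)]   # reflector turns the current around
        for i in range(len(self.wirings)):
            c = self._rotor(i, c, False)  # left rotor -> right rotor
        return self.plug[c]               # back through the plug board to the lamp

    def run(self, text):
        return "".join(self.press(c) for c in text.upper() if c in ALPHA)

def never_maps_to_itself(**settings):
    # The reflector makes the cipher its own inverse with no fixed points, so no
    # letter ever encrypts to itself: a weakness cryptanalysts could exploit.
    return all(Enigma(**settings).press(c) != c for c in ALPHA)
```

Two machines built with identical settings are interchangeable: the one that receives the ciphertext recovers the plaintext by typing it in, which is exactly why the daily key settings had to stay secret.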
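Worked example: probing the hash function properties
The four properties listed under Hash Value and Hash Functions can be probed with a real hash. The script below is an added example, not part of the original slides: it uses SHA-256 from Python's standard library, counts how many digest bits flip when a message changes by one character, and shows that "very rare to find two messages with the same hash" holds only for a sufficiently long output by finding a collision for a digest deliberately truncated to 20 bits. The sample messages are constructed here; the one-way property (hard to find a message for a given hash) cannot be shown by running code and is not covered.

```python
# Added example (not from the slides): testing ideal-hash properties with SHA-256
# and a deliberately truncated variant.
import hashlib

def sha256_hex(msg: bytes) -> str:
    # Property 1: easy to compute for any message.
    return hashlib.sha256(msg).hexdigest()

def differing_bits(a_hex: str, b_hex: str) -> int:
    # Property 3 (hard to modify undetected): changing one character of the input
    # flips about half of the 256 digest bits, so any edit is visible.
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")

def truncated_digest(msg: bytes, nbits: int) -> int:
    # Keep only the top nbits of the digest: a model of a hash that is too short.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)

def find_collision(nbits: int, limit: int = 1_000_000):
    # Property 4 (collisions rare) depends on output length. By the birthday bound
    # roughly 2**(nbits/2) tries suffice, so a 20-bit hash collides after about a
    # thousand constructed messages, while 256 bits is far out of reach.
    seen = {}
    for i in range(limit):
        msg = f"message-{i}".encode()          # constructed sample input
        d = truncated_digest(msg, nbits)
        if d in seen:
            return seen[d], msg, i + 1          # two inputs, one short digest
        seen[d] = msg
    return None

if __name__ == "__main__":
    h1, h2 = sha256_hex(b"transfer $100"), sha256_hex(b"transfer $900")
    print(h1, h2, differing_bits(h1, h2), "bits differ")
    print("20-bit collision:", find_collision(20))
```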