InfoSec Training - Encryption
Copyright Justin Klein Keane <jukeane@sas.upenn.edu>

Terminology
- Plaintext
- Ciphertext
- Encrypt
- Decrypt

About Encryption
- Idea is to obscure messages from observation
- Encryption can be used to protect secrets but also:
  - To verify identity
  - To verify authenticity
  - To verify integrity
  - To verify authorization

Not Encryption - Encoding
- Encoding is a method to alter data
- Follows a set of guidelines about how to represent data in a specific format
- Encoding is formatting, not data hiding

Not Encryption - Hashing
- Hashing uses a one-way mathematical algorithm to take an input and generate a seemingly random, unique output
- Hashing the same input twice produces the same output
- There is no way to reverse a hash (i.e. you can't go from a hash value to an original value)
- Collisions – when two different inputs produce the same hash

How Encryption Works
- Take data
- Apply an algorithm to the data
- Use a key so that the process can be repeated
- Output should be unintelligible

Good Encryption
- There is no good “proprietary” encryption
- The best encryption schemes use open standards and protocols
- The standards and protocols are all well understood, verified, reviewed and vetted
- The secrecy is in the keys used

Encryption Types
- Symmetric (two way encryption)
  - Shared key
- Asymmetric (one way encryption)
  - Public key (think RSA and PGP)

Symmetric Encryption
- Same key used to encrypt and decrypt
- Very fast and computationally non-intensive
- Issue is sharing the key
  - How do two parties trade keys in the presence of an adversary?
  - Diffie-Hellman key exchange allows this

Asymmetric Encryption
- RSA is best example
- Public and private keys are used
  - Public key used to encrypt
  - Private key used to decrypt
- Thus public keys can be shared, private keys are held closely
- Key management is still an issue (is the public key you have for John the right one?)

Digital Signing
- Uses public key crypto
- A message is signed by turning it into a number, and running an operation on the number using the private key
- Anyone with the public key can reverse the operation and compare the numbers
- This allows assertions that the holder of the private key sent the message, and it was not changed in transit

Attacks on Crypto
- Brute force (a lot trickier than you'd think)
- Chosen plaintext attacks
- Chosen ciphertext attacks
- Birthday attack
- Dictionary (precomputation) attack
- Differential cryptanalysis

Digital Certificates
- Used to validate the source of an encrypted message
- Certificate is passed to and verified by the client
- Lets you know you're talking to the “real” bank that you use
- Certificate Authorities (CAs) are supposed to verify identity before issuing certificates
- Stolen certs are a very bad thing
- Signing certs allow holders to issue sub-certs

Real World Crypto
- Whole disk encryption
- HTTPS/SSL
- SSH
- PGP
- VPN
- Hashing
- Two factor authentication
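
The sign and verify steps from the Digital Signing slide, as an added example that is not part of the original slides: textbook RSA over a SHA-256 digest, showing that an altered message or signature fails verification. The key is a constructed toy built from two publicly known Mersenne primes, no padding is applied (deployed schemes add padding such as RSA-PSS), and all function and constant names are assumptions for illustration.

```python
import hashlib

# Constructed toy key: two publicly known Mersenne primes. Real keys use
# secret, randomly generated primes; this pair offers no security at all.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (held closely in practice)


def message_to_number(message: bytes) -> int:
    """Turn the message into a number: its SHA-256 digest read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Run the private-key operation on the message's number."""
    return pow(message_to_number(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Reverse the operation with the public key and compare the numbers."""
    if not 0 <= signature < n:
        return False                 # out-of-range values are never valid
    return pow(signature, e, n) == message_to_number(message)


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"          # constructed sample message
    sig = sign(msg)
    print("valid signature:  ", verify(msg, sig))
    print("altered message:  ", verify(b"Transfer 900 to account 42", sig))
    print("altered signature:", verify(msg, sig ^ 1))
```

Only the public values `N` and `E` are needed to verify, which is why the slide on key management still applies: the check is only as trustworthy as the public key it runs against.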