Add to collection(s) Add to saved
  1. Business
  2. Economics
  3. Macroeconomics

Cryptographic Security

advertisement 
Cryptographic Security
Presented by:
Josh Baker
October 9th, 2012
CS5204 – Operating Systems
1
Cryptographic Security
Overview







What is cryptographic security?
Uses
Main Points
What is a “Key/Certificate”?
Implementations
CAC based PKI Demonstration
References
CS5204 – Operating Systems
2
Cryptographic Security
What is it?

Cryptographic Security:
Leveraging a standardized system that uses a set
of operations that are publicly available in order
to authenticate identities, securely share data, or
irrefutably sign data.
def Cryptography: cryp∙tog ∙ra ∙phy[3]
:the enciphering and deciphering of messages in secret code or cipher;
also : the computerized encoding and decoding of information
CS5204 – Operating Systems
3
Cryptographic Security
Uses

Establishing Transport Layer Security (TLS/SSL)





HTTPS
SFTP
Data Encryption / Decryption
Digital Signature
Login / Authentication Protocols

Relies on digital signature
CS5204 – Operating Systems
4
Cryptographic Security
Main Points


Use of a publicly formalized system
Centers around a third party “Certificate
Authority”





Certify Identities
Manage (create, distribute, revoke) Keys
Eliminates many security vulnerabilities
Can be used to enforce least privilege, separation
of duties, economy of mechanism, and complete
mediation while being an open design.
Heavy use of hashing algorithms (sha1, MD5,…)
CS5204 – Operating Systems
5
Cryptographic Security
What is a “Key”?

Cryptographic Key:
A set of 2 integers that can be used with a
cryptographic algorithm in order to encrypt or
decrypt data.

Two types of cryptographic systems:



Private Key – using only one secret key (symmetric)
Public Key – using two keys, a secret key and a
shared key (asymmetric)
RSA and NIST recommend using at least:


112 bit symmetric keys (harder to break, efficient)
2048 bit asymmetric keys
CS5204 – Operating Systems
6
Cryptographic Security
What is a “Certificate”?

Cryptographic Certificate:
The combination of identity information with
cryptographic information.
Identity of the certificate owner
 Identity of the certificate authority (issuer)
 Dates that the certificate is valid for
 Which cryptographic algorithms are used
 Key information


One owner may have multiple certificates for
various uses: authentication, encryption, signature
CS5204 – Operating Systems
7
Cryptographic Security
TLS / SSL

Used for transporting data securely over nonsecure channels, most namely the internet.

Uses Handshaking:




Employs both Symmetric and Asymmetric keys
Symmetric keys are smaller than asymmetric keys
and provide improved performance
A secure channel must be established using
asymmetric keys in order to transmit the shared
secret symmetric key
“Nonces” are used to defend against replay attacks
CS5204 – Operating Systems
8
Cryptographic Security
TLS / SSL
source: [9]
CS5204 – Operating Systems
9
Cryptographic Security
Encryption / Decryption

Private Key Encryption (symmetric):






Encrypting local files
Must share the key in order to share the data
Cannot use private key from PKI
Group Authentication
Cipher: stream/block
AES 128 bit block
CS5204 – Operating Systems
Source:[7]
10
Cryptographic Security
Encryption / Decryption


Provides confidentiality but not authentication
Public Key Encryption (asymmetric):
source:[8]
CS5204 – Operating Systems
11
Cryptographic Security
Encryption / Decryption

The RSA Cryptosystem:

Developed by Rivest, Shamir, and Adleman in 1977
The de facto standard for PKI
The encryption key is public (E)
The decryption key is private (D)

The Message M can be calculated by:



M = D(E(M))
 M = E(D(M))

CS5204 – Operating Systems
12
Cryptographic Security
Encryption / Decryption

RSA Algorithm details (generate keys)


1. Find 2 unique large prime numbers
2. Calculate n
n=p∙q

3. Pick a large random integer d that is relatively
prime to (p-1)∙(q-1) such that
gcd(d, (p-1)∙(q-1)) = 1

4. Calculate e
e ∙ d = 1∙(mod (p1)∙(q1))
CS5204 – Operating Systems
13
Cryptographic Security
Encryption / Decryption

RSA Algorithm details (encrypt/decrypt)

Encryption:
Given message M create ciphertext C
 C = E(M) = Me (mod n)


Decryption:
Given ciphertext C create message M
 M = D(C) = Cd (mod n)


Can be calculated quickly using modular
exponentiation (repeated squaring)
CS5204 – Operating Systems
14
Cryptographic Security
Digital Signature




Not “electronic signature” which is typically
implemented with a digital representation of a
hand signature or acknowledgment gesture.
Provides non-repudiation, irrefutably evidence
that the signature was created by the identified
party.
Provides data integrity validation
Provides authentication but not confidentiality
CS5204 – Operating Systems
15
Cryptographic Security
Digital Signature
source:[8]
CS5204 – Operating Systems
16
Cryptographic Security
Digital Signature

RSA Digital Signature details:

A message M is signed using the private key


S = D(M)
A digital signature is validated using the public key
M = E(S)
 Decryption of the message can be used to prove the
identity of a user, authentication
 Validating a digital signature also validates the data by
comparing the hash values

CS5204 – Operating Systems
17
Cryptographic Security
CAC PKI



Common Access Card (CAC) aka Smart Card
Utilized extensively by the DoD
Enforces two factor authentication





Something you have – CAC
Something you know – PIN
Can be used for three factor authentication with
addition of finger print reader (something you are)
Newer generation cards can also be used with
proximity based passive RFID readers
Great for enforcing separation of duties and least
privilege
CS5204 – Operating Systems
18
Cryptographic Security
CAC PKI Demo

One last note, using an in house certificate
authority (CA) and a smart card enabled PKI
cryptosystem throughout an organization can
enable greater PII (Personally Identifiable
Information) security by replacing things like
SSNs with othewise meaningless unique
identifiers like the DoD EDIPI (Electronic Data
Interchange Personal Identifier).
CS5204 – Operating Systems
19
Cryptographic Security
References









1. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Rivest et al
2. “Introduction to Algorithms, Second Edition”, Cormen et al
3. Merriam-Webster dictionary, term: cryptography, (www.merriam-webster.com)
4. National Institute for Standards and Technology, (www.nist.gov)
5. http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/
6. RSA Laboratories, (www.rsa.com)
7. http://www.itportal.in/2011/12/encryption-decryption-information.html
8. http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html
9. http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
CS5204 – Operating Systems
20
Related documents
Faster Methods of Generating Certain Cryptographic Keys
Faster Methods of Generating Certain Cryptographic Keys
Document Security System
Document Security System
Reksoft at a glance
Reksoft at a glance
CCNA Security – Chapter 7 Case Study © 2009 Cisco Learning
CCNA Security – Chapter 7 Case Study © 2009 Cisco Learning
the new formal method calculus for cryptographic protocols
the new formal method calculus for cryptographic protocols
CS4153-SS - TU Department of Mathematical and Computer
CS4153-SS - TU Department of Mathematical and Computer
Center for Network Centric Technologies (CENTech)
Center for Network Centric Technologies (CENTech)
Download
advertisement