Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

cryptography by xiaopangnv

VIEWS: 6 PAGES: 25

									Network Security Layers

      IST 266
        February 10,2004
Agenda…

•   Attendance & Administratriva
•   Review Security Policy
•   Crypto 101
•   Chapter 3 Encryption, Digital Signatures, and
    Certification Authority
•   Chapter 4 Kerberos Key Exchange
•   Reminder Exam next week Chapter 1 - 4, 14



                        2
Cryptography

   Also known as encryption.

   The method of storing and transmitting data in a
    form that only the intended recipient can read or
    process

   The science of secure and secret communications




                          3
History of Cryptography
    • 4000 B.C. hieroglyphics
    • 50 B.C. Julius Caesar
    • Middle Ages to 1400
        4000 B.C. hieroglyphics
    •   400 Battista
      LeonB.C. Spartans Alberti polyalphabetic substitution
        50 B.C. Julius Caesar
    • Thomas Jefferson
        Middle Ages to 1400
        Leon Battista Alberti polyalphabetic substitution
    • 400 B.C. Spartans
        Thomas Jefferson
        1844 Telegraph invention
    • 1844 Telegraph invention Cryptography"
        1920s Herbert Yardley "Father of American
        Lucifer - algorithm chosen by NIST
    • 1920s Herbert Yardley "Father of American
        www.nsa.gov/museum/index.html
      Cryptography"
    • Lucifer - algorithm chosen by NIST

    • www.nsa.gov/museum/index.html



                               4
Benefits of Encryption
        • Confidentiality

        • Authentication
            Confidentiality

                Authentication

        • Integrity
             Integrity

                Nonrepudiation

        •However, it can never provide availability
           Nonrepudiation

However, it can never provide availability




                                                      5
Kinds of Encryption Algorithms
    • Symmetric algorithm
    •           Shared key - private key
    •           Secret key
    • Public key algorithm
    •           Two different keys - public and private
    •Kinds of Encryption Algorithms
                Asymmetric algorithm
    • Primary characteristic - strength or amount of time it takes
       for somebody to turn ciphertext into plaintext
    • Other characteristics
       Speed to execute algorithm
       Memory requirements
       Legal restrictions
       Patented algorithms


                             6
Symmetric Key Encryption
    • Provides confidentiality - both users use the same key to
        encrypt/decrypt
    • With large key size (>128 bits), difficult to break
    • Faster than asymmetric
          Provides confidentiality - both users use the same key to encrypt/decrypt
    • Usedlarge encryptbits), difficult toto break key to encrypt/decrypt
             Provides confidentiality - both users use the same
                   to key size (>128 bits), difficult break
          With large key size (>128 large volumes
             With
          Faster than asymmetric
    • Important to VPNs security. Cannot provide authentication or
             Faster than asymmetric
             Used encrypt large volumesd
          Used toto encrypt large volumes
          nonrepudiationVPNs
    • Limitedsecurity. Cannot a Cannot provide authentication or
             Important to
             Limited security. secure mechanism
          Key distribution. Requires provide authentication or nonrepudiation
             Key distribution. Requires unique pair of keys
   Scalability. Each pair of users needsaasecure mechanism
        nonrepudiation
     Scalability. Each pair of users needs a unique pair of keys
    • Key distribution. Requires a secure mechanism
    • Scalability. Each pair of users needs a unique pair of keys




                                    7
Symmetric Key Algorithms
Data Encryption Standard (DES)
        Cipher block chaining
        Electronic Code Book
        Cipher feedback - stream cipher
        Output feedback - stream cipher
Triple DES
Advanced Encryption Standard - Rijndael
Rivest Cipher Number 2 (RC2) block mode cipher, RC-5, RC-6
RC4 stream cipher
Skipjack
International Data Encryption Algorithm (IDEA)
Blowfish and Twofish
CAST, MARS, Serpent


                           8
Asymmetrical Algorithm
    Public keys can be known to everyone
    Private key is known and available only to owner
    Public and private keys work together
    Public key cannot be used to reverse engineer private
        key
    Can provide user authentication and nonrepudiation
    Algorithms are more complex and resource intensive
    Most popular and well known involves RSA (Ron
        Rivest, Adi Shamir, Lenoard Adelman)
    Elliptic Curve standardized by FIPS PUB 186-2
    Diffie-Hellman - computing a discrete algorithm




                           9
Diffie-Hellman

Credited with establishing the foundation
RFC 2631
One-way function
Diffie-Hellman algorithm illustrates key
  generation using public key cryptography
Diffie came up with concept of asymmetric
  key
Public keys can be made available to
  anyone, say X.509 directory
                     10
Hash Function

• This function condenses user information
  into a digest
• Digital finger print or message digest (MD)
• Digital Signature used to detect tampering
  of the document
• Provides integrity and authentication
• Diffie-Hellman did not reach a point of
  realizing a one-way function with
  asymmetric ciphers.

                     11
RSA Implementation

• RAS is based on mathematical principal
  called trapdoor one-way function
• RFC 2437
• Uses mod arithmetic and prime numbers
• An example of key transport is use of RSA
  algorithm




                    12
Putting Together the Security
Functions
• Encryption/decryption
• Sender is authenticated
• Public key cryptography is vulnerable to
  compromise, man-in-the-middle attack




                     13
Digital Certificates

Used to publish a pubic key with a certainty
 the public key is genuine, according to the
 Certificate Authority that digitally signs the
 certificate.




                      14
Public Key Infrastructure (PKI)
• Defines the rules and relationships for
  certificates and Certificate Authorities
  (CAs)
• Defines the fields that can/must be in a
  certificate, requirements and restraints for
  a CA in issuing certificates, how certificate
  revocation is handled
• Most Web browsers come preconfigured
  with public keys of common CAs
• Baltimore Technologies, Entrust
  Technologies, VeriSign, Microsoft
                      15
PKI (Continued)

• Key backup and recovery
• Support for non-repudiation of Digital
  Signatures
• Automation update of key pairs and
  certificates
• Management of key histories
• Support for cross-certification



                      16
Three methods for
authentication/integrity
•   Symmetric Key
•   Asymmetric Key
•   Hash Function
    –   Key management
    –   Execution
    –   Encryption
    –   IT objectives
    –   Attack modalities
    –   Export restrictions
                              17
Kerberos-based security system

• Developed in Project Athena at MIT
  (1980's)
• DES cryptography is used
• Provides mutual authentication between
  users and servers
• Assumed goals:
  1. Authentication to prevent fraudulent
    requests/responses
  2. Authorization can be implemented
    independently from authentication
  3. Message confidentiality may be used
                       18
Kerberos (continued)

• Primary source of authentication in
  Windows 2000
• Attempts to solve the problem where a
  client wants to communicate with a server
  over untrusted network
• Client or server don't have to trust each
  other, just Kerberos server



                     19
Kerberos protocol overview

Components
1. Client
2. Server
3. Trusted third party known as Key
  Distribution Center (KDC)
Domain served by a single KDC is a realm
Principal identifier is used to identify client
  and server in a realm

                       20
How it works

• Every principal has a secret shared with
  authentication server
• Secrets are never passed around the
  network unencrypted
• Principals identify each other every time
  they interact
• Every time user makes a request to
  server a ticket is handed to server
• Ticket is specific to user and server

                     21
Phase 1: Authentication service (AS)
exchange
• Initiated by client when it currently holds
  no credentials
• Two messages are exchanged between
  client and AS
• Client asks AS that knows secret keys of
  all clients to authenticate and give it a
  ticket granting ticket (TGT)



                      22
Phase 2: Ticket granting service
exchange
• Used for client to obtain credentials for
  services it wants to use
• Client sends request to ticket granting
  service (TGS) for service ticket




                      23
Phase 3: Client/server authentication
(CS) exchange
• Having a session ticket ready, client can
  communicate with the server providing the
  service.
• Once server has authenticated a client,
  option exists for mutual authentication
• Once CS exchange has completed,
  encryption key shared can be used for on
  going application protocol.


                    24
Next week

•   Review
•   Encryption on the World Wide Web
•   Exam




                     25

								
To top