VIEWS: 38 PAGES: 7 POSTED ON: 5/1/2011
Security+ Guide to Network Security Fundamentals, 2e 8-1 Chapter 8 Scrambling Through Cryptography At a Glance Instructor’s Notes Chapter Overview Chapter Objectives Technical Notes Lecture Notes Quick Quizzes Discussion Questions Additional Activities Security+ Guide to Network Security Fundamentals, 2e 8-2 Instructor’s Notes Chapter Overview In this chapter, students will learn about how encryption can be used to protect data. They will first review the basics of cryptography and learn its common terminology. Then students will examine how to harden data using algorithms. Finally, they will see how to use cryptography to keep a network secure. Chapter Objectives After reading this chapter, students will be able to: Define cryptography Secure with cryptography hashing algorithms Protect with symmetric encryption algorithms Harden with asymmetric encryption algorithms Explain how to use cryptography Technical Notes HANDS-ON HARDWARE OPERATING SYSTEM OTHER RESOURCES PROJECTS DEVICES REQUIRED REQUIRED Project 8-1 Computer PC Windows XP Professional Internet connectivity Project 8-2 Computer PC Windows XP Internet connectivity Project 8-3 Computer PC Windows XP or Linux Internet connectivity and FTP Project 8-4 Computer PC Windows XP None This chapter should not be completed in one class session. It is recommended that you split the chapter into at least two class sessions, if possible. The amount of subject matter to be covered can be covered in anywhere between a 2- to 4-hour period, plus any at-home exercises you wish to assign. Lecture Notes Defining Cryptography The science of encrypting messages can range from very basic to extremely complicated. Cryptography Terminology Students should understand cryptography terminology before using it to protect digital information. Cryptography is the science of transforming information so that it is secure while it is being transmitted or stored. Steganography attempts to hide the existence of the data. Encryption is changing the original text to a secret message using cryptography. Decryption is the reverse process of encryption. The process of encrypting and decrypting information is based on a mathematical procedure called an algorithm. A value that is used by an algorithm to encrypt or decrypt a message is known as a key. Security+ Guide to Network Security Fundamentals, 2e 8-3 A mathematical key that creates a detectable pattern or structure is called a weak key. Plaintext is clear text, or the original unencrypted information. A cipher is an encryption or decryption algorithm tool that is used to create encrypted or decrypted text. Data that has been encrypted by an encryption algorithm is called ciphertext. Figure 8-1 on page 273 of the text illustrates the process of cryptography. How Cryptography Protects First, cryptography is intended to protect the confidentiality of information. The second function of cryptography is authentication. Cryptography should ensure the integrity of the information as well. Cryptography should also be able to enforce nonrepudiation, which is the inability to deny that actions were performed. Finally, cryptography can be used for access control. Securing with Cryptography Hashing Algorithms One of the three categories of cryptographic algorithms is known as hashing. Defining Hashing Hashing, also called a one-way hash, creates a ciphertext from plaintext. Cryptographic hashing follows this same basic approach, which is illustrated in Figure 8-2 on page 275 of the text. Hash algorithms verify the accuracy of a value without transmitting the value itself and thus subjecting it to attacks. A practical use of a hash algorithm is with automatic teller machine (ATM) cards. Hashing is typically used in two ways. First, it determines whether a password a user enters is correct without transmitting the password itself. Hashing is also used to determine the integrity of a message or contents of a file. Using hashing for authentication is shown in Figure 8-4 on page 277 of the text. Quick Reference Discuss the characteristics that are produced by hash algorithms as listed on pages 276 and 277 of the text. Message Digest (MD) One common hash algorithm is the message digest (MD) algorithm, which has three versions. Message digest 2 (MD2) takes plaintext of any length and creates a hash that is 128 bits long. MD2 divides the message into 128-bit sections. If the message is less than 128 bits, data known as padding is added. Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time. MD4 takes plaintext and creates a hash of 128 bits. The plaintext message itself is padded to a length of 512 bits instead of 128 bits as with MD2. The message digest 5 (MD5) is a revision of the MD4 that is designed to address its weaknesses. Like MD4, the length of a message is padded to 512 bits. The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash. Secure Hash Algorithm (SHA) Secure Hash Algorithm (SHA) is patterned after MD4, but creates a hash that is 160 bits in length instead of 128 bits. The longer hash makes it much more resistant to attacks. SHA pads messages less than 512 bits with zeros and an integer that describes the original length of the message. Security+ Guide to Network Security Fundamentals, 2e 8-4 Protecting with Symmetric Encryption Algorithms The second major category of cryptographic algorithms is the most common type. Known as symmetric encryption algorithms, these algorithms use a single key to encrypt and decrypt a message. Unlike hashing, in which the ciphertext is not intended to be decrypted, with symmetric encryption algorithms are designed to decrypt the ciphertext. It is therefore essential that the key be kept confidential: if an attacker secured the key, she could decrypt any messages. For this reason, symmetric encryption is also called private key cryptography. Symmetric encryption is illustrated in Figure 8-5 on page 279 of the text. Symmetric encryption algorithms can be classified into two distinct categories based on the amount of data that is processed at a time. The first category is known as a stream cipher. The simplest type of stream cipher is a substitution cipher. Substitution ciphers simply substitute one letter or character for another, as shown in Figure 8-7 on page 280 of the text. Also known as a monoalphabetic substitution cipher, this stream cipher can be easy to break. A homoalphabetic substitution cipher maps a single plaintext character to multiple ciphertext characters. For example, an A may map to BTI. A more complicated stream cipher is a transposition cipher, which rearranges letters without changing them. With most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext, as shown in Figure 8-9 on page 281 of the text. The other category of symmetric encryption algorithms is known as a block cipher. Whereas a stream cipher works on one character at a time, a block cipher manipulates an entire block of plaintext at one time. The plaintext message is divided into separate blocks of 8 to 16 bytes, and then each block is encrypted independently. For additional security, the blocks can be randomized. Data Encryption Standard (DES) One of the most popular symmetric cryptography algorithms is the Data Encryption Standard (DES). DES is a block cipher and encrypts data in 64-bit blocks. However, the 8-bit parity bit is ignored so the effective key length is only 56 bits. DES encrypts 64-bit plaintext by executing the algorithm 16 times. The four modes of DES encryption are summarized in Table 8-2 on pages 282 and 283 of the text. Quick Quiz 1. A(n) ____________ is an encryption or decryption algorithm tool that is used to create encrypted or decrypted text. ANSWER: cipher 2. A(n) ____________ occurs when two different messages produce the same hash. ANSWER: collision 3. ____________ takes plaintext and creates a hash of 128 bits. ANSWER: Message digest 4 (MD4) 4. ____________ algorithms use a single key to encrypt and decrypt a message. ANSWER: Symmetric encryption 5. A(n) ___________ rearranges letters without changing them. ANSWER: transposition cipher Triple Data Encryption Standard (3DES) Triple Data Encryption Standard (3DES) uses three rounds of encryption instead of just one. The ciphertext of one round becomes the entire input for the second iteration. 3DES employs a total of 48 iterations in its encryption (3 iterations times 16 rounds). The most secure versions of 3DES use different keys for each round, as shown in Figure 8-10. Security+ Guide to Network Security Fundamentals, 2e 8-5 Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) was approved by the NIST in late 2000 as a replacement for DES. The process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals. The requirements stated that the new algorithm had to be fast and function on older computers with 8-bit processors as well as current 32-bit and future 64-bit processors. AES performs three steps on every block (128 bits) of plaintext. Within step 2, multiple rounds are performed depending upon the key size: a 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds, and a 256-bit key uses 13 rounds. Rivest Cipher (RC) Rivest Cipher (RC) is a family of cipher algorithms designed by Ron Rivest. He developed six ciphers, ranging from RC1 to RC6, but did not release RC1 and RC3. RC2 is a block cipher that processes blocks of 64 bits. RC4 is a stream cipher that accepts keys up to 128 bits in length. International Data Encryption Algorithm (IDEA) The International Data Encryption Algorithm (IDEA) algorithm dates back to the early 1990s and is used in European nations. It is a block cipher that processes 64 bits with a 128-bit key with eight rounds. Blowfish The algorithm blowfish is a block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits. Hardening with Asymmetric Encryption Algorithms The primary weakness of symmetric encryption algorithms is keeping the single key secure. This weakness, known as key management, poses a number of significant challenges. Another approach to cryptography is asymmetric encryption, or public key cryptography. Asymmetric encryption uses two keys instead of one. One of the keys, known as the private key, typically is used to encrypt the message. The second key, called the public key, decrypts the message. Asymmetric encryption is illustrated in Figure 8-11 on page 287 of the text. RSA The asymmetric algorithm RSA (Rivest Shamir Adleman) was published in 1977 and was patented by MIT in 1983. The RSA algorithm is the most common asymmetric encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape as well as other commercial products. The RSA algorithm multiples two large prime numbers Diffie-Hellman Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text. Rather, the strength of Diffie- Hellman is that it allows two users to share a secret key securely over a public network. Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography. Security+ Guide to Network Security Fundamentals, 2e 8-6 Elliptic Curve Cryptography Elliptic curve cryptography was first proposed in the mid-1980s. Instead of using prime numbers as with RSA, elliptic curve cryptography uses elliptic curves. An elliptic curve is a function drawn on an X-Y axis as a gently curved line. By adding the values of two points on the curve, you can arrive at a third point on the curve. Understanding How to Use Cryptography Cryptography can provide a major defense against attackers. If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it. Digital Signatures A digital signature is an encrypted hash of a message that is transmitted along with the message. A digital signature helps to prove that the person sending the message with a public key is actually whom he or she claims to be. It also proves that the message was not altered, and that it was sent in the first place. Benefits of Cryptography Confidentiality, authentication, integrity, nonrepudiation, and access control are five key elements that properly configured cryptographic systems can provide. The benefits of cryptography and how they can be implemented are summarized in Table 8-4 on page 291 of the text. Implementations of Cryptography You can use cryptography in many practical ways to enhance security. Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) Perhaps the most widely used asymmetric cryptography system for encrypting e-mail messages on Windows systems is a commercial product called Pretty Good Privacy (PGP). A similar program, known as GNU Privacy Guard (GPG), is a free product. GPG versions run on Windows, UNIX, and Linux operating systems. PGP and GPG use both asymmetric and symmetric cryptography. PGP can use either RSA or the Diffie-Hellman algorithm for the asymmetric encryption and IDEA for the symmetric encryption. Microsoft Windows Encrypting File System (EFS) Microsoft’s Encrypting File System (EFS) is an encryption scheme for Windows 2000, Windows XP Professional, and Windows 2003 Server operating systems that use the NTFS file system. EFS uses asymmetric cryptography and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then stored with the file. EFS is enabled by default. Discuss the recommended tasks when using Microsoft EFT as illustrated on Quick Reference page 293 of the text. Security+ Guide to Network Security Fundamentals, 2e 8-7 UNIX Pluggable Authentication Modules (PAM) When UNIX was originally developed, the task of authenticating a user was accomplished by requesting a password from the user and then checking whether the entered password corresponded to the encrypted official password stored in the user database ?etc/passwd. Each new authentication scheme requires all the necessary programs, such as login and ftp, to be rewritten to support it. The solution is to use pluggable authentication modules (PAMs). PAM provides a way to develop programs that are independent of the authentication scheme. Linux Cryptographic File System (CFS) Linux users can add one of several cryptographic systems to encrypt files. One of the most common is the Cryptographic File System (CFS). Discuss the list of Linux cryptographic options on pages 294 and 295 of the Quick Reference text. Quick Quiz 1. __________ is an optional cryptography algorithm for IP security. ANSWER: Triple Data Encryption Standard (3DES) 2. ___________ performs three steps on every block (128 bits) of plaintext. ANSWER: Advanced Encryption Standard (AES) 3. The algorithm ___________ is a block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits. ANSWER: blowfish 4. The ___________ algorithm does not encrypt and decrypt text. ANSWER: Diffie-Hellman 5. When users open a file, it is decrypted by ___________ as data is read from a disk; when they save the file, it encrypts the data as it is written to disk. ANSWER: Encrypting File System (EFS) Discussion Questions 1. Discuss the future developments for data encryption. 2. Discuss the advantages and disadvantages of PAM. Additional Activities 1. Have students conduct research on the advancement of hashing algorithms and prepare a summary of what they find. 2. Have students conduct research on the advancement of encryption and prepare a summary of what they find.