Cryptography - PowerPoint PPT Presentation

Provided by: robinb9

1
Cryptography
  • What it means, what it does, how to do it, and
    none of the math

2
Introduction
  • Who am I?
  • Just some guy who likes security
  • Head of IT for a mid-sized company
  • Goals of this presentation
  • Show you what can be done
  • Show you why you might want it
  • Show you the tools used to do it
  • Not bore you with inane specifics

3
What is Crypto? PAIN.
  • Crypto is the use of difficult math to achieve
    things normally done by the difficulty of making
    physical copies of things, in spite of malicious
    attempts to thwart it
  • Privacy (can anyone else hear our secrets?)
  • Authentication (are you who you claim to be?)
  • Integrity (has this message been altered?)
  • Non-repudiation (can they avoid accountability?)

4
Goals: Privacy
  • What does it mean?
  • Make eavesdropping irrelevant
  • Anonymity to outsiders
  • How long does it have to last?
  • As long as the data must remain private
  • This can mean minutes
  • This can mean years

5
Goals: Authentication
  • What does it mean?
  • Verification that someone is who they claim to be
  • Also referred to as Identity
  • How long does it have to last?
  • As long as the identity is valid
  • Meaning as long as it can still be used

6
Goals: Integrity
  • What does it mean?
  • Verification that the data is unmodified
  • Also called Authenticity
  • How long does it have to last?
  • As long as data integrity matters
  • This isn't very long for check-once applications

7
Goals: Non-Repudiation
  • What does it mean?
  • No going back on your word
  • Verification that data hasn't been fabricated
  • How long does it have to last?
  • As long as accountability for the data does

8
Physical Examples
  • Whispering behind locked doors (privacy)
  • But all network traffic is equally loud
  • Handwritten Signatures (authentication)
  • But digital signatures are trivial to copy
  • Paper and Ink Documents (integrity)
  • But paper and ink don't transmit over a wire
  • Certified Mail (non-repudiation)
  • But there's no paper trail for network traffic
  • Sneakernet (all four)
  • If you were face-to-face, there'd be no network

9
Good Cryptography
  • Easy for good guys (people with keys)
  • Takes little time to encrypt/sign with key
  • Takes little time to decrypt/verify with key
  • Easy to make and securely swap keys
  • Hard for bad guys (people without keys)
  • Takes long time to encrypt/sign without key
  • Takes long time to reverse/verify without key
  • Hard to guess or obtain keys

10
Good: Context-Dependent
  • Constraints on "easy"
  • How fast must it be computed?
  • How long would it take to compute with the key?
  • Constraints on "hard"
  • How long does the security have to last?
  • How long would it take to break without the key?
  • Really, it's a balancing act
  • Too hard means things take too long
  • Too easy means things aren't secure

11
Tools of Cryptography
  • Irreversible Functions
  • Hash Functions
  • Random Number Generators
  • One-way Translations
  • Key-reversible functions
  • Encryption
  • Signing
  • Key Systems
  • Symmetric Keys
  • Asymmetric Keys

12
Tools: Hash Functions
  • Calculates a constant-sized hash of data
  • Same data always produces same hash
  • Hard to find collisions
  • Hashes are referred to in many ways
  • Message Digests
  • Fingerprints
  • Cryptographic Checksums
  • Message Integrity Check
  • Manipulation Detection Code
  • Examples
  • Crypt, MD5, SHA, RND, CRC, Parity
  • not cryptographically secure

13
Tools: Random Numbers
  • Strong Random Number Generators
  • Entropy-based (irreproducible) random number
    streams
  • Pseudo Random Functions
  • Seeded random number generators
  • Generates same numbers with same seed
  • Used for synchronized random streams between
    two hosts
  • Examples
  • HMAC, PRF, /dev/random, /dev/urandom

14
Tools: One-way Translate
  • Translations that cannot be reversed
  • Like a hash function except for size
  • Size of translation depends on data size
  • Useful for making keys or keypairs
  • Examples
  • Diffie-Hellman key exchange, DSA keygen

15
Tools: Encryption
  • Convert data into apparent noise
  • Doesn't give hints about the encrypted data
  • Eavesdroppers won't know your sensitive data
  • Trapdoor one-way translation
  • You can only reverse it if you have the key
  • Eavesdroppers (hopefully) don't have the key

16
Tools: Signing
  • Create a hash using data and key
  • Hash can be used to verify data and key
  • Can be implemented as hashing data appended with
    a key
  • Can be implemented as encrypting hash of data
  • Kind of like hash function
  • Gives a constant-size result (almost always
    small)
  • Unlike a hash function
  • Often partially reversible
  • Data and key required to verify

17
Tools: Key Systems
  • Symmetric Cryptography
  • Same key used for both directions
  • Any string of bits can be a key (so keys are
    small)
  • Recipient must know same key
  • Asymmetric Cryptography
  • Keys are created in pairs
  • Forward key is different than reverse key
  • Not every string of bits can be a key (so keys
    are bigger)
  • Recipient must know corresponding key

18
Asymmetric Cryptography
  • Call one key public and one private
  • Public key
  • Anyone can know the public key
  • Can only be reversed using the private key
  • Private key
  • Never have to share the private key
  • Can only be reversed using the public key
  • Not all asymmetric systems are equal
  • One way
  • Private key is used for signing/decrypting only
  • Public key is used for verifying/encrypting only
  • Two-way
  • Both keys can be used for signing/decrypting or
    verifying/encrypting

19
Meet Mallory, Bad Guy
  • Attacks against Protocols
  • Eavesdropping (looking)
  • Man in the Middle (proxying)
  • Replay (copies)
  • Cheating (breaking the rules)
  • Attacks against Tools
  • Cryptanalysis
  • Chosen Plaintext
  • Chosen Ciphertext

20
Attacks Against Protocols
  • Eavesdropping
  • Looking at messages in transit
  • Solution: Make sure it doesn't matter
  • Man in the Middle
  • Pretending to be the other side to both sides
  • Solution: Make sure it can't happen
  • Replay
  • Sending a copy of a previous (encrypted) message
  • Solution: Make sure it doesn't do anything bad
  • Cheating
  • Violating protocol to get more information
  • Solution: Have a failsafe response

21
Attacks Against Tools
  • Cryptanalysis
  • Getting data or key information from raw
    ciphertext
  • Solution: Choose stronger algorithms
  • Chosen Plaintext
  • Getting key information by encrypting specific
    data
  • Solution: Don't automatically encrypt things for
    others
  • Chosen Ciphertext
  • Getting key information by decrypting specific
    data
  • Solution: Don't automatically decrypt things for
    others

22
How Things Work! PAIN
  • Privacy
  • Symmetric encryption with shared key
  • Fast and easy to compute with key
  • Really hard to reverse without key
  • Asymmetric encryption with unshared key
  • Slow and hard to compute, even with key
  • Insanely hard to reverse without key

23
How Things Work! PAIN
  • Authentication
  • Shared secret
  • If both sides know the same secret
  • But eavesdroppers can see it
  • Hash of shared secret
  • Like above, without giving away the secret
  • But eavesdroppers can still see it
  • Encryption of challenge data
  • If both sides know the same key
  • Signing of challenge data
  • If both sides have the same (or matching) keys

24
How Things Work! PAIN
  • Integrity
  • Hash of data
  • If other side computes the same value
  • No guarantee this won't be forged
  • Hash of data + shared secret
  • If both sides have the same secret
  • Encryption of hash of data
  • If both sides have the same (or matching) keys
  • Signing of data (or hash of data)
  • If both sides have the same (or matching) keys
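
An added example (not part of the original slides) for the Authentication and Integrity slides above: a plain hash is accepted for an altered message because no key is needed to recompute it, a keyed hash is not, and a signed random challenge is accepted only once. The secret, the messages and all function and class names are constructed for illustration, and HMAC-SHA256 stands in for "hash of data + shared secret".

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"  # constructed; known only to the two parties


def plain_hash(message):
    """'Hash of data': needs no key, so anyone can recompute it."""
    return hashlib.sha256(message).digest()


def keyed_hash(secret, message):
    """'Hash of data + shared secret', using HMAC rather than bare concatenation."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_keyed(secret, message, tag):
    # Constant-time comparison so the check does not leak how much of the tag matched.
    return hmac.compare_digest(keyed_hash(secret, message), tag)


class ChallengeVerifier:
    """'Signing of challenge data': each random challenge is accepted once."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge, response):
        if challenge not in self._outstanding:
            return False  # never issued, or already answered: treat as a replay
        self._outstanding.discard(challenge)
        return verify_keyed(self._secret, challenge, response)


def demo():
    original = b"pay alice 10"       # constructed messages
    altered = b"pay mallory 9999"

    # Integrity with a plain hash: the message changed in transit arrives with a
    # recomputed hash (no key required), so the receiver's check still passes.
    received_msg, received_tag = altered, plain_hash(altered)
    plain_accepts_altered = plain_hash(received_msg) == received_tag

    # Integrity with a keyed hash: without the secret, the altered message can only
    # carry the old tag or a tag made with the wrong key. Both are rejected.
    old_tag = keyed_hash(SHARED_SECRET, original)
    wrong_key_tag = keyed_hash(b"not-the-secret", altered)
    keyed_accepts_altered = (verify_keyed(SHARED_SECRET, altered, old_tag)
                             or verify_keyed(SHARED_SECRET, altered, wrong_key_tag))

    # Authentication: the response proves knowledge of the secret without sending it,
    # and a captured response is useless the second time.
    verifier = ChallengeVerifier(SHARED_SECRET)
    challenge = verifier.new_challenge()
    response = keyed_hash(SHARED_SECRET, challenge)
    first_try = verifier.check(challenge, response)
    replayed = verifier.check(challenge, response)
    return plain_accepts_altered, keyed_accepts_altered, first_try, replayed
```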

25
How Things Work! PAIN
  • Non-Repudiation
  • Asymmetric signature
  • Only one person can make that sig
  • Shared secrets won't work
  • Lasts a looooooooong time

26
Practical Considerations
  • Lots of steps to keep track of
  • Lots of keys to keep track of
  • Still have to transfer keys securely
  • Humans are lazy
  • Algorithms become obsolete
  • New algorithms are invented

27
Modular Frameworks
  • Does it right
  • Makes sure things get done in correct order
  • Stops if anything strange happens
  • Negotiates connection parameters for you
  • Negotiates matching algorithms
  • Negotiates shared keys
  • Negotiates key exchange methods
  • Modular Algorithm Selection
  • Can add or remove algorithms without changing
    protocol

28
Examples: The List
  • IPSec
  • Securing traffic at the IP level
  • X.509 Certificates
  • A strong authentication framework
  • SSL/TLS
  • Securing traffic at the socket level
  • ISAKMP
  • Automatic keying of cryptographic services
  • Others
  • Kerberos, PGP summaries

29
IPSec: General Concepts
  • Provide privacy, authentication, and integrity to
    IP
  • Uses symmetric and one-way cryptography
  • Uses IP Address for endpoint authentication
  • Uses sequence numbers to prevent replay
  • Security Associations specify which algorithms
    to use
  • Security Associations and keys must be specified
    at both ends
  • Uses Security Policies for security enforcement
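
An added example (not part of the original slides) of how a receiver can use sequence numbers to prevent replay: a sliding window that rejects duplicates and stale packets and only advances after the keyed-hash check passes. The key, packet layout (sequence number plus payload, no SPI) and all names are constructed; the 64-packet window and the 96-bit truncated HMAC-SHA1 tag are assumptions chosen for the sketch.

```python
import hashlib
import hmac

AUTH_KEY = b"constructed-sa-auth-key"  # constructed; stands in for the SA's shared key


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number that passed authentication
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        if seq == 0:
            return "invalid"            # senders start counting at 1
        if seq > self.highest:
            return "ok"                 # ahead of the window
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"            # fell off the left edge
        if (self.bitmap >> offset) & 1:
            return "replay"             # already accepted once
        return "ok"

    def mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def icv(seq, payload):
    # Keyed hash over the sequence number and payload, truncated to 96 bits.
    return hmac.new(AUTH_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()[:12]


def receive(window, seq, payload, tag):
    status = window.check(seq)          # cheap rejection before any crypto
    if status != "ok":
        return status
    if not hmac.compare_digest(icv(seq, payload), tag):
        return "bad_icv"                # the window must not move for unauthenticated data
    window.mark(seq)
    return "accepted"


def demo():
    window = ReplayWindow()
    data = b"constructed payload"
    results = []
    # Constructed arrival order: duplicates, reordering, a bad tag, and a big jump.
    for seq, good_tag in [(1, True), (1, True), (5, True), (3, True), (3, True),
                          (7, False), (7, True), (100, True), (36, True), (37, True)]:
        tag = icv(seq, data) if good_tag else b"\x00" * 12
        results.append(receive(window, seq, data, tag))
    return results
```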

30
IPSec: Protocols
  • Encapsulating Security Payload (ESP)
  • Provides privacy for IP data
  • Provides integrity for IP data
  • Verifies identity of IP data source
  • Authentication Header (AH)
  • Provides authentication for IP packet
  • Verifies identity of IP packet source

31
IPSec: The ESP Protocol
  • Encryption
  • Symmetric cipher with shared key
  • Adds ESP Header after IP header
  • Encrypts IP data and ESP Trailer
  • Leaves the IP Header alone
  • Authentication
  • Keyed Hash function with shared key
  • Adds ESP Auth trailer at end
  • Authenticates ESP header and encrypted data
  • Leaves the IP Header alone
  • Verifying integrity has the side effect of
    verifying identity

32
IPSec: The ESP Protocol

                   BEFORE APPLYING ESP
          ----------------------------
    IPv4  |orig IP hdr  |     |      |
          |(any options)| TCP | Data |
          ----------------------------

                   AFTER APPLYING ESP
          -------------------------------------------------
    IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
          |(any options)| Hdr | TCP | Data | Trailer |Auth|
          -------------------------------------------------
                              |<----- encrypted ---->|
                        |<------ authenticated ----->|

  • Diagram from RFC 2406, IP Encapsulating Security
    Payload

33
IPSec: The AH Protocol
  • Not intended for Privacy
  • Protects against packet injection
  • Protects against Man in the Middle
  • Authentication
  • Keyed Hash function with shared key
  • Adds AH header after IP header
  • Authenticates entire IP packet
  • Does not authenticate mutable IP fields
  • Verifying integrity has the side effect of
    verifying identity

34
IPSec: The AH Protocol

                  BEFORE APPLYING AH
          ----------------------------
    IPv4  |orig IP hdr  |     |      |
          |(any options)| TCP | Data |
          ----------------------------

                  AFTER APPLYING AH
          ---------------------------------
    IPv4  |orig IP hdr  |    |     |      |
          |(any options)| AH | TCP | Data |
          ---------------------------------
          |<------- authenticated ------->|
              except for mutable fields

35
IPSec: Drawbacks
  • Need to set up each SA manually
  • Endpoint IPs
  • Protocol
  • Encryption Algorithm
  • Authentication Algorithm
  • Keys
  • Only does authentication at IP granularity
  • Cannot distinguish between different users
  • Roadwarrior setups are impossible in vanilla
    IPSec
  • Live re-keying is impossible
  • Have to manually re-key both endpoints

36
X.509 Certificates: General Concepts
  • ID Card replacement using asymmetric key pair
  • Public key is on the cert itself, i.e. printed
    on the ID
  • Private key is kept private, i.e. the ability to
    sign
  • Uses private key as proof of ID ownership
  • Akin to comparing your face to the picture on an
    actual ID
  • Uses signature of an authority as proof of
    validity
  • Akin to checking the watermark on an actual ID
  • Potentially used for all kinds of PAIN
  • Privacy, Authentication, Integrity,
    Non-repudiation

37
X.509 Certs: Format
  • File Format Data
  • Version
  • Serial number
  • Issuer Data
  • Issuer signing algorithm and parameters
  • Issuer ID information (company, host, etc)
  • Expiration
  • Owner Data
  • Owner ID information (company, host, etc)
  • Owner signing algorithm, parameters, and key
  • Extensions (somewhat optional)
  • Fingerprints
  • Usage constraints (including if it can certify
    other certs)
  • Comments
  • Anything else
  • Signature
  • Issuer's signature of all of the above

38
X.509 Certs: Issuers
  • Anyone can make a cert
  • It's just a bunch of data that's been signed
  • Issuers are called Certificate Authorities
  • Trusted only as much as the Issuer
  • Issuer is another certificate with the CA flag
  • This flag is just another bit of signed data
  • Trusted only as much as their own Issuer
  • Eventually, you reach a self-signed Root CA

39
X.509 Certs: Hierarchy
  • Issuer trust is a tree hierarchy
  • This hierarchy is called Public Key
    Infrastructure
  • Trust is obtained by Issuer ancestry and settings
  • Each ancestor is verified by the one preceding it
  • Self-signed CA certs are called Root CA certs.
  • Trusted Certificates and Certificate Authorities
  • You can limit certificate trust to select tasks
  • This can include trusting a CA to issue valid
    certs
  • This can include trusting a CA to issue valid CAs

40
X.509 Certs: Revocation
  • IDs can become invalid before they expire
  • Private keys are sometimes compromised
  • The CA can realize that they were duped
  • Revocation Lists
  • Akin to confiscating or destroying a physical ID
  • Essentially a signed blacklist of certs
  • List must be actively updated and checked

41
X.509 Certs: Drawbacks
  • Difficult to enforce revocation
  • Revocation lists aren't pushed to clients
  • Can't destroy certs like you can destroy
    physical IDs
  • Must guard against forged certs
  • Anyone can make a CA and sign certs
  • Who decides which CAs to trust, and how much?
  • Difficult to specify depth of trusted chain
  • Trusting a CA doesn't mean trust completely
  • Manually specifying trust for each cert is tedious

42
Example: SSL and TLS
  • Secure Sockets Layer (SSL)
  • Developed by Netscape
  • Sets up a secure stream at the socket level
  • It's the S in HTTPS, POP3S, IMAPS, etc.
  • Uses a different port than insecure versions
  • Transport Layer Security (TLS)
  • IETF standard to do the same things as SSL
  • Backwards compatible to SSLv3
  • Can handle secure and insecure on same port
  • The S in SMTPS

43
SSL/TLS: Concepts
  • Automatically authenticate using X.509 certs
  • Auto-negotiate integrity and privacy algorithms
  • Uses asymmetric crypto to transfer session key
  • Uses synchronized PRF to generate symmetric keys
  • Uses sequence numbers to prevent replay
  • Links stages together to avoid connection
    hijacking

44
SSL/TLS: Overview
  • Identity and premaster key exchange
  • Agree on how things will be secured
  • Authenticate to each other
  • Exchange premaster secret
  • Master key generation and private stream
  • Use premaster secret to generate master secret
  • Use master secret to generate algorithm keys
  • Start securing everything with generated keys

45
SSL/TLS: First Stage
  • Exchange hello messages
  • Sequence number, random number, SSL/TLS version
  • Server sends certificate
  • If signing-only cert, sends DH parameters too
  • Client sends back premaster secret
  • If cert is encryption cert, uses that
  • Otherwise, uses Diffie-Hellman parameters
  • If asked, Client sends certificate
  • Can send if not asked, but will be ignored

46
SSL/TLS: Second Stage
  • Use hash function to generate master key
  • premaster, client/server random numbers, master
    secret
  • Use master key to seed pseudo random function
  • Both sides have same premaster, so same master
    secret
  • Use PRF to generate algorithm keys
  • Both sides have same PRF and seed, so same keys
  • Encrypt all further traffic with symmetric keys
  • Generate more pseudo-random bits as algorithm
    requires
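
An added example (not part of the original slides) of the second stage as RFC 2246 (TLS 1.0, listed in the References) defines it: the PRF turns the premaster secret and both hello randoms into the 48-byte master secret, then expands that into per-direction MAC keys, cipher keys and IVs. The premaster value, the randoms and the key sizes (20/24/8 bytes, as for a 3DES-CBC-SHA suite) are constructed inputs; function names are chosen for this sketch.

```python
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """RFC 2246 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves share one byte when the length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def derive_master_secret(premaster, client_random, server_random):
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)


def derive_keys(master, client_random, server_random, mac_len=20, key_len=24, iv_len=8):
    """Generate as many pseudo-random bytes as the algorithms need, then slice them."""
    total = 2 * (mac_len + key_len + iv_len)
    # Note the order of the randoms is reversed for key expansion.
    block = tls10_prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def handshake_demo():
    premaster = b"\x03\x01" + os.urandom(46)          # constructed premaster secret
    client_random, server_random = os.urandom(32), os.urandom(32)

    # Each side runs the same computation on the same three inputs.
    client_view = derive_keys(derive_master_secret(premaster, client_random, server_random),
                              client_random, server_random)
    server_view = derive_keys(derive_master_secret(premaster, client_random, server_random),
                              client_random, server_random)

    # A later connection reusing the premaster but with a fresh server random
    # ends up with unrelated keys.
    fresh_random = os.urandom(32)
    other_view = derive_keys(derive_master_secret(premaster, client_random, fresh_random),
                             client_random, fresh_random)
    return client_view == server_view, client_view != other_view
```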

47
SSL/TLS: Drawbacks
  • Only has one secret mechanism (master secret)
  • Will have to change the protocol to add more
  • Can't remove it without destroying the protocol
  • No pluggable key exchange mechanisms
  • Will have to change the protocol to add more
  • Depends on Diffie-Hellman and X.509 keys
  • After authenticating, only uses symmetric
    algorithms
  • Can only generate symmetric keys
  • Can't add asymmetric ciphers without changing
    protocol

48
Example: ISAKMP
  • Internet Security Association and Key Management
    Protocol
  • Configures security sessions for other services
  • Usually IPSec, but can be used for nearly
    anything
  • Can be used securely over a network
  • Port 500/udp, or 4500/udp across a NAT
  • Modularly selected key exchange protocols
  • Oakley, SKEME, IKE

49
ISAKMP: Concepts
  • Phase 1
  • Handled by Key Exchange protocol
  • Negotiate how to authenticate ISAKMP endpoints
  • Negotiate how to secure ISAKMP traffic
  • Authenticate and secure ISAKMP endpoints and
    traffic
  • Phase 2
  • Format and options depend on service to set up
  • Use secured channel to negotiate service security
  • Configure service security with new settings

50
ISAKMP: Phase 1
  • Main mode
  • Negotiate how ISAKMP traffic will be secured
  • Anonymous encrypted channel set up
  • Identities authenticated over private channel
  • Aggressive mode
  • Identities authenticated over clear channel
  • Other than that, same as main mode
  • Necessary for shared secrets from unknown IPs

51
ISAKMP: Phase 2
  • Quick Mode
  • Negotiate how SERVICE traffic will be secured
  • Sends proposals until one is agreeable
  • Uses application APIs to configure service
  • Notifies requesting service of completion
  • Can be initiated more than once
  • More than one phase 2 may use a single phase 1

52
Other Examples
  • Kerberos
  • Uses a trusted arbitrator to verify all keys
    using only symmetric cryptography
  • Uses a centralized list of secrets
  • PGP
  • Uses asymmetric cryptography to very strongly
    encrypt and authenticate off-line messages
  • Uses a trust network to verify identity

53
Skipped Topics
  • Perfect Forward Secrecy (PFS)
  • Finding one key doesn't give you everything
  • Steganography (Stego)
  • Hiding data in other data, unnoticed
  • Cryptanalysis
  • Finding weaknesses in the math of algorithms
  • Per-Algorithm security requirements
  • Constraints on key and data selection

54
One-Way Algorithm List
  • Hash Functions
  • Crypt, MD2, MD4, MD5, N-Hash, RIPEMD-160, SHA0,
    SHA1, SHA2, MDC-2, MDC-4
  • Pseudo-Random Functions (aka MAC)
  • HMAC-MD5, HMAC-SHA1, Keyed-MD5, Keyed-SHA1,
    HMAC-RIPEMD160, AES-XCBC-MAC, TCP-MD5
  • One-way Translate Functions
  • RSA keygen, DSA keygen, DH paramgen

55
Two-Way Algorithm List
  • Encryption
  • Symmetric: DES, 3DES, Blowfish, Cast5, Rijndael,
    Twofish, AES, RC2, RC4
  • Asymmetric: RSA, El Gamal
  • Signing
  • Symmetric: any encryption of any hash, any hash
    of data and secret
  • Asymmetric: DSA, El Gamal, RSA

56
List of Utilities
  • OpenSSL
  • Commandline openssl utility to manipulate x509
    certificates, hash functions, pseudo-random
    number generators, symmetric ciphers, asymmetric
    ciphers and key generation, and a variety of
    crypto file formats. Used to roll your own PKI,
    among other things.
  • GnuPG
  • Commandline gpg utility to manipulate
    asymmetric keys and ciphers, trust databases,
    signing, and verification. Used mainly for
    secure email.
  • Open/StrongSWAN, KAME
  • Commandline setkey utility to manipulate IPSec
    Security Associations and Security Policies.
    Used mainly to set up static IPSec routes.

57
References
  • Bruce Schneier, Applied Cryptography, Protocols,
    Algorithms, and Source Code in C, 2nd Edition
  • RFC 2411, IP Security Document Roadmap
  • RFC 2406, IP Encapsulating Security Payload
  • RFC 2402, IP Authentication Header
  • RFC 2408, The Internet IP Security Domain of
    Interpretation for ISAKMP
  • RFC 2409, The Internet Key Exchange (IKE)
  • RFC 2246, The TLS Protocol
  • Netscape Communications Corp, The SSL 3.0
    Protocol

58
About the Author
  • Robin Battey
  • zanfur_at_zanfur.com
  • Public Key: http://www.zanfur.com/key.txt
  • Key ID: 0x6A57B07D
  • Fingerprint: 3914 F63C A99C 8EC1 785B 8287 1D8B D2F3 6A57 B07D