Everything an Audit Professional needs to know about encryption 50 minutes

1
Everything an Audit Professional needs to know
about encryption 50 minutes
  • Session 2F
  • Ben Rothke, CISSP CISM
  • Security Consultant
  • BT INS
  • Thursday June 14, 2007
  • 11:00 - 11:50 AM

2
About me
  • Ben Rothke, CISSP CISM
  • Security Consultant BT INS
  • Previously with AXA, ThruPoint, Baltimore
    Technologies, Ernst & Young, Citibank
  • Have worked in the information technology sector
    since 1988 and information security since 1994
  • Frequent writer and speaker
  • Author of Computer Security: 20 Things Every
    Employee Should Know (McGraw-Hill 2006)

3
Full disclosure
  • This session is
  • An introduction to the fundamentals of
    cryptography, encryption and digital signatures
  • This session is not
  • A comprehensive overview of cryptography
  • The heavy mathematics and science of cryptography
  • Moral, legal, privacy, social and political
    issues

4
Key Points
  • The need for cryptography has never been greater,
    given the eroding levels of security and privacy
    that are occurring.
  • Aspects of cryptography are indeed rocket
    science.
  • The average person who wants to use the security
    that cryptography provides can ignore the deep
    mathematics and focus on the basics of what
    cryptography can provide.

5
Topics to be discussed
  • The whats and whys of cryptography
  • Brief history of cryptography
  • Symmetric and asymmetric cryptography
  • Keys and key sizes
  • Digital Signatures and Certificates
  • Advanced Encryption Standard

6
What is cryptography?
  • Cryptography is
  • science of using mathematics to encrypt and
    decrypt data
  • ensuring that communications are private
  • Branch of cryptology dealing with the design of
    algorithms for encryption and decryption used to
    ensure the secrecy and authenticity of data.
  • Study of transforming information into a form
    that makes it unreadable to those without the
    appropriate permission to view it
  • Derived from the Greek kryptos, meaning hidden.

7
Why is cryptography so important?
  • Allows people to have the same level of trust and
    confidence that exists in the physical world with
    their data in the digital world.
  • Enables interaction via e-mail, e-commerce, ATM
    machines, cell phones, etc.
  • Continual increase of data transmitted
    electronically has led to an increased need for
    and reliance on cryptography.
  • Until January 2000, the US Government considered
    strong cryptography to be an export-controlled
    munition, much like an M-16 or F-18.

8
Uses of cryptography
  • Network and operating systems security
  • Logins, data encryption, file system encryption
  • Private Internet, telephone communications
  • Electronic payments
  • Secure web transactions, SSL, ATM
  • Database security
  • Software protection
  • Music, DRM, DVD
  • Pay television
  • Confidential military communications

9
Four objectives of cryptography
  • Confidentiality - Data can't be read by anyone
    for whom it wasn't intended
  • Integrity - Data can't be altered in storage or
    transit between sender and intended receiver
    without the alteration being detected.
  • Authentication - Sender and receiver can confirm
    each other's identity
  • Non-repudiation - Inability to deny at a later
    time one's involvement in a cryptographic process

10
Objectives of cryptography
[Diagram: each threat paired with the objective that counters it]
  • Interception - Confidentiality: Are my communications private?
  • Modification - Integrity: Has my communication been altered?
  • Fabrication - Authentication: Who am I dealing with?

11
History of cryptography
  • Usually dated from about 2000 BC, with Egyptian
    hieroglyphics.
  • Consisted of complex pictograms, the full meaning
    of which was only known to an elite few.
  • First known use of a modern cipher was by Julius
    Caesar (100 BC - 44 BC)
  • Caesar didn't trust his messengers when
    communicating with his governors and officers.
  • He created a system with each character replaced
    by a character three positions ahead of it in the
    Roman alphabet.
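Caesar's three-position substitution described above, as an added example that is not part of the presentation. The shift is the key, and because the same key (negated) undoes the transformation, this is also the simplest illustration of the symmetric cryptography the talk turns to later. The message text is constructed for the example; all_shifts lists every one of the 25 possible keys, which is why a shift cipher offers no real protection once the method is known.

```python
# Added example, not from the presentation: Caesar's shift cipher.
# The key is the shift (3 for Caesar); encryption and decryption share
# it, so this is a symmetric cipher in the sense used later in the talk.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace each letter with the one `shift` positions ahead, wrapping
    from Z back to A. Spaces and punctuation pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is encryption with the key negated (Python's % keeps
    the alphabet index non-negative)."""
    return caesar_encrypt(ciphertext, -shift)


def all_shifts(ciphertext: str) -> dict:
    """Every candidate plaintext under the 25 non-trivial keys. The whole
    key space fits on one screen, which is the cipher's weakness."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    message = "VENI VIDI VICI"        # constructed sample message
    ct = caesar_encrypt(message)
    print(ct)                         # YHQL YLGL YLFL
    print(caesar_decrypt(ct))         # VENI VIDI VICI
    for k, candidate in all_shifts(ct).items():
        print(k, candidate)
```

Compare the 25 entries printed by all_shifts with the 2^56 keys of DES or the 2^128 keys of IDEA and AES discussed later: the algorithm is the same kind of object in each case, and what separates them is the size of the key space.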

12
History of cryptography
  • Benedict Arnold, Mary Queen of Scots and Abraham
    Lincoln all used ciphers.
  • Cryptography has long been a part of war,
    diplomacy and politics.
  • Development and growth of cryptography in the
    last 20 years is directly tied to the development
    of the microprocessor
  • Cryptography is computationally intensive
  • Without the PC revolution and the ubiquitous x86
    processor, there would never have been a vehicle
    where cryptography could have been economically
    and reasonably deployed.

13
PGP History
  • 1991 - v1.0 written by Phil Zimmermann ships. RSA
    files suit against Zimmermann
  • 1992 - v2.0 ships. Bass-O-Matic replaced by IDEA
  • 1993 - FBI investigates Zimmermann for possible
    ITAR violations
  • 1994 - v2.4; ViaCrypt starts commercial
    distribution
  • 1996 - PGP Inc. created. Legal case against Phil
    Zimmermann dropped.
  • 1997 - v5.0 released by PGP Inc.
  • 1997 - PGP Inc. acquired by Network Associates
  • 1998 - v6.0 ships
  • 1999 - PGP, Inc. rolled out as separate division
    of NAI
  • 2000 - v7.0 ships
  • 2000 - RSA patents expired on September 20, 2000
  • 2000 - Bowing to intense pressure from Silicon
    Valley, the Clinton administration eliminates most
    restrictions on the export of data-encryption
    technology
  • 2001 - Phil Zimmermann leaves NAI for Hush
    Communications
  • 2002 - PGP Corp. buys back PGP products and
    intellectual property from NAI
  • 2004 - PGP Desktop v8.1 released
  • 2005 - PGP Desktop v9.0 released (May 2007
    current version: 9.6)

14
History of cryptography
  • The Codebreakers: The Comprehensive History of
    Secret Communication from Ancient Times to the
    Internet - David Kahn
  • The Code Book: The Science of Secrecy from
    Ancient Egypt to Quantum Cryptography - Simon
    Singh
  • ICSA Guide to Cryptography - Randall Nichols
  • Applied Cryptography - Bruce Schneier, CTO BT
    Counterpane

15
Everything You Need to Know about Cryptography
16
Six fundamental cryptography terms
  • Encryption - Conversion of data into a pattern,
    called ciphertext, rendering it unreadable.
  • Decryption - Process of converting ciphertext
    data back into its original form, so it can be
    read.
  • Algorithm - Formula used to transform the
    plaintext into ciphertext. Also called a cipher.
  • Key - Complex sequence of alphanumeric
    characters, produced by the algorithm, that
    allows you to encrypt and decrypt data
  • Plaintext - Decrypted or unencrypted data
  • Ciphertext - Data that has been encrypted

17
Advanced cryptography terms (that you don't need
to know)
ASN.1
FIPS
EAL
BSAFE
Adaptive-chosen-ciphertext attack
RSA Factoring Challenge
Dictionary attack
One-time pad
Fields and rings
Brute force attack
Modular arithmetic
NSA
Differential cryptanalysis
Operational policy and procedures
Diffie-Hellman key exchange
ANSI X9.24
Capstone
Multiple polynomial quadratic sieve
PKCS
Random number generation
Factoring methods
X.509v3
CRL
CAPI
Session key
ICV
IDEA
Block cipher
Discrete logarithm
SKPI
Covert channel
Kerberos
Quantum cryptography
Prime numbers
Random numbers
Galois field
Threshold cryptography
Discrete logarithms
Exclusive-OR
Cryptographic tokens
General purpose factoring algorithm
Blind signature scheme
Chosen ciphertext attack
Key management
Linear cryptanalysis
Vector spaces and lattices
Iterated block cipher
One-way function
Meet-in-the-middle attack
Boolean expressions
Key escrow
Pollard Rho method
Tamper resistant
Root CA
CP/CPS
Key recovery
Goppa code
PRNG
Chosen plaintext attack
Elliptic curve discrete logarithm problem
Number field sieve
Private exponent
Provably secure
18
Paper based trust
  • In a paper based society, we
  • Write a letter and sign it
  • Have a witness verify that the signature is
    authentic
  • Put the letter in an envelope and seal it
  • Send it by certified mail
  • This gives the recipient confidence that the
  • Contents had not been read by anyone else
  • Contents of the envelope were intact
  • Letter came from the person who claimed to have
    sent it
  • Person who sent it could not easily deny having
    sent it

19
Paper vs. Electronic trust
20
Symmetric Cryptography
  • Oldest form of cryptography
  • Single key is used both for encryption and
    decryption

21
Symmetric Cryptography
22
Asymmetric (Public-Key Cryptography)
  • Form of encryption based on the use of two
    mathematically related keys (the public key and
    the private key) such that one key cannot be
    derived from the other.
  • Public key encrypts data and verifies digital
    signature
  • Private key decrypts data and digitally signs a
    document

23
PKC concepts
  • You publish your public key to the world while
    keeping your private key secret.
  • Anyone with a copy of your public key can then
    encrypt information that only you can read, even
    people you have never met.
  • No one can deduce the private key from the public
    key.
  • Anyone who has a public key can encrypt
    information but cannot decrypt it.
  • Only the person who has the corresponding private
    key can decrypt the information.

24
PKC Benefits
  • Key management
  • With symmetric cryptography it is essentially
    impossible to provide effective key management
    for large networks.
  • Allows people who have no preexisting security
    arrangement to exchange messages securely.
  • Need for sender and receiver to share secret keys
    via a secure channel is eliminated
  • all communications involve only public keys
  • no private key is ever transmitted or shared.

25
PKC history
  • 1976 - Conceptual ideas developed by Whitfield
    Diffie and Martin Hellman to solve two pressing
    key management problems
  • You need a secure channel to set up a secure
    channel
  • How do you get the key to a recipient without
    someone intercepting it?
  • 1977 - First public-key cryptosystem designed by
    Ron Rivest, Adi Shamir and Len Adleman (RSA) at
    MIT
  • The British developed a PKC first but didn't
    publicly acknowledge it.

26
PKC Process
  • When sending a message to someone, you encrypt
    the message with their public key.
  • Each user has a publicly known encryption key and
    a corresponding private key known only to that
    user
  • They receive it and decrypt it with their private
    key

27
Symmetric vs. Asymmetric
Secret-key (symmetric) encryption
Public-key (asymmetric) encryption
28
Public-key Cryptography
29
Portrait of a Public Key
30
The n² Problem
  • With symmetric cryptography, as the number of
    users increases, the number of keys required to
    provide secure communications among those users
    increases rapidly.
  • For a group of n users, there need to be
    (n² - n)/2 keys for total communications
  • As the number of parties increases (i.e., n
    becomes larger), the number of symmetric keys
    becomes unreasonably large for practical use.
  • This is known as the n² Problem

31
The n² Problem
32
Symmetric vs. Asymmetric
  • From a security functionality perspective,
    symmetric cryptography is for the most part just
    as strong as asymmetric cryptography.
  • Symmetric is much quicker though
  • Where asymmetric shines is in solving the key
    management issues.
  • No key management issues?
  • No compelling need to use asymmetric
    cryptography.

33
Keys & key sizes
  • Key - A value that works with a cryptographic
    algorithm to produce a specific ciphertext
  • Keys do not encrypt or decrypt data the
    algorithm does that.
  • Keys are huge numbers measured in bits
  • PGP key sizes range from 1024 to 4096 bits
  • Key size depends on the data you want to protect
    and the hardware it is on (cell phone, PDA,
    server)
  • Too big a key, too time-consuming
  • Too small a key, too insecure

34
Keys & key sizes
  • Symmetric and asymmetric key sizes are not
    equivalent
  • 80-bit symmetric ≈ 1024-bit asymmetric
  • 128-bit symmetric ≈ 3000-bit asymmetric
  • Caveat: Key sizes are only one aspect of
    effective security
  • Longer keys don't always mean more security
  • Does a longer dead-bolt mean your house is more
    secure?
  • Can build a weak cryptographic system using huge
    keys.

35
How secure is good cryptography?
  • If the underlying application software is
    configured correctly, very secure.
  • Brute-force key search
  • IDEA uses 128-bit keys, for 2^128 possible
    combinations.
  • If a special purpose chip (FPGA) could perform
    one billion decryptions per second, and the
    server had a billion chips running in parallel,
    it would still require over 10^12 years to try all
    of the possible keys, which is about a thousand
    times the age of the universe.

36
Cryptographic Algorithms
  • An algorithm is a formula used to transform the
    plaintext into ciphertext
  • Two types of algorithms
  • Symmetric
  • Asymmetric
  • Criteria
  • Degree of security
  • Speed required
  • Hardware platform

37
Symmetric Algorithms
  • Identical keys used for encryption and decryption
  • Examples
  • DES, Triple-DES, AES, IDEA, Blowfish, CAST, MARS,
    Twofish, Rijndael, RC2, RC4, RC6, A5, A5/1,
    Serpent, Skipjack, DEAL, SAFER

38
DES
  • Most popular crypto standard ever
  • Still used worldwide in myriad different
    scenarios
  • Data Encryption Standard
  • Uses DEA (Data Encryption Algorithm)
  • Developed by IBM in 1975 and adopted by NIST in
    1977
  • Key size 56 bits: 2^56 possible keys, or
    72,057,594,037,927,936 keys
  • 2^56 possible keys was an enormous amount in 1977
  • By 1997, an attack against all 2^56 possible keys
    was easily possible and was carried out.

39
Asymmetric Algorithms
  • Different keys used for encryption and decryption
  • Examples
  • RSA, DSA, Diffie-Hellman, ElGamal, Elliptic curve
  • Private-key and Public-key
  • Keys are directly related

40
Digital Signatures & Certificates
  • Digital Certificate - An electronic credential
  • Used to authenticate the identity of the message
    sender or the signer of a document
  • Ensures that the original content of the message
    or document has not been altered.
  • Shows that the contents of the information signed
    have not been modified.
  • Value determined by the issuing certificate authority
  • Digital Signature - binding of a private key to a
    message.
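The public/private key relationship described in the PKC concepts, PKC process and digital signature slides above, as an added example that is not part of the presentation and not PGP's code. It assumes textbook (unpadded) RSA built from two Mersenne primes, 2^127-1 and 2^521-1, chosen only because they are easy to write down; the note text is constructed. It shows the four operations the slides assign to the two halves of a key pair: the public key encrypts and verifies, the private key decrypts and signs, and a changed message or a changed signature fails verification.

```python
# Added example, not from the presentation: textbook RSA showing the two
# roles of a key pair described in the talk. The public key encrypts and
# verifies; the private key decrypts and signs. Assumptions: the primes are
# Mersenne primes (2^127-1 and 2^521-1) chosen only because they are easy
# to write down; real keys use random primes, padding (OAEP/PSS) and a
# vetted library rather than raw RSA like this.
import hashlib
from math import gcd

P = (1 << 127) - 1      # prime (Mersenne)
Q = (1 << 521) - 1      # prime (Mersenne)


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)). The public half is
    published; d is the secret that cannot be recovered without factoring n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)         # modular inverse, so that e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone holding the public key can do this step."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the holder of d can reverse encryption."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Signing binds the private key to a digest of the message."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")   # < n here
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Recompute the digest and compare it with the signature raised to e.
    A changed message (integrity) or a signature made with another key
    (authentication) fails the comparison."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = make_keypair()
    note = b"meet at 11:00"                       # constructed sample message
    c = encrypt(pub, note)                        # sender uses recipient's public key
    print(decrypt(priv, c))                       # b'meet at 11:00'
    s = sign(priv, note)                          # signer uses own private key
    print(verify(pub, note, s))                   # True
    print(verify(pub, b"meet at 12:00", s))       # False: content altered
```

Run it directly to see the round trip. The point is only the asymmetry of roles an auditor should expect in any PKI deployment: whoever encrypts or verifies holds nothing but the public half, and the private half never leaves its owner. Textbook RSA without padding is a teaching device, not something to deploy.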

41
Digital Signatures & Certificates
42
What's in the digital certificate?
  • User's name
  • Public key of the user
  • Required so that others can verify the user's
    digital signature
  • Validity period (lifetime) of the certificate
  • Start and end date
  • Approved operations
  • For which the public key is to be used (whether
    for encrypting data, verifying digital
    signatures, or both)

43
Advanced Encryption Standard (AES)
  • AES is a Federal Information Processing Standard
    (FIPS) that specifies a cryptographic algorithm
    for use by U.S. Government organizations to
    protect sensitive (unclassified) information.
  • Replaces DES, which is now obsolete.
  • Will be widely used on a voluntary basis by
    organizations, institutions, and individuals
    outside of the U.S. Government and outside of the
    U.S.

44
AES technical details
  • Key sizes: 128, 192 and 256 bits
  • Possible 128-bit keys - 340 undecillion
  • Possible 192-bit keys - 6.2 octodecillion
  • Possible 256-bit keys - Almost a googol
  • By comparison, DES keys are 56 bits long, which
    means there are 2^56 possible DES keys.
  • There are 10^21 times more AES 128-bit keys than
    DES 56-bit keys.
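The key-space arithmetic quoted on the brute-force (IDEA), DES and AES slides, as an added example that is not part of the presentation. It assumes the slide's attacker model of a billion chips each testing a billion keys per second (10^18 keys/s) and a 365.25-day year; the functions return the values so the figures can be checked rather than taken on trust.

```python
# Added example, not from the presentation: the key-space arithmetic behind
# the DES, IDEA and AES figures on the slides. Assumptions: the attacker
# rate of 10^18 keys/s is the slide's "a billion chips at a billion
# decryptions per second"; a year is 365.25 days.

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def key_space(bits: int) -> int:
    """Number of distinct keys of the given length: 2^bits."""
    return 1 << bits


def decimal_exponent(bits: int) -> int:
    """Power of ten of the key space, i.e. 2^bits is about 10^result."""
    return len(str(key_space(bits))) - 1


def brute_force_years(bits: int, keys_per_second: float) -> float:
    """Worst-case years to try every key at a fixed rate."""
    return key_space(bits) / keys_per_second / SECONDS_PER_YEAR


def aes128_to_des_ratio() -> int:
    """How many times more AES-128 keys there are than DES keys (2^72)."""
    return key_space(128) // key_space(56)


if __name__ == "__main__":
    print(f"{key_space(56):,}")                     # 72,057,594,037,927,936 DES keys
    for bits in (56, 128, 192, 256):
        print(f"{bits}-bit keys: about 10^{decimal_exponent(bits)}")
    # DES against a single chip doing one billion keys per second
    print(f"DES: {brute_force_years(56, 1e9):.1f} years")        # about 2.3
    # IDEA/AES-128 against the slide's billion chips x billion keys/s
    print(f"128-bit: {brute_force_years(128, 1e18):.2e} years")  # about 1e13
    print(f"ratio: {aes128_to_des_ratio():.2e}")                  # about 4.7e21
```

A single chip at a billion keys per second exhausts the 56-bit DES key space in a little over two years, which is the scale of effort behind the 1997 attack the DES slide mentions; the same chip farm scaled up a billion times still needs on the order of 10^13 years against a 128-bit key, and the ratio function shows the 2^72 (roughly 10^21) gap between the two key spaces that the AES slide cites.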

45
PGP (Pretty Good Privacy)
  • Software package that provides strong
    cryptographic functionality
  • e-mail, file, disk
  • Originally developed as freeware, PGP has since
    become the de facto standard for e-mail security
  • Has made cryptography accessible for everyone
  • Commercial www.pgp.com/products/index.html
  • Source code www.pgp.com/products/sourcecode.html

46
Using PGP
  • Create your key
  • Encrypt/Decrypt file
  • Sign/Verify message

47
PGP keyring of public keys
48
PGP encryption/decryption
49
Digital signing
50
Digital signature verification
51
Additional References
52
For further information
  • Bruce Schneier
  • Why Cryptography Is Harder Than It Looks
  • www.schneier.com/essay-037.html
  • Security Pitfalls in Cryptography
  • www.schneier.com/essay-028.html
  • Secrets and Lies: Digital Security in a
    Networked World
  • Applied Cryptography: Protocols, Algorithms, and
    Source Code
  • RSA Cryptography FAQ
  • www.rsa.com/rsalabs/node.asp?id=2152
  • Information Security Magazine
  • http://infosecuritymag.techtarget.com

53
For further information
  • Steven Levy
  • Crypto: How the Code Rebels Beat the Government
    -- Saving Privacy in the Digital Age
  • Simon Singh
  • The Code Book: The Science of Secrecy from
    Ancient Egypt to Quantum Cryptography
  • H. X. Mel & Doris Baker
  • Cryptography Decrypted: A Pictorial Introduction
    to Digital Security
  • Chey Cobb
  • Cryptography for Dummies

54
Conclusions
55
Conclusions
  • With Google, spyware, leaky Internet protocols
    and myriad other threats to security and privacy,
    cryptography has never been more important.
  • While the hidden engine of cryptography uses Ph.D.
    level mathematics, as an end-user, you are
    shielded from such complexity.
  • By knowing what you need to secure, and how to do
    it, you can use cryptography to the fullest,
    without needing a Ph.D. in applied mathematics.

56
Thanks for attending
  • Any questions? comments?
  • Please fill out your evaluation sheets

57
Ben Rothke, CISSP CISM, Security Consultant, NY
Metro, BT INS, Ben.Rothke@bt.com