Computer Security - Discussion
182
Chap ter 7 PKI and Cryp to graphic Ap pli ca tions
THE CISSP EXAM TOP ICS COV ERED IN THIS CHAP TER IN CLUDE:
Do main 3: Se cu rity Ar chi tec ture and En gi neer ing 3.9 Ap ply cryp tog ra phy
3.9.1 Cryp to graphic life cy cle (e.g., key man age ment, al go rithm se lec tion)
3.9.2 Cryp to graphic meth ods
3.9.3 Pub lic Key In fra struc ture (PKI)
3.9.4 Key man age ment prac tices
3.9.5 Dig i tal sig na tures
3.9.6 Non re pu di a tion
3.9.7 In tegrity
3.9.8 Un der stand meth ods of crypt an a lytic at tacks
3.9.9 Dig i tal Rights Man age ment (DRM)
In Chap ter 6, “Cryp tog ra phy and Sym met ric Key Al go rithms,” we in tro duced ba sic cryp tog ra phy con cepts and ex plored a va ri ety of pri vate key cryp tosys tems. These sym met ric cryp tosys tems of fer fast, se cure com mu ni ca tion but in tro duce the sub stan tial chal lenge of key ex change be tween pre vi ously un re lated par ties.
This chap ter ex plores the world of asym met ric (or pub lic key) cryp tog ra phy and the pub lic-key in fra struc ture (PKI) that sup ports world wide se cure com mu ni ca tion be tween par ties that don’t nec es sar ily know each other prior to the com mu ni ca tion. Asym met ric al go rithms pro vide con ve nient key ex change mech a nisms and are scal able to very large num bers of users, both chal lenges for users of sym met ric cryp tosys tems.
This chap ter also ex plores sev eral prac ti cal ap pli ca tions of asym met ric cryp tog ra phy: se cur ing email, web com mu ni ca tions, elec tronic com merce, dig i tal rights man age ment, and net work ing. The chap ter con cludes with an ex am i na tion of a va ri ety of at tacks ma li cious in di vid u als might use to com pro mise weak cryp tosys tems.
Asym met ric Cryp tog ra phy The sec tion “Mod ern Cryp tog ra phy” in Chap ter 6 in tro duced the ba sic prin ci ples be hind both pri vate
(sym met ric) and pub lic (asym met ric) key cryp tog ra phy. You learned that sym met ric key cryp tosys tems re quire both com mu ni cat ing par ties to have the same shared se cret key, cre at ing the prob lem of se cure key dis tri bu tion. You also learned that asym met ric cryp tosys tems avoid this hur dle by us ing pairs of pub lic and pri vate keys to fa cil i tate se cure com mu ni ca tion with out the over head of com plex key dis tri bu tion sys tems. The se cu rity of these sys tems re lies on the dif fi culty of re vers ing a one-way func tion.
In the fol low ing sec tions, we’ll ex plore the con cepts of pub lic key cryp tog ra phy in greater de tail and look at three of the more com mon pub lic key cryp tosys tems in use to day: Rivest–Shamir–Adle man (RSA), El Gamal, and the el lip tic curve cryp tog ra phy (ECC).
Pub lic and Pri vate Keys
Re call from Chap ter 6 that pub lic key cryp tosys tems rely on pairs of keys as signed to each user of the cryp tosys tem. Ev ery user main tains both a pub lic key and a pri vate key. As the names im ply, pub lic key cryp tosys tem users make their pub lic keys freely avail able to any one with whom they want to com mu ni cate. The mere pos ses sion of the pub lic key by third par ties does not in tro duce any weak nesses into the cryp tosys tem. The pri vate key, on the other hand, is re served for the sole use of the in di vid ual who owns the keys. It is never shared with any other cryp tosys tem user.
183
Nor mal com mu ni ca tion be tween pub lic key cryp tosys tem users is quite straight for ward. Fig ure 7.1 shows the gen eral process.
FIG URE 7.1 Asym met ric key cryp tog ra phy
No tice that the process does not re quire the shar ing of pri vate keys. The sender en crypts the plain text mes sage (P) with the re cip i ent’s pub lic key to cre ate the ci pher text mes sage (C). When the re cip i ent opens the ci pher text mes sage, they de crypt it us ing their pri vate key to re-cre ate the orig i nal plain text mes sage.
Once the sender en crypts the mes sage with the re cip i ent’s pub lic key, no user (in clud ing the sender) can de crypt that mes sage with out know ing the re cip i ent’s pri vate key (the sec ond half of the pub lic-pri vate key pair used to gen er ate the mes sage). This is the beauty of pub lic key cryp tog ra phy—pub lic keys can be freely shared us ing un se cured com mu ni ca tions and then used to cre ate se cure com mu ni ca tions chan nels be tween users pre vi ously un known to each other.
You also learned in the pre vi ous chap ter that pub lic key cryp tog ra phy en tails a higher de gree of com pu ta tional com plex ity. Keys used within pub lic key sys tems must be longer than those used in pri vate key sys tems to pro duce cryp tosys tems of equiv a lent strengths.
RSA The most fa mous pub lic key cryp tosys tem is named af ter its cre ators. In 1977, Ronald Rivest, Adi Shamir,
and Leonard Adle man pro posed the RSA pub lic key al go rithm that re mains a world wide stan dard to day. They patented their al go rithm and formed a com mer cial ven ture known as RSA Se cu rity to de velop main stream im ple men ta tions of their se cu rity tech nol ogy. To day, the RSA al go rithm has been re leased into the pub lic do main and is widely used for se cure com mu ni ca tion.
The RSA al go rithm de pends on the com pu ta tional dif fi culty in her ent in fac tor ing large prime num bers. Each user of the cryp tosys tem gen er ates a pair of pub lic and pri vate keys us ing the al go rithm de scribed in the fol low ing steps:
1. Choose two large prime num bers (ap prox i mately 200 dig its each), la beled p and q.
2. Com pute the prod uct of those two num bers: n = p * q.
3. Se lect a num ber, e, that sat is fies the fol low ing two re quire ments:
a. e is less than n.
b. e and (p – 1)(q – 1) are rel a tively prime—that is, the two num bers have no com mon fac tors other than 1.
4. Find a num ber, d, such that (ed – 1) mod (p – 1)(q – 1) = 1.
5. Dis trib ute e and n as the pub lic key to all cryp tosys tem users. Keep d se cret as the pri vate key.
If Al ice wants to send an en crypted mes sage to Bob, she gen er ates the ci pher text (C) from the plain text (P) us ing the fol low ing for mula (where e is Bob’s pub lic key and n is the prod uct of p and q cre ated dur ing the key gen er a tion process):
C = Pe mod n
When Bob re ceives the mes sage, he per forms the fol low ing cal cu la tion to re trieve the plain text mes sage:
P = Cd mod n
184
Merkle-Hell man Knap sack
An other early asym met ric al go rithm, the Merkle-Hell man Knap sack al go rithm, was de vel oped the year af ter RSA was pub li cized. Like RSA, it’s based on the dif fi culty of per form ing fac tor ing op er a tions, but it re lies on a com po nent of set the ory known as su per-in creas ing sets rather than on large prime num bers. Merkle-Hell man was proven in ef fec tive when it was bro ken in 1984.
Im por tance of Key Length
The length of the cryp to graphic key is per haps the most im por tant se cu rity pa ram e ter that can be set at the dis cre tion of the se cu rity ad min is tra tor. It’s im por tant to un der stand the ca pa bil i ties of your en cryp tion al go rithm and choose a key length that pro vides an ap pro pri ate level of pro tec tion. This judg ment can be made by weigh ing the dif fi culty of de feat ing a given key length (mea sured in the amount of pro cess ing time re quired to de feat the cryp tosys tem) against the im por tance of the data.
Gen er ally speak ing, the more crit i cal your data, the stronger the key you use to pro tect it should be. Time li ness of the data is also an im por tant con sid er a tion. You must take into ac count the rapid growth of com put ing power—Moore’s law sug gests that com put ing power dou bles ap prox i mately ev ery two years. If it takes cur rent com put ers one year of pro cess ing time to break your code, it will take only three months if the at tempt is made with con tem po rary tech nol ogy about four years down the road. If you ex pect that your data will still be sen si tive at that time, you should choose a much longer cryp to graphic key that will re main se cure well into the fu ture.
Also, as at tack ers are now able to lever age cloud com put ing re sources, they are able to more ef fi ciently at tack en crypted data. The cloud al lows at tack ers to rent scal able com put ing power, in clud ing pow er ful graphic pro cess ing units (GPUs) on a per-hour ba sis, and of fers sig nif i cant dis counts when us ing ex cess ca pac ity dur ing non peak hours. This brings pow er ful com put ing well within the reach of many at tack ers.
The strengths of var i ous key lengths also vary greatly ac cord ing to the cryp tosys tem you’re us ing. The key lengths shown in the fol low ing ta ble for three asym met ric cryp tosys tems all pro vide equal pro tec tion:
Cryp tosys tem Key length RSA 1,024 bits DSA 1,024 bits El lip tic curve 160 bits
El Gamal In Chap ter 6, you learned how the Diffie–Hell man al go rithm uses large in te gers and mod u lar arith metic
to fa cil i tate the se cure ex change of se cret keys over in se cure com mu ni ca tions chan nels. In 1985, Dr. T. El Gamal pub lished an ar ti cle de scrib ing how the math e mat i cal prin ci ples be hind the Diffie–Hell man key ex change al go rithm could be ex tended to sup port an en tire pub lic key cryp tosys tem used for en crypt ing and de crypt ing mes sages.
At the time of its re lease, one of the ma jor ad van tages of El Gamal over the RSA al go rithm was that it was re leased into the pub lic do main. Dr. El Gamal did not ob tain a patent on his ex ten sion of Diffie-Hell man, and it is freely avail able for use, un like the then-patented RSA tech nol ogy. (RSA re leased its al go rithm into the pub lic do main in 2000.)
How ever, El Gamal also has a ma jor dis ad van tage—the al go rithm dou bles the length of any mes sage it en crypts. This presents a ma jor hard ship when en crypt ing long mes sages or data that will be trans mit ted over a nar row band width com mu ni ca tions cir cuit.
El lip tic Curve
Also in 1985, two math e ma ti cians, Neal Koblitz from the Uni ver sity of Wash ing ton and Vic tor Miller from IBM, in de pen dently pro posed the ap pli ca tion of el lip tic curve cryp tog ra phy (ECC) the ory to de velop se cure cryp to graphic sys tems.
185
The math e mat i cal con cepts be hind el lip tic curve cryp tog ra phy are quite com plex and well
be yond the scope of this book. How ever, you should be gen er ally fa mil iar with the el lip tic curve al go rithm and its po ten tial ap pli ca tions when pre par ing for the CISSP exam. If you are in ter ested in learn ing the de tailed math e mat ics be hind el lip tic curve cryp tosys tems, an ex cel lent tu to rial ex ists at https://www.cer ti com.com/con tent/cer ti com/en/ ecc-tu to rial.html.
Any el lip tic curve can be de fined by the fol low ing equa tion:
y2 = x3 + ax + b
In this equa tion, x, y, a, and b are all real num bers. Each el lip tic curve has a cor re spond ing el lip tic curve group made up of the points on the el lip tic curve along with the point O, lo cated at in fin ity. Two points within the same el lip tic curve group (P and Q) can be added to gether with an el lip tic curve ad di tion al go rithm. This op er a tion is ex pressed, quite sim ply, as fol lows:
P + Q
This prob lem can be ex tended to in volve mul ti pli ca tion by as sum ing that Q is a mul ti ple of P, mean ing the fol low ing:
Q = xP
Com puter sci en tists and math e ma ti cians be lieve that it is ex tremely hard to find x, even if P and Q are al ready known. This dif fi cult prob lem, known as the el lip tic curve dis crete log a rithm prob lem, forms the ba sis of el lip tic curve cryp tog ra phy. It is widely be lieved that this prob lem is harder to solve than both the prime fac tor iza tion prob lem that the RSA cryp tosys tem is based on and the stan dard dis crete log a rithm prob lem uti lized by Diffie–Hell man and El Gamal. This is il lus trated by the data shown in the ta ble in the side bar “Im por tance of Key Length,” which noted that a 1,024-bit RSA key is cryp to graph i cally equiv a lent to a 160-bit el lip tic curve cryp tosys tem key.
Hash Func tions Later in this chap ter, you’ll learn how cryp tosys tems im ple ment dig i tal sig na tures to pro vide proof that a
mes sage orig i nated from a par tic u lar user of the cryp tosys tem and to en sure that the mes sage was not mod i fied while in tran sit be tween the two par ties. Be fore you can com pletely un der stand that con cept, we must first ex plain the con cept of hash func tions. We will ex plore the ba sics of hash func tions and look at sev eral com mon hash func tions used in mod ern dig i tal sig na ture al go rithms.
Hash func tions have a very sim ple pur pose—they take a po ten tially long mes sage and gen er ate a unique out put value de rived from the con tent of the mes sage. This value is com monly re ferred to as the mes sage di gest. Mes sage di gests can be gen er ated by the sender of a mes sage and trans mit ted to the re cip i ent along with the full mes sage for two rea sons.
First, the re cip i ent can use the same hash func tion to re com pute the mes sage di gest from the full mes sage. They can then com pare the com puted mes sage di gest to the trans mit ted one to en sure that the mes sage sent by the orig i na tor is the same one re ceived by the re cip i ent. If the mes sage di gests do not match, that means the mes sage was some how mod i fied while in tran sit. It is im por tant to note that the mes sages must be ex actly iden ti cal for the di gests to match. If the mes sages have even a slight dif fer ence in spac ing, punc tu a tion, or con tent, the mes sage di gest val ues will be com pletely dif fer ent. It is not pos si ble to tell the de gree of dif fer ence be tween two mes sages by com par ing the di gests. Even a slight dif fer ence will gen er ate to tally dif fer ent di gest val ues.
Sec ond, the mes sage di gest can be used to im ple ment a dig i tal sig na ture al go rithm. This con cept is cov ered in “Dig i tal Sig na tures” later in this chap ter.
The term mes sage di gest is used in ter change ably with a wide va ri ety of syn onyms,
in clud ing hash, hash value, hash to tal, CRC, fin ger print, check sum, and dig i tal ID.
In most cases, a mes sage di gest is 128 bits or larger. How ever, a sin gle-digit value can be used to per form the func tion of par ity, a low-level or sin gle-digit check sum value used to pro vide a sin gle in di vid ual point of ver i fi ca tion. In most cases, the longer the mes sage di gest, the more re li able its ver i fi ca tion of in tegrity.
Ac cord ing to RSA Se cu rity, there are five ba sic re quire ments for a cryp to graphic hash func tion:
186
The in put can be of any length.
The out put has a fixed length.
The hash func tion is rel a tively easy to com pute for any in put.
The hash func tion is one-way (mean ing that it is ex tremely hard to de ter mine the in put when pro vided with the out put). One-way func tions and their use ful ness in cryp tog ra phy are de scribed in Chap ter 6.
The hash func tion is col li sion free (mean ing that it is ex tremely hard to find two mes sages that pro duce the same hash value).
In the fol low ing sec tions, we’ll look at four com mon hash ing al go rithms: se cure hash al go rithm (SHA), mes sage di gest 2 (MD2), mes sage di gest 4 (MD4), and mes sage di gest 5 (MD5). Hash mes sage au then ti ca tion code (HMAC) is also dis cussed later in this chap ter.
There are nu mer ous hash ing al go rithms not ad dressed in this exam. But in ad di tion to SHA,
MD2, MD4, MD5, and HMAC, you should rec og nize HAVAL. Hash of Vari able Length (HAVAL) is a mod i fi ca tion of MD5. HAVAL uses 1,024-bit blocks and pro duces hash val ues of 128, 160, 192, 224, and 256 bits.
SHA The Se cure Hash Al go rithm (SHA) and its suc ces sors, SHA-1, SHA-2, and SHA-3, are gov ern ment
stan dard hash func tions pro moted by the Na tional In sti tute of Stan dards and Tech nol ogy (NIST) and are spec i fied in an of fi cial gov ern ment pub li ca tion—the Se cure Hash Stan dard (SHS), also known as Fed eral In for ma tion Pro cess ing Stan dard (FIPS) 180.
SHA-1 takes an in put of vir tu ally any length (in re al ity, there is an up per bound of ap prox i mately 2,097,152 ter abytes on the al go rithm) and pro duces a 160-bit mes sage di gest. The SHA-1 al go rithm pro cesses a mes sage in 512-bit blocks. There fore, if the mes sage length is not a mul ti ple of 512, the SHA al go rithm pads the mes sage with ad di tional data un til the length reaches the next high est mul ti ple of 512.
Crypt an a lytic at tacks demon strated that there are weak nesses in the SHA-1 al go rithm. This led to the cre ation of SHA-2, which has four vari ants:
SHA-256 pro duces a 256-bit mes sage di gest us ing a 512-bit block size.
SHA-224 uses a trun cated ver sion of the SHA-256 hash to pro duce a 224-bit mes sage di gest us ing a 512- bit block size.
SHA-512 pro duces a 512-bit mes sage di gest us ing a 1,024-bit block size.
SHA-384 uses a trun cated ver sion of the SHA-512 hash to pro duce a 384-bit di gest us ing a 1,024-bit block size.
Al though it might seem triv ial, you should take the time to mem o rize the size of the mes sage
di gests pro duced by each one of the hash al go rithms de scribed in this chap ter.
The cryp to graphic com mu nity gen er ally con sid ers the SHA-2 al go rithms se cure, but they the o ret i cally suf fer from the same weak ness as the SHA-1 al go rithm. In 2015, the fed eral gov ern ment an nounced the re lease of the Kec cak al go rithm as the SHA-3 stan dard. The SHA-3 suite was de vel oped to serve as drop-in re place ment for the SHA-2 hash func tions, of fer ing the same vari ants and hash lengths us ing a more se cure al go rithm.
MD2
The Mes sage Di gest 2 (MD2) hash al go rithm was de vel oped by Ronald Rivest (the same Rivest of Rivest, Shamir, and Adle man fame) in 1989 to pro vide a se cure hash func tion for 8-bit pro ces sors. MD2 pads the mes sage so that its length is a mul ti ple of 16 bytes. It then com putes a 16-byte check sum and ap pends it to the end of the mes sage. A 128-bit mes sage di gest is then gen er ated by us ing the en tire orig i nal mes sage along with the ap pended check sum.
Crypt an a lytic at tacks ex ist against the MD2 al go rithm. Specif i cally, Nathalie Ro gier and Pas cal Chau vaud dis cov ered that if the check sum is not ap pended to the mes sage be fore di gest com pu ta tion, col li sions may
187
oc cur. Fred eric Mueller later proved that MD2 is not a one-way func tion. There fore, it should no longer be used.
MD4 In 1990, Rivest en hanced his mes sage di gest al go rithm to sup port 32-bit pro ces sors and in crease the level
of se cu rity. This en hanced al go rithm is known as MD4. It first pads the mes sage to en sure that the mes sage length is 64 bits smaller than a mul ti ple of 512 bits. For ex am ple, a 16-bit mes sage would be padded with 432 ad di tional bits of data to make it 448 bits, which is 64 bits smaller than a 512-bit mes sage.
The MD4 al go rithm then pro cesses 512-bit blocks of the mes sage in three rounds of com pu ta tion. The fi nal out put is a 128-bit mes sage di gest.
The MD2, MD4, and MD5 al go rithms are no longer ac cepted as suit able hash ing func tions.
How ever, the de tails of the al go rithms may still ap pear on the CISSP exam be cause they may still be found in use to day.
Sev eral math e ma ti cians have pub lished pa pers doc u ment ing flaws in the full ver sion of MD4 as well as im prop erly im ple mented ver sions of MD4. In par tic u lar, Hans Dob bertin pub lished a pa per in 1996 out lin ing how a mod ern per sonal com puter could be used to find col li sions for MD4 mes sage di gests in less than one minute. For this rea son, MD4 is no longer con sid ered to be a se cure hash ing al go rithm, and its use should be avoided if at all pos si ble.
MD5
In 1991, Rivest re leased the next ver sion of his mes sage di gest al go rithm, which he called MD5. It also pro cesses 512-bit blocks of the mes sage, but it uses four dis tinct rounds of com pu ta tion to pro duce a di gest of the same length as the MD2 and MD4 al go rithms (128 bits). MD5 has the same pad ding re quire ments as MD4 —the mes sage length must be 64 bits less than a mul ti ple of 512 bits.
MD5 im ple ments ad di tional se cu rity fea tures that re duce the speed of mes sage di gest pro duc tion sig nif i cantly. Un for tu nately, re cent crypt an a lytic at tacks demon strated that the MD5 pro to col is sub ject to col li sions, pre vent ing its use for en sur ing mes sage in tegrity. Specif i cally, Ar jen Lenstra and oth ers demon strated in 2005 that it is pos si ble to cre ate two dig i tal cer tifi cates from dif fer ent pub lic keys that have the same MD5 hash.
Ta ble 7.1 lists well-known hash ing al go rithms and their re sul tant hash value lengths in bits. Ear mark this page for mem o riza tion.
TA BLE 7.1 Hash al go rithm mem o riza tion chart
Name Hash value length Hash of Vari able Length (HAVAL)—an MD5 vari ant 128, 160, 192, 224, and 256 bits Hash Mes sage Au then ti cat ing Code (HMAC) Vari able Mes sage Di gest 2 (MD2) 128 Mes sage Di gest 4 (MD4) 128 Mes sage Di gest 5 (MD5) 128 Se cure Hash Al go rithm (SHA-1) 160 SHA2-224/SHA3-224 224 SHA2-256/SHA3-256 256 SHA2-384/SHA3-384 384 SHA2-512/SHA3-512 512
Dig i tal Sig na tures Once you have cho sen a cryp to graph i cally sound hash ing al go rithm, you can use it to im ple ment a dig i tal
sig na ture sys tem. Dig i tal sig na ture in fra struc tures have two dis tinct goals:
Dig i tally signed mes sages as sure the re cip i ent that the mes sage truly came from the claimed sender. They en force non re pu di a tion (that is, they pre clude the sender from later claim ing that the mes sage is a forgery).
Dig i tally signed mes sages as sure the re cip i ent that the mes sage was not al tered while in tran sit be tween the sender and re cip i ent. This pro tects against both ma li cious mod i fi ca tion (a third party al ter ing the
188
mean ing of the mes sage) and un in ten tional mod i fi ca tion (be cause of faults in the com mu ni ca tions process, such as elec tri cal in ter fer ence).
Dig i tal sig na ture al go rithms rely on a com bi na tion of the two ma jor con cepts al ready cov ered in this chap ter—pub lic key cryp tog ra phy and hash ing func tions.
If Al ice wants to dig i tally sign a mes sage she’s send ing to Bob, she per forms the fol low ing ac tions:
1. Al ice gen er ates a mes sage di gest of the orig i nal plain text mes sage us ing one of the cryp to graph i cally sound hash ing al go rithms, such as SHA3-512.
2. Al ice then en crypts only the mes sage di gest us ing her pri vate key. This en crypted mes sage di gest is the dig i tal sig na ture.
3. Al ice ap pends the signed mes sage di gest to the plain text mes sage.
4. Al ice trans mits the ap pended mes sage to Bob.
When Bob re ceives the dig i tally signed mes sage, he re verses the pro ce dure, as fol lows:
1. Bob de crypts the dig i tal sig na ture us ing Al ice’s pub lic key.
2. Bob uses the same hash ing func tion to cre ate a mes sage di gest of the full plain text mes sage re ceived from Al ice.
3. Bob then com pares the de crypted mes sage di gest he re ceived from Al ice with the mes sage di gest he com puted him self. If the two di gests match, he can be as sured that the mes sage he re ceived was sent by Al ice. If they do not match, ei ther the mes sage was not sent by Al ice or the mes sage was mod i fied while in tran sit.
Dig i tal sig na tures are used for more than just mes sages. Soft ware ven dors of ten use dig i tal
sig na ture tech nol ogy to au then ti cate code dis tri bu tions that you down load from the in ter net, such as ap plets and soft ware patches.
Note that the dig i tal sig na ture process does not pro vide any pri vacy in and of it self. It only en sures that the cryp to graphic goals of in tegrity, au then ti ca tion, and non re pu di a tion are met. How ever, if Al ice wanted to en sure the pri vacy of her mes sage to Bob, she could add a step to the mes sage cre ation process. Af ter ap pend ing the signed mes sage di gest to the plain text mes sage, Al ice could en crypt the en tire mes sage with Bob’s pub lic key. When Bob re ceived the mes sage, he would de crypt it with his own pri vate key be fore fol low ing the steps just out lined.
HMAC The hashed mes sage au then ti ca tion code (HMAC) al go rithm im ple ments a par tial dig i tal sig na ture—it
guar an tees the in tegrity of a mes sage dur ing trans mis sion, but it does not pro vide for non re pu di a tion.
Which Key Should I Use?
If you’re new to pub lic key cryp tog ra phy, se lect ing the cor rect key for var i ous ap pli ca tions can be quite con fus ing. En cryp tion, de cryp tion, mes sage sign ing, and sig na ture ver i fi ca tion all use the same al go rithm with dif fer ent key in puts. Here are a few sim ple rules to help keep these con cepts straight in your mind when pre par ing for the CISSP exam:
If you want to en crypt a mes sage, use the re cip i ent’s pub lic key.
If you want to de crypt a mes sage sent to you, use your pri vate key.
If you want to dig i tally sign a mes sage you are send ing to some one else, use your pri vate key.
If you want to ver ify the sig na ture on a mes sage sent by some one else, use the sender’s pub lic key.
These four rules are the core prin ci ples of pub lic key cryp tog ra phy and dig i tal sig na tures. If you un der stand each of them, you’re off to a great start!
HMAC can be com bined with any stan dard mes sage di gest gen er a tion al go rithm, such as SHA-3, by us ing a shared se cret key. There fore, only com mu ni cat ing par ties who know the key can gen er ate or ver ify the
189
dig i tal sig na ture. If the re cip i ent de crypts the mes sage di gest but can not suc cess fully com pare it to a mes sage di gest gen er ated from the plain text mes sage, that means the mes sage was al tered in tran sit.
Be cause HMAC re lies on a shared se cret key, it does not pro vide any non re pu di a tion func tion al ity (as pre vi ously men tioned). How ever, it op er ates in a more ef fi cient man ner than the dig i tal sig na ture stan dard de scribed in the fol low ing sec tion and may be suit able for ap pli ca tions in which sym met ric key cryp tog ra phy is ap pro pri ate. In short, it rep re sents a half way point be tween un en crypted use of a mes sage di gest al go rithm and com pu ta tion ally ex pen sive dig i tal sig na ture al go rithms based on pub lic key cryp tog ra phy.
Dig i tal Sig na ture Stan dard The Na tional In sti tute of Stan dards and Tech nol ogy spec i fies the dig i tal sig na ture al go rithms ac cept able
for fed eral gov ern ment use in Fed eral In for ma tion Pro cess ing Stan dard (FIPS) 186-4, also known as the Dig i tal Sig na ture Stan dard (DSS). This doc u ment spec i fies that all fed er ally ap proved dig i tal sig na ture al go rithms must use the SHA-3 hash ing func tions.
DSS also spec i fies the en cryp tion al go rithms that can be used to sup port a dig i tal sig na ture in fra struc ture. There are three cur rently ap proved stan dard en cryp tion al go rithms:
The Dig i tal Sig na ture Al go rithm (DSA) as spec i fied in FIPS 186-4
The Rivest–Shamir–Adle man (RSA) al go rithm as spec i fied in ANSI X9.31
The El lip tic Curve DSA (ECDSA) as spec i fied in ANSI X9.62
Two other dig i tal sig na ture al go rithms you should rec og nize, at least by name, are Schnorr’s
sig na ture al go rithm and Ny berg-Ruep pel’s sig na ture al go rithm.
Pub lic Key In fra struc ture The ma jor strength of pub lic key en cryp tion is its abil ity to fa cil i tate com mu ni ca tion be tween par ties
pre vi ously un known to each other. This is made pos si ble by the pub lic key in fra struc ture (PKI) hi er ar chy of trust re la tion ships. These trusts per mit com bin ing asym met ric cryp tog ra phy with sym met ric cryp tog ra phy along with hash ing and dig i tal cer tifi cates, giv ing us hy brid cryp tog ra phy.
In the fol low ing sec tions, you’ll learn the ba sic com po nents of the pub lic key in fra struc ture and the cryp to graphic con cepts that make global se cure com mu ni ca tions pos si ble. You’ll learn the com po si tion of a dig i tal cer tifi cate, the role of cer tifi cate au thor i ties, and the process used to gen er ate and de stroy cer tifi cates.
Cer tifi cates Dig i tal cer tifi cates pro vide com mu ni cat ing par ties with the as sur ance that the peo ple they are
com mu ni cat ing with truly are who they claim to be. Dig i tal cer tifi cates are es sen tially en dorsed copies of an in di vid ual’s pub lic key. When users ver ify that a cer tifi cate was signed by a trusted cer tifi cate au thor ity (CA), they know that the pub lic key is le git i mate.
Dig i tal cer tifi cates con tain spe cific iden ti fy ing in for ma tion, and their con struc tion is gov erned by an in ter na tional stan dard—X.509. Cer tifi cates that con form to X.509 con tain the fol low ing data:
Ver sion of X.509 to which the cer tifi cate con forms
Se rial num ber (from the cer tifi cate cre ator)
Sig na ture al go rithm iden ti fier (spec i fies the tech nique used by the cer tifi cate au thor ity to dig i tally sign the con tents of the cer tifi cate)
Is suer name (iden ti fi ca tion of the cer tifi cate au thor ity that is sued the cer tifi cate)
Va lid ity pe riod (spec i fies the dates and times—a start ing date and time and an end ing date and time— dur ing which the cer tifi cate is valid)
Sub ject’s name (con tains the dis tin guished name, or DN, of the en tity that owns the pub lic key con tained in the cer tifi cate)
Sub ject’s pub lic key (the meat of the cer tifi cate—the ac tual pub lic key the cer tifi cate owner used to set up se cure com mu ni ca tions)
The cur rent ver sion of X.509 (ver sion 3) sup ports cer tifi cate ex ten sions—cus tom ized vari ables con tain ing data in serted into the cer tifi cate by the cer tifi cate au thor ity to sup port track ing of cer tifi cates or var i ous
190
ap pli ca tions.
If you’re in ter ested in build ing your own X.509 cer tifi cates or just want to ex plore the
in ner work ings of the pub lic key in fra struc ture, you can pur chase the com plete of fi cial X.509 stan dard from the In ter na tional Telecom mu ni ca tions Union (ITU). It’s part of the Open Sys tems In ter con nec tion (OSI) se ries of com mu ni ca tion stan dards and can be pur chased elec tron i cally on the ITU web site at www.itu.int.
Cer tifi cate Au thor i ties Cer tifi cate au thor i ties (CAs) are the glue that binds the pub lic key in fra struc ture to gether. These neu tral
or ga ni za tions of fer no ta riza tion ser vices for dig i tal cer tifi cates. To ob tain a dig i tal cer tifi cate from a rep utable CA, you must prove your iden tity to the sat is fac tion of the CA. The fol low ing list in cludes some of the ma jor CAs that pro vide widely ac cepted dig i tal cer tifi cates:
Syman tec
Iden Trust
Ama zon Web Ser vices
Glob al Sign
Co modo
Cer tum
Go Daddy
Dig iCert
Secom
En trust
Ac talis
Trust wave
Noth ing is pre vent ing any or ga ni za tion from sim ply set ting up shop as a CA. How ever, the cer tifi cates is sued by a CA are only as good as the trust placed in the CA that is sued them. This is an im por tant item to con sider when re ceiv ing a dig i tal cer tifi cate from a third party. If you don’t rec og nize and trust the name of the CA that is sued the cer tifi cate, you shouldn’t place any trust in the cer tifi cate at all. PKI re lies on a hi er ar chy of trust re la tion ships. If you con fig ure your browser to trust a CA, it will au to mat i cally trust all of the dig i tal cer tifi cates is sued by that CA. Browser de vel op ers pre con fig ure browsers to trust the ma jor CAs to avoid plac ing this bur den on users.
Reg is tra tion au thor i ties (RAs) as sist CAs with the bur den of ver i fy ing users’ iden ti ties prior to is su ing dig i tal cer tifi cates. They do not di rectly is sue cer tifi cates them selves, but they play an im por tant role in the cer ti fi ca tion process, al low ing CAs to re motely val i date user iden ti ties.
Cer tifi cate Path Val i da tion
You may have heard of cer tifi cate path val i da tion (CPV) in your stud ies of cer tifi cate au thor i ties. CPV means that each cer tifi cate in a cer tifi cate path from the orig i nal start or root of trust down to the server or client in ques tion is valid and le git i mate. CPV can be im por tant if you need to ver ify that ev ery link be tween “trusted” end points re mains cur rent, valid, and trust wor thy.
This is sue arises from time to time when in ter me di ary sys tems’ cer tifi cates ex pire or are re placed; this can break the chain of trust or the ver i fi ca tion path. By forc ing a rever i fi ca tion of all stages of trust, you can reestab lish all trust links and prove that the as sumed trust re mains as sured.
Cer tifi cate Gen er a tion and De struc tion The tech ni cal con cepts be hind the pub lic key in fra struc ture are rel a tively sim ple. In the fol low ing sec tions,
we’ll cover the pro cesses used by cer tifi cate au thor i ties to cre ate, val i date, and re voke client cer tifi cates.
En roll ment
191
When you want to ob tain a dig i tal cer tifi cate, you must first prove your iden tity to the CA in some man ner; this process is called en roll ment. As men tioned in the pre vi ous sec tion, this some times in volves phys i cally ap pear ing be fore an agent of the cer ti fi ca tion au thor ity with the ap pro pri ate iden ti fi ca tion doc u ments. Some cer tifi cate au thor i ties pro vide other means of ver i fi ca tion, in clud ing the use of credit re port data and iden tity ver i fi ca tion by trusted com mu nity lead ers.
Once you’ve sat is fied the cer tifi cate au thor ity re gard ing your iden tity, you pro vide them with your pub lic key. The CA next cre ates an X.509 dig i tal cer tifi cate con tain ing your iden ti fy ing in for ma tion and a copy of your pub lic key. The CA then dig i tally signs the cer tifi cate us ing the CA’s pri vate key and pro vides you with a copy of your signed dig i tal cer tifi cate. You may then safely dis trib ute this cer tifi cate to any one with whom you want to com mu ni cate se curely.
Ver i fi ca tion
When you re ceive a dig i tal cer tifi cate from some one with whom you want to com mu ni cate, you ver ify the cer tifi cate by check ing the CA’s dig i tal sig na ture us ing the CA’s pub lic key. Next, you must check and en sure that the cer tifi cate was not re voked us ing a cer tifi cate re vo ca tion list (CRL) or the On line Cer tifi cate Sta tus Pro to col (OCSP). At this point, you may as sume that the pub lic key listed in the cer tifi cate is au then tic, pro vided that it sat is fies the fol low ing re quire ments:
The dig i tal sig na ture of the CA is au then tic.
You trust the CA.
The cer tifi cate is not listed on a CRL.
The cer tifi cate ac tu ally con tains the data you are trust ing.
The last point is a sub tle but ex tremely im por tant item. Be fore you trust an iden ti fy ing piece of in for ma tion about some one, be sure that it is ac tu ally con tained within the cer tifi cate. If a cer tifi cate con tains the email ad dress ([email protected]) but not the in di vid ual’s name, you can be cer tain only that the pub lic key con tained therein is as so ci ated with that email ad dress. The CA is not mak ing any as ser tions about the ac tual iden tity of the [email protected] email ac count. How ever, if the cer tifi cate con tains the name Bill Jones along with an ad dress and tele phone num ber, the CA is vouch ing for that in for ma tion as well.
Dig i tal cer tifi cate ver i fi ca tion al go rithms are built in to a num ber of pop u lar web brows ing and email clients, so you won’t of ten need to get in volved in the par tic u lars of the process. How ever, it’s im por tant to have a solid un der stand ing of the tech ni cal de tails tak ing place be hind the scenes to make ap pro pri ate se cu rity judg ments for your or ga ni za tion. It’s also the rea son that, when pur chas ing a cer tifi cate, you choose a CA that is widely trusted. If a CA is not in cluded in, or is later pulled from, the list of CAs trusted by a ma jor browser, it will greatly limit the use ful ness of your cer tifi cate.
In 2017, a sig nif i cant se cu rity fail ure oc curred in the dig i tal cer tifi cate in dus try. Syman tec, through a se ries of af fil i ated com pa nies, is sued sev eral dig i tal cer tifi cates that did not meet in dus try se cu rity stan dards. In re sponse, Google an nounced that the Chrome browser would no longer trust Syman tec cer tifi cates. As a re sult, Syman tec wound up sell ing off its cer tifi cate-is su ing busi ness to Dig iCert, which agreed to prop erly val i date cer tifi cates prior to is suance. This demon strates the im por tance of prop erly val i dat ing cer tifi cate re quests. A se ries of seem ingly small lapses in pro ce dure can dec i mate a CA’s busi ness!
Re vo ca tion
Oc ca sion ally, a cer tifi cate au thor ity needs to re voke a cer tifi cate. This might oc cur for one of the fol low ing rea sons:
The cer tifi cate was com pro mised (for ex am ple, the cer tifi cate owner ac ci den tally gave away the pri vate key).
The cer tifi cate was er ro neously is sued (for ex am ple, the CA mis tak enly is sued a cer tifi cate with out proper ver i fi ca tion).
The de tails of the cer tifi cate changed (for ex am ple, the sub ject’s name changed).
The se cu rity as so ci a tion changed (for ex am ple, the sub ject is no longer em ployed by the or ga ni za tion spon sor ing the cer tifi cate).
The re vo ca tion re quest grace pe riod is the max i mum re sponse time within which a CA will
per form any re quested re vo ca tion. This is de fined in the Cer tifi cate Prac tice State ment (CPS). The CPS states the prac tices a CA em ploys when is su ing or man ag ing cer tifi cates.
192
You can use two tech niques to ver ify the au then tic ity of cer tifi cates and iden tify re voked cer tifi cates:
Cer tifi cate Re vo ca tion Lists Cer tifi cate re vo ca tion lists (CRLs) are main tained by the var i ous cer tifi cate au thor i ties and con tain the se rial num bers of cer tifi cates that have been is sued by a CA and have been re voked along with the date and time the re vo ca tion went into ef fect. The ma jor dis ad van tage to cer tifi cate re vo ca tion lists is that they must be down loaded and cross-ref er enced pe ri od i cally, in tro duc ing a pe riod of la tency be tween the time a cer tifi cate is re voked and the time end users are no ti fied of the re vo ca tion. How ever, CRLs re main the most com mon method of check ing cer tifi cate sta tus in use to day.
On line Cer tifi cate Sta tus Pro to col (OCSP) This pro to col elim i nates the la tency in her ent in the use of cer tifi cate re vo ca tion lists by pro vid ing a means for real-time cer tifi cate ver i fi ca tion. When a client re ceives a cer tifi cate, it sends an OCSP re quest to the CA’s OCSP server. The server then re sponds with a sta tus of valid, in valid, or un known.
Asym met ric Key Man age ment When work ing within the pub lic key in fra struc ture, it’s im por tant that you com ply with sev eral best
prac tice re quire ments to main tain the se cu rity of your com mu ni ca tions.
First, choose your en cryp tion sys tem wisely. As you learned ear lier, “se cu rity through ob scu rity” is not an ap pro pri ate ap proach. Choose an en cryp tion sys tem with an al go rithm in the pub lic do main that has been thor oughly vet ted by in dus try ex perts. Be wary of sys tems that use a “black-box” ap proach and main tain that the se crecy of their al go rithm is crit i cal to the in tegrity of the cryp tosys tem.
You must also se lect your keys in an ap pro pri ate man ner. Use a key length that bal ances your se cu rity re quire ments with per for mance con sid er a tions. Also, en sure that your key is truly ran dom. Any pat terns within the key in crease the like li hood that an at tacker will be able to break your en cryp tion and de grade the se cu rity of your cryp tosys tem.
When us ing pub lic key en cryp tion, keep your pri vate key se cret! Do not, un der any cir cum stances, al low any one else to gain ac cess to your pri vate key. Re mem ber, al low ing some one ac cess even once per ma nently com pro mises all com mu ni ca tions that take place (past, present, or fu ture) us ing that key and al lows the third party to suc cess fully im per son ate you.
Re tire keys when they’ve served a use ful life. Many or ga ni za tions have manda tory key ro ta tion re quire ments to pro tect against un de tected key com pro mise. If you don’t have a for mal pol icy that you must fol low, se lect an ap pro pri ate in ter val based on the fre quency with which you use your key. You might want to change your key pair ev ery few months, if prac ti cal.
Back up your key! If you lose the file con tain ing your pri vate key be cause of data cor rup tion, dis as ter, or other cir cum stances, you’ll cer tainly want to have a backup avail able. You may want to ei ther cre ate your own backup or use a key es crow ser vice that main tains the backup for you. In ei ther case, en sure that the backup is han dled in a se cure man ner. Af ter all, it’s just as im por tant as your pri mary key file!
Hard ware se cu rity mod ules (HSMs) also pro vide an ef fec tive way to man age en cryp tion keys. These hard ware de vices store and man age en cryp tion keys in a se cure man ner that pre vents hu mans from ever need ing to work di rectly with the keys. HSMs range in scope and com plex ity from very sim ple de vices, such as the Yu biKey, that store en crypted keys on a USB drive for per sonal use to more com plex en ter prise prod ucts that re side in a data cen ter. Cloud providers, such as Ama zon and Mi cro soft, also of fer cloud-based HSMs that pro vide se cure key man age ment for IaaS ser vices.
Ap plied Cryp tog ra phy Up to this point, you’ve learned a great deal about the foun da tions of cryp tog ra phy, the in ner work ings of
var i ous cryp to graphic al go rithms, and the use of the pub lic key in fra struc ture to dis trib ute iden tity cre den tials us ing dig i tal cer tifi cates. You should now feel com fort able with the ba sics of cryp tog ra phy and be pre pared to move on to higher-level ap pli ca tions of this tech nol ogy to solve ev ery day com mu ni ca tions prob lems.
In the fol low ing sec tions, we’ll ex am ine the use of cryp tog ra phy to se cure data at rest, such as that stored on por ta ble de vices, as well as data in tran sit, us ing tech niques that in clude se cure email, en crypted web com mu ni ca tions, and net work ing.
Por ta ble De vices The now ubiq ui tous na ture of note book com put ers, net books, smart phones, and tablets brings new risks
to the world of com put ing. Those de vices of ten con tain highly sen si tive in for ma tion that, if lost or stolen, could cause se ri ous harm to an or ga ni za tion and its cus tomers, em ploy ees, and af fil i ates. For this rea son, many or ga ni za tions turn to en cryp tion to pro tect the data on these de vices in the event they are mis placed.
193
Cur rent ver sions of pop u lar op er at ing sys tems now in clude disk en cryp tion ca pa bil i ties that make it easy to ap ply and man age en cryp tion on por ta ble de vices. For ex am ple, Mi cro soft Win dows in cludes the Bit Locker and En crypt ing File Sys tem (EFS) tech nolo gies, Mac OS X in cludes Fil e Vault en cryp tion, and the Ve r aCrypt open-source pack age al lows the en cryp tion of disks on Linux, Win dows, and Mac sys tems.
Trusted Plat form Mod ule
Mod ern com put ers of ten in clude a spe cial ized cryp to graphic com po nent known as a Trusted Plat form Mod ule (TPM). The TPM is a chip that re sides on the moth er board of the de vice. The TPM serves a num ber of pur poses, in clud ing the stor age and man age ment of keys used for full disk en cryp tion (FDE) so lu tions. The TPM pro vides the op er at ing sys tem with ac cess to the keys, pre vent ing some one from re mov ing the drive from one de vice and in sert ing it into an other de vice to ac cess the drive’s data.
A wide va ri ety of com mer cial tools are avail able that pro vide added fea tures and man age ment ca pa bil ity. The ma jor dif fer en tia tors be tween these tools are how they pro tect keys stored in mem ory, whether they pro vide full disk or vol ume-only en cryp tion, and whether they in te grate with hard ware-based Trusted Plat form Mod ules (TPMs) to pro vide added se cu rity. Any ef fort to se lect en cryp tion soft ware should in clude an anal y sis of how well the al ter na tives com pete on these char ac ter is tics.
Don’t for get about smart phones when de vel op ing your por ta ble de vice en cryp tion pol icy.
Most ma jor smart phone and tablet plat forms in clude en ter prise-level func tion al ity that sup ports en cryp tion of data stored on the phone.
Email We have men tioned sev eral times that se cu rity should be cost ef fec tive. When it comes to email, sim plic ity
is the most cost-ef fec tive op tion, but some times cryp tog ra phy func tions pro vide spe cific se cu rity ser vices that you can’t avoid us ing. Since en sur ing se cu rity is also cost ef fec tive, here are some sim ple rules about en crypt ing email:
If you need con fi den tial ity when send ing an email mes sage, en crypt the mes sage.
If your mes sage must main tain in tegrity, you must hash the mes sage.
If your mes sage needs au then ti ca tion, in tegrity and/or non re pu di a tion, you should dig i tally sign the mes sage.
If your mes sage re quires con fi den tial ity, in tegrity, au then ti ca tion, and non re pu di a tion, you should en crypt and dig i tally sign the mes sage.
It is al ways the re spon si bil ity of the sender to put proper mech a nisms in place to en sure that the se cu rity (that is, con fi den tial ity, in tegrity, au then tic ity, and non re pu di a tion) of a mes sage or trans mis sion is main tained.
One of the most in-de mand ap pli ca tions of cryp tog ra phy is en crypt ing and sign ing email mes sages. Un til re cently, en crypted email re quired the use of com plex, awk ward soft ware that in turn re quired man ual in ter ven tion and com pli cated key ex change pro ce dures. An in creased em pha sis on se cu rity in re cent years re sulted in the im ple men ta tion of strong en cryp tion tech nol ogy in main stream email pack ages. Next, we’ll look at some of the se cure email stan dards in wide spread use to day.
Pretty Good Pri vacy
Phil Zim mer man’s Pretty Good Pri vacy (PGP) se cure email sys tem ap peared on the com puter se cu rity scene in 1991. It com bines the CA hi er ar chy de scribed ear lier in this chap ter with the “web of trust” con cept— that is, you must be come trusted by one or more PGP users to be gin us ing the sys tem. You then ac cept their judg ment re gard ing the va lid ity of ad di tional users and, by ex ten sion, trust a mul ti level “web” of users de scend ing from your ini tial trust judg ments.
PGP ini tially en coun tered a num ber of hur dles to wide spread use. The most dif fi cult ob struc tion was the U.S. gov ern ment ex port reg u la tions, which treated en cryp tion tech nol ogy as mu ni tions and pro hib ited the dis tri bu tion of strong en cryp tion tech nol ogy out side the United States. For tu nately, this re stric tion has since been re pealed, and PGP may be freely dis trib uted to most coun tries.
PGP is avail able in two ver sions. The com mer cial ver sion uses RSA for key ex change, IDEA for en cryp tion/de cryp tion, and MD5 for mes sage di gest pro duc tion. The free ware ver sion (based on the
194
ex tremely sim i lar OpenPGP stan dard) uses Diffie-Hell man key ex change, the Carlisle Adams/Stafford Tavares (CAST) 128-bit en cryp tion/de cryp tion al go rithm, and the SHA-1 hash ing func tion.
Many com mer cial providers also of fer PGP-based email ser vices as web-based cloud email of fer ings, mo bile de vice ap pli ca tions, or web mail plug-ins. These ser vices ap peal to ad min is tra tors and end users be cause they re move the com plex ity of con fig ur ing and main tain ing en cryp tion cer tifi cates and pro vide users with a man aged se cure email ser vice. Some prod ucts in this cat e gory in clude Start Mail, Mail ve lope, SafeG mail, and Hush mail.
S/MIME
The Se cure/Mul ti pur pose In ter net Mail Ex ten sions (S/MIME) pro to col has emerged as a de facto stan dard for en crypted email. S/MIME uses the RSA en cryp tion al go rithm and has re ceived the back ing of ma jor in dus try play ers, in clud ing RSA Se cu rity. S/MIME has al ready been in cor po rated in a large num ber of com mer cial prod ucts, in clud ing these:
Mi cro soft Out look and Of fice 365
Mozilla Thun der bird
Mac OS X Mail
GSuite En ter prise edi tion
S/MIME re lies on the use of X.509 cer tifi cates for ex chang ing cryp to graphic keys. The pub lic keys con tained in these cer tifi cates are used for dig i tal sig na tures and for the ex change of sym met ric keys used for longer com mu ni ca tions ses sions. RSA is the only pub lic key cryp to graphic pro to col sup ported by S/MIME. The pro to col sup ports the AES and 3DES sym met ric en cryp tion al go rithms.
De spite strong in dus try sup port for the S/MIME stan dard, tech ni cal lim i ta tions have pre vented its wide spread adop tion. Al though ma jor desk top mail ap pli ca tions sup port S/MIME email, main stream web- based email sys tems do not sup port it out of the box (the use of browser ex ten sions is re quired).
Web Ap pli ca tions En cryp tion is widely used to pro tect web trans ac tions. This is mainly be cause of the strong move ment
to ward e-com merce and the de sire of both e-com merce ven dors and con sumers to se curely ex change fi nan cial in for ma tion (such as credit card in for ma tion) over the web. We’ll look at the two tech nolo gies that are re spon si ble for the small lock icon within web browsers—Se cure Sock ets Layer (SSL) and Trans port Layer Se cu rity (TLS).
SSL was de vel oped by Net scape to pro vide client/server en cryp tion for web traf fic. Hy per text Trans fer Pro to col Se cure (HTTPS) uses port 443 to ne go ti ate en crypted com mu ni ca tions ses sions be tween web servers and browser clients. Al though SSL orig i nated as a stan dard for Net scape browsers, Mi cro soft also adopted it as a se cu rity stan dard for its pop u lar In ter net Ex plorer browser. The in cor po ra tion of SSL into both of these prod ucts made it the de facto in ter net stan dard.
SSL re lies on the ex change of server dig i tal cer tifi cates to ne go ti ate en cryp tion/de cryp tion pa ram e ters be tween the browser and the web server. SSL’s goal is to cre ate se cure com mu ni ca tions chan nels that re main open for an en tire web brows ing ses sion. It de pends on a com bi na tion of sym met ric and asym met ric cryp tog ra phy. The fol low ing steps are in volved:
1. When a user ac cesses a web site, the browser re trieves the web server’s cer tifi cate and ex tracts the server’s pub lic key from it.
2. The browser then cre ates a ran dom sym met ric key, uses the server’s pub lic key to en crypt it, and then sends the en crypted sym met ric key to the server.
3. The server then de crypts the sym met ric key us ing its own pri vate key, and the two sys tems ex change all fu ture mes sages us ing the sym met ric en cryp tion key.
This ap proach al lows SSL to lever age the ad vanced func tion al ity of asym met ric cryp tog ra phy while en crypt ing and de crypt ing the vast ma jor ity of the data ex changed us ing the faster sym met ric al go rithm.
In 1999, se cu rity en gi neers pro posed TLS as a re place ment for the SSL stan dard, which was at the time in its third ver sion. As with SSL, TLS uses TCP port 443. Based on SSL tech nol ogy, TLS in cor po rated many se cu rity en hance ments and was even tu ally adopted as a re place ment for SSL in most ap pli ca tions. Early ver sions of TLS sup ported down grad ing com mu ni ca tions to SSL v3.0 when both par ties did not sup port TLS. How ever, in 2011, TLS v1.2 dropped this back ward com pat i bil ity.
In 2014, an at tack known as the Pad ding Or a cle On Down graded Legacy En cryp tion (POO DLE) demon strated a sig nif i cant flaw in the SSL 3.0 fall back mech a nism of TLS. In an ef fort to re me di ate this vul ner a bil ity, many or ga ni za tions com pletely dropped SSL sup port and now rely solely on TLS se cu rity.
195
Even though TLS has been in ex is tence for more than a decade, many peo ple still mis tak enly
call it SSL. For this rea son, TLS has gained the nick name SSL 3.1.
Steganog ra phy and Wa ter mark ing
Steganog ra phy is the art of us ing cryp to graphic tech niques to em bed se cret mes sages within an other mes sage. Stegano graphic al go rithms work by mak ing al ter ations to the least sig nif i cant bits of the many bits that make up im age files. The changes are so mi nor that there is no ap pre cia ble ef fect on the viewed im age. This tech nique al lows com mu ni cat ing par ties to hide mes sages in plain sight—for ex am ple, they might em bed a se cret mes sage within an il lus tra tion on an oth er wise in no cent web page.
Steganog ra phers of ten em bed their se cret mes sages within im ages or WAV files be cause these files are of ten so large that the se cret mes sage would eas ily be missed by even the most ob ser vant in spec tor. Steganog ra phy tech niques are of ten used for il le gal or ques tion able ac tiv i ties, such as es pi onage and child pornog ra phy.
Steganog ra phy can also be used for le git i mate pur poses, how ever. Adding dig i tal wa ter marks to doc u ments to pro tect in tel lec tual prop erty is ac com plished by means of steganog ra phy. The hid den in for ma tion is known only to the file’s cre ator. If some one later cre ates an unau tho rized copy of the con tent, the wa ter mark can be used to de tect the copy and (if uniquely wa ter marked files are pro vided to each orig i nal re cip i ent) trace the of fend ing copy back to the source.
Steganog ra phy is an ex tremely sim ple tech nol ogy to use, with free tools openly avail able on the in ter net. Fig ure 7.2 shows the en tire in ter face of one such tool, iS teg. It sim ply re quires that you spec ify a text file con tain ing your se cret mes sage and an im age file that you wish to use to hide the mes sage. Fig ure 7.3 shows an ex am ple of a pic ture with an em bed ded se cret mes sage; the mes sage is im pos si ble to de tect with the hu man eye.
FIG URE 7.2 Steganog ra phy tool
196
FIG URE 7.3 Im age with em bed ded mes sage
Dig i tal Rights Man age ment Dig i tal rights man age ment (DRM) soft ware uses en cryp tion to en force copy right re stric tions on dig i tal
me dia. Over the past decade, pub lish ers at tempted to de ploy DRM schemes across a va ri ety of me dia types, in clud ing mu sic, movies, and books. In many cases, par tic u larly with mu sic, op po nents met DRM de ploy ment at tempts with fierce op po si tion, ar gu ing that the use of DRM vi o lated their rights to freely en joy and make backup copies of le git i mately li censed me dia files.
As you will read in this sec tion, many com mer cial at tempts to de ploy DRM on a
wide spread ba sis failed when users re jected the tech nol ogy as in tru sive and/or ob struc tive.
Mu sic DRM
The mu sic in dus try has bat tled pi rates for years, dat ing back to the days of home made cas sette tape du pli ca tion and car ry ing through com pact disc and dig i tal for mats. Mu sic dis tri bu tion com pa nies at tempted to use a va ri ety of DRM schemes, but most backed away from the tech nol ogy un der pres sure from con sumers.
The use of DRM for pur chased mu sic slowed dra mat i cally when, fac ing this op po si tion, Ap ple rolled back their use of Fair Play DRM for mu sic sold through the iTunes Store. Ap ple co-founder Steve Jobs fore shad owed this move when, in 2007, he is sued an open let ter to the mu sic in dus try call ing on them to al low Ap ple to sell DRM-free mu sic. That let ter read, in part:
The third al ter na tive is to abol ish DRMs en tirely. Imag ine a world where ev ery on line store sells DRM- free mu sic en coded in open li cens able for mats. In such a world, any player can play mu sic pur chased from any store, and any store can sell mu sic which is playable on all play ers. This is clearly the best al ter na tive for con sumers, and Ap ple would em brace it in a heart beat. If the big four mu sic com pa nies would li cense Ap ple their mu sic with out the re quire ment that it be pro tected with a DRM, we would switch to sell ing only DRM-free mu sic on our iTunes store. Ev ery iPod ever made will play this DRM-free mu sic.
The full es say is no longer avail able on Ap ple’s web site, but an archived copy may be found at http://bit.ly/1TyB m5e.
Cur rently, the ma jor use of DRM tech nol ogy in mu sic is for sub scrip tion-based ser vices such as Nap ster and Kazaa, which use DRM to re voke a user’s ac cess to down loaded mu sic when their sub scrip tion pe riod ends.
Do the de scrip tions of DRM tech nol ogy in this sec tion seem a lit tle vague? There’s a rea son
for that: man u fac tur ers typ i cally do not dis close the de tails of their DRM func tion al ity due to fears that pi rates will use that in for ma tion to de feat the DRM scheme.
Movie DRM
197
The movie in dus try has used a va ri ety of DRM schemes over the years to stem the world wide prob lem of movie piracy. Two of the ma jor tech nolo gies used to pro tect mass-dis trib uted me dia are as fol lows:
High-Band width Dig i tal Con tent Pro tec tion (HDCP) Pro vides DRM pro tec tion for con tent sent over dig i tal con nec tions in clud ing HDMI, Dis play Port, and DVI in ter faces. While this tech nol ogy is still found in many im ple men ta tions, hack ers re leased an HDCP mas ter key in 2010, ren der ing the pro tec tion com pletely in ef fec tive.
Ad vanced Ac cess Con tent Sys tem (AACS) Pro tects the con tent stored on Blu-Ray and HD DVD me dia. Hack ers have demon strated at tacks that re trieved AACS en cryp tion keys and posted them on the in ter net.
In dus try pub lish ers and hack ers con tinue the cat-and-mouse game to day; me dia com pa nies try to pro tect their con tent and hack ers seek to gain con tin ued ac cess to un en crypted copies.
E-book DRM
Per haps the most suc cess ful de ploy ment of DRM tech nol ogy is in the area of book and doc u ment pub lish ing. Most e-books made avail able to day use some form of DRM, and these tech nolo gies also pro tect sen si tive doc u ments pro duced by cor po ra tions with DRM ca pa bil i ties.
All DRM schemes in use to day share a fa tal flaw: the de vice used to ac cess the con tent must
have ac cess to the de cryp tion key. If the de cryp tion key is stored on a de vice pos sessed by the end user, there is al ways a chance that the user will ma nip u late the de vice to gain ac cess to the key.
Adobe Sys tems of fers the Adobe Dig i tal Ex pe ri ence Pro tec tion Tech nol ogy (ADEPT) to pro vide DRM tech nol ogy for e-books sold in a va ri ety of for mats. ADEPT uses a com bi na tion of AES tech nol ogy to en crypt the me dia con tent and RSA en cryp tion to pro tect the AES key. Many e-book read ers, with the no table ex cep tion of the Ama zon Kin dle, use this tech nol ogy to pro tect their con tent. Ama zon’s Kin dle e-read ers use a va ri ety of for mats for book dis tri bu tion, and each con tains its own en cryp tion tech nol ogy.
Video Game DRM
Many video games im ple ment DRM tech nol ogy that de pends on con soles us ing an ac tive in ter net con nec tion to ver ify the game li cense with a cloud-based ser vice. These tech nolo gies, such as Ubisoft’s Up lay, once typ i cally re quired a con stant in ter net con nec tion to fa cil i tate game play. If a player lost con nec tion, the game would cease func tion ing.
In March 2010, the Up lay sys tem came un der a de nial-of-ser vice at tack and play ers of Up lay-en abled games around the world were un able to play games that pre vi ously func tioned prop erly be cause their con soles were un able to ac cess the Up lay servers. This led to pub lic out cry, and Ubisoft later re moved the al ways-on re quire ment, shift ing to a DRM ap proach that only re quires an ini tial ac ti va tion of the game on the con sole and then al lows un re stricted use.
Doc u ment DRM
Al though the most com mon uses of DRM tech nol ogy pro tect en ter tain ment con tent, or ga ni za tions may also use DRM to pro tect the se cu rity of sen si tive in for ma tion stored in PDF files, of fice pro duc tiv ity doc u ments, and other for mats. Com mer cial DRM prod ucts, such as Vit rium and FileOpen, use en cryp tion to pro tect source con tent and then en able or ga ni za tions to care fully con trol doc u ment rights.
Here are some of the com mon per mis sions re stricted by doc u ment DRM so lu tions:
Read ing a file
Mod i fy ing the con tents of a file
Re mov ing wa ter marks from a file
Down load ing/sav ing a file
Print ing a file
Tak ing screen shots of file con tent
DRM so lu tions al low or ga ni za tions to con trol these rights by grant ing them when needed, re vok ing them when no longer nec es sary, and even au to mat i cally ex pir ing rights af ter a spec i fied pe riod of time.
Net work ing The fi nal ap pli ca tion of cryp tog ra phy we’ll ex plore in this chap ter is the use of cryp to graphic al go rithms to
pro vide se cure net work ing ser vices. In the fol low ing sec tions, we’ll take a brief look at two meth ods used to
198
se cure com mu ni ca tions cir cuits. We’ll also look at IPsec and In ter net Se cu rity As so ci a tion and Key Man age ment Pro to col (ISAKMP) as well as some of the se cu rity is sues sur round ing wire less net work ing.
Cir cuit En cryp tion
Se cu rity ad min is tra tors use two types of en cryp tion tech niques to pro tect data trav el ing over net works:
Link en cryp tion pro tects en tire com mu ni ca tions cir cuits by cre at ing a se cure tun nel be tween two points us ing ei ther a hard ware so lu tion or a soft ware so lu tion that en crypts all traf fic en ter ing one end of the tun nel and de crypts all traf fic en ter ing the other end of the tun nel. For ex am ple, a com pany with two of fices con nected via a data cir cuit might use link en cryp tion to pro tect against at tack ers mon i tor ing at a point in be tween the two of fices.
End-to-end en cryp tion pro tects com mu ni ca tions be tween two par ties (for ex am ple, a client and a server) and is per formed in de pen dently of link en cryp tion. An ex am ple of end-to-end en cryp tion would be the use of TLS to pro tect com mu ni ca tions be tween a user and a web server. This pro tects against an in truder who might be mon i tor ing traf fic on the se cure side of an en crypted link or traf fic sent over an un en crypted link.
The crit i cal dif fer ence be tween link and end-to-end en cryp tion is that in link en cryp tion, all the data, in clud ing the header, trailer, ad dress, and rout ing data, is also en crypted. There fore, each packet has to be de crypted at each hop so it can be prop erly routed to the next hop and then re-en crypted be fore it can be sent along its way, which slows the rout ing. End-to-end en cryp tion does not en crypt the header, trailer, ad dress, and rout ing data, so it moves faster from point to point but is more sus cep ti ble to snif fers and eaves drop pers.
When en cryp tion hap pens at the higher OSI lay ers, it is usu ally end-to-end en cryp tion, and if en cryp tion is done at the lower lay ers of the OSI model, it is usu ally link en cryp tion.
Se cure Shell (SSH) is a good ex am ple of an end-to-end en cryp tion tech nique. This suite of pro grams pro vides en crypted al ter na tives to com mon in ter net ap pli ca tions such as File Trans fer Pro to col (FTP), Tel net, and rlogin. There are ac tu ally two ver sions of SSH. SSH1 (which is now con sid ered in se cure) sup ports the Data En cryp tion Stan dard (DES), Triple DES (3DES), and In ter na tional Data En cryp tion Al go rithm (IDEA), and Blow fish al go rithms. SSH2 drops sup port for DES and IDEA but adds sup port for sev eral other al go rithms.
IPsec
Var i ous se cu rity ar chi tec tures are in use to day, each one de signed to ad dress se cu rity is sues in dif fer ent en vi ron ments. One such ar chi tec ture that sup ports se cure com mu ni ca tions is the In ter net Pro to col Se cu rity (IPsec) stan dard. IPsec is a stan dard ar chi tec ture set forth by the In ter net En gi neer ing Task Force (IETF) for set ting up a se cure chan nel to ex change in for ma tion be tween two en ti ties.
The en ti ties com mu ni cat ing via IPsec could be two sys tems, two routers, two gate ways, or any com bi na tion of en ti ties. Al though gen er ally used to con nect two net works, IPsec can be used to con nect in di vid ual com put ers, such as a server and a work sta tion or a pair of work sta tions (sender and re ceiver, per haps). IPsec does not dic tate all im ple men ta tion de tails but is an open, mod u lar frame work that al lows many man u fac tur ers and soft ware de vel op ers to de velop IPsec so lu tions that work well with prod ucts from other ven dors.
IPsec uses pub lic key cryp tog ra phy to pro vide en cryp tion, ac cess con trol, non re pu di a tion, and mes sage au then ti ca tion, all us ing IP-based pro to cols. The pri mary use of IPsec is for vir tual pri vate net works (VPNs), so IPsec can op er ate in ei ther trans port or tun nel mode. IPsec is com monly paired with the Layer 2 Tun nel ing Pro to col (L2TP) as L2TP/IPsec.
The IP Se cu rity (IPsec) pro to col pro vides a com plete in fra struc ture for se cured net work com mu ni ca tions. IPsec has gained wide spread ac cep tance and is now of fered in a num ber of com mer cial op er at ing sys tems out of the box. IPsec re lies on se cu rity as so ci a tions, and there are two main com po nents:
The Au then ti ca tion Header (AH) pro vides as sur ances of mes sage in tegrity and non re pu di a tion. AH also pro vides au then ti ca tion and ac cess con trol and pre vents re play at tacks.
The En cap su lat ing Se cu rity Pay load (ESP) pro vides con fi den tial ity and in tegrity of packet con tents. It pro vides en cryp tion and lim ited au then ti ca tion and pre vents re play at tacks.
ESP also pro vides some lim ited au then ti ca tion, but not to the de gree of the AH. Though
ESP is some times used with out AH, it’s rare to see AH used with out ESP.
199
IPsec pro vides for two dis crete modes of op er a tion. When IPsec is used in trans port mode, only the packet pay load is en crypted. This mode is de signed for peer-to-peer com mu ni ca tion. When it’s used in tun nel mode, the en tire packet, in clud ing the header, is en crypted. This mode is de signed for gate way-to-gate way com mu ni ca tion.
IPsec is an ex tremely im por tant con cept in mod ern com puter se cu rity. Be cer tain that you’re
fa mil iar with the com po nent pro to cols and modes of IPsec op er a tion.
At run time, you set up an IPsec ses sion by cre at ing a se cu rity as so ci a tion (SA). The SA rep re sents the com mu ni ca tion ses sion and records any con fig u ra tion and sta tus in for ma tion about the con nec tion. The SA rep re sents a sim plex con nec tion. If you want a two-way chan nel, you need two SAs, one for each di rec tion. Also, if you want to sup port a bidi rec tional chan nel us ing both AH and ESP, you will need to set up four SAs.
Some of IPsec’s great est strengths come from be ing able to fil ter or man age com mu ni ca tions on a per-SA ba sis so that clients or gate ways be tween which se cu rity as so ci a tions ex ist can be rig or ously man aged in terms of what kinds of pro to cols or ser vices can use an IPsec con nec tion. Also, with out a valid se cu rity as so ci a tion de fined, pairs of users or gate ways can not es tab lish IPsec links.
Fur ther de tails of the IPsec al go rithm are pro vided in Chap ter 11, “Se cure Net work Ar chi tec ture and Se cur ing Net work Com po nents.”
ISAKMP
The In ter net Se cu rity As so ci a tion and Key Man age ment Pro to col (ISAKMP) pro vides back ground se cu rity sup port ser vices for IPsec by ne go ti at ing, es tab lish ing, mod i fy ing, and delet ing se cu rity as so ci a tions. As you learned in the pre vi ous sec tion, IPsec re lies on a sys tem of se cu rity as so ci a tions (SAs). These SAs are man aged through the use of ISAKMP. There are four ba sic re quire ments for ISAKMP, as set forth in In ter net RFC 2408:
Au then ti cate com mu ni cat ing peers
Cre ate and man age se cu rity as so ci a tions
Pro vide key gen er a tion mech a nisms
Pro tect against threats (for ex am ple, re play and de nial-of-ser vice at tacks)
Wire less Net work ing
The wide spread rapid adop tion of wire less net works poses a tremen dous se cu rity risk. Many tra di tional net works do not im ple ment en cryp tion for rou tine com mu ni ca tions be tween hosts on the lo cal net work and rely on the as sump tion that it would be too dif fi cult for an at tacker to gain phys i cal ac cess to the net work wire in side a se cure lo ca tion to eaves drop on the net work. How ever, wire less net works trans mit data through the air, leav ing them ex tremely vul ner a ble to in ter cep tion. There are two main types of wire less se cu rity:
Wired Equiv a lent Pri vacy Wired Equiv a lent Pri vacy (WEP) pro vides 64- and 128-bit en cryp tion op tions to pro tect com mu ni ca tions within the wire less LAN. WEP is de scribed in IEEE 802.11 as an op tional com po nent of the wire less net work ing stan dard.
Crypt anal y sis has con clu sively demon strated that sig nif i cant flaws ex ist in the WEP
al go rithm, mak ing it pos si ble to com pletely un der mine the se cu rity of a WEP-pro tected net work within sec onds. You should never use WEP en cryp tion to pro tect a wire less net work. In fact, the use of WEP en cryp tion on a store net work was the root cause be hind the TJX se cu rity breach that was widely pub li cized in 2007. Again, you should never use WEP en cryp tion on a wire less net work.
WiFi Pro tected Ac cess WiFi Pro tected Ac cess (WPA) im proves on WEP en cryp tion by im ple ment ing the Tem po ral Key In tegrity Pro to col (TKIP), elim i nat ing the cryp to graphic weak nesses that un der mined WEP. A fur ther im prove ment to the tech nique, dubbed WPA2, adds AES cryp tog ra phy. WPA2 pro vides se cure al go rithms ap pro pri ate for use on mod ern wire less net works.
Re mem ber that WPA does not pro vide an end-to-end se cu rity so lu tion. It en crypts traf fic
only be tween a mo bile com puter and the near est wire less ac cess point. Once the traf fic hits the wired net work, it’s in the clear again.
200
An other com monly used se cu rity stan dard, IEEE 802.1x, pro vides a flex i ble frame work for au then ti ca tion and key man age ment in wired and wire less net works. To use 802.1x, the client runs a piece of soft ware known as the sup pli cant. The sup pli cant com mu ni cates with the au then ti ca tion server. Af ter suc cess ful au then ti ca tion, the net work switch or wire less ac cess point al lows the client to ac cess the net work. WPA was de signed to in ter act with 802.1x au then ti ca tion servers.
Cryp to graphic At tacks As with any se cu rity mech a nism, ma li cious in di vid u als have found a num ber of at tacks to de feat
cryp tosys tems. It’s im por tant that you un der stand the threats posed by var i ous cryp to graphic at tacks to min i mize the risks posed to your sys tems:
An a lytic At tack This is an al ge braic ma nip u la tion that at tempts to re duce the com plex ity of the al go rithm. An a lytic at tacks fo cus on the logic of the al go rithm it self.
Im ple men ta tion At tack This is a type of at tack that ex ploits weak nesses in the im ple men ta tion of a cryp tog ra phy sys tem. It fo cuses on ex ploit ing the soft ware code, not just er rors and flaws but the method ol ogy em ployed to pro gram the en cryp tion sys tem.
Sta tis ti cal At tack A sta tis ti cal at tack ex ploits sta tis ti cal weak nesses in a cryp tosys tem, such as float ing- point er rors and in abil ity to pro duce truly ran dom num bers. Sta tis ti cal at tacks at tempt to find a vul ner a bil ity in the hard ware or op er at ing sys tem host ing the cryp tog ra phy ap pli ca tion.
Brute Force Brute-force at tacks are quite straight for ward. Such an at tack at tempts ev ery pos si ble valid com bi na tion for a key or pass word. They in volve us ing mas sive amounts of pro cess ing power to me thod i cally guess the key used to se cure cryp to graphic com mu ni ca tions.
For a non flawed pro to col, the av er age amount of time re quired to dis cover the key through a brute-force at tack is di rectly pro por tional to the length of the key. A brute-force at tack will al ways be suc cess ful given enough time. Ev ery ad di tional bit of key length dou bles the time to per form a brute-force at tack be cause the num ber of po ten tial keys dou bles.
There are two mod i fi ca tions that at tack ers can make to en hance the ef fec tive ness of a brute-force at tack:
Rain bow ta bles pro vide pre com puted val ues for cryp to graphic hashes. These are com monly used for crack ing pass words stored on a sys tem in hashed form.
Spe cial ized, scal able com put ing hard ware de signed specif i cally for the con duct of brute-force at tacks may greatly in crease the ef fi ciency of this ap proach.
Salt ing Saves Pass words
Salt might be haz ardous to your health, but it can save your pass word! To help com bat the use of brute-force at tacks, in clud ing those aided by dic tio nar ies and rain bow ta bles, cryp tog ra phers make use of a tech nol ogy known as cryp to graphic salt.
The cryp to graphic salt is a ran dom value that is added to the end of the pass word be fore the op er at ing sys tem hashes the pass word. The salt is then stored in the pass word file along with the hash. When the op er at ing sys tem wishes to com pare a user’s prof fered pass word to the pass word file, it first re trieves the salt and ap pends it to the pass word. It feeds the con cate nated value to the hash func tion and com pares the re sult ing hash with the one stored in the pass word file.
Spe cial ized pass word hash ing func tions, such as PBKDF2, bcrypt, and scrypt, al low for the cre ation of hashes us ing salts and also in cor po rate a tech nique known as key stretch ing that makes it more com pu ta tion ally dif fi cult to per form a sin gle pass word guess.
The use of salt ing, es pe cially when com bined with key stretch ing, dra mat i cally in creases the dif fi culty of brute-force at tacks. Any one at tempt ing to build a rain bow ta ble must build a sep a rate ta ble for each pos si ble value of the cryp to graphic salt.
Fre quency Anal y sis and the Ci pher text Only At tack In many cases, the only in for ma tion you have at your dis posal is the en crypted ci pher text mes sage, a sce nario known as the ci pher text only at tack. In this case, one tech nique that proves help ful against sim ple ci phers is fre quency anal y sis—count ing the num ber of times each let ter ap pears in the ci pher text. Us ing your knowl edge that the let ters E, T, A, O, I, N are the most com mon in the Eng lish lan guage, you can then test sev eral hy pothe ses:
If these let ters are also the most com mon in the ci pher text, the ci pher was likely a trans po si tion ci pher, which re ar ranged the char ac ters of the plain text with out al ter ing them.
201
If other let ters are the most com mon in the ci pher text, the ci pher is prob a bly some form of sub sti tu tion ci pher that re placed the plain text char ac ters.
This is a sim ple over view of fre quency anal y sis, and many so phis ti cated vari a tions on this tech nique can be used against polyal pha betic ci phers and other so phis ti cated cryp tosys tems.
Known Plain text In the known plain text at tack, the at tacker has a copy of the en crypted mes sage along with the plain text mes sage used to gen er ate the ci pher text (the copy). This knowl edge greatly as sists the at tacker in break ing weaker codes. For ex am ple, imag ine the ease with which you could break the Cae sar ci pher de scribed in Chap ter 6 if you had both a plain text copy and a ci pher text copy of the same mes sage.
Cho sen Ci pher text In a cho sen ci pher text at tack, the at tacker has the abil ity to de crypt cho sen por tions of the ci pher text mes sage and use the de crypted por tion of the mes sage to dis cover the key.
Cho sen Plain text In a cho sen plain text at tack, the at tacker has the abil ity to en crypt plain text mes sages of their choos ing and can then an a lyze the ci pher text out put of the en cryp tion al go rithm.
Meet in the Mid dle At tack ers might use a meet-in-the-mid dle at tack to de feat en cryp tion al go rithms that use two rounds of en cryp tion. This at tack is the rea son that Dou ble DES (2DES) was quickly dis carded as a vi able en hance ment to the DES en cryp tion (it was re placed by Triple DES, or 3DES).
In the meet-in-the-mid dle at tack, the at tacker uses a known plain text mes sage. The plain text is then en crypted us ing ev ery pos si ble key (k1), and the equiv a lent ci pher text is de crypted us ing all pos si ble keys (k2). When a match is found, the cor re spond ing pair (k1, k2) rep re sents both por tions of the dou ble en cryp tion. This type of at tack gen er ally takes only dou ble the time nec es sary to break a sin gle round of en cryp tion (or 2n
rather than the an tic i pated 2n * 2n), of fer ing min i mal added pro tec tion.
Man in the Mid dle In the man-in-the-mid dle at tack, a ma li cious in di vid ual sits be tween two com mu ni cat ing par ties and in ter cepts all com mu ni ca tions (in clud ing the setup of the cryp to graphic ses sion). The at tacker re sponds to the orig i na tor’s ini tial iza tion re quests and sets up a se cure ses sion with the orig i na tor. The at tacker then es tab lishes a sec ond se cure ses sion with the in tended re cip i ent us ing a dif fer ent key and pos ing as the orig i na tor. The at tacker can then “sit in the mid dle” of the com mu ni ca tion and read all traf fic as it passes be tween the two par ties.
Be care ful not to con fuse the meet-in-the-mid dle at tack with the man-in-the-mid dle at tack.
They may have sim i lar names, but they are quite dif fer ent!
Birth day The birth day at tack, also known as a col li sion at tack or re verse hash match ing (see the dis cus sion of brute-force and dic tio nary at tacks in Chap ter 14, “Con trol ling and Mon i tor ing Ac cess”), seeks to find flaws in the one-to-one na ture of hash ing func tions. In this at tack, the ma li cious in di vid ual seeks to sub sti tute in a dig i tally signed com mu ni ca tion a dif fer ent mes sage that pro duces the same mes sage di gest, thereby main tain ing the va lid ity of the orig i nal dig i tal sig na ture.
Don’t for get that so cial en gi neer ing tech niques can also be used in crypt anal y sis. If you’re
able to ob tain a de cryp tion key by sim ply ask ing the sender for it, that’s much eas ier than at tempt ing to crack the cryp tosys tem!
Re play The re play at tack is used against cryp to graphic al go rithms that don’t in cor po rate tem po ral pro tec tions. In this at tack, the ma li cious in di vid ual in ter cepts an en crypted mes sage be tween two par ties (of ten a re quest for au then ti ca tion) and then later “re plays” the cap tured mes sage to open a new ses sion. This at tack can be de feated by in cor po rat ing a time stamp and ex pi ra tion pe riod into each mes sage.
Sum mary Asym met ric key cryp tog ra phy, or pub lic key en cryp tion, pro vides an ex tremely flex i ble in fra struc ture,
fa cil i tat ing sim ple, se cure com mu ni ca tion be tween par ties that do not nec es sar ily know each other prior to ini ti at ing the com mu ni ca tion. It also pro vides the frame work for the dig i tal sign ing of mes sages to en sure non re pu di a tion and mes sage in tegrity.
This chap ter ex plored pub lic key en cryp tion, which pro vides a scal able cryp to graphic ar chi tec ture for use by large num bers of users. We also de scribed some pop u lar cryp to graphic al go rithms, such as link en cryp tion and end-to-end en cryp tion. Fi nally, we in tro duced you to the pub lic key in fra struc ture, which uses cer tifi cate au thor i ties (CAs) to gen er ate dig i tal cer tifi cates con tain ing the pub lic keys of sys tem users and dig i tal sig na tures, which rely on a com bi na tion of pub lic key cryp tog ra phy and hash ing func tions.
202
We also looked at some of the com mon ap pli ca tions of cryp to graphic tech nol ogy in solv ing ev ery day prob lems. You learned how cryp tog ra phy can be used to se cure email (us ing PGP and S/MIME), web com mu ni ca tions (us ing SSL and TLS), and both peer-to-peer and gate way-to-gate way net work ing (us ing IPsec and ISAKMP) as well as wire less com mu ni ca tions (us ing WPA and WPA2).
Fi nally, we cov ered some of the more com mon at tacks used by ma li cious in di vid u als at tempt ing to in ter fere with or in ter cept en crypted com mu ni ca tions be tween two par ties. Such at tacks in clude birth day, crypt an a lytic, re play, brute-force, known plain text, cho sen plain text, cho sen ci pher text, meet-in-the-mid dle, man-in-the-mid dle, and birth day at tacks. It’s im por tant for you to un der stand these at tacks in or der to pro vide ad e quate se cu rity against them.
Exam Es sen tials Un der stand the key types used in asym met ric cryp tog ra phy. Pub lic keys are freely shared among
com mu ni cat ing par ties, whereas pri vate keys are kept se cret. To en crypt a mes sage, use the re cip i ent’s pub lic key. To de crypt a mes sage, use your own pri vate key. To sign a mes sage, use your own pri vate key. To val i date a sig na ture, use the sender’s pub lic key.
Be fa mil iar with the three ma jor pub lic key cryp tosys tems. RSA is the most fa mous pub lic key cryp tosys tem; it was de vel oped by Rivest, Shamir, and Adle man in 1977. It de pends on the dif fi culty of fac tor ing the prod uct of prime num bers. El Gamal is an ex ten sion of the Diffie-Hell man key ex change al go rithm that de pends on mod u lar arith metic. The el lip tic curve al go rithm de pends on the el lip tic curve dis crete log a rithm prob lem and pro vides more se cu rity than other al go rithms when both are used with keys of the same length.
Know the fun da men tal re quire ments of a hash func tion. Good hash func tions have five re quire ments. They must al low in put of any length, pro vide fixed-length out put, make it rel a tively easy to com pute the hash func tion for any in put, pro vide one-way func tion al ity, and be col li sion free.
Be fa mil iar with the ma jor hash ing al go rithms. The suc ces sors to the Se cure Hash Al go rithm (SHA), SHA-1 and SHA-2, make up the gov ern ment stan dard mes sage di gest func tion. SHA-1 pro duces a 160- bit mes sage di gest whereas SHA-2 sup ports vari able lengths, rang ing up to 512 bits. SHA-3 im proves upon the se cu rity of SHA-2 and sup ports the same hash lengths.
Know how cryp to graphic salts im prove the se cu rity of pass word hash ing. When straight for ward hash ing is used to store pass words in a pass word file, at tack ers may use rain bow ta bles of pre com puted val ues to iden tify com monly used pass words. Adding salts to the pass words be fore hash ing them re duces the ef fec tive ness of rain bow ta ble at tacks. Com mon pass word hash ing al go rithms that use key stretch ing to fur ther in crease the dif fi culty of at tack in clude PBKDF2, bcrypt, and scrypt.
Un der stand how dig i tal sig na tures are gen er ated and ver i fied. To dig i tally sign a mes sage, first use a hash ing func tion to gen er ate a mes sage di gest. Then en crypt the di gest with your pri vate key. To ver ify the dig i tal sig na ture on a mes sage, de crypt the sig na ture with the sender’s pub lic key and then com pare the mes sage di gest to one you gen er ate your self. If they match, the mes sage is au then tic.
Know the com po nents of the Dig i tal Sig na ture Stan dard (DSS). The Dig i tal Sig na ture Stan dard uses the SHA-1, SHA-2, and SHA-3 mes sage di gest func tions along with one of three en cryp tion al go rithms: the Dig i tal Sig na ture Al go rithm (DSA); the Rivest, Shamir, Adle man (RSA) al go rithm; or the El lip tic Curve DSA (ECDSA) al go rithm.
Un der stand the pub lic key in fra struc ture (PKI). In the pub lic key in fra struc ture, cer tifi cate au thor i ties (CAs) gen er ate dig i tal cer tifi cates con tain ing the pub lic keys of sys tem users. Users then dis trib ute these cer tifi cates to peo ple with whom they want to com mu ni cate. Cer tifi cate re cip i ents ver ify a cer tifi cate us ing the CA’s pub lic key.
Know the com mon ap pli ca tions of cryp tog ra phy to se cure email. The emerg ing stan dard for en crypted mes sages is the S/MIME pro to col. An other pop u lar email se cu rity tool is Phil Zim mer man’s Pretty Good Pri vacy (PGP). Most users of email en cryp tion rely on hav ing this tech nol ogy built into their email client or their web-based email ser vice.
Know the com mon ap pli ca tions of cryp tog ra phy to se cure web ac tiv ity. The de facto stan dard for se cure web traf fic is the use of HTTP over Trans port Layer Se cu rity (TLS) or the older Se cure Sock ets Layer (SSL). Most web browsers sup port both stan dards, but many web sites are drop ping sup port for SSL due to se cu rity con cerns.
Know the com mon ap pli ca tions of cryp tog ra phy to se cure net work ing. The IPsec pro to col stan dard pro vides a com mon frame work for en crypt ing net work traf fic and is built into a num ber of com mon op er at ing sys tems. In IPsec trans port mode, packet con tents are en crypted for peer-to-peer com mu ni ca tion. In tun nel mode, the en tire packet, in clud ing header in for ma tion, is en crypted for gate way-to-gate way com mu ni ca tions.
203
Be able to de scribe IPsec. IPsec is a se cu rity ar chi tec ture frame work that sup ports se cure com mu ni ca tion over IP. IPsec es tab lishes a se cure chan nel in ei ther trans port mode or tun nel mode. It can be used to es tab lish di rect com mu ni ca tion be tween com put ers or to set up a VPN be tween net works. IPsec uses two pro to cols: Au then ti ca tion Header (AH) and En cap su lat ing Se cu rity Pay load (ESP).
Be able to ex plain com mon cryp to graphic at tacks. Brute-force at tacks are at tempts to ran domly find the cor rect cryp to graphic key. Known plain text, cho sen ci pher text, and cho sen plain text at tacks re quire the at tacker to have some ex tra in for ma tion in ad di tion to the ci pher text. The meet-in-the-mid dle at tack ex ploits pro to cols that use two rounds of en cryp tion. The man-in-the-mid dle at tack fools both par ties into com mu ni cat ing with the at tacker in stead of di rectly with each other. The birth day at tack is an at tempt to find col li sions in hash func tions. The re play at tack is an at tempt to re use au then ti ca tion re quests.
Un der stand uses of dig i tal rights man age ment (DRM). Dig i tal rights man age ment (DRM) so lu tions al low con tent own ers to en force re stric tions on the use of their con tent by oth ers. DRM so lu tions com monly pro tect en ter tain ment con tent, such as mu sic, movies, and e-books but are oc ca sion ally found in the en ter prise, pro tect ing sen si tive in for ma tion stored in doc u ments.
Writ ten Lab
1. Ex plain the process Bob should use if he wants to send a con fi den tial mes sage to Al ice us ing asym met ric cryp tog ra phy.
2. Ex plain the process Al ice would use to de crypt the mes sage Bob sent in ques tion 1.
3. Ex plain the process Bob should use to dig i tally sign a mes sage to Al ice.
4. Ex plain the process Al ice should use to ver ify the dig i tal sig na ture on the mes sage from Bob in ques tion 3.