Cryptography: Securing the Information Age

Source: www.viisage.com
Source: www.aep.ie/product/technical.html


Page 2: Cryptography: Securing the Information Age

Source: www.zonezero.com

Agenda

• Definitions
• Why is cryptography important?
• Available technologies
• Benefits & problems
• Future of cryptography
• Houston resources

Page 3: Cryptography: Securing the Information Age

Essential Terms

• Cryptography
• Encryption: plain text to cipher text
• Decryption: cipher text to plain text
• Cryptanalysis
• Cryptology

Source: http://www.unmuseum.org/enigma.jpg

Page 4: Cryptography: Securing the Information Age

Information Security for…

• Defending against external/internal hackers
• Defending against industrial espionage
• Securing E-commerce
• Securing bank accounts/electronic transfers
• Securing intellectual property
• Avoiding liability

Page 5: Cryptography: Securing the Information Age

Threats to Information Security

• Pervasiveness of email/networks
• Online storage of sensitive information
• Insecure technologies (e.g. wireless)
• Trend towards paperless society
• Weak legal protection of email privacy

Page 6: Cryptography: Securing the Information Age

Types of Secret Writing

• Secret writing
  – Steganography
  – Cryptography

Page 7: Cryptography: Securing the Information Age

Steganography

• Steganography – covered writing – is the art of hiding information
• Popular contemporary steganographic technologies hide information in images

New York Times, August 3rd, 2001
http://www.nytimes.com/images/2001/10/30/science/sci_STEGO_011030_00.jpg

Page 8: Cryptography: Securing the Information Age

Hiding information in pictures

Image in which to hide another image

Image to hide within the other image

http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/

Page 9: Cryptography: Securing the Information Age

Retrieving information from pictures

http://www.cl.cam.ac.uk/~fapp2/steganography/image_downgrading/

Image with the other image hidden within

Recreated image

Page 10: Cryptography: Securing the Information Age

Digital Watermarks

Source: http://www.digimarc.com

Page 11: Cryptography: Securing the Information Age

Types of Secret Writing

• Secret writing
  – Steganography
  – Cryptography
    – Substitution
      – Code
      – Cipher
    – Transposition

Page 12: Cryptography: Securing the Information Age

Public Key Cryptography

• Private (symmetric, secret) key – the same key used for encryption/decryption
• Problem of key distribution
• Public (asymmetric) key cryptography – a public key used for encryption and private key for decryption
• Key distribution problem solved

Page 13: Cryptography: Securing the Information Age

Currently Available Crypto Algorithms (private key)

• DES (Data Encryption Standard) and derivatives: double DES and triple DES
• IDEA (International Data Encryption Standard)
• Blowfish
• RC5 (Rivest Cipher #5)
• AES (Advanced Encryption Standard)

Page 14: Cryptography: Securing the Information Age

Currently Available Crypto Algorithms (public key)

• RSA (Rivest, Shamir, Adleman)
• DH (Diffie-Hellman Key Agreement Algorithm)
• ECDH (Elliptic Curve Diffie-Hellman Key Agreement Algorithm)
• RPK (Raike Public Key)

Page 15: Cryptography: Securing the Information Age

Currently Available Technologies

PGP (Pretty Good Privacy) – a hybrid encryption technology
– Message is encrypted using a private key algorithm (IDEA)
– Key is then encrypted using a public key algorithm (RSA)
– For file encryption, only IDEA algorithm is used
– PGP is free for home use

Page 16: Cryptography: Securing the Information Age

Authentication and Digital Signatures

• Preventing impostor attacks
• Preventing content tampering
• Preventing timing modification
• Preventing repudiation

By:
• Encryption itself
• Cryptographic checksum and hash functions

Page 17: Cryptography: Securing the Information Age


Digital Signatures

• Made by encrypting a message digest (cryptographic checksum) with the sender’s private key

• Receiver decrypts with the sender’s public key (roles of private and public keys are flipped)

Page 18: Cryptography: Securing the Information Age

PKI and CA

• Digital signature does not confirm identity
• Public Key Infrastructure provides a trusted third party’s confirmation of a sender’s identity
• Certification Authority is a trusted third party that issues identity certificates

Page 19: Cryptography: Securing the Information Age

Problems with CAs and PKI

• Who gave CA the authority to issue certificates? Who made it “trusted”?
• What good are the certificates?
• What if somebody digitally signed a binding contract in your name by hacking into your system?
• How secure are CA’s practices? Can a malicious hacker add a public key to a CA’s directory?

Page 20: Cryptography: Securing the Information Age

Currently Available Technologies

• MD4 and MD5 (Message Digest)
• SHA-1 (Secure Hash Algorithm version 1)
• DSA (The Digital Signature Algorithm)
• ECDSA (Elliptic Curve DSA)
• Kerberos
• OPS (Open Profiling Standard)
• VeriSign Digital IDs

Page 21: Cryptography: Securing the Information Age


JAVA and XML Cryptography

• java.security package includes classes used for authentication and digital signature

• javax.crypto package contains Java Cryptography Extension classes

• XML makes it possible to encrypt or digitally sign parts of a message, different encryption for different recipients, etc.

Page 22: Cryptography: Securing the Information Age

XML Crypto Document

Listing 1. Information on John Smith showing his bank, limit of $5,000, card number, and expiration date

    <?xml version='1.0'?>
    <PaymentInfo xmlns='http://example.org/paymentv2'>
      <Name>John Smith</Name>
      <CreditCard Limit='5,000' Currency='USD'>
        <Number>4019 2445 0277 5567</Number>
        <Issuer>Bank of the Internet</Issuer>
        <Expiration>04/02</Expiration>
      </CreditCard>
    </PaymentInfo>

(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)

Page 23: Cryptography: Securing the Information Age

XML Crypto Document

Listing 2. Encrypted document where all but name is encrypted

    <?xml version='1.0'?>
    <PaymentInfo xmlns='http://example.org/paymentv2'>
      <Name>John Smith</Name>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                     xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData><CipherValue>A23B45C56</CipherValue></CipherData>
      </EncryptedData>
    </PaymentInfo>

(Source: http://www-106.ibm.com/developerworks/xml/library/s-xmlsec.html/index.html)

Page 24: Cryptography: Securing the Information Age

Benefits of Cryptographic Technologies

• Data secrecy
• Data integrity
• Authentication of message originator
• Electronic certification and digital signature
• Non-repudiation

Source: http://www.princeton.edu/~hos/h398/matrix.jpg

Page 25: Cryptography: Securing the Information Age

Potential Problems with Cryptographic Technologies?

• False sense of security if badly implemented
• Government regulation of cryptographic technologies/export restrictions
• Encryption prohibited in some countries

Source: http://www.tudor-portraits.com/Mary%20Scots%20B.jpg

Page 26: Cryptography: Securing the Information Age


How Secure are Today’s Technologies?

• $250,000 machine cracks 56 bit key DES code in 56 hours

• IDEA, RC5, RSA, etc. resist complex attacks when properly implemented

• distributed.net cracked 64 bit RC5 key (1,757 days and 331,252 people) in July, 2002

• A computer that breaks DES in 1 second will take 149 trillion years to break AES!

• Algorithms are not theoretically unbreakable: successful attacks in the future are possible

Page 27: Cryptography: Securing the Information Age

How Secure are Today’s Technologies?

• Encryption does not guarantee security!
• Many ways to beat a crypto system NOT dependent on cryptanalysis, such as:
  – Viruses, worms, hackers, etc.
  – TEMPEST attacks
  – Unauthorized physical access to secret keys
• Cryptography is only one element of comprehensive computer security

Page 28: Cryptography: Securing the Information Age

The Future of Secret Writing

Quantum cryptanalysis
– A quantum computer can perform a practically unlimited number of simultaneous computations
– Factoring large integers is a natural application for a quantum computer (necessary to break RSA)
– Quantum cryptanalysis would render ALL modern cryptosystems instantly obsolete

Source: http://www.media.mit.edu/quanta/5-qubit-molecule.jpg

Page 29: Cryptography: Securing the Information Age

When will it happen?

• 2004 – 10-qubit special purpose quantum computer available
• 2006 – factoring attacks on RSA algorithm
• 2010 through 2012 – intelligence agencies will have quantum computers
• 2015 – large enterprises will have quantum computers

Source: The Gartner Group

Page 30: Cryptography: Securing the Information Age

What is to be done?

The Gartner Group recommends:
• Develop migration plans to stronger crypto by 2008
• Begin implementation in 2010

Page 31: Cryptography: Securing the Information Age

The Future of Secret Writing (continued)

Quantum encryption
– No need for a quantum computer
– A key cannot be intercepted without altering its content
– It is theoretically unbreakable
– Central problem is transmitting a quantum message over a significant distance

Source: http://qubit.nist.gov/Images/OptLat.jpg