Security in:
Client / Workstation / Terminal
Intra-networks
Inter-networks
In terms of:
Physical Security
Non-Physical Security
Hackers
Crackers
Script Kiddies
Unethical Employees (logic bombs, backdoors, ...)
Cyberterrorists
Corporate Spy
Worm / Virus / Trojan (incl. keyloggers, ...)
Spoofing / Sniffing / Phishing
DoS / DDoS attacks
Hoax / Spam
...
Virtual Private Network (VPN)
Example of Phishing:
Comfort Level
Responsible presentation
Defining Cryptography
Objectives
Define cryptography
Describe hashing
List the basic symmetric cryptographic algorithms
Describe how asymmetric cryptography works
List types of file and file system cryptography
What Is Cryptography?
Cryptography - scrambles data
The science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it
Steganography - hides data
Hides the existence of the data
What appears to be a harmless image can contain hidden data embedded within the image
Can use image files, audio files, or even video files to contain hidden information
Steganography
Caesar Cipher
Used by Julius Caesar
Caesar shifted each letter of his messages to his generals three places down in the alphabet
So BURN THE BRIDGE becomes EXUQ WKH EULGJH
A -> D
B -> E
C -> F
D -> G
E -> H
F -> I
G -> J
H -> K
The receiver shifts each letter three places back; since there are only 25 possible shifts, trying every key recovers the message without knowing it
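The shift cipher and the brute-force attack it falls to, as an added example that is not part of the original slides. The crib-word list and the plaintext are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase
# Constructed list of very common English words, used as cribs to recognise the right shift.
CRIBS = ("THE", "AND", "OF", "TO")


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Shift every letter `shift` places down the alphabet; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is encryption with the negative shift."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """Ciphertext-only attack: only 25 non-trivial keys exist, so try every one."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def likely_shift(ciphertext: str) -> int:
    """Pick the candidate whose decryption contains a common English word."""
    for shift, candidate in brute_force(ciphertext).items():
        if any(word in candidate.split() for word in CRIBS):
            return shift
    raise ValueError("no candidate matched a crib word")


if __name__ == "__main__":
    ct = caesar_encrypt("BURN THE BRIDGE")
    print(ct)                   # EXUQ WKH EULGJH
    print(caesar_decrypt(ct))   # BURN THE BRIDGE
    print(likely_shift(ct))     # 3
```

The key space is the whole weakness: 25 trials is nothing, and the crib check automates what a human would do by eye.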
Information Protection by
Cryptography
Cryptographic Algorithms
Cryptographic Algorithms
There are three categories of cryptographic algorithms:
Hashing algorithms
Symmetric encryption algorithms
Asymmetric encryption algorithms
Hashing Algorithms
Hashing Algorithms
Hashing is a one-way process
Link Ch 11a
Preventing a Man-in-the-Middle
Attack with Hashing
Message Digest
Also known as hash function or one-way transformation
Transforms a message of any length and computes a fixed-length string (the digest)
We want it to be hard to recover the message given only the digest (preimage resistance), and hard to find two messages with the same digest (collision resistance)
Guessing is always possible in principle; a good digest only makes it computationally infeasible
Three versions
Password Hashes
Another use for hashes is in storing passwords
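The three uses of hashing on these slides (integrity digest, the man-in-the-middle point, and password storage), as an added example that is not from the original deck. A bare hash does not stop a man-in-the-middle, because the attacker can recompute it for the altered message; a keyed hash (HMAC) does. The messages, key and password are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample messages (not from the slides).
MESSAGE = b"Transfer 100 EUR to account 12345"
TAMPERED = b"Transfer 900 EUR to account 12345"


def digest(message: bytes) -> str:
    """One-way transformation: input of any length -> fixed 256-bit digest (64 hex chars)."""
    return hashlib.sha256(message).hexdigest()


def check_plain_hash(message: bytes, received_digest: str) -> bool:
    """Integrity check with an unkeyed hash. Detects accidental corruption only."""
    return digest(message) == received_digest


def mitm_rewrite(tampered: bytes) -> tuple:
    """A man-in-the-middle who sees the hash simply recomputes it for the altered message."""
    return tampered, digest(tampered)


def tag(key: bytes, message: bytes) -> str:
    """HMAC: the hash is keyed, so a forger without the key cannot produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_hmac(key: bytes, message: bytes, received_tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte via timing
    return hmac.compare_digest(tag(key, message), received_tag)


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> tuple:
    """Store salt + PBKDF2-HMAC-SHA256 output, never the password or a bare SHA-256 of it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_password(password: str, salt: bytes, dk: bytes, iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    h = digest(MESSAGE)
    print(check_plain_hash(MESSAGE, h))            # True
    forged_msg, forged_h = mitm_rewrite(TAMPERED)
    print(check_plain_hash(forged_msg, forged_h))  # True: a plain hash does not stop a MITM
    key = os.urandom(32)
    t = tag(key, MESSAGE)
    print(check_hmac(key, TAMPERED, t))            # False: the forger lacks the key
    salt, dk = hash_password("hunter2")
    print(verify_password("hunter2", salt, dk))    # True
```

The salt makes two users with the same password hash differently, and the iteration count (600,000 is the current OWASP figure for PBKDF2-HMAC-SHA256) makes each guess in a dictionary attack cost as much as a legitimate login.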
Symmetric Cryptographic
Algorithms
Symmetric Cryptographic
Algorithms
Symmetric cryptographic algorithms use the same secret key to encrypt and to decrypt
Stream cipher (works on one bit or byte at a time; the substitution cipher and XOR with a keystream are examples)
Substitution cipher
Substitution Cipher
XOR
Block Cipher
Information Protections by
Symmetric Cryptography
Other Algorithms
Several other symmetric cryptographic algorithms are also used:
Rivest Cipher (RC) family from RC1 to RC6 (RC4, the stream cipher in the family, is now considered broken and is prohibited in TLS by RFC 7465)
International Data Encryption Algorithm (IDEA)
Blowfish
Twofish
Asymmetric Cryptographic
Algorithms
Asymmetric Cryptographic
Algorithms
Asymmetric cryptographic algorithms
Also known as public key cryptography
Uses two keys instead of one
The public key is known to everyone and can be freely distributed
The private key is known only to its owner, the recipient of messages encrypted with the matching public key
[Figure: Alice sends Bob "Hello Bob, wanna get together?" and Bob replies "OK Alice, your place or mine?", each message encrypted under the recipient's public key]
Bob's Dilemma
Nobody else can read the message from Alice (it was encrypted with Bob's public key), but anyone could have produced it, because Bob's public key is public
How does Bob know that the message was really sent from Alice?
Digital Signature
A digital signature can:
Verify the sender
Prove the integrity of the message
Prevent the sender from disowning the message (non-repudiation)
Information Protections by
Asymmetric Cryptography
RSA
The most common asymmetric cryptography algorithm
RSA makes the public and private keys from two large prime numbers p and q
Their product n = pq is part of the public key
It is very difficult to factor the number n to find p and q
Finding the private key from the public key would require that factoring operation
RSA is complex and slow, but secure when the modulus is large enough (2048 bits or more today)
Roughly 100 times slower than a symmetric cipher such as DES, so in practice it protects a symmetric key rather than bulk data
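Textbook RSA carried through in code, as an added example that is not from the original slides: key generation from p and q, encryption with the public key, decryption with the private key, and the signature that resolves Bob's dilemma. The primes 61 and 53 are the usual classroom parameters; the hash-then-reduce "padding" in sign() is a toy, real RSA uses PSS or PKCS#1 v1.5 padding and 2048-bit moduli. The factoring routine shows the attack that large moduli make infeasible.

```python
import hashlib
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key generation from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def encrypt(m: int, public: tuple) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c: int, private: tuple) -> int:
    n, d = private
    return pow(c, d, n)


def _hash_to_int(message: bytes, n: int) -> int:
    # Toy padding: sign a SHA-256 digest reduced into the key's range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private: tuple) -> int:
    """Only the private-key holder can produce this, which is what answers Bob's dilemma."""
    n, d = private
    return pow(_hash_to_int(message, n), d, n)


def verify(message: bytes, signature: int, public: tuple) -> bool:
    n, e = public
    return pow(signature, e, n) == _hash_to_int(message, n)


def recover_private_key(public: tuple) -> tuple:
    """The attack RSA relies on being infeasible: factor n by trial division, recompute d.
    Instant for this toy modulus, hopeless for a 2048-bit one."""
    n, e = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    public, private = keygen(61, 53, e=17)   # n = 3233
    c = encrypt(65, public)
    print(c, decrypt(c, private))            # 2790 65
    msg = b"Hello Bob, wanna get together? Alice"
    print(verify(msg, sign(msg, private), public))      # True
    print(recover_private_key(public) == private)       # True
```

Note the asymmetry of the two operations: Alice signs with her private key and anyone verifies with her public key, while Bob is sent ciphertext made with his public key and only his private key opens it.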
Diffie-Hellman
A key exchange algorithm, not an encryption algorithm
Allows two users to share a secret key securely over a public network
Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography
Plain Diffie-Hellman does not authenticate the parties, so it must be combined with signatures or certificates to stop a man-in-the-middle
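The exchange described above with both sides' computations, as an added example that is not from the original slides. The parameters p = 23, g = 5 and the private exponents 6 and 15 are the classic toy values (chosen so the arithmetic is checkable by hand); the brute-force discrete-log routine shows what an eavesdropper would have to do, and why p must be enormous in practice.

```python
import hashlib
import secrets


def dh_public(p: int, g: int, private: int) -> int:
    """Value sent over the public network: g^private mod p."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Both sides end up with g^(ab) mod p; an eavesdropper only sees g^a and g^b."""
    return pow(peer_public, private, p)


def derive_key(shared: int, p: int) -> bytes:
    """Never use the raw shared integer as a cipher key; run it through a KDF (SHA-256 here)."""
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()


def exchange(p: int, g: int, a: int = None, b: int = None) -> dict:
    """Run the full exchange; private exponents are random unless supplied for a worked example."""
    a = a if a is not None else secrets.randbelow(p - 2) + 1
    b = b if b is not None else secrets.randbelow(p - 2) + 1
    A = dh_public(p, g, a)   # Alice -> Bob
    B = dh_public(p, g, b)   # Bob -> Alice
    s_alice = dh_shared(p, B, a)
    s_bob = dh_shared(p, A, b)
    return {
        "A": A,
        "B": B,
        "shared": s_alice,
        "alice_key": derive_key(s_alice, p),
        "bob_key": derive_key(s_bob, p),
    }


def discrete_log_bruteforce(p: int, g: int, public: int) -> int:
    """What the eavesdropper must solve to recover a private exponent; feasible only for tiny p."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no solution")


if __name__ == "__main__":
    r = exchange(23, 5, a=6, b=15)    # A = 8, B = 19, shared secret = 2
    print(r["A"], r["B"], r["shared"], r["alice_key"] == r["bob_key"])
    print(discrete_log_bruteforce(23, 5, r["A"]))   # 6
```

With a 2048-bit p the loop in discrete_log_bruteforce never finishes, which is the whole point; with p = 23 it recovers Alice's exponent on the sixth try.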
HTTPS
Secure web pages (HTTPS, i.e. HTTP over TLS) combine an asymmetric algorithm with a symmetric one
Historically RSA was used to transport the symmetric session key, and a stream cipher such as RC4 encrypted the traffic
Current TLS (1.3) instead uses (elliptic-curve) Diffie-Hellman for the key exchange, RSA or ECDSA signatures to authenticate the server, and AES-GCM or ChaCha20-Poly1305 for the traffic; RSA key transport and RC4 have been removed
Understanding Cryptographic
Attacks
Passive attacks such as sniffing only watch traffic; port scanning sends probes and is better described as reconnaissance
Active attacks interact with the system or its messages, for example to recover the secret key used to encrypt plaintext
Cryptographic algorithms are usually public (Kerckhoffs's principle: the security must rest in the key, not in keeping the algorithm secret)
Follows the open-source culture
Except some government agencies (NSA, CIA, etc.) that keep certain algorithms classified
Birthday Attack
If 23 people are in the room, what is the chance that they all have different birthdays?
P(all different) = (365/365) x (364/365) x (363/365) x ... x (343/365) = 0.49
So there's a 51% chance that at least two of them share a birthday
Birthday Attack
If there are N possible hash values,
you'll find a collision after calculating about 1.2 x sqrt(N) values (50% chance)
For a 128-bit hash that is about 2^64 evaluations, far fewer than the 2^128 needed to invert a given digest
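The birthday probability computed from the product above, and the same effect turned into a collision search against a truncated hash, as an added example that is not from the original slides. Truncating SHA-256 to 20 bits gives N = 2^20 possible values, so a repeat is expected after roughly 1.2 x 1024 hashes; the sequential "msg-i" inputs are constructed.

```python
import hashlib
from math import sqrt


def prob_all_distinct(people: int, days: int = 365) -> float:
    """(365/365) x (364/365) x ... x ((365 - people + 1)/365)."""
    p = 1.0
    for i in range(people):
        p *= (days - i) / days
    return p


def prob_shared(people: int, days: int = 365) -> float:
    """Probability that at least two people share a birthday."""
    return 1.0 - prob_all_distinct(people, days)


def truncated_digest(message: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256, giving N = 2**bits possible values."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int) -> tuple:
    """Hash msg-0, msg-1, ... until a truncated digest repeats. Returns (m1, m2, attempts)."""
    seen = {}
    i = 0
    while True:
        m = f"msg-{i}".encode()
        t = truncated_digest(m, bits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
        i += 1


def expected_attempts(bits: int) -> float:
    """The slide's rule of thumb: 1.2 x sqrt(N)."""
    return 1.2 * sqrt(2 ** bits)


if __name__ == "__main__":
    print(round(prob_shared(23), 3))        # 0.507
    m1, m2, n = find_collision(24)
    print(m1, m2, n, "expected about", round(expected_attempts(24)))
```

Memory, not time, is what limits this naive search (the dictionary holds every digest seen); real collision attacks use cycle-finding to run in constant memory, but the sqrt(N) work factor is the same.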
Mathematical Attacks
Properties of the algorithm are attacked by using mathematical computations
Categories
Ciphertext-only attack
The attacker has the ciphertext of several messages but not the plaintext
Attacker tries to find out the key and algorithm used to encrypt the messages
Attacker can capture ciphertext using a sniffer program such as Wireshark (formerly Ethereal) or tcpdump
Mathematical Attacks
Categories
Known-plaintext attack
The attacker has messages in both encrypted and decrypted forms
This attack is easier to perform than the ciphertext-only attack
Looks for patterns in both plaintext and ciphertext
Chosen-plaintext attack
The attacker has access to plaintext and ciphertext
Attacker has the ability to choose which message to encrypt
Mathematical Attacks
Categories (continued)
Chosen-ciphertext attack
The attacker can submit ciphertexts of their choosing and obtain the resulting plaintexts
Attacker needs access to the cryptosystem (a decryption oracle) to perform this type of attack
Modern ciphers are designed to resist all four categories; an attack counts as a break if it needs less work than trying every key
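The XOR stream cipher from the symmetric section and three of the attack categories above run against it, as an added example that is not from the original slides: a repeating key XORed with the data, a known-plaintext attack that recovers the key, a chosen-plaintext attack that reads the keystream straight out of the encryption oracle, and the ciphertext-only leak when the same keystream is reused (the key cancels and the XOR of the two plaintexts is exposed). The key and both messages are constructed, and the key length is assumed known.

```python
from itertools import cycle

# Constructed sample data (not from the slides).
KEY = b"SECRET"
P1 = b"ATTACK AT DAWN. MEET AT THE OLD MILL"
P2 = b"RETREAT AT DUSK. BURN THE BRIDGE NOW"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """XOR stream cipher whose keystream is the key repeated. One function encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key_known_plaintext(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: c = p XOR k, so k = p XOR c for the first key_len bytes."""
    return xor_bytes(plaintext[:key_len], ciphertext[:key_len])


def recover_key_chosen_plaintext(encrypt_oracle, key_len: int) -> bytes:
    """Chosen-plaintext attack: encrypting all-zero bytes hands back the keystream itself."""
    return encrypt_oracle(bytes(key_len))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Ciphertext-only: with the same keystream, c1 XOR c2 = p1 XOR p2 and the key cancels."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    c1 = repeating_key_xor(P1, KEY)
    c2 = repeating_key_xor(P2, KEY)
    k = recover_key_known_plaintext(P1, c1, len(KEY))
    print(k, repeating_key_xor(c2, k))                       # b'SECRET' and P2 recovered
    print(recover_key_chosen_plaintext(lambda m: repeating_key_xor(m, KEY), len(KEY)))
    print(keystream_reuse_leak(c1, c2) == xor_bytes(P1, P2))  # True
```

XOR itself is sound (a one-time pad is exactly this with a truly random keystream used once); what breaks here is the short, repeated keystream. A real stream cipher derives a long keystream from a key and a never-repeated nonce, and reusing the nonce produces the same leak shown by keystream_reuse_leak.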
Man-in-the-Middle Attack
[Figure: the attacker sits between the victim and the server, relaying and possibly altering traffic in both directions]
Dictionary Attack
Attacker uses a dictionary of known words (plus common variations) to try to guess passwords
There are programs that can help attackers run a dictionary attack, e.g. John the Ripper and hashcat
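A dictionary attack against a small salted credential store, as an added example that is not from the original slides. The wordlist, the salts and the three accounts are constructed; salted SHA-256 stands in for a real password hash so the run is fast, and the mangling rules are the simple ones every cracker applies.

```python
import hashlib
import hmac

# Constructed wordlist (not real leaked data).
WORDLIST = ["password", "welcome", "dragon", "letmein", "summer"]


def hash_pw(salt: bytes, password: str) -> str:
    """Salted SHA-256 as a stand-in for a real password hash; PBKDF2/bcrypt would slow this attack."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed store: username -> (salt, stored hash). The passwords appear here only to build it.
STORE = {
    "alice": (b"3f9a", hash_pw(b"3f9a", "Welcome1")),
    "bob":   (b"c07e", hash_pw(b"c07e", "dragon!")),
    "carol": (b"71d2", hash_pw(b"71d2", "correct horse battery staple")),
}


def mangle(word: str):
    """Typical mangling rules: as-is, capitalised, with '!' or a digit or '123' appended."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for digit in "0123456789":
            yield base + digit
        yield base + "123"


def dictionary_attack(store: dict, wordlist: list) -> tuple:
    """Try every candidate against every user. Because each user has a salt, every candidate
    must be hashed again per user; an unsalted store would let one hash serve all users."""
    cracked = {}
    attempts = 0
    for user, (salt, stored) in store.items():
        for word in wordlist:
            for candidate in mangle(word):
                attempts += 1
                if hmac.compare_digest(hash_pw(salt, candidate), stored):
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked, attempts


if __name__ == "__main__":
    found, n = dictionary_attack(STORE, WORDLIST)
    print(found, "after", n, "hashes")   # alice and bob fall; carol's passphrase survives
```

The passphrase survives not because of the hash but because no wordlist entry and rule produces it; the defence on the storage side is the slow, salted hash shown in the hashing section, which multiplies the cost of every one of these attempts.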
Replay Attack
The attacker captures data (for example an authentication exchange) and later resubmits the captured data unchanged
The device thinks a legitimate connection is in effect
Defence: bind a nonce, sequence number or timestamp into the authenticated message so a captured copy is rejected the second time
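The replay described above played against two receivers, as an added example that is not from the original slides: one that only checks the message's HMAC tag and therefore accepts the captured bytes a second time, and one that also records the nonces it has seen. The shared key, the "unlock door" command and the nonce values are constructed.

```python
import hashlib
import hmac

# Constructed shared key (not from the slides).
KEY = b"shared-secret-key"


def make_message(cmd: str, nonce: int) -> tuple:
    """Bind a fresh nonce into the authenticated data so the tag only ever validates once."""
    msg = f"{nonce}|{cmd}".encode()
    return msg, hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def _tag_ok(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac.new(KEY, msg, hashlib.sha256).hexdigest(), tag)


class NaiveServer:
    """Checks the tag only: a captured (msg, tag) pair can be resubmitted indefinitely."""

    def process(self, msg: bytes, tag: str) -> str:
        if not _tag_ok(msg, tag):
            return "rejected: bad tag"
        return "accepted"


class ReplayResistantServer:
    """Also records nonces already seen and refuses any message that reuses one."""

    def __init__(self):
        self.seen_nonces = set()

    def process(self, msg: bytes, tag: str) -> str:
        if not _tag_ok(msg, tag):
            return "rejected: bad tag"   # authenticate before trusting the nonce field
        nonce = int(msg.split(b"|", 1)[0])
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"


def run_scenario(server) -> list:
    """Attacker sniffs a legitimate 'unlock' message and sends the identical bytes again."""
    msg, tag = make_message("unlock door", nonce=1001)
    results = [server.process(msg, tag)]         # legitimate request
    results.append(server.process(msg, tag))     # replay of the captured bytes
    forged = msg.replace(b"1001", b"1002")
    results.append(server.process(forged, tag))  # attacker bumps the nonce but cannot re-tag
    return results


if __name__ == "__main__":
    print(run_scenario(NaiveServer()))            # ['accepted', 'accepted', 'rejected: bad tag']
    print(run_scenario(ReplayResistantServer()))  # ['accepted', 'rejected: replay', 'rejected: bad tag']
```

A set of seen nonces grows without bound; real protocols use a strictly increasing sequence number (remember only the highest accepted) or a timestamp with a short acceptance window plus a small cache of recent values.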
Password Cracking
Cracking passwords for accounts you are not authorized to access is illegal in the United States (Computer Fraud and Abuse Act)
It is legal to crack your own password if you forgot it, or to crack hashes you have written authorization to test