Beruflich Dokumente
Kultur Dokumente
Chapter Seven
Cryptographic Systems
MARS
Firewall
VPN
IPS
CSA
CSA
CSA
Web Email
Server Server DNS
• An ATM Personal
Information Number (PIN)
is required for
authentication.
• The PIN is a shared
secret between a bank
account holder and the
financial institution.
• Julius Caesar
would send
encrypted
messages to his
I O D Q N H D V W generals in the
battlefield.
D W W D F N D W G D Z Q • Even if
intercepted, his
enemies usually
could not read, let
alone decipher,
the messages.
Vigenère table
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear Text
2
F...K...T...T...A...W.
.L.N.E.S.A.T.A.K.T.A.N Use a rail fence cipher and a
..A...A...T...C...D... key of 3.
3
FKTTAW The clear text message would
LNESATAKTAN
AATCD appear as follows.
Ciphered Text
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear text
3
IODQN HDVW The clear text message would
DWWDFN DW GDZQ be encrypted as follows using a
key of 3.
Cipherered text
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear text
2
Shifting the inner wheel by 3, then
the A becomes D, B becomes E,
and so on.
3
IODQN HDVW The clear text message would
DWWDFN DW GDZQ appear as follows using a key of 3.
Cipherered text
Cryptanalysis is from the Greek words kryptós (hidden), and analýein (to loosen or to
untie). It is the practice and the study of determining the meaning of encrypted
information (cracking the code), without access to the shared secret key.
Known Ciphertext
Successfully
Unencrypted
Key found
MATCH of
Ciphertext!
Key found
Cryptology
Cryptography Cryptanalysis
Arbitrary X
length text Why is x not in
Parens?
h = H (x)
Hash
Function
(H)
Why is H in
Parens?
Hash h e883aa0b24c09f
Value
•Vulnerabl
e to man-in-the-middle attacks
- Hashing does not provide security to transmission.
•Well-
known hash functions I would like to
- MD5 with 128-bit hashes cash this
- SHA-1 with 160-bit hashes check.
Internet
Pay to Terry Smith Pay to Alex Jones
$100.00 $1000.00
One Hundred and xx/100 One Thousand and xx/100
Dollars Dollars
4ehIDx67NMop9 12ehqPx67NMoX
Match = No changes
No match = Alterations
© 2009 Cisco Learning Institute. 26
MD5
HMAC HMAC
(Authenticated 4ehIDx67NMop9 (Authenticated 4ehIDx67NMop9
Fingerprint) Fingerprint)
e883aa0b24c09f
Fixed-Length Hash
Value
Entity Authentication
Key
Management Key Storage
Key Exchange
11111111111111111111111111111111
Twice as
57-bit 257 144,000,000,000,000,000 much time
111111111111111111111111
Protection up
to 3 years 80 1248 160 160
Protection up
to 10 years 96 1776 192 192
Protection up
to 20 years 112 2432 224 224
Protection up
to 30 years 128 3248 256 256
Protection against
quantum computers 256 15424 512 512
Calculations are based on the fact that computing power will continue to
grow at its present rate and the ability to perform brute-force attacks will
grow at the same rate.
Note the comparatively short symmetric key lengths illustrating that
symmetric algorithms are the strongest type of algorithm.
© 2009 Cisco Learning Institute. 35
Key Properties
Pre-shared
Key key Key
Encrypt Decrypt
$1000 $!@#IQ $1000
Plain Text 1 1 0 1 0 0 1 1
Key (Apply) 0 1 0 1 0 1 0 1
XOR (Cipher 1 0 0 0 0 1 1 0
Text)
Key (Re-Apply) 0 1 0 1 0 1 0 1
XOR (Plain Text) 1 1 0 1 0 0 1 1
Encrypt Decrypt
$1000 %3f7&4 $1000
3DES 112 and 168 Based on using DES three times which means that the input data is encrypted
three times and therefore considered much stronger than DES.
However, it is rather slow compared to some new block ciphers such as AES.
AES 128, 192, and 256 Fast in both software and hardware, is relatively easy to implement, and
requires little memory.
As a new encryption standard, it is currently being deployed on a large scale.
Software Encryption 160 SEAL is an alternative algorithm to DES, 3DES, and AES.
Algorithm (SEAL) It uses a 160-bit encryption key and has a lower impact to the CPU when
compared to other software-based algorithms.
The RC series RC2 (40 and 64) A set of symmetric-key encryption algorithms invented by Ron Rivest.
RC4 (1 to 256) RC1 was never published and RC3 was broken before ever being used.
RC5 (0 to 2040) RC4 is the world's most widely used stream cipher.
RC6 (128, 192, and RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist
256)
developed in 1997.
© 2009 Cisco Learning Institute. 42
Symmetric Encryption Techniques
Enc
Mes rypted
blank blank 1100101 01010010110010101 sag
e
01010010110010101
Enc
Mes rypted
sag
e
0101010010101010100001001001001 0101010010101010100001001001001
Speed Medium
ECB CBC
Message of Five 64-Bit Blocks Message of Five 64-Bit Blocks
Initialization
Vector
DES
DES
DES
DES
DES
DES
DES
DES
DES
DES
© 2009 Cisco Learning Institute. 46
Considerations
Speed Low
Speed High
An attempt at
deciphering the text
using a lowercase,
and incorrect key
Speed High
Timeline 1976
Speed Slow
Resource Medium
Consumption
1 5, 23 1 5, 23
3
2 6 56mod 23 = 8 8
1. Alice and Bob agree to use the same two numbers. For example, the base number g= 5
and prime number p= 23
2. Alice now chooses a secret number x= 6.
3. Alice performs the DH algorithm: gx modulo p = ( 56 modulo 23) = 8 (Y) and
sends the new number 8 (Y) to Bob.
© 2009 Cisco Learning Institute. 55
Using Diffie-Hellman
Alice Bob
Shared Secret Calc Shared Secret Calc
5, 23 5, 23
6 56mod 23 = 8 8 15 4
19 515 mod 23 = 19
19 mod 23 = 2 2
5
6
6 815 mod 23 =
Encryption Decryption
Key Key
Plain Encryption Encrypted Decryption Plain
text text text
Computer A acquires
Computer B’s public key
Can I get your Public Key please? Bob’s Public
1 Key
Here is my Public Key.
Bob’s Public
Computer A transmits Bob’s Private
2 4
Key The encrypted message Key
Computer
Computer to Computer B Encrypted
Text B
A
Encryption Encryption
Algorithm Algorithm
Encryption
Alice transmits the 4
Alice’s Public
Key
Encrypted
Computer Text
3 Computer Encryption
A B
Algorithm
Digital Signature 512 - 1024 Created by NIST and specifies DSA as the algorithm for digital signatures.
Standard (DSS) and A public key algorithm based on the ElGamal signature scheme.
Digital Signature
Algorithm (DSA) Signature creation speed is similar with RSA, but is slower for verification.
RSA encryption 512 to 2048 Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977
algorithms Based on the current difficulty of factoring very large numbers
Suitable for signing as well as encryption
Widely used in electronic commerce protocols
Elliptical curve 160 Invented by Neil Koblitz in 1987 and by Victor Miller in 1986.
techniques Can be used to adapt many cryptographic algorithms
Keys can be much smaller
• Authenticates a source,
proving a certain party
has seen, and has signed,
the data in question
• Signing party cannot
repudiate that it signed
the data
• Guarantees that the data
has not changed from the
time it was signed Authenticity
Integrity
Nonrepudiation
Signature Confirm
Key Order 4
____________
Encrypted 0a77b3440…
hash Signature is
2 Signature
Algorithm verified with
The sending device 3 the verification
encrypts only the hash key
0a77b3440…
with the private key
of the signer The signature algorithm Verification
5
Timeline 1994
Timeline 1977
http://www.verisign.com http://www.entrust.com
http://www.verizonbusiness.com/
http://www.novell.com
http://www.rsa.com/
http://www.microsoft.com
X.509
Cisco
Secure
Internet Enterprise ACS
Network
CA
Server
VPN
IPsec Concentrator
CA
Certificate
Signed
Certificate
PKCS#7
Root CA
Subordinate
CA
CA2
CA1
CA3
CA
1 CA
1
Certificate
CA
Certificate
Enterprise Network
2
2
Alice and Bob request the CA certificate Each system verifies the
that contains the CA public key validity of the certificate
© 2009 Cisco Learning Institute. 81
Submitting Certificate Requests
The CA administrator telephones to
The certificate is confirm their submittal and the public
retrieved and the key and issues the certificate by
certificate is installed 2 adding some additional data to the
onto the system request, and digitally signing it all
Out-of-Band Out-of-Band
Authentication of Authentication of
the CA Certificate CA the CA Certificate
Admin
POTS POTS
CA
1 Certificate
3 1 Certificate Request 3
Request
Enterprise Network
Certificate (Bob)
CA Certificate CA Certificate
Each party verifies the digital signature on the certificate by hashing the
plaintext portion of the certificate, decrypting the digital signature using the
CA public key, and comparing the results.