CSS 111 - Introduction to Information System Security

Chapter 8, Cryptography

Objectives:

This lesson discusses several topics associated with encryption of data. Objectives important to this lesson:

  1. Identify different technologies in relation to network, data, and application security
  2. Access control, access control models
  3. Authentication
  4. Credentials
  5. Authentication models
  6. Identify types of firewall, intrusion detection, dial-up, and networking analysis tools
  7. Identify types of encryption, cryptography, and trap-and-trace technology.

Concepts:

Chapter 8

The text begins this chapter with a lot of history which will be interesting to people who love cryptography, but it is all background. You may want to know some of the famous concepts, and some vocabulary:

  • plaintext, cleartext - a message that has not been encrypted or has been decrypted
  • encrypt, encipher - to change an ordinary message with a code or cipher system so that the message is unreadable
  • decrypt, decipher - to change an encrypted message to plaintext
  • cipher or code - the difference between a cipher and a code is that a cipher uses one symbol to stand for another, while a code can use a symbol to stand for several symbols or words
  • Caesar cipher - Julius Caesar is famous for several things, one of which is the creation of a substitution cipher that is incredibly easy to crack: he wrote down the Latin alphabet on one line, then wrote it again on a second line, offset by three characters, which was used as an encrypting/decrypting tool. The two lines below show what this would look like in English:
    abcdefghijklmnopqrstuvwxyz
    defghijklmnopqrstuvwxyzabc

The text surveys several cipher methods. You should know some of the concepts in this section:

  • Substitution Cipher - like the Caesar cipher above, it may use one letter to represent another, or it may use a series of such ciphers like the Vigenère Square shown on page 357. To use that cipher, you need to know the pattern to follow, which could be changed from one message to another. The cryptogram example on page 355 uses one simple cipher, that is not an offset. It is a tad harder to crack because it contains an error. If you want to crack it, in the first line, third word, change the second ciphertext character to Y instead of X. The X in the book must be a typo.
  • Transposition Cipher - the text shows us several words whose letters have been rearranged, which is the basic concept. A more advanced concept is described: instead of mixing up the letters, we can follow a pattern that mixes up the bits in each character.
  • Hashing - A hash function takes a plaintext block of any size and converts it to an encrypted block of a specific size. This is often done with passwords and PINs. The idea is to use the same hash function each time a user enters a password, and to compare the hash to a stored version of the hashed password, which is the only version of the password that is saved on the system. This method makes sure that anyone reading the file that holds the hash versions cannot know what the actual passwords are. Hash algorithms work only one way: you can't use the hash algorithm to decrypt the hash output. You can only compare to see if the hash of the user's input matches the saved hash. The text explains that an experienced hacker could use rainbow tables to compare to a captured hash. A rainbow table holds the hash values of known words and numbers. If the hacker finds a match, the password is no longer secret.
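
The lookup described above, next to the usual defence of a per-user random salt with a deliberately slow hash (PBKDF2 is the choice made here), as an added example that is not from the textbook or these notes. The word list, the password and the function names are constructed for illustration, and the table is the simplified word-to-hash lookup the notes describe.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "known words" list standing in for a rainbow table.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty"]

def fast_hash(password):
    """Unsalted single-pass hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(words):
    """Precompute digest -> word once; reusable against any file of unsalted hashes."""
    return {fast_hash(w): w for w in words}

def salted_hash(password, salt=None, rounds=100_000):
    """Per-user random salt plus slow PBKDF2; the system stores (salt, rounds, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify(password, record):
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    salt, rounds, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)

def demo():
    table = build_lookup(COMMON_WORDS)
    recovered = table.get(fast_hash("letmein"))   # unsalted hash: table hit
    alice = salted_hash("letmein")
    bob = salted_hash("letmein")                  # same password, different salt
    return (recovered,
            alice[2] != bob[2],                   # digests differ per user
            alice[2].hex() in table,              # precomputed table no longer matches
            verify("letmein", alice),
            verify("qwerty", alice))

if __name__ == "__main__":
    print(demo())
```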

The text moves on to discuss symmetric and asymmetric encryption methods.

Symmetric Cryptographic Algorithms

Unlike hashes, cryptographic algorithms are typically meant to be used for encryption and decryption. The methods in this group use the same key to encrypt and to decrypt, which is why they are called symmetric. They are also called private key algorithms because the key must remain private to the users of the system or there is no security. Consider the Enigma machine from chapter 1. Once the encryption and decryption methods are available to your enemy, the code is worthless. (This seems like an obvious point, but we will consider another system where it is not true.)

Stream ciphers encrypt one character at a time (from the flowing stream of data). Block ciphers divide the message into blocks of a specific size, then encrypt each block as a unit. Many variations exist on the methods discussed. The text lists three symmetric algorithms to be aware of:

  • DES - Data Encryption Standard
  • 3DES - Triple Data Encryption Standard
  • AES - Advanced Encryption Standard

Asymmetric Cryptographic Algorithms

It should be obvious that asymmetric (not symmetric) algorithms will use different keys. This method is also called public key cryptography. This name does not describe the method well. A person must have two keys in this system, a public key and a private key. They are created as a pair, so that whatever is encrypted with one must be decrypted with the other. The owner of the keys gives the public key to anyone who wants it, but keeps the private key safe from anyone else.

This is how SSL encryption on a web site works. I connect to a vendor's web site. I obtain the vendor's public key when I make the secure connection. My browser encrypts my credit card data with the vendor's public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the vendor is the only one who can decrypt the data that was encrypted with the public key. In this way, a key is made available to anyone who wants it, but using it makes the data unintelligible to everyone who does not have the private key.

Of course, this falls apart if I did not get the vendor's key, or if I got a key from someone who hijacked my connection to the vendor's web site.

The text only discusses one asymmetric algorithm. You should be aware of these three for most certification tests:

  • RSA - named for its creators, so there is no acronym meaning
  • Diffie-Hellman - also named for its creators; does not seem to belong in this group, since it is only used to allow two users to share a key, enabling them to use symmetric cryptography
  • Elliptic Curve Cryptography - the link takes you to an Ars Technica article that reviews all three methods, and may hurt to look at; just know that it exists

Encryption algorithms are mathematical. Keys may be the numbers that are used to start the calculations in the algorithms. The larger the keys are, the better the protection your message will have. Think of the algorithm as the series of steps in the encryption, and the keys as tools that are used in particular steps.

Public Key Infrastructure

The Public Key Infrastructure is a system that includes several parts that have evolved to make the system work. It addresses the concern above about actually getting the right key from the selected vendor.

In the introduction to this section, the text lists five kinds of security that cryptography might provide, and notes that not all kinds of cryptography provide all five features. PKI typically addresses all of them.

  • authentication - each party in a transaction provides an assurance of their identity
  • integrity - the certificates used in the transactions are protected from changes
  • privacy - encrypted transactions remain private
  • authorization - a secure algorithm keeps the session encrypted and removes the need to authenticate each message
  • nonrepudiation - the encryption may prove who did something and when it was done

This leads us to an industry that supports verified identities by the use of digital certificates. There are companies whose business is to create key pairs and to provide the appropriate keys to vendors and their customers. Verisign and Entrust are examples.

Some terms associated with PKI:

  • certificate authority (CA) - an agency that issues digital certificates; the CA may create key pairs for users or accept them from users who create them; the CA is responsible for verifying the identity of the key owner; organizations with the proper software can act as their own internal CA
  • registration authority (RA) - an entity that takes on some of the tasks of a CA and operates on their behalf; think of them like a subcontractor
  • certificate revocation list (CRL) - a list of certificates that are no longer valid for various reasons
  • certificate repository (CR), certificate directory (CD) - a public directory of valid certificates; may contain invalid certificates as well or may link to a CRL
  • S/MIME - may be used by mail applications or applications that use secure forms; it stands for Secure Multipurpose Internet Mail Extension
  • SSL - Secure Sockets Layer certificates are used for transactions on the world wide web

The text moves on to discuss another type of digital certificate, a digital signature. It mentions that this kind of certificate supports nonrepudiation.

On page 378, the text mentions Pretty Good Privacy (PGP) as a popular certificate creation tool. This is a tool you have to purchase. An Open Source version is called GPG, Gnu Privacy Guard.

Everyone who uses PGP will have a public key that is freely available, a private key that remains secure, and everyone can generate new keys as needed.

  1. When I want to send a message to you, I generate a new symmetric key for that message.
  2. I encrypt the message with the symmetric key.
  3. I encrypt the symmetric key with your public key (which I got from your CA).
  4. I send the encrypted message and the encrypted key to you.
  5. You are the only person who can decrypt the encrypted key, by using your private key.
  6. You then use the decrypted symmetric key to decrypt the message.

In this way, PGP (and GPG) can use both symmetric and asymmetric keys.
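
The six steps above as a runnable sketch, added here and not taken from PGP, GPG or the textbook. To run on the Python standard library alone it assumes stand-ins: textbook RSA with no padding over two known Mersenne primes for the recipient's key pair, and a SHA-256 keystream XOR in place of a real symmetric cipher such as AES. All names are hypothetical.

```python
import hashlib
import secrets

# Stand-in key pair for the recipient (assumption: textbook RSA, no padding).
P, Q = 2**127 - 1, 2**89 - 1             # two known Mersenne primes
N, E = P * Q, 65537                      # public key, handed out freely
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never shared

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || counter) blocks.
    The same call encrypts and decrypts, because the key is shared."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def send(message, recipient_pub):
    n, e = recipient_pub
    session_key = secrets.token_bytes(16)                    # step 1: new key per message
    ciphertext = keystream_xor(session_key, message)         # step 2: encrypt the message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # step 3: encrypt the key
    return ciphertext, wrapped                               # step 4: send both

def receive(ciphertext, wrapped, n, d):
    session_key = pow(wrapped, d, n).to_bytes(16, "big")     # step 5: unwrap with private key
    return keystream_xor(session_key, ciphertext)            # step 6: decrypt the message

if __name__ == "__main__":
    msg = b"Quarterly numbers attached (constructed sample message)."
    ct, wrapped_key = send(msg, (N, E))
    print(ct.hex())
    print(receive(ct, wrapped_key, N, D))
```

Only the 16-byte session key goes through the slow public-key operation; the message itself, however long, is handled by the symmetric cipher.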

On page 380, the text has a pretty good explanation of steganography, hiding a message in an image. The short form is that an image typically has three bytes (RGB) of color information for each pixel in it. It is unlikely that anyone just looking at an image could tell the difference between pixels that are true to color and those that have had each of their least significant color bits changed as needed to hide/provide data. If you change one bit per color, you can hide one byte every three pixels.

Imagine that the table below represents a series of pixels. I have used cells in a table to make the idea more visual. I have put a reference color in the first cell: hex code 58C314 stands for 111, because I chose that color as the key. I have modified the color in each of the other cells in the second row to indicate three bits. The bits are indicated by the color's deviation from the key color.

    Pixel  Color     Bits
    1      58c314    111  (refcolor)
    2      57c313    010
    3      58c213    100
    4      58c313    110
    5      58c314    111
    6      57c313    010
    7      57c214    001
    8      58c213    100
    9      58c214    101
    10     57c314    011
    11     58c214    101
    12     58c213    100
    13     58c313    110
    14     57c313    010
    15     58c213    111

The binary code for that sequence, which would have taken 15 pixels, is:

  • first three ones are reference
  • 010 100 11
  • 0 111 010 0
  • 01 100 101
  • 011 101 10
  • 0 110 010 1
  • last two ones are padding

This example used seven variations on one color. The sender could send an image in which every pixel was modified if the receiver already had a reference copy of the image for comparison. I have done this by hand: an application that encrypts a message in an image or audio file would be much faster.
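
A decoder and encoder for the hand-worked scheme above, as an added example that is not part of the original notes. It reads the pixel values from the table, treats a channel equal to the reference as 1 and a deviating channel as 0, and assumes every reference channel is above zero; the function names are hypothetical.

```python
REFERENCE = "58c314"   # key color from the notes; an unchanged channel means bit 1

# Pixel values copied from the table in the notes, reference cell first.
PIXELS = ["58c314", "57c313", "58c213", "58c313", "58c314",
          "57c313", "57c214", "58c213", "58c214", "57c314",
          "58c214", "58c213", "58c313", "57c313", "58c213"]

def channels(hex_color):
    """Split 'rrggbb' into three integer channel values."""
    return [int(hex_color[i:i + 2], 16) for i in (0, 2, 4)]

def pixel_bits(pixel, reference):
    """One bit per channel: '1' if it matches the reference, '0' if it deviates."""
    return "".join("1" if p == r else "0"
                   for p, r in zip(channels(pixel), channels(reference)))

def decode(pixels, reference=REFERENCE):
    """Skip the leading reference pixel, join the bits, ignore trailing padding."""
    bits = "".join(pixel_bits(p, reference) for p in pixels[1:])
    usable = len(bits) - len(bits) % 8          # padding never fills a whole byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def encode(message, reference=REFERENCE):
    """Inverse of decode: lower a channel by one for each 0 bit, pad with 1s."""
    bits = "".join(f"{byte:08b}" for byte in message)
    bits += "1" * (-len(bits) % 3)              # fill the last pixel
    ref = channels(reference)                   # assumption: all channels > 0
    pixels = [reference]
    for i in range(0, len(bits), 3):
        chans = [c if b == "1" else c - 1 for c, b in zip(ref, bits[i:i + 3])]
        pixels.append("".join(f"{c:02x}" for c in chans))
    return pixels

if __name__ == "__main__":
    print(decode(PIXELS))
    print(encode(b"hi"))
```

The last pixel carries only one data bit, so its remaining two channels are padding and do not affect the decoded text.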

The text considers some methods that make the things we do safer.

  • We have already seen that Secure Sockets Layer (SSL) should be used to conduct encrypted transactions over the web. When you are using SSL, you are using HTTPS instead of HTTP.
  • S-HTTP is not the same as HTTPS. S-HTTP is another version of HTTP that supports transferring files with encryption, digital certificates, or both. This article on Wikipedia discusses the differences between HTTPS and S-HTTP.
  • We have discussed using S/MIME to encrypt email. The text also mentions using Privacy Enhanced Mail (PEM) and PGP (discussed above).

The text turns to wireless networks for a moment, and mentions two widely used standards, WEP and WPA. You should know that WEP is no longer considered secure and should not be used. Note the comparison of WEP and WPA on page 385. When you set up a wireless access point, WEP is still offered as an encryption choice. Don't use it. Use WPA2 instead, unless you have to provide access to devices that do not speak it.

Bluetooth is discussed on page 386. It is for short range communications. The text says 30 feet or less. 10 feet may be a more probable limit. The problem with Bluetooth is that it is not secure, so eavesdropping and worse are possible for any device that has Bluetooth enabled and accepts pairing requests.

Assignment 1: Chapter 8 review questions

  1. Review Questions for chapter 8 start on page 393. Answer numbers 3, 4, 5, 7, 12, and 13.

Assignment 2: Social Engineering

  1. Read page 8 of the handout on the social engineering competition.
  2. Work in a group of at least 3 people. People must be named on your submission.
  3. Pick at least three items from page 8 of the pdf. Create a strategy in your group to obtain this information from a hypothetical target company.
  4. Submit your strategies, along with your ideas about what the selected information could be good for.