public key infrastructure – tell me in plain english and then deep technical how pki works steve...
Post on 21-Dec-2015
Public Key Infrastructure – tell me in plain English AND THEN deep technical how PKI works
Steve Lamb
[email protected]
http://blogs.technet.com/steve_lamb
IT Pro Security Evangelist
Microsoft Ltd
Objectives
Demystify commonly used terminology
Explain how PKI works
Get you playing with PKI in the lab
Make some simple recommendations

Agenda
Foundational Concept (level 200)
PKI and Signatures (level 330)
Recommendations (level 310)
Reference material
Common Algorithms (level 360)

What can PKI enable?
Secure Email – sign and/or encrypt messages
Secure browsing – SSL – authentication and encryption
Secure code – authenticode
Secure wireless – PEAP & EAP-TLS
Secure documents – Rights Management
Secure networks – segmentation via IPsec
Secure files – Encrypted File System (EFS)
Encryption vs. Authentication
Encrypted information cannot be automatically trusted
You still need authentication
Which we can implement using encryption, of course

Assets
What are we securing?
Data
Services (i.e. business etc. applications or their individually accessible parts)
This session is not about securing:
People (sorry), cables, carpets, typewriters and computers (!?)
Some assets are key assets
Passwords, private keys etc…

Digital Security as Extension of Physical Security of Key Assets
(slide diagram: three combinations and their outcome)
Strong physical security of key assets + strong digital security = good security everywhere
Weak physical security of key assets + strong digital security = insecure environment
Strong physical security of key assets + weak digital security = insecure environment
Symmetric Key Cryptography
(slide diagram)
Plain-text input: “The quick brown fox jumps over the lazy dog”
Encryption -> Cipher-text: “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”
Decryption -> Plain-text output: “The quick brown fox jumps over the lazy dog”
Same key (shared secret) is used for encryption and decryption

Symmetric Pros and Cons
Strength:
Simple and really very fast (order of 1000 to 10000 faster than asymmetric mechanisms)
Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)
Weakness:
Must agree the key beforehand
Securely pass the key to the other party
Public Key Cryptography
Knowledge of the encryption key doesn’t give you knowledge of the decryption key
Receiver of information generates a pair of keys
Publish the public key in a directory
Then anyone can send him messages that only he can read

Public Key Encryption
(slide diagram)
Clear-text input: “The quick brown fox jumps over the lazy dog”
Encryption with the recipient’s public key -> Cipher-text: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
Decryption with the recipient’s private key -> Clear-text output: “The quick brown fox jumps over the lazy dog”
Different keys: the recipient’s public key encrypts, the recipient’s private key decrypts

Public Key Pros and Cons
Weakness:
Extremely slow
Susceptible to “known ciphertext” attack
Problem of trusting public key (see later on PKI)
Strength:
Solves problem of passing the key
Allows establishment of trust context between parties
Hybrid Encryption (Real World)
(slide diagram)
Message: Launch key for nuclear missile “RedHeat” is...
RNG -> randomly-generated symmetric “session” key
Symmetric encryption (e.g. DES) of the message with the session key -> cipher-text: *#$fjda^ju539!3tt389E *&\@5e%32\^kd
Symmetric key encrypted asymmetrically (e.g., RSA) with the user’s public key (in certificate) -> Digital Envelope
As above, repeated for other recipients or recovery agents: other recipient’s or agent’s public key (in certificate) in recovery policy -> further Digital Envelopes

Hybrid Decryption
(slide diagram)
Digital envelope contains “session” key encrypted using recipient’s public key
Asymmetric decryption of “session” key (e.g. RSA) with the recipient’s private key -> symmetric “session” key
Session key must be decrypted using the recipient’s private key
Symmetric decryption (e.g. DES) of the cipher-text with the session key -> Launch key for nuclear missile “RedHeat” is...
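As an added example that is not part of the original deck, the two envelope diagrams above (and the symmetric step from the earlier slide) in runnable Python using only the standard library. The recipient key is textbook RSA built from two Mersenne primes with no padding, and the symmetric step is a SHA-256 counter-mode keystream standing in for “symmetric encryption (e.g. DES)”; both are constructed purely to show the structure (random session key, symmetric encryption of the payload, asymmetric wrap of the session key, then the reverse on the recipient’s side). The function names seal, open_envelope and keystream_xor are my own; the message is the slide’s sample text.

```python
import hashlib
import secrets

# Constructed recipient key (assumption: textbook RSA over two Mersenne primes,
# public exponent 65537, no padding). Toy-sized, for illustration only.
P, Q = (1 << 61) - 1, (1 << 31) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the recipient holds this


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric step: a counter-mode keystream built from SHA-256(key || counter),
    XORed over the data. Toy PRF stream standing in for DES/AES in a stream mode;
    the same call encrypts and decrypts because XOR is its own inverse."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(plaintext: bytes, pub_n: int, pub_e: int) -> dict:
    """Sender side of the 'Hybrid Encryption' slide: RNG -> session key,
    symmetric encryption of the payload, RSA wrap of the session key."""
    session_key = secrets.randbits(64)            # randomly-generated "session" key
    key_bytes = session_key.to_bytes(8, "big")
    ciphertext = keystream_xor(key_bytes, plaintext)
    wrapped_key = pow(session_key, pub_e, pub_n)  # the digital envelope
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def open_envelope(env: dict, priv_n: int, priv_d: int) -> bytes:
    """Recipient side of the 'Hybrid Decryption' slide: unwrap the session key
    with the private key, then decrypt the payload symmetrically."""
    session_key = pow(env["wrapped_key"], priv_d, priv_n)
    key_bytes = session_key.to_bytes(8, "big")
    return keystream_xor(key_bytes, env["ciphertext"])


def demo() -> bool:
    """Round trip on the slide's sample message; True when the recipient recovers it."""
    msg = b'Launch key for nuclear missile "RedHeat" is...'   # constructed sample
    env = seal(msg, N, E)
    return open_envelope(env, N, D) == msg


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Adding a recovery agent is the “repeated for other recipients or recovery agents” step: the same session key is wrapped a second time with the agent’s public key, so the payload is encrypted once but the envelope carries one wrapped copy of the key per party allowed to open it.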
Breaking It on $10 Million
(key sizes in bits)
Symmetric Key | ECC Key | RSA Key | Time to Break   | Machines | Memory
56            | 112     | 420     | < 5 mins        | 10000    | Trivial
80            | 160     | 760     | 600 months      | 4300     | 4GB
96            | 192     | 1020    | 3 million years | 114      | 170GB
128           | 256     | 1620    | 10E16 years     | 0.16     | 120TB
From a report by Robert Silverman, RSA Laboratories, 2000
Public Key Distribution Problem
We just solved the problem of symmetric key distribution by using public/private keys
But…
Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill
People send confidential stuff to Bill
Bill does not have the private key to read them…
Scott reads Bill’s messages
Eureka!
We need PKI to solve that problem
And a few others…

How to Verify a Public Key?
Two approaches:
1. Before you use Bill’s public key, call him or meet him and check that you have the right one
   Fingerprint or hash of the key can be checked on the phone
2. Get someone you already trust to certify that the key really belongs to Bill
   By checking for a trusted digital signature on the key
   But there has to be one…
   And you have to have friends to trust in the first place…

Trust Models
Web-of-Trust (PGP)
Peer-to-peer model
Individuals digitally sign each other’s keys
You would implicitly trust keys signed by some of your friends
Trusted Authority + Path of Trust (CAs)
Everyone trusts the root Certificate Authority (Verisign, Thawte, BT etc.)
CA digitally signs keys of anyone having checked their credentials by traditional methods
CA may even nominate others to be CAs – and you would trust them automatically, too

Trust Models Issues and Future
Web-of-trust is more, erh, trustworthy
But it is time-consuming, requires lots of work and the general public doesn’t understand it
CAs tend to be a little bit like a big brother as we all have to trust them implicitly
But it is a simpler model, easier to deploy and manage
Combination strategy?
Let’s trust a CA that verifies keys by traditional strong methods and peer-to-peer recommendations
Creating a Digital Signature
(slide diagram)
Message or File: “This is a really long message about Bill’s…”
Hash function (SHA, MD5) -> 128-bit Message Digest: Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**
Calculate a short message digest from even a long input using a one-way message digest function (hash)
Asymmetric encryption of the digest with the signatory’s private key -> Digital Signature: Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs

Verifying a Digital Signature
(slide diagram)
Digital Signature: Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs
Asymmetric decryption (e.g. RSA) with the signatory’s public key -> recovered digest: Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**
Everyone has access to the trusted public key of the signatory
Original Message: “This is a really long message about Bill’s…”
Same hash function (e.g. MD5, SHA…) -> freshly computed digest
? == ? Are they the same?
Hash (Digest) Functions
MD5 and SHA
Just a hash value of between 128 bits (MD5) and 512 bits (SHA-512)
Great support in .NET and in CryptoAPI of Windows
.NET Fx also supports shorter SHAs (160, 256, and 384 bits)
Please don’t use (ever) any function with a 64-bit (or smaller) result

Message Authentication Codes
“MACs” – Typically, a combination of a hash function and a symmetric encryption
Integrity, authenticity but not non-repudiation
Must share the key!
HMAC: Digest + shared-secret encryption for up to 160 bit results
MACTripleDES: Encryption using 8, 16 or 24 bytes of TripleDES key on top of a hash
64 bit result (ouch!)
All of the above implemented in .NET Fx
Many others exist, notably UMAC
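As an added example that is not part of the deck: HMAC-SHA256 with Python’s standard hmac module, showing the integrity and authenticity the slide describes, why a bare hash is not a MAC, why the tag is compared in constant time, what a truncated 64-bit result costs, and why a MAC gives no non-repudiation (whoever holds the shared key, the receiver included, can mint a valid tag). The key and messages are constructed.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret-key"   # both sender and receiver hold this


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message: a 32-byte (256-bit) tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; a plain == on tags leaks timing."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def truncated_tag(key: bytes, message: bytes, n_bytes: int) -> bytes:
    """Shortened tag, as a MAC with a 64-bit result gives (n_bytes=8):
    guessing a valid tag then costs at most 2**(8*n_bytes) attempts."""
    return mac_tag(key, message)[:n_bytes]


def altered_in_transit_accepted(keyed: bool) -> bool:
    """Constructed exchange: the sender attaches either a bare hash or an HMAC,
    and the text is altered on the way. Returns True if the receiver accepts
    the altered message."""
    message, altered = b"pay 100 to account 42", b"pay 900 to account 42"
    if keyed:
        tag = mac_tag(SHARED_KEY, message)     # sender attaches HMAC
        # whoever altered the text has no key, so the original tag stays attached
        return verify_tag(SHARED_KEY, altered, tag)
    digest = hashlib.sha256(message).digest()  # sender attaches a bare hash
    digest = hashlib.sha256(altered).digest()  # the alterer simply recomputes it
    return hashlib.sha256(altered).digest() == digest


def receiver_can_mint_tag() -> bool:
    """No non-repudiation: the receiver, holding the same key, can produce a tag
    for text the sender never wrote, and it verifies exactly like a genuine one."""
    fabricated = b"pay 1000000 to account 42"
    tag_by_receiver = mac_tag(SHARED_KEY, fabricated)
    return verify_tag(SHARED_KEY, fabricated, tag_by_receiver)


def integrity_demo() -> dict:
    message = b"pay 100 to account 42"
    tag = mac_tag(SHARED_KEY, message)
    return {
        "tag_bits": len(tag) * 8,
        "original_accepted": verify_tag(SHARED_KEY, message, tag),
        "wrong_key_accepted": verify_tag(b"other-key", message, tag),
        "truncated_bits": len(truncated_tag(SHARED_KEY, message, 8)) * 8,
    }


if __name__ == "__main__":
    print(integrity_demo())
    print("hash-only, altered accepted:", altered_in_transit_accepted(keyed=False))
    print("HMAC, altered accepted:", altered_in_transit_accepted(keyed=True))
    print("receiver can mint a valid tag:", receiver_can_mint_tag())
```

The contrast with the signature slides is the last function: a digital signature can only be produced by the private-key holder, so a third party can attribute it to the signer, while an HMAC tag could have come from either end of the shared key.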
Certificates
The simplest certificate just contains:
Information about the entity that is being certified to own a public key
That public key
And all of this is
Digitally signed by someone trusted (like your friend or a CA)

X.509 Certificate
(slide diagram: Certificate Authority digital signature of all components together)
Serial Number
Issuer X.500 Distinguished Name
Validity Period
Subject X.500 Distinguished Name (e.g. OU=Contoso…)
Subject Public Key Information (the key or info about it)
Key/Certificate Usage
Extensions

Authentication with Certificates
1. Melinda gets Bill’s certificate
2. She verifies its digital signature
   She can trust that the public key really belongs to Bill
   But is it Bill standing in front of her, or is that Scott?
3. Melinda challenges Bill to encrypt for her a phrase etc. she just made up (“I really need more shoes”)
4. Bill has, of course, the private key that matches the certificate, so he responds (“*&$^%£$&£fhsdf*&EHFDhd62^&£”)
5. Melinda decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she challenged Bill with then it must really be Bill himself!
By the way, that’s the basic concept of how SSL works
What’s in the Store?
Most certificates are “safe”
No need to protect them too much, as they are digitally signed and only contain publicly available information
Store anywhere, a file or a “dumb” memory-only smartcard
Private keys (and certs that include them) that match the public key are extremely vulnerable
It is a Key Asset
You must protect them well
Store in “Protected Storage” on your OS or a “smart” smartcard that will have crypto functionality on board
Axalto’s .NET-enabled smart cards for instance

Word About Smartcards
Some smartcards are “dumb”, i.e. they are only a memory chip
Not recommended for storing a private key used in a challenge test (verifying identity)
Anyway, they are still better than leaving keys on a floppy disk or on the hard drive
Cryptographically-enabled smartcards are more expensive but they give much more security
Private key is secure and used as needed
Additional protection (password, biometrics) is possible
Hardware implements some algorithms
Self-destruct is possible
Certification Hierarchy
Most organisations do not use just one root key for signing certificates
Dangerous, if that one key is compromised
Does not scale to large organisations
Difficulty in managing responsibility
Certificate Hierarchies
Start with CA root cert
Create more levels in your organisation (for departments etc.)
Validating a cert possibly involves validating a path of trust
Cross-certification is also possible
This is the heart of “Planning of PKI”

Certificate Validation
Essentially, this is just checking the digital signature
But
You may have to “walk the path” of all subordinate authorities until you reach the root
Unless you explicitly trust a subordinate CA
(slide diagram: a chain of three certificates)
Issuer: PB CA, Subject: Rafal -> check DS of OCG CA
Issuer: Xanadu Root, Subject: PB CA -> check DS of Xanadu
Issuer: Xanadu Root, Subject: Xanadu Root -> “In Xanadu We Trust” (installed root CA certificate)
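The signing and verifying diagrams, the “simplest certificate” slide and the path-walking above, as one added Python example that is not part of the original deck. It uses textbook RSA over Mersenne primes (no padding, toy-sized, an assumption made so the block runs with only the standard library), SHA-256 as the one-way digest, a minimal certificate (subject, issuer, subject public key, and the issuer’s signature over all of it) and the slide’s names Xanadu Root, PB CA and Rafal. The installed root is identified by a fingerprint of its key, which is the “hash of the key checked on the phone” idea from the earlier slide. All function names are my own.

```python
import hashlib
import json

E = 65537  # public exponent (assumption: shared by every toy key here)


def keypair(p: int, q: int) -> tuple:
    """Textbook RSA (n, e, d) from two primes. Toy only: no padding, small moduli."""
    n = p * q
    return n, E, pow(E, -1, (p - 1) * (q - 1))


def digest_int(data: bytes, n: int) -> int:
    """One-way message digest (SHA-256), reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    """Creating a signature: hash first, then apply the private key to the digest."""
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    """Verifying: apply the public key to the signature, re-hash, compare digests."""
    return pow(sig, e, n) == digest_int(data, n)


def fingerprint(pub: tuple) -> str:
    """Hash of a public key: the short value you read out to check a key by hand."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


def tbs_bytes(cert: dict) -> bytes:
    """The to-be-signed part: every field except the signature, serialised canonically."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(subject: str, subject_pub: tuple, issuer: str, issuer_key: tuple) -> dict:
    """Minimal certificate: who, their public key, who vouches, the voucher's signature."""
    cert = {"subject": subject, "issuer": issuer, "pub": list(subject_pub)}
    n, _, d = issuer_key
    cert["signature"] = sign(tbs_bytes(cert), n, d)
    return cert


def validate_chain(chain: list, trusted_root_fp: str) -> bool:
    """Walk the path leaf -> ... -> root. Each certificate must name the next one as
    issuer and verify under its key; the last must be self-signed and match the
    fingerprint of the installed root."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        n, e = issuer_cert["pub"]
        if cert["issuer"] != issuer_cert["subject"]:
            return False
        if not verify(tbs_bytes(cert), cert["signature"], n, e):
            return False
    root = chain[-1]
    n, e = root["pub"]
    if root["issuer"] != root["subject"]:
        return False
    if not verify(tbs_bytes(root), root["signature"], n, e):
        return False
    return fingerprint((n, e)) == trusted_root_fp


# Constructed keys: Mersenne primes, so the block needs no prime generation.
ROOT = keypair((1 << 61) - 1, (1 << 31) - 1)     # Xanadu Root
PB_CA = keypair((1 << 89) - 1, (1 << 13) - 1)    # PB CA (subordinate)
RAFAL = keypair((1 << 19) - 1, (1 << 17) - 1)    # end entity
TRUSTED_ROOT_FP = fingerprint(ROOT[:2])          # "In Xanadu We Trust": the installed root


def build_chain() -> list:
    root_cert = issue("Xanadu Root", ROOT[:2], "Xanadu Root", ROOT)  # self-signed
    pb_cert = issue("PB CA", PB_CA[:2], "Xanadu Root", ROOT)
    rafal_cert = issue("Rafal", RAFAL[:2], "PB CA", PB_CA)
    return [rafal_cert, pb_cert, root_cert]


def demo() -> tuple:
    """Returns (genuine chain valid, chain whose leaf key was replaced valid)."""
    chain = build_chain()
    genuine = validate_chain(chain, TRUSTED_ROOT_FP)
    # A certificate whose public key was swapped after issue: the issuer's
    # signature no longer covers what the certificate now claims, so it fails.
    swapped = [dict(chain[0]), chain[1], chain[2]]
    swapped[0]["pub"] = list(keypair((1 << 17) - 1, (1 << 13) - 1)[:2])
    return genuine, validate_chain(swapped, TRUSTED_ROOT_FP)


if __name__ == "__main__":
    print("genuine, swapped-key:", demo())
```

The fingerprint check at the end is what “installed root CA certificate” amounts to in practice: the chain can be internally consistent all the way up and still be worthless unless the top of it is a key you decided to trust out of band. Explicitly trusting a subordinate CA, as the slide mentions, is the same check applied to a shorter chain.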
Recommendations
Don’t be scared of PKI!
Set up a test environment to enable you to “play”
Minimise the scope of your first implementation
Read up on CP & CPS
Document the purpose and operating procedures of your PKI

Summary
Cryptography is a rich and amazingly mature field
We all rely on it, everyday, with our lives
Know the basics and make good choices avoiding common pitfalls
Plan your PKI early
Avoid very new and unknown solutions

References
Visit www.microsoft.com/security
Read sci.crypt (incl. archives)
Attend SEC499 for “Encryption in Detail” on Friday at 14.45 in Room 1
For more detail, read:
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html)
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)
Demonstrations
Secure Email – sign and/or encrypt messages
Secure browsing – SSL – auth and encryption
Secure code – authenticode - sigcheck
Secure wireless – PEAP & EAP-TLS
Secure documents – Rights Management
Secure networks – segmentation via IPsec
Secure files – Encrypted File System (EFS)

Copyright 2004 © Project Botticelli Ltd & Microsoft Corp. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.
Thanks to Rafal Lukawiecki for providing some of the content for this presentation deck – his contact details are as follows…
[email protected]
Strategic Consultant, Project Botticelli Ltd
DES, IDEA, RC2, RC5, Twofish (Symmetric)
DES (Data Encryption Standard) is still the most popular
Keys very short: 56 bits
Brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done real-time
Triple DES (3DES) more secure, but better options about
Just say no, unless value of data is minimal
IDEA (International Data Encryption Standard)
Deceptively similar to DES, and “not” from NSA
128 bit keys
RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994) - similar to DES and IDEA
Blowfish, Twofish
B. Schneier’s replacement for DES, followed by Twofish, one of the NIST competition finalists

Rijndael (AES)
Standard replacement for DES for US government, and, probably for all of us as a result…
Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in US) in 1997-2000
Comes from Europe (Belgium) by Joan Daemen and Vincent Rijmen. “X-files” stories less likely (unlike DES).
Symmetric block-cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too)
Fast and a lot of good properties, such as good immunity from timing and power (electric) analysis
Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different

CAST and GOST
CAST
Canadians Carlisle Adams & Stafford Tavares
64 bit key and 64 bit of data
Choose your S-boxes
Seems resistant to differential & linear cryptanalysis and only way to break is brute force (but key is a bit short!)
GOST
Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the process
256 bit key but really 610 bits of secret, so pretty much “tank quality”
Backdoor? Who knows…
Careful with Streams!
Do NOT use a block cipher in a loop
Use a crypto-correct technique for treating streams of data, such as CBC (Cipher Block Chaining)
For developers:
.NET Framework implements it as ICryptoTransform on a crypto stream with any supported algorithm

RC4 (Symmetric)
Fast, streaming encryption
R. Rivest in 1994
Originally secret, but “published” on sci.crypt
Related to “one-time pad”, theoretically most secure
But!
It relies on a really good random number generator
And that is the problem
Nowadays, we tend to use block ciphers in modes of operation that work for streams
RSA, DSA, ElGamal, ECC (Asymmetric)
Very slow and computationally expensive – need a computer
Very secure
RSA: Rivest, Shamir, Adleman – 1978
Popular and well researched
Strength in today’s inefficiency to factorise into prime numbers
Some worries about key generation process in some implementations
DSA (Digital Signature Algorithm) – NSA/NIST thing
Only for digital signing, not for encryption
Variant of Schnorr and ElGamal sig algorithm
ElGamal
Relies on complexity of discrete logarithms
ECC (Elliptic Curve Cryptography)
Really hard maths and topology
Improves RSA (and others)

Quantum Cryptography
Method for generating and passing a secret key or a random stream
Not for passing the actual data, but that’s irrelevant
Polarisation of light (photons) can be detected only in a way that destroys the “direction” (basis)
So if someone other than you observes it, you receive nothing useful and you know you were bugged
Perfectly doable over up-to-120km dedicated long fibre-optic link
Seems pretty perfect, if a bit tedious and slow
Practical implementations still use AES/DES etc. for actual encryption
Magiq QPN: http://www.magiqtech.com/press/qpn.pdf
Don’t confuse it with quantum computing, which won’t be with us for at least another 50 years or so, or maybe longer…
MD5, SHA
Hash functions – not encryption at all!
Goals:
Not reversible: can’t obtain the message from its hash
Hash much shorter than original
Two messages won’t have the same hash
MD5 (R. Rivest)
512 bits hashed into 128
Mathematical model still unknown
But it resisted major attacks
SHA (Secure Hash Algorithm)
US standard based on MD5

Diffie-Hellman, “SSL”, Certs
Methods for key generation and exchange
DH is very clever since you always generate a new “key-pair” for each asymmetric session
STS, MTI, and certs make it even safer
Certs (certificates) are the most common way to exchange public keys
Foundation of Public Key Infrastructure (PKI)
SSL uses a protocol to exchange keys safely
See later
Cryptanalysis
Brute force
Good for guessing passwords, and some 40-bit symmetric keys (in some cases needed only 27 attempts)
Frequency analysis
For very simple methods only (US mobiles)
Linear cryptanalysis
For stronger DES-like, needs 2^43 plain-cipher pairs
Differential cryptanalysis
Weaker DES-like, needs from 2^14 pairs
Power and timing analysis
Fluctuations in response times or power usage by CPU

Strong Systems
It is always a mixture! Changes all the time…
Symmetric:
AES, min. 128 bits for RC2 & RC5, 3DES, IDEA, carefully analysed RC4, 256 bit better
Asymmetric:
RSA, ElGamal, Diffie-Hellman (for keys) with minimum 1024 bits (go for the maximum, typically 4096, if you can afford it)
Hash:
Either MD5 or SHA but with at least 128 bit results, 256 better

Weak Systems
Anything with 40-bits (including 128 and 56 bit versions with the remainder “fixed”)
Most consider DES as a fairly weak algorithm
CLIPPER
A5 (GSM mobile phones outside US)
Vigenère (US mobile phones)
Dates from 1585!
Unverified certs with no trust
Weak certs (as in many “class 1” personal certs)