CS459/559 - Network Security - Chapter 5: Encryption
Data Encryption - uses an algorithm which hides the meaning of the text
plaintext _______ ciphertext ________ original
---------------> |_______| -------------->|________| ----------->
plaintext
Why do we need encryption? ---- TRUST
A good cryptographic algorithm:
- Should be simple to use by authorized users
- Should be difficult and time consuming for non-authorized users to decrypt.
- The security of the data should not depend on the secrecy of the algorithm.
- The efficiency and security of the algorithm should not be data dependent.
Encryption Algorithms:
- substitution
- Caesar Cipher - monoalphabetic translation
- Vernam Cipher - uses one-time pad developed using random numbers
- transpositions (permutations)
- Columnar Transpositions
- Double Transpositons
- Public Key Systems - anyone can send a secret message to a user, but only the intended receiver would know how to decrypt the message.
- Merkle-Hellman Knapsacks - encodes a binary message as a solution to the knapsack problem (contains a trapdoor)
- Rivest-Shamir-Adelman(RSA) Encryption - uses number theory and factors of large numbers to encypt the data. (key should be at least 512 bits)
- Data Encryption Standard (DES) - uses 16 cycles of substitution and transposition of 64 bit blocks (uses a 56-bit key) [can be broken by brute force)
- Diffie-Hellman - public key algorithm used in Sun Microsystems RPCs and NFS (raises a constant to a power of a key generating a 192 bit key)
- IDEA (Intenational Data Encryption Algorithm) uses a 128-bit key.
- Public and Private Keys
- authentication - security method that uses digital signatures (provides for nonrepudiation)
- Private Key (symmetric) - sender & recipient must know same secret key (e.g. Kerebos) [DES, IDEA]
- Public Key (asymmetric) - public key is published and private key is kept secret by holder [RSA]
- Encryption Mechanisms
- RSA & DES
- encrypt message with random DES key (fast)
- encrypt DES key with RSA
- transmit DES-encrypted message and RSA-encrypted DES key (RSA digital envelope)
- PGP (Pretty Good Privacy) - public-key system for encrypting e-mail using IDEA & RSA. Encrypts message with a randomly generated IDEA key and then encrypts the key using the recipient's public key.
- IBM's Common Cryptographic Architecture (CCA) - supports DES, RSA, & Commercial Data Masking Facility (CDMF) algorithms across all IBM platforms
- Digital Certificates (digital ID) is a password-protected and encrypted file that contains identification information about its holder, including a public key to verify the sender's digital signature and a unique private key. Requires a third-party sign the key. [ex. Verisign]
X.509 digital signature
- subject's distinguished name(DN) used to identify certficate owner
- issuer's distinguished name (DN) identifies Certificate Authority
- subject's public key
- issuer's digital signature
- validity period
- serial number issued by the C.A.
- Using Verisign for e-commerce using SSL(Secure Sockets Layer)
server sends a digital ID when requested by the client which verifies the ID and the client returns a session key encrypted with the server's public key
- Verisign Class Structure (IDs for individuals, organizations, & software publishers
- Internet Content Certification
- Microsoft's Authenticode
- Netscape Communications' Object Signing
- Sun Microsystems' JavaSecurity
- Digital Postmarks (electronic postmark from U.S. Postal Service)
- Legal Aspects