Basic Security Cryptography, Concepts and IPsec
Security: What do we require from a data security system? Confidentiality: only the intended recipient can read the data. Integrity: no one can change data in transit. Authentication: I am who I say I am. Non-repudiation: proof of message sent or received.
Encryption: The solution is encryption. Take the message (plain text). Apply some algorithm to each of the letters (the cipher). Generate the encrypted message (cipher text).
Method and Key: Encryption has two major components. Method: this is publicly known. Key: this is a secret known only to the two parties who are communicating.
Simple Encryption: Substitution. Caesar cipher: replace each letter in the plain text by another letter ‘n’ places up in the alphabet. Encryption method: substitution. Encryption key: N=3. Veni, vidi, vici.
Simple Encryption Problems: Simple encryption systems can be broken by statistical analysis. The letter ‘e’ occurs 13% of the time in English texts. Distribution statistics exist for all the letters in an alphabet/language. With the power of computing, it is easy to try several alternatives. With Caesar’s there were only 26 possible keys.
Making it harder to crack: Polyalphabetic substitution ciphers rotate the key in use. This means each time a specific letter occurs it may be substituted by a different letter. Hence it is more complex to analyse.
Polyalphabetic substitution: Keyword BED. Use 1, 4, 3, 1, 4, 3, …
Polyalphabetic substitution: Keyword is BED. Encryption method: substitution. Encryption key: 1, 4, 3 and then repeat.
Polyalphabetic substitution: How to crack this? Statistical analysis. Guess the codeword length, say 4. Analyse every 4th letter for a distribution. If no pattern emerges, try every 3rd, etc. With the power of computing, it is easy to try several alternatives. Again, with modern computing we can analyse the cipher text and crack the code.
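The Caesar and keyword-BED ciphers above and the "analyse every nth letter" attack, as an added Python example that is not part of the original slides. The frequency table is approximate, SAMPLE is a constructed plaintext, and the function names are this example's own; the key length is assumed to have been guessed already.

```python
from collections import Counter

# Approximate English letter frequencies in percent, a to z.
FREQ = dict(zip("abcdefghijklmnopqrstuvwxyz", [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

# Constructed sample plaintext (not from the slides).
SAMPLE = (
    "the general sent a letter to the northern fort asking for more men and "
    "horses before the winter set in and the roads were closed by snow the "
    "messenger rode through the night and reached the gate at dawn where the "
    "guards let him enter and rest he handed over the letter and waited in "
    "the hall while the commander read it and then sent his answer back to "
    "the south"
)

def shift_cipher(text, shifts, decrypt=False):
    """Move each letter up the alphabet by the next value in `shifts`,
    cycling: [3] is Caesar with N=3, [1, 4, 3] is the keyword BED."""
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = shifts[i % len(shifts)] * (-1 if decrypt else 1)
            out.append(chr((ord(ch) - base + k) % 26 + base))
            i += 1  # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)

def best_shift(letters):
    """Try all 26 keys; keep the one whose decryption looks most like English."""
    counts = Counter(letters)
    def score(k):
        return sum(n * FREQ[chr((ord(c) - 97 - k) % 26 + 97)]
                   for c, n in counts.items())
    return max(range(26), key=score)

def crack(ciphertext, period):
    """Treat every period-th letter as its own Caesar cipher and solve each."""
    letters = [c for c in ciphertext.lower() if c.isascii() and c.isalpha()]
    return [best_shift(letters[i::period]) for i in range(period)]

if __name__ == "__main__":
    print(shift_cipher("Veni, vidi, vici", [3]))
    print(crack(shift_cipher(SAMPLE, [1, 4, 3]), 3))
```

Rotating the key only splits the ciphertext into several Caesar problems, so the work grows with the keyword length rather than with the number of possible keywords.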
Other Encryption Systems: Transposition ciphers. Re-order the letters in the message. Use a key to specify the re-ordering sequence.
Transposition ciphers: Message: I CAME I SAW I CONQUERED. Write the message into the box, ignoring the spaces. Insert random characters at the end of the message to fill the grid. Choose the key: 3, 2, 4, 1, 5. Read out the letters in column order: CSOR AANE MWQD IICE EIUZ.
Breaking Transposition ciphers: Look for common letter groups (“THE”, “ING”, “RED”, “CH”) at regular spacing, e.g. 4. When finding a pattern, look with the same spacing for other groups. [Diagram: letter groups SAW and RED, column order 2 1 3.]
Confusion and Diffusion: Cracking substitution relies on spotting letter frequency and knowing the letters are in the correct position. Cracking transposition relies on knowing we have the correct letters and moving the letters into the correct place. Used together, they produce a cipher that is ‘virtually impossible’ to cryptanalyse. We break these by brute force: try all possible keys. Bigger keys (more bits) take longer to break.
Cipher Machines: Down the ages cipher machines were developed, such as the famous German Enigma machine.
Security: Data Encryption Standard (DES). Uses substitution and transposition. Initial proposal used 128 bit key. US NSA requested key to be reduced to 56 bits. With enough computing power this can now be broken in less than 3 hours by brute force attack. Replaced with Triple DES: uses cascaded DES encryption; 3 * 56 bit key = 168 bit key; 2 key version 10^13 times stronger than DES.
Symmetric encryption: In shared key encryption, a single key is used for both encryption and decryption of the data. Only the trusted parties must know the shared secret key. DES, 3DES, IDEA, and Blowfish are examples of shared key encryption.
Does this encryption system solve all our requirements? Confidentiality: Yes. Integrity: No, the message may be incorrect; we can use a hash algorithm. Authentication: Yes, assuming no one has stolen the key.
Problems with symmetric encryption: Two big problems exist. Scalability: for each secure channel we need a unique pair. Key distribution: how do we distribute the key to the two ends of the link? What if I want 1 million secure links?
New Solutions: Public-private keys. Diffie-Hellman key exchange. Developed by mathematicians who focussed on prime numbers, modular arithmetic and one-way functions.
Public Key Encryption: Ron Rivest, Adi Shamir and Leonard Adleman produced a popular encryption method called RSA. Using modular mathematics they generated two inter-related keys: a public key and a private key.
Public Key Encryption: Keys are generated as a pair: public key and private key. Given one key, the other key cannot be derived. Data encrypted with one key can only be decrypted with the other key.
Public Key Encryption: [Diagram: Alice and Bob; the message “Pay to Terry Smith £100.00” is encrypted with A pub into cipher text and decrypted with A pri.]
Does this encryption system solve all our requirements? Confidentiality: Yes. Integrity: No, the message may be incorrect unless we use a hash algorithm. Authentication: No, our public key is publicly available.
How to make Authentication with Public and Private Keys: Use your own private key to encrypt your ‘signature’ (digital signature). You’re the only one with your private key, hence the message can be authenticated. The recipient can check your signature by ‘decrypting’ it with your public key.
Public Key Encryption with Signatures: [Diagram: Bob encrypts the message “Pay to Terry Smith £100.00” with A pub and encrypts the ‘signature’ “From Bob (12)” with B pri; the two are sent together.]
Public Key Decryption with Signatures: [Diagram: Alice decrypts the message with A pri and decrypts the ‘signature’ “From Bob (12)” with B pub.]
Message in transit to Alice: The message is encrypted with Apub and decrypted with Apri. Only Alice can do this; anyone could have encrypted it. The signature is encrypted (signed) with Bpri and decrypted with Bpub. Anyone with Bpub can do this, but only the one with the Bpri key could have signed it.
Is this secure? It relies on knowing you have Bpub and it really is Bob’s public key. You need to be sure, so get Bob’s public key from a trusted source. The key must be signed by someone you already trust. You must have the signer’s public key to check their signature. A trusted key authority (Certificate Authority). This is called a digital certificate.
Digital Certificate: [Diagram: Bob’s public key, signed with the CA private key.]
RSA Algorithm and Prime numbers: Relies on not being able to derive one key from the other. Based on prime numbers and modular arithmetic.
Prime number basics: A prime number is a whole number that can only be divided by itself and 1: 2, 3, 5, 7, 11, 13, 17, 19, 23, … Do primes go on to infinity? Can we use a formula to calculate the list of prime numbers? Is there any pattern to their position in the set of natural numbers?
Primes in cryptography: RSA relies on equations that are easy to compute in one direction, but very difficult in the other. For example, 34 * 24 = 816. What two numbers when multiplied give 816? There are multiple solutions; factorise the answer to solve. What happens when the numbers are primes? 19 * 23 = 437. What two numbers when multiplied give 437? There is only one solution. How can we find it? What about the product 1506181? Can you solve it?
Cryptanalysis of RSA: One method of cracking RSA encryption tries to factorise these very large products of two primes. Understanding the distribution of primes may be the ‘key’ to solving this problem. Many number theorists have tried to understand how primes are distributed. One such theory that may help is the Riemann Hypothesis. The hypothesis concerns the distribution of zeros in Riemann’s zeta function. The distribution of zeros has been proved to be the same as the distribution of primes. Proving this hypothesis, and thus understanding the distribution of primes, could lead to being able to crack RSA encryption.
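The key pair, the signature check and the factoring question from the slides above, as an added Python example that is not part of the original deck. It builds a toy RSA key from the slide's primes 19 and 23; the public exponent e = 5, the SHA-256 digest reduced below n, and all function names are assumptions of this example.

```python
import hashlib
from math import gcd

def factor_semiprime(n):
    """Trial division: return (p, q) with p <= q, or None if n is prime."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None

def make_keys(p, q, e):
    """Build a toy key pair from two primes: public (e, n), private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)  # d is the inverse of e mod phi

def apply_key(value, key):
    """RSA's single operation: value^exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)

def digest(message, n):
    """Hash the message and reduce it below n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """'Encrypt' the digest with the private key."""
    return apply_key(digest(message, private[1]), private)

def verify(message, signature, public):
    """'Decrypt' the signature with the public key and compare digests."""
    return apply_key(signature, public) == digest(message, public[1])

def recover_private(public):
    """Derive the private key from the public key alone by factoring n.
    Feasible only because n is tiny; this is what key size protects against."""
    e, n = public
    p, q = factor_semiprime(n)
    return make_keys(p, q, e)[1]

if __name__ == "__main__":
    pub, pri = make_keys(19, 23, 5)
    cheque = b"Pay to Terry Smith 100.00"
    print("keys:", pub, pri)
    print("round trip:", apply_key(apply_key(100, pub), pri))
    print("signature valid:", verify(cheque, sign(cheque, pri), pub))
    print("1506181 =", factor_semiprime(1506181))
    print("private key from public key:", recover_private(pub))
```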
With RSA why do we still use a Symmetric System? RSA with certificates provides authentication, confidentiality, and integrity. However, the algorithm is computationally intensive. Not suitable for bulk or real time encryption; symmetrical encryption is needed for this. DES, 3DES and AES can be done in real time. Still need the shared secret key.
Diffie-Hellman Key Exchange: The Diffie-Hellman algorithm provides a way for two users, Bob and Alice, to establish a shared secret key that only they know. They then use the key for symmetrical encryption (e.g. 3DES). The shared secret key can be established even though Bob and Alice are communicating over an insecure channel.
Diffie-Hellman Key Exchange
1. Peer A: generate large integer p, send p to Peer B, receive q, generate g. Peer B: generate large integer q, send q to Peer A, receive p, generate g.
2. Peer A: generate private key XA. Peer B: generate private key XB.
3. Peer A: generate public key YA = g ^ XA mod p. Peer B: generate public key YB = g ^ XB mod p.
4. Peer A: send public key YA. Peer B: send public key YB.
5. Peer A: generate shared secret number ZZ = YB ^ XA mod p. Peer B: generate shared secret number ZZ = YA ^ XB mod p.
6. Both peers: generate shared secret key from ZZ (56-bit for DES, 168-bit for 3DES).
Very Simple Guide to Diffie Hellman (without modular arithmetic): Pub = g ^ Pri. Let g = 2. Choose private keys: Alice Apri = 3, Bob Bpri = 4. Generate public keys: Apub = 2^3 = 8, Bpub = 2^4 = 16. Swap public keys: Apub = 8, Bpub = 16. Compute shared secret key: Bob SS = Apub ^ Bpri = 8^4 = 4096; Alice SS = Bpub ^ Apri = 16^3 = 4096. Both ends have the same shared secret key. How does it work? SS = (2 ^ Apri) ^ Bpri = (2^3)^4 and SS = (2 ^ Bpri) ^ Apri = (2^4)^3, so SS = 2 ^ (Bpri * Apri) = 2^12 = 4096. Remember it is really Pub = g ^ Pri MOD p. We can’t go back from public key to work out the private key.
More Realistic Guide to Diffie Hellman: Pub = g ^ Pri MOD p, with g = 5 and p = 23. Alice: Apri = 6, Apub = 5^6 MOD 23 = 8. Bob: Bpri = 15, Bpub = 5^15 MOD 23 = 19. Remember Pub = g ^ Pri MOD p. We can’t go back! Bob: SS = Apub ^ Bpri MOD 23 = 8^15 MOD 23 = 2. Alice: SS = Bpub ^ Apri MOD 23 = 19^6 MOD 23 = 2. SS = 5^(6*15) MOD 23 = 2.
Problem: How can Bob be sure that he is speaking to Alice when running Diffie-Hellman? Some sort of authentication is required. Pre-shared keys: not scalable. Digital certificates: need a certificate authority; scalable.
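The exchange with the slide's numbers (g = 5, p = 23, private keys 6 and 15), as an added Python example that is not part of the original slides. It also shows two things the slides only state: "we can't go back" holds only when p is large, and without authentication both peers can end up keyed to a relay instead of each other. SHA-256 as the step 6 key derivation, the relay's private value 3 and the function names are assumptions.

```python
import hashlib

def dh_public(g, p, private):
    """Step 3 on the slide: Y = g^X mod p."""
    return pow(g, private, p)

def dh_shared(peer_public, private, p):
    """Step 5 on the slide: ZZ = Y_peer^X mod p."""
    return pow(peer_public, private, p)

def derive_key(zz, nbytes):
    """Step 6: turn ZZ into key bytes (SHA-256 is an assumed derivation)."""
    raw = zz.to_bytes((zz.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(raw).digest()[:nbytes]

def brute_force_private(g, p, public):
    """Recover X from Y by trying every exponent; feasible only for tiny p."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

def exchange(g, p, a_pri, b_pri, middle_pri=None):
    """Run the exchange and return (ZZ at Alice, ZZ at Bob). If middle_pri
    is set, an unauthenticated relay replaces both public keys in transit."""
    a_pub, b_pub = dh_public(g, p, a_pri), dh_public(g, p, b_pri)
    if middle_pri is not None:
        a_pub = b_pub = dh_public(g, p, middle_pri)
    return dh_shared(b_pub, a_pri, p), dh_shared(a_pub, b_pri, p)

if __name__ == "__main__":
    G, P, A_PRI, B_PRI = 5, 23, 6, 15
    print("Apub, Bpub:", dh_public(G, P, A_PRI), dh_public(G, P, B_PRI))
    print("shared secret at both ends:", exchange(G, P, A_PRI, B_PRI))
    print("56-bit key from ZZ:", derive_key(2, 7).hex())
    # With p = 23 the private key falls out of 22 trial exponents.
    print("Apri recovered from Apub:", brute_force_private(G, P, 8))
    # Neither peer can tell that the key it received was swapped.
    print("with a relay in the path:", exchange(G, P, A_PRI, B_PRI, middle_pri=3))
```

With the relay present the two ends hold different secrets (6 and 5 here), each shared with the relay, which is why IKE authenticates the peers with pre-shared keys or certificates before trusting the exchange.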
Virtual Private Networks: A connection over a network (such as the internet) between two other networks, that makes the two networks operate as if they were connected. They need not be encrypted, but often are. Not encrypted: GRE VPN. Encrypted: IPSEC VPN.
IPSEC VPN: Encrypt the whole IP datagram (possibly header and all). Build a tunnel (embed the packet in a new IP header). Send over the insecure network to the other end of the tunnel.
IPSEC Virtual Private Networks: Use authentication to establish who is at the other end. Use Diffie-Hellman to generate shared secret keys. Use a symmetrical system (DES) to encrypt data.
Pulling it all together: IKE (Internet Key Exchange). IKE Phase 1 uses ISAKMP. IKE Phase 2 uses transform sets. An access list specifies interesting traffic. The crypto map pulls it all together.
IPSEC VPN: ISAKMP policy: authenticate, agree encryption, generate keys (group 1, 2 or 5). IPSEC transform set: bulk encryption and authentication method; tunnel / transport mode.
IPSEC VPN: Interesting traffic for the VPN is specified by an access list. The crypto map pulls it all together and is applied on an interface.