SAS InfoSec Training
Download
Report
Transcript SAS InfoSec Training
InfoSec Training
Encryption
Copyright Justin Klein Keane
<[email protected]
Terminology
Plaintext
Ciphertext
Encrypt
Decrypt
Copyright Justin Klein Keane
<[email protected]
About Encryption
Idea is to obscure messages from observation
Encryption can be used to protect secrets but
also:
To verify identity
To verify authenticity
To verify integrity
To verify authorization
Copyright Justin Klein Keane
<[email protected]
Not Encryption - Encoding
Encoding is a method to alter data
Follows a set of guidelines about how to
represent data in a specific format
Encoding is formatting, not data hiding
Copyright Justin Klein Keane
<[email protected]
Not Encryption - Hashing
Hashing uses a one way mathematical
algorithm to take an input and generate a
seemingly random, unique, output
Hashing the same input twice produces the
same output
There is no way to reverse a hash (i.e. You
can't go from a hash value to an original value)
Collisions – when two different inputs produce
the same hash
Copyright Justin Klein Keane
<[email protected]
How Encryption works
Take data
Apply an algorithm to the data
Use a key so that the process can be repeated
Output should be unintelligible
Copyright Justin Klein Keane
<[email protected]
Good Encryption
There is no good “proprietary” encryption
The best encryption schemes use open
standards and protocols
The standards and protocols are all well
understood, verified, reviewed and vetted
The secrecy is in the keys used
Copyright Justin Klein Keane
<[email protected]
Encryption Types
Symmetric (two way encryption)
Shared key
Asymmetric (one way encryption)
Public key (think RSA and PGP)
Copyright Justin Klein Keane
<[email protected]
Symmetric Encryption
Same key used to encrypt and decrypt
Very fast and computationally non-intensive
Issue is sharing the key
How do two parties trade keys in the presence
of an adversary?
Diffie-Hellman key exchange allows this
Copyright Justin Klein Keane
<[email protected]
Asymmetric Encryption
RSA is best example
Public and private keys are used
Public key used to encrypt
Private key used to decrypt
Thus public keys can be shared, private keys
are held closely
Key management is still an issue (is the public
key you have for John the right one?)
Copyright Justin Klein Keane
<[email protected]
Digital Signing
Uses public key crypto
A message is signed by turning it into a number,
and running an operation on the number using
the private key
Anyone with the public key can reverse the
operation and compare the numbers
This allows assertions that the holder of the
private key sent the message, and it was not
changed in transit
Copyright Justin Klein Keane
<[email protected]
Attacks on Crypto
Brute force (a lot trickier than you'd think)
Chosen plaintext attacks
Chosen ciphertext attacks
Birthday attack
Dictionary (precomputation) attack
Differential cryptoanalysis
Copyright Justin Klein Keane
<[email protected]
Digital Certificates
Used to validate the source of an encrypted
message
Certificate is passed to and verified by the client
Let's you know you're talking to the “real” bank
that you use
Certificate Authorities (CA's) are supposed to
verify identity before issuing certificates
Stolen certs are a very bad thing
Signing certs allow holders to issue sub-certs
Copyright Justin Klein Keane
<[email protected]
Real World Crypto
Whole disk encryption
HTTPS/SSL
SSH
PGP
VPN
Hashing
Two factor authentication
Copyright Justin Klein Keane
<[email protected]