Security+ - Chuck Easttom
CRYPTOGRAPHY
How does it impact cyber security and
why you need to know more?
$y^2 = x^3 + Ax + B$
WHAT YOU DON'T KNOW ABOUT
CRYPTOGRAPHY
And why it can hurt you
Alice computes $g^{ab} = (g^b)^a \bmod p$, and Bob computes $g^{ba} = (g^a)^b \bmod p$
19 Books
29 industry certifications
2 Masters degrees
6 Computer science related patents
Over 20 years experience, over 15 years
teaching/training
Helped create CompTIA Security+, Linux+, Server+.
Helped revise CEH v8
Frequent consultant/expert witness
Teaches crypto around the world
www.chuckeasttom.com
WHO IS THE SPEAKER?
Provide data Confidentiality
Data integrity
Identification and Authentication
Non-repudiation
WHAT DOES CRYPTO DO FOR
YOU?
General description of symmetric crypto (AES,
DES, Blowfish)
General description of asymmetric crypto (Diffie-Hellman,
RSA, DSA, and maybe ECC)
General description of digital signatures
General description of digital certificates
General description of protocols such as TLS
WHAT ARE THE LIMITS OF MOST
SECURITY PROFESSIONALS CRYPTO
KNOWLEDGE
Why learn crypto?
Kerckhoffs's principle
Bad crypto solutions
Dual_EC_DRBG backdoor
Is RSA Secure enough?
WHY?
“A cryptosystem should be secure even if
everything about the system, except the key, is
public knowledge”
- Auguste Kerckhoffs
The EnigmaDS story
http://money.cnn.com/2011/09/02/technology/un
hackable_code/
KERCKHOFFS'S PRINCIPLE
Windows SALT
What is SALT, and why does hashing need it?
How does it go wrong?
Keep it secret
Has to be simple enough to be fast
Has to be complex enough to not be ‘guessable’
Poor random number generators
How to select hard drive/file encryption
BAD CRYPTO SOLUTIONS
In 2013 Edward Snowden revealed that Dual_EC_DRBG had a
backdoor. However:
In 2004 suspicions of this were already circulating in the crypto
community.
In 2006 multiple papers were published suggesting
this.
In 2006 Bruce Schneier blogged about it.
The cyber security community may have been in
the dark on this issue, but the crypto community
was not.
DUAL_EC_DRBG BACKDOOR
What can you do?
Can you prevent them even if you don’t know
they are there?
WHAT ABOUT CRYPTOGRAPHIC
BACKDOORS?
The most widely used asymmetric cryptographic
algorithm may not be secure enough.
PROBLEMS WITH RSA
Heninger and Shacham
Zhao and Qi
Yeh, Huang, Lin, and Chang
Hinek
IS RSA STILL SECURE?
Heninger and Shacham (2009) found that RSA
implementations that utilized a smaller modulus
were susceptible to cryptanalysis attacks. A
smaller modulus can increase the efficiency of
an RSA implementation, but as Heninger and
Shacham (2009) showed, it may also decrease
the efficacy.
HENINGER AND SHACHAM
Heninger and Shacham (2009) utilized the fact of
the smaller modulus to reduce the set of possible
factors, thus decreasing the time needed to
factor the public key of an RSA implementation.
It is in fact a common practice to use a specific
modulus $e = 2^{16} + 1 = 65537$ (Heninger &
Shacham, 2009). If an RSA implementation is
using this common value for e, then factoring the
public key is a much simpler process.
HENINGER AND SHACHAM
Zhao and Qi (2007) also utilized implementations
that have a smaller modulus operator. The
authors of this study also applied modular
arithmetic, a subset of number theory, to
analyzing weaknesses in RSA. Many
implementations of RSA use a shorter modulus
operator in order to make the algorithm execute
more quickly.
ZHAO AND QI
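A defender-side check for the weaknesses named on the RSA slides above (short modulus, and the small private exponent with primes sharing bits from the Zhao and Qi reference), added here as an example and not taken from the presentation. The function names, the 2048-bit floor and the sample keys are assumptions of this example; the two numeric bounds are the key-generation criteria from FIPS 186-4.

```python
import math
MIN_BITS = 2048  # assumed policy floor for this example, not a figure from the slides

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin test, used only to build the constructed sample keys below."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    r, s = 0, n - 1
    while s % 2 == 0:
        r, s = r + 1, s // 2
    for b in bases:
        x = pow(b, s, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n

def audit_rsa_key(p, q, d):
    """Return findings for an RSA private key (primes p, q and private exponent d)."""
    n, findings = p * q, []
    half = n.bit_length() // 2
    if n.bit_length() < MIN_BITS:
        findings.append("modulus-too-short")
    if abs(p - q) <= 1 << max(half - 100, 0):   # FIPS 186-4: |p - q| > 2^(nlen/2 - 100)
        findings.append("primes-share-leading-bits")
    if d <= 1 << half:                          # FIPS 186-4: d > 2^(nlen/2)
        findings.append("small-private-exponent")
    return findings

# Constructed sample keys, generated here for the example (not from the slides).
P_OK, Q_OK = next_prime(7 << 1021), next_prime(3 << 1022)
D_OK = pow(65537, -1, math.lcm(P_OK - 1, Q_OK - 1))
P_BAD = next_prime(7 << 509)
Q_BAD = next_prime(P_BAD)   # adjacent prime: p and q agree in almost every bit
D_BAD = 65537               # private exponent picked small to make decryption fast
E_BAD = pow(D_BAD, -1, math.lcm(P_BAD - 1, Q_BAD - 1))  # matching public exponent
```

`audit_rsa_key(P_OK, Q_OK, D_OK)` returns an empty list, while the second key trips all three checks.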
Hinek, M. (2009). Cryptanalysis of RSA and its variants.
England: Chapman and Hall.
Heninger, N., Shacham, H. (2009). Reconstructing RSA
private keys from random key bits. Advances in
Cryptology Lecture Notes in Computer Science, 1 (1).
doi:10.1007/978-3-642-03356-8_1.
Yeh, Y., Huang, T., Lin, H., Chang, Y. (2009). A study on
parallel RSA factorization. Journal of Computers, 4 (2),
112-118. doi:10.4304/jcp.4.2.112-118
Zhao, Y., Qi, W. (2007). Small private-exponent attack on
RSA with primes sharing bits. Lecture Notes in Computer
Science, 2007, 4779 (2007) 221-229. doi:10.1007/978-3-540-75496-1_15
RSA RESOURCES
http://www.cryptocorner.com/
Professor Dan Boneh’s course online
https://class.coursera.org/crypto-preview/lecture
Modern Cryptography: Applied Mathematics for
Encryption and Information Security by Chuck
Easttom from McGraw Hill (out by August 2015)
Applied Cryptography: Protocols, Algorithms, and
Source Code in C by Bruce Schneier
Secret History: The Story of Cryptography by Bauer
Modern Cryptanalysis: Techniques for Advanced
Code Breaking by Swenson
HOW TO LEARN MORE?