Cryptography and Internet
Download
Report
Transcript Cryptography and Internet
Cryptography and
the Internet
Daryl Banttari
[email protected]
Introduction
Cryptography
‘There
are two kinds of
cryptography in this world:
cryptography that will stop your kid
sister from reading your files, and
cryptography that will stop major
governments from reading your
files. This book is about the latter.’
--Bruce Schneier, preface, “Applied Cryptography, Second Ed”
http://www.counterpane.com/actoc.html
Topics of Discussion
Types of Cryptography
Applications to the Internet
SSL
Digital
Signatures
Digital Signatures and SSL
E-Mail Encryption and
Authentication (PGP)
Types of Cryptography
Cryptographically Strong “Hash”
Functions (MD5)
Symmetric Key (Conventional)
Encryption
Public Key Encryption
The MD5 Hash
Algorithm
Hash("Hello1"):
7A6D1B13498FB5B3085B2FD887933575
Hash("Hello2"):
B83099B8CE596F31F2F60C8FD4D72826
Hash("Hello3"):
E1C0F8926581BE86F96BD0007371CCA0
Turns an arbitrary string into a 128-bit
“Message Digest” or “Hash”
Always creates the same hash when
given the same string
Impossible* to create a string from a
hash or to alter a string and produce the
same hash
Commonly used to verify that files are
unaltered
*Impossible: read “Practically Impossible.” It is believed to require 2128 operations to
produce a message that would create a given digest.
http://www.faqs.org/rfcs/rfc1321.html
Symmetric Encryption
Proven and Secure
Fast
Uses the same key to decrypt as
was used to encrypt
Requires “out of band”
communication to exchange the
key
Public Key Encryption
Pioneered by Whitfield Diffie and Martin
Hellman in 1975.
Data encrypted with the Public key can
only be decrypted with the Private key,
even by the encrypter
Data encrypted with Private key can only
be decrypted by the Public key
Commonly used to exchange a
conventional “session” key
Public key encryption algorithms include
RSA, DSA, Diffie-Hellman, Blowfish
SSL
Secure Server gives its Public key
to the client
The client generates a
conventional Session key
The client encrypts Session key
with server’s Public key
The rest of the communication
uses Session key for speed
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Digital Signatures
MD5 Hash created of document
Hash in encrypted with Private key and
appended to document
If the hash you decrypt using the
sender’s Public key matches your own
hash of the document:
The document must have been unaltered
in transit
The document must have come from the
sender
The combination of hash and private key
is a Digital Signature
SSL Certificate Signing
Encryption does not equal authentication
Some means needed of ensuring
consumer that they are sending their
credit card number to the people they
expect, not some lookalike Web server
Verisign et al diligently ensure the public
key belongs to a given organization
Attach organization info and expiration
date to public key
Digitally sign public key with attached info
Public key of major certificate signers
shipped with browsers
E-Mail Encryption and/or
Authentication
PGP is an open, reasonably easy method of
applying digital signatures and encryption to email
People and organizations can sign a message
that can then can be verified for authenticity by
their public key
PGP uses session keys like SSL, so messages
can be encrypted to multiple recipients without
multiplying size of message- think of a keyed
safe with multiple lock-boxes attached
You must have public key of recipient to encrypt
an e-mail to them, which makes encryption to
mailing lists, newsgroups, etc. unfeasible
http://www.pgpi.org/doc/pgpintro/
PGP “Web of Trust”
Anyone can upload keys to “Key
Servers”-- even fake keys
If you can verify that a key belongs to its
owner, you can sign that key, indicating
that you have verified ownership
The Web of Trust is established by
people signing other people’s keys; if
you trust Person A to diligently verify
identity of keys, and Person A signed
Person B’s key, then you can trust that
Person B’s key is authentic
ColdFusion’s hash()
Function
Hash("Hello1"):
7A6D1B13498FB5B3085B2FD887933575
Hash("Hello2"):
B83099B8CE596F31F2F60C8FD4D72826
Hash("Hello3"):
E1C0F8926581BE86F96BD0007371CCA0
Available with CF4.5
Generates md5 hashes of strings
in hex format (use char(32) to
store)
Useful for storing passwords so
they can’t be read or recreated
Append an arbitrary string to “salt”
the password hash to prevent
“hash dictionary” attacks
Summary
An understanding of why
encryption works is not necessary
for an understanding of how it
works
Although encryption and digital
signature technology seem
daunting, the processes are
conceptually simple
What do I do with this
info?
Hash passwords
Use encryption and authentication
methods for secure processes
Evangelize!