Transcript Cryptography and Internet

Cryptography and
the Internet
Daryl Banttari
[email protected]
Introduction

Cryptography
 ‘There
are two kinds of
cryptography in this world:
cryptography that will stop your kid
sister from reading your files, and
cryptography that will stop major
governments from reading your
files. This book is about the latter.’
--Bruce Schneier, preface, “Applied Cryptography, Second Ed”
http://www.counterpane.com/actoc.html
Topics of Discussion


Types of Cryptography
Applications to the Internet
 SSL
 Digital
Signatures
 Digital Signatures and SSL
 E-Mail Encryption and
Authentication (PGP)
Types of Cryptography



Cryptographically Strong “Hash”
Functions (MD5)
Symmetric Key (Conventional)
Encryption
Public Key Encryption
The MD5 Hash
Algorithm



Hash("Hello1"):
7A6D1B13498FB5B3085B2FD887933575
Hash("Hello2"):
B83099B8CE596F31F2F60C8FD4D72826
Hash("Hello3"):
E1C0F8926581BE86F96BD0007371CCA0

Turns an arbitrary string into a 128-bit
“Message Digest” or “Hash”
Always creates the same hash when
given the same string
Impossible* to create a string from a
hash or to alter a string and produce the
same hash
Commonly used to verify that files are
unaltered
*Impossible: read “Practically Impossible.” It is believed to require 2128 operations to
produce a message that would create a given digest.
http://www.faqs.org/rfcs/rfc1321.html
Symmetric Encryption




Proven and Secure
Fast
Uses the same key to decrypt as
was used to encrypt
Requires “out of band”
communication to exchange the
key
Public Key Encryption





Pioneered by Whitfield Diffie and Martin
Hellman in 1975.
Data encrypted with the Public key can
only be decrypted with the Private key,
even by the encrypter
Data encrypted with Private key can only
be decrypted by the Public key
Commonly used to exchange a
conventional “session” key
Public key encryption algorithms include
RSA, DSA, Diffie-Hellman, Blowfish
SSL




Secure Server gives its Public key
to the client
The client generates a
conventional Session key
The client encrypts Session key
with server’s Public key
The rest of the communication
uses Session key for speed
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Digital Signatures



MD5 Hash created of document
Hash in encrypted with Private key and
appended to document
If the hash you decrypt using the
sender’s Public key matches your own
hash of the document:
The document must have been unaltered
in transit
 The document must have come from the
sender


The combination of hash and private key
is a Digital Signature
SSL Certificate Signing



Encryption does not equal authentication
Some means needed of ensuring
consumer that they are sending their
credit card number to the people they
expect, not some lookalike Web server
Verisign et al diligently ensure the public
key belongs to a given organization
Attach organization info and expiration
date to public key
 Digitally sign public key with attached info
 Public key of major certificate signers
shipped with browsers

E-Mail Encryption and/or
Authentication




PGP is an open, reasonably easy method of
applying digital signatures and encryption to email
People and organizations can sign a message
that can then can be verified for authenticity by
their public key
PGP uses session keys like SSL, so messages
can be encrypted to multiple recipients without
multiplying size of message- think of a keyed
safe with multiple lock-boxes attached
You must have public key of recipient to encrypt
an e-mail to them, which makes encryption to
mailing lists, newsgroups, etc. unfeasible
http://www.pgpi.org/doc/pgpintro/
PGP “Web of Trust”



Anyone can upload keys to “Key
Servers”-- even fake keys
If you can verify that a key belongs to its
owner, you can sign that key, indicating
that you have verified ownership
The Web of Trust is established by
people signing other people’s keys; if
you trust Person A to diligently verify
identity of keys, and Person A signed
Person B’s key, then you can trust that
Person B’s key is authentic
ColdFusion’s hash()
Function



Hash("Hello1"):
7A6D1B13498FB5B3085B2FD887933575
Hash("Hello2"):
B83099B8CE596F31F2F60C8FD4D72826
Hash("Hello3"):
E1C0F8926581BE86F96BD0007371CCA0

Available with CF4.5
Generates md5 hashes of strings
in hex format (use char(32) to
store)
Useful for storing passwords so
they can’t be read or recreated
Append an arbitrary string to “salt”
the password hash to prevent
“hash dictionary” attacks
Summary


An understanding of why
encryption works is not necessary
for an understanding of how it
works
Although encryption and digital
signature technology seem
daunting, the processes are
conceptually simple
What do I do with this
info?



Hash passwords
Use encryption and authentication
methods for secure processes
Evangelize!