4. Introduction>Cryptography for Security
Confidentiality
  Encryption/Decryption
Integrity
  Hashing
  Keyed Hashing or MAC (Message Authentication Code)
  Digital Signatures
Authentication
  Keyed Hashing or MAC (Message Authentication Code)
  Digital Signatures
  Hashing
Non-Repudiation
  Digital Signatures
10. Symmetric Cryptography>Block Ciphers
DES (Data Encryption Standard)
  56-bit key size
  Secure? NO!
3DES (Triple DES)
  56-bit key size. 1 or 2 or 3 keys used. Max: 168 bits
  Secure? ALMOST (using 3 different keys)
AES (Advanced Encryption Standard) or Rijndael [rɛindal]
  128/192/256-bit key size
  Secure? 128 bit – for dynamic data, 192 bit – ALMOST, 256 – YES (Currently)
  6 times faster than 3DES !!!
RC2
  Variable key size
  Secure? Vulnerable to related key attack using 2^34 chosen plaintexts
11. Symmetric Cryptography>Stream Ciphers
RC4
  Variable key size (typically 40-256 bit)
eSTREAM Portfolio
  HC-256 (256-bit key size)
  Rabbit (128-bit key size)
  Salsa20 (256-bit key size)
  SOSEMANUK (128-256 bit key size, use 128)
12. Symmetric Cryptography>Hash Functions
The ideal hash function properties:
  easy to compute the hash for any given data
  extremely difficult to construct a text that has a given hash
  extremely difficult to modify a given text without changing its hash
  extremely unlikely that two different messages will have the same hash
SHA-1 (160 bit)
MD5 (128 bit)
SHA-2 (SHA-256/224, SHA-512/384)
SHA-3 (In development)
SHA-1
  fox: ff0f0a8b656f0b44c26933acd2e367b6c1211290
  the quick red fox: 0fa561fd7e9cf714d5f94c422106ec8979c0c147
  the quick red box: a6b613310c301411300cc742ac5bf205728b78cb
30. Email Security>S/MIME and OpenPGP
Mandatory features | S/MIME v3 | OpenPGP
Message format | Binary, based on CMS | Binary, based on previous PGP
Certificate format | Binary, based on X.509v3 | Binary, based on previous PGP
Symmetric encryption algorithm | TripleDES (DES EDE3 CBC) | TripleDES (DES EDE3 Eccentric CFB)
Signature algorithm | Diffie-Hellman (X9.42) with DSS or RSA | ElGamal with DSS
Hash algorithm | SHA-1 | SHA-1
MIME encapsulation of signed data | Choice of multipart/signed or CMS format | multipart/signed with ASCII armor
MIME encapsulation of encrypted data | application/pkcs7-mime | multipart/encrypted
34. Cryptography Technical Choices
Use a hash when you want a way of verifying that data has not been tampered with in transit.
Use a keyed hash when you want to prove that an entity knows a secret without sending the secret back and forth, or you want to defend against interception during transit by using a simple hash.
Use encryption when you want to hide data when being sent across an insecure medium or when making the data persistent.
Use a certificate when you want to verify the person claiming to be the owner of the public key.
Use symmetric encryption for speed and when both parties share the key in advance.
Use asymmetric encryption when you want to safely exchange data across an insecure medium.
Use a digital signature when you want authentication and non-repudiation.
Use a salt value (a cryptographically generated random number) to defend against dictionary attacks.
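Added example (not from the original slides): the hash, keyed hash and salt choices above, shown with Python's standard library. The function names, the choice of SHA-256 and PBKDF2, and the sample password are assumptions made for illustration; the fox/box strings are reused from the hash slide.

```python
import hashlib
import hmac
import secrets

def plain_verify(message, digest_hex):
    """Unkeyed check: recompute SHA-256 and compare with the digest that came along."""
    return hashlib.sha256(message).hexdigest() == digest_hex

def mac_tag(key, message):
    """Keyed hash (HMAC-SHA-256): only holders of the shared key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key, message, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_tag(key, message), tag)

def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA-256); returns (salt, derived_key)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def tamper_demo():
    """Constructed scenario: someone without the key alters a message in transit."""
    key = secrets.token_bytes(32)  # assumption: shared by sender and receiver in advance
    sent, altered = b"the quick red fox", b"the quick red box"
    # Plain hash: whoever altered the message can also recompute the digest sent with it.
    forged_digest = hashlib.sha256(altered).hexdigest()
    # Keyed hash: without the key the tag cannot be recomputed, so the original tag
    # arrives next to the altered message and no longer matches.
    tag = mac_tag(key, sent)
    return {
        "plain_hash_accepts_forgery": plain_verify(altered, forged_digest),
        "mac_accepts_original": mac_verify(key, sent, tag),
        "mac_accepts_forgery": mac_verify(key, altered, tag),
    }

def salt_demo(password="correct horse"):
    """The same password stored twice with fresh random salts gives different values,
    so one precomputed dictionary of hashes cannot match both records."""
    (salt_a, dk_a), (_, dk_b) = hash_password(password), hash_password(password)
    # Verification still works: re-derive with the salt stored beside the record.
    return dk_a != dk_b and hash_password(password, salt_a)[1] == dk_a

if __name__ == "__main__":
    print(tamper_demo(), salt_demo())
```

The plain hash still detects accidental corruption; it is only when the party altering the data can also replace the digest that the keyed hash becomes necessary.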