
Cryptography

<presenter>
What Is Cryptography?
Cryptography is the science of
encoding data
It can be used to
Protect a user's identity or data
Verify possession of data without the
original data itself
Verify data originates from a certain
user
This session covers cryptography at
a very high level
How Does Cryptography
Help?
Types of Threats | Examples
Spoofing | Digital signatures can help prevent users from masquerading as others
Tampering | Hashes can help prevent tampering by providing a quick & easy way to compare before & after data snapshots
Repudiation | Digital signatures can help prevent users from denying actions
Information disclosure | Encryption can help protect data from being viewed by 3rd parties
Denial of service |
Elevation of privilege |
Applications Of
Cryptography
Symmetric Encryption
Protects data between parties with a
shared key
Asymmetric Encryption
Protects data between parties without
shared keys (public/private key)
Hashes
Distills data into a small, repeatable
value
Digital Signatures
Validates source of data by using
How Does Symmetric
Encryption Work?
You use the same encryption
algorithm and key to encrypt and
decrypt the data
It is fast and efficient
It is difficult to safely exchange keys,
so they change often
[Diagram: Data -> Encrypt -> Decrypt (same as Encrypt) -> Data. Private key is known by the sender and recipient.]

Symmetric Encryption
Algorithm Sampling
DES (Data Encryption Standard)
Developed by IBM in 1973 and approved as a
Federal Information Processing Standard in
1976
Triple DES (aka 3DES)
Published in 1978 to apply DES three times,
each pass with a unique key, in order to
strengthen protection
RC2
Designed by Ronald Rivest in 1987 as a
custom cipher for Lotus that would meet the
US government's strict export restrictions
Rijndael
Published in 1998 and adopted as Advanced
Demo: Symmetric
Encryption
How Does Asymmetric
Encryption Work?
Each user has both a private and a
public key
Messages encrypted with the public
key can be decrypted only by using
the private key

[Diagram: Data -> Encrypt (Public key) -> Decrypt (Private Key) -> Data]
Asymmetric Encryption
Caveats
Size limitations
Can only encrypt ~100 bytes at a time
Computationally expensive
Some algorithms require multiple
passes on the data
Asymmetric encryption is often used
to exchange symmetric session
keys
All data transfer is then done via
symmetric encryption
Asymmetric Encryption
Algorithm Sampling
RSA (surnames of inventors Rivest,
Shamir, and Adleman)
Published in 1977 as the first
asymmetric system useful for both
encryption and signing
Yes, this is the same Rivest as from RC2
DSA (Digital Signature Algorithm)
Proposed by the National Security
Agency in 1991 for use in digital
signatures and asymmetric
cryptography
Demo: Asymmetric
Encryption
How Do Hashes Work?
[Diagram: User A: Data -> Hash Algorithm -> Hash Value. User B: Data -> Hash Algorithm -> Hash Value.]
User A sends data and hash value to User B
If hash values match, data is valid
Hashing Algorithm Sampling

MD (Message-Digest Algorithm)
The most recent (MD5) was designed by
Ronald Rivest in 1991 (yes, this is the same
Rivest as from RC2 & RSA)
Flaws discovered in 2004 have called the
security of this algorithm into question
SHA (Secure Hash Algorithm)
Published in 1993 by the NSA and currently
available for increased output ranges,
including SHA-1, SHA-224, SHA-256, SHA-384,
and SHA-512
Currently the recommended hashing algorithm
Demo: Hashes
Using Digital Signatures
[Diagram, User A side: Data, Hash Algorithm, Hash Value, User A Private key. User B side: Data, Hash Algorithm, Hash Value, User A Public Key, Hash Value.]
If hash values match, data came from the owner of the private key and is valid
Digital Signature Algorithm
Sampling
Same algorithms as asymmetric
encryption
RSA
DSA
Demo: Digital Signatures
The Importance Of Key
Length
Current cryptosystems rely on the length of the
key (as opposed to algorithm secrecy) to protect
data
Key lengths eventually lose their effectiveness
40 bits was the standard for export symmetric
encryption, but can now be broken with a home PC
This limitation has since been removed, with caveats
The US government now requires at least 192-bit keys
for encrypting Top Secret data
Asymmetric encryption requires longer keys than
symmetric
RSA Security claims 1024-bit asymmetric keys will be
breakable sometime during 2006-2010
Data required to be safe until 2030 should use 2048-bit
keys
Data security needs beyond 2030 should use 3072-bit
keys
Randomness
Many applications rely on random variables to prevent
attackers from easily guessing their way past security
Unfortunately, most random number generation methods
ultimately rely on the C rand() method, which is not random
rand() uses the most recently generated random value,
multiplies it by 214013, adds 2531011 to the result, and ANDs it
with 0x7FFF
// From Visual C++ runtime library's rand.c (Windows SDK)
int __cdecl rand (void) {
    _ptiddata ptd = _getptd();
    return( ((ptd->_holdrand = ptd->_holdrand * 214013L + 2531011L) >> 16)
            & 0x7fff );
}
Figuring out one random number (at any time) can compromise
the randomness of the rest of your application
More secure alternatives are available that rely on
environmental entropy, such as system information
Win32's CryptGenRandom() or rand_s()
.NET Framework's RNGCryptoServiceProvider class
Still not perfectly secure, but much better
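
Added example (not part of the original slides or of the Visual C++ runtime): the recurrence from the rand.c excerpt re-implemented on explicit state, showing that a handful of known outputs fixes every later output, which is why rand() values must not back tokens, keys or nonces. The function names and the seed are hypothetical, chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The recurrence from the rand.c excerpt, on caller-held 32-bit state. */
static int lcg_next(uint32_t *state) {
    *state = *state * 214013u + 2531011u;
    return (int)((*state >> 16) & 0x7fff);
}

/* Count the internal states consistent with n consecutive outputs and store
 * the first in *found. Output 0 exposes bits 16..30 of the state; only the
 * low 16 bits need searching (bit 31 never influences a later output). */
static int consistent_states(const int *obs, int n, uint32_t *found) {
    int count = 0;
    for (uint32_t low = 0; low < 0x10000u; low++) {
        uint32_t s = ((uint32_t)obs[0] << 16) | low;
        uint32_t t = s;
        int ok = 1;
        for (int i = 1; i < n && ok; i++)
            ok = (lcg_next(&t) == obs[i]);
        if (ok && count++ == 0)
            *found = s;
    }
    return count;
}

/* Constructed scenario: a generator seeded with `seed` emits `seen` values
 * that become known, then `later` values the application treats as secret.
 * Returns how many of the later values follow from the known ones alone,
 * or -1 if the known values do not pin down a single state. */
static int later_values_determined(uint32_t seed, int seen, int later) {
    int obs[16], hits = 0;
    uint32_t app = seed, model = 0;
    if (seen < 1 || seen > 16) return -1;
    for (int i = 0; i < seen; i++) obs[i] = lcg_next(&app);
    if (consistent_states(obs, seen, &model) != 1) return -1;
    for (int i = 1; i < seen; i++) lcg_next(&model); /* catch up to `app` */
    for (int i = 0; i < later; i++)
        hits += (lcg_next(&app) == lcg_next(&model));
    return hits;
}

int main(void) {
    printf("later values determined by 4 known outputs: %d of 20\n",
           later_values_determined(1u, 4, 20));
    return 0;
}
```

The whole search space is 65,536 candidates, so the stream offers no secrecy once a few values are known; anything that must stay unguessable should come from the alternatives listed above.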
Review
Cryptography can help mitigate
many application threats
Symmetric and asymmetric encryption
for data security
Hashing for data validation
Digital signatures for data verification
Selecting and protecting keys is the
primary concern
If your application requires
randomness, make sure your random
Additional Resources
MSDN Secure Coding Center
http://msdn.microsoft.com/security/securecode
Writing Secure Code (Microsoft Press)
http://www.microsoft.com/mspress/books/5957.asp
University Of Washington Online Materials (Slides & Videos)
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/
.NET Framework Cryptography Overview
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcryptographyoverview.asp
NIST's Recommendation For Key Management, Part 1
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
US government's commercial encryption export controls
http://www.bis.doc.gov/Encryption/EncFAQs6_17_02.html
RSA guidance on key size
http://www.rsasecurity.com/rsalabs/node.asp?id=2004
Caesar Cipher on Wikipedia
http://en.wikipedia.org/wiki/Caesar_cipher
Q&A
