Cryptography

Transcript

1. Cryptography Understanding the need and purpose behind cryptography

2. • If the confidentiality or accuracy of your information is

   of any value at all, it should be protected to an appropriate level. • If the unauthorised disclosure or alteration of the information could result in any negative impact, it should be secured. • These are simple and widely accepted facts. However, the means to achieve the requisite protection are usually far from obvious. Why have cryptography?

3. • A number of mechanisms are commonly employed: • Controlling

   access to the computer system or media. For instance, through 'logon' authentication (e.g: via passwords). • Employing an access control mechanism (such as profiling) • Restricting physical access (e.g: keeping media locked away or preventing access to the computer itself). Why have cryptography?

4. Why have cryptography? • All these approaches can be valuable

   and effective, but equally all can have serious shortcomings. A more fundamental approach to data security is cryptography. • Conventional access control mechanisms can often be bypassed, for instance via hacking. • In addition, what if data has to be transmitted, or if the data media (e.g: usb stick) has to be moved outside the secure environment? • What if a number of people are sharing the computer environment? Cryptography (encryption and decryption) is a technique designed to protect your information in ALL such situations.

5. Symmetric encryption • This kind of encryption uses the same

   key to encrypt a file as to decrypt it. • If you know the key, you can decrypt any encrypted file and this is one of the main problems with this kind of encryption. • There is a distinct possibility that the key can be stolen or intercepted in transit as it is being shared.

6. Symmetric encryption • Keys can be very simple. For example,

   you might have a key for a text file that says, 'Replace each letter with the one two positions further along in the alphabet'. So DAVID becomes FCXKF. • To decrypt the message, you just need to know the key (the rule that describes how the file was encrypted originally). If a key is as simple as the one above, and you have enough data to work with, it wouldn't take you very long to work out how to break the code and find out what they was. • In practice, therefore, symmetric encryption uses codes that are a little more sophisticated than the one in this example. However, because of the fantastic processing power of computers, you can still crack many codes using symmetric encryption eventually using brute force – trying out every possible combination of a key until you find the correct one.

7. Symmetric encryption • The most important early symmetric algorithm was

   called the Data Encryption Standard (DES) and was developed in the 1970s. • This uses a 56-bit key, giving 70,000,000,000,000,000 (70 quadrillion) possible combinations. • This is now considered inadequate as modern computers can find the key for the reasons just given. • AES uses up to 256-bits, giving far more combinations and is considered far more secure (at the moment).

8. Asymmetric encryption - PGP • Pretty Good Privacy, or PGP,

   is an example of asymmetric encryption and is a very secure method of encrypting data. • It takes a message and applies some complex maths to it to scramble the data. PGP is freeware so you can download a copy and try it out. • There are lots of people interested in PGP - if you do a search for it on the Internet, you will find a lot of information about PGP. It is very easy to set up (it's all automated usually) and you can then encrypt anything that's digital, from emails you send to files you store on a computer or on a pen drive. • There are encryption programs available for mobile phones, too.

9. Asymmetric encryption - PGP • Another very useful application is

   a tool for remembering lots of different logins and passwords. • You put all of your different accounts' details into this program and it encrypts them. • You can get access to all of your accounts' details by entering in just one password. • You don't have to keep remembering logins and passwords each time you set up a new account for something! • An excellent program that does this and is free is called Keepass.

10. Using PGP How does a pupil called Max use PGP

    to send a secure message to his friend David? • David and Max both download and set up the PGP program. • When David sets up the PGP program on his computer, the program generates two software keys for him. These are known as his public key and his private key and they work together to encrypt and decrypt files. • The private key stays with David on his computer. He sends the public key to whomever he wants to communicate with, in this case, Max. It doesn’t matter if this key is intercepted by anyone. It is a ‘public’ key.

11. Using PGP • Now when Max wants to send a

    secure message to David, Max writes his email and then using his PGP program and David's public key, he encrypts it. Then he sends the encrypted message. • David receives an encrypted message from Max. • David uses his PGP program and his own private key to decrypt and read the message. • If David wants to return a secure message, he must ask Max to send him his Public Key first. The really big advantage of this system over symmetric encryption is that the key used to encrypt any message doesn't have to be sent to the person you want to read the message.

12. Symmetrical vs Asymmetric encryption • The key difference between asymmetric

    and symmetric encryption is that symmetric encryption uses one secret key that has to be shared among the sender and recipient of the message, while asymmetric encryption utilizes a private key and a public key to decrypt and encrypt messages during communication. • A major shortcoming of symmetric encryption is that security is entirely dependent on how well the sender and receiver protect the encryption key. If the key is jeopardized, intruders can decrypt and gain access to all messages encrypted with the key. • Asymmetric encryption is more secure because it relies on digital certificates. Both the private and public keys are related, but cannot be derived from each other. If either of the keys is compromised, the intruder cannot use it find the other key.

13. MD5 – Message Digest algorithm 5 • MD5 algorithm is

    used as a cryptographic hash function or a file fingerprint. • Often used to encrypt password in database, MD5 can also generate a fingerprint file to ensure that a file is the same after a transfer for example. • You can have a look at a MD5 enrypt/decrypt messages, search for MD5 online. • As it is easy to generate MD5 collisions, it is possible for the person who created the file to create a second file with the same checksum, so this technique cannot protect against some forms of malicious tampering. In some cases, the checksum cannot be trusted (for example, if it was obtained over the same channel as the downloaded file), in which case MD5 can only provide error-checking functionality: it will recognize a corrupt or incomplete download, which becomes more likely when downloading larger files.

14. MD5 – Example • The 128-bit (16-byte) MD5 hashes (also

    termed message digests) are typically represented as a sequence of 32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash: • Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the avalanche effect. For example, adding a full stop to the end of the sentence: