Presented by Josh Baker October 9 th 2012 1 CS5204 Operating Systems CS5204 Operating Systems Overview What is cryptographic security Uses Main Points What is a KeyCertificate ID: 534251
Download Presentation The PPT/PDF document "Cryptographic Security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Cryptographic Security
Presented by:Josh BakerOctober 9th, 2012
1
CS5204
– Operating SystemsSlide2
CS5204 – Operating Systems
Overview
What is cryptographic security?UsesMain Points
What is a
“
Key/Certificate”?
ImplementationsCAC based PKI DemonstrationReferences
2Slide3
What is it?
Cryptographic Security: Leveraging a standardized system that uses a set of operations that are publicly available in order to authenticate identities, securely share data, or irrefutably sign data
. def
Cryptography:
cryp
∙tog
∙ra ∙
phy
[3]
:the enciphering and deciphering of messages in secret code or cipher; also : the computerized encoding and decoding of information
CS5204 – Operating Systems
3Slide4
Uses
Establishing Transport Layer Security (TLS/SSL)HTTPSSFTPData Encryption / Decryption
Digital SignatureLogin / Authentication ProtocolsRelies on digital signature
CS5204
– Operating Systems
4Slide5
Main Points
Use of a publicly formalized systemCenters around a third party “Certificate Authority”Certify IdentitiesManage (create, distribute, revoke) KeysEliminates many security vulnerabilities
Can be used to enforce least privilege, separation of duties, economy of mechanism, and complete mediation while being an open design.Heavy use of hashing algorithms (sha1, MD5,…)
CS5204
– Operating Systems
5Slide6
What is a “Key
”?Cryptographic Key: A set of 2 integers that can be used with a cryptographic algorithm in order to encrypt or decrypt data.
Two types of cryptographic systems:Private Key – using only one secret key (symmetric)Public Key – using two keys, a secret key and a shared key (asymmetric)
RSA and NIST recommend using at least:
112
bit symmetric
keys (harder to break, efficient)2048 bit asymmetric keys
CS5204
– Operating Systems
6Slide7
What is a “Certificate”?
Cryptographic Certificate: The combination of identity information with cryptographic information. Identity of the certificate ownerIdentity of the certificate authority (issuer)
Dates that the certificate is valid forWhich cryptographic algorithms are usedKey informationOne owner may have multiple certificates for various uses: authentication, encryption, signature
CS5204 – Operating Systems
7Slide8
TLS / SSL
Used for transporting data securely over non-secure channels, most namely the internet.Uses Handshaking:Employs both Symmetric and Asymmetric keys
Symmetric keys are smaller than asymmetric keys and provide improved performanceA secure channel must be established using asymmetric keys in order to transmit the shared secret symmetric key“Nonce
s” are used to defend against replay attacks
CS5204
– Operating Systems
8Slide9
TLS / SSL
CS5204 – Operating Systems
9
source: [9]Slide10
Encryption / Decryption
Private Key Encryption (symmetric):Encrypting local filesMust share the key in order to share the dataCannot use private key from PKIGroup Authentication
Cipher: stream/blockAES 128 bit block
CS5204
– Operating Systems
10
Source:[7]Slide11
Encryption / Decryption
Provides confidentiality but not authenticationPublic Key Encryption (asymmetric):
CS5204
– Operating Systems
11
source:[8]Slide12
Encryption / Decryption
The RSA Cryptosystem:Developed by Rivest, Shamir, and Adleman in 1977The de facto standard for PKIThe encryption key is public (E)The decryption key is private (D)
The Message M can be calculated by:M = D(E(M))
M = E(D(M))
CS5204 – Operating Systems
12Slide13
Encryption / Decryption
RSA Algorithm details (generate keys)1. Find 2 unique large prime numbers2. Calculate nn =
p ∙ q 3. Pick a large random integer d
that is relatively prime to (p-1)∙(q-1) such that
gcd(d, (p-1)∙(q-1)) =
1
4. Calculate e
e ∙ d
=
1∙(mod (p1
)∙(q1))
CS5204 – Operating Systems
13Slide14
Encryption / Decryption
RSA Algorithm details (encrypt/decrypt)Encryption:Given message M create ciphertext C
C = E(M) = Me (mod n)
Decryption
:
Given
ciphertext C create message MM
=
D(C)
= Cd (mod n)
Can be calculated quickly using modular exponentiation (repeated squaring)CS5204 – Operating Systems
14Slide15
Digital Signature
Not “electronic signature” which is typically implemented with a digital representation of a hand signature or acknowledgment gesture.Provides non-repudiation, irrefutably evidence that the signature was created by the identified party.Provides data integrity validationProvides authentication but not confidentiality
CS5204
– Operating Systems
15Slide16
Digital Signature
CS5204 – Operating Systems
16
source:[8]Slide17
Digital Signature
RSA Digital Signature details:A message M is signed using the private keyS = D(M)
A digital signature is validated using the public keyM = E(S)Decryption of the message can be used to prove the identity of a user, authentication
Validating a digital signature also validates the data by comparing the hash values
CS5204 – Operating Systems
17Slide18
CAC PKI
Common Access Card (CAC) aka Smart CardUtilized extensively by the DoDEnforces two factor authenticationSomething you have – CAC
Something you know – PINCan be used for three factor authentication with addition of finger print reader (something you are)Newer generation cards can also be used with proximity based passive RFID
readers
Great for enforcing separation of duties and least privilege
CS5204
– Operating Systems
18Slide19
CAC PKI Demo
One last note, using an in house certificate authority (CA) and a smart card enabled PKI cryptosystem throughout an organization can enable greater PII (Personally Identifiable Information) security by replacing things like SSNs with othewise meaningless unique identifiers like the DoD EDIPI (Electronic Data Interchange
Personal Identifier).CS5204
– Operating Systems
19Slide20
References
1. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Rivest et al
2. “Introduction to Algorithms, Second Edition”, Cormen et al3. Merriam-Webster dictionary, term: cryptography, (
www.merriam-webster.com
)
4. National Institute for Standards and Technology, (
www.nist.gov)5. http://blog.securism.com/2009/01/summarizing-pki-certificate-validation
/
6. RSA Laboratories, (
www.rsa.com)7.
http://www.itportal.in/2011/12/encryption-decryption-information.html8.
http://
gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html
9. http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
CS5204
– Operating Systems
20