2. Digital Signature
-a digital signature is intended to be comparable to a handwritten signature
-provides assurance that the message does indeed come from the person who claims to have sent it, that it has not been altered, and that both parties have a copy of the same document
3. Digital Signature Standard (DSS)
-FIPS 186
-uses 2 methods for creating a signature: the RSA method and the DSS method
-the signature is appended to the message
-both methods begin by hashing the message
4. RSA
-RSA will then encrypt the hash with the sender's private key, thus creating the signature
DSS
-DSS approach is to sign the hash using DSA. The DSA uses a random number to create a private & public key, then encrypts the hash value
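The RSA method from slides 3 and 4 (hash the message, transform the hash with the private key, append the result), shown as an added example that is not part of the original slides. The primes, the sample message and the function names are assumptions chosen for illustration; the key is a toy and uses no padding, unlike real RSA signatures.

```python
import hashlib

# Toy key: two well-known Mersenne primes (assumed sample values, not from the slides).
# A 92-bit modulus is trivially breakable; real RSA keys are 2048 bits or more.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent
SIG_LEN = (N.bit_length() + 7) // 8   # signature size in bytes


def digest_int(message: bytes) -> int:
    """Step 1 (both methods): hash the message. Reduced mod N only because
    the toy modulus is smaller than SHA-256; real schemes pad instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> bytes:
    """Step 2 (RSA method): transform the hash with the private key and
    append the resulting signature to the message."""
    signature = pow(digest_int(message), D, N)
    return message + signature.to_bytes(SIG_LEN, "big")


def verify(signed: bytes) -> bool:
    """Receiver: split off the signature, recover the hash with the public
    key, and compare it with a fresh hash of the received message."""
    if len(signed) < SIG_LEN:
        return False
    message, sig_bytes = signed[:-SIG_LEN], signed[-SIG_LEN:]
    signature = int.from_bytes(sig_bytes, "big")
    if signature >= N:                # not a valid value modulo N
        return False
    return pow(signature, E, N) == digest_int(message)


if __name__ == "__main__":
    signed = sign(b"transfer 10 to alice")        # constructed sample message
    print("original verifies:", verify(signed))
    tampered = signed.replace(b"10", b"99", 1)    # alter the message, keep the signature
    print("tampered verifies:", verify(tampered))
```

Changing either the message or the appended signature makes verification fail, which is the "has not been altered" assurance from slide 2.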
6. Methods of Cryptanalytic Attacks
Chosen Plain-Text
-attacker knows the algorithm and is trying to determine the key
-attacker will put in multiple known inputs and use the output to determine the key
Social Engineering for Key Discovery
-use of coercion, bribery, befriending people in positions of power
7. Brute Force
-trying all possible keys until one is found that decrypts the ciphertext, which is why key length is important
Linear Cryptanalysis
-is a known plaintext attack that uses linear approximations to describe the behavior of the block cipher
8. Differential Cryptanalysis (Side Channel Attack)
-complex attack executed by measuring the exact execution times and power required by the crypto device to perform the encryption/decryption
-measuring power consumption, clock cycles, etc. makes it possible to determine the value of the key and the algorithm used
9. Algebraic
-class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure
Ciphertext-Only Attack
-attacker only has ciphertext and tries to work backwards
-the more examples the better chance of success
10. Rainbow Table
-to determine a given plaintext from its hash, one of these is done:
1) Hash each plaintext until a matching hash is found
2) Do 1 but store each generated hash in a table that can be used for future attacks
11. Known Plaintext
-attacker has access to the plaintext and ciphertext of the message
Frequency Analysis
-especially useful when attacking a substitution cipher where statistics of the plaintext language are known
12. Chosen Cipher-Text
-when attacker has access to the decryption device/software and decrypts chosen ciphertexts to discover the key
-RSA gets whooped by this
Birthday Attack
-since a hash is a short representation of a message, there are two messages that will give the same hash
13. Dictionary Attack
-use dictionary words against a password file
Replay Attack
-meant to disrupt and damage processing by the attacker sending repeated files to the host
Reverse Engineering
14. Factoring Attacks
-aimed at RSA algorithms
-since that algorithm uses the product of prime numbers to generate the public and private keys, this attack attempts to find the keys by factoring these numbers
15. Attacking the Random Number Generators
-ability to guess nonces will greatly improve the attack success rate
Temporary Files
-most cryptosystems use temporary files to perform their calculations; if the files are not cleared, it may lead to the cryptosystem being broken
16. Implementation Attacks
☻Side Channel Analysis: rely on physical attributes of implementation
☻Fault Analysis: attempts to force the system into an error state
☻Probing Attacks: watch the circuitry surrounding the crypto module in hopes that the complementing components will disclose info
17. Network Security and Cryptography
Virtual Private Networks
-goal of VPN is to provide confidentiality & data integrity of data transmission
-site to site: deploys 2+ VPN servers or appliances that securely connect private networks together
-remote access: securely connects a user's computer to another user's computer or VPN server
-each VPN member must be configured to use the same cryptoparameters
18. E-Commerce
-crypto continues to enable trust between businesses and consumers
IPSec
-developed to provide security over Internet connections and prevent IP spoofing, eavesdropping, and misuse of IP based authentication
-operates with IPv4 and IPv6
20. Application Security and Crypto
-Email is the most common business communication, so it is important to secure it
Email protocols and standards
☻Privacy Enhanced Mail (PEM) RFC 1421-1424
-provides message integrity; message origin & authentication; confidentiality; has a sweet encapsulating boundary
21. ☻Pretty Good Privacy (PGP)
-gives the user a choice of which encryption algorithm to use, e.g. CAST, 3DES
-establishes trust based on relationships
☻Secure/Multipurpose Internet Mail Extension (S/MIME)
-provides signed & encrypted mail messages
-similar to IPSec & SSL as it uses hash functions & asymmetric/symmetric crypto
22. Public Key Infrastructure PKI
-PKI is a set of systems, software, and communication protocols required to use, manage, and control public key crypto.
It has 3 primary purposes:
1. Publish keys/certs
2. Certify that a key is tied to an individual/entity
3. Provide verification of the validity of a public key
23. -The CA "signs" an entity's digital certificate to certify that the certificate accurately represents the certificate owner
-Functions of a CA may be spread among several servers
-CA can revoke certs & provide an update service to the other members of the PKI via a certificate revocation list (CRL), a list of non-valid certs that should not be accepted by any member of the PKI
24. -Set up a trusted public directory of keys; each user must register with the directory service, and it could delete & add keys automatically
-use public key certs; this can be done directly or through a CA, which would act as a trusted 3rd party
25. Certificate Related Issues
-users may/will have to communicate with users from another CA, so CAs must have a method of cross-certifying one another
-Business agreements & PKI policies are negotiated, then each CA signs the other's public key, or root cert, thus establishing a cert chain
-3 basic ways of constraining trust between CAs
26. 1. Path Length: Orgs can control whether their CA should trust any cross-cert relationships that have been established by CAs with which they have cross-certed
2. Name: In peer-to-peer cross-cert, name constraints are used to limit trust to a subgroup of cross-certed CAs based on their distinguished name (DN)
3. Policy: can be used to limit trust only to those users in another CA who have certain policy values in their certs
27. Information Hiding Alternatives
Steganography
-hiding a message inside of another medium
Watermarking
-the addition of identifiable info into a file or document; this is often done to detect the improper copying or theft of info