Security Essentials Day 4

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 40


Text content: Security Essentials Day 4

1. Security Essentials Day 4
Security Essentials
The SANS Institute
Encryption and Exploits - SANS ©2001 1 1-1
2. Agenda
• Encryption 101
  – 3 types of encryption
  – Symmetric encryption
• Encryption 102
  – Examples of encryption
  – Asymmetric encryption
• Virtual Private Networks (VPNs)
  – How they work
  – PKI (public key infrastructure)
3. Agenda (cont.)
• Steganography
  – What is it?
  – How does it work?
• Malware
  – Viruses
  – Virus protection
• Wireless
  – How does it work?
  – Security issues
  – Defenses
4. Introduction to Encryption I
Security Essentials
The SANS Institute

Hello, welcome to Introduction to Encryption I. This is one of the most important classes we have the privilege to teach as part of the SANS Security Essentials course. Encryption is real, it is crucial, and it is the foundation of so much of what happens online. I guess you know that one of the SANS mottos is, “Never teach anything in a class the student can’t use at work the next day.” One of our goals in this course is to help you be aware of how cryptography is used in our world. But we are also going to share a lot of hard-earned pragmatic lessons, and we hope they will help you. Without cryptography there is no e-commerce, no military presence on the Internet, and no privacy for the citizens of the world. Encryption plays a key role in the current security landscape, and anyone who works in the field of security must have a good understanding of what encryption is and how it works.
5. What is Cryptography?
• Cryptography means “hidden writing”
• Encryption is coding a message in such a way that its meaning is concealed
• Decryption is the process of transforming an encrypted message into its original form
• Plaintext is a message in its original form
• Ciphertext is a message in its encrypted form

Since this course is an introduction to encryption, we should cover what it is. Cryptography means “hidden writing”, and various forms of hidden writing have been used throughout history. One of the main goals of cryptography is to communicate with another party in such a way that if anyone else is listening, they cannot understand what you are saying. So, in its most basic form, cryptography garbles text in such a way that anyone who intercepts the message cannot understand it. An excellent source to get a better appreciation for this field of study is The Codebreakers by David Kahn. This book gives a great background of how hidden writing has been used throughout history. Just to show you how far back this field goes, one of the first people to use encryption was Julius Caesar, and the original cipher was called the Caesar cipher. He used a basic substitution similar to the encryption schemes that are printed on the back of kids’ cereal boxes. But without the help of computers, such ciphers were very difficult to break. Now that we understand what the field of cryptography is, let’s cover some basic terms. Encryption, or encryption algorithms, are used to code a message in such a way that its meaning is concealed. Once a message has been transformed with an encryption algorithm, the resulting message is called ciphertext. Since ciphertext contains a message in its encrypted form, the message does not “mean” anything, since it cannot be read in its native form. In order for the recipient of the ciphertext to be able to read the message, they need to decrypt the message. Decryption is the process of transforming an encrypted message back into its original plaintext form.
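The Caesar cipher mentioned above, and the reason a computer breaks it instantly: there are only 25 usable shifts, so an exhaustive key search scored against English letter frequencies recovers the key at once. This is an added example, not code from the SANS course; the sample message and the frequency table are constructed here.

```python
# Added example (not from the SANS course material): a Caesar shift cipher and
# the exhaustive key search that makes it trivial to break with a computer.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate English letter frequencies (percent), used to score candidate plaintexts.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}

def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -key)

def english_score(text: str) -> float:
    """Higher when the letter distribution looks like English (mean frequency weight)."""
    letters = [c for c in text if c in ALPHABET]
    if not letters:
        return 0.0
    counts = Counter(letters)
    return sum(ENGLISH_FREQ[c] * n for c, n in counts.items()) / len(letters)

def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Exhaustive key search: only 26 shifts exist, so try them all and keep
    the candidate whose letters look most like English."""
    best = max(range(26), key=lambda k: english_score(caesar_decrypt(ciphertext, k)))
    return best, caesar_decrypt(ciphertext, best)

if __name__ == "__main__":
    msg = "THE DIE IS CAST"          # constructed sample plaintext
    ct = caesar_encrypt(msg, 3)
    print(ct)                         # WKH GLH LV FDVW
    print(break_caesar(ct))           # (3, 'THE DIE IS CAST')
```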
6. Why Do I Care About Crypto?
• It plays a key part in defense in depth
• Encryption helps solve a lot of security issues
• Department of Commerce no longer supports DES
• NIST just announced the new AES (Advanced Encryption Standard)
• The “bad” guys are using it
  – Distributed Denial of Service daemons protected by Blowfish
• Anyone working in security must understand encryption

Encryption is important since it plays a key role in the protection of a company’s resources. If more people and companies used encryption on a regular basis, a lot of the security issues that we have today would go away. Remember, one of the golden rules of information security is defense in depth. The principle highlights the fact that you should never rely on a single mechanism to protect the security of your site. You need to use several defense mechanisms in conjunction to have the proper level of security at your company. A firewall is a good starting point, but it needs to be combined with intrusion detection systems, host protection, virtual private networks, and encryption. As we write this course, there are a number of contemporary news stories about cryptography. England and Ireland can’t agree on a standard, for instance, but that is hardly news. Export encryption laws are being relaxed, NIST announced the winner for its Advanced Encryption Standard (AES), the patent expired on RSA, and the US Department of Commerce no longer supports DES! So if you have been staying up on the latest security news, you can’t help but notice how important encryption is from an information security perspective. Almost every bank uses DES hardware to protect their financial transactions. These networks have been in place for years, and all of a sudden the hardware is invalid! What happened? One thing that happened is that there have been plans available on the Internet for years to build near-real-time decryption of DES. With the P6 chip, you can do this for an investment of $200K. If $200K can attack billions and billions of dollars, it might just be worth it. What do you think? But the banks…how fast can they react? How fast can they replace their infrastructure? How exposed are they? Well, the handwriting has been on the wall for a while now. In 1997, Rocke Verser broke a 56-bit challenge. At first blush, it seemed DES was safe: this effort took four months to complete. This was only the beginning – in 1998 the Electronic Frontier Foundation computer nailed this key length in 56 hours. And the beat goes on. In the meantime the underground uses cryptography to protect what they are doing. For instance, the DDoS systems that attacked numerous businesses, such as Yahoo!, used encryption to protect their covert communication channels. If the bad guys are using it to break into sites, shouldn’t the good guys be using it to protect their sites? Defenders and attackers alike, the information operations cyberscape of century 2K will rely on cryptography!
7. Course Objectives
• Case Studies
• The Challenge That We Face
• Cryptosystem Fundamentals
• Types of Cryptosystems
• Real-world Implementations

So let’s get into it! Who uses cryptography? Who needs crypto? After we firmly establish the who and why, we will discuss the what! We will also cover how these systems work and the different types of systems. In this first course, we will learn the requirements of a cryptosystem. We will look at some of the classic weaknesses. We will walk through some basic algorithms and we will learn a number of terms. Cryptography is more than the science of applying ciphers; it must also be an art. The devil is in the details in this sport. A cryptosystem is the algorithm, the keys, the plaintext…the whole nine yards!
8. Security By Obscurity Is No Security!
• Case-in-point: DVD “Encryption”
• Proprietary algorithms are high-risk
• “Tamperproof” hardware can be defeated with sufficient effort
• Technical solutions usually do not satisfactorily address legal issues

Gotta love DVD! It really brings “The Matrix” to full intensity. But there is a cryptography story here that has a couple of important lessons for all of us:
- Never, ever believe in a “secret” cryptographic algorithm (unless you work for NSA).
- Never, ever rely on technology (or anything else) as your only wall of defense.
- Above all, do not ever attempt to write your own encryption system! You aren’t that smart!
So what happened? The motion picture industry spent years developing a standard for encryption. Then they released it. Not the standard for review, but the product (DVD) that relied on the standard. Very quickly thereafter a couple of technologists who go by the handles “Canman” and “SoupaFr0g” decoded the magic algorithm and released a program, a very popular program in some circles, called DeCSS 1.2b that allows one to pull the decrypted data off the DVD disk and store and play it like any other multimedia file. Don’t want to pay $20.00 for “The Matrix”? No problem! Now, that really is what I call walking the path! And what to do now? Do you sue Canman for $63 quadrillion?
9. Beware of Over-confidence
• Case-in-point: Large Key Lengths
• Simply using popular cryptographic algorithms with large key lengths does not make your system secure!
• What’s the weakest link?
• Cryptanalytic compromises usually come from totally unexpected quarters!

Case 2: In 1998, Stephen Northcutt served as the technical analyst to support a team of law enforcement agents to detect, investigate, apprehend, and convict a child pornographer. The interesting thing was that the perpetrator used cryptography to transmit the data right past Stephen’s intrusion detection systems and evade the signature matching system. How did he get caught? It wasn’t hard. In Stephen’s classes, for years he has been trying to teach that “size does matter”! The first clue was that too much data was being transmitted. That stands out like a sore thumb. The next clue is that well-encrypted traffic has a signature – it is blander than vanilla pudding. You can detect an encrypted bitstream simply by sorting the bits and seeing if you have an even distribution. A good encryption algorithm enforces randomness to be resistant to known-plaintext and chosen-plaintext attacks. But if you examine the content, the payload bits in a normal connection, they are anything but random. So detection was easy. How do you attack the cryptography? You can imagine the agents! It is encrypted, we are done for, let’s just bring him in and question him, maybe we will get lucky! Lucky was much easier than that – we tossed one of his supplier machines and he had hard-coded his key. Game over! Key discipline is everything in this sport!
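The “sort the bits and check for an even distribution” detection described above, as an added example (not code from the course or from Stephen’s IDS): it measures the per-bit-position balance and the byte entropy of a payload and flags the ones that look encrypted. Both sample payloads are constructed here; SHA-256 output stands in for ciphertext.

```python
# Added example (not from the course): a detector for the "even bit distribution"
# signature of encrypted traffic described on this slide. Samples are constructed.
import hashlib
import math
from collections import Counter

# Constructed stand-in for an encrypted payload: 4096 bytes of SHA-256 output,
# which is statistically indistinguishable from a good cipher's output here.
CIPHERTEXT_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
# Constructed stand-in for an ordinary (unencrypted) payload.
TEXT_SAMPLE = ("Well-encrypted traffic has a signature: it is blander than vanilla pudding. " * 12).encode()

def bit_position_balance(data: bytes) -> list[float]:
    """'Sort the bits': fraction of set bits at each of the 8 positions, MSB first.
    Ciphertext gives ~0.5 everywhere; ASCII text gives 0.0 at the top bit."""
    n = len(data)
    return [sum((b >> (7 - i)) & 1 for b in data) / n for i in range(8)]

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (max 8.0); ciphertext approaches 8, text sits near 4-5."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, min_len: int = 512, tol: float = 0.05) -> bool:
    """Flag a payload when every bit position is balanced AND byte entropy is near-maximal.
    Both checks matter: plain ASCII can look balanced overall yet never sets bit 7."""
    if len(data) < min_len:
        return False  # too little data for the statistics to mean anything
    balanced = all(abs(p - 0.5) < tol for p in bit_position_balance(data))
    return balanced and byte_entropy(data) > 7.0

if __name__ == "__main__":
    for name, sample in (("ciphertext", CIPHERTEXT_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, looks_encrypted(sample), round(byte_entropy(sample), 2))
```

Compressed data trips the same heuristic, so in practice this is a triage signal to be combined with volume and context, exactly as the “too much data” clue was used above.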
14. Goals of Encryption
• “Alice” and “Bob” need a cryptosystem which can provide them with:
  – Confidentiality
  – Integrity of Data
  – Authentication
  – Non-repudiation
• “Cryptography is about communications in the presence of adversaries” (Rivest, 1990)

Bob of course has the same requirements as Alice! On this slide, we sum up our requirements of the system: confidentiality, integrity, authentication, and non-repudiation. These are the main goals of a good encryption system. It is important to keep in mind that no cryptographic algorithm is known to be “secure.” The first case study discussed a well-known, failed, defeated cryptosystem. The strength of a cryptosystem is its ability to withstand attack. There are a number of attacks against cryptosystems; most of them have to do with using some piece of known unencrypted information (“known plaintext”). A trustworthy algorithm is one that can withstand an attack even when the cryptanalyst is able to know and choose the text to be encrypted. This is the “chosen-plaintext” (or “known-plaintext”) attack. The strongest statement that we can make regarding the “trust” that can be reasonably placed in a cryptographic algorithm is that it is not [yet] [publicly] known to have been broken! You can prove that a system is not secure; you just cannot prove that it is secure. Let’s briefly cover the four main goals of encryption: confidentiality, integrity, authentication, and non-repudiation. Confidentiality is concerned with preventing, detecting, or deterring the improper disclosure of information. Basically, you want to prevent someone else from reading a company’s sensitive information. Integrity is concerned with preventing, detecting, or deterring the improper modification of information. An unauthorized person should not be able to modify data, or if they do, it must be detectable. Authentication is involved with identifying who an individual is. If you think you are talking to Eric, you should be able to authenticate that you are really communicating with Eric and that someone is not impersonating him. Non-repudiation deals with how you prove, in a court of law, that someone actually sent a piece of information. This attribute is critical for the success of e-commerce. If I send an email to a supplier and I order 50 widgets for $100 each, and 5 days later the market drops on widgets and now I can get the same widget for $1, I would like to deny that I ever sent the order. For e-commerce to work, the supplier must be able to prove that I actually sent the email and that I cannot deny it. In the next section of this course, we will discuss the general types of encryption and then the types of cryptosystems.
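The widget-order scenario above, worked through with a shared-key message authentication code (HMAC) as an added example that is not part of the course material: the tag gives the supplier integrity (a changed price is detected) and authentication between the two parties, but because the supplier holds the same key it can produce an equally valid “order from Alice” itself, so the tag proves nothing to a court. That missing property is non-repudiation, which needs a key only the sender holds. The key and order values are constructed.

```python
# Added example (not from the course): why a shared-key MAC gives integrity and
# authentication between Alice and her supplier but NOT non-repudiation.
import hashlib
import hmac
import json

# Constructed shared secret; in practice each pair of parties would have its own.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

def mac_order(order: dict, key: bytes = SHARED_KEY) -> tuple[bytes, str]:
    """Canonicalise the order as JSON and tag it; returns (message_bytes, hex_tag)."""
    msg = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_order(msg: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison: rejects any change to the message or the tag."""
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def integrity_demo() -> bool:
    """Integrity: the genuine order verifies, the same order with the price
    changed from 100 to 1 does not."""
    msg, tag = mac_order({"from": "alice", "item": "widget", "qty": 50, "price": 100})
    tampered = msg.replace(b'"price":100', b'"price":1')
    return verify_order(msg, tag) and not verify_order(tampered, tag)

def repudiation_demo() -> bool:
    """Non-repudiation fails: the supplier holds SHARED_KEY too, so it can
    fabricate an 'order from Alice' that verifies exactly like a real one.
    An arbiter given (msg, tag) cannot tell which key holder produced it."""
    forged_msg, forged_tag = mac_order(
        {"from": "alice", "item": "widget", "qty": 5000, "price": 100}
    )
    return verify_order(forged_msg, forged_tag)

if __name__ == "__main__":
    print("tampering detected:", integrity_demo())        # True
    print("supplier can forge Alice's order:", repudiation_demo())  # True
```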