Thông tin tài liệu
1 - 1
Encryption and Exploits - SANS
©2001
1
Security Essentials
Day 4
Security Essentials
The SANS Institute
1 - 2
Encryption I - SANS
©2001
2
Agenda
• Encryption 101
– 3 types of encryption
– Symmetric encryption
• Encryption 102
– Examples of encryption
– Asymmetric encryption
• Virtual Private Networks (VPNs)
–How they work
– PKI (public key infrastructure)
This page intentionally left blank.
1 - 3
Encryption I - SANS
©2001
3
Agenda (cont.)
• Steganography
– What it is?
– How it works?
•Malware
– Viruses
– Virus protection
•Wireless
– How it works?
– Security issues
– Defenses
This page intentionally left blank.
1 - 4
Encryption and Exploits - SANS
©2001
4
Introduction to Encryption I
Security Essentials
The SANS Institute
Hello, welcome to Introduction to Encryption I. This is one of the most important classes we have
the privilege to teach as part of the SANS’ Security Essentials course. Encryption is real, it is
crucial, it is a foundation of so much that happens. I guess you know that one of the SANS mottos is,
“Never teach anything in a class the student can’t use at work the next day.” One of our goals in this
course is to help you be aware of how cryptography is used in our world. But we are going to share
a lot of hard-earned pragmatic lessons and we hope they will help you. Without cryptography there
is no e-commerce, no military presence on the Internet, and no privacy for the citizens of the world.
Encryption plays a key role in the current security landscape and anyone that works in the field of
security must have a good understanding of what encryption is and how it works.
1 - 5
Encryption I - SANS
©2001
5
What is Cryptography?
• Cryptology means “hidden writing”
• Encryption is coding a message in such a way
that its meaning is concealed
• Decryption is the process of transforming an
encrypted message into its original form
• Plaintext is a message in its original form
• Ciphertext is a message in its encrypted form
Since this course is an introduction to encryption, we should cover what it is. Cryptography means
“hidden writing”, and various forms of hidden writing have been used throughout history. One of the
main goals of cryptography is to communicate with another party in such a way that if anyone else is
listening, they cannot understand what you are saying. So, in its most basic form, cryptography
garbles text in such a way that anyone that intercepts the message cannot understand it. An excellent
source to get a better appreciation for this field of study is The Code Breakers
by David Kahn. This
book gives a great background of how hidden writing has been used throughout history. Just to show
you how far back this field goes, one of the first people to use encryption was Julius Caesar, and the
original cipher was called the Caesar cipher. He used a basic substitution similar to the encryption
schemes that are used on the back of kids’ cereal boxes. But without the help of computers, they
were very difficult to break.
Now that we understand what the field of cryptography is, lets cover some basic terms. Encryption
or encryption algorithms are used to code a message in such a way that its meaning is concealed.
Once a message has been transformed with an encryption algorithm, the resulting message is called
ciphertext. Since ciphertext contains a message in its encrypted form, the message does not “mean”
anything, since it cannot be read in its native form. In order for the recipient of the ciphertext to be
able to read the message, they need to decrypt the message. Decryption is the process of
transforming an encrypted message back into its original plaintext form.
1 - 6
Encryption I - SANS
©2001
6
Why Do I Care About Crypto?
• It plays a key part in defense in depth
• Encryption helps solve a lot of security issues
• Department of Commerce no longer supports
DES
• NIST just announced the new AES (Advanced
Encryption Standard)
• The “bad” guys are using it
– Distributed Denial of Service daemons protected
by blowfish
• Anyone working in security must understand
encryption
Encryption is important since it plays a key role in the protection of a company’s resources. If more
people and companies used encryption on a regular basis, a lot of the security issues that we have today
would go away. Remember, one of the golden rules of information security is defense in depth. The
principle highlights the fact that you should never rely on a single mechanism to protect the security of
your site. You need to use several defense mechanisms in conjunction, to have the proper level of security
at your company. A firewall is a good starting point, but it needs to be combined with intrusion detection
systems, host protection, virtual private networks, and encryption.
As we write this course, there are a number of contemporary news stories about cryptography. England
and Ireland can’t agree on a standard for instance, but that is hardly news. Export encryption laws are
being relaxed, NIST announced the winner for its advanced encryption standard (AES), the patent expired
on RSA, and the US Department of Commerce no longer supports DES! So if you have been staying up
on the latest security news, you can’t but notice how important encryption is from an information security
perspective.
Almost every bank uses DES hardware to protect their financial transactions. These networks have
been put in place for years and all of a sudden the hardware is invalid! What happened? One thing that
happened is that there have been plans available on the Internet for years to build near-real-time
decryption of DES. With the P6 chip, you can do this for an investment of $200K. If $200K can attack
billions and billions of dollars, it might just be worth it. What do you think? But the banks…how fast can
they react? How fast can they replace their infrastructure? How exposed are they? Well the handwriting
has been on the wall for awhile now. In 1997, Rocke Verser broke a 56-bit challenge. At first blush, it
seemed DES was safe. This effort took four months to complete. This was only the beginning – in 1998
the Electronic Freedom Foundation computer nailed this key length in 56 hours. And the beat goes on.
In the meantime the underground uses cryptography to protect what they are doing. For instance, the
DDoS systems that attacked numerous businesses, such as yahoo, used encryption to protect their covert
communication channels. If the bad guys are using it to break into sites, shouldn’t the good guys be using
it to the protect their sites?
Defenders and attackers alike, the information operations cyberscape of century 2K will rely on
cryptography!
1 - 7
Encryption I - SANS
©2001
7
• Case Studies
• The Challenge That We Face
• Cryptosystems Fundamentals
• Types of Cryptosystems
• Real-world Implementations
Course Objectives
So let’s get into it! Who uses cryptography? Who needs crypto? After we firmly establish the who
and why, we will discuss the what! We will also cover how they work and the different types of
systems.
In this first course, we will learn the requirements of a crypto system. We will look at some of the
classic weaknesses. We will walk through some basic algorithms and we will learn a number of
terms.
Cryptography is more than the science of applying ciphers, it must also be an art. The devil is in the
details in this sport.
A cryptosystem is the algorithm, the keys, the plaintext…the whole nine yards!
1 - 8
Encryption I - SANS
©2001
8
•Case-in-point: DVD “Encryption”
• Proprietary algorithms are high-risk
• “Tamperproof” hardware can be
defeated with sufficient effort
• Technical solutions usually do not
satisfactorily address legal issues
Security By Obscurity Is No Security!
Gotta love DVD! It really brings “The Matrix” to full intensity. But there is a cryptography story
here that has a couple of important lessons for all of us:
- Never, ever believe in a “secret” cryptographic algorithm (unless you work for NSA).
- Never, ever rely on technology (or anything else) as your only wall of defense.
- Above all, do not ever attempt to write your own encryption system! You aren’t that smart!
So what happened? The motion picture industry spent years developing a standard for encryption.
Then they released it. Not the standard for review, but the product (DVD) that relied on the
standard. Very quickly thereafter a couple technologists who go by the handles “Canman” and
“SoupaFr0g” decoded the magic algorithm and released a program, a very popular program in some
circles, called DeCSS 1.2b that allows one to pull the decrypted data off the DVD disk and store and
play it like any other multimedia file. Don’t want to pay $20.00 for “The Matrix”? No problem!
Now, that really is what I call walking the path!
And what to do now? Do you sue Canman for $63 quadrillion?
1 - 9
Encryption I - SANS
©2001
9
Beware of Over-confidence
•Case-In-Point: Large Key-Lengths
• Simply using popular cryptographic
algorithms, with large key lengths does not
make your system secure!
• What’s the weakest link?
• Cryptanalytic compromises usually come
from totally unexpected quarters!
Case 2: In 1998, Stephen Northcutt served as the technical analyst to support a team of law
enforcement agents to detect, investigate, apprehend, and convict a child pornographer. The
interesting thing was the perpetrator used cryptography to transmit the data right past Stephen’s
intrusion detection systems and evade the signature matching system.
How did he get caught? It wasn’t hard. In Stephen’s classes, for years he as been trying to teach that
“size does matter”! The first clue was that too much data was being transmitted. That stands out like
a sore thumb. The next clue is that well-encrypted traffic has a signature – it is blander than vanilla
pudding. You can detect an encrypted bitstream simply by sorting the bits and seeing if you have an
even distribution. A good encryption algorithm enforces randomness to be resistant to known-
plaintext and chosen-plaintext attacks. But if you examine the content, the payload bits in a normal
connection, they are anything but random. So detection was easy. How do you attack the
cryptography?
You can imagine the agents! It is encrypted, we are done for, let’s just bring him in and question
him, maybe we will get lucky! Lucky was much easier than that – we tossed one of his supplier
machines and he had hard-coded his key. Game over! Key discipline is everything in this sport!
1 - 10
Encryption I - SANS
©2001
10
Simplicity is a “Good Thing”
•Case-in-point: eCommerce & eBusiness
• Morphing your business into a dot.com
can be a complex undertaking
• Taking shortcuts in **any** aspect of
the development of your eCommerce
systems can introduce weak links
• Security is a “process” not a product!
We can divide the students in this class into two primary groups: those who use government
sponsored and developed encryption and those who don’t. The United States military uses NSA-
developed encryption for all classified and some additional communications. NSA provides more
than just encryption hardware, they provide the keys and the rules. They have an entire infrastructure
because they know there is more to protected communications than algorithms resistant to
cryptanalysis.
Then there is the rest of us, including most of the US military. We are all becoming “.coms” in some
sense. Traditional catalog retailers are rushing to establish an Internet presence, universities rushing
to offer on-line courses and exams, and on it goes. Just like our criminal example on the previous
slide, there are a number of places where things can go wrong when protecting information in transit
and at rest. Cryptography provides us with a suite of tools that can help us with Confidentiality and
Integrity. Somehow people feel safer when the key is solid on their https connection, and so they are
more willing to use their credit card. Personally, I am more concerned about the clerical worker
being paid minimum wage to process all the orders at the end of the day with access to thousands of
credit card numbers than I am about sniffers, but that is just me.
[...]... the inputs is TRUE 1 - 26 Breaking Type 7 Ciphers CIPHER: 06070D2 248 4B0F1E0D Start this many characters into IV Byte-by-byte XOR of password with IV XOR 0 1 0 0 1 1 1 0 IV: d s f d ; k f o A , i y e w r k l d J K D H S U B IV: 0x 647 366 643 b6b666f412c2e69796577726b6c 644 a4b 444 8535 542 CIPHER: 070D2 248 4B0F1E0D XOR -PASSWORD: 0x 616263 646 5666768 PASSWORD: a b c d e f g h Encryption I - SANS ©2001 27... the PalmOS written by Mudge (although it has at least two bugs) Finally, some other examples of Type 7 passwords and their substitution are: ciphertext: 115 948 5 744 465E5A537272 ciphertext: 00 544 2 545 70F5E50587915 plaintext: 012 345 6789 plaintext: 012 345 6789 1 - 27 Kerberos • Secret-key protocol and distributed service, for third-party authentication • Kerberos KDC is trusted intermediary • Confidentiality:... dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834nc So how do we use this? Our sample encrypted password is 06070D2 248 4B0F1E0D This means that we start at the 6th character into the IV, which is the 2nd "f" in the string above To decrypt, we XOR the ASCII "f" (0x66) with 0x07; the result is 0x61 (ASCII "a") We would next XOR ASCII "o" (0x6f) with 0x0d, resulting in 0x62 (ASCII "b") Continuing, we XOR the ASCII string "A,.iye" (0x412c2e697965)... line vty 0 4 password 7 06070D2 248 4B0F1E0D login – Type 7 encryption is a simple XOR of the password offset into an initial vector (IV) Encryption I - SANS ©2001 26 Cisco Systems' IOS router operating system sometimes uses a weak substitution stream cipher to encrypt passwords Consider, for example, entering a remote logon password of abcdefgh when entering the following commands: line vty 0 4 password... Change 1 2 3 4 5 to 3 5 2 1 4 – So order becomes drroe • Very easy to break • Substitution and permutation can be combined together Encryption I - SANS ©2001 18 Permutation does not actually change the letters like substitution does, it just changes the order So if the original order was x y z the new order might be z x y So lets look at an example Our original order for a word is of course 1 2 3 4 5, so... So lets look at an example Our original order for a word is of course 1 2 3 4 5, so our new order might be 3 5 2 1 4 If we take the word “order” and run it through our 3 5 2 1 4 permutation, we would get an encrypted message of “drroe” To decrypt the message, we would reapply the 3 5 2 1 4 permutation and get back our original message of “order” Just like substitution, permutation is also very easy to... Trojanized zombie systems to work on the problem…how long do you think the symmetric key length needs to be?” In 1997, a 40 -bit RSA challenge key fell in 3.5 hours using 250 computers Keep Moore’s law in mind, computation speed doubles every 18 months 40 bits is probably a bit short for today’s threat environment All that said, the bigger issue with secret keys is managing the key creation and exchange... result is 0x61 (ASCII "a") We would next XOR ASCII "o" (0x6f) with 0x0d, resulting in 0x62 (ASCII "b") Continuing, we XOR the ASCII string "A,.iye" (0x412c2e697965) with ciphertext 0x2 248 4b0f1e0d, resulting in 0x63 646 5666768 (ASCII "cdefgh") We have now recovered the original password There are many programs available on the Internet (including one from the author of this text; see http://www.garykessler.net/download/cisco7.zip)... value from an arbitrary-length message, designed for smart cards • MD4: Similar to MD2, designed specifically for fast processing in software Developed by cryptographer Ron Rivest • MD5: Similar to MD4 but slower because the data is manipulated more Developed by cryptographer Ron Rivest after potential weaknesses were reported in MD4 • Secure Hash Algorithm (SHA): Proposed by NIST for their Secure Hash... mod 11 = 4 and for this to work Alice knows her private key xa (3) and Bob’s public key (5) so k = ybxa mod n, with numbers that is 53 mod 11 = 4 as well 1 - 35 Diffie-Hellman Key Exchange Alice and Bob agree on the value of a large prime number, N and a generator, G Each calculates a private key (X) and public key (Y) The secret key (K) is derived from X and the other person's Y Select N=7, G =4 Choose . 1 - 1
Encryption and Exploits - SANS
©2001
1
Security Essentials
Day 4
Security Essentials
The SANS Institute
1 - 2
Encryption I - SANS
©2001
2
Agenda
•. works?
– Security issues
– Defenses
This page intentionally left blank.
1 - 4
Encryption and Exploits - SANS
©2001
4
Introduction to Encryption I
Security Essentials
The
Ngày đăng: 17/01/2014, 07:20
Xem thêm: Tài liệu Security Essentials Day 4 docx, Tài liệu Security Essentials Day 4 docx