Why Cryptography ❚ Because it is Private ❚ It’s not anyone else’s business ❚ You must protect yourself Quadralay Cryptography Archive
Internet Privacy Coalition
Crypto-Log
Paradigm Shift ❚ Telephone network ❙ Owned by few ❙ Effectively managed
❚ Traditional LAN ❙ Owned by an organization ❙ Centrally managed
❚ The Internet ❙ No one owns it ❙ Management anarchy
Therefore, cryptograph y is important!!
Internet Reality ❚ ❚ ❚ ❚ ❚
Anyone can be intercepting your data Ethernets are easy to “spy” on Most of today’s attacks are kids Professionals are coming Many internet links travel on microwaves
Americans for Computer Privacy
Cryptography ❚ Art of enciphering information to render it meaningless to all but a few ❙ It is still an “art”
❚ Third oldest profession ❙ After tattoo artistry The Center for Democracy and Technology
Secret Key Cryptosystems “Conventional” ciphers use the same key for encryption and decryption
Secret Key Cryptosystems (Real Audio)
Public Key Cryptosystems “Public key” ciphers use a pair of keys (one public, one private)
Public Key Cryptosystems (Real Audio)
Problems of Cryptography ❚ ❚ ❚ ❚
Develop cryptographic algorithm Generate “strong” keys Distribute keys securely Develop protocol for interaction Security Pitfalls in Cryptography
Develop Algorithms ❚ Easiest step: ❙ Don’t do it!
❚ If you must… ❙ Spend 10 years breaking other people’s algorithms ❙ Get other people to attack your design
❚ Plenty of good algorithms exist ❙ People are busy attacking them
ALGORITHMS ❚ DES ❙ IBM/NSA - 56bit keys (dented, but not broken)
❚ IDEA ❙ 128 bit keys; not feasibly broken by brute force
❚ RC-5 ❙ Can be licensed from RSA data security ❙ Used by many commercial products
Problems of Cryptography ❚ ❚ ❚ ❚
Develop cryptographic algorithm Generate “strong” keys Distribute keys securely Develop protocol for interaction Security Pitfalls in Cryptography
Generate Strong Keys ❚ Very hard, many systems attacked this way ❙ Netscape (10/95) ❙ Kerberos (2/96)
❚ Cryptographic “random” numbers have to be unpredictable ❚ Tighter requirements than for statistical uses ❚ Computers are VERY VERY NON-random devices
Problems of Cryptography ❚ ❚ ❚ ❚
Develop cryptographic algorithm Generate “strong” keys Distribute keys securely Develop protocol for interaction Security Pitfalls in Cryptography
Distribute Keys ❚ Another way to crack systems ❚ Interception of keys in transit, or storage
Problems of Cryptography ❚ ❚ ❚ ❚
Develop cryptographic algorithm Generate “strong” keys Distribute keys securely Develop protocol for interaction Security Pitfalls in Cryptography
Develop Protocol Careful not to negotiate insecurity Example: Cannot ask untrusted endpoint for name of authentication domain • Until you have a secure association, you can’t negotiate security
Internet Security Principles ❚ Protect yourself ❚ Help others ❚ Remember which of these is first!! Competing Internet Privacy Initiatives (Real Audio)
DES
Data Encryption Standard
❚ Developed by IBM, refined by NSA ❚ 56 bit keys, 64 bit blocks ❙ OK for 1977, but a little short today
❚ “Dented” but not broken ❚ Key length too short for much longevity ❙ Brute force can be used successfully
❚ Fast in hardware, slow in software
IDEA
International Data Encryption Algorithm
❚ Developed by Xuejia Lai and James L. Massey of ETH Zurich ❚ Published in 1990, 128 bit keys ❚ Fast in software ❚ 128 bit keys can not feasibly be broken by brute force ❙ Would require all the energy output of the earth for 500-600 years
❚ Patented, but licensing not difficult
3DES
Triple DES
❚ Three passes of DES ❙ Encrypt with key 1 ❙ Decrypt with key 2 ❙ Encrypt with key 3
❚ ❚ ❚ ❚
Has 112 bits of strength Slow (3 times DES) Freely available (no patent issues) Very strong ❙ Could follow with IDEA encryption
RC5 ❚ Ron Cipher #5 ❚ Trade secret ❙ Publicly released ❙ Reverse engineering partially successful
❚ Very fast stream cipher ❚ Variable key length ❚ Believed to be “good” but only recently studied ❚ Can be licensed from RSA data security ❚ Used by many commercial products