Презентация Key Management. Cryptography applications онлайн

Содержание слайда: Key Management. Cryptography applications.

Содержание слайда: Cryptanalysis – Code Breaking A number of code breaking (cryptanalysis) methods exist, such as brute-force, ciphertext, and known-plaintext, among others.

Содержание слайда: Keys With modern technology, security of encryption lies in the secrecy of the keys, not the algorithm. Two terms that are used to describe keys are: Key length - Also called the key size, this is measured in bits. In this course, we will use the term key length. Keyspace - This is the number of possibilities that can be generated by a specific key length. As key length increases, the keyspace increases exponentially.

Содержание слайда: Integrity and Authenticity Cryptographic Hash Functions Cryptographic hashes are used to verify and ensure data integrity. Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse. The cryptographic hashing function can also be used to verify authentication. A hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash. The resulting hash is also sometimes called the message digest, digest, or digital fingerprint. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Every time the data is changed or altered, the hash value also changes. 

Содержание слайда: Integrity and Authenticity Cryptographic Hash Operation Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates. A cryptographic hash function should have the following properties: The input can be any length. The output has a fixed length. H(x) is relatively easy to compute for any given x. H(x) is one way and not reversible. H(x) is collision free, meaning that two different input values will result in different hash values.

Содержание слайда: Integrity and Authenticity MD5 and SHA Hash functions are used to ensure the integrity of a message. They ensure data has not changed accidentally or intentionally. Three well-known hashing algorithms are 128-bit MD5, SHA-1, and SHA-2. MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm. It is recommended that SHA-2 be used instead. SHA-1 – Very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160 bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm. SHA-2 –Next-generation algorithm and should be used whenever possible. While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes. There is no unique identifying information from the sender in the hashing procedure. 

Содержание слайда: Integrity and Authenticity Hash Message Authentication Code To add authentication to integrity assurance, a keyed-hash message authentication code (HMAC) is used. To add authentication, HMAC uses an additional secret key as input to the hash function. Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key.  Only parties who have access to that secret key can compute the digest of an HMAC function.  If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered. 

Содержание слайда: Public Key Cryptography Using Digital Signatures

Содержание слайда: Public Key Cryptography Digital Signatures for Code Signing

Содержание слайда: Public Key Cryptography Digital Signatures for Digital Certificates

Содержание слайда: Authorities and the PKI Trust System Public Key Management When establishing an asymmetric connection between two hosts, the hosts will exchange their public key information. Trusted third parties on the Internet validate the authenticity of these public keys using digital certificates. The third party issues credentials that are difficult to forge. From that point forward, all individuals who trust the third party simply accept the credentials that the third party issues.

Содержание слайда: Authorities and the PKI Trust System The Public Key Infrastructure

Содержание слайда: Authorities and the PKI Trust System The PKI Authorities System

Содержание слайда: Authorities and the PKI Trust System The PKI Trust System

Содержание слайда: Authorities and the PKI Trust System Interoperability of Different PKI Vendors Interoperability between a PKI and its supporting services is a concern because many CA vendors have proposed and implemented proprietary solutions instead of waiting for standards to develop. To address this interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The X.509 version 3 (X.509v3) standard defines the format of a digital certificate.

Содержание слайда: Authorities and the PKI Trust System Certificate Enrollment, Authentication, and Revocation All systems that leverage the PKI must have the CA’s public key, called the self-signed certificate. The CA public key verifies all the certificates issued by the CA and is vital for the proper operation of the PKI. The certificate enrollment process begins when CA certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using the telephone. The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate for itself and to get the CA’s self-signed certificate. The final stage verifies that the CA certificate was authentic and is performed using an OOB method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA identity certificate. A digital certificate can be revoked if key is compromised or if it is no longer needed.

Содержание слайда: Applications and Impacts of Cryptography PKI Applications Some of the many applications of PKIs are: SSL/TLS certificate-based peer authentication Secure network traffic using IPsec VPNs HTTPS Web traffic Control access to the network using 802.1x authentication Secure email using the S/MIME protocol Secure instant messaging Approve and authorize applications with Code Signing Protect user data with the Encryption File System (EFS) Implement two-factor authentication with smart cards Securing USB storage devices

Содержание слайда: P Applications and the Impacts of Cryptography Encrypting Network Transactions Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network. Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include: Validity date range - The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message. Signature validation error - If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic.

Содержание слайда: P Applications and Impacts of Cryptography Encryption and Security Monitoring Network monitoring becomes more challenging when packets are encrypted.  Because HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to peek into user traffic. Here is a list of some of the things that a security analyst could do: Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic. Enhance security through server certificate validation using CRLs and OCSP. Implement antimalware protection and URL filtering of HTTPS content. Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.