Share


Share

Share it !



share/bookmark

I Know What You Did Last Session: Basic Applied Cryptography


While Janet was sitting in a cyber café sending emails to friends and surfing the web, there was a person sitting three tables away reading each email she sent before they ever got to the email server. During this period of time, the thief was able to get access to her bank account, passwords to several business websites, and her credit card number. Now imagine that you were the on sitting in the café. This scenario is not far from reality and is the main reason that using cryptography is so important in today's technological world. Identity theft is a growing problem and there are ways you can help protect yourself frombecoming the victim.

Most people think that cryptography is an island in the magical land of make believe. However, cryptography is very real and not as complex as most would believe. If you use the Internet, you are likely to use applied cryptography in your day-to-day functions. This can be accessing you bank account to retrieve your monthly balance to purchasing automotive parts from a warehouse or manufacturer. Companies use cryptography to make sure sensitive data stays confidential between the intended parties and the data stays intact. Cryptography is the art of converting messages into a secret code or cipher. This process alters a plaintext message using an algorithm to create a ciphertext/encrypted message.

History of Ciphers

Cryptography has been in use for thousands of years. In fact, it was in use before 2000 B.C. Egypt in the form of hieroglyphs. The Greeks even used encryption referred to as the Scytale cipher and was worn as a belt by couriers. The Scytale was designed a combination of a long strip of leather with writing on it and a specific sized staff. This leather strip would be wrapped around the staff to decrypt the ciphertext. Julius Caesar also used a cryptographic algorithm referred to as ROT-3. This encryption shifts the alphabet three spaces to the right and was very effective at the time.

Applied Cryptography

Ok, but how does it affect you? The basic uses of cryptography are to provide confidentially (secrecy of the data), integrity (protection from intentional or unintentional alteration), and authentication (prove you are who you say you are). Some forms even allow for Nonrepudiation services that prove that the message was written, sent, or received. We will briefly discuss the most commonly used cryptographic schemes that you may use every day while leaving the trivial details out.

You will hear the terms X.509 and digital certificates (used in digital signatures) throughout this paper. Digital certificates are used in the same way a real signature is used as a verification of endorsement. The most well know companies that sell these certificates are:

o Verisign - http://www.verisign.com/

o Thwarte - http://www.thawte.com/

(Offers free personal email digital certificates)

Internet traffic (Securing website traffic and email)

HTTPS: Hypertext Transfer Protocol over Secured Socket Layer. Do not mistake HTTPS with SSL. This is a common misnomer that is spread by those that do not understand SSL. HTTPS uses SSL to create an encrypted tunnel between a client and a server. This tunnel lasts the entire connection and is the most common website security feature on the Internet. This form of encryption is established by the use of a server side X.509 certificate that digitally signs the message.

S/MIME: Secure Multipurpose Internet Mail Exchange. S/MIME uses two X.509 certificates (also called digital signature) and both signs and encrypts the email. The author digitally signs the email with their private key. Once this happens, the message is then encrypted with the recipient's public key and sent. When the message reaches the recipient the message is decrypted with the recipient's private key, and then verified using the author's public key. This ensures that people using a packet sniffer (a program that allows a person to view traffic crossing the network) do not see your account information. Email clients like Netscape Communicator and Microsoft Outlook can use S/MIME with little setup required.

S-HTTP: Secured HTTP. The benefit of S-HTTP over HTTPS is the fact that each message is encrypted rather then using a tunnel that is vulnerable to both a man-in-the-middle and a session hijack attack. Another advantage of S-HTTP is that it allows for two-way client/server authentication

Tunneling encryption (Securing network traffic)

IPSec: IP Security Protocol is the most commonly used network encryption for the corporate world. When most people in the computer industry think about Virtual Private Networks (VPN)s, they immediately think of IPSec. Companies that use IPSec need an encrypted tunnel that allows all network traffic to flow through. Unlike SSL, IPSec is not limited to a port. Once the IPSec tunnel has been established, the system should have the same network access that it would have at the physical location. This offers far more power, but also requires far more overhead. Another issue is security. The more open the network, the more vulnerable it is. This is another reason why VPNs are usually on the outside of a firewall. Vulnerabilities to IPSec include session hijacking, and replay attacks.

SSH: Secure Shell provides a terminal like tunnel that protects the data crossing the network and should replace clear text protocols like Telnet and FTP. This allows you to connect to a server over the Internet securely over the Internet and administer remote systems without allowing the rest of the world to see everything you are doing. One of the most popular windows SSH clients is Putty.

SSL: Secured Socket Layer can be used to create a single port/socket Virtual Private Network (VPN) using a server side X.509 certificate. The most common use of SSL is webpage traffic over HTTP or HTTPS. SSL is vulnerable to man-in-the-middle attacks. Anyone can create a CA to distribute certificates, but keep in mind that a digital certificate is only as trustworthy as the CA that controls the certificate.

WEP: Wired Equivalent Privacy. This algorithm uses either a 40-bit key or a 128-bit (24 of the bits is used for the initialization vector) key. Most devices also allow for a wireless access point to filter MAC addresses to increase access controls onto the device. WEP is vulnerable and has been exploited by criminal hackers (crackers) while wardriving since WEP has hit the market. Some of the more popular tools used for wardriving are: Airopeek - a WiFi packet sniffer Airsnort - a WEP encryption key recovery tool Kismet - an 802.11 layer2 wireless network detector Netstumbler - an 802.11 layer2 wireless network detector

WPA: Wi-Fi Protected Access is a new standard that will overtake the old WEP technology in the near future. WPA uses a Pre-Shared Key (PSK) for SOHO networks, and Extensible Authentication Protocol for other wired/wireless networks for authentication. Some cryptoanalysts claimPSK is a weakness due to the fact that a cracker can access the key and brute force the key until it is known. The encryption scheme that is used is Temporal Key Integrity Protocol (TKIP). TKIP ensures more confidentiality and integrity of the data by using a temporal key instead ofthe traditional static key. Most people welcome this technology over the less secure WEP.

File access (Securing individual files)

Stenography: Stenography is the art of concealing files or messages in other media such as a .JPG image or .MPG video. You can add this data in the unused bits of the file that can be seen by using a common hex editor. Stenography is the easiest way to hide a message, but is by far the least secure. Security by obscurity is like a lock on a car door. It is only intended to keep the honest people honest.

PGP: Pretty Good Privacy is a free program that was created by Philip Zimmerman in 1991 and was the first widely accepted public key system. PGP is suite of encryption tools used for encrypting various types of data and traffic. PGP can be used for S/MIME and digitally signing a message. PGP uses a web of trust that allows the community to trust a certificate rather than a hierarchy Certification Authority (CA) to verifythe user's identification. More information can be found at http://web.mit.edu/network/pgp.html

Personal/Freeware: This can be downloaded from MIT for free.

o Diffie-Hellman key exchange

o CAST 128 bit encryption

o SHA-1 hashing function

Commercial: PGP® Software Developer Kit (SDK) 3.0.3 has received Federal Information Processing Standards (FIPS) 140-2 Level 1 validation by the National Institute of Standards and Technology (NIST).

o RSA key exchange

o IDEA encryption

o MD5 hashing function

CryptoAPI: Microsoft's cryptography component that allows developers to encrypt data. Microsoft has also developed an ActiveX control called CAPICOM that will even allow script access to the CryptoAPI.

Each encryption model is vulnerable to one attack or another. Below is a list of attack techniques that are used by cryptoanalysts to break the keys used to protect the messages

Ciphertext-Only: This is the easiest to instigate, but hardest to succeed. The attacker retrieves the ciphertext data through listening to the network traffic. Once the key is has been salvaged, the cracker can attempt to brute force the message until it resembles something legible.

Known-Plaintext: This covers the scenario of the cracker having both the plaintext and corresponding ciphertext of one or more messages. In WWII, the Japanese relied on cryptography, but had a weakness of sending formal messages. These messages were able to be broken because the ciphertext started and ended with the same message. Part of the plaintext was known and cryptoanalysts were able to decipher the message using the known-plaintext method.

Chosen-Plaintext: Similar to the know-plaintext attack, but the attacker can choose the plaintext to be encrypted. An attacker can assume someone else identity and send a message to target that needs to be encrypted. Since the plaintext is chosen and the target sends the encrypted message, the chosen-plaintext attack is successful.

Chosen-Ciphertext: The cryptoanalyst is chooses the ciphertext and has access to the decrypted plaintext.

Birthday Paradox: This attack is successful when a hash value of a plaintext matches the hash value of a completely different plaintext. This anomaly is proven mathematically among 23 people, there are 23*22/2 = 253 pairs, each of which being a potential candidate for a match.

Brute-Force: This form of attack is implemented by passing through every possible solution or combination until the answer is found. This is the most resource and time intensive method of attack

Dictionary: The attacker compares the target hash values with hash values of commonly used passwords. Dictionary files can be downloaded from hundreds of Internet sites.

Man-in-the-Middle: The attacker intercepts messages between two parties without either target knowing that the link between them has been compromised. This allows the attacker to modify the message at will.

Replay: Replay attacks are simply the replay of captured data in an attempt to trick the target into allowing the unauthorized access.

Back at the cyber café, if Janet connected to a secured web server using SSL to do her online banking and used S/MIME to send private email, the cyber thief would have never had a chance of seeing her unmentionables.




About the author: Jeremy Martin CISSP, ISSMP, ISSAP, CEI, CEH, CCNA, Network+, A+ Sr. Information Systems Security Consultant PLUSS Corporation - http://www.pluss.net Information Security - http://www.infosecwriter.com (requires flash)
(800) 835-9609 / (406) 892-8600

Member of:
BECCA ? Business Espionage Controls & Countermeasures Association
ISACAR Information Systems Audit and Control Association
(ISC)2 - International Information Systems Security Certification Consortium
ISSA - Information Systems Security Association
OISSG - Open Information Systems Security Group
YEN NTEA - Young Executives Network