
CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)


Applied Cryptography


distribute identity credentials using digital certificates. You should now feel comfortable with the basics of cryptography and prepared to move on to higher-level applications of this technology to solve everyday communications problems. In the following sections, we’ll examine the use of cryptography to secure electronic mail, web communications services, electronic commerce, and networking.

Electronic Mail

One of the most demanded applications of cryptography is the encryption and signing of electronic mail messages. Until recently, encrypted e-mail required the use of complex, awkward software that required manual intervention and complicated key exchange procedures. An increased emphasis on security in recent years resulted in the implementation of strong encryption technology in mainstream electronic mail packages. Next, we’ll look at some of the secure electronic mail standards in widespread use today.

Pretty Good Privacy

Phil Zimmermann’s Pretty Good Privacy (PGP) secure e-mail system appeared on the computer security scene in 1991. It is based upon the “web of trust” concept, where you must become trusted by one or more PGP users to begin using the system. You then accept their judgment regarding the validity of additional users and, by extension, trust a multilevel “web” of users descending from your initial trust judgments. PGP initially encountered a number of hurdles to widespread use. The most difficult obstruction was the U.S. government export regulations, which treated encryption technology as munitions and prohibited the distribution of strong encryption technology outside of the United States. Fortunately, this restriction has since been repealed and PGP may be freely distributed to most countries.

PGP is available in two versions. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) 128-bit encryption/decryption algorithm, and the SHA-1 hashing function.

Privacy Enhanced Mail

The Privacy Enhanced Mail (PEM) standard addresses implementation guidelines for secure electronic mail in a variety of Internet Request for Comments (RFC) documents. RFC 1421 outlines an architecture that provides the following services:

Disclosure protection

Originator authenticity

Message integrity

Nonrepudiation (if asymmetric cryptography is used)

However, the same RFC also notes that PEM is not intended to provide the following services:

Access control

Traffic flow confidentiality

302 Chapter 10 PKI and Cryptographic Applications

Address list accuracy

Routing control

Assurance of message receipt and nondeniability of receipt

Automatic association of acknowledgments with the messages to which they refer

Replay protection

Security administrators who desire any of the services just listed should implement additional controls over and above those provided by a PEM-compliant electronic mail system. An important distinction between PEM and PGP is that PEM uses a CA-managed hierarchy of digital certificates whereas PGP relies upon the “web of trust” between system users.

MOSS

Another Request for Comments document, RFC 1848, specifies the MIME Object Security Services (MOSS), yet another standard for secure electronic mail, designed to supersede Privacy Enhanced Mail. Like PGP, MOSS does not require the use of digital certificates and provides easy associations between certificates and e-mail addresses. It also allows the secure exchange of attachments to e-mail messages. However, MOSS does not provide any interoperability with PGP or PEM.

S/MIME

The Secure Multipurpose Internet Mail Extensions (S/MIME) protocol has emerged as a likely standard for future encrypted electronic mail efforts. S/MIME utilizes the RSA encryption algorithm and has received the backing of major industry players, including RSA Security. S/MIME has already been incorporated in a large number of commercial products, including these:

Microsoft Outlook and Outlook Express

Netscape Communicator

Lotus Notes

VeriSign Digital ID

Eudora WorldSecure

S/MIME relies upon the use of X.509 certificates for the exchange of cryptographic keys. The public keys contained in these certificates are used for digital signatures and for the exchange of symmetric keys used for longer communications sessions. RSA is the only public key cryptographic protocol supported by S/MIME. The protocol supports the following symmetric encryption algorithms:

DES

3DES

RC2

The strong industry support for the S/MIME standard makes it likely that S/MIME will be widely adopted and approved as an Internet standard for secure electronic mail by the Internet Engineering Task Force (IETF) in the near future.


Web

Although secure electronic mail is still in its early days, secure web browsing has achieved widespread acceptance in recent years. This is mainly due to the strong movement toward electronic commerce and the desire of both e-commerce vendors and consumers to securely exchange financial information (such as credit card information) over the Web. We’ll look at the two technologies that are responsible for the small lock icon at the bottom of web browsers—Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP).

Secure Sockets Layer

Secure Sockets Layer (SSL) was developed by Netscape to provide client/server encryption for web traffic. SSL operates above the TCP/IP protocol in the network stack. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) uses port 443 to negotiate encrypted communications sessions between web servers and browser clients. Although SSL originated as a standard for Netscape browsers, Microsoft also adopted it as a security standard for its popular Internet Explorer browser. The incorporation of SSL into both of these products made it the de facto Internet standard.

SSL relies upon the exchange of server digital certificates to negotiate RSA encryption/decryption parameters between the browser and the web server. SSL’s goal is to create secure communications channels that remain open for an entire web browsing session.

SSL forms the basis for a new security standard, the Transport Layer Security (TLS) protocol, specified in RFC 2246. TLS is expected to supersede SSL as it gains in popularity.

Be certain to know the differences between HTTPS and S-HTTP.

Secure HTTP

Secure HTTP (S-HTTP) is the second major protocol used to provide security on the World Wide Web. S-HTTP is not nearly as popular as SSL, but it has two major differences:

S-HTTP secures individual messages between a client and server rather than creating a secure communications channel as SSL does.

S-HTTP supports two-way authentication between a client and a server rather than the server-only authentication supported by SSL.

Steganography

Steganography is the art of using cryptographic techniques to embed secret messages within another message. Steganographic algorithms work by making alterations to the least significant bits of the many bits that make up image files. The changes are so minor that there is no appreciable effect on the viewed image. This technique allows communicating parties to hide messages in plain sight—such as embedding a secret message within an illustration on an otherwise innocent web page.


Steganographers often embed their secret messages within images or WAV files. These files are often so large that the secret message would easily be missed by even the most observant inspector.

E-Commerce

As mentioned in the previous section, the rapid growth of electronic commerce led to the widespread adoption of SSL and HTTPS as standards for the secure exchange of information through web browsers. Recently, industry experts have recognized the added security necessary for electronic transactions. In the next section, we’ll explore the Secure Electronic Transaction (SET) protocol designed to add this enhanced security.

Secure Electronic Transactions

The Secure Electronic Transaction (SET) standard was originally developed jointly by Visa and MasterCard—the two largest providers of credit cards in the United States—as a means for securing e-commerce transactions. When they outlined the business case for SET, the two vendors identified the following seven requirements:

Provide confidentiality of payment information and enable confidentiality of order information transmitted along with the payment information.

Ensure the integrity of all transmitted data.

Provide authentication that a cardholder is a legitimate user of a branded payment card account.

Provide authentication that a merchant can accept branded payment card transactions through its relationship with an acquiring financial institution.

Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.

Create a protocol that neither depends on transport security mechanisms nor prevents their use.

Facilitate and encourage interoperability among software and network providers.

For more information on SET, including the complete text of the specification and a developer’s toolkit, visit the website www.setco.org.

SET utilizes a combination of RSA public key cryptography and DES private key cryptography in conjunction with digital certificates to secure electronic transactions. The original SET standard was published in 1997.


MONDEX

The MONDEX payment system, owned by MasterCard International, uses cryptographic technology to allow electronic commerce users to store value on smart chips in proprietary payment cards. The value can then be instantly transferred to a vendor at the point of purchase.

Networking

The final application of cryptography we’ll explore in this chapter is the use of cryptographic algorithms to provide secure networking services. In the following sections, we’ll take a brief look at two methods used to secure communications circuits, as well as IPSec and the ISAKMP protocol. We’ll also look at some of the security issues surrounding wireless networking.

Circuit Encryption

Security administrators use two types of encryption techniques to protect data traveling over networks—link encryption and end-to-end encryption.

Link encryption protects entire communications circuits by creating a secure tunnel between two points using either a hardware or a software solution that encrypts all traffic entering one end of the tunnel and decrypts all traffic entering the other end of the tunnel. For example, a company with two offices connected via a data circuit might use link encryption to protect against attackers monitoring at a point in between the two offices.

End-to-end encryption protects communications between two parties (e.g., a client and a server) and is performed independently of link encryption. An example of end-to-end encryption would be the use of Privacy Enhanced Mail to pass a message between a sender and a receiver. This protects against an intruder who might be monitoring traffic on the secure side of an encrypted link or traffic sent over an unencrypted link.

The critical difference between link and end-to-end encryption is that in link encryption, all the data, including the header, trailer, address, and routing data, is also encrypted. Therefore, each packet has to be decrypted at each hop so it can be properly routed to the next hop and then reencrypted before it can be sent along its way, which slows the routing. End-to-end encryption does not encrypt the header, trailer, address, and routing data, so it moves faster from point to point but is more susceptible to sniffers and eavesdroppers. When encryption happens at the higher OSI layers, it is usually end-to-end encryption, and if encryption is done at the lower layers of the OSI model, it is usually link encryption.

Secure Shell (SSH) is a good example of an end-to-end encryption technique. This suite of programs provides encrypted alternatives to common Internet applications like FTP, Telnet, and rlogin. There are actually two versions of SSH. SSH1 (which is now considered insecure) supports the DES, 3DES, IDEA, and Blowfish algorithms. SSH2 drops support for DES and IDEA but adds support for several other algorithms.


IPSec

The IP Security (IPSec) protocol provides a complete infrastructure for secured network communications. IPSec has gained widespread acceptance and is now offered in a number of commercial operating systems out of the box. IPSec relies upon security associations, and there are four main components:

The Authentication Header (AH) provides assurances of message integrity and nonrepudiation.

The Encapsulating Security Payload (ESP) provides confidentiality of packet contents.

The IP Payload Compression (IPcomp) protocol allows IPSec users to achieve enhanced performance by compressing packets prior to the encryption operation.

The Internet Key Exchange (IKE) protocol provides for the secure exchange of cryptographic keys between IPSec participants.

IPSec provides for two discrete modes of operation. When IPSec is used in transport mode, only the packet payload is encrypted. This mode is designed for peer-to-peer communication. When it’s used in tunnel mode, the entire packet, including the header, is encrypted. This mode is designed for gateway-to-gateway communication.

IPSec is an extremely important concept in modern computer security. Be certain that you’re familiar with the four component protocols and the two modes of IPSec operation.

Further details of the IPSec algorithm are provided in Chapter 3, “ISO Model, Network Security, and Protocols.”

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPSec. As you learned in the previous section, IPSec relies upon a system of security associations (SAs). These SAs are managed through the use of ISAKMP. There are four basic requirements for ISAKMP, as set forth in Internet RFC 2408:

Authenticate communicating peers.

Create and manage security associations.

Provide key generation mechanisms.

Protect against threats (e.g., replay and denial of service attacks).

Wireless Networking

The widespread rapid adoption of wireless networks poses a tremendous security risk. Many traditional networks do not implement encryption for routine communications between hosts on the local network and rely upon the assumption that it would be too difficult for an attacker to gain physical access to the network wire inside a secure location to eavesdrop on the network. However, wireless networks transmit data through the air, leaving them extremely vulnerable to interception.


The security community responded with the introduction of Wired Equivalent Privacy (WEP), which provides 40-, 64-, and 128-bit encryption options to protect communications within the wireless LAN. WEP is described in IEEE 802.11 as an optional component of the wireless networking standard. Unfortunately, there are several vulnerabilities in this protocol that make it a less than desirable choice for many security administrators.

Remember that WEP is not an end-to-end security solution. It encrypts traffic only between a mobile computer and the nearest wireless access point. Once the traffic hits the wired network, it’s in the clear again.

Another commonly used wireless security standard, IEEE 802.1x, provides a flexible framework for authentication and key management in wireless networks. It greatly reduces the burden inherent in changing WEP encryption keys manually and supports a number of diverse authentication techniques.

Cryptographic Attacks

As with any security mechanism, malicious individuals have found a number of attacks to defeat cryptosystems. It’s important that you, as a security administrator, understand the threats posed by various cryptographic attacks to minimize the risks posed to your systems:

Brute force: Brute force attacks are quite straightforward. They involve using massive amounts of processing power to randomly guess the key used to secure cryptographic communications. For a non-flawed protocol, the average amount of time required to discover the key through a brute force attack is directly proportional to the length of the key.

Known plaintext: In the known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy). This knowledge greatly assists the attacker in breaking weaker codes. For example, imagine the ease with which you could break the Caesar cipher described in Chapter 9 if you had both a plaintext and a ciphertext copy of the same message.

Chosen ciphertext: In a chosen ciphertext attack, the attacker has the ability to decrypt chosen portions of the ciphertext message and use the decrypted portion of the message to discover the key.

Chosen plaintext: In a chosen plaintext attack, the attacker has the ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm.

Meet-in-the-middle: Attackers might use a meet-in-the-middle attack to defeat encryption algorithms that use two rounds of encryption. This attack is the reason that Double DES (2DES) was quickly discarded as a viable enhancement to the DES encryption in favor of Triple DES (3DES). In the meet-in-the-middle attack, the attacker uses a known plaintext message. The plaintext is then encrypted using every possible key (k1), while the equivalent ciphertext is decrypted using all possible keys (k2). When a match is found, the corresponding pair (k1, k2) represents both portions of the double encryption. This type of attack generally takes only double the time necessary to break a single round of encryption (or 2^n rather than the anticipated 2^n * 2^n), offering minimal added protection.

Man-in-the-middle: In the man-in-the-middle attack, a malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session). The attacker responds to the originator’s initialization requests and sets up a secure session with the originator. The attacker then establishes a second secure session with the intended recipient using a different key and posing as the originator. The attacker can then “sit in the middle” of the communication and read all traffic as it passes between the two parties.

Be careful not to confuse the meet-in-the-middle attack with the man-in-the-middle attack. They sound very similar!

Birthday: The birthday attack (also known as a collision attack) seeks to find flaws in the one-to-one nature of hashing functions. In this attack, the malicious individual seeks to substitute in a digitally signed communication a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.

Replay: The replay attack is used against cryptographic algorithms that don’t incorporate temporal protections. In this attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later “replays” the captured message to open a new session. This attack can be defeated by incorporating a time stamp and expiration period into each message.
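The meet-in-the-middle entry above explains why a second key adds so little strength. The following added example (not from the book) carries the accounting through on a constructed 16-bit toy cipher with 8-bit keys; the cipher, its constants, and all function names are assumptions made for illustration.

```python
# Added illustration: key-strength accounting for double encryption.
# The cipher below is a constructed toy, not DES or any real algorithm.
KEY_BITS = 8                       # n: bits per key
MASK = 0xFFFF                      # 16-bit block
MUL = 0x6255                       # odd, so invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)    # modular inverse (Python 3.8+)


def toy_encrypt(key: int, block: int) -> int:
    for r in range(4):
        block = (block + key * 0x0101 + r) & MASK        # add round key
        block = ((block << 5) | (block >> 11)) & MASK    # rotate left 5
        block = (block * MUL) & MASK                     # invertible mix
    return block


def toy_decrypt(key: int, block: int) -> int:
    for r in reversed(range(4)):
        block = (block * MUL_INV) & MASK
        block = ((block >> 5) | (block << 11)) & MASK    # rotate right 5
        block = (block - key * 0x0101 - r) & MASK
    return block


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return (key pairs consistent with every known pair, cipher calls
    spent in the two search halves)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    middle = {}
    for k1 in range(1 << KEY_BITS):          # forward half: 2**n encryptions
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
        calls += 1
    survivors = []
    for k2 in range(1 << KEY_BITS):          # backward half: 2**n decryptions
        calls += 1
        for k1 in middle.get(toy_decrypt(k2, c0), []):
            # chance matches are weeded out with the remaining known pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                survivors.append((k1, k2))
    return survivors, calls


def demo():
    k1, k2 = 0x3A, 0xC5                      # constructed sample keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    survivors, calls = meet_in_the_middle(pairs)
    return {
        "true_pair_found": (k1, k2) in survivors,
        "search_calls": calls,                        # 2 * 2**n
        "exhaustive_pairs": (1 << KEY_BITS) ** 2,     # 2**n * 2**n
    }


if __name__ == "__main__":
    print(demo())
```

With n = 8 the search costs 512 cipher calls against 65,536 key pairs for exhaustive search, at the price of a table holding 2^n intermediate values.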
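The replay entry above names the defense: a time stamp and an expiration period in each message. The following added example (not from the book) shows a receiver enforcing both, with the time stamp bound to the message by an HMAC and a nonce cache covering the window before expiry; the message format, the constants, and all names are assumptions.

```python
# Added illustration: replay rejection with an authenticated time stamp,
# an expiration period, and a per-message nonce. Format and names are assumed.
import hashlib
import hmac
import json
import os

MAX_AGE_SECONDS = 30       # expiration period (constructed value)
CLOCK_SKEW_SECONDS = 5     # tolerated drift for time stamps in the future


def seal(key: bytes, body: str, now: float) -> bytes:
    """Sender: bind body, time stamp and a random nonce under one MAC."""
    msg = json.dumps({"body": body, "ts": now, "nonce": os.urandom(16).hex()},
                     sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return tag + b"." + msg


class ReplayGuard:
    """Receiver: accept each authentic message once, within its lifetime."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}     # nonce -> time after which it can be forgotten

    def accept(self, wire: bytes, now: float):
        tag, sep, msg = wire.partition(b".")
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        # Check the MAC first so an edited time stamp never reaches the parser.
        if not sep or not hmac.compare_digest(tag, expected):
            return (False, "bad-mac")
        fields = json.loads(msg)
        age = now - fields["ts"]
        if age > MAX_AGE_SECONDS:
            return (False, "expired")
        if age < -CLOCK_SKEW_SECONDS:
            return (False, "future-timestamp")
        # Nonces of messages that would now be rejected as expired can go.
        self.seen = {n: t for n, t in self.seen.items() if t >= now}
        if fields["nonce"] in self.seen:
            return (False, "replayed")
        self.seen[fields["nonce"]] = fields["ts"] + MAX_AGE_SECONDS
        return (True, fields["body"])


def demo():
    key = b"constructed-demo-key"
    guard = ReplayGuard(key)
    wire = seal(key, "AUTH user=alice", now=1000.0)
    first = guard.accept(wire, now=1001.0)     # fresh and authentic
    replay = guard.accept(wire, now=1002.0)    # same bytes, inside the window
    late = guard.accept(wire, now=1031.0)      # same bytes, after expiry
    # Rewriting the time stamp to look fresh breaks the MAC.
    edited = wire.replace(b'"ts": 1000.0', b'"ts": 1031.0')
    forged = guard.accept(edited, now=1031.0)
    return first, replay, late, forged


if __name__ == "__main__":
    print(demo())
```

The nonce cache only has to remember messages for one expiration period, which is what keeps the receiver's state bounded.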

Summary

Public key encryption provides an extremely flexible infrastructure, facilitating simple, secure communication between parties that do not necessarily know each other prior to initiating the communication. It also provides the framework for the digital signing of messages to ensure nonrepudiation and message integrity. This chapter explored public key encryption, which is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. We also described some popular cryptographic algorithms, such as link encryption and end-to-end encryption. Finally, we introduced you to the public key infrastructure, which uses certificate authorities (CAs) to generate digital certificates containing the public keys of system users and digital signatures, which rely upon a combination of public key cryptography and hashing functions.

We also looked at some of the common applications of cryptographic technology in solving everyday problems. You learned how cryptography can be used to secure electronic mail (using PGP, PEM, MOSS, and S/MIME), web communications (using SSL and S-HTTP), electronic commerce (using steganography and SET), and both peer-to-peer and gateway-to-gateway networking (using IPSec and ISAKMP) as well as wireless communications (using WEP).


Finally, we looked at some of the more common attacks used by malicious individuals attempting to interfere with or intercept encrypted communications between two parties. Such attacks include birthday, cryptanalytic, replay, brute force, known plaintext, chosen plaintext, chosen ciphertext, meet-in-the-middle, and man-in-the-middle attacks. It’s important for you to understand these attacks in order to provide adequate security against them.

Exam Essentials

Understand the key types used in asymmetric cryptography. Public keys are freely shared among communicating parties, whereas private keys are kept secret. To encrypt a message, use the recipient’s public key. To decrypt a message, use your own private key. To sign a message, use your own private key. To validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems. RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends upon the difficulty of factoring the product of prime numbers. El Gamal is an extension of the Diffie-Hellman key exchange algorithm that depends upon modular arithmetic. The elliptic curve algorithm depends upon the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length.

Know the fundamental requirements of a hash function. Good hash functions have five requirements. They must allow input of any length, provide fixed-length output, make it relatively easy to compute the hash function for any input, provide one-way functionality, and be collision free.

Be familiar with the four major hashing algorithms. The Secure Hash Algorithm (SHA) and its successor SHA-1 make up the government standard message digest function. SHA-1 produces a 160-bit message digest. MD2 is a hash function that is designed for 8-bit processors and provides a 16-byte hash. MD4 and MD5 both produce a 128-bit hash, but MD4 has proven vulnerabilities and is no longer accepted.

Understand how digital signatures are generated and verified. To digitally sign a message, first use a hashing function to generate a message digest. Then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender’s public key and then compare the message digest to one you generate yourself. If they match, the message is authentic.

Know the components of the Digital Signature Standard (DSS). The Digital Signature Standard uses the SHA-1 message digest function along with one of three encryption algorithms: the Digital Signature Algorithm (DSA), the Rivest, Shamir, Adleman (RSA), or the Elliptic Curve DSA (ECDSA) algorithm.

Understand the public key infrastructure (PKI). In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they wish to communicate. Certificate recipients verify a certificate using the CA’s public key.


Know the common applications of cryptography to secure electronic mail. The emerging standard for encrypted messages is the S/MIME protocol. Other popular e-mail security protocols include Phil Zimmermann’s Pretty Good Privacy (PGP), Privacy Enhanced Mail (PEM), and MIME Object Security Services (MOSS).

Know the common applications of cryptography to secure web activity. The de facto standard for secure web traffic is the use of HTTP over Secure Sockets Layer (SSL), otherwise known as HTTPS. Secure HTTP (S-HTTP) also plays an important role in protecting individual messages. Most web browsers support both standards.

Know the common applications of cryptography to secure electronic commerce. The Secure Electronic Transaction (SET) protocol was developed jointly by Visa and MasterCard to provide end-to-end security for electronic commerce transactions.

Know the common applications of cryptography to secure networking. The IPSec protocol standard provides a common framework for encrypting network traffic and is built in to a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication. In tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

Explain common cryptographic attacks. Brute force attacks are attempts to randomly find the correct cryptographic key. Known plaintext, chosen ciphertext, and chosen plaintext attacks require the attacker to have some extra information in addition to the ciphertext. The meet-in-the-middle attack exploits protocols that use two rounds of encryption. The man-in-the-middle attack fools both parties into communicating with the attacker instead of directly with each other. The birthday attack is an attempt to find collisions in hash functions. The replay attack is an attempt to reuse authentication requests.
