The term cryptography is derived from a Greek word that means "hidden." In computing, cryptography refers to the methods used to "hide," or secure, communications from unauthorized access. Cryptography is often loosely equated with encryption, although encryption is only one of its applications. Encryption is done using established encryption algorithms or procedures. These algorithms fall into symmetric, asymmetric, and hashing algorithms. Encryption algorithms further lay the foundation for a PKI, which is one of the most widely used methods to secure network communications. This section includes a discussion of important encryption terms, algorithms, and Public Key Infrastructure.
An algorithm is defined as a procedure or a well-defined set of instructions to accomplish a task when the initial state of the problem is given. In encryption, the term encryption algorithm describes the process of turning readable text (known as plaintext) into scrambled, unreadable text (known as ciphertext) using the defined procedure and a key. Encryption is used as a protective cover for data transmitted over network media from one computer to another. It keeps the data secure from unauthorized access, whether by casual users or by skilled attackers. Encryption algorithms lay the foundation for security mechanisms such as confidentiality, authentication, digital signatures, and public key cryptography. Each algorithm operates with a key, which is used to encrypt and decrypt messages; only the parties who possess the correct key can encrypt or decrypt them. Encryption algorithms fall into the following main categories:
Symmetric algorithms
Asymmetric algorithms
Hashing algorithms
Symmetric algorithms, or symmetric key algorithms, use one key for both encryption and decryption of messages. A copy of the key is held at each end of the communication. This is also commonly known as secret key encryption, or shared secret encryption. In some implementations, and for the Security+ exam, symmetric key encryption is referred to as private key encryption. Symmetric key encryption is widely used because of its simplicity, ease of implementation, and speed. For a sound algorithm, its strength against brute force is determined by the key size: the larger the key, the more keys an attacker must try, and each additional bit doubles the work.
Symmetric algorithms are prone to brute force attacks. In a brute force attack, the attacker tries every possible key until one decrypts the message into meaningful plaintext; the time this takes doubles with every bit added to the key. Symmetric algorithms can also be vulnerable to known-plaintext attacks, in which the attacker has both a message and its ciphertext and uses the pair to work toward the key. The keys need to be chosen randomly, stored, and distributed using secure methods, and they must be changed regularly to limit the damage if one is compromised.
Symmetric algorithms are divided into stream ciphers and block ciphers. Stream ciphers encrypt the message one bit or byte at a time. Block ciphers take fixed-size blocks of bits, usually 64 or 128 bits at a time, and encrypt each block as one unit. Some of the popular symmetric algorithms are DES, 3DES, AES, and IDEA, as discussed in the following sections.
DES is one of the oldest symmetric encryption algorithms. It is a block cipher with a fixed block length: it encrypts plaintext in 64-bit blocks. The key is written as 64 bits, but 8 of them are parity bits, so the effective key length is only 56 bits. From that key, 16 48-bit subkeys are derived, one for each of the 16 Feistel rounds; the round function that mixes a subkey into half of the block is known as the Feistel function. DES is known for its weak security because of the small 56-bit key. It is prone to brute force attacks, and purpose-built hardware has recovered a DES key in less than 24 hours.
DES has been replaced by Triple DES (written as 3DES or TDES). 3DES does not enlarge the DES key itself; it applies the DES algorithm three times (encrypt, decrypt, encrypt) using two or three independent 56-bit keys, for nominal key lengths of 112 or 168 bits respectively. The result is far more resistant to brute force than single DES, although a meet-in-the-middle attack reduces the effective strength of three-key 3DES to about 112 bits, and the 64-bit block size remains a limitation.
AES is also known as Rijndael (pronounced "rain dall") and is the most widely used symmetric block cipher standard, largely because it supports a range of key sizes while remaining fast. It supports key sizes of 128, 192, and 256 bits. It is stronger and faster than 3DES and consumes less processing power and memory. The block size is 128 bits, handled as a 4-by-4 array of bytes (four 32-bit columns). Instead of Feistel cycles, AES is a substitution-permutation network that applies a sequence of rounds, each mixing in a round key derived from the cipher key. The number of rounds depends on the key size: 10 rounds for a 128-bit key, 12 for a 192-bit key, and 14 for a 256-bit key.
At the time of this writing, no practical attack on the full AES algorithm is known. The attacks that have succeeded in practice are side-channel attacks, which exploit information leaked by a physical implementation (such as timing or power consumption) rather than any weakness of the algorithm itself. A cache-timing attack is one such side channel: it measures how long the cipher's table lookups take on a shared processor cache in order to recover key bits. Cryptanalysis of the algorithm itself has only reached reduced-round versions (7 rounds, against the 10, 12, or 14 that full AES uses). As a result, AES is considered a strong encryption algorithm, provided the implementation is protected against side channels.
IDEA is a faster and more secure algorithm than DES. Each of its rounds combines three simple 16-bit operations (XOR, addition modulo 2^16, and multiplication modulo 2^16+1) rather than the Feistel structure of DES. IDEA operates on 64-bit blocks with a 128-bit key. Encryption and decryption use eight full rounds plus a final output transformation, with six 16-bit subkeys per round derived from the 128-bit key. IDEA is used as one of the components of PGP for secure messaging.
Asymmetric algorithms are the basis of public key cryptography. They use two mathematically related keys: one for encryption (the public key) and the other for decryption (the private key). The public key can be freely distributed, but the private key must be held in strict confidence. The two keys are generated together, yet the private key cannot feasibly be derived from the public key. Figure 11-14 shows how message encryption and decryption are accomplished using public key cryptography.
Asymmetric algorithms are much slower than symmetric algorithms and put a significant load on the computer's processor and memory. In addition, the keys used for asymmetric encryption are much larger than symmetric keys of comparable strength. For these reasons, asymmetric encryption is used only for small amounts of data, typically a symmetric session key that then protects the bulk of the traffic. Public key encryption provides confidentiality of data; public key digital signatures provide authentication and non-repudiation of the sender. These terms are explained later in the section "Concepts of Cryptography."
The sections that follow cover asymmetric encryption algorithms.
The Diffie-Hellman algorithm, or the Diffie-Hellman key exchange, is used for secure key agreement. It allows two parties to establish a shared secret key over an insecure communication channel without ever sending the secret itself. This key can then be used to set up encrypted communication with a symmetric algorithm. Messages encrypted by one party can be decrypted only by the other party that possesses the shared secret. Diffie-Hellman is used only to establish secret keys, not to encrypt data. The following steps are involved in a key exchange:
The two parties agree on two public numbers: a large prime number (the modulus) and a base number (the generator).
Each party separately generates a random secret number, equivalent to a private key, which is never sent. Each party raises the generator to its secret number, modulo the prime; the result (the public value, or public key) is sent to the other party.
After the exchange, each party raises the other party's public value to its own secret number, again modulo the prime, to produce the session key. Both parties arrive at the same value, because either way the result is the generator raised to the product of the two secret numbers.
The session key can then be used as a secret key for further encryption. An eavesdropper who saw only the public values cannot compute it without solving the discrete logarithm problem, which is infeasible for a large, well-chosen prime.
If the initial numbers are chosen carefully, Diffie-Hellman protects the shared secret well, because both the private and the public values are very large integers. It is, however, secure only against passive eavesdropping. On its own it does not authenticate the parties, so an attacker who can intercept and replace the public values can mount a man-in-the-middle (MITM) attack and establish a separate key with each side. This is why IPSec uses the Diffie-Hellman exchange together with RSA (or other) authentication when negotiating session keys.
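The four steps above, worked through in code as an added example (this is not code from the original page). It uses the small textbook parameters p = 23 and g = 5 and fixed private numbers so the arithmetic can be followed by hand; a real deployment uses a standard group of 2048 bits or more and fresh random exponents. The brute-force and man-in-the-middle functions are included to show why the prime must be large and why the exchange needs authentication.

```python
"""Diffie-Hellman key agreement worked through in code (added example).

Parameters p = 23, g = 5 are the classic textbook values (5 generates the
multiplicative group mod 23).  Private exponents are fixed so the run is
reproducible; real deployments use large standard groups and random exponents.
"""
import hashlib

P = 23   # public prime modulus (toy size; real groups are 2048 bits or more)
G = 5    # public generator


def public_value(private: int, p: int = P, g: int = G) -> int:
    """Step 2: the value each party sends over the channel, g^private mod p."""
    return pow(g, private, p)


def shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """Step 3: raise the peer's public value to one's own private exponent;
    both sides obtain g^(a*b) mod p."""
    return pow(peer_public, private, p)


def session_key(secret: int) -> bytes:
    """Step 4: never use the raw group element as a key; hash it into a
    fixed-length symmetric key (SHA-256 serves as a simple KDF here)."""
    return hashlib.sha256(str(secret).encode()).digest()


def brute_force_private(public: int, p: int = P, g: int = G) -> int:
    """Recover a private exponent from a public value by trying every exponent.
    Feasible only because p is tiny: this is the discrete logarithm problem
    that a large, carefully chosen p makes infeasible."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found; g is not a generator for this value")


def honest_exchange(a: int = 4, b: int = 3) -> tuple:
    """Alice (private a) and Bob (private b) exchange public values in the clear
    and independently derive the same secret.  Returns (Alice's, Bob's)."""
    A, B = public_value(a), public_value(b)           # sent over the wire
    return shared_secret(a, B), shared_secret(b, A)


def mitm_exchange(a: int = 4, b: int = 3, m: int = 7) -> dict:
    """Unauthenticated DH under an active attacker.  Mallory (private m)
    replaces both public values with her own and ends up with one key shared
    with Alice and a different key shared with Bob, while Alice and Bob each
    believe they share a key with the other."""
    A, B, M = public_value(a), public_value(b), public_value(m)
    return {
        "alice": shared_secret(a, M),             # Alice received M instead of B
        "bob": shared_secret(b, M),               # Bob received M instead of A
        "mallory_with_alice": shared_secret(m, A),
        "mallory_with_bob": shared_secret(m, B),
    }


if __name__ == "__main__":
    alice_key, bob_key = honest_exchange()
    print("honest exchange, both sides derive:", alice_key, bob_key)
    print("derived session key:", session_key(alice_key).hex())
    print("brute-forced Alice's exponent:", brute_force_private(public_value(4)))
    print("man-in-the-middle:", mitm_exchange())
```

With p = 23 the private exponent is recovered in a handful of modular exponentiations; with a 2048-bit prime the same loop would not finish in the lifetime of the universe. The MITM result shows the gap the text's IPSec note closes: nothing in the exchange itself tells Alice that the value she received came from Bob.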
The RSA algorithm was developed by Rivest, Shamir, and Adleman (hence the name RSA) as another public key system. It is based on the difficulty of factoring the product of two large primes, and unlike Diffie-Hellman it can encrypt and sign data, not only agree on keys. Like every asymmetric algorithm, it is much slower than a symmetric cipher such as DES. RSA was the first asymmetric algorithm found to be suitable for digital signatures as well as for encryption. RSA also involves two keys: a private key and a public key. With RSA, public keys must be distributed in an authenticated way, normally through the certificates of a PKI, to protect against MITM attacks in which an attacker substitutes his own public key.
The ElGamal asymmetric encryption algorithm is an extension of the Diffie-Hellman key exchange: it builds encryption on the same discrete logarithm problem. In practice, it is considered about as secure as RSA for comparable key sizes. Its drawback is message expansion: ElGamal ciphertext is roughly twice the size of the plaintext, which makes it costly on slow links. It is used in some recent versions of PGP. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme and is based on the ElGamal algorithm.
A hashing algorithm (also called a hash function) creates a small, fixed-length digital "fingerprint" from data of any size. The fingerprint is known as the hash value (or digest). It is usually shown as a fixed-length string of hexadecimal characters that looks random. If the original data changes even by one character, the hash function produces a completely different hash value, so the receiver can detect that the data has changed. A hash function is a one-way process: it is computationally infeasible to recover the original text from its hash value. Figure 11-15 shows an example of a hashing function.
Hashing algorithms are used to provide integrity of data sent over network media from one computer to another and, when combined with a secret key or a digital signature, authentication of its origin. Two different inputs that produce the same hash value are called a collision; a good hashing algorithm is one for which it is infeasible to find any collision, a property known as collision resistance.
It is common to store passwords as hashes rather than in plaintext. When a user sets her password, it is passed through a hashing function, and only the hash is stored. When the user logs on to the network, the password she enters is hashed again and the two hash values are compared. If they match, the user is granted access; otherwise, she is denied. A plain hash of a password is, however, cheap to attack with precomputed tables or fast guessing, so a practical system adds a random salt for each user and uses a deliberately slow, iterated password-hashing function such as the one defined in PKCS#5. The following are two commonly used hashing algorithms:
MD5 is a widely used hashing algorithm with a 128-bit hash value. It has mainly been used with digital signatures to check the integrity of data. Its predecessor, MD4, also produced a 128-bit hash value but had known flaws. Practical collision attacks against MD5 itself have been public since 2004, so it should no longer be used where collision resistance matters, such as in certificates and signatures.
SHA-1 was developed by the National Security Agency (NSA). It produces a 160-bit hash value and has been considered more secure than MD5, although collision attacks against it have also become practical and it is being phased out in favor of SHA-2. It is commonly used with IPSec installations.
At the time of this writing, SHA-2 is the current version of SHA. SHA-2 is a family of four variants, SHA-224, SHA-256, SHA-384, and SHA-512, the number being the length of the hash value in bits. The Security+ exam covers only the SHA-1 algorithm. Also remember that creating a hash value using a hashing algorithm is a one-way process.
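The properties described above, shown with Python's standard hashlib as an added example (not code from the original page). The first part compares MD5, SHA-1, and SHA-256 digests of two messages that differ in one character; the second part shows the password check the text describes, done the way a practitioner would do it today: a per-user salt and the iterated PBKDF2 function from PKCS#5 instead of a bare digest. The iteration count and the sample messages are assumptions chosen for illustration.

```python
"""Hash digests and salted password storage (added example, not from the page).

Shows the three properties in the text: a fixed-length digest, the avalanche
effect (a one-character change produces an unrelated digest), and one-wayness
(the login check compares digests; it never reverses them).
"""
import hashlib
import hmac
import os


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of data under the named algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- password storage -------------------------------------------------------
ITERATIONS = 600_000   # assumption: a current recommended PBKDF2-HMAC-SHA256 cost


def hash_password(password: str, salt: bytes = b"") -> str:
    """Produce a storable record 'pbkdf2_sha256$iterations$salt$hash'.
    A random 16-byte salt per user defeats precomputed (rainbow) tables; the
    iteration count makes every guess expensive for whoever steals the records."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and parameters and compare it in
    constant time.  The stored value is never decrypted, only recomputed."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    # Constructed sample messages: a single-character change in the amount.
    for name in ("md5", "sha1", "sha256"):
        d1 = digest_hex(name, b"Transfer $100 to Bob")
        d2 = digest_hex(name, b"Transfer $900 to Bob")
        print(f"{name:7} {d1}")
        print(f"        {d2}  bits changed: {differing_bits(d1, d2)}/{len(d1) * 4}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Correct horse battery staple", record))
```

About half of the digest bits change between the two messages for every algorithm, which is what makes a hash useful as an integrity fingerprint. Two records for the same password differ because the salt differs, so an attacker cannot tell which users share a password, and each record must be attacked separately.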
The terms cryptography and encryption are often used interchangeably, although strictly speaking encryption is one application of cryptography. Encryption is the process of applying a procedure, known as an algorithm, to plain text in order to produce unreadable text. This unreadable text can be read only by someone who has the key to decrypt the message and convert it back to plain text. For all others, the encrypted text remains useless. The following are some of the concepts behind using encryption in network transmissions.
The main idea behind encryption is to ensure the confidentiality of messages that travel from one computer to another. Confidentiality means that only the intended recipient can decrypt the message and read its contents. Confidentiality of network transmissions can be assured only when users keep their secret keys (used in symmetric algorithms) and private keys (used in asymmetric algorithms) really secret. They are not supposed to, and should not, give their keys to anyone else. If the secret key or the private key is lost or compromised, confidentiality of messages from the sender cannot be assured.
The integrity of a message ensures that the message has not been modified or altered while it traveled from one point to another. Integrity does not prevent interception; it makes any modification detectable. Encryption by itself does not guarantee integrity. In cryptography, integrity is provided by combining a hash of the message with a key or with a signature (simply called Data Integrity). A digital signature is one of the methods to ensure data integrity and non-repudiation, and it helps protect messages against MITM attacks that try to alter them in transit.
Digital signatures are used to provide data integrity and non-repudiation of data. They ensure that any modification of the data on its way from the source to the destination is detected (they do not prevent interception). When a message is sent, it is first hashed using one of the hashing algorithms to produce a hash value. The hash is then signed with the sender's private key (in RSA terms, encrypted with it) and appended to the message. The receiver uses the sender's public key to recover the hash value created by the sender. The receiver also computes a hash of the received message, and the two hash values are compared. If the receiver's hash value matches the sender's, the receiver is assured that the message has not been modified on its way and that it was signed by the holder of that private key.
Authentication refers to verification of the sender of the message. A shared symmetric key cannot tell the two parties apart, since either of them could have produced a message under it, so symmetric algorithms alone do not prove which party sent a message. Asymmetric algorithms have built-in mechanisms to provide authenticity of messages or data. In asymmetric cryptography, the message (or its hash) is signed using the sender's private key, and because each person is responsible for safeguarding his own private key, a receiver who verifies the signature with the sender's public key is assured that only the holder of the matching private key could have produced it. This proves the authenticity of the message.
Asymmetric algorithms also ensure that the sender of a message cannot deny having sent a digitally signed message. This property is known as non-repudiation. It relies on the fact that the sender keeps his private key truly private; the private key must not be given to anyone else. The receiver can be assured that only the sender holds that specific private key and therefore that he sent the message. Once again, digital signatures are what provide non-repudiation in addition to the integrity of the message.
A PKI enables an organization to securely exchange messages through the insecure public network (such as the Internet). It enables users to securely exchange confidential data using public and private keys obtained through a trusted authority. This section covers a summary of different terms and concepts used in the public key cryptography infrastructure.
A certificate, or a digital certificate, is based on the X.509 standard and is used to identify an individual or an organization. It is issued by a CA to bind a public key to an individual or an organization. The name of the individual or the organization appears as a distinguished name, an email address, or a DNS name. An organization may use certificates for a variety of purposes such as encryption of email messages, doing business on the Internet, or digitally signing software applications.
When downloading software from the Internet or when making online purchases, you can check the validity of the digital certificate of the organization (or its web site) by clicking the lock icon the browser displays for an HTTPS connection (in the browsers of the time, a small lock in the bottom-right corner of the status bar). Follow the steps given here to view the details of a digital certificate:
Open a web site where you can do some online shopping. For example, go to www.oreilly.com.
Choose a book and click the Add to Cart button. You are taken to the secure web site, https://epoch.oreilly.com.
The next page shows a little yellow lock sign in the righthand bottom corner of the web browser.
Double-click the lock sign. This opens the Certificate window and displays the general properties of the certificate.
Click the Details tab to view the details of the certificate.
Click OK to close the window.
Figure 11-16 shows a sample certificate issued to O'Reilly's web site, www.oreilly.com.
A certificate provides critical information about the certificate itself, its owner, and the issuing authority. The essential components of information provided on a certificate are as follows:
A unique serial number that identifies the certificate within the issuing CA.
The algorithm used by the CA to create the certificate's signature.
The issuer, that is, the CA that signed the certificate.
The date and time of the certificate's issue ("Valid from").
The date and time of the certificate's expiration ("Valid to").
The subject, that is, the individual, organization, or DNS name the certificate is issued to, together with the subject's public key.
The purpose for which the key is issued (key usage).
The URL of the location that provides the Certificate Revocation List (CRL), known as the CRL distribution point. CRL is discussed later in this section.
The algorithm used to compute the certificate's thumbprint (fingerprint), a hash of the entire certificate.
The thumbprint itself, a unique value that identifies the certificate and can be checked against the value published by the issuer.
Make sure that you know what information is provided on a digital certificate, as shown in Figure 11-16. This is a common Security+ exam question. You must also be able to single out any piece of information that the certificate does not provide.
A Certificate Policy (CP) is a set of rules that defines how the CA will issue certificates. Certificate Policies are defined in the X.509v3 standard as a "named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements."
A Certification Practice Statement (CPS) is a document, written in plain language, that describes how the CA plans to manage the certificates that it issues and how it puts its certificate policies into practice. Organizations that want to subscribe to a third-party CA usually ask for the CPS document from the organization running the CA. The applications a certificate policy covers may include the following:
Providing digital signatures for email (or use of S/MIME).
Verification of the identity of a web site.
Encryption of data.
Further issuance of certificates (delegation of control to subordinate CAs).
Each CP is a plain-text document identified by a unique object identifier (OID), and that OID is listed in the certificate policies extension of every certificate issued under the policy. The extension may be marked critical or noncritical. Marking it critical tells applications to reject the certificate if they do not recognize the policy, which limits the liability of the CA for uses it never intended.
PKI can be implemented in one of the following trust models:
Single CA model
Hierarchical model
Web of trust model
In a Single CA model, there is only one CA in the entire PKI. Anyone who needs to use the CA is given the CA's public key. A separate component, the Registration Authority (RA), is used for identification and verification of certificate subscribers before the CA issues their certificates; the RA is not itself a CA and does not sign certificates. The RA is responsible for setting up the necessary trust between the CA and the end user.
The Hierarchical model is comprised of a root CA, subordinate CAs, leaf CAs, and end users. The root CA (in Windows terminology, the enterprise root CA) issues a self-signed certificate to itself and distributes it to all users, including the subordinate CAs and leaf CAs, as the trust anchor. The root CA is followed in the hierarchy by subordinate CAs, which are also known as intermediate CAs. Intermediate CAs issue certificates to the leaf CAs below them in the hierarchy. Finally, the leaf CAs issue certificates to end users, so every end-user certificate can be validated by following the chain of signatures up to the root. Figure 11-17 shows a hierarchical CA trust model.
Hierarchical CA trust models are suitable for very large organizations where thousands of end users require digital certificates. Key management in such a model is easier because it can be decentralized, with a number of administrators delegated responsibility for the CAs at various levels, and because the root CA can be kept offline while the subordinate CAs do the day-to-day issuing.
PKI standards are defined by RSA Security in documents known as Public Key Cryptography Standards (PKCS). These standards are used as the basis for designing and implementing PKI. As of this writing, there are about 15 standards, named PKCS#1 through PKCS#15. The most notable are PKCS#1, #3, and #5. PKCS#1 is the RSA cryptography standard, defining the RSA encryption and signature operations and the padding applied to data before it is signed or encrypted; PKCS#3 defines the Diffie-Hellman key agreement standard; and PKCS#5 is the password-based cryptography standard, which defines how a password and a salt are stretched into a key (PBKDF2).
There are a number of tasks associated with the creation and management of certificates and keys. The tasks covering the entire lifecycle of keys, including generation, storage, distribution, revocation, suspension, expiration, and renewal of certificates, are jointly known as key management. The administrators managing the CAs are responsible for the key management processes.
Management of keys can be accomplished in a centralized or in a decentralized manner. In a centralized method, all certificates and keys are stored in a centralized location and managed from a single point of administration. In large organizations, where the number of users requiring certificates and keys is very large, the management of keys is a daunting task. In such situations, the key management tasks can be decentralized. For example, if an organization has over 10,000 employees, it will not be possible to manage keys from a single location. The organization can decentralize the key management functions based on the locations of the organization or on different units of the organization.
Storage of certificate keys is considered one of the most critical aspects of maintaining a PKI. Depending on how the PKI is implemented and administered, keys can be stored in hardware devices such as smart cards, or they can be stored on network servers. There are two main methods for storing keys, as follows:
Private keys can be stored on hardware devices such as smart cards, PCMCIA cards, and dedicated cryptographic appliances. These devices are commonly known as hardware security modules (HSMs); they are designed so that the key never leaves the device and all signing or decryption is performed inside it. Limitations of hardware storage include the risk of loss or theft of the device and the ageing of the hardware after a certain time. Smart cards are considered the best method of hardware key storage because of their reliability, but they are expensive.
Software storage of private keys is not considered as secure as hardware storage, because a key held in a file can be copied by anyone who obtains the right access. Some network operating systems, such as Microsoft's Windows Server 2003, can store private keys in the Active Directory database or in the user's profile. This allows administrators to use filesystem and directory permissions to restrict access to the keys, but at the same time they have to monitor a variety of network activities regularly to detect misuse or compromise of the keys.
Key escrow is the storage of copies of private keys with a trusted third party so that they can be recovered when needed. In one arrangement, the key is split and stored with two different companies, each holding only part of it. This follows the principle of separation of duties, because no single company can misuse the key to decrypt messages or otherwise compromise it. Key escrow also enables government agencies, under legal process, to obtain keys and decrypt messages when they suspect criminal activity or a threat to national security.
When a CA issues a certificate, it assigns the certificate's validity dates. These dates appear as "Valid from" and "Valid to" on the certificate. The certificate and its key pair are valid only between these dates, and the CA vouches for the certificate only during this period. When the certificate nears its expiry date, it should either be renewed or be allowed to expire and its keys retired.
Sometimes it becomes necessary to revoke the certificate of an individual or an organization. Circumstances that may lead to this include the following:
The private key of an individual has been compromised.
The individual leaves the organization.
The organization has moved to a new location.
The organization has changed the ISP.
When a certificate needs to be revoked, a revocation request is sent to the CA. The CA authenticates the request and then publishes the certificate's serial number in its Certificate Revocation List (CRL). The administrator of the CA can also revoke a user's certificate directly, without receiving or authenticating any request from the user.
The status of certificates can be checked with CAs in one of the two following methods:
A CRL is a signed list maintained by the CA to keep a record of all revoked and suspended certificates, identified by serial number. When a certificate is revoked, the CRL is updated at its next publication. There are two main forms of CRLs: Simple (also called base or complete) and Delta. A Simple CRL contains the list of all revoked certificates, the date and time when the CRL was published, and the date and time when the next CRL will be published; a client holding a CRL past that next-update time should treat it as stale and fetch a new one. Delta CRLs are used in large organizations where certificates are revoked in large numbers and the size of the Simple CRL file becomes a limitation. When Delta CRLs are used, a base CRL is sent to all parties to initialize their copies. After that, updates are sent periodically as Delta CRLs, which contain only the entries added or changed since the base CRL was published.
The Online Certificate Status Protocol (OCSP) is a different method of checking certificate status. OCSP eliminates the need to transfer large CRL files when a party needs to check the status of a certificate. When the OCSP responder (run by or on behalf of the CA) receives a status request for a particular certificate, normally over HTTP, it responds with the status of that certificate only. The signed response contains the status of the certificate (good, revoked, or unknown), the time of the last update to that status, the time of the next scheduled update, and the time the response was produced. The main limitation of OCSP is that each request covers only the certificate asked about, so the client must contact the responder every time it validates a certificate and depends on the responder being reachable.
A certificate and its associated keys are suspended when the owner will not be using them for a certain period of time. Suspension helps protect the keys from being misused during that time. A suspended certificate is listed in the CRL with the reason code certificateHold (shown as Certificate Hold in some tools), and unlike a revoked certificate it can later be released from hold and returned to use. A suspended key should not be confused with a revoked key.
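The status checks described above, modelled in code as an added example (not code from the original page): a base CRL, a delta CRL that adds a revocation and releases a hold, a lookup that refuses a stale CRL, and a per-certificate answer shaped like an OCSP response. The CRL and response objects are simplified in-memory stand-ins for the real signed ASN.1 structures, and every serial number, date, and reason code below is constructed for illustration.

```python
"""Certificate status: base CRL, delta CRL, and OCSP-style lookup (added example).

The structures are simplified models of the real signed objects; the sample
serial numbers and dates are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# X.509 CRL reason codes (RFC 5280, section 5.3.1)
KEY_COMPROMISE = 1
AFFILIATION_CHANGED = 3
CERTIFICATE_HOLD = 6      # suspension; the certificate may later be released
REMOVE_FROM_CRL = 8       # delta CRL entry: drop this serial from the base list


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    entries: dict         # serial number -> reason code


def merge_delta(base: CRL, delta: CRL) -> CRL:
    """Apply a delta CRL to a base CRL.  New entries are added or updated;
    entries flagged removeFromCRL (a released hold) are taken off the list."""
    entries = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            entries.pop(serial, None)
        else:
            entries[serial] = reason
    return CRL(delta.this_update, delta.next_update, entries)


def crl_status(serial: int, crl: CRL, now: datetime) -> str:
    """Look one certificate up in a CRL.  A CRL past its nextUpdate must not be
    relied on to say 'good', so a stale list is refused outright."""
    if now > crl.next_update:
        raise ValueError("CRL is stale; fetch a fresh one before trusting it")
    reason = crl.entries.get(serial)
    if reason is None:
        return "good"
    return "suspended" if reason == CERTIFICATE_HOLD else "revoked"


def ocsp_response(serial: int, issued: set, crl: CRL, now: datetime) -> dict:
    """Answer for a single certificate the way an OCSP responder does: good,
    revoked (a certificateHold is reported as revoked with that reason), or
    unknown when this CA never issued the serial at all."""
    if serial not in issued:
        status, reason = "unknown", None
    elif serial in crl.entries:
        status, reason = "revoked", crl.entries[serial]
    else:
        status, reason = "good", None
    return {"serial": serial, "status": status, "reason": reason,
            "this_update": crl.this_update, "next_update": crl.next_update,
            "produced_at": now}


# Constructed sample data: a weekly base CRL and a delta published a day later.
T0 = datetime(2024, 1, 1, 12, 0)
BASE = CRL(T0, T0 + timedelta(days=7),
           {1001: KEY_COMPROMISE, 1002: CERTIFICATE_HOLD})
DELTA = CRL(T0 + timedelta(days=1), T0 + timedelta(days=8),
            {1003: AFFILIATION_CHANGED, 1002: REMOVE_FROM_CRL})
ISSUED = {1001, 1002, 1003, 1004}


def demo(days_after_base: int = 2) -> dict:
    """Status of every issued serial after the delta is applied, as seen at
    the given number of days after the base CRL was published."""
    now = T0 + timedelta(days=days_after_base)
    current = merge_delta(BASE, DELTA)
    return {s: crl_status(s, current, now) for s in sorted(ISSUED)}


def ocsp_demo(serial: int, days_after_base: int = 2) -> dict:
    """OCSP-style answer for one serial against the merged CRL."""
    now = T0 + timedelta(days=days_after_base)
    return ocsp_response(serial, ISSUED, merge_delta(BASE, DELTA), now)


if __name__ == "__main__":
    print("before delta:", {s: crl_status(s, BASE, T0) for s in sorted(ISSUED)})
    print("after delta: ", demo())
    print("OCSP 1003:   ", ocsp_demo(1003))
    print("OCSP 9999:   ", ocsp_demo(9999)["status"])
    try:
        demo(30)
    except ValueError as err:
        print("30 days later:", err)
```

Serial 1002 goes from suspended to good once the delta's removeFromCRL entry is applied, while 1001 and 1003 stay revoked; a client that keeps using the base CRL a month later gets an error rather than a misleading "good".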
As noted earlier in this section, private keys are stored in safe places. If a user loses his private key (for example, through a damaged smart card or a rebuilt workstation), it becomes necessary to recover the key from its backup; otherwise, data encrypted to that key is lost. In large organizations that are heavily dependent on secure communications using a PKI, there is usually a special server, called the key recovery server, that is used for the sole purpose of backing up and recovering private keys. An administrator is designated as the key recovery agent. In some key recovery configurations, two key recovery agents are required for the process, for added security. Key recovery servers and CAs require some basic information, known as Key Recovery Information (KRI), before a private key is recovered. This information includes the name of the key owner, the time when the key was created, and the name of the issuing server. Once the recovery server verifies this information, the key recovery process begins.
When key recovery requires the cooperation of several key recovery agents, the arrangement is known as M-of-N Control. The idea behind having multiple recovery agents is to ensure that no single person can compromise the key during the recovery process. In M-of-N control, N is the number of designated agents (an integer greater than 1) and M, the number who must take part, is less than or equal to N and should be at least 2. For example, if we have three designated key recovery agents (N), at least two of them must be present (M) to recover the key.
When a key expires or is near its expiration date, it has to be renewed with the CA. One method is to request renewal from the same CA using the old key pair; the CA issues a new certificate for the existing keys based on the trust and good standing of the key owner. Another method is known as key update: a new key pair is generated and the CA issues a new certificate for it, so the old keys are retired rather than re-certified.
When the keys of the CA expire, the CA also needs to renew its own keys. The same renewal process applies to the CA itself. In most situations, the CA renews its keys by using its old keys to vouch for the new ones. Since the CA signs its own certificate, there has to be a method to tell subordinate CAs and clients about the new key. The process involves the following steps:
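One way to implement M-of-N control is Shamir secret sharing, shown here as an added example (not code from the original page): the key is the constant term of a random polynomial over a prime field, each agent holds one point on the polynomial, and any M points determine the constant term while M-1 points are consistent with every possible key. The 32-byte random integer standing in for the private key and the choice of the Mersenne prime 2^521 - 1 as the field are assumptions for illustration.

```python
"""M-of-N control for key recovery with Shamir secret sharing (added example).

The protected key is treated as an integer; a real private key would be
serialized to bytes first.  Any M of the N shares reconstruct it; fewer give
no information about it.
"""
import random

PRIME = 2**521 - 1            # a Mersenne prime; all arithmetic is mod PRIME
_rng = random.SystemRandom()  # OS entropy for the polynomial coefficients


def split_secret(secret: int, m: int, n: int) -> list:
    """Split `secret` into n shares so that any m of them reconstruct it.
    Returns (x, y) points; hand one point to each recovery agent."""
    if not 1 < m <= n:
        raise ValueError("require 1 < M <= N")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be smaller than the field prime")
    # f(x) = secret + c1*x + ... + c_{m-1}*x^(m-1), with random nonzero c_i
    coeffs = [secret] + [_rng.randrange(1, PRIME) for _ in range(m - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the field.  Needs at least M
    distinct shares; with fewer, the result is simply an unrelated value."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares supplied")
    secret = 0
    for xi, yi in shares:
        numerator = denominator = 1
        for xj, _ in shares:
            if xj != xi:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        secret = (secret + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return secret


def key_recovery_demo(m: int = 2, n: int = 3) -> dict:
    """The case in the text: three designated agents (N = 3), any two of whom
    (M = 2) can recover the key, while one agent alone cannot."""
    private_key = _rng.getrandbits(256)        # stands in for a real private key
    shares = split_secret(private_key, m, n)
    return {
        "original": private_key,
        "agents_1_and_2": recover_secret(shares[:m]),
        "agents_2_and_3": recover_secret(shares[-m:]),
        "agent_1_alone": recover_secret(shares[:m - 1]),   # wrong value, not an error
    }


if __name__ == "__main__":
    result = key_recovery_demo()
    print("two agents recover the key:", result["agents_1_and_2"] == result["original"],
          result["agents_2_and_3"] == result["original"])
    print("one agent alone recovers it:", result["agent_1_alone"] == result["original"])
```

In a deployment each share would itself be encrypted to the agent's own key and the recovery server would check the KRI before combining them; the arithmetic above is only the M-of-N part of that process.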
The CA signs its new public key with the old private key that is due to expire (an "old signs new" certificate), so that clients and subordinate CAs that trust the old key can validate the new one.
The CA then signs the old public key with the new private key (a "new signs old" certificate), so that parties that have already adopted the new key can still validate certificates issued under the old key until they expire.
Finally, the CA issues a new self-signed certificate, with the new public key signed by the new private key. This becomes the CA's root certificate once the old private key expires.
This changeover from old keys to new keys at the CA level is transparent to the clients. It is important to remember that the CA signs its own certificates and renews its own keys.
When a key pair is no longer needed, the administrators should destroy all records of the key pair so that the key pair is not misused to generate fake certificates. A common method of key destruction is to deregister the key pair with the CA. When a key pair is deregistered, the association between the CA, the key pair, and the owner of the key is broken.
In most of the PKI-based secure networking environments, a single key pair is used for different functions. A PKI is used for managing communication between servers and clients in VPNs, digital signatures, access control, secure Internet access, and secure email. There may be situations where administrators may need to use dual key pairs. This situation arises when there is a need to back up private keys, but at the same time, the fear of forged digital signatures exists. For example, a backup operator may decide to misuse the private key of the chief of the company for illegal purposes. Many PKI implementations support the use of dual key pairs to protect keys against misuse. In these situations, one key pair is used for encryption and authentication, while the second key pair is used for digital signatures. Each key pair is stored in a different location.