Transcript of Information Security
PKCS#1: mathematical format and ASN.1 structure of keys and padding
PKCS#8: private key
PKCS#15: Cryptographic Token Information Format Standard
Generate a self-signed certificate using OpenSSL
Open your certificate in an ASN.1 decoder
What is inside a certificate?
A certificate contains a public key.
In addition to the public key, the certificate contains the issuer, the subject the key is bound to, a validity period, what the key is supposed to be used for (key usage), and other metadata; the whole structure is signed by the issuer.
The structure of an X.509 v3 certificate (RFC 5280)
is as follows:
Version
Serial Number
Signature Algorithm ID
Issuer Name
Validity period (Not Before, Not After)
Subject Name
Subject Public Key Info
Public Key Algorithm
Subject Public Key
Issuer Unique Identifier (optional)
Subject Unique Identifier (optional)
Extensions (optional, v3 only)
Certificate Signature Algorithm
Certificate Signature
There are several public-key algorithms, such as DH and DSA (DSS), but we will focus on RSA.
RSA is based on two prime numbers (numbers divisible only by 1 and themselves), p and q. Computing n = p*q is easy, but given only n, finding p and q is very hard when p and q are hundreds of digits long.
It is NOT impossible, it just takes time! (Real RSA keys use a 2048-bit or longer n; the toy modulus below can be factored by hand.)
Assignment! Find the prime factors of 221.
Alice and Bob
Symmetric-key algorithms are algorithms for cryptography that use the same keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption in comparison to public-key (asymmetric) encryption.
Until the 1970s, every encryption scheme used the same key to encrypt and decrypt; if you know the key, you can decrypt any data encrypted with it.
This means that the key must be kept secret:
only people authorized to read the messages may know it,
and those who do know it can read every single message that uses it.
Those keys must be securely transported somehow.
Key Transportation Issue
Key transport wasn't so difficult in antiquity. If you wanted to share a key (or a message) with someone, you could tattoo it onto the shaved head of a slave, wait for his hair to grow back, and then send the slave to the recipient.
Unfortunately there is no time to wait for a slave to reach MayBank2U, and not enough slaves.
It took 2,500 years of on-and-off cryptographic invention and research to arrive at public-key cryptography, in which
one key is designated as the public key and is published widely, and
the other is designated the private key and is kept secret.
Symmetric and Asymmetric
Extensions and Files
The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates are much easier to manipulate.
Encodings (also used as extensions)
.DER = The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or CRT extension. Proper usage would be "I have a DER-encoded certificate", not "I have a DER certificate".
.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ...-----" line.
.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous; CRT is most common on *nix systems.
.CER = Alternate form of .crt (Microsoft convention). You can use Windows to convert .crt to .cer (either DER-encoded .cer or Base64 [PEM]-encoded .cer). On Windows the .cer extension is also associated with the CryptoAPI certificate viewer (rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialog for importing and/or viewing the certificate contents.
.KEY = The KEY extension is used for keys, most often PKCS#8 private keys (public keys travel inside certificates as SubjectPublicKeyInfo). The keys may be encoded as binary DER or as ASCII PEM; a private key file must be protected like the secret it is, whatever its extension.
The only time CRT and CER can safely be interchanged is when the encoding is identical (i.e. a PEM-encoded CRT = a PEM-encoded CER). Since the extension is only a label, check the content: a DER file starts with the byte 0x30 (the outer SEQUENCE), a PEM file starts with "-----BEGIN".
In the X.509 system, a certificate binds a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry (the Subject Alternative Name extension).
X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-standardized alternative to downloading CRLs is the Online Certificate Status Protocol (OCSP, RFC 6960). Firefox 3 enabled OCSP checking by default, as did Windows Vista and later.
In fact, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX (Public Key Infrastructure, X.509).
RSA encryption (RSAES-OAEP, PKCS#1 v2) uses Optimal Asymmetric Encryption Padding.
OAEP ends up doing a mixture of permuting the plaintext and adding pseudo-random noise to it.
It is a reversible transformation.
The permutation and random injection performed by the padding break the algebraic properties of raw ("textbook") RSA that make it easy to attack: determinism, malleability, and small messages that never wrap around the modulus.
It increases the size of the message to the full modulus length, which guarantees that the value being exponentiated is large enough that it cannot be recovered by simply taking an e-th root.
It intersperses pseudo-random information in a way that means a given plaintext message can be encrypted to a wide range of different ciphertexts, depending on the random seed chosen during padding.
OAEP satisfies the following two goals:
Add an element of randomness which can be used to convert a deterministic encryption scheme (e.g. traditional RSA) into a probabilistic scheme.
Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the trapdoor one-way permutation. (OAEP implements an all-or-nothing transform, AONT.)
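The EME-OAEP encoding described above, as an added example (not from the slides), in Python with SHA-256 and MGF1 following RFC 8017 section 7.1. It shows the padding step on its own, i.e. the k-byte block that the RSA exponentiation would then operate on; k = 128 (a 1024-bit modulus) and the message are choices made for the demo.

```python
"""EME-OAEP encoding/decoding (RFC 8017 section 7.1) with SHA-256 and MGF1.
Added example, standard library only. This is the padding step alone: the
k-byte block produced here is what RSA then raises to the power e. k is the
modulus length in bytes; 128 (a 1024-bit modulus) is a demo choice."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size


def mgf1(seed, mask_len):
    """Mask generation: Hash(seed || counter) for counter = 0, 1, ... then truncate."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, k, label=b"", seed=None):
    """EM = 0x00 || maskedSeed || maskedDB, exactly k bytes."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message                 # DB = lHash || PS || 0x01 || M
    seed = os.urandom(H_LEN) if seed is None else seed   # the randomness that makes RSA probabilistic
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Invert oaep_encode. Every check feeds one flag and one generic error:
    telling the caller WHICH check failed is the oracle Manger's attack used."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")
    bad = y != 0
    bad |= not hmac.compare_digest(l_hash, HASH(label).digest())
    bad |= sep < 0 or any(rest[:sep])                    # PS must be all zero bytes
    if bad:
        raise ValueError("decryption error")
    return rest[sep + 1:]


def try_decode(em, k, label=b""):
    """Decode or None, so callers can observe failures without exceptions."""
    try:
        return oaep_decode(em, k, label)
    except ValueError:
        return None


if __name__ == "__main__":
    k, msg = 128, b"attack at dawn"
    em1, em2 = oaep_encode(msg, k), oaep_encode(msg, k)
    print("same message, different encodings:", em1 != em2)
    print("both decode:", try_decode(em1, k) == try_decode(em2, k) == msg)
    damaged = bytearray(em1)
    damaged[-1] ^= 1                                     # one flipped bit in maskedDB
    print("one flipped bit decodes to:", try_decode(bytes(damaged), k))
```

Two encodings of the same message differ (probabilistic), both decode to it (reversible), and flipping a single bit garbles the recovered seed and therefore the entire data block, so decoding fails instead of returning a partly wrong message (all-or-nothing). The decoder folds every check into one generic error; a production implementation must also take the same time on every failure path, because distinguishing "bad leading byte" from "bad padding" is the oracle Manger's attack on PKCS#1 v2.0 exploited.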
Standards to implement RSA
ASN.1 (Abstract Syntax Notation One) is a data definition language defined by ISO/IEC 8824 (ITU-T X.680).
It represents data in a machine-independent way.
The Presentation Layer (OSI Layer 6) encodes/decodes ASN.1 to/from the internal data format.
Used by CMIP and SNMP to represent MIB information, and by X.509 and PKCS to describe certificates and keys.
Basic Encoding Rules (BER)
Rules to encode ASN.1 definitions into a transfer syntax
Represent each ASN.1 value as a tag-length-value (TLV) byte pattern. DER (Distinguished Encoding Rules) is the canonical BER subset that certificates use, so that a given value has exactly one encoding and a signature over it is unambiguous.
ASN.1 modules and types are registered using the ISO registration hierarchy (object identifiers).
All network elements convert their internal data to ASN.1 encodings for transmission.
ASN.1 Predefined Data Types
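To see what an ASN.1 decoder shows when you open a certificate, and how the PEM armour relates to the DER bytes (the extensions slide), here is an added example (not part of the slides; standard-library Python only) that encodes and walks DER by hand. It builds a constructed, certificate-shaped structure with the fields listed in the X.509 v3 structure above, wraps it in PEM, and decodes both forms. The serial number, names, dates and signature bytes are made up and the key is the toy n=221, e=5, so nothing will accept it as a valid certificate.

```python
"""DER encoder/decoder to look inside a certificate like an ASN.1 decoder does.
Added example, standard library only. The 'certificate' built below is
constructed for the demo: X.509 v3 shape, made-up serial, the toy RSA key
(n=221, e=5) as SubjectPublicKeyInfo and dummy signature bytes."""
import base64

TAG_NAMES = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
             0x13: "PrintableString", 0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def der_length(n):
    # Short form below 128, else 0x80|count followed by big-endian length bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(n):
    # Two's complement; the spare byte keeps a value whose top bit is set positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    """First two arcs share one byte (40*a+b); later arcs are base-128 groups,
    high bit set on every byte of a group except the last."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            group.insert(0, 0x80 | (arc & 0x7F))
        body.extend(group)
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

# How primitive values are rendered; anything else is shown as hex
DECODE = {0x02: lambda b: int.from_bytes(b, "big", signed=True), 0x06: decode_oid,
          0x0C: bytes.decode, 0x13: bytes.decode, 0x17: bytes.decode}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def walk(buf, start=0, end=None, depth=0, out=None):
    """List elements as (depth, tag name, value); constructed ones get None and children at depth+1."""
    out = [] if out is None else out
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, cstart, cend = read_tlv(buf, pos)
        name = TAG_NAMES.get(tag) or ("[%d]" % (tag & 0x1F) if tag & 0xC0 == 0x80 else "tag 0x%02X" % tag)
        if tag & 0x20:                            # constructed bit set: recurse into children
            out.append((depth, name, None))
            walk(buf, cstart, cend, depth + 1, out)
        else:
            out.append((depth, name, DECODE.get(tag, bytes.hex)(buf[cstart:cend])))
        pos = cend
    return out

def to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

def load_der(data):
    """Sniff content instead of trusting .crt/.cer/.der: PEM armour, or raw DER
    whose first byte is 0x30 (the outer SEQUENCE)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in data.decode("ascii").splitlines() if not ln.startswith("-----")]
        return base64.b64decode("".join(body))
    if data[:1] == b"\x30":
        return bytes(data)
    raise ValueError("neither PEM nor DER")

def build_sample_cert():
    """Constructed: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    sha256_rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Example Test CA"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    rsa_key = tlv(0x30, der_integer(221) + der_integer(5))           # RSAPublic
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa_key))                       # BIT STRING, 0 unused bits
    tbs = tlv(0x30, tlv(0xA0, der_integer(2)) + der_integer(0x1A2B3C)  # [0] version v3, serial
              + sha256_rsa + name + validity + name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\xAB" * 8))  # dummy signature

if __name__ == "__main__":
    pem = to_pem(build_sample_cert())
    print(pem)
    for depth, name, value in walk(load_der(pem.encode())):
        print("  " * depth + name, "" if value is None else value)
```

The indented listing that walk() prints is the same tree a graphical ASN.1 decoder shows: [0] INTEGER 2 is the version (v3), the OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption, and the public key is a BIT STRING whose content is itself DER (RSAPublicKey { n, e }) that can be fed to walk() again. load_der() deliberately ignores the file extension and decides from the first bytes.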
Terms and definitions
Egyptian hieroglyphs, c. 1900 BC
World War II
The Enigma and Alan Turing story...
Data Encryption Standard (DES) (56-bit key, since shown to be brute-forceable)
Advanced Encryption Standard (AES) (replacement for DES)
PKI (early 2000s) added concepts other than encryption: identity binding, signatures, revocation
Hybrid cryptosystems (e.g. OpenPGP and PKCS#7/CMS) combine
a key encapsulation scheme, which is a public-key cryptosystem, and
a data encapsulation scheme, which is a symmetric-key cryptosystem.
Cryptology: the study of the hidden
Areas of Study
Mid-16th century: governments created official organizations to intercept, decipher, read and reseal letters, and to detect tampering.
Mid-19th century: more complex classification systems were developed to allow governments to manage their information according to its degree of sensitivity. The British Government codified this in the Official Secrets Act of 1889.
World War I: multi-tier classification systems were used to communicate information to and from the various fronts, which encouraged greater use of code-making and code-breaking sections. In the United Kingdom this led to the creation of the Government Code and Cypher School in 1919.
World War II: machines were employed to encrypt and decrypt. An arcane range of markings evolved to indicate who could handle documents and where they should be stored, as increasingly complex safes and storage facilities were developed. Procedures evolved to ensure documents were destroyed properly, and it was the failure to follow these procedures which led to some of the greatest intelligence coups of the war.
End of the 20th and early years of the 21st century: rapid advancements in telecommunications, computing hardware and software, and data encryption. The academic disciplines of computer security and information assurance emerged along with numerous professional organizations, all sharing the common goals of ensuring the security and reliability of information systems.
An adversary (rarely: opponent, enemy) is a malicious entity whose aim is to prevent the users of the cryptosystem from achieving their goal (primarily privacy, integrity and availability of data). An adversary's efforts might take the form of attempting to discover secret data, corrupting some of the data in the system, spoofing the identity of a message sender or receiver, or forcing system downtime. (Conventional names: Eve, Mallory, Oscar and Trudy.)
Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, and electrical engineering.
Information security: defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The Caesar cipher dates to about 50 BC.
It simply shifted the letters of the alphabet by a fixed number of positions (three, in Caesar's case).
It was used for military correspondence.
It is unknown how effective the Caesar cipher was at the time, but it is likely to have been reasonably secure, not least because most of Caesar's enemies could not read and write, and others would have assumed the text was written in a foreign language. Against anyone who knows the method it falls immediately: there are only 25 possible keys.
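The shifting described above, as an added Python example (not from the slides) together with a brute-force break: because the key is just the shift, the whole key space can be tried in one loop and a letter-frequency score picks out the right candidate. The military order used as sample text is constructed for the demo.

```python
"""Caesar cipher and a brute-force break of it. Added example, not from the
slides; the order text in the demo is constructed."""
import string

ALPHABET = string.ascii_uppercase
# Relative frequency (%) of A..Z in English text, used to score candidate plaintexts
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar(text, shift):
    """Shift each letter by `shift` places (mod 26); non-letters pass through.
    Decrypt with the negative shift. The shift is the key."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
                   for ch in text.upper())


def english_score(text):
    """Sum of English letter frequencies over the text: higher looks more like English."""
    return sum(ENGLISH_FREQ[ALPHABET.index(ch)] for ch in text if ch in ALPHABET)


def break_caesar(ciphertext):
    """Try every key (all 26 shifts) and return (shift, plaintext) for the best-scoring one.
    The entire key space fits in one loop, which is the cipher's real weakness."""
    return max(((s, caesar(ciphertext, -s)) for s in range(26)),
               key=lambda cand: english_score(cand[1]))


if __name__ == "__main__":
    order = "ATTACK THE GAUL CAMP AT DAWN AND HOLD THE RIVER CROSSING UNTIL THE LEGION ARRIVES"
    ct = caesar(order, 3)                 # Caesar's own shift of three
    print(ct)
    print(break_caesar(ct))               # recovers (3, order) without knowing the key
```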
From the Greek kryptós ("hidden, secret") and graphein ("writing"); cryptology adds -logia ("study"). It is the practice and study of techniques for secure communication in the presence of third parties (adversaries).
Is cryptography the same as encryption?
The algorithms can be categorized in many different ways, but perhaps the most fundamental is the distinction between symmetric and asymmetric encryption.
A model designed to guide policies for information security within an organization.
The three most crucial components of security (the CIA triad)
Asymmetric vs Symmetric
Symmetric:
Not resource intensive
GOOD FOR small and large messages
Need to send the (secret) key to the other side
Asymmetric:
No need to send a secret key to the other side (only the public key travels)
Can be used for validation (digital signatures) as well as encryption
Very resource intensive (not applicable for large messages; in practice it encrypts a symmetric key, see hybrid cryptosystems)
A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
This is crucial for secure transactions over the Internet. Additionally, asymmetric/public-key encryption will provide us with a mechanism to digitally "sign" files, which allows us to provide Non-Repudiation.
In asymmetric encryption, both communicating parties (i.e. both Alice and Bob) have two keys of their own (four keys total).
Each party has their own public key, which they share with the world,
and a private key which they keep ... well, private, of course, but more than that, which they keep as a closely guarded secret. The magic of public-key cryptography derives from these important points: a message may be encrypted with a private key and then decrypted with the corresponding (paired) public key, OR it can be encrypted with a public key and then decrypted with the corresponding private key.
A message encrypted with a certain public key can ONLY be correctly decrypted with the corresponding private key, and vice versa.
Because only the private key needs to be protected, public keys can be shared openly (even to Eve), and therefore the limitation of symmetric encryption is alleviated.
In this scenario, Alice encrypts her message with Bob's public key, and Bob decrypts the message with his private key. Alice can rest assured that only Bob can decrypt the message she sends, because she has encrypted it with his public key. Only Bob's private key can correctly decrypt the message.
Alice and Bob
All those efforts just for these?
The PKCS standards give the detail of what is in certificates, keys, signatures and encryption results, all described in ASN.1.
X.509 (which replaced PKCS#6's extended certificates) describes a certificate.
The Public Key Cryptography Standards define how to implement RSA and how to package its keys and outputs.
Abstract Syntax Notation One (ASN.1) is used to describe the data structures.
PKCS#1 defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes (OAEP, PSS), and related ASN.1 syntax representations.
PKCS#8 defines the private-key information syntax (optionally password-encrypted).
PKCS#12 defines a password-protected container for key pairs and certificates (PFX files).
1- User generates a key pair
2- User generates a CSR (PKCS#10)
CSR contains the user's public key
CSR is signed by the user's private key (proof of possession)
CSR MIGHT have other identification details and proofs of credentials (depends on the CA)
3- CA receives the CSR
4- CA parses the CSR, checks its self-signature against the enclosed public key, and verifies the identity of the user
5- CA signs the user's public key and identity (the TBSCertificate) with its own private key and sends back the signed certificate
6- User gets the signed certificate
How Alice and Bob trust each other
What do we do?
Review of standards
Why does it matter?
Signing data (PKCS#7 / CMS)
Suppose Alice sends a contract agreement to Bob. To avoid legal troubles, we'd like this communication of contracts to have the property of non-repudiation — Bob should be assured that Alice can't back out of the deal by claiming she never sent the contract. Likewise, we want the property of integrity — Alice should be assured that Bob can't modify the contract and claim that the modified version is what Alice sent him. There's a nice technique called a digital signature that provides these guarantees.
Alice does the following:
Computes the hash of the contract agreement
Encrypts that hash with her private key
Sends the result (which is the "digital signature"), along with the contract (which itself need not be encrypted), to Bob.
The check: anyone can take the contract, hash it, and compare the result with what they get when they "decrypt" the digital signature with Alice's public key. If it matches, then the contract must be exactly what Alice sent, because:
Alice must have sent it, because only Alice's private key can produce something that verifies correctly with Alice's public key.
The contract can't have been modified, because the hash value would have changed.
("Encrypting the hash with the private key" is the textbook description. Real RSA signatures (PKCS#1 v1.5, RSASSA-PSS) pad the hash to the modulus size first and the verifier checks that padding too, since raw RSA over an unpadded hash is forgeable. Non-repudiation also assumes Alice's private key was never exposed.)
PKCS#11 and CSP
What is TOKEN?
How to have certificates in tokens?
What is PKCS#11?
What does PKCS#11 Provides?
What is CSP?
Token VS SmartCards
PC/SC, ATR and APDU commands
Tokens and Smartcards
Understand what information security is and how it came to mean what it does today.
Comprehend the history of computer security and how it evolved into information security.
Understand the key terms and critical concepts of information security as presented in the chapter.
Upon completion of this chapter
Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it: Access must be restricted to those authorized to view the data in question. It is common, as well, for data to be categorized according to the amount and type of damage that could be done should it fall into unintended hands. More or less stringent measures can then be implemented according to those categories.
Sometimes safeguarding data confidentiality may involve special training for those privy to such documents. Such training would typically include security risks that could threaten this information. Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices and information about social engineering methods, to prevent them from bending data-handling rules with good intentions and potentially disastrous results.
A good example of methods used to ensure confidentiality is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm. Other options include biometric verification and security tokens, key fobs or soft tokens. In addition, users can take precautions to minimize the number of places where the information appears and the number of times it is actually transmitted to complete a required transaction. Extra measures might be taken in the case of extremely sensitive documents, precautions such as storing only on air gapped computers, disconnected storage devices or, for highly sensitive information, in hard copy form only.
Integrity is about modification
Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users from becoming a problem. In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. Some data might include checksums, even cryptographic checksums (hashes or MACs), for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state.
Availability is about making sure data is accessible when it is needed
Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, and maintaining a correctly functioning operating system environment that is free of software conflicts. It is also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID and even high-availability clusters can mitigate serious consequences when hardware issues do occur. Fast and adaptive disaster recovery is essential for the worst-case scenarios; that capacity relies on the existence of a comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must cover unpredictable events such as natural disasters and fire. To prevent data loss from such occurrences, a backup copy may be stored in a geographically isolated location, perhaps even in a fireproof, waterproof safe. Extra security equipment or software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service (DoS) attacks and network intrusions.
Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.
Proving you are who you say you are
Claiming Who You Are
i.e. something you know (a secret shared between you and the verifier), something you have (such as a driver's license, an RSA token or a smart card), or something you are, which is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumbprint, a retina scan, or another form of bio-based authentication.
Proving who you are
What you can Do
Authorization is what takes place after a person has been both identified and authenticated; it is the step that determines what a person can then do on the system.
A service that provides proof of the integrity and origin of data.
An authentication that can be asserted to be genuine with high assurance.
We know RSA's relation to prime numbers, but what exactly is the tuple that makes up a key?
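An added Python example (standard library only, not from the slides) that ties together the factoring assignment (221), the hash-then-sign flow from the signing slide, and this tuple question: it factors the toy modulus, builds the PKCS#1 RSAPrivateKey tuple (n, e, d, p, q, dP, dQ, qInv), shows that whoever factors n recovers d, and signs and verifies a sample contract with a 512-bit demo key generated from a fixed seed. The contract text, the seed, the key size and the toy exponent e=5 are choices made for the demo, and the signature is unpadded; real deployments use 2048-bit or longer keys with PKCS#1 v1.5 or PSS padding. A CA signing a certificate performs the same sign() step over the TBSCertificate bytes.

```python
"""Textbook RSA from first principles: factor the toy modulus from the
assignment (221), build the PKCS#1 RSAPrivateKey tuple (n, e, d, p, q, dP,
dQ, qInv) and run the hash-then-sign flow from the signing slides. Added
example, standard library only (Python 3.8+ for pow(x, -1, m)). The keys it
makes are demo-sized and unpadded; never use this in place of a library."""
import hashlib
import random

def factor(n):
    """Trial division, the 'hard' direction of RSA. Work grows like sqrt(n):
    instant for 221, hopeless for a 2048-bit modulus."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("%d is prime" % n)

def rsa_private_key(p, q, e=65537):
    """The PKCS#1 RSAPrivateKey fields: (n, e, d) plus the CRT quintuple
    (p, q, dP, dQ, qInv) that OpenSSL and PKCS#11 tokens store as well."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # e*d == 1 (mod phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}

def recover_private_key(n, e):
    """What an attacker does with a public key whose n they can factor."""
    p, q = factor(n)
    return rsa_private_key(p, q, e)

def rsa_private_op(c, key):
    """c^d mod n via the CRT fields (RFC 8017, 5.1.2): about 4x faster than
    pow(c, d, n) and identical in result."""
    m1, m2 = pow(c, key["dP"], key["p"]), pow(c, key["dQ"], key["q"])
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand, rng):
            return cand

def rsa_keygen(bits, rng, e=65537):
    """Two primes of bits/2 each. e is prime, so 'e divides neither p-1 nor
    q-1' is exactly gcd(e, phi) == 1, which pow(e, -1, phi) needs."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            return rsa_private_key(p, q, e)

def demo_key(seed=2024, bits=512):
    """Reproducible demo key (fixed seed). Real keys: 2048+ bits from os.urandom."""
    return rsa_keygen(bits, random.Random(seed))

def sign(message, key):
    """'Encrypt the hash with the private key' (textbook). Real PKCS#1 pads the
    hash to the modulus size (v1.5 or PSS) before this step."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")   # 256 bits, so h < n
    return rsa_private_op(h, key)

def verify(message, signature, n, e):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h

if __name__ == "__main__":
    p, q = factor(221)                                  # the assignment: 13 * 17
    toy = rsa_private_key(p, q, e=5)                    # e=5: 65537 is bigger than phi=192
    c = pow(42, toy["e"], toy["n"])
    print(toy, "c =", c, "m =", rsa_private_op(c, toy), "attacker's d =", recover_private_key(221, 5)["d"])
    key = demo_key()
    contract = b"Alice pays Bob 100 EUR on 2025-01-01."
    sig = sign(contract, key)
    print(verify(contract, sig, key["n"], key["e"]), verify(contract + b"0", sig, key["n"], key["e"]))
```

For n = 221 the tuple is n=221, e=5, d=77, p=13, q=17, dP=5, dQ=13, qInv=10, and recover_private_key(221, 5) produces the same d from the public key alone, which is the whole reason p and q must be large. The CRT fields are why a leaked PKCS#8 file is worse than a leaked d: they make the private operation faster, and any one of p or q is enough to rebuild everything.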