Cryptography: Securing the

Information Age

Source: [Link]/product/ [Link]

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Agenda
• Definitions
• Why cryptography is important?
• Available technologies
• Benefits & problems
• Future of cryptography
• Houston resources
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Essential Terms
• Cryptography
• Encryption
Plain text  Cipher text
• Decryption
Cipher text  Plain text
• Cryptanalysis
• Cryptology Source: [Link]

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Information Security for…
• Defending against external/internal hackers
• Defending against industrial espionage
• Securing E-commerce
• Securing bank accounts/electronic transfers
• Securing intellectual property
• Avoiding liability

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Threats to Information Security
• Pervasiveness of email/networks
• Online storage of sensitive
information
• Insecure technologies (e.g.
wireless)
• Trend towards paperless society
• Weak legal protection of email
privacy

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Types of Secret Writing
Secret writing

Steganography Cryptography

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Steganography

• Steganography –
covered writing –
is an art of hiding
information
• Popular
contemporary
steganographic
technologies hide New York Times, August 3rd, 2001

information in [Link]

images Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Hiding information in pictures

Image in which to hide Image to hide within the

another image other image
Information Systems Research Center

[Link] /
October 17, 2002 Future Technology Briefing
 Retrieving information from
pictures

Image with other Recreated image

hidden within
Information Systems Research Center

[Link] /
October 17, 2002 Future Technology Briefing
 Digital Watermarks

Information Systems Research Center

Source: [Link]

October 17, 2002 Future Technology Briefing

 Types of Secret Writing
Secret writing

Steganography Cryptography

Substitution Transposition

Code

Cipher
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Public Key Cryptography
• Private (symmetric, secret) key – the same
key used for encryption/decryption
• Problem of key distribution
• Public (asymmetric) key cryptography – a
public key used for encryption and private
key for decryption
• Key distribution problem solved

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Currently Available Crypto
Algorithms (private key)
• DES (Data Encryption Standard) and
derivatives: double DES and triple DES
• IDEA (International Data Encryption
Standard)
• Blowfish
• RC5 (Rivest Cipher #5)
• AES (Advance Encryption Standard)
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Currently Available Crypto
Algorithms (public key)
• RSA (Rivest, Shamir, Adleman)
• DH (Diffie-Hellman Key Agreement
Algorithm)
• ECDH (Elliptic Curve Diffie-Hellman Key
Agreement Algorithm)
• RPK (Raike Public Key)

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Currently Available Technologies

PGP (Pretty Good Privacy) – a hybrid

encryption technology
– Message is encrypted using a private key
algorithm (IDEA)
– Key is then encrypted using a public key
algorithm (RSA)
– For file encryption, only IDEA algorithm is used
– PGP is free for home use
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Authentication and Digital
Signatures
• Preventing impostor attacks
• Preventing content tampering
• Preventing timing modification
• Preventing repudiation
By:
• Encryption itself
• Cryptographic checksum and hash
functions
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Digital Signatures

• Made by encrypting a message digest

(cryptographic checksum) with the sender’s
private key
• Receiver decrypts with the sender’s public
key (roles of private and public keys are
flipped)

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 PKI and CA

• Digital signature does not confirm identity

• Public Key Infrastructure provides a trusted
third party’s confirmation of a sender’s
identity
• Certification Authority is a trusted third party
that issues identity certificates

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Problems with CAs and PKI
• Who gave CA the authority to issue
certificates? Who made it “trusted”?
• What good are the certificates?
• What if somebody digitally signed a binding
contract in your name by hacking into your
system?
• How secure are CA’s practices? Can a
malicious hacker add a public key to a CA’s
directory? Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Currently Available Technologies

• MD4 and MD5 (Message Digest)

• SHA-1 (Secure Hash Algorithm version 1)
• DSA (The Digital Signature Algorithm)
• ECDSA (Elliptic Curve DSA)
• Kerberos
• OPS (Open Profiling Standard)
• VeriSign Digital IDs
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 JAVA and XML Cryptography

• [Link] package includes classes used

for authentication and digital signature
• [Link] package contains Java
Cryptography Extension classes
• XML makes it possible to encrypt or digitally
sign parts of a message, different encryption
for different recipients, etc.
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 XML Crypto Document
Listing 1. Information on John Smith showing his bank, limit of
$5,000, card number, and expiration date
<?xml version='1.0'?>
<PaymentInfo xmlns='[Link]
<Name>John Smith<Name/>
<CreditCard Limit='5,000' Currency='USD'>
<Number>4019 2445 0277 5567</Number>
<Issuer>Bank of the Internet</Issuer>
<Expiration>04/02</Expiration>
</CreditCard>
Information Systems Research Center

</PaymentInfo>
October 17, 2002 Future Technology Briefing

(Source: [Link]
 XML Crypto document
Listing 2. Encrypted document where all but name is encrypted
<?xml version='1.0'?>
<PaymentInfo xmlns='[Link]
<Name>John Smith<Name/>
<EncryptedData Type='[Link]
xmlns='[Link]

<CipherData><CipherValue>A23B45C56</CipherValue></CipherData>
</EncryptedData>
</PaymentInfo>
Information Systems Research Center

(Source: [Link]

October 17, 2002 Future Technology Briefing

 Benefits of Cryptographic Technologies

• Data secrecy
• Data integrity
• Authentication of
message originator
• Electronic certification
and digital signature
• Non-repudiation
Source: [Link]

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Potential Problems with Cryptographic
Technologies?
• False sense of security if
badly implemented
• Government regulation of
cryptographic
technologies/export
restrictions
• Encryption prohibited in
some countries Source: [Link]

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 How Secure are Today’s
Technologies?
• $250,000 machine cracks 56 bit key DES code in 56
hours
• IDEA, RC5, RSA, etc. resist complex attacks when
properly implemented
• [Link] cracked 64 bit RC5 key (1,757
days and 331,252 people) in July, 2002
• A computer that breaks DES in 1 second will take
149 trillion years to break AES!
• Algorithms are not theoretically unbreakable: Information Systems Research Center

successful attacks in the future are possible

October 17, 2002 Future Technology Briefing
 How Secure are Today’s
Technologies?
• Encryption does not guarantee security!
• Many ways to beat a crypto system NOT dependent
on cryptanalysis, such as:
– Viruses, worms, hackers, etc.
– TEMPEST attacks,
– Unauthorized physical access to secret keys
• Cryptography is only one element of comprehensive
computer security
Information Systems Research Center

October 17, 2002 Future Technology Briefing

 The Future of Secret Writing
Quantum cryptanalysis
– A quantum computer can perform
practically unlimited number of
simultaneous computations
– Factoring large integers is a
natural application for a quantum
computer (necessary to break
RSA) Source: [Link]

– Quantum cryptanalysis would

render ALL modern
cryptosystems instantly obsolete Information Systems Research Center

October 17, 2002 Future Technology Briefing

 When will it happen?
• 2004 – 10-qubit special purpose quantum
computer available
• 2006 – factoring attacks on RSA algorithm
• 2010 through 2012 – intelligence agencies
will have quantum computers
• 2015 – large enterprises will have quantum
computers
Source: The Gartner Group

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 What is to be done?
The Gartner Group recommends:

• Develop migration plans to stronger

crypto by 2008
• Begin implementation in 2010

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 The Future of Secret Writing
(continued)
Quantum encryption
– No need for a quantum computer
– A key cannot be intercepted without
altering its content
– It is theoretically unbreakable
– Central problem is transmitting a quantum
message over a significant distance
Source: [Link]

Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Houston Resources
University of Houston
− Crypto courses
− Ernst Leiss
Rice University: Computer Science Dept
− Crypto research and offers crypto training
− Dan Wallach (security of WAP, WEP, etc.)
Companies
− EDS
− RSA Security
− Schlumberger
− SANS Institute Information Systems Research Center

October 17, 2002 Future Technology Briefing

 Your questions are welcome!

Information Systems Research Center

October 17, 2002 Future Technology Briefing