p. 4

Chip unique key is XOR of 2 components

Each encrypted and stored in escrow with separate escrow agent

Both needed to construct chip unique key and decrypt

Release to authorized government agent for authorized surveillance.

Skipjack Algorithm

Transform 64 bit input block into 64 bit output block

80 bit key length

Same operating modes as DES (4 of them)

Classified to prevent implementing (in either software or hardware) without LEAF

RSA Crypto FAQ:

The Clipper chip contains an encryption algorithm called Skipjack. Each chip contains a unique 80-bit unit key U, which is escrowed in two parts at two escrow agencies; both parts must be known in order to recover the key. Also present is a serial number and an 80-bit "family key" F; the latter is common to all Clipper chips. The chip is manufactured so that it cannot be reverse engineered; this means that the Skipjack algorithm and the keys cannot be recovered from the chip.

Skipjack is the encryption algorithm contained in the Clipper chip, designed by the NSA (see Question 6.2.2). It uses an 80-bit key to encrypt 64-bit blocks of data. Skipjack is expected to be more secure than DES in the absence of any analytic attack since it uses 80-bit keys. By contrast, DES uses 56-bit keys.

Initially the details of Skipjack were classified and the decision not to make the details of the algorithm publicly available was widely criticized. Some people were suspicious that Skipjack might not be secure, either due to an oversight by its designers, or by the deliberate introduction of a secret trapdoor. Since Skipjack was not public, it could not be widely scrutinized and there was little public confidence in the cipher.

Aware of such criticism, the government invited a small group of independent cryptographers to examine the Skipjack algorithm. They issued a report [BDK93] which stated that although their study was too limited to reach a definitive conclusion, they nevertheless believed Skipjack was secure.

In June of 1998 Skipjack was declassified by the NSA. Early cryptanalysis has failed to find any substantial weakness in the cipher.

Describe the elements of the Electronic Data Security Act of 1997

CISSP Seminar:

To be completed????

Electronic Data Security Act 1997:

The Electronic Data Security Act states its goals as:

To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.

Describe the basis of Public-Key Algorithms

CISSP Seminar:

Factoring large numbers (products of large primes)

RSA

Discrete log problem (difficulty of taking logarithms in finite fields)

El Gamal encryption scheme and signature algorithm

Schnorr’s signature algorithm

Nyberg-Rueppel’s signature algorithm

Station-to-Station protocol for key agreement (STS)

Digital Signature Algorithm (DSA)

Elliptic Curve Crypto (ECC)

RSA Crypto FAQ:

Public-key cryptosystems are based on a problem that is in some sense difficult to solve. Difficult in this case refers more to the computational requirements in finding a solution than the conception of the problem. These problems are called hard problems. Some of the most well known examples are factoring, theorem-proving, and the "traveling salesman problem" - finding the route through a given collection of cities which minimizes the total length of the path.

Factoring is the underlying, presumably hard problem upon which several public-key cryptosystems are based, including the RSA algorithm. Factoring an RSA modulus would allow an attacker to figure out the private key; thus, anyone who can factor the modulus can decrypt messages and forge signatures. The security of the RSA algorithm depends on the factoring problem being difficult and the presence of no other types of attack.

In general the larger the number the more time it takes to factor it. Of course if you have a number like 2^100 it is easier to factor than say, a number with half as many digits but the product of two primes of about the same length. This is why the size of the modulus in RSA determines how secure an actual use of RSA is; the larger the modulus, the longer it would take an attacker to factor, and thus the more resistant the RSA modulus is to an attack.
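A worked illustration of the two paragraphs above, added here and not part of the RSA FAQ: a toy RSA key pair built from two constructed primes, and the computation that turns a factorization of the modulus n into the private exponent d, which is exactly why the size of n sets the security of RSA. The primes 104723 and 104729, the message 42, and the function names are sample values chosen for this example; trial division works only because n is tiny.

```python
"""Toy RSA: factoring the modulus yields the private key.

Added example (not from the FAQ). The primes are deliberately small so the
whole computation takes milliseconds; real RSA moduli are 1024+ bits and
cannot be factored by trial division.
"""
from math import gcd, isqrt


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes; returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def trial_division(n):
    """Return (p, q) with p <= q and p * q == n; feasible only for tiny n."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no non-trivial factor found")


def recover_private_key(pub):
    """From the public key alone: factor n, rebuild phi(n), and hence d.

    This is the attack the FAQ describes; its cost is the cost of factoring."""
    n, e = pub
    p, q = trial_division(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    pub, d = keygen(104729, 104723)       # constructed sample primes
    c = encrypt(pub, 42)
    d_recovered = recover_private_key(pub)
    print(d_recovered == d)               # True
    print(decrypt(pub[0], d_recovered, c)) # 42
    # A number like 2**100 falls to the very first trial divisor, which is
    # the FAQ's point: size alone is not hardness, the factor structure is.
    print(trial_division(2 ** 100)[0])    # 2
```

The modulus here has only 11 digits, so `trial_division` finishes instantly; the same function on a 2048-bit modulus would never finish, which is the whole security argument of the paragraph.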

Define Elliptic Curve Cryptosystems (ECC)

CISSP Seminar:

Uses algebraic system defined on points of elliptic curve to provide public-key algorithms.

Digital signature

Secret key distribution

Confidential info transmission

First proposed by Victor Miller (IBM/CRD) 1985 & Neal Koblitz (University of Washington)

RSA Crypto FAQ:

Elliptic curve cryptosystems were first proposed independently by Victor Miller [Mil86] and Neal Koblitz [Kob87] in the mid-1980s. At a high level, they are analogs of existing public-key cryptosystems in which modular arithmetic is replaced by operations defined over elliptic curves. The elliptic curve cryptosystems that have appeared in the literature can be classified into two categories according to whether they are analogs to RSA or discrete logarithm based systems.

Describe the advantages of Elliptic Curves Cryptosystems (ECC)

CISSP Seminar:

Highest strength/bit of public key systems

Big saving over other public key systems

Computation

Bandwidth

Storage

Bandwidth reduced

Short signature and certificates

Fast encryption and signature speed

Hardware and software

Ideal for very small hardware implementations

Smart card

Encryption and digital signature stages separable to simplify export

RSA Crypto FAQ:

Presently, the methods for computing general elliptic curve discrete logs are much less efficient than those for factoring or computing conventional discrete logs. As a result, shorter key sizes can be used to achieve the same security of conventional public-key cryptosystems, which might lead to better memory requirements and improved performance. One can easily construct elliptic curve encryption, signature, and key agreement schemes by making analogs of ElGamal, DSA, and Diffie-Hellman. These variants appear to offer certain implementation advantages over the original schemes, and they have recently drawn more and more attention from both the academic community and the industry.

The main attraction of elliptic curve cryptosystems over other public-key cryptosystems is the fact that they are based on a different, hard problem. This may lead to smaller key sizes and better performance in certain public-key operations for the same level of security.

Very roughly speaking, when this FAQ was published elliptic curve cryptosystems with a 160-bit key offer the same security of RSA and discrete logarithm based systems with a 1024-bit key. As a result, the length of the public key and private key is much shorter in elliptic curve cryptosystems. In terms of speed, however, it is quite difficult to give a quantitative comparison, partly because of the various optimization techniques one can apply to different systems. It is perhaps fair to say the following: Elliptic curve cryptosystems are faster than the corresponding discrete logarithm based systems. Elliptic curve cryptosystems are faster than RSA in signing and decryption, but slower than RSA in signature verification and encryption. For more detailed comparisons, see the survey article by Matt Robshaw and Yiqun Lisa Yin [RY97].

With academic advances in attacking different hard mathematical problems both the security estimates for various key sizes in different systems and the performance comparisons between systems are likely to change.

Identify the standards Activities Involving Elliptic Curve Cryptosystems (ECC)

CISSP Seminar:

IEEE, P1363 (public-key crypto)

Covers main public key techniques

RSA, ECC, El Gamal, Diffie-Hellman

ANSI X9

Elliptic Curve Digital Signature Algorithm (ECDSA) proposed work item

ANSI ASC X9

Elliptic curve key agreement and key management proposed work item

ISO/IEC CD 14888-3 "Digital Signature with appendix"

Variety of digital signature mechanisms

RSA Crypto FAQ:

The IEEE P1363 is an emerging standard that aims to provide a comprehensive coverage of established public-key techniques. It continues to move toward completion, with balloting expected later this year. The project, begun in 1993, has produced a draft standard covering public-key techniques from the discrete logarithm, elliptic curve, and integer factorization families. Contributions are currently solicited for an addendum, IEEE P1363a, which will cover additional public-key techniques. The project is closely coordinated with emerging ANSI standards for public-key cryptography in banking, and forthcoming revisions of RSA Laboratories' Public-Key Cryptography Standards will also be aligned with IEEE P1363.

American National Standards Institute (ANSI) is broken down into committees, one being ANSI X9. The committee ANSI X9 develops standards for the financial industry, more specifically for personal identification number (PIN) management, check processing, electronic transfer of funds, etc. Within the committee of X9, there are subcommittees; further broken down are the actual documents, such as X9.9 and X9.17.

The International Organization for Standardization, (ISO), is a non-governmental body promoting standardization developments globally. Altogether, ISO is broken down into about 2700 Technical Committees, subcommittees and working groups. ISO/IEC (International Electrotechnical Commission) is the joint technical committee developing the standards for information technology. One of the more important information technology standards developed by ISO/IEC is ISO/IEC 9798 [ISO92a]. This is an emerging international standard for entity authentication techniques. It consists of five parts. Part 1 is introductory, and Parts 2 and 3 define protocols for entity authentication using secret-key techniques and public-key techniques. Part 4 defines protocols based on cryptographic checksums, and part 5 addresses zero-knowledge techniques.

Describe Pretty Good Privacy (PGP)

CISSP Seminar:

Created by Phil Zimmermann

Random prime number + pass phrase

Key crunching generates key

Convert passphrase into bitstream

For random key, passphrase must be long

Theory: number of passphrase characters = number of bits in key

RSA Crypto FAQ:

PGP (Pretty Good Privacy) is a software package originally developed by Phil Zimmermann that provides cryptographic routines for e-mail, file transfer, and file storage applications. Zimmermann used existing cryptographic algorithms and protocols and developed a system that can run on multiple platforms. It provides message encryption, digital signatures, data compression, and e-mail compatibility.

The algorithms used by PGP have changed over its various versions. Versions prior to 5.0 used RSA for key exchange, MD5 for digital signatures, and IDEA for bulk encryption of messages and files. Version 5.0 added Diffie-Hellman (El Gamal) for key exchange, RIPEMD-160 and SHA-1 for digital signatures, and 3DES and CAST for bulk encryption of messages and files.

All versions of PGP have incorporated the routines from the freeware program ZIP (which uses routines that are comparable to the routines used in PKZip) to compress data before encryption. This is done to add security to the cryptographic implementation, as well as minimize the transmission time of the encrypted data. E-mail compatibility is achieved by Radix-64 conversion of the binary data.

PGP is bound by Federal export laws due to its usage of the RSA, IDEA, Diffie-Hellman, 3DES and CAST algorithms. The source code to PGP was legally exported in book form, and is available (along with binary distributions of the program for use outside of the USA) at http://www.pgpi.com

Define the four (4) types of PGP certificates

CISSP Seminar:

Make up yourself

Provided commercially

Vouching on business relationship

Authenticated individual activity

RSA Crypto FAQ:

Compare and contrast El Gamal and Diffie-Hellman Algorithms

CISSP Seminar:

El Gamal

Unpatented, public-key algorithm used for both digital signatures and encryption

Security stems from difficulty in calculating discrete logarithms in a finite field

First public-key crypto algorithm suitable for encryption and digital signatures unencumbered by patents in U.S.

Diffie-Hellman

Invented in 1976 – First public key algorithm

Security stems from difficulty in calculating discrete logarithms in a finite field

Used for key distribution but not for message encryption/decryption

Patent expired in 1997

Bryce Hendrix paper on Cryptography:

El Gamal

Another popular system is the El Gamal algorithm, which relies on the difficulty of discrete logarithms. The algorithm is based on the problem of exponentiation as follows: given a modulus q and some b < q, a character x can be encrypted as the integer y such that b^y ≡ x (mod q). The integer y should not be easily computable, providing security through the infeasibility of complicated discrete logarithms.

The actual El Gamal algorithm requires, for a secure system, that everyone agrees on a large prime modulus, q. A number g is chosen such that, ideally, the order of g is q-1. The user generates a private key, y, then uses that private key to generate the public key, g^y; additionally the public key must be congruent to 1 mod q. For El Gamal to be secure, y must be difficult to compute from g^y. Suppose Alice now wishes to encrypt a message M for Bob using his public key. Since both g and g^y are known to Alice, she then computes the k-th power of each and sends Bob g^k and M(g^y)^k. Since Bob knows y, he can then reconstruct M by finding the inverse of (g^y)^k and multiplying M(g^y)^k by the inverse to attain M [Achter].

Comparing the El Gamal algorithm with the RSA algorithm, it is noted that both employ exponentiation, so they can be assumed to have comparable speed in encryption and decryption as well as key generation. RSA's security is based on factorization, which has been studied comprehensively over the past two hundred years. El Gamal, on the other hand, relies on solving by discrete logarithms, which remains fairly unstudied. By varying g and the inverse function simultaneously an attack that has a complexity lower than solving by discrete logarithms or factoring, not it can be said that El Gamal is at best no more secure than RSA and possibly much less secure [Nechvatal]. It should also be pointed out that El Gamal requires two values to be sent, the encrypted message and a message dependent large integer. For this reason, El Gamal is said to be less space efficient than RSA, although it may present better security against some attacks, especially if k is different for g^k and M(g^y)^k [Nechvatal].

Milgo Solution:

Diffie Hellman

Diffie Hellman was the first public key algorithm ever developed. It is still extremely popular and highly recommended for key exchange. Its primary advantage over RSA, the most widely used public key algorithm, is that Diffie Hellman is a negotiated key generation while RSA is a master/slave key generation.

The public portions of Diffie Hellman are:

Modulus = m

Integer = g

Two parties, Alice and Bob, who want to negotiate a key that only they will know, perform the following:

1. Alice generates a large random number a and computes X = g^a mod m

2. Bob generates a large random number b and computes Y = g^b mod m

3. Alice sends X to Bob.

4. Bob computes Key 1 = X^b mod m

5. Bob sends Y to Alice.

6. Alice computes Key 2 = Y^a mod m

Both Key 1 and Key 2 are equal to g^(ab) mod m. No one besides Alice and Bob is able to generate this value. Only someone who knows a or b is able to generate the key. Therefore Diffie Hellman public key is a means for two parties who have never met to be able to negotiate a key over a public channel.

The security of Diffie Hellman revolves around the choice of the public parameters m and g. Modulus m should be a prime number and (m-1)/2 should also be a prime number. Finally modulus m should be large because the security is related to finding the discrete logarithm in a finite field of size m. SafeDial uses a 1024-bit modulus, which is considered to be highly secure by most experts.
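The two excerpts above describe El Gamal encryption and Diffie-Hellman key agreement on the same kind of group. The example below, added here and not taken from the Hendrix paper or the Milgo text, runs both side by side on one constructed toy group so the contrast is visible in code: Milgo's six steps produce a single shared key, while El Gamal sends two values per message and its decryption step is a Diffie-Hellman computation in disguise. The modulus 1019 (a safe prime, 2·509 + 1), the base 2, the sample plaintext 314, and all function names are assumptions for illustration; SafeDial's 1024-bit modulus is what a real system would use.

```python
"""Diffie-Hellman key agreement beside El Gamal encryption on one small group.

Added example (not from the Milgo or Hendrix excerpts). Parameters are toy
sized: m = 1019 is a safe prime and g = 2 generates the whole group mod 1019.
Notation follows the texts: Milgo's (m, g, a, b, X, Y), Hendrix's private
key y, public key g^y, and ciphertext (g^k, M(g^y)^k).
"""
import secrets


def is_prime(n):
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))


def is_safe_prime(m):
    """Milgo's parameter rule: m prime and (m - 1) / 2 also prime."""
    return is_prime(m) and is_prime((m - 1) // 2)


M, G = 1019, 2                       # constructed toy parameters
assert is_safe_prime(M)


def random_exponent(m):
    """Uniform secret in [2, m - 2]; a full key space, no patterns."""
    return 2 + secrets.randbelow(m - 3)


def dh_exchange(a=None, b=None, m=M, g=G):
    """Milgo's steps 1-6; returns (Key 1, Key 2), both equal to g^(ab) mod m."""
    a = random_exponent(m) if a is None else a
    b = random_exponent(m) if b is None else b
    X = pow(g, a, m)                 # 1. Alice computes X ...
    Y = pow(g, b, m)                 # 2. Bob computes Y ...
    key1 = pow(X, b, m)              # 3-4. Alice sends X; Bob computes X^b
    key2 = pow(Y, a, m)              # 5-6. Bob sends Y; Alice computes Y^a
    return key1, key2


def elgamal_keypair(m=M, g=G):
    """Bob's long-term key: private y, public g^y."""
    y = random_exponent(m)
    return y, pow(g, y, m)


def elgamal_encrypt(pub, msg, m=M, g=G):
    """Alice: fresh k per message, send the pair (g^k, M * (g^y)^k)."""
    if not 0 < msg < m:
        raise ValueError("message must be an integer in [1, m - 1]")
    k = random_exponent(m)
    return pow(g, k, m), msg * pow(pub, k, m) % m


def elgamal_decrypt(priv, ct, m=M):
    """Bob: (g^k)^y equals (g^y)^k, which is just a DH key; invert it."""
    c1, c2 = ct
    shared = pow(c1, priv, m)
    return c2 * pow(shared, -1, m) % m


if __name__ == "__main__":
    print(dh_exchange())                       # e.g. (612, 612): one shared key
    y, pub = elgamal_keypair()
    ct = elgamal_encrypt(pub, 314)
    print(ct, elgamal_decrypt(y, ct))          # two values sent; 314 recovered
```

`elgamal_decrypt` makes the relationship explicit: the quantity Bob inverts, (g^k)^y, is the Diffie-Hellman key between Alice's per-message exponent k and Bob's long-term y, which is why both schemes rest on the same discrete-logarithm problem and why Hendrix insists k must change from message to message.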

Compare and contrast Cryptographic Module Configurations

CISSP Seminar:

There are four types of modules: inline, offline, embedded, stand-alone

Inline

Front end configuration

Module capable of accepting plaintext from source

Performing crypto processing

Passing processed data directly to communications equipment

Without passing back to source

May also decrypt reverse process

Data cannot leave host without passing through module

Comm equip in module or external to host

Offline

Back end configuration

Module capable of accepting data from source

Performing crypto processing

Passing processed data back to source

Source responsible for storage and further transmission

Maintaining separation between protected and unprotected data

Ideal for local file encryption

Comm boards may be internal to host

Embedded

Module physically enclosed within and interfaces with computer

Either inline or offline

Less expensive

Physical security (tamper protection and detection) questionable

Standalone

Module contained in own physical enclosure

Outside host computer

Either inline or offline

Identify the Activities Related to Key management

CISSP Seminar:

Key management

Key change

Key disposition

Key recovery

Control of crypto keys

RSA Crypto FAQ:

Key management deals with the secure generation, distribution, and storage of keys. Secure methods of key management are extremely important. Once a key is randomly generated (see Question 4.1.2.2), it must remain secret to avoid unfortunate mishaps (such as impersonation). In practice, most attacks on public-key systems will probably be aimed at the key management level, rather than at the cryptographic algorithm itself.

Users must be able to securely obtain a key pair suited to their efficiency and security needs. There must be a way to look up other people's public keys and to publicize one's own public key. Users must be able to legitimately obtain others' public keys; otherwise, an intruder can either change public keys listed in a directory, or impersonate another user. Certificates are used for this purpose. Certificates must be unforgeable. The issuance of certificates must proceed in a secure way, impervious to attack. In particular, the issuer must authenticate the identity and the public key of an individual before issuing a certificate to that individual.

If someone's private key is lost or compromised, others must be made aware of this, so they will no longer encrypt messages under the invalid public key nor accept messages signed with the invalid private key. Users must be able to store their private keys securely, so no intruder can obtain them, yet the keys must be readily accessible for legitimate use. Keys need to be valid only until a specified expiration date but the expiration date must be chosen properly and publicized in an authenticated channel.

Compare and contrast the types of key management

CISSP Seminar:

Link encryption

End-To-End encryption

Key Distribution Center (KDC)

User unique key distributed

Changed infrequently

A calls B

Calling protocol contacts KDC

KDC generates random session key (k)

KDC encrypts k using A’s unique key and sends it to A

KDC encrypts k using B’s unique key and sends it to B

A and B use k for session

Describe the principle of key management

CISSP Seminar:

Must be fully automated

For key discipline and secrecy

No key in clear outside of crypto device

For secrecy and known plaintext attack resistance

Choose keys randomly from entire key space

Pattern can be exploited by attacker to reduce work

Key encrypting keys must be separate from data keys

Nothing appearing in clear is encrypted with key-encrypting-key

Keep KEK invulnerable to brute force attack

Disguise all patterns in cleartext object before encryption

Format, language, alphabet, public code

To resist ciphertext only attacks

Use long-lived keys infrequently

The more a key is used, the more likely a successful attack and the greater the consequences

Describe the concept of key recovery and key recovery systems

CISSP Seminar:

Permits recovery of lost or damaged keys without the need to store or escrow them with a third party

Key recovery alliance of vendors formed (10/2/96)

Developed exportable, worldwide approach to strong encryption to enable secure international commerce

Developing modern, high-level crypto "Key recovery" solutions

Meet business requirements

Ease crypto import/export restrictions worldwide

Alliance proposed requirements for ideal key recovery system (9/19/97)

RSA Crypto FAQ:

One of the barriers to the widespread use of encryption in certain contexts is the fact that when a key is somehow "lost", any data encrypted with that key becomes unusable. Key recovery is a general term encompassing the numerous ways of permitting "emergency access" to encrypted data.

One common way to perform key recovery, called key escrow, is to split a decryption key (typically a secret key or an RSA private key) into several parts and distribute these parts to escrow agents or "trustees". In an emergency situation (exactly what defines an "emergency situation" is context-dependent), these trustees can use their "shares" of the keys either to reconstruct the missing key or simply to decrypt encrypted communications directly. This method is used by Security Dynamics' RSA SecurPC product.

Another recovery method, called key encapsulation, is to encrypt data in a communication with a "session key" (which varies from communication to communication) and to encrypt that session key with a trustee's public key. The encrypted session key is sent with the encrypted communication, and so the trustee is able to decrypt the communication when necessary. A variant of this method, in which the session key is split into several pieces, each encrypted with a different trustee's public key, is used by TIS' RecoverKey.

Key recovery can also be performed on keys other than decryption keys. For example, a user's private signing key might be recovered. From a security point of view, however, the rationale for recovering a signing key is generally less compelling than that for recovering a decryption key.
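The key escrow method described above (a key split into parts held by separate trustees) is the same construction the Clipper notes at the top of this page describe for the chip unique key: two components whose XOR is the key, each held by a different escrow agent. The example below is added here and is not from the RSA FAQ or the Clipper design documents; it implements the XOR split for the two-agent Clipper case and the general n-trustee case, and shows that the parts held by any subset short of all of them are independent of the key. The 80-bit unit key is generated as a sample value, the function names are assumptions, and the encryption of each share under an escrow agent's own key is left out so only the split itself is shown.

```python
"""Splitting a key into escrow shares by XOR: Clipper 2-of-2 and n-of-n.

Added example (not from the FAQ or the Clipper specification). A share set
is "all or nothing": the full set reconstructs the key, any smaller set is
statistically indistinguishable from random bytes.
"""
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """Return n shares whose XOR equals key.

    The first n-1 shares are uniformly random; the last is chosen so the XOR
    comes out right. Any n-1 shares are therefore independent of the key."""
    if n < 2:
        raise ValueError("need at least two escrow agents")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def reconstruct(shares):
    """What an authorized party computes after every agent releases its share."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def reconstruct_without(shares, missing_index):
    """What any party holding all but one share can compute: random bytes."""
    rest = shares[:missing_index] + shares[missing_index + 1:]
    return reconstruct(rest)


if __name__ == "__main__":
    unit_key = secrets.token_bytes(10)             # constructed 80-bit unit key U
    agent1, agent2 = split_key(unit_key, 2)        # Clipper: two escrow agents
    print(reconstruct([agent1, agent2]) == unit_key)             # True
    print(reconstruct_without([agent1, agent2], 1) == unit_key)  # False
    trustees = split_key(unit_key, 3)              # FAQ: "several parts"
    print(reconstruct(trustees) == unit_key)                     # True
```

The scheme gives the "both needed to construct" property the Clipper notes list, but nothing more: it is n-of-n, so the loss of a single escrow agent's share makes the key unrecoverable, and it does not address how each agent protects its share, which is why the Clipper design stores each component encrypted.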

Define Digital Signature as it Pertains to Cryptography

CISSP Seminar:

Authentication tool to verify a message’s origin and a sender’s identity

Resolves authentication issues

Block of data attached to message (document, file, record, etc)

Binds message to individual whose signature can be verified

By receiver or third party

Can’t be forged

Each user has public-private key pair.

RSA Crypto FAQ:

The digital signature of a document is a piece of information based on both the document and the signer's private key. It is typically created through the use of a hash function and a private signing function (encrypting with the signer's private key), but there are other methods. Authentication is any process through which one proves and verifies certain information. Sometimes one may want to verify the origin of a document, the identity of the sender, the time and date a document was sent and/or signed, the identity of a computer or user, and so on. A digital signature is a cryptographic means through which many of these may be verified.

Describe the Digital Signature Standard (DSS)

CISSP Seminar:

NIST proposed in 1991

Uses secure hash algorithm (SHA)

Condenses message to 160 bits

Modular arithmetic exponentiations of large numbers

Key size 512-1024 bits

Difficult to invert exponentiations (security)

Equivalent to factoring (RSA)

FIPS 186:

This Standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. The DSA provides the capability to generate and verify signatures.

Define Operation of the Digital Signature Standard

CISSP Seminar:

To sign a message

Sender computes digest of message

Using public hash function

Crypto signature by sender’s private key

Applied to digest creates digital signature

Digital signature sent with message

To verify a message

Receiver computes digest of message

Verifying function with sender’s public key

Applied to digest and signature received

Verified if both digests match

Signature decryption identifies sender
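The signing and verifying steps listed above, carried through in code with the DSA of FIPS 186: the signer hashes the message with SHA and applies a private-key operation to the digest, the receiver recomputes the digest and applies the sender's public key, and the signature verifies only when the two digests agree. This example is added here and is not taken from FIPS 186 or the seminar notes. Its parameters are generated at toy size: q = 2^31 - 1 (a known Mersenne prime) stands in for the standard's 160-bit q, p is the first prime of the form k·q + 1 rather than a 512- to 1024-bit prime, and the SHA-1 digest is reduced mod q, a simplification of the standard's leftmost-bits rule; the function names and the sample messages are assumptions for illustration.

```python
"""Toy DSA (FIPS 186 style): sign = hash + private-key step, verify = hash + public-key step.

Added example (not from FIPS 186). Parameters are far below standard size and
exist only to make the arithmetic visible.
"""
import hashlib
import secrets

Q = (1 << 31) - 1           # toy subgroup order (2^31 - 1, prime); real DSA: 160-bit q


def is_probable_prime(n):
    """Miller-Rabin with bases 2..17, deterministic for n < 3.4e14 (enough here)."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(q=Q):
    """Find prime p = k*q + 1 (k even, so p is odd) and g of order q mod p."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_to_int(msg, q):
    """Digest of the message (SHA-1, the DSS hash), reduced into Z_q."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def keygen(params):
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)        # private key x
    return x, pow(g, x, p)                  # (private, public y = g^x)


def sign(msg, priv, params):
    """Signer: compute the digest, then the private-key operation -> (r, s)."""
    p, q, g = params
    e = hash_to_int(msg, q)
    while True:
        k = 1 + secrets.randbelow(q - 1)    # fresh per-signature secret; never reuse
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = pow(k, -1, q) * (e + priv * r) % q
        if s != 0:
            return r, s


def verify(msg, sig, pub, params):
    """Receiver: recompute the digest, apply the public key, compare with r."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):       # range checks first, per FIPS 186
        return False
    w = pow(s, -1, q)
    e = hash_to_int(msg, q)
    u1, u2 = e * w % q, r * w % q
    v = (pow(g, u1, p) * pow(pub, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = gen_params()
    priv, pub = keygen(params)
    sig = sign(b"transfer 100", priv, params)
    print(verify(b"transfer 100", sig, pub, params))   # True
    print(verify(b"transfer 900", sig, pub, params))   # False: digest changed
```

The two branches of the notes map onto the two functions: `sign` is "digest, then private key", `verify` is "digest, then public key", and the comparison `v == r` is the "both digests match" check. Because the digest enters both sides, altering one byte of the message (or presenting a different public key) fails verification, which is what binds the message to the signer.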

RSA Crypto FAQ:
