<<

. 4
( 5 .)



>>

Regardless of session key
Chip unique key is XOR of 2 components
Each encrypted and stored in escrow with separate escrow agent
Both needed to construct chip unique key and decrypt
Release to authorized government agent for authorized surveillance.
Shipjack Algorithm
Transform 64 bit input block into 64 bit output block
80 bit key length
Same operating modes as DES (4 of them)
Classified to prevent implementing (in either software or hardware) without LEAF
RSA Crypto FAQ:
The Clipper chip contains an encryption algorithm called Skipjack. Each chip contains a unique 80-bit unit key U, which is escrowed in two parts at two escrow agencies; both parts must be known in order to recover the key. Also present is a serial number and an 80-bit "family key" F; the latter is common to all Clipper chips. The chip is manufactured so that it cannot be reverse engineered; this means that the Skipjack algorithm and the keys cannot be recovered from the chip.
Skipjack is the encryption algorithm contained in the Clipper chip, designed by the NSA (see Question 6.2.2). It uses an 80-bit key to encrypt 64-bit blocks of data. Skipjack is expected to be more secure than DES in the absence of any analytic attack since it uses 80-bit keys. By contrast, DES uses 56-bit keys.
Initially the details of Skipjack were classified and the decision not to make the details of the algorithm publicly available was widely criticized. Some people were suspicious that Skipjack might not be secure, either due to an oversight by its designers, or by the deliberate introduction of a secret trapdoor. Since Skipjack was not public, it could not be widely scrutinized and there was little public confidence in the cipher.
Aware of such criticism, the government invited a small group of independent cryptographers to examine the Skipjack algorithm. They issued a report [BDK93] which stated that although their study was too limited to reach a definitive conclusion, they nevertheless believed Skipjack was secure.
In June of 1998 Skipjack was declassified by the NSA. Early cryptanalysis has failed to find any substantial weakness in the cipher.

Describe the elements of the Electronic Data Security Act of 1997
CISSP Seminar:
To be completed????
Electronic Data Security Act 1997:
The Electronic Data Security Act states it’s goals as:
To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.

Describe the basis of Public-Key Algorithms
CISSP Seminar:
Factoring large prime numbers
RSA
Discrete log problem (difficulty of taking logarithms in finite fields)
El Gamal encryption scheme and signature algorithm
Schnorr’s signature algorithm
Nybergrueppel’s signature algorithm
Station-to-Station protocol for key agreement (STS)
Digital Signature Algorithm (DSA)
Elliptic Curve Crypto (ECC)
RSA Crypto FAQ:
Public-key cryptosystems are based on a problem that is in some sense difficult to solve. Difficult in this case refers more to the computational requirements in finding a solution than the conception of the problem. These problems are called hard problems. Some of the most well known examples are factoring, theorem-proving, and the "traveling salesman problem" - finding the route through a given collection of cities which minimizes the total length of the path.
Factoring is the underlying, presumably hard problem upon which several public-key cryptosystems are based, including the RSA algorithm. Factoring an RSA modulus would allow an attacker to figure out the private key; thus, anyone who can factor the modulus can decrypt messages and forge signatures. The security of the RSA algorithm depends on the factoring problem being difficult and the presence of no other types of attack.
In general the larger the number the more time it takes to factor it. Of course if you have a number like 2^100 it is easier to factor than say, a number with half as many digits but the product of two primes of about the same length. This is why the size of the modulus in RSA determines how secure an actual use of RSA is; the larger the modulus, the longer it would take an attacker to factor, and thus the more resistant the RSA modulus is to an attack.

Define Elleptic Curve Cryptosystems (ECC)
CISSP Seminar:
Uses algebraic system defined on points of elliptic curve to provide public-key algorithms.
Digital signature
Secret key distribution
Confidential info transmission
First proposed by Victor Miller (IBM/CRD) 1985 & Neal koblitz ( Washington univ)

RSA Crypto FAQ:
Elliptic curve cryptosystems were first proposed independently by Victor Miller [Mil86] and Neal Koblitz [Kob87] in the mid-1980s. At a high level, they are analogs of existing public-key cryptosystems in which modular arithmetic is replaced by operations defined over elliptic curves. The elliptic curve cryptosystems that have appeared in the literature can be classified into two categories according to whether they are analogs to RSA or discrete logarithm based systems.

Describe the advantages of Elliptic Curves Cryptosystems (ECC)
CISSP Seminar:
Highest strength/bit of public key systems
Big saving over other public key systems
Computation
Bandwidth
Storage
Bandwith reduced
Short signature and certificates
Fast encryption and signature speed
Hardware and software
Ideal for very small hardware implementations
Smart card
Encryption and digital signatures stages separable to simplify export
RSA Crypto FAQ:
Presently, the methods for computing general elliptic curve discrete logs are much less efficient than those for factoring or computing conventional discrete logs. As a result, shorter key sizes can be used to achieve the same security of conventional public-key cryptosystems, which might lead to better memory requirements and improved performance. One can easily construct elliptic curve encryption, signature, and key agreement schemes by making analogs of ElGamal, DSA, and Diffie-Hellman. These variants appear to offer certain implementation advantages over the original schemes, and they have recently drawn more and more attention from both the academic community and the industry.
The main attraction of elliptic curve cryptosystems over other public-key cryptosystems is the fact that they are based on a different, hard problem. This may lead to smaller key sizes and better performance in certain public-key operations for the same level of security.
Very roughly speaking, when this FAQ was published elliptic curve cryptosystems with a 160-bit key offer the same security of RSA and discrete logarithm based systems with a 1024-bit key. As a result, the length of the public key and private key is much shorter in elliptic curve cryptosystems. In terms of speed, however, it is quite difficult to give a quantitative comparison, partly because of the various optimization techniques one can apply to different systems. It is perhaps fair to say the following: Elliptic curve cryptosystems are faster than the corresponding discrete logarithm based systems. Elliptic curve cryptosystems are faster than RSA in signing and decryption, but slower than RSA in signature verification and encryption. For more detailed comparisons, see the survey article by Matt Robshaw and Yiqun Lisa Yin [RY97].
With academic advances in attacking different hard mathematical problems both the security estimates for various key sizes in different systems and the performance comparisons between systems are likely to change.

Identify the standards Activities Involving Elliptic Curve Cryptosystems (ECC)
CISSP Seminar:
IEEE, P1363 (public-key crypto)
Covers main public key techniques
RSA, ECC, El Gamal, Diffie-Hellman
ANSI X9
Elliptic curve Digital Signature Algorithm
(ECDSA) proposed work item
ANSI ASC X9
Elliptic curve key agreement and key management proposed work item
ISO/IEC CD 148883 "Digital Signature with appendix"
Variety of digital signature mechanisms
RSA Crypto FAQ:
The IEEE P1363 is an emerging standard that aims to provide a comprehensive coverage of established public-key techniques. It continues to move toward completion, with balloting expected later this year. The project, begun in 1993, has produced a draft standard covering public-key techniques from the discrete logarithm, elliptic curve, and integer factorization families. Contributions are currently solicited for an addendum, IEEE P1363a, which will cover additional public-key techniques. The project is closely coordinated with emerging ANSI standards for public-key cryptography in banking, and forthcoming revisions of RSA Laboratories' Public-Key Cryptography Standards will also be aligned with IEEE P1363.
American National Standards Institute (ANSI) is broken down into committees, one being ANSI X9. The committee ANSI X9 develops standards for the financial industry, more specifically for personal identification number (PIN) management, check processing, electronic transfer of funds, etc. Within the committee of X9, there are subcommittees; further broken down are the actual documents, such as X9.9 and X9.17.
The International Organization for Standardization, (ISO), is a non-governmental body promoting standardization developments globally. Altogether, ISO is broken down into about 2700 Technical Committees, subcommittees and working groups. ISO/IEC (International Electrotechnical Commission) is the joint technical committee developing the standards for information technology. One of the more important information technology standards developed by ISO/IEC is ISO/IEC 9798 [ISO92a]. This is an emerging international standard for entity authentication techniques. It consists of five parts. Part 1 is introductory, and Parts 2 and 3 define protocols for entity authentication using secret-key techniques and public-key techniques. Part 4 defines protocols based on cryptographic checksums, and part 5 addresses zero-knowledge techniques.

Describe Pretty Good Privacy (PGP)
CISSP Seminar:
Created by Phil Zimmerman
Random prime number + pass phrase
Key crunching generates key
Convert passphrase into bitsteam
For random key, passphrase must be long
Theory: number of passphrase characters = numbers of bits in key
RSA Crypto FAQ:
PGP (Pretty Good Privacy) is a software package originally developed by Phil Zimmerman that provides cryptographic routines for e-mail, file transfer, and file storage applications. Zimmerman used existing cryptographic algorithms and protocols and developed a system that can run on multiple platforms. It provides message encryption, digital signatures, data compression, and e-mail compatibility.
The algorithms used by PGP have changed over its various versions. Versions prior to 5.0 used RSA for key exchange, MD5 for digital signatures, and IDEA for bulk encryption of messages and files. Version 5.0 added Diffie-Hellman (El Gamal) for key exchange, RIPEMD-160 and SHA-1for digital signatures, and 3DES and CAST for bulk encryption of messages and files.
All versions of PGP have incorporated the routines from the freeware program ZIP (which uses routines that are comparable to the routines used in PKZip) to compress data before encryption. This is done to add security to the cryptographic implementation, as well as minimize the transmission time of the encrypted data. E-mail compatibility is achieved by Radix-64 conversion of the binary data.
PGP is bound by Federal export laws due to its usage of the RSA, IDEA, Diffie-Hellman, 3DES and CAST algorithms. The source code to PGP was legally exported in book form, and is available (along with binary distributions of the program for use outside of the USA) at http://www.pgpi.com

Define the four (4) types of PGP certificates
CISSP Seminar:
Make up yourself
Provided commercially
Vouching on business relationship
Authenticated individual activity
RSA Crypto FAQ:

Compare and contrast El Gamal and Diffie-Hellman Algorithms
CISSP Seminar:
El Gamal
Unpatented, public-key algorithm used for both digital signatures and encryption
Security stems from difficulty in calculating discrete logarithms in a finite field
First public-key crypto algorithm suitable for encryption and digital signatures unencumbered by patents in U.S.
Diffie-Hellman
Invented in 1976 – First public key algorithm
Security stems from difficulty in calculating discrete logarithms in a finite field
Used for key distribution but not for message encryption/decryption
Patent expired in 1997
Bryce Hendrix paper on Cryptography:
El Gamal
Another popular system is the El Gamal algorithm, which relies on the difficulty of discrete logarithms. The algorithm is based on the problem of exponentiation as follows: given a modulus q and some b < q, a character x can be encrypted as integer y is the condition by ? x mod q. The integer y should not be easily computable, providing security through the unfeasibility of complicated discrete logarithms.
The actual El Gamal algorithm requires, for a secure system, that everyone agrees on a large prime modulus, q. A number g is chosen such that, ideally, the order of g is q-1. The user generates a private key, y, then uses that private key to generate the public key, gy; additionally public key must be congruent to 1 mod q. For El Gamal to be secure, y must be difficult to compute from gy. Suppose Alice now wishes to encrypt a message M for Bob using his public key. Since both g and gy are known to Alice, she then computes the kth power of each and sends Bob gk and Mgy^k. Since Bob knows y, he can then reconstruct M by finding the inverse of gy^k and multiplying Mgy^k by the inverse to attain M [Achter].
Comparing the El Gamal algorithm with the RSA algorithm, it is noted that both employ exponentiation, so they can be assumed to have comparable speed in encryption and decryption as well as key gener ation. RSAs security is based on factorization, which has been studied comprehensively over the past two hundred years. El Gamal, on the other hand, relies on solving by discrete logarithms, which remains fairly unstudied. By varying g and the inverse function simultaneously an attack that has a complexity lower than solving by discrete logarithms or factoring, not it can be said that El Gamal is at best no more secure than RSA and possibly much less secure [Nechvatal]. It should also be pointed out that El Gamal requires two values to be sent, the encrypted method and a message dependent large integer- For this reason, El Gamal is said to be less space efficient than RSA, although it may present better security against some attacks, especially if k is different for gk and Mgy^k [Nechvatal].
Milgo Solution:
Diffie Hellman
Diffie Hellman was the first public key algorithm ever developed. It is still extremely popular and highly recommended for key exchange. Its primary advantage over RSA, the most widely used public key algorithm, is that Diffie Hellman is a negotiated key generation while RSA is a master/slave key generation.
The public portions of Diffie Hellman are:
Modulus = m
Integer = g
Two parties, Alice and Bob, who want to negotiate a key that only they will know, perform the following:
1.Alice generates a large random number a and computes X = ga mod m
2.Bob generates a large random number b and computes Y = gb mod m
3.Alice sends X to Bob.
4.Bob computes Key 1 = Xb mod m
5.Bob sends Y to Alice.
6.Alice computes Key 2 = Ya mod m
Both Key 1 and Key 2 are equal to gab mod m. No one besides Alice and Bob is able to generate this value. Only someone who knows a or b is able to generate the key. Therefore Diffie Hellman public key is a means for two parties who have never met to be able to negotiate a key over a public channel.
The security of Diffie Hellman revolves around the choice of the public parameters m and g. Modulus m should be a prime number and (m-1)/2 should also be a prime number. Finally modulus m should be large because the security is related to finding the discrete logarithm in a finite field of size m. SafeDial uses a 1024-bit modulus, which is considered to be highly secure by most experts.

Compare and contrast Cryptographic Module Configurations
CISSP Seminar:
There is four type of modules: inline, offline, enbedded, stand-alone
Inline
Front end configuration
Module capable of accepting plaintext from source
Performing crypto processing
Passing processed data directly to communications equipment
Without passing back to source
May also decrypt reverse process
Data cannot leave host without passing through module
Comm equip in module or external to host
Offline
Back end configuration
Module capable of accepting data from source
Performing crypto processing
Passing processed data back to source
Source responsible for storage and further transmission
Maintaining separation between protected and unprotected data
Ideal for local file encryption
Comm boards may be internal to host
Embedded
Module physically enclosed within and interfaces with computer
Either inline or offline
Less expensive
Physical security (temper protection and detection) questionable
Standalone
Module contained in own physical enclosure
Outside host computer
Either inline or offline

Identify the Activities Related to Key management
CISSP Seminar:
Key management
Key change
Key disposition
Key recovery
Control of crypto keys
RSA Crypto FAQ:
Key management deals with the secure generation, distribution, and storage of keys. Secure methods of key management are extremely important. Once a key is randomly generated (see Question 4.1.2.2), it must remain secret to avoid unfortunate mishaps (such as impersonation). In practice, most attacks on public-key systems will probably be aimed at the key management level, rather than at the cryptographic algorithm itself.
Users must be able to securely obtain a key pair suited to their efficiency and security needs. There must be a way to look up other people's public keys and to publicize one's own public key. Users must be able to legitimately obtain others' public keys; otherwise, an intruder can either change public keys listed in a directory, or impersonate another user. Certificates are used for this purpose. Certificates must be unforgeable. The issuance of certificates must proceed in a secure way, impervious to attack. In particular, the issuer must authenticate the identity and the public key of an individual before issuing a certificate to that individual.
If someone's private key is lost or compromised, others must be made aware of this, so they will no longer encrypt messages under the invalid public key nor accept messages signed with the invalid private key. Users must be able to store their private keys securely, so no intruder can obtain them, yet the keys must be readily accessible for legitimate use. Keys need to be valid only until a specified expiration date but the expiration date must be chosen properly and publicized in an authenticated channel.

Compare and contrast the types of key management
CISSP Seminar:
Link encryption
End-To-End encryption
Key Distribution Center (KDC)
User unique key distributed
Changed infrequently
A calls B
Calling protocol contacts KDC
KDC generates random session key (k)
KDC encrypts k using A’s unique key and sends it to A
KDC encrypts k using B’s unique key and sends it to B
A and B uses k for session

Describe the principle of key management
CISSP Seminar:
Must be fully automated
For key discipline and secrecy
No key in clear outside of crypto device
For secrecy and known plaintext attack resistance
Choose keys randomly from entire key space
Pattern can be exploited by attacker to reduce work
Key encrypting keys must be separate from data keys
Nothing appearing in clear is encrypted with key-encrypting-key
Keep KEK invulnerable to brute force attack
Disguise all pattern in cleartext object before encryption
Format, language, alphabet, public code
To resist ciphertext only attacks
Infrequently use keys with long life
More key is used, more likely a successful attack and greater the consequences

Describe the concept of key recovery and key recovery systems
CISSP Seminar:
Permits recovery of lost or damaged keys without needs to store or escrow them with a third party
Key recovery alliance of vendors formed (10/2/96)
Developed exportable, worldwide approach to strong encryption to enable secure international commerce
Developing modern, high-level crypto "Key recovery" solutions
Meet business requirements
Ease crypto import/export restrictions worldwide
Alliance proposed requirements for ideal key recovery system (9/19/97)
RSA Crypto FAQ:
One of the barriers to the widespread use of encryption in certain contexts is the fact that when a key is somehow "lost", any data encrypted with that key becomes unusable. Key recovery is a general term encompassing the numerous ways of permitting "emergency access" to encrypted data.
One common way to perform key recovery, called key escrow, is to split a decryption key (typically a secret key or an RSA private key) into several parts and distribute these parts to escrow agents or "trustees". In an emergency situation (exactly what defines an "emergency situation" is context-dependent), these trustees can use their "shares" of the keys either to reconstruct the missing key or simply to decrypt encrypted communications directly. This method is used by Security Dynamics' RSA SecurPC product.
Another recovery method, called key encapsulation, is to encrypt data in a communication with a "session key" (which varies from communication to communication) and to encrypt that session key with a trustee's public key. The encrypted session key is sent with the encrypted communication, and so the trustee is able to decrypt the communication when necessary. A variant of this method, in which the session key is split into several pieces, each encrypted with a different trustee's public key, is used by TIS' RecoverKey.
Key recovery can also be performed on keys other than decryption keys. For example, a user's private signing key might be recovered. From a security point of view, however, the rationale for recovering a signing key is generally less compelling than that for recovering a decryption key.

Define Digital Signature as it Pertains to Cryptography
CISSP Seminar:
Authentication tool to verify a message origin and a sender identity
Resolves authentication issues
Block of data attached to message (document, file, record, etc)
Binds message to individual whose signature can be verified
By receiver or third party
Can’t be forged
Each user has public-private key pair.
RSA Crypto FAQ:
The digital signature of a document is a piece of information based on both the document and the signer's private key. It is typically created through the use of a hash function and a private signing function (encrypting with the signer's private key), but there are other methods. Authentication is any process through which one proves and verifies certain information. Sometimes one may want to verify the origin of a document, the identity of the sender, the time and date a document was sent and/or signed, the identity of a computer or user, and so on. A digital signature is a cryptographic means through which many of these may be verified.

Describe the Digital Signature Standard (DSS)
CISSP Seminar:
NIST proposed in 1991
Uses secure hash algorithm (SHA)
Condenses message to 160 bits
Modular arithmetic exponentiations of large numbers
Key size 512-1024 bits
Difficult to invert exponentiations (security)
Equivalent to factoring (RSA)
FIPS 186:
This Standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. The DSA provides the capability to generate and verify signatures.

Define Operation of the Digital Signature Standard
CISSP Seminar:
To sign a message
Sender computes digest of message
Using public hash function
Crypto signature by sender’s private key
Applied to digest creates digital signature
Digital signature sent with message
To verify a message
Receiver computes digest of message
Verifying functions with sender’s public key
Applied to digest and signature received
Verified if both digest match
Signature decryption identifies sender
RSA Crypto FAQ:

<<

. 4
( 5 .)



>>