Cryptography

Table of Contents

• Cryptography | Cryptography | Cryptography | Cryptography
• Cryptographic Controls (ISO 27001-2013: Appendix A.10)

Chapter Summary

This chapter tracks the ISO 27001-2013 appendix 10 which focuses on cryptographic controls. The chapter starts with a top level overview of cryptography and addresses topics from symmetrical key cryptography to public key cryptography, various encryption standards and also various cryptographic libraries. Two sections focus on the two key areas addressed in the ISO document; policy on the use of cryptography, and key management.

Overview

The art of secret writing underpins many of the controls used in computer and communication systems to achieve the various requirements for data and communication security and privacy; confidentiality, integrity, and availability. Cryptographic protocol usually require the use of cryptographic keys which may be shared, and are used in encryption protocols to encrypt data and or communication channels, and also to decrypt encrypted data or communication channels.

Cryptographic protocols are typically measured by the effective length of the cryptographic keys. Prior to the early 1980s and the widespread use of public key cryptography, the same cryptographic key is usually used for both encryption and decryption of data. This creates challenge for key exchange necessary for practical applications from military use to banking. With the advent of public key cryptography, and the elegant solution of key exchange using RSA, and later various other protocols, secure data communication has become tremendously easier, benefiting the explosive growth of the internet and its application in many industry including in higher education. However, as cryptographic protocols gain more currency, defeating them has become more lucrative for attackers who will benefit from gaining unauthorized access to information ranging from personal PHIs, PHIs and other private data, as well as organization and government secret.

The strength of cryptographic protocols, defined in terms of the equivalent synchronous cryptography protocol key strength is a measure of the level of difficulty in deciphering an encrypted text, without first gaining access to the key. The most common approach to breaking cryptographic protocols, or cryptanalysis is by use of brute force. This technique relies on the number of trials that can be conducted in a given amount of time, and the sample space of the key, which is a measure of the number of bits of the equivalent synchronous key. Today, given the advances in computing and cryptanalysis techniques, 128 bit is considered a floor for cryptographic key strengths and 256 bits is usually considered acceptable.

Cryptography covers encryption, digital signature, and decryption. It is usually defined as the art and or science of secret (code) writing. Applied properly, cryptography can provide protection for the confidentiality, integrity, and privacy of data or information at rest or in transit. Encryption can be synchronous or asynchronous.  Synchronous cryptography is mostly used for data at rest, and also for digital signature. Asynchronous cryptography is usually used for data in transit and in cases where encryption and decryption keys need to be shared or exchanged.

Cryptographic standards are designed to optimize encryption, while making decryption without access to a key nearly impossible. For example, encrypting with DES using readily available computer in 1980 takes few milliseconds, but a brute-force attack against DES, which could include a complete search of all possible keys, using similar computer in 1980 will take many years. In general, cryptographic key length provides a measure of strength since they determine the key-space over which a brute force attack must be done. It is important to note that crypt-analysis as a field of study aims to identify weaknesses in a cryptographic protocol so as the reduce the need for, or scope of brute-force attack. The security of a cryptographic implementation is no stronger than the security of the key.

Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk Encryption is one way to protect data at rest.Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure.

Encryption based transport protocols such as SSL and IPSec can be used for securing virtual private networks. Encryption is also used in DNSSEC to protect the integrity of DNS and DNS handshake. SSL and TLS certificates are used to protect email in transit.

Cryptography of page

Standards

Cryptography of page

Cryptography of page

Cryptographic Controls (ISO 10.1)

Certain data, by their nature, require particular confidentiality protection that can be provided by encryption techniques. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality - when Social Security Numbers are involved, for example. Parties who may acquire unauthorized access to the data but who do not have access to the encryption key - the "password" that encrypted the data - cannot feasibly decipher the data.

Data exist in one of three states: at rest; in transit; or undergoing processing. Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (holding data at rest) are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but here the security system may rely on the processing application to control, and report on, such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data at rest or in transit.

The following campus case studies are included in Encryption 101, a basic guide to encryption concepts.
Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech

Full disk encryption (FDE) can be used to mitigate the risk of data exposure, but the security is only in place when the computer is turned off. FDE may be most effective when used on laptops that, when stolen or lost, are often powered off. See Introduction to Full Disk Encryption (FDE) for an overview of FDE.

PGP is an email encryption and signature algorithm based on public key cryptography. PGP is based on a web of trust model and like other certificate based public key cryptography, it requires a central authority or key repository. PGP now exists in two main versions, the open source version (openPGP) and the version supported by Symantec. Note that Symantec now uses the PGP name to refer to most of its encryption solutions, including its Whole Disk encryption as well as its email encryption solution. 

Cryptography of page

Cryptographic Standards

AES | ENCRYPTION ( Synchronous Cryptography)

The standard for synchronous key cryptography is Rijndael or the Advanced Encryption Standard, so named by by NIST in FIPS 197, published in 2001 as a replacement for the so called Triple Data Encryption Standard (3DES) and its predecessor, the Data Encryption Standard (DES) which was by 2001, almost two decades old. The AES algorithm was designed to enable encryption and decryption of of 128 data blocks with 128, 192, or 256 bit keys. The higher keys require more computation to encrypt and decrypt and are therefore stronger, since they are much harder to break. The AES was the culmination of an international competitive race to find the most difficult to break block encryption algorithm to replace the aging DES algorithm, which by the late 1990s was already succumbing to cryptanalytic techniques including parallelization and distributed attacks. Other finalists in the NIST sponsored selection process includedRC6, MARS, Serpent, and Twofish. 

AES is used to encrypt data at rest, and the NSA recommends its use as part of suite B, specifically AES key size 128 bit for classified information up to the SECRET level, and 254 bit for classified information up to TOP SECRET level.

While AES as an algorithm went through a thorough international review, the implementation in various crypto libraries will determine the true strength and or weakness of a given software or application that claims to support it. This is true for all cryptographic algorithms and libraries, thus it is important to be cautious in selecting and testing cryptographic solutions. Common Criteria provides a framework for evaluating security systems, including crypto systems , crypto libraries and cryptographic software and solutions.

ECDH | KEY EXCHANGE (Asymmetric Cryptography)

Elliptic curve based algorithms is replacing RSA as the de-factor algorithm for public key cryptography. RSA crypto systems depends on the difficulty in factorizing large prime numbers, a difficulty that becomes less so with increasing speed and memory of general purpose computers. Elliptic curve crypto systems on the other hand is based on solving discrete logarithmic problems over an elliptic curve. A key merit of elliptic curve crypto (ECC) systems lies in the limited number of key bits in ECC to obtain a given key strength as is required for RSA. Note that key strength is measured in terms of the comparable synchronous cryptography. For example, 1024 bit RSA (RSA 1024) has a key strength of 80 bits and a 160 bit ECDH (Elliptic Curve Diffie-Hellman) has a key strength of 80 bits.

ECDSA | Digital Signature (Asymmetric Cryptography)

Elliptic Curve Digital Signature Algorithm is a variant of the Digital Signature Algorithm that uses Elliptic Curves, and is based on the ElGamal discrete log algorithm. Digital signature provides a way for third-party to verify the authenticity of a message sent over any channel (regardless of the channel security). Note that digital signature does not require the sharing of keys, unlike, encryption.

Secure Hash Algorithm (SHA)

Hashing is a cryptographic process of turning an arbitrary data block into a fixed sized bit-string. Secure hash algorithms provide a convenient way to validate that a given file has not changed since the hash was last created. This is particularly important when sharing a file (such as an application) in public domain while ensuring the integrity of that file can be validated at any time. Message Digest is another method of providing the same assurance. SHA is a family of cryptographic functions published by NIST. 

References:

• NSA Suite B: http://www.nsa.gov/ia/programs/suiteb_cryptography/  & http://www.nsa.gov/business/programs/elliptic_curve.shtml
• Certicom : https://www.certicom.com/index.php/ecc
• Hankerson, Menezes, Vanstone. Guide to Elliptic Curve Cryptography
• NIST SP 800-56A http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf
• Secure Hash Standard - NIST SP 180-4 http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
• Cryptographic Hash Function - Wikipedia http://en.wikipedia.org/wiki/Cryptographic_hash_function

Cryptographic Libraries

Software developers and vendors usually write cryptographic libraries for various platforms. OpenSSL, the open source secure socket layer library is arguable one of the most popular, as well as most widely used cryptographic library. OpenSSL is used as the default cryptographic library for *NIX systems, including all Linux variants, all BSD variants and in Mac. Microsoft Operating Systems use the Microsoft Cryptographic Provider, which is also the foundation for .NET cryptography.Other common cryptographic libraries include the Java Cryptographic Library, Wei Dai C++ Crypto library,

References:

• http://www.cryptopp.com/
• http://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx
• http://msdn.microsoft.com/en-us/library/ms867086.aspx
• http://php.net/manual/en/refs.crypto.php
• http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• https://code.facebook.com/posts/1419122541659395/introducing-conceal-efficient-storage-encryption-for-android/
• https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html
• http://bouncycastle.org/

Resources

Cryptography of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).