Cryptography and The Internet

Cryptography and the Internet
BRKSEC-3009
BRKSEC-3009 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Overview
Background
Next Generation Encryption
Suite B, FIPS-140-2011
Issues
Crypto Globalization
Quantum Computers
Quantum Cryptography
Post-Quantum Cryptography
Recommendations
BRKSEC-3009 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Background
How to detect attacks?
Malware Broken encryption
How to detect attacks?
Malware Broken encryption

Host Process Monitoring
Network Monitoring
Tripwire
Antivirus
Antimalware
Product Security Bulletins
Cryptography Protects Data on
Untrusted Networks
Untrusted Networks
Untrusted Networks
Untrusted Networks
Snooping
Untrusted Networks
Spoofing and Tampering
Untrusted Networks
Key Establishment
Digital Signatures
Cryptographic Mechanisms
Encryption
Data Authentication
Key Establishment
Signatures
Hashing
Secret Key Encryption
Key Key
Data Data
Encrypted Data
Public Key Encryption
Public Key Private Key
Data Data
Encrypted Data
Public Key Encryption
Public Key Private Key
Data Data
Encrypted Data
Protecting a Packet
VIHL TOS Length
ID F Offset
IP TTL Proto Checksum

Source IP Address
Destination IP Address
IP Options Padding
Source Port Dest Port
UDP UDP Length UDP Chksm
V X PT Seq Num
SSRC
Timestamp
CSRC
SRTP
Data
Authentication Tag
Encryption
VIHL TOS Length
ID F Offset

Source IP Address
IP Options Padding
V X PT Seq Num
SSRC
Timestamp
CSRC
SRTP
Data
Authentication Tag
Authentication
VIHL TOS Length
ID F Offset

Source IP Address
IP Options Padding
V X PT Seq Num
SSRC
Timestamp
CSRC
SRTP
Data
Authentication Tag
Authenticated Encryption
Header Data
Header Ciphertext
Authenticated Encryption with
Associated Data (AEAD)
Tight binding prevents subtle attacks
BEAST, Padding Oracle,
RFC 5116, An Interface and Algorithms for
Authenticated Encryption
Standards
TLS 1.2 (RFCs 5288, 5289), IKE (RFC 5282), SSH (RFC
5647), SRTP, JSON
Compatible with ESP (RFC 4106) and 802.1AE
draft-mcgrew-aead-aes-cbc-hmac-sha2-00
Digital Signatures
Private Key
Message Signature
Public Key
Message
0/1
Signature
Digital Signatures
Private Key
Message Signature
Public Key
Message
0/1
Signature
Hashing
Message Hash
Collision
Message1
Hash
Message 2
Collision Resistance
Message1
Hash
Message 2
Second Preimage Resistance
Message1
Hash
Message 2
Hash Function Attacks
Collision resistance
Failures: MD4, MD5, SHA-0, SHA-1
Second preimage resistance (digital signatures)
Failure: MD4
HMAC Message Authentication Code
Failures: MD4, SHA-0
Diffie Hellman
Alice Bob
Diffie Hellman
g is number < p
Alice Bob
Diffie Hellman
g is number < p
Alice Bob
x = random
gx mod p
Diffie Hellman
g is number < p
Alice Bob
x = random
gx mod p
y = random
gy mod p
(gy)x mod p (gx)y mod p
Diffie Hellman
g is number < p
Alice Bob
x = random
gx mod p
y = random
gy mod p
(gy)x mod p = (gx)y mod p
Security at Different Layers
Security at Different Layers
802.11i WPA2 Wireless Security
Application 802.11i
Presentation
Session
Transport
Network
Link
Physical
Ethernet MACsec
Application
Presentation
Session
MACsec
Transport
Network
Link
Physical
IPsec
Application IPsec
Presentation
Session
Transport
Network
Link
Physical
Transport Layer Security (TLS)
Application
Presentation
Session
Transport TLS
Network
Link
Physical
Secure Shell (SSH)
Application
Presentation
Session
Transport
Network
SSH
Link
Physical
Secure RTP
Application
Presentation
Session
Transport SRTP
Network
Link
Physical
Defense in Depth
Application 802.11i
IPsec
Presentation
Session
MACsec
Transport TLS SRTP
Network
SSH
Link
Physical
Certificates and Passwords
Entity Authentication
Certificate
Self-Signed Certificate
Password Based Keys
Password Data
abnegator
Encrypted Data
Dictionary Attack
abluent Data
ablush Format
ablution Match
ablutionary ?
abluvion
ably
abhmo
Abnaki
abnegate
abnegator
Encrypted Data
Dictionary Attack
ablush Data
ablution Format
ablutionary Match
abluvion ?
ably
abhmo
Abnaki
abnegate
abnegator
Encrypted Data
Dictionary Attack
ablution Data
ablutionary Format
abluvion Match
ably ?
abhmo
Abnaki
abnegate
abnegator
Encrypted Data
Time-Memory Tradeoff
Cain and Abel

Krb5, NTLM, NTLMv2, OSPF, RIPv2, VRRP, VNC, IKE PSK
Great Cipher, But Where Did You Get That Key?
Cryptographic Strength
Work Factor
Key Strength
Sources: Lenstra and Verheul, NIST

Key Strength

Key Strength

Key Strength

Key Strength

Key Strength

Key Strength
AES-256
AES-128

Hacker ($400)
Medium Organization ($300K)
Intelligence Agency
Key Strength
Key Strength
AES-128
3DES
RC5-64
DES
Algorithms Never Get Stronger
SHA-1
Sources: FIPS-180-1, Wang, Yin, Yu 05, Cochran 07

Public Key Strength
Sources: RSA Laboratories

Prevalent
AES-128-CBC
DH-1024 RSA-1024
SHA-1
FIPS-140 2011
AES-128 SHA-256
DH-2048 RSA-2048
FIPS-140
Advanced Encryption Standard
Standards Process
Three Years, Four Workshops
15 Candidates from around the world (Belgium Won)
Most analyzed cryptoalgorithm ever
Theoretical Attacks
Related-key model
AES-256, AES-192
Biclique cryptanalysis
Chosen ciphertext attack that shaves two bits off of 128-bit key
Hash Functions
SHA-512
SHA-384
SHA-256
SHA-224
SHA-0 SHA-1
Suite B
Suite B
Upgrades the entire Crypto Suite

Efficient at high security levels and high speeds
USG recommended crypto algorithms
Subset of FIPS-140
Selected by US National Security Agency (NSA)
Introduced into many standards
RFC4869 Suite B Cryptographic Suites for IPsec
Approved for SECRET and TOP SECRET
Suite B
ECDSA-
AES-128-GCM ECDH-P256 SHA-256
P256
Suite B 192-bit Profile
AES-256-GCM
ECDSA-
ECDH-P384 SHA-384
P384
Suite B AES Galois/Counter Mode
Galois/Counter Mode (GCM)
Block cipher mode of operation for Authenticated Encryption

with Associated Data (AEAD)
High speed, low latency, low cost
Most efficient mode for packet networks
Widely adopted in the industry
Layer 3+: IPSec, TLS, DLTS, SSH, SRTP
Layer 2: 802.1AE MACSec, Gigabeam, 802.11
Storage encryption: 1619.1, LTO-4
Inside commercial crypto silicon
NIST SP 800-38D
Cisco Nexus 7000 Series 32-Port 10Gb Ethernet Module with 80 Gb bandwidth to the fabric
AES Counter Mode Pipeline
0000001 0000002 0000003 0000004
Round 1 Round 1 Round 1 Round 1

AES Counter Mode Pipeline
0000011 0000012 0000013 0000014

P0 P1 P2 P3
C0 C1 C2 C3
AES GCM
0000001 000002 000003
AES AES AES
P0 P1 P2
C0 C1 C2
MUL MUL MUL
Cipher Block Chaining (CBC)
P0 P1 P2
Round 1 Round 1 Round 1

C0 C1 C2
Cipher Block Chaining (CBC)
P0 P1 P2

C0 C1 C2
Suite B Elliptic Curve Cryptography
Elliptic Curve Cryptography
Alternative crypto mathematics

Invented in 1985
Used and endorsed by NSA
Adopted in some niches (e.g. Smart Grid)
More efficient than RSA at higher security levels
Current commercial security (96 or 112 bits) - ECC
slower
128 bits strength ECC operations faster
256 bits strength ECC much faster
ECC Efficient at High Security
Integer
Computational
Cost
ECC
Security
ECC History
Many ECC patents

Slow adoption
RFC 6090 Fundamental Algorithms of ECC
Subset of basic ECC that predates patents
Simplifies IPR analysis
Closely based on pre-1994 references
Security: survived > 18 years of review
Timeline
Meta
Homogeneous ElGamal
EC ElGamal Coordinates Signatures
[K1987] [KMOV1991] [HMP1994]
1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995
ECC invented ECC Abbreviated

ECDH Implementation EC ElGamal
[M1985] [BC1989] Signatures
[KT1994]
EC ElGamal
Signatures
[A1992]
Cisco Next Generation Encryption
Future Ready
Meets security and scalability requirements of next two decades
Communications and IT infrastructures must be defended against attack
and exploitation
Attackers are persistent and well-funded
Computing advances driving a move to higher cryptographic strengths
Next Generation Encryption
Authenticated
AES-128-GCM
Encryption
Authentication HMAC-SHA-256
Key Establishment ECDH-P256 Suite B
Digital Signatures ECDSA-P256
Hashing SHA-256
Entropy SP800-90
Protocols TLSv1.2, IKEv2,
Security Problems Solved by NGE
3DES 1GB limit
HMAC-MD5 HMAC-SHA-256
DH, RSA 1024-bit at risk Suite B
RSA, DSA 1024-bit at risk
MD5, SHA-1 Collision attacks
Entropy Inconsistent quality
TLS1.0, IKEv1 Flaws, lack of AE
Cisco NGE ASR
ISR
ASA
Now 2013
AnyConnect
Trends and Issues
Quantum Computers: Threat
Quantum Cryptography: Defense
Post-Quantum Cryptography:
Better Defense
Quantum Computers
Could break RSA-2048, DH-2048 by factoring 2048-

bit integers
Could break AES-128 in time 264, AES-256 in 2128
May prove impossible
Active area of research
Quantum Computers
Could break RSA-2048, DH-2048 by factoring 2048-

bit integers
Could break AES-128 in time 264, AES-256 in 2128
May prove impossible
Active area of research
Quantum Factoring Record: 15 = 3 x 5
Point-to-point encryption over optical fiber

Quantum mechanics eavesdropping detectable
Random Random
Source Source
X X
0,1 0,1
+ +
Bit Selection Bit Selection

& Privacy & Privacy
Amplification Amplification
key courier
Shared Secret Shared Secret
Limitations
Relies on initial pre-shared secret
Compares unfavorably to other cryptosystems
Less assurance, less flexibility, higher cost
Laughable data rates (< 1 kbit/sec)
Quantum PHY attacks are serious threat
QC is point-to-point and requires dedicated PHY
QC cannot cross routing or switching
QC has little value to most networks
AES-256-GCM SHA-512
McEliece-
AES-256-GCM SHA-512
120K
McEliece- Lamport-SHA-
AES-256-GCM SHA-512
120K 512
3DES
AES
Camellia
GOST-89 CLEFIA
KCipher2
3DES
AES
SEED
SMS4 ARIA
How Many Do We Need?
Single Alternate Cipher

Provide fallback against cryptanalytic progress on AES
Algorithm Diversity
Different technical lineage than AES
Focus on 192, 256-bit key strength
Stronger key schedule
A single alternative could be chosen as SHOULD
implement cipher
Extensive Public Review
Open standards processes
Background: draft-irtf-cfrg-cipher-catalog-00
Recommendations
Recommendations
Now
AES-128-GCM,
AES-128-CCM
HMAC-SHA-256
DH-2048,
RSA-2048
RSA-2048
SHA-256
Recommendations
Now
AES-128-GCM,
AES-128-CCM
HMAC-SHA-256
DH-2048,
RSA-2048
RSA-2048
SHA-256
Recommendations
Now Soon
AES-128-GCM, AES-128-GCM,
AES-128-CCM AES-128-CCM
HMAC-SHA-256 HMAC-SHA-256
DH-2048,
ECDH-P256
RSA-2048
RSA-2048 ECDSA-P256
SHA-256 SHA-256
Other Recommendations
Use Certificates
Manually installed or authenticated good for transition
Audit how your organization uses uncertified public keys
Do not use password based keys
Generate with tool if need be
Other Recommendations
Use Certificates
Manually installed or
authenticated good for
transition
Audit how your organization
uses uncertified public keys
Do not use password based
keys
Generate with tool if need be
Use Authenticated Encryption
What to Avoid
GOST 28147-89, RC4, 3DES at high data rates
XCBC-MAC, HMAC-MD5
DH-1024, RSA-1024
RSA-1024
MD5, SHA-1
Complete Your Online
Session Evaluation
Give us your feedback and you
could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for each
session evaluation you complete.
Complete your session evaluation
online now (open a browser through
our wireless network to access our Dont forget to activate your
portal) or visit one of the Internet Cisco Live Virtual account for access to
stations throughout the Convention all session material, communities, and
on-demand and live activities throughout
Center. the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of

Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco
booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-
demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI
BRKSEC-3009 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contact me: mcgrew@cisco.com
Backup
Export Restricted Zone
Export Restricted Zone
Export
The EU License-Free Zone is the group of

countries to which Cisco can export all goods,
including strong encryption (restricted) items. This
includes government or military end-users that if
outside the zone would require a license.
Any government or military end customer outside
the EU License free zone and US embargoed
countries will require a US export license. Written
Assurance required for other end customers in
Export Restricted zone
Prohibited Zone - No product can be shipped to
U.S.-embargoed countries
Attacks
Attacks on IPsec
Padding
Attacks on TLS
Bleichenbacher chosen ciphertext attack
Renegotiation attack
Side channels
Timing attacks
Why is Crypto Hard?
Breaks liberal in what you accept

Encapsulation, ordering, additions
Breaks Metcalfs law
Cant assume that any two devices can talk
Public Key Sizes
30x
Source: RFC3766, Determining Strengths For Public Keys Used For Exchanging Symmetric Keys

Cryptography and The Internet - BRKSEC-3009

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Cryptography and The Internet - BRKSEC-3009

Caricato da

Copyright:

Formati disponibili

Malware Broken encryption

Malware Broken encryption

Public Key Private Key

Public Key Private Key

IP TTL Proto Checksum

IP TTL Proto Checksum

IP TTL Proto Checksum

(gy)x mod p (gx)y mod p

(gy)x mod p = (gx)y mod p

Cain and Abel

Great Cipher, But Where Did You Get That Key?

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: Lenstra and Verheul, NIST

Sources: FIPS-180-1, Wang, Yin, Yu 05, Cochran 07

Sources: RSA Laboratories

Upgrades the entire Crypto Suite

Block cipher mode of operation for Authenticated Encryption

Round 1 Round 1 Round 1 Round 1

Round 1 Round 1 Round 1 Round 1

0000001 000002 000003

AES AES AES

MUL MUL MUL

Round 1 Round 1 Round 1

Round 1 Round 1 Round 1

Alternative crypto mathematics

Many ECC patents

ECC invented ECC Abbreviated

Key Establishment ECDH-P256 Suite B

Digital Signatures ECDSA-P256

Protocols TLSv1.2, IKEv2,

3DES 1GB limit

DH, RSA 1024-bit at risk Suite B

RSA, DSA 1024-bit at risk

MD5, SHA-1 Collision attacks

Entropy Inconsistent quality

TLS1.0, IKEv1 Flaws, lack of AE

Quantum Cryptography: Defense

Could break RSA-2048, DH-2048 by factoring 2048-

Could break RSA-2048, DH-2048 by factoring 2048-

Quantum Factoring Record: 15 = 3 x 5

Point-to-point encryption over optical fiber

Bit Selection Bit Selection

Single Alternate Cipher

GOST 28147-89, RC4, 3DES at high data rates

Get hands-on experience with the Walk-in Labs located in World of

Export Restricted Zone

The EU License-Free Zone is the group of

Breaks liberal in what you accept

Potrebbero piacerti anche