CHAPTER 12
CRYPTOGRAPHY
After reading this chapter and completing the activities, you will be able to:
Summarize the history and principles of cryptography
Describe symmetric and asymmetric encryption algorithms
Explain public key infrastructure (PKI)
Describe possible attacks on cryptosystems
Protecting data as it traverses a network or while it’s stored on a computer is one of a network security professional’s most important jobs. Companies as well as users don’t want others to be able to view confidential documents and files.
In this chapter, you examine the cryptography technologies that security professionals use to protect a company’s data. You see how information can be converted into an unreadable format and how only those with the correct key or “decoder” can read the message. You also look at cryptography attacks and some of the tools used to conduct these attacks.
UNDERSTANDING CRYPTOGRAPHY BASICS
Cryptography is the process of converting plaintext, which is readable text, into ciphertext, which is unreadable or encrypted text. Cryptography can be used on data that people or organizations want to keep private or data that should be accessible to only certain users. In other words, cryptography is used to hide information from unauthorized users. Decryption is the process of converting ciphertext back to plaintext (also called cleartext). As a kid, you might have had a decoder ring from a box of cereal that you could use to write a letter to a friend in secret code. If your friend had the same decoder ring, he or she could decode your letter and read it.
History of Cryptography
Cryptography has been around for thousands of years. For example, some Egyptian hieroglyphics on ancient monuments were encrypted. The Book of Jeremiah was written by using a cipher, or key, known as Atbash. This simple cipher reversed the alphabet—replacing A with Z, for example—and only the person who knew the mapping could decipher (decrypt) the message. This type of cryptography is called a substitution cipher. Julius Caesar developed a similar substitution cipher for encrypting messages by shifting each letter of the alphabet three positions. For example, A was encoded as the letter D. Every culture seems to have used some form of hiding or disguising plaintext. The Kama Sutra, written by the Indian scholar Vatsyayana almost 2000 years ago, recommends that men and women learn and practice the art of cryptography, which it defines as “the art of understanding writing in cipher and the writing of works in a peculiar way.”
Note
You can find an excellent timeline of cryptography in The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, Revised Edition, written by David Kahn (Scribner, 1996, ISBN 0684831309).
As long as people attempt to create encryption algorithms to protect data, others will endeavor to break them. The study of breaking encryption algorithms is called cryptanalysis. It’s taught in universities and by government agencies, but hackers also find the challenge of breaking an encryption algorithm intriguing and continue to force developers of encryption algorithms to push the envelope in finding harder-to-break algorithms. When a new encryption algorithm is developed, cryptanalysis is used to ensure that breaking the code is impossible or would take so much time and so many resources that the attempt would be impractical. In other words, if breaking an encryption algorithm requires the processing power of a $500 million supercomputer and 500 years, the algorithm can be considered secure enough for practical purposes. When cryptanalysis is feasible with a reasonable amount of computing power, however, an attack on the algorithm is deemed “practical,” and the algorithm is considered weak.
The War Machines
The most famous encryption device was the Enigma machine, developed by Arthur Scherbius and used by the Germans during World War II. Most books on cryptography discuss this device. How did it work? The operator typed a letter to be encrypted, and the machine displayed the substitution character for the letter. The operator then wrote down this substitution character and turned a rotor or switch. He or she then entered the next letter and again wrote down the substitution character Enigma displayed. When the message was completely encrypted, it was transmitted over the airwaves. Of course, the message could be decrypted only by the Enigma machine at the other end, which knew in what positions to shift the rotors. The code was broken first by a group of Polish cryptographers, and then by the British and Americans. The machine British and American cryptologists used for breaking the code, developed by British mathematician Alan Turing, was called the Bombe.
During World War II, the Japanese developed another notable war machine, called the Purple Machine, that used techniques discovered by Herbert O. Yardley. A team led by William Frederick Friedman, a U.S. Army cryptanalyst known as the Father of U.S. Cryptanalysis, broke the code. The FBI had employed Mr. Friedman and his wife to assist in decrypting radio messages sent by bootleggers and smugglers during the 1930s. These encryption codes proved to be more difficult and complex than those used during wartime.
The main purpose of cryptography is to hide information from others, and there are methods of hiding data that don’t use encryption. One is steganography, a way of hiding data in plain view in pictures, graphics, or text. For example, a picture of a man standing in front of the White House might have a hidden message embedded that gives a spy information about troop movements. In 1623, Sir Francis Bacon used a form of steganography by hiding bits of information in variations of the typeface used in books.
Security Bytes
Did you know that Thomas Jefferson invented a wheel cipher in the 18th century that the Navy redeveloped and used during World War II and named M-138-A? The more things change, the more they remain the same.
UNDERSTANDING SYMMETRIC AND ASYMMETRIC ALGORITHMS
Modern cryptography uses encryption algorithms to encrypt data, banking transactions, online Web transactions, wireless communication (WEP and WPA encryption), and so on. An encryption algorithm is a mathematical function or program that works with a key. The algorithm’s strength and the key’s secrecy determine how secure the encrypted data is. In most cases, the algorithm isn’t a secret; it’s known to the public. What is secret is the key. A key is a sequence of random bits generated from a range of allowable values called a keyspace, which is contained in the algorithm. The larger the keyspace, the more random sequenced keys can be created. For example, an algorithm with a 56-bit keyspace has 256 possible keys. The more random keys that can be created, the more difficult it is for hackers to guess which key was used to encrypt the data. Of course, using only eight random keys (as shown in Figure 12.1) makes the algorithm too easy to crack and is shown as an example only.
Figure 12.1
Selecting random keys from a keyspace
Courtesy Course Technology/Cengage Learning
Most attempts to break a cryptosystem are related to guessing the key. No matter how strong the algorithm or how large the keyspace, if the key isn’t protected, an attacker can decrypt the message. If users share their keys with someone, all bets are off! Table 12.1 summarizes the three types of algorithms.
Having a cryptologist’s skills isn’t necessary for security testers, but understanding basic cryptology terms is helpful. For example, if you see the description “Blowfish is a block cipher with a key size up to 448 bits,” you want to know enough to understand what it means. The following sections examine these algorithm types in more detail and explain some basic terms.
Table 12.1 Symmetric, asymmetric, and hashing algorithms
Symmetric Algorithms
Cryptosystems using symmetric algorithms have one key that encrypts and decrypts data. If a user wants to send a message to a colleague, he or she encrypts the message with the secret key, and the colleague, who must have a copy of the same key, decrypts the message. If the user wants to encrypt a different message and send it to another colleague, a different secret key must be used. If hundreds of colleagues are placed in the equation, keeping track of which secret key to use becomes a big problem. To calculate the number of keys needed to support a symmetric system, you use the formula n (n −1) / 2. For example, if five users need to use secret keys to transmit data, you need 5(5 − 1) / 2 keys, or 10 keys.
Another problem with secret keys is how to send one to the colleague decrypting your message. E-mailing it can be dangerous because the message can be intercepted. You can try putting the secret key on a CD-R or USB drive, but either medium can be misplaced or stolen.
Because two users share the same key in symmetric algorithms, there’s no way to know which user sent the message. In other words, symmetric algorithms don’t support authentication and nonrepudiation (covered in more detail in “Asymmetric Algorithms”).
As you can see, there are some problems with symmetric algorithms, but as Table 12.1 states, they’re fast. They’re perfect mechanisms for encrypting large blocks of data quickly and are difficult to break if a large key size is used. The advantages of symmetric algorithms are as follows:
Much faster than asymmetric algorithms
Difficult to break if a large key size is used
Only one key needed to encrypt and decrypt data
Symmetric algorithms have the following disadvantages:
Require each pair of users to have a unique secret key, making key management a challenge
Difficult to deliver keys without risk of theft
Don’t provide authentication or nonrepudiation for users
Two types of symmetric algorithms are used currently: stream ciphers and block ciphers. Stream ciphers operate on plaintext one bit at a time. Messages are treated as a stream of bits, and the stream cipher performs mathematical functions on each bit, which makes these algorithms great candidates for hardware or chip-level encryption devices. Block ciphers operate on blocks of bits. These blocks are used as input to mathematical functions that perform substitution and transposition of the bits, making it difficult for someone to reverse-engineer which mathematical functions were applied to the blocks of bits.
In the following sections, you take a look at some of the symmetric algorithms that have become standards in the industry. Regardless of the standard, however, symmetric algorithms rely on one and the same key to encrypt and decrypt data.
Activity 12.1: Hacking DVD Encryption Methods
Time Required: 20 minutes
Objective: Use the Internet to find information on DVD encryption methods.
Description: In this activity, you use the Internet to research the encryption method used for DVDs.
1. In Windows, start a Web browser, go to any search engine, and type DeCSS for the search keyword. How does DeCSS relate to DVD encryption?
2. On the search page, type Why the DVD Hack was a Cinch as the search phrase. It should take you to an article at www.wired.com by Andy Patrizio. Read the two-page article. What does CSS stand for?
3. Go to several other links related to CSS encryption. Were any lawsuits brought against the DeCSS program? If yes, describe them briefly.
4. Exit your Web browser, and log off Windows for the next activity.
Data Encryption Standard
A discussion of symmetric algorithms must include Data Encryption Standard (DES). The National Institute of Standards and Technology (NIST) wanted a means of protecting sensitive but unclassified data, so in the early 1970s, it invited vendors to submit data encryption algorithms. The best algorithm would become the standard encryption method for government agencies and private-sector companies. IBM had already created a 128-bit algorithm called Lucifer. NIST accepted it as the standard encryption algorithm; however, the National Security Agency (NSA) wanted to make some modifications before allowing it to be used. The NSA decided to reduce the key size from 128 bits to 64 bits and named it Data Encryption Algorithm (DEA). To be clear, DES is the standard, and DEA is the encryption algorithm used for the standard. DEA isn’t the most creative name, but the NSA probably thought the name Lucifer didn’t have an official government ring to it. The reason the NSA reduced the algorithm’s keyspace isn’t known. What is known is that 128-bit encryption is far more difficult to crack than 64-bit encryption.
Note
Even though DEA uses 64-bit encryption, only 56 bits are effectively used. Eight of the 64 bits are used for parity (error correction).
As with most things, time took its toll on DES. In 1988, NSA thought the standard was at risk of being broken because of its longevity and the increasing power of computers. Any system, no matter how secure, is vulnerable when hackers have years to look for holes. NSA proved to be correct in its assumption. The increased processing power of computers soon made it possible to break DES encryption. In fact, in 1998 a computer system was designed that was able to break the encryption key in only 3 days. There are also examples of hackers combining the processing power of thousands of computers (without the system owners’ knowledge) over the Internet to crack complex encryption algorithms. Many cryptologists are too quick to claim that it would take several Cray supercomputers 200 years to figure out the secret key in their encryption algorithms, when only a few years of improvements in processor speed prove it can be done with just a powerful laptop and access to the Internet.
Triple DES
A new standard was needed because DES was no longer the solution. Triple Data Encryption Standard (3DES) served as a quick fix for the vulnerabilities of DES. To make it more difficult for attackers to crack the encryption code, 3DES performs the original DES computation three times with different keys. This more complex computation on data makes 3DES much stronger than DES. This improvement did have a price in performance, however. 3DES takes longer to encrypt and decrypt data than its predecessor did, but that’s a small price to pay for far better security.
Advanced Encryption Standard
Eventually, NIST decided that 3DES was just a stop-gap measure for a weak algorithm and a new standard was in order: Advanced Encryption Standard (AES). In 1997, NIST put out another request to the public for a new encryption standard, asking for a symmetric block cipher capable of supporting 128-, 192-, and 256-bit keys. There were five finalists, but NIST chose Rijndael, developed by Joan Daemen and Vincent Rijmen, because of its improvements in security, efficiency, performance, and flexibility. The other four finalists were MARS, RC6, Serpent, and Twofish. (See http://csrc.nist.gov for more details.) AES-256, part of the NSA’s Suite B set of cryptographic algorithms, is one of the only commercial algorithms validated as strong enough to protect classified information. For more information, see www.nsa.gov/ia/programs/suiteb_cryptography.
International Data Encryption Algorithm
International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks of plaintext. It uses a 128-bit key and is used in PGP encryption software (covered later in “Asymmetric Algorithms”). IDEA was developed by Xuejia Lai and James Massey to work more efficiently in computers used at home and in businesses. It’s free for noncommercial use, but a license must be purchased for commercial use. Currently, it’s patented in the United States and most European countries, but the patent is set to expire in 2010–2011.
Blowfish
Blowfish is another block cipher that operates on 64-bit blocks of plaintext. However, the key length is variable, from 48 bits up to 448 bits. It was developed as a public-domain algorithm by Bruce Schneier, a leading cryptologist and the author of Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition (Wiley, 1996, ISBN 0471117099), which is highly recommended for those who want to learn more about the algorithm and view its C source code.
RC4
RC4, the most widely used stream cipher, is used in WEP wireless encryption. It’s because of the way RC4 is implemented in WEP that finding the key with air-cracking programs, for example, is so easy. The algorithm was created by Ronald L. Rivest in 1987 for RSA Security (www.rsa.com).
RC5
RC5 is a block cipher that can operate on different block sizes: 32, 64, or 128 bits. The key size can reach 2048 bits. The algorithm was created by Ronald L. Rivest in 1994 for RSA Security.
Asymmetric Algorithms
Instead of the single key used in symmetric algorithms, asymmetric algorithms use two mathematically related keys, so data encrypted with one key can be decrypted only with the other key. Another name for asymmetric algorithms is public key cryptography, and these terms are often used interchangeably. A public key is openly available; in many cases, public keys can be downloaded from Web sites for the public to use. A private key is the secret key known only by the key owner and should never be shared. Even if people know the public key used to encrypt a message, they can’t figure out the key owner’s private key. So with asymmetric cryptosystems, a public key being intercepted in transmission isn’t a concern. In addition, asymmetric algorithms are more scalable than symmetric algorithms because one public key can be used by thousands of users; however, these algorithms require more processor resources, so they’re slower.
Before examining some widely used asymmetric algorithms, take a look at a simple example of public key cryptography. There are different ways to encrypt a message with asymmetric algorithms, depending on whether the goal is to provide authentication and nonrepudiation. Authentication verifies that the sender or receiver (or both) is who he or she claims to be. Nonrepudiation ensures that the sender and receiver can’t deny sending or receiving the message. These two functions aren’t supported in symmetric algorithms.
If User A encrypts a message with her private key and sends the message to User B, User B can decrypt the message with User A’s public key. A user’s private and public keys are mathematically related, meaning a public key can decrypt only a message that has been encrypted with the corresponding private key.
If confidentiality is a major concern for User A, she encrypts the message with the recipient’s public key. That way, only the recipient can decrypt the message with his private key. If User A wants to assure User B that she is indeed the person sending the message (authentication), she can encrypt the message with her private key. After all, she’s the only person who possesses her private key.
RSA
RSA was developed in 1978 by three MIT professors: Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. It’s the first algorithm used for both encryption and digital signing and is still widely used, particularly in e-commerce. The authors offered their findings to anyone who sent them a self-addressed envelope. The NSA took a jaundiced view of this approach and suggested the professors cease and desist. When questioned about the legality of its request, however, NSA didn’t respond, and the algorithm was published.
Many Web browsers using the Secure Sockets Layer (SSL) protocol use the RSA algorithm, which is based on the difficulty of factoring large numbers. It’s important to understand that RSA uses a one-way function—a mathematical formula that’s easy to compute in one direction but difficult or nearly impossible to compute in the opposite direction—to generate a key. For example, multiplying two large prime numbers to determine their product is easy, but when you’re given only the product, determining what numbers were used in the calculation is difficult. A simple analogy is making a smoothie. It’s easy to blend a banana, strawberries, and ice cubes in a blender, but if you have to reconstruct the banana, strawberries, and ice cubes into their original state after blending them, you might find the task impossible.
Diffie-Hellman
This algorithm was developed in 1976 by Whitfield Diffie and Martin Hellman, originators of the public and private key concept. It doesn’t provide encryption but is used to establish the secret key shared between two parties. Although it’s often thought of as a key exchange, each party actually generates a shared key based on a mathematical key-agreement relationship. If a key is intercepted during transmission, the network is vulnerable to attack, so key management is an important component of securing data. With a method of sharing a secret key, users can secure their electronic communication without the fear of interception.
Elliptic Curve Cryptography
Elliptic curve cryptography (ECC), developed in 1985, is used for encryption as well as digital signatures and key exchange. It’s an efficient algorithm requiring few resources (memory, disk space, bandwidth, and so on), so it’s a perfect candidate for wireless devices and cell phones. The NSA has included ECC in its Suite B cryptographic algorithms.
EIGamal
EIGamal is an asymmetric algorithm used to generate keys and digital signatures and encrypt data. Developed by Taher Elgamal in 1985, the algorithm uses discrete logarithms that are complex to solve. Solving a discrete logarithm can take many years and require CPU-intensive operations.
Digital Signatures
Asymmetric algorithms have a useful feature that enables a public key to decrypt a message encrypted with a private key, or vice versa. A public key can decrypt a message that has been encrypted with a private key only if the message was encrypted by the corresponding private key’s holder. Figure 12.2 shows a message and hash value encrypted with a private key to ensure authentication and nonrepudiation. This type of encryption is called a digital signature.
Figure 12.2
Using a digital signature
Courtesy Course Technology/Cengage Learning
Digital Signature Standard
In 1991, NIST established the Digital Signature Standard (DSS) to ensure that digital signatures could be verified. The federal government specified using RSA and Digital Signature Algorithm (DSA) for all digital signatures and using a hashing algorithm to ensure the message’s integrity (meaning verifying that it hasn’t been tampered with). NIST requires using Secure Hash Algorithm (SHA), covered later in “Understanding Hashing Algorithms.” Basically, a digital signature can be created by using only a user’s private key, and the user’s signature can be verified by anyone using this user’s public key.
Pretty Good Privacy
Pretty Good Privacy (PGP) was developed by Phil Zimmerman as a free e-mail encryption program that allowed typical users to encrypt e-mails. Sounds harmless, but Zimmerman was almost arrested for his innovation. The Justice Department initiated an investigation into whether offering the PGP program to the public was a crime. In the mid-1990s, any kind of “unbreakable” encryption was considered a weapon and compared with selling arms to the enemy.
PGP has evolved considerably since it was created. The Internet standard for PGP messages is now called OpenPGP. OpenPGP uses certificates similar to those in public key infrastructure (PKI), but because a centralized certification authority (CA) isn’t used, verification of a CA isn’t as efficient as in PKI. OpenPGP can use AES, IDEA, RSA, DSA, and SHA algorithms for encrypting, authenticating, verifying message integrity, and managing keys. The most common free version of OpenPGP is GNU Privacy Guard (GnuPG or GPG; www.gnupg.org). It’s now the standard for validating and distributing all open-source Linux downloads. If you run any version of Linux, GPG ensures that the software packages and updates you install haven’t been tampered with by an intruder or a hacker. GPG is useful for learning how a public key encryption algorithm is used, and best of all, it’s free. Although the commercial PGP version (available at www.pgp.com) is compliant with the OpenPGP standard, it’s no longer free. However, like many commercial products, PGP provides technical support and has more features, making it suitable for large enterprise networks.
Secure Multipurpose Internet Mail Extension
Secure Multipurpose Internet Mail Extension (S/MIME) is another public key encryption standard for encrypting and digitally signing e-mail. It can also encrypt e-mails containing attachments and use PKI certificates for authentication. (See RFC-2311 for details on S/MIME version 2 and RFC-2633 for information on S/MIME version 3.) One reason that S/MIME is widely used for e-mail encryption is that it’s built into Microsoft Outlook. Because Outlook is included in the Microsoft Office suite, organizations already using Microsoft Office don’t need to install additional software to have e-mail encryption capability. Enigmail also supports S/MIME.
Note
Privacy Enhanced Mail (PEM) and MIME Object Security Services (MOSS) are older e-mail encryption standards that have been abandoned because of incompatibility with the OpenPGP and S/MIME standards.
Sensitive Data Encryption
As a security tester, often you communicate with clients by e-mail. However, sending test results that reveal vulnerabilities of your client’s network via unencrypted e-mail, which is subject to interception, can result in a serious vulnerability. Don’t contribute to your client’s network security problems by introducing one yourself. Following good security principles increases clients’ trust in your work. Therefore, make it a policy to exchange any test results or other sensitive documents in encrypted form. If your client doesn’t use encrypted e-mail, you should make doing so one of your first recommendations.
Organizations might also need to encrypt data at rest, which means any data not moving through the network or being used by the OS; the term usually refers to data stored on workstations, servers, removable drives, backup media, and laptop computers. Many organizations are required by law to encrypt confidential and financial information and report to authorities if this information is unencrypted and has been lost or stolen. Loss of this information usually proves expensive not only in costs of replacing it, but also in bad publicity. Many commercial programs can encrypt data at rest efficiently, and free programs, such as Truecrypt (www.truecrypt.org), are available, too. Truecrypt uses strong encryption algorithms, such as AES-256, an algorithm that’s authorized to protect U.S. government classified information.
Hashing Algorithms
Several hashing algorithms are in use today; Table 12.2 summarizes some of the most common. A hashing algorithm is a function that takes a variable-length string or message and produces a fixed-length hash value, also called a message digest, used to verify integrity of the data or message. In a sense, it’s like a fingerprint of a message. For example, if the message “How are you?” is changed later to “Who are you?” the hash value also changes so that the recipient knows the original message changed during transmission. Two different messages producing the same hash value results in a collision. Therefore, a good hashing algorithm is one that’s collision free.
The two most commonly used hashing algorithms are Message Digest 5 (MD5) and the much stronger Secure Hash Algorithm (SHA). With a reasonable amount of computing power, MD5 hash collisions can be found in a few days. Attacks on SHA-1, the 160-bit version of SHA, are now considered more practical, and researchers have been publishing attack methods. For example, researchers from Shandong University in eastern China showed that a key hash function in state-of-the-art encryption might be less resistant to attacks than had been thought. For sensitive applications, NIST recommends not using SHA-1. Federal agencies have been instructed to remove SHA-1 from future applications and replace it with the longer digest versions of SHA, collectively known as SHA-2. As you can see, security professionals must be vigilant in keeping aware of changes. Banks, e-commerce Web sites, credit card companies, and the military have used SHA for many years. For this reason, NIST announced a contest, similar to the AES contest discussed previously, to replace SHA instead of just increasing its digest length. As of this writing, the contest is in its second round, with 14 candidates remaining. The winning algorithm is expected to be named the official SHA-3 algorithm in 2012.
UNDERSTANDING PUBLIC KEY INFRASTRUCTURE
A discussion of public key encryption can’t take place without mentioning public key infrastructure (PKI). PKI is not an algorithm; it’s a structure consisting of programs, protocols, and security policies for encrypting data and uses public key cryptography to protect data transmitted over the Internet. The topic of PKI can take up an entire book, so this section just gives you an overview of its major components and how PKI is used in creating certificates.
Components of PKI
Another way authentication can take place over a communication channel is with certificates. A certificate is a digital document verifying that the two parties exchanging data over the Internet are really who they claim to be. Each certificate contains a unique serial number and must follow the X.509 standard that describes creating a certificate. SSL and S/MIME, for example, are Internet standards that use X.509 certificates.
Public keys are issued by a certification authority (CA). The CA vouches for the company you send your credit card number to when ordering that Harley-Davidson motorcycle online. You probably want to know that the company you’re ordering the bike from is valid, not someone who started a bogus Web site to collect credit card numbers from unsuspecting victims. Think of a CA as a passport agency. When U.S. citizens show their passports to enter a foreign country, the Customs agents viewing the passport don’t necessarily trust the passport holders. They do, however, trust the passport agency that issued the passports, so the U.S. citizens are allowed to enter the country.
A certificate that a CA issues to a company binds a public key to the recipient’s private key. In this way, if you encrypt an e-mail message with the public key of your friend Sue, you know only she can decrypt the message with her private key that’s mathematically related to her public key. You also know that the public key you used is indeed Sue’s public key because you trust the CA that issued it.
Expiring, Revoking, and Suspending Certificates
A certificate issued by a CA is assigned a period of validity, and after that date, the certificate expires. If the keys are still valid and remain uncompromised, the certificate can be renewed with a new expiration date assigned.
At times, a certificate might need to be suspended or revoked before its expiration date, as in the following circumstances:
A user leaves the company.
A hardware crash causes a key to be lost.
A private key is compromised.
The company that was issued the certificate no longer exists.
The company supplied false information when requesting the certificate.
The CA compiles a certificate revocation list (CRL) containing all revoked and suspended certificates. A certificate might be suspended when parties fail to honor agreements set forth when the certificate was issued. Instead of the certificate being revoked, it can be suspended so that it’s easier to restore if the parties come to an agreement later. If you want to check whether a certificate is still valid, you can download the CRL from the URL specified in the certificate. For CAs that might have a lot of revoked certificates, you can use Online Certificate Status Protocol (OCSP) instead of downloading the CRL. With OCSP, you (or a device) can check a certificate’s status without having to download and examine the entire CRL.
Backing Up Keys
Backing up keys is just as critical as backing up data. If keys are destroyed and not backed up correctly, encrypted business-critical information might be irretrievable. The CA is usually responsible for backing up keys and creating a key recovery policy. There are too many CAs to list in this book, but you can research companies that offer CA services and see the types of certificates they issue.
Microsoft Root CA
Microsoft includes features in its server OSs for configuring a server as a CA instead of using a third-party CA. For example, in the Windows Server 2008 Add Roles Wizard, an administrator selects Active Directory Certificate Services, as shown in Figure 12.3.
Figure 12.3
Selecting Active Directory Certificate Services in the Add Roles Wizard
Courtesy Course Technology/Cengage Learning
Selecting this option displays a warning that after a server takes on the role of a CA, there’s no turning back: The domain settings and server name can’t be changed. After clicking Next, the administrator can view the details of what will be installed on the server. Figure 12.4 shows the role services to install. The Certification Authority role shown in the figure is used to issue and manage digital certificates.
When selecting a CA type, an administrator can choose an enterprise or a stand-alone CA as the general type, and then select root or subordinate as the specific type (see Figure 12.5). A root CA issues its own certificate, and a subordinate gets its certificate from another CA higher up in the PKI structure.
If an administrator selects the stand-alone root CA type and the option “Create a new private key,” the window shown in Figure 12.6 is displayed. You can select three settings for generating certificates: the cryptographic service provider (CSP), the hashing algorithm, and the key length. In this figure, the default CSP is RSA# Microsoft Software Key Storage Provider, SHA-1 is the hashing algorithm, and the default key length is 2048 bits. Of the 14 CSPs available in Windows Server 2008, five allow weak hashing algorithms, such as MD2, MD4, and MD5. The RSA#Microsoft CSP does allow a digest length up to SHA-512, however.
Figure 12.4
Selecting role services to install
Courtesy Course Technology/Cengage Learning
No matter which CA a company chooses, you should be aware of the type of algorithm used so that you know whether the company is vulnerable to attack if information about the algorithm is compromised. Certificates at risk of being compromised can create a major security flaw for a company and shouldn’t be overlooked when conducting a security test.
Figure 12.5
Specifying a CA type
Courtesy Course Technology/Cengage Learning
Figure 12.6
Configuring cryptography settings for a CA
Courtesy Course Technology/Cengage Learning
Activity 12.2: Creating a Rogue Server Certificate by Breaking a Hashing Algorithm
Time Required: 30 minutes
Objective: Investigate what attackers can do with the results of an MD5 collision.
Description: Collisions for hashing algorithm have been more of a theoretical threat, but computing power that could find collisions is getting closer to being a reality. As of this writing, the Cray Jaguar Linux system is the world’s fastest supercomputer, capable of trillions of calculations per second. A single hash computation, however, takes many hundreds of calculations, and finding a full SHA-1 collision would take roughly 263 (about 9 million trillion) computations. The Jaguar would still have to churn away for a long time to find one. For this reason, a collision for a SHA-1 hash has yet to be announced. Weaknesses in MD5 have been demonstrated for more than a decade, however. Until recently, even some well-known CAs used MD5 to generate Web server SSL certificates. In this activity, you research what’s possible when smart researchers decide to call attention to a major security problem on the Internet.
1. Start your Web browser in Windows, and go to www.google.com.
2. Type creating a rogue ca certificate and press Enter. Click the first link in the search results, which should take you to the Rogue CA research page at the Phreedom.org Web site. (If not, go to www.phreedom.org and do a search on rogue CAs.)
3. Read the paragraphs summarizing the researchers’ findings. Then click the Slides from the 25c3 presentation link and download the PowerPoint presentation, which you use to answer the following questions:
The researchers collected 30,000 Web site certificates in 2008. How many were signed with MD5?
What kind of hardware was used to generate the chosen-prefix collision? How much money did the researchers spend on certificates?
What was the impact of generating a rogue CA certificate? What would this certificate allow someone with malicious intentions to do?
Which hashing algorithm were CAs forced to use after their signing method was demonstrated as not secure?
According to the researchers, what’s the only way you can effect change and secure the Internet? What URL can be used to examine the forged certificate?
4. Close all open windows.
UNDERSTANDING CRYPTOGRAPHY ATTACKS
In cryptography attacks, using tools to eavesdrop (such as Tcpdump and Wireshark) or perform port scanning (Nmap, Unicornscan, Hping, and so on) are considered passive attacks because the attacker isn’t affecting the algorithm (key), message, or any parts of the encryption system.
Active attacks attempt to determine the secret key used to encrypt plaintext. Remember: The culprit and the general public usually know the algorithm because companies developing encryption algorithms realize that the public might discover vulnerabilities that the company’s programmers missed. Software engineers who develop open-source code products follow this philosophy. Because they release their source code to the public, suggestions can be made, and users have the freedom to modify or add to the programming code. Ostensibly, making source code available can create a better product. Agencies such as the NSA and CIA don’t release information on all the encryption algorithms they’re using, however. The following sections describe some common active attacks.
Birthday Attack
You’ve probably heard the old adage that if 23 people are in a room, the probability that two will share the same birthday is about 50%. Birthday attacks are used to find the same hash value for two different inputs and reveal any mathematical weaknesses in a hashing algorithm. For example, if an attacker has one hash value and wants to find another message that creates the same hash value, he or she could possibly do so in a couple of hours if the hashing algorithm is weak. SHA-1, discussed previously, uses a 160-bit digest. Theoretically, finding a collision for a different message (the same birthday for a different person, in this analogy) would require 263 computations.
Mathematical Attacks
In a mathematical attack, properties of the algorithm are attacked by using mathematical computations. Attackers perform this type of attack in different ways, depending on the information they can access. There are five main categories for this attack:
Ciphertext-only attack—Attackers have the ciphertext of several messages encrypted with the same encryption algorithm but no access to the plaintext, so they must try to figure out the key used to encrypt the data. Getting a copy of ciphertext is usually easy with a sniffer, such as Tcpdump or Wireshark, but this type of attack is by far the most difficult because little or no information is known about the encryption algorithm used.
Known plaintext attack—Attackers have messages in both encrypted and decrypted forms. This attack is easier than the ciphertext-only attack because patterns in the plain-text can be examined. For example, if a bank’s letters to its customers always begin with a particular salutation and end with the familiar “Thanks for your business,” attackers can use reverse-engineering techniques to determine the key used to encrypt the data.
Chosen-plaintext attack—Attackers have access to plaintext and ciphertext and can choose which messages to encrypt. Because the whole plaintext message and ciphertext message are available, determining the key is easier. Attackers can get this information by sending an e-mail message to someone stating that the contents aren’t to be divulged to anyone except, say, Bob Smith. They would most likely spoof the e-mail message so that the recipient believes the message is from someone known and trusted. When the recipient forwards the message as ciphertext, attackers can then sniff the contents to get both the cleartext they wrote and the ciphertext document the user sent.
Chosen-ciphertext attack—Attackers have access to the ciphertext to be decrypted and the resulting plaintext. They also need access to the cryptosystem to perform this type of attack.
Side-channel attack—This attack, which is completely different from the other categories, relies on the attacker analyzing the hardware used for cryptographic operations. Attackers collect data such as operating temperatures, computation times, electromagnetic emissions, noise, vibrations, and even reflections off a cryptosystem user’s eyes to gather information they can use to launch an exploit. Generally, attackers need close proximity to the cryptosystem to collect this information.
Regardless of the type of attack, the attacker builds on the information gained and then conducts another type of attack. Patience and curiosity are usually part of cryptologists’ personalities, whether they’re working for good or bad purposes.
Brute-Force Attack
Despite its name, this type of attack doesn’t require a hammer or martial art skills; it just requires lots of time and patience. A brute-force attack tries all possible keys in a keyspace. One example is using a password-cracking program to attempt every possible combination of characters in an effort to break the password hash. Brute-force attacks can be launched on any kind of message digest, such as a certificate request. If you want to find out how long a brute-force attack might take to crack your password, you can download the brute-force time calculator at Mandylion Labs (www.mandylionlabs.com/documents/BFTCalc.xls).
Man-in-the-Middle Attack
In a man-in-the-middle attack, attackers place themselves between the victim computer and another host computer. They can then intercept messages sent from the victim to the host and pretend to be the host computer. This type of attack follows this process:
1. Gloria sends her public key to Bruce, and you, the attacker, intercept the key and send Bruce your public key. Bruce thinks he just received Gloria’s public key, but he received yours.
2. Bruce sends Gloria his public key. You intercept this key, too, and send Gloria your public key.
3. Gloria sends a message to Bruce, encrypted in what she thinks is Bruce’s public key, but because she’s using yours, you can decrypt the message with your private key.
4. You then can reencrypt the message with Bruce’s public key and send it to Bruce.
5. Bruce answers Gloria by encrypting his message with what he thinks is Gloria’s public key. You intercept the message, decrypt it with your private key, encrypt it with Gloria’s real public key, and then send it to Gloria.
You might have to read these steps a few times to understand how this type of attack works. Using index cards with the names of participants written on them might help you get a clearer picture of what’s taking place.
Dictionary Attack
In a dictionary attack, after attackers have access to a password file, they can run a password-cracking program that uses a dictionary of known words or passwords as an input file. Most of these input files are available on the Internet and can be downloaded free. Remember that unauthorized password-cracking is illegal in most parts of the world, including the United States.
Replay Attack
In a replay attack, the attacker captures data and attempts to resubmit the captured data so that the device, which can be a computer or router, thinks a legitimate connection is in effect. If the captured data is logon information, the attacker could gain access to a system and be authenticated. Many systems have countermeasures to prevent these attacks from occurring, such as packets using sequence numbers that detect when a packet is out of order or not in a correct sequence.
Understanding Password Cracking
As a security professional, you might come across encrypted or password-protected files. Passwords can often be guessed easily, especially when they’re names of pets, relatives, or spouses or anniversary and birth dates. A study conducted by the NSA almost 30 years ago found that 70% of all passwords are written in an area within 4 feet of a user’s computer. Also, to paraphrase a social engineer when asked about cracking passwords, “Why spend time trying to decrypt a password when you can just ask for it?”
In most countries, including the United States, cracking someone else’s passwords is illegal. (You’re allowed to crack your own password if you forget it.) Just an attempt to figure out the encryption method might also be illegal in many countries. For example, DVD movies use encryption to prevent people from making bootleg copies, and it’s illegal to research how this encryption is used.
If a password uses common words found in a dictionary, most password-cracking programs can use a dictionary file to speed up the process. Brute force is the usual method for cracking a password, and the best way to speed up a brute-force cracking effort is using a rainbow table. A password-cracking program can use this lookup table of password hash values instead of trying random computations on a password hash’s keyspace. For rainbow tables to be effective, however, they need to store a lot of hash values. For example, a good rainbow table can be hundreds of gigabytes, usually too large to download. To a professional penetration tester or cybercriminal, $500 for a 1.5 TB rainbow table mailed on a hard drive might be a bargain, considering the value of the data a cracked password can reveal. For more information on rainbow tables, visit http://freerainbowtables.com. You can even sign up to contribute unused CPU cycles to the Rainbow Table Generation Project. You can also see how strong your Windows password is by submitting your Windows password hash to the rainbow table cracker at http://cracker.offensive-security.com.
To conduct password cracking, first you must get the password hash from the system that stores usernames and passwords, which varies based on the OS you’re testing. On *nix systems, the password hash is stored in the /etc/shadow file. The Fgdump program extract files from the Security Accounts Manager (SAM) file, where Windows password hashes are stored. Cracking attacks on passwords can be performed with the following programs:
John the Ripper—One of the best programs available for cracking password files; can use dictionary or simple brute-force methods
0phcrack—The first password hash–cracking program to use rainbow tables
EXPECT—A scripting language for Windows and Linux that performs repetitive tasks, such as password cracking
L0phtcrack—The original password-cracking program now used by many government agencies to test password strength; capable of using rainbow tables
Pwdump6—The latest version of the Pwdump program for extracting password hash values of user accounts on a Windows computer
Fgdump—An enhanced Windows hash table extractor that uses Pwdump6 executable files but has more features
A security tester can use the following steps to gather passwords on a Windows computer. Caution : Performing these steps on a computer other than your own can be illegal in most parts of the world. In fact, using password-cracking software on a computer other than yours can be dangerous. In this example, Fgdump and John the Ripper are used to gather passwords from a Windows Server 2008 computer:
1. The security tester runs the Fgdump program to get hash values of user accounts on the Windows computer (see Figure 12.7). Running Fgdump without options dumps the computer’s user accounts to the 127.0.0.1.pwdump file.
Courtesy Course Technology/Cengage Learning
Figure 12.8
Running John the Ripper with the 127.0.0.1.pwdump input file
Courtesy Course Technology/Cengage Learning
2. Using John the Ripper with 127.0.0.1.pwdump as the input file, the security tester can use the command john -f=NT 127.0.0.1.pwdump to conduct a brute-force attack on the hash values discovered with Fgdump. The -f=NT switch is used to specify that passwords are in the NT LAN Manager (NTLM) authentication format. Figure 12.8 shows attempts made to crack the passwords of accounts on the Windows Server 2008 computer.
Figure 12.9 shows some command parameters available in John the Ripper. To see a complete list, you can type the command john without any parameters.
This method isn’t the fastest way to break a password, but it’s effective. Many hackers leave a program such as John the Ripper running for days on a computer devoted to breaking passwords. If an attacker can run password hashes through a rainbow table– enabled cracking program, even strong passwords can be cracked in a short time.
Figure 12.9
Using John the Ripper parameters
Courtesy Course Technology/Cengage Learning
CHAPTER SUMMARY
Cryptography has been in existence for thousands of years, from Egyptian hieroglyphics to the Enigma machine and on to the 21st century.
Ciphertext is data that has been encrypted; plaintext, also called cleartext, is data that can be read by anyone.
Symmetric cryptography uses one key to encrypt and decrypt data. Both sender and receiver must agree on the key before data is transmitted. The two main types of symmetric algorithms are block ciphers and stream ciphers. Block ciphers, such as AES, operate on fixed-length chunks of data, and stream ciphers, such as RC4, operate on one bit of data at a time.
Asymmetric cryptography, also called public key cryptography, uses two keys: one key to encrypt and another to decrypt data. In public key cryptography, a public key can be downloaded from a Web site and is mathematically related to a private key known only to the owner. A private key is never shared.
RSA uses only a one-way function to generate a key. Diffie-Hellman, ECC, and EIGamal use encryption, key distribution, and digital signatures to secure data.
Digital Signature Standard (DSS) ensures that digital signatures can be verified. To create a digital signature, the hash value must be encrypted with the sender’s private key.
OpenPGP is a free public key encryption standard based on the PGP e-mail encryption program. S/MIME is another public key encryption standard, included in Microsoft Outlook, for encrypting e-mail.
Hashing algorithms are used to verify data integrity. SHA-1 is a widely used hashing algorithm, but because of recently discovered weaknesses, NIST no longer recommends using it for sensitive applications, and federal agencies are in the process of switching to SHA-2.
Public key infrastructure (PKI) is a structure made up of several components for encrypting data. PKI includes protocols, programs, and security policies and uses public key cryptography to protect data transmitted over the Internet.
A digital certificate is a file issued by a certification authority (CA) that binds a public key to information about its owner. A CA is a trusted third party that accepts certificate applications from entities, authenticates applications, issues certificates, and maintains information about certificates.
An active attack on a cryptosystem attempts to determine the secret key used to encrypt plaintext. Examples of active attacks are birthday attacks, brute-force attacks, mathematical attacks, man-in-the-middle attacks, replay attacks, and dictionary attacks.
A passive attack on a cryptosystem uses sniffing and scanning tools, such as Wireshark, Tcpdump, Nmap, Unicornscan, and others that don’t affect the algorithm (key), message, or any parts of the encryption system.