Cryptography and the Internet

Transcription

1

2 Cryptography and the Internet

3 Overview Background Next Generation Encryption Suite B, FIPS Issues Crypto Globalization Quantum Computers Quantum Cryptography Post-Quantum Cryptography Recommendations 3

4 Background

5 How to detect attacks? Malware Broken encryption 5

6 How to detect attacks? Malware Host Process Monitoring Network Monitoring Tripwire Antivirus Antimalware Product Security Bulletins Broken encryption 6

7 Cryptography Protects Data on Untrusted Networks 7

8 Cryptography Protects Data on Untrusted Networks 8

9 Cryptography Protects Data on Untrusted Networks 9

10 Cryptography Protects Data on Untrusted Networks 10

11 Snooping 11

12 Cryptography Protects Data on Untrusted Networks 12

13 Spoofing and Tampering 13

14 Cryptography Protects Data on Untrusted Networks 14

15 Key Establishment 15

16 Digital Signatures 16

17 Cryptographic Mechanisms Encryption Data Authentication Key Establishment Signatures Hashing 17

18 Secret Key Encryption Key Key Data Encrypted Data Data 18

19 Public Key Encryption Public Key Private Key Data Encrypted Data Data 19

20 Public Key Encryption Public Key Private Key Data Encrypted Data Data 20

21 Protecting a Packet IP UDP SRTP VIHL TOS Length ID F Offset TTL Proto Checksum Source IP Address Destination IP Address IP Options Padding Source Port Dest Port UDP Length UDP Chksm V X PT Seq Num SSRC Timestamp CSRC Data Authentication Tag 21

22 Encryption IP UDP SRTP VIHL TOS Length ID F Offset TTL Proto Checksum Source IP Address Destination IP Address IP Options Padding Source Port Dest Port UDP Length UDP Chksm V X PT Seq Num SSRC Timestamp CSRC Data Authentication Tag 22

23 Authentication IP UDP SRTP VIHL TOS Length ID F Offset TTL Proto Checksum Source IP Address Destination IP Address IP Options Padding Source Port Dest Port UDP Length UDP Chksm V X PT Seq Num SSRC Timestamp CSRC Data Authentication Tag 23

24 Authenticated Encryption Header Data Header Ciphertext 24

25 Authenticated Encryption with Associated Data (AEAD) Tight binding prevents subtle attacks BEAST, Padding Oracle, RFC 5116, An Interface and Algorithms for Authenticated Encryption Standards TLS 1.2 (RFCs 5288, 5289), IKE (RFC 5282), SSH (RFC 5647), SRTP, JSON Compatible with ESP (RFC 4106) and 802.1AE draft-mcgrew-aead-aes-cbc-hmac-sha

26 Digital Signatures Private Key Message Signature Public Key Message Signature 0/1 26

27 Digital Signatures Private Key Message Signature Public Key Message Signature 0/1 27

28 Hashing Message Hash 28

29 Collision Message1 Hash Message 2 29

30 Collision Resistance Message1 Hash Message 2 30

31 Second Preimage Resistance Message1 Message 2 Hash 31

32 Hash Function Attacks Collision resistance Failures: MD4, MD5, SHA-0, SHA-1 Second preimage resistance (digital signatures) Failure: MD4 HMAC Message Authentication Code Failures: MD4, SHA-0 32

33 Diffie Hellman Alice Bob 33

34 Diffie Hellman Alice g is number < p Bob 34

35 Diffie Hellman Alice x = random g is number < p g x mod p Bob 35

36 Diffie Hellman Alice x = random g is number < p g x mod p g y mod p Bob y = random (g y ) x mod p (g x ) y mod p 36

37 Diffie Hellman Alice x = random g is number < p g x mod p g y mod p Bob y = random (g y ) x mod p = (g x ) y mod p 37

38 Security at Different Layers

39 Security at Different Layers 39

40 802.11i WPA2 Wireless Security Application i Presentation Session Transport Network Link Physical 40

41 Ethernet MACsec Application Presentation Session Transport MACsec Network Link Physical 41

42 IPsec Application Presentation IPsec Session Transport Network Link Physical 42

43 Transport Layer Security (TLS) Application Presentation Session Transport Network TLS Link Physical 43

44 Secure Shell (SSH) Application Presentation Session Transport Network Link SSH Physical 44

45 Secure RTP Application Presentation Session Transport SRTP Network Link Physical 45

46 Defense in Depth Application Presentation IPsec i Session Transport MACsec TLS SRTP Network Link SSH Physical 46

47 Certificates and Passwords

48 Entity Authentication 48

49 Certificate 49

50 Self-Signed Certificate 50

51 Password Based Keys Password Data abnegator Encrypted Data 51

52 Dictionary Attack abluent ablush ablution ablutionary abluvion ably abhmo Abnaki abnegate abnegator Data Format Match? Encrypted Data 52

53 Dictionary Attack ablush ablution ablutionary abluvion ably abhmo Abnaki abnegate abnegator Data Format Match? Encrypted Data 53

54 Dictionary Attack ablution ablutionary abluvion ably abhmo Abnaki abnegate abnegator Data Format Match? Encrypted Data 54

55 Time-Memory Tradeoff 55

56 Time-Memory Tradeoff 56

57 Time-Memory Tradeoff Cain and Abel Krb5, NTLM, NTLMv2, OSPF, RIPv2, VRRP, VNC, IKE PSK Great Cipher, But Where Did You Get That Key? 57

58 Cryptographic Strength

59 Work Factor 59

60 Key Strength Sources: Lenstra and Verheul, NIST 60

61 Key Strength Sources: Lenstra and Verheul, NIST 61

62 Key Strength Sources: Lenstra and Verheul, NIST 62

63 Key Strength Sources: Lenstra and Verheul, NIST 63

64 Key Strength Sources: Lenstra and Verheul, NIST 64

65 Key Strength Sources: Lenstra and Verheul, NIST 65

66 Key Strength AES-256 AES-128 Sources: Lenstra and Verheul, NIST 66

67 Hacker ($400) 67

68 Medium Organization ($300K) 68

69 Intelligence Agency 69

70 Key Strength 70

71 Key Strength AES-128 3DES RC5-64 DES 71

72 Algorithms Never Get Stronger SHA-1 Sources: FIPS-180-1, Wang, Yin, Yu 05, Cochran 07 72

73 Public Key Strength Sources: RSA Laboratories 73

74 Prevalent AES-128-CBC DH-1024 RSA-1024 SHA-1 74

75 FIPS AES-128 SHA-256 DH-2048 RSA

76 FIPS-140

77 Advanced Encryption Standard Standards Process Three Years, Four Workshops 15 Candidates from around the world (Belgium Won) Most analyzed cryptoalgorithm ever Theoretical Attacks Related-key model AES-256, AES-192 Biclique cryptanalysis Chosen ciphertext attack that shaves two bits off of 128-bit key 77

78 Hash Functions SHA-512 SHA-384 SHA-224 SHA-256 SHA-0 SHA-1 78

79 Suite B

80 Suite B Upgrades the entire Crypto Suite Efficient at high security levels and high speeds USG recommended crypto algorithms Subset of FIPS-140 Selected by US National Security Agency (NSA) Introduced into many standards RFC4869 Suite B Cryptographic Suites for IPsec Approved for SECRET and TOP SECRET 80

81 Suite B ECDSA- AES-128-GCM ECDH-P256 SHA-256 P256 81

82 Suite B 192-bit Profile AES-256-GCM ECDH-P384 ECDSA- P384 SHA

83 Suite B AES Galois/Counter Mode

84 Galois/Counter Mode (GCM) Block cipher mode of operation for Authenticated Encryption with Associated Data (AEAD) High speed, low latency, low cost Most efficient mode for packet networks Widely adopted in the industry Layer 3+: IPSec, TLS, DLTS, SSH, SRTP Layer 2: 802.1AE MACSec, Gigabeam, Storage encryption: , LTO-4 Inside commercial crypto silicon NIST SP D Cisco Nexus 7000 Series 32-Port 10Gb Ethernet Module with 80 Gb bandwidth to the fabric 84

85 AES Counter Mode Pipeline Round 1 Round 1 Round 1 Round 1 Round 2 Round 2 Round 2 Round 2 Round 3 Round 3 Round 3 Round 3 Round 4 Round 4 Round 4 Round 4 Round 5 Round 5 Round 5 Round 5 Round 6 Round 6 Round 6 Round 6 Round 7 Round 7 Round 7 Round 7 Round 8 Round 8 Round 8 Round 8 Round 9 Round 9 Round 9 Round 9 Round 10 Round 10 Round 10 Round 10 85

86 AES Counter Mode Pipeline Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 P 0 C Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 P 1 C Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 P 2 C Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 P 3 C 3 86

87 AES GCM AES AES AES P 0 C 0 P 1 C 1 P 2 C 2 MUL MUL MUL 87

88 Cipher Block Chaining (CBC) P 0 P 1 P 2 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 C 0 C 1 C 2 88

89 Cipher Block Chaining (CBC) P 0 P 1 P 2 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 Round 1 Round 2 Round 3 Round 4 Round 5 Round 6 Round 7 Round 8 Round 9 Round 10 C 0 C 1 C 2 89

90 Suite B Elliptic Curve Cryptography

91 Elliptic Curve Cryptography Alternative crypto mathematics Invented in 1985 Used and endorsed by NSA Adopted in some niches (e.g. Smart Grid) More efficient than RSA at higher security levels Current commercial security (96 or 112 bits) - ECC slower 128 bits strength ECC operations faster 256 bits strength ECC much faster 91

92 ECC Efficient at High Security Integer Computational Cost ECC Security 92

93 ECC History Many ECC patents Slow adoption RFC 6090 Fundamental Algorithms of ECC Subset of basic ECC that predates patents Simplifies IPR analysis Closely based on pre-1994 references Security: survived > 18 years of review 93

94 Timeline EC ElGamal [K1987] Homogeneous Coordinates [KMOV1991] Meta ElGamal Signatures [HMP1994] ECC invented ECDH [M1985] ECC Implementation [BC1989] Abbreviated EC ElGamal Signatures [KT1994] EC ElGamal Signatures [A1992] 94

95 Cisco Next Generation Encryption Future Ready Meets security and scalability requirements of next two decades Communications and IT infrastructures must be defended against attack and exploitation Attackers are persistent and well-funded Computing advances driving a move to higher cryptographic strengths 95

96 Next Generation Encryption Authenticated Encryption Authentication AES-128-GCM HMAC-SHA-256 Key Establishment ECDH-P256 Suite B Digital Signatures ECDSA-P256 Hashing SHA-256 Entropy SP Protocols TLSv1.2, IKEv2, 96

97 Security Problems Solved by NGE 3DES 1GB limit HMAC-MD5 DH, RSA HMAC-SHA bit at risk Suite B RSA, DSA 1024-bit at risk MD5, SHA-1 Collision attacks Entropy Inconsistent quality TLS1.0, IKEv1 Flaws, lack of AE 97

98 Cisco NGE ASR ISR ASA Now 2013 AnyConnect 98

99 Trends and Issues

100 Quantum Computers: Threat Quantum Cryptography: Defense Post-Quantum Cryptography: Better Defense 100

101 Quantum Computers Could break RSA-2048, DH-2048 by factoring bit integers Could break AES-128 in time 2 64, AES-256 in May prove impossible Active area of research 101

102 Quantum Computers Could break RSA-2048, DH-2048 by factoring bit integers Could break AES-128 in time 2 64, AES-256 in May prove impossible Active area of research Quantum Factoring Record: 15 = 3 x 5 102

103 Quantum Cryptography Point-to-point encryption over optical fiber Quantum mechanics eavesdropping detectable Random Source Random Source 0,1 X + X + 0,1 Bit Selection & Privacy Amplification Bit Selection & Privacy Amplification Shared Secret key courier Shared Secret 103

104 Quantum Cryptography Limitations Relies on initial pre-shared secret Compares unfavorably to other cryptosystems Less assurance, less flexibility, higher cost Laughable data rates (< 1 kbit/sec) Quantum PHY attacks are serious threat QC is point-to-point and requires dedicated PHY QC cannot cross routing or switching QC has little value to most networks 104

105 Post-Quantum Cryptography AES-256-GCM SHA

106 Post-Quantum Cryptography AES-256-GCM McEliece- 120K SHA

107 Post-Quantum Cryptography AES-256-GCM McEliece- 120K Lamport-SHA- 512 SHA

108 Crypto Globalization 3DES AES 108

109 Crypto Globalization GOST-89 Camellia CLEFIA KCipher2 3DES AES SMS4 SEED ARIA 109

110 How Many Do We Need? Single Alternate Cipher Provide fallback against cryptanalytic progress on AES Algorithm Diversity Different technical lineage than AES Focus on 192, 256-bit key strength Stronger key schedule A single alternative could be chosen as SHOULD implement cipher Extensive Public Review Open standards processes Background: draft-irtf-cfrg-cipher-catalog

111 Recommendations

112 Recommendations Now AES-128-GCM, AES-128-CCM HMAC-SHA-256 DH-2048, RSA-2048 RSA-2048 SHA

113 Recommendations Now AES-128-GCM, AES-128-CCM HMAC-SHA-256 DH-2048, RSA-2048 RSA-2048 SHA

114 Recommendations Now Soon AES-128-GCM, AES-128-CCM AES-128-GCM, AES-128-CCM HMAC-SHA-256 HMAC-SHA-256 DH-2048, RSA-2048 ECDH-P256 RSA-2048 ECDSA-P256 SHA-256 SHA

115 Other Recommendations Use Certificates Manually installed or authenticated good for transition Audit how your organization uses uncertified public keys Do not use password based keys Generate with tool if need be 115

116 Other Recommendations Use Certificates Manually installed or authenticated good for transition Audit how your organization uses uncertified public keys Do not use password based keys Generate with tool if need be Use Authenticated Encryption 116

117 What to Avoid GOST , RC4, 3DES at high data rates XCBC-MAC, HMAC-MD5 DH-1024, RSA-1024 RSA-1024 MD5, SHA-1 117

118 118

119 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit 119

120 Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit after the event for updated PDFs, ondemand session videos, networking, and more! Follow Cisco Live! using social media: Facebook: Twitter: LinkedIn Group: 120

121

122 Contact me:

123 Backup

124 Export Restricted Zone Export Restricted Zone 124

125 Export The EU License-Free Zone is the group of countries to which Cisco can export all goods, including strong encryption (restricted) items. This includes government or military end-users that if outside the zone would require a license. Any government or military end customer outside the EU License free zone and US embargoed countries will require a US export license. Written Assurance required for other end customers in Export Restricted zone Prohibited Zone - No product can be shipped to U.S.-embargoed countries 125

126 Attacks Attacks on IPsec Padding Attacks on TLS Bleichenbacher chosen ciphertext attack Renegotiation attack Side channels Timing attacks 126

127 Why is Crypto Hard? Breaks liberal in what you accept Encapsulation, ordering, additions Breaks Metcalf s law Can t assume that any two devices can talk 127

128 Public Key Sizes 30x Source: RFC3766, Determining Strengths For Public Keys Used For Exchanging Symmetric Keys 128