Cryptography The Key to Securing Sensitive

Electronic Communications

Readings for Next Class

• Signing by FAX

• Secure Email

• Biometrics

• All articles are located in the September 18 folder

OverviewWhy is electronic privacy such a hottopic these days?Types of CryptographySteganographyWhat is a digital certificate?What is PKI?Why are these technologies important?Trusted Root AuthoritiesUsing digital certificates for email encryptionKey Escrow, the double edged swordIntegrating digital certificates into email forSecurityNew uses for digital certificatesHow is PKI related to SSL?Using certificates for code signing of softwareNSA conspiracy theoriesReal world issues with PKIComputer lab exercisesDiscussion

Today’s Chocolate Bar – Milky Way

• Created in 1924 by Frank C. Mars• Frank Mars and Milton Hershey were

friends, but their different candy bar ideologies drove them apart.

• Milky Way was the first “filled” candy bar. Previously, all candy bars were flat

• The European version will float in a glass of milk, the American version won’t

• A Milky Way wrapper from 1975 recently sold for $16 in a collector’s magazine

• Originally there were two flavors, dark chocolate and milk chocolate. The dark chocolate version was discontinued in 1979, but came back in 2000 as “Milky Way Midnight Bar”

Is the NSA Watching?• Discussion of the Crypto AG article

• Discussion of NSA_key in Microsoft Operating System

• What about UW-Madison?

Whay is Electronic Privacy Such a Hot Topic Today?

• Evolution of the Internet, commerce, banking, healthcare

• Dependence on Email• Government regulations, SOX,

HIPAA, GLB, PCI, FERPA• Public Image• Business warehousing• Industrial Espionage• The United States government!

Encryption

• To encode information in such a way as to make it unreadable by anyone aside from its intended recipient

• Symmetric Encryption, where a single secret key is used for both encryption and decryption.

• Asymmetric Encryption, where a pair of keys is used -- one for Encryption and the other for Decryption.

Symmetric Encryption

• Simple substitution

C = 5

O = 1

W = 7

517 = COW• Shifting

Add two letters to each character (letter + 2)

AMU = COW (A + 2 = C, M + 2 = 0, etc)

Hmm, everything appears to = COW

Advantages and Disadvantages of Symmetric Encryption

• Easy to use• Decryption key can be memorized

• Easy to determine patterns and guess decryption key (frequency of letters in the English language)

• Anyone with the key can decrypt the message even if it was not intended for them

Asymmetric Encryption

• Uses one key to encrypt and a different key to decrypt

• Public key to encrypt

• Private key to decrypt

• Keys are related, but not the same

Advantages and Disadvantages of Asymmetric Encryption• Much stronger, more complex keys than

used in symmetric encryption• Only the intended recipient can REALLY

read the message since only they possess the private key

• Far more complex than symmetric encryption, requires larger infrastructure to manage

• If private key is lost, you are out of luck

Yesterday’s Extra Credit

• Take a bow James Loethen, Jeff Roller and Zach Tranmer! I admire your investigative abilities

• Decrypted message was: “the secret agent is a Holstein cow”

• This was symmetric encryption, where the key was known to the application

• http://www.yellowpipe.com/yis/tools/encrypter/index.php

Overt vs. Covert Encryption• When the US government intercepts

“VGhlIHNlY3JldCBhZ2VudCBpcyBhI

hvbHN0ZWluIGNvdyE=“, from Kemps Ice Cream factory email system, they know that a sneaky cow is up to no good.

This message is overtly encrypted

Covert Encryption

• What happens when the US government just sees this?

Covert Encryption

• Covertly encrypted messages are much harder to discover

• This one was encoded in a graphics file

• With overt encryption it is evident that you are up to something that you want to keep secret

• With covert encryption, nobody suspects anything is wrong

Covert Encryption is Known as Steganography

• Not related to Stegosaurus, which was a dinosaur!

Steganography

• Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message

How to Determine if Steganography is Being employed

• Compare sizes of graphics relative to resolution.

• A low resolution graphic with a large file size is a good hint that Steganography is being used

• Image of cow and dolphin

• 71 KB vs 616 KB……Hmmmmm

http://www.kwebbel.net/stega/enindex.php

Discussion Topic One• Do you think the threat of Email

eavesdropping is real?• What about the government’s argument

about Email being like a “postcard?”• Should Target be allowed to look at

Walmart emails on a public network?• Are you angry now, or just afraid?• Who has the responsibility in this

situation?

What is a Digital Certificate?

Digital Certificates Do a Couple of Things

•Authentication

•Digital signing

•Encryption

Authentication

Digital Signing

Encryption

Digital Certificates Continued

Digital CertificateElectronic Passport

Good for authentication

Good non-repudiation

Proof of authorship

Proof of non-altered content

Encryption!

Better than username - password

What is in a Certificate?

Public and Private Keys

The digital certificate has two parts, aPUBLIC key and a PRIVATE keyThe Public Key is distributed toeveryoneThe Private Key is held very closelyAnd NEVER sharedPublic Key is used for encryption andverification of a digital signaturePrivate Key is used for Digital signing anddecryption

Public Key Cryptography

Getting Someone’s Public Key

The Public Key must be shared to beUsefulIt can be included as part of yourEmail signatureIt can be looked up in an LDAPDirectoryCan you think of the advantages anddisadvantages of each method?

Who Could This Public Key Possibly Belong To?

What is PKI?

• PKI is an acronym for Public Key Infrastructure

• It is the system which manages and controls the lifecycle of digital certificates

• The PKI has many features

What Is In a PKI?

• Credentialing of individuals

• Generating certificates

• Distributing certificates

• Keeping copies of certificates

• Reissuing certificates

• Revoking Certificates

Credentialing

• Non technical, but the most important part of a PKI!

• A certificate is only as trustworthy as the underlying credentialing and management system

• Certificate Policies and Certificate Practices Statement

Certificate Generation and Storage

• How do you know who you are dealing with in the generation process?

• Where you keep the certificate is important

Distributing Certificates

• Can be done remotely – benefits and drawbacks

• Can be done face to face – benefits and drawbacks

Keeping Copies – Key Escrow• Benefit –

Available in case of emergency

• Drawback – Can be stolen

• Compromise is the best!

• Use Audit Trails, separation of duties and good accounting controls for key escrow

Certificate Renewal

• Just like your passport, digital certificates expire

• This is for the safety of the organization and those who do business with it

• Short lifetime – more assurance of validity but a pain to renew

• Long lifetime – less assurance of validity, but easier to manage

• Use a Certificate Revocation List if you are unsure of certificate validity

Trusted Root Authorities

• A certificate issuer recognized by all computers around the globe

• Root certificates are stored in the computer’s central certificate store

• Requires a stringent audit and a lot of money!

It Is All About Trust

Using Certificates to Secure Email

• Best use for certificates, in my opinion

• Digital certificate provides proof that the email did indeed come from the purported sender

• Public key enables encryption and ensures that the message can only be read by the intended recipient

Secure Email is Called S/MIME

• S/MIME = Secure Multipurpose Mail Extensions

• S/MIME is the industry standard, not a point solution, unique to a specific vendor

Digital Signing of Email

• Proves that the email came from you• Invalidates plausible denial• Proves through a checksum that the

contents of the email were not altered while in transit

• Provides a mechanism to distribute your public key

• Does NOT prove when you sent the email

Digital Signatures Do Not Prove When a Message or Document Was Signed

You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!

Send Me a Signed Email, Please, I Need Your Public Key

Using a Digital Signature for Email Signing

Provides proof that theemail came from thepurported sender…Isthis email really fromVice President Cheney? Provides proof that thecontents of the emailhave not been alteredfrom the originalform…Should wereally invade Canada?

A Digital Signature Can Be Invalid For Many Reasons

Why Is Authenticating the Sender So Important?

What if This Happens at UW-Madison?

Could cause harm in

a critical situation

Case Scenario

Multiple hoax emails sent with Chancellor’s name and email.

When real crisis arrives, people might not believe the warning.

It is all about trust!

Digital Signing Summary

• Provides proof of the author

• Testifies to message integrity

• Valuable for both individual or mass email

• Supported by Wiscmail Web client (used by 80% of students)

What Encryption Does

Encrypting data with a digital certificateSecures it end to end.• While in transit• Across the network• While sitting on email

servers• While in storage• On your desktop

computer• On your laptop

computer• On a server

Encryption Protects the Data At Rest and In Transit

Physical theft from office

Physical theft from airport

Virtual theft over the network

Why Encryption is Important• Keeps private information private• HIPAA, FERPA, SOX, GLB compliance• Proprietary research• Human Resource issues• Legal Issues• PR Issues• Industrial Espionage• Over-intrusive Government• You never know who is

listening and watching!

What does it actually look like in practice? -Sending-

What does it actually look like in practice (unlocking my private key)

-receiving-

What does it actually look like in practice?-receiving- (decrypted)

Digitally signed and verified; Encrypted

What does it look like in practice?-receiving- (intercepted)

Intercepting the Data in Transit

New Applications Coming Online This Summer!

• Bye bye old ID card!• Hello Smartcard!• One card does it all!• Email encryption,

document signing, web access to sensitive applications and whole disk encryption

Digital Certificates For Machines Too

• SSL – Secure Socket Layer

• Protection of data in transit

• Protection of data at rest

• Where is the greater threat?

• Our certs protect both!

Benefits of Using Digital Certificates

Provide global assurance of your identity,both internally and externally to the UW-MadisonProvide assurance of message authenticityand data integrityKeeps private information private, end toend, while in transit and storageYou don’t need to have a digital certificateTo verify someone else’s digital signatureCan be used for individual or generic mailaccounts.

Who Uses Digital Certificates at UW-Madison?

DoITUW Police and SecurityOffice of the RegistrarOffice of Financial AidOffice of AdmissionsPrimate Research LabMedical SchoolBucky Badger, because he’s a teamplayer and slightly paranoid about hisbasketball plays being stolen

Who Uses Digital Certificates Besides UW-Madison?

US Department of DefenseUS Department of HomelandSecurityAll Western European countriesNew US PassportDartmouth CollegeUniversity of Texas at AustinJohnson & JohnsonRaytheonOthers

The Telephone Analogy

When the

telephone was

invented, it was

hard to sell.

It needed to

reach critical

mass and then

everyone wanted

one.

That All Sounds Great in Theory, But Do I Really Need It?• The world seems

to get along just fine without digital certificates…

• Oh, really?• Let’s talk about

some recent stories

We Have Internal Threats Too @ UW-Madison!

How Do Users Feel About the Technology?

• Ease of use

• Challenges

• Changes in how they do their daily work

• Benefits

• Drawbacks

It Really Is Up To You!

• Digital certificates / PKI is not hard to implement

• It provides end to end security of sensitive communications

• It is comprehensive, not a mix of point solutions

• You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!

Lab Exercises

• Crack a password protected file to show how weak password protection really is

• Digitally sign an email to each other

• Encrypt an email to each other