Intro to Crypto - New Era · 2014-01-22 · – The longer a hash the lower the probability to...

IBM Americas, ATS, Washington Systems Center

© 2014 IBM Corporation

Intro to Crypto

Greg Boyd ([email protected])

of 32

IBM ATS, Washington Systems Center

Intro to Crypto January, 2014 © 2014 IBM Corporation

Agenda – Intro To Crypto

Some background

Crypto Functions

–Symmetric algorithms

–Asymmetric algorithms

–Hashes

–Digital Signatures & Certificates

–PIN Support

Upcoming topics

of 32



What is Cryptography?

Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφω, gráphō, "Iwrite", or -λογία, -logia, respectively)[1] is thepractice and study of hiding information. In moderntimes cryptography is considered a branch of bothmathematics and computer science and is affiliatedclosely with information theory, computer securityand engineering.

From Wikipedia

of 32



Business Requirements

Trust (Integrity)

Confidentiality

–Trade Secrets

–Business transactions

–Privacy (Personal Information)

Accountability/ Auditability

of 32



Crypto Functions

Data Confidentiality

– Symmetric – DES/TDES, AES

– Asymmetric – RSA,Diffie-Hellman, ECC

Data Integrity

– Modification Detection

– Message Authentication

– Non-repudiation

Financial Functions

Key Security & Integrity

of 32



Data Confidentiality – TDES

Data Key =>

Encrypt EncryptDecryptEncrypted

KeyEncrypted

Key

K E Y

EncryptedKey

Encryption Using Triple-DES outer feedback

8-bytesof key

of 32



Data Confidentiality - AES

Rijndael Algorithm

– Block Cipher (16-byte blocks)

– 128-, 192-, 256-bit key length

– 128 bit key=> 3.4x10**38 (340Undecillion)

– 192 bit key=> 6.2x10**57 (6.2Octodecillion)

– 256 bit key=> 1.1x10**77 (almost aGoogol)

– Multiple round

– Four steps per round (Byte substitution,shift row, mix column, add round key)

Image from http://www.esat.kuleuven.ac.be/~rijmen/rijndael

of 32



Electronic Codebook (ECB) Mode

Images from Wikipedia

of 32



Cipher Block Chaining (CBC) Mode

Images from Wikipedia

of 32



Asymmetric Algorithms

Public Key Architecture - PKA

–RSA

–Diffie-Hellman

–Elliptic Curve

ABCD @!&1 ABCD

Public key Private key

Encryption Decryption

Plain text Plain textCipher text

of 32



RSA Public Key Cryptography

Generate 2 prime numbers P = 7 Q = 17

(each over 100 digits long)

Multiply primes to get modulus, N N = 7 x 17 = 119

Select odd number, E, that will E = 5

be the second part of the public key

Public Key (N E) 119 5

Compute second part of private key, D

(P-1) x (Q-1) x (E-1) (7-1) x (17-1) x (5-1) = 384

Add 1 to result 384 + 1 = 385

Divide by E to get D D = 385/5 = 77

Private Key (N D) 119 77

=

of 32



Encipher Message ‘SELL’

P = 7; Q = 17; N = 119; E = 5; D = 77



Convert characters to numeric 19 5 12 12

E.g. A=1, B=2, C=3 ….

Raise that character value to power E (‘S’ => 19**5 =>) 2476099

Divide by first part Public Key, get the Modulus 2476099 MOD 119 = 66

ePublicKey(S) => 66

ePublicKey(E) => 31

ePublicKey(L) => 3

Ciphertext 66 31 3 3

=

of 32



Decipher Message ’66 31 3 3’

P = 7; Q = 17; N = 119; E = 5; D = 77



Raise ciphertext to power D 66**77 = 1273160…..

Divide by first half of private key, get the modulus 1273160….. MOD 119 = 19

Convert numeric back to character 19 5 12 12

dPrivateKey(66) => “S”

dPrivateKey(31) => “E”

dPrivateKey(3) => “L”

Plaintext 19 5 12 12 or C’S E L L’

=

of 32



ECC – Why is it important?

Elliptic Curve Support

–ECDSA

–New ECC Master Key

Effective Key Size Security

Symmetric RSA Key ECC Key

Key Size Size Size

80 1024 163

112 2048 224

128 3072 256

192 7680 384

256 15360 512

Image from DeviceForge and other sites

From NIST SP 800-57 Part 1 (Table 2) atwww.nist.gov

of 32



Why Asymmetric and Symmetric Keys?

Asymmetric

– plus - its strength, can be used to establish asecret between two parties

– minus – expensive in terms of performance

Symmetric

– plus - less resource intensive

– minus - requires key to be shared securely

=≠

of 32



Data Integrity – Modification Detection Code

Has the message changed?

A

Message MDCMessage

Characteristics of a goodhash

– Can’t recreate the message fromthe hash

– Two different messages arestatistically unlikely to generatethe same hash value

Hash Algorithm

of 32



Hash Example

SHA1(“The quick brown fox jumps over the lazy dog”)

= A9F1D770 4CA50AC1 504EA60B 12C7AE2D B054AD18

SHA1(“The quick brown fox jumps over the lazy hog”)

= 24120AD2 C337DE18 24E18BF0 C54F0B4F 98592343

of 32



Data Integrity – Message Authentication Code

Has the message changed?

A

Message Message

Hash Algorithm

Key

MAC

of 32



AASignature

Algorithm

Signatures

Message

AHash Algorithm

Message Digest Digital Signature

Signatures are a way to securely associatesomeone with the data they send

AASignature

Algorithm

of 32



Verisign||GregBoyd||ExpDate||Version||Algorithm ||

Data Integrity – Digital Certificates

GregBoyd

Public Key Private Key

CA

Cert=>Verisign||GregBoyd||ExpDate||Version||Algorithm || ||Digital Signature

Signature Algorithm with

PartnerSignature Algorithm with

CA’s Public Key

Digital Signature?=?

CA’s Private Key

A

A

of 32



Financial Services

PIN Generation

PIN Verification

PIN Export/Import

signaturealgorithm

Authentication

Secret PIN

Secret PINcalculating key

Equal/Not equal

of 32



Hash and Key LengthsWhy do we care about lengths a of keys and hashes?

– The longer a key the lower the probability to guess the right key

– The longer a hash the lower the probability to guess a matching text for a given hash

– Key and hash sizes that are considered secure change over time

Crypto Cryptography is not security, it is only low probability!? - But “Low” is “V E R Y L O W”!

Key lengths for symmetric keys are not comparable to those of asymmetric keys

E.g. only a “few” numbers out of 21024 1024-bit numbers are valid keys for RSA

154 digitsSHA-512: 2512 different hashes

about 1082number of atoms in the universe

77 digitsAES-256/SHA-256: 2256 different keys/hashes

58 digitsAES-192: 2192 different keys

about 1.2*1057number of atoms in our solar system

about 1.33*1050number of atoms in the earth

38 digitsAES-128: 2128 different keys

1 in 72,057,594,037,927,936DES: 2256 different keys

1 In 176,000,000MegaMillions (March, 2012) @ $640Million

*Chart adapted fromReinhard Buendgen

of 32



System z Encryption Solutions

Key Storage

Encryptionservicemanagement andoptimization

ICSF, RACF, SMF

Encryption hardware accelerationwith every processor

CryptoExpress

CryptoExpress

zAAP(Java)

Tru

ste

dK

ey

Entr

y

System z Encryption Infrastructure

Tamper-resistantencryption processingKeys are not in the clear

GPProcessor

GPProcessor

z/OS

zIIP(IPSec)

Encryption Solutions

IFL(Virtualization,

Linux)

Crypto access

Linux for System z

CKDS

PKDS TKDS

Encryption Facilityfor z/OS

Tape / DiskEncryption

System SSL

DatabaseEncryption

PKI Services

Java

EKMF (KeyManagement)

PerformanceDisaster

Recovery

Master Keys Master Keys

of 32



References

Cryptography Books

– Bruce Schneier, “Applied Cryptography, Second Edition: Protocols, Algorithms,and Source Code in ‘C’”, Addison Weley Longman, Inc. 1997

– Simon Singh, “The Code Book”, Anchor Books, 1999

– Niels Ferguson, Bruce Schneier, “Practical Cryptography”, Wiley Publishing, Inc.2003

Standards

– http://csrc.nist.gov/ – Computer Security Resource Center of NIST

– http://www.rsa.com/rsalabs/ - Research site for RSA Security

– www.ietf.org – Internet Engineering Task Force

Free Stuff

– www.scmagazine.com/ – SC Magazine

– www.counterpane.com – Bruce Schneier web site with monthly newsletter

of 32



IBM Pubs

ICSF Overview

– z/OS 2.1 SC14-7505

– z/OS 1.13 SA22-7519

ICSF Administrator’s Guide

– z/OS 2.1 SC14-7506

– z/OS 1.13 SA22-7521

ICSF Application Programmer’s Guide

– z/OS 2.1 SC14-7508

– z/OS 1.13 SA22-7522

ICSF System Programmer’s Guide

– z/OS 2.1 SC14-7507

– z/OS 1.13 SA22-7520

of 32



IBM Resources (on the web)

Redbooks – www.redbooks.ibm.com (search on‘crypto’)

– IBM zEnterprise EC12 Configuration Setup, SG24-8034

– IBM zEnterprise EC12 Technical Introduction, SG24-8050

– IBM System EC12 Technical Guide, SG24-8049

ATS TechDocs Website –www.ibm.com/support/techdocs (search on ‘crypto’)

– WP100810 – A Synopsis of System z Crypto Hardware

– WP100647 – A Clear Key / Secure Key /Protected Key Primer

of 32



Questions …

Intro to Crypto - New Era · 2014-01-22 · – The longer a hash the lower the probability to...

Documents

Transcript of Intro to Crypto - New Era · 2014-01-22 · – The longer a hash the lower the probability to...