Cryptography and Security Services Mechanisms and Applications

  

Cryptography and Security Services: Mechanisms and Applications

  

Manuel Mogollon

University of Dallas, USA

CyberTech Publishing

Acquisition Editor: Kristin Klinger
Senior Managing Editor: Jennifer Neidig
Managing Editor: Sara Reed
Development Editor: Kristin M. Roth
Assistant Development Editor: Meg Stocking
Editorial Assistant: Deborah Yahnke
Copy Editor: Erin Meyer
Typesetter: Jeff Ash
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.

Published in the United States of America by CyberTech Publishing (an imprint of IGI Global), 701 E. Chocolate Avenue, Hershey PA 17033. Tel: 717-533-8845; Fax: 717-533-8661; E-mail: cust@igi-pub.com; Web site: http://www.cybertech-pub.com

and in the United Kingdom by CyberTech Publishing (an imprint of IGI Global), 3 Henrietta Street, Covent Garden, London WC2E 8LU. Tel: 44 20 7240 0856; Fax: 44 20 7379 0609; Web site: http://www.eurospanonline.com

  

Copyright © 2007 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this book are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data

Mogollon, Manuel.
Cryptography and security services : mechanisms and applications / Manuel Mogollon.
p. cm.
Summary: "This book addresses cryptography from the perspective of security services and mechanisms available to implement them: discussing issues such as e-mail security, public-key architecture, virtual private networks, Web services security, wireless security, and confidentiality and integrity. It provides scholars and practitioners working knowledge of fundamental encryption algorithms and systems supported in information technology and secure communication networks"--Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-837-6 (hardcover) -- ISBN 978-1-59904-839-0 (ebook)
1. Computers--Access control. 2. Data encryption (Computer science) I. Title.
QA76.9.A25M663 2007
005.8--dc22

British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is original material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

  


  

Table of Contents

Foreword......................................................................................................................... x

Preface............................................................................................................................xi

Acknowledgment.......................................................................................................... xv

Chapter I. Classic Cryptography ................................................................................. 1

Classic Cryptography ..................................................................................................... 1

Objectives ........................................................................................................................ 1

Introduction ..................................................................................................................... 1

Classic Cipher Techniques .............................................................................................. 3

Early Cipher Machines ................................................................................................... 6

Cryptanalysis in World War II ...................................................................................... 12

Summary ....................................................................................................................... 12

Learning Objectives Review ......................................................................................... 13

References ..................................................................................................................... 14

Chapter II. Information Assurance ............................................................................ 15

Information Assurance .................................................................................................. 15

Objectives ...................................................................................................................... 15

Introduction ................................................................................................................... 15

Computer Network Architecture ................................................................................... 16


The OSI Model .............................................................................................................. 17

The TCP/IP Model ........................................................................................................ 20

Security Policies, Services, and Mechanisms ............................................................... 22

Placeholder Names Used in Cryptography .................................................................. 26

The Transformation of the Crypto Industry .................................................................. 27

U.S. Export Regulations for Encryption Equipment ..................................................... 29

Summary ....................................................................................................................... 30

Learning Objectives Review ......................................................................................... 31

References ..................................................................................................................... 32

Chapter III. Number Theory and Finite Fields ........................................................ 33

Number Theory and Finite Fields ................................................................................. 33

Objectives ...................................................................................................................... 33

Introduction ................................................................................................................... 33

Principle of Counting .................................................................................................... 34

Exponentiation and Prime Numbers ............................................................................. 35

The Euclidean Algorithm .............................................................................................. 35

Congruence Arithmetic ................................................................................................. 36

Summary of Properties .................................................................................................. 41

Calculation of the Reciprocal (Multiplicative Inverse) ................................................ 42

Multiplication and Exponentiation in Modulo p ........................................................... 43

RSA Algorithm ............................................................................................................... 45

Finite Fields .................................................................................................................. 45

Boolean Binary Expressions ......................................................................................... 48

Summary ....................................................................................................................... 49

Learning Objectives Review ......................................................................................... 49

References ..................................................................................................................... 50

  

Chapter IV. Confidentiality: Symmetric Encryption................................................51

Confidentiality: Symmetric Encryption .........................................................................51

Objectives ...................................................................................................................... 51

Introduction ................................................................................................................... 52

Crypto Systems .............................................................................................................. 54

Stream Cypher Symmetric Encryption .......................................................................... 54

Basic Theory of Enciphering ........................................................................................ 58

Perfect Secrecy .............................................................................................................. 62

Shift Registers ............................................................................................................... 64

Block Encryption Algorithms ........................................................................................ 80

Block Cipher Modes of Operation ................................................................................ 90

Summary ....................................................................................................................... 97

Learning Objectives Review ......................................................................................... 97

References ..................................................................................................................... 99

Chapter V. Confidentiality: Asymmetric Encryption.............................................101

Confidentiality: Asymmetric Encryption .....................................................................101

Objectives .................................................................................................................... 101

Introduction ................................................................................................................. 102

Exponentiation and Public-Key Ciphers .................................................................... 104

  

Pohlig-Hellman Algorithm .......................................................................................... 105

The RSA Algorithm ...................................................................................................... 106

ElGamal Algorithm ..................................................................................................... 109

Key Management ........................................................................................................ 110

Security Services and Public-Key Encryption ............................................................ 110

Combining Asymmetric and Symmetric Ciphers ........................................................ 110

The Diffie-Hellman Key Agreement System .................................................................111

The Diffie-Hellman Key Agreement Method ............................................................... 114

The RSA Key Transport System ................................................................................... 115

Variation of ElGamal System ...................................................................................... 116

Summary ..................................................................................................................... 118

Learning Objectives Review ....................................................................................... 119

References ................................................................................................................... 121

Chapter VI. Integrity and Authentication ............................................................... 122

Integrity and Authentication ....................................................................................... 122

Objectives .................................................................................................................... 122

Introduction ................................................................................................................. 123

Message Authentication Code (MAC)......................................................................... 123

Hash Functions ........................................................................................................... 125

Secure Hash Standard ................................................................................................. 127

Secure Hash Algorithm: SHA-1 ..................................................................................131

MD5 Message Digest Algorithm ................................................................................. 137

Keyed-Hash Message Authentication Code (HMAC) ................................................. 138

Authentication (Digital Signatures) ............................................................................ 141

Digital Signature Standard (FIPS 186-2) ................................................................... 143

Digital Signature Algorithm (ANSI X9.30) ................................................................. 143

RSA Digital Signature (ANSI X9.31) .......................................................................... 145

Elliptic Curve Digital Signature Algorithm (ANSI X9.62) .......................................... 146

ElGamal Digital Signature ......................................................................................... 146

Summary ..................................................................................................................... 148

Learning Objectives Review ....................................................................................... 148

References ................................................................................................................... 150

Chapter VII. Access Authentication ......................................................................... 152

Access Authentication ................................................................................................. 152

Objectives .................................................................................................................... 152

Introduction ................................................................................................................. 153

Authentication Concepts ............................................................................................. 154

  

IEEE 802.1X Authentication ....................................................................................... 155

Extensible Authentication Protocol (EAP) .................................................................. 157

Other Password Mechanisms ...................................................................................... 167

Password Security Considerations ............................................................................. 169

EAP Authentication Servers ........................................................................................ 171

Remote Authentication Dial-In User Service (RADIUS) ............................................ 171

Needham and Schroeder ............................................................................................. 173

Kerberos ...................................................................................................................... 174

  

ITU-T X.509: Authentication Framework ...................................................................177

  

Hash and Encryption Recommendations .................................................................... 182

Summary ..................................................................................................................... 184

Learning Objectives Review ....................................................................................... 185

References ................................................................................................................... 187

  

Chapter VIII. Elliptic Curve Cryptography...........................................................189

Elliptic Curve Cryptography ....................................................................................... 189

Objectives .................................................................................................................... 189

Introduction ................................................................................................................. 190

Finite Fields ................................................................................................................ 192

Elliptic Curves and Points .......................................................................................... 193

Arithmetic in an Elliptic Curve Group over F_p ........................................................ 194

Arithmetic in an Elliptic Curve Group over F_2^m .................................................... 196

Order of a Point .......................................................................................................... 198

Curve Order ................................................................................................................ 199

Selecting an Elliptic Curve and G, the Generator Point ............................................ 199

Elliptic Curve Domain Parameters ............................................................................ 200

Elliptic Curve Domain Parameters over F_p ............................................................. 201

Elliptic Curve Domain Parameters over F_2^m ......................................................... 202

Cryptography Using Elliptic Curves .......................................................................... 202

Attacks on the Elliptic Curve Discrete Logarithm Problem (ECDLP) ....................... 203

  

Public Key Systems Public Key Size Comparisons ..................................................... 206

Software Implementations ........................................................................................... 207

Key Pair Generation ................................................................................................... 207

Enciphering and Deciphering a Message Using ElGamal ......................................... 208

ECDH Key Agreement ................................................................................................ 210

ECDSA Signature Generation ..................................................................................... 211

ECDSA Signature Verification .................................................................................... 211

EC Cipher Suites ......................................................................................................... 212

Summary ..................................................................................................................... 214

Learning Objectives Review ....................................................................................... 214

References ................................................................................................................... 215

  

Chapter IX. Certificates and Public Key Infrastructure........................................217

Certificates and Public Key Infrastructure .................................................................217

Objectives .................................................................................................................... 217

Introduction ................................................................................................................. 218

X.509 Basic Certificate Fields ....................................................................................219

RSA Certification.........................................................................................................220

Cylink (Seek) Certification ..........................................................................................220

Cylink Certification Based on ElGamal ......................................................................222

Variation of ElGamal Certification .............................................................................223

Public-Key Infrastructure (PKI) ................................................................................. 226

PKI Management Model ............................................................................................. 227

PKI Management Requirements ................................................................................. 230

Certificate Life-Cycle ..................................................................................................231

PKI Management Operations ..................................................................................... 231

CRL Basic Fields ........................................................................................................ 236

  

CA Trust Models ......................................................................................................... 237

Encryption Algorithms Supported in PKI ................................................................... 240

Private Key Proof of Possession (POP) ..................................................................... 242

Two Models for PKI Deployment ................................................................................ 242

Summary ..................................................................................................................... 243

Learning Objectives Review ....................................................................................... 243

References ................................................................................................................... 245

  

Chapter X. Electronic Mail Security........................................................................246

Electronic Mail Security ............................................................................................. 246

Objectives .................................................................................................................... 246

Introduction ................................................................................................................. 247

Pretty Good Privacy (PGP) ........................................................................................ 247

PGP E-Mail Compatibility.......................................................................................... 248

RADIX 64: E-Mail Format Compatibility ..................................................................248

E-Mail Size Compatibility ........................................................................................... 250

Key Rings .................................................................................................................... 250

PGP Digital Certificates .............................................................................................251

Establishment of Trust................................................................................................. 253

Secure MIME (S/MIME) ............................................................................................. 256

S/MIME Message Formats ......................................................................................... 258

Creating a Signed-Only Message ............................................................................... 258

Creating an Enveloped-Only Message ....................................................................... 261

Signed and Enveloped MIME Entities ........................................................................ 262

Summary ..................................................................................................................... 262

Learning Objectives Review ....................................................................................... 263

References ................................................................................................................... 265

Chapter XI. VPNS and IPSEC.................................................................................266

VPNS and IPSEC ........................................................................................................ 266

Objectives .................................................................................................................... 266

Introduction ................................................................................................................. 267

VPN Services ............................................................................................................... 268

IP Tunneling Mechanisms ........................................................................................... 269

IPsec .......................................................................................................................... 269

IPsec Architecture ....................................................................................................... 270

IPsec Protocols ........................................................................................................... 271

IPsec Negotiation ........................................................................................................ 272

Security Associations .................................................................................................. 273

Security Protocols ....................................................................................................... 274

Authentication Header ................................................................................................ 275

Encapsulating Security Protocol (ESP) ...................................................................... 277

AH and ESP Modes of Operation ............................................................................... 280

Algorithms for Encryption and Authentication in IPsec ............................................. 281

Internet Key Exchange (IKE v2) ................................................................................. 281

IKE Message Exchanges ............................................................................................. 283

IKE_SA_INIT .............................................................................................................. 284

IKE_SA_AUTH ........................................................................................................... 285

  

CREATE_CHILD_SAs ................................................................................................ 286

Informational Exchange in IKE .................................................................................. 288

Integrity and Authentication in IKE ............................................................................ 290

Diffie-Hellman Group Descriptors .............................................................................291

  

IPsec and IKE v2 Identifiers .......................................................................................293

Summary ..................................................................................................................... 297

Learning Objectives Review ....................................................................................... 297

References ................................................................................................................... 299

  

Chapter XII. TLS, SSL, and SET.............................................................................300

TLS, SSL, and SET ...................................................................................................... 300

Objectives .................................................................................................................... 300

Introduction ................................................................................................................. 301

Transport Layer Security (TLS) .................................................................................. 302

Handshake Protocol .................................................................................................... 305

Alert Message Protocol ............................................................................................... 312

Change Cipher Spec Protocol ..................................................................................... 313

Application Protocol ................................................................................................... 313

SSL VPN ...................................................................................................................... 314

Secure Electronic Transaction Protocol (SET) ........................................................... 315

Summary ..................................................................................................................... 330

Learning Objectives Review ....................................................................................... 331

References ................................................................................................................... 332

Chapter XIII. Web Services Security.......................................................................334

Web Services Security ................................................................................................. 334

Objectives .................................................................................................................... 334

Web Services ............................................................................................................... 335

Extensible Markup Language, XML ........................................................................... 338

Simple Object Access Protocol (SOAP) ...................................................................... 341

Universal Discovery, Description, and Integration (UDDI) ...................................... 342

Web Services Description Language, WSDL .............................................................. 343

Web Services Security ................................................................................................. 344

XML Security............................................................................................................... 345

XML Encryption .......................................................................................................... 345

XML Signature ............................................................................................................ 361

XML Key Management Specification ..........................................................................375

Security Assertion Markup Languages (SAML).......................................................... 389

Web Services Security Language (WS-Security) ......................................................... 395

Summary ..................................................................................................................... 405

Learning Objectives Review ....................................................................................... 406

References ................................................................................................................... 407

Chapter XIV. Wireless Security................................................................................409

Wireless Security ......................................................................................................... 409

Objectives .................................................................................................................... 409

Introduction ................................................................................................................. 409

WIMAX (IEEE 802.16e) Security ............................................................................... 412

Wi-Fi .......................................................................................................................... 420

IEEE 802.11 Wireless LAN ........................................................................................... 422

802.11i: WLAN Security Enhancement .......................................................................424

Wi-Fi Protected Access (WPA or WPA1) and WPA2 ................................................... 425

Bluetooth ..................................................................................................................... 436

Summary ..................................................................................................................... 443

Learning Objectives Review ....................................................................................... 444

References ................................................................................................................... 445

Glossary of Terms ...................................................................................................... 447

About the Author ....................................................................................................... 467

Index ............................................................................................................................ 468

Foreword

  Having spent most of my adult life working with the design, development, production, and deployment of secure communications equipment and networks used by over 90 countries and many multinationals, it is an honor and pleasure to write this foreword. It is quite striking that as I draft this piece, TJX Companies, Inc. revealed some 45.6 million credit and debit card numbers were stolen from two of its systems over the better part of two years. This happening in fact is just one in a long series of information compromises—albeit a big one—that could have been mitigated via the application of cryptographic tools, policies, and procedures.

  Because we live in a world today where we basically have a ONE to ALL relationship via the interconnectivity of the Internet, the two fundamentals of good security—BORDERS AND TRUST—take on new meaning. This new dynamic in security requires the application of cryptographic tools and practices regarding information, and the access, use, storage, transmission, and destruction of that information over its life cycle. In fact this problem will only grow as: (1) assets move from the physical to the virtual realm (bits and bytes), (2) information grows at a rate of 2+ exabytes a year—a “target rich” environment, and (3) more and more of the world’s population becomes “connected.”

  As most professionals know, comprehensive, understandable, and easy to read treatises on complex, mathematically based subject matter are usually few and far between. So too with cryptography. However, with this volume professor Mogollon not only addresses the historical foundations of cryptographic tools and methods, but delivers a very clear and understandable picture of the breadth and depth of secure communications today. And he does this while providing very clear graphics on how historical and modern approaches and systems work. The clarity of these examples and the understanding they impart is unparalleled in technical literature.

  This book is a must read for all professionals as the application of the tools and methods discussed herein are a required “best practice” today. And it will serve as a useful reference for years to come.

  Dr. John H. Nugent, CPA, CFE, CISM, FCPA Director of the Center of Information Assurance, University of Dallas

Preface

  Information assurance, the body of knowledge, policies, processes, practices, and tools that provide reasonable assurance that one’s information and communications are used only as intended and only by authorized parties, has become a complex discipline. Today, because of Internet interconnectivity, we live in a world where one may reach all. Such interconnectivity and attendant vulnerabilities require that IT managers and end-users have an understanding of the risks and solutions available to better protect their information and operations. This volume was written to address these issues.