Cryptography and Security Services: Mechanisms and Applications
Manuel Mogollon
University of Dallas, USA
CyberTech Publishing
Acquisition Editor: Kristin Klinger
Senior Managing Editor: Jennifer Neidig
Managing Editor: Sara Reed
Development Editor: Kristin M. Roth
Assistant Development Editor: Meg Stocking
Editorial Assistant: Deborah Yahnke
Copy Editor: Erin Meyer
Typesetter: Jeff Ash
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.
Published in the United States of America by CyberTech Publishing (an imprint of IGI Global)
701 E. Chocolate Avenue, Hershey PA 17033
Tel: 717-533-8845 Fax: 717-533-8661
E-mail: cust@igi-pub.com
Web site: http://www.cybertech-pub.com
and in the United Kingdom by CyberTech Publishing (an imprint of IGI Global)
3 Henrietta Street, Covent Garden, London WC2E 8LU
Tel: 44 20 7240 0856 Fax: 44 20 7379 0609
Web site: http://www.eurospanonline.com
Copyright © 2007 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this book are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.
Library of Congress Cataloging-in-Publication Data
Mogollon, Manuel. Cryptography and security services : mechanisms and applications / Manuel Mogollon. p. cm.
Summary: "This book addresses cryptography from the perspective of security services and mechanisms available to implement them: discussing issues such as e-mail security, public-key architecture, virtual private networks, Web services security, wireless security, and confidentiality and integrity. It provides scholars and practitioners working knowledge of fundamental encryption algorithms and systems supported in information technology and secure communication networks"--Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-837-6 (hardcover) -- ISBN 978-1-59904-839-0 (ebook)
1. Computers--Access control. 2. Data encryption (Computer science) I. Title.
QA76.9.A25M663 2007 005.8--dc22
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
All work contributed to this book is original material. The views expressed in this book are those of the authors,
but not necessarily of the publisher.
Table of Contents
Foreword......................................................................................................................... x
Preface............................................................................................................................xi
Acknowledgment.......................................................................................................... xv
Chapter I. Classic Cryptography ..................................................................................... 1
Classic Cryptography ..................................................................................................... 1
Objectives ........................................................................................................................ 1
Introduction ..................................................................................................................... 1
Classic Cipher Techniques .............................................................................................. 3
Early Cipher Machines ................................................................................................... 6
Cryptanalysis in World War II ...................................................................................... 12
Summary ....................................................................................................................... 12
Learning Objectives Review ......................................................................................... 13
References ..................................................................................................................... 14
Chapter II. Information Assurance ................................................................................ 15
Information Assurance ................................................................................................... 15
Objectives ...................................................................................................................... 15
Introduction ................................................................................................................... 15
Computer Network Architecture ................................................................................... 16
The OSI Model .............................................................................................................. 17
The TCP/IP Model ........................................................................................................ 20
Security Policies, Services, and Mechanisms ............................................................... 22
Placeholder Names Used in Cryptography .................................................................. 26
The Transformation of the Crypto Industry .................................................................. 27
U.S. Export Regulations for Encryption Equipment ..................................................... 29
Summary ....................................................................................................................... 30
Learning Objectives Review ......................................................................................... 31
References ..................................................................................................................... 32
Chapter III. Number Theory and Finite Fields ............................................................ 33
Number Theory and Finite Fields ................................................................................. 33
Objectives ...................................................................................................................... 33
Introduction ................................................................................................................... 33
Principle of Counting .................................................................................................... 34
Exponentiation and Prime Numbers ............................................................................. 35
The Euclidean Algorithm .............................................................................................. 35
Congruence Arithmetic ................................................................................................. 36
Summary of Properties .................................................................................................. 41
Calculation of the Reciprocal (Multiplicative Inverse) ................................................ 42
Multiplication and Exponentiation in Modulo p ........................................................... 43
RSA Algorithm ............................................................................................................... 45
Finite Fields .................................................................................................................. 45
Boolean Binary Expressions ......................................................................................... 48
Summary ....................................................................................................................... 49
Learning Objectives Review ......................................................................................... 49
References ..................................................................................................................... 50
Chapter IV. Confidentiality: Symmetric Encryption................................................51
Confidentiality: Symmetric Encryption .......................................................................... 51
Objectives ...................................................................................................................... 51
Introduction ................................................................................................................... 52
Crypto Systems .............................................................................................................. 54
Stream Cypher Symmetric Encryption .......................................................................... 54
Basic Theory of Enciphering ........................................................................................ 58
Perfect Secrecy .............................................................................................................. 62
Shift Registers ............................................................................................................... 64
Block Encryption Algorithms ........................................................................................ 80
Block Cipher Modes of Operation ................................................................................ 90
Summary ....................................................................................................................... 97
Learning Objectives Review ......................................................................................... 97
References ..................................................................................................................... 99
Chapter V. Confidentiality: Asymmetric Encryption.............................................101
Confidentiality: Asymmetric Encryption ...................................................................... 101
Objectives .................................................................................................................... 101
Introduction ................................................................................................................. 102
Exponentiation and Public-Key Ciphers .................................................................... 104
Pohlig-Hellman Algorithm .......................................................................................... 105
The RSA Algorithm ...................................................................................................... 106
ElGamal Algorithm ..................................................................................................... 109
Key Management ........................................................................................................ 110
Security Services and Public-Key Encryption ............................................................ 110
Combining Asymmetric and Symmetric Ciphers ........................................................ 110
The Diffie-Hellman Key Agreement System .................................................................111
The Diffie-Hellman Key Agreement Method ............................................................... 114
The RSA Key Transport System ................................................................................... 115
Variation of ElGamal System ...................................................................................... 116
Summary ..................................................................................................................... 118
Learning Objectives Review ....................................................................................... 119
References ................................................................................................................... 121
Chapter VI. Integrity and Authentication ................................................................... 122
Integrity and Authentication ....................................................................................... 122
Objectives .................................................................................................................... 122
Introduction ................................................................................................................. 123
Message Authentication Code (MAC)......................................................................... 123
Hash Functions ........................................................................................................... 125
Secure Hash Standard ................................................................................................. 127
Secure Hash Algorithm: SHA-1 ..................................................................................131
MD5 Message Digest Algorithm ................................................................................. 137
Keyed-Hash Message Authentication Code (HMAC) ................................................. 138
Authentication (Digital Signatures) ............................................................................ 141
Digital Signature Standard (FIPS 186-2) ................................................................... 143
Digital Signature Algorithm (ANSI X9.30) ................................................................. 143
RSA Digital Signature (ANSI X9.31) .......................................................................... 145
Elliptic Curve Digital Signature Algorithm (ANSI X9.62) .......................................... 146
ElGamal Digital Signature ......................................................................................... 146
Summary ..................................................................................................................... 148
Learning Objectives Review ....................................................................................... 148
References ................................................................................................................... 150
Chapter VII. Access Authentication ............................................................................ 152
Access Authentication ................................................................................................. 152
Objectives .................................................................................................................... 152
Introduction ................................................................................................................. 153
Authentication Concepts ............................................................................................. 154
IEEE 802.1X Authentication ....................................................................................... 155
Extensible Authentication Protocol (EAP) .................................................................. 157
Other Password Mechanisms ...................................................................................... 167
Password Security Considerations ............................................................................. 169
EAP Authentication Servers ........................................................................................ 171
Remote Authentication Dial-In User Service (RADIUS) ............................................ 171
Needham and Schroeder ............................................................................................. 173
Kerberos ...................................................................................................................... 174
ITU-T X.509: Authentication Framework ...................................................................177
Hash and Encryption Recommendations .................................................................... 182
Summary ..................................................................................................................... 184
Learning Objectives Review ....................................................................................... 185
References ................................................................................................................... 187
Chapter VIII. Elliptic Curve Cryptography...........................................................189
Elliptic Curve Cryptography ....................................................................................... 189
Objectives .................................................................................................................... 189
Introduction ................................................................................................................. 190
Finite Fields ................................................................................................................ 192
Elliptic Curves and Points .......................................................................................... 193
Arithmetic in an Elliptic Curve Group over F_p ......................................................... 194
Arithmetic in an Elliptic Curve Group over F_2^m ..................................................... 196
Order of a Point ........................................................................................................... 198
Curve Order ................................................................................................................. 199
Selecting an Elliptic Curve and G, the Generator Point ............................................ 199
Elliptic Curve Domain Parameters ............................................................................. 200
Elliptic Curve Domain Parameters over F_p .............................................................. 201
Elliptic Curve Domain Parameters over F_2^m ......................................................... 202
Cryptography Using Elliptic Curves ........................................................................... 202
Attacks on the Elliptic Curve Discrete Logarithm Problem (ECDLP) ....................... 203
Public Key Systems Public Key Size Comparisons ..................................................... 206
Software Implementations ........................................................................................... 207
Key Pair Generation ................................................................................................... 207
Enciphering and Deciphering a Message Using ElGamal ......................................... 208
ECDH Key Agreement ................................................................................................ 210
ECDSA Signature Generation ..................................................................................... 211
ECDSA Signature Verification .................................................................................... 211
EC Cipher Suites ......................................................................................................... 212
Summary ..................................................................................................................... 214
Learning Objectives Review ....................................................................................... 214
References ................................................................................................................... 215
Chapter IX. Certificates and Public Key Infrastructure........................................217
Certificates and Public Key Infrastructure .................................................................. 217
Objectives .................................................................................................................... 217
Introduction ................................................................................................................. 218
X.509 Basic Certificate Fields ....................................................................................219
RSA Certification.........................................................................................................220
Cylink (Seek) Certification ..........................................................................................220
Cylink Certification Based on ElGamal ......................................................................222
Variation of ElGamal Certification .............................................................................223
Public-Key Infrastructure (PKI) ................................................................................. 226
PKI Management Model ............................................................................................. 227
PKI Management Requirements ................................................................................. 230
Certificate Life-Cycle ..................................................................................................231
PKI Management Operations ..................................................................................... 231
CRL Basic Fields ........................................................................................................ 236
CA Trust Models ......................................................................................................... 237
Encryption Algorithms Supported in PKI ................................................................... 240
Private Key Proof of Possession (POP) ..................................................................... 242
Two Models for PKI Deployment ................................................................................ 242
Summary ..................................................................................................................... 243
Learning Objectives Review ....................................................................................... 243
References ................................................................................................................... 245
Chapter X. Electronic Mail Security........................................................................246
Electronic Mail Security .............................................................................................. 246
Objectives .................................................................................................................... 246
Introduction ................................................................................................................. 247
Pretty Good Privacy (PGP) ........................................................................................ 247
PGP E-Mail Compatibility.......................................................................................... 248
RADIX 64: E-Mail Format Compatibility ..................................................................248
E-Mail Size Compatibility ........................................................................................... 250
Key Rings .................................................................................................................... 250
PGP Digital Certificates .............................................................................................251
Establishment of Trust................................................................................................. 253
Secure MIME (S/MIME) ............................................................................................. 256
S/MIME Message Formats ......................................................................................... 258
Creating a Signed-Only Message ............................................................................... 258
Creating an Enveloped-Only Message ........................................................................ 261
Signed and Enveloped MIME Entities ........................................................................ 262
Summary ..................................................................................................................... 262
Learning Objectives Review ....................................................................................... 263
References ................................................................................................................... 265
Chapter XI. VPNS and IPSEC.................................................................................266
VPNS and IPSEC ......................................................................................................... 266
Objectives .................................................................................................................... 266
Introduction ................................................................................................................. 267
VPN Services ............................................................................................................... 268
IP Tunneling Mechanisms ........................................................................................... 269
IPsec .......................................................................................................................... 269
IPsec Architecture ....................................................................................................... 270
IPsec Protocols ........................................................................................................... 271
IPsec Negotiation ........................................................................................................ 272
Security Associations .................................................................................................. 273
Security Protocols ....................................................................................................... 274
Authentication Header ................................................................................................ 275
Encapsulating Security Protocol (ESP) ...................................................................... 277
AH and ESP Modes of Operation ............................................................................... 280
Algorithms for Encryption and Authentication in IPsec ............................................. 281
Internet Key Exchange (IKE v2) ................................................................................. 281
IKE Message Exchanges ............................................................................................. 283
IKE_SA_INIT .............................................................................................................. 284
IKE_SA_AUTH ........................................................................................................... 285
CREATE_CHILD_SAs ................................................................................................ 286
Informational Exchange in IKE .................................................................................. 288
Integrity and Authentication in IKE ............................................................................ 290
Diffie-Hellman Group Descriptors .............................................................................291
IPsec and IKE v2 Identifiers .......................................................................................293
Summary ..................................................................................................................... 297
Learning Objectives Review ....................................................................................... 297
References ................................................................................................................... 299
Chapter XII. TLS, SSL, and SET.............................................................................300
TLS, SSL, and SET ....................................................................................................... 300
Objectives .................................................................................................................... 300
Introduction ................................................................................................................. 301
Transport Layer Security (TLS) .................................................................................. 302
Handshake Protocol .................................................................................................... 305
Alert Message Protocol ............................................................................................... 312
Change Cipher Spec Protocol ..................................................................................... 313
Application Protocol ................................................................................................... 313
SSL VPN ...................................................................................................................... 314
Secure Electronic Transaction Protocol (SET) ........................................................... 315
Summary ..................................................................................................................... 330
Learning Objectives Review ....................................................................................... 331
References ................................................................................................................... 332
Chapter XIII. Web Services Security.......................................................................334
Web Services Security .................................................................................................. 334
Objectives .................................................................................................................... 334
Web Services ............................................................................................................... 335
Extensible Markup Language, XML ........................................................................... 338
Simple Object Access Protocol (SOAP) ...................................................................... 341
Universal Discovery, Description, and Integration (UDDI) ...................................... 342
Web Services Description Language, WSDL .............................................................. 343
Web Services Security ................................................................................................. 344
XML Security............................................................................................................... 345
XML Encryption .......................................................................................................... 345
XML Signature ............................................................................................................ 361
XML Key Management Specification ..........................................................................375
Security Assertion Markup Languages (SAML).......................................................... 389
Web Services Security Language (WS-Security) ......................................................... 395
Summary ..................................................................................................................... 405
Learning Objectives Review ....................................................................................... 406
References ................................................................................................................... 407
Chapter XIV. Wireless Security................................................................................409
Wireless Security .......................................................................................................... 409
Objectives .................................................................................................................... 409
Introduction ................................................................................................................. 409
WIMAX (IEEE 802.16e) Security ............................................................................... 412
Wi-Fi .......................................................................................................................... 420
IEEE 802.11 Wireless LAN ........................................................................................... 422
802.11i: WLAN Security Enhancement ....................................................................... 424
Wi-Fi Protected Access (WPA or WPA1) and WPA2 ................................................... 425
Bluetooth ..................................................................................................................... 436
Summary ..................................................................................................................... 443
Learning Objectives Review ....................................................................................... 444
References ................................................................................................................... 445
Glossary of Terms ...................................................................................................... 447
About the Author ....................................................................................................... 467
Index ............................................................................................................................ 468
Foreword
Having spent most of my adult life working with the design, development, production, and deployment of secure communications equipment and networks used by over 90 countries and many multinationals, it is an honor and pleasure to write this foreword. It is quite striking that as I draft this piece, TJX Companies, Inc. revealed some 45.6 million credit and debit card numbers were stolen from two of its systems over the better part of two years. This happening in fact is just one in a long series of information compromises—albeit a big one—that could have been mitigated via the application of cryptographic tools, policies, and procedures.

Because we live in a world today where we basically have a ONE to ALL relationship via the interconnectivity of the Internet, the two fundamentals of good security—BORDERS AND TRUST—take on new meaning. This new dynamic in security requires the application of cryptographic tools and practices regarding information, and the access, use, storage, transmission, and destruction of that information over its life cycle. In fact this problem will only grow as: (1) assets move from the physical to the virtual realm (bits and bytes), (2) information grows at a rate of 2+ exabytes a year—a “target rich” environment, and (3) more and more of the world’s population becomes “connected.”

As most professionals know, comprehensive, understandable, and easy to read treatises on complex, mathematically based subject matter are usually few and far between. So too with cryptography. However, with this volume professor Mogollon not only addresses the historical foundations of cryptographic tools and methods, but delivers a very clear and understandable picture of the breadth and depth of secure communications today. And he does this while providing very clear graphics on how historical and modern approaches and systems work. The clarity of these examples and the understanding they impart is unparalleled in technical literature.
This book is a must read for all professionals as the application of the tools and methods discussed herein are a required “best practice” today. And it will serve as a useful reference for years to come.
Dr. John H. Nugent, CPA, CFE, CISM, FCPA Director of the Center of Information Assurance, University of Dallas
Preface
Information assurance, the body of knowledge, policies, processes, practices, and tools that provide reasonable assurance that one’s information and communications are used only as intended and only by authorized parties, has become a complex discipline. Today, because of Internet interconnectivity, we live in a world where one may reach all. Such interconnectivity and attendant vulnerabilities require that IT managers and end-users have an understanding of the risks and solutions available to better protect their information and operations. This volume was written to address these issues.