Encryption standards
· OpenPGP
Hash standards
Digital signature standards
· RSA
Public-key infrastructure (PKI) standards
Wireless Standards
The MD5 message-digest algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. MD5 has been utilized in a wide variety of security applications, and is also commonly used to check data integrity. MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash value is typically expressed as a hexadecimal number, 32 digits long.
However, it has since been shown that MD5 is not collision resistant;[3] as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found in the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1, which has since been found to be vulnerable as well. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable: specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum.[4][5] Further advances were made in breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and the CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions.[10]
Data Encryption Standard
DES is now considered insecure because a brute force attack is possible (see EFF DES cracker). As of 2008, the best analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts and has a time complexity of 2^39 to 2^43 (Junod, 2001).
The Data Encryption Standard (DES, /ˌdiːˌiːˈɛs/ or /ˈdɛz/) is a previously predominant algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the National Security Agency (NSA), the NBS eventually selected a slightly modified version, which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, nourishing suspicions about a backdoor. The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis.
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn as a standard by the National Institute of Standards and Technology (formerly the National Bureau of Standards).
Some documentation makes a distinction between DES as a standard and DES as an algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).
History of DES
The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's computer security needs, the US standards body NBS (National Bureau of Standards), now named NIST (National Institute of Standards and Technology), identified a need for a government-wide standard for encrypting unclassified, sensitive information.[1] Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, IBM submitted a candidate which was deemed acceptable: a cipher developed during the period 1973–1974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.
Triple DES
From Wikipedia, the free encyclopedia
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[4] It is based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process.[6] Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES),[7] which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
In the United States, AES was announced by the NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001.[4] This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable (see Advanced Encryption Standard process for more details). It became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).
RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it wasn't declassified until 1997.[1]
A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.[2] Whether breaking RSA encryption is as hard as factoring is an open question known as the RSA problem.
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.
CipherSaber is a simple symmetric encryption protocol based on the RC4 stream cipher. Its goals are both technical and political: it gives reasonably strong protection of message confidentiality, yet it's designed to be simple enough that even novice programmers can memorize the algorithm and implement it from scratch. According to the designer, a CipherSaber version in the QBASIC programming language takes just sixteen lines of code. Its political aspect is that because it's so simple, it can be reimplemented anywhere at any time, and so it provides a way for users to communicate privately even if government or other controls make distribution of normal cryptographic software completely impossible.
In cryptography, SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST[2] as a U.S. Federal Information Processing Standard. SHA-1 produces a 160-bit (20-byte) hash value. A SHA-1 hash value is typically expressed as a hexadecimal number, 40 digits long.
SHA stands for "secure hash algorithm". The four SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols.
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use.[3] NIST required many applications in federal agencies to move to SHA-2 after 2010 because of the weakness.[4] Although no successful attacks have yet been reported on SHA-2, they are algorithmically similar to SHA-1. In 2012, following a long-running competition, NIST selected an additional algorithm, Keccak, for standardization as SHA-3.[5][6]
SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the U.S. National Security Agency (NSA) and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. A hash function is an algorithm that transforms (hashes) an arbitrary set of data elements, such as a text file, into a single fixed length value (the hash). The computed hash value may then be used to verify the integrity of copies of the original data without providing any means to derive said original data. This irreversibility means that a hash value may be freely distributed or stored, as it is used for comparative purposes only. SHA stands for Secure Hash Algorithm. SHA-2 includes a significant number of changes from its predecessor, SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384 or 512 bits.
The security provided by a hashing algorithm is entirely dependent upon its ability to produce a unique value for any specific set of data. When a hash function produces the same hash value for two different sets of data then a collision is said to occur. Collision raises the possibility that an attacker may be able to computationally craft sets of data which provide access to information secured by the hashed values of pass codes or to alter computer data files in a fashion that would not change the resulting hash value and would thereby escape detection. A strong hash function is one that is resistant to such computational attacks. A weak hash function is one where a computational approach to producing collisions is believed to be possible. A broken hash function is one where a computational method for producing collisions is known to exist.
In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.[2] Although SHA-2 bears some similarity to the SHA-1 algorithm, these attacks have not been successfully extended to SHA-2.
The NIST hash function competition selected a new hash function, SHA-3, in 2012.[3] The SHA-3 algorithm is not derived from SHA-2.
In cryptography, a keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.
An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be truncated if desired.
The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk,[1] who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely if ever used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols.
In cryptography, a key derivation function (or KDF) derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function.[1][2] Keyed cryptographic hash functions are popular examples of pseudo-random functions used for key derivation.[3]
The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS) and adopted as FIPS 186 in 1993.[1] Four revisions to the initial specification have been released: FIPS 186-1 in 1996,[2] FIPS 186-2 in 2000,[3] FIPS 186-3 in 2009,[4] and FIPS 186-4 in 2013.[5]
DSA is covered by U.S. Patent 5,231,668, filed July 26, 1991 and attributed to David W. Kravitz,[6] a former NSA employee. This patent was given to "The United States of America as represented by the Secretary of Commerce, Washington, D.C.", and NIST has made this patent available worldwide royalty-free.[7] Claus P. Schnorr claims that his U.S. Patent 4,995,082 (expired) covered DSA; this claim is disputed.[8] DSA is a variant of the ElGamal Signature Scheme.
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network.[1] WEP, recognizable by the key of 10 or 26 hexadecimal digits, was at one time widely in use and was often the first security choice presented to users by router configuration tools.[2][3]
Although its name implies that it is as secure as a wired connection, WEP has been demonstrated to have numerous flaws and has been deprecated in favour of newer standards such as WPA2. In 2003 the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 "have been deprecated as they fail to meet their security goals".[4]
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).[1]
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be bypassed and effectively broken in many situations.[2] WPA and WPA2 security implemented without using the Wi-Fi Protected Setup feature are unaffected by the security vulnerability.
WPA
The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. WPA could be implemented through firmware upgrades on wireless network interface cards designed for WEP that began shipping as far back as 1999. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA.
The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.[3]
WPA also includes a message integrity check. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled.[4] Well tested message authentication codes existed to solve these problems, but they required too much computation to be used on old network cards. WPA uses a message integrity check algorithm called Michael to verify the integrity of the packets. Michael is much stronger than a CRC, but not as strong as the algorithm used in WPA2. Researchers have since discovered a flaw in WPA that relied on older weaknesses in WEP and the limitations of Michael to retrieve the keystream from short packets to use for re-injection and spoofing.[5]
WPA2
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security.[6] Certification began in September 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.[7]
Hardware support
WPA was specifically designed to work with wireless hardware that was produced prior to the introduction of the WPA protocol,[8] which had only supported inadequate security through WEP. Some of these devices support the security protocol only after a firmware upgrade. Firmware upgrades are not available for some legacy devices.[8]
Wi-Fi devices certified since 2006 support both the WPA and WPA2 security protocols. WPA2 may not work with some older network cards.
Security
Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server.[9] Each wireless network device encrypts the network traffic using a 256-bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII characters are used, the 256-bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[11]
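The PSK derivation just described, built up from the two constructions the page introduced earlier (HMAC from a hash function and a key, and a KDF driven by HMAC as its pseudo-random function), as an added example that is not code from the page or from any of the projects it cites. HMAC follows RFC 2104 and PBKDF2 follows RFC 2898; the function names (hmac_rfc2104, pbkdf2_hmac_sha1, wpa_psk, parse_psk_setting, cross_check) are my own, and the "password"/"IEEE" pair is the published IEEE 802.11i-2004 PSK test vector. The hand-written primitives are cross-checked against Python's hmac and hashlib.

```python
import hashlib
import hmac as stdlib_hmac  # used only to cross-check the hand-written version
import struct


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1", truncate_to: int = 0) -> bytes:
    """HMAC as in RFC 2104: H((K' xor opad) || H((K' xor ipad) || message)).

    K' is the key brought to exactly one hash block (512 bits for MD5 and SHA-1):
    longer keys are hashed first, shorter keys are zero-padded.
    """
    h = lambda data: hashlib.new(hash_name, data).digest()
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    mac = h(opad + h(ipad + message))
    # The output is the hash size (16 bytes MD5, 20 bytes SHA-1) unless truncated.
    return mac[:truncate_to] if truncate_to else mac


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1 as the pseudo-random function.

    Each 20-byte block is T_i = U_1 xor U_2 xor ... xor U_c, where
    U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}); 32 bytes need two blocks.
    """
    derived = b""
    block_index = 1
    while len(derived) < dk_len:
        u = hmac_rfc2104(password, salt + struct.pack(">I", block_index), "sha1")
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_rfc2104(password, u, "sha1")
            t = bytearray(a ^ b for a, b in zip(t, u))
        derived += bytes(t)
        block_index += 1
    return derived[:dk_len]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA-Personal PSK: PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:  # 802.11 limits an SSID to 32 octets
        raise ValueError("SSID must be 1 to 32 bytes")
    # Because the SSID is the salt, a precomputed table only ever covers one network name.
    return pbkdf2_hmac_sha1(passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def parse_psk_setting(value: str, ssid: str) -> bytes:
    """Accept either form a router config allows: 64 hex digits (the raw key) or a passphrase."""
    if len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def cross_check() -> dict:
    """Compare the hand-written primitives with the standard library on a few inputs."""
    msg = b"The quick brown fox jumps over the lazy dog"
    long_key = b"k" * 100  # longer than one block, so it must be hashed first
    return {
        "hmac_md5": hmac_rfc2104(b"key", msg, "md5") == stdlib_hmac.new(b"key", msg, "md5").digest(),
        "hmac_sha1_long_key": hmac_rfc2104(long_key, msg) == stdlib_hmac.new(long_key, msg, "sha1").digest(),
        "pbkdf2": pbkdf2_hmac_sha1(b"password", b"IEEE", 4096, 32)
        == hashlib.pbkdf2_hmac("sha1", b"password", b"IEEE", 4096, 32),
    }


if __name__ == "__main__":
    # "password" on SSID "IEEE" is the first PSK test vector published in IEEE 802.11i-2004.
    print("PSK:", wpa_psk("password", "IEEE").hex())
    print("cross-checks:", cross_check())
```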
Weak password
Shared-key WPA remains vulnerable to password cracking attacks if users rely on a weak password or passphrase.
To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient.[12] To further protect against intrusion, the network's SSID should not match any entry in the top 1000 SSIDs,[13] as downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.[14]
WPA short packet spoofing
In November 2008 Erik Tews and Martin Beck, researchers at two German technical universities (TU Dresden and TU Darmstadt), uncovered a WPA weakness[15] which relies on a previously known flaw in WEP that can be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages. The attack requires Quality of Service (as defined in 802.11e) to be enabled, which allows packet prioritization as defined. The flaw does not lead to recovery of a key, but only to recovery of a keystream that was used to encrypt a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets, making the victim send packets to the open Internet. Two Japanese computer scientists, Toshihiro Ohigashi and Masakatu Morii, further optimized the Tews/Beck attack;[16] they showed that, when using a man-in-the-middle position, the attack doesn't require Quality of Service to be enabled. In October 2009, Halvorsen and others made further progress, enabling attackers to inject larger malicious packets (596 bytes in size) within approximately 18 minutes and 25 seconds.[17] In February 2010 Martin Beck described a vulnerability which allows an attacker to decrypt all traffic towards the client, though he did not implement and test it.[18] In May 2013 Mathy Vanhoef and Frank Piessens built on the ideas of Martin Beck and implemented three additional attacks. They demonstrated how fragmentation can be used to inject an arbitrary amount of packets, and showed in practice how to decrypt all traffic sent to a client.[19] Their attacks do not require QoS to be enabled and do not require a man-in-the-middle position. The authors say using a short rekeying interval can prevent some attacks but not all, and strongly recommend switching from TKIP to AES-based CCMP.
The vulnerabilities of TKIP are significant in that WPA-TKIP had been held to be an extremely safe combination; indeed, WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors.
WPS PIN recovery
A more serious security flaw was revealed in December 2011 by Stefan Viehböck that affects wireless routers with the Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use. Most recent models have this feature and enable it by default. Many consumer Wi-Fi device manufacturers had taken steps to eliminate the potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. These methods include pushing buttons on the devices or entering an 8-digit PIN. The Wi-Fi Alliance standardized these methods as Wi-Fi Protected Setup; however the PIN feature as widely implemented introduced a major new security flaw. The flaw allows a remote attacker to recover the WPS PIN and, with it, the router's WPA/WPA2 password in a few hours.[2] Users have been urged to turn off the WPS feature,[20] although this may not be possible on some router models. Also note that the PIN is written on a label on most Wi-Fi routers with WPS, and cannot be changed if compromised.
MS-CHAPv2
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks, making them feasible with modern hardware. In 2012 the complexity of breaking MS-CHAPv2 was reduced to that of breaking a single DES key, in work by Moxie Marlinspike and Marsh Ray. Moxie advised: "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else."[21]
Hole196
Hole196 is a vulnerability in the WPA2 protocol that abuses the shared GTK. It can be used to conduct man-in-the-middle and denial-of-service attacks.[22][23]
WPA terminology
Different WPA versions and protection mechanisms can be distinguished based on the (chronological) version of WPA, the target end-user (according to the method of authentication key distribution), and the encryption protocol used.
Version
WPA
Initial WPA version, to supply enhanced security over the older WEP protocol. Typically uses the TKIP encryption protocol (see further).
WPA2
Also known as IEEE 802.11i-2004, is the successor of WPA, and adds support for CCMP, which is intended to replace the TKIP encryption protocol. Mandatory for Wi-Fi-certified devices since 2006.
Target users (authentication key distribution)
WPA-Personal
Also referred to as WPA-PSK (Pre-shared key) mode, it is designed for home and small office networks and doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key generated from a password or passphrase.
WPA-Enterprise
Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK). It is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). An Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors.
Note that the WPA-Personal and WPA-Enterprise modes are available with both WPA and WPA2.
Wi-Fi Protected Setup (WPS)
An alternative authentication key distribution method intended to simplify and strengthen the process, but which, as widely implemented, creates a major security hole (see above).
Encryption protocol
TKIP (Temporal Key Integrity Protocol)
The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. Used by WPA.
CCMP
An AES-based encryption mechanism that is stronger than TKIP. Used by WPA2. Among informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high bitrate schemes, though not all implementations enforce this.[24] Otherwise, the data rate will not exceed 54 MBit/s.
EAP extensions under WPA and WPA2 Enterprise
In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP)[25] types in its WPA- and WPA2-Enterprise certification programs.[26] This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi Alliance.