SlideShare a Scribd company logo

128 BIT WHAT?

Razorpoint Security
Razorpoint Security

Your data is encrypted. So what? Are you using SSL, AES, 3DES, or something else? Can your data be compromised with a cryptographic attack? What key length are you using? This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption.

Technology
1 of 8
Download to read offline
Author: Dr. Kent D. Boklan Director, Security Research Razorpoint Security Technologies, Inc. Version: 1.1 Date of current version: 2007–05/18 Date of original version: 2007–01/10 Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. 128 bit what? [ WHITE PAPER ] ™
Table of Contents: Introduction. ................................................................................................................................................. i The Strongest Available. ............................................................................................................................. 1 Modern Cryptography. ................................................................................................................................. 1 Real World Use. ............................................................................................................................................ 2 Block Cipher Encryption Diagram. ............................................................................................................ 2 It’s Encrypted. Isn’t It? .............................................................................................................................. 3 Some Common Cryptography Terms. ...................................................................................................... 3 About Razorpoint Security. ......................................................................................................................... 4 ™ May 18, 2007 128 Bit What? [v1.1] 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved.
Introduction. Your data is encrypted. So what? Is the encryption you used a block cipher or a symmetric cipher? Maybe SSL, AES, or 3DES? Can your data be compromised with known cryptographic attacks? What key length are you using with your encryption? And, what does that mean? Is 56 bits enough? What about 128 or 256? Buzzwords abound when it comes to security, and encryption is an area with a set all its own. This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption, and hopefully helps focus on what matters through all the noise. Gary C. Morse, CISSP, CISM President / Founder Razorpoint Security Technologies, Inc. ™ May 18, 2007 128 Bit What? [v1.1] Page i of i 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved.
128 bit what? The Strongest Available. When I moved to Manhattan in the summer of 2002, I opened a checking account at a major bank. I was asked by the financial manager if I wished to set up the account for online access. I replied by asking about the security mechanisms that were in place for online banking. The woman with whom I was speaking tried to assure me with waives of her hands that the bank used “really good methods” but I asked for a more detailed assessment. She telephoned one of the bank’s experts in such matters (so she told me) and, after a few minutes on hold and small talk about my move to New York, she got through to the person that I can only suppose was a lead in the bank’s IT department. He told her – and she relayed to me – that they used “really strong encryption.” I asked for more details and he told her that he would connect her to the person who really knew what they used. A few embarrassing minutes later, she got the answer, they used, “128 bit encryption.” I directly inquired, “128 bit what?” and she repeated this question into the telephone receiver. The person on the other end was silent for a few moments and then admitted they did not know more than that – but it was 128 bit encryption – “the strongest available.” Today, we are inundated with media pronouncements of “strong security” with such ubiquitous buzz phrases as “128 bit encryption.” The cipher mechanisms and associated data security technologies almost always come directly out of the black boxes of commercial software. To maintain the confidentiality of data, the encrypting (and the decrypting) is performed invisibly to the user who must go on faith that best practices are employed, and that strongest means best. Unfortunately, the security of encrypted data is not simply a matter of the number of bits, 128 or otherwise. The answer is not simple because the question is ill–posed. It’s not the strength of the algorithms that should be the concern, it’s how they are implemented, how the cryptographic keys are generated, how the keys are managed and how they are stored. And that’s not all. Modern Cryptography. Modern cryptography is founded upon two essentially different types of schema: public key methods and private key methods. Public key cryptography is relatively new. Whereas private key methods date back centuries, public key techniques were “invented” in the public sector in the 1970s and, recently disclosed, at the UK’s Government Communications Headquarters (GCHQ) a decade earlier (but they had been classified). In a public key system, the sender of a message looks up some public information for the person to whom they wish to send a message. That person – and hopefully only that person – is in possession of some private key that allows them to read any message that is encrypted with the public information. For this reason, public key cryptography is also known as asymmetric cryptography. As a simple example of the public key concept, imagine an open lock and an open box. These represent the public information for a particular person. To send a message securely to this person, put the message into the box and lock the box with the lock. Only the person with the key to that lock can read the message. (This means that once you lock the box, you can’t get to the message either.) Public key algorithms are rarely used for encryption – they are almost exclusively employed to create digital signatures and to send very short pieces of data – like keys to be used in private key methods and personal identifiers for use with e-commerce sites. Roughly, the major public key systems run at about 10,000 times slower than private key algorithms. Public key methods are usually based upon mathematical operations and, as such, are very slow. In private key cryptography (also called symmetric key cryptography), a key – a string of zeros and ones – is shared exclusively amongst those who employ the secret key to encrypt and decrypt their communications. The technique to do the encrypting (and decrypting) is some chosen algorithm that is used in conjunction with that secret key. Following the example in the previous paragraph, in private key systems we have the concept of a box and a lock which those involved in the secret communications all have a key to open. Most often, this key is a session key, generated for a single session of communication between two users. The key is then discarded and the next time (for example, the next time you bank online), a new session key is created. The protocol for key establishment and key exchange is a cryptographic procedure that is usually performed inside the link that is established between the entities involved (like you and your bank’s website). Many symmetric encryption algorithms have been proposed over the years and are out there, but only a few have gained acceptance by experts, governments and industry as “secure” and of these, fewer still are widely used. Symmetric algorithms come in two varieties: block ciphers and stream ciphers. Stream ciphers are used when you need to encrypt in real time. It’s done one bit at a time – telephone communication is a good example. Stream ciphers are very infrequently used on the Internet. Block ciphers, on the other hand, are used for essentially all bulk data encryption. They do almost all of the work in the digital world today. When you download a file through secure means or when you bank online, it’s a block cipher that encrypts and protects the confidentiality of your data. It’s a block cipher in which you trust. Block ciphers encrypt blocks of bits at a time, the number of which depends on the algorithm. Some act on 64 bits, and some take 128 bits at a time; but this is not the 128 bits in “128 bit encryption.” May 18, 2007 128 Bit What? [v1.1] Page 1 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. ™
Real World Use. Perhaps the most famous example of a symmetric key cipher is the Data Encryption Standard, DES, which served as a global workhorse for twenty years since it’s adoption by the U.S. Government as a standard in the mid 1970s. It’s a block cipher, and the key in DES is 56 bits long. DES performs, one could say, “56 bit encryption.” A key size of k bits is equivalent to having 2k possible keys. A good block cipher design does not yield to any attack other than what is called brute force1 . This means, essentially, that all 2k possible (encryption) keys are tried and whichever provides recognizable language output is the right one. With computers growing increasingly powerful, DES has been rendered vulnerable. 256 is just not as big as it once was. To compensate, a good (secure) alternative is to employ 3DES (read, “triple-DES”) which uses a much larger key size2 . Multiple encryption applications, such as 3DES, can be made secure but one must be careful. 3DES is just DES 3 times, with 2 or 3 different keys. 2DES (“double DES”), however, is no more secure than DES because it falls to an attack called a “meet in the middle.” There are other options for block ciphers aside from multiple encryption approaches, of course. Over the Internet today, most encryption is accomplished in a manner in which the user is passive. The only notification the user may receive may be a picture of a lock on a browser screen suggesting a secure channel or “secure page.” Is this a sign that you are using 128 bit encryption? 128 isn’t a magical number of bits. It doesn’t mean anything about how something is encrypted. 128 bit encryption is almost certainly a statement about the key size in the block cipher that’s being used. The block cipher itself could be the new Advanced Encryption Standard (AES), formerly known as Rijndael3 . The Rijndael cipher comes in three flavors: 128, 196 and 256 bit key versions. IDEA is another block cipher that has a key size of 128 bits and so is CAST. IDEA is used in PGP, Pretty Good Privacy, the popular email encryption program. CAST is a Canadian design that’s widely employed. There are quite a few other block ciphers that have passed muster in the cryptoanalytic community that can use a 128 bit key but that’s not really the point. What 128 bit encryption is not is a key size for a public key algorithm. RSA4 is an example of a well-known public key cryptosystem and if your data was being encrypted by 128 bit RSA, you should be very concerned. 128 bit RSA is not even close to being secure. You’d want at least 1,024 bits today. Public key sizes (for the secret key) are invariably much larger than symmetric key sizes. Classically, there are better than brute force attacks against public key algorithms due to their highly mathematical nature. My bank was using, quite probably, the AES scheme. That wasn’t my security concern, however. Block Cipher Encryption Diagram. The following diagram illustrates the basic process of block cipher encryption. Notice how the original plain text message is broken into separate blocks. The encryption algorithm, with the use of the encryption key, then encrypts the blocks. Finally, the encrypted blocks are reassembled into the cipher (encrypted) text. May 18, 2007 128 Bit What? [v1.1] Page 2 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. 1. This is not to say that new attacks can not or will not be found, but the theory of attacks is quite well-developed and it is unlikely that any shocking breakthroughs in attacking a block cipher directly will be made. 2. 3DES uses a key size of either 112 or 168 bits, depending on the variant. 3. The U.S. government selected Rijndael after a three-year international search for a new encryption standard. It was developed by two Belgian computer scientists. 4. RSA stands for Rivest Shimar Adleman. The company is now owned by EMC. 128 bit Encryption Key Plain Text Blocks Cipher Text Blocks Encryption Algorithm (AES,3DES,IDEA,DES) Plain Text Cipher Text
May 18, 2007 128 Bit What? [v1.1] Page 3 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. It’s Encrypted. Isn’t It? The widespread use of Secure Socket Layer (SSL) technology to protect data confidentiality, to secure data transmissions over unsecured networks, like the Internet, only goes to reinforce the rhetoric that the future of encryption is through automated software. From a cryptographic standpoint, the concern is not the block cipher or the key length options one may have, it’s how the key bits are generated and if they are based on your password – and if so, the password length and entropy1 . Some questions to consider: Can your key be found? Is your block cipher being used in the proper mode? (And what is a block cipher mode?) Default settings aren’t always best and appropriate for one’s needs and applications. Are issues of data integrity addressed? Is the data signed so you can trust its origin? Is 128 bits right for you? If you use the AES method with a 256 bit key, is that 128 bits more secure than with a 128 bit key? These are all important questions and only some of the issues that really need to be addressed. It’s just not as simple as using something called strong encryption. The strength of data security is not all in the key and it’s not about breaking the crypto, it’s about exploiting the system. Bigger (keys) doesn’t necessarily mean better; just don’t use single DES. If your key size for your symmetric method, for your block cipher, is at least 100 bits long, you’re secure for quite a long time, a few decades. Predicting secure key sizes far into the future is a diviner’s art and it’s difficult to do with any sense of surety. (How strong are the methods that are never announced publicly? Why would anyone who has a good attack disclose it?) Moore’s Law, which has held up very well for decades, suggests that processing power doubles every 18 months. If we accept this – and that large-scale quantum computers do not exist2 - a block cipher that’s secure with a margin of 20 bits should be good for at least another 30 years. That means that, if done correctly, 128 bit encryption, using a respectable and vetted block cipher, should withstand attack for about 70 years. And 3DES is good for at least another 50. Secure key sizes for public key algorithms (like RSA) are a whole other matter. Roughly speaking, an 80 bit key length for a block cipher is about equivalent in strength to a 1,024 bit RSA key, and a 128 bit key length for a block cipher to about a 3,000 bit RSA key3 . A strong algorithm poorly implemented is susceptible to compromise and attack. For a given secure key, even one 128 bits long, every time you encrypt your bank account number it looks the same. Every time you withdraw one hundred dollars, the encrypted version of your transaction is identical. This kind of “leakage” of confidential information – even though no one can tell it’s $100 you’re taking out – is unacceptable. Recognizable patterns like this can be exploited. There are means and best practices to block these weaknesses, but these are topics for another paper. Some Common Cryptography Terms. Key: The secret that, in combination with an encryption algorithm, allows you to encrypt data. Key Length: The number of bits in the key. The key length is a measure of the strength of your encryption. Block Cipher: An algorithm that encrypts data, one block of data at a time. The size of the block varies algorithm to algorithm, but is usually 64 or 128 bits. Stream Cipher: A block cipher with a block length of 1. These algorithms are used for speedy, real-time encryption (e.g., cellular phone calls). 128 Bit Encryption: Block cipher encryption with a key length of 128 bits. 1. In this situation, we may consider the entropy to be a measure of the amount of randomness. 2. And even if they do, symmetric methods do not fall as easily as the asymmetric do. 3. The primary reason for this disparity is that, roughly, public key methods are more sensitive to advances in Mathematics.
The Network Security Challenge The number of companies relying on the Internet for mission-critical business has skyrocketed. And, while this growth has intensified the need for network hardware, software and personnel, it has also increased the need for dynamic, effective network security. New security vulnerabilities are released daily, and maintaining a secure operating environment is a complex and costly process. Some analysts claim 3 of every 4 business web sites are vulnerable to attack, and by the end of 2006 Internet fraud could surpass credit card fraud. Cyberattacks are now routine in today’s electronic landscape, and cybercrime is no longer a future threat; it is here, now. Public, Private & Proprietary We categorize security vulnerabilities into three areas: public, private, and proprietary. Public vulnerabilities are those reported in the mass media and are usually the most easily corrected. These include viruses, worms, misconfiguration notices, and other general security issues. Private vulnerabilities are lesser known and usually held more closely within the underground hacker community. Private vulnerabilities are almost always more lethal, much less publicized and can cause more damage to online networks. Proprietary vulnerabilities are those uncovered and developed at Razorpoint Security. We utilize all of these during our security engagements to ensure that our clients get the most comprehensive assessments possible. A Process, Not A Product While many installations employ similar hardware and software products, not all networks are alike. All too often misconfigured machines are put behind firewalls (“a product”) giving a false sense of security. Hackers use their unlimited time resources to find small idiosyncrasies in perimeter security (e.g. firewalls) to obtain minimal access to internal machines (e.g. mail server, web server, etc.) usually undetected. Once limited access is established, hackers simply exploit vulnerabilities on the internal, misconfigured machines to obtain Superuser (root) access. That’s it. That’s all it takes. Your entire network is compromised. This simplistic scenario illustrates how someone, with enough time and skill, can bypass a product-based security solution and wreak havoc on a live network. Security needs to be monitored, maintained, and updated constantly to meet the ever-changing security landscape (a.k.a. “threatscape”). Proper security includes well-designed infrastructures, firewalls, “hardened” operating systems, good passwords, intrusion detection, and above all, awareness — all of which must be continuously updated. This ongoing “process” is what keeps environments secure and minimizes unauthorized access by malicious intruders. There is no magic bullet. There is no shrink-wrapped package. And, there is no universally applicable product that ensures the security of a network environment. If there is one concept Razorpoint Security Technologies stresses to its clients, it’s that “network security is a process, not a product.” Razorpoint Security Technologies, Inc. specializes in network security, attack / penetration testing and identifying potentially disastrous security vulnerabilities especially as they relate to Internet solutions and web applications. We offer security services that focus the view of your network environments and e-business ventures. Razorpoint Security offers business leaders and corporate clients the necessary security services and solutions that help keep corporate networks secure. While many security firms provide singular penetration tests with limited documentation, Razorpoint offers a year-round assessment schedule and customized documentation deliverables that help keep clients up to date. Our assessments go well beyond the average “port scan” or “vulnerability scan” exercises. We look at your network through the eyes of those looking to do you harm. We know what they know, we know what they see, and we know what they do. What is secure? Products alone do not secure data. Processes do. R a z o r p o i n t ’s c o m p r e h e n s i v e security services identify real world vulnerabilities and help keep data secure. www.razorpoint.com and, how do you know?
The RazorBASE New security vulnerabilities, tools and exploits are released every day. The task of cataloging, maintaining and applying these to achieve effective security assessments is nearly an impossible task. That is why we have created a customized database that enables us to collect, index and retrieve relevant information easily and effectively. We call it The RazorBASE. You can think of it as one of the most comprehensive repositories of network security information ever compiled. It is one way we can ensure our security assessments are as focused as possible for our varying client environments. This proprietary resource is tapped for every Razorpoint project and is constantly updated with new tools, techniques and documentation to help keep Razorpoint’s staff on top of the latest security developments. annual assessment scheduleattack / penetration testing Let us work with you to review an upcoming technology rollout or an existing infrastructure from the security point-of-view. We can help you uncover security vulnerabilities before malicious attackers do. Whether it’s firewalls, routers, intrusion detection systems, or modem/PBX systems, security should always be a top concern. Razorpoint can help you configure, deploy and troubleshoot your technology to help eliminate security vulnerabilities that go undetected. security technology consultingsecurity design review Why did that hacker get into your network even though you’ve got a firewall? Internally or externally, we offer comprehensive attack/ penetration tests that look at your network through the eyes of those looking to do you harm. A 12 month schedule of quarterly attack/penetration tests, with monthly security advisories. This complete offering keeps your organization regularly updated on the latest security vulnerabilities, techniques and countermeasures. Our Services Razorpoint Security’s services are designed to give our clients the most comprehensive security analysis of their network operating environments. Our expertise helps identify vulnerabilities, uncover potentially disastrous security holes, plan for future growth from a security point of view, and maintain ongoing security with regular assessments. Below are each of our speciality areas in more detail: 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | office: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com copyright © 2001-2007 razorpoint security technologies, inc. all rights reserved. Razorpoint Security Technologies, Inc. FEATURED ON Our expertise makes Razorpoint Security a prime media source on information security. We have been featured by CNN, CNBC, Forbes, The New York Times Magazine, MSNBC, WiredNews, Crain’s, CBS, Fox5, ABC/CourtTV and many others.

Recommended

Jehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spendJehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spendIT Strategy Group
 
Jehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeJehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeIT Strategy Group
 
cryptography
cryptographycryptography
cryptographyBalaji Ravi
 
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?CAN BLOCKCHAIN PRIVATE KEY BE HACKED?
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?Blockchain Council
 
Privacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyPrivacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyGokul Alex
 
The ultimate privacy guide
The ultimate privacy guideThe ultimate privacy guide
The ultimate privacy guideJD Liners
 
How encryption works
How encryption worksHow encryption works
How encryption worksRaxTonProduction
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modiMohit Modi
 

Recommended

Jehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spendJehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spendIT Strategy Group
 
Jehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeJehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeIT Strategy Group
 
cryptography
cryptographycryptography
cryptographyBalaji Ravi
 
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?CAN BLOCKCHAIN PRIVATE KEY BE HACKED?
CAN BLOCKCHAIN PRIVATE KEY BE HACKED?Blockchain Council
 
Privacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyPrivacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyGokul Alex
 
The ultimate privacy guide
The ultimate privacy guideThe ultimate privacy guide
The ultimate privacy guideJD Liners
 
How encryption works
How encryption worksHow encryption works
How encryption worksRaxTonProduction
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modiMohit Modi
 
Iceic2019 final presented
Iceic2019 final presentedIceic2019 final presented
Iceic2019 final presentedHeung-No Lee
 
fucking shit
fucking shitfucking shit
fucking shiteyalrav
 
Computer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU LucknowComputer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU LucknowBrijesh Vishwakarma
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismAmit Singh
 
Basic concept of pki
Basic concept of pkiBasic concept of pki
Basic concept of pkiPrabhat Goel
 
POST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPavithra Muthu
 
Networksecurity1 1
Networksecurity1 1 Networksecurity1 1
Networksecurity1 1 lakshmansoft7
 
Comparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a surveyComparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a surveyeSAT Publishing House
 
Analysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network SecurityAnalysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network SecurityEditor IJCATR
 
Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology! Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology! Sai Natkar
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On BitcoinDan Kaminsky
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityJohnson, Chuan Zhang CISM CCSK OSCP
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchainsaficus
 
Ijaiem 2014-11-30-122
Ijaiem 2014-11-30-122Ijaiem 2014-11-30-122
Ijaiem 2014-11-30-122Sathya Madhesh
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewInformation Security Awareness Group
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureJean-Phi N✅
 
Cryptointro
CryptointroCryptointro
Cryptointrolosalamos
 
One Time Pad Journal
One Time Pad JournalOne Time Pad Journal
One Time Pad JournalAmirul Wiramuda
 

More Related Content

What's hot

Iceic2019 final presented
Iceic2019 final presentedIceic2019 final presented
Iceic2019 final presentedHeung-No Lee
 
fucking shit
fucking shitfucking shit
fucking shiteyalrav
 
Computer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU LucknowComputer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU LucknowBrijesh Vishwakarma
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismAmit Singh
 
Basic concept of pki
Basic concept of pkiBasic concept of pki
Basic concept of pkiPrabhat Goel
 
POST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPavithra Muthu
 
Comparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a surveyComparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a surveyeSAT Publishing House
 
Analysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network SecurityAnalysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network SecurityEditor IJCATR
 
Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology! Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology! Sai Natkar
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On BitcoinDan Kaminsky
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchainsaficus
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureJean-Phi N✅
 

What's hot (20)

Iceic2019 final presented
Iceic2019 final presentedIceic2019 final presented
Iceic2019 final presented
 
fucking shit
fucking shitfucking shit
fucking shit
 
Computer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU LucknowComputer System Security (UNIT IV) For AKTU Lucknow
Computer System Security (UNIT IV) For AKTU Lucknow
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption Mechanism
 
Basic concept of pki
Basic concept of pkiBasic concept of pki
Basic concept of pki
 
POST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHY
 
Networksecurity1 1
Networksecurity1 1 Networksecurity1 1
Networksecurity1 1
 
Comparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a surveyComparative study of private and public key cryptography algorithms a survey
Comparative study of private and public key cryptography algorithms a survey
 
Analysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network SecurityAnalysis of Cryptographic Algorithms for Network Security
Analysis of Cryptographic Algorithms for Network Security
 
Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology! Data Encryption : A Powerful and an Approachable Technology!
Data Encryption : A Powerful and an Approachable Technology!
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On Bitcoin
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A Primer
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITY
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain Security
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchain
 
Ijaiem 2014-11-30-122
Ijaiem 2014-11-30-122Ijaiem 2014-11-30-122
Ijaiem 2014-11-30-122
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat Model
 
Komodo Blockchain Security Service Brochure
Komodo Blockchain Security Service BrochureKomodo Blockchain Security Service Brochure
Komodo Blockchain Security Service Brochure
 

Similar to 128 BIT WHAT?

International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)irjes
 
Cryptoandnetworksecuritylitreview
CryptoandnetworksecuritylitreviewCryptoandnetworksecuritylitreview
CryptoandnetworksecuritylitreviewFaith Nweke
 
How Encryption Works
How Encryption WorksHow Encryption Works
How Encryption Worksray0510711s
 
10.11648.j.ijdst.20160204.12
10.11648.j.ijdst.20160204.1210.11648.j.ijdst.20160204.12
10.11648.j.ijdst.20160204.12Arindam Paul
 
Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...IOSR Journals
 

Similar to 128 BIT WHAT? (12)

Cryptointro
CryptointroCryptointro
Cryptointro
 
One Time Pad Journal
One Time Pad JournalOne Time Pad Journal
One Time Pad Journal
 
Week 12 slide
Week 12 slideWeek 12 slide
Week 12 slide
 
Week 12 slide
Week 12 slideWeek 12 slide
Week 12 slide
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
 
Cryptoandnetworksecuritylitreview
CryptoandnetworksecuritylitreviewCryptoandnetworksecuritylitreview
Cryptoandnetworksecuritylitreview
 
Week12 b
Week12 bWeek12 b
Week12 b
 
How Encryption Works
How Encryption WorksHow Encryption Works
How Encryption Works
 
s117
s117s117
s117
 
Sw2
Sw2Sw2
Sw2
 
10.11648.j.ijdst.20160204.12
10.11648.j.ijdst.20160204.1210.11648.j.ijdst.20160204.12
10.11648.j.ijdst.20160204.12
 
Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...
 

More from Razorpoint Security

CIDR / VLSM REPRESENTATION GUIDE
CIDR / VLSM REPRESENTATION GUIDECIDR / VLSM REPRESENTATION GUIDE
CIDR / VLSM REPRESENTATION GUIDERazorpoint Security
 
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)Razorpoint Security
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 

More from Razorpoint Security (6)

PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICES
 
RAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARY
 
CIDR / VLSM REPRESENTATION GUIDE
CIDR / VLSM REPRESENTATION GUIDECIDR / VLSM REPRESENTATION GUIDE
CIDR / VLSM REPRESENTATION GUIDE
 
RAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LISTRAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LIST
 
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)
HOW I BROKE THE CONFEDERATE CODE (137 YEARS TOO LATE)
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

128 BIT WHAT?

  • 1. Author: Dr. Kent D. Boklan Director, Security Research Razorpoint Security Technologies, Inc. Version: 1.1 Date of current version: 2007–05/18 Date of original version: 2007–01/10 Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. 128 bit what? [ WHITE PAPER ] ™
  • 2. Table of Contents: Introduction. ................................................................................................................................................. i The Strongest Available. ............................................................................................................................. 1 Modern Cryptography. ................................................................................................................................. 1 Real World Use. ............................................................................................................................................ 2 Block Cipher Encryption Diagram. ............................................................................................................ 2 It’s Encrypted. Isn’t It? .............................................................................................................................. 3 Some Common Cryptography Terms. ...................................................................................................... 3 About Razorpoint Security. ......................................................................................................................... 4 ™ May 18, 2007 128 Bit What? [v1.1] 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 3. Introduction. Your data is encrypted. So what? Is the encryption you used a block cipher or a symmetric cipher? Maybe SSL, AES, or 3DES? Can your data be compromised with known cryptographic attacks? What key length are you using with your encryption? And, what does that mean? Is 56 bits enough? What about 128 or 256? Buzzwords abound when it comes to security, and encryption is an area with a set all its own. This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption, and hopefully helps focus on what matters through all the noise. Gary C. Morse, CISSP, CISM President / Founder Razorpoint Security Technologies, Inc. ™ May 18, 2007 128 Bit What? [v1.1] Page i of i 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved.
  • 4. 128 bit what? The Strongest Available. When I moved to Manhattan in the summer of 2002, I opened a checking account at a major bank. I was asked by the financial manager if I wished to set up the account for online access. I replied by asking about the security mechanisms that were in place for online banking. The woman with whom I was speaking tried to assure me with waives of her hands that the bank used “really good methods” but I asked for a more detailed assessment. She telephoned one of the bank’s experts in such matters (so she told me) and, after a few minutes on hold and small talk about my move to New York, she got through to the person that I can only suppose was a lead in the bank’s IT department. He told her – and she relayed to me – that they used “really strong encryption.” I asked for more details and he told her that he would connect her to the person who really knew what they used. A few embarrassing minutes later, she got the answer, they used, “128 bit encryption.” I directly inquired, “128 bit what?” and she repeated this question into the telephone receiver. The person on the other end was silent for a few moments and then admitted they did not know more than that – but it was 128 bit encryption – “the strongest available.” Today, we are inundated with media pronouncements of “strong security” with such ubiquitous buzz phrases as “128 bit encryption.” The cipher mechanisms and associated data security technologies almost always come directly out of the black boxes of commercial software. To maintain the confidentiality of data, the encrypting (and the decrypting) is performed invisibly to the user who must go on faith that best practices are employed, and that strongest means best. Unfortunately, the security of encrypted data is not simply a matter of the number of bits, 128 or otherwise. The answer is not simple because the question is ill–posed. It’s not the strength of the algorithms that should be the concern, it’s how they are implemented, how the cryptographic keys are generated, how the keys are managed and how they are stored. And that’s not all. Modern Cryptography. Modern cryptography is founded upon two essentially different types of schema: public key methods and private key methods. Public key cryptography is relatively new. Whereas private key methods date back centuries, public key techniques were “invented” in the public sector in the 1970s and, recently disclosed, at the UK’s Government Communications Headquarters (GCHQ) a decade earlier (but they had been classified). In a public key system, the sender of a message looks up some public information for the person to whom they wish to send a message. That person – and hopefully only that person – is in possession of some private key that allows them to read any message that is encrypted with the public information. For this reason, public key cryptography is also known as asymmetric cryptography. As a simple example of the public key concept, imagine an open lock and an open box. These represent the public information for a particular person. To send a message securely to this person, put the message into the box and lock the box with the lock. Only the person with the key to that lock can read the message. (This means that once you lock the box, you can’t get to the message either.) Public key algorithms are rarely used for encryption – they are almost exclusively employed to create digital signatures and to send very short pieces of data – like keys to be used in private key methods and personal identifiers for use with e-commerce sites. Roughly, the major public key systems run at about 10,000 times slower than private key algorithms. Public key methods are usually based upon mathematical operations and, as such, are very slow. In private key cryptography (also called symmetric key cryptography), a key – a string of zeros and ones – is shared exclusively amongst those who employ the secret key to encrypt and decrypt their communications. The technique to do the encrypting (and decrypting) is some chosen algorithm that is used in conjunction with that secret key. Following the example in the previous paragraph, in private key systems we have the concept of a box and a lock which those involved in the secret communications all have a key to open. Most often, this key is a session key, generated for a single session of communication between two users. The key is then discarded and the next time (for example, the next time you bank online), a new session key is created. The protocol for key establishment and key exchange is a cryptographic procedure that is usually performed inside the link that is established between the entities involved (like you and your bank’s website). Many symmetric encryption algorithms have been proposed over the years and are out there, but only a few have gained acceptance by experts, governments and industry as “secure” and of these, fewer still are widely used. Symmetric algorithms come in two varieties: block ciphers and stream ciphers. Stream ciphers are used when you need to encrypt in real time. It’s done one bit at a time – telephone communication is a good example. Stream ciphers are very infrequently used on the Internet. Block ciphers, on the other hand, are used for essentially all bulk data encryption. They do almost all of the work in the digital world today. When you download a file through secure means or when you bank online, it’s a block cipher that encrypts and protects the confidentiality of your data. It’s a block cipher in which you trust. Block ciphers encrypt blocks of bits at a time, the number of which depends on the algorithm. Some act on 64 bits, and some take 128 bits at a time; but this is not the 128 bits in “128 bit encryption.” May 18, 2007 128 Bit What? [v1.1] Page 1 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. ™
  • 5. Real World Use. Perhaps the most famous example of a symmetric key cipher is the Data Encryption Standard, DES, which served as a global workhorse for twenty years since it’s adoption by the U.S. Government as a standard in the mid 1970s. It’s a block cipher, and the key in DES is 56 bits long. DES performs, one could say, “56 bit encryption.” A key size of k bits is equivalent to having 2k possible keys. A good block cipher design does not yield to any attack other than what is called brute force1 . This means, essentially, that all 2k possible (encryption) keys are tried and whichever provides recognizable language output is the right one. With computers growing increasingly powerful, DES has been rendered vulnerable. 256 is just not as big as it once was. To compensate, a good (secure) alternative is to employ 3DES (read, “triple-DES”) which uses a much larger key size2 . Multiple encryption applications, such as 3DES, can be made secure but one must be careful. 3DES is just DES 3 times, with 2 or 3 different keys. 2DES (“double DES”), however, is no more secure than DES because it falls to an attack called a “meet in the middle.” There are other options for block ciphers aside from multiple encryption approaches, of course. Over the Internet today, most encryption is accomplished in a manner in which the user is passive. The only notification the user may receive may be a picture of a lock on a browser screen suggesting a secure channel or “secure page.” Is this a sign that you are using 128 bit encryption? 128 isn’t a magical number of bits. It doesn’t mean anything about how something is encrypted. 128 bit encryption is almost certainly a statement about the key size in the block cipher that’s being used. The block cipher itself could be the new Advanced Encryption Standard (AES), formerly known as Rijndael3 . The Rijndael cipher comes in three flavors: 128, 196 and 256 bit key versions. IDEA is another block cipher that has a key size of 128 bits and so is CAST. IDEA is used in PGP, Pretty Good Privacy, the popular email encryption program. CAST is a Canadian design that’s widely employed. There are quite a few other block ciphers that have passed muster in the cryptoanalytic community that can use a 128 bit key but that’s not really the point. What 128 bit encryption is not is a key size for a public key algorithm. RSA4 is an example of a well-known public key cryptosystem and if your data was being encrypted by 128 bit RSA, you should be very concerned. 128 bit RSA is not even close to being secure. You’d want at least 1,024 bits today. Public key sizes (for the secret key) are invariably much larger than symmetric key sizes. Classically, there are better than brute force attacks against public key algorithms due to their highly mathematical nature. My bank was using, quite probably, the AES scheme. That wasn’t my security concern, however. Block Cipher Encryption Diagram. The following diagram illustrates the basic process of block cipher encryption. Notice how the original plain text message is broken into separate blocks. The encryption algorithm, with the use of the encryption key, then encrypts the blocks. Finally, the encrypted blocks are reassembled into the cipher (encrypted) text. May 18, 2007 128 Bit What? [v1.1] Page 2 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. 1. This is not to say that new attacks can not or will not be found, but the theory of attacks is quite well-developed and it is unlikely that any shocking breakthroughs in attacking a block cipher directly will be made. 2. 3DES uses a key size of either 112 or 168 bits, depending on the variant. 3. The U.S. government selected Rijndael after a three-year international search for a new encryption standard. It was developed by two Belgian computer scientists. 4. RSA stands for Rivest Shimar Adleman. The company is now owned by EMC. 128 bit Encryption Key Plain Text Blocks Cipher Text Blocks Encryption Algorithm (AES,3DES,IDEA,DES) Plain Text Cipher Text
  • 6. May 18, 2007 128 Bit What? [v1.1] Page 3 of 5 31 east 32nd street, sixth floor | new york city, new york 10016–5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com Copyright © 2007 Razorpoint Security Technologies, Inc. All Rights Reserved. It’s Encrypted. Isn’t It? The widespread use of Secure Socket Layer (SSL) technology to protect data confidentiality, to secure data transmissions over unsecured networks, like the Internet, only goes to reinforce the rhetoric that the future of encryption is through automated software. From a cryptographic standpoint, the concern is not the block cipher or the key length options one may have, it’s how the key bits are generated and if they are based on your password – and if so, the password length and entropy1 . Some questions to consider: Can your key be found? Is your block cipher being used in the proper mode? (And what is a block cipher mode?) Default settings aren’t always best and appropriate for one’s needs and applications. Are issues of data integrity addressed? Is the data signed so you can trust its origin? Is 128 bits right for you? If you use the AES method with a 256 bit key, is that 128 bits more secure than with a 128 bit key? These are all important questions and only some of the issues that really need to be addressed. It’s just not as simple as using something called strong encryption. The strength of data security is not all in the key and it’s not about breaking the crypto, it’s about exploiting the system. Bigger (keys) doesn’t necessarily mean better; just don’t use single DES. If your key size for your symmetric method, for your block cipher, is at least 100 bits long, you’re secure for quite a long time, a few decades. Predicting secure key sizes far into the future is a diviner’s art and it’s difficult to do with any sense of surety. (How strong are the methods that are never announced publicly? Why would anyone who has a good attack disclose it?) Moore’s Law, which has held up very well for decades, suggests that processing power doubles every 18 months. If we accept this – and that large-scale quantum computers do not exist2 - a block cipher that’s secure with a margin of 20 bits should be good for at least another 30 years. That means that, if done correctly, 128 bit encryption, using a respectable and vetted block cipher, should withstand attack for about 70 years. And 3DES is good for at least another 50. Secure key sizes for public key algorithms (like RSA) are a whole other matter. Roughly speaking, an 80 bit key length for a block cipher is about equivalent in strength to a 1,024 bit RSA key, and a 128 bit key length for a block cipher to about a 3,000 bit RSA key3 . A strong algorithm poorly implemented is susceptible to compromise and attack. For a given secure key, even one 128 bits long, every time you encrypt your bank account number it looks the same. Every time you withdraw one hundred dollars, the encrypted version of your transaction is identical. This kind of “leakage” of confidential information – even though no one can tell it’s $100 you’re taking out – is unacceptable. Recognizable patterns like this can be exploited. There are means and best practices to block these weaknesses, but these are topics for another paper. Some Common Cryptography Terms. Key: The secret that, in combination with an encryption algorithm, allows you to encrypt data. Key Length: The number of bits in the key. The key length is a measure of the strength of your encryption. Block Cipher: An algorithm that encrypts data, one block of data at a time. The size of the block varies algorithm to algorithm, but is usually 64 or 128 bits. Stream Cipher: A block cipher with a block length of 1. These algorithms are used for speedy, real-time encryption (e.g., cellular phone calls). 128 Bit Encryption: Block cipher encryption with a key length of 128 bits. 1. In this situation, we may consider the entropy to be a measure of the amount of randomness. 2. And even if they do, symmetric methods do not fall as easily as the asymmetric do. 3. The primary reason for this disparity is that, roughly, public key methods are more sensitive to advances in Mathematics.
  • 7. The Network Security Challenge The number of companies relying on the Internet for mission-critical business has skyrocketed. And, while this growth has intensified the need for network hardware, software and personnel, it has also increased the need for dynamic, effective network security. New security vulnerabilities are released daily, and maintaining a secure operating environment is a complex and costly process. Some analysts claim 3 of every 4 business web sites are vulnerable to attack, and by the end of 2006 Internet fraud could surpass credit card fraud. Cyberattacks are now routine in today’s electronic landscape, and cybercrime is no longer a future threat; it is here, now. Public, Private & Proprietary We categorize security vulnerabilities into three areas: public, private, and proprietary. Public vulnerabilities are those reported in the mass media and are usually the most easily corrected. These include viruses, worms, misconfiguration notices, and other general security issues. Private vulnerabilities are lesser known and usually held more closely within the underground hacker community. Private vulnerabilities are almost always more lethal, much less publicized and can cause more damage to online networks. Proprietary vulnerabilities are those uncovered and developed at Razorpoint Security. We utilize all of these during our security engagements to ensure that our clients get the most comprehensive assessments possible. A Process, Not A Product While many installations employ similar hardware and software products, not all networks are alike. All too often misconfigured machines are put behind firewalls (“a product”) giving a false sense of security. Hackers use their unlimited time resources to find small idiosyncrasies in perimeter security (e.g. firewalls) to obtain minimal access to internal machines (e.g. mail server, web server, etc.) usually undetected. Once limited access is established, hackers simply exploit vulnerabilities on the internal, misconfigured machines to obtain Superuser (root) access. That’s it. That’s all it takes. Your entire network is compromised. This simplistic scenario illustrates how someone, with enough time and skill, can bypass a product-based security solution and wreak havoc on a live network. Security needs to be monitored, maintained, and updated constantly to meet the ever-changing security landscape (a.k.a. “threatscape”). Proper security includes well-designed infrastructures, firewalls, “hardened” operating systems, good passwords, intrusion detection, and above all, awareness — all of which must be continuously updated. This ongoing “process” is what keeps environments secure and minimizes unauthorized access by malicious intruders. There is no magic bullet. There is no shrink-wrapped package. And, there is no universally applicable product that ensures the security of a network environment. If there is one concept Razorpoint Security Technologies stresses to its clients, it’s that “network security is a process, not a product.” Razorpoint Security Technologies, Inc. specializes in network security, attack / penetration testing and identifying potentially disastrous security vulnerabilities especially as they relate to Internet solutions and web applications. We offer security services that focus the view of your network environments and e-business ventures. Razorpoint Security offers business leaders and corporate clients the necessary security services and solutions that help keep corporate networks secure. While many security firms provide singular penetration tests with limited documentation, Razorpoint offers a year-round assessment schedule and customized documentation deliverables that help keep clients up to date. Our assessments go well beyond the average “port scan” or “vulnerability scan” exercises. We look at your network through the eyes of those looking to do you harm. We know what they know, we know what they see, and we know what they do. What is secure? Products alone do not secure data. Processes do. R a z o r p o i n t ’s c o m p r e h e n s i v e security services identify real world vulnerabilities and help keep data secure. www.razorpoint.com and, how do you know?
  • 8. The RazorBASE New security vulnerabilities, tools and exploits are released every day. The task of cataloging, maintaining and applying these to achieve effective security assessments is nearly an impossible task. That is why we have created a customized database that enables us to collect, index and retrieve relevant information easily and effectively. We call it The RazorBASE. You can think of it as one of the most comprehensive repositories of network security information ever compiled. It is one way we can ensure our security assessments are as focused as possible for our varying client environments. This proprietary resource is tapped for every Razorpoint project and is constantly updated with new tools, techniques and documentation to help keep Razorpoint’s staff on top of the latest security developments. annual assessment scheduleattack / penetration testing Let us work with you to review an upcoming technology rollout or an existing infrastructure from the security point-of-view. We can help you uncover security vulnerabilities before malicious attackers do. Whether it’s firewalls, routers, intrusion detection systems, or modem/PBX systems, security should always be a top concern. Razorpoint can help you configure, deploy and troubleshoot your technology to help eliminate security vulnerabilities that go undetected. security technology consultingsecurity design review Why did that hacker get into your network even though you’ve got a firewall? Internally or externally, we offer comprehensive attack/ penetration tests that look at your network through the eyes of those looking to do you harm. A 12 month schedule of quarterly attack/penetration tests, with monthly security advisories. This complete offering keeps your organization regularly updated on the latest security vulnerabilities, techniques and countermeasures. Our Services Razorpoint Security’s services are designed to give our clients the most comprehensive security analysis of their network operating environments. Our expertise helps identify vulnerabilities, uncover potentially disastrous security holes, plan for future growth from a security point of view, and maintain ongoing security with regular assessments. Below are each of our speciality areas in more detail: 31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | office: 212.744.6900 | fax: 212.744.6344 | www.razorpoint.com | secure.now@razorpoint.com copyright © 2001-2007 razorpoint security technologies, inc. all rights reserved. Razorpoint Security Technologies, Inc. FEATURED ON Our expertise makes Razorpoint Security a prime media source on information security. We have been featured by CNN, CNBC, Forbes, The New York Times Magazine, MSNBC, WiredNews, Crain’s, CBS, Fox5, ABC/CourtTV and many others.