CSET 170 - Security & Ethics
Encryption and SSL/TLS
CSET 170 - Encryption 101
At the simplest level, encryption is obscuring a piece of information using a known mathematical formula.
A ‘key’ is a piece of information used to encrypt or decrypt a message.
encrypt(message, key) = encrypted_message
decrypt(encrypted_message, key) = message
When the same key is used for encryption and decryption it is known as ‘symmetric’ encryption.
What might be some weaknesses to using encryption this way?
‘Asymmetric’ encryption solves the problem of key sharing by splitting a key into public and private parts.
The public portion of the key can only be used to encrypt information.
The private portion of the key is used to decrypt information encrypted by the public key.
Since the public key can only encrypt, not decrypt, it is safe to share the public key with anyone!
An illustration of asymmetric encryption and decryption between two people.
Common uses of encryption - are they typically ‘symmetric’ or ‘asymmetric’?
When we look at the following pseudo-code:
encrypt(message, key) = encrypted_message
‘encrypt’ here uses an algorithm to encrypt the message using the key.
Some common algorithms:
Why do we need different algorithms?
The computational difficulty (and therefore security) of encryption is determined by both the algorithm and the size of the key used.
Encryption usage is often noted by the algorithm and key strength used.
Symmetric: AES-128, AES-256, Twofish-128
Asymmetric: RSA-2048, RSA-4096, ECDSA-768
PGP Demo: https://twit.tv/shows/know-how/episodes/334
(from 0:00 to 23:10)
CSET 170 - Signing and Hashing
What happens when we ‘sign’ a key?
Behind the scenes a unique ‘hash’ is generated, and added as a note to the public key. This hash is a unique sequence generated using another type of algorithm, called a hash function.
Hash functions are ‘one way’ functions. There’s no way to take a hash and convert it back to the original string, mathematically speaking.
Common hash uses:
File integrity checksums, version control, key signatures, unique identifiers, password storage.
Like encryption algorithms, hash functions come in different flavors and strengths.
md5, sha1, sha2, sha3
Demo and discussion of hash collisions.
md5 -s "hello world"
CSET 170 - Secure Password Storage
Generally speaking, you never want to store your users’ passwords in plain text in your application.
Why?
We can store a hash instead, and use it to verify that a user has entered the correct password.
Unfortunately, just using a hash isn’t good enough.
We need to add some salt.
Salt is simply an additional random / unpredictable string added to a password before it is hashed. This makes it WAY more difficult to brute force hashes.
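Added example (not part of the original slides): a Python sketch of salted password storage and verification, contrasted with the plain unsalted hash. The function names and sample accounts are constructed, and the use of PBKDF2 as a deliberately slow hash goes beyond the slide, which only describes salt.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware


def unsalted_hash(password: str) -> str:
    """The 'just a hash' approach: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated for each new password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_hash_groups(table: dict[str, str]) -> list[list[str]]:
    """Audit helper: groups of users whose stored hashes are identical."""
    by_hash: dict[str, list[str]] = {}
    for user, stored in table.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    accounts = {"alice": "hello world", "bob": "hello world", "carol": "tr0ub4dor&3"}

    # Without salt, equal passwords are visible as equal hashes in the table.
    unsalted = {user: unsalted_hash(pw) for user, pw in accounts.items()}
    print("unsalted duplicates:", shared_hash_groups(unsalted))

    # With a per-user salt, the same password produces unrelated stored values.
    salted = {user: hash_password(pw) for user, pw in accounts.items()}
    print("salted duplicates:", shared_hash_groups({u: d.hex() for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("alice login ok:", verify_password("hello world", salt, digest))
```

The salt is stored next to the digest in the user record; it does not need to be secret, only unique per password.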
CSET 170 - SSL / TLS
From now on, we’ll use the term TLS - Transport Layer Security.
SSL and TLS are often used interchangeably; however, they are not the same thing.
These are protocols, and they come in different versions. TLS 1.2 and 1.3 are the currently recommended versions to use.
SSL 1, SSL 2, SSL 3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
CSET 170 - TLS
TLS is a protocol that deals with how client-server applications communicate securely over a network.
Why is it important to have secure (encrypted) communications over a network?
Compare these two security indicators in my version of Google Chrome. The site on the left is not using TLS, while the site on the right is.
HTTPS stands for HyperText Transfer Protocol Secure, but is often called HTTP over SSL or HTTP over TLS.
TLS uses both asymmetric and symmetric encryption.
1. Request Site
2. Server sends its certificate, aka public key
3. Browser creates a shared secret to be used for the session, encrypts it using the server’s public key, and requests connection be encrypted.
4. Server decrypts the symmetric key and confirms that all future communications will be encrypted.
5. Encrypted communication occurs using the symmetric key.
How do we know that the ‘certificate’ aka public key we got from the server is the one we want and is valid?
Certificates are public keys that contain additional validation information and are ‘signed’ by Certificate Authorities (CAs).
The steps to a new TLS certificate for a public website:
Certificates expire and must be renewed periodically.
Discussion of TLS attacks, CAs, and certificate revocation.
CSET 170 - Security Toolkit
Comprehensive list of tools
DIY Guide to Feminist Cybersecurity: https://hackblossom.org/cybersecurity/
CSET 170 - Lab 02
Portal > CSET 170 > Coursework > Lab 02: Encryption
Due by the end of class.