Module Objectives | Staf of EC-Council - Ethical Hacking Student Courseware. Certidied Ethical Hacker-Exam 312-50 (EC-Council E-Business Certification Series)

Having dealt with various security concerns and countermeasures in the preceding modules, it is obvious that cryptography as a security measure is here to stay. In this module we will try to understand the use of cryptography over the Internet through:

Public Key Infrastructure (PKI)
RSA
MD-5
Secure Hash Algorithm (SHA)
Secure Socket Layer (SSL)
Pretty Good Privacy (PGP)
SSH

We will also be looking at the effort required to crack these encryption techniques and explore attacker methodologies if any that are relevant to the discussion.

It is to be noted that encryption is no longer an exemptible option when conducting ecommerce. Given the importance it bears on ecommerce, it is one area that will have its share of security concerns as well. Encryption on its own cannot guarantee foolproof security. It must be combined with good security policies and practices if an organization needs to protect its information assets and extend it to its stakeholders.

Public-key Cryptography

Public-key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.
In this system, each person gets a pair of keys, called the public key and the private key.
Each person's public key is published while the private key is kept secret.
Anyone can send a confidential message just using public information, but it can only be decrypted with a private key that is in the sole possession of the intended recipient.

Cryptography can be classified as the study of techniques and applications that depend on the existence of difficult problems. A cryptanalyst attempts to compromise cryptographic mechanisms, and cryptology (from the Greek krypt ³s l ³gos, meaning "hidden word") is the discipline of cryptography and cryptanalysis combined.

Note

The concept of public-key cryptography was introduced in 1976 by Whitfield Diffie and Martin Hellman in order to solve the key management problem. In their concept, each person gets a pair of keys, one called the public key and the other called the private key. Each person's public key is published while the private key is kept secret. This eliminates the need for the sender and receiver to share secret information, as all communications involve only public keys, and no private key is ever transmitted or shared. This option also secured the communication against eavesdropping or betrayal.

The only requirement is that public keys must be associated with their users in a trusted manner. With PKI, anyone can send a confidential message by using public information, though the message can only be decrypted with a private key, which is in the possession of the intended recipient. Furthermore, public-key cryptography meets the need for privacy and authentication.

Working of Encryption

When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know the public key of a Bob and use it to verify Bob's signatures, they cannot discover Bob's private key and use it to forge digital signatures. This is referred to as the principle of "irreversibility."

To sign a message, Alice does a computation involving both her private key and the message itself; the output is called the digital signature and is attached to the message, which is then sent. If Bob wants to verify the signature, he does some computation involving the message, the purported signature, and Alice's public key. If the result holds properly in a simple mathematical relation, the signature is verified as being genuine ; otherwise , the signature may be fraudulent or the message might have been altered .

Digital Signature

Concept

What is a digital signature?

A digital signature is a cryptographic means of authentication. Public key cryptography that uses an asymmetric key algorithm is used for creating the digital signature. The complementary keys are termed the private key (which is known only to the signer and used to create the digital signature), and the public key (which is more widely known and is used by a relying party to verify the digital signature).

Another process, termed a "hash function," is used in both creating and verifying a digital signature. A hash function is an algorithm which creates a digital representation or " fingerprint " in the form of a "hash value" or "hash result" of a standard length which is usually much smaller than the message but unique to it. Any change to the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function, termed a "one - way hash function," it is not possible to derive the original message from the hash value.

Verification of a digital signature is accomplished by computing a new hash result of the original message by means of the same hash function used to create the digital signature. Then, using the public key and the new hash result, the verifier checks: (1) whether the digital signature was created using the corresponding private key; and (2) whether the newly computed hash result matches the original hash result which was transformed into the digital signature during the signing process.

To associate a key pair with a prospective signer, a certification authority issues a certificate, which is an electronic record that lists a public key as the subject of the certificate, and confirms that the signer identified in the certificate holds the corresponding private key. The prospective signer is termed as the subscriber.

A certificate's principal function is to bind a key pair with a particular subscriber. The recipient of the certificate desiring to rely upon a digital signature created by the subscriber named in the certificate can use the public key listed in the certificate to verify that the digital signature was created with the corresponding private key.

The certification authority digitally signs the certificate to assure authenticity of both the message and identity in the certificate. The issuing certification authority's digital signature on the certificate can be verified by using the public key of the certification authority listed in another certificate by another certificate authority and that other certificate can in turn be authenticated by the public key listed in yet another certificate, and so on.

To make a public key and its identification with a specific subscriber readily a vailable for use in verification, the certificate may be published in a repository. Repositories are on-line databases of certificates and other information available for retrieval and use in verifying digital signatures. Retrieval can be accomplished automatically by having the verification program directly inquire of the repository to obtain certificates as needed.

If the subscriber loses control of the private key, the certificate becomes unreliable, and the certification authority may suspend or revoke the certificate.

RSA (Rivest Shamir Adleman)

RSA is a public-key cryptosystem developed by MIT professors Ronald L Rivest, Adi Shamir, Leonard M Adleman in 1977 in an effort to help ensure internet security.
RSA uses modular arithmetic and elementary number theory to do computation using two very large prime numbers .
RSA encryption is widely used and is the 'defacto' encryption standard.

Note

RSA is a public-key cryptosystem for both encryption and authentication which was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. In practice, the RSA system is often used together with a secret-key cryptosystem, such as DES. The RSA system is used widely in a wide variety of products, platforms, and industries. The RSA algorithm is built into current operating systems by Microsoft, Apple, Sun, and Novell. In hardware, the RSA algorithm can be found in secure telephones, on Ethernet network cards, and on smart cards.

If Alice wishes to send an encrypted message to Bob, she will first encrypt the message with DES, using a randomly chosen DES key. Then she will look up Bob's public key and use it to encrypt the DES key. The DES-encrypted message and the RSA-encrypted DES key together form the RSA digital envelope which is sent to Bob. When Bob receives the digital envelope, he will decrypt the DES key with his private key, and then use the DES key to decrypt the message itself. This combines the high speed of DES with the key management convenience of the RSA system.

RSA works as follows : two large prime numbers are taken (say a and b), and their product is determined (c = ab, where c is called the modulus ). A number (e) is chosen such that it is less than c and relatively prime to (a-1) (b-1), which means that e and (a-1) (b-1) have no common factors except 1. Apart from this, another number f is chosen such that (ef - 1) is divisible by (a-1) (b-1). The values e and f are called the public and private exponents, respectively. The public key is the pair (c, e); the private key is (c, f).

It is considered to be difficult to obtain the private key f from the public key. However if someone can factor c into a and b, then he / she can decipher the private key f. Thus the security of the RSA system is based on the assumption that factoring is difficult to carry out and therefore the cryptographic technique safe.

Example of RSA algorithm

RSA retains its security from the apparent difficulty in factoring very large composites. However it is possible that an advance in number theory may lead to the discovery of a polynomial time factoring algorithm. There are three factors that can aggravate the path towards compromising RSA security. These are advances in factoring technique, computing power and the decrease in the cost of computing hardware. Let us look at an example to illustrate the working of RSA as discussed before. For P = 61 and Q = 53, PQ = 3233. Taking a public exponent E = 17 and a private exponent D = 2753, we can encrypt a plain text 123 as shown below:

The encryption function is:

 encrypt {T} = {T^E} mod PQ

The decryption function is:

 decrypt {C} = {C^D} mod PQ                          = {C^2753} mod 3233

To encrypt the plaintext value 123, do this:

 encrypt{123} = {123^17} mod 3233                       = 337587917446653715596592958817679803 mod 3233                       = 855

To decrypt the ciphertext value 855, do this:

 decrypt {855} = {855^2753} mod 3233                              = 123

RSA Attacks

Brute forcing RSA factoring
Esoteric attack
Chosen cipher text attack
Low encryption exponent attack
Error analysis
Other attacks

Brute Force RSA Factoring

This is possible when an attacker has access to the public-key. This implies that the attacker has e and n. The goal is to obtain the private key d. To get d, n needs to be factored (which will yield p and q, which can then be used to calculate d). Factoring n is the best known attack against RSA to date. Some of the algorithms used for factoring are as follows:

Trial division: The oldest and least efficient. Exponential running time. Try all the prime numbers less than sqrt (n).
Quadratic Sieve (QS): The fastest algorithm for numbers smaller than 110 digits.
Multiple Polynomial Quadratic Sieve (MPQS): Faster version of QS.
Double Large Prime Variation of the MPQS: Faster still.
Number Field Sieve (NFS): Currently the fastest algorithm known for numbers larger than 110 digits.

These algorithms represent the state of the art in warfare against large composite numbers. The table below estimates the effort required to factor some common PGP-based RSA public-key modulus lengths using the General Number Field Sieve:

KeySize	MIPS- years required to factor

512	30,000
768	200,000,000
1024	300,000,000,000
2048	300,000,000,000,000,000,000

The next chart shows some estimates for the equivalences in brute force key searches of symmetric keys and brute force factoring of asymmetric keys, using the NFS.

Symmetric	Asymmetric

56-bits	384-bits
64-bits	512-bits
8o-bits	768-bits
112-bits	1792-bits
128-bits	2304-bits

Esoteric RSA attacks

These attacks depend on the weakness in certain implementations of the RSA protocol.

Chosen cipher-text attack

An attacker listens in on the insecure channel in which RSA messages are passed. The attacker collects an encrypted message c, from the target (destined for some other party). The attacker wants to be able to read this message without having to mount a serious factoring effort. In other words, he wants m=c^d.

To recover m, the attacker first chooses a random number, r < n. (The attacker has the public-key (e, n).) The attacker computes:

x=r^e mod n (He encrypts r with the target's public-key)

y=xc mod n (Multiplies the target ciphertext with the temp)

t=r^-1 mod n (Multiplicative inverse of r mod n)

The attacker counts on the fact that: If x=r^e mod n, Then r=x^d mod n

The attacker then gets the target to sign y with her private-key, (which actually decrypts y) and sends u=y^d mod n to the attacker. The attacker simply computes:

tu mod n = (r^-1) (y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n = m

To foil this attack do not sign some random documents presented. Sign a one-way hash of the message instead.

Low encryption exponent e

If the encryption exponent is small (common values are 3, 17, and 65537) then public-key operations are significantly faster. The only problem lies in using small values for e as a public exponent for encrypting small messages. For instance, if e is 3 and m is a smaller number than the cubic root of n, then the message can be recovered simply by taking the cubic root of m because:

m [for m < 3rdroot(n)] ^3 mod n will be equivalent to m^3

therefore:

3rdroot(m^3) = m.

To defend against this attack, simply pad the message with a nonce before encryption, such that m^3 will always be reduced mod n.

Error Analysis

Shamir and others have discovered an attack against most cryptosystems (DES, IDEA, and RSA) which can be used if the attacker can somehow force the encryption/decryption engine to make errors. By analyzing the form of the output to known input when the engine is forced to make one bit errors somewhere in its operation, most cryptosystems can be broken easily. Again however this is primarily of interest to people who use some encryption scheme where the input, output, and encryption is accessible to the attacker.

Other RSA attacks

There are other attacks against RSA, such as the common modulus attack in which several users share n, but have different values for e and d. Sharing a common modulus with several users, can enable an attacker to recover a message without factoring n. If d is up to one quarter the size of n and e is less than n, d can be recovered without factoring. PGP does not choose small values for the decryption exponent.

MD5

The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" digest of the input.
The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Concept

A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). The basic requirements for a cryptographic hash function are:

the input can be of any length,
the output has a fixed length,
H(x) is relatively easy to compute for any given x,
H(x) is one-way,
H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert" means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y) then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

The main role of a cryptographic hash function is in the provision of digital signatures. Since hash functions are generally faster than digital signature algorithms, it is typical to compute the digital signature to some document by computing the signature on the document's hash value, which is small compared to the document itself. Additionally, a digest can be made public without revealing the contents of the document from which it is derived.

MD2, MD4, and MD5 are message-digest algorithms developed by Rivest. They are meant for digital signature applications where a large message has to be "compressed" in a secure manner before being signed with the private key. All three algorithms take a message of arbitrary length and produce a 128-bit message digest. While the structures of these algorithms are somewhat similar, the design of MD2 is quite different from that of MD4 and MD5 and MD2 was optimized for 8-bit machines, whereas MD4 and MD5 were aimed at 32-bit machines.

MD4 was developed by Rivest in 1990. The message is padded to ensure that its length in bits plus 448 is divisible 512. A 64-bit binary representation of the original length of the message is then concatenated to the message. Attacks on versions of MD4 were developed very quickly and Dobbertin showed how collisions for the full version of MD4 could be found in under a minute on a typical PC.

MD5 was developed by Rivest in 1991. It is basically MD4 with "safety-belts" and while it is slightly slower than MD4, it is more secure. The algorithm consists of four distinct rounds, which have a slightly different design from that of MD4. Message-digest size, as well as padding requirements, remains the same.

Brute Force of MD5

The strength of any one-way hash is defined by how well it can randomize an arbitrary message and produces a unique output. There are two types of brute force attacks against a one-way hash function, normal brute force and the birthday attack.

SHA (Secure Hash Algorithm)

The SHA algorithm takes as input a message of arbitrary length and produces as output a 160-bit" fingerprint" or "message digest" of the input.
The algorithm is slightly slower than MD5, but the larger message digest makes it more secret against brute-force collision and inversion attacks.

Note

The Secure Hash Algorithm (SHA), the algorithm specified in the Secure Hash Standard(SHS), was developed by NIST and published as a federal information processing standard (FIPS PUB 180). SHA-1 was a revision to SHA that was published in 1994. The revision corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest.

SHA is a cryptographic message digest algorithm similar to the MD4 family of hash functions developed by Rivest. The algorithm takes a message of less than 2 64 bits in length and produces a 160-bit message digest which is designed so that it should be computationally expensive to find a text which matches a given hash. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

SHA is part of the Capstone project. Capstone is the U.S. government's long- term project to develop a set of standards for publicly available cryptography, as authorized by the Computer Security Act of 1987. The primary agencies responsible for Capstone are NIST and the NSA. There are four major components of Capstone: a bulk data encryption algorithm, a digital signature algorithm, a key exchange protocol, and a hash function. The data encryption algorithm is called Skipjack. The digital signature algorithm is DSA and the hash function is SHA.

SSL (Secure Socket Layer)

SSL stands for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting private documents via the Internet.
SSL works by using a private key to encrypt data that is transferred over the SSL connection.
SSL Protocol is application protocol independent.

Note	SSL stands for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection.

The SSL Protocol is designed to provide privacy between two communicating applications (a client and a server). Second, the protocol is designed to authenticate the server, and optionally the client. SSL requires a reliable transport protocol (e.g. TCP) for data transmission and reception .

The advantage of the SSL Protocol is that it is application protocol independent. A "higher level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of the SSL Protocol transparently . The SSL Protocol can negotiate an encryption algorithm and session key as well as authenticate a server before the application protocol transmits or receives its first byte of data. All of the application protocol data is transmitted encrypted, ensuring privacy.

The SSL protocol provides "channel security" which has three basic properties:

The channel is private. Encryption is used for all messages after a simple handshake is used to define a secret key.
The channel is authenticated. The server endpoint of the conversation is always authenticated, while the client endpoint is optionally authenticated.
The channel is reliable. The message transport includes a message integrity check (using a MAC).

An SSL session is stateful. It is the responsibility of the SSL Handshake protocol to coordinate the states of the client and server, thereby allowing the protocol state machines of each to operate consistently, despite the fact that the state is not exactly parallel.

Logically the state is represented twice, once as the current operating state, and again as the pending state. Additionally, separate read and write states are maintained . When the client or server receives a change cipher spec message, it copies the pending read state into the current read state. When the client or server sends a change cipher spec message, it copies the pending write state into the current write state. When the handshake negotiation is complete, the client and server exchange change cipher spec messages, and then communicate using the newly agreed-upon cipher spec.

An SSL session may include multiple secure connections; in addition, parties may have multiple simultaneous sessions. The session state includes the following elements:

Session Identifier - An arbitrary byte sequence chosen by the server to identify an active or resumable session state
Peer Certificate - X509.v3[X509] certificate of the peer. This element of the state may be null.
Compression Method - The algorithm used to compress data prior to encryption.
Cipher Spec - Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.
Master Secret - 48-byte secret shared between the client and server.
Is Resumable - A flag indicating whether the session can be used to initiate new connections.

The connection state includes the following elements:

Server and client random - Byte sequences that are chosen by the server and client for each connection.
Server write MAC secret - The secret used in MAC operations on data written by the server.
Client write MAC secret - The secret used in MAC operations on data written by the client.
Server write key - The bulk cipher key for data encrypted by the server and decrypted by the client.
Client write key - The bulk cipher key for data encrypted by the client and decrypted by the server.
Initialization vectors - When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL handshake protocol. Thereafter the final ciphertext block from each record is preserved for use with the following record.
Sequence numbers - Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers are of type uint64 and may not exceed 264 -1.

SSL Handshake Protocol Flow

SSL Handshake Protocol operates on top of the SSL Record Layer. When a SSL client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows:

The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: protocol version, session ID, cipher suite, and compression method.
Following the hello messages, the server will send its certificate, if it is to be authenticated. Additionally, a server key exchange message may be sent, if it is required. If the server is authenticated, it may request a certificate from the client, if that is appropriate to the cipher suite selected.
Now the server will send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response.
If the server has sent a certificate request message, the client must send either the certificate message or a no certificate alert. The client key exchange message is now sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. If the client has sent a certificate with signing ability, a digitally-signed certificate verifies message is sent to explicitly verify the certificate.
At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its Finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data.

When the client and server decide to resume a previous session or duplicate an existing session (instead of negotiating new security parameters) the message flow is as follows:

The client sends a client hello using the Session ID of the session to be resumed. The Server then checks its session cache for a match. If a match is found, and the server is willing to re-establish the connection under the specified session state, it will send a server hello with the same Session ID value. At this point, both client and server must send change cipher spec messages and proceed directly to finished messages. Once the re-establishment is complete, the client and server may begin to exchange application layer data. If a Session ID match is not found, the server generates a new session ID and the SSL client and server perform a full handshake.

RC5

RC5 is a fast block cipher designed by RSA Security in 1994.
It is a parameterized algorithm with a variable block size, a variable key size and a variable number of rounds. The key size is 128 bit.
RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized algorithm where the block size, the key size and the number of rounds are variable again. The upper limit on the key size is 2040 bits.

Note

RC5 is a fast block cipher designed by Ronald Rivest for RSA Data Security (now RSASecurity) in 1994. It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32 bits (for experimentation and evaluation purposes only), 64 bits (for use a drop-in replacement for DES), and 128 bits. The number of rounds can range from 0 to 255, while the key can range from 0 bits to 2040 bits in size. Such built-in variability provides flexibility at all levels of security.

There are three routines in RC5: key expansion, encryption, and decryption. In the key-expansion routine, the user -provided secret key is expanded to fill a key table whose size depends on the number of rounds. The key table is then used in both encryption and decryption. The encryption routine consists of three primitive operations: integer addition, bitwise XOR, and variable rotation. The exceptional simplicity of RC5 makes it easy to implement and analyze. Indeed, like the RSA system, the encryption steps of RC5 can be written on the "back of an envelope".

The heavy use of data-dependent rotations and the mixture of different operations provide the security of RC5. RC6 is a block cipher based on RC5 and designed by Rivest, Sidney, and Yin for RSA Security. Like RC5, RC6 is a parameterized algorithm where the block size, the key size, and the number of rounds are variable; again, the upper limit on the key size is 2040 bits. There are two main new features in RC6 compared to RC5: the inclusion of integer multiplication and the use of four b /4-bit working registers instead of two b /2-bit registers as in RC5 ( b is the block size). Integer multiplication is used to increase the diffusion achieved per round so that fewer rounds are needed and the speed of the cipher can be increased. The reason for using four working registers instead of two is technical rather than theoretical. Namely, the default block size of the AES is 128 bits; while RC5 deals with 64-bit operations when using this block size, 32-bit operations are preferable given the intended architecture of the AES.

What is SSH?

The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp and rdist).
It provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.
SSH provides a strong host-to host and user authentication as well as secure encrypted communications over an insecure internet.
SSH2 is a more secure, efficient and portable version of SSH that includes SFTP, an SSH2 tunneled FTP.

Note

Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It i s intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp.

Additionally, Secure Shell provides secure X connections and secure forwarding of arbitrary TCP connections. The difference between SSH1 and SSH2 is they are two entirely different protocols. SSH1 and SSH2 encrypt at different parts of the packets, and SSH1 uses server and host keys to authenticate systems where SSH2 only uses host keys. SSH2 is a complete rewrite of the protocol, and it does not use the same networking implementation that SSH1 does. Also, SSH2 is more secure. It should be noted that the SSH1 and SSH2 protocols are in fact different and not compatible with each other. In a nutshell , SSH2 is a rewrite of the SSH1 protocol, with improvements to security, performance, and portability.

The SSH1 protocol is not being developed anymore, as SSH2 is being developed as the standard.

There are structural weaknesses in SSH1 which leave it open to additional attacks
SSH1 is subject to a man-in-the-middle attack
SSH1 has more supported platforms
SSH1 supports .rhosts authentication (it's against the draft for SSH2
SSH1 has more diverse authentication support (AFS, Kerberos, etc.)
Performance for SSH2 is not equal to SSH1

SSH Communications Security is the developer of Secure Shell (secsh) protocol and maintains the releases of SSH1 and SSH2. Secure Shell authenticates using one or more of the following:

Password (the /etc/passwd or /etc/shadow in UNIX)
User public key (RSA or DSA, depending on the release)
Kerberos (for SSH1)
Hostbased (.rhosts or /etc/ hosts . equiv in SSH1 or public key in SSH2)

Secure Shell protects against:

IP spoofing, where a remote host sends out packets which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.
IP source routing, where a host can pretend that an IP packet comes from another, trusted host.
DNS spoofing, where an attacker forges name server records
Interception of cleartext passwords and other data by intermediate hosts
Manipulation of data by people in control of intermediate hosts
Attacks based on listening to X authentication data and spoofed connection to the X11 server

Government Access to Keys(GAK)

Government Access to Keys ( also known as key escrow) means that software companies will give copies of all keys ( or at least enough of the key that the remainder could be cracked very easily) to the government.
The government promises that they would hold the keys in a secure way and only use them to crack keys when a court issues a warrant to do so.
To the government, this issue is similar to the ability to wiretap phones.

Government access to decryption keys is considered by many to be the overriding desire of most national security agencies. It is a continuing battleground between law enforcement agencies (LEAs) and civil liberty groups.

Note

A key escrow encryption system (or, simply escrowed encryption system) is an encryption system with a backup decryption capability that allows authorized persons, under certain prescribed conditions, to decrypt ciphertext with the help of information supplied by one or more trusted parties who hold special data recovery keys.

The data recovery keys are not normally the same as those used to encrypt and decrypt the data, but rather provide a means of determining the data encryption/decryption keys. The term key escrow is used to refer to the safeguarding of these data recovery keys. Other terms used include key archive, key backup, and data recovery system.

Key recovery systems have gained prominence due to the desire of government intelligence and law enforcement agencies to guarantee that they have access to encrypted information without the knowledge or consent of encryption users. A properly designed cryptosystem makes it essentially impossible to recover encrypted data without knowledge of the correct key. In some cases this creates a potential problem for the users of encryption themselves ; the cost of keeping unauthorized parties out is that if keys are lost or unavailable at the time they are needed, the owners of the encrypted data will be unable to make use of their own information.

The ultimate goal of government-driven key recovery encryption, as stated in the U.S. Department of Commerce's recent encryption regulations, "envisions a worldwide key management infrastructure with the use of key escrow and key recovery encryption items."

The Clipper Chip is a cryptographic device supposedly intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of what has been vaguely characterized as "legal authorization." The "keys" are held by two government "escrow agents " and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.

The underlying cryptographic algorithm, known as Skipjack, was developed by the National Security Agency (NSA), a super-secret military intelligence agency responsible for intercepting foreign government communications and breaking the codes that protect such transmissions. The Skipjack algorithm uses 8o-bit keys. If it is as good as NSA claims, cryptanalyzing it will require searching through all these keys or doing about a million billion billion encryptions. This makes it sixteen million times as hard to break as DES. From the viewpoint of a user, any key escrow system diminishes security. It puts potential for access to the user's communications in the hands of an escrow agent who's intentions, policies, security capabilities, and future cannot be entirely known.

RSA Challenge

The RSA Factoring challenge is an effort, sponsored by RSA Laboratories, to learn about the actual difficulty of factoring large numbers of the type used in RSA keys.
A set of eight challenge numbers, ranging in size from 576 bits to 2048 bits are given.

The RSA Factoring challenge is an effort, sponsored by RSA Laboratories, to learn about the actual difficulty of factoring large numbers of the type used in RSA keys. A set of eight challenge numbers, ranging in size from 576 bits to 2048 bits are given. Each number is the product of two large primes, similar to the modulus of an RSA key pair.

The RSA challenge numbers were generated using a secure process that guarantees that the factors of each number cannot be obtained by any method other than factoring the published value. No one, not even RSA Laboratories, knows the factors of any of the challenge numbers.

The generation took place on a Compaq laptop PC with no network connection of any kind . The factoring of a challenge-number of specific length does not mean that the RSA cryptosystem is "broken." It does not even mean, necessarily , that keys of the same length as the factored challenge number must be discarded. It simply gives us an idea of the amount of work required to factor a modulus of a given size. This can be translated into an estimate of the cost of breaking a particular RSA key pair.

The table below provides an estimate of the resources required to factor numbers of various bit lengths in a time period of one year. The Machines column is the number of 500 MHz Pentium (or comparable) machines needed. The Memory column is the amount of RAM required in each machine.

Number Length (bits)	Machines	Memory
430	1	trivial
760	215,000	4 Gb
1020	342,000,000	170 Gb
1620	1.6 x 10 ¹⁵	120 Tb

As shown, to factor a 760-bit number in one year would require 215,000 Pentium-class machines, each with 4 Gigabytes of physical RAM.

The best known algorithm for factoring large numbers is the General Number Field Sieve (GNFS). GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, and then solves it to determine the factors.

The sieving phase may be done in distributed fashion, on a large number of processors simultaneously . The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.

distributed.net

www.distributed.net

An attempt to crack RC5 encryption using network of computers world wide
The client utility when downloaded from distributed.net runs the crack algorithm as screensaver and send results to the distributed.net connected servers.
The challenge is still running...

distributed.net is a non-profit organization committed to serving as a gathering point for topics relating to distributed computing, or the process by which countless computers work together toward solving a particular problem. The history of the organization, the organization's ongoing projects, the individuals involved in the organization and the organization's short term and long term goals all relate to finding new ways for computers connected to the Internet being used during "idle" time. This process is realized through the development of software which allows computers currently not in use to communicate via the Internet allowing an unlimited amount of computers to work toward one common goal.

To date, distributed.net has used its processes and technologies to solve encryption contests on the Internet. It is through the application of this concept that distributed.net has been able to develop and refine these techniques, improving on the range, scope, and variety of tasks which are suitable for this technology. In response to the RC5 -32/12/7 (56 bit) Secret Key Challenge, a contest testing RSA Lab's 56 bit encryption algorithm technology, a group of individuals began development of software tools designed to work towards solving the challenge. A program was created (the client) which was then installed on many machines and performed the complex calculations necessary to solve the challenge. Additionally, a network of servers was designed and created which could coordinate all the client computers. The large task of testing 72 quadrillion keys was then split up and delegated to each client machine. As each client completed its parcel of assigned work, it would report back to the server the results and then be assigned another parcel of work.

In this manner of organized cooperation, many small computers can equal and even surpass the computing power of the largest mainframes. On May 8th, 1997 this effort become distributed.net with Adam L. Beberg acting as founder and chief organizer of this non-profit organization. On July 8th 1997, a new version of the "client" software became available. This version (v2) allowed for easier reporting, faster processing, and much more flexible operation.

On October 22, 1997 after 212 days of work the RC5-56 challenge was solved . At the end of the contest, 4000 active teams of volunteers (in total processing over 7 billion keys each second) at a combined computing power equivalent to more than 26 thousand high-end personal computers, managed to evaluate 46% of the possible solutions. A computer managed by Jo Hermans of Brussels found the solution. Of the $10,000 prize money $8,000 was donated to Project Gutenberg/CMU, $1,000 was awarded Jo Hermans and his teammates, and $1,000 was retained by distributed.net to cover their costs.

After some restructuring and development time, a second project began running on January 13th 1998. The second encryption contest, DES II-1, took only 40 days for completion. DES II-1 was cracked on Feb 23, 1998. The successful completion of this challenge brought a prize of $5,000, of which $3,000 was given to the Free Software Foundation, another non-profit venture.

On January 18, 1999, at 9am, DES III commenced, distributed.net, with the aid of EFF?s Deep Crack in addition to the distributed.net clients , took part and completed this challenge on January 19, 1999 at 7am, less than 24 hours after the challenge commenced.

On November 17, 1999, at midnight, distributed.net started participating in the CSC challenge. CSC is an encryption challenge that is organized by CS Communications and Systems to demonstrate how weak a 56-bit key is against brute force attacks, distributed.net was also successful at this challenge. On January 16, 2000, at 6:30am, the winning key was received.

On July 14, 2002 after 1,757 days and 58,747,597,657 work units tested the RC5-64 challenge was solved when a P3-450 running Windows 2000 in Tokyo returned the winning key to the distributed.net key servers. The task was completed by 331,252 participants . Our peak rate of 270,147,024 kkeys/sec is equivalent to 32,504 800MHz Apple PowerBook G4 laptops or 45,998 2GHz AMD Athlon XP machines or (to use some rc5-56 numbers) nearly a half million Pentium Pro 200s.

Distributed.net is also currently working on OGR-24 (Optimal 24-mark Golomb Ruler), and has resources in place to continue straight onto OGR-25. This is done in the same way as RC5-64, by volunteers using v2.8 or above of the client software.

Volunteer participation in distributed.net is estimated at over 60,000 individuals from nearly every nation and region in the world. With combined resources of as many as 500,000 computers, distributed.net represents the first large-scale collaborative computing effort ever undertaken.

PGP Pretty Good Privacy

Pretty Good Privacy (PGP) is a software package originally developed by Philip R Zimmermann that provides cryptographic routines for emails and file storage applications.
Zimmermann took existing cryptosystems and cryptographic protocols and developed a program that can run on multiple platforms. It provides message encryption, digital signatures, data compression and e-mail compatibility.

Tools

Pretty Good Privacy (PGP) is a software package originally developed by Phil Zimmerman that provides cryptographic routines for e-mail and file storage applications. Zimmerman took existing cryptosystems and cryptographic protocols and developed a freeware program that can run on multiple platforms. It provides message encryption, digital signatures, data compression, and e-mail compatibility.

The algorithms used for message encryption are RSA for key transport and IDEA for bulk encryption of messages. Digital signatures are achieved by the use of RSA for signing and MD5 for computing the message digest. The freeware program ZIP is used to compress messages for transmission and storage. E-mail compatibility is achieved by the use of Radix-64 conversion.

PGP is basically used for 4 things.

Encrypting a message or file so that only the recipient can decrypt and read it. The sender, by digitally signing with PGP, can also guarantee to the recipient, that the message or file must have come from the sender and not an impostor .
Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor. In a plain text message, the text is readable by anyone (i.e. is 'plain') but a PGP digital signature is attached. E.g. News group postings
Encrypting computer files so that they cannot be decrypted by anyone other than the person who encrypted them.
Really deleting files (i.e. overwriting the content so that it can't be recovered and read by anyone else) rather than just removing the file name from a directory/folder.

PGP signature is different for every message the user signs because PGP does a calculation on the message using the user's secret key (which is unique to the user). As every message is different, the signature is different too so nobody can cut and paste signatures from one message to another. Each key is a very long number, such as 1024 bits (around 300 decimal digits) expressed as a paragraph of specially formatted text.

Example:

-----BEGIN PGP PUBLIC KEY BLOCK ” ”

 mQCNAzGvwGAAAAEEAMQXI06gfdoZzy2Ngdqua6Zf6q4Bfdote 8qGHk9RncuEHSBf 2DrqYrkVmn6cANJp/HdBkJH39LcKybOGbxiahmjVnngPp+PzvX8+Wi7kQ5NP267S 0JIituePxuklEQ5pqywHw8yxtOGIqLj kJtb/pRvZyiCOCywlbj nbPFHw2SetAAUR tCZSb2JpbiBXaG10dGxlIDxmaXJzdHByQG96ZWlhaWwuY2 9tLmF1PokAlQMFEDGv WGE52zxR8NknrQEBbVOD/lgJSldscj2bFJOuD9LOY+LSTj71yxdONZ3cycPZ+3zp ShCNcsqNAGvHXDtqcGQrNrxHmYqnKBaJ/+46n/FSkDnt/bvEAbl05m+6T5oTK8h+ MaaVuvdcphwKfIPQbIoI6LcmtwSdOcyBBndp+0+02xOxhcd2Qx7Gni7J+fz8mmOy =Ysjn

-----END PGP PUBLIC KEY BLOCK-----

Hacking Tool: PGP Crack

http://munitions.iglu.cjb.net/ dolphin .cgi?action=render&category=0406

PGP crack is a program designed to brute-force a conventionally encrypted file with PGP or a PGP secret key.
The file "pgpfile" must not be ascii-armored. The file "phraselist" should be a file containing all of the passphrases that will be used to attempt to crack the encrypted file.

Tool

PGPCrack is a program designed to brute-force a conventionally encrypted file encrypted with PGP or a PGP secret key. It relies on a separate dictionary file, trying each word as a potential passphrase. On a conventionally encrypted PGP file, the utility cycled through over 15,000 words a second on a 100 MHz Pentium.

PGPCrack works by reading the first 23 bytes of the file to be cracked. The last 18 bytes of this array are the only bytes used to crack the file. Next it reads each line of the phraselist, removes the newline character, hashes the line with MD5, and uses that as a key to decrypt the ten bytes in IDEA-CFB mode. PGP can detect whether a valid passphrase has been entered by making sure that the 7th and 9th, and the 8th and loth bytes are the same. If it appears that a passphrase is valid, it then uses bytes 0 “7 as an IV to decrypt the next 8 bytes of the file. If the most significant bit of the first byte of this array is 1, then it prints the passphrase.

Secret key cracking works quite a bit differently. After the passphrase is hashed , the IV and each encrypted MPI are decrypted in IDEA-CFB mode. Then a simple checksum is calculated over the plaintext of each MPI (the checksum is not calculated over N and E). The checksum calculation includes the length fields of each MPI. The checksum algorithm consists of a running addition of every byte. The output is a 16-bit integer. The output is then compared with the unencrypted checksum stored in the secret key file. The command line should be the following: pgpcrack [phraselist] [pgpfile] <logfile>

"Phraselist" is a list of passphrases that PGPCrack attempts to use to decrypt the file "pgpfile". "Logfile" is an optional parameter that will specify to what file the cracked password will be written.

Summary

Using Public Key Infrastructure (PKI), anyone can send a confidential message using public in f ormation, which can only be decrypted with a private key in the sole possession of the intended recipient.
RSA encryption is widely used and is a 'de-facto' encryption standard.
The MD5 algorithm is intended for digital signature applications, where a large file must be compressed securely before being encrypted
SHA algorithm takes as input a message of arbitrary length and produces as output a l6o-bit message digest of the input.
Secure Sockets Layer, SSL is a protocol for transmitting private documents via the Internet.
RC5 is a fast block cipher designed by RSA Security.
SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities and this provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.