Encryption and Firewalls
• Describe the role encryption plays in a
firewall architecture
• Explain how digital certificates work and
why they are important security tools
• Analyze the workings of SSL, PGP, and
other popular encryption schemes
• Discuss Internet Protocol Security (IPSec)
and identify its protocols and modes
Firewalls and Encryption
• Hackers take advantage of a lack of
• Encryption:
– Preserves data integrity
– Increases confidentiality
– Is relied upon by user authentication
– Plays a fundamental role in enabling VPNs
Hacker and an Unencrypted
Hacker and an Encrypted
The Cost of Encryption
• CPU resources and time
• Bastion host that hosts the firewall should
be robust enough to manage encryption
and other security functions
• Encrypted packets may need to be
padded to uniform length to ensure that
some algorithms work effectively
• Can result in slowdowns
• Monitoring can burden system
Preserving Data Integrity
• Even encrypted sessions can go wrong as
a result of man-in-the-middle attacks
• Encryption can perform nonrepudiation
using a digital signature
Maintaining Confidentiality
• Encryption conceals information to render
it unreadable to all but intended recipients
Authenticating Network
• Firewalls need to trust that the person’s
claimed identity is genuine
• Firewalls that handle encryption can be
used to identify individuals who have
“digital ID cards” that include encrypted
– Digital signatures
– Public keys
– Private keys
Enabling Virtual Private
Networks (VPNs)
• As an integral part of VPNs, encryption:
– Enables the firewall to determine whether the
user who wants to connect to the VPN is
actually authorized to do so
– Encodes payload of information to maintain
Principles of Cryptography
• Encryption: the process of converting an original
message into a form that cannot be understood
by unauthorized individuals
• Cryptology, the science of encryption,
encompasses two disciplines:
– Cryptography: describes the processes involved in
encoding and decoding messages so that others
cannot understand them
– Cryptanalysis: the process of deciphering the original
message (plaintext) from an encrypted message
(ciphertext) without knowing the algorithms and keys
used to perform the encryption
Encryption Definitions
• Algorithm: the mathematical formula or
method used to convert an unencrypted
message into an encrypted message
• Cipher: the transformation of the individual
components (characters, bytes, or bits) of
an unencrypted message into encrypted
• Ciphertext or cryptogram: the unintelligible
encoded message resulting from an
Encryption Definitions
• Cryptosystem: the set of transformations
necessary to convert an unencrypted message
into an encrypted message
• Decipher: to decrypt or convert ciphertext to
• Encipher: to encrypt or convert plaintext to
• Key or cryptovariable: the information used in
conjunction with the algorithm to create the
ciphertext from the plaintext; it can be a series of
bits used in a mathematical algorithm or the
knowledge of how to manipulate the plaintext
Encryption Definitions
• Keyspace: the entire range of values that
can possibly be used to construct an
individual key
• Plaintext: the original unencrypted
message that is encrypted and results
from successful decryption
• Steganography: the process of hiding
messages, usually within graphic images
Encryption Definitions
• Work factor: the amount of effort (usually
expressed in units of time) required to
perform cryptanalysis on an encoded
Cryptographic Notation
• M represents original message; C
represents ciphertext; E represents
encryption process; D represents the
decryption process; K represents a key
• E(M) = C: encrypting a message results in ciphertext
• D(C) = M and D[E(M)] = M
• E(M,K) = C: specifies encrypting the message with a key;
keys can be annotated K1, K2, etc. in the case of
multiple keys
Common Ciphers
• In encryption, the most commonly used
algorithms include three functions:
substitution, transposition, and XOR
• In a substitution cipher, you substitute one
value for another; a monoalphabetic
substitution uses only one alphabet and a
polyalphabetic substitution uses two or
more alphabets
• The transposition cipher (or permutation
cipher) simply rearranges the values
within a block to create the ciphertext; this
can be done at the bit level or at the byte
(character) level
Common Ciphers (continued)
• In the XOR cipher conversion, the bit stream is
subjected to a Boolean XOR function against
some other data stream, typically a key stream
• XOR works as follows:
– ‘0’ XOR’ed with ‘0’ results in a ‘0’ (0 ⊕ 0 = 0)
– ‘0’ XOR’ed with ‘1’ results in a ‘1’ (0 ⊕ 1 = 1)
– ‘1’ XOR’ed with ‘0’ results in a ‘1’ (1 ⊕ 0 = 1)
– ‘1’ XOR’ed with ‘1’ results in a ‘0’ (1 ⊕ 1 = 0)
• Simply put, if the two values are the same, you
get “0”; if not, you get “1”
• This process is reversible; that is, if you XOR the
ciphertext with the key stream, you get the
Vernam Cipher
• Also known as the one-time pad, the
Vernam cipher was developed at AT&T
and uses a set of characters that are used
for encryption operations only one time
and then discarded
• The values from this one-time pad are
added to the block of text, and the
resulting sum is converted to text
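An added example, not part of the original slides: a one-time pad that uses XOR as the combining operation (the XOR slide's function rather than character addition), showing that decryption is the same operation and what leaks when a pad is not discarded after one use. The messages and function names are constructed for illustration.

```python
import secrets

def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR each data byte with the matching keystream byte (E and D are the same)."""
    if len(keystream) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, keystream))

def encrypt_with_fresh_pad(message: bytes):
    """Generate a random pad as long as the message and return (pad, ciphertext)."""
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(message, pad)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR two ciphertexts made with the same pad: the pad cancels, leaving M1 XOR M2."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

def matching_positions(leak: bytes):
    """A zero byte in the leak means both plaintexts had the same character there."""
    return [i for i, b in enumerate(leak) if b == 0]

# Constructed sample messages of equal length.
M1 = b"MOVE FUNDS AT NOON"
M2 = b"HOLD FUNDS TILL 5P"

def demo_reuse():
    pad, c1 = encrypt_with_fresh_pad(M1)
    c2 = xor_bytes(M2, pad)              # the mistake: the pad is used a second time
    leak = pad_reuse_leak(c1, c2)        # computed from ciphertexts alone, no key needed
    return xor_bytes(c1, pad), leak, matching_positions(leak)

if __name__ == "__main__":
    recovered, leak, same = demo_reuse()
    print("round trip ok:", recovered == M1)
    print("positions where the two plaintexts agree:", same)
```

With a fresh pad per message the ciphertext reveals nothing about the plaintext; the leak appears only because the second message reused the pad.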
Book or Running Key Cipher
• Another method, used in the occasional
spy movie, is the use of text in a book as
the algorithm to decrypt a message
• The key relies on two components:
– Knowing which book to use
– A list of codes representing the page number,
line number, and word number of the plaintext
Symmetric Encryption
• The previous methods of
encryption/decryption require the same
algorithm and key be used to both
encipher/decipher the message
• This is known as private key encryption or
symmetric encryption
• In this approach, the same key—a secret
key—is used to encrypt and decrypt the
Symmetric Encryption
• Usually extremely efficient, requiring
simple processing to encrypt or decrypt
the message
• Main challenge is getting a copy of the key
to the receiver, a process that must be
conducted out-of-band to avoid
Symmetric Encryption
The Technology of Symmetric
• Data Encryption Standard (DES)
– Developed in 1977 by IBM
– Based on the Data Encryption Algorithm (DEA), which
uses a 64-bit block size and a 56-bit key
– Federally approved standard for nonclassified data
– Cracked in 1997 when developers of a new algorithm,
Rivest-Shamir-Adleman, offered $10,000 to
whoever was first to crack it
– Fourteen thousand users collaborated over the
Internet to finally break the encryption
• Triple DES (3DES) was developed as an
improvement to DES and uses as many as three
keys in succession
The Technology of Symmetric
Encryption (continued)
• Advanced Encryption Standard (AES)
– Successor to 3DES
– Based on Rijndael Block Cipher, which
features a variable block length and a key
length of either 128, 192, or 256 bits
• In 1998, it took a special computer
designed by the Electronic Freedom
Frontier more than 56 hours to crack DES;
it would take the same computer
approximately 4,698,864 quintillion years
to crack AES
Asymmetric Encryption
• Also known as public key encryption
• Uses two different but related keys
• Either key can be used to encrypt or decrypt
• If Key A is used to encrypt message, then only
Key B can decrypt; if Key B is used to encrypt
message, then only Key A can decrypt
• This technique is most valuable when one of the
keys is private and the other is public
• Problem: it requires four keys to hold a single
conversation between two parties, and the
number of keys grows geometrically as parties
are added
Public Key Encryption
Digital Signatures
• When the asymmetric process is reversed,
the fact that the message was sent by the organization
owning the private key cannot be refuted
• Digital signatures: encrypted messages
verified as authentic by independent
facility (registry)
Digital Signatures (continued)
• Digital certificate: electronic document,
similar to digital signature, attached to file
certifying that file is from the organization it
claims to be from and has not been
modified from original format
• Certificate Authority (CA): agency that
manages issuance of certificates and
serves as electronic notary public to verify
their origin and integrity
Digital Signatures (continued)
Public Key Infrastructure
• Public key infrastructure (PKI) is the entire
set of hardware, software, and
cryptosystems necessary to implement
public key encryption
• Systems are based on public key
cryptosystems and include digital certificates
and certificate authorities
Public Key Infrastructure
• Can increase an organization’s ability to
protect its information assets by providing:
– Authentication: digital certificates authenticate
identity of each party in an online transaction
– Integrity: digital certificate asserts content signed by
the certificate has not been altered in transit
– Confidentiality: keeps information confidential by
ensuring it is not intercepted during transmission
– Authorization: digital certificates can replace user IDs
and passwords, enhance security, and reduce
– Nonrepudiation: certificates validate actions
Hybrid Systems
• Pure asymmetric key encryption not widely
used except in area of certificates; instead,
typically employed in conjunction with
symmetric key encryption, creating a
hybrid system
• Hybrid process currently in use is based
on Diffie-Hellman key exchange, which
provides method to exchange private keys
using public key encryption without
exposure to third parties
Hybrid Systems (continued)
• In this method, asymmetric encryption is
used to exchange symmetric keys, so two
entities can conduct quick, efficient,
secure communications based on
symmetric encryption; Diffie-Hellman
provided the foundation for subsequent
developments in public key encryption
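An added example, not part of the original slides: the hybrid pattern described above, with a Diffie-Hellman exchange producing a shared secret from which symmetric keys are derived for the bulk data. Assumptions: the group (2**127 - 1 with generator 3) is a toy size, and a SHA-256 counter keystream stands in for a real cipher such as AES, which the Python standard library does not provide.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus, for illustration only; far too small for real use
G = 3

def dh_keypair():
    """Return (private exponent, public value G^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Combine our private exponent with the peer's public value."""
    if not 1 < peer_pub < P - 1:          # reject degenerate values 0, 1 and P-1
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)

def derive_keys(shared):
    """Derive separate encryption and MAC keys from the shared secret."""
    raw = shared.to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())

def keystream(key, nonce, length):
    """SHA-256 in counter mode (stand-in for a real symmetric cipher)."""
    blocks = (length + 31) // 32
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(blocks))
    return out[:length]

def seal(keys, plaintext):
    """Encrypt with the symmetric key, then authenticate nonce and ciphertext."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(12)       # fresh per message so keystreams never repeat
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def open_sealed(keys, blob):
    """Check the tag before decrypting; raises ValueError if the blob was altered."""
    enc_key, mac_key = keys
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))

def demo():
    a_priv, a_pub = dh_keypair()          # only a_pub and b_pub cross the network
    b_priv, b_pub = dh_keypair()
    keys_a = derive_keys(dh_shared(a_priv, b_pub))
    keys_b = derive_keys(dh_shared(b_priv, a_pub))
    return keys_a == keys_b and open_sealed(keys_b, seal(keys_a, b"constructed message")) == b"constructed message"
```

The exchange here is unauthenticated, so neither side knows whose public value it received; the IPSec slides later on this page list signing the Diffie-Hellman exchanges as the way to guarantee the identity of the two parties.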
Hybrid Encryption
Using Cryptographic Controls
• Generation of unbreakable ciphertext is possible
only if proper key management infrastructure
has been constructed and cryptosystems are
operated and managed correctly
• Cryptographic controls can be used to support
several aspects of business:
– Confidentiality and integrity of e-mail and its
– Authentication, confidentiality, integrity, and
nonrepudiation of e-commerce transactions
– Authentication and confidentiality of remote access
through VPN connections
– Higher standard of authentication when used to
supplement access control systems
E-mail Security
• Secure Multipurpose Internet Mail Extensions
(S/MIME) builds on Multipurpose Internet Mail
Extensions (MIME); adds encryption and
authentication via digital signatures
• Privacy Enhanced Mail (PEM) proposed by
Internet Engineering Task Force (IETF) as a
standard that will function with public key
cryptosystems; uses 3DES and RSA for key
exchanges and digital signatures
• Pretty Good Privacy (PGP): uses IDEA Cipher, a
128-bit symmetric key block encryption algorithm
with 64-bit blocks for message encoding; RSA for
symmetric key exchange and digital signatures
Securing the Web
• Secure Electronic Transactions (SET)
– Developed by MasterCard and VISA in 1997 to
provide protection from electronic payment fraud
– Encrypts credit card transfers with DES and uses
RSA for key exchange
• Secure Sockets Layer (SSL)
– Developed by Netscape in 1994 to provide security
for online electronic commerce transactions
– Uses several algorithms; mainly relies on RSA for key
transfer and IDEA, DES, or 3DES for encrypted
symmetric key-based data transfer
Securing the Web
• Secure Hypertext Transfer Protocol (SHTTP)
– An encrypted version of HTTP
– Provides secure e-commerce transactions and
encrypted Web pages for secure data transfer over
the Web, using several different algorithms
• Secure Shell (SSH)
– Uses tunneling to provide security for remote access
connections over public networks
– Provides authentication services between a client and
a server
– Used to secure replacement tools for terminal
emulation, remote management, and file transfer
Securing the Web
• IP Security (IPSec): primary and now dominant
cryptographic authentication and encryption product
of IETF’s IP Protocol Security Working Group
• IPSec combines several different cryptosystems:
– Diffie-Hellman key exchange for deriving key material
between peers on a public network
– Public key cryptography for signing the Diffie-Hellman
exchanges to guarantee the identity of the two parties
– Bulk encryption algorithms for encrypting the data
– Digital certificates signed by a certificate authority to act
as digital ID cards
Securing the Web
• IPSec has two components:
– The IP Security protocol itself, which specifies
the information to be added to an IP packet
and indicates how to encrypt packet data
– The Internet Key Exchange, which uses
asymmetric key exchange and negotiates the
security associations
Securing the Web
• IPSec works in two modes of operation:
– Transport mode: only IP data is encrypted—not the IP
headers themselves; allows intermediate nodes to
read source and destination addresses
– Tunnel mode: entire IP packet is encrypted and
inserted as payload in another IP packet
• IPSec and other cryptographic extensions to
TCP/IP often used to support a virtual private
network (VPN), a private, secure network
operated over a public, insecure network
Securing Authentication
• A final use of cryptosystems is to provide
enhanced and secure authentication
• One approach to this issue is provided by
Kerberos, which uses symmetric key
encryption to validate an individual user’s
access to various network resources
• It keeps a database containing the private
keys of clients and servers that are in the
authentication domain that it supervises
• Kerberos system knows these private keys
and can authenticate one network node
(client or server) to another
• Kerberos also generates temporary
session keys—that is, private keys given
to the two parties in a conversation
Kerberos (continued)
Kerberos (continued)
Attacks on Cryptosystems
• Historically, attempts to gain unauthorized
access to secure communications have used
brute force attacks in which the ciphertext is
repeatedly searched for clues that can lead to
the algorithm’s structure (ciphertext attacks)
• This process, known as frequency analysis, can
be used along with published frequency of
occurrence patterns of various languages and
can allow an experienced attacker to quickly
crack almost any code if the individual has a
large enough sample of the encoded text
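An added example, not part of the original slides: frequency analysis applied to the simplest monoalphabetic substitution, a fixed alphabet shift, to show why such ciphers have a very small work factor once enough ciphertext is available. The letter-frequency table is approximate, and the sample sentence and shift value are constructed.

```python
from collections import Counter
import string

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.10, "z": 0.07,
}

def shift_text(text: str, shift: int) -> str:
    """Shift lowercase letters by `shift` places; leave other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text: str) -> float:
    """Distance between the text's letter counts and expected English counts."""
    letters = [c for c in text if c in string.ascii_lowercase]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100
        score += (counts.get(letter, 0) - expected) ** 2 / expected
    return score

def recover_shift(ciphertext: str) -> int:
    """Try all 26 keys and keep the one whose output looks most like English."""
    return min(range(26), key=lambda s: chi_squared(shift_text(ciphertext, -s)))

# Constructed sample plaintext and key.
SAMPLE = ("the firewall inspects every packet and drops the ones that do not "
          "match the rule set defined by the security team")
SECRET_SHIFT = 11

if __name__ == "__main__":
    ciphertext = shift_text(SAMPLE, SECRET_SHIFT)
    guess = recover_shift(ciphertext)
    print("recovered shift:", guess)
    print(shift_text(ciphertext, -guess))
```

The keyspace here is only 26 values and the ciphertext preserves the plaintext's letter statistics, which is the property modern ciphers are designed to remove.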
Attacks on Cryptosystems
• Occasionally, an attacker may obtain duplicate
texts, one in ciphertext and one in plaintext,
which enable the individual to reverse-engineer
the encryption algorithm in a known-plaintext
attack scheme
• Alternatively, an attacker may conduct a
selected-plaintext attack by sending a potential
victim a specific text that they are sure the victim
will forward on to others; the attacker then
intercepts the encrypted message and compares
it to the original plaintext
Attacks on Cryptosystems
• Man-in-the-middle attack: method used to
intercept the transmission of a public key
or even to insert a known key structure in
place of the requested public key
• Correlation attacks: collection of brute-force methods that attempt to deduce
statistical relationships between the
structure of the unknown key and the
ciphertext that is the output of the
Attacks on Cryptosystems
• In a dictionary attack, the attacker
encrypts every word in a dictionary using
the same cryptosystem as used by the
• In a timing attack, the attacker eavesdrops
during a victim’s session and uses
statistical analysis of the user’s typing
patterns and inter-keystroke timings to
discern sensitive session information
Defending from Attacks
• No matter how sophisticated encryption and
cryptosystems have become, however, they
have retained the same flaw that the first
systems contained thousands of years ago: if
you discover the key, that is, the method used to
perform the encryption, you can determine the
• Thus, key management is not so much the
management of technology but rather the
management of people
Chapter Summary
• Encryption: process of rendering information
unreadable to all but the intended recipients;
purpose is to preserve the integrity and
confidentiality of information and/or make the
process of authenticating users more effective
• Firewalls use encryption both to provide
protection for data in transit and to help keep
firewall secure
• Encryption of data incurs costs since it requires
processing time to encrypt and decrypt the data
being protected
Chapter Summary
• Cryptology: science of encryption
• Cryptography: complex process of making and
using codes
• Applying concealing techniques is called encryption, and
decoding ciphertext is called decryption
• Process used to decrypt data when the process
and/or keys are unknown is called cryptanalysis
• Cryptographic controls: techniques and tools used
to implement cryptographic protections; used to
secure e-mail, Web access, Web applications, file
transfers, remote access procedures like VPNs
Chapter Summary
• Cryptographic control systems often subject to
• Many methods of attack have evolved
– Brute computational approaches
– Use of weaknesses often found in implementation of
cryptographic controls
• Some attacks attempt to inject themselves
between the parties of a secured
communication channel
• Other attacks combine multiple brute-force
approaches into one correlation attack

Encryption and Firewalls - California State University