Question 132 : What’s the difference between Diffie-Hellman and RSA

téléchargementRSA encryption  is an asymmetric cryptography algorithm, widely used in electronic commerce and more generally to exchange confidential data on the Internet. Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA, and it is named from the first letters of their last names (RSA). This algorithm was described in 1977 and has been patented by the Massachusetts Institute of Technology (MIT) in 1983 in the United States. The patent expired on 21 September 2000: This description responds to the fifth question our list of ” 300 infoSec Questions”:Question 5 What does RSA stand for ?

I do not know about you, but I thought in my head: they are still alive? when I saw Adi Shamir, Ronald Rivest, Whitfield Diffie, in the cryptographers’ Panel  at the RSA Conference 2015. Not that I wish they are no longer of this world, but instead, it’s just that when you have learned from books inventions and scope, subconsciously you think that inventors are certainly no longer alive, I do not know why but there is the impression we have. So I wish long life to these Gents !

Going back to our definition ; RSA is a cryptosystem for public-key encryption , and it is widely used on the internet and elsewhere due to its strong security . Asymmetric encryption methods use RSA : For example, e-mail applications often use RSA to privately share a symmetric key between two systems. The application uses the recipient’s public key to encrypt a symmetric key, and the recipient’s private key decrypts it.

Diffie–Hellman  (Whitfield Diffie – Martin Hellman ) key exchange is based on the premise that two correspondents, Alice and Bob, wish to communicate a secret number, but must do so on an insecure channel. An unauthorized user, Eve, is trying to intercept the message over the unsafe channel. If Eve obtains the message containing the key, all integrity and confidentiality is lost. This issue is resolved by masking the key using modular arithmetic. Diffie – Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption.

 Remember this

RSA is an asymmetric algorithm used to encrypt data and digitally sign transmissions.. RSA is widely used to protect Internet traffic, including e-mail. RSA relies on the mathematical properties of prime numbers when creating public and private keys.These keys are commonly used with asymmetric encryption to privately share a symmetric key .Diffie-Hellman addresses key management and provides another method to privately share a symmetric key between two parties.

Dig Deeper  

(Those who knows Insanity Workout with Shaun T. knows what’s Dig deeper mean …so instead to dig deep in our body’s resources we have to Dig deep in our brain !!! 😉 )

RSA udownloadses the mathematical properties of prime numbers to generate secure public and private keys. Specifically, RSA relies on the fact that the product of two large prime numbers can’t be easily factored. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.  The math is complex and intriguing to mathematicians, but you don’t have to understand the math to understand that RSA is secure.

For example, researchers published a paper in 2010 identifying how long it took to factor a 232-digit number (768 bits). They wrote that it took them about two and a half years using hundreds of systems. They estimated that if a single 2.2 GHz computer was used, it would take fifteen hundred years to complete. RSA is used on the Internet as one of the protections for credit card transactions. It’s safe to say that today’s credit card information won’t be of much value in fifteen hundred years.

RSA uses at least 1024-bit keys today. RSA Security (a company that frequently tests the security of RSA) recommends using key sizes of at least 2048 bits long, and 3072-bit keys are on the horizon.

RSA is used to come up with a public/private key pair for asymmetric (“public-key”) encryption:

RSA:

  • Used to perform “true” public-key cryptography
  • Key identity: (me)d = m   (mod n)   (lets you recover the encrypted message)
  • Where:
    • n = prime1 × prime2    (n is publicly used for encryption)
    • φ = (prime1 – 1) × (prime2 – 1)   (Euler’s totient function)
    • e is such that 1 < e < φ, and (e, φ) are coprime    (e is publicly used for encryption)
    • d × e = 1   (mod φ)    (the modular inverse d is privately used for decryption)

Diffie-Hellman is a key exchange algorithm used to privately share a symmetric key between two parties. Once the two parties know the symmetric key, they use symmetric encryption to encrypt the data.

The Diffie–Hellman key exchange is based on the premise that two correspondents, Alice and Bob, wish to communicate a secret number, but must do so on an insecure channel. An unauthorized user, Eve, is trying to intercept the message over the unsafe channel. If Eve obtains the message containing the key, all integrity and confidentiality is lost. This issue is resolved by masking the key using modular arithmetic. Alice and Bob achieve secrecy by agreeing on a large prime number, p, and a base number, n. Alice will choose a personal, private value, a, which remains unknown to Bob.94224Bob will generate a secret value only known to himself, b. It is important that a and b are less than p. Alice and Bob’s respective secret keys should be relatively prime to n, meaning that neither shares common factors with n. Alice’s public value is na mod p and Bob’s is nb mod p. The two correspondents exchange their public values, so that both parties now know both. Alice will compute nab = (nb)a mod p. Bob will compute nba = (na)b mod p. Once both algorithms are computed, each party will have the same number. Alice and Bob are now able to privately communicate on the insecure network.

Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption:

Diffie-Hellman:

  • Creates a shared secret between two (or more) parties, for subsequent symmetric encryption
  • Key identity: (gens1)s2 = (gens2)s1 = shared secret   (mod prime)
  • Where:
    • gen is an integer whose powers generate all integer in [1, prime)   (mod prime)
    • s1 and s2 are the individuals’ “secrets”, only used to generate the symmetric key

Remember this:

RSA is used to come up with a public/private key pair for asymmetric (“public-key”) encryption.Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption.

Src: Security+ Study Guide -Darril Gibson ;  Information Security Fundamentals – Peltier, Thomas R.

Cisco Next-Generation Firewall (NGFW)

In our Technomaxresdefaultlogies Category I would like to talk about  Cisco Next Generation Firewalls.

Last year , Cisco gained strength in next-generation firewalls via Sourcefire code.The official acquisition of Sourcefire by Cisco on October 2013, has allowed him to build a firewall unique its kind.

With this acquisition, Cisco has been able to expand its range and skills in security area.  This approach is a vision of security that is to intervene before the attack, during the attack and After attack.

Cisco – SourceFire …

Cisco is historically known for his expertise on before the attack, this is the security access where Cisco  excelled for many years, while SourceFire is rather an expert after the attack, Forensic, the detection of intrusion, the management of security events. So the fusions of two companies in terms of skills and technology solutions provide completeness that can provide new solutions related to the attacks.

Historically …
There’s 10 years iASA 5500-2t was used firewalls that were intended to  open  and control ports because of attacks of the protocols types. But hackers have moved quickly their interest to take part of application vulnerabilities to launch attacks, so we started talking about Application Firewall , Next-Generation Firewall.Today almost all the attacks are carried through illegal and authorized applications. So we must be interested in the threat, to attack itself to be able to make good decisions; just the application control is not enough.

Example …

If weimages (2) imagine an attack whose goal is to exfiltration of data, then the first phase of the attack is to send a phishing email to a user to control his machine.Typically this will pass through an authorized port and an authorized application:email application.

So far there was no Exploit on the mall itself, it’s just the content that contains the threat ; we will have much interest to know the threat in order to make a decision.
As this attack aims to exfiltration information, so hackers will make sure to pass through authorized flows, in order to get out of the network and outputs the data (it will be https, ssh).
Once again as are authorized flows, we will have fewer means to make the right decision based on the application only : It will take several correlate security events that match informations managing the threat. Hence the Firewall Next-Gen with IPS next-Gen.

What is this Firewall ? …

It encompasses several areas, the basic of connection and routing is Cisco ASA technology, which is known for its advanced-threat-security-cyber-security-for-the-real-world-15-638robustness and performance, and is now the most deployed firewall in the world. The part of application control and IPS Next-Gen intelligence are the legacy of SourceFire.

Customers…
All customers who have an ASA X in their network have the ability to implement the full functionality of next generation firewall by upgrading, the aim is to bring more functionality on what already works.

What’s new ?!?!?

images

I assure you, this banner has nothing to do with the themes treated in this blog.

It’s just a small apology for having neglected the blog for a while,for reasons

independent of my will.

I intend to take things in hand and regularly publish as much as possible on this blog.

But I had prepared at least two articles, I could not post unfortunately.

So the next few days I will post them:

  • Cisco next Generation Firewall ( via SourceFire code)
  • Cisco 2015 Champion (Yes I was nominated this year !)

Also follow the posts:

  • Certifications I currently preparing including CEH
  • The recent conferences and events on security and cyber security.
  • Our Traditional answers to “300 infosec Interview Questions”
  • And … Lots of other interesting topics.

So keep in touch !