18.1 Cryptography Concepts
Case Study: Heartbleed (Important)
- Heartbleed is a security flaw in the OpenSSL cryptographic software library that exposes data traversing SSL/TLS in plain text.
- Heartbleed exploits a built-in feature of OpenSSL called heartbeat.
- Attackers exploit this vulnerability to obtain information such as OpenSSL private keys, OpenSSL secondary keys, up to 64 KB of memory from the affected server, usernames and passwords, etc.
- Versions of OpenSSL affected by Heartbleed include 1.0.1 to 1.0.1f.
- Updating OpenSSL to version 1.0.1g or higher resolves the vulnerability.
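
An added example (not part of the original notes): a small triage helper that reads `openssl version` banners and flags those inside the affected range given above, 1.0.1 to 1.0.1f. The host names and inventory are constructed sample data, and the function names are this example's own.

```python
import re

# Affected range as stated in the notes above: 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"
IN_RANGE = "in-affected-range"
OUT_OF_RANGE = "outside-affected-range"

# Version token in banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9.])")

# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb01": "OpenSSL 1.0.1 14 Mar 2012",
    "db01": "OpenSSL 0.9.8y 5 Feb 2013",
    "app01": "OpenSSL 1.0.2k-fips 26 Jan 2017",
}

def parse_openssl_version(banner):
    """Return ((major, minor, patch), letter); letter is '' when absent."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch)), letter

def heartbleed_status(banner):
    """Classify a banner against the 1.0.1 .. 1.0.1f range."""
    base, letter = parse_openssl_version(banner)
    # '' (plain 1.0.1) sorts before 'a', so one comparison covers the range.
    if base == AFFECTED_BASE and letter <= LAST_AFFECTED_LETTER:
        return IN_RANGE
    return OUT_OF_RANGE

def triage(inventory):
    """Return the sorted host names whose banner is in the affected range."""
    return sorted(h for h, b in inventory.items() if heartbleed_status(b) == IN_RANGE)

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

Distribution packages often backport the fix without changing the upstream version string, so a host flagged here still needs checking against the vendor's advisory.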
Case Study: POODLE (Important)
- POODLE (Padding Oracle On Downgraded Legacy Encryption) is a security vulnerability in the design of SSL 3.0.
- Attackers exploit this vulnerability to decrypt ciphertext in transit between a server and a browser by means of a padding oracle side-channel attack.
- Countermeasures:
  - Completely disable SSL 3.0 on the client side and the server side.
  - Implement anti-POODLE record splitting.
Cryptography
- Cryptography is the conversion of data into a scrambled code that is sent across a private or public network and decrypted on receipt.
- Cryptography is used to protect confidential data such as email messages, chat sessions, web transactions, personal data, corporate data, e-commerce applications, etc.
- Objectives:
  - Confidentiality
  - Integrity
  - Authentication
  - Non-repudiation
Types of Cryptography
- Symmetric Encryption: Symmetric encryption (secret-key, shared-key, and private-key) uses the same key for encryption as it does for decryption. It is also known as secret key cryptography because it uses only one secret key to encrypt and decrypt the data.
- Asymmetric Encryption: Asymmetric encryption (public-key) uses different keys for encryption and decryption. These keys are known as the public and private keys.