SANS Internet Storm Center

Cyber Security Awareness Month - Day 4: Crypto Standards
Yesterday's announcement of a SHA-3 "winner" gives me a great intro to talk about yet another important security related standard as part of our cyber security awareness month theme. Crypto standards have been critical to develop secure systems for a couple of reasons: Doing cryptography right is hard. Bit buckets are filled daily with bad crypto algorithms and implementations. Standards provide well vetted algorithms and implementations, as well as guidance on how to use these algorithms Over the live time of a complex project, it is very likely that large parts of the code have to be transformed to a new platform or a different language. Using a standard encryption algorithm will make this easier because it is more likely that the algorithm is available in the new platform One characteristic that affects the selection of a standard is performance. But beyond the plain computational "cost" of the algorithm, you may also see standards implemented in hardware (for example the AES opcode in some Intel CPUs). Even if other algorithms are in theory faster, these hardware implementations will likely make up for that difference, and it is unlikely that CPU designers will implement a non-standard algorithm. So what are these standards? Lets break it down into 3 groups: 1 - Symmetric Ciphers In 2001, NIST established the "Advanced Encryption Standard" (AES) [1] . It superseded the DES cipher that was used up to then. AES is also known as "Rijndael" , the name used for this cypher before it became known as AES. The cipher can be used with different length keys depending on the classification of the information. 2 - Asymmetric Ciphers Again referring to NIST [2], there are three standard asymmetric ciphers: DSA: Digital Signature Algorithm ECDSA: Elliptic Curve Digital Signature Algorithm RSA: Rivest, Shamir, Adleman Algorithm Asymmetric Ciphers are much more "expensive" then symmetric ciphers, and require longer keys. As a result, they are usually used to setup symmetric ciphers (like in SSL) or used to encrypt digital signatures. Currently, RSA and DSA are the most commonly used algorithm, but elliptic curve algorithms are getting a lot of attention as they do provide some significant performance advantages. 3 - Hashing Cryptographic hashes are usually used to prevent tampering with documents. Currently, SHA-2 (Secure Hash Algorithm) is the one that is the recommended standard, but as we learned yesterday, SHA-3 has just been announced. At this point of course, you may have a hard time implementing SHA-3. We will have to wait for it to be included in various libraries. A good cryptographic hash makes it very hard to intentionally create two different messages with the same hash value. These collisions are of course unavoidable is the message is larger then the hash, but it should be hard to find these collisions. The big difference between SHA-1 and SHA-2 is that SHA-2 is a set of different hash function s (SHA-224, 256, 384, 512) which can be used depending on the scenario. FIPS-180 suggests the use of SHA-256 for messages smaller then 2⁶⁴ bits [3]. 4- Where to find the standards We probably need a diary about standard bodies as part of this series (maybe tomorrow ;-) ). But just as a quick list of pointers: NIST is probably the best place to look for guidance and details on algorithms. NIST also publishes the "Federal Information Processing Standard" (FIPS) that includes a lot of details on what algorithms to use. Even if you are not US based, or not subject to any of the federal guidance (most private industry is not), you may find that your industry and national standards are closely aligned to the NIST standards. On an international level, ISO (International Organization of Standardization) is coordinating these efforts. The ISO is a member organization with representatives from various national standard bodies (e.g. ANSI in the US). IETF, the Internet Engineering Task Force, covers how these crypto algorithms are used in internet protocols. Below you find links to some of the key standards mentioned here. [1] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf [2] http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf [3] http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022	Johannes 4349 Posts ISC Handler Oct 4th 2012
Thread locked Subscribe	Oct 4th 2012 9 years ago
Please do a diary about standard bodies. I have always had a bit of an issue differentiating exactly what different bodies do, even when browsing to their websites and reading the mission statements. Thanks, Anon	Anonymous
Quote	Oct 4th 2012 9 years ago
Dear Johannes, You say "FIPS-180 suggests the use of SHA-256 for messages smaller then 2^64 bits". That should be "FIPS-180 suggests the use of SHA-256 for messages smaller than 64 bits".	Anonymous
Quote	Oct 5th 2012 9 years ago
As Bruce Schneier says, you are likely to get something wrong, even if following standards; the devil is in the details... You are much better off using off-the-shelf software such as OpenSSL or whatever.	Anonymous
Quote	Oct 5th 2012 9 years ago
The good thing about standards is that there are so many of them. When speaking of crypto you also need to know about the Public-Key Cryptography Standards (PKCS) from RSA. And then you can add all the Banking and PKI standards on top. The Handbook of Applied Cryptography is also an excellent reference (http://cacr.uwaterloo.ca/hac/). For practical purposes google Matasano's and Nate Lawson's old blog post about crypto and all the small details. But don't reinvent the wheel: use existing and proven libraries and APIs when performing crypto.	Anonymous
Quote	Oct 7th 2012 9 years ago

Yesterday's announcement of a SHA-3 "winner" gives me a great intro to talk about yet another important security related standard as part of our cyber security awareness month theme. Crypto standards have been critical to develop secure systems for a couple of reasons:

Doing cryptography right is hard. Bit buckets are filled daily with bad crypto algorithms and implementations. Standards provide well vetted algorithms and implementations, as well as guidance on how to use these algorithms
Over the live time of a complex project, it is very likely that large parts of the code have to be transformed to a new platform or a different language. Using a standard encryption algorithm will make this easier because it is more likely that the algorithm is available in the new platform
One characteristic that affects the selection of a standard is performance. But beyond the plain computational "cost" of the algorithm, you may also see standards implemented in hardware (for example the AES opcode in some Intel CPUs). Even if other algorithms are in theory faster, these hardware implementations will likely make up for that difference, and it is unlikely that CPU designers will implement a non-standard algorithm.

So what are these standards? Lets break it down into 3 groups:

1 - Symmetric Ciphers

In 2001, NIST established the "Advanced Encryption Standard" (AES) [1] . It superseded the DES cipher that was used up to then. AES is also known as "Rijndael" , the name used for this cypher before it became known as AES. The cipher can be used with different length keys depending on the classification of the information.

2 - Asymmetric Ciphers

Again referring to NIST [2], there are three standard asymmetric ciphers:

DSA: Digital Signature Algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
RSA: Rivest, Shamir, Adleman Algorithm

Asymmetric Ciphers are much more "expensive" then symmetric ciphers, and require longer keys. As a result, they are usually used to setup symmetric ciphers (like in SSL) or used to encrypt digital signatures. Currently, RSA and DSA are the most commonly used algorithm, but elliptic curve algorithms are getting a lot of attention as they do provide some significant performance advantages.

3 - Hashing

Cryptographic hashes are usually used to prevent tampering with documents. Currently, SHA-2 (Secure Hash Algorithm) is the one that is the recommended standard, but as we learned yesterday, SHA-3 has just been announced. At this point of course, you may have a hard time implementing SHA-3. We will have to wait for it to be included in various libraries. A good cryptographic hash makes it very hard to intentionally create two different messages with the same hash value. These collisions are of course unavoidable is the message is larger then the hash, but it should be hard to find these collisions.

The big difference between SHA-1 and SHA-2 is that SHA-2 is a set of different hash function s (SHA-224, 256, 384, 512) which can be used depending on the scenario. FIPS-180 suggests the use of SHA-256 for messages smaller then 2⁶⁴ bits [3].

4- Where to find the standards

We probably need a diary about standard bodies as part of this series (maybe tomorrow ;-) ). But just as a quick list of pointers:

NIST is probably the best place to look for guidance and details on algorithms. NIST also publishes the "Federal Information Processing Standard" (FIPS) that includes a lot of details on what algorithms to use. Even if you are not US based, or not subject to any of the federal guidance (most private industry is not), you may find that your industry and national standards are closely aligned to the NIST standards. On an international level, ISO (International Organization of Standardization) is coordinating these efforts. The ISO is a member organization with representatives from various national standard bodies (e.g. ANSI in the US). IETF, the Internet Engineering Task Force, covers how these crypto algorithms are used in internet protocols.

Below you find links to some of the key standards mentioned here.

[1] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[2] http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
[3] http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes

4349 Posts
ISC Handler

Oct 4th 2012

Please do a diary about standard bodies. I have always had a bit of an issue differentiating exactly what different bodies do, even when browsing to their websites and reading the mission statements. Thanks,

Anon

Anonymous

Dear Johannes,

You say "FIPS-180 suggests the use of SHA-256 for messages smaller then 2^64 bits".

That should be
"FIPS-180 suggests the use of SHA-256 for messages smaller than 64 bits".

Anonymous

As Bruce Schneier says, you are likely to get something wrong, even if following standards; the devil is in the details... You are much better off using off-the-shelf software such as OpenSSL or whatever.

Anonymous

The good thing about standards is that there are so many of them. When speaking of crypto you also need to know about the Public-Key Cryptography Standards (PKCS) from RSA. And then you can add all the Banking and PKI standards on top.

The Handbook of Applied Cryptography is also an excellent reference (http://cacr.uwaterloo.ca/hac/).

For practical purposes google Matasano's and Nate Lawson's old blog post about crypto and all the small details.

But don't reinvent the wheel: use existing and proven libraries and APIs when performing crypto.

Anonymous