03. Cryptography (299) Flashcards
Cryptography
- Cryptography is the practice of hiding information in plain sight.
- Encryption is the application of cryptography that converts data into code
299
Cryptography
Original, unencrypted message or file
300
PLAINTEXT
Cryptography
A message or file that has been transformed by encryption algorithm
300
CIPHERTEXT
Cryptography
Process of transforming plaintext into ciphertext
300
ENCRYPTION
Cryptography
Cyptographic operation on a block of data that returns a fixed-length string of characters.
Verifies the integrity of a message
301
HASH FUNCTION
Cryptography
The output from a cryptographic hash function
301
MESSAGE DIGEST
Cryptography
The result of encrypting the hash of a message with the originators private encryption key
Used to prove authenticity and integrity of a message
301
DIGITAL SIGNATURE
Cryptography
Mathematical formula used to perform encryption, decryptiong, message digests, and digital signatures
302
ALGORITHM
Cryptography
Process of transforming ciphertext into plaintext
302
DECRYPTION
Cryptography
An attack on a cryptosystem where the attack is attempting to determine the encryptiong key used to encrypt messages
302
CRYPTANALYSIS
Cryptography
Block of characters used with an encryption algorithm to encrypt and decrypt a block of data
302
ENCRYPTION KEY
Cryptography
An encryption key used to encrypt another encryption key
302
KEY-ENCRYPTING KEY
Cryptography
The size of an encryption key measured in bits
302
ENCRYPTION LENGTH
Cryptography
An encryption algorithm that operates on blocks of data
302
BLOCK CIPHER
Cryptography
A type of encryption algorithm that operates on a continuous stream of data i.e. video stream
302
STREAM CIPHER
Cryptography
Random number required by some encryption algorithms to being the encryptiong process
302
INITIALIZATION VECTOR (IV)
Cryptography
A method of encryption and decryption where sender and received must posess the same encryption key
302
SYMMETRIC ENCRYPTION
Cryptography
A use of public key and private key to encrypt and decrypt messages and digital signatures
ASYMMETRIC ENCRYPTION
aka
PUBLIC KEY CRYPTOGRAPHY
Cryptography
A technique used by two parties to establish a symmetric encryptiong key when there is no secure channel available
KEY EXCHANGE
Cryptography
The property of encryption and digital signatures that make it difficult/impossible for a sender to deny having sent a digitally signed message
NON-REPUDIATION
Private Key Cryptosystem
- Based on symmetric cryptographic algorithm
- Neccessary for both parties to possess a common encryption key
- 2 main challenges associated with this cryptosystem;
Key Exchange
Requires an out of band method i.e. telephone, fax, any means that is not over the same media you are transmitting message on
Scalability
Each sender-receiver pair exchange an encryption key
Communities of 1000+ users would require thousands of keys
303
Private Key Algorithms
- Advanced Encryptiong Standard (AES)
- Blowfish
- Data Encryption Standard (DES)
- Triple DES
- Serpent
- Twofish
303
Secure Key Exchange
- Secure Key Exchange - method used by 2 parties to establish a symmetric encryption key securely without transmitting the key over a channel
- Algorithms used for secure key exchange utilize information known by each parties but not transmitted between them
Example
* 2 routers using encryption on routing protocols will both have the key in their configurtaion so both ends known the key
303
Secure Key Exchange
The most popular secure key exchange algorithm is Diffie-Hellman key exchange protocol
303
Public Key Cryptosystem
- Public Key Cryptosystems are based on asymmetric, or public key cryptographic algorithms
- Two-part encryption keys, public key and private key
- Ideal cryptography for securing message i.e. email
304
Public Key Cryptosystem - Key Pair
- Encryption keys used in public key cryptography are known as Public key and Private key
- Public key - can openly be distributed
- Private key - must be kept secure and private
Public Key Cryptography
Encryption of message, but not verifying authenticity;
- User B publishes their public key
- User A retrieves User B’s public key
- User A creates a message and encrypts it with user B’s public key and sends the encrypted message to User NB
- User B decrypts the message with their private key
304
Public Key Cryptography
Very authenticity and integrity, but message not encrypted;
- User A publishes their public key
- User B retrieves User A’s public key
- User A creates a message and digitally signs it with their private key and sends message to User B
- User B verifies the digitial signature using User A’s public key
305
Public Key Cryptography
Encrypt and digitally sign a message;
- User A and User B publish their public encryption keys
- User A and User B retrieve each others public keys
- User A creates a message, signs it with their private key and encrypts the message with User B’s public key and sends message
- User B decrypts message with their private key and verifies the digitial signature with User A’s public key
305
Verifying Public Keys
4 methods of verifying public keys
Certificate Authority (CA)
Public key obtained from a trusted, reputable CA is considered genuine
E-mail address
Public keys for email can include the users email address. Considered a weak method
Directory Infrastructure
Directory services infrastructure i.e. AD, Light Weight Directory Access Protocol (LDAP) can be used to verify users public key
Key Fingerprint
User retrieves a public key and calculates the key’s fingerprint. The owner of the public key can verify the calculation by checking the calculations match
306
Hashing and Message Digests
- Hashing is the process of applying a cryptographic algorithm on a block of information that results in a fixed length digest
- Provides a unique and compact “fingerprint” for the message
- Can be used to verify the integrity of a large file
306
Digital Signature
- Cryptographic operation where sender applies their digital identity to a message or file
- Purpose is to authenticate a message and its integrity
- Does not protect confidentiality of the message, as encryption is not performed
307
- Sender publishes public key
- Recipient retrieves public key
- Sender creates message and computes message digest (hash) and encrypts with their private key
- Sender sends file plus encrytped hash
- Recipient computes a message digest (hash) then decrypts the senders hash using the public key.
- Hashes are both compared, if they match, recipient knows the message is the same as the one sent by the sender
Digital Envelopes
Digital envelope utilizes the convenience of public key cryptography with the** lower overhead of private key cryptography, known as “hybrid cryptography**”
307
- Sender agrees with recipient to send a large message
- Sender creates a symmetric encryption key known as a session key
- Session key is encrypted with the recipients public key
- Sender encrypts the message with the session key
- Sender sends encrypted message and encrypted session key
- Receipient decrypts session key with their private key
- Recipient decrypts message with the session key
Public Key Infrastructure (PKI)
A PKI is a centralised function used to store and publish public keys
308
Public Key Infrastructure (PKI)
Services provided by a PKI;
Digital Certificates
Digital credential conssiting of public key and block of information to idetnify the owner of the certificate
Certificate Authority (CA)
Business entity that issues digital certificates and publishes them in the PKI.
The CA vouches for the identity of each digital certificate in a PKI
Registration Authority (RA)
Operates to vet requests to verify authenticity of person making request
Certificate Revocation List (CRL)
An electronic list of digital certificates that have been revoked prior to expiration date
Certificate Practice Statement (CPS)
Published statement describes the practices used by the CA
308
Key Management
Key managment is the various processes and procedures used by an organisation to generate, protect, use, and dispose of encryption keys throughout their lifetime
308
Key Management
Associated practices with key management;
Key Generation
Encryption key lifecycle starts with key generation. The process must take place in a highly protected system. A compromised system means keys can be compromised from point of creation
Key Protection
Private keys used in public key cryptosystems and keys used in symmetric cryptosystems must be continuously protected. Keys must be accessible only to the parties that are authorised to use them
Key-Encrypting Keys
The process of encrypting an encryption key to provide it additional protection.
Key Custody
Policies, processes, and procedures regarding management of keys. Focuses on who manages keys and where they are kept
Key Rotation
Process of issuing a new encryption key and re-encrypting data protected with the new key
Key Disposal
Process of decommissioning encryption keys
308-310
Key rotation will typically occur under the following 3 circumstances;
- Key Compromise
- Key Expiration
- Rotation of Staff
Secure Socket Layer and Transport Layer Security (SSL/TLS)
- SSL and TLS are encryption protocols used to encrypt web pages requested in HTTPS protocol
- Provide cryptographic functions; Public Key encryptiong, Private Key Encryption, hash functions
310
Secure Multipurpose Internet Mail Extensions (S/MIME)
Secure Multipurpose Internet Mail Extensions (S/MIME) is an email security protocol that provides sender and reipient authentication and encryption of message content and attachments.
310
Secure Shell
Secure Shell is used to create a secure channel between 2 systems.
310
Internet protocol Security (IPSec)
- IPSec is a protocol used to create a secure, authenticated channel between 2 systems.
- Operates at the internet layer in the TCP/IP protocol suite
- Operates in 1 of 2 modes;
Encapsulating Security Payload (ESP)
All encapsulated traffic is encrypted
Authentication Header (AH)
Only IPSec authentication feature is used
311
