1.4 Explain the importance of using appropriate cryptographic solutions.

Question 1

Symmetric vs Asymmetric Encryption

Answer 1

• Symmetric Encryption:
  
  • How it Works: Uses one key for both encryption and decryption.
  • Challenge: Sharing the key securely with many people is difficult.
  • Examples:
    
    • AES: Fast, widely used. block cipher. STANDARD
    • Triple DES: DES applied three times. Worse than AES. block cipher
    • Blowfish/Twofish: Fast, ideal for smaller data sizes.
    • IDEA: Used in PGP encryption.
    • DES: Old, weak.
    • RC4: Found in older systems.
  • Stream Cipher: Encrypts data bit-by-bit, ideal for real-time data (e.g., video).
  • Block Cipher: Encrypts data in fixed-size chunks, making it easier to manage.
• Asymmetric Encryption:
  
  • How it Works: Uses a public key to encrypt and a private key to decrypt.
  • Advantage: No need to share secret keys.
  • Disadvantage: Slower than symmetric encryption.
  • Examples:
    
    • Diffie-Hellman: Shares keys over a network.
    • RSA: Uses large prime numbers for security. 1024-4096 bits
    • ECC: Small keys, efficient for mobile devices.
  • Concepts:
    
    • Confidentiality: Only the private key decrypts data.
    • Non-Repudiation: Sender’s private key verifies message origin.
    • Integrity & Authentication: Digital signatures confirm sender identity and message integrity.
• Hybrid Approach:
  
  • Uses asymmetric encryption to protect the key and symmetric encryption to protect the data.
  • Benefit: Combines speed with security.

S/MIME for Secure Email

• S/MIME: Secures email with encryption and digital signatures
  
  • Uses certificates and relies on PKI
• Deployment Ports:
  
  • Port 587: SMTP-over-TLS
  • Port 993: IMAP-over-TLS

Question 2

Common Hashing Algorithms

Answer 2

• MD5
  • Creates a 128-bit hash.
  • Summary: No longer secure due to collisions, unsuitable for sensitive data.
• SHA Family (Secure Hash Algorithm)
  
  • SHA-1: Produces a 160-bit hash.
    
    • Summary: Safer than MD5 but outdated and insecure.
  • SHA-2: Versions include SHA-224, SHA-256, SHA-384, SHA-512.
    
    • Summary: Stronger, widely used today for secure hashing.
  • SHA-3: Provides 224-512-bit hashes with more rounds.
    
    • Summary: Most secure, offering better protection.
• RIPEMD
  
  • Open-source alternative to SHA with 160, 256, and 320-bit versions.
  • Summary: Less common but still useful for secure hashing.
• HMAC (Hash-based Message Authentication Code)
  
  • Uses a hash function (e.g., MD5, SHA-1) with a secret key for integrity and authenticity.
  • Summary: Ensures messages are unchanged and from the correct sender.

Question 3

Increasing Hash Security

Answer 3

• Pass the Hash Attack
  
  • How it Works: Uses a stolen password hash to log in without cracking the password.
  • can be detected in Event ID 4624 with a Logon Process of NTLMSSP and/or an Authentication Package of NTLM.
  • Tools: Exploits Windows vulnerabilities; Mimikatz automates the attack.
  • Prevention:
    
    • Use trusted OS versions and apply patches.
    • Enforce MFA.
    • Limit privileges.
    • Ensure proper domain trusts.
• Birthday Attack
  
  • How it Works: Exploits hash collisions where two different messages produce the same hash.
  • Mitigation: Use stronger hashes (e.g., SHA-256) to reduce collision risks.
• Increasing Hash Security:
  
  • Key Stretching: Extends weak keys to longer, secure ones, making cracking harder. Used in WPA, WPA2, and PGP systems. Bcrypt, PBKDF2, and Argon2 are key stretching techniques that help prevent brute force and rainbow table attacks. They salt the password with additional bits and then send the result through a cryptographic algorithm.
  • Salting: This method adds random data (salt) to passwords before hashing. It prevents the reuse of hashed passwords in attacks like rainbow tables.
  • Nonces: Uses unique numbers in authentication to prevent replay attacks (where attackers reuse old valid credentials).
  • Limiting Failed Login Attempts: Locks account after multiple incorrect attempts to deter brute-force attacks.

Question 4

Public Key Infrastructure (PKI)

Answer 4

• PKI Components: System involving hardware, software, policies, and people, based on asymmetric encryption. Facilitates secure data transfer, authentication, and encryption, used in HTTPS connections.
• Establishing a Secure Connection:
  
  • The browser requests the server’s public key from a trusted certificate authority.
  • A shared secret key is generated and encrypted using the server’s public key.
  • The server decrypts the shared key with its private key.
  • Both parties use the shared secret (e.g., AES) to create a secure communication tunnel with symmetric encryption.
• Security Benefits:
  
  • Confidentiality: Data encrypted with the shared secret.
  • Authentication: Verified using the server’s private key.
  • Visual Indicators: Padlock icon shows a secure connection.
• PKI vs. Public Key Cryptography:
  
  • PKI: Manages key pairs, policies, and trust for encryption and authentication.
  • Public Key Cryptography: Encryption and decryption using public/private keys; part of PKI.
• Key Escrow:
  
  • Stores cryptographic keys securely with a third party for retrieval if lost or for investigations.
  • Concerns: Requires strong access controls to prevent unauthorized decryption.

Question 5

Digital Certificates

Answer 5

• Types of Certificates:
  
  • Wildcard Certificate
  • SAN (Subject Alternative Name) Certificate: Supports multiple domains/IPs with different roots.
  • Single-Sided: Validates the server only.
  • Dual-Sided: Both server and user validate each other
  • Self-Signed: Issued by the same entity; used in testing, lacks third-party trust.
  • Third-Party: Issued by trusted CAs; preferred for public-facing websites.
• Key Concepts:
  
  • Root of Trust: Top-level trust with providers like Verisign, forming a trust path.
  • Certificate Authority (CA): Issues, signs, and validates certificates.
  • Registration Authority (RA): Collects user info and assists CA in issuing certificates.
  • Certificate Signing Request (CSR): Encoded request for a certificate with public key info.
  • Certificate Revocation List (CRL): List of revoked certificates maintained by the CA.
  • OCSP: Fast revocation check but less secure than CRL.
  • OCSP Stapling: Server includes OCSP status in the TLS handshake, speeding setup and reducing the traffic.
  • Certificate / Public Key Pinning: Protects against certificate impersonation by ensuring the browser only accepts a specific, known public key for a website, even if a fake certificate is issued.
  • Key Escrow Agents: Secure storage of private keys for recovery.
  • Key Recovery Agents: Restore lost or corrupted keys as CA backups.

Common Certificate Formats and Their Uses

• CER: ASCII format for certificates
• DER: Binary format for certificates
• PEM: Most widely used format; compatible with various certificate types
• P7B: Commonly used to share public keys
• P12/PFX: Commonly used to store private keys

Question 6

Encryption Tools

Answer 6

• TPM (Trusted Platform Module): Full drive encryption. Hardware-level security microcontroller. Микросхема встроенная или внешняя. Bitlocker app enables it in Windows.
• HSM (Hardware Security Module): Physical device for key management, performing encryption in a tamper-proof environment to ensure compliance.
• Key Management System: Centralized control of cryptographic keys, managing key lifecycle, securing data, and automating tasks.
• Secure Enclaves or trusted execution environment (TEE): Isolated coprocessor for secure data processing, protecting sensitive info and preventing unauthorized access (e.g. Face-ID on iPhone). For data-in-use!

Question 7

Obfuscation Techniques

Answer 7

• Steganography: Hides messages inside other data; often paired with encryption for extra security.
• Tokenization: Replaces sensitive data with tokens; real data is stored elsewhere, commonly used in payments.
• Data Masking: Conceals parts of data while keeping it usable, like showing only the last 4 digits of a credit card.

Question 8

Encryption and Digital Signatures

Answer 8

Keys and Encryption for Email, Website, and Digital Signatures

• Email Digital Signature:
  
  • Sender’s Private Key: Encrypts (signs)
  • Sender’s Public Key: Decrypts
• Email Encryption:
  
  • Recipient’s Public Key: Encrypts
  • Recipient’s Private Key: Decrypts
• Website Encryption:
  
  • Website’s Public Key: Encrypts session key
  • Website’s Private Key: Decrypts session key
  • Symmetric Key: Encrypts session data

Purpose and Process of Digital Signatures

• Digital Signature: Encrypted hash of a message
  
  • Provides Authentication: Identifies the sender
  • Ensures Integrity: Confirms the message is unmodified
  • Enables Non-repudiation: Prevents sender from denying they sent the message
• Process:
  
  • Sender’s application hashes the message
  • Sender’s Private Key: Encrypts hash (creates the digital signature)
  • Receiver’s System: Decrypts hash with Sender’s Public Key
  • Verifies by comparing decrypted hash with calculated hash on the message

Asymmetric vs. Combined Encryption in Email

• Asymmetric-Only Encryption:
  
  • Recipient’s Public Key: Encrypts message
  • Recipient’s Private Key: Decrypts message
  • Example: Lisa encrypts email with Bart’s public key; Bart decrypts with his private key
  • Note: Only recipient’s keys are used; sender’s keys are not involved
• Combined Asymmetric and Symmetric Encryption:
  
  • Symmetric Key: Encrypts email contents
  • Recipient’s Public Key: Encrypts the symmetric key
  • Recipient’s Private Key: Decrypts symmetric key
  • Process:
    
    • Sender generates a symmetric key for email encryption
    • Sender encrypts the symmetric key with the recipient’s public key
    • Recipient decrypts symmetric key with private key, then decrypts email
  • Advantage: Faster encryption due to symmetric key use