Chapter 10 - Cryptography 101 Flashcards
Confidentiality
encryption helps provide confidentiality because only those with the key can view it
Integrity
Hashes ensure that message hasn’t been altered
Nonrepudiation
way for recipient to ensure the identity of the sender and neither party can deny having sent or received the message
substitution
transposition
substitution replaces bits with other bits
transposition doesn’t replace anything, it changes their order
Stream Ciphers
data is encrypted as a continuous stream
readable bits in their regular pattern are fed into the cipher and encrypted one at a time, usually by an Exclusive Or (XOR).
Very fast
Block Ciphers
data bits are split into blocks and fed into the cipher
each block (usually 64 bits) is encrypted with the key and algorithm, using methods like substitution and transposition.
Considered simpler and slower than stream ciphers
Exclusive Or (XOR)
at the core of a lot of computing
requires 2 inputs. For encryption algorithms they are the data bits and key bits.
each bit is fed into the operation, one from data, one from key and then XOR makes determination:
if bits match the output is 0
if bits don’t match output is 1
see table pg 342
0 0 0
0 1 1
1 0 1
1 1 1
how important is key length to pure XOR ciphers?
very.
if key is smaller than the data, the cipher will be vulnerable to frequency attacks.
Since key is used repeatedly, its frequency makes guessing it easier
Symmetric Encryption Benefits
aka
Single Key / Shared Key
one key is used to encrypt and decrypt
Simplicity is its greatest asset
Great for for bulk encryption
Formula for calculating how many key pairs needed for symmetric key encryption
N(N - 1) / 2
N=number of nodes in network
if you have 2 people to communicate with, there are 3 lines of communication.
Add a person and now there are 6 lines
Symmetric Algorithms
DES 3DES AES IDEA Twofish Blowfish RC (Rivest Cipher)
DES 3DES AES IDEA Twofish Blowfish RC (Rivest Cipher)
DES
block cipher. uses 56 bit key with 8 reserved for parity
outdated
3DES
block cipher. uses 168 bit key. Can use 3 keys in multiple encryption method.
AES (Advanced Encryption Standard)
block cipher. uses 128, 192 or 256 bit key. Much faster than DES or 3DES
IDEA (International Data Encryption Algorithm)
block cipher. uses 128 bit key. designed to replace DES. Originally used in PGP. Was patented and used mainly in Europe
Twofish
block cipher. uses up to 256 bits
Blowfish
fast block cipher, largely replaced by AES.
uses 64 bit block size and a key from 32 to 448 bits.
Public domain
RC (Rivest Cipher)
several versions from RC2 to RC6
block cipher that uses variable key length up to 2040 bits.
RC6 uses 128 bit blocks and 4 bit registers
RC5 uses variable block sizes (32, 64 or 128) and 2 bit registers
Symmetric Key Cons
doesn’t help with nonrepudiation
Key distribution and management is difficult.
Scaling out number of users means number of keys needed presents a problem
Asymmetric Encryption
Built to make sharing keys efficient
Encryption Key is the Public Key. Can be sent anywhere
Decryption Key is the Private Key. Kept secure
Fixes key distribution, management, scalability and nonrepudiation problems from symmetric encryption
Asymmetric Algorithms
Diffie-Helman
Elliptic Curve Cryptosystem (ECC)
El Gamal
RSA
Diffie-Helman
developed as a key exchange protocol. Used in SSL and IPSEC. Can be vulnerable to MITM if not using digital signatures.
Elliptic Curve Cryptosystem (ECC)
Uses less processing power than other methods, so good for mobile devices.
El Gamal
Doesn’t use prime number factoring, instead solves logarithm problems.
RSA
strong encryption through using 2 large prime numbers. Factoring them creates keys up to 4096 bits. Modern de factor standard
What’s the downside to asymmetric encryption?
performance is slower than symmetric
processing power is higher, more suitable for smaller amounts of data
Hash algorithms
one-way function that takes input and produces a fixed-length string (hash)
Purpose is to verify the integrity of a piece of data
4 Hash algorithms
MD5 (Message Digest)
SHA-1
SHA-2
SHA-3
MD5 - produces 128bit hash value as a 32 bit hex number
flaws made it obsolete in 2010, but still in some use
SHA1 - produces 160 bit output. Flaws made it obsolete in 2005. US Govt recommends replacing with SHA2.
SHA2 - produces 224, 256, 384, 512 bit outputs. Still not as popular as SHA1
SHA3 - uses “sponge construction” where data is absorbed into sponge by XOR and squeezed out
Collission Attack
Successful if two or more files created the same output
If attacker can get a file to look the same as the original, many possibilities for harm exist. ex password hashes
Possible with all algorithms
Collision Attack
Successful if two or more files created the same output
If attacker can get a file to look the same as the original, many possibilities for harm exist. ex password hashes
Possible with all algorithms
Salt
collection of random bits that are used as a key in addition to the hashing algorithm. Each bit adds a power of 2 to the complexity of computation
A good salt makes a collision attack more difficult
Steganography
concealing a message inside another medium, so only the sender and recipient are aware of its exisitence
Exam Tip
3 ways tell if a file contains steganography
Text File - look at character positions, patterns, unusual blank spaces, language anomalies
Image file - weird color pallet faults, larger file size
audio and video files - require statistical analysis, specific tools
3 Image Steganography Techniques
least significant bit insertion
masking and filtering
algorithmic transformation
masking and filtering is done on grayscale images. Masking hides data similarly as a watermark but it modifies the luminescence
Algo Tranformation hides data in the mathematical functions of image compression
Audio steganography
uses frequencies that the human ear can’t pick up, phase encoding, tone insertion
Public Key Infrastructure (PKI)
Structure designed to verify and authenticate identity of individuals in an organization taking part in a data exchange
Consists of hardware, software and policies that create, manage, store distribute and revoke keys and digital certificates.
Registration Authorities (RAs)
subordinate Certificate Authorities that handle things internally.
Most Root CAs are removed from network access to protect integrity
Certificate Authority (CA)
Acts as a 3rd party to the organization, like a notary public when it signs something valid that you can trust
Creates and issues digital certificates that can verify identity
Tracks all certificates in the system using a Certificate Management System
Maintains a Certificate Revocation List (CRL)
Validation Authority
in many PKI systems, a VA is used to validate certificates usually via Online Certificate Status Protocol (OCSP)
PKI Trust Model
how an entity deals with keys, signatures and certificates
3 basic models
PKI Trust Model
Web of Trust
multiple entities sign certificates for each other.
Users trust each other based on certificates they get from other users
PKI Trust Model
Single Authority System
Has a CA at the top that creates and issues certificates.
Users trust each other based on the CA
PKI Trust Model
Hierarchical trust system
Has a CA at the top (root CA) and uses one or more Registration Authorities (Subordinate CAs)
this is the most secure because users can track the certificate back to the root to ensure authenticity without a single point of failure
Digital certificate
electronic file used to verify a user’s identity providing nonrepudiation throughout the system
9 Contents of a digital certificate (know for exam)
Version Serial Number Subject Algorithm ID Issuer Valid From, Valid To Key Usage Subject's Public Key Optional Fields
Version - identifies certificate format. Most common is 1
Serial Number - unique ID for the cert
Subject - who or what is identified by the cert
Algorithm ID - algorithm used to create digital signature
Issuer - entity that verifies authenticity of the cert
Valid From, Valid To - dates the cert is good through
Key Usage - purpose that cert was created
Subject’s Public Key - copy of subject’s public key
Optional Fields - issuer unique ID, subject alternate name, extensions
Self-Signed vs Signed Certificates
Self Signed - created internally to an organization, not used in any other situation. Save money and complexity since no need for external authority. Easy to set up.
Signed - indicate that a CA is involved and signature validating the identity is confirmed from an external source
Digital Signature
algorithmic output designed to ensure the authenticity and integrity of the sender. Basically a hash algorithm
Digital Signature / Encrypted message process
Bob creates message to send to Joe
Bob runs it through hash and generates an outcome
Bob encrypts outcome of that hash with his private key and sends the message plus the encrypted hash to Joe
Joe gets message, tries to decrypt with Bob’s public key. If it works, he kknows message came from Bob, since Bob’s public key could only decrypt output of his private key
Data at Rest (DAR)
data that is in a stored state an not currently accessible
Data in a powered-on networked, accessible server’s folder is not at rest, regardless of whether it’s being used or not.
Data on a powers-off laptop is DAR
Data on a backup drive off the network is DAR
Full Disk Encryption
software or hardware based
software can provide central management for key management and recovery actions, like Bitlocker or McAfee Endpoint Protection, Symanentc Drive Encryption
Doesn’t protect the data once the drive is unlocked.
Once computer is running, use another product if necessary to encrypt data
Ways to encrypt communications
SSH (Secure Shell) SSL (Secure Sockets Layer) TLS (Transport Layer Security) IPSEC PGP
SSH - TCP port 22. Uses public key crypto. SSH2 is the latest version, includes SFTP
SSL - encrypts at transport layer and up. Uses RSA and digital certificates. Uses a 6 step process for securing a channel.
TLS - Replaced SSL. Uses RSA 1024 or 2048 bits. Handshake portion allows client and server to authenticate to each other. RLS Record Protocol provides secure communication channel
IPSEC - tunnel or transport mode. AH verifies integrity. ESP encrypts each packet
PGP - hybrid cryptosystem, uses features from conventional and public key crypto
Crypto Attacks 1-3
Known plaintext attack
Chosen plaintext attack
Adaptive chosen plaintext attack
Known plaintext attack
attacker has both plaintext and cypher text messages. Plaintext copies are scanned for repeatable sequences that are compared to ciphertext versions. Over time, this can be used to decipher key
Chosen plaintext attack
attacker encrypts multiple plaintext messages in order to gain the key
Adaptive chosen plaintext attack
Attacker sends series of cipher texts to be decrypted, uses results of them to select different, closely related cipher texts
Crypto Attacks 4-6
ciphertext only attack
replay attack
chosen cipher attack
ciphertext only attack
attacker gains copies of messages encrypted with the same algorithm. Statistical analysis can be used to reveal repeating code which can be used to decode messages later
replay attack
usually performed in MITM scenario. Attacker replays portion of crypto exchange to try and fool the system into setting up a communications channel. Attacker doesn’t have to know data (password), just get the timing righting copying and replaying the bit stream. Mitigate by using session tokens
chosen cipher attack
attacker chooses a ciphertext message and tries to learn the key through a comparative analysis with multiple keys and a plaintext version. RSA is vulnerable to this
