Chapter 10 - Understanding Cryptography and PKI Flashcards
Integrity
Provides assurances that data hasn’t been modified.
Hashing helps ensure integrity.
Hash
A hash is a number derived from performing a calculation on data, such as a message, patch or file, that helps ensure data integrity.
-Hashing creates a fixed-length string of bits or hexadecimal characters which cannot be reversed to re-create the original data
-A common hashing algorithm is SHA-3 (Secure Hash Algorithm)
No matter how many times you execute the hashing algorithm against the data, the hash will always be the same if the data is the same.
–> You can download a patch, download the developer’s hash of the patch, then hash the downloaded patch yourself to confirm they match
Hashing algorithms do not encrypt data
Confidentiality
Ensures data is only viewable by authorized users.
Encryption protects the confidentiality of data.
Encryption
Encryption scrambles data to make it unreadable if intercepted.
Encryption normally includes an algorithm and a key.
Symmetric encryption
Uses the same key to encrypt and decrypt data.
Most symmetric algorithms use either a block cipher or stream cipher.
STREAM CIPHER: encrypt data 1 bit at a time
BLOCK CIPHER: encrypt data in blocks, such as 64 or 128 bit blocks.
Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.
Asymmetric encryption
Uses two keys (public and private) created as a matched pair.
-Asymmetric encryption requires a PKI (public key infrastructure) to issue certificates
-Anything encrypted with the public key can only be decrypted with the matching private key
-Anything encrypted with the private key can only be decrypted with the matching public key
While strong, asymmetric encryption is very resource intensive, taking significant processing power to encrypt and decrypt data, especially when compared with symmetric encryption. Most cryptographic protocols that use asymmetric encryption only use it for key exchange.
Steganography
provides a level of confidentiality by hiding data within other files, such as embedding data within the white space of a picture file.
Digital signature
Provides authentication, non-repudiation, and integrity.
Authentication: validates an identity
Non-repudiation: prevents a party from denying an action
-Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key
-Only the sender’s public key can decrypt the hash, providing verification that it was encrypted with the sender’s private key.
Checksum
Hashes and checksums are similar, but a checksum is typically a small piece of data, sometimes just 1 or 2 bits, and is used to quickly verify the integrity of data.
Used in credit cards, where the checksum is checked twice: once without the last bit and once with the last bit.
Not cryptographically secure; designed only to give a quick indication when data integrity is lost.
MD5
Message Digest 5, a common hashing algorithm that produces a 128 bit hash, displayed as 32 hexadecimal characters instead of 128 bits.
Hexadecimal numbers are composed of 4 bits and use the numbers 0-9 and letters A-F (16 total options).
MD5 has since been deemed vulnerable and is not recommended for cryptographic hashes, but it is still used as a quick checksum.
SHA
Secure Hashing Algorithm, a group of hashing algorithms with variations grouped into four families: SHA-0, SHA-1, SHA-2, SHA-3
-SHA-0 is not used
-SHA-1 is an updated version that creates 160 bit hashes; it is similar to MD5 and considered weak
-SHA-2 improved on SHA-1 and contains 256-bit and 512 bit options plus truncated 224 and 384 bit options
-SHA-3 (previously known as Keccak) is an alternative to SHA-2 and was created outside of the NSA
HMAC
Hash-based Message Authentication Code, is another method used to provide integrity.
Is a fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-256. However, HMAC also uses a shared secret key to add some randomness to the results, and only the sender and receiver know the secret key.
Verifies both the integrity and authenticity of a message with the use of a shared secret. Prevents an attacker from modifying the message in transit.
Passwords are often stored as hashes, and applications often salt passwords with extra characters before hashing them.
You can calculate a hash by running sha256sum.exe as a command.
Collision
A hash collision occurs when the hashing algorithm creates the same hash from different inputs, which is not desirable.
An attacker then doesn’t need to guess the correct password, only a password that creates the same hash. MD5 is highly susceptible to collision attacks.
Online vs offline
An online PW attack attempts to discover a password from an online system, such as a brute force attack where the attacker repeatedly guesses the username and password. ncrack is a free tool that can be used to run online brute force attacks. An indication is found in system logs that record successful and unsuccessful logons, usually Event ID 4625, and/or several accounts being locked out, recorded as Event ID 4740.
Offline PW attacks attempt to discover passwords from a captured database or captured packet scan. If an attacker downloads an entire database from a network, they can then perform offline attacks to discover the passwords contained within these downloaded databases.
Dictionary attack
One of the original password attacks, uses a dictionary of words and attempts every word in the dictionary to see if it works - the dictionary is simply a list of words and character combinations. Thwarted by using complex passwords.
Brute force attack
Attempts to guess all possible character combinations.
You can thwart offline brute force attacks by using complex passwords and storing the passwords in an encrypted or hashed format.
Spraying attacks
A password spraying attack is a special type of brute force or dictionary attack designed to avoid being locked out. An automated program starts with a large list of targeted user accounts, picks a password, tries it against every account in the list, then picks another password and loops through the list again. It takes a while before hitting the same account twice, so it stays under the limit of the account lockout settings.
Pass the hash attacks
In this attack the attacker discovers the hash of the user’s password and then uses it to log onto the system as the user.
Any authentication protocol that passes the hash over the network in an unencrypted format is susceptible to this attack.
Traditionally used against Microsoft LAN Manager and NT LAN Manager (NTLM).
*An indicator of this attack is the usage of NTLM as the Authentication Package and/or a logon process of NtLmSsp shown in Event ID 4624 in the Windows Security log.
Birthday attack
Named after the birthday paradox in mathematical probability that says for any random group of 23 people there is a 50% chance that 2 of them have the same birthday.
In this attack an attacker attempts to create a password that produces the same hash as the user’s actual password, i.e. a hash collision. The attacker doesn’t need to guess every possible password before discovering a collision: if the PW is only one of 366 possibilities, the attacker has a 50% chance of guessing it after only 23 attempts.
Birthday attacks on hashes are thwarted by increasing the number of bits used in the hash to increase the number of possible hashes, e.g. SHA-3 can use as many as 512 bits.
Rainbow table attacks
Use a huge table of pre-calculated hashes of possible passwords. If an attacker has the hash of a password they can:
1. Use an application to guess a password
2. The algorithm hashes the guessed password
3. The algorithm compares the original password hash with the guessed PW hash, and if they’re the same the app now knows the password
4. If they aren’t the same the app repeats steps 1-3.
Often performed offline on stolen or compromised databases.
Salting
Adds random data such as 2 additional characters/bits to a password before hashing the PW, adding complexity to the PW and the resulting hash that makes it different from the hash on the original PW. Helps prevent rainbow table and brute force attacks.
Key stretching
An advanced technique to increase the strength of stored passwords by applying a cryptographic stretching algorithm to a salted password, which consumes more time and computing resources for hackers trying to guess passwords.
Common stretching techniques: bcrypt, PBKDF2 (Password Based Key Derivation Function), and Argon2.
Bcrypt salts the PW, then encrypts it with Blowfish, and can go through this process multiple times, creating a 60 bit string. It will encrypt your PW with bcrypt and a salt and result in 60 characters.
Data at rest, Data in Transit, Data in processing
Data at rest refers to any data stored on media and it’s common to encrypt sensitive data such as individual fields in a database such as those holding PII or credit card information, or individual files, folders or discs.
Data in transit/in motion refers to any data sent over a network and it’s common to encrypt data in transit, like using HTTPS on e-commerce websites to scramble/protect credit card data. If intercepted the attacker can only see ciphertext.
Data in processing (in use) refers to data being used by a computer. Because the computer needs to process the data, it is not encrypted when in use. If data is encrypted, an application will decrypt it and store it in memory when in use. If the application changes the data, it will encrypt it again before saving it, usually taking extra steps to purge memory of sensitive data after processing it.
Encryption provides confidentiality and ensures only authorized users can view data. The process involves an algorithm and a key.
AES
Advanced Encryption Standard, is a strong symmetric block cipher that encrypts data in 128-bit blocks, can also use key sizes of 192 or 256 bits. More bits = harder to discover the key and decrypt the data. Very widely used, including to encrypt USB drives.
Benefits:
-Fast - only requires 1 pass to encrypt/decrypt data
-Efficient. Less resource intensive.
-Strong
3DES
(Triple DES), is a symmetric block cipher designed as an improvement over legacy DES (Data Encryption Standard). It encrypts data using the DES algorithm in 3 separate passes, uses multiple keys, and works on 64 bit blocks.
Strong but not as efficient as AES; used as an alternative, with 56/112/168 bit key sizes.
Key exchange
Key exchange is a cryptographic method used to share cryptographic keys between 2 entities; asymmetric encryption uses key exchange to share a symmetric key. The cryptographic protocol then uses the symmetric key to encrypt and decrypt data, because symmetric encryption is much more efficient.
The key point is that the 2 entities need to be able to identify a symmetric key that they both know and can use; however, the exchange needs to be encrypted so no one else learns the symmetric key.
Certificates
A certificate is a digital document that typically includes the public key and information on the owner of the certificate. CAs (Certificate Authorities) issue and manage certificates, which are used for a variety of purposes, including asymmetric encryption, authentication and digital signatures.
Users and applications share the certificate file to share the public key; they do not share the private key.
Certificates contain details on the owner of the certificate and on the CA that issued the certificate.
Common elements on a certificate:
-Serial number. Uniquely identifies a certificate. The CA uses the serial number to validate a certificate. If a certificate is revoked, the CA publishes this serial number in a CRL (certificate revocation list).
-Issuer. Identifies the CA that issued the cert.
-Validity Dates. The dates the cert is valid between; it has an expiration date.
-Subject. Identifies the owner
-Public key
-Usage. Some certs are only for encryption or authentication, others support multiple uses.