Chapter 8: Cryptography Flashcards
Substitution Ciphers
You replace one symbol with another.
- The Caesar Cipher shifted 3 letters to the right in Latin.
- The less ciphertext that’s available, the harder it is to decrypt.
Multi-Alphabet Substitution Cipher
Maybe shifting differently, say 3 to the right, 2 to the right, 1 to the left, in that order.
- Vigenère Cipher
- You had a table of letters matched up to keywords
Transposition Ciphers
Take separate blocks of text and scramble them all differently
Rot13
Rotates every letter 13 places in the alphabet
The Enigma Machine
A typewriter that used a different substitute or alphabet for each keystroke
- Contained 26 different alphabets and was very hard to break back in the day.
Steganography
Hiding a message within an image, audio file, or some other file
- Least significant bit is the most common
- You change the last bit in every byte
- Invisible secrets is a good application for steganography
How to encrypt in SUSE
Login as root and start YaST
System->partitioner
Answer yes, select filesystem, click edit
Select encrypt
Symmetric encryption algorithm
- Both ends of the message must have the same key and processing algorithms
- Generates a (symmetric, secret, private) key that’s disclosed only to those who need to know
- faster than asymmetric, just as secure with smaller key size
- Problem is, if you need to share the key, how do you do it securely?
Block Cipher
Algorithm works on chunks of data
Stream Cipher
Algorithm works by bit or by byte
In-band vs. Out-of-band Key Exchange
In-band
- Key is included with the data stream (IPSec)
Out-of-band
- Another channel shares the key
Key Exchange Forward Secrecy
- Ensures that if one key is compromised, subsequent keys will not be
- Perfect forward secrecy is when a key is unbreakable
Data Encryption Standard (DES)
- Was the standard used by government from the 70s until it was replaced by AES
- It was based on a 56-bit key
Symmetric Encryption
Triple-DES (3DES)
- Uses 3 56-bit DES keys; 168 bits
- Pretty decent, though AES is still generally preferred
Symmetric Encryption
Advanced Encryption Standard (AES)
- Uses the Rijndael algorithm, developed by Daemen and Rijmen
- 128-bit key is standard, 192 and 256 are optional
- 256-bit is for DoD TS information
Symmetric Encryption
Carlisle Adams and Stafford Tavares (CAST)
- Used by MS and IBM
- Fast, efficient 40-128 bit key
- 128 and 256 exist, too
Symmetric Encryption
Ron’s Cipher (RC)
- Developed by RSA, it’s very strong. RC4, 5, and 6. RC6 is up to 2-48 bit
- RC4 is popular with wireless encryption. Streaming cipher with 40-2048 bits
- Used in SSL and TLS
- Used for downloading BitTorrent files, too
Symmetric Encryption
Blowfish and Twofish
Blowfish: 64-bit block cipher, very fast
- Symmetric block cipher, 32-448 bit keys
Twofish works on 128-bit blocks. Complex key schedule
Symmetric Encryption
International Data Encryption Algorithm (IDEA)
- Developed by the Swiss. 128-bit key
- Used by PGP
Symmetric Encryption
One-Time Pads
The key is as long as the plaintext message
- The key can only be used once, then it’s discarded
Rivest, Shamir, Adleman (RSA)
Pretty much the standard for Asymmetric encryption, as old as it is
Diffie-Hellman
Founders of public/private keys
- Only used for the creation of a symmetric key between two parties
Asymmetric Encryption
If you’re asked about insecure key exchange, it’s this or IPSec
Elliptic Curve Cryptography (ECC)
- Smaller keys than RSA, same level of security
- This may start replacing RSA as the de facto standard
Asymmetric Encryption
ElGamal
Uses an ephemeral key, one that lasts only for one session
Kerckhoffs’s Principle
The security depends on the secrecy of the key, not the algorithm
Hashing Algorithms
- Cannot be reversible
- No matter how many characters you input, the hash size is the same
- Few/no collisions
Secure Hashing Algorithm (SHA)
- 160-bit, used with encryption protocols
- SHA-2: 224, 256, 334, 512 bit
- SHA-3 is out, but SHA-2 is pretty much flawless, so…
Message Digest Algorithm (MD)
Used to maintain integrity
- MD5, 4, 2. MD4 was used by NTLM
- MD5 produces a 128-bit hash, but it’s very secure. Doesn’t have strong collision resistance, so don’t use it
RIPEMD (160, 256, 320)
Based on MD4
GOST
Old soviet symmetric cipher modded to work as a 256-bit hash
LANMAN
Pre-NT authentication protocol. It used LM Hash and two DES keys on the side
NTLM
Replaced LANMAN
- Still pretty common despite MS wanting to employ Kerberos
Rainbow Tables and Salt
A rainbow table is when you put in a password, get all of its possible hashes, find the hash of a stored password, and connect the two.
- Salt is when the OS adds bits to combat this
Key Stretching
Strengthening a weak key, usually by making it longer
- PBKDF2
- Applies some function (hash or HMAC) plus Salt to get a good password
- Bcrypt
- Used with passwords, blowfish for hashing plus Salt
Frequency Analysis
Analyze blocks for common patterns. Does not work on modern algorithms
Chosen Plaintext
Comparing ciphertext to plaintext to crack the algorithm. Once you do, that key is now yours.
Related Key Attack
Like a chosen plaintext attack, but you obtain ciphertext encrypted under two different keys.
Brute Force
Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.
Message Authentication Code (MAC)
Gives you a value to check with the message
- HMAC hashes
Digital Signatures
Validates the integrity of message and sender
- The private key could be an example
Nonrepudiation
- Determining that someone is telling the truth
- Certificate authorities certify people with public keys legitimately
Key Escrow
Keys are kept safe in case a 3rd party (generally the government or your employer) needs it
Key Recovery Agent
Used to access information encrypted with older keys
Key Registration
Providing Certificates. The RA hands these over to the CA
Certificate Revocation List (CRL)
If your term expires, you’re added to the CRL and your certificate is no longer valid. This usually takes effect after an hour or a day, but if OCSP is in use, it’s pretty much immediate.
National Security Agency (NSA)
Creates code, breaks code, and codes for the government
- Thought to be the world’s largest employer of mathematicians
- All missions are extremely highly classified
- Enemies of EFF, Tor Project, Freenet, and I2P
NSA/CSS
Helps coordinate DoD branch activities
National Institute of Standards and Technology (NIST)
Involved in many standards, but it is primarily concerned with government systems
Request For Comments (RFC)
This is how you propose a new standard
American Bankers Association (ABA)
Concerned with the world of financial security
Internet Engineering Task Force (IETF)
Improving the internet and computer security
Internet Society (ISOC)
Experts who oversee committees such as the IETF
World Wide Web Consortium (W3C)
Standardization of the WWW. Primary sponsor of XML
International Telecommunications Union (ITU)
Responsible for pretty much all telecommunications and radio communication standards on Earth
- ITU-R: Radio
- ITU-T: Telecommunications
- ITU-D: Expanding telecommunications in developing nations
- Headquartered in Switzerland and sponsored by the UN
Institute of Electrical and Electronics Engineers (IEEE)
PKC, wireless, networking protocol standards
Public-Key Infrastructure X.509 (PKIX)/PK Cryptography Standards (PKCS)
PKIX formed by IETF to develop PKI standards
PKCS, voluntary standards created by a ton of organizations and coordinated through the RSA
X.509
Certificate formats for public keys and how we should distribute said keys
- end-entity certificate
- most common, issued by CA to a system that uses, not issues, certificates
CA Certificate
A certificate that’s issued by one CA to another
What do all X.509 certificates have?
- Signature
- Version
- Serial number
- Signature algorithm ID
- Issuer name
- Validity Period
- Subject name
- Subject public-key info
- Issuer unique ID
- Subject unique ID
- Extensions
SSL
Establishes a secure connection between two TCP machines
- Steps in handshake are between 4 and 9
- Establishes connection with asymmetric encryption, maintains with symmetric
- You need an “up-to-date browser” that supports 128 bit encrypted sessions
TLS
Expands on SSL, and will likely replace it. Should have replaced it long ago.
Certificate Management Protocols (CMP)
- CMP is used for messaging between PKI entities
- XML Key Management Specification (XKMS)
- Allow XML programs to access PKI services. Built on CMP
Secure Multipurpose Internet Mail Extensions (S/MIME)
Standard for email encryption. Originally published by RSA
- MIME is the email standard. Asymmetric encryption, digital certificates
Secure Electronic Transaction (SET)
- Developed by Visa and Mastercard for secure credit card transactions
- Identification through an electric wallet
Secure Shell (SSH)
Tunneling protocol originally used on Unix systems, but works on Windows now
- Similar handshake to SSL
Pretty Good Privacy (PGP)
- Freeware email encryption. Introduced in the early 90s
- Uses symmetric and asymmetric systems, which is why it’s so good
- GPG (GNU Privacy Guard) is an alternative
- Session key is encrypted in a public key
HTTP over SSL (HTTPS)
Secures the channel between client and server
- It’s common for secure transactions
Secure HTTP (S-HTTP)
Secure message, not secure channel
- Uses an RSA or digital certificate
IPSec
Built into IPv6, becoming standard for VPN
- Highly secure
- Open UDP port 500 in the firewall
Two primary protocols
- Authentication Header (AH), protocol 51
- Encapsulating Security Payload (ESP), protocol 50
PPTP (Point to Point Tunneling Protocol)
Encapsulation from one point to one point
- Encapsulates and encrypts PPP packets
- The negotiation is in the clear, then the channel is encrypted
- A sniffer can get information like this relatively easily
L2F
Developed by Cisco for Dial-up tunneling
- Similar to PPP. Provides authentication, no encryption. Port 1701, TCP
L2TP
Hybrid of PPTP and L2F. Primarily point-to-point
- Can be used as a bridge across many types of systems
- Not encrypted. uses UDP port 1701
Federal Information Processing Standard (FIPS)
Issued by NIST, establishes guidelines for US federal Information Systems
Public Key Infrastructure (PKI)
Meant to offer security to messages and transactions on a grand scale. Two-key, asymmetric system with:
- Certificate Authority (CA)
- Registration Authority (RA)
- RSA, for encryption
- Digital Certificates
- Public/Private key system
Certificate Authority (CA)
A CA is an organization that issues certificates
- A certificate associates a person with a public key
- To get a certificate, you send a CSR
Registration Authority (RA)
It will act as the middleman and offload work for the CA
- It can distribute keys, accept CSR, and validate identities
- It cannot, however, issue certificates
- A Local RA (LRA) can identify individuals on behalf of the CA
Certificate Policies
- These define what certificates do
- A CA will have policies to give out different kinds of certifications for different applications
- This also helps because the consumer will be able to verify that it’s the right kind of certificate
Certificate Practice Statements (CPS)
This provides the users with information on the CA’s policies, rules, and standards of practice. You should not trust a company without a CPS.
What are the Four Main PKI Trust Models?
Hierarchical
Bridge
Mesh
Hybrid
Hierarchical Trust Models
- A tree model
- Allows tight control, probably the best model
- Intermediate CAs only trust root and each other. Roots can trust roots and intermediate and leaves can trust each other
Bridge Trust Models
- intermediates only trust those above and below them
- Roots trust each other
- Adds flexibility and interoperability, but there’s a lack of trustworthiness.
- good for geographically dispersed or partnered companies
- All of the roots must maintain high security standards
Mesh Trust Models
Expanded bridge, good for when companies need CAs to certify each other