CISSP Cryptography - Domain 5 Flashcards
Q
A
Cryptography goals - Confidentiality
Unauthorized parties cannot access information.
Cryptography goals - Authenticity
Validating the source of the message to ensure the sender is properly identified.
Cryptography goals - Integrity
Assurance that the message was not modified during transmission, accidentally or intentionally.
Cryptography goals - Non-repudiation
A sender cannot deny sending the message at a later date.
Binary operations and Key components -Key
Just a string of bits: 1. May be a single large number or group of numbers. 2. Possible length 2N.
Binary operations and Key components - Plain text
Digital representation of data - ASCII, MS Word, Excel, Email, etc.
Binary operations and Key components - Encryption and Decryption operations
- Bit-wise operations-XOR, shift left/right, substitutions or permeations. 2. Mod N arithmetic using numerical values - add, sub, mult, div, raise to the power.
Keyspace
- Range of possible values that can be used to construct a key. 2. The larger the keycap, the more possible key values, and the more random the whole process, which increases the cryptosystem’s strength.
Symmetric Keyspace
- For a small 16-bit key, the key is 2 to the power of 16 or 65536 keys. 2. For DES (56 bits) it is 2 to the power of 56 or 72 quadrillion keys.
Strength of a Cryptosystem
- Algorithm, secrecy of key, length of key. 2. Strength of the protection mechanism should be used in correlation to the sensitivity of the data being encrypted. 3. Even if the algorithm is very complex and thorough, there are other issues within encryption that can weaken the strength of encryption methods.
Symmetric Ciphers (Algorithms)
- Stream Ciphers - Exclusive OR (XOR). 2. Block Ciphers - a. Substitution ciphers - replacing one value for another b. Transposition/permutation ciphers - change in relative position.
Asymmetric Ciphers
Public Key Cryptography - public/private key pairs.
Cryptosystem solutions
- Confusion - hiding patterns in the plaintext by substitution. 2. Diffusion - transposing the plain text through cipher text. 3. Avalanche - a change in one bit of the plaintext causes a change in half the resultant ciphertext.
History of Cryptography - Hieroglyphics
- 2000 B.C.. 2. First known cryptographic method. 3. Not really for secrecy. 4. Use of “non-standard” hierglyphics.
History of Cryptography - Scythe Cipher
Spartans wrapped papyrus around a rod to encrypt and decrypt a message: 1. 400 B.C. 2. Used to convey military directives.
History of Cryptography - Substitution Cipher
- One character is replaced with another. 2. When only one set of characters is used for substitution it is a mono-alphabetic algorithm. 3. Caesar also used a similar algorithm that sifted characters three places.
History of Cryptography - Vigenere Cipher (Polyalphabetic)
- Vigenere Cipher - proposed by Blaise de Vigenere from the court of Henry III of France in the 16th century. 2. Polyalphabetic is using two or more cipher alphabets.
History of Cryptography - Cryptography in War
Enigma: 1. Used in WWII to encrypt telegraphic comms. 2. Rotor cipher machine that used polyalphabetic substitution. 3. Key was the orignal setting of the rotors and the sequence of advancement for each rotor. 4. Individual rotors are connected in a bank. 5. Character entered and substituted by each rotor for encryption.
Cryptography Definitions - Cryptography
Science of hiding meaning in communications.
Cryptography Definitions - Cryptanalysis
Science of studying and breaking the secrecy of encryption algorithms and their necessary pieces.
Cryptography Definitions - Cryptosystem
Mechanism that carries out the encryption process.
Cryptography Definitions - Work Factor
The amount of time and resources needed to overcome protective measures of a crypto system: “breaking” is decreasing the work factor to a reasonable level.
Cryptography Definitions - Cryptographic Algorithm (Cipher)
Procedure to encrypt plaintext into ciphertext and vice versa.
Cryptography Definitions - Cryptovariable (key)
A variable used in conjunction with an algorithm to encrypt and decrypt data.
Cryptography Definitions - Key Space
The range of available key values to be used by an algorithm..
Encryption
The process of turning plain text into ciphertext.
Decryption
The process of turning cipher text into plain text.
Encryption/Decryption process requires:
- An algorithm. 2 A key.
Two types of encryption operations:
- Symmetric and 2. Asymmetric.
Cryptography Definitions - Vernam Cipher (aka One-time pad)
- Devised by Vernam in 1917 - uses a one-time random “pad” that is at least as long as the message to be encrypted. 1. One-time pads are used in pairs - a. one copy is used by sender and the other is used by the recipient b. should only be used once.
Binary Mathematics - Exclusive OR
- Binary mathematical operation that is applied to two bits. 2. Two rules; a. If both bits are the same, the result is zero -or- b. if both bits are different the result is one. 3. Logical “either/or”: a. output is true if either, but not both inputs, are true. b. output is false, if both inputs are false or bot inputs are true.
Running Key Cipher aka Book Cipher
- Uses a key that does not require an electronic algorithm and bit alterations, but clever steps in the physical world. 2. Book number, page number, line number, and word number. 3. Example - 3rd book, page 112, line 4, 6th word is “informative”.
Symmetric Stream Cipher
- Can be much faster than a block cipher. 2. Operates on smaller units of plaintext, while block ciphers work on much larger. 3. More suited for hardware implementation than a block cipher.
Strength of a stream cipher depends on:
- Long periods of no repeating patterns within key stream values. 2. Statistically unpredictable. 3. The key stream is not linearly related to the key. 4. Statistically unbiased key stream ( as many 0’s as 1’s). 5. Used for secure wireless communications: RC4 cipher (WEP and WPA) Bluetooth “E0” cipher.
Symmetric Block Cipher
- Message is divided into blocks and put through mathematical functions called Substitution Boxes (S-Boxes). 2. Algorithm dictates all possible functions, and the key determines which of these possibilities will be used and in what order. 3. Each function performs a different mathematical operation. 4. Cipher should contain confusion and diffusion.
Clipper Chip
- Protects private communications. 2. Agents can obtain the “keys” upon “legal authorization”. 3. Keys are held by two government “escrow agents”. 4. Developed by NSA. 5. Skipjack algorithm was classified as secret. 6. Precluded any public scrutiny. 7. 80 bit key. 8. 16 bit checksum. 9. Several deficiencies. 10. Mainly a backdoor into your private data. 11. Started in ’93. Dead in ’96.
Data Encryption Standard (DES)
- IBM submitted Lucifer algorithm for the NSA DES standard in 1974. 2. Original Lucifer algorithm used 48 to 128 bit keys and NSA implemented the 64-bit key-56 bits for the key and 8 for parity. 3. Lucifer was altered and called Data Encryption Algorithm (DEA).
Data Encryption Standard (DES) Technical
- Block symmetric Algorithm. 2. Blocks of 64 bits are put through 16 rounds of transposition and substitution functions - order and type of functions is dictated by the key value. 3. For GOV agencies. 4. Double DES. 5. Triple DES.
Modes of Block Cipher - Electronic Code Book (ECB)
- Same cypher text is always produced for the same plaintext. 2. Easier to identify patterns. 3. It is best used on small amounts of data. 4. Each key indicates a different code book. 5. Uses MAC for integrity and authentication. DES has 5 modes.
Modes of Block Cipher - Cipher block chaining (CBC)
- Encryption is dependent on values from the previously encrypted block. 2. First block will be XORed against the IV as no previous cipher text exist for the first block. 3. Each block of encrypted cipher text is XOR’ed with the next plaintext block to be encrypted.
Modes of Block Cipher - Cipher Feedback mode (CFB)
- Previous cipher text is used to encrypt the next block of data. 2. Often used to encrypt individual characters (terminals).
Modes of Block Cipher - Output Feedback Mode (OFB)
- The entire output of the previous blocks calculation is used as input for the next block’s encryption. 2. Often used to encrypt satellite comms.
Modes of Block Cipher - Counter Mode (CTR)
- Similar to OFB, but IV’s are successive values of a “counter”. 2. CTR mode is well suited to operation on a multiprocessor machine because the encryption of each block can be performed in parallel. 3. Note the the nonce in this graph is the same thing as the IV in other graphs and is concatenated, added, or XORed with the counter value.
Triple DES
- As processing power increased DES was “broken”. 2. Encrypts messages 3 times with multiple keys: a.DES-EEE3 uses three keys for encryption b. DES-EDE3 uses 3 keys, encrypt decrypt, encrypt. c. DES-EEE2 or EDE2 are the same as EDE3 but first and third operation use the same key. 3. Performance hit.
Advanced Encrypted Standard
- Rijndael Algorithm. 2. U.S. Official standard for sensitive but unclassified data encryption. 3. Block Symmetric encryption algorithm. 4. Key sizes of 128, 192 and 256.
Public Key Ciphers
- Diffie-Helman. 2. RSA. 3. ECC 4. El Gamal 5. DSA.
Asymmetric Algorithms - RSA
- Developed by Rivest, Shamir, and Adleman. 2. Digital Signatures, Key Distribution Encryption. 3. Difficulty of factoring large prime numbers*. 4. Key sizes: 512, 1024, 2048, 4096, 8192.
Asymmetric Algorithms - El Gamal
- Digital Signatures, encryption, and key exchange. 2. Based on calculation discreet logarithms in a finite field.
Asymmetric Algorithms - Elliptic Curve Cryptography
- Digital Signatures, encryption, and key distribution. 2. More efficient than other assym algorithms.
Public Key Cryptography Advantages
- Allows parties to communicate securely without previously sharing secret information. 2. Scales well- 1 user 2 keys. 3. Enables digital signatures.
Public Key Cryptography DisAdvantages
- Very slow compared to symmetric cryptography. 2. Size of encrypted data limited by performance considerations. 3. Asymmetric Algorithms: Diffie-Hellman, RSA, ECC, El Gamal, DSA.
Symmetric vs Asym Key Systems - Keys
Sym-One key is shared between two or more entities Asym-One entity has a public key and the other has a private key
Symmetric vs Asym Key Systems - Key Exchange
Sym-Out-of-band Asym-Symmetric key is encrypted and sent with message;thus, the key is distributed by in-band methods.
Symmetric vs Asym Key Systems - Speed
Sym-Algorithm is less complex and faster Asym-Algorith is more complex and slower.
Symmetric vs Asym Key Systems - Number of Keys
Sym-Grows as number of users grow Asym-Does not grow exponentially.
Symmetric vs Asym Key Systems - Speed
Sym - Algorith is less complex and faster. Asm-Algorithm is more complex and slower.
Symmetric vs Asym Key Systems - Use
Sym-Bulk encryption Asm-Key encryption and distributing keys
Symmetric vs Asym Key Systems - Security Service Provided
Sym-Confidentiality ASym-Confidentiality, authentication and non-repudiation
Addressing Cryptographic Weakness
- Solution to symmetric and public key-combine both techniques in a hybrid approach. 2. Sym Algorithms-a. sym is used to encrypt the bulk of the data usng a session key. b. session keys are randomly generated. 3. Asym Algorithms-a. asylum provides the public and private keys to each party b. recipients public key is used to encrypt the session key to be transmitted with the encrypted message.
Data Integrity - Hashing Alogorithms
- MD2, 4, 5-128 bit digest (5 Rivest-RFC 1321) 2. SHA-1 160 bit digest - NIST also 256, 384 and 512. 3. HAVAL - variation of MD5 (variable length digest). 4. Other hash’s: RIPEMD, Tiger, WHIRLPOOL
Secret Key Authentication
The message is concatenated with the secret key and the hash function is applied to this concatenation called MAC (Message Authentication Code). 1. Waek 2. Receiver computes own MAC to verify. 3. MAC can be based on DES-CBC mode. 4,. Symmetric key is required. 5. Does not provide non-repudiation.
Quantum Cryptography
- Set of protocols, systems, and procedures that can be used to create and distribute secret keys. 2. Secret keys can be used in traditional crypto systems. 3. It is not used encryption, transferring encrypted data, or to store encrypted data. 4. Allow secure key exchange with complete security. 5. Solve the key exchange problem. 6. It can detect an attacker trying to gain knowledge of the keys exchanged. 7. It is called Quantum Key Cryptography.
Protocols Exchanging Keys
- A key exchange protocol uses a series of steps to agree upon a shared secret key. 2. This does not require a previous relationship between the two parties. 3. Key exchange can be done in a secure manner. 4. Diffie-Hellman - first sym algorithm. (Agreeing upon a secret key.)
Asymmetric Algorithms - Diffie-Hellman
- First asym protocol. 2. Allow users to agree on sum key over nonsecure medium. 3. Does not provide data encryption or digital signatures. 4. Security based on calculating discrete logarithms in a finite field. 5. Vulnerable to MITM attacks.
Session Keys
- Secret sym key used to encrypt messages. 2. Only good for one session then destroyed. If same key is used again could be compromised.
Key Recovery
- A copy is encrypted with the public key of a pair for recovery. 2. Copy kept somewhere secure and decrypted when needed. 3. Private key can be broken down into several pieces and given to different people in the company.
IPsec Key Management - Manual
Administrator configures each system with keying material and security association information.
IPsec Key Management - Internet Key Exchange (IKE)
- Negotiation of service is automatic. 2. Hybrid of Internet Security Association and Key Managment Protocol (ISAKMP) and Oakley key exchange-a. phase one: IKE peers establish a secure, authenticated channel so that the IPsec negotiation can take place. b. phase 2: SA’s are negotiated for keying material and parameter negotiation.
Trusted Platform Module - Facilities
The TPM offers facilities for the secure generation of cryptographic keys and limitations of their use in addition to a hardware pseudo-random number generator. It includes capabilities such as remote attestation and sealed storage.
Trusted Platform Module - Authentication
Software can use a TPM to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication. It can be used to verify that a system seeking access is the expected system.
Electronic Signing - Digital Signatures
- Authentication tool used to verify sender of message. 2. Message digest is created - input into a digital signature algorithm. 3. Encrypting a hash value with a private key performs signing. 4. Public key verifies signature.
Digital Signature Standard - DSS
- Developed by NIST for digital signatures to be used within GOV facilities-SHA used for message digest-integrity. 2. Digital Signature Algorithm (DSA) to sign message digest - auth and non-repudiation. 3. Private key is used for signing, and public key is used for signature verification. 4. DSS can now use DSA, RSA, and ECDSA (ECDSA-elliptic curve digital signature algorithm - used with SHA-1).
SHA - Hashing Algorithym for Digital Signatures
- Some government documentation requires more secure digital signatures. 2. NIST and NSA developed SHA to be used in their DSS. 3. SHA computes a 160-bit hash value, which is then inout into the DSA.
Attacking Encryption Systems - Brute Force Attack
- If the cryptographic algorithm is strong, the only way of deafening it is through brute force. 2. The attacker attempts all possible combinations of a given keycap to derive the key. 3. Most systems are created so that even identifying half of the possibilities is impossible with todays processing power.
Attacking Encryption Systems - Frequency Analysis Attack
- Calculating the frequency characteristics in a particular language helps to break substitution and transposition crypto systems. 2. Common pattern of messages, sentences, words, and characters helps attackers calculate plaintext from ciphertext.
Attack on Hashing Functions - Birthday Attack
- How many people must be in the room to have the same birthday as you? 253. 2. How many people must be in the room to have the same birthday? 23.
Attacks on Cryptosystems - Ciphertext only
- Captured cipher text only. 2. Most common attack.
Attacks on Cryptosystems - Known plain text
Captured ciphertext and plaintext.
Attacks on Cryptosystems - Chosen plaintext attack
- Captured ciphertext and plaintext and can choose what plain text gets encrypted. 2. Attacker sends a message they think the victim will encrypt and send out to others.
Attacks on Cryptosystems - Chosen ciphertext attack
- Attacker can choose the ciphertext to be decrypted and has access to the resulting decrypting plain text.
Attacks on Cryptosystems - Replay attack
- Attacker obtains a set of credentials and sends them to an authentication service - capture username, password, token, ticket. 2. Timestamps and sequence numbers are used to protect against this attack.
Attacks on Cryptosystems - Man in the Middle
- Attacker injects itself between two users and reds messages going back and forth or manipulates the message. 2. Sequence numbers and digital signatures are used as countermeasures to this attack.
Attacks on Cryptosystems - Meet in the Middle
An attack designed to compose algorithms that use multiple keys, such as 3DES.
Link encryption
- Payload, headers, and trailers are encrypted-all data along comm path (T1). 2. Usully provided by service providers. 3. Each hop has to decrypt headers - if a node is compromised, all traffic going through that node can be comprimised.
End-to-end encryption
- Only payload is encrypted. 2. Headers and trailers are not encrypted. 3. Hops do not need to decrypt headers.
Steps of setting up an SSL connection
- Client initiates connection to server. 2. Server sends client the servers cert. 3. Client checks to see if signing CA is in trusted list in browser. 4. Client commutes hash of cert and compares message digest of cert by decrypting with CA’s public key (CA signed the certificate). 5. Client checks validity dates in certificate. 6. Client wil check URL in certificate compared to the URL it is communicating. 7. Client extracts servers public key for certificate. 8. Client createds a session key (symmetric). 9. Client encrypts session key with servers pubic key and sends it over. 10 Server decrypts with private key.
Other Network Security Technologies - DNSSEC
- Domain Name Service Security (DNSSEC). 2. DNS Server distributes public keys. 2. Secure distributed name services.
Other Network Security Technologies - GSSAPI
- Generic Security Services API. 2. Key exchange, generic authentication, provides encryption interface for different authentication methods and systems.
Other Network Security Technologies - S-RPC
- Secure Remote Procedure Call for computer to computer communications. 2. Security protocol that uses DES to encrypt messages. 3. Uses Diffe-Hellman to create key pair.
SSH Security Protcol
- Secure terminal sessions. 2. Functions like a tunneling protocol. 3. Provides terminal like access to remote systems. 4. Should be used instead of telnet, UNIX r-utilities.
IPsec
- Framework of open standards for ensuring secure communications over IP networks. 2. Network layer security. 3. Security between two nodes instead of two applications, as seen in SSL. 4. Uses public key cryptography. 6. Transport mode-payload is protected. 7. Tunnel mode - entire packet is protected..8. Can provide host to host, host to subnet and subnet to subnet links.
IPSec Components
- Security Association (SA) defines parameters for one specific active connection.* 2. Security Parameter Index (SPI) - points to the correct SA. 3. SPI holds SA information and is put into header so both sides know what parameters to use to communicate.
IPSec - Authentication Header (AH) Protocol
Computes an Integrity Check Value (ICV) over entire IP packet except header field value that might change: a. integrity through ICV b. data origin through MAC. c. Relay protection through sequence numbers.
IPSec - Encapsulating Security Payload (ESP)
Similar function to AH but adds encryption - adds confidentiality service.
Encapsulating Security Payload Protocol
- Actual format depends on type of encryption and mode being used. 2. Encryption algorithms (3DES, RC5, IDEA, CAST, Blowfish, and AES). 3. Transport mode - protects upper protocols, but not IP header. 4. Tunnel mode - All of packet including IP heders protected - new IP header made.
Secure Electronic Transaction (SET)
- Developed by Visa and Mastercard to allow for more secure monetary transactions over the Internt. 2. Cryptographic protocol that encrypts and sends credit card numbers over the Internet. 3. Uses public key crypto. 4. Protects payment cards and cardholders data. 5. Was developed to replace SSL, but adoption has been slow. 6. Confidentiality through DES. Digital signatures through RSA.
Email Standards - Privacy Enhanced Email (PEM)
- Internet email standard. 2. Framework that will allow different algorithms to be plugged in.
Email Standards - Message Security Protocol (MSP)
- Military’s PEM. 2. Developed by NSA to provide secure email xchange.
Email Standards - Pretty Good Privacy (PGP)
- Free email security program. 2. Developed by Phil Zimmerman. 3. Uses pass phrases instead of pass words. 4. Web of trust instead of hierarchy of CA’s. 5. Keys are kept in a key ring file.
Secure email - S/MIME
- Secure multipurpose Internet Mail Extension. 2. Application layer protocol. 3. Standard for encrypting and digitally signing email containing attachments. 4. Developed to countermeasure message interception and forgery. 5. Provides data integrity, confidentiality, and authentication.
Secure HTTP
Protects each message - not communication channel.
HTTPS
HTTP plus SSL - protects entire communications channel.
Secure Socket Layer (SSL)
- Developed by Netscape. 2. Uses public key cryptography to protect communications channel. 3. Server authenticates to client, optionally client can authenticate to server. 4. Used for WWW comms. 5. Works at transport layer.
Why have PKI infrastructures?
- Systems can generate their own kept pairs and exchange them. 2. If a public key is stored in a base a hacker can swap it out with theirs and sign and encrypt with hi private key masquerading as the original person. 3. Need a trusted third party to vouch for the identity of the owner of the public key.
What makes up a PKI?
- CA 2. RA. 3 Certifcate repository 4. Certificate Revocation System 5. Key backup and recovery 6. Automatic key update 7. Management of key history 8. Time Stamping 8. Client side software
Security services provided by PKI
- Confidentiality 2. Access Control 3. Integrity 4. Authentication 5. Non-repudiation
PKI certificates are based on what standard
X.509 Rev. 3
CA Hierarchy
- CA delegates authority to subsidiary CA’s 2. Root CA - 3. Sub CA
Root CA
- Initiates all trust paths 2. All certificate holders and relying parties are given self signed root CA certs 3. Verisign Entrust
Sub CA
- Does not begin trust path. 2. May have Sub CA’s to issue certs to.
Cross-certification Structure (PKI)
- Two PKI’s are established between organizations. 2. Nonhierarchical trust path-mutual trust. 3. Develop a cross certification agreement.
Components of a PKI- Directory
- Storage of certificates. 2. No required directory standard. Notes vs MS. X.500 and stored with other network data. 3. Clients can locate and access directories via LDAP.
Components of a PKI- CRL
- CRL is a signed data structure containing a time-stamp list of revoked certificates 2. If a cert has been revoked it will be listed in the CRL . 3. When a users identity is verified through a CA, the CRL is checked to make sure it is valid.
PKI and Trust
- A certain level of trust is required to complete transactions reliably.
PKI Trust Model
- The CA 2. The steps the CA goes through to identify the individual. 3. Use of the digital cert. 4. Protection and security of private keys.
Concealment (Null) Cipher
True letters are hidden or disguised by device or algorithm.
Steganography
- Hiding the very existence of data within another message or media. 2. Digital watermark to detect illegal copies of digital images. 3. No algorithm or key; just placing data in a place where people would not look.
