CISSP (Domain 5 - Cryptography) Flashcards
4 Cryptography Goals
CAIN
- Confidentiality: no unauthorized access (encrypt with public, decrypt with private)
- Authenticity: Validate source (encrypt with private, decrypt with public)
- Integrity: Message not modified
- Non-repudiation: Sender can’t deny
Hash
Unique digital representation of the “thing”
Symmetric Ciphers (Algorithms)
- Share Key
- Stream/Block Ciphers (XOR/Substitution)
- Ciphered and decrypted with the same key
- Confidentiality but no non-repudiation
- Faster
*DES, 3DES, AES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, CAST, SAFER, Serpent
Asymmetric Ciphers
- PKI (Public/Private key pairs)
- No normal reason to share private key
- Confidentiality, Authentication, non-repudiation
One-Time Pad Encryption
- Key is the same size as the message and only used once
- Impossible to break
- Key exchange is cumbersome
Exclusive OR (XOR)
- Binary mathematical operation applied to two bits
- Key and text turned into binary, then math is done.
+If both bits are the same, result is 0
+If both bits are different, result is 1
Cipher Text
Encrypted text
Stream Cipher (Symmetric) (FSHR)
- Faster than block cipher
- Operates on smaller units of plaintext (bits)
- Good for hardware
- Randomized key string with no repeatable patterns WEP
*Only RC4
Block Cipher (Symmetric) (DLSC)
- Divided into blocks and put through mathematical functions called Substitution Boxes (S-Boxes)
- Operates on larger units of plaintext (64 bits)
- Good for software
- Most Common
*56 Bit DES
Data Encryption Standard (DES)
DType/key/calc/blocks
- Used for sensitive and unclassified data
- *56 bit key with 8 for parity (SBOX)
- *16 rounds of calculations
- *64 bit Blocks
2 Modes for Block Ciphers
CE
- *Cipher Block Chaining: XOR before cipher (Errors)
- Electronic Code Book: Same ciphertext for plaintext
3 Modes of Stream Block Ciphers
COC
- *Cipher Feedback Mode (CFB): Prev ciphertext used to encrypt next block (Errors)
- Output Feedback Mode (OFB): Output of prev block calc is used as input for next block
- Counter Mode (CTR): AES encryption, IVs are successive values
Triple DES
EC
- Encrypts messages three times with multiple keys
- 48 rounds of computation (256 times stronger)
Advanced Encryption Standard (AES)
RA/BS/KS
- Rijndael Algorithm
- Block Symmetric Encryption Algorithm (Block size 128/192/256)
- Key size of 128/192/256 (Variable)
Calculating the Number of Necessary Keys for Symmetric Encryption (Formula)
Keys = N(N - 1) / 2
3 Symmetric Key Cryptography Issues
DEC
- Distinct key needed for each couple communicating
- The more the key is used to encrypt large amounts of data, the more the key is exposed
- Can’t be used for digital signatures
3 Symmetric Key Cryptography Weaknesses
KD/S/LS
- Key Distribution: secure mechanism needed to deliver keys
- Scalability: Each pair of users needs a unique pair of keys
- Limited Security: No non-repudiation, only confidentiality
Diffie-Hellman
etype/ri,sr,ssk/agr/no/based/vuln
- Asymmetric PK
- Random input, share result, shared session key
- Allows users to agree on a symmetric key over a non-secure medium
- Does not provide data encryption or digital signatures
- Security based on discrete logarithms in a finite field
- Vulnerable to MITM attacks
RSA
type/ds,kd,e/ksize/lpn
- Asymmetric PK
- Digital Signatures, Key distribution, encryption
- Min 1024 key size
- Large prime numbers
El Gamal (type/ds,e,ke/uses)
- Asymmetric PK
- Digital Signatures, encryption, key exchange
- Uses discrete logarithms in a finite field and DH key agreement
Elliptic Curve Cryptography (ECC)
type/ds,kd,e/me/minb
- Asymmetric PK
- Digital Signatures, Key distribution, encryption
- More efficient, suited to products with limited processing power
- Min 112 bits
MD5 Hashing Algorithm (bit digest)
128-Bit digest
SHA-1 512 (bit digest)
160-Bit digest
Diffie-Hellman Key Agreement (4 steps)
geck
- generate value from random string
- exchange value with other party
- complete calculation using the local value and the received value
- Unique, mathematically identical key is created
Trusted Platform Module (TPM)
gah
- Offers facilities for the generation of cryptographic keys
- Software can use to authenticate hardware devices
- *Hardware Based Encryption
+Real-time protection of data
+AuthN HD to PC
Digital Signature Services
Provides/Enc/Hash/Both
- Provide Integrity, Authentication, Non-repudiation
- If message is encrypted it provides confidentiality
- Hashed message provides integrity
- Message can be digitally signed and encrypted to provide Integrity, Authentication, Non-repudiation, and confidentiality
Hashing Collision
2 messages with the same digest
Ciphertext-Only Attack (Cryptosystems)
- Captured ciphertext only
- Most Common
Known-Plaintext Attack (Cryptosystems)
- Captured ciphertext and plaintext
Link Encryption Advantage/Disadvantage
(a-en/low)
(d-key/dec)
Advantages:
- Encrypts all data in packet (Headers, addresses, routing info)
- Works at lower level of OSI
Disadvantage:
- Key distribution
- Message decrypted at each hop, more points of vulnerability
End-to-End Encryption Advantage/Disadvantage
(a-each/prot/enc)
(d-enc/dec)
Advantages:
- Each hop does not need key to decrypt packet (Mac Header)
- Protects info from start to finish
- Only payload encrypted
Disadvantages:
- Headers, addresses, routing information not encrypted
- Destination system needs to have same encryption mechanism to decrypt
Domain Name Service Security (DNSSEC)
- DNS Server distributes keys
- Secure DNS
Secure Remote Procedure Call (S-RPC)
sec/enc/key
- Secure computer to computer connections
- Uses DES to encrypt message
- Uses Diffie-Hellman to create key pair
Generic Security Services API (GSSAPI)
Key exchange, generic authentication, provides encryption interface for different AuthN methods and systems
Secure Shell (SSH)
- Provides an encrypted tunnel multiplexed into several logical channels
- Server authN to client
- User authentication protocol
Secure Electronic Transaction (SET)
key/con/ds/enc
- PKI
- Confidentiality through DES
- Digital signatures using RSA
- Encrypts payment cards and cardholders’ data
Internet Protocol Security (IPSec)
framew/layer/sec/3con
- Framework to ensure secure communication over IP networks
- Layer 3 (Network)
- Secure between two nodes instead of two applications
- Host to host, Host to subnet, subnet to subnet
IPSec Transfer Mode
- Payload encrypted
- MAC/IP header open
IPSec Tunnel Mode
- Payload and IP header encrypted
- MAC header open
Secure Multipurpose Internet Mail Extensions (S/MIME)
stand/layer/against/prov/need
- Standard for encrypting and digitally signing electronic mail that contains attachments and for providing secure data transmissions.
- Application Layer
- Countermeasure against message interception and forgery
- Provides Data integrity, confidentiality (users enc algorithm), and authentication (X.509 public key)
- Needs key management system
Secure Email Security Services (4 Things)
CIAN
- Confidentiality, Integrity, Authentication, Non-repudiation
Online Certificate Status Protocol (OCSP)
Used to validate authenticity of certificates
X.509
Digital Certificates
X.500
Directory Services
X.400
Electronic Messaging
X.25
Data Communication Protocol
PKI Security Services (5 Things)
CIANA
- Confidentiality, Integrity, Authentication, Non-repudiation, Access Control
Components of PKI
cert/sn/ds
- X.509 v3 Certificates
- Serial number in certificate unique
- All data digitally signed by trusted anchor
Steganography
- Modifies least significant bits
- Hiding a message in an image