Cryptograhy Flashcards
Cryptography
Encrypting data
Cryptanalysis
Breaking encryption
Cryptography Algorithm
A set of rules performing the locking/encryption and unlocking/decryption of data/information
Cryptography Key
A value used with the algorithm to lock and unlock information
Key Space
The maximum number of keys possible
e.g. key space of particular character set (e.g. 0-9)
Entropy
Is high or low entropy desired for crypto key?
A measure of how random or unpredictable something is
e.g. using only lowercase letters a key would result in low entropy
using mix of upper, lower, numbers and special chars would result in high entropy
High entropy is desired, it would make it harder for an attacker to guess your keu
Cryptoperiod
Length of time a particular crypto key may be used
Work Factor
Estimated time or effort needed to break the encryption, usually measured by timing of brute force approach
The larger the key size, the greater the key space, the more secure your key becomes
Avalanche Effect?
What methods does it apply to? Why?
Minor changes to the either the key or plaintext will result in a large change to the ciphertext
Important for both encryption and hashing
Prevents reversing ciphertext
Kerckhoff’s Principle
The strength of your encryption should not rely on keeping your algorithm secret
It should rely instead on keeping the encryption keys a secret, as long as you can change them when needed
If keys compromised, just make a new one - cheap and easy
If algorithm is compromised - this is costly and complicated, all HW and SW that rely on encryption algorithm would need to be updated
Symmetric Encryption
Advantage/Disadvantage
AKA
One key is used with the algorithm to encrypt and decrypt data
Only benefits confidentiality
Advantages: very fast and cheep
Disadvantages: key management is difficult because you have to distribute the key to decrypt; usually done using asymmetric encryption or out of band
AKA - Secret key, Single Key, Shared Key, Session Key
List types of Ciphers
Steam
Block
Block Mode
Stream Mode
Stream Ciphers
Generates ciphertext bit by bit or byte by byte
Used for encrypted data in transit
Popular Algorithms:
RC4 - old and not used anymore
Salsa and ChaCha commonly used in TLS
Block Ciphers
Examples
Block ciphers can work in two modes: Stream or Block Mode
Block Mode - encrypts data at rest
Stream Mode - encrypts data in transit
Examples - AES, DES, 2DES, 3DES
Twofish, Blowfish
IDEA
RC2, RC5, RC6, RC7
Asymmetric Encryption
Using a key pair (Public key and Private key)
The public key can be used by anyone
The private key is held by the subject that created the key pair and is kept PRIVATE. It should not be given to anyone.
List Asymmetric Algorithm
RSA ElGamal ECC (Elliptic-Curve Cryptography) Diffie-Hellman Digital Sigital Algorithm
RSA (Rivest-Shamir-Adleman)?
Use?
Asymmetric Algorithm
Encrypts tiny quantities of data
ElGamal
Use
Asymmetric Algorithm
Exchanging a symmetric key
ECC (Elliptic-Curve Cryptography)
Use
Asymmetric Algorithm
Creating digital signatures
Diffie-Hellman
Use
Asymmetric Algorithm
A key agreement algorithm
DH is ued to negotiate symmetric keys between
Digital Signature Algorithm
Use
Asymmetric Encryption
Designed by NIST to create digital signatures
NOT capable of exchanging symmetric keys
Hashing
irreversible, one way function
We utilize hashes for integrity through the ability to detect any changes in a data set through the change in a hash
Salt
something that should be added to passwords/passphrases before being hashed
makes password resistant to rainbow table and other attacks on hashes
Which OS CANNOT salt passwords/passphrases
Microsoft Windows
SYSKEY in prior versions could encrypt hashes in the SAM file
Microsoft recommends mitigation: use Bitlocker to encrypt drive and protect SAM file from attackers
Describe how Hash Algorithms work?
Take input file/data
Split the file/data into blocks, take first block and XOR with next and continue until the end block
The result is a hash or digest
Common Hashing Algorithms?
MD2, 4, 5 - 128 bit
MD6 - 512 bit
SHA 1 - 160 bit
SHA2/3 - 224, 256, 384, 512
Public Key Infrastructure
CA’s generate certificates containing the public keys of the users (or servers).
Users then distribute these certs to the people they want to communicate with.
Certificate recipients validate a certificate using the CA’s public key, which is pre-installed in their device from the operating system vendor, browser vendor or organization.
Registration Authority (RA)
An authority in a network that verifies user request for a digital certificate and tells the CA to issue it.
The RA VERIFIES user credentials (verifies username/password conducts a background check, etc.)
Certificate Authority
Signs, issues and manages certificates.
The CA users the subject’s Certificate Signing Request (CSR) to sign the subject’s certificate.
The CA also maintains the Certificate Revocation List (CRL)
Certificate Revocation List
Contains serial numbers of the public certificates that have been revoked and should no longer be trusted
Certificate revocation reason codes
KeyCompromise CAcomprimise affiliationChanged Superseded CessationOfOperation CertificateHold
Online Certificate Status Protocol (OCSP)
Check revoked certificates online in real time
X.509 Certificate
Standard format or layout of a digital certificate, which includes:
- CA’s unique name
- Subject’s public key
- Subject’s X.500 name
- Unique certificate serial number given by the CA
- Beginning and ending dates (validity dates)
- CRL location
- CA’s digital signature
Certificate Practices Statement
This outlines the CA’s rule of issuance of a certificate
Certificate Signing Request
Used to request a digital certificate from RA
Certificate Signing Request Process
- The subject creates their public/private key pair
- The subject generates a CSR and digitally signs it with their private key This contains a description of the subject as well as their public key and is sent to the RA
- RA verifies the subjects identity. Once verified the RA sends the subjects key to the CA
- The CA issues the subjects public key and a unique serial number, that validity date and the CRL/OCSP
- The CA creates a digital signature on the subject’s public key
- The subject’s public key is sent back to the subject
Encryption Implementation - Data At Rest
For data lifecycle phases: store and archive (retention of data), use symmetric encryption
Encryption Implementation - Data in Motion/Transit
For data lifecycle phases: share, can use IPSec, VPN and TLS
Encryption Implementation - Data in Use
For data lifecycle phases: use, focuses on DRM
Typically the most difficult phase of data to protect
Quantum Crytography
Use quantum physics for encryption purposes. Very new technology, with limited applications and expensive to implement.
Homomorphic encryption
Homomorphic encryption is a theoretical phenomenon that would allow processing of encrypted material without needing to first decrypt it.
What data encryption is available with possibly IaaS?
What data/access is protected and what is not?
basic storage level encryption - encryption is performed on the cloud storage solution with keys maintained by the CSP
only protects from media theft or loss but not CSP insider
volume storage encryption - encrypted data resides on volume storage via an encrypted container and will protect against physical loss or theft, external admins (CSP, MSP, CSB) accessing data, snapshot being taken or removed
will not protect against access attempts made through the instance
How can volume level storage encryption be implemented
What cloud service model is it applicable to?
- Instance based encryption - encryption engine on image and keys are managed externally
- Proxy based image - encryption engine runs on proxy instance and handles cryptographic processing along with key management and storage
- Oject-storage encryption - offers server-side encryption but less effective so encrypt data before it arrives to the cloud
Applicable to IaaS
What data encryption is available with possibly PaaS and SaaS?
File level encryption
Application level encryption
Database encryption which offers
- File level encryption
- Transparent encryption
- Application level encryption
- Proxy Level encryption
Describe File level encryption?
What cloud service model is it applicable to?
encryption engine implemented at client level using IRM and/or DRM
PaaS and SaaS
Describe Application level encryption?
What cloud service model is it applicable to?
encryption engine resides in the application that utilizes object storage and encrypts the data before the data reaches the cloud
PaaS and SaaS
Describe Database File level encryption?
What cloud service model is it applicable to?
The volume or folder of the database gets encrypted and the key resides on the instance
PaaS and SaaS
Describe Database Transparent encryption?
What cloud service model is it applicable to?
The DBMS can encrypt specific portions of the DB like tables, rows/tuples, columns/attributes or the entire DB
The encryption engine and Keys reside within the DB and is encryption is transparent to the application
PaaS and SaaS
Describe Database Application level encryption?
What cloud service model is it applicable to?
Encryption engine and keys reside within the application that is using the DB
PaaS and SaaS
Describe Database Proxy level encryption?
What cloud service model is it applicable to?
Encryption engine is separate from the application or DB or using a 3rd party vendor tor MSSP
PaaS and SaaS
Best practices particular to cloud with Key Management
Keys should be separate from CSP
What are the challenges with Encryption Management in the Cloud
Access to keys; should not be accessible by CSP
Key storage; It is difficult to securely store keys in the cloud
Backup and replication: data can be backed up and replicated across different formats, affects the ability of short and long term keys to maintained and managed effectively
Key Management Options in the Cloud
- XML Key Management Specification (XKMS 2.0)
- Key Management Interoperability Protocol (KMIP)
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- Key Escrow
Describe XML Key Management Specification (XKMS 2.0)
defines protocols for distributing and registering public keys (used for XML encryption and digital signature) and key management
Describe Key Management Interoperability Protocol (KMIP)
An open source communication protocol that defines message formats for the manipulation of keys on a key management server
Describe Trusted Platform Module (TPM)
A crypto chip on the main board of a device that can GENERATE and STORE encryption keys, as well as perform hardware based encryption/decryption
It can also allow cloud based applications to authenticate hardware devices
(Think Tiny Platform Module)
How does TPM interact with the host device
3 Roots of Trust (which can be externally authenticated by means of a Certificate Authority)
- Root of Trust for Measurement - first set of instructions executed when a chain of trust is established
- Root of Trust for Storage - The TPM memory is shielded from access by any entity other than the TPM
- Root of Trust for Reporting - Typically, a digitally signed digest of the contents of selected values within a TPM
Describe Hardware Security Module (HSM)
A physical device that can be added to a computer or attached to the network
can provide crypto processing, manage keys for encryption and authentication and can securely store keys
Think Humongous Security Module
Describe Key Escrow
3rd party maintains a copy of keys
Key escrow implements M of N - requires some number (M) of the total number of (N) agents to perform the task, e.g. retrieve or copy key; e.g. 2 of 8 recovery agents are required to restore a user’s private key from key escrow
M of N AKA - Dual Control or TPI (Two Person Integrity)
List cloud common key management approaches
Remote KMS
Client-side Key Management
Remote Key Management System (KMS)
The cloud customer owns, operates and maintains the KMS on premise
A remote key management service is one that is owned, operated, and maintained on premises by the customer. This configuration gives the customer complete control over who can generate or access cryptographic keys.
What is required to maintain CIA?
Remote KMS requires constant network connectivity between the cloud customer and CSP; disruptions in connectivity may prevent encryption and decryption functions from operating.
Client-side Key Management
KMS is provided by CSP and is shipped to the customer to reside on premise
The keys are generated, held, and retained by the cloud customer
Assures better integration with the cloud environment.
Mainly used for SaaS
Options for Key Storage in the Cloud
Internally Managed
Externally Managed
Managed by 3rd party
Internally Managed Key Storage
keys are stored on the VM or application component that is acting as the encryption engine
used for storage level, internal database or backup application encryption
Externally Managed Key Storage
keys are maintained SEPARATELY from the encryption engine
3rd Party Managed Keys
a trusted 3rd party provides key escrow service
Quantum Computing
uses PHYSICS and quantum science, and instead of bits, it uses qubits (0,1, or both), to allow quantum computers to compute multiple data states at the same time
Neural Networks
computing systems inspired by how human and/or animal brains work
Bit Spliting
Types of Bit Splitting
Splitting up the encrypted data into bits and storing this information across several cloud storage services
An erasure coding encryption implementation
2 Types of Bit Splitting
- Secret Sharing Made Short (SSMS) - better availability
- All-Or-Nothing-Transform-with-Reed-Solomon (AONT-RS) - more confidential
Benefits of Bit Splitting
-Better confidentiality
-Harder to acquire the data for legal process as the data is distributed between different geographies or jurisdictions
Scalable and reduce the risk of vendor lock-in
Challenges of Bit Splitting
- Increase processing overhead
- Data in transit needs to be available and uphold confidentiality
- Availability risks
- Cost increase
- Storage requirements
Bit Splitting Methods
Secret Sharing Made Short
All-or-Nothing-Transform with Reed-Solomon (AONT-RS)
Secret Sharing Made Short (SSMS)
3 Phases:
- Encrypt information
- Use Information Disperse Algorithm (IDA) - splits the data using erasure coding into fragments
- Splits the crypto key using the secret sharing algorithm
What is the advantage of using you own key management system vs a public CSP’s?
When using public cloud, customers often want to use their own key management system as an added layer of privacy and control over their data. In doing so, customers remove dependency on the cloud provider to manage their keys and also avoid potential vendor lock-in due to using a CSP’s proprietary key management platform.
Increase portability
cryptographic module
module is simply any hardware, software, and/or firmware combination that performs encryption, decryption, or other cryptographic functions.
Encryption Challenges?
- Data Analysis requires unencrypted data
- Encryption keys are cached in memory when in use - CSPs must protect keys in multi-tenant env
- Cloud data is often replicated making encryption and key management challenging - most CSPs mitigate by replicating encrypted data if it is encrypted at rest
- Throughout data lifecycle data is changing which requires encryption along the way - mitigate by designing end to end encryption solution
- Encryption addresses confidentiality but not integrity
- Encryption is only as secure as the key management - if key is compromised all data is potentially compromised
How do you implement a secure key management strategy?
- Ensure keys are generated within a trusted secure cryptographic module (e.g. FIPS 140-2 compliant)
- Secure key distribution - common practice to encrypt keys with a separate key when distributing
- Secure key storage - both in volatile and persistent memory; keys should be stored internally on VM or other integrated app, externally and separate from data itself or managed by trusted 3rd party (key escrow service)
- Key destruction or deletion when key is no longer needed
Key destruction
Key deletion
Key destruction is the removal of an encryption key from its operational location.
Key deletion takes it a step further and also removes any information that could be used to reconstruct that key.
