Cryptography Flashcards
Confidentiality
Only authorized parties can access data.
Integrity
Verifying data has not been altered in transit.
Authentication
Verifying the sender is who they say they are.
Non-Repudiation
Prevents one party from denying actions they carried out.
Cryptography
“Science of secret writing”
Cryptanalysis
Study and practice of finding weaknesses in ciphers
Algorithm
“Formulas to encrypt data”
Cipher
Method used to encode characters to hide their value
Plain Text/Clear Text
Info which is transferred or stored without crypto protection
Cipher text
Result of encryption performed on plaintext using an algorithm.
Substitution Cipher
One character or symbol into another
Substitution Code
Substitution at the level of words or phrases
Transposition
Changing the positions of plaintext letters within a sentence.
eg. meet me at noon = noontaemteem
Exclusive-OR (XOR) Operation
Binary mathematical operation
If values are the same = 0
If values are different = 1
Used in One-Time Pad
One-Time Pad
Considered Unbreakable
3 Requirements:
- Made up of truly random values and used only once
- Must be at least as long as the message
- Securely distributed to destination and protected at sender’s and receiver’s sites.
Cons: More overhead, needs to be received in a secure fashion, sender/receiver must be perfectly synched.
Frequency Analysis
Study of the frequency of letters or groups of letters in a cipher text.
Eg. Wheel of Fortune
Initialization Vectors
Random values used with algorithms to ensure patterns are not created during encryption process.
Not encrypted when being sent
Used in WEP
Steganography
Electronic Watermarking
Hiding one’s message in another in order to prevent it from being detected.
Graphics/Sound Files
ADS
Alternate Data Streams
Adds a program on to another to help it work across multiple platforms.
Can be used for evil.
Eg. Drive in movie with someone in the trunk.
Quantum Cryptography
Message is sent in a series of photons. Receiver must know sequence and polarity of photons to decode message.
If someone intercepts, some of the photons will change polarity and message will be altered.
Hashing
Used for Integrity
One-way encryption function. Takes variable-length input and makes a fixed-length output.
Hash collision happens when different inputs create the same hash value. Collision detection prevents this.
MD5
Message Digest 5
Hash Function (Cisco)
Digest Size: 128 bits
SHA-1
Secure Hashing Algorithm
Hash Function
Digest Size: 160 bits
SHA-2/SHA-224/256
Secure Hashing Algorithm
Hash Function
Digest Sizes: 224, 256 bits
SHA-2/SHA-384/512
Secure Hashing Algorithm
Hash Function
Digest Size: 512 bits
RIPEMD-160
Hash Function
Digest Sizes: 128, 160, 256, 320 bits
HAVAL
Hash Function
Digest Sizes: 128, 160, 192, 224, 256 bits
Whirlpool
Hash Function
Digest Size: 512 bits
Brute Force Attacks
Applying every possible combination of characters that could be the key.
Time may be a factor/not fast enough
Dictionary Attack
Uses dictionary of common words (to include proper nouns)
Rainbow Table/Crack
Uses a lookup table comprised of pre-calculated hashes from common words.
Birthday Attack
Probability that someone has the same hash that attacker has already figured out.
SALT
Randomly generated value that is calculated into the hashing process
eg. Table Salt
MAC
Message Authentication Code
Verifies integrity and origin
Symmetric Key
HMAC
Hashed Message Authentication Code
Hash function added to MAC
Adds symmetric key to data to be hashed.
Used in IPSec, SSL/TLS, SSH
Symmetric Cryptography
- Uses one key to encrypt/decrypt info
- Both parties share same key
- Best for bulk encryption; faster (smaller key) than asymmetric
- AKA: secret key, private key, shared key, same key, single key, session key
Stream Cipher
Symmetric Encryption Method
- Bit by bit
- Keystream
- Hardware
- No memory
- On-the-fly
- Very fast
Block Cipher
Symmetric Encryption Method
- Software
- Fixed-length blocks
- Block-by-block
- Uses substitution/transposition ciphers
- Stronger than stream-based
- Slow/resource intensive
Symmetric Encryption Methods
Stream Cipher and Block Cipher
Pros:
- Less computationally intensive
- Produces smaller file size
- Faster transmissions
Cons:
- Key distribution security
- There needs to be trust between parties
- Key management (n(n-1)/2 = # keys needed)
- No “non-repudiation”
Symmetric Key Algorithms
C - CAST
3 - 3DES
2 - Twofish
B - Blowfish
R - RC4, 5, 6
A - AES
I - IDEA
D - DES
S - SAFER (+, ++)
DES
Data Encryption Standard/Symmetric
Based on IBM’s Lucifer algorithm
64-bit Block (56-bit key + 8 bits for parity)
Algorithm: DEA (Data Encryption Algorithm)
Easily Broken
3DES
Triple DES/Symmetric
Upgrade of DES (still in use)
Applies DES three times
168-bit key (+24 bits for parity)
AES
Advanced Encryption Standard/Symmetric
Current standard; replaced DES
128 bit block
Algorithm: Rijndael
Key Sizes: 128, 192, 256 bits
Blowfish
Symmetric
Fastest of the symmetric
64 bit block cipher
Variable-length keys (32-448 bits)
Twofish
Symmetric
128 bit block cipher
Variable length keys (128, 192, 256 bits)
Finalist for AES
CAST
Carlisle Adams and Stafford Tavares/Symmetric
Used by PGP
CAST-128:
- 64 bit block size
- Variable key lengths (40-128 bits)
CAST-256:
- 128 bit block size
- Variable key lengths (128, 160, 192, 224, 256 bits)
RC
Rivest Cipher/Symmetric
RC4 (stream): Variable key length (0-2048 bits)
RC5 (block): Variable block (32, 64, 128 bits)
* Variable key length (0-2048)
RC6 (block): Variable block (128)
* Variable key length (0-2048)
IDEA
International Data Encryption Algorithm/Symmetric
64 bit block
128 bit key length
Developed by the Swiss
Used in PGP and other encryption software
Skipjack
Symmetric
Block cipher
NSA
Clipper chip
SAFER
Secure And Fast Encryption Routine/Symmetric
Used in Bluetooth
For key derivation NOT for encryption
SAFER+:
* 128 bit block cipher
SAFER++:
* 64, 128 bit block cipher
Asymmetric Cryptography
Public Key Encryption
Each user has two keys: Private/Public
Keys are mathematically related
Pros:
- Key Management (n*2)
- Public key can be freely distributed
- Offers: digital signatures, integrity, key exchange, non-repudiation
Cons:
- Slower than symmetric
- Larger encryption file
Asymmetric Key Algorithms
D- Diffie-Hellman
E- ElGamal
E- ECC
R- RSA
Diffie-Hellman
Asymmetric
Based on difficulty of computing discrete logarithms
Key exchange
Variable key length: 512, 1024-2048 (secure)
Same strength as 3072 bit RSA key
El Gamal
Asymmetric
Encryption, Digital Signatures, Key Exchange
Based on Diffie Hellman
Slow
Open standard/Legacy
RSA
Rivest, Shamir, Adleman/Asymmetric
Encryption, Digital Signatures, Key Exchange
De facto standard
Based on difficulty of factoring N (product of 2 large primes)
Variable block and key length
* 512 bit to arbitrarily long
* 1024-2048 considered secure
Used in PGP
ECC
Elliptic Curve Cryptography/Asymmetric
Encryption, Digital Signatures, Key Exchange
Based on using points on a curve to define public/private key
Key of 160 bits is equal to a 1024-bit RSA key
Hardware such as wireless devices and smart cards
Three Things Needed to Create a Digital Signature
- Email message
- Hashing Algorithm
- Sender’s Private Key
Digital Signature Process
Sender:
- Creates email message
- Creates message hash
- Uses private key to encrypt hash
- Hash becomes digital signature and is sent with message
Receiver:
- Hashes received message
- Uses sender’s public key to decrypt
- If hashes match message is valid and sender is verified
DSA
Digital Signature Algorithm
Used only for digital signatures
Does not provide confidentiality
Public key algorithm with var key size from 512-4096 bits
Follows NIST/FIPS DSS and goes up to 1024 bits
Uses SHA-1 for integrity
Faster than RSA at verifying signatures
Two Goals of DSA
Provide authentication and integrity
Hybrid Cryptosystem
Symmetric for data encapsulation
Asymmetric for key encapsulation
Cryptographic hash can be used to provide data integrity
Eg. PGP, S/MIME, TLS, SSH, IPSec
SSL
Secure Socket Layer
Secure connection between two TCP-based machines
Uses X.509v3
TCP Port 443
SSL Vulnerabilities
Small key size
Expired digital certificates
Compromised keys
SSL Provides:
- Confidentiality: AES, IDEA, 3DES, DES, RC4, RC2
- Message Integrity: SSLv3 MAC w/ shared key (similar to HMAC) with MD5 or SHA1
- Key Exchange: RSA, Diffie Hellman
Ability to implement Mutual Authentication
SSL Can Be Used to Secure:
Telnet, NNTP, FTP, HTTP, SMTP, IMAP
TLS
Transport Layer Security
Secure connection between two TCP-based machines
Operates like SSL
More secure hashing than SSL
TCP Port 443
TLS Provides:
Confidentiality: AES, IDEA, 3DES, DES, RC4, RC2
Message Integrity: HMAC
Key Exchange: RSA and Diffie-Hellman
More alert codes than SSL
HTTPS vs S-HTTP
HTTPS:
- HTTP over SSL
- TCP Port 443
- Encrypts communication channel
S-HTTP:
- Dev by Netscape
- Provides security over standard page requests
- TCP Port 80
- Encrypts INDIVIDUAL MESSAGES
- Does not require client-side public key certs (symmetric key only)
SSH
Secure Shell
Secures remote terminal communications
Secure replacement for Telnet and FTP
TCP Port 22
Encrypts data w/ symmetric algorithm
Est connection and authentication using public key crypto
Eg. PuTTY and OpenSSH
SMTP
Transmits mail from e-mail clients to e-mail servers and between e-mail servers
TCP port 25
POP3
Downloads e-mail from an inbox on an e-mail server to an e-mail client
TCP port 110
IMAP4
Downloads e-mail from an inbox on an e-mail server to an e-mail client
TCP port 143
MIME
Multipurpose Internet Mail Extensions
Defines how e-mail clients handle non-plaintext content.
S/MIME
Secure Multipurpose Internet Mail Extensions
Uses X.509 Standard
Protection for email and attachments
Provides: Authentication, Integrity, Confidentiality, non-repudiation
Uses: AES, 3DES, DES, RC2
Key Exchange: Diffie-Hellman with DSS or RSA
SHA-1 and MD5
x.509 Standard
ITU standard for defining digital certificates
Defines the formats and fields for public keys
Defines procedures for distributing public keys
PGP
Pretty Good Privacy
E-mail encryption system
Web of Trust NOT X.509
GPG = open source version
Asymmetric: RSA, DSS, Diffie-Hellman
Symmetric: AES, IDEA, CAST-128, Twofish, 3DES
Hash Coding: SHA-2, SHA-1, MD5, RIPEMD-160
Typical Certificate Contains (6):
- Issuer's name
- Valid date / to date
- Owner (subject)
- Subject's public key
- Time stamp
- Certificate issuer's digital signature
PKI
Public Key Infrastructure
- Framework for managing private keys and certificates
- Follows X.509 standard
- Standard for key generation, authentication, distribution and storage
- Est who is responsible for authenticating the ID of the owners of the digital certificate
CA
Certificate Authority
Organization responsible for issuing, storing, revoking and distributing certificates
Authenticates the certificates by signing them with their private key
RA
Registration Authority
- Middleman between CA and subscribers
- Can distribute keys, accept registrations for CA and validate identities
- Does not issue certs on their own
Digital Certificate Enrollment Process
- Subject must prove ID to CA before cert is created
- Give info: physically appearing w/ an agent, ID, credit report data, etc.
- Once satisfied, cert is made containing ID info, public key, etc.
- CA then digitally signs the cert with their private key
CPS
Certificate Practice Statement
- How CA is structured
- How certs will be managed
- How subscriber's ID is validated
- How to request revocation
- Which standards and protocols are used
OCSP
Online Certificate Status Protocol
- Checks for revoked certs
- Queries a CA or RA that maintains a list of expired certs
- Server sends a response with status of valid, suspended or revoked
CRL
Certificate Revocation List
IDs revoked certs
Expired certs are not on the CRL
Certificate Suspension
Certs can be suspended
Ensures key is unusable for a period of time
Suspend rather than expire to make them TEMPORARILY invalid
Certificate Expiration
If a cert expires, a new cert must be issued
NOT added to the CRL
Certificate Renewal
Unexpired certs can be renewed close to the end of the expiring cert’s lifetime
Allows same cert to be used past the original expiry time
Not a good practice
Certificate Destruction
Establish policies for destroying old keys
When key/cert no longer useful, destroy and remove from system
When destroyed, notify CA so CRL and OCSP can be updated
Deregistration should occur when a key is destroyed
Trust Models (4):
Single-Authority (AKA third-party trust)
Hierarchical Trust
Bridge Trust
Web of Trust (AKA peer-to-peer)
Single Authority
Third party signs key/cert
User trusts authority and all keys issued by them
Trust verified by digital sig attached to public key
Hierarchical Trust
Root CA>Intermediate CA>Leaf CA
Bridge Trust
Trust between Root CAs
Web of Trust
All parties involved trust each other
CA does not exist to certify owners
Centralized Key Management
Central entity in charge of issuing keys
CA keeps a copy of the key
Decentralized Key Management
End user generates their own key
Does not provide key escrow (no key recovery)
Two Methods for Key Storage
Software-based:
- Access violations/intrusions
- Easily destroyed
- Subject to security of access control system
Hardware-based:
- Most secure
- More expensive
- Relies on physical security
- Smart cards/flash drives
Key Escrow
Third party may gain access to key storage
Allows for key recovery
Keys must be secured on escrow network/systems
Recovery Agent
Someone with authority to remove keys from escrow
M of N Control
Requires two or more recovery agents
Must be multiple key escrow recovery agents
Minimum number of agents must work to recover key
Revoking Keys
Conducted when:
- Keys compromised
- Authentication process malfunction
- People transferred/fired
- Other security risks occur
Keeps key from being misused
Suspending Keys
Temporary
Unusable for a period of time
Renewing Keys
Enable key for use after scheduled expiry
Reissued for certain time
Bad practice
TPM
Trusted Platform Module
Hardware
Stream Cipher Encryption
Symmetric