Cryptography Flashcards
PAIN
PAIN – Privacy, Authenticity, Integrity, Non-Repudiation
Cryptography
Cryptography: Science of protecting information by encoding it into an unreadable form
Cryptanalysis
Cryptanalysis: The science of breaking the secrecy of encryption algorithms.
Cryptology
Cryptology: The study of both cryptography and cryptanalysis
Ciphertext
Ciphertext: Data that has been encrypted
Plaintext
Plaintext: Data in readable format, also referred to as cleartext
Encipher
Encipher: Act of transforming data into an unreadable format
Decipher
Decipher: Act of transforming data into a readable format
Key
Key: Secret sequence of bits and instructions that governs the act of encryption and decryption. Also called a cryptovariable
cryptovariable
Secret sequence of bits and instructions that governs the act of encryption and decryption.
Key Clustering
Key Clustering: Instance when two different keys generate the same ciphertext from the same plaintext
Key Zeroization
Key Zeroization: The process of properly destroying keys at the end of their useful life
Keyspace
Keyspace: A large set of possible values used to construct keys
Work factor
Work factor: Estimated time, effort, and resources necessary to break a cryptosystem
Nonrepudiation
Nonrepudiation: A principal cannot deny an action they have done
Substitution Cipher
Substitution Cipher: Replaces bits, characters or character blocks with different values. An early version of this was the Julius Caesar substitution cipher
Transposition Cipher
Transposition Cipher: Rearranges the bits, characters or character blocks
Frequency Analysis
Frequency Analysis: Looks for patterns in the ciphertext to try and discover the key. Originally based on the concept that certain letters, words and phrases occur more frequently than others in a language
XOR
Exclusively ORed (XOR): An operation in binary mathematics that is applied to two bits. If the bits are the same (both 1s or both 0s) then a “0” bit is generated and if they are different a “1” bit is generated. This process is commonly used in Stream Ciphers.
Block Ciphers
Block Ciphers: Operates on fixed blocks (e.g. 64 bits) of plaintext to produce the corresponding ciphertext. The Key determines what S-boxes (math functions) are used for encryption. Typically implemented in software solutions. Generally stronger than Stream Ciphers. E.g. AES, 3DES, RC5, RC6
Stream Ciphers
Stream Ciphers: Operates in real-time on a continuous stream of data, typically bit-by-bit.
Stream ciphers are faster than block ciphers but not as strong. Typically implemented in hardware solutions. E.g. RC4
Clipper Chip
Clipper Chip: An NSA designed chip that was to be placed in all US made communication devices to support public encryption. The government maintained keys that would allow it to decrypt any messages encrypted with this device. The Clipper Chip was never deployed, due to public push back.
• Used the classified SkipJack algorithm, which had an 80 bit key
• Used Key Escrow to split the government’s key into two pieces that were managed by two different organizations. Law enforcement could obtain both pieces if required. The concept of Key Escrow is often used by businesses to maintain keys for recovery purposes.
Symmetric Key Cryptography
Symmetric Key Cryptography: Both parties will be using the same key for encryption and decryption.
Symmetric Algorithms
Symmetric Algorithms Include:
• Advanced Encryption Standard – AES (uses the Rijndael algorithm), most popular
• Data Encryption Standard – DES, 3DES
• International Data Encryption Algorithm – IDEA
• Blowfish
• RC4
Symmetric Key Pros/Cons
Strengths:
• Faster than Asymmetric Algorithms.
• Stronger encryption than Asymmetric Algorithms, for the same sized keys
Weaknesses:
• Scalability/key management. The number of keys required is (n x (n-1))/2 where n is the number of users. For example, if you had 10 users it would require (10 x (10-1))/2 or 45 keys.
• Key distribution
• Cannot provide Authentication, Integrity or Nonrepudiation.
Asymmetric Key Cryptography
Asymmetric Key Cryptography: Uses two different keys that are mathematically related. One key is used to encrypt and the other to decrypt information. These two keys are usually referred to as Private (secret key) and Public (shared key)
Asymmetric Key Pros/Cons
Weaknesses:
• Requires longer key lengths
• Much slower than Symmetric systems
Strengths:
• Better key distribution
• Better scalability. Number of keys required is equal to (2 x n), where “n” is the number of users.
• Can provide confidentiality, authentication, integrity and Nonrepudiation.
Asymmetric Key Algorithms
- RSA (most popular)
- Diffie-Hellman
- El Gamal
- Elliptic Curve Cryptosystem (ECC)
Hybrid Key Cryptography
Hybrid Key Cryptography: Combines the strengths of both asymmetric and symmetric systems. It uses Symmetric keys to encrypt the bulk of the data and uses Asymmetric keys to distribute the symmetric keys.
DES
Data Encryption Standard – DES:
o Key type = Symmetric, Block (with Stream)
o Key length = 56 bit
o Process = 16 rounds of transposition and substitution
5 Modes of DES
o Electronic Code Book - ECB: The WEAKEST. This is the native mode for DES. The exact same key is applied to each block. This is a weakness because two identical Plaintext blocks will encrypt into two identical Ciphertext blocks. Usually used for encrypting small amounts of data, like keys.
o Cipher Block Chaining - CBC: The first Plaintext block is XORed with a randomly generated block of bits called an “Initialization Vector” to produce Ciphertext. This Ciphertext is then XORed with the second Plaintext block and so on.
o Cipher Feedback - CFB: Operates like a stream cipher; works on individual bits to encrypt individual characters. Feedback is using previous ciphertext.
o Output feedback - OFB: Like CFB but feedback is using previous plaintext.
o Counter - CTR: Like CFB/OFB but uses a counter as feedback.
3DES
o Key type = Symmetric, Block (with Stream)
o Key length = 3 * 56 bit = 168 bits
o Process = 48 rounds of transposition and substitution
AES
Advanced Encryption Standard (AES) – Rijndael:
o Key type = Symmetric, Block
o Key length = variable 128, 192 or 256 bits
o Process = variable 10 - 14 rounds of transposition and substitution
Selected by the National Institute of Standards and Technology (NIST) as the new standard to replace DES.
IDEA
IDEA:
o Key type = Symmetric, Block
o Key length = variable 128 bits
o Process = 8 rounds of transposition and substitution
A patented algorithm used in the Pretty Good Privacy (PGP) email encryption system
RC5
RC5:
o Key type = Symmetric, Block
o Key length = variable up to 2,048 bits
o Process = 8 rounds of transposition and substitution
Developed and patented by RSA Data Security
Diffie-Hellman
Diffie-Hellman:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
This was the first public key algorithm and was designed to facilitate symmetric key exchange. Uses a process called “Key Agreement Procedure”.
Vulnerability – Subject to man-in-the-middle attacks
ElGamal
ElGamal is based on Diffie-Hellman, but extends its capabilities with digital signatures:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
RSA
RSA:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
Designed to facilitate symmetric key exchange. The letters RSA come from the first initials of the three inventors. It is based on the difficulty of factoring a number that is the product of two large prime numbers. Used for symmetric key exchange, encryption and digital signatures.
Elliptic Curve
Elliptic Curve:
Uses properties of elliptic curves for encrypting data. This method is much more efficient than other asymmetric algorithms and can use much smaller keys. Because it is fast and has low overhead, it is often used to support wireless device encryption.
Message Digest
The result of a hashing algorithm taking the entire contents of the original message and condensing it into a fixed-length value that acts like a fingerprint of the original message
Hashing Collisions
When two different messages result in the same Message Digest.
MAC
Message Authentication Code (MAC): Provides message authenticity by combining the original text with a symmetric key and then hashing the result. Does not provide non-repudiation like digital signatures.
MD5
MD5: Hashing produces a 128 bit digest. Performs 4 rounds of calculations on 512 bit blocks
SHA-1
Secure Hash Algorithm (SHA-1): Produces 160 bit digest. Processes text in 512 bit blocks
SHA-2
SHA 256, Digest sizes: 224, 256, 384, or 512 bits
CA
Certificate Authority (CA) – does the following:
o Digitally sign certificates
o Deliver certificates
o Maintain certificates and the Certificate Revocation Lists
RA
Registration Authority – RA: Assists the CA and takes some of the workload.
o Receives the certification request
o Verifies an individual’s identity for the CA prior to forwarding the request.
CRL
CRL (Certificate Revocation List): The CA publishes the CRL. The client is responsible for downloading it to see if a certificate has been revoked
OCSP
OCSP (Online Certificate Status Protocol): Streamlines the process of verifying whether or not a certificate has been revoked
Seven Key Management Functions
There are Seven Key Management Functions:
- Generation
- Distribution
- Installation
- Storage
- Change
- Control
- Disposal
PEM
Privacy-Enhanced Mail (PEM):
Provided authentication, message integrity, encryption and key management.
Used DES, MD5 for hashing, & PKI infrastructure.
Not widely adopted due to PKI requirements and abandoned for PGP and S/MIME
Legacy is X.509 certs
PGP
Pretty Good Privacy (PGP):
PGP is an email encryption application that was originally distributed as freeware. It has the following features.
• Uses a “Web of Trust” model instead of a central certification authority.
• Uses asymmetric RSA algorithm for key distribution and digital signatures.
• Uses the symmetric IDEA algorithm and “Session Keys” for message encryption.
SET
Secure Electronic Transaction (SET): A specification developed by MasterCard and Visa to support secure e-commerce. Uses a combination of DES, RSA and x.509 certificates.
SSL
Secure Socket Layer (SSL): A protocol developed by Netscape to provide session based encryption and authentication to secure communications between clients and servers on the internet. Both the server and browser must be SSL enabled. SSL is used by HTTPS to encrypt all communications during a session
S-HTTP
Secure Hypertext Transfer Protocol (S-HTTP): A protocol developed to support secure communication with a web server. It is unique in that it encrypts individual messages instead of the entire session.
IPSec
Internet Protocol Security (IPSec): Is a method of setting up a secure channel for protected data exchange between two devices. It is usually used to establish a VPN.
IPSec’s two protocols
IPSec has two basic security protocols:
• Authentication Header (AH): Is an authenticating protocol.
• Encapsulating Security Payload (ESP): Is an authenticating and encrypting protocol.
IPSec’s two modes
- Transport Mode: Only the payload (message) is encrypted
- Tunnel Mode: The payload, routing and header information are all encrypted; commonly used by security gateways
SA
Security Association (SA): Is a one way connection between two parties (e.g. IPSec). A minimum of two SAs are required for a two way communication. An SA describes how services are to be deployed to secure communication between the two nodes. ISAKMP manages the SA creation.
SPI
Security Parameter Index (SPI): Used in IPSec to keep track of the different SAs terminating at the same destination.
IKE
Internet Key Exchange (IKE):
• Creates the tunnel between the two nodes.
• Negotiates an SA for the IPSec services
WDE
Whole Disk Encryption (WDE): Protects the hard drive in the event the disk is stolen. Uses encryption within the operating system, e.g. EFS, TPM
EFS
EFS (Encrypted File System): Windows environment; encrypts personal files and folders one-by-one and doesn’t encrypt the entire contents of a drive; encrypts files based on the user account associated with them. Does not require or use any special hardware.
TPM
TPM (Trusted Platform Module) - BitLocker: Encrypts all personal and system files on the operating system drive, fixed data drives, and removable data drives; the TPM is a microchip that supports advanced security features to encrypt the operating system drive
Caesar Cipher
Caesar Cipher- Simple Substitution e.g. shift characters 3 spaces (A=D, B=E, C=F, etc). Substitution Ciphers are subject to pattern analysis
Scytale
Scytale- Spartans used this cipher to communicate messages to generals in the field. Wrapped tape around a rod; the diameter of the rod is the pre-agreed upon secret (key)
Vigenère
Vigenère - First polyalphabetic cipher. A key word is agreed upon ahead of time and each letter of the key is matched up against each letter of the message on a Vigenère table.
Enigma (Purple) Machine
Enigma Machine/Purple Machine- Used by the Germans/Japanese in WWII. Breaking the cryptography of these devices is credited with reducing the length of the war.
Vernam Cipher
Vernam Cipher- uses One Time Pad and is the only mathematically unbreakable form of cryptography.
• Key must be used only once;
• Pad must be at least as long as the message;
• Key pad is statistically unpredictable;
• Key Pad must be delivered and stored securely
S/MIME
Secure/Multipurpose Internet Mail Extensions leverages PKI to encrypt and authenticate MIME-encoded email.
Diffusion
The order of the plaintext is diffused or dispersed in the ciphertext
Confusion
The relationship between plaintext and ciphertext is as random as possible
Permutation
Aka transposition; provides diffusion by rearranging the characters of the text (e.g. anagram: ATTACKATDAWN => CAAKDTANTATW)
Wassenaar Arrangement
1996 munitions (including cryptography) law that followed COCOM (Committee for Multilateral Export Controls)
Differential cryptanalysis
Differential cryptanalysis seeks to find the difference between related plaintexts that are encrypted. The plaintexts may differ by a few bits. It is usually launched as an adaptive chosen plaintext attack; the attacker chooses the plaintext to be encrypted (but does not know the key) and then encrypts related plaintexts.
Linear cryptanalysis
Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds ‘large amounts’ of plaintext/ciphertext pairs created with the same key. The pairs are studied to derive information about the key used to create them.