Domain 3: Security Architecture and Engineering - Cryptography Flashcards
Caesar Cipher
Simple substitution
Shift Characters, etc. (Caesar was a 3 character shift)
Subject to pattern analysis to crack the cipher
Current example: ROT-13, move characters 13 spaces
Scytale Cipher
Spartans used this cipher to communicate messages to generals in the field
Wrapped tape around a rod, then wrote on the tape
Diameter of the rod is the pre-agreed upon secret (key)
Symmetric Cryptography
Same secret is used on both ends
Vigenère Cipher
First polyalphabetic cipher
Key word is agreed upon ahead of time
First letter of the key is matched up against first letter of the message and so on
Enigma Machine
Used by Germans in WWII; Japanese had Purple machine
Used a rotor configuration to create a cipher
Vernam Cipher
AKA One-Time Pad
Mathematically unbreakable
Pad must be as long as the message
Pad must be securely distributed and only used once
Services provided by cryptography
PAIN
Privacy: prevents unauthorized disclosure
Authenticity: verifies claimed identity
Integrity: detects modification or corruption
Non-Repudiation: combines authentication and integrity. Sender can’t dispute having sent a message, or contents
Cipher Text Algorithm
Plain Text + Initialization vector + Algorithm (Cipher) + Key = Cipher Text
Initialization Vector
Provides randomness by changing the starting point randomly
Similar to Salt for a password
Cryptographic Algorithms
Data is broken into blocks (S-Blocks), and then complex, strong math is used to substitute the blocks.
Collection of math functions that should be open
Cryptographic Keys
Provide instructions on how to use the math
Should be random
Should be protected
Should be long “enough”
Symmetric Process
A single key is shared by both parties and is used to encrypt and decrypt. AKA secret, private, shared, or session key
Symmetric Pros
Provides fast data transfer
Good strong privacy
Symmetric Cons
Out of band key distribution
Doesn’t scale well
Doesn’t provide non-repudiation
Asymmetric Cryptography
Every user has a key pair which consists of a public and private key
Anything encrypted with one key can only be decrypted by the other
Symmetric Cipher types
Stream - one bit at a time; uses transposition, substitution, XOR. Fast and efficient, not as secure (e.g. RC-4)
Block - Chunks data, and each chunk goes through a series of math functions called S-boxes
Common Symmetric Algorithms
DES, 3DES, AES, RC-4 (Stream), RC-5, Twofish, Blowfish, IDEA, CAST, MARS, Skipjack
Private key
Used to encrypt; can prove authenticity because only the paired public key can decrypt it
Public Key
Used to decrypt, shared with other systems
Integrity with Cryptography
A hash/checksum is a fixed-length representation of the contents of the file. Hashing is performed on both ends of a file transfer to ensure no changes have been made
One-way math; cannot be reversed. Once it is, it is considered cracked
Hashing Algorithms
MD-5 128 bit
SHA-1 160 bit
SHA-2 256, 384, 512, etc.
HAVAL, TIGER, RIPEMD are lesser known algorithms
Collision
When two different documents produce the same hash
Birthday attack
Attempt to cause collisions. Based on the idea that it is easier to find two hashes that happen to match than to produce a specific hash
Non-Repudiation with cryptography
Encrypting the hash with the private key allows for non-repudiation. A hash is created, showing integrity. It is encrypted with the private key and decrypted with the public key. A hash is generated for the decrypted file and compared to prove who and what.
Digital signatures are a way to do this.
Common Asymmetric Algorithms
DSA and RSA
ECC (Elliptical Curve Cryptography) and El Gamal
Diffie-Hellman (DH) and Knapsack
RSA (Rivest, Shamir, Adleman)
Standard for Digital Signatures, replacing DSA
Uses factorization; uses the idea that there is no efficient way to factor the product of large prime numbers
Trap-door math
Diffie-Hellman
First Asymmetric algorithm
Secure key-agreement algorithm without pre-shared secrets
Based on discrete logarithms in a finite field
Asymmetric to agree on key, then symmetric for communication
ECC (Elliptical Curve Cryptography)
Based upon plotting points along a curve
Very efficient, but only applicable for key agreement, digital signatures, pseudo-random generators and small tasks
Frequently used for handheld devices due to their limited processing capability
De facto standard for encryption
AES
Exception: PGP for email uses IDEA (Internet Data Exchange Algorithm)
Number of keys in Symmetric Algorithms
N*(N-1)/2
Number of keys in Asymmetric Algorithms
2N
Key sharing for symmetric algorithms
out of band
Key sharing for asymmetric algorithms
public key is shared
Hybrid Cryptography
Goal is to achieve all of PAIN plus Speed
SSL/TLS is a good example. Asymmetric key exchange with the goal of creating a symmetric session key for further communication
How SSL/TLS uses Hybrid Cryptography
Message to website
Website responds with public key (Asymmetric)
Client Browser creates a symmetric session key and sends it to the server (Hybrid/Asymmetric)
Server uses its private key to decrypt the symmetric key. Now both parties know the symmetric key and use that to communicate (Symmetric)
Public Key Infrastructure (PKI)
System for web servers to obtain Digital Certificates from trusted Certificate Authorities to generate public/private key pairs to ensure server identity
Certificates
Provides authenticity of a server’s public key
Necessary to avoid MITM attacks
Digitally signed by Certificate Authority
Certificate Authority (CA)
entity that stores, signs, and issues digital certificates
Registration Authority (RA)
responsible for accepting requests for digital certificates and authenticating the entity making the request.
Certificate Repository
Where certificate is stored on web server
Certificate Revocation List (CRL)
A list published by the CA. Client is responsible for downloading to see if a certificate is revoked
Online Certificate Status Protocol (OCSP)
Streamlines the process of verifying whether or not a certificate has been revoked
Message Authentication Codes (MAC)
Provides reasonable authenticity and integrity; not strong enough to be non-repudiation (because it uses a symmetric key)
Between hashing and digital signatures
How MAC Works
Message + Symmetric Number + Hashing Algorithm to produce an HMAC
How it all Fits together (Web Browsing)
(Application) Web Browser requests web traffic
(Protocol) HTTP/HTTPS specifies rules for communication
(Cryptosystem) HTTPS mandates a cryptosystem, SSL/TLS is the framework to provide protection for data
(Algorithm) Provides the math for the actual encryption
How it all fits together (e-Mail)
(Application) Mail Client and Server
(Protocol) Specifies rules for communication - SMTP POP3 or IMAP
(Cryptosystem) Framework to protect data - S/MIME or PGP
(Algorithm) Provides the math for encryption - AES is most popular, IDEA for PGP
IPSec
Integrated with IPv6, backwards compatible with IPv4
Provides framework for services such as encryption, authentication, integrity
Provides encapsulation, not encryption
What is encapsulated can be protected through the protocols within IPSec
Encapsulation
Data is not encrypted, but is wrapped in such a way that the data is protected in transit
Tunnel Mode
Whole packet is encapsulated (IP Header, IP Payload, IP Trailer)
Transport Mode
Only the payload is encapsulated (IP Payload)
IPv4 IPSec packet
IPSec Header -> IP Header -> IP Payload -> IP Trailer -> IPSec Trailer
Authentication Header (AH)
IPSec Sub Protocol
Provides integrity, authenticity, and non-repudiation through the use of an Integrity Check Value (ICV)
Not compatible with NAT (Network Access Tunnels)
Encapsulating Security Payload (ESP)
Provides authenticity and integrity through a MAC
Provides Encryption, ICV is run on payload only
Compatible with NAT
Internet Key Exchange (IKE)
No security services
Management for a secure connection
Integrity Check Value (ICV)
Part of Authentication Header (AH)
Hash run on the entire packet (header, data, trailer) except for particular fields in the header that are dynamic (TTL, etc.).
No Confidentiality
Oakley
IKE service; uses Diffie-Hellman to agree upon a key
Internet Security Association and Key Management Protocol (ISAKMP)
Manages Keys and Security Associations
Security Association
Unique identifier for each secure session
Contains Dest Address, Security Parameter Index (SPI), IPSec Transform, Key, Additional SA Attributes (lifetime, etc)
Security Parameter Index (SPI)
Way to distinguish between multiple sessions with the same destination
Pretty Good Privacy (PGP)
Proprietary protocol for email cryptosystems
Uses web of trust
Passphrases instead of passwords
Learned keys are stored in a key ring
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Provides PAIN for email systems, Asymmetric key exchange for Symmetric Message key
Privacy - Receiver’s Public Key
Authenticity - Sender’s Private Key
Integrity - Hash/Checksum - neither symmetric nor asymmetric
Non-Repudiation - Hash encrypted by sender’s private key
S/MIME Process (Digital Envelope)
Message encrypted with Symmetric Key
Symmetric Key added to Message
Symmetric Key encrypted with Receiver’s Public Key
Document gets hashed
Hash gets encrypted with Sender’s Private Key
Ciphertext Only Attack
Attacker has captured encrypted text on the network. Usually means all the attacker can do is brute force the encrypted text
Known Plain Text Attack
Attacker has captured cipher text, but also knows what a portion of the message is in plain text (like an automatic signature)
How Allies cracked Enigma machine
Chosen Plaintext Attack
Attacker can see the full text encrypted and decrypted. Attacker has initiated the message (usually)
Chosen Ciphertext Attack
Attacker can see whatever they want in plain or ciphertext. They have compromised a workstation. Sometimes called a lunchtime or midnight attack
Meet in the Middle Attack
Attacks are targeted towards algorithms like 3DES where there are multiple keys. An attacker tries to learn what each key does individually
Highest level of AES
256