Lesson 4: Explaining Basic Cryptography Concepts Flashcards

1
Q

Cryptography

A

A powerful and complex weapon in the fight to maintain computer security. Cryptography is the basis for many of the security systems you will be implementing and configuring. Cryptography (literally meaning “secret writing”) has been around for thousands of years. It is the art of making information secure. This stands in opposition to the concept of security through obscurity, which means keeping something secret by hiding it.

2
Q

Plaintext (or cleartext)

A

unencrypted message

3
Q

Ciphertext

A

encrypted message

4
Q

Cipher

A

process (or algorithm) used to encrypt and decrypt a message

Most ciphers use a key to increase the security of the encryption process. For example, if you consider the Caesar cipher ROT13, you should realize that the key is 13. You could use 17 to achieve a different ciphertext from the same method. The key is important because it means that even if the algorithm or cipher method is known, a message still cannot be decrypted without knowledge of the specific key. This is particularly important in modern cryptography. Attempting to hide details of the cipher (a secret algorithm) amounts to “security by obscurity.” Modern ciphers are made stronger by being open to review (cryptanalysis) by third-party researchers.

The range of key values available to use with a particular cipher is called the keyspace. The keyspace is roughly equivalent to two to the power of the size of the key. However, some keys within the keyspace may be considered easy to guess (“weak”) and should not be used. Using a longer key (2048 bits rather than 1024 bits, for instance) makes the encryption scheme stronger. You should realize that key lengths are not equivalent when comparing different algorithms, however. Recommendations on minimum key length for any given algorithm are made by identifying whether the algorithm is vulnerable to cryptanalysis techniques and by the length of time it would take to “brute force” the key, given current processing resources.

5
Q

Cryptanalysis

A

the art of breaking or “cracking” cryptographic systems

6
Q

transport encryption

A

With transport encryption, for instance, confidentiality means that a message cannot be deciphered without having the appropriate cipher and key (or alternatively the means to crack the cipher).

7
Q

Non-repudiation

A

linked to identification and authentication. It is the concept that the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, it follows that the sender must have composed it.

8
Q

resilient

A

As well as providing integrity at the level of individual messages, cryptography can be used to design highly resilient control systems. A control system is one with multiple parts, such as sensors, workstations, and servers, and complex operating logic. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

9
Q

Obfuscation

A

the art of making a message difficult to understand. The term is often used in conjunction with the source code used to design computer applications. Obfuscated source code is rewritten in a way that does not affect the way the computer compiles or executes the code but makes it difficult for a person reading the code to understand how it works. Cryptography is a very effective way of obfuscating a message but unfortunately it is too effective in the case of source code because it means the code cannot be understood (executed) by the computer either. At some point the code has to be decrypted to be executed. The key used for decryption must usually be bundled with the source code and this means that you are relying on security by obscurity rather than strong cryptography. Attempts to protect an embedded key while preserving the functionality of the code (known as white box cryptography) have all been broken. There are no commercial solutions currently available to overcome this problem but the subject is one of much research interest. As well as protecting source code, white box cryptography would offer much better Digital Rights Management (DRM) protection for copyright content such as music, video, and books.

10
Q

substitution cipher

A

involves replacing units (a letter or blocks of letters) in the plaintext with different ciphertext. Simple substitution ciphers rotate or scramble letters of the alphabet. For example, ROT13 (an example of a Caesarian cipher) rotates each letter 13 places (so A becomes N for instance). The ciphertext “Uryyb Jbeyq” means “Hello World”.

11
Q

transposition cipher

A

In contrast to substitution ciphers, the units in a transposition cipher stay the same in plaintext and ciphertext, but their order is changed, according to some mechanism. See if you can figure out the cipher used on the following example: “HLOOLELWRD”.

Note: If you’re having trouble with the transposition cipher, try arranging groups of letters into columns. It’s called a rail fence cipher.

12
Q

frequency analysis

A

Basic substitution and transposition ciphers are vulnerable to cracking by frequency analysis. Frequency analysis depends on the fact that some letters and groups of letters appear more frequently in natural language than others.

13
Q

Frequency analysis depends on the fact that some letters and groups of letters appear more frequently in natural language than others. These patterns can be identified in the ciphertext, revealing the cipher and key used for encryption. As described by Claude Shannon in 1949, a secure cipher must exhibit the properties of confusion and diffusion.

A
  • Confusion means that the key should not be derivable from the ciphertext. If one bit in the key changes, many bits in the ciphertext should change (each plaintext bit should have a 50% chance of flipping). Also, the same key should not be used by the algorithm in a predictable way when outputting ciphertexts from different plaintexts. Confusion is achieved by using complex substitutions, employing both the whole key and parts of the key to output ciphertext blocks. Confusion prevents attackers from selectively generating encrypted versions of plaintext messages and looking for patterns in their relationship to try to derive the key.
  • Diffusion means that predictable features of the plaintext should not be evident in the ciphertext. If one bit of the plaintext is changed, many bits in the ciphertext should change as a result. Diffusion is obtained through transposition. Diffusion prevents attackers from selectively determining parts of the message. Modern ciphers must use both substitution and diffusion to resist cryptanalysis attacks.

Interest in information theory and the use of computers led to the development of increasingly sophisticated ciphers based on mathematical algorithms to perform irreversible transpositions and substitutions. These are the ciphers in widespread use today. The basis of mathematical ciphers is to use an operation that is simple to perform one way (when all the values are known) but difficult to reverse. These are referred to as trapdoor functions. The aim is to reduce the attacker to blindly guessing the correct value. Given a large enough range of values, this type of attack can be rendered computationally impossible.

14
Q

one-time pad

A

The one-time pad, invented by Gilbert Vernam in 1917, is an unbreakable encryption mechanism. The one-time pad itself is the encryption key. It consists of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm. To encode and decode the message, each character on the pad is combined with the corresponding character in the message using some numerical system. For example, a binary message might use an XOR bitwise operation. XOR produces 0 if both values are the same and 1 if the values are different, or, put another way, an XOR operation outputs true only if one input is true and the other input is false. The advantage of XOR compared to an AND or an OR operation is that XOR has a 50% chance of outputting one or zero, whereas AND is more likely to output zero and OR is more likely to output one. This property makes the ciphertext harder to analyze.

Apart from the requirements to be the same length as the message and truly random, each pad must only ever be used once. Re-using a pad makes ciphertexts susceptible to frequency analysis. If used properly, one-time pads are unbreakable. Unlike a cipher employing transposition and/or substitution, there are no clues about the plaintext stored within the ciphertext, apart from its length. However, the size (for anything but short messages) and secure distribution of the pad make it an unsuitable method for modern cryptography. The method is still in use where no means of computer-assisted cryptography is available, though. Also, the operation of some modern cipher types is similar to that of a one-time pad.

15
Q

To resist cryptanalysis, many cryptographic modules need to apply a value to the data being encrypted to ensure that if two identical plaintexts are used as input, the output is never the same. The value is usually applied using an XOR operation. The value does not have to be kept secret. The value can have different properties depending on the type of cryptography being used:

A
  • Nonce—the principal characteristic of a nonce is that it is never reused (“number used once”) within the same scope (that is, with the same key value). It could be a random or pseudo-random value, or it could be a counter value.
  • Initialization vector (IV)—the principal characteristic of an IV is that it be random (or pseudo-random). There may also be a requirement that an IV not be reused (as with a nonce), but this is not the primary characteristic.
  • Salt—this is also a random or pseudo-random number or string. The term salt is used specifically in conjunction with cryptographically hashing password values.
16
Q

Malicious attacks on encryption systems are generally made for two reasons:

A
  • To decipher encrypted data without authorization.
  • To impersonate a person or organization by appropriating their encryption keys.

17
Q

weak cipher suites and implementations

A

Use of weak cipher suites and implementations can represent a critical vulnerability for an organization. It means that data that it is storing and processing may not be secure. It may also allow a malicious attacker to masquerade as it, causing huge reputational damage. A weak cipher is one that cannot use long keys. For example, legacy algorithms such as MD5, 3DES, and RC4 cannot use key sizes larger than 128 bits. That makes them susceptible to brute force attacks. Additionally, analysis methods might demonstrate ways that a cipher can malfunction, such as showing that the substitution and transposition operations are not sufficient to resist analysis.

18
Q

The inputs available for cryptanalysis are as follows:

A
  • Known ciphertext—the analyst has obtained the ciphertext but has no additional information about it. The attacker may use statistical methods such as frequency analysis to try to break the encryption.
  • Known plaintext—the attacker knows or can guess some of the plaintext present in a ciphertext, but not its exact location or context. This can greatly assist with analysis.
  • Chosen plaintext—the attacker can submit plaintexts to the same cryptographic process to derive corresponding ciphertexts, facilitating analysis of the algorithm and potentially recovery of the key.
  • Chosen ciphertext—the attacker can submit ciphertexts to the same cryptographic process to derive corresponding plaintexts. The aim of this type of attack is to deduce the key used for decryption.

These attacks are the reason it is important for a cryptographic system to use IVs or salts to ensure that identical plaintexts produce different ciphertexts.

19
Q

weak key

A

A weak key is one that produces ciphertext that is easy to cryptanalyze. If a cipher produces weak keys, the technology using the cipher should prevent use of these keys. DES, RC4, IDEA, and Blowfish are examples of algorithms known to have weak keys. The way a cipher is implemented in software may also lead to weak keys being used.

20
Q

The Random Number Generator (RNG) module in a cryptographic implementation is critical to its strength. There are two principal ways for an RNG to work:

A
  • True random number generator (TRNG)—samples some sort of physical phenomenon, such as atmospheric noise, with a high rate of entropy (lack of order). This method is slow but considered much stronger.
  • Pseudorandom number generator (PRNG)—uses software routines to simulate randomness. The generator usually uses data from the system, such as mouse and keyboard input timing, process IDs, and hard drive samples, as a seed. The seed state is then passed through a mathematical formula in order to output a pseudorandom number.
21
Q

side channel attacks

A

represent a completely different approach to cryptanalysis. The theory is that by studying physical properties of the cryptographic system, information may be deduced about how it works. Launching a side channel attack means monitoring things like timing, power consumption, and electromagnetic emanation. Obviously, it is necessary to obtain a physical copy of the cryptographic system or to have some extremely sophisticated monitoring equipment installed.

22
Q

Resource versus security constraints

A

the comparative strength of one cipher over another largely depends on the bit-strength of the key and the quality of the algorithm. Some algorithms have known weaknesses and are deprecated for use in particular contexts.

Note: Cipher strength cannot depend on keeping the operation of the cipher a secret (security by obscurity). To do so breaks Schneier’s Law: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.”

23
Q

Low power devices

A

some technologies require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which might affect the maximum key size supported.

24
Q

Low latency uses

A

if cryptography is deployed with a real time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal.

25
Q

Data can be described as being in one of three states: Data at rest

A

this state means that the data is in some sort of persistent storage media. Examples of types of data that may be at rest include financial information stored in databases, archived audiovisual media, operational policies and other management documents, system configuration data, and more. In this state, it is usually possible to encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption. It is also possible to apply permissions—access control lists (ACLs)—to ensure only authorized users can read or modify the data. ACLs can be applied only if access to the data is fully mediated through a trusted OS.

26
Q

Data can be described as being in one of three states:

Data in transit (or data in motion)

A

this is the state when data is transmitted over a network. Examples of types of data that may be in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPSec.

27
Q

Data can be described as being in one of three states: Data in use

A

this is the state when data is present in volatile memory, such as system RAM or CPU registers and cache. Examples of types of data that may be in use include documents open in a word processing application, database data that is currently being modified, event logs being generated while an operating system is running, and more. When a user works with data, that data usually needs to be decrypted as it goes from at rest to in use. The data may stay decrypted for an entire work session, which puts it at risk. However, some mechanisms, such as Intel Software Guard Extensions (https://software.intel.com/en-us/sgx/details), are able to encrypt data as it exists in memory, so that an untrusted process cannot decode the information.

28
Q

Three different types of cryptographic algorithms are used in computer security systems:

A

hash functions, symmetric encryption, and asymmetric encryption.

29
Q

cryptographic primitive

A

A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. A complete cryptographic system or product is likely to use multiple cryptographic primitives.

30
Q

crypto module or API (application programming interface)

A

The algorithms underpinning cryptography must be interpreted and packaged as a computer program (or programming library). This can be described as a crypto module or API (application programming interface). The crypto module will support commands generated from other applications, such as “Create a hash of this data,” “Encrypt this data with this algorithm,” or “Decrypt this data using this key.” In Windows®, the program that makes these calls is referred to as a cryptographic service provider (CSP). A CSP makes use of the Windows crypto module (CryptoAPI or CryptoNG [next generation]) to perform encryption and/or authentication services. A CSP might be implemented in software or it might run as firmware (a smart card, for instance).

It is important to realize that just because an algorithm, such as AES, is considered strong does not mean that the implementation of that cipher in a programming library is also strong. The implementation may have weaknesses. It is vital to monitor the status of this type of programming code and apply updates promptly. If a weakness is revealed, any keys issued under the weak version must be replaced and data re-encrypted. Crypto modules meeting the Federal information processing standard (FIPS)

31
Q

checksums

A

Hashing algorithms are widely used in computer programming to create a short representation of data. These functions are used for things like checksums to ensure the validity of data. Hash functions are used for confidentiality (to store passwords securely) and for authentication, non-repudiation, and integrity (as part of a digital signature). A hash of a file can be used to verify the integrity of that file after transfer. Two of the most commonly used cryptographic hash algorithms are SHA and MD5.

32
Q

message digest

A

A cryptographic hash algorithm also produces a fixed length string, called a message digest, from a variable length string. The difference is that the function is designed so that it is impossible to recover the original message from the digest (one-way) and so that different messages are unlikely to produce the same digest (a collision).

33
Q

secure hash algorithm (SHA) is one of the Federal Information Processing Standards (FIPS) developed by NIST for the US government

A

SHA was created to address possible weaknesses in MDA

There are two versions of the standard in common use:

  • SHA-1—this was quickly released (in 1995) to address a flaw in the original SHA algorithm. It uses a 160-bit digest. SHA-1 was subsequently found to exhibit weaknesses.
  • SHA-2—these are variants using longer digests (notably 256 bits and 512 bits). SHA-2 also addresses the weaknesses found in SHA-1.

There are some concerns about the long-term security of SHA, but it is widely implemented as part of security standards and protocols, such as SSL, IPSec, and the Digital Signature Standard (DSS).

34
Q

Message Digest Algorithm (MDA/MD5)

A

designed in 1990 by Ronald Rivest, one of the “fathers” of modern cryptography. The most widely used version is MD5, released in 1991, which uses a 128-bit hash value. MD5 is considered a weak algorithm as ways have been found to exploit collisions in the cipher. A collision is where a function produces the same hash value for two different inputs. Consequently, MD5 is no longer considered secure for password hashing or signing digital certificates. Despite this, most forensic tools default to using MD5 as it is a bit faster than SHA, it offers better compatibility between tools, and the chances of an adversary exploiting a collision in that context are remote.

35
Q

Research and Development in Advanced Communications Technologies in Europe (RACE) RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

A

program set up by the European Union (EU)

The RACE Integrity Primitives Evaluation Message Digest (RIPEMD) was designed as an alternative to MD5 and SHA. RIPEMD-160 offers similar performance and encryption strength to SHA-1.

36
Q

message authentication code (MAC)

A

a means of proving the integrity and authenticity of a message. To produce a MAC rather than a simple digest, the message is combined with a secret key. As the secret key should be known only to sender and recipient and cannot be recovered from the MAC (the function is one-way), in theory only the sender and recipient should be able to obtain the same MAC, confirming the message’s origin and that it has not been tampered with.

37
Q

hash-based message authentication code (HMAC)

A

A hash-based message authentication code (HMAC), described in RFC 2104, is a particular means of generating a MAC, using the MD5 (HMAC-MD5), SHA-1 (HMAC-SHA1), or SHA-2 (HMAC-SHA2) algorithm. In an HMAC, the key and message are combined in a way designed to be resistant to “extension” attacks against other means of generating MACs.

38
Q

Symmetric encryption

A

Symmetric encryption is a two-way encryption algorithm in which encryption and decryption are both performed by a single secret key. Alternatively, there may be two keys or multiple subkeys, but these are easy to derive from possession of the master key. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached. Symmetric encryption is used for confidentiality only. Because the same key must be used to encrypt and decrypt information, it cannot be used to prove someone’s identity (authentication and non-repudiation). If you tell someone the key to allow them to read a message that you have sent to them, they would gain the ability to impersonate you.

Note: Symmetric encryption is also referred to as single-key or private-key or shared secret. Note that “private key” is also used to refer to part of the public key cryptography process, so take care not to confuse the two uses.

The main problem with symmetric encryption is secure distribution and storage of the key. This problem becomes exponentially greater the more widespread the key’s distribution needs to be. The main advantage is speed, as symmetric key encryption is far faster than asymmetric encryption.

Note: The problem of key distribution is usually solved by exchanging the keys using asymmetric encryption. Alternatively, an offline (or out-of-band) method can be used, such as using a courier service to deliver the key on a disk.

39
Q

stream cipher

A
  • In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. Like a one-time pad, the plaintext is combined with a separate randomly generated message. Unlike a one-time pad, this is not predetermined but calculated from the key (keystream generator) and an Initialization Vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. As with a one-time pad, the keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.
  • Rivest Ciphers (or Ron’s Code) are a family of different encryption technologies designed by Ron Rivest (https://www.rsa.com). The RC4 cipher (often referred to as Arcfour) is a stream cipher using a variable length key (from 40 to 128 bits). RC4 was used in Secure Sockets Layer (SSL) and Wired Equivalent Privacy (WEP) but is now usually deprecated in favor of more modern ciphers.
40
Q

block cipher

A

In a block cipher, the plaintext is divided into equal-size blocks (usually 64- or 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used.

Most ciphers increase security by encrypting the data more than once (rounds). Each round uses a separate key, though these are ultimately derived from the master key.

41
Q

symmetric block cipher algorithms

A

Popular symmetric block cipher algorithms include AES, Blowfish/Twofish, and DES/3DES.

42
Q

DES/TRIPLE DES (3DES) Data Encryption Standard

A

The Data Encryption Standard cipher was developed in the 1970s by IBM for the NSA. The cipher used in DES is based on IBM’s Lucifer cipher. It is a block cipher using 64-bit blocks and a 56-bit key. DES was shown to be flawed, prompting the development (in 1998) of Triple DES (3DES), where the plaintext is encrypted three times using different subkeys. In 2-key 3DES, there is one round with key1 then a round with key2, then a final round with key1 again, making the key size 112-bit. Another mode uses three different keys, for an overall key size of 168 bits. 3DES is deprecated for most applications. It has been replaced by the faster and more secure AES.

43
Q

AES/AES256 Advanced Encryption Standard (AES)

A

The Advanced Encryption Standard (AES) was adopted as a replacement for 3DES by NIST in 2001. It is faster and more secure than 3DES. AES is also a block cipher with a block size of 128 bits and key sizes of 128, 192, or 256 bits. AES is the preferred choice for many new applications. As an open standard it is patent-free. Note that while the 168-bit overall key length of 3-key 3DES is nominally larger than 128-bit AES, the way the keys are used makes a 3DES ciphertext more vulnerable to cryptanalysis than an AES-128 one.

44
Q

Blowfish

A

developed in 1993 by Bruce Schneier (http://schneier.com). It uses 64-bit blocks and variable key sizes (32–448 bits). Blowfish is both secure and fast.

45
Q

Twofish

A

related cipher to Blowfish, Twofish was developed by an extended team to enter the AES competition. Twofish uses a larger block size (128-bit) and keys up to 256 bits long. Both Blowfish and Twofish were made available copyright- and patent-free by their inventors.

46
Q

block cipher can be used in different modes of operation:

A

A mode of operation refers to the way a cryptographic product processes multiple blocks. The simplest mode of operation is called Electronic Code Book (ECB). ECB simply applies the same key to each plaintext block. This means that identical plaintext blocks can output identical ciphertexts, making the ciphertext vulnerable to cryptanalysis.

Cipher Block Chaining (CBC) mode improves ciphertext integrity by applying an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext. The output of the first ciphertext block is then combined with the next plaintext block using an XOR operation. This process is repeated through the full “chain” of blocks, which (again) ensures that no plaintext block produces the same ciphertext. The problem with CBC is that the “chain” nature of the algorithm means that it must be processed serially when performing encryption operations and cannot take advantage of the ability of modern CPUs to process information in parallel. Decryption can be performed in parallel.

The problem of parallelism is addressed by counter mode (referred to as CTM in the exam blueprint, but more commonly CTR or CM). CTR actually functions in much the same way as a stream cipher. Each block is combined with a nonce (or non-repeating) counter value. This ensures unique ciphertexts from identical plaintexts and allows each block to be processed individually and consequently in parallel, improving performance.

Most modern systems use a type of counter mode called Galois/counter mode (GCM). Symmetric algorithms do not natively provide message integrity. The Galois function addresses this by combining the ciphertext with a type of message authentication code (GMAC), similar to an HMAC. Where CBC is only considered secure when using a 256-bit key, GCM can be used with a 128-bit key to achieve the same level of security.

47
Q

public and private keys in a key pair

A

With an asymmetric algorithm, operations are performed by two different but related public and private keys in a key pair. Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the ciphertext produced. The public key cannot be used to decrypt the ciphertext, even though it was used to encrypt it. The keys are linked in such a way as to make it impossible to derive one from the other. This means that the key holder can distribute the public key to anyone he or she wants to receive secure messages from. No one else can use the public key to decrypt the messages; only the linked private key can do that. Asymmetric encryption is often referred to as public key cryptography.

The problem with asymmetric encryption is that it involves quite a lot of computing overhead. The message cannot be larger than the key size. Where a large amount of data is being encrypted on disk or transported over a network, asymmetric encryption is inefficient. Consequently, asymmetric encryption is mostly used for authentication and non-repudiation (digital signatures) and for key agreement or exchange (settling on a secret key to use for symmetric encryption that is known only to the two communicating parties).

48
Q

public key cryptography products

A

Most are based on the RSA algorithm. Ron Rivest, Adi Shamir, and Leonard Adleman published the RSA cipher in 1977 (https://www.rsa.com). RSA is widely deployed as a solution for creating digital signatures and key exchange. RSA block sizes and key lengths are variable according to the application, with larger keys offering more security. RSA can only be used to encrypt short messages: the plaintext, treated as an integer, must be smaller than the modulus, and padding consumes part of that space. With PKCS#1 v1.5 padding the maximum message size is the key size in bytes minus 11, so a 2048-bit key allows at most (2048 / 8) − 11 = 245 bytes. With the recommended OAEP padding the overhead is larger, 2 × (hash length) + 2 bytes (214 bytes for a 2048-bit key with SHA-1). This is why RSA is used to sign hashes and to wrap symmetric keys rather than to encrypt bulk data directly.

49
Q

digital signature

A

A digital signature is used to prove the identity of the sender of a message and to show that a message has not been tampered with since the sender posted it. This provides authentication, integrity, and non-repudiation. To create a digital signature using RSA, the private key is applied to (in RSA terms, "encrypts") a hash of the message; the public key is distributed to allow others to verify the signature.

example:

  1. The sender (Alice) creates a digest of a message, using a pre-agreed secure hash algorithm, such as SHA256, and then encrypts the digest using her private key.
  2. This digital signature is attached to the original document and delivered.
  3. The recipient (Bob) decrypts the signature using Alice’s public key, resulting in the original hash.
  4. Bob then calculates his own message digest of the document (using the same algorithm as Alice) and compares it with Alice’s digest.
  5. If the two digests are the same, then the data has not been tampered with during transmission, and the signature can only have been produced by the holder of Alice’s private key. If either the data had changed or a malicious user (Mallory) had intercepted the message and re-signed it with a different private key, the digests would not match.

Note: It is important to remember that a digital signature is a hash that is then encrypted using a private key. Without the encryption, another party could easily intercept the file and the hash, modify the file and compute a new hash, and then send the modified file and hash to the recipient. It is also important to realize that the recipient must have some means of validating that the public key really was issued by Alice.

50
Q

Secret key (symmetric) encryption is generally faster than public key cryptography, but public key cryptography can provide higher levels of convenience and security. Therefore, often, both are used. This type of key exchange system is known as a digital envelope. It works as follows:

A
  1. Alice encrypts the message using a secret key cipher, such as AES or Blowfish.
  2. The secret key itself is encrypted using public key cryptography (with Bob’s public key) then attached to the encrypted message and sent to Bob. In this context, the secret key is referred to as a session key.

Note: It is important that a new session key be generated for each session and destroyed at the end of a session.

  3. Bob uses his private key to decrypt the secret key.
  4. Bob uses the secret key to decrypt the message.

Note that in this process, it is the recipient’s public key that is used to perform encryption and the recipient’s private key that is used for decryption. The validity of the whole “digital envelope” can be proved by signing it, as above.

Note: In all these implementations, it is critical that the private key be kept secure and available only to the authorized user.

51
Q

certificate authority (CA)

A

When using public/private key pairs, a subject will make his or her public key freely available. This allows recipients of his or her messages to verify the digital signature. Similarly, a sender uses the recipient’s public key to encrypt a message via a digital envelope. This means that no one other than the intended recipient can read the message. The question then arises of how anyone can trust the identity of the person or server issuing a public key. One solution is to have a third party, referred to as a certificate authority (CA), validate the use of the public key by issuing the subject with a certificate that binds the subject's identity to the public key. The certificate is signed by the CA. If the client trusts the CA, they can also trust the public key wrapped in the subject’s certificate. The CAs, the certificates, and the procedures for issuing, validating, and revoking them together make up a Public Key Infrastructure (PKI).

52
Q

Diffie-Hellman (D-H)

A

a key agreement protocol, published in 1976 by Whitfield Diffie and Martin Hellman. These authors also acknowledge the work of Ralph Merkle and suggest that the protocol be referred to as Diffie-Hellman-Merkle. D-H itself is not used to encrypt messages or to authenticate senders. It is used to securely agree on a key to encrypt messages using a symmetric encryption algorithm, such as AES. The process works (in simple terms) as follows:

  1. Alice and Bob agree on shared integers p and q, where p is a large prime number and q is a smaller integer that functions as a base (conventionally written g, and chosen to generate a large subgroup mod p). These values can be known to eavesdroppers without compromising the process.
  2. Alice and Bob each choose a different private integer (a and b, respectively). These values must not be disclosed to anyone else (Alice does not tell Bob a, and Bob does not tell Alice b).
  3. Alice calculates A = q^a mod p and Bob calculates B = q^b mod p, and they send these values to one another. mod returns the remainder when q^a or q^b is divided by p.
  4. Alice and Bob now both know p, q, A, and B. Alice knows a and Bob knows b. Alice calculates s = B^a mod p and Bob calculates s = A^b mod p. Both equal q^(ab) mod p, so they arrive at the same shared secret s.
  5. s is then passed through a key derivation function to generate the session key for another cipher, such as AES.
  6. An eavesdropper (Mallory) who has observed p, q, A, and B cannot derive s without a or b: recovering a from A is the discrete logarithm problem, which is infeasible for a well-chosen large p. An active Man-in-the-Middle who can replace A and B with values of his own, however, can defeat unauthenticated D-H, which is why the exchanged values must be authenticated (see the MitM card below).

D-H depends on the use of a group in which exponentiation is easy but the reverse operation (the discrete logarithm) is computationally infeasible, that is, a one-way function (RSA, by contrast, relies on a trapdoor function: the private key is the trapdoor that makes the reverse operation easy for its holder). The “classic” or “finite field” D-H described uses modular exponentiation. The commonly used finite field groups, as numbered in IKE, are group 1 (768-bit), group 2 (1024-bit), group 5 (1536-bit), and group 14 (2048-bit). Groups 1 and 2 are too weak for current use; 2048 bits (group 14) is the minimum now recommended.
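The following is an added example, not code from the original flashcards, that runs the six steps above with the card's own symbols (p, q, a, b, A, B, s) and then plays Mallory's side of step 6 by brute-forcing the discrete logarithm. It assumes deliberately tiny primes (23 with base 5, and 1000003 with base 2) so the brute force finishes; the point is how quickly that stops being true as p grows. Function names are this example's own.

```python
import random


def dh_keypair(p: int, q: int, rng):
    """Steps 2-3: choose a private exponent, publish q^a mod p."""
    a = rng.randrange(2, p - 1)
    return a, pow(q, a, p)


def dh_shared_secret(p: int, their_public: int, my_private: int) -> int:
    """Step 4: Alice computes B^a mod p, Bob computes A^b mod p; both equal q^(ab) mod p."""
    return pow(their_public, my_private, p)


def dh_exchange(p: int, q: int, seed=None):
    """Run the whole agreement. Returns what an eavesdropper sees (A, B) plus the
    secret s that only Alice and Bob should know."""
    rng = random.Random(seed)          # seeded for a reproducible demo only
    a, A = dh_keypair(p, q, rng)
    b, B = dh_keypair(p, q, rng)
    s_alice = dh_shared_secret(p, B, a)
    s_bob = dh_shared_secret(p, A, b)
    if s_alice != s_bob:
        raise RuntimeError("agreement failed")
    return A, B, s_alice


def discrete_log_bruteforce(p: int, q: int, A: int):
    """Step 6 from Mallory's side: given only p, q and A, find an exponent x with
    q^x mod p == A by trying every value in turn. Feasible here only because p is
    tiny; for a 2048-bit prime this loop is the hard problem D-H rests on."""
    x, value = 0, 1
    while x < p - 1:
        if value == A:
            return x
        value = (value * q) % p
        x += 1
    return None


if __name__ == "__main__":
    for p, q in ((23, 5), (1000003, 2)):
        A, B, s = dh_exchange(p, q, seed=7)
        x = discrete_log_bruteforce(p, q, A)
        # Any exponent x with q^x == A lets Mallory compute B^x == s.
        print(f"p={p}: A={A} B={B} s={s}; Mallory recovers a={x}, s={pow(B, x, p)}")
```

The recovered exponent may be smaller than Alice's actual a when q does not generate the whole group, but it still yields the same s, which is all Mallory needs. Doubling the bit length of p squares the work of this loop, which is why the 768- and 1024-bit IKE groups are retired.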

The most notable use of D-H is in IPSec, as part of the Internet Key Exchange protocol (IKE). D-H can also be used in the Transport Layer Security (TLS) protocol to provide Perfect Forward Secrecy. This is referred to as DHE (Diffie-Hellman ephemeral mode) but is called EDH in some cipher suites.

53
Q

Digital Signature Algorithm (DSA)

A

The Digital Signature Algorithm (DSA), standardized by NIST, is an adaptation of the ElGamal signature scheme. One of the main advantages of discrete-logarithm schemes such as ElGamal and DSA over RSA is that they transfer directly to elliptic curve groups.

Elliptic curve cryptography (ECC) is another type of one-way function used to generate public/private key pairs. ECC was proposed by Neal Koblitz and Victor Miller in 1985, though they arrived at the idea independently of one another. The principal advantage of ECC over RSA is that no sub-exponential “shortcut” is known for the elliptic curve discrete logarithm problem on well-chosen curves, whereas factoring (the problem underlying RSA) has sub-exponential algorithms such as the general number field sieve. Consequently, much shorter keys give the same security: NIST rates a 256-bit ECC key as equivalent to a 3072-bit RSA key (128-bit security), and a 224-bit ECC key as equivalent to a 2048-bit RSA key. An elliptic curve group is used with the Diffie-Hellman and ElGamal/DSA constructions in place of the finite field. ECC with D-H ephemeral mode (ECDHE) provides a Perfect Forward Secrecy (PFS) mechanism for Transport Layer Security (TLS). The Elliptic Curve Digital Signature Algorithm (ECDSA) is DSA carried out over an elliptic curve group.

54
Q

Transport encryption

A

refers to encrypting data as it is sent over a network. Examples include IPSec (for any IP-based network) and other encrypted Virtual Private Network (VPN) protocols; Secure Sockets Layer/Transport Layer Security (SSL/TLS) for TCP/IP application protocols, such as HTTPS; and WPA2/WPA3 for wireless networks (WEP and the original WPA are cryptographically broken and must not be used). Key exchange is the process by which sender and receiver share the key to use for encryption. Symmetric encryption involves the sender and receiver using the same key. In this instance, transmitting the key securely is a huge problem. You could use an out-of-band transmission method, such as sending the key by courier or transmitting it verbally, but these methods increase the risk that the key will be compromised, not to mention introducing an unacceptable delay to the establishment of a secure session. It is also difficult to distribute such a key securely between more than two people.

In asymmetric encryption, because the sender and receiver use public and private keys that are linked but not derivable (no one can obtain the private key from possession of the public key), in-band key exchange (over an unencrypted channel) is straightforward, provided Alice has some way to verify that the public key she receives really belongs to Bob (see certificates and the Man-in-the-Middle attack below). Bob just tells Alice his public key. Alice uses this public key to encrypt a secret session key and sends it to Bob, confident that only Bob owns the private key that will allow the secret key to be decrypted. Alice and Bob can now send secure messages, encrypted using a symmetric cipher and a secret key that only they know.

Transport encryption often makes use of a different secret key for each session. This type of key is referred to as an ephemeral key. This improves security because even if an attacker can obtain the key for one session, the other sessions will remain confidential. This massively increases the amount of cryptanalysis that an attacker would have to perform to recover an entire “conversation.”

55
Q

perfect forward secrecy (PFS)

A

In standard SSL/TLS using RSA key exchange, the client generates the pre-master secret and encrypts it with the server’s public key taken from its certificate; the server recovers it with its private key, so the same RSA key pair serves for both authentication and key exchange. This raises the possibility that if a session has been captured by a packet sniffer, and at some point later the server’s private key is compromised, the recorded key exchange, and hence the whole session, can be decrypted.

This risk is mitigated by perfect forward secrecy (PFS). PFS uses Diffie-Hellman key agreement to create ephemeral session keys; the server’s long-term private key is used only to sign the D-H values, never to protect the session key itself. PFS can be implemented using either the Diffie-Hellman Ephemeral mode (DHE or EDH) or Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE) cipher suites. Because the D-H private values are truly ephemeral (generated per session and discarded afterwards), even if the encrypted session is recorded there is no key left to compromise later. TLS 1.3 removed RSA key exchange entirely, so every TLS 1.3 session has forward secrecy.

However, to use PFS, the server and client must negotiate use of a mutually supported cipher suite. A browser will usually try to select a PFS-compatible suite but may not support one supported by the server. Also, the server is able to “dictate” use of a preferred cipher suite and may not be set to prefer PFS. Use of Diffie-Hellman key agreement is likely to reduce server performance, though as use of PFS becomes more prevalent, faster implementations of the cipher suites are likely to be developed.

Note: In 2014, the “Heartbleed” bug was discovered in some versions of OpenSSL. It allowed a remote, unauthenticated user to read up to 64 KB of server process memory per request (http://heartbleed.com), and repeated requests could harvest the server’s private key, meaning that any communications with the server, including previously recorded sessions on non-PFS cipher suites, could be compromised. The bug had been present for around two years. This illustrates the value of PFS, but ironically many servers would have been updated to the buggy version of OpenSSL (1.0.1) precisely to gain TLS 1.2 and the PFS cipher suites that came with it.

56
Q

Some attacks depend on capturing the communications between two parties. They do not break the cryptographic system but exploit vulnerabilities in the way it is used. A Man-in-the-Middle (MitM) attack is typically focused on public key cryptography:

A
  1. Mallory eavesdrops the channel between Alice and Bob and waits for Alice to request Bob’s public key.
  2. Mallory intercepts the communication, retaining Bob’s public key, and sends his own public key to Alice.
  3. Alice uses Mallory’s key to encrypt a message and sends it to Bob.
  4. Mallory intercepts the message and decrypts it using his private key.
  5. Mallory then encrypts a message (possibly changing it) with Bob’s public key and sends it to Bob, leaving Alice and Bob oblivious to the fact that their communications have been compromised.

This attack is prevented by using secure authentication of public keys, such as associating the keys with certificates. This should ensure that Alice rejects Mallory’s public key.
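The following is an added example, not code from the original flashcards, that plays out the substitution above against an unauthenticated Diffie-Hellman exchange (the public values A and B take the role of the public keys in the steps) and then applies the fix: Alice refuses any value that is not vouched for by a trust anchor. Assumptions: the "certificate" is an HMAC under a key named TRUST_ANCHOR, standing in for a CA signature (a real CA signs with a private key and clients verify with the CA's public key), and the prime and base are toy values. Function names are this example's own.

```python
import hashlib
import hmac
import random


def mitm_on_unauthenticated_exchange(p: int, q: int, seed=None) -> dict:
    """Mallory between Alice and Bob during a D-H exchange with no authentication."""
    rng = random.Random(seed)                       # seeded for reproducibility only
    a, b, m = (rng.randrange(2, p - 1) for _ in range(3))
    A, B, M = (pow(q, x, p) for x in (a, b, m))     # public values of Alice, Bob, Mallory
    # Steps 1-2: Alice asks for Bob's value; Mallory keeps B and hands Alice M.
    # Bob, symmetrically, receives M in place of A.
    return {
        "alice": pow(M, a, p),          # Alice believes this secret is shared with Bob
        "bob": pow(M, b, p),            # Bob believes this secret is shared with Alice
        "mallory_alice": pow(A, m, p),  # step 4: Mallory can decrypt Alice's traffic
        "mallory_bob": pow(B, m, p),    # step 5: ...and re-encrypt it for Bob
    }


TRUST_ANCHOR = b"constructed stand-in for the CA signing key"   # not a real key


def certify(public_value: int) -> bytes:
    """Stand-in for a CA-issued certificate over a public value."""
    return hmac.new(TRUST_ANCHOR, public_value.to_bytes(256, "big"),
                    hashlib.sha256).digest()


def accept_public_value(public_value: int, certificate: bytes) -> bool:
    """The fix: Alice checks the certificate before using any received public value."""
    return hmac.compare_digest(certify(public_value), certificate)


def authenticated_exchange(p: int, q: int, seed=None) -> bool:
    """Same exchange, but Bob's value travels with a certificate and Mallory's cannot."""
    rng = random.Random(seed)
    a, b, m = (rng.randrange(2, p - 1) for _ in range(3))
    A, B, M = (pow(q, x, p) for x in (a, b, m))
    bob_cert = certify(B)
    mallory_cert = b"\x00" * 32        # Mallory has no trust-anchor key to sign with
    if accept_public_value(M, mallory_cert):
        raise AssertionError("forged certificate accepted")
    if not accept_public_value(B, bob_cert):
        raise AssertionError("genuine certificate rejected")
    return pow(B, a, p) == pow(A, b, p)   # Alice and Bob agree on one secret


if __name__ == "__main__":
    r = mitm_on_unauthenticated_exchange(1000003, 2, seed=5)
    print("Alice's secret is really shared with Mallory:", r["alice"] == r["mallory_alice"])
    print("Bob's secret is really shared with Mallory:", r["bob"] == r["mallory_bob"])
    print("authenticated exchange succeeds:", authenticated_exchange(1000003, 2, seed=5))
```

In the unauthenticated run neither Alice nor Bob sees an error: each completes a perfectly valid exchange, just with Mallory. The authenticated run fails closed on the substituted value, which is the property a certificate chain provides in TLS.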

A downgrade attack can be used to facilitate a Man-in-the-Middle attack by inducing the parties to negotiate a lower specification protocol with weaker ciphers and key lengths. For example, rather than TLS 1.2, which the server would prefer, the attacker interferes with the handshake until the client falls back to SSL 3.0 (the basis of the 2014 POODLE attack). Weaker cipher suites and weaker signature hashes then make it easier for Mallory to break the session or to forge the signature of a certificate authority that Alice trusts and have Alice trust his public key. Modern clients refuse to negotiate SSL 3.0 and TLS 1.0/1.1 at all, and TLS 1.3 includes explicit downgrade protection in the handshake.

A replay attack consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass-the-hash attack. This type of attack is prevented by using once-only session tokens or timestamping sessions.

Note: Attacks against the cryptographic hashes used to store passwords often depend on the user choosing an unsecure word or phrase, enabling a dictionary attack, or the password being insufficiently long, enabling a brute force attack.

57
Q

birthday attack

A

a type of brute force attack aimed at exploiting collisions in hash functions. A collision is where a function produces the same hash value for two different plaintexts. This type of attack can be used for the purpose of forging a digital signature. The attack works as follows: the attacker creates a malicious document and a benign document that produce the same hash value. The attacker submits the benign document for signing by the target. The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target’s signature. The trick here is being able to create a malicious document that outputs the same hash as the benign document. The birthday paradox means that the computational time required to do this is less than might be expected.

The birthday paradox asks how large must a group of people be so that the chance of two of them sharing a birthday is 50%. The answer is 23, but people who are not aware of the paradox often answer around 180 (365/2).

The point is that the chances of someone sharing a particular birthday are small, but the chances of any two people sharing any birthday get better and better as you add more people. The probability that at least two of N people share a birthday is:

1 − [365 × (365 − 1) × (365 − 2) × … × (365 − (N − 1))] / 365^N

To exploit the paradox, the attacker creates multiple malicious and benign documents, both featuring minor changes (punctuation, extra spaces, and so on). Depending on the length of the hash, if the attacker can generate sufficient variations, then the chance of matching hash outputs can be better than 50%. Also, far fewer variations on the message have to be discovered than in a pure brute force attack (launched by testing every possible combination).

This means that to protect against the birthday attack, hash algorithms must be collision resistant (it must be computationally infeasible to find any two inputs that produce the same output), and the output must be long enough that a search of about 2^(n/2) hashes is out of reach: a 128-bit digest such as MD5 offers at most 64-bit collision resistance, while SHA-256 offers 128-bit.

The birthday paradox method has been used successfully to exploit collisions in the MD5 function to create a rogue CA certificate that appeared to have been signed by a CA in a trusted root chain (demonstrated publicly in 2008 using a chosen-prefix collision), which is why MD5 and SHA-1 are no longer accepted for certificate signatures.
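The following is an added example, not code from the original flashcards, that implements the probability formula above and then carries out the document-variant attack described in this card against a deliberately truncated hash. Assumptions: SHA-256 cut to 24 bits stands in for a hash short enough to attack in seconds; variants are made by appending a run of spaces and tabs that encodes a counter; and the "signature" is an HMAC over the truncated digest under a key named SIGNING_KEY, standing in for the target's RSA or ECDSA signing operation (which likewise covers only the digest). The two contract texts are constructed samples.

```python
import hashlib
import hmac


def birthday_probability(n: int, space: int = 365) -> float:
    """P(at least two of n samples collide) = 1 - space(space-1)...(space-n+1) / space^n."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits; 256 gives the full digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variant(document: bytes, i: int, width: int = 24) -> bytes:
    """Variant i of a document: a trailing whitespace run encoding i in binary
    (space for 0, tab for 1). Invisible to a reader, different to the hash."""
    return document + bytes(9 if (i >> k) & 1 else 32 for k in range(width))


def find_collision(benign: bytes, malicious: bytes, bits: int = 24, limit: int = 1 << 20):
    """Grow the benign and malicious variant sets together and stop at the first
    cross-set match. Expected work is about 2^(bits/2) per side, not 2^bits."""
    benign_seen, malicious_seen = {}, {}
    for i in range(limit):
        b_doc, m_doc = variant(benign, i), variant(malicious, i)
        b_h, m_h = truncated_hash(b_doc, bits), truncated_hash(m_doc, bits)
        if b_h == m_h:
            return b_doc, m_doc, i
        if b_h in malicious_seen:
            return b_doc, malicious_seen[b_h], i
        if m_h in benign_seen:
            return benign_seen[m_h], m_doc, i
        benign_seen[b_h] = b_doc
        malicious_seen[m_h] = m_doc
    return None


SIGNING_KEY = b"constructed stand-in for the target's private key"   # not a real key


def sign(document: bytes, bits: int = 24) -> bytes:
    """Toy signature over the (truncated) digest only, as real signatures are."""
    digest = truncated_hash(document, bits).to_bytes(4, "big")
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()


def verify(document: bytes, signature: bytes, bits: int = 24) -> bool:
    return hmac.compare_digest(sign(document, bits), signature)


if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23):.4f}")          # about 0.507
    benign = b"I agree to pay 100 EUR for consulting.\n"         # constructed sample
    malicious = b"I agree to pay 100000 EUR for consulting.\n"   # constructed sample
    b_doc, m_doc, tries = find_collision(benign, malicious)
    print(f"collision after {tries + 1} variants per side (2^24 = {1 << 24} outputs)")
    sig = sign(b_doc)                  # target signs the harmless-looking variant
    print("signature transfers to malicious document:", verify(m_doc, sig))
```

The run finds a 24-bit collision after a few thousand variants per side, roughly the square root of the 16 million possible outputs, which is the birthday bound the card describes. The forged signature verifies because the signature covers only the digest. Against the full 256-bit digest the same loop would never finish, which is what collision resistance means in practice.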