Lesson 5 Basic Cryptography Concepts Flashcards
Cryptographic systems do what?
Cryptography encodes data in a way only authorized users can decode
It is NOT security by obscurity, which merely keeps something secret by hiding it
Encryption is not cryptography, it is a type of cryptography
Cryptographic algorithms
Hashing algorithms
symmetric encryption algorithm
asymmetric encryption algorithm
Hashing
like a fingerprint, one way, anti-collision
used mainly to store pass words
MD5 (message digest) older method of hashing; depricated
SHA (Security Hashing Algorithm) newer using more bits
NOT encryption
collision is when different inputs produce the same outputs - this is BAD
CAT and RAT using MD5 causes a collision and why MD5 is depricated
hashing algorithm
used to prove integrity
comparing passwords after transfer
comparing files after transfer
Hashing facts
prove integrity by:
identical inputs = identical outputs
Good:
longer outputs = less chance for collisions
longer input = less chance for collisions and more strength against cracking
salt - adding something to make password more secure against crackers, rainbow tables, collisions
Bad:
collisions - two different inputs with same output
Considered one-way encryption
Symmetric Encryption
Uses the same key to encrypt and decrypt, similar to a house key
flaw: how to share key w/out compromise
can NOT be used for authentication or integrity because the same secret can be created from the same key, both parties know the key as well
an attacker only needs to intercept the key to unlock the cypher
useful for ‘bulk’ encrypting because it is much faster then asymmetrical encryption
also called single key or shared key or private key (not asymmetrical)
Stream Ciphers
symmetrical encryption technique to encrypt streams of data
good for when message length in unknown
Block Cipher
symmetrical encryption technique dividing plaintext in to equal sized blocks of data
AES
Advanced Encryption Standard for block ciphers
Asymmetrical Encryption
Used to prove identity, authentication, non-repudiation, key agreement and key exchange
Uses key pairs and is aka Public Key exchange
important: Each key is capable of reversing the operation of its pair (private/public)
The keys are linked in such a way as to make it impossible to derive one from the other, allowing users to share the public key; private key is kept secret
- Both parties trade their public keys
- Sending encrypted messages:
Sender encrypts message with recipients public key
Recipient decrypts message with recipients private key - Signing:
Sender encrypts signature with senders private key
Recipient decrypts with senders public key
Symmetrical vs Asymmetrical - Pros/cons
Symmetrical
Pro: Much more efficient/much faster; key lengths are 128-256 bits
Con: need direct access for keys, impossible to have secure exchange
Asymmetrical
Pro: Good for unsecured connection, good key exchange; provides authentication and non-repudiation
Con: Much, much slower; key lengths are 1024-2048 bits
Do bulk in symmetrical
Do keys in asymmetrical
RSA
Algorithm for deriving key pairs and performing encrypt/decrypt operations
RSA - Rivest/Shamir/Adleman published in 1977
Also called a trapdoor function as it is easy to perform using the public key but difficult to reverse without knowing the private key
ECC
Elliptic Curve Cryptography which is also a trapdoor function
no known shortcuts to cracking the cypher as there are with RSA
can user smaller keys to obtain same security as RSA
Digital Signature
Using public key crypto with hashing
Provides integrity, authentication and non-repudiatioin
uses RSA
- sender creates hash of message and encrypts hash with private key
- sender attaches digital signature to original message
- recipient decrypts the signature using sender public key, resulting in original hash
- recipient calculates own checksum for the message, and compares the two hashes
if hashes match means message has not been altered
Sender identity is also proven, authenticated
DSA
Another digital signature algorithm but using ECC instead of RSA
Digital Envelops and key exchanges
Process to overcome the deficiencies of asymmetrical and symmetrical encryption techniques
- Sender obtains recipient (rec) public key
- Sender encrypts message using her symmetrical key (private/secret key) Also known as a session key
- Sender encrypts the session key with recipient public key (asymmetrical encryption)
- Sender attaches encrypted session key to the cipher text message in a digital envelope and sends to the recipient
- Recipient uses his private key to decrypt the session key (asymmetrical encryption)
- Recipient uses the session key to decrypt the cipher text message (symmetrical encryption)
Digital Certificate
A method for ensuring identity of the person or server issuing a public key
Uses a CA (certificate authority) as a third party to validate the owner of a public key
The CA issues a certificate signed by the CA
If the recipient trusts the CA, they can trust the public key wrapped in the subjects certificate
This process is known as PKI - public key infrastructure
Perfect Forward Secrecy
Allows two parties to derive the same secret value that an attacker cannot guess
mitigates the issue of a private key being compromised allowing previously captured transmissions to be deciphered
uses Diffie-Hellman (D-H) key agreement protocols
Cipher Suite
a signature algorithm to prove messages were created by the server
used to bulk encrypt data
uses session keys to keep data confidential
Bulk Encryption
uses symmetrical encryption AES
Key Exchange
uses asymmetrical encryption (RSA/D-H/ECC)
Signature
uses asymmetrical encryption (DSA)
Unauthenticated
does not use a hash
cannot prove integrity
vulnerable to insertion and modification attacks
Authenticated
uses a hash of the combination of the message and a shared secret
Message Authentication Code (MAC)
vulnerable to padding oracle attacks
AEAD
Authenticated Encryption with Additional Data
associates message with context to prevent replay
Hybrid encryption
Makes use of asymmetrical and symmetrical encryption
bulk uses symmetrical and protected by the public key (asymmetrical ) cryptography
File Encryption
private key encrypts the symmetric key
use of key is locked to a users account credential
Transport encryption
uses a session key exchange/agreement
MitM
Man in the Middle aka On Path Attack
interferes with public key presented to the client
Downgrade Attack
Forces server into using weak protocol versions and ciphers
Key stretching
Taking a key generated from a users password and repeatedly converts it to a longer and more random key
Uses hashing to do this
Slows the attacker down
Password-Based Key Derivation Function 2 (PBKDF2) is widely used for this purpose
PBDKDF2 is used in wifi protected Access (WPA)
Salting
a method of adding additional information to a password prior to hashing
increases difficulty for attack to ‘guess’ the password by comparing to known hash values such as dictionary words
The salt is no kept secret as the system verifying the hash must know it
Birthday attack
a brute force attack aimed at exploiting collisions in a hash function
The time is takes to create a message with the same hash as the original message does not take a much time as one might think, similar to the odds of a room of people and two people having the same birthday
Homomorphic encryption
Allows a user to decrypt the needed data without decrypting the sensitive data, like PII, allowing for user to perform actions on the data
Blockchain
uses a public ledger which is encrypted, based on non-repudiation
the ledger is shared to all users
Steganography
utilize obfuscation to hide data in plain site, such as text in an image file
