MODULE 21 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards by Guapa Guapa | Brainscape

Q

Integrity and Authenticity Securing Communications Organizations must provide support to secure the data as it travels across links.

This may include internal traffic, but it is even more important to protect the data that travels outside of the organization to branch sites, telecommuter sites, and partner sites.

A

These are the four elements of secure communications:

Data Integrity - Guarantees that the message was not altered.

Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided. Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

These are the four elements of secure communications:

Data Integrity - Guarantees that the message was not altered.

Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided. Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

A

Data Integrity :

Guarantees that the message was not altered. Any changes to data in transit will be detected.

Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

These are the four elements of secure communications:

Data Integrity - Guarantees that the message was not altered.

Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided. Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

A

Origin Authentication :

Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

These are the four elements of secure communications:

Data Integrity - Guarantees that the message was not altered.

Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided. Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

A

Data Confidentiality - :

Guarantees that only authorized users can read the message.

If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

These are the four elements of secure communications:

Data Integrity - Guarantees that the message was not altered.

Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3).

The MD5 message digest algorithm is still widely in use, however it is inherently insecure and creates vulnerabilities in a network.

The use of MD5 should be avoided. Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states.

Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).

Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time.

Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.

Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

A

Data Non-Repudiation -

Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Non-repudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.

Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Cryptographic Hash Functions

Hashes are used to verify and ensure data integrity.

Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse.

A

Grinding coffee is a good analogy of a one-way function.

It is easy to grind coffee beans, but it is almost impossible to put all of the tiny pieces back together to rebuild the original beans.

The cryptographic hashing function can also be used to verify authentication.

https://snipboard.io/I3FfsM.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Cryptographic Hash Functions Grinding coffee is a good analogy of a one-way function.

It is easy to grind coffee beans, but it is almost impossible to put all of the tiny pieces back together to rebuild the original beans.

The cryptographic hashing function can also be used to verify authentication.

https://snipboard.io/I3FfsM.jpg

A

As shown in the figure,

https://snipboard.io/I3FfsM.jpg a hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash.

The resulting hash is also sometimes called the message digest, digest, or digital fingerprint.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Cryptographic Hash Functions

As shown in the figure,

https://snipboard.io/I3FfsM.jpg a hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash.

The resulting hash is also sometimes called the message digest, digest, or digital fingerprint.

A

With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output.

Every time the data is changed or altered, the hash value also changes.

Because of this, cryptographic hash values are often called digital fingerprints.

They can be used to detect duplicate data files, file version changes, and similar applications.

These values are used to guard against an accidental or intentional change to the data, or accidental data corruption.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Cryptographic Hash Functions

With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output.

Every time the data is changed or altered, the hash value also changes.

Because of this, cryptographic hash values are often called digital fingerprints.

They can be used to detect duplicate data files, file version changes, and similar applications. These values are used to guard against an accidental or intentional change to the data, or accidental data corruption.

A

The cryptographic hash function is applied in many different situations for entity authentication, data integrity, and data authenticity purposes.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Cryptographic Hash Operation Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates.

As shown in the figure, a hash function H takes an input x and returns a fixed-size string hash value h.

https://snipboard.io/tYNFW4.jpg

A

The example in the figure

https://snipboard.io/tYNFW4.jpg summarizes the mathematical process.

A cryptographic hash function should have the following properties:

The input can be any length. The output has a fixed length. H(x) is relatively easy to compute for any given x.

H(x) is one way and not reversible.

H(x) is collision free, meaning that two different input values will result in different hash values.

If a hash function is hard to invert, it is considered a one-way hash.

Hard to invert means that given a hash value of h, it is computationally infeasible to find an input for x such that h=H(x).

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

MD5 and SHA Hash functions are used to ensure the integrity of a message.

They ensure data has not changed accidentally or intentionally. In the figure, the sender is sending a $100 money transfer to Alex.

The sender wants to ensure that the message is not accidentally altered on its way to the receiver.

Deliberate changes that are made by a threat actor are still possible.

https://snipboard.io/Mkg3cB.jpg

A

MD5 and SHA Hash functions are used to ensure the integrity of a message.

They ensure data has not changed accidentally or intentionally. In the figure, the sender is sending a $100 money transfer to Alex.

The sender wants to ensure that the message is not accidentally altered on its way to the receiver.

Deliberate changes that are made by a threat actor are still possible.

https://snipboard.io/Mkg3cB.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

There are four well-known hash functions:

MD5 with 128-bit digest SHA-1 SHA-2 SHA-3

A

MD5 with 128-bit digest :

Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message.

MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available.

It is recommended that SHA-2 or SHA-3 be used instead.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

There are four well-known hash functions:

MD5 with 128-bit digest SHA-1 SHA-2 SHA-3

A

SHA-1 :

Developed by the U.S. National Security Agency (NSA) in 1995.

It is very similar to the MD5 hash functions. Several versions exist.

SHA-1 creates a 160-bit hashed message and is slightly slower than MD5.

SHA-1 has known flaws and is a legacy algorithm.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

There are four well-known hash functions:

MD5 with 128-bit digest SHA-1 SHA-2 SHA-3

A

SHA-2 :

Developed by the NSA.

It includes SHA-224 (224 bit),

SHA-256 (256 bit),

SHA-384 (384 bit), and

SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384,

and SHA-512 algorithms should be used whenever possible.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

There are four well-known hash functions:

MD5 with 128-bit digest SHA-1 SHA-2 SHA-3

A

SHA-3 :

SHA-3 is the newest hashing algorithm and was introduced by NIST as an alternative and eventual replacement for the SHA-2 family of hashing algorithms.

SHA-3 includes SHA3-224 (224 bit),

SHA3-256 (256 bit),

SHA3-384 (384 bit),

and SHA3-512 (512 bit).

The SHA-3 family are next-generation algorithms and should be used whenever possible.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

SHA-3 :

SHA-3 is the newest hashing algorithm and was introduced by NIST as an alternative and eventual replacement for the SHA-2 family of hashing algorithms.

SHA-3 includes SHA3-224 (224 bit),

SHA3-256 (256 bit),

SHA3-384 (384 bit), and

SHA3-512 (512 bit).

The SHA-3 family are next-generation algorithms and should be used whenever possible.

A

While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor.

There is no unique identifying information from the sender in the hashing procedure.

This means that anyone can compute a hash for any data, as long as they have the correct hash function.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor.

There is no unique identifying information from the sender in the hashing procedure.

This means that anyone can compute a hash for any data, as long as they have the correct hash function.

A

For example, when the message traverses the network, a potential attacker could intercept the message, change it, recalculate the hash, and append it to the message.

The receiving device will only validate against whatever hash is appended.

Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data.

To provide integrity and origin authentication, something more is required.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Origin Authentication To add origin authentication and integrity assurance, use a keyed-hash message authentication code (HMAC).

HMAC uses an additional secret key as input to the hash function.

Note: Other Message Authentication Code (MAC) methods are also used.

However, HMAC is used in many systems including SSL, IPsec, and SSH.

A

– HMAC HASHING ALGORITHM

– CREATING THE HMAC VALUE

– VERIFYING THE HMAC VALUE

– CISCO ROUTER HMAC EXAMPLE

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

– HMAC HASHING ALGORITHM

– CREATING THE HMAC VALUE

– VERIFYING THE HMAC VALUE

– CISCO ROUTER HMAC EXAMPLE

A

HMAC HASHING ALGORITHM :

As shown in the figure, an HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Hash functions are the basis of the protection mechanism of HMACs.

Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key.

Only parties who have access to that secret key can compute the digest of an HMAC function.

This defeats man-in-the-middle attacks and provides authentication of the data origin.

If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message.

This is because the other party possesses the secret key.

https://snipboard.io/EMQSXa.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

– HMAC HASHING ALGORITHM

– CREATING THE HMAC VALUE

– VERIFYING THE HMAC VALUE

– CISCO ROUTER HMAC EXAMPLE

A

CREATING THE HMAC VALUE:

As shown in the figure, the sending device inputs data (such as Terry Smith’s pay of $100 and the secret key) into the hashing algorithm and calculates the fixed-length HMAC digest.

This authenticated digest is then attached to the message and sent to the receiver.

https://snipboard.io/lPLZDO.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

– HMAC HASHING ALGORITHM

– CREATING THE HMAC VALUE

– VERIFYING THE HMAC VALUE

– CISCO ROUTER HMAC EXAMPLE

A

VERIFYING THE HMAC VALUE :

In the figure, the receiving device removes the digest from the message and uses the plaintext message with its secret key as input into the same hashing function.

If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered.

Additionally, the origin of the message is authenticated because only the sender possesses a copy of the shared secret key.

The HMAC function has ensured the authenticity of the message.

https://snipboard.io/1yULY4.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

– HMAC HASHING ALGORITHM

– CREATING THE HMAC VALUE

– VERIFYING THE HMAC VALUE

– CISCO ROUTER HMAC EXAMPLE

A

CISCO ROUTER HMAC EXAMPLE :

The figure shows how HMACs are used by Cisco routers that are configured to use Open Shortest Path First (OSPF) routing authentication.

R1 is sending a link state update (LSU) regarding a route to network 10.2.0.0/16: R1 calculates the hash value using the LSU message and the secret key.

The resulting hash value is sent with the LSU to R2. R2 calculates the hash value using the LSU and its secret key.

R2 accepts the update if the hash values match. If they do not match, R2 discards the update.

https://snipboard.io/Loy6am.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Confidentiality Data Confidentiality

There are two classes of encryption used to provide data confidentiality;

asymmetric and symmetric.

These two classes differ in how they use keys.

A

Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key.

Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key.

Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).

A

Note:

DES is a legacy algorithm and should not be used. 3DES should be avoided if possible. The figure highlights some differences between symmetric and asymmetric encryption.

https://snipboard.io/dO0W7S.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.

A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.

A

To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system.

In this example, Alice wants to send a secret message to Bob.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system.

In this example, Alice wants to send a secret message to Bob.

A

In the figure, Alice and Bob have identical keys to a single padlock.

These keys were exchanged prior to sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob.

The message is safely locked inside the box as the box makes its way through the post office system.

When Bob receives the box, he uses his key to unlock the padlock and retrieve the message.

Bob can use the same box and padlock to send a secret reply back to Alice.

https://snipboard.io/XpOlrK.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to sending any secret messages.

Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob.

The message is safely locked inside the box as the box makes its way through the post office system. When Bob receives the box, he uses his key to unlock the padlock and retrieve the message.

Bob can use the same box and padlock to send a secret reply back to Alice.

https://snipboard.io/XpOlrK.jpg

A

Today, symmetric encryption algorithms are commonly used with VPN traffic.

This is because symmetric algorithms use less CPU resources than asymmetric encryption algorithms. This allows the encryption and decryption of data to be fast when using a VPN.

When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key.

Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a minimum key length of 128 bits should be used. Use a longer key for more secure communications.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use less CPU resources than asymmetric encryption algorithms.

This allows the encryption and decryption of data to be fast when using a VPN. When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key.

Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a minimum key length of 128 bits should be used. Use a longer key for more secure communications.

A

Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher.

Click the buttons to learn about these two cipher modes.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher.

Click the buttons to learn about these two cipher modes. :

BLOCK CIPHERS AND STREAM CIPHERS

A

BLOCK CIPHERS :

Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits.

Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size.

https://snipboard.io/wNjKdT.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Symmetric Encryption Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher.

Click the buttons to learn about these two cipher modes. :

BLOCK CIPHERS AND STREAM CIPHERS

A

STREAM CIPHERS :

Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are basically a block cipher with a block size of one byte or bit.

Stream ciphers are typically faster than block ciphers because data is continuously encrypted.

Examples of stream ciphers include RC4 and A5 which is used to encrypt GSM cell phone communications.

https://snipboard.io/UHZFBO.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

A

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

A

Data Encryption Standard (DES) :

This is a legacy symmetric encryption algorithm. It uses a short key length that makes it insecure for most current uses.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

A

3DES (Triple DES) :

The is the replacement for DES and repeats the DES algorithm process three times.

It should be avoided if possible as it is scheduled to be retired in 2023.

If implemented, use very short key lifetimes.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

A

Advanced Encryption Standard (AES)

AES is a popular and recommended symmetric encryption algorithm.

It offers combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data blocks.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

A

Software-Optimized Encryption Algorithm (SEAL) SEAL is a faster alternative symmetric encryption algorithm to AES.

SEAL is a stream cypher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Well-known symmetric encryption algorithms are described below:

Symmetric Encryption Algorithms:

– Data Encryption Standard (DES)

– 3DES (Triple DES)

– Advanced Encryption Standard (AES)

– Software-Optimized Encryption Algorithm (SEAL)

– Rivest ciphers (RC) series algorithms

A

Rivest ciphers (RC) series algorithms This algorithm was developed by Ron Rivest.

Several variations have been developed, but RC4 was the most prevalent in use.

RC4 is a stream cipher that was used to secure web traffic.

It has been found to have multiple vulnerabilities which have made it insecure.

RC4 should not be used.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Asymmetric Encryption

Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure.

The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.

A

Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure.

The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.

Asymmetric Encryption Example

https://snipboard.io/6HFTSI.jpg

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Asymmetric Encryption Asymmetric algorithms use a public key and a private key.

Both keys are capable of the encryption process, but the complementary paired key is required for decryption.

The process is also reversible.

Data that is encrypted with the public key requires the private key to decrypt.

Asymmetric algorithms achieve confidentiality and authenticity by using this process.

A

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Asymmetric Encryption

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

A

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Examples of protocols that use asymmetric key algorithms include:

– Internet Key Exchange (IKE)

– Secure Socket Layer (SSL)

– Secure Shell (SSH)

– Pretty Good Privacy (PGP)

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Examples of protocols that use asymmetric key algorithms include:

– Internet Key Exchange (IKE)

– Secure Socket Layer (SSL)

– Secure Shell (SSH)

– Pretty Good Privacy (PGP)

A

Internet Key Exchange (IKE) :

This is a fundamental component of IPsec VPNs.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Examples of protocols that use asymmetric key algorithms include:

– Internet Key Exchange (IKE)

– Secure Socket Layer (SSL)

– Secure Shell (SSH)

– Pretty Good Privacy (PGP)

A

Secure Socket Layer (SSL) :

This is now implemented as IETF standard Transport Layer Security (TLS).

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Examples of protocols that use asymmetric key algorithms include:

– Internet Key Exchange (IKE)

– Secure Socket Layer (SSL)

– Secure Shell (SSH)

– Pretty Good Privacy (PGP)

A

Secure Shell (SSH):

This protocol provides a secure remote access connection to network devices.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Because neither party has a shared secret, very long key lengths must be used.

Asymmetric encryption can use key lengths between 512 to 4,096 bits.

Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Examples of protocols that use asymmetric key algorithms include:

– Internet Key Exchange (IKE)

– Secure Socket Layer (SSL)

– Secure Shell (SSH)

– Pretty Good Privacy (PGP)

A

Pretty Good Privacy (PGP):

This computer program provides cryptographic privacy and authentication.

It is often used to increase the security of email communications.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Asymmetric Encryption

Asymmetric algorithms are substantially slower than symmetric algorithms.

Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.

A

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

How well did you know this?

1

Not at all

2

3

4

5

Perfectly

Q

Asymmetric Encryption

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

A

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

Q

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

A

Diffie-Hellman (DH) :

Key Length : 512, 1024, 2048, 3072, 4096

The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other.

The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.

Q

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

A

Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

Key Length : 512 - 1024 DSS specifies DSA as the algorithm for digital signatures.

DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification.

Q

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

A

Rivest, Shamir, and Adleman encryption algorithms (RSA):

Key Length : 512 to 2048 RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers.

It is the first algorithm known to be suitable for signing, as well as encryption.

It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

Q

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

A

EIGamal :

Key Length : 512 - 1024

An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement.

A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message and for this reason it is only used for small messages such as secret keys.

Q

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange.

However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Common examples of asymmetric encryption algorithms are described below:

– Diffie-Hellman (DH)

– Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)

– Rivest, Shamir, and Adleman encryption algorithms (RSA)

– EIGamal

– Elliptic curve techniques

A

Elliptic curve techniques

Key Length : 224 or higher Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal.

The main advantage of elliptic curve cryptography is that the keys can be much smaller.

Q

Asymmetric Encryption -

Confidentiality Asymmetric algorithms are used to provide confidentiality without pre-sharing a password.

The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key.

A

Asymmetric algorithms are used to provide confidentiality without pre-sharing a password.

The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key.

The process can be summarized using the formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality

Q

Asymmetric Encryption -

Confidentiality Asymmetric algorithms are used to provide confidentiality without pre-sharing a password.

The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key.

The process can be summarized using the formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality

A

When the public key is used to encrypt the data, the private key must be used to decrypt the data.

Only one host has the private key; therefore, confidentiality is achieved.

If the private key is compromised, another key pair must be generated to replace the compromised key.

Click the buttons to view how the private and public keys can be used to provide confidentiality to the data exchange between Bob and Alice.

Q

When the public key is used to encrypt the data, the private key must be used to decrypt the data.

Only one host has the private key; therefore, confidentiality is achieved.

If the private key is compromised, another key pair must be generated to replace the compromised key.

Click the buttons to view how the private and public keys can be used to provide confidentiality to the data exchange between Bob and Alice.

A

Alice acquires Bob’s public key:

Alice requests and obtains Bob’s public key.

https://snipboard.io/Mbz9Cs.jpg

Q

Alice acquires Bob’s public key: Alice requests and obtains Bob’s public key.

https://snipboard.io/Mbz9Cs.jpg

A

Alice acquires Bob’s public key:

Alice requests and obtains Bob’s public key.

https://snipboard.io/Mbz9Cs.jpg

Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm.

Alice sends the encrypted message to Bob.

https://snipboard.io/3oHi9E.jpg

Q

Alice acquires Bob’s public key:

Alice requests and obtains Bob’s public key.

https://snipboard.io/Mbz9Cs.jpg

Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm.

Alice sends the encrypted message to Bob.

https://snipboard.io/3oHi9E.jpg

A

Alice acquires Bob’s public key:

Alice requests and obtains Bob’s public key :

https://snipboard.io/Mbz9Cs.jpg

Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm. Alice sends the encrypted message to Bob.

https://snipboard.io/3oHi9E.jpg

Bob decrypts message with private key: Bob then uses his private key to decrypt the message.

Since Bob is the only one with the private key, Alice’s message can only be decrypted by Bob and thus confidentiality is achieved.

https://snipboard.io/ZGeTB4.jpg

Q

Asymmetric Encryption - Authentication The authentication objective of asymmetric algorithms is initiated when the encryption process is started with the private key.

The process can be summarized using the formula:

Private Key (Encrypt) + Public Key (Decrypt) = Authentication

A

When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data.

Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender.

Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message.

When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is.

This is a form of authentication.

Q

Asymmetric Encryption -

Authentication When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data.

Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender.

Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message.

When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is.

This is a form of authentication.

A

Alice uses her private key Alice encrypts a message using her private key.

Alice sends the encrypted message to Bob. Bob needs to authenticate that the message did indeed come from Alice.

https://snipboard.io/zftL2Z.jpg

Bob requests the public key: In order to authenticate the message, Bob requests Alice’s public key.

https://snipboard.io/GvDpJU.jpg

Bob decrypts using the public key: Bob uses Alice’s public key to decrypt the message.

https://snipboard.io/nmKYRt.jpg

Q

Asymmetric Encryption -

Integrity Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity.

A

The following example will be used to illustrate this process.

In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.

Q

Asymmetric Encryption -

Integrity Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity.

The following example will be used to illustrate this process. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.

A

Alice sus Bob’s public key : Alice wants to send a message to Bob ensuring that only Bob can read the document.

In other words, Alice wants to ensure message confidentiality. Alice uses the public key of Bob to cipher the message.

Only Bob will be able to decipher it using his private key.

https://snipboard.io/ZNF4fa.jpg

Alice encrypts a hash using her private key: Alice also wants to ensure message authentication and integrity.

Authentication ensures Bob that the document was sent by Alice, and integrity ensures that it was not modified Alice uses her private key to cipher a hash of the message.

Alice sends the encrypted message with its encrypted hash to Bob.

https://snipboard.io/aRldo5.jpg

Bobs uses Alice’s public key to decrypt the hash: Bob uses Alice’s public key to verify that the message was not modified.

The received hash is equal to the locally determined hash based on Alice’s public key. Additionally, this verifies that Alice is definitely the sender of the message because nobody else has Alice’s private key.

https://snipboard.io/P1ov5r.jpg

Bob uses his private key to decrypt the message: Bob uses his private key to decipher the message.

https://snipboard.io/er6PCc.jpg

Q

Diffie-Hellman Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before.

The new shared key is never actually exchanged between the sender and receiver.

However, because both parties know it, the key can be used by an encryption algorithm to encrypt traffic between the two systems.

A

Here are two examples of instances when DH is commonly used:

Data is exchanged using an IPsec VPN SSH data is exchanged To help illustrate how DH operates, refer to the figure.

https://snipboard.io/d2Lcgn.jpg

Q

Diffie-Hellman Here are two examples of instances when DH is commonly used:

Data is exchanged using an IPsec VPN SSH data is exchanged To help illustrate how DH operates, refer to the figure.

https://snipboard.io/d2Lcgn.jpg

A

The colors in the figure will be used instead of complex long numbers to simplify the DH key agreement process.

The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed-on color in our example is yellow.

Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue.

These secret colors will never be shared with anyone. The secret color represents the chosen secret private key of each party.

Q

Diffie-Hellman The colors in the figure will be used instead of complex long numbers to simplify the DH key agreement process.

The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed-on color in our example is yellow.

Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue. These secret colors will never be shared with anyone.

The secret color represents the chosen secret private key of each party.

A

Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a public color.

Therefore, Alice will mix the yellow with her red color to produce a public color of orange. Bob will mix the yellow and the blue to produce a public color of green.

Alice sends her public color (orange) to Bob and Bob sends his public color (green) to Alice.

Alice and Bob each mix the color they received with their own, original secret color (Red for Alice and blue for Bob.).

The result is a final brown color mixture that is identical to the partner’s final color mixture. The brown color represents the resulting shared secret key between Bob and Alice.

Q

Diffie-Hellman Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a public color. Therefore, Alice will mix the yellow with her red color to produce a public color of orange.

Bob will mix the yellow and the blue to produce a public color of green. Alice sends her public color (orange) to Bob and Bob sends his public color (green) to Alice.

Alice and Bob each mix the color they received with their own, original secret color (Red for Alice and blue for Bob.).

The result is a final brown color mixture that is identical to the partner’s final color mixture. The brown color represents the resulting shared secret key between Bob and Alice.

A

The security of DH is based on the fact that it uses very large numbers in its calculations.

For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits.

Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309-digit decimal numbers.

Q

Diffie-Hellman The security of DH is based on the fact that it uses very large numbers in its calculations.

For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits.

Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309-digit decimal numbers.

A

Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process. The higher group numbers are more secure, but require additional time to compute the key.

The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value:

DH Group 1: 768 bits

DH Group 2: 1024 bits

DH Group 5: 1536 bits

DH Group 14: 2048 bits

DH Group 15: 3072 bits

DH Group 16: 4096 bits

Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.

Q

Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process.

The higher group numbers are more secure, but require additional time to compute the key.

The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value:

DH Group 1: 768 bits

DH Group 2: 1024 bits

DH Group 5: 1536 bits

DH Group 14: 2048 bits

DH Group 15: 3072 bits

DH Group 16: 4096 bits

Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.

A

Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption.

This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.

Q

Public Key Cryptography

Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Digital signatures have specific properties that enable entity authentication and data integrity.

In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place.

Digital signatures use asymmetric cryptography.

A

explore properties of digital signatures.:

– AUTHENTIC

– UNALTERABLE

– NOT REAUSABLE

– NON-REPUDIATED

Q

Public Key Cryptography

Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction.

In other words, the digital signature serves as legal proof that the data exchange did take place.

Digital signatures use asymmetric cryptography. explore properties of digital signatures.:

– AUTHENTIC

– UNALTERABLE

– NOT REAUSABLE

– NON-REPUDIATED

A

AUTHENTIC :

The signature cannot be forged and provides proof that the signer, and no one else, signed the document.

Q

Public Key Cryptography

Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction.

In other words, the digital signature serves as legal proof that the data exchange did take place.

Digital signatures use asymmetric cryptography. explore properties of digital signatures.:

– AUTHENTIC

– UNALTERABLE

– NOT REAUSABLE

– NON-REPUDIATED

A

UNALTERABLE :

After a document is signed, it cannot be altered.

Q

Public Key Cryptography

Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction.

In other words, the digital signature serves as legal proof that the data exchange did take place.

Digital signatures use asymmetric cryptography. explore properties of digital signatures.:

– AUTHENTIC

– UNALTERABLE

– NOT REAUSABLE

– NON-REPUDIATED

A

NOT REAUSABLE :

The document signature cannot be transferred to another document.

Q

Public Key Cryptography

Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction.

In other words, the digital signature serves as legal proof that the data exchange did take place.

Digital signatures use asymmetric cryptography. explore properties of digital signatures.:

– AUTHENTIC

– UNALTERABLE

– NOT REAUSABLE

– NON-REPUDIATED

A

NON-REPUDIATED :

The signed document is considered to be the same as a physical document.

The signature is proof that the document has been signed by the actual person.

Q

Digital signatures are commonly used in the following two situations:

– Code signing

– Digital certificates

A

Code signing:

This is used for data integrity and authentication purposes.

Code signing is used to verify the integrity of executable files downloaded from a vendor website.

It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.

Q

Digital signatures are commonly used in the following two situations:

– Code signing

– Digital certificates

A

Digital certificates:

These are similar to a virtual ID card and used to authenticate the identity of system with a vendor website and establish an encrypted connection to exchange confidential data.

Q

There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:

– Digital Signature Algorithm (DSA)

– Rivest-Shamir Adelman Algorithm (RSA)

– Elliptic Curve Digital Signature Algorithm (ECDSA)

A

Digital Signature Algorithm (DSA) :

DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.

Q

There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:

– Digital Signature Algorithm (DSA)

– Rivest-Shamir Adelman Algorithm (RSA)

– Elliptic Curve Digital Signature Algorithm (ECDSA)

A

Rivest-Shamir Adelman Algorithm (RSA) :

RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.

Q

There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:

– Digital Signature Algorithm (DSA)

– Rivest-Shamir Adelman Algorithm (RSA)

– Elliptic Curve Digital Signature Algorithm (ECDSA)

A

Elliptic Curve Digital Signature Algorithm (ECDSA) :

ECDSA is a newer variant of DSA and provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth.

In the 1990s, RSE Security Inc. started to publish public-key cryptography standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of the time of this writing.

RSE published these standards because they had the patents to the standards and wished to promote them.

PKCS are not industry standards, but are well recognized in the security industry and have recently begun to become relevant to standards organizations such as the IETF and PKIX working-group.

Q

Digital Signatures for Code Signing

Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code.

Executable files are wrapped in a digitally signed envelope, which allows the end user to verify the signature before installing the software.

A

Digitally signing code provides several assurances about the code:

The code is authentic and is actually sourced by the publisher.

The code has not been modified since it left the software publisher.

The publisher undeniably published the code.

This provides nonrepudiation of the act of publishing.

Q

Digital Signatures for Code Signing

The US Government Federal Information Processing Standard (FIPS) Publication 140-3, specifies that software available for download on the internet is to be digitally signed and verified.

A

The purpose of digitally signed software is to ensure that the software has not been tampered with, and that it originated from the trusted source as claimed.

Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.

Q

The purpose of digitally signed software is to ensure that the software has not been tampered with, and that it originated from the trusted source as claimed.

Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.

Click the buttons to access the properties of a file that has a digitally signed certificate.

A

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

Q

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

A

File Properties :

This executable file was downloaded from the internet.

The file contains a software tool from Cisco Systems.

https://snipboard.io/A0WHML.jpg

Q

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

A

Digital Signatures :

Clicking the Digital Signatures tab reveals that the file is from a trusted organization, Cisco Systems Inc.

The file digest was created with the sha256 algorithm.

The date on which the file was signed is also provided.

Clicking Details opens the Digital Signatures Details window.

https://snipboard.io/WLy2qC.jpg

Q

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

A

Digital Signatures Details :

The Digital Signature Details window reveals that the file was signed by Cisco Systems, Inc in October of 2019.

This was verified by countersignature provided by Entrust Time Stamping Authority on the same day as it was signed by Cisco.

Click View Certificate to see the details of the certificate itself.

https://snipboard.io/OGXTlY.jpg

Q

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

A

Certificate Information

The General tab provides the purposes of the certificate, who the certificate was issued to, and who issued the certificate.

It also displays the period for which the certificate is valid. Invalid certificates can prevent the file from running.

https://snipboard.io/PkY2ob.jpg

Q

Click the buttons to access the properties of a file that has a digitally signed certificate. :

– File Properties

– Digital Signatures

– Digital Signatures Details

– Certificate Information

– Certification Path

A

Certification Path :

Click the Certification Path tab to see the file was signed by Cisco Systems, as verified to DigiCert.

In some cases an additional entity may independently verify the certificate.

https://snipboard.io/456d8p.jpg

Q

Digital Signatures for Digital Certificates

A digital certificate is equivalent to an electronic passport. It enables users, hosts, and organizations to securely exchange information over the Internet.

Specifically, a digital certificate is used to authenticate and verify that a user who is sending a message is who they claim to be.

Digital certificates can also be used to provide confidentiality for the receiver with the means to encrypt a reply.

A

Digital certificates are similar to physical certificates.

For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate in the figure identifies who the certificate is issued to, who authorized the certificate, and for how long the certificate is valid.

Digital certificates also provide similar information.

https://snipboard.io/L27hwq.jpg

Q

Digital certificates are similar to physical certificates.

For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate in the figure identifies who the certificate is issued to, who authorized the certificate, and for how long the certificate is valid.

Digital certificates also provide similar information.

https://snipboard.io/L27hwq.jpg

A

The digital certificate independently verifies an identity.

Digital signatures are used to verify that an artifact, such as a file or message, is sent from the verified individual.

In other words, a certificate verifies identity, a signature verifies that something comes from that identity.

Q

The digital certificate independently verifies an identity.

Digital signatures are used to verify that an artifact, such as a file or message, is sent from the verified individual.

In other words, a certificate verifies identity, a signature verifies that something comes from that identity.

A

This scenario will help you understand how a digital signature is used.

Bob is confirming an order with Alice. Alice is ordering from Bob’s website.

Alice has connected with Bob’s website, and after the certificate has been verified, the Bob’s certificate is stored on Alice’s website.

The certificate contains Bob’s public key. The public key is used to verify the Bob’s digital signature. Refer to the figure to see how the digital signature is used.

https://snipboard.io/lIw2kQ.jpg

Q

Authorities and the PKI Trust System

Public Key Management Internet traffic consists of traffic between two parties.

When establishing an asymmetric connection between two hosts, the hosts will exchange their public key information.

A

An SSL certificate is a digital certificate that confirms the identity of a website domain. To implement SSL on your website, you purchase an SSL certificate for your domain from an SSL Certificate provider.

The trusted third party does an in-depth investigation prior to the issuance of credentials. After this in-depth investigation, the third-party issues credentials (i.e. digital certificate) that are difficult to forge.

From that point forward, all individuals who trust the third party simply accept the credentials that the third-party issues.

When computers attempt to connect to a web site over HTTPS, the web browser checks the website’s security certificate and verifies that it is valid and originated with a reliable CA.

This validates that the website identify is true. The certificate is saved locally by the web browser and is then used in subsequent transactions.

The website’s public key is included in the certificate and is used to verify future communications between the website and the client.

Q

An SSL certificate is a digital certificate that confirms the identity of a website domain. To implement SSL on your website, you purchase an SSL certificate for your domain from an SSL Certificate provider.

The trusted third party does an in-depth investigation prior to the issuance of credentials. After this in-depth investigation, the third-party issues credentials (i.e. digital certificate) that are difficult to forge.

From that point forward, all individuals who trust the third party simply accept the credentials that the third-party issues.

When computers attempt to connect to a web site over HTTPS, the web browser checks the website’s security certificate and verifies that it is valid and originated with a reliable CA.

This validates that the website identify is true. The certificate is saved locally by the web browser and is then used in subsequent transactions.

The website’s public key is included in the certificate and is used to verify future communications between the website and the client.

A

These trusted third parties provide services similar to governmental licensing bureaus. The figure illustrates how a driver’s license is analogous to a digital certificate.

https://snipboard.io/Diwbd5.jpg

The Public Key Infrastructure (PKI) consists of specifications, systems, and tools that are used to create, manage, distribute, use, store, and revoke digital certificates.

The certificate authority (CA) is an organization that creates digital certificates by tying a public key to a confirmed identify, such as a website or individual.

The PKI is an intricate system that is designed to safeguard digital identities from hacking by even the most sophisticated threat actors or nation states.

Some examples of Certificate Authorities are IdenTrust, DigiCert, Sectigo, GlobalSign, and GoDaddy. These CAs charge for their services.

Let’s Encrypt is a non-profit CA that offers certificates free of charge.

Q

The Public Key Infrastructure PKI is needed to support large-scale distribution and identification of public encryption keys.

The PKI framework facilitates a highly scalable trust relationship.

A

It consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.

The figure shows the main elements of the PKI.

https://snipboard.io/r4XEZy.jpg

Q

It consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.

The figure shows the main elements of the PKI.

https://snipboard.io/r4XEZy.jpg

The next figure shows how the elements of the PKI interoperate: In this example, Bob has received his digital certificate from the CA.

This certificate is used whenever Bob communicates with other parties. Bob communicates with Alice.

When Alice receives Bob’s digital certificate, she communicates with the trusted CA to validate Bob’s

identity. https://snipboard.io/zbHier.jpg

A

The next figure shows how the elements of the PKI interoperate: In this example, Bob has received his digital certificate from the CA.

This certificate is used whenever Bob communicates with other parties. Bob communicates with Alice. When Alice receives Bob’s digital certificate, she communicates with the trusted CA to validate Bob’s identity.

https://snipboard.io/zbHier.jpg

Note: Not all PKI certificates are directly received from a CA. A registration authority (RA) is a subordinate CA and is certified by a root CA to issue certificates for specific uses.

Q

The PKI Authorities System Many vendors provide CA servers as a managed service or as an end-user product.

Some of these vendors include Symantec Group (VeriSign), Comodo, Go Daddy Group, GlobalSign, and DigiCert among others. Organizations may also implement private PKIs using Microsoft Server or Open SSL.

CAs, especially those that are outsourced, issue certificates based on classes which determine how trusted a certificate is.

A

The table provides a description of the classes. The class number is determined by how rigorous the procedure was that verified the identity of the holder when the certificate was issued.

The higher the class number, the more trusted the certificate.

Therefore, a class 5 certificate is trusted much more than a lower-class certificate.

CLASS 0 - Used for testing in situations in which no checks have been performed.

CLASS 1 - Used by individuals who require verification of email.

CLASS 2 - Used by organizations for which proof of identity is required.

CLASS 3 - Used for servers and software signing. Independent verification and checking of identity and authority is done by the certificate authority.

CLASS 4 - Used for online business transactions between companies.

CLASS 5 - Used for private organizations or government security.

Q

The table provides a description of the classes. The class number is determined by how rigorous the procedure was that verified the identity of the holder when the certificate was issued. The higher the class number, the more trusted the certificate.

Therefore, a class 5 certificate is trusted much more than a lower-class certificate.

CLASS 0 - Used for testing in situations in which no checks have been performed.

CLASS 1 - Used by individuals who require verification of email.

CLASS 2 - Used by organizations for which proof of identity is required.

CLASS 3 - Used for servers and software signing. Independent verification and checking of identity and authority is done by the certificate authority.

CLASS 4 - Used for online business transactions between companies.

CLASS 5 - Used for private organizations or government security.

A

For example, a class 1 certificate might require an email reply from the holder to confirm that they wish to enroll. This kind of confirmation is a weak authentication of the holder.

For a class 3 or 4 certificate, the future holder must prove identity and authenticate the public key by showing up in person with at least two official ID documents.

Some CA public keys are preloaded, such as those listed in web browsers. The figure displays various VeriSign certificates contained in the certificate store on the host.

Any certificates signed by any of the CAs in the list will be seen by the browser as legitimate and will be trusted automatically.

https://snipboard.io/slWPNU.jpg

Note: An enterprise can also implement PKI for internal use. PKI can be used to authenticate employees who are accessing the network. In this case, the enterprise is its own CA.

Q

The PKI Trust System PKIs can form different topologies of trust.

The simplest is the single-root PKI topology.

A

As shown in the figure below, a single CA, called the root CA, issues all the certificates to the end users, which are usually within the same organization.

The benefit to this approach is its simplicity.

However, it is difficult to scale to a large environment because it requires a strictly centralized administration, which creates a single point of failure.

Single-Root PKI Topology:

https://snipboard.io/wPmzc0.jpg

Q

On larger networks, PKI CAs may be linked using two basic architectures:

Cross-certified CA topologies - As shown in the figure below, this is a peer-to-peer model in which individual CAs establish trust relationships with other CAs by cross-certifying CA certificates.

Users in either CA domain are also assured that they can trust each other.

This provides redundancy and eliminates the single-point of failure.

Cross-Certified CA:

https://snipboard.io/rGH7ek.jpg

A

On larger networks, PKI CAs may be linked using two basic architectures:

Cross-certified CA topologies - As shown in the figure below, this is a peer-to-peer model in which individual CAs establish trust relationships with other CAs by cross-certifying CA certificates.

Users in either CA domain are also assured that they can trust each other.

This provides redundancy and eliminates the single-point of failure.

Cross-Certified CA:

https://snipboard.io/rGH7ek.jpg

Q

Hierarchical CA topologies - As shown in the figure below, the highest-level CA is called the root CA.

It can issue certificates to end users and to a subordinate CA. The sub-CAs could be created to support various business units, domains, or communities of trust.

The root CA maintains the established “community of trust” by ensuring that each entity in the hierarchy conforms to a minimum set of practices.

The benefits of this topology include increased scalability and manageability. This topology works well in most large organizations.

However, it can be difficult to determine the chain of the signing process. A hierarchical and cross-certification topology can be combined to create a hybrid infrastructure.

An example would be when two hierarchical communities want to cross-certify each other in order for members of each community to trust each other.

Hierarchical CA:

https://snipboard.io/blWPO1.jpg

A

Hierarchical CA topologies - As shown in the figure below, the highest-level CA is called the root CA.

It can issue certificates to end users and to a subordinate CA. The sub-CAs could be created to support various business units, domains, or communities of trust.

The root CA maintains the established “community of trust” by ensuring that each entity in the hierarchy conforms to a minimum set of practices.

The benefits of this topology include increased scalability and manageability. This topology works well in most large organizations.

However, it can be difficult to determine the chain of the signing process. A hierarchical and cross-certification topology can be combined to create a hybrid infrastructure.

An example would be when two hierarchical communities want to cross-certify each other in order for members of each community to trust each other.

Hierarchical CA:

https://snipboard.io/blWPO1.jpg

Q

Interoperability of Different PKI

Vendors Interoperability between a PKI and its supporting services, such as Lightweight Directory Access Protocol (LDAP) and X.500 directories, is a concern because many CA vendors have proposed and implemented proprietary solutions instead of waiting for standards to develop.

Note: LDAP and X.500 are protocols that are used to query a directory service, such as Microsoft Active Directory, to verify a username and password.

A

To address this interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527).

The X.509 version 3 (X.509 v3) standard defines the format of a digital certificate.

Refer to the figure for more information about X.509 v3 applications.

As shown in the figure, the X.509 format is already extensively used in the infrastructure of the internet. X.509v3 Applications

https://snipboard.io/aYrfqV.jpg

Q

Certificate Enrollment, Authentication, and Revocation The first step in the CA (CERTIFICATE AUTHORITY) authentication procedure is to securely obtain a copy of the CA’s public key.

All systems that leverage the PKI must have the CA’s public key, which is called the self-signed certificate.

The CA public key verifies all the certificates issued by the CA and is vital for the proper operation of the PKI.

Note: Only a root CA can issue a self-signed certificate that is recognized or verified by other CAs within the PKI.

A

For many systems such as web browsers, the distribution of CA certificates is handled automatically.

The web browser comes pre-installed with a set of public CA root certificates.

Organizations and their website domains push their public certificates to website visitors.

CAs and certificate domain registrars create and distribute private and public certificates to clients that purchase certificates.

Q

For many systems such as web browsers, the distribution of CA certificates is handled automatically.

The web browser comes pre-installed with a set of public CA root certificates.

Organizations and their website domains push their public certificates to website visitors.

CAs and certificate domain registrars create and distribute private and public certificates to clients that purchase certificates.

A

The certificate enrollment process is used by a host system to enroll with a PKI. To do so, CA certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using the telephone.

The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate for itself and to get the CA’s self-signed certificate.

The final stage verifies that the CA certificate was authentic and is performed using an out-of-band method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA identity certificate.

Q

The certificate enrollment process is used by a host system to enroll with a PKI. To do so, CA certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using the telephone.

The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate for itself and to get the CA’s self-signed certificate.

The final stage verifies that the CA certificate was authentic and is performed using an out-of-band method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA identity certificate.

A

Authentication no longer requires the presence of the CA server, and each user exchanges their certificates containing public keys.

Certificates must sometimes be revoked.

For example, a digital certificate can be revoked if key is compromised or if it is no longer needed.

Here are two of the most common methods of revocation: Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)

Q

Authentication no longer requires the presence of the CA server, and each user exchanges their certificates containing public keys.

Certificates must sometimes be revoked.

For example, a digital certificate can be revoked if key is compromised or if it is no longer needed.

Here are two of the most common methods of revocation: Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)

A

Certificate Revocation List (CRL) :

A list of revoked certificate serial numbers that have been invalidated because they expired.

PKI entities regularly poll the CRL repository to receive the current CRL.

Q

Authentication no longer requires the presence of the CA server, and each user exchanges their certificates containing public keys.

Certificates must sometimes be revoked.

For example, a digital certificate can be revoked if key is compromised or if it is no longer needed.

Here are two of the most common methods of revocation:

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

A

Online Certificate Status Protocol (OCSP) :

An internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate.

Revocation information is immediately pushed to an online database.

Q

Applications and Impacts of Cryptography PKI Applications Where can PKI be used by an enterprise?

The following provides a short list of common uses of PKIs:

SSL/TLS certificate-based peer authentication

Secure network traffic using IPsec VPNs HTTPS

Web traffic Control access to the network using 802.1x authentication

Secure email using the S/MIME protocol

Secure instant messaging

Approve and authorize applications with Code Signing Protect user data with the Encryption File System (EFS)

Implement two-factor authentication with smart cards

Securing USB storage devices

A

Applications and Impacts of Cryptography PKI Applications Where can PKI be used by an enterprise?

The following provides a short list of common uses of PKIs:

SSL/TLS certificate-based peer authentication

Secure network traffic using IPsec VPNs HTTPS

Web traffic Control access to the network using 802.1x authentication

Secure email using the S/MIME protocol

Secure instant messaging

Approve and authorize applications with Code Signing Protect user data with the Encryption File System (EFS)

Implement two-factor authentication with smart cards

Securing USB storage devices

Q

Encrypted Network Transactions

A security analyst must be able to recognize and solve potential problems related to permitting PKI-related solutions on the enterprise network.

Consider how the increase of SSL/TLS traffic poses a major security risk to enterprises because the traffic is encrypted and cannot be intercepted and monitored by normal means.

Users can introduce malware or leak confidential information over an SSL/TLS connection.

A

Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.

Other SSL/TLS-related issues may be associated with validating the certificate of a web server.

When this occurs, web browsers will display a security warning.

PKI-related issues that are associated with security warnings include:

– Validity date range

– Signature validation error

Q

Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.

Other SSL/TLS-related issues may be associated with validating the certificate of a web server.

When this occurs, web browsers will display a security warning.

PKI-related issues that are associated with security warnings include:

– Validity date range

– Signature validation error

A

Validity date range :

The X.509v3 certificates specify “not before” and “not after” dates.

If the current date is outside the range, the web browser displays a message.

Expired certificates may simply be the result of administrator oversight, but they may also reflect more serious conditions.

Q

Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.

Other SSL/TLS-related issues may be associated with validating the certificate of a web server.

When this occurs, web browsers will display a security warning.

PKI-related issues that are associated with security warnings include:

– Validity date range

– Signature validation error

A

Signature validation error :

If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic.

Signature validation will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate store.

Q

Encrypted Network Transactions

The figure shows an example of a signature validation error with the Cisco AnyConnect Mobility VPN Client.

Signature Validation Error

A

Encrypted Network Transactions

The figure shows an example of a signature validation error with the Cisco AnyConnect Mobility VPN Client.

Signature Validation Error

https://snipboard.io/PECwqX.jpg

Q

Encrypted Network Transactions The figure shows an example of a signature validation error with the Cisco AnyConnect Mobility VPN Client.

Signature Validation Error

https://snipboard.io/PECwqX.jpg

A

Some of these issues can be avoided due to the fact that the SSL/TLS protocols are extensible and modular.

This is known as a cipher suite.

The key components of the cipher suite are the Message Authentication Code Algorithm (MAC), the encryption algorithm, the key exchange algorithm, and the authentication algorithm.

These can be changed without replacing the entire protocol. This is very helpful because the different algorithms continue to evolve.

As cryptanalysis continues to reveal flaws in these algorithms, the cipher suite can be updated to patch these flaws.

When the protocol versions within the cipher suite change, the version number of SSL/TLS changes as well.

Q

Encryption and Security Monitoring

Network monitoring becomes more challenging when packets are encrypted.

However, security analysts must be aware of those challenges and address them as best as possible.

For instance, when site-to-site VPNs are used, the IPS should be positioned so it can monitor unencrypted traffic.

A

However, the increased use of HTTPS in the enterprise network introduces new challenges.

Since HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to peek into user traffic.

Q

Encryption and Security Monitoring Security analysts must know how to circumvent and solve these issues.

Here is a list of some of the things that a security analyst could do: Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic.

Enhance security through server certificate validation using CRLs and OCSP. Implement antimalware protection and URL filtering of HTTPS content.

Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.

A

Cryptography is dynamic and always changing.

A security analyst must maintain a good understanding of cryptographic algorithms and operations to be able to investigate cryptography-related security incidents.

Q

There are two main ways in which cryptography impacts security investigations.

First, attacks can be directed to specifically target the encryption algorithms themselves.

After the algorithm has been cracked and the attacker has obtained the keys, any encrypted data that has been captured can be decrypted by the attacker and read, thus exposing private data. S

econdly, the security investigation is also affected because data can be hidden in plain sight by encrypting it.

A

For example, command and control traffic that is encrypted with TLS/SSL most likely cannot be seen by a firewall.

The command and control traffic between a command and control server and an infected computer in a secure network cannot be stopped if it cannot be seen and understood.

The attacker would be able to continue using encrypted commands to infect more computers and possibly create a botnet.

This type of traffic can be detected by decrypting the traffic and comparing it with known attack signatures, or by detecting anomalous TLS/SSL traffic.

This is either very difficult and time consuming, or a hit-or-miss process.