zzDomain 3 - Cryptographic concepts | Crypto Attacks | PKI Infrastructure Flashcards
Symmetric Encryption - Strengths
Speed, and strength per bit of key
Symmetric Encryption - Weakness
Key must be shared securely
Symmetric Encryption - Stream Cipher
Each bit is independently encrypted
Symmetric Encryption - Block cipher
Blocks of data are encrypted
Initialization Vector
Symmetric Encryption
Encryption step. Used on Symmetric ciphers to ensure that the first block of data is random
Cipher Block Chaining (feedback in stream modes)
Uses the ciphertext from the previous block to XOR the next block.
First block uses an Initialization Vector.
DES Encryption type
Symmetric
DES
Data Encryption Standard
DES Encryption dates
1976 US Fed standard
DES Encryption, who designed
IBM, based on older Lucifer symmetric cipher
DES Encryption, block size
64 bit
DES Encryption, key size
56 bit
DES Modes
5 modes:
- Electronic Code Book - ECB
- Cipher Block Chaining - CBC
- Cipher Feedback - CFB
- Output Feedback - OFB
- Counter Mode - CTR
DES ECB
Electronic Code Book
No initialization vector
Susceptible to replay attacks.
DES CBC
Cipher Block Chaining
- Block Mode
- XORs previous block as seed to next block
- First encrypted block is IV for next.
- Errors propagate. An error in one block propagates everywhere
DES CFB
Cipher Feedback
- Stream
- Uses feedback to destroy patterns
- Uses IV
- Errors propagate
DES - OFB
Output Feedback
- XORs previous block as seed to next block
- Stream cipher
- Uses subkey before it is XORed to plaintext
- Subkey is not affected by Encryption errors
- Errors don’t propagate
DES CTR
Counter
- Uses a counter
- Errors don’t propagate
Double DES
Repeat the process twice
Triple DES
Applies DES three times per block before moving to next block
2TDES
Two triple DES. Uses 1 key to encrypt, another to ‘decrypt’ and again key 1 to encrypt.
Key length of 112 bits
3TDES
Strongest form, three triple DES
168 bits in key length
IDEA Encryption/Cipher Type
International Data Encryption Algorithm.
Symmetric Block Cipher
IDEA Key Size
128
IDEA block size
64 bit
IDEA - good or bad?
Held up to cryptanalysis
IDEA - drawback
Patent encumbrance and slow speed
AES
Advanced Encryption Standard
AES Key Size
128 bit with 10 rounds of encryption
192 bit with 12 rounds of encryption
256 bit with 14 rounds of encryption
AES Block size
128 bit
AES Functions
SubBytes
ShiftRows
MixColumns
AddRoundKey
AES data State
4 Rows of 4, 16 byte blocks
AES SubBytes
Uses substitution to add confusion
AES ShiftRows
Shifts the rows to add confusion
AES MixColumns
Provides diffusion by mixing the columns of the state via finite field mathematics.
AES AddRoundKey
Final function
XORs the state with the subkey
Blowfish cipher type
Symmetric
Blowfish Key size and block
Default 128. Variable 32 through 448
64 bit blocks
Twofish
128 bit blocks
128-256 bit keys
RC5 and RC6 designed by
RSA Labs
RC5 block size
32, 64, 128
RC5 key size
0-2040 bits
RC6
Based on RC5
128 bit blocks
RC6 key size
128, 192, 256
Asymmetric Encryption Pros
Solves issues around preshared keys
Asymmetric key how many
Two. Public/private key pair
Asymmetric one-way functions
Easy to compute one way. VERY difficult to reverse
Asymmetric, factoring prime numbers
Relies on strength of composite number. Example: 6269 x 7883 = 49418527.
To crack, you must factor 49418527 to find which two prime numbers are factors.
Discrete logarithm
Basis of the Diffie-Hellman and ElGamal asymmetric algs
Diffie-Hellman Key agreement protocol
Allows two parties to securely agree on a symmetric key via a public channel
Diffie-Hellman
Type of key exchange that is secure. If an attacker sniffs the whole conversation, they still can’t obtain the key.
Elliptic Curve Cryptography
Type of encryption.
Uses a one-way function that uses discrete logarithms
Stronger than discrete logarithms
Uses less computational power
Asymmetric and Symmetric tradeoffs
Asymmetric - slower, weaker on equal sized keys. Pro: no need for preshared key
Both types are often used together
Symmetric - faster, weak due to pre-shared keys.
Hash Functions
Encryption using algorithm and NO KEY
One Way. Because impossible to reverse
Variable length plaintext is hashed into a fixed length hash
Collisions
This is what happens if two separate, and non-identical inputs to a hash algorithm result in identical hashes.
MD5
Message Digest 5
128 bit hash value based on any input length. Prone to collisions
MD5 creator
Ronald Rivest
MD6
Message Digest 6
Newest version of the MD family of hashes - published in 2008
SHA - Secure Hash Alg
Series of Hash algs
SHA1
160 bit hash value
SHA3
Announced as successor in 2015
HAVAL
Hash of variable length. Uses design principles of MD family
HAVAL Hash lengths
128, 160, 192, 224, 256
HAVAL number of rounds
3, 4, 5
Crypto attacks
Used by cryptanalysts to recover plaintext
Brute force
Trying every possible combination. Will work eventually
Known Plaintext
If I know an input and output, I can potentially guess a key.
Chosen Plaintext and adaptive chosen plaintext
Analyst chooses plaintext to be encrypted.
Analyst then changes further rounds of encryption based on previous round
Chosen Ciphertext and adaptive chosen ciphertext
Mirror version of chosen plaintext/adaptive plaintext
Meet in the middle attack
Read up on this.
Known Key
Analyst knows something about the key, and can use that to reduce efforts used to attack it.
Differential Cryptanalysis
Seeks to find the difference between related plaintexts that are encrypted. Uses stat analysis to search for signs of non-randomness.
Linear Cryptanalysis
When you have a lot of plaintext and ciphertext - pairs are studied to find information about the key.
Side Channel Attacks
Use physical data to break cryptosystem. Monitoring CPU cycles or power consumption used while encrypting/decrypting.
Birthday Attack
Create hash collisions and break the key
Key clustering
Two different symmetric keys on same plaintext produce same ciphertext
Digital signatures
Method of authentication and non-repudiation.
Process:
- Sender hashes their message, and appends hash to email
- Sender then encrypts entire email using their private key.
- Receiver decrypts message using public key (they now know the sender is authentic - only the sender could have encrypted).
- Receiver then hashes the message on their own - if the hash is the same as appended to the email they know that integrity has been preserved.
HMAC
READ UP ON
PKI Public Key Infrastructure
Leverages all three forms of encryption. Digital certs.
Cert Authorities
Digital certs are signed by CAs
They authenticate identity of orgs before issuing a cert
May be private, or public
Cert Revocation lists
Lists revoked certs. Maintained by CAs
IPSec
Suite of protocols to provide cryptographic security for IPv4 and IPv6. Used to build VPNs
IPSec primary protocols
AH - Authentication Header
ESP - Encapsulating Security Payload
IPSec Supporting protocols
ISAKMP, and IKE
ISAKMP
Internet Security Association and Key Management Protocol
IKE
Internet Key Exchange
AH
Authentication header provides authentication and integrity for each packet of net data.
NO CONFIDENTIALITY
ESP
Provides confidentiality by encrypting packet data
IPSec Security Association (ISAKMP)
One-way/simplex connection used to negotiate ESP or AH parameters. Each ESP and AH session results in a Security Association (so, up to 4 SAs may be in each two-way VPN)
ISAKMP is the protocol that manages SA creation.
SA Identification index
Identifies the SA. 32 bits
ESP Tunnel mode
Encrypts everything
ESP Transport mode
Only encrypts data, not IP headers. May use AH to authenticate the unencrypted headers.
IKE vs ISAKMP
IKE - Encryption algorithm negotiation protocol. Allows both sides to select and agree upon the best encryption that both sides support.
ISAKMP - Manages Security Associations.
IKE
Another way to manage key exchanges. Both sides will use IKE to negotiate the fastest and highest security level.
SSL and TLS
TLS succeeds SSL. Commonly used for HTTPS. Encrypted out of the gate. Uses asymmetric encryption to exchange a key, for a subsequent symmetric session.
PGP
Pretty Good Privacy.
PGP year
1991
PGP
Uses web-of-trust instead of cert authority.
S/MIME
Email encryption and authentication
Escrowed Encryption
Splits private key into two or more parts. Will only release their part of the key on a court order.
Clipper Chip
Name of tech used in the Escrowed Encryption Standard. Allows backdoor to govt while encrypting voice.
Steganography
Science of hidden communication. Hiding information into other media.
Digital watermarks
Encode data in a file. Watermark is probably hidden
Mantrap
Two doors requiring separate authentication to open
Bollard
Post designed to stop a car
Smart card
Physical access card containing integrated circuit
Tailgating
Following an auth person into building w/o providing creds
Perimeter defenses
Fence, doors, walls, locks
Class 1 gate
Residential
Class 2 gate
Commercial, general access
Class 3 gate
Industrial limited access - loading dock for 18 wheeler
Class 4 gate
Restricted access. Prison or airport
Lights
Detective and/or deterrent
Vigenère cipher
- Vigenère cipher
  - Polyalphabetic
  - Repeated 26 times to form a matrix
Jefferson disks
- Tommy J
- 36 wooden disks
Caesar cipher
- Caesar cipher
  - Monoalphabetic
  - Simple substitution
  - Rotated 3 times
Book cipher and running key cipher
- Book cipher and running key cipher
  - Use well-known texts as the basis for keys
Codebooks
Assign codeword for important people/locations/terms
One time pad
- Uses identical paired pads
- One page is used to encrypt, the same page to decrypt
- Pages are then discarded, never reused
- Only one mathematically proven to be secure
Vernam cipher
- First known one time pad
- Named after Gilbert Vernam
- Used bits before computers
- One-time pad bits were also XORed to the plaintext bits
Project VENONA
- Broke KGB encryption in 1940s
- KGB used one time pads
- KGB violated one of the three rules though
- Reused pads.
Hebern Machines and PURPLE
- Class of cryptographic devices
- Large manual typewriter-looking devices electrified with rotors
- Used through WWII
ENIGMA
doi
SIGABA
- Rotor machine used by US through 1950s
- More complex and covered weaknesses of the Enigma
- Large, complex and heavy
- Never known to be broken
PURPLE
Japanese version of Enigma
COCOM
- Coordinating Committee for Multilateral Export Controls
- Designed to control export of critical technologies to Iron Curtain countries
Wassenaar Arrangement
- After COCOM ended
- Created in 1996
- Many Iron Curtain countries included
- Relaxed restriction on exporting cryptography.
DEA
Data Encryption Algorithm described by DES (Data Encryption Standard)
PKI standard
X.509
CAs and ORAs
Certificate Authority (Issues Certs)
Organizational Registration Authority (authenticates client certs)
OCSP
Online Certificate Status Protocol - Replacement for CRL (Cert Revocation Lists). Scales better than CRL
CRL
Certificate Revocation Lists
PGP encryption type
Symmetric