6.1
Understand block ciphers
A block cipher is a solution that works against a complete static data set. That data set is broken into fixed-length segments called blocks, and each block is encrypted separately.
Understand digital signatures
A digital signature is an electronic mechanism used to prove that a message was sent from a specific user and that the message wasn't changed while in transit. Digital signatures operate using a hashing algorithm and either a symmetric or an asymmetric encryption solution.
Understand password crackers
A password cracker is a tool used to reverse-engineer the secured storage of passwords in order to gain (or regain) access to an unknown or forgotten password. There are four well-known types of password-cracking techniques: dictionary, brute force, hybrid, and precomputed hash.
Understand software key storage
A software solution offers flexible storage mechanisms and, often, customizable options. However, a software solution is vulnerable to electronic attacks (viruses or intrusions), may not properly control access (privilege-elevation attacks), and may be deleted or destroyed. Most software solutions rely on the security of the host OS, which may not be sufficient.
Understand stream ciphers
A stream cipher is a solution that works against data that is constantly being produced on the fly. Stream ciphers can operate on a bit, character, or buffer basis of encrypting data in real time. A buffer, much like a block, waits to be filled by data as it's produced. When the buffer block is full, that block is encrypted and then transmitted to the receiver.
Understand VPNs
A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted.
Know how cryptosystems can be used to achieve authentication goals
Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric cryptosystems.
Understand centralized key management
Centralized key management gives complete control of cryptographic keys to the organization and takes control away from the end users. In a centralized management solution, copies of all cryptographic keys are stored in escrow.
Understand the role confidentiality plays in cryptosystems
Confidentiality is one of the major goals of cryptography. It protects the secrecy of data while it's at rest and in transit. Confidentiality can be assured by both symmetric and asymmetric cryptosystems.
Understand key storage
Cryptographic keys and digital certificates should be stored securely. If a private key (asymmetric) or a secret key (symmetric) is ever compromised, then the security of all data encrypted with the key is lost.
Understand hardware key storage
Hardware solutions aren't as flexible as software solutions; however, they're more reliable and more secure. Hardware solutions may be expensive and are subject to physical theft. If a user isn't in physical possession of the hardware storage solution, they can't gain access to the secured or encrypted resources. Some common examples of hardware key storage solutions include smart cards and flash memory drives.
Understand the role integrity plays in cryptosystems
Integrity provides the recipient of a message with the assurance that data wasn't altered (intentionally or unintentionally) between the time it was created and the time it was accessed. Integrity can be assured by both symmetric and asymmetric cryptosystems.
Understand key escrow
Key escrow is a storage process in which copies of private keys and/or secret keys are retained by a centralized management system. This system securely stores the encryption keys as a means of insurance or recovery in the event of a lost or corrupted key.
Understand L2TP
Layer Two Tunneling Protocol (L2TP) is based on PPTP and L2F, supports any LAN protocol, uses UDP port 1701, and often uses IPsec for encryption.
Know VPN protocols
PPTP, L2TP, and IPsec are VPN protocols.
Know the Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) utilizes the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths and block sizes of 128, 192, and 256 bits to achieve a much higher level of security than that provided by the older DES algorithm.
Understand birthday attacks
The birthday attack exploits a mathematical property that if the same mathematical function is performed on two values and the result is the same, then the original values are the same. This concept is often represented with the syntax f(M)=f(M') then M=M'.
Know common hash algorithms
The common hash algorithms are Secure Hash Algorithm (SHA-1), which is a 160-bit hash value; Message Digest 5 (MD5), which is a 128-bit hash value; Message Digest 4 (MD4), which is a 128-bit hash value; and Message Digest 2 (MD2), which is a 128-bit hash value.
Know common symmetric cryptography solutions
The common symmetric solutions are Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), Blowfish, Twofish, Rivest Cipher 5 (RC5), and Carlisle Adams/Stafford Tavares (CAST-128).
Understand ephemeral keys
An ephemeral key is a key generated at the time of need for use in a short or temporary time frame. An ephemeral key might be used only once or could be used for a communication session before being discarded. Most session keys are (or at least should be) ephemeral.
Understand asymmetric cryptography
Asymmetric cryptography is also called public-key cryptography. It uses key pairs consisting of a public key and a private key. Each communication partner in an asymmetric cryptography solution needs only a key pair.
Know the strengths and weaknesses of asymmetric cryptography
Asymmetric cryptography is scalable. The private key of the key pair must be kept private and secure. The public key of the key pair is distributed freely and openly. Possession of the public key doesn't allow someone to generate the private key. Asymmetric cryptography is much slower than symmetric cryptography. It provides three security services: authentication, integrity protection, and non-repudiation.
Know how brute-force and dictionary attacks work
Brute-force and dictionary attacks are carried out against a password database file or the logon prompt of a system. They're designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack.
Understand hashing attacks
Hashing can be attacked using reverse engineering, reverse hash matching, or a birthday attack. These attack methods are commonly used by password-cracking tools.
Understand hashing
Hashing is used to produce a unique data identifier. Hashing takes a variable-length input and produces a fixed-length output. It can be performed in only one direction. The hash value is used to detect violations of data integrity.
Understand IPsec
IPsec is a security architecture framework that supports secure communication over IP. IPsec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks. IPsec uses two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).
Understand M of N control
If the environment doesn't warrant the trust of a single key-recovery agent, a mechanism known as M of N control can be implemented. M of N control indicates that there are multiple key-recovery agents (M) and that a specific minimum number of these key-recovery agents (N) must be present and working in tandem in order to extract keys from the escrow database.
Understand private-key protection
In a symmetric system, all entities in possession of the shared secret key must protect the privacy and secrecy of that key. If the key is compromised anywhere or by anyone, the entire solution (all entities using the same key) is compromised (everything protected by that key).
Understand decentralized key management
In decentralized key management, end users generate their keys (whether symmetric or asymmetric) and submit keys only as needed to centralized authorities. The end user's private key is always kept private, so they're the only entity in possession of it.
Understand authentication
In relation to cryptography, authentication is the security service that verifies the identity of the sender or receiver of a message.
Understand the use of multiple key pairs
In some situations, you may use multiple key pairs. One key set might be used for authentication and encryption and the other for digital signatures. This allows the first key pair to be escrowed and included on data backups of a centralized key-management scheme. The second key set is then protected from compromise, and the privacy of the owner's digital signature is protected, preventing misuse and forgery.
Know key-management basics
Keys should be long enough to provide the necessary level of protection, should be stored and transmitted securely, should be random, and should use the full spectrum of the keyspace. In addition, they should be escrowed, be properly destroyed at the end of their lifetime, be used in correspondence with the sensitivity of the protected data, and have a shortened use lifespan if they're used repeatedly.
Understand non-repudiation
Non-repudiation prevents the sender of a message or the perpetrator of an activity from being able to deny that they sent the message or performed the activity.
Understand the importance of providing non-repudiation capability in cryptosystems
Non-repudiation provides undeniable proof that the sender of a message actually authored it. It prevents the sender from subsequently denying that they sent the original message. Non-repudiation is possible only with asymmetric cryptosystems.
Understand password guessing
Password guessing is an attack aimed at discovering the passwords employed by user accounts. It's often called password cracking. There are two primary categories of password-guessing tools based on the method used to select possible passwords for a direct logon prompt or birthday attack procedure: brute force and dictionary.
Understand perfect forward secrecy
Perfect forward secrecy is a means of ensuring that the compromise of an entity's digital certificates or public/private key pairs don't compromise the security of any session's keys. Perfect forward secrecy is implemented by using ephemeral keys for each and every session; these keys are generated at the time of need and used for only a specific period of time or volume of data transfer before being discarded and replaced.
Understand PPTP
Point-to-Point Tunneling Protocol (PPTP) is based on PPP, is limited to IP traffic, and uses TCP port 1723. PPTP supports PAP, SPAP, CHAP, EAP, and MS-CHAP v.1 and v.2.
Be familiar with the three major public-key cryptosystems
RSA is the most famous public-key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends on the difficulty of factoring the product of prime numbers. ElGamal is an extension of the Diffie-Hellman key-exchange algorithm that depends on modular arithmetic. The elliptic curve algorithm depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length.
Understand session keys
Session keys are encryption keys used for a communications session. Typically, session keys are randomly selected (or generated) and then used for only one session.
Understand steganography
Steganography is a process by which one communication is hidden inside another communication.
Understand symmetric cryptography
Symmetric cryptography is also called private-key cryptography or secret-key cryptography. Symmetric cryptography uses a single shared encryption key to encrypt and decrypt data. It provides the security service with confidentiality protection.
Know the strengths and weaknesses of symmetric cryptography
Symmetric cryptography is very fast when compared to asymmetric cryptography. It provides for strong encryption protection when larger keys are used. However, the protection is secure only as long as the keys are kept private. Key exchange under symmetric cryptography is a common problem. Symmetric cryptography isn't scalable when used alone.
Know the differences between symmetric and asymmetric cryptosystems
Symmetric-key cryptosystems (or secret-key cryptosystems) rely on the use of a shared secret key. They're much faster than asymmetric algorithms, but they lack support for scalability, easy key distribution, and non-repudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.
Know the common applications of cryptography to secure web activity
The de facto standard for secure web traffic is the use of HTTP over Secure Sockets Layer (SSL), otherwise known as HTTPS. Secure HTTP (S-HTTP) also plays an important role in protecting individual messages. Most web browsers support both standards.
Know the common applications of cryptography to secure electronic mail
The emerging standard for encrypted messages is the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. The other popular email security protocol is Phil Zimmerman's Pretty Good Privacy (PGP).
Be familiar with the basic terminology of cryptography
When a sender wants to transmit a private message to a recipient, the sender takes the plaintext (unencrypted) message and encrypts it using an algorithm and a key. This produces a ciphertext message that is transmitted to the recipient. The recipient then uses a similar algorithm and key to decrypt the ciphertext and re-create the original plaintext message for viewing.
Understand in-band vs
out-of-band key exchange.In-band key exchange takes place in the existing and established communication channel or pathway. Out-of-band key exchange takes place outside of the current communication channel or pathway, such as through a secondary channel, via a special secured exchange technique in the channel, or with a complete separate pathway technology.