Moudle 15-16 Cryptographic Services
Public Key Infrastructure (PKI)
Asymmetric encryption algorithm based on the assumption that the two communicating parties have not previously shared a secret key
Brute-force method
Attack tries every possible key knowing that eventually one of them will work
Guarantees that a message comes from the source that it claims to come from
Authentication
In banking, it can be achieved by requiring a secure personal identification number (PIN) at an ATM
Authentication
Three primary objectives of securing communications?
Authentication, Integrity, Confidentiality
Key Generation
Automated generation of akey.
Symmetric keys
Can be exchanged between two routers supporting a VPN
Frequency analysis of English alphabet
Characters in the English alphabet that is used more often than others. The letters E,T,A are the most popular letters The letters J,Q,X,Z are the least popular.
OTP inner workings
Combines character by character with the plaintext message to produce the ciphertext. To decipher the ciphertext, the same paper tape key was again combined character by character, producing the plaintext. It's only supposed to used once, if used correctly it's immune to an cryptanalytic attack.
A key is required to encrypt and decrypt a message
Confidentiality
Encryption and hashing are used to make certain that only authorized entities can read the message
Confidentiality
Ensures privacy so that only receiver can read the message.
Confidentiality
SHA-1
Creates a 160-bit hashed message is slightly slower than MD5. Known flaws and is a legacy algorithm
Ciphertext
Encrypted version is called encrypted text
Key
Encrypts and decrypts a message.
Hash function
Ensures data confidentiality, transforms a string of characters into a usually shorter, fixed-length value or key that represents the original string
Refer to Chart 3. What is the plaintext value for the encrypted text FMVMXIBKGVW?
F = U M = N V = E M = N X = C I = R B = Y K = P G = T V = E W D UNENCRYPTED
Ex key length and key size
2^2 bit (2^2 key length) and has a key space of 4 because 4 possible keys
keyspace and key length examples
3 bit (2^3) key length increase = keyspace of 8. Eight possible keys. (000, 001, 010, 011, 100, 101, 110, 111) 4-bit (2^4) key length = keyspace of 16 possible keys 40-bit(2^40) key length = keyspace of 1,099,511,627,776 possible keys.
Confidentiality algorithms
3DES (legacy), Advanced Encryption Security (AES)
DES keyspace
56 bits keys has a keyspace of more than 72,000,000,000,000,000.
Refer to Chart 2 What is the encrypted text for the word AUTHENCITY?
A = U U = O T = N H = B E = Y N = H C = W I = C T = N Y = S
MD5 hashing
Guarantees that no one intercepted the message and altered it
Data Confidentiality
Guarantees that only authorized users can read the message. Implemented using symmetric and asymmetric encryption.
Most attacks are focused on ___
The key management level, rather than at the cryptographic algorithm itself
What happens when the key length increases?
The keyspace also increase. 2bit (2^2) key length has a keyspace of 4.
Confidentiality
This guarantees that if the message if captured, it cannot be deciphered. The receiver can read the message. This is provided using symmetric or asymmetric encryption algorithms
Complex Substitution cipher
Using the Vigenere Cipher Table, you can use a secret key (SECRETKEY) and then intersect those letters with your plain text, which creates a cipher text The F(Flank is encoded by looking at the intersection of column F and the row starting with S (SECRETKEY), resulting in the cipher letter x.
History of cryptanalysis
Vigenere was broken in the 19th century by English cryptographer Charles Babbage Mary Queen of Scots was plotting to overthrow Queen Elizabeth I from the throne, her scheme was found out and was beheaded in 1587. Enigma-encrypted communications were used by the Germans to navigate and direct their U-boats in the Atlantic.
Key Verification
Weak keys can be identified and regenerated to provide a more secure encryption.
Storing between hashing and encryption
With encrypted text, data can be decrypted with a key. With the hash function, after the data is entered and converted using the hash function, the plaintext is gone. Hashed data is there for comparison. Ex. User enters a password, password is hashed and then compared to the stored hashed value. If user forgets the password, it is impossible to decrypt the stored value, and the password must be reset.
A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration?
confidentiality
What objective of secure communications is achieved by encrypting data?
confidentiality
What is the practice and study of determining the meaning of encrypted information, without access to the shared secret key?
cryptanalysis
What is the term for when a device cannot refute the validity of a message that it has received?
non repudiation
Methods of cracking code
Brute-force method Ciphertext method Known-Plaintext method Chosen-Plaintext method Chosen-Ciphertext method Meet-int-the-Middle method
authenticity versus non repudiation
Data exchange between two computer of the same company versus a data exchange between a customer and an e-commerce website
What are two objectives of ensuring data integrity?
Data is not changed by unauthorized entities, Data is unaltered during transit
SHA-2
Developed by the NSA SHA-224(224 bit) SHA-256(256 bits) SHA-384(384 bit) SHA-512(512 bit) The SHA-256, SHA-384, SHA-512 should be used whenever possible
verifying the HMAC value
Digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered. Sender can be authenticated, because they have a copy of the shared secret key.
Authentication methods
Entering a PIN, data non repudiation which means that a device cannot repudiate or refute the validity of a message sent.
Key Revocation and Destruction
Erases old keys in a way that malicious attacks can't recover them and also alerts all interested parties that a certain key has been compromised.
Data integrity trivia
European nobility ensured data integrity of documents by creating wax seals to close an envelope, as shown in the figure. The seal was often cretaed using a signet ring. These bore the family crest, initials, a portrait or a personal symbol or motto of the owner of the signet ring.
What is computationally infeasible for hash functions?
For two different sets of data to come up with the same hash output. hash values changes every time the data is changed or altered. Also called digital signatures due to the ability to detect duplicate data files, file version changes, and similar applications.
Origin authentication
Guarantees that the message is not a forgery and does actually comes from whom it states
Data nonrepudiation
Guarantees that the sender cannot repudiate, or refute, the validity of a message sent THEY CANNOT DENY THAT THIS IS NOT THEM
Origin Authentication protocols
HMAC (Hash based message authentication code)
Authenticity Protocols
HMAC-MD5 (legacy), HMAC-SHA-256, RSA and DSA
Refer to chart 3 What is the encrypted value of the word INTEGRITY
I = R N = M T = G E = V G = T R = I I = R T = G Y = B
Brute Force scenarios
If a thief attempted to steal a bicycle secured with the combination lock displayed in the figure, they would have to attempt a maximum of 10,000 different possibilities (0000 to 9999) On average brute-force attacks succeeds about 50 percent of the way throught the keyspace, which the set o fall possible keys
Cryptology
Is the science of making and breaking secret codes. Cryptology = crytography + cryptanalysis
How do you prove that algorithm is secure?
It can proven that it is not vulnerable to known crypt analytic attacks. Therefore there is a need for mathematicians, scholars, and security forensics experts to keep trying to break the encryption methods.
Cryptographic Hash Functions
It's easy to grind coffee beans, but it's impossible to put the tiny pieces back together. Plaintext goes into a hash function which takes this variable block of binary block and produced a fixed-length, condensed representation, called the hash. The resulting hash is also sometimes called message digest, digest or digital fingerprint.
Key length
Key size, measured in hits
What does it mean that the security of the encryption lies within the __
Keys, not the algorithm. With most modern algorithms, successful decryption requires knowledge of the appropriate cryptographic keys.
Integrity Protocols
MD5 (legacy, faster tho), Hash Algorithm 2 (SHA2 or SHA).
Hash functions
MD5 with 128-bit digest Developed by Ron Rivest and used in in variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. (SHA-2 or SHA3 should be used)
Key Storage
Modern OS, keys are stored in memory. Possible problem is when a Trojan Horse is installed, the PC of a user could have access to the private keys of the user.
History of cryptology
National security organizations employ practitioners of both disciplines and put them to work against each other. Hundred Years War between France and England, the cryptanalysts were leading the cryptographers, and then the British cracked it. Successful cracking of encrypted codes and messages had a major impact on the outcome of World War II, currently it is believed that cryptographers are in the lead.
Weak keys identification
Producing 16 identical subkeys. This occurs when the key bits are alternating ones and zeroes (0101010101010) Alternating F and E (FEFEFEFEFEFEFE) E0E0E0E0E0E0E0E0 1F1F1F1F1F0E0E0E0E
Difficulties of OTP
Random data isn't truly random, computers have a mathematical foundation and aren't capable of creating random data. Key is easy to break if used more than once, RC4 is an exmaple of this cipher that is widely used on the internet.
Plaintext
Readable data
Key Lifetime
Short key life improves the security of legacy ciphers. In IPsec 24-hours lifetime is typical, however 30 mins improves the security of algorithms as well.
Key Exchange
Should provide a secure key exchange mechanism that allows secure agreement on the keying material with the other party
Chosen-Plaintext method
The attacker chooses which data the encryption device encrypts and observes the ciphertext output
Known-Plaintext method
The attacker has access to the ciphertext of several messages and knows something about the plaintext underlying that ciphertext
Meet-in-the-Middle method
The attacker knows a portion of the plaintext and the corresponding ciphertext
Cryptanalysis
The breaking of these codes
Cryptography
The development and use of codes
What is cryptology?
The science of making and breaking secret codes
Integrity
This guarantees that no one intercepted the message and altered it; similar to a checksum function in a frame. This is provided by the implementing the SHA-2 or SHA-3 family of hash-generating algorithms
Authentication
This guarantees that the message is not a forgery and actually comes from the authentic source. Modern networks ensure authentication using hash message authentication code (HMAC)
What is the purpose of a nonrepudiation service in secure communications?
To ensure that the source of the communications is confirmed
Refer to Chart 1. What is the encrypted text for the term ENCRYPTION?
Top row is cleartext encoded text values are in the bottom row e = a n = j c = Y r = N y = U p = L t = P i = E o = K n = J
What cipher method does 3DES use as part of the algorithm?
Transposition
Refer to the exhibit which type of cipher method is depicted?
Transposition cipher, no letters are replaced, they are simply rearranged.
Data integrity protocols
Use Secure Hash Algorithm (SHA-2 or SHA-3 ) The MD5 message digest algorithm is still widely in use. However, it is inherently insecure and creates vulnerabilities in a network. Note that MD5 should be avoided
Data Confidentiality algorithms
Using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI) .
What is the focus of cryptanalysis?
breaking encrypted codes
What is a method of cryptanalysis in which an attacker tries every possible key knowing that eventually one of them will work?
brute-force
As data is being stored on a local hard disk, which method would secure the data from unauthorized access?
data encryption
A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?
data integrity
Hash algorithm equation
h = H(x) H takes a input from x and returns a fixed string h.
Why would HMAC be used to help used to secure the data as it travels across various links
it's a hashing algorithm used to guarantee that the message is not a forgery and actually comes from the authentic source
Which type of attack allows an attacker to use a brute force approach?
password cracking, social engineering, brute-force attacks, network sniffing
Only the sender and the receiver knows the
secret key, and the output of the hash function now depends on the input data and the secret key. If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message.
Substitution ciphers
Substitute one letter for another. Retains the letter frequency of the original message. Caesar cipher was a simple substitution cipher. Basically shifting the letters by left or right (depending on the key)
What is a cipher that replaces one letter for another, possibly retaining the letter frequency of the original message?
Substitution
Ciphertext method
The attacker has the ciphertext of several encrypted messages but no knowledge of the underlying plaintext
Chosen-Ciphertext method
The attacker can choose different ciphertext to be decrypted and has access to the decrypted plaintext
Hash algorithm equation properties
Input can be any length, output is a fixed league. It's relatively easy to compute for any given x, H(x) is one way and not reversible, It's collision free, meaning that two different input values will result in different hash values.
Ensures that messages that are not altered in transit
Integrity
The receiver can verify that the received message is identical to the sent message and that no manipulation occurred.
Integrity
OTP (one-Time pad ciphers)
Invented by Gilber Vernam at AT&T Bell Labs in 1917, invented and patented the stream cipher, co-invented the one-time pad cipher
Advanced Encryption Standard (AES)
Is a popular symmetric encryption algorithm where each communicating partly needs to know the pre-shared key
SHA-3
Newest hashing algorithm and was introduced by the National Institute of Standard of Technology and as an alternative for SHA-2 SHA-3 includes SHA-3-224 (224bit) SHA3-256 (256 bits) SHA3-384(384 bits) SHA3-512(512 bit) Should be used whenever possible Cannot be used to guard against deliberate changes that are made by a threat actor. It's vulnerable to MITM attacks, the threat actor can intercept a message, change it, recalculate the hash, and append it to the message. We need origin authentication as well.
Transposition ciphers
No letters are replaced, but rearranged. Also known as rail fence cipher. Modern encryption block cipher algorithms such as AES and legacy 3DES use transposition as part of the algorithm
Keyspace
Number of possibilities that can be generated by a specific key length
Vigenere cipher
Polyalphabetic ciphers was orignally by Giovan Battista Bellaso in 1553, but the scheme was later misattributed to the Frnech diplomat and cryptographer, Balise de Vigenere
What is an example of the transposition cipher?
Rail fence