6.1 Summarize general cryptography concepts
Hashing
A hash is a generated summary from a mathematical rule or algorithm and is used commonly as a "digital fingerprint" to verify the integrity of files and messages and to ensure message integrity and provide authentication verification. In other words, hashing algorithms are not encryption methods but offer additional system security via a "signature" for data confirming the original content. Hash functions work by taking a string (for example, a password or email) of any length and producing a fixed-length string for output. Keep in mind that hashing is one way. Although you can create a hash from a document, you cannot re-create the document from the hash. If this all sounds confusing, the following example should help clear things up. Suppose you want to send an email to a friend, and you also want to ensure that during transit it cannot be read or altered. You would first use software that generates a hash value of the message to accompany the email and then encrypt both the hash and the message. After receiving the email, the recipient's software decrypts the message and the hash and then produces another hash from the received email. The two hashes are then compared, and a match indicates that the message was not tampered with. (Any change in the original message produces a change in the hash.)
Understand key storage.
Cryptographic keys and digital certificates should be stored securely. If a private key (asymmetric) or a shared secret key (symmetric) is ever compromised, then the security of all data encrypted with the key is lost.
Understand software key storage.
A software solution offers flexible storage mechanisms and, often, customizable options. However, a software solution is vulnerable to electronic attacks (viruses or intrusions), may not properly control access (privilege-elevation attacks), and may be deleted or destroyed. Most software solutions rely on the security of the host OS, which may not be sufficient.
Cipher Text
An encrypted message.
Plain-text
An unencrypted message (in the clear).
Know the strengths and weaknesses of asymmetric cryptography.
Asymmetric cryptography is scalable. The private key of the key pair must be kept private and secure. The public key of the key pair is distributed freely and openly. Possession of the public key doesn't allow someone to generate the private key. Asymmetric cryptography is much slower than symmetric cryptography. It provides three security services: authentication, integrity protection, and non-repudiation.
Know how cryptosystems can be used to achieve authentication goals.
Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric cryptosystems.
Two primary types of Symmetric encryption methods for encrypting plain-text data
Block Cipher and Stream Cipher
Know how brute-force and dictionary attacks work.
Brute-force and dictionary attacks are carried out against a password database file or the logon prompt of a system. They are designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack.
Understand hardware key storage.
Hardware solutions aren't as flexible as software solutions; however, they're more reliable and more secure. Hardware solutions may be expensive and are subject to physical theft. If a user isn't in physical possession of the hardware storage solution, they can't gain access to the secured or encrypted resources. Some common examples of hardware key storage solutions include smart cards and flash memory drives.
Understand hashing attacks.
Hashing can be attacked using reverse engineering, reverse hash matching, or a birthday attack. These attack methods are commonly used by password-cracking tools.
Understand M of N control.
If the environment doesn't warrant the trust of a single key recovery agent, a mechanism known as M of N control can be implemented. M of N control indicates that there are multiple key recovery agents (M) and that a specific minimum number of these key recovery agents (N) must be present and working in tandem in order to extract keys from the escrow database.
Understand private key protection.
In a symmetric system, all entities in possession of the shared secret key must protect the privacy and secrecy of that key. If the key is compromised anywhere or by anyone, the entire solution (all entities using the same key) is compromised (everything protected by that key).
Understand the use of multiple key pairs.
In some situations, you may use multiple key pairs. One key set might be used for authentication and encryption and the other for digital signatures. This allows the first key pair to be escrowed and included on data backups of a centralized key management scheme. The second key set is then protected from compromise, and the privacy of the owner's digital signature is protected, preventing misuse and forgery.
Know key management basics.
Keys should be long enough to provide the necessary level of protection, should be stored and transmitted securely, should be random, and should use the full spectrum of the keyspace. In addition, they should be escrowed, properly destroyed at the end of their lifetime, used in correspondence with the sensitivity of the protected data, and have a shortened use lifespan if they're used repeatedly.
Block cipher
Plain-text is encrypted in blocks, each of which is a fixed-length group of bits. The block of plain-text is encrypted into a corresponding block of ciphertext. Thus, a 64-bit block of plain-text would output as a 64-bit block of ciphertext.
VPN protocols
Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), Internet Protocol Security (IPSec)
Know the strengths and weaknesses of symmetric cryptography.
Symmetric cryptography is very fast when compared to asymmetric cryptography. It provides for strong encryption protection when larger keys are used. However, the protection is secure only as long as the keys are kept private. Key exchange under symmetric cryptography is a common problem. Symmetric cryptography isn't scalable when used alone.
Stream cipher
The plain-text bits are encrypted a single bit at a time. These bits are also combined with a stream of pseudorandom characters. Stream ciphers are known for their speed and simplicity. The initialization vector should never be the same twice.
Know the differences between symmetric and asymmetric cryptosystems.
Symmetric key cryptosystems (or secret key cryptosystems) rely upon the use of a shared secret key. They are much faster than asymmetric algorithms, but they lack support for scalability, easy key distribution, and non-repudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.
Cipher
The algorithm used to encrypt and/or decrypt
Cryptanalysis
The art of cracking an encryption. Researchers are constantly trying to find weaknesses in ciphers. A mathematically flawed cipher is bad for everyone.
Know the common applications of cryptography to secure web activity.
The de facto standard for secure web traffic is the use of HTTP over Secure Sockets Layer (SSL), otherwise known as HTTPS. Secure HTTP (S-HTTP) also plays an important role in protecting individual messages. Most web browsers support both standards.
Know the common applications of cryptography to secure electronic mail.
The emerging standard for encrypted messages is the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. Another popular email security protocol is Phil Zimmermann's Pretty Good Privacy (PGP).
Quantum cryptography
instead relies upon physics. Although slower, the primary advantage provided by it is increased security. Its mechanics protect against data being disturbed because one cannot measure the quantum state of the photons. The mere observation of a quantum system changes the system.
Asymmetric cryptography
each user has 2 keys: a private key and a public key. Sending an encrypted message requires you to encrypt the message with the recipient's public key. The public key is made available to whoever is going to encrypt the data sent to the holder of the private key. The message in turn gets decrypted by the recipient with his or her private key. Often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm. Imagine a postal mailbox that enables the letter carrier to insert your mail via an open slot, but only you have the key to get the mail out. This is analogous to an asymmetric system in which the open slot is the public key.
Decentralized key management
end users generate their keys (whether symmetric or asymmetric) and submit keys only as needed to centralized authorities. The end user's private key is always kept private so they are the only entity in possession of it.
Confidentiality in relation to cryptography
ensures that data remains private while at rest, such as when stored on a disk, or in motion, such as during transmission between two or more parties.
The birthday attack
exploits a mathematical property that states that if the same mathematical function is performed on two values and the result is the same, then the original values are the same. This concept is often represented with the syntax f(M)=f(M') therefore M=M'.
Centralized key management
gives complete control of cryptographic keys to the organization and takes control away from the end users. In a centralized management solution, copies of all cryptographic keys are stored in escrow.
Elliptic Curve Algorithm (ECC)
is a public-key cryptosystem based upon complex mathematical structures. It uses smaller key sizes than traditional public-key cryptosystems. It uses asymmetric encryption. As a result, it is faster and consumes fewer resources, making it more ideal for mobile and wireless devices. It is commonly used with small wireless devices since it doesn't take much processing power to achieve the desired security.
Key escrow
is a storage process by which copies of private keys and/or secret keys are retained by a third party. This system securely stores the encryption keys as a means of insurance or recovery in the event of a lost or corrupted key.
Symmetric cryptography
is a system that uses a common shared key between the sender and receiver. It uses a single shared encryption key to encrypt and decrypt data. It is often referred to as session key, secret key algorithms, private key algorithms, and shared secret algorithms. The primary advantage to such a system is that it is easier to implement than an asymmetric system and is typically faster.
Password cracker
is a tool used to reverse-engineer the secured storage of passwords in order to gain (or regain) access to an unknown or forgotten password. There are four well-known types of password cracking techniques: dictionary, brute force, hybrid, and precomputed hash.
Steganography
is a word of Greek origin meaning "hidden writing." It is a method for hiding messages so that unintended recipients aren't even aware of any message. For example, writing a letter using plain text but in invisible ink is an example of the use of it. Compare this to cryptography, which does not seek to hide the fact a message exists, but rather to just make it unreadable by anyone other than the intended recipients. Of course, it is useless if someone other than the intended recipient knows where to look. Therefore, steganography is best used when combined with encryption. This adds an additional layer of security by not even allowing attackers to attempt to crack encryption into a readable form because they don't even know the message exists in the first place. Modern uses are various, including hiding messages in digital media and digital watermarking. In addition, it has been used by many printers, using tiny dots that reveal serial numbers and time stamps.
Password guessing
is an attack aimed at discovering the passwords employed by user accounts. It's often called password cracking. There are two primary categories of password-guessing tools based on the method used to select possible passwords for a direct logon prompt or birthday attack procedure: brute force and dictionary.
Digital signature
is an electronic mechanism used to prove that a message was sent from a specific user and that the message wasn't changed while in transit. It operates using a hashing algorithm and either a symmetric or an asymmetric encryption solution. It provides integrity, authentication and nonrepudiation with proof of origin. Although authentication and nonrepudiation might appear to be similar, the difference is that with nonrepudiation proof can be demonstrated to a third party.
Point-to-Point Tunneling Protocol (PPTP)
is based on PPP, is limited to IP traffic, and uses TCP port 1723. PPTP supports PAP, SPAP, CHAP, EAP, and MSCHAPv.1 and v.2.
Layer Two Tunneling Protocol (L2TP)
is based on PPTP and L2F, supports any LAN protocol, uses UDP port 1701, and often uses IPSec for encryption.
Authentication in relation to cryptography
is the security service that verifies the identity of the sender or receiver of a message.
Message Authentication Code (MAC)
it is a small piece of data known as an authentication tag, which is derived by applying a message or file combined with a secret key to a cryptographic algorithm. The resulting MAC value can ensure the integrity of the data as well as its authenticity, as one in possession of the secret key can subsequently detect whether there are any changes from the original. It is similar to a hash function but is able to resist forgery and is not open to man-in-the-middle attacks. It can be thought of as an encrypted hash, combining an encryption key and a hashing algorithm.
Non-repudiation
prevents the sender of a message or the perpetrator of an activity from being able to deny that they sent the message or performed the activity. It is possible only with asymmetric cryptosystems.
Transport encryption
protects communication between the client and the server, preventing the disclosure of sensitive data as well as the manipulation of the data. Another advantage is that it prevents redirection in which the communication is no longer taking place between the two expected parties.
Integrity in relation to cryptography
provides assurances that data has not been modified. Hashing ensures that data has retained integrity.
The Advanced Encryption Standard (AES) (Rijndael algorithm)
utilizes the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. It uses key lengths and block sizes of 128, 192, and 256 bits to achieve a much higher level of security than that provided by the older Data Encryption Standard (DES) algorithm.