Ch 6 - Cryptography and Symmetric Key Algorithms
Recovery Agent
The third party in a key escrow who is able to retrieve the keys.
Data at rest attack
Theft of physical device
Kerckhoff's Principle
Concept that an algorithm should be known and only the keys should be kept secret. "The enemy knows the system." Belief that public exposure produces more activity and exposes weaknesses more readily.
Goals of Cryptography
Confidentiality, integrity, authentication, and nonrepudiation.
Asymmetric Key Algorithms
Contains two keys; a public key which is shared with all users and a private key which is a secret and only known to the user. Opposite and related keys used in tandem to perform encryption operations. Support digital signature technology. Public key algorithms most common ex.
Cryptographic Keys
Used in encrypting and decrypting information, there are private keys and public keys. The longer the key, the more difficult it is to brute force. Increases in computing power makes it easier break current encryption keys over time, so you must stay ahead of the modern technology.
Postwhitening
Uses a similar operation to prewhitening after the 16th round of encryption.
Counter Mode (CTR)
Uses a stream cipher similar to CFB and OFB. Instead of creating the seed value for each operation from the results of the previous seeds, it uses a simple counter to increment. Does not propagate errors. An unauthenticated mode.
Transposition Cipher
Uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. Decryption algorithm simply reverse the encryption transformation to retrieve plaintext message
Encrypt
Using a cryptographic algorithm to take a plaintext message and produce a ciphertext message. This is represented by the letter C.
Authentication
Verifies the claimed identify of a system users and is a major function of cryptosystems.
Key Escrow
When a cryptographic key is stored with a third party for safekeeping. Key is retrieved when certain circumstances are met and the third party uses the key to restore and authorized user's access, or decrypt the file.
Split Knowledge
When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment. Example is key escrow. Special arrangements have to be made to prevent abuse where multiple agents are required to decrypt.
Columnar Transposition
A form of cryptographic transposition based on arranging plain text in a form that generates columns; then the columns are extracted as the cipher text.
Rivest Cipher 5 (RC5)
A block cipher of variable block sizes (32, 64, or 128) bits that uses key sizes between 0 and 2040 bits.
Twofish
A block cipher that operates on 128-bit blocks of data and is capable of using cryptographic keys up to 256 bits in length. Uses prewhitening and postwhitening techniques not found in other algorithms.
Blowfish
A block cipher that operates on 64-bit blocks and can have a variable key length from 32 to 448 bits. Expands on IDEA's key strength by allowing keys up to 448 bits. Build into a number of commercial software products. and is available for public use.
Diffusion
A change in the plaintext results in multiple change spread throughout the ciphertext.
Diffie-Hellman
A cryptographic algorithm that allows two users to share a secret key securely over a public network. Used when there was no public key exchange available.
Frequency Analysis
A deciphering technique that is based on how frequently certain letters appear in English versus others. Caesar cipher is easy to break because of this.
One-way function
A mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values. Public key cryptosystems are based on these.
Vigenere Cipher
A method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword. More difficult to crack with the key addition.
Digital Signatures
A method of ensuring message integrity is enforced through the use of encrypted message digests that are created upon transmission of a message.
Galois/Counter Mode (GCM)
A mode of operation used for encryption. It combines the Counter (CTM) mode and adds authentication tags controls to the mix. This provides recipients with assurance of integrity.
Triple DES (3DES)
A more-secure variant of DES that repeatedly encodes the message using three separate DES keys. No longer considered secure. DES-EEE3 is only variant considered secure by NIST. Effectively have a 112 bit key but it's theoretically 168 bits.
Cipher Block Chaining (CBC)
A process in which each block of unencrypted text is XORed with the block of cipher text immediately preceding it before it is encrypted. Uses an IV for first block and produces unique output each time used. IV must be passed to recipient. Errors propagate-if one block is corrupted, it becomes impossible to decrypt that block and the next one. An unauthenticated mode.
Initialization Vector (IV)
A random bit string that is the same length as the block size and is XORed with the message. An example of a nonce that is used frequently. Used to create unique ciphertext every time a message is encrypted using the same key.
Algorithm
A set of rules, usually mathematical, that dictates how encryption and decryption processes are to take place.
Ephemeral Key
A type of key used in cryptography that exists only for one single session. Most common example is Transport Level Security (TLS) protocol.
Keys
All cryptographic algorithms rely on this to maintain security. Usually a very large binary number. Keeping these secret is critical to security when they are private.
Key Management Practices
Always store secret keys securely. Select keys using an the entire key space with as much randomness as possible Destroy keys when they are no longer needed.
Challenge-response protocol
An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a shared secret (often by hashing the challenge and secret together) to generate a response that is sent to the verifier. The verifier knows the shared secret and can independently compute the response and compare it with the response generated by the claimant. If the two are the same, the claimant is considered to have successfully authenticated himself.
cryptovariable
Another name for the key used to perform encryption and decryption activities, especially for US Gov't applications.
Symmetric Key Cryptography Weakness
Key distribution is a major problem Does not implement nonrepudiation Algorithm does not scale Keys must be regenerated often
Asymmetric Key Cryptography Strengths
Scalable-only one private-public keypair per user Ease of removing users-revoke keys Key Generation only needed when private key compromised Provides Integrity, Authentication, Nonrepudiation Key distribution is simple No preexisting links are required
Round
The repeating of encryption operations for a standard. DES does this 16 times. Each time a new key is generated for subsequent passes.
Electronic Code Book Mode (ECB)
Each time the algorithm processes a 64-bit block, it encrypts the block with the chosen security key. Simplest mode and least secure method. A code book could be build to determine all possible values. Impractical for anything but the shortest transmissions so it's typically used for exchanging keys and parameters or to initiate other modes. An unauthenticated mode.
Data in motion attack
Eavesdropping
Prewhitening
Involves XORing the plaintext with a separate subkey before the first round of encryption.
AND operator
Boolean mathematics operator check checks to see weather two values are both true. Uses "^" symbol. Output 0=False or 1=True.
Symmetric Key Algorithm
Any encryption method that uses the same key for both encryption and decryption. Relies on "shared secret". Difficult to break with large keys. Primarily used for bulk encryption. Provides confidentiality only. Relies on out-of-band exchange of key. Not scalable. Aka secret key cryptography, private key cryptography.
Ciphers
Are always meant to hide the true meaning of a message. They use a variety of techniques to alter and/or rearrange the characters or bits of a message to achieve confidentiality. Work on individual characters.
OR operator
Boolean mathematics operator that checks to see if at least one of the input values is true. Only negative when both of the inputs are false. Uses "v" symbol. Output 0=False or 1=True.
NOT operator
Boolean mathematics operator that reverses the value of an input variable. Operates on one variable at a time. Represented by the "~" symbol.
Collisions
Cases where a hash function produces the same value for two different methods. The existence of these typically leads to the deprecation of a hashing algorithm.
Codes
Cryptographic systems of symbols that represent words or phrases, are sometimes secret. Not necessarily mean to provide confidentiality. Work on words on phrases.
Boolean Mathmatics
Defines the rules used for the bits and bytes that form the nervous system of any computer. There are only two possible states-on or off.
CAST-256
Designed by Carlisle Adams, Stafford Tavares, Howard Heys, and Michael Wiener. Operates on 128 bit blocks and has a key size of 128, 160, 192, 224 or 256 bits. Encryption has 48 rounds. A candidate to replace DES but was not selected.
Rivest Cipher 4 (RC4)
Developed in 1987. Symmetric streaming cipher popularly used in WEP, WPA, SSL, and earlier versions of TLS. It uses key sizes that range from 40 to 2,048 bits in length and a single round of encryption. Considered insecure by today's standards.
One-Time Pad Obstacles
Difficulty of generating, distributing, and safeguarding the lengthy keys required. Can used only for short messages because of key lengths. Require physical exchange of the pads.
Integrity
Ensures that data is not altered without authorization.
Confidentiality
Ensuring that data remains private in three different situations: at rest, in transit, and in use. The most widely cited goal of cryptosystems.
Period Analysis
Examining a cryptographic text for patterns that repeat based on the length of the key. The key length is the period of the repetition. How polyalphabetic ciphers can be deciphered.
One-Time Pad
Extremely powerful type of substitution cipher (unbreakable) which uses a different substitution alphabet for each letter of the plaintext message. Also called Vernam ciphers and relies on the following: +Key is as long as the message itself +Can only be used once +Must be randomly generated +Must be physically protected from disclosure. C=(P+K) mod 26
Symmetric Key Cryptography Strengths
Great speed at which it can operate. 1000 to 10000 times quicker than asymmetric methods. Can be implemented in hardware easily..
Plaintext
Information that is readable without performing any cryptographic operations. Represented by letter P.
Cryptographic Lifecycle
Knowing that cryptographic systems have a limited life span, select appropriate controls to ensure algorithms, protocols, and key lengths suit org. needs.
Output feedback (OFB)
Makes a block cipher into a synchronous stream cipher, generates keystream blocks, which are then XORed with the plain text blocks with a seed value to get the cipher text. No chaining function so transmission errors are not propagated. An unauthenticated mode.
Exclusive OR operator (XOR)
Most common Boolean mathematics operator used in cryptographic applications. Returns a true value when only one of the input values is true. If both values input are true or both are false, then XOR returns false. Represented by + insides of a O symbol.
Encryption Keys Best Practices
Never store key on same system where encrypted data resides. For sensitive keys, split it among two trusted users. Change keys anytime person with access leaves org.
Stream Cipher
Operate on one char/bit of a message at a time like Caesar Cipher or One-Time Pad. Can function as a block cipher if they fill a buffer up with data to encrypt all at once.
Block Cipher
Operates on "chunks" of a message and apply the encryption algorithm to the entire message block at the same time. Transposition Ciphers are examples of these. Used by most modern encryption algorithms.
Hardware based key storage
Physical devices dedicated to manage cryptographic keys. May be USB drives, smartcards, or secure modules. More complex and expensive to implement but do offer additional security.
Zero Knowledge Proof
Prove knowledge of a fact to a third party without revealing the fact itself. Often done with passwords or other secret authentications. Done using complex mathematical operations.
Nonrepudiation
Provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender. Secret key, symmetric key systems cannot guarantee this. Public key or asymmetric systems can provide this.
Escrowed Encryption Standard
Provides the govt with a technological means to decrypt ciphertext.
Data Encryption Standard (DES)
Published in 1977 as a proposed standard cryptosystem for government communications. No longer considered secure. A 64-bit block chain cipher that has 5 modes of operation: ECB, CBC, CFB, OFB, CTR. All modes operate on 64 bits of plaintext to generate 64-bit blocks of ciphertexts. The key is is 56 bits long.
Security through obscurity
Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices. Used in early cryptography.
Modulo Function
Reminder value left over after division operation is performed. Usually abbreviated by mod or sometimes "%" symbol.
Advanced Encryption Standard (AES)
Replacement for DES. A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Number of rounds depends on key length used (128-10, 192-12, 256-14). Its use is mandated by NIST FIPS 197.
M of N Control
Requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. This helps to ensure no one recovery agent is rogue and able to fraud the system. -M is always less than or equal to N -ex: implementing 3/8 controls requires 3 of the 8 with the assigned work task.
Rivest Ciphers
Ron Rivest of Rivest-Sharmir-Adleman (RSA) Data Security created a series of symmetric ciphers over the years known as this.
Cryptoanalysis
The study of methods to defeat codes and ciphers.
Cipher Block Chaining Message Authentication Code (CCM)
Similar to GCM with the use of a data authenticity process. Used only with block ciphers that have a 128-bit block length and require the use of a nonce that must be changed for each transmission.
Asymmetric Key Cryptography Weakness
Slow speed of operation.
Cryptosystems
Specific implementations of a code or cipher in hardware and software.
Software based key storage
Store keys as digital objects on the system where they are used. May be specialized applications too. Ex. storing key on local filesystem. Simple to implement but risk of compromise is present.
Cipher Feedback (CFB)
Stream cipher where the cipher text is used as feedback into key generation. errors will propagate. Uses IV for first block and chaining for subsequent characters. Similar to CBC but is a streaming cipher. An unauthenticated mode.
Running Key Cipher
Substitution cipher that creates keystream values (as long as message itself) using commonly from agreed-upon text passages, to be used for encryption purposes. Prevents the need to exchange keys prior to using the cipher like one-time pad.
Message Digest
Summaries of a message's content (not unlike a file checksum) produced by a hashing algorithm. Extremely difficult to derive a message from an ideal hash function. AKA. Hash values or Fingerprints
CAST-128
Symmetric algorithm. Created in 1996 by Carlisle Adams and Stafford Tavares. Operates on 64 bit blocks and has a key size of 40-128 bits. Typically used in GPG and PGP. Encryption is either 12 or 16 rounds.
Skipjack
Symmetric algorithm. Designed by NSA for the clipper chip - a chip with built in encryption. The decryption key was kept in key escrow in case law enforcement needed to decrypt data without the owner's cooperation, making it highly controversial. Uses an 80 bit key to encrypt/decrypt 64 bit data blocks.
Rivest Cipher 6 (RC6)
Symmetric block cipher that was introduced as a replacement for DES but AES was chosen instead. Uses a 128-bit block sizes and allows for 128,192 or 256 bit keys.
International Data Encryption Algorithm (IDEA)
Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext. Begins operations with 128-bit key that is broken up into 52 16-bit subkeys. Operates in ECB,CBC,CFB,OFB, and CTR. Patent expired in 2012 so it's publicly available.
Decrypt
Taking a ciphertext message and using the predetermined algorithm to reverse the encryption and retrieve the plaintext message.
Offline Distribution
The most technically simple method of key exchange, it involves the physical exchange of key material. Inherent flaws with this form of key exchange. Cumbersome for end users.
Bit Size
The number of binary bits in the key
Confusion
The relationship between the plaintext and key is so complicated that an attacker can't merely continue altering the plaintext and analyzing the ciphertext to determine the key.
Cryptographic Modes of Operation
These are the different ways that cryptographic algorithms may transform data to achieve sufficient complexity from attack. Electronic Code Book (ECB) Cipher Block Chaining (CBC) Cipher Feedback (CFB) Output Feedback (OFB) Counter Mode (CTR) Galois Counter Mode (GCM) Cipher Block Chaining Message Auth. Code (CCM)
Public Key Encryption
Typically does the first part of a multi-step key exchange given the hassles of symmetric key transmissions. Public key is used to create the link, then secret keys are transferred over the link.
Hybrid Cryptography
Typically used when large amounts of data need to be transmitted. First use Asymmetric cryptography to establish a connection, then use exchange Symmetric Keys that is used to encrypt the bulk of the data.
Symmetric Cryptosystems
Use a shared secret key available to all users of the cryptosystem.
Asymmetric Cryptosystems
Use individual combinations of public and private keys for each user of the system.
Substitution Cipher
Use the encryption algorithm to replace each character of the plaintext message with a different character. Used by Julius Caesar for his mono-alphabetic Caesar Cipher.
Cryptography
art of creating and implementing secret codes and ciphers
Nonce
random number that acts as a placeholder variable in mathematical functions -must be unique number each time it is used
Key Space
range of the possible values that can be used to construct a key for a specific algorithm.
Fair Cryptosystems
secret keys are divided into 2 or more pieces, and given to a 3rd party. -when govt obtains legal authority to access a key, it provides court order to 3rd party, gets keys, and reassembles the secret key
Cryptology
the science of interpreting secret writings, codes, ciphers, and the like. Combines cryptography and cryptoanalysis.
Work Function
time/effort required to perform a brute-force or computed attack against an enc system -the sec and protection offered by a cryptosystem is what this measures -this need only be slightly greater than the time value of the asset (spend no more time to protect an asset than it warrants) -future discoveries may change this value over time
