Chapter 15 Cryptography
Chosen key
A chosen key attack is a type of attack where a hacker not only breaks a ciphertext, but also breaks into a bigger system, which is dependent on that ciphertext.
Algorithm
A cipher or algorithm is the process or formula used to convert a message or otherwise hide its meaning. Examples of algorithms include:
Key
A key is a variable in a cipher used to encrypt or decrypt a message. The key should be kept secret. The key space is the range of the possible values that can be used to construct a key. Generally speaking, the longer the key space, the stronger the cryptosystem.
Symmetric encryption algorithms
Block; Stream
Asymmetric encryption algorithms
Challenge-Handshake Authentication Protocol (CHAP); Diffie-Hellman key exchange; Digital Signature Algorithm (DSA); elliptic curve cryptography (ECC); Extensible Authentication Protocol (EAP); message digest function (MD5); Rivest, Shamir, Adleman (RSA); Secure Hashing Algorithm (SHA)
Ciphertext
Ciphertext is the encrypted form of a message that makes it unreadable to all but those the message is intended for.
Cryptanalysis
Cryptanalysis is the method of recovering original data that has been encrypted without having access to the key used in the encryption process. This can be done to measure and validate the strength of a cryptosystem. It can also be done to violate the confidentiality and/or integrity of a cryptosystem.
Decryption
Decryption is the procedure used to convert data from ciphertext into plain text.
Asymmetric encryption
Diffie-Hellman; secrecy and security of private keys; 2 keys used; public key encryption; two keys mathematically related, both called a keypair; trapdoor function: easy to create, difficult to reverse
Digital certificates
Digital certificates are electronic passwords. They associate the identity of a person or entity with a public/private key pair.
Two implementations of 3DES
EDE2; EEE3
Encryption
Encryption is the process of using an algorithm to transform data from plain text to ciphertext in order to protect the confidentiality, integrity, and authenticity of the message.
Adaptive chosen plain text
In an adaptive chosen plain text method, the hacker makes a series of interactive queries, choosing subsequent plain texts based on the information from the previous encryptions.
Chosen ciphertext
In a chosen ciphertext attack, the hacker analyzes the plain texts corresponding to an arbitrary set of ciphertexts the hacker chooses. Early versions of RSA used in SSL were vulnerable to this attack.
Chosen plain text
In a chosen plain text attack, the hacker creates plain text, feeds it into the cipher, and analyzes the resulting ciphertext. The chosen plain text attack occurs when the hacker can choose the information to be encrypted. The idea is to find patterns in the cryptographic output that might uncover a vulnerability or reveal the cryptographic key.
Dictionary
In a dictionary attack, the attacker constructs a dictionary of plain text along with its corresponding ciphertext collected over a period of time.
Related key
In a related key attack, the hacker obtains ciphertexts encrypted under two different keys. This attack is useful if the hacker can obtain the plain text and matching ciphertext.
Rubber hose
In a rubber hose attack, a hacker extracts cryptographic secrets, such as the password to an encrypted file, by coercion or torture.
Known plain text
In this attack, the only information available to the attacker is some plain text blocks, the corresponding ciphertext, and the algorithm used to encrypt and decrypt the text. This attack requires the hacker to have both the plain text and ciphertext of one or more messages. Together, these two items can be used to extract the cryptographic key and decrypt the remaining encrypted files.
Hybrid Cryptography (Asymmetric)
OS, apps, components use hybrid systems; combines symmetric and asymmetric; combines symmetric systems to process large amounts of data and asymmetric to securely distribute keys
Plain text
Plain text is the readable form of an encrypted message. The term plain text should not be confused with the term clear text, which is information that is not encrypted. Plain text is information that will eventually be input into an encryption algorithm.
Common Symmetric cryptography methods
Ron's cipher v4 (RC4), most common; Ron's cipher v5 (RC5); Ron's cipher v6 (RC6); International Data Encryption Algorithm (IDEA); Data Encryption Standard (DES); Triple DES (3DES); Advanced Encryption Standard (AES); Blowfish; Twofish
Digital Signature Algorithm (DSA)
Signature algorithm; authentication, integrity, non-repudiation; 1994 as FIPS 186 by NIST; signs messages with signer's private key; verified by signer's corresponding public key
Blowfish
Symmetric block cipher; answer to IDEA and DES; secret key to en/decrypt data; 64-bit blocks; 32-448 bit key; no effective known cryptanalysis; does not use a variable block length
Certificate authority (CA)
The certificate authority is the organization that issues the digital certificate. The CA is also the controller of the PKI certificates. The CA, in a sense, mints the certificate and specifies critical pieces of information such as the organization name and the certificate expiration date. The private key certificate on the hosted website is checked against the CA to ensure it is valid and authentic. If the certificate is expired or the company name is different, the user will receive a warning stating the site failed the authenticity check.
Certificate management system
The certificate management system is the primary component of PKI. It manages the certificate process and creates key pairs, which consist of public and private keys. It stores the private key for the host and helps to ensure private key safety. It distributes the public key to those who will access the system. PKI works to ensure the continued authenticity of the keys and verifies certificates.
End user
The end user is the consumer who requests and uses certificates. Most of the activities involved in PKI are transparent to the user. For example, an individual might go to a website and complete a transaction, such as online banking or shopping, without being aware of the processes that take place to secure the transaction.
Ciphertext-only
The goal of this attack type is to recover the encryption key from the ciphertext. This attack requires a hacker to obtain encrypted messages that have been encrypted using the same encryption algorithm. Ciphertext attacks don't require the hacker to have the plain text; the statistical analysis might be enough.
Registration authority (RA)
The registration authority acts as the verifier for the CA. While, in many instances, the CA handles certificate registration, the CA may offload its registration and validation when an organization is geographically dispersed or PKI resources increase.
Timing
The timing attack is based on repeatedly measuring the exact execution times of modular exponentiation operations.
Validation authority (VA)
The validation authority is used to verify the validity of a digital certificate using the X.509 standard and RFC 5280. The VA also stores certificates with their public/private keys.
Disk encryption tools
VeraCrypt; Symantec Drive Encryption; Windows Encrypting File System (EFS); BitLocker
Steganography
Which literally translates to "concealed writing," hides data or a message so that only the sender or the recipient suspects that the hidden data exists. Steganographic messages are in clear text. They are not encrypted, only hidden. Examples of steganography include: embedding, hiding, watermarking, microdots
Hiding text messages or hiding alternate images within a photograph
With this method, data is distributed inside the last two bits of each color. When viewed normally, the hidden information cannot be detected. Using special tools, the data in the last two bits of each color is extracted to recreate the original.
Message Digest Function (MD5)
algorithm produces a value of 128 bits with 32 hexadecimal characters; not collision resistant; still used for digital signature apps, file integrity checking, storing passwords
Triple DES (3DES)
applies DES three times; 168-bit key; IPsec strongest/slowest encipherment; large amounts of data creates patterns in ciphertext
Adaptive chosen plaintext
attacker makes series of interactive queries then chooses plain text based on information from previous encryption
Diffie hellman use as base
authenticated protocols use as base; ephemeral mode (EDH, DHE) provides TLS with perfect forward secrecy
codebreaking methods
brute force; frequency analysis; trickery and deceit
Confidentiality
by ensuring that only authorized parties can access data.
Authentication
by proving the identity of the sender or receiver.
Non-repudiation
by validating that communications have come from a particular sender at a particular time.
Integrity
by verifying that data has not been altered in transit.
Challenge-Handshake Authentication Protocol (CHAP)
challenge/response; three way handshake to protect passwords; username and password authentication only; remote access authentication protocol; ensures same client/system exists through session, repeatedly and randomly retesting
Data Encryption Standard (DES)
created by NSA; first symmetric encryption methods; now obsolete; sensitive but unclassified encryption; 56-bit key (weak); 8-bit parity; 64-bit block; 16 rounds of substitution and transposition; IPsec weakest/fastest encipherment; easily broken; does not use a variable block length
Secure Hashing Algorithm (SHA)
cryptographic hash function; secure one way hash; NIST; 160-bit digest; maximum length of 2^64-1; resembles MD5; family includes SHA-256 (32-bit words), SHA-2 (security apps); SHA-3 uses sponge construction, message blocks are XORed into initial bits of state
Skipjack
does not use a variable block length
DES modes
electronic code book (ECB): run through of DES, small amounts of data; cipher block chaining (CBC): increases randomness; output feedback: stream emulation, works with block cipher; cipher feedback: increases randomness and variability of cipher text
EDE2
encrypt key1, decrypt key2, encrypt again key1
EEE3
encrypt key1, encrypt key2, encrypt key3
Symmetric encryption
faster than asymmetric; confidentiality with weak form of authentication/integrity; bulk encryption of less sensitive CPU intensive; both parties exchange shared secret key; out of band distribution; in band distribution; everyone requires unique shared key (grows exponentially); keyspace is short (56 to 512); having 2+ copies of keys less secure
HashMyFiles
free utility that calculates the MD5 and SHA1 hashes of files.
Asymmetric encryption features
functionality; uses; hybrid cryptography; implementations; management considerations
Ephemeral keys
generated every time key establishment process is executed and exists only for lifetime of specific communication session; short life span
Watermarking
hidden data is embedded into an image or a file to prove ownership. Because the file contains the special data sequence, a file with that embedded data could only have come from the original source.
Microdots
images shrunk down to the size of a period, then included in a seemingly harmless message.
Elliptic curve Diffie-Hellman (ECDH)
implementation of Diffie-Hellman key exchange using elliptic curve cryptography; each party has own elliptic curve public/private keypair to generate symmetric keys over insecure channel simultaneously
BitLocker
is a Windows drive encryption feature that offers additional protection of EFS or non-EFS volumes. Provides the most protection when used with a Trusted Platform Module (TPM). A TPM is used to validate the integrity of system boot components. Encrypts all user and system files, including OS, swap, and hibernation files. Allows recovery keys to be archived to USB, file, print, or Active Directory. Supports multi-factor authentication.
One-time pad
is a cryptography method in which plain text is converted to binary and combined with a string of randomly generated binary numbers (referred to as the pad). It is a form of substitution.
VeraCrypt
is software for establishing and maintaining an encrypted volume for data storage devices. Uses on-the-fly encryption, meaning the data is automatically encrypted immediately before it is saved and decrypted immediately after it is loaded. It requires no user intervention.
Advanced Encryption Standard (AES)
iterative symmetric key block; replace DES; repeats same operation multiple times; Rijndael block cipher (resistant to all known attacks); variable length block and key length; 128, 192, 256-bit keys; stronger/faster than 3DES; implemented with large key size (256-bits); sensitive unclassified material; selected to replace DES
Diffie-Hellman Key Exchange
key agreement protocol; generates symmetric keys at sender/receiver over insecure channels; first asymmetric algorithm
Management Considerations (Asymmetric)
keys can be distributed, no relation required; private always secret; asymmetric scalable for large expanding environments, two keys per user; keyspace 1k-30k bits; slower processing than symmetric; ephemeral/static keys
Common certificate authorities
Comodo; IdenTrust; GoDaddy
types of cryptanalysis
linear; differential; integral
Out of band distribution
manual distribute key USB
Cryptography tools
MD5 Calculator; HashMyFiles
In band distribution
mechanisms: Diffie-Hellman; asymmetric to encrypt key
International Data Encryption Algorithm (IDEA)
originally called improved PES; minor revision of Proposed Encryption Standard (PES); 64 bit block; 128-bit keys; Pretty Good Privacy (PGP) for email; OpenPGP; does not support variable block size
Basic encoding rules BER
original rules for encoding abstract info into concrete data stream; set of self identifying/delimiting schemes that allow each data value to be identified, extracted, decoded individually
Hybrid system process
plaintext encrypted into ciphertext with symmetric session key; session key encrypted with asymmetric using public key; session key and ciphertext sent to receiver; receiver decrypts symmetric session key with asymmetric private key; ciphertext decrypted into plain text with decrypted session key
Windows Encrypting File System (EFS)
proprietary function of the Windows operating system.
Uses (Asymmetric)
provide confidentiality, strong authentication, and non-repudiation; data encryption to secure data; digital signing to confirm integrity of message; digital signing to confirm authenticity of sender; key exchange to ensure keys are secure during transit; asymmetric encryption used to securely exchange symmetric keys
Diffie hellman process
provide key distribution; does not provide cryptographic services; calculates discrete logarithms in finite field; used in DES; subject to MITM; requires strong authentication to validate at end points
Self signed certificates
provide secure communications; not vetted; visitors to website will get warning; common in internal websites and 3rd party tools where SSL is used
Symantec Drive Encryption
provides organizations with complete, transparent drive encryption for all data, including user files, swap files, system files, and hidden files on laptops, desktops, and removable media.
Elliptic Curve Cryptography (ECC)
public key cryptography; groups of numbers in elliptical curve; Koblitz, Miller 1985; more efficient algo than others; used in conjunction with other methods reduce key size; small amounts of data for small devices; 160-bit key equivalent to 1024-bit RSA; less computational power; less memory
Rivest, Shamir, Adleman (RSA)
public key cryptosystem used to secure data transmission; factoring large numbers into prime values; 1977; widely used de facto encryption standard; asymmetric systems based on difficulty of factoring N (product of two large prime numbers, 201); key length 512-bits to 8k bits (2401 digits); modular arithmetic and elementary number theory
Functionality (Asymmetric)
public key made available to anyone; private key secret; one key encrypts, other key decrypts; strength of asymmetric encryption lies in secrecy and security of private key; if private key is discovered new key pair required; keys created by Local Security Authority (security kernel) and cryptographic service provider (CSP); asymmetric key ciphers are two associated algorithms that are inverses; computationally infeasible to derive second algo from first without private key
Using longer keys
reduces possibility of successful attack; increase possible unique key combination; increase symmetric key by one bit doubles effort; double key size squares effort
cryptography attack countermeasures
restrict access to cryptographic keys; restrict access to cryptographic keys to apps; IDS to monitor exchange of keys; passwords to encrypt key if stored on disk; key should not be present inside source code or binaries; for certificates signing transfer of public keys should be prohibited; symmetric key size 168 bits for small transactions; symmetric key size 256 bytes for large transactions
Static keys
reused multiple communication sessions; long lifetime
Email encryption tools
Secure Sockets Layer (SSL); Transport Layer Security (TLS); OpenSSL
Stream cipher
sequence of bits; keystream for encryption; real time; ATM, smartcards; small amounts of data <64 bits; slower than symmetric block; hardware; bitwise functions on individual bits in datastream; keystream generator to produce long streams with no pattern; block cipher emulation for block cipher compatibility
Extensible Authentication Protocol (EAP)
standardised method to negotiate wireless authentication between devices; framework; variety of methods: passwords, certificates, smart cards; alternative to CHAP and PAP; more secure and supports different authentication mechanisms
Embedding
still pictures in a video stream. The picture can only be viewed by stepping through the video frame by frame (playing the video in real time hides the image because the eye cannot see one single frame within the video).
Ron's Code v4
stream cipher; variable key 256 bits; WEP and SSL; key scheduling algorithm (KSA); pseudo random generation algorithm (PRGA); Basic Encoding Rules
Cryptanalysis
study of cipher, ciphertext, cryptosystems; verify vulnerabilities; extract plaintext from ciphertext even if algorithm used is unknown
Twofish
symmetric block cipher; 128-bit block; variable key lengths 128, 192, 256-bit; 16 rounds of substitution and transposition; runner up to Rijndael in AES algo; does not use a variable block length
Ron's Cipher v5 or Ron's Code v5 (RC5)
symmetric key block cipher; RSA; 32, 64, 128 bit blocks; key size 0 - 2k; 255 rounds of substitution and transposition; variable bit length keys; variable bit block sizes; parameters increase variability making harder to crack
Ron's Cipher v6 or Ron's Code v6 (RC6)
symmetric key block cipher; RSA; added integer multiplication; four 4-bit working registers (RC6 used two 2bit)
MD5 Calculator
tool used to create the MD5 hash value of the selected file
Symmetric Block algorithm
transposing plaintext to ciphertext in chunks, block by block; fast; large amounts of data; not good for small; software; substitution and transposition function; several alternating rounds; show patterns in large amounts of data; IV to strengthen
Certificate signing
use common certificate authorities; easy, straightforward; user answers simple questions about company
Implementations (Asymmetric)
used with protocols: SSL/TLS; IPsec; VPN (PPTP, L2TP, SSTP); S/MIME and PGP for email; SSH tunnels
Integral cryptanalysis
useful against block ciphers based on substitution-permutation networks; extension of differential cryptanalysis
Public key infrastructure PKI procedure
user, company or system applies to RA for certificate; RA receives request; RA verifies subject's identity; RA requests CA issue certificate to subject; CA issues certificate binding subject identity with public/private keys; CA sends updated information to validation authority (VA)
Transposition cipher (also called an anagram)
which changes the position of characters in the plain text message.
Substitution cipher
which replaces one set of characters with symbols or another character set. A code substitutes hidden words with unrelated terms.
Diffie hellman formula
y = large number < p (~301 digits long); p = large prime number; mod = modulus (remainder resulting from dividing two numbers)