ISMN modules 24-32
what does cryptography detect
-tampering -injection of false data -deletion of data
Data in unscrambled form
Plaintext/Cleartext
The most important goal of any physical security is:
Preserve human life
stream mode cipher •Variable key size
RC4
block mode cipher •Variable block & key size
RC5 and RC6
Digital signatures don't allow for what? • Authentication of the sender • Confidentiality of the message • 3rd party verification of the sender • Detection of modification of a message
Confidentiality of the message
uses several different alphabets to defeat frequency analysis
Polyalphabetic ciphers
Usually 8 byte (64 bit) ASCII text in block ciphers with length a multiple of 8 bits
block cipher
stream ciphers = block ciphers=
both symmetric key ciphers
• Authentication tool to verify a message origin and sender identity. - Resolve authentication issues.
digital signatures
cipher method that uses 1s and 0s
stream ciphers
what are the strengths of symmetric keys
• Very fast which allows for large amounts of data to be encrypted in very little time • Very difficult to break data encrypted with large keys. • Availability - Algorithms and tools used for symmetric encryption are freely available
what is the purpose of cryptography
•Protect sensitive info from disclosure •Identify the corruption/ unauthorized change of info •Make compromise too expensive or time consuming
All of the following are goals of physical security, EXCEPT: -Detain -Delay -Detect -Deter
Detain (the goals are deter, delay, detect, assess, respond)
A camera located outside a server room door supports which of the following physical security objectives? Process Delay Detect Review Detect
Detect
• A mathematical function that is easier to compute in one direction (forward direction) than in the opposite direction (inverse direction). • Forward direction could take seconds, the inverse could take months.
One Way Function (asymmetric)
The most important goal of any BCP is: -Preserve human life -Ensure the survivability of the business -Provide clear guidance for defining a disaster -Minimize the downtime of critical systems
Preserve human life
which cipher mode is better for discrete data
block cipher (discrete & unstructured data)
• Operates on fixed size text blocks - Usually 8-byte (64-bit) ASCII text in block ciphers with length a multiple of 8 bits • Block mode ciphers are generally slower than stream mode • Data Encryption Standard (DES) is best-known block cipher
block ciphers
List of words/phrases (code) with corresponding random groups of numbers/letters (code groups) - Colored flags for navy ships - Morse Code
codes
symmetric key can provide what security function
only encrypt data and restrict its access. It doesn't provide proof of origin or non-repudiation
Uses several different alphabets to defeat frequency analysis
polyalphabetic cipher
what was cryptography originally used for
secrecy
what does the strength of the encryption (DES) rely on
secrecy of the key
Crypto digital "signature" is made by who
sender's private key
The cryptography domain addresses _____ to ensure its Confidentiality, Integrity, Authenticity, Non-repudiation
the principles, means, and methods of disguising information
Higher the key size #,
the stronger the symmetric algorithm
what are the characteristics of stream ciphers
· Long periods with no repeating · Functionally complex · Statistically unpredictable · Statistically unbiased key stream (as many 0s as 1s) · Key stream not linearly related to key
asymmetric key weaknesses
• Computationally intensive • Slow (1000 or more times slower than symmetric)
Why is simple MIC (message integrity controls) (checksum/parity) a weak form of integrity control
- Only detects accidental alteration; forgery possible - Algorithm examines bitstream and calculates MIC value; output appended to bitstream - Receiver must generate new MIC and compare with the original • Addition of Cryptographic functions resists intentional attack
how is a digital signature created
by encrypting a digest or hash value of a message with sender's private key
- The most commonly implemented stream cipher - Variable key size - Highly efficient, much faster than any block cipher - Stream ciphers can be difficult to implement correctly
RC4 (symmetric)
Features data-dependent rotations, variable block size, variable key size, variable number of rounds
RC5 and RC6 (symmetric)
what are the characteristics of block ciphers
· Operates on fixed size text blocks o Usually 8 byte (64 bit) ASCII text in block ciphers with length a multiple of 8 bits · Block mode ciphers are generally slower than stream mode · Data encryption standard (DES) is best known block cipher
what are the security requirements for encrypted email
•Privacy- only the intended recipient can read the message •Integrity- the message cannot have been changed •Authentication-we know the message is from who we expected it from •Non-repudiation- originator cannot deny having sent a message
• DSS (Digital Signature Standard) - DSA (Digital Signature Algorithm) • Uses Secure Hash Algorithm (SHA-1). - Condenses message to 160 bits. • Others include RSA, Nyberg-Rueppel, El Gamal, Fiat-Shamir, and Schnorr
Digital Signature Schemes
• RSA Message Digest • MD2, MD4 and MD5 algorithms • Secure Hash Algorithm - SHA-1, SHA-256, SHA-384, SHA-512 • RIPE MD-160, RIPE MD-128 • TIGER • HAVAL - Supports different Message Digest output sizes between 128 and 256 bits
Hashing Functions - Examples
will use each technology where it is best suited. - Symmetric key algorithm for bulk data encryption. - Asymmetric key algorithm for automated key distribution.
Hybrid systems
• Instead of a single key, there is a 'key pair.' • The two keys are related to each other mathematically. • One of the keys is kept secret (Private key). • The other is made available to everyone (Public key). • 'Computationally infeasible' to derive the private key from knowledge of the public key. • When data is encrypted with either one of the keys, the other key is the only one that can decrypt the ciphertext
asymmetric key cryptography
· Classical substitution ciphers- original Caesar cipher (shift or scramble alphabet) · Transposition (permutation) ciphers- rearranging the letters · Polyalphabetic ciphers- uses several different alphabets to defeat frequency analysis · Running key cipher · One-time pad · Concealment- true letters of plaintext hidden/disguised by device or algorithm · Steganography- art of hiding communications · Codes- list of words/phrases (code) with corresponding random groups of numbers/letters (code groups)
basic methods of encryption
· Operate on fixed size blocks of plain text · More suitably implemented in software to execute on general-purpose computer · Overlap when block operated as stream
block ciphers
• Operate on fixed size blocks of plain text • More suitably implemented in software to execute on general-purpose computer • Overlap when block operated as stream
block ciphers
- Block of data attached to message (document, file, record, etc.). • Binds message to individual whose signature can be verified. - By receiver or third party. - Difficult to forge.
digital signatures
• Used to condense arbitrary length messages and produce fixed-size representation of message. • Used for subsequent signature by a digital signature algorithm.
hash function
- Should be one-way (messages cannot be generated from their signature) - It should be computationally infeasible to compute the same hash value on two different messages - Should resist birthday attacks
hash functions
-means that the hash function should be designed in such a way that it is computationally difficult for an attacker to find two different inputs that produce the same hash value (a collision). -This concept is related to the birthday paradox or birthday problem, which describes the likelihood of two people in a group sharing the same birthday
meaning of: hash functions should be able to resist birthday attacks
• Art of hiding communications - Deny message exists - Data hidden in picture files, sound files, slack space on floppies • i.e., least significant bits of bitmap image can be used to hide messages, usually without material change to original file
steganography
· operate on continuous streams of plain text (as 1's and 0's) · Usually implemented in hardware · Well suited for serial communications
stream ciphers
• Operate on continuous streams of plain text (as 1's and 0's). • Usually implemented in hardware. • Well suited for serial communications.
stream ciphers
• Also referred to as private key/single key/secret key • Uses a single key shared by originator and receiver • Algorithms include: Rijndael, DES, Triple DES, Blowfish, IDEA, RC4, RC6, SAFER, Serpent, Twofish, etc.
symmetric key cryptography
Crypto digital "signature" is decrypted by who
the sender's public key
encryption systems subtopics
• Classical substitution ciphers • Transposition (permutation) ciphers • Polyalphabetic ciphers • Running key cipher • One-time pad • Concealment • Steganography • Codes
what are the weaknesses of symmetric keys
• Key management and implementation - Ensure that sender and receiver can agree upon a key, and how they exchange a key. • Key Distribution - Same key used to both encrypt and decrypt. - Requires very secure mechanism for key distribution. - Keys and data must be delivered separately. • Scalability - Since a unique symmetric key must be used between the sender and each recipient, number of keys grows exponentially with the number of users : N (N-1) / 2 • Limited security - Symmetric keys only encrypt data and restrict its access. - Does not provide proof of origin or non-repudiation.
asymmetric key strengths
• Provides efficient encryption and digital signature services • Efficient symmetric key distribution • Scalability - Only two keys needed per user • 1,000 people need total of 2,000 keys (easier to manage than the 499,500 needed for symmetric)
what are digital signature benefits
• Provides non-repudiation. - Ensures that the sender cannot deny sending the message. - Recipient cannot claim receiving a different message than the original. • Used to authenticate software, data, images, users, machines. - Protects software against viruses. - A smart card with a digital signature can verify a user to a computer. (non-repudiation & authentication)
what are symmetric and asymmetric algorithms good at
• Symmetric algorithms: fast and strong (given sufficiently long keys). • Asymmetric algorithms: good at key management, but terribly slow.
asymmetric key can provide what security elements
•Confidentiality/Privacy (Data cannot be decrypted without the appropriate private key) • Access Control (The private key should be limited to one person) • Authentication (Identity of sender is confirmed) • Integrity (Data has not been tampered with) • Non-repudiation (Sender cannot deny sending)
asymmetric key can provide what security function
•Confidentiality/Privacy (Data cannot be decrypted without the appropriate private key) • Access Control (The private key should be limited to one person) • Authentication (Identity of sender is confirmed) • Integrity (Data has not been tampered with) • Non-repudiation (Sender cannot deny sending)
what does cryptography prevent
-unauthorized disclosure of info -unauthorized access to info, computers, websites, applications, etc. -repudiation
how many bits is a block cipher typically
64 bits (8 bits that uses 8 bytes)
Which of the following examples would best fit the "Deter" goal of physical security? -An ultrasonic sensor system that is deployed on the loading dock at the rear of a manufacturing facility -A biometric lock system installed at an entry door in a building -A dry pipe sprinkler system that is installed in a data center server room -A sign on a fence that reads "WARNING: Electrified Fence" that is installed around the HVAC system on the side of a building
A sign on a fence that reads "WARNING: Electrified Fence" that is installed around the HVAC system on the side of a building
Asymmetric key cryptography is based on what
'trap-door one way functions'
DES cryptanalysis assumptions
- Algorithm is known by the adversary. The strength of the encryption relies on the secrecy of the key (Kerckhoffs's Principle). - Adversary must try all possible keys to find which one was used.
Good cryptographic hash functions should have the following properties:
- Be unable to compute hash value of two messages combined given their individual hash values. - Hash should be computed on the entire message
asymmetric algorithms using discrete logarithms in a finite field problem
- Diffie-Hellman - ECC (Elliptic Curve Cryptosystems) - DSS (Digital Signature Standard) - El Gamal - LUC
Public key (asymmetric) systems are based on problems that are difficult to solve (hard problems):
- Factoring the product of large prime integers - Discrete log problem (difficulty of taking logarithms in finite fields)
A stream cipher algorithm should have these features:
- Long periods with no repeating - Functionally complex - Statistically unpredictable - Statistically unbiased keystream • As many 0's as 1's - Keystream not linearly related to key
how do you verify a message using digital signature
- Receiver computes digest of received message - Decrypts the signature with the sender's public key to extract the original sender's digest - Verifies if the recomputed and decrypted digests match
example of Concealment Cipher
-Example: divide message • Use 1 word at a time • Have it appear as every sixth word in a sentence • Message: "Buy gold now" • Sentence: "I have been trying to BUY you a nice gift like GOLD or an antique but prices NOW are really high."
what is cryptography used for now
-Prevent unauthorized disclosure of information -Prevent unauthorized access to information, computers, web sites, applications, etc. - Detect tampering - Detect injection of false data - Detect deletion of data - Prevent repudiation
what should good hash functions be able and unable to do
-Unable to: compute hash value of two messages combined given their individual hash values. -Able to: be computed on the entire message
what are hash functions used for
-condense arbitrary length messages and produce fixed-size representation of message -subsequent signature by a digital signature algorithm
list of the weaknesses of symmetric keys
-key management & implementation -key distribution -scalability -limited security
block mode cipher •128, 192, and 256 bits- block size •128, 192, and 256 bits- key size
AES
What is the initial requirement to be performed in establishing a business continuity plan? -Agree on the scope of the plan -Determine the site to be used during a disaster -Demonstrate adherence to standard disaster recovery process -Identify the applications to be run during a disaster
Agree on the scope of the plan
Mathematical function that takes plaintext and a key as input and produces ciphertext as output
Algorithm
set of rules by which enciphering and deciphering is done
Algorithm
block mode cipher •64- bit block size •448- bit key size •32-bit microprocessor
Blowfish
- Highly efficient block cipher - Key length up to 448 bits - 64 bit block size - Optimized for 32 bit microprocessors
Blowfish (symmetric)
Scrambled data
Ciphertext/Cryptogram
original Caesar cipher (shift or scramble alphabet)
Classical substitution ciphers
list of words/ phrases (code) with corresponding random groups of numbers/ letters (code groups)
Codes
true letters of plaintext hidden/ disguised by device or algorithm
Concealment
True letters of plaintext hidden/disguised by device or algorithm
Concealment Cipher
Reduction or solution of secret messages without knowledge of the system or the key or the possession of a code book
Cryptanalysis
practice of defeating attempts to hide information
Cryptanalysis
- Art and science of writing secrets. - Storing and transmitting information in a form that allows it to be revealed only to those intended. - Accomplished by crypto system.
Cryptography
includes both cryptography and cryptanalysis
Cryptology
Best known block cipher
DES
block mode cipher •64-bit block size •56-bit key size plus 8 parity bits •16 rounds transposition & substitution
DES
first cryptographic process created. all other processes are based off of this
DES
Descrambling with key
Decipher/Decrypt/Decode
Act of scrambling using key
Encipher/Encrypt/Encode
Using asymmetric (public key) encryption to provide the recipient of a message with "proof of origin" requires that the sender -Encrypt the message with the sender's private key -For asymmetric encryption, the sender's private key is encrypted with a digital signature -The recipient verifies the digital signature by decrypting the sender's public key -Sender uses their private key to create digital signature not to encrypt the message. This allows the recipient to verify the authenticity which provides proof of origin
Encrypt the message with the sender's private key. If the entire message was encrypted with the sender's private key rather than public > the contents of the message would have to be disclosed. Using asymmetric (private key) encryption to provide the recipient of a message with "proof of origin" usually isn't used.
A stream mode cipher would be most applicable for which of the following tasks? -Encrypting a real-time broadcast of a digital video conference between heads of state -Encrypting intra-company emails that contain proprietary information regarding the development of a new product -Encrypting electronic transactions between consumers and an e-commerce website -Encrypting the transmission of a downloadable corporate payroll file to an outsource payroll processor
Encrypting a real-time broadcast of a digital video conference between heads of state
Which of the following best describes a hot site? •Fully equipped back up center with external interfaces (power, water etc.) and telecommunications, as well as complete computing resources on site •Parallel processing location with actively running identical systems •Prepared off site storage location containing basic facilities such as data connections and telecommunications but no computing resources •Relocation of equipment during critical times
Fully equipped back up center with external interfaces (power, water etc.) and telecommunications, as well as complete computing resources on site
Which of the following best explains BIA (business impact analysis)? -It is the process of analyzing all business functions to determine the effect of IT outages in the business -It is the process of updating the functions of the business after a disaster -It is the process of documenting events during a disaster -It is the process of managing the recovery at non-primary business sites
It is the process of analyzing all business functions to determine the effect of IT outages in the business
Which of the following is NOT a key strategy for developing a physical security program? -Surveillance with high visual control -Management support for physical measurements of security -Controlled flow of movement through limited access -Territoriality culture among employees
Management support for physical measurements of security
In order of least allowable downtime to most allowable downtime, rank these recovery strategies: -Mirror Site, Hot Site, Warm Site, Cold Site -Warm Site, Cold Site, Hot Site, Mirror Site -Mirror Site, Cold Site, Warm Site, Hot Site -Cold Site, Warm Site, Hot Site, Mirror Site
Mirror Site, Hot Site, Warm Site, Cold Site
parallel processing location with actively running identical systems
Mirror site
- Public key: gives info about the function. - Private key: gives info about the trap door. - Whoever knows the trap door can compute function easily in both directions. - Anyone lacking trap door can only go easily in the forward direction. - Forward direction used for encryption and signature verification - Inverse direction used for decryption and signature generation
One Way Function
Examples of types of physical access controls include all of the following EXCEPT: -Passwords -Gates -Locks -Guard stations
Passwords (technical or logical)
asymmetric algorithms using factoring problem
RSA
• Block cipher that can be implemented very efficiently on a wide variety of processors and hardware. • Supports block and key sizes of 128, 192, and 256 bits . • Under FIPS 197, a block size of 128 and a key length of 128, 192 and 256 are approved for use. • Variable number of rounds, each round containing 4 steps (Byte Sub, Shift Row, Mix Column, Add Round Key).
Rijndael (AES)
identifies sender and verifies integrity of the message
Signature decryption
What is a weak form of integrity control
Simple MIC (message integrity controls) checksum/parity
art of hiding communications
Steganography
Which of the following is true regarding symmetric cryptography? · In large groups of users, it's easy to manage the keys · The same key is used by both the sender (encryptor) and receiver (decryptor) · The key must be made available to a 3rd party escrow authority · Symmetric cryptography supports non-repudiation
The same key is used by both the sender (encryptor) and receiver (decryptor). Key escrow is typically associated with asymmetric cryptography (managing private key). Non-repudiation is associated with asymmetric cryptography.
Algorithm is known by the adversary (threat). The strength of the encryption relies on the secrecy of the key (Kerckhoffs's Principle)
cryptanalysis
rearranging the letters
Transposition (permutation) ciphers
a one way function for which the inverse direction is easy given a piece of information
Trap-door one way function
Prepared off site storage location containing basic facilities such as data connections and telecommunications but no computing resources
Warm site
- Mathematical Problems - One Way Functions - Secure Message - Open Message - Secure and Signed Message - RSA - Elliptic Curve (ECC) - Diffie-Hellman - El Gamal - Others
asymmetric encryption systems subtopics
- trying to break cryptography - practice of defeating attempts to hide information - reduction or solution of secret messages without knowledge of the system or the key or the possession of a code book
cryptanalysis (cracking the code)
Storing and transmitting information in a form that allows it to be revealed only to those intended
cryptography
combination of applying cryptography techniques and breaking cryptography techniques through cryptanalysis
cryptology
• Block mode cipher • 64-bit input and output block size • 56-bit true key plus 8 parity bits - Seventy-two quadrillion possible keys • 16 rounds of transposition and substitution to encrypt and decrypt
data encryption standard (DES)
- Each user has public-private key pair • Private key signs (creates signature), public key verifies it. - A digital signature is created by encrypting a digest or hash value of a message with the sender's private key
digital signature
• To "sign" a message - Sender computes digest of message • Using public hash function - Crypto "signature" is made by sender's private key • Applied to digest creates digital signature - Digital signature sent along with message - The message itself is not made private
digital signature operation