CISSP Chapter 6 - Cryptography & Symmetric Key Algorithms
Serpent Block Cipher
- 128, 192, and 256 bit keys that operate on 128 bit data blocks - Uses 32 rounds working with a block of 4 32-bit words - Each round applies 1 of 8 4-bit to 4-bit S-boxes 32 times in parallel
ECB (Electronic Code Book)
- The most basic encryption mode - Message is divided into blocks that are encrypted separately - The same plaintext always gives the same ciphertext - Attackers can analyze to derive the key
Attacks on Cryptosystems
- Ciphertext only attacks - Known Plaintext Attack - Chosen Plaintext Attack - Man In the Middle Attack - Dictionary Attack - Side Channel
Blowfish Block Cipher
- Designed by Bruce Schneier - Optimized for applications where key doesn't change often - VARIABLE length keys (32 to 448 bits) and operates on 64-bit data blocks
ARIA Block Cipher
- Designed by South Korea in 2004 - Similar to AES - 128, 192, and 256 bit keys that operate on 128 bit data blocks
Skipjack Block Cipher
- Designed for the Clipper Chip - Clipper chip has built-in encryption meant for law enforcement to decrypt data if needed - 80-bit keys and operates on 64-bit data blocks
PGP (Pretty Good Privacy)
- Free low cost email encryption - Uses symmetric and asymmetric encryption - Generates self-signed certificates
IDEA Block Cipher
- International Data Encryption Algorithm (IDEA) - Designed by Xuejia Lai and James Massey - 128-bit keys and operates on 64-bit data blocks - Faster than DES and quite secure
RSA Encryption
- Rivest, Shamir, and Adleman. - An asymmetric algorithm used to encrypt data and digitally sign transmissions. - Uses both a public key and a private key in a matched pair.
Three phases of the key lifecycle
- Setup and installation - Administration - Cancellation
Popular Symmetric Block Encryption Algorithms
- The Feistel Network - DES - 3DES - AES - Blowfish - Skipjack - IDEA - Serpent
Randomly selected Public Key (e) condition
1) Must be between 1 and the value of φ(n), i.e. < φ(n) OR 2) The GCD(e, φ(n)) must = 1
Trust models
1. Single Authority 2. Hierarchical 3. Web of Trust
Cipher
An algorithm that transforms plaintext to ciphertext
Rainbow Tables
In password cracking, a set of precalculated encrypted passwords located in a lookup table.
Key
Information used in a cipher that is known only to the sender or receiver
PKI
Involves: - Public-key cryptography standards - Trust models - Key management
encipher
To convert plaintext to ciphertext by means of a cryptographic system.
Decryption formula
m = c to the power of d mod n
PKCS (Public Key Cryptography Standards)
A set of protocol standards developed by a consortium of vendors to send information over the Internet in a secure manner using a PKI.
AES Block Cipher
Advanced Encryption Standard for US Govt - Replaces DES and specifies 3 key sizes: - 128, 192, and 256 bit keys that operate on 128 bit data blocks
ElGamal
Based on Diffie-Hellman and was invented in 1984 by Taher Elgamal. Comprised of 3 parts: - Key generator - Encryption algorithm - Decryption algorithm
Encryption formula
c = m to the power of e mod n
single-sided certificate
Contains both the signature and encryption information
Atbash Cipher
Invented by the Hebrews. Single substitution monoalphabetic cipher that substitutes each letter with its reverse (a and z, b and y, etc).
Diffie-Hellman key exchange
Invented in the 1970s, it was the first practical asymmetric method for establishing a shared secret key over an unprotected communications channel.
ROT13 cipher
This more recent cipher uses the same mechanism as the Caesar cipher but moves each letter 13 places forward
Decipher
To recover plaintext from ciphertext
RSA Concepts
To understand RSA, you need to understand 4 concepts: - Prime - Co-Prime - Euler's Totient - Modulus operation
Key Space
Total number of possible values of keys
SHA-2
Two similar hash functions with different block sizes known as SHA-256 and SHA-512 - SHA-256 (32 byte word sizes or 256 bits) - SHA-512 (64 bytes word sizes or 512 bits) Also truncated versions SHA-224 and SHA-384 exist
Plaintext
normal text that has not been encrypted
TPM Trusted Platform Module
A chip on a motherboard that holds an encryption key required at startup to access encrypted data on the hard drive. Windows BitLocker Encryption can use the TPM chip.
Block Cipher
A cipher that manipulates entire blocks or chunks consisting of many bytes of plaintext at one time.
digital certificate
A data file that identifies individuals or organizations online and is comparable to a digital signature.
dual-sided certificate
A digital certificate in which the functionality is split between two certificates, the signing and encryption certificates.
Certificate Practice Statement (CPS)
A document that describes in detail how a CA uses and manages certificates, as well as how end users register for a digital certificate.
Initialization Vector (IV)
A fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom.
Cryptographic hash
A function that is one-way (nonreversible), has a fixed length output, and is collision resistant.
CRL (Certificate Revocation List)
A list of certificates that are no longer valid.
Triple DES (3DES) Block Cipher
A more-secure variant of DES that repeatedly encodes the message using three separate DES keys (168-bit long). More secure than DES but considerably slower.
Message Authentication Code (MAC)
A small block of data that is generated using a secret key and then appended to the message to protect integrity. Types include: - HMAC - CBC-MAC
Ciphertext
A string of text that has been converted to a secure form using encryption.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates.
Asymmetric Encryption
A type of encryption based on algorithms that require two keys; one of which is secret (or private) and one of which is public (freely known to others).
Elliptical Curve Cryptography (ECC)
An algorithm that combines plane geometry with algebra to achieve stronger authentication with smaller keys compared to traditional methods, such as RSA, which primarily use algebraic factoring. Smaller keys are more suitable to mobile devices.
PRNG (Pseudo Random Number Generator)
An algorithm that generates a sequence of numbers that seems random but is actually completely predictable. PRNGs are used as: - The nonce in a stream cipher - The cipher key in a block cipher - The input for a MAC
Digital Signature
An encrypted code that a person, website, or organization attaches to an electronic message to verify the identity of the message sender. Encryption of a message performed using the sender's private key. The recipient uses the sender's public key to verify the message.
Symmetric Encryption
An encryption method in which the same key is used to encrypt and decrypt a message. Also known as private-key encryption.
Stream Cipher
An encryption method that encrypts a single bit at a time. Popular when data comes in long streams (such as with older wireless networks or cell phones).
PKI (Public Key Infrastructure)
An encryption system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of verifying authenticity and enabling validation of data and entities.
Scytale Cipher
Ancient encryption tool, consisting of a type of paper and a rod, used by Greek military factions.
Rail Fence Cipher
Ciphers that write message letters out diagonally over a number of rows then read off cipher row by row. Row 1: E I T E I Y; Row 2: X T H C T; Ciphertext = EITEIYXTHCT; Plaintext = Exit the city
DES Block Cipher
Data Encryption Standard - the most popular symmetric block encryption cipher in the past, developed by IBM and the US Govt. Now considered weak - 56-bit key
PGP Certificate Components
Defines its own format. A single key can contain multiple signatures. - PGP version number - Certificate holder's public key - Certificate holder's information - Digital signature of certificate owner - Certificate validity period - Preferred symmetric encryption algorithm for the key
DSA
Digital Signature Algorithm
File and drive encryption
- FDE: Full disk encryption - SED: Self-encrypting drive - HSM: Hardware security module (a physical device that safeguards and manages digital keys)
FIPS
Federal Information Processing Standards - FIPS 140: Cryptographic modules - FIPS 186: Digital signatures - FIPS 197: AES - FIPS 201: Identity verification
Digital certificate management
For Alice and Bob to use asymmetric cryptography: - Alice and Bob must generate a public and private key - A CA or RA must verify their identities - The certificates must be placed in a CR - When they expire they must be placed on a CRL. All of these are done by PKI.
Calculate the value of the Private Key (d) where K < e
Formula for each iteration (K): d = (1 + K * φ(n)) / e
Prime Numbers, Modulus, Totient
Prime: Choose 2 large prime numbers (factors are 1 and itself only) (p, q). Modulus: n = p x q. Totient: φ(n) = (p-1) x (q-1)
Hash - Salt
Random bits added to further secure encryption or hashing, most often encountered with hashing to prevent rainbow table attacks.
The Enigma Machine
Rotor-based cipher system used by Germans in WWI and WWII. Operator would pass a key and the encrypted ciphertext for the plaintext was altered each time. A multi-alphabet cipher consisting of 26 possible alphabets.
Cryptology
The discipline of both Cryptography and Cryptanalysis
SHA-3
The most recent iteration of SHA. It was developed by private designers for a public competition in 2012. SHA-3 is very different in design from SHA-2, even though it uses the same 256- and 512-bit hash lengths.
X.509
The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU).
Cryptography
The study and use of encryption principles and methods
Cryptanalysis
The study of principles and methods of deciphering ciphertext without knowing the key
Vigenère cipher (Vee-zha-nair)
a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword. Example: https://www.geeksforgeeks.org/vigenere-cipher/
Caesar Cipher
letter-by-letter method to make a cipher. For example, for each letter, substitute another letter 4 letters ahead. For "a", write "d".
Steganography
the art and science of hiding information by embedding messages within other, seemingly harmless messages. The most common implementation utilizes the least significant bit without altering the original file in a noticeable way.
Key stretching/key strengthening
used to ensure that a weak key is not a victim of a brute force attack. - Special algorithm used to convert a weak password into stronger keys by "stretching" it longer - Common algorithms: PBKDF2 and bcrypt