Chapter 10 Understanding Cryptography
Certificates
a digital document that includes the public key and information on the owner of the certificate. Certificate authorities (CAs) issue and manage certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
Blowfish
Blowfish is a strong symmetric block cipher and has a 64-bit block size and a variable key length from 32 bits up to 448 bits.
Encrypting HTTPS Traffic with SSL and TLS
HTTP Secure (HTTPS) is commonly used on the Internet to secure web traffic. HTTPS can use either SSL or TLS to encrypt the traffic, and both use asymmetric and symmetric encryption.
One-Time Pad
One-time pads are hardcopy printouts of keys in a pad of paper. Keys are distributed in these printed pads and keys are destroyed after a single use. Users have a token that displays a number on an LCD display and changes every sixty seconds.
RSA
RSA is widely used to protect Internet traffic, including e-mail. It relies on the mathematical properties of prime numbers when creating public and private keys. These keys are commonly used with asymmetric encryption to privately share a symmetric key.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
RIPEMD-160 creates 160-bit fixed size hashes. Other versions create hash sizes of 128 bits, 256 bits, and 320 bits.
Secure Hash Algorithm (SHA)
SHA also verifies file integrity. There are several variations of SHA grouped into three families: SHA-0, SHA-1, SHA-2, and SHA-3. SHA-0 is not used. SHA-1 is an updated version that creates 160-bit hashes. This is similar to the MD5 hash except that it creates 160-bit hashes instead of 128-bit hashes. SHA-2 improved SHA-1 to overcome potential weaknesses. It includes four versions: SHA-224, SHA-256, SHA-384, and SHA-512. The numbers represent the number of bits in the hash. For example, SHA-256 creates 256-bit hashes. SHA-3 is currently in development. The National Institute of Standards and Technology (NIST) is evaluating several potential versions in a NIST hash function competition, and it's expected to pick the winner in 2012.
RC4
Strong symmetric stream cipher. Secure Sockets Layer (SSL) uses RC4 for symmetric encryption in HTTPS connections, and helps secure millions of web connections daily. If RC4 was weak, it wouldn't be used with HTTPS.
LAN Manager (LANMAN)
The LANMAN protocol stores passwords using an LM hash of the password. It first divides the password into two seven-character blocks, and then converts all lower case letters to upper case.
Encrypting E-mail
The recipient's public key encrypts when encrypting an e-mail message. The recipient uses the recipient's private key to decrypt an encrypted e-mail message. In most cases, the public key doesn't actually encrypt the message, but instead encrypts a symmetric key used to encrypt the e-mail. The recipient then uses the private key to decrypt the symmetric key, and then uses the symmetric key to decrypt the e-mail.
New Technology LAN Manager (NTLM)
There are two versions of NTLM: NTLM (or NTLMv1) and NTLMv2. NTLMv2 uses a completely different process and uses the more secure MD5 algorithm. NTLMv2 is significantly complex, making it infeasible to crack using current technologies.
Hash-based Message Authentication Code (HMAC)
a fixed length string of bits similar to other hashing algorithms such as MD5 and SHA-1 (known as HMACMD5 and HMAC-SHA1). However, HMAC also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key.
Diffie-Hellman
a key exchange algorithm used to privately share a symmetric key between two parties. Once the two parties know the symmetric key, they use symmetric encryption to encrypt the data.
hash
a number derived from performing a calculation on data, such as a message or file. If the data is unchanged, the hash will always be the same no matter how many times the hash is calculated. You can verify integrity with hashing. The hash is used to verify that data is not modified, tampered with, or corrupted. In other words, you can verify the data has maintained integrity.
3DES (pronounced as Triple DES)
a symmetric block cipher designed as an improvement over the known weaknesses of DES. In basic terms, it encrypts data using the DES algorithm in three separate passes and uses multiple keys. 3DES uses key sizes of 56 bits, 112 bits, or 168 bits.
TwoFish
a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Hashing algorithms
always provide a fixed size bit-string regardless of the size of the hashed data. By comparing the hashes at two different times, you can verify integrity of the data.
Message Digest 5 (MD5)
common hashing algorithm that produces a 128-bit hash.
Elliptic curve cryptography (ECC)
commonly used with small wireless devices since it doesn't take much processing power to achieve the desired security. It uses smaller key sizes and requires less processing power than many other encryption methods.
Stream ciphers
encrypt data as a stream of bits rather than dividing it into blocks. An important principle when using a stream cipher is that encryption keys should never be reused. If a key is reused, it is easier to crack the encryption.
digital signature
encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying they sent the e-mail.
Secure Sockets Layer (SSL)
encryption protocol used to encrypt Internet traffic. SSL provides certificate-based authentication and encrypts data with a combination of both symmetric and asymmetric encryption during a session. It uses asymmetric encryption to privately share a session key, and symmetric encryption to encrypt data displayed on the web page and transmitted during the session.
block cipher
encrypts data in specific sized blocks, such as 64-bit blocks or 128-bit blocks. The block cipher divides large files or messages into these blocks and then encrypts each individual block separately.
Public Key Infrastructure (PKI)
group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A primary benefit of a PKI is that it allows two people or entities to communicate securely without knowing each other previously. In other words, it allows them to communicate securely through an insecure public medium such as the Internet.
Steganography
hides data inside other data, or, as some people have said, it hides data in plain sight. Security professionals use hashing to detect changes in files that may indicate the use of steganography.
Advanced Encryption Standard (AES)
is a strong symmetric block cipher. AES can use key sizes of 128 bits, 192 bits, or 256 bits and it's sometimes referred to as AES-128, AES-192, or AES-256 to identify how many bits are used in the key. When more bits are used, it makes it more difficult to discover the key. AES-128 provides strong protection but AES-256 provides stronger protection.
Pretty Good Privacy (PGP)
method used to secure e-mail communication. It can encrypt, decrypt, and digitally sign e-mail. Each of the PGP versions use the RSA algorithm and public and private keys for encryption and decryption. Just like S/MIME, PGP uses both asymmetric and symmetric encryption.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
one of the most popular standards used to digitally sign and encrypt e-mail. S/MIME uses RSA for asymmetric encryption and AES for symmetric encryption. It can encrypt e-mail at rest (stored on a drive) and in transit (data sent over the network). Since S/MIME uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certificates.
Data Encryption Standard (DES)
only 56 bits and can be broken with brute force attacks.
Transport Layer Security (TLS)
replacement for SSL and is widely used in many different applications. TLS provides certificate-based authentication and uses both asymmetric and symmetric encryption. It uses asymmetric encryption to privately share a symmetric key and uses symmetric encryption to encrypt data in the web session. Both TLS and SSL require certificates issued by certificate authorities (CAs).
Symmetric encryption
uses the same key to encrypt and decrypt data. Symmetric encryption is also called secret-key encryption or session-key encryption. For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media. Symmetric encryption is much more efficient at encrypting large amounts of data than asymmetric encryption. Similarly, symmetric encryption uses a single key to encrypt and decrypt data. If a copy of the symmetric key is shared, others that have the key can also encrypt and decrypt data.
Asymmetric Encryption
uses two keys in a matched pair to encrypt and decrypt data—a public key and a private key. There are several important points to remember with these keys: If the public key encrypts information, only the matching private key can decrypt the same information. If the private key encrypts information, only the matching public key can decrypt the same information. Private keys are always kept private and never shared. Public keys are freely shared by embedding them in a certificate. Some protocols that use asymmetric cryptography include: SSL and TLS RSA and Diffie Hellman S/MIME and PGP/GPG Elliptic curve cryptography