Sec+ Chapter 10: Understanding Cryptography


Two common key stretching techniques:

1. bcrypt
-based on the Blowfish block cipher, bcrypt is used on many Unix and Linux distributions to protect the passwords stored in the shadow password file.
-bcrypt salts the password by adding additional bits before encrypting with Blowfish.
2. PBKDF2
-many algorithms such as WPA2, iOS, and Cisco OSs use PBKDF2 to increase the security of passwords.
-adds a salt of at least 64 bits.

Message Digest 5/MD5

A common hashing algorithm that produces a 128-bit hash. Commonly shown in hexadecimal format instead of a stream of 1s and 0s.

Data Encryption Standard/DES

A symmetric block cipher used for many years, dating back to the 1970s.
Method: 64-bit block cipher
Key size: 56-bit key
Not recommended for current use. Can be broken with brute force attacks.

Rivest Cipher/RC4

A symmetric stream cipher that has seen heavy use in SSL and TLS when encrypting HTTPS traffic online.
Method: stream cipher
Key size: 40 to 2,048 bits
Experts have speculated that the NSA can break RC4, even when implemented correctly, so they recommend switching to AES.

LANMAN disabled by default on OSs:

Windows Vista
Windows 7
Windows 8
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2

Authentication

Validates an identity.

Revoking Certificates

Certificates can be revoked before they expire on their Valid To date.
Examples:
-if a private key is publicly available, the key pair is compromised.
-if the CA is compromised through a security breach, any certificates issued by the CA may be compromised.
-change of affiliation
-superseded
-cease of operation
-certificate hold
CAs use certificate revocation lists (CRLs) to revoke a certificate. The CRL is a version 2 certificate that includes a list of revoked certificates by serial number.

HMAC-MD5

Creates 128-bit hashes. Provides integrity and authenticity.

HTTPS Encryption Steps

1. Client requests secure session.
-by entering an HTTPS address or clicking on an HTTPS link.
2. Server responds with a certificate.
-certificate includes the server's public key; the matching private key is on the server and only accessible by the server.
3. Client creates symmetric key and encrypts it with public key.
4. Encrypted symmetric key sent to the server.
-only the server's private key can decrypt this.
5. Server decrypts symmetric key with private key.
-at this point, both the client and server know the session key.
6. The session is encrypted with the session key using symmetric encryption.

Example of how a large certificate trust chain works:

1. The root CA issues certificates to intermediate CAs.
2. Intermediate CAs issue certificates to child CAs.
3. Child CAs issue certificates to devices or end users.

Cipher implementation examples

1. You need to configure transport encryption to protect data to and from a server hosting financial data. What would you choose?
A. You would want to use TLS instead of SSL because it is an update to SSL and TLS is stronger.
2. You are configuring a web site to use HTTPS.
A. You would implement both TLS and SSL with a preference for TLS. This ensures all clients can connect, even if their systems don't support TLS.

Signing Email with Digital Signatures

A digital signature is an encrypted hash of a message, encrypted with the sender's private key. If the recipient of a digitally signed email can decrypt the hash, it provides the following security benefits:
Authentication
-identifies the sender of the email, giving the recipient assurances the email actually came from who it appears to be coming from.
Non-repudiation
-the sender cannot deny sending the message.
-sometimes required with online transactions
Integrity
-provides assurances that the message has not been modified or corrupted.
-recipients know that the message they received is the same as the sent message

Public Key Infrastructure/PKI Components

A group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Primary benefit of PKI is that it allows two people/entities to communicate securely without knowing each other previously. I.e. it allows them to communicate securely through an insecure public medium such as the internet.

One-Time Pad cipher

A hard copy printout of keys in a pad of paper. Each piece of paper in the pad has a single key along with a serial number that identifies the page. Considered to be one of the most secure algorithms, though it is labor intensive. E.g. Lisa & Bart are spies that have matching one-time pads. Lisa can create a message and encrypt it with a key from one of her pages in her pad. She includes the serial number of the page and sends the encrypted message and the serial number to Bart. She then destroys the page she used to create the message. Bart then takes the serial number and finds the decryption page. After decrypting the message, he destroys the key page as well.

Certificates

A key element of asymmetric encryption. A certificate is a digital document that includes the public key and information on the owner of the certificate. Certificate Authorities (CAs) issue and manage certificates. Used in a variety of ways, including encryption, authentication, and digital signatures.

Diffie-Hellman

A key exchange algorithm used to privately share a symmetric key between two parties over a public network. Once the two parties know the symmetric key, they use symmetric encryption to encrypt the data. Diffie-Hellman methods support both static keys and ephemeral keys. RSA is based on the Diffie-Hellman key exchange concepts using static keys.
Two Diffie-Hellman methods that use ephemeral keys are:
1. DHE/Diffie-Hellman Ephemeral
-uses ephemeral keys, generating different keys for each session.
-could also be listed as Ephemeral Diffie-Hellman (EDH)
2. ECDHE/Elliptic Curve Diffie-Hellman Ephemeral
-uses ephemeral keys generated using ECC.
-another version, Elliptic Curve Diffie-Hellman (ECDH), uses static keys.

Recovery Agent

A key recovery agent is a designated individual who can recover or restore cryptographic keys. In the context of PKI, a recovery agent can recover private keys to access encrypted data. In some cases, a recovery agent can recover encrypted data using a different key. E.g. Microsoft's BitLocker supports encryption of entire drives, and it's possible to add a data recovery agent field when creating a BitLocker encrypted drive.

Hash

A number derived from performing a calculation on data, such as a message, patch, or update file. Sometimes listed as a checksum. Creates a fixed-size string of bits or hexadecimal characters, which cannot be reversed to re-create the original data. No matter how many times you execute the hashing algorithm against the data, the hash will always be the same as long as the data is the same.

TLS/Transport Layer Security

A replacement for SSL. TLS 1.0 is based on SSL 3.0, and is referred to as SSL 3.1. Similarly, each update to TLS indicates it is an update to SSL. E.g. TLS 1.1 = SSL 3.2, TLS 1.2 = SSL 3.3. Also provides certificate-based authentication and uses both asymmetric and symmetric encryption. Uses asymmetric encryption to privately share a symmetric key and uses symmetric encryption to encrypt data in the web session. A CA (certificate authority) is required to support TLS and SSL. Many other applications use TLS, such as FTP and SMTP just as SSL does.

Blowfish

A strong symmetric block cipher still widely used today. Designed to replace DES.
Method: 64-bit block cipher
Key size: 32 to 448 bits
Can be faster than AES, especially AES-256, since it encrypts data in 64-bit blocks and AES encrypts in 128-bit blocks.

Advanced Encryption Standard/AES

A strong symmetric block cipher that encrypts data in 128-bit blocks.
Method: 128-bit block cipher
Key size: 128-, 192-, or 256-bit key
AES can use key sizes of 128, 192, or 256 bits, and is sometimes referred to as AES-128, AES-192, or AES-256 to identify how many bits are used in the key.

Triple Data Encryption Standard/3DES

A symmetric block cipher designed as an improvement over the weaknesses of DES. Encrypts data in three separate passes with the DES algorithm, and uses multiple keys.
Method: 64-bit block cipher
Key size: 56-, 112-, or 168-bit key
More resource intensive than AES.

Key stretching

A technique used to increase the strength of stored passwords (AKA salting passwords by adding extra bits). Helps to prevent brute force and rainbow table attacks.

RSA

An asymmetric encryption method using both a public key and a private key in a matched pair. Widely used on the internet due to its strong security to protect data such as email and other data. Uses static keys. E.g. email applications often use RSA to privately share a symmetric key between two systems. The application uses the recipient's public key to encrypt a symmetric key, and the recipient's private key decrypts it.

SSL/Secure Sockets Layer

An encryption protocol used to encrypt Internet traffic. HTTPS uses SSL in secure web browser sessions. SSL can encrypt other transmissions such as File Transfer Protocol Secure (FTPS). Provides certificate-based authentication and encrypts data with a combination of both symmetric and asymmetric encryption during a session. Uses asymmetric encryption to privately share a session key and symmetric encryption to encrypt data displayed on the web page and transmitted during the session. A CA (certificate authority) is required to support SSL.

Hash-based Message Authentication Code/HMAC

Another method used to provide integrity and authenticity. Is a fixed-length string of bits similar to other hashing algorithms. Also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key. IPsec and TLS often use a version of HMAC such as HMAC-MD5 and HMAC-SHA1.

Cipher Suites

Are a combination of cryptographic algorithms that provide several layers of security for TLS and SSL. When two systems connect, they identify a cipher suite that is acceptable to both systems and then use the protocols within that suite, picking the common suite that is ranked the highest on their lists. The protocols within the suite provide three primary cryptographic solutions, which are:
1. Encryption
-provides confidentiality of the data.
-TLS and SSL use asymmetric cryptography to privately exchange a symmetric key and then encrypt the data with a symmetric algorithm.
-TLS and SSL support several types of symmetric encryption, including RC4, 3DES, and AES.
2. Authentication
-TLS and SSL use certificates for authentication.
-Clients can verify the authenticity of the certificate by querying the CA that issued the certificate.
3. Integrity
-TLS and SSL use a message authentication code (MAC) for integrity.
-e.g. they can use HMAC-MD5 or HMAC-SHA1

Out-of-Band Key Exchange example

Asymmetric encryption methods share the session key using an out-of-band exchange method (the session key is privately shared via asymmetric encryption, and the data is then sent in a different communication channel using symmetric encryption).

DigSig Example

Authentication: Lisa sends a message to Bart. The public key can only decrypt something encrypted with the private key, and only Lisa has the private key. If the decryption succeeded, Lisa's private key must have encrypted the hash. On the other hand, if another key was used to encrypt the hash, Lisa's public key (that the recipient has) could not decrypt it. In this case, Bart (the recipient) will see an error indicating a problem with the digital signature.
Non-repudiation: Lisa cannot later deny sending the message. Only Lisa has her private key and if the public key decrypted the hash, the hash must have been encrypted with her private key.
Integrity: Because the hash of the sent message matches the hash of the received message, the message has maintained integrity. It hasn't been modified.

Quantum Cryptography

Based on quantum physics and photons, the smallest measure of light. Some applications use quantum cryptography to transmit an encryption key as a series of photons. Photons are modified so that they spin and emit light in a single direction, such as up and down or side to side. It's then possible to assign a value for the direction. When a photon is read or measured, it changes direction. If a third party reads any of the photons in the stream, it will be obvious to the two parties trying to exchange the key. When the two parties realize someone is eavesdropping, they won't exchange secure data until the third party is removed.

Encrypting HTTPS traffic with TLS or SSL

Because asymmetric encryption isn't efficient to encrypt large amounts of data, symmetric encryption is used to encrypt the session data, however both the server and client must know what this symmetric key is before they can use it. HTTPS uses asymmetric encryption to securely transmit a symmetric key. It then uses the symmetric key with symmetric encryption to encrypt all the data in the HTTPS session.

Validating Certificates

Before clients use a certificate, they first verify it is valid. The first check is to ensure it isn't expired. If the certificate is expired, the computer system typically gives the user an error indicating the certificate is not valid. Clients also validate certificates through the CA. First they verify that the certificate was issued by a trusted CA, then query the CA to verify the CA hasn't revoked the certificate. Can also validate through the Online Certificate Status Protocol (OCSP), which allows the client to query the CA with the serial number of the certificate. The CA responds with either 'good', 'revoked', or 'unknown.' A response of 'unknown' could mean the certificate is a forgery. OCSP can be more efficient, especially if the CRL includes a large number of revoked certificates.

Block vs. Stream Ciphers

Both are symmetric, so they both use the same key to encrypt and decrypt data, but the data is divided in different ways. A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks. The block cipher divides large files or messages into these blocks and then encrypts each individual block separately. Stream ciphers encrypt data as a stream of bits or bytes rather than dividing it into blocks. Stream ciphers are more efficient than block ciphers when the size of the data is unknown or sent in a continuous stream, such as when streaming audio and video over a network. Block ciphers are more efficient when the size of the data is known, such as when encrypting a file or a specific-sized database field.

Certificate Trust Paths and Trust Models

CAs are trusted by placing a copy of their root certificate into a trusted root CA store. The root certificate is the first certificate created by the CA that identifies it, and the store is just a collection of these root certificates. If the CA's root certificate is placed in this store, all certificates issued by this CA are trusted. Public CAs such as VeriSign negotiate with web browser developers to have their certificates included with the web browser. This way, any certificates that they sell to businesses are automatically trusted.
Hierarchical trust model (AKA centralized trust model)
-most common trust model
-in this model, the public CA creates the first CA, known as the root CA. If the organization is large, it can create child CAs.
-in a small organization, the root CA can simply issue certificates to the devices and end users. It's not necessary to have intermediate and child CAs.
Web of trust/decentralized trust model
-sometimes used with PGP and GPG
-web of trust uses self-signed certificates, and a third party vouches for these certificates.
-e.g. if five of your friends trust a certificate, you can trust the certificate.
-if the third party is a reliable source, the web of trust provides a secure alternative.
-however, if the third party does not adequately verify certificates, it can result in the use of certificates that shouldn't be trusted.

Elliptic Curve Cryptography/ECC

Commonly used with small wireless devices because it doesn't take much processing power to achieve the desired security. Uses mathematical equations to formulate an elliptical curve, then graphs points on the curve to create keys.

HMAC-SHA1

Creates 160-bit hashes. Provides integrity and authenticity.

Strong ciphers vs. Weak ciphers

Due to hardware and software restrictions, some systems do not support some of the stronger ciphers. Additionally, not all data is the same: you would use the strongest cipher to encrypt Top Secret data, but this isn't needed to encrypt data with a lower classification level. Admins then configure systems to use specific cipher suites based on their needs.

Which key encrypts and which decrypts???

Email digital signatures
-The sender's private key encrypts (or signs)
-The sender's public key decrypts
Email encryption
-The recipient's public key encrypts
-The recipient's private key decrypts
Web site encryption
-The web site's public key encrypts (a symmetric key)
-The web site's private key decrypts (a symmetric key)
-The symmetric key encrypts data in the web site session

Block ciphers

Encrypt data in blocks.

Transport Encryption

Encrypt data in transit to ensure transmitted data remains confidential, including data transported over the Internet and on internal networks.
Examples:
SSH/Secure Shell
-used to encrypt a wide variety of traffic, such as Secure File Transport Protocol (SFTP), Secure Copy (SCP), and Telnet.
-uses port 22
HTTPS
-uses either TLS or SSL to encrypt web traffic over port 443.

Stream ciphers

Encrypt data one bit at a time.

IPsec

Encrypts data in Tunnel mode with VPNs such as with L2TP/IPsec. Also encrypts data in Transport mode between two systems. IPsec also uses an Authentication Header (AH) to provide authentication and integrity. Request for Comments 4835 (RFC 4835) mandates the use of HMAC for AH. Routers and firewalls identify AH traffic with protocol ID 51. Can also use Encapsulating Security Payload (ESP) to provide confidentiality, in addition to the authentication and integrity provided by AH. RFC 4835 mandates the use of AES or 3DES as the symmetric encryption algorithm. Routers and firewalls identify ESP traffic with protocol ID 50. When IPsec uses ESP, it encapsulates the entire IP packet and adds an additional IP header. The original IP header includes information such as destination ports, which can give attackers clues to what type of data is in the payload. But by encapsulating the original IP header and creating a new one, attackers can only see that the packet is IPsec with ESP.

Confidentiality

Ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.

Example of Encrypting an Email with Only Asymmetric Encryption

Example of Lisa sending an encrypted message to Bart:
1. Lisa retrieves a copy of Bart's certificate that contains the public key.
2. Lisa encrypts the email with Bart's public key.
3. Lisa sends the encrypted email to Bart.
4. Bart decrypts the email with his private key.
Attackers could not decrypt the message because only Bart has the private key. In most cases, the public key doesn't actually encrypt the message, but instead encrypts a symmetric key that is then used to encrypt the email. The recipient then uses the private key to decrypt the symmetric key, and then uses the symmetric key to decrypt the email.

Strengths of AES

Fast
-uses elegant mathematical formulas and only requires one pass to encrypt and decrypt data.
Efficient
-is less resource intensive than other encryption algorithms such as 3DES.
-encrypts and decrypts quickly even when ciphering data on small devices, such as USB flash drives.
Strong
-provides strong encryption of data, providing a high level of confidentiality.

Secure Hash Algorithm/SHA

Grouped into four families:
SHA-0
-is not used
SHA-1
-updated version that creates 160-bit hashes
SHA-2
-improved over SHA-1 to overcome potential weaknesses
-has itself four versions (with the #s representing the amount of bits):
--SHA-224, SHA-256, SHA-384, and SHA-512
SHA-3
-uses a different method than SHA-2
-includes multiple versions with hashes of 224 bits, 256 bits, 384 bits, and 512 bits.

Digital signatures consist of:

Hashing
-they start by creating a hash of the message.
Certificates
-digital signatures need certificates, and certificates include the sender's public key.
Public/private keys
-in a DigSig, the sender uses their private key to encrypt the hash of the message. The recipient then uses the sender's public key to decrypt the hash of the message.
-NOTE: the content of the message is never encrypted, only the hash of the message, because DigSigs are used to verify the sender of the message, not encrypt the content.

Hashing Messages

Hashing provides integrity for messages, and provides assurance to someone receiving a message that the message has not been modified. If you receive a message along with its original hash, and a program on your computer calculates its own hash of the message and gets a different value, the message has changed in transit.

Examples of steganography

Hide data by manipulating bits.
-one method of embedding data in large files is modifying the least significant bit in some bytes.
Hide data in the white space of a file.
-many files have unused space (called white space) at the end of file clusters, such as a 6KB file stored in two 4KB clusters, leaving 2KBs left over.

Steganography

Hides data inside other data with the goal to hide it in such a way that no one suspects there is a hidden message. It does NOT encrypt the data.

In-Band vs. Out-of-Band Key Exchange

In-band key exchange
-indicates that two parties share an encryption key in the same communication channel as the encrypted data.
-risky because anyone who captures the exchange will have the key and can decrypt the data.
Out-of-band key exchange
-indicates that the two parties share the symmetric key in one communication channel and then exchange the encrypted data in a separate communication channel.

Certificate Authority/CA

Issues, manages, validates, and revokes certificates. CAs can be very large, such as VeriSign, which is a public CA. A CA can also be very small, such as a single service running on a server in a domain. Certificates are trusted just like how a driver's license is trusted for identification. Businesses trust the DMV, so they trust the driver's license.

Self-Signed Certificates

It is possible to create a CA and use self-signed certificates. E.g. an admin can use Active Directory Certificate Services (AD CS) on Windows Server 2008 to create a CA and issue certificates to company-owned web servers. This is less expensive than purchasing certificates from a public CA. However, certificates issued by this CA will not be trusted by default. This isn't acceptable for an e-commerce web site. Instead, an admin can copy the CA's root certificate to the user's computer. Web browsers will then trust the certificate from the company web site.

LANMAN

LAN Manager is a very old authentication protocol used to provide backward compatibility to Windows 95, 98, and ME clients. Has significant weaknesses with how it stores the password. Cannot handle passwords of 15 characters or more. Its passwords are always stored as 14 characters. If the password is less than 14 characters, it pads the password with trailing spaces. It then converts all lowercase characters to uppercase and creates a hash of each of the two 7-character strings. The two hashes are stored locally as a single string. The passwords can easily be cracked with password cracking tools such as L0phtCrack to discover the actual password. LANMAN should be disabled on all computers within a network.

Example of Encrypting Email with Asymmetric and Symmetric Encryption

Lisa is sending Bart an encrypted message.
1. Lisa identifies a symmetric key to encrypt her email, and let's assume it's a simplistic symmetric key of 53, though a symmetric algorithm like AES would use 128-bit or larger keys.
2. Lisa encrypts the email contents with the symmetric key of 53.
3. Lisa retrieves a copy of Bart's certificate which contains his public key.
4. She uses Bart's public key to encrypt the symmetric key of 53.
5. Lisa sends the encrypted email and the encrypted symmetric key to Bart.
6. Bart decrypts the symmetric key with his private key.
7. Bart then decrypts the email with the decrypted symmetric key.
Attackers who intercept the email sent by Lisa won't be able to read it because it's encrypted with the symmetric key. Additionally, they can't read the symmetric key because it's encrypted with Bart's public key, and only Bart's private key can decrypt it.

Common hashing algorithms?

MD5 (message digest 5) SHA (secure hash algorithm).

Encrypting an Email with Asymmetric and Symmetric Encryption

Most email applications combine both asymmetric and symmetric encryption. Also remember that asymmetric encryption is slow and symmetric encryption is very quick. Most email applications use asymmetric encryption to privately share a session key. They then use symmetric encryption to encrypt the data.

NTLM

NT LAN Manager was introduced as an improvement over LANMAN. Two versions: NTLM (NTLMv1), and NTLMv2. NTLMv1 uses an MD4 hash of the user's password, and for backward compatibility it also uses the LANMAN hash if the password is 14 characters or less. Like LANMAN, NTLMv1 is also considered compromised. NTLMv2 uses a completely different process and uses the more secure MD5 algorithm, making it infeasible to crack using current technologies.

Wildcard Certificates

Organizations choose to use wildcard certificates to reduce the management burden associated with certificates. Organizations can get a wildcard certificate for *.GetCertifiedGetAhead.com, which will be valid for other domains such as train.GetCertifiedGetAhead.com and blogs.GetCertifiedGetAhead.com. The * in the wildcard certificate will work for any single name added onto the domain name. It only works for one level of domain names. It wouldn't be valid for north.train.GetCertifiedGetAhead.com.

PGP/GPG

PGP = Pretty Good Privacy
-a method used to secure email communication.
-can encrypt, decrypt, and digitally sign email.
-currently purchased by Symantec Corporation.
OpenPGP
-a PGP-based standard created to avoid any conflict with existing licensing; i.e. users have no obligation to pay licensing fees to use it.
Some versions of PGP follow S/MIME standards, and other versions follow OpenPGP standards. Each of the PGP versions uses the RSA algorithm and public and private keys for encryption and decryption. Just like S/MIME, PGP uses both asymmetric and symmetric encryption.
GPG = GNU Privacy Guard
-free software based on the OpenPGP standard.

Hashing Passwords

Passwords are often stored as hashes. When a user creates a new password, the system calculates the hash for the password and then stores the hash. Later, when the user authenticates by entering a username and password, the system calculates the hash of the entered password, and then compares it with the stored hash. If the hashes are the same, it indicates the user entered the correct password. Additionally, applications often salt passwords with extra characters before hashing them.

Non-repudiation

Prevents a party from denying an action.

Digital signatures

Provide authentication, non-repudiation, and integrity. Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender's private key. Only the sender's public key can decrypt the hash, providing verification it was encrypted with the sender's private key.

Steganography

Provides a level of confidentiality by hiding data within other files. E.g. it's possible to embed data into the white space in a picture.

Integrity

Provides assurances that data has not been modified. Hashing ensures that data has retained integrity.

RIPEMD

RACE Integrity Primitives Evaluation Message Digest is another hash function. RIPEMD-160 creates 160 bit hashes, and other versions create hash sizes of 128 bits, 256 bits, and 320 bits.

Twofish

Related to Blowfish. Method: 128 bit block cipher Key size: 128, 192, or 256 bit key

Encryption

Scrambles/ciphers data to make it unreadable if intercepted. Encryption normally includes an algorithm and a key.

S/MIME

Secure/Multipurpose Internet Mail Extensions. One of the world's most popular standards to digitally sign and encrypt email. Most email applications that support encryption and digital signatures use S/MIME standards. S/MIME uses RSA for asymmetric encryption and AES for symmetric encryption. It can encrypt email at rest (stored on a drive) and in transit (data sent over the network). Because S/MIME uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certificates.

Common elements within a certificate:

Serial number
-uniquely identifies the certificate
Issuer
-identifies the CA that issued the certificate
Validity dates
-certificates include 'Valid from' and 'Valid to' dates that ensure the certificate expires at some point
Subject
-identifies the owner of the certificate
Public key
-RSA asymmetric encryption uses the public key in combination with the matching private key.
Usage
-some certificates are only for encryption or authentication, whereas other certificates support multiple usages.

Asymmetric Keys: Static vs. Ephemeral

Static keys are semipermanent and stay the same over a long period of time. Ephemeral keys have very short lifetimes and are re-created for each session. E.g. RSA uses static keys. A certificate includes an embedded public key matched to a private key and this key pair is valid for the lifetime of the certificate, such as a year. Certificates have expiration dates and systems continue to use these keys until the certificate expires. An ephemeral key pair includes a private ephemeral key and a public ephemeral key. However, systems use these key pairs for a single session and then discard them. Ephemeral keys have an important characteristic they comply with called 'perfect forward secrecy'. Perfect forward secrecy indicates that a cryptographic system generates random public keys for each session and it doesn't use a deterministic algorithm to do so. I.e. given the same input, the algorithm will create a different public key. This helps ensure that systems do not reuse keys.

TLS with EAP

The Extensible Authentication Protocol/EAP increases wireless security by adding authentication with an 802.1x server. Protected EAP (PEAP) and EAP-Tunneled TLS (EAP-TTLS) require 802.1x servers to have a certificate. EAP-TLS is the most secure method because it requires both servers and clients to use certificates. TLS is used during the authentication process.

Key Escrow

The process of placing a copy of a private key in a safe environment, which is useful for recovery. If the original is lost, the organization retrieves the copy of the key to access the data. Key escrow isn't required, but if an organization determines that data loss is unacceptable, it will implement a key escrow process. In some cases, the organization provides a copy of the key to a third party. Also, another method is to designate employees in the organization who will be responsible for key escrow.

Examples of Cipher Suite identification

There are over 200 named cipher suites, and systems identify them with a cipher identifier as a string of hexadecimal characters and a coded name.
Examples:
0x00C031. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
0x00003C. TLS_RSA_WITH_AES_128_CBC_SHA256
Translation for the above examples:
Protocol
-both using TLS. If using SSL, it would say SSL or SSL2.
Key exchange method
-the first one is using ECDH and the second one is using RSA.
Authentication
-both are using RSA, but the second example shortened the code by not listing RSA twice.
Encryption
-both are using 128-bit AES but in different modes (GCM and CBC) (don't have to know for the exam)
Integrity
-both are using the SHA256 hashing algorithm.

Using HMAC

This prevents someone from intercepting data, changing it, and inserting their own calculated hash in place of the original so that it matches the hash the receiver computes over the changed data. The attacker wouldn't know the shared secret, so their hash would still be different from the receiver's HMAC hash.

How is steganography detected?

Through steganalysis techniques; the most common method is hashing. If a single bit of the file is modified, the hashing algorithm creates a different hash. By regularly taking the hashes of different files and comparing them with previous hashes, it's easy to detect when a file has been modified.

Encrypting Email

Used when you want to ensure that email messages are only readable by authorized users. You can encrypt email and just as any other time encryption is used, encrypting an email provides confidentiality. Sender's keys are not used in this process, ONLY the recipient's keys.

Certificates: Registration

Users and systems request certificates from a CA using a registration process. In some cases, a user enters information manually into a web site form. In other cases, a user sends a specifically formatted file to the CA. E.g., you want to purchase a certificate for MarkKelley.com for secure HTTPS sessions. You would first create a public and private key pair, using one of many available programs such as OpenSSL. You would then put together a certificate signing request (CSR) for the certificate, including the purpose of the certificate and information about the web site, the public key, and yourself. Most CAs require CSRs to be formatted using the public-key cryptography standards (PKCS) #10 specification. You then send the CSR to the CA. The CA validates your identity and creates a certificate with the public key embedded. You then register the certificate with your web site along with the private key. Any time someone initiates a secure HTTPS connection, the web site sends the certificate with the public key and the TLS/SSL session creates the session. In large organizations, a registration authority (RA) can assist the CA by collecting registration information.

Symmetric Encryption

Uses the same key to encrypt and decrypt data. AKA secret-key encryption or session-key encryption. However, it doesn't mean the keys never change. Symmetric encryption algorithms change keys often. RADIUS uses symmetric encryption.

Symmetric encryption

Uses the same key to encrypt and decrypt the data.

Asymmetric Encryption

Uses two keys (private and public) in a matched pair to encrypt and decrypt data. If the public key encrypts information, only the matching private key can decrypt the same information. If the private key encrypts information, only the matching public key can decrypt the same information. Private keys are always kept private and never shared. Public keys are shared freely by embedding them in a certificate. Require a certificate and a PKI. More resource intensive than symmetric encryption.

Asymmetric encryption

Uses two keys (public and private) created as a matched pair. Anything encrypted with the public key can only be decrypted with the matching private key. Anything encrypted with the private key can only be decrypted with the matching public key.

Validating Certificates: examples

Validating through a CA:
1. The client initiates a session requiring a certificate, such as an HTTPS session.
2. The server responds with a copy of the certificate that includes the public key.
3. The client queries the CA for a copy of the CRL.
4. The CA responds with a copy of the CRL.
5. The client then checks the serial number of the certificate against the list of serial numbers in the CRL.

Outdated Certificates

When an organization issues a user a new certificate, such as with a new smart card, the user needs to publish it within the organization, such as via a global address list. Otherwise, other people in the organization use the original certificate.

Important principle with Stream Ciphers

You should never reuse encryption keys. If a key is reused, it is easier to crack the encryption. WEP used the RC4 stream cipher for symmetric encryption. If wireless systems generate enough traffic, WEP reuses keys for RC4.

