C839 Module 4
NSA Type 2 Algorithms
- Used for unclassified cryptographic equipment, assemblies, or components
- Use in telecommunications and automated information systems for the protection of NSA
Kerberos Authentication Process
- Uses symmetric cryptography
- Authentication uses UDP port 88
Wi-Fi Encryption
- WEP (Wired Equivalent Privacy) - uses the stream cipher RC4 (128 bit or 256 bit)
- WPA (Wi-Fi Protected Access) - Pre-shared key (PSK), designed for home and small office networks
- WPA2 - Implements the mandatory elements of 802.11i; introduces CCMP, a new AES-based encryption mode
X.509
- An international standard for the format and information contained in a digital certificate
- The most common type of digital certificate in the world
PKCS (Public Key Cryptography Standards)
- Put in place by RSA to ensure uniform certificate management throughout the internet
- A certificate is a digital representation of information that identifies you as a relevant entity by a trusted third party (TTP)
Microsoft Certificate Services
- Certificate Authority
- Web Enrollment
- Online Responder
- Network Device Enrollment
Windows Certificates
- Certmgr.msc
NSA and Cryptography
- De facto standard for cryptography
- They classify cryptography as either Suite A or Suite B
1. Suite A algorithms are not published
   - Contains classified algorithms that will not be released
   - These algorithms are used to encrypt especially sensitive information
2. Suite B algorithms are published
   - AES with key sizes of 128 and 256 bits
   - For traffic, AES should be used with the Galois/Counter Mode (GCM) - symmetric encryption
   - Elliptic-Curve Digital Signature Algorithm (ECDSA) - digital signatures
   - Elliptic-Curve Diffie-Hellman (ECDH) - key agreement
   - Secure Hash Algorithm 2 (SHA-256 and SHA-384) - message digest
3. Even the algorithms used in Suite A are classified
Class 1
- For individuals, intended for email
Class 4
- For online business transaction between companies
Class 2
- For organizations for which proof of identity is required
Class 5
- For private organizations or governmental security
Class 3
- For servers and software signing, for which independent verification and checking of identity and authority is done by the issuing CA
Certificate and Web Servers
- HTTPS means HTTP secured with either SSL (older) or TLS (newer)
- The certificate must be installed on the web server for the website to use HTTPS
PKI (Public Key Infrastructure)
- How are digital certificates distributed? By a public key infrastructure (PKI). This is a network of trusted certificate authority servers and is the infrastructure for distributing digital certificates that contain public keys.
- Uses asymmetric key pairs and combines software, encryption and services to provide a means of protecting the security of business communication and transactions
What is a Digital Certificate?
- It is a digital 'document' that contains a public key and some information to allow your system to verify where that key came from
Chi-Square Analysis
- It measures theoretical vs. calculated population difference
CRL (Certificate Revocation List)
- List of certificates issued by a CA that are no longer valid, distributed in two main ways:
1. Push model: The CA automatically sends the CRL out at regular intervals
2. Pull model: The CRL is downloaded from the CA by those who want to see it to verify a certificate. The end user is responsible
Encrypting Files
- Microsoft
  1. EFS
  2. NTFS
- BitLocker
  - Encrypting partitions or entire drives
  - TPM (Trusted Platform Module)
Audio Steganalysis
- Noise distortion could indicate the presence of a hidden signal
Unbreakable Encryption
- One Time Pad (OTP)
- OTP is a separate substitution for each character. In other words, the key is as long as the text
- No substitution is used more than once
- The key is only used one time, is kept secret, and is destroyed after use
.pfx
- PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
.p12
- PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.p7b, .p7c
- PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
Steganography Terms
- Payload: The data to be covertly communicated, the message you wish to hide
- Carrier: The signal, stream, or data file into which the payload is hidden
- Channel: The type of medium used. This may be still photos, video, or sound files
.pem
- Privacy Enhanced Mail, Base64 encoded DER certificate
CP (Certificate Policy)
- Set of rules that defines how a certificate may be used
Detection Tools
- StegSpy
- Stegdetect
Steganalysis
- Task usually done by software
- By analyzing changes in an image's close color pairs, the steganalyst can determine if LSB substitution was used
Steganography Details
- The most common steganography method is Least Significant Bits (LSB)
- How to embed?
  - Sequential
  - Random
  - Specific
CA (Certification Authority)
- The primary role of the CA is to digitally sign and publish the public key bound to a given user.
- Entity trusted by one or more users to manage certificates
RA (Registration Authority)
- Used to take the burden off of a CA by handling verification prior to certificates being issued.
- RA acts as a proxy between user and CA. RA receives the request, authenticates it and forwards it to the CA.
Common Cryptography Mistakes
- Using standard modulus in RSA
- Re-using keys
- Unsecure key escrow
- Using seeds for symmetric algorithms that are not random enough
- Hard coded cryptographic secrets/elements
- Unsecure cryptographic mode (ECB mode)
- Using too short a key
- Proprietary cryptographic algorithms
.cert, .crt, .der
- Usually in binary DER form
Digital Signatures
- Usually the encryption of a message or message digest with the sender's private key
- To verify the digital signature, the recipient uses the sender's public key
- Good digital signature schemes provide:
  1. Authentication
  2. Integrity
  3. Non-repudiation
- The RSA algorithm can be used to produce and verify digital signatures; another public-key signature algorithm is DSA
Disk Encryption Software:
- VeraCrypt On-the-fly encryption
Kerberos
- Widely used, particularly with Microsoft operating systems
Steganography
- Writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity
Online Certificate Status Protocol (OCSP)
- a real-time protocol for verifying certificates
Server-based Certificate Validation Protocol (SCVP)
1. Delegated Path Discovery: Determining the path between an X.509 digital certificate and a trusted root
2. Delegated Path Validation: The validation of that path according to a particular validation policy
NSA Type 3 Algorithms
- Type 3 product is a device for use with Sensitive But Unclassified (SBU) information on non-national security systems
Stealth Files 4
is a tool to hide data in other types of files.
Challenge Handshake Authentication Protocol (CHAP)
1. After the link establishment phase is complete, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a hash function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 through 3.
NSA Type 4 Algorithms
- Algorithms that are registered by the NIST but are not FIPS published
- Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage
SSL
- Developed by Netscape and has been supplanted by TLS
- HTTPS
NSA Type 1 Algorithms
- Highest level of encryption algorithms
- Used for classified or sensitive U.S. government information, including cryptographic equipment, assembly or component classified
Pretty Good Privacy (PGP)
- Invented by Philip Zimmermann, early 1900's
- Not an algorithm itself, but uses other symmetric and asymmetric algorithms
- Software product for making encryption and decryption readily usable by end users
- Most often associated with email encryption
- Can also be used to create certificates
- A single certificate can contain multiple signatures
- Defines its own format
Password Authentication Protocol (PAP)
- Most basic
- Username and password are transmitted over the network and compared to a table of name-password pairs
- Passwords are transmitted in clear text (weakness with PAP)
- HTTP uses PAP
Components of Kerberos System
- Principal: A server or client that Kerberos can assign tickets to. Basically, any machine that can be assigned tickets.
- Authentication Server (AS): A server that authorizes the principal and connects them to the ticket granting server.
- Ticket Granting Server (TGS): Provides tickets.
- Key Distribution Center (KDC): A server that provides the initial ticket and handles TGS requests. Often, it runs both AS and TGS services.
- Realm: A boundary within an organization. Each realm has its own AS and TGS.
- Remote Ticket Granting Server (RTGS): A TGS in a remote realm.
- Ticket Granting Ticket (TGT): The ticket that is granted during the authentication process.
- Ticket: Used to authenticate to the server. Contains the identity of the client, the session key, the timestamp, and the checksum. It is encrypted with the server's key.
- Session key: Temporary encryption key.
- Authenticator: Proves session key was recently created. Often expires within five minutes.
Shiva Password Authentication Protocol (SPAP)
- Proprietary version of PAP
- Username and password are both encrypted when they are sent, unlike PAP
TLS
- Protocol for encrypting transmissions
- Negotiates a connection by using a handshaking procedure
- Also supports secure bilateral connection mode
Digital Certificate Management
- Centralized key-management systems
- Decentralized key-management systems
- Three phases of key life cycle
  - Setup and Initialization
  - Administration
  - Cancellation
Layer-2 Tunneling Protocol (L2TP)
· Designed as an enhancement to PPTP
· Works at data link layer
· Offers five authentication methods
· Works over X.25 networks (common protocol in phone systems)
· Asynchronous transfer mode (ATM)
· Uses IPSec for encryption
PPTP offers two different methods of authenticating the user
· Extensible Authentication Protocol (EAP) - designed specifically for PPTP and is not proprietary
· Challenge Handshake Authentication Protocol (CHAP) - A three-way process whereby the client sends a code to the server, the server authenticates it, and then the server responds to the client
Internet Protocol Security (IPSec)
· Latest VPN protocol
· Encrypts packet data and also header information
SSL/TLS VPN
· VPN is set up through a web browser
Point-to-Point Tunneling Protocol (PPTP)
· Works at data link layer of the OSI model
· Encrypting packets and authenticating users to the older PPP protocol