CEH.v10: Cryptography, and Hacking Web Servers
Types of Ciphers
Classical Ciphers
- Substitution cipher
- Transposition cipher
Modern Ciphers
o Based on key used
- Private key
- Public key
o Based on input
- Block cipher
- Stream cipher
Web Server Operations
Components of a Web Server -Document Root -Server Root -Virtual Document Tree -Virtual Hosting -Web Proxy
Cryptography
Converting data into scrambled code for confidentiality. Symmetric uses one key (secret, shared & private). Asymmetric (public key) uses different keys for encryption vs decryption.
KeyCzar
Cryptography Toolkit: An open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys. Features: o Key rotation and versioning o Safe default algorithms, modes, and key lengths o Automated generation of initialization vectors and ciphertext signatures o Java, Python, and C++ implementations o International support in Java
OpenSSL
Cryptography Toolkit: An open source cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. Can be used for: o Creation and management of private keys, public keys, and parameters o Public key cryptographic operations o Creation of X.509 certificates, CSRs, and CRLs o Calculation of Message Digests o Encryption and Decryption with Ciphers o SSL/TLS Client and Server Tests o Handling of S/MIME signed or encrypted mail o Time Stamp requests, generation, and verification
Modern Ciphers
Designed to withstand a wide range of attacks. Provide message secrecy, integrity, and authentication of the sender. The user can calculate this with the help of a one-way mathematical function that is capable of factoring large prime numbers. Types o Based on key used - Private key - Public key o Based on input -Block cipher -Stream Cipher
Twofish
Feistel cipher with 128-bit blocks & up to 256-bit keys
MD5 Tool : Onlinemd5
Generates and checks file integrity by secure time-proven algorithms like MD5, SHA-1 and SHA-256. One can create checksums (the digital fingerprints) of files and verify their integrity in the future using this online tool.
Chosen-plaintext Attack
In this attack, the attacker obtains the ciphertexts corresponding to a set of plaintexts of his own choosing
Known-plaintext Attack
In this attack, the only information available to the attacker is some plaintext blocks along with corresponding ciphertext and algorithm used to encrypt and decrypt the text. This attack works on block ciphers and is an example of linear cryptanalysis.
Chosen-key Attack
In this type of attack, an attacker not only breaks a ciphertext but also breaks into a bigger system, which is dependent on that ciphertext. Attacker usually breaks an n bit key cipher into 2^(n/2) number of operations.
AES Pseudocode
Initially, the system copies the cipher input into the internal state and then adds an initial round key. The system transforms the state by iterating a round function in a number of cycles. Depending on the block size and key length, the number of cycles may vary. After completing rounding, the system copies the final state into the cipher output.
SHA-1
It is a 160-bit hash function that resembles the former MD5 and produces a 160-bit digest from a message with a maximum length of (2^64 − 1) bits. - It is most commonly used in security protocols such as PGP, TLS, SSH, and SSL. - Helps against brute force. - As of 2010, SHA-1 is no longer approved for cryptographic use because of cryptographic weaknesses.
Timing Attack
It is based on repeatedly measuring the exact execution times of modular exponentiation operations. Attacker tries to break the ciphertext by analyzing the time taken to execute the encryption and decryption algorithm for various inputs.
Ciphertext-only Attack
Less effective and much more likely for the attacker. The attacker only has access to a collection of cipher texts
Examples of RSA algorithms
P = 61 <= first prime number (destroy this after computing E and D)
Q = 53 <= second prime number (destroy this after computing E and D)
PQ = 3233 <= modulus (give this to others)
E = 17 <= public exponent (give this to others)
D = 2753 <= private exponent (keep this secret)
Your public key is (E, PQ)
Your private key is D
The encryption function is: encrypt(T) = (T^E) mod PQ = (T^17) mod 3233
The decryption function is: decrypt(C) = (C^D) mod PQ = (C^2753) mod 3233
TLS Handshake Protocol
Protocol allows the client and server to authenticate each other and to select an encryption algorithm and cryptographic keys prior to data exchange by the application protocol. It provides connection security that has three basic properties: o The peer's identity can be authenticated using asymmetric cryptography. This can be made optional but is mostly required for at least one of the peers. o The negotiation of a shared secret is secure. o The negotiation is reliable. (*note* - It operates on top of the TLS record layer and is responsible for producing the cryptographic parameters of the session state.)
Transposition cipher
Rearranging letters in the plain text, according to a regular system produces the cipher text. For example, "CRYPTOGRAPHY" when encrypted becomes "AOYCRGPTYRHP." Examples include Rail Fence Cipher, Route cipher, and Myszkowski transposition.
Related-Key Attack
Similar to the chosen plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. Need to obtain the plaintext and matching ciphertext to use it. The attack requires that the differing keys be closely related.
Secure Hashing Algorithm (SHA)
Slightly slower than MD5, but its larger message digest makes it more secure against brute-force collision and inversion attacks. o SHA-0: a 160-bit hash function which was withdrawn from the trade due to an undisclosed "significant flaw" o SHA-1: a 160-bit hash function that protects against brute force o SHA-2: a family of two similar hash functions, with different block sizes, namely, - SHA-256, which uses 32-bit words, - SHA-512, which uses 64-bit words. Truncated versions of each standard are SHA-224 and SHA-384. o SHA-3: uses the sponge construction, in which the algorithm XORs in message blocks and then invertibly permutes the state. It differs considerably in its internal structure from the rest of the SHA family.
RC6
Symmetric key block cipher that uses integer multiplication & 4-bit working registers. It is derived from RC5, with two differences: o Integer multiplication (which is used to increase the diffusion achieved in fewer rounds and to increase the speed of the cipher) o Uses four 4-bit registers in place of the two 2-bit registers because the block size of the AES is 128 bits.
Meet-in-the-Middle Attack on Digital Signature Schemes
The best attack method for cryptographic algorithms using multiple keys for encryption. This attack reduces the number of brute force permutations needed to decode text encrypted by more than one key and conducted mainly for forging signatures on mixed type digital signatures. A meet-in-the-middle attack uses space-time trade-off
RSA signature scheme
The first technique used to generate digital signatures. It is a deterministic digital signature scheme that provides message recovery from the signature itself, making it the most practical and versatile technique available.
Government Access to Keys (GAK)
The government promise of secure key storage, the only stated exception being a warrant. Refers to the statutory obligation of individuals and organizations to disclose their cryptographic keys to government agencies.
Classical Ciphers
The most basic type of ciphers, which operate on alphabets (A-Z). Implementation of these ciphers is generally either by hand or with simple mechanical devices. Because these ciphers are easily deciphered, they are generally unreliable. Two types -Substitution cipher -Transposition cipher
Cryptanalysis
The study of ciphers, ciphertext, or cryptosystems to identify vulnerabilities in them that allow plaintext to be extracted from the ciphertext even if the cryptographic key or algorithm used to encrypt the plaintext is unknown.
Message Digest (One-way Hash) Functions
They produce values that are almost impossible to invert, resistant to attack, mostly unique, and widely distributed. They enable creation of digital signatures and message authentication codes (MACs), and the derivation of encryption keys from passphrases. Include the following algorithms: o MD5 o SHA
Integral Cryptanalysis
This attack is particularly useful against block ciphers based on substitution-permutation networks, as an extension of differential cryptanalysis. Looks at pairs of inputs that differ in only one-bit position, with all other bits being identical. For k = 1, this is just differential cryptanalysis, but with k > 1, it is a new technique.
Hash Collision Attack
This attack is performed by finding two different input messages that result in the same hash output. The most popular hash function is SHA-1, which is widely used as a digital signature algorithm. The SHA-1 algorithm converts an input message into a constant length of unstructured strings of numbers and alphabets,
Cross certification
This enables entities in one PKI to trust entities in another PKI. The agreement establishes the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issues a certificate to the other to establish the relationship in both the directions.
Symmetric Encryption
This encryption requires that both the sender and the receiver of the message possess the same encryption key. The sender uses a key to encrypt the plaintext and sends the resultant ciphertext to the recipient, who uses the same key (used for encryption) to decrypt the ciphertext into plaintext. When setting up a wireless network, an administrator enters a preshared key for security; the key entered is a symmetric key used to encrypt the wireless data.
Web Server
This is a computer system that stores, processes, and delivers web pages to global clients via the HTTP protocol. Depending on the request, this collects the requested information/content from the data storage or from the application servers and responds to the client's request with an appropriate HTTP response. If it cannot find the requested information, then it generates an error message.
Virtual Hosting
This is a technique of hosting multiple domains or websites on the same server. This allows sharing of resources between various servers. It is employed in large-scale companies where the company resources are intended to be accessed and managed globally. Types: o Name-based hosting o IP-based hosting o Port-based hosting
Document Root
This is one of the web server's root file directories that stores critical HTML files related to the web pages of a domain name that will serve in response to the requests.
Server Root
This is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. In general, it consists of four files where one file is dedicated to the code that implements the server and other three are subdirectories, namely, -conf, -logs, and -cgi-bin used for configuration information, store logs, and executables, respectively.
Virtual Document Tree
This provides storage on a different machine or a disk after the original disk is filled-up. It is case sensitive and can be used to provide object-level security.
Web Proxy
This sits in between the web client and web server. Due to the placement, all the requests from the clients will be passed on to the web server through this. They are used to prevent IP blocking and maintain anonymity.
Adaptive Chosen plaintext attack
To perform this attack, an attacker needs to interact with the encryption device. In this type of attack, an attacker has complete access to the plaintext message including its encryption, and he/she can also modify the content of the message by making a series of interactive queries, choosing subsequent plaintext blocks based on the information from the previous encryption queries and functions.
Chosen-ciphertext Attack
To perform this attack, the attacker must have access to the communication channel between the sender and the receiver. Attacker obtains the plaintexts corresponding to an arbitrary set of ciphertexts of his own choosing. Using this information, the attacker tries to recover the key used to encrypt the plaintext. There are two variants of this attack: o Lunchtime or Midnight Attack: In this attack, the attacker can have access to the system for only a limited amount of time or can access only a few plaintext-ciphertext pairs. o Adaptive Chosen-ciphertext Attack: In this attack, the attacker selects a series of ciphertexts and then observes the resulting plaintext blocks.
Cryptanalysis Tools
Tools to analyze and break the ciphers o CrypTool - project develops e-learning programs in the area of cryptography and cryptanalysis. It consists of e-learning software (CT1, CT2, JCT, and CTO). o CryptoBench o Cryptol o Ganzúa o EverCrack o AlphaPeeler o Mediggo o SubCypher
Digital Signature
Uses asymmetric cryptography to simulate the security properties of a signature in digital, rather than written form. A cryptographic means of authentication. Public-key cryptography uses asymmetric encryption and helps the user to create a digital signature. The two types of keys in public key cryptography are the private key (only signer knows this key and uses it to create digital signature) and the public key (more widely known and a relying party uses it to verify the digital signature).
Disk Encryption Tools
o VeraCrypt - is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). o Symantec Drive Encryption - (formerly PGP Whole Disk Encryption) provides organizations with complete, transparent drive encryption for all data (user files, swap files, system files, hidden files, etc.) on laptops, desktops, and removable media. o BitLocker Drive Encryption - is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. o Gilisoft Full Disk Encryption o Endpoint Full Disk Encryption o Dell Data Protection | Encryption o AxCrypt o Folder Lock o Full Disk Encryption Software o SafeGuard Encryption
Certification Authority (CA)
A trusted third party that issues digital certificates.
Self-Signed Certificates
An identity certificate signed by the same entity whose identity it certifies. They are widely used for testing servers.
Triple Data Encryption Standard (3DES)
It does DES three times with three different keys. 3DES uses a "key bundle" which comprises three DES keys, K1, K2, and K3: DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3. Each key is a standard 56-bit DES key.
How to Defend Against Cryptographic Attacks
o Access of cryptographic keys should be given to the application or to the user directly. o Intrusion detection system should be deployed to monitor exchanging and access of keys. o Passphrases and passwords must be used to encrypt the key, if stored in disk. o Keys should not be present inside the source code or binaries. o For certificate signing, transfer of private keys should not be allowed. o For symmetric algorithms, key size of 168 bits or 256 bits should be preferred for a secure system, especially in case of large transactions. o Message authentication must be implemented for encryption of symmetric-key protocols. o For asymmetric algorithms, key size of 1536 bits and 2048 bits should be considered for secure and highly protected application. o In case of hash algorithm, key size of 168 or 256-bit should be considered. o Only recommended tools or products should be preferred rather than creating self-engineered crypto algorithms or functions. o Put a limit on number of operations per key. o The output of the hash function should have larger bit length that makes it hard to decrypt.
Cryptography Tools
o Advanced Encryption Package 2017 - is file encryption software for Windows used for secure file transfer, batch file encryption, and encrypted backups o BCTextEncoder -utility software simplifies the encoding and decoding of text data. o AxCrypt o Folder Lock o CryptoExpert 8 o CertainSafe o VeraCrypt o Cryptainer LE Free Encryption Software o CryptoForge o winAES
Code Breaking Methodologies
o Brute Force o Frequency Analysis - the study of the frequency of letters or groups of letters in a ciphertext. o Trickery and Deceit - It involves the use of social engineering techniques to extract cryptography keys. o One-Time pad - is mostly a non-repeating set of letters or numbers, which the system chooses randomly. The user writes them on small sheets of paper and then pastes them together in a pad.
Components of Public Key Infrastructure (PKI)
o Certificate Management System: Generates and distributes certificates o Digital Certificates: Establishes credentials of a person when doing online transactions o Validation Authority (VA): Stores certificates (with their public keys) o Certificate Authority (CA): Issues and verifies digital certificates o End User: Requests, manages, and uses certificates o Registration Authority (RA): Acts as the verifier for the certificate authority
Cryptography Attacks
o Ciphertext-only Attack o Adaptive Chosen-plaintext Attack o Chosen-plaintext Attack o Related-Key Attack o Dictionary Attack o Known-plaintext Attack o Chosen-ciphertext Attack o Rubber Hose Attack o Chosen-key Attack o Timing Attack o Man-in-the-Middle Attack
Popular Certification Authority
o Comodo - offers a range of PKI digital certificates with strong SSL encryption available 128/256 with SGC (Server-Gated Cryptography) o IdenTrust - a trusted third party that provides certification authority services for many sectors like banks, corporate, government, and healthcare. o Symantec Corporation (NASDAQ: SYMC) - provides solutions that allow companies and consumers to engage in communications and commerce online with confidence. o GoDaddy - SSL Certificates offer a complete range of certificates that comply with CA/Browser Forum guidelines
Asymmetric Encryption Strength
o Convenient to use as distribution of keys to encrypt the messages is not required o Enhanced security as one need not share or transmit private keys to anyone o Provides digital signatures that can't be repudiated
Symmetric Encryption Strengths
o Faster and easier to implement as same key is used to encrypt and decrypt data and also requires less processing power. Could be implemented in Application Specific Integrated Chip (ASIC). o Prevents widespread message security compromise as different secret key is used to communicate with different party o Key is not bound to the data being transferred on the link; therefore, even if data is intercepted it is not possible to decrypt it.
What does TLS Record Protocol Manage
o Fragments outgoing data into manageable blocks and reassembles incoming data o Optionally compresses outgoing data and decompresses incoming data o Applies Message Authentication Code (MAC) to the outgoing data and uses MAC to verify the incoming data o Encrypts outgoing data and decrypts incoming data (*note* - The record protocol sends the outgoing encrypted data to TCP layer for transport.)
RSA Key Generation
o Generate two large distinct primes p and q arbitrarily, each roughly the same bit length o Compute n = pq and φ = (p-1)(q-1)
Symmetric Encryption Weakness
o Lack of secure channel to exchange secret key o Difficult to manage and secure too many shared keys that are generated to communicate with different parties o Provides no assurance about origin and authenticity of a message as same key is used by both sender and receiver o Vulnerable to dictionary attacks and brute-force attacks
Cryptanalysis methods
o Linear o Differential o Integral
Cryptography Tools : MD5 Hash Calculators
o MD5 Calculator - calculates the MD5 hash value of the selected file. o HashMyFiles - is a small utility that calculates the MD5 and SHA1 hashes of one or more files in the system. o HashCalc o Hash Calculator o HashTool o OnlineMD5.com o MD5 Hash generator
Online MD5 Decryption Tools
o MD5 Decoder o MD5 Decrypt o MD5 Decrypter o MD5Decrypter o OnlineHashCrack.com o HashKiller.co.uk o Md5.My-Addr.com o cmd5.org o CrackStation o md5this o MD5/Sha1 hash cracker
Hash Calculators for mobiles
o MD5 Hash Calculator - for Android is used to generate the MD5 hash of a string in security. It is useful for encoding passwords, credit-card numbers, and other sensitive data into databases (MySQL, MSSQL, Postgres, or others). o Hash Droid - utility helps to calculate a hash from a given text or from a file stored on the device. o Hash Calculator - allows users to calculate MD5, SHA1 or CRC32 checksum of files o Hash Calc o Hashr - Checksum & Hash Digest Calculator o HashStamp MD5 & SHA1 Checker o Hash Tools o HashCalc
Symmetric encryption algorithms, developed by RSA Security
o RC4 - Symmetric key stream cipher o RC5 - Parameterized algorithm with variable block sizes o RC6 - Symmetric key block cipher that uses integer multiplication & 4-bit working registers
Cryptography Tools for Mobile
o Secret Space Encryptor - is an integrated solution of password manager, message (text) encryption, and file encryption. o Decrypto - is an application that provides a range of encryption and decryption tools. o SealNote - is simple, safe and easy to use notepad application that puts security first. o Encrypt Decrypt o Crypten : Encryption o Cipher Sender
Asymmetric Encryption Weaknesses
o Slow in processing and requires high processing power o Widespread message security compromise is possible (i.e., attacker can read his/her complete messages if private key is compromised) o Messages received cannot be decrypted if the private key is lost o Vulnerable to Man-in-the-Middle and brute-force attacks
Types of Cryptography
o Symmetric Encryption o Asymmetric Encryption
Modern Cipher- Key
o Symmetric key algorithms (*Private-key* cryptography): Uses same key for encryption and decryption. o Asymmetric key algorithms (*Public-key* cryptography): Uses two different keys for encryption and decryption
Side-channel-attack mitigation techniques
o Use Differential Power Analysis (DPA) proof protocols with delimited side-channel leakage characteristics and update keys before leakage accumulation is significant o Use Fixed-time algorithms (i.e., no data-dependent delays) o Mask and blind algorithms using random nonces o Implement differential matching techniques to minimize net data-dependent leakage from logic-level transitions o Pre-charge registers and busses to remove leakage signatures from predictable data transitions o Add amplitude or temporal noise to reduce the attacker's signal-to-noise ratio
SSL protocol also offers _________________ with three basic properties
"channel security" Properties o Private channel - All the messages are encrypted after a simple handshake is used to define a secret key. o Authenticated channel - The server endpoint of the conversation is always encrypted, whereas the client endpoint is optionally authenticated. o Reliable channel - Message transfer has an integrity check.
How RSA algorithm generates and verifies RSA signature
1. Signature Generation
To sign a message m, entity A should do the following:
o Compute m̃ = R(m), an integer in the range [0, n-1]
o Compute s = m̃^d mod n
o A's signature for m is s
2. Signature Verification
To verify A's signature s and recover the message m, B should do the following:
o Obtain A's authentic public key (n, e)
o Compute m̃ = s^e mod n
o Verify that m̃ ∈ M_R; if not, reject the signature
o Recover m = R^-1(m̃)
Advanced Encryption Standard (AES)
A National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. o Symmetric key algorithm - both encryption and decryption are performed using the same key o Iterated block cipher - works by repeating the defined steps multiple times o It has a 128-bit block size, with key sizes of 128, 192, and 256 bits o works simultaneously at multiple network layers.
Substitution cipher
A block of plaintext is replaced with ciphertext. Units may be single letters, pairs of letters, or combinations of them, and so forth. The recipient performs inverse substitution to decipher the text. Examples include Beale cipher, autokey cipher, Gronsfeld cipher, and Hill cipher.
Key escrow
A component of public key infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations
Diffie-Hellman
A cryptographic protocol that allows two parties to establish a shared key over an insecure channel. The system has two parameters called p and g: o Parameter p is a prime number and o Parameter g (usually called a generator) is an integer less than p, with the following property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g^k mod p
DUHK (Don't Use Hard-Coded Keys)
A cryptographic vulnerability that allows attackers to obtain encryption keys used to secure VPNs and web sessions. This attack mainly affects any hardware/software using ANSI X9.31 Random Number Generator (RNG). The Pseudorandom number generators (PRNGs) generate random sequences of bits based on the initial secret value called a seed and the current state
RC5
A fast symmetric-key block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security). A parameterized algorithm with a variable block size, variable key size, and a variable number of rounds. Block sizes can be 32, 64, or 128 bits. The range of the rounds can vary from 0 to 255. Routines: o key expansion - the secret key that a user provides is expanded to fill the key table o encryption - has three fundamental operations: integer addition, bitwise XOR, and variable rotation o decryption
Differential Cryptanalysis
A form of cryptanalysis applicable to symmetric key algorithms. It is the examination of differences in an input and how that affects the resultant difference in the output. It originally worked only with chosen plaintext. It could also work with known plaintext and ciphertext.
MD4
A message digest algorithm that produces a 128-bit hash value and performs only 3 rounds of computations. It is used to verify data integrity through the creation of a 128-bit message digest from data input.
Stream ciphers
Modern symmetric key ciphers in which plaintext digits are combined with a key stream (pseudorandom cipher digit stream). The user applies the key to each bit, one at a time. - Examples include RC4, SEAL, etc.
Block ciphers
A modern cipher that is a deterministic algorithm operating on a block (group of bits) of fixed size with an unvarying transformation specified by a symmetric key. These are widely used to encrypt bulk data. - Examples include DES, AES, IDEA, etc.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160)
A more secure version of the RIPEMD algorithm. In this algorithm, the compression function consists of 80 stages made up of 5 blocks that execute 16 times each. This process repeats twice by combining the results at the bottom using modulo 32 addition.
Birthday Attack
A name used to refer to a class of brute-force attacks against cryptographic hashes that makes the brute forcing easier. The birthday paradox is that the probability that two or more people in a group of 23 share the same birthday is greater than 1/2.
Side Channel Attack
A physical attack performed on a cryptographic device/cryptosystem to gain sensitive information. Cryptography is generally part of the hardware or software that runs on physical devices such as semiconductors (including resistors, transistors, and so on) that interact with and affect various environmental factors.
Pretty Good Privacy (PGP)
A protocol used to encrypt and decrypt data that provides authentication and cryptographic privacy. It is often used for data compression, digital signing, encryption and decryption of messages, emails, files, directories, and to enhance privacy of email communications. The algorithm used for message encryption is RSA for key transport and IDEA for bulk-message encryption. It uses RSA for computing digital signatures and MD5 for computing message digests.
Transport Layer Security (TLS)
A protocol used to establish a secure connection between a client and a server and ensure privacy and integrity of information during transmission. Uses symmetric key for bulk encryption, asymmetric key for authentication and key exchange, and message authentication codes for message integrity. It uses the RSA algorithm with 1024- and 2048-bit strengths. The protocol consists of two layers: TLS Record Protocol and TLS Handshake Protocol.
Rivest Shamir Adleman (RSA)
A public-key cryptosystem for Internet encryption and authentication. Uses modular arithmetic and elementary number theories to perform computations with two large prime numbers. Microsoft, Apple, Sun, and Novell build this algorithm into their operating systems.
Public Key Infrastructure (PKI)
A security architecture developed to increase the confidentiality of information exchanged over the insecure Internet. It includes hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, this helps to bind public keys with corresponding user identities by means of a Certificate Authority (CA). cryptosystems distribute them within digital signatures.
Data Encryption Standard (DES)
A standard for data encryption that uses a secret key for both encryption and decryption (symmetric cryptosystem) o Archetypal block cipher o 64-bit secret key of which 56 bits are generated randomly and other 8 bits help in error detection. o Use 3DES for more encryption
Disk Encryption
A technology which protects the confidentiality of the data stored on disk by converting it into an unreadable code using disk encryption software or hardware, thus preventing unauthorized users from accessing it. It provides confidentiality and privacy using passphrases and hidden volumes. It works in a manner similar to text-message encryption and protects data even when the OS is not active. Software scrambles the information burned on the disk into an illegible code. It is only after decryption of the disk information that one can read and use it.
Rainbow Table Attack
A type of cryptography attack where an attacker uses a rainbow table for reversing cryptographic hash functions. It uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography
Hash-based Message Authentication Code (HMAC)
A type of message authentication code (MAC) that uses a cryptographic key along with a cryptographic hash function. It is widely used to verify the integrity of the data and authentication of a message. This algorithm includes an embedded hash function such as SHA-1 or MD5. The strength of this depends on the embedded hash function, key size, and the size of the hash output.
Blowfish
A type of symmetric block cipher algorithm, designed to replace DES or IDEA algorithms. It is a 16-round Feistel cipher working on 64-bit blocks. However, unlike DES, it can have varying key sizes ranging from 32 bits to 448 bits. Two parts to this algorithm. The first part handles the expansion of the key. The second part actually encrypts the data.
RC4
A variable key-size symmetric-key stream cipher with byte-oriented operations based on random permutation. The period of the cipher is likely to be greater than 10^100. Each output byte uses eight to sixteen system operations, so the cipher has the ability to run fast when used in software. Used for file encryption but ideal for software implementation. Enables safe communications such as traffic encryption (which secures Web sites) and for Web sites that use the SSL protocol.
MD5
A widely used cryptographic hash function that takes a message of arbitrary length as input and generates a 128-bit (16-byte) fingerprint or message digest. This algorithm comes into use in a wide variety of cryptographic applications and is useful for digital signature applications, file integrity checking, and storing passwords. On the other hand, it is not collision resistant and it can be cracked by brute-force attack
Digital Signature Algorithm (DSA)
Adopted as FIPS 186-2. Helps in the generation and verification of digital signatures for sensitive and unclassified applications. It creates a 320-bit digital signature but with 512-1024 bit security. A public-key cryptosystem, as it involves the use of both private and public keys. Processes involved in DSA: o Signature Generation Process: The private key is used to know who has signed it. o Signature Verification Process: The public key is used to verify whether the given digital signature is genuine.
Asymmetric Encryption
Also known as public key cryptography. Uses a key pair: one public key available to anyone (encrypt), and one private key held only by the key owner (decrypt).
Ciphers
An algorithm (a series of well-defined steps) for performing encryption and decryption. (*note* -Encipherment is the process of converting plain text into a cipher or code; the reverse process is called decipherment.)
Secure Socket Layer (SSL)
An application layer protocol developed by Netscape for managing the security of a message transmission on the Internet. A protocol used to provide a secure authentication mechanism between two communicating applications, such as a client and a server. Uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections. Requires a reliable transport protocol, such as TCP, for data transmission and reception (three-way handshake).
Challenge-Handshake Authentication Protocol (CHAP)
An authentication mechanism used by Point to Point protocol (PPP) servers in order to authenticate or validate the identity of remote clients or network hosts. It is more secure and effective as compared to Password Authentication Procedure (PAP) as it regularly verifies the identity of the client using three-way handshake and provides protection against replay attacks
Extensible Authentication Protocol (EAP)
An authentication protocol that was originally designed for Point-to-Point connections. It is used as an alternative to CHAP and PAP authentication protocols as it is more secure and supports different authentication mechanisms such as passwords, smart tokens, OTPs (one-time passwords), Secure ID card, digital certificates and public key encryption mechanism
Rubber Hose Attack
Attackers extract cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture.
Linear Cryptanalysis
Based on finding affine approximations to the action of a cipher. It is commonly used on block ciphers. It is a known plaintext attack and uses a linear approximation to describe the behavior of the block cipher.