Chapter 6 (DOMAIN 3): Cryptography and Symmetric Key Algorithms:
C1. Confidentiality:
Perhaps the most widely cited goal of cryptosystems Ensures that data remains private in three different situations: - when it is at rest, - when it is in transit, and - when it is in use
E4. >. Best practices surrounding the storage of encryption keys - 2).
Principle of split knowledge, For sensitive keys, consider providing two different individuals with half of the key. They then must collaborate to re-create the entire key.
D4. Vernam Ciphers:
Also known as one-time pads, which are keystreams that can be used only once.
M2. A one-way function
1). A mathematical operation that easily produces output values for each possible combination of inputs, - 2). But makes it impossible to retrieve the input values. For example, Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers.
B1. > First, Security Professionals Must:
SPECIFYING the CRYPTOGRAPHIC ALGORITHMS (such as AES, 3DES, and RSA) acceptable for use in an organization
C. Encryption:
The sender of a message uses a cryptographic algorithm to perform this on the plaintext message and produce a ciphertext message, represented by the "LETTER C"
H3. RC6
1). Built upon RC5, but it has not been widely adopted. 2). The subject of a massive BRUTE FORCE attack cracking a message encrypted using RC5 with a 64-bit key, 3). This effort took more than four years to crack a single message.
F. Bit Size:
A key space is defined by this. It represents nothing more than the number of binary bits (0s and 1s) in the key.
C8. Period Analysis:
Although polyalphabetic substitution protects against direct frequency analysis, it is vulnerable to this second-order form of frequency analysis which is an examination of frequency based on the repeated use of the key.
C. On Condition:
Computer scientists refer to this condition as a TRUE VALUE.
E. Key Space:
Every algorithm has a specific ( ? ). This area is the range of values that are valid for use as a key for a specific algorithm. The range between the key that has all 0s and the key that has all 1s.
J3. Prewhitening
(Twofish) Involves XORing the plaintext with a separate subkey before the first round of encryption.
J4. Postwhitening
(Twofish) Uses a similar operation after the 16th round of encryption.
G2. Skipjack:
1). Created by NSA 2). 64 bit blocks 3). with 80 bit key 4). Uses Clipper chip 5). Has NSA back door 6). Supports the same 4 modes of operation supported by DES. 7). Has an ADDED TWIST— it supports the escrow of encryption keys.(NIST) and Treasury, hold a portion of the information required to reconstruct a xxxxxx key. When law enforcement authorities obtain legal authorization, they contact the two agencies, obtain the pieces of the key, and are able to decrypt communications between the affected parties.
C0. Data Encryption Standard (DES) 5 Modes Of Operation:
1). ECB: (Electronic Codebook Mode) 2). CBC: (Cipher Block Chaining Mode) 3). CFB: (Cipher Feedback Mode) 4). OFB: (Output Feedback ) 5). CTR: (Counter Mode) No longer secure
F6. >. Key Escrow:
1). It's highly unlikely that government regulators will ever overcome the legal and privacy hurdles necessary to implement this on a widespread basis. 2). The technology is certainly available, but the general public will likely never accept the potential government intrusiveness it facilitates.
Symmetric Key Cryptography Weakness's:
1). KEY DISTRIBUTION is a major problem. 2). Symmetric key cryptography does not implement NONREPUDIATION. 3). The algorithm is not SCALABLE. 4). Keys must be REGENERATED OFTEN.
I3. AES Key 🔑 Length Rule
1). Key length are multiples of 32. 2). AES has 3 key bit lengths: 128, 192, 256. 3). If you ÷ 128 by 32 you get "4", 192 by 32 = "6", 256 by 32 = "8" 4). So remember "32 multiples" and "4-6-8"
B1. >. Offline Distribution:
1). Physical exchange of key material. 2). One party provides the other party with a sheet of paper or piece of storage media containing the secret key. 3). Often key material comes in the form of an electronic device inserted into the encryption device.
Symmetric Key Cryptography Strength:
1). Symmetric Key cryptography VERY FAST, often 1,000 to 10,000 times faster than asymmetric algorithms. 2). Symmetric Key lends itself to hardware implementations, an opportunity for even higher-speed operations.
I2. AES (Advanced Encryption Standard)
1). The Rijndael (pronounced "rhine-doll") block cipher was chosen by NIST In 2000 to replace DES. 2). Mandated by NIST in 2001 ( FIPS 197,) for the encryption of all sensitive but unclassified data by the gov. 3). Allows the use of three key strengths: 128 bits, 192 bits, and 256 bits. 4). Only allows the processing of 128-bit blocks, (Rijndael exceeded this with block sizes = to key length. 5). The number of encryption rounds depends on the key length chosen: - 128-bit keys require 10 rounds of encryption. - 192-bit keys require 12 rounds of encryption. - 256-bit keys require 14 rounds of encryption.
F4. >. Fair Cryptosystems:
1). The secret keys used in a communication are divided into 2 or more pieces, each given to an independent 3rd party. 2). Each piece is useless on its own - but - may be recombined to obtain the secret key. 3). Feds must obtain legal authority to access a particular key, 4). They provide evidence of court order to each of the 3rd party & reassembles the secret key.
C1). Electronic Codebook Mode: (ECB)
1). The simplest DES mode. Each time the algorithm processes a 64-bit block, it simply encrypts the block using the chosen secret key. This mode is considered the least secure and is used only for short messages.
F5. >. Escrowed Encryption Standard:
1). This escrow approach provides the government with a technological means to decrypt ciphertext. 2). This standard is the basis behind the Skipjack algorithm.
C2). Cipher Block Chaining Mode: (CBC)
2). A block mode of DES that uses XORs on the previous the previous encrypted block of ciphertext to the next block of plaintext to be encrypted. The first encrypted block is an initialization vector that contains random data
C3). Cipher Feedback Mode: (CFB)
3). A stream mode DES that is basically a stream version of CBC. Uses the CFB uses the previous ciphertext for feedback. The previous ciphertext is the subkey XORed to the plaintext
C4.a). Output Feedback Mode: (OFB)
4). A stream mode of DES that is mode similar to CFB but differs in the way feedback is accomplished. OFB uses the subkey before it is XORed to the plaintext. Since the subkey is not affected by encryption errors, ERRORS WILL NOT PROPAGATE!.
C5). Counter Mode: (CTR)
5). A mode of DES that uses a stream cipher similar to that used in CFB and OFB. However instead of creating the seed value for each operation, it uses a simple counter that increments for each operation. This mode allows you to break an encryption or decryption operation into multiple independent steps. This makes xxx mode well suited for use in PARALLEL COMPUTING.
B3. Columnar Transposition:
A complex Transposition ciphers that involves writing the plaintext out in rows, and then reading the ciphertext off in columns. It usually requires a numbered key word. T R U M P 4 3 5 1 2 I H A T E T H E F A K E N E W S M E D I A becomes "ITKDAHHEMAENETFEDEAWI"
B3. Truth Table:(function of the AND operation)
A function of the AND operation, The truth table that follows illustrates all four possible outputs for the AND function.
C7. The Vigenère Cipher (French pronunciation: [viʒnɛːʁ]):
A method of encrypting alphabetic text by using a series of interwoven Caesar ciphers, based on the letters of a keyword. It is a form of polyalphabetic substitution.
A6. The Purple Machine:
A significant American attack on this cryptosystem resulted in breaking the Japanese code prior to the end of the war. The Americans were aided by the fact that Japanese communicators used very formal message formats that resulted in a large amount of similar text in multiple messages, easing the cryptanalytic effort.
C6. Monoalphabetic Substitution Cipher:
A single alphabet is used to encrypt the entire plaintext message.
A4. Caesar Cipher:
A substitution cipher that is mono-alphabetic.
H2. Rivest Cipher 5 (RC5)
A symmetric algorithm patented by Rivest-Shamir-Adleman (RSA) Data Security, the people who developed the RSA asymmetric algorithm. 1). A block cipher of variable block sizes (32, 64, or 128 bits) that 2). uses key sizes between 0 (zero) length and 2,040 bits. 3). An improvement on an older algorithm called RC2 that is no longer considered secure.
D. Cryptographic Keys:
All cryptographic algorithms rely on these to maintain their security. For the most part, they are nothing more than a number. It's usually a very large binary number, but it's a number nonetheless.
H2. Running Key Ciphers:
Also known as a Book Cipher. Uses the numerical value of letters in the plaintext and is coded and decoded by using a copy of the text in a book as the key. For example, the sender and recipient might agree in advance to use the text of a chapter from Moby-Dick, beginning with the third paragraph, as the key. They would both simply use as many consecutive characters as necessary to perform the encryption and decryption operations.
C3. Caesar Cipher:
An example of a stream cipher. To encrypt a message, you simply shift each letter of the alphabet three places to the right. For example, A would become D, and B would become E. If you reach the end of the alphabet during this process, you simply wrap around to the beginning so that X becomes A, Y becomes B, and Z becomes C. For this reason, this cipher also became known as the ROT3 (or Rotate 3) cipher.
E2. >. Storage and Destruction of Symmetric Keys
Another major challenge with the use of symmetric key cryptography is that all of the keys used in the cryptosystem must be kept secure. This includes following best practices surrounding the storage of encryption keys:
H2. Public key Cryptosystems:
Are all based on some sort of one-way function. In practice, however, it's never been proven that any specific known function is truly one way. Cryptographers rely on functions that they believe are one way, but it's always possible that they might be broken by future cryptanalysts.
A3. >. Creation and Distribution of Symmetric Keys
As previously mentioned, one of the major problems underlying symmetric encryption algorithms is the secure distribution of the secret keys required to operate the algorithms. The three main methods used to exchange secret keys securely are offline distribution, public key encryption, and the Diffie-Hellman key exchange algorithm.
A. Cryptographic Concepts:
As with any science, you must be familiar with certain terminology before studying cryptography. Let's take a look at a few of the key terms used to describe codes and ciphers.
A6. Nonrepudiation:
Asymmetric key algorithms also provide support for digital signature technology. Basically, if Bob wants to assure other users that a message with his name on it was actually sent by him.
A2. Asymmetric Key Algorithms:
Asymmetric key algorithms, also known as public key algorithms, provide a solution to the weaknesses of symmetric key encryption. In these systems, each user has two keys: a public key, which is shared with all users, and a private key, which is kept secret and known only to the user. But here's a twist: opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa. Figure 6.4 shows the algorithm used to encrypt and decrypt messages in a public key cryptosystem. Consider this example. If Alice wants to send a message to Bob using public key cryptography, she creates the message and then encrypts it using Bob's public key. The only possible way to decrypt this ciphertext is to use Bob's private key, and the only user with access to that key is Bob. Therefore, Alice can't even decrypt the message herself after she encrypts it. If Bob wants to send a reply to Alice, he simply encrypts the message using Alice's public key, and then Alice reads the message by decrypting it with her private key. Each user has two keys: 1). A PUBLIC KEY, which is shared with all users, and a 2). PRIVATE KEY, which is kept secret and known only to the user. Opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if 1). the PUBLIC key ENCRYPTS a MESSAGE, then only 2). the CORRESPONDING PRIVATE key can DECRYPT IT, and vice versa.
A2. >. Symmetric Key Management:
Because cryptographic keys contain information essential to the security of the cryptosystem, it is incumbent upon cryptosystem users and administrators to take extraordinary measures to protect the security of the keying material. These security measures are collectively known as key management practices. They include safeguards surrounding the creation, distribution, storage, destruction, recovery, and escrow of secret keys.
B. Plaintext Message:
Before a message is put into a coded form, it is known as this and is represented by the "LETTER P" when encryption functions are described.
F2. Blowfish:
Bruce Schneier's block cipher is another alternative to DES and IDEA. 1). Operates on 64-bit blocks of text. 2). Extends IDEA's key strength by allowing the variable-length keys 3). from a an insecure 32 bits to 4). a very strong 448 bits. 5). Time trials have established this is a much faster algorithm than both IDEA and DES. 6). Released for public use with no license required. 7). Built into a number of commercial software products and operating systems. 8). A number of libraries are available for software developers.
B. Boolean Mathematics:
COMPUTER SYSTEM: Defines the rules used for the bits and bytes that form the nervous system of any computer. Values of the variables are the truth values true and false, usually denoted 1 and 0 respectively - 0000101111010100010110110101010101111 This system has electrical origins. - In an electrical circuit, there are only two possible states—on (representing the presence of electrical current) and off (representing the absence of electrical current). - All computation performed by an electrical device must be expressed in these terms, giving rise to the use of xxxxxxx computation in modern electronics.
B2. The AND operation (∧ symbol)
Checks to see whether two values are BOTH VALUES ARE TRUE. In Boolean math: 1). There are only 2 possible values for each of these variables, 2). leading to four possible inputs to the ? function. It's this FINITE NUMBER of POSSIBILITIES that makes it EXTREMELY EASY for COMPUTERS to IMPLEMENT LOGICAL FUNCTIONS in HARDWARE.
A2. Ciphers:
Cipher systems have long been used by individuals and governments interested in preserving the confidentiality of their communications. In the following sections, we'll cover the definition of a cipher and explore several common cipher types that form the basis of modern ciphers. It's important to remember that these concepts seem somewhat basic, but when used in combination, they can be formidable opponents and cause cryptanalysts many hours of frustration.
D. Off Condition:
Computer scientists refer to this condition as a FALSE VALUE.
D2. One-Time Pad:
Considered a perfect encryption scheme because it is considered unbreakable when used properly. There is no repeating pattern of alphabetic substitution, rendering cryptanalytic efforts useless. It is an example of a stream cipher as the algorithm operates on each letter of the plaintext message independently. Requirements: However, several requirements must be met to ensure the integrity of the algorithm. 1). Its main strength ]is derived from the fact that it uses an EXTREMELY LONG KEY. 2). The one-time pad must be RANDOMLY GENERATED. 3). The one-time pad must be PHYSICALLY PROTECTED against disclosure. 4). Each one-time pad must be USED only ONCE. 5). The KEY MUST be at least AS LONG as the MESSAGE to be ENCRYPTED.
F2. >. Key Escrow and Recovery
Cryptography is a powerful tool. Like most tools, it can be used for a number of beneficent purposes, but it can also be used with malicious intent. To gain a handle on the explosive growth of cryptographic technologies, governments around the world have floated ideas to implement key escrow systems. These systems allow the government, under limited circumstances such as a court order, to obtain the cryptographic key used for a particular communication from a central storage facility. There are two major approaches to key escrow that have been proposed over the past decade.
A. Cryptographic Mathematics
Cryptography is no different from most computer science disciplines in that it finds its foundations in the science of mathematics. To fully understand cryptography, you must first understand the basics of binary mathematics and the logical operations used to manipulate binary values. The following sections present a brief look at some of the most fundamental concepts with which you should be familiar.
I2. Nonce:
Cryptography often gains strength by adding randomness to the encryption process. One method by which this is accomplished is through the use of a this function. It generates a random number that acts as a placeholder variable in mathematical functions. When executed, the (xxxxxx) is replaced with a random number generated at the moment of processing for 1-time use. It must be a unique number each time it is used.
B2. Data Encryption Standard (DES):
DES is the data encryption standard, which describes the data encryption algorithm (DEA). DES is a symmetric block encryption algorithm. - 64-bit blocks of plaintext go in, ——— 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning - The same key is used for encryption and decryption. It uses a 64-bit key: - 56 bits make up the true key, and - 8 bits are used for parity. 56 + 8 = 64. DES divides the message into blocks and operates on them one at a time. 1). The blocks are put through 16 ROUNDS of TRANSPOSITION and SUBSTITUTION functions. 2). The order & type of transposition / substitution depends on the Key value. 3). The result is 64-bit blocks of ciphertext.
Symmetric Key Cryptography Weakness's:
DOES NOT SUPPORT NONREPUDIATION.
C7. Eavesdropping Attacks:
Data in motion may be susceptible to this type of attack.
C8. Physical Theft:
Data in motion may be susceptible to this type of attack.
C9. Unauthorized processes if O.S. doesn't implement process isolation;
Data in use may be susceptible to this type of attack.
J2. The Twofish Algorithm:
Developed by Bruce Schneier (also the creator of Blowfish) was another one of the AES finalists. Like Rijndael, Twofish is a block cipher. It operates on 128-bit blocks of data and is capable of using cryptographic keys up to 256 bits in length. Twofish uses two techniques not found in other algorithms: 1). Prewhitening involves XORing the plaintext with a separate subkey before the first round of encryption. 2). Postwhitening uses a similar operation after the 16th round of encryption.
Calculating the number Of Keys for Symmetric Key Algorithms:
Dictated by the formula (n*(n-1))/2, —— so, —— for 10 participants , it would be 10 x (10-1="9") 9 = 90 ÷ 2 = 45
B3. > Third, Security Professionals Must:
ENUMERATING the SECURE TRANSACTION PROTOCOLS (such as SSL and TLS) that may be used
D2. >. Secure RPC (S-RPC)
Employs Diffie-Hellman for key exchange.
D2. Message Integrity:
Enforced through the use of encrypted message digests, known as digital signatures, created upon transmission of a message. The recipient of the message simply verifies that the message's digital signature is valid, ensuring that the message was not altered in transit.
D1. Cryptographic Integrity:
Ensures that data is not altered without authorization. These mechanisms ensure that the message received is identical to the message that was sent. Ensure that stored data was not altered between the time it was created and the time it was accessed. Protect against all forms of alteration
B3. Exam Warning - DES & DEA
Even though DES is commonly referred to as an algorithm, it is technically the name of the published standard that describes DEA. It may sound like splitting hairs, but that is an important distinction to keep in mind on the exam. DEA may be the best answer for a question regarding the algorithm itself.
E2. International Data Encryption Algorithm (IDEA)
Evolved from the Proposed Encryption Standard and the Improved Proposed Encryption Standard (IPES) originally developed in 1990. 1). A block cipher that operates on 64-bit plaintext blocks by using a 128-bit key. 2). Performs eight rounds on 16-bit sub-blocks and 3). Can operate in four distinct modes similar to DES. 4). Provides stronger encryption than RC4 and Triple DES, 5). Because it's patented, it's not widely used today. (patents set to expire in between 2010 and 2012) 6). It is currently used in Pretty Good Privacy (PGP) email.
E. Decimal System:
HUMAN SYSTEM: You're most likely familiar with this. It is a base 10 system in which an integer from 0 to 9 is used in each place and each place value is a multiple of 10. It's likely that our reliance on this system has biological origins—human beings have 10 fingers that can be used to count.
B2. > Second , Security Professionals Must:
IDENTIFYING the ACCEPTABLE KEY LENGTHS for use with each algorithm based on the sensitivity of information transmitted
G. Calculating Key Space:
If a key were eight bits (one byte) long, the keyspace would consist of 28 or 256 possible keys. Advanced Encryption Standard (AES) can use a symmetric key of 256 bits, resulting in a key space containing 2256 (or 1.1579 × 1077) possible keys. Keyspace = 2 to the power of the number of bits, so: 1). 4 bits = so, "2" to the power of "4", i.e: 2x2x2x2 (2, 2x2="4", 2x4="8", 2x8="16") = 16 2). 8 bits= so, so, "2" to the power of "8", i.e: (2x2x2x2x2x2x2x2) = 256 keys
A5. Asymmetric 3). ENCRYPT/REPLY/SEND:
If the receiver "Bob" wants to send a reply to the sender "Alice", he simply encrypts the message using the senders "Alice's" public key.
K2. Zero-Knowledge Proof:
In cryptography, a Knowledge method/protocol is a way by which one party (the prover) can prove to another party (the verifier) that she knows a value X, without conveying any information apart from the fact that she knows the value X.
F3. Cryptographic Nonrepudiation:
Is offered only by public key, or asymmetric, cryptosystems, a topic discussed in greater detail in Chapter 7.
H. Key Security:
It is absolutely critical to protect the security of secret keys. In fact, all of the security you gain from cryptography rests on your ability to keep the keys used private.
D1). Asymmetric Key Cryptography Weakness:
Its slow speed of operation. For this reason, many applications that require the secure transmission of large amounts of data use public key cryptography to establish a connection and then exchange a symmetric secret key.
B2. ((n*(n-1))÷2)
Key Requirements - 5, multiplied by 5 - 1 = (4), "5*4=20", 20 ÷ 2 = "10" 10 Keys.
B4. Output value is true only in columns where both X and Y are true:
Logical operations are often performed on entire Boolean words rather than single values. Take a look at the following example: X: 0 1 1 0 1 1 0 0 Y: 1 0 1 0 0 1 1 1 ___________________________ X ∧ Y: 0 0 1 0 0 1 0 0 Notice that the AND function is computed by comparing the values of X and Y in each column. The output value is true only in columns where both X and Y are true.
Symmetric Key Cryptography Supports:
Of the FOUR FUNDAMENTAL CRYPTOGRAPHIC GOALS: 1). Confidentiality, 2). Integrity, 3). Authentication, and 4). Nonrepudiation Symmetric Key Cryptography supports: 1). Confidentially!
C1. >. Public Key Encryption:
Many communicators want to obtain the speed benefits of secret key encryption without the hassles of key distribution. For this reason, many people use public key encryption to set up an initial communications link. Once the link is successfully established and the parties are satisfied as to each other's identity, they exchange a secret key over the secure public key link. They then switch communications from the public key algorithm to the secret key algorithm and enjoy the increased processing speed. In general, secret key encryption is thousands of times faster than public key encryption.
128-bit key:
Modern cryptographic systems use at least a this long to protect data against prying eyes.
Symmetric Memorization Chart:
Name: Advanced Encryption Standard (AES) Type: Symmetric Key Encryption Algorithm Block Size: 128 Key Size: 128, 192, 256 Name: Rijndael Type: Symmetric Key Encryption Algorithm Block Size: Variable Key Size: 128, 192, 256 Name: Blowfish (often used in SSH) Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 32-448 Name: Data Encryption Standard (DES) Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 56 Name: IDEA (used in PGP) Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 128 Name: Rivest Cipher 2 (RC2) Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 128 Name: Rivest Cipher 5 (RC5) Type: Symmetric Key Encryption Algorithm Block Size: 32, 64, 128 Key Size: 0-2,040 Name: Skipjack Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 80 Name: Triple DES (3DES) Type: Symmetric Key Encryption Algorithm Block Size: 64 Key Size: 112 or 168 Name: Twofish Type: Symmetric Key Encryption Algorithm Block Size: 128 Key Size: 1-256
E3. >. Best practices surrounding the storage of encryption keys - 1).
Never store an encryption key on the same system where encrypted data resides. This just makes it easier for the attacker!
C7). Sharing Keys:
No preexisting communication link needs to exist. Two individuals can begin communicating securely from the moment they start communicating. Does not require a preexisting relationship to provide a secure mechanism for data exchange.
C5). Asymmetric Key Encryption Supports -
Of the FOUR FUNDAMENTAL CRYPTOGRAPHIC GOALS: 1). Confidentiality, 2). Integrity, 3). Authentication, and 4). Nonrepudiation Symmetric Key Cryptography supports: 2). Integrity, 3). Authentication & 4) Nonrepudiation!
C3). Key Regeneration:
Only required only when a user's private key is compromised AND ONLY FOR THAT USER. If a user leaves the community, the system administrator simply needs to invalidate that user's keys. No other keys are compromised and therefore key regeneration is not required for any other user.
I2. Block Ciphers:
Operate on "chunks," or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Transposition ciphers are examples of this type of cipher.
J2. Stream Ciphers:
Operates on one character or bit of a message (or data stream) at a time. The Caesar cipher is an example of a this type of Cipher as is one-time pad because the algorithm operates on each letter of the plaintext message independently. It can also function as a type of block cipher. In such operations there is a buffer that fills up to real-time data that is then encrypted as a block and transmitted to the recipient.
C4.b. Which(DES) operating mode can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil results throughout the communication?
Output Feedback (OFB) mode prevents early errors from interfering with future encryption/decryption. - Cipher Block Chaining and Cipher Feedback modes will carry errors throughout the entire encryption/decryption process. - Electronic Codebook (ECB) operation is not suitable for large amounts of data.
F. END-TO-END ENCRYPTION:
Packets are encrypted once at the original encryption source and then decrypted only at the final decryption destination. The advantages of end-to-end encryption are its speed and overall security. However, in order for the packets to be properly routed, only the data is encrypted, not the routing information.
A3. Codes vs. Ciphers:
People often use the words code and cipher interchangeably, but technically, they aren't interchangeable. There are important distinctions between the two concepts.
C2). Removing users:
Provide a KEY REVOCATION MECHANISM that allows a key to be canceled, effectively removing a user from the system.
F2. Cryptographic Nonrepudiation:
Provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender. It also prevents the sender from claiming that they never sent the message in the first place (also known as repudiating the message). Secret key, or symmetric key, cryptosystems (such as simple substitution ciphers) do not provide this guarantee of nonrepudiation.
N2. M of N Control - "M = 2" "N = 6":
Requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database (thereby also illustrating that M is always less than or equal to N).
G. LINK ENCRYPTION:
Requires that each node (for example, a router) has separate key pairs for its upstream and downstream neighbors. Packets are encrypted and decrypted, then re-encrypted at every node along the network path.
Symmetric Key Cryptography, A.K.A:
Secret key cryptography & Private key cryptography
B. Goals of Cryptography:
Security practitioners use cryptographic systems to meet FOUR FUNDAMENTAL GOALS: 1). Confidentiality, 2). Integrity, 3). Authentication, and 4). Nonrepudiation.
B0. > Algorithms & Protocol Governance Controls to Manage The Cryptographic Lifecycle:
Security professionals can use the following algorithm and protocol governance controls:
A2. Historical Milestones in Cryptography
Since the earliest civilizations, human beings have devised various systems of written communication, ranging from ancient hieroglyphics written on cave walls to flash storage devices stuffed with encyclopedias full of information in modern English. As long we've been communicating, we've used secretive means to hide the true meaning of those communications from prying eyes. Ancient societies used a complex system of secret symbols to represent safe places to stay during times of war. Modern civilizations use a variety of codes and ciphers to facilitate private communication between individuals and groups. In the following sections, you'll look at the evolution of modern cryptography and several famous attempts to covertly intercept and decipher encrypted communications.
"Security Through Obscurity."
Some cryptographers thought the best way to keep an encryption algorithm secure was to hide the details of the algorithm from outsiders.
M. Cryptosystems:
Specific implementations of a code or cipher in hardware and software are known as ?
Shared secret:
Symmetric key algorithms rely on a "xxxxx xxxxxxxt" encryption key that is distributed to all members who participate in the communications. This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the shared key. The sender encrypts with the shared secret key and the receiver decrypts with it.
K2. Confusion:
THE SUBSTITUTION INTRODUCES CONFUSION! It is commonly carried out through substitution, (One of the two basic operations Cryptographic algorithms rely to obscure plaintext messages) This occurs when the relationship between the plaintext and the key is so complicated that an attacker can't merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.
L2. Diffusion:
THE TRANSPOSITION INTRODUCES DIFFUSION! - This occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext. - The single plaintext bit has influence over several of the ciphertext bits. - Changing a plaintext value should change many ciphertext values, not just one. One of the two basic operations Cryptographic algorithms rely to obscure plaintext messages.
I. Kerckhoffs's Principle (a.k.a: Kerckhoffs's assumption):
That a cryptographic system should be secure even if everything about the system, except the key, is public knowledge. The principle can be summed up as "The enemy knows the system."
B1. The AND operation (∧ symbol) "checks to see whether two values are both true"
The AND operation (represented by the ∧ symbol) checks to see whether two values are both true. The truth table that follows illustrates all four possible outputs for the AND function. Remember, the AND function takes only two variables as input. In Boolean math, there are only two possible values for each of these variables, leading to four possible inputs to the AND function. It's this finite number of possibilities that makes it extremely easy for computers to implement logical functions in hardware.
A7. Ultra, Alan Turing & Bletchley Park:
The Allied forces began a top-secret effort known as this code name to attack the Enigma codes. Eventually, their efforts paid off when the Polish military successfully reconstructed an Enigma prototype and shared their findings with British and American cryptology experts.
M2. Key Escrow:
The BEST EXAMPLE of SPLIT KNOWLEDGE is seen in THIS CONCEPT. IN THIS METHOD OF SPLIT KNOWLEDGE, cryptographic keys, digital signatures, and even digital certificates can be stored or backed up in a special database called the key escrow database. In the event a user loses or damages their key, that key can be extracted from the backup. CAUTION: if only a single key escrow recovery agent exists, there is opportunity for fraud and abuse of this privilege.
A2. Logical Operations
The Boolean mathematics of cryptography uses a variety of logical functions to manipulate data. We'll take a brief look at several of these operations.
D2. The NOT operation (the ∼ or ! symbol) - No-oPosite " reverses the value of an input variable, operates on only one variable at a time"
The NOT operation (represented by the ∼ or ! symbol) simply reverses the value of an input variable. This function operates on only one variable at a time. Here's the truth table for the NOT function: From the original: "0 1 1 0 1 1 0 0" To The opposite: ∼ X: "1 0 0 1 0 0 1 1"
C2. The OR operation (∨ symbol)
The OR operation (represented by the ∨ symbol) checks to see whether at least one of the input values is true. Refer to the following truth table for all possible values of the OR function. Notice that the only time the OR function returns a false value is when both of the input values are false:
Symmetric key decryption:
The RECEIVER DECRYPTS with the SHARED SECRET KEY.
Symmetric key encryption:
The SENDER ENCRYPTS with the SHARED SECRET KEY.
C1). Adding new users:
The addition of new users requires the generation of only one public-private key pair.
J. Cryptography:
The art of creating and implementing secret codes and ciphers
E2. The exclusive OR (XOR) function. (the ⊕ symbol).
The final logical function you'll examine in this chapter is perhaps the most important and most commonly used in cryptographic applications—the exclusive OR (XOR) function. It's referred to in mathematical literature as the XOR function and is commonly represented by the ⊕ symbol. The XOR function returns a true value when only one of the input values is true. If both values are false or both values are true, the output of the XOR function is false. Here is the truth table for the XOR operation: 1). if both values are the same, the result is 0 (1 XOR 1 = 0). 2). If the bits are different from each other, the result is 1 (1 XOR 0 = 1). So: X: 0 1 1 0 1 1 0 0 Y: 1 0 1 0 0 1 1 1 = (X ⊕ Y): 1 1 0 0 1 0 1 1
D2. DES-EEE3 (Encrypt-Encrypt-Encrypt)
The first variant of 3DES (XXXX- XXXX) - DES-EEE3 Uses three different keys for encryption, and the data is encrypted, encrypted, encrypted
C0. Major Strengths Of Asymmetric Cryptography:
The following is a list of the major strengths of asymmetric key cryptography:
D5. DES-EDE2 (Encrypt-Decrypt-Encrypt)
The fourth variant of 3DES (XXXX- XXXX) - The same as DES-EDE3, but uses only two keys, and the first and third encryption processes use the same key.
The longer the key.....
The harder it is to break the cryptosystem.
F2. Modulo Function, (%) (mod): "8 mod 6 = 2"
The modulo function is extremely important in the field of cryptography. Think back to the early days when you first learned division. At that time, you weren't familiar with decimal numbers and compensated by showing a remainder value each time you performed a division operation. Computers don't naturally understand the decimal system either, and these remainder values play a critical role when computers perform many mathematical functions. The modulo function is, quite simply, the remainder value left over after a division operation is performed. The modulo function is usually represented in equations by the abbreviation mod, although it's also sometimes represented by the % operator. Here are several inputs and outputs for the modulo function: 8 mod 6 = 2 6 mod 8 = 6 10 mod 3 = 1 10 mod 2 = 0 32 mod 8 = 0
D3. One-Time Pad:
The only cryptographic system that has an unlimited life span.
Moore's Law:
The rapid increase in computing power allows you to use increasingly long keys in your cryptographic efforts. But, this same computing power is also in the hands of cryptanalysts attempting to defeat the algorithms you use.
A4. Asymmetric 2). RECEIVE/DECRYPT:
The receiver "Bob" decrypts the delivered ciphertext using their private key, and the only user with access to that key is "Bob". Therefore, "Alice" (the sender) can't even decrypt the message herself after she encrypts it.
D3. DES-EDE3 (Encrypt-Decrypt-Encrypt)
The second variant of 3DES (XXXX- XXXX) - Uses three different keys for encryption, and the data is encrypted, decrypted, encrypted.
Modern cryptosystems rely on......
The secrecy of one or more cryptographic keys used to personalize the algorithm for specific users or groups of users.
A3. Asymmetric 1). ENCRYPT/SEND:
The sender "Alice" creates the message and then encrypts it using the receivers "Bob" public key.
K. Cryptanalysis:
The study of methods to defeat codes and ciphers.
A3. Caesar Cipher:
The system is extremely simple. To encrypt a message, you simply shift each letter of the alphabet three places to the right. For example, A would become D, and B would become E. If you reach the end of the alphabet during this process, you simply wrap around to the beginning so that X becomes A, Y becomes B, and Z becomes C. For this reason, this cipher also became known as the ROT3 (or Rotate 3) cipher.
D4. DES-EEE2 (Encrypt-Encrypt-Encrypt)
The third version of 3DES (XXXX- XXXX) - Same as DES-EEE3, but uses only two keys, and the first and third encryption processes use the same key
E. CONCEALMENT CIPHERS:
These ciphers include steganography, which we discuss in the section "Steganography: A picture is worth a thousand (hidden) words," later in this chapter.
F3. >. Key Escrow:
These systems allow the government, under limited circumstances such as a court order, to obtain the cryptographic key used for a particular communication from a central storage facility. There are two major approaches to key escrow 1). Fair Cryptosystems, & 2). Escrowed Encryption Standard
N. Federal Information Processing Standard (FIPS) 140-2:r
This document, "Security Requirements for Cryptographic Modules," defines the hardware and software requirements for cryptographic modules that the federal government uses.
G2. One-Way Functions:
This is a function in a mathematical operation that easily produces OUTPUT VALUES for each possible combination of inputs but makes it IMPOSSIBLE to RETRIEVE the INPUT VALUES.
J2. Initialization Vector (IV):
This is one of the more recognizable examples of a Nonce. This example uses random bit string that is the same length as the block size and is XORed with the message. They are used to create unique ciphertext every time the same message is encrypted using the same key.
A5. Enigma:
This machine used a series of three to six rotors to implement an extremely complicated substitution cipher. The only possible way to decrypt the message with contemporary technology was to use a similar machine with the same rotor settings used by the transmitting device.
L. Cryptology:
Together, cryptography and cryptanalysis are commonly referred to as ?
D1. >. Diffie-Hellman:
Two parties might need to communicate with each other, but they have no physical means to exchange key material, and there is no public key infrastructure in place to facilitate the exchange of secret keys. In situations like this, key exchange algorithms like this algorithm prove to be extremely useful mechanisms.
D5. VENONA:
US cryptanalysts broke a top-secret Soviet cryptosystem that relied on the use of one-time pads. A pattern in the way the Soviets generated the key values used in their pads was discovered. The existence of this pattern violated the first requirement of a one-time pad cryptosystem: the keys must be randomly generated without the use of any recurring pattern.
C2. Symmetric Cryptosystems Confidentially:
Use a shared secret key available to all users of the cryptosystem.
B2. Transposition Ciphers:
Use an encryption algorithm to REARRANGE the LETTERS of a PLAINTEXT MESSAGE, forming the CIPHERTEXT MESSAGE. The decryption algorithm simply reverses the encryption transformation to retrieve the original message. This is a type of block ciphers.
C3. Asymmetric Cryptosystems Confidentially:
Use individual combinations of public and private keys for each user of the system.
C5. Polyalphabetic Substitution Ciphers:
Use multiple alphabets in the same message to hinder decryption efforts.
C2. Substitution Ciphers:
Use the encryption algorithm to replace each character or bit of the plaintext message with a different character. The Caesar cipher discussed in the beginning of this chapter is a good example of a substitution cipher.
C6). Key Distribution:
Users who want to participate in the system simply make their public key available to anyone with whom they want to communicate. There is no method by which the private key can be derived from the public key.
I4. AES (Advanced Encryption Standard)
Uses a 128-bit block size, despite the fact that the Rijndael algorithm it is based on allows a variable block size.
E2. Cryptographic Authentication:
Verifies the claimed identity of system users and is a major function of cryptosystems. For example, suppose that Bob wants to establish a communications session with Alice and they are both participants in a shared secret communications system. Alice might use a CHALLENGE-Response authentication technique to ensure that Bob is who he claims to be.
C3. Output would be if X and Y were fed into the OR function rather than the AND function:
We'll use the same example we used in the previous section to show you what the output would be if X and Y were fed into the OR function rather than the AND function: X: 0 1 1 0 1 1 0 0 Y: 1 0 1 0 0 1 1 1 ___________________________ X ∨ Y: 1 1 1 0 1 1 1 1
C4. Confidentially DATA AT REST:
When developing a cryptographic system for the purpose of providing confidentiality, you must think about maintaining the confidentiality of Data At Rest. Examples of data at rest include data stored on hard drives, backup tapes, cloud storage services, USB devices, and other storage media.
C6. Confidentially DATA IN USE:
When developing a cryptographic system for the purpose of providing confidentiality, you must think about maintaining the confidentiality of Data In Use. Data in use is data that is stored in the active memory of a computer system where it may be accessed by a process running on that system.
C5. Confidentially DATA IN MOTION:
When developing a cryptographic system for the purpose of providing confidentiality, you must think about maintaining the confidentiality of Data in motion, or data on the wire, This is data being transmitted across a network between two systems. Data in motion might be traveling on a corporate network, a wireless network, or the public internet.
L2. Split Knowledge:
When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment.
A2. > Cryptographic Lifecycle:
With the exception of the one-time pad, all cryptographic systems have a limited life span. Moore's law, a commonly cited trend in the advancement of computing power, states that the processing capabilities of a state-of-the-art microprocessor will double approximately every two years. This means that, eventually, processors will reach the amount of strength required to simply guess the encryption keys used for a communication. Security professionals must keep this cryptographic lifecycle in mind when selecting an encryption algorithm and have appropriate governance controls in place to ensure that the algorithms, protocols, and key lengths selected are sufficient to preserve the integrity of a cryptosystem for however long it is necessary to keep the information it is protecting secret.
A5. Cipher:
Work on individual characters and bits! Always meant to hide the true meaning of a message. Use a variety of techniques to alter and/ or rearrange the characters or bits of a message to achieve confidentiality. They convert messages from plaintext to ciphertext on: 1). A bit basis (that is, a single digit of a binary code), 2). A character basis (a single character of an American Standard Code for Information Interchange (ASCII) message), 3). A block basis (that is, a fixed-length segment of a message, usually expressed in number of bits).
A4. Codes:
Work on words and phrases! A common example of a code is the "10 system" of communications used by law enforcement agencies. Under this system, the sentence "I received your communication and understand the contents" is represented by the code phrase "10-4." Or a spy might transmit the sentence "The eagle has landed" to report the arrival of an enemy aircraft.
D1. Triple DES: (3DES)
Works in different modes, and the mode chosen dictates the number of keys used and what functions are carried out. 3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively. 1). the Es indicate encryption operations, 2). the numeral 3 indicates that three different keys are used.
C4. ROT # (rotation/shift):
You can express the ROT3 cipher in mathematical terms by converting each letter to its decimal equivalent (where A is 0 and Z is 25). So the ROT12 cipher would turn an A into an M, a B into an N, and so on.
O2. Work Function:
You can measure the strength of a cryptography system by measuring the effort in terms of cost and/ or time using this function or factor. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what this function represents.
A2. Symmetric Cryptography:
You've learned the basic concepts underlying symmetric key cryptography, asymmetric key cryptography, and hashing functions. In the following sections, we'll take an in-depth look at several common symmetric cryptosystems: the Data Encryption Standard (DES), Triple DES (3DES), International Data Encryption Algorithm (IDEA), Blowfish, Skipjack, and the Advanced Encryption Standard (AES).
12. Most modern encryption algorithms...
implement some type of block cipher.