Chapter 8: Cryptography

The TLS Connection process

1. Session Establishment 2. Cryptography/Key Exchange 3. TLS Session Established.

End-Entity Certificate

Is issued by a CA to an end entity. A system that doesn't issue certificates but merely uses them.

Key Escrow

Addresses the possibility that a cryptographic key may be lost. Used to recover lost keys.

CA Certificate

Is issued by one CA to another CA. The second CA, in turn, can then issue certificates to an end entity.

National Security Agency (NSA)

Is responsible for obtaining foreign intelligence and supplying it to the various U.S. government agencies that need it.

Downgrade Attack

Is sometimes used against secure communications such as TLS in an attempt to get the user to shift to less secure modes.

The Rail Fence Cipher

A classic example of a transposition cipher. In this method, you write the message letters out diagonally over a number of rows and then read off the cipher row by row.

Salt

A countermeasure, which refers to the addition of bits at key locations, either before or after the hash.

Cryptographic Hash

A function that is one-way (nonreversible), has a fixed length output, and is collision resistant.

Public Key Infrastructure X.509 (PKIX)

A group formed by the IETF to develop standards and models for the PKI environment. PKIX working group is responsible for the X.509 standard.

Certificate

A mechanism that associates the public key with an individual. It contains a great deal of information about the user.

Certificate Revocation List

A mechanism to find out if a key is still valid. This is a list of certificates that a specific CA states should no longer be used. Is now being replaced by a real-time protocol called Online Certificate Status Protocol (OCSP).

Cipher

A method used to scramble or obfuscate characters to hide their value.

Stapling

A method used with OCSP, which allows a web server to provide information on the validity of its own certificate.

Public Key Cryptography Standards (PKCS)

A set of voluntary standards created by RSA and security leaders. Early members of this group include Apple, Microsoft, DEC (now HP), Lotus, Sun, and MIT.

Rainbow Table

A table of precomputed hashes used to guess passwords by searching for the hash of a password.

Substitution Cipher

A type of coding or ciphering system that changes one character or symbol into another.

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

Algorithm was based on MD4. There were questions regarding its security, and it has been replaced by RIPEMD-160, which uses 160 bits.

Block Cipher

Algorithm works on chunks of data, encrypting one and then moving to the next.

Preshared key

All of the clients and the access point share the same key.

Registration Authority

An RA system operates as an intermediary in the process: it can distribute keys, accept registrations for the CA, and validate identities. The RA doesn't issue certificates; that responsibility remains with the CA.

Challenge Handshake Authentication Protocol (CHAP)

An authentication protocol that periodically reauthenticates.

Institute of Electrical and Electronic Engineers (IEEE)

An international organization focused on technology and related standards.

Certificate Authority (CA)

An organization that is responsible for issuing, revoking, and distributing certificates.

Symmetric Cipher

Any cryptographic algorithm that uses the same key to encrypt and decrypt. DES, AES, and Blowfish are examples.

Rainbow Table

All of the possible hashes are computed in advance. A series of tables is created, and each has the possible two-letter, three-letter, four-letter, and so forth combinations and the hash of each combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table that produced the hash must be the password that you are seeking.

Ron Rivest

Author of Ron's Cipher. The current levels are RC4, RC5, and RC6. RC5 uses a key size of up to 2,048 bits. RC4 is popular with wireless and WEP/WPA encryption.

Salt

Bits added to a hash to make it resistant to rainbow table attacks.

WPA

Couples the RC4 encryption algorithm with TKIP (Temporal Key Integrity Protocol).

Message Digest Algorithm (MD)

Creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. MD4 was used by NTLM to compute the NT Hash.

Asymmetric Cipher

Cryptographic algorithms that use two different keys--one key to encrypt and another to decrypt. Also called public key cryptography.

Data in Use

Data encrypted when in use.

Data in Transit

Data is being transmitted from point A to point B.

Data at Rest

Data simply stored on a hard drive.

X.509 Standards

Defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys. Current version 3.

Advanced Encryption Standard (AES)

Developed by Joan Daemen and Vincent Rijmen. Has replaced DES as the current standard, and it uses the Rijndael algorithm. It's also the current product used by U.S. governmental agencies. It supports key sizes of 128, 192, and 256 bits, with 128 bits being the default.

Modern Cryptography

Divided into three major areas: Symmetric cryptography, asymmetric cryptography and hashing algorithms.

Wired Equivalent Privacy (WEP)

Encryption was an early attempt to add security, but it fell short because of weaknesses in the way the encryption algorithm is employed.

WPA2

Favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

National Institute of Standards and Technology (NIST)

Formerly known as the National Bureau of Standards (NBS), has been involved in developing and supporting standards for the U.S. government for over 100 years.

GOST

Gosudarstvennyy Standard, which translates into English as "state standard". It uses a 64-bit block and a key of 256 bits. It is a 32-round Feistel cipher.

SHA2

Has several sizes: 224, 256, 334, and 512 bit. Is the most widely used.

Internet Engineering Task Force (IETF)

International community of computer professionals that includes network engineers, vendors, administrators, and researchers.

Transposition Cipher

Involves transposing or scrambling the letters in a certain manner. Typically a message is broken into blocks of equal size, and each block is then scrambled.

Dictionary Attack

Involves attempting common words (such as words in a dictionary) that might be used as a password, hoping one will work.

Frequency Analysis

Involves looking at the blocks of an encrypted message to determine if any common patterns exist. Doesn't try to break the code but looks at the patterns in the message.

A cipher suite

Is a combination of methods, such as authentication, encryption, and message authentication code (MAC) algorithms, used together. Many cryptographic protocols such as TLS use this.

Pretty Good Privacy (PGP)

Is a freeware email encryption system. PGP was introduced in the early 1990s, and it's considered to be a very good system. It's widely used for email security.

Transport Layer Security (TLS)

Is a security protocol that expands on SSL. Though many people still say "SSL", it is highly unlikely you are actually using SSL, as TLS has been around since 1999.

GOST

Is a symmetric cipher developed in the old Soviet Union that has been modified to work as a hash function. Processes a variable-length message into a fixed-length output of 256 bits.

The Vernam Cipher

Is a type of one-time pad.

CAST

Is an algorithm developed by Carlisle Adams and Stafford Tavares. It's used in some products by Microsoft and IBM. Uses a 40-bit to 128-bit key, and it's very fast and efficient.

GPG (GNU Privacy Guard)

Is an alternative to the freeware PGP. It's a part of the GNU project by the Free Software Foundation, and it is interoperable with PGP. It's considered a hybrid program since it uses a combination of symmetric and public key cryptography. It's a free download.

Blowfish

Is an encryption system invented by a team led by Bruce Schneier that performs a 64-bit cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).

National Security Agency/Central Security Service (NSA/CSS)

Is an independently functioning part of the NSA. It was created in the early 1970s to help standardize and support Department of Defense (DoD) activities.

MD5

Is the new version of the algorithm. It produces a 128-bit hash, but the algorithm is more complex than its predecessors and offers greater security. Its biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use.

Key Registration

Is the process of providing certificates to users, and a registration authority (RA) typically handles this function when the load must be lifted from a CA.

Authentication

Is the process of verifying that the sender is who they say they are.

Secure Socket Layer (SSL)

Is used to establish a secure communication connection between two TCP-based machines. This protocol uses the handshake method of establishing a session.

SHA1 issues

Issues were found in 2016, and it is recommended that you use SHA-2 instead.

Password-Based Key Derivation Function 2

It applies some function (like a hash or HMAC) to the password or passphrase along with a salt to produce a derived key.

Cryptanalysis

The study of how to break cryptographic algorithms.

Vigenere Cipher

It was used to decrypt encrypted messages. It used a keyword to look up the cipher text in a table. The user would take the first letter in the text they wanted to encrypt, then go to the Vigenere table and match that with the letter from the keyword in order to find the cipher text letter. This would continue until the entire message is revealed.

International Data Encryption Algorithm (IDEA)

It's an algorithm that uses a 128-bit key. This product is similar in speed and capability to DES, but it is more secure.

Captive Portal

It's common to launch a web page when users first connect. The web page may list acceptable use policies or require some authentication. This page must be navigated before full access to network resources is granted.

PBKDF2 and Bcrypt

Methods of key stretching.

TKIP

Mixes a root key with an initialization vector. This key mixing means that there is effectively a new key for each packet.

X.509

Most widely used standard for digital certificates.

Collision

Occurs when two different inputs to a hashing algorithm produce the same output.

Caesar Cipher

One of the oldest known substitution ciphers. It was purportedly used by Julius Caesar. It simply involves shifting all letters a certain number of spaces in the alphabet. Used a shift of three to the right.

Request for Comments (RFC)

Originated in 1969, is the mechanism used to propose a standard. It's a document-creation process with a set of practice, informational, experimental, or historic.

PBKDF2

Password-Based Key Derivation Function 2

OphCrack

Popular password cracking tool.

LANMAN

Prior to the release of Windows NT, Microsoft's OS used this protocol for authentication. While functioning only as an authentication protocol, it used LM Hash and two DES keys. It was replaced by the NT LAN Manager (NTLM) with the release of Windows NT.

PRNG

Pseudo-random number generator. It's an algorithm used to generate a number that is sufficiently random for cryptographic purposes.

Certificate Chaining

Refers to the fact that certificates are handled by a chain of trust.

Key Stretching

Refers to the processes used to take a key that might be a bit weak and make it stronger, usually by making it longer.

NTLM (NT LAN Manager)

Replaced the LANMAN protocol. Uses MD4/MD5 hashing algorithms. Several versions of the protocol: v1, v2.

Symmetric Algorithms

Requires both the sender and receiver of an encrypted message to have the same key and process algorithms. Sometimes referred to as a Secret Key or Private Key.

SHA2

Standard was published in 2012, but still not widely used.

Chosen Plain Text

The attacker obtains the cipher texts corresponding to a set of plain texts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key.

Stream Cipher

The data is encrypted one bit, or byte, at a time.

Certificate-Signing Request (CSR)

The first step in getting a certificate. The request is formatted for the CA. This request will have the public key that you wish to use and your fully distinguished name (often a domain name). The CA will use this to process your request for a digital certificate.

Ciphering

The process of using a cipher to do that type of scrambling to a message.

Cryptography

The science of altering information so that it cannot be decoded without a key. It is a practice of protecting information through encryption and transformation.

SHA1

This algorithm produces a 160-bit hash value.

Known Plain Text

This attack relies on the attacker having pairs of known plaintext along with the corresponding cipher text.

Related Key Attack

This is like a chosen plain-text attack, except the attacker can obtain cipher texts encrypted under two different keys. This is actually a useful attack if you can obtain the plain text and matching cipher text.

Birthday Attack

This is an attack on cryptographic hashes, based on something called the birthday theorem. The more you have the better your odds. This 49 percent is the probability that 23 people will not have any birthdays in common; there is a 51 percent (better than even odds) chance that 2 of the 23 will have a birthday in common.

Brute Force

This method simply involves trying every possible key.

Key Recovery agent

This person could potentially access all of the keys for a given key escrow.

One-Time Pads

Truly completely secure cryptographic implementations. No pattern in the key application for an attacker to use. Uses a key as long as a plain-text message. Keys are used once and discarded.

Substitution and Transposition

Two primary types of non-mathematical cryptography, or ciphering methods.

Atbash Cipher

Used by the Hebrew scribes copying the book of Jeremiah. Just reverse the order of the letters of the alphabet. Ex.: A becomes Z, B becomes Y, C becomes X, and so forth.

Data Encryption Standard (DES)

Used since the mid-1970s. The primary standard used in government and industry until it was replaced by AES. It's based on a 56-bit key, and it has several modes that offer security and integrity. It's now considered insecure because of the small key size. Actually generates a 64-bit key, but 8 of those bits are just for error correction and only the 56 bits are the actual key.

Bcrypt

Used with passwords, and it essentially uses a derivation of the Blowfish algorithm converted to a hashing algorithm to hash a password and add salt to it.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Uses 128-bit AES. Fully implements the 802.11i Wi-Fi security standards.

Enigma Machine

Was essentially a typewriter that implemented a multi-alphabet substitution cipher. When each key was hit, a different substitution alphabet was used.

Replay Attack

When a user sends their login information, even if it is encrypted, the attacker captures it and later sends the same information. The user never decrypted that login information; they simply replayed it.

Collision

When two different inputs into a cryptographic hash produce the same output, this is known as a collision.

Secure Hash Algorithm (SHA)

It's a one-way hash that provides a hash value that can be used with an encryption protocol. Designed to ensure the integrity of a message.

Triple-DES

Is a technological upgrade to DES. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).

Twofish

Is quite similar, and it works on 128-bit blocks.

