Cryptography
The practice of transforming information into a secure form so that unauthorized persons cannot access it.
Cryptography can provide confidentiality, integrity, authentication, nonrepudiation, and obfuscation.
Cryptographic algorithms are commonly distinguished in two ways: by where the processing is done (general-purpose software or a dedicated hardware device), and by how much data is processed at a time (a stream cipher works on one bit or byte at a time, a block cipher on a fixed-size block).
Hashing
Produces a fixed-length digital fingerprint, called a digest, that represents the contents of the original material. Hashing is one-way (the input cannot be recovered from the digest), and any change to the input produces a different digest.
Symmetric Cryptography
Also called private key cryptography and uses a single key to encrypt and decrypt a message.
Asymmetric Cryptography
This is also known as public key cryptography and uses two keys instead of one.
Because so much protection depends on cryptography, it is constantly under attack: through weak algorithms, flawed implementations and bad configuration as much as through the mathematics itself.
Digital certificate
A digital certificate binds a user's public key to the user's identity: the public key, together with identifying information, is digitally signed by a trusted third party (a certificate authority) after it has verified both who the owner is and that the owner holds the private key matching that public key.
Domain Validation (DV) digital certificate
Domain Validation (DV) certificates verify only that the requester controls the domain name; they say nothing about the trustworthiness of the individuals behind the site.
Public Key Infrastructure (PKI)
A public key infrastructure (PKI) is the underlying infrastructure for key management of public keys and digital certificates.
Data-in-use
Data that is actively being processed by an endpoint device (e.g., printing a report)
Data-in-transit:
Actions that transmit data across a network (e.g., sending an attachment via email)
Data-at-rest:
data stored on electronic media
Encryption:
involves changing original text into a secret message using cryptography.
Decryption:
entails changing secret messages back to the original form.
Cleartext:
Readable data stored or transmitted without encryption.
Plaintext:
Ordinary readable text before it is encrypted or after it is decrypted. Plaintext data is input into a cryptographic algorithm
Algorithm:
Consists of procedures based on a mathematical formula used to encrypt and decrypt data
Ciphertext:
The scrambled output of encryption. It looks like a random series of letters and numbers and cannot be understood without the key.
Key:
A mathematical value entered into the algorithm to produce ciphertext (encrypted data). The reverse process uses the key to decrypt the message.
Ensuring confidentiality (What Cryptography Ensures)
Only authorized users can view the information. An example of this is encryption.
Ensuring Integrity (What Cryptography Ensures)
Any alteration of the information by unauthorized users is detected. An example of this is hashing: a changed message produces a different digest.
Ensuring non-repudiation
This proves that a user performed an action. An example of this is a digital signature.
ROT13:
A simple letter substitution cipher that replaces each letter with the letter 13 places after it, wrapping around the alphabet. Because 13 is half of 26, applying ROT13 twice restores the original text; it offers no real security.
XOR Cipher
Based on the binary XOR operation (combining the bits of two values), the plaintext is XORed with a keystream. XOR is its own inverse, so XORing the ciphertext with the same keystream recovers the plaintext.
Stream cipher
Encrypts the plaintext one bit or byte at a time. The plaintext is first converted into its corresponding ASCII byte values; each byte is then XORed with the next byte of a keystream that a pseudo-random generator derives from the key (the seed). RC4, the stream cipher used in WEP, is the classic example; both RC4 and WEP are now considered insecure, and reusing one keystream for two messages leaks the XOR of their plaintexts.
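As an added example for the ROT13, XOR-cipher and stream-cipher entries above (this is illustrative code, not code from the original page), the following Python implements ROT13, a real RC4 keystream generator with XOR encryption and decryption, and the keystream-reuse leak that made WEP's repeated per-packet keys fatal. The "Key"/"Plaintext" pair is a published RC4 test vector; the WEP-style messages and the key "WEPkey" are constructed for the demonstration. RC4 is shown only because the page names it; it is broken and must not be used for real traffic.

```python
# Added example (not from the original page): ROT13, an RC4-based XOR stream
# cipher, and the keystream-reuse leak.  RC4 is broken; educational use only.

def rot13(text: str) -> str:
    """Substitution cipher: shift every letter 13 places; other characters are left alone."""
    out = []
    for ch in text:
        if ch.isupper():
            base = ord("A")
        elif ch.islower():
            base = ord("a")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base + 13) % 26 + base))
    return "".join(out)


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (1 to 256 bytes long)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA): seed S with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def xor_with_keystream(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the next keystream byte (XOR is its own inverse)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two messages encrypted under the same keystream: ct1 XOR ct2 == pt1 XOR pt2.
    The keystream cancels out, so an attacker who knows or guesses one plaintext
    recovers the other.  WEP reused keystreams because its 24-bit IVs repeated."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    print(rot13("Hello, World!"))                          # Uryyb, Jbeyq!
    ct = xor_with_keystream(b"Plaintext", b"Key")          # published RC4 test vector
    print(ct.hex())                                        # bbf316e8d940af0ad3
    print(xor_with_keystream(ct, b"Key"))                  # b'Plaintext'
    # constructed sample: two packets a WEP station might send under one reused key
    c1 = xor_with_keystream(b"attack at dawn", b"WEPkey")
    c2 = xor_with_keystream(b"attack at dusk", b"WEPkey")
    print(keystream_reuse_leak(c1, c2))                    # equals b"attack at dawn" XOR b"attack at dusk"
```

The last line shows the practical consequence of keystream reuse: the result is zero wherever the two plaintexts agree, so only the differing bytes ("awn" vs "usk") carry any noise, and knowing one message gives the other outright.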
Block Cipher
Encrypts a fixed size of n bits of plaintext, known as a block, at one time. Common block sizes are 64 bits (DES, 3DES, Blowfish) and 128 bits (AES, Twofish).
Because a whole block is transformed together, there is no one-to-one correspondence between individual plaintext and ciphertext characters, which makes frequency analysis of the ciphertext much harder. In most real-world scenarios the plaintext is not an exact multiple of the block size, so the final block must be padded to full length, and a mode of operation defines how the blocks are chained together.
Electronic Code Book (ECB)
This is the simplest mode and is NOT recommended anymore. The message is divided into blocks and each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data remain visible in the ciphertext.
Cipher Block Chaining (CBC)
Each plaintext block is XORed with the previous ciphertext block before it is encrypted. To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext instead. Identical plaintext blocks therefore encrypt to different ciphertext, provided the IV is unpredictable and never reused with the same key.
Three Categories of Cryptographic Algorithms
Hash algorithms
Symmetric cryptographic algorithms
Asymmetric cryptographic algorithms
Hashing
A cryptographic technique that transforms data of any size into a fixed-length string (the digest); it is the most basic type of cryptographic algorithm.
Hash Algorithms
The output of a hash algorithm, the digest, is usually written as a string of hexadecimal letters and digits that looks like random noise to a human reader.
Message Digest 5 (MD5) (Hash Algorithm)
One of the earlier widely used hash algorithms; it is no longer considered secure. MD5 is especially vulnerable to collision attacks, which are discussed later.
Secure Hash Algorithm (SHA) (Hash Algorithm)
A family of algorithms designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). SHA-1 is no longer considered collision resistant; SHA-2 (SHA-256, SHA-512) is the current workhorse and is cheap enough to run on low-power devices; SHA-3, a differently designed family standardized by NIST in 2015, is the latest version.
RIPEMD
RIPEMD (RIPE Message Digest) was developed within the European RIPE project; it runs two parallel chains of hash computation and combines them at the end. RIPEMD-160 is widely used in Bitcoin address generation. As you can see in the table below, more modern algorithms produce longer digests (MD5: 128 bits, SHA-1: 160 bits, SHA-256: 256 bits).
Collision Attacks
A collision is two different inputs to a hash function that produce the same digest. Weak hash algorithms such as MD5 and SHA-1, and any algorithm with a short digest, are especially prone to this attack; practical collisions have been demonstrated for both. The example below showcases the expected behavior (different digests for different inputs) and a collision (the same digest for different inputs).
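As an added example for the hashing entries above (illustrative code, not from the original page), the following Python uses the standard library's hashlib to compute digests under the algorithms named on the page, shows their digest lengths and the avalanche effect (a one-bit change to the input flips about half the digest bits), performs an integrity check in constant time, and brute-forces a birthday collision on a deliberately truncated digest to show why short digests fall quickly. The 20-bit truncation and the sample inputs are constructed for the demonstration; real MD5 and SHA-1 collisions exploit weaknesses in the algorithms' structure rather than brute force.

```python
# Added example (not from the original page): digests, digest lengths, the
# avalanche effect, an integrity check, and a birthday-bound collision search.
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256")


def digests(data: bytes) -> dict:
    """Hex digest of `data` under each algorithm (FIPS-mode OpenSSL builds may refuse md5)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_bits(name: str) -> int:
    """Digest length in bits: longer digests raise the cost of brute-force collisions."""
    return hashlib.new(name).digest_size * 8


def flip_one_bit(data: bytes, bit: int = 0) -> bytes:
    """Return a copy of `data` with one bit inverted (a minimal tampering)."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def hamming_distance(hex1: str, hex2: str) -> int:
    """Number of differing bits between two hex digests of equal length."""
    return bin(int(hex1, 16) ^ int(hex2, 16)).count("1")


def verify_integrity(data: bytes, expected_hex: str, name: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(hashlib.new(name, data).hexdigest(), expected_hex)


def truncated_digest(data: bytes, bits: int, name: str = "sha256") -> int:
    """Leading `bits` bits of the digest as an integer: a stand-in for a short hash."""
    full = int.from_bytes(hashlib.new(name, data).digest(), "big")
    return full >> (digest_bits(name) - bits)


def find_truncated_collision(bits: int, name: str = "sha256"):
    """Birthday attack: hash distinct inputs until two share the same truncated digest.
    Expected work is about 2**(bits/2) hashes, so a 20-bit digest falls in ~1000 tries."""
    seen = {}
    i = 0
    while True:
        msg = b"message-%d" % i              # constructed distinct inputs
        tag = truncated_digest(msg, bits, name)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
        i += 1


if __name__ == "__main__":
    msg = b"The quick brown fox"             # constructed sample input
    for name, hexd in digests(msg).items():
        print(f"{name:8} {digest_bits(name):3} bits  {hexd}")
    d1 = digests(msg)["sha256"]
    d2 = digests(flip_one_bit(msg))["sha256"]
    print("bits changed by a 1-bit input change:", hamming_distance(d1, d2))
    print("integrity ok:", verify_integrity(msg, d1))
    a, b = find_truncated_collision(20)
    print("20-bit collision:", a, b)
```

The collision search makes the birthday bound concrete: halving the digest length does not halve the attacker's work, it takes the square root of it, which is why a 128-bit digest (MD5) was marginal even before its structural weaknesses were found.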
Symmetric Cryptographic Algorithms
Symmetric cryptography, also called private key cryptography, uses the same single key to encrypt and decrypt a document. The key must be kept secret and shared only between sender and receiver; unlike hashing, it is two-way (reversible).
Data Encryption Standard (DES)
Developed at IBM in the early 1970s and adopted as a U.S. federal standard in 1977
Uses a block size of 64 bits
Key size: 56 bits, small enough to be brute-forced with modern hardware, so DES is considered insecure
Triple Data Encryption Standard (3DES)
Designed to replace DES
Uses a block size of 64 bits
Applies the DES cipher algorithm three times to each data block (typically encrypt-decrypt-encrypt with two or three keys)
Performs better in hardware than in software; it is slow and has been deprecated in favor of AES
Advanced Encryption Standard (AES)
Selected by NIST in 2000 and published as FIPS 197 in 2001
Official encryption standard used by the U.S. government
Uses a block size of 128 bits
Key sizes of 128, 192 or 256 bits
Longer keys are more resistant to brute-force attacks.
Key size options offer flexibility.
Main Steps in AES algorithm
Key Expansion:
The original encryption key (128, 192, or 256 bits) is used to generate a series of round keys. These round keys are needed for each round of encryption.
Initial Round (AddRoundKey):
The plaintext block (16 bytes) is arranged column by column into a 4x4 matrix of bytes called the state.
The first round key is combined with the state by XORing.
Main Rounds (Multiple Iterations):
AES performs multiple rounds of transformations. The number of rounds depends on the key size (10 rounds for 128-bit, 12 for 192-bit, and 14 for 256-bit). Each round consists of these four steps:
SubBytes: Each byte in the state is replaced with another byte according to a fixed lookup table (the S-box). This adds non-linearity to the encryption.
ShiftRows: The rows of the state matrix are shifted cyclically to the left, row r by r positions (row 0 is unchanged).
MixColumns: Each column of the state is multiplied by a fixed matrix over the finite field GF(2^8), mixing the four bytes of the column together.
AddRoundKey: The current round key is combined with the state by XORing.
Final Round (Modified):
The final round is similar to the main rounds, but the MixColumns step is omitted.
Output (Ciphertext):
The final state matrix is converted back into a sequence of bytes, which is the encrypted data.
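As an added example for the AES steps above and for the ECB and CBC modes described earlier (illustrative code, not from the original page), the following Python builds textbook AES-128 encryption from exactly those steps (key expansion, initial AddRoundKey, SubBytes, ShiftRows, MixColumns, a final round without MixColumns), checks it against the FIPS-197 Appendix C.1 test vector, and then uses it in ECB and CBC mode on a constructed message made of one repeated block to show the pattern leak ECB suffers and CBC avoids. It is educational only: the lookup tables leak timing (see the side-channel attacks discussed later), it implements AES-128 only (AES-192/256 add rounds), and it has no decryption routine; the constructed message, key and PKCS#7 padding helper are assumptions of this example.

```python
# Added example (not from the original page): textbook AES-128 encryption built from
# the listed steps, checked against the FIPS-197 C.1 vector, then used in ECB and CBC
# mode to show why ECB leaks patterns.  Educational only: timing leaks, no decryption.
import os

def _xtime(a: int) -> int:
    """Multiply by 2 in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gmul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox() -> list:
    """SubBytes table: multiplicative inverse (x^254) followed by AES's affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv, base, e = 1, x, 254                     # 0 maps to 0 because 0^254 == 0
        while e:
            if e & 1:
                inv = _gmul(inv, base)
            base, e = _gmul(base, base), e >> 1
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

SBOX = _make_sbox()

def _expand_key(key: bytes) -> list:
    """Key expansion: 16-byte key -> 11 round keys of 16 bytes (AES-128 has 10 rounds)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s: list) -> list:
    """State is column-major: byte i is row i % 4, column i // 4.  Row r rotates left by r."""
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def _mix_columns(s: list) -> list:
    """Multiply each column by the fixed AES matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(a[r], 2) ^ _gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """One 16-byte block: initial AddRoundKey, 9 full rounds, final round without MixColumns."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                    # SubBytes
        s = _shift_rows(s)                          # ShiftRows
        if rnd != 10:
            s = _mix_columns(s)                     # MixColumns (omitted in the final round)
        s = [b ^ k for b, k in zip(s, rk[rnd])]     # AddRoundKey
    return bytes(s)

def pkcs7_pad(data: bytes) -> bytes:               # pad to a multiple of 16; pad byte == pad length
    n = 16 - len(data) % 16
    return data + bytes([n]) * n

def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """ECB: every block encrypted independently, so equal plaintext blocks give equal ciphertext."""
    data = pkcs7_pad(data)
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV for the first)."""
    data, prev, out = pkcs7_pad(data), iv, []
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(key, bytes(p ^ q for p, q in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:             # ciphertext blocks that duplicate an earlier one
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 C.1: key 000102..0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())               # 69c4e0d86a7b0430d8cdb78070b4c55a
    msg = b"ATTACK AT DAWN!!" * 4                            # constructed: the same block four times
    print("ECB repeated blocks:", repeated_blocks(encrypt_ecb(key, msg)))                  # 3
    print("CBC repeated blocks:", repeated_blocks(encrypt_cbc(key, os.urandom(16), msg)))  # 0
```

With the repeated-block message, ECB yields four identical ciphertext blocks followed by one padding block, so an eavesdropper can see that the same 16 bytes were sent four times without decrypting anything; CBC's chaining makes every block depend on everything before it plus the IV, so no two ciphertext blocks match.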
Rivest Cipher (RC)
A family of ciphers designed by Ron Rivest. RC4 is a stream cipher with a variable-length key (40 to 2048 bits) that was used in WEP and early TLS and is now considered broken; RC5 and RC6 are block ciphers.
Blowfish and Twofish
Blowfish is a symmetric-key block cipher that accepts keys up to 448 bits and uses a 64-bit block size. Twofish is its successor (an AES competition finalist) and uses a 128-bit block size with keys up to 256 bits. Compared to AES, Twofish is generally slower in software and far less widely deployed.
Asymmetric Cryptographic Algorithms
One of the major weaknesses of symmetric algorithms is key distribution: the single secret key must be delivered securely to every party that needs it and kept secret by all of them.
Asymmetric cryptographic algorithms, also known as public key cryptography, use two mathematically related keys.
Public key available to everyone
Private key is known only to the individual to whom it belongs.
The sender uses the receiver’s public key to encrypt the message. The receiver uses their private key to decrypt it.
Rivest-Shamir-Adleman (RSA)
A public-key algorithm that is widely used for secure data transmission. Published in 1977 by Rivest, Shamir and Adleman at MIT (and patented in 1983), it is the most common asymmetric algorithm. It is based on the difficulty of factoring the product of two large prime numbers, from which the mathematically related keys are built. So far, there are no published methods to defeat the system if a large enough key is used (2048 bits is the usual minimum today).
RSA is a relatively slow algorithm and is not used to encrypt bulk data. Instead, it is used alongside symmetric encryption: RSA transports or exchanges the symmetric key, or signs data, and the symmetric cipher does the bulk encryption.
Elliptic Curve Cryptography (ECC)
Instead of relying on large prime numbers, ECC uses the arithmetic of points on an elliptic curve. Adding two points on the curve yields a third point, and adding a point to itself many times (scalar multiplication) is easy, while recovering the multiplier from the resulting point is infeasible; the multiplier is the private key and the resulting point is the public key.
ECC is recommended for mobile and wireless devices because it offers equivalent security with much shorter keys (a 256-bit ECC key is comparable to a 3072-bit RSA key), which suits their limited computing power.
Digital Signature Algorithm (DSA)
Introduced by NIST and adopted by the U.S. Government. It is mainly used to produce digital signatures, which verify message integrity, authenticate the sender and ensure non-repudiation.
The process of creating and verifying a digital signature is as follows:
The sender generates a digest of the message by hashing it
Then signs the digest with his or her private key (in textbook RSA this is the same operation as "encrypting" the digest with the private key)
The signed digest is the digital signature for the message
The sender sends both the message and the digital signature to the receiver
The receiver recomputes the digest of the received message and uses the sender's public key to check that the signature matches it; if it does not, the message was altered in transit or was not signed by the holder of that private key
Attacks based on misconfiguration (Algorithm Attacks)
Selecting weak algorithms, short keys or insecure settings (such as ECB mode or a reused IV) should be avoided, since misconfiguration paves the way for successful attacks even when the underlying algorithm is sound.
Known ciphertext attacks (Algorithm Attacks)
Known ciphertext attacks, also referred to as ciphertext-only attacks (COA), are a type of cryptanalysis where the attacker has access only to a set of encrypted messages (ciphertexts) without knowing the corresponding plaintexts or encryption key. For example, attackers might look for patterns in the frequency of certain bytes or blocks.
This attack model makes the fewest assumptions about the attacker's capabilities, so any cipher that can be broken under it is very weak. Even without knowing any plaintext, attackers might analyze the statistical properties of the ciphertext to gain some information.
Other variations of these attacks are chosen-plaintext/chosen-ciphertext attacks. These attacks involve the attacker having the ability to choose plaintexts or ciphertexts and observe the corresponding outputs. They are used to analyze the behavior of the cryptographic algorithm and potentially reveal the key.
Downgrade Attack
A threat actor forces the system to abandon its current, more secure mode of operation and instead "fall back" to an older, less secure mode (for example, negotiating an older protocol version or a weaker cipher suite).
Side-Channel Attacks
These attacks don't target the algorithm directly but rather exploit information leaked during its implementation.
Examples include:
Timing Attacks: Analyze the time taken to execute cryptographic operations.
Power Analysis: Monitor the power consumption of devices performing cryptographic operations.
Diffie-Hellman Ephemeral (DHE)
Diffie-Hellman (DH) lets two parties agree on a shared secret over an insecure channel without ever transmitting the secret itself. DHE is similar to DH, but the keys are temporary (ephemeral): a fresh key pair is generated for each session and discarded when the session ends.
Elliptic Curve Diffie-Hellman (ECDH)
Based on elliptic curve cryptography (ECC) instead of modular arithmetic with large primes; it gives equivalent security with shorter keys and is therefore faster. Its ephemeral form is ECDHE.
Perfect forward secrecy (PFS)
A property of a key-exchange scheme in which each session uses its own ephemeral keys, so the long-term private key is never used to derive session keys. If the long-term key is later compromised, previously recorded sessions still cannot be decrypted, and compromising one session key exposes only that session's data.
Digital Certificate Concepts
A digital certificate is an electronic document used to prove the ownership of a public key and is issued by a trusted third party. It can be compared to a passport. It includes important information such as the subject's name, the issuer's name, the expiration date, the public key itself and the issuer's digital signature; it is often identified by its fingerprint, a hash of the whole certificate.
Certificate authorities (CA)
are responsible for issuing certificates, each with a unique serial number. DigiCert, GeoTrust, GlobalSign, and Entrust are some of the leading public CAs. The image below shows an example of a digital certificate issued by GeoTrust.
Certificate Signing Request (CSR) (Entities managing digital certificates)
The user generates a key pair, places the public key and identifying information in a CSR, signs the CSR with the private key (proving possession of it) and sends it to a CA, usually an intermediate CA. The intermediate CA processes the CSR and verifies the authenticity of the user before issuing the certificate.
Intermediate CAs (Entities managing digital certificates)
are subordinate entities designed to handle specific CA tasks, such as processing certificate requests and verifying the individual's identity.
The entity requesting a digital certificate can be authenticated by email, documents, or in person. A common method to ensure the security and integrity of a root CA is to keep it in an offline state from the network (offline CA). It is only brought online (online CA) when needed for specific and infrequent tasks.
Certificate Repository (CR) (Entities managing digital certificates)
is a publicly accessible centralized directory of digital certificates. It can be used to view certificate status. The directory can be managed locally by setting it up as a storage area connected to the CA server.
Certificate Revocation List (CRL) (Entities managing digital certificates)
is a list of digital certificates that have been revoked. The following reasons are viable for certificates to get revoked:
Certificate is no longer used
Details of the certificate have changed, such as user’s address
Private key has been lost or exposed (or suspected lost or exposed)
Online Certificate Status Protocol (OCSP) (entities managing digital certificates)
Online Certificate Status Protocol performs a real-time lookup of a certificate's status. OCSP is called a request-response protocol: the browser sends the certificate's information to a trusted entity known as an OCSP responder, and the responder provides immediate revocation information on that certificate.
OCSP Stapling
A variation of OCSP in which the web server itself queries the OCSP responder at regular intervals, caches the signed, time-stamped response and sends ("staples") it to clients during the TLS handshake, so clients need not contact the responder themselves.
Root digital certificates (Types of Digital Certificates)
A root certificate is a public key certificate that identifies a root certificate authority (CA) and is self-signed by that CA. Verifying that a digital certificate is genuine depends on certificate chaining, which links several certificates together so that trust flows from one to the next: the root certificate is the trust anchor at the start of the chain (it must already be trusted by the client, since nobody else vouches for it), intermediate CA certificates follow, and the endpoint of the chain is the user's or server's own certificate. The image below illustrates an example of a certificate chain.
Domain Digital Certificates (types of Digital Certificates)
Most digital certificates are web server certificates, issued by a CA to a web server and presented by the server to clients. Web server digital certificates perform two primary functions:
Ensure the authenticity of the web server to the client.
Provide the server's public key, which authenticates the keys used to set up the encrypted connection to the web server.
Domain Validation (DV) digital certificates (Type of Domain digital certificate)
This confirms that the certificate recipient has control over the domain. A website served without a certificate (plain HTTP), for example, is marked "Not Secure" by the browser.
Extended Validation (EV) digital certificates (type of domain digital certificate)
In this case, the certificate authority is performing some additional checks of the person that is receiving the certificate. A website with EV looks like the figure below:
Wildcard Digital Certificates (types of domain digital certificates)
A single public key certificate that can be used with multiple subdomains of a domain: *.example.com covers www.example.com and mail.example.com (one label only, so it does not cover deeper subdomains, nor example.com itself unless that name is listed separately).
Subject Alternative Name (SAN) Digital Certificates (types of digital certificate)
It allows users to specify additional host names for a single SSL/TLS certificate. Essentially, it lets one certificate say, "I am valid for these various addresses."
Public Key Infrastructure (PKI)
A public key infrastructure is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store and revoke digital certificates. In addition, it is used to manage public-key encryption.
Principles of Public Key Infrastructure (PKI)
Trust: Confidence in or reliance on another person or entity. A trust model refers to the type of trust relationship that can exist between individuals and entities.
Direct trust is a type of trust model where one person knows the other.
Third-party trust refers to a situation where two individuals trust each other because each trusts a third party.
The hierarchical trust model
It assigns a single hierarchy with one master CA called the root, which signs all digital certificates with a single key. This model has its limitations: if the single CA private key is compromised, all certificates become worthless, and a single CA that must verify and sign every certificate may create a significant backlog.
The distributed trust model
It involves multiple CAs that sign digital certificates, which reduces the limitations of the hierarchical trust model.
The bridge trust model
It is similar to the distributed trust model. One CA acts as a facilitator to interconnect all other CAs. The facilitator CA does not issue digital certificates, but instead acts as a hub between hierarchical and distributed trust models and thus allows the different models to be linked.
Cryptographic Protocols
Cryptography can also be used to protect data in motion or transit. In the networking context, the rules for combining cryptographic algorithms into a secure exchange are called cryptographic protocols. Some of the most commonly used cryptographic protocols are as follows:
Secure Sockets Layer (SSL) (Cryptographic Protocols)
SSL was developed by Netscape. It negotiates a cipher suite (historically RC4, DES or 3DES) to create an encrypted data path between a client and a server. All SSL versions are now deprecated. A related attack, SSL stripping, moves a user from HTTPS to an unencrypted HTTP connection without them noticing; HTTP Strict Transport Security (HSTS) is the usual defense.
Transport Layer Security (TLS) (Cryptographic Protocols)
TLS is the more secure replacement for SSL. The latest version is TLS 1.3, which provides a faster handshake, uses only forward-secret (EC)DHE key exchange and drops the legacy algorithms (RC4, RSA key transport, MD5- and SHA-1-based suites). TLS also uses stronger hash functions than SSL.
Secure Shell (SSH) (Cryptographic Protocols)
Secure Shell (SSH) is a network protocol that provides a secure way to access and manage remote computers. It uses encryption to protect the confidentiality and integrity of data exchanged between a client and a server, enabling secure remote logins, command execution, and file transfers over insecure networks. Note that SSH is session-focused and often used by administrators, whereas VPNs provide broader network-level security aimed at protecting all of a host's traffic. OpenSSH is the standard implementation on Linux, macOS and current Windows; PuTTY is a free, open-source Windows client, and Bitvise SSH Client is a closed-source alternative that is free for personal use.
Secure/Multipurpose Internet Mail Extensions (S/MIME) (Cryptographic Protocols)
This protocol is used for securing email messages in terms of confidentiality, integrity and sender authentication. MIME is a standard for how an electronic message is organized, so S/MIME describes how encryption information and a digital certificate can be included as part of the message body. S/MIME allows users to send encrypted messages that are also digitally signed.
Secure Real-Time Transport Protocol (SRTP) (Cryptographic Protocols)
SRTP protects data transmission for Voice over IP (VoIP) communications by adding security features such as message authentication and confidentiality for VoIP communications. For example, the Zoom desktop client, mobile app, and web browser/client connections encrypt call media using SRTP with the AES 256-bit encryption algorithm.
Internet Protocol Security (IPsec) (Cryptographic Protocols)
IPsec encrypts and authenticates each IP packet of a network session. SSL/TLS is widely deployed in many applications, but it sits between the application and the transport layer (OSI Layer 4), so every application that wants its protection must be modified to use SSL/TLS.
IPsec, by contrast, works at OSI Layer 3 (the network layer) and requires changes only to the operating system rather than to the applications, so every application's traffic is protected transparently. IPsec is also widely used to build virtual private networks (VPNs). Tunnel mode encapsulates the entire original packet and is used where traffic passes through a tunnel between networks or between a host and a network, such as site-to-site VPNs. Transport mode protects only the packet payload and is typically used for end-to-end communication between hosts.
Server Digital Certificate (TLS handshake)
The server sends the client its digital certificate, which contains its public key and a digital signature by a trusted Certificate Authority (CA).
Client Verifies
The client checks the certificate to ensure it is valid (not expired or revoked, and issued for the host name being contacted) and chains to a trusted CA.
Session Key
The client generates a session key, encrypts it with the received public key, and sends it to the server. The server decrypts the session key with its private key. In older versions of TLS, RSA was used for this purpose; TLS 1.3 instead derives the session key with an ephemeral (EC)DHE exchange, which provides forward secrecy.
File and file system cryptography (Encryption through software)
Encryption software can be used to encrypt or decrypt files one by one. Protecting groups of files can take advantage of the OS’s file system. Third-party software tools are also available for encryption, including Gnu Privacy Guard (GnuPG), AxCrypt, Folder Lock, and VeraCrypt. Operating system encryption, such as Microsoft Windows Encrypting File System (EFS), is a cryptography system for Windows. EFS uses the NTFS file system to provide file-level encryption on Windows systems.
Full Disk Encryption (FDE) (encryption through software)
FDE protects all data on a hard drive. For example, BitLocker drive encryption software that is included in Microsoft Windows. BitLocker encrypts the entire system volume, including the Windows registry, and prevents attackers from accessing data by booting from another OS or placing the hard drive in another computer. The following figures depict the process of enabling BitLocker in the Windows environment.
Hardware Encryption
Software encryption can be subject to attacks that intend to exploit its vulnerabilities. Cryptography can be embedded in hardware as it provides a higher degree of security. For instance, it can be applied to USB devices and standard hard drives. Some noteworthy hardware encryption options are discussed below.
USB device encryption (Hardware Encryption)
Encrypted hardware-based flash drives can be used. The USB device will not logically connect to a computer until the correct password has been provided. All data copied to the drive is automatically encrypted.
Self-Encrypting Drives (SEDs) (Hardware Encryption)
Self-encrypting hard disk drives protect all files stored on them. The drive and host device perform the authentication process during the initial power-up. If authentication fails, the drive can be configured to deny access or even delete encryption keys so all data is permanently unreadable.
Hardware Security Module (HSM) (Hardware Encryption)
An HSM is a dedicated cryptographic device (a plug-in card, a network appliance or a USB token). It includes an onboard key generator and tamper-resistant key storage, performs accelerated symmetric and asymmetric operations, and is difficult for malware to compromise because private keys never leave the hardware.
Trusted Platform Module (TPM) (Hardware Encryption)
A TPM is a chip on a computer's motherboard that provides cryptographic services, secure key storage and a true random number generator. Because its keys are handled inside the chip, software attacks cannot extract them. It also measures the boot process: if boot files or data have been altered, keys sealed to the expected measurements (such as a BitLocker volume key) are not released, and if the hard drive is moved to a new computer the user is prompted for the recovery password.
Cryptography vs. Steganography
While the goal of cryptography is to make the information unintelligible to unauthorized users, steganography hides the existence of the data. An image, audio, or video file can contain hidden messages embedded in the file. This hiding technique is achieved by dividing the data and embedding it in unused or insignificant portions of the file (for example, the least significant bits of pixel values). Steganography can be used in conjunction with cryptography (encrypt first, then hide) to ensure improved information security. Steganography has several uses, such as digital watermarking, forensics, malware delivery, etc.
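As an added example of the hiding technique described above (illustrative code, not from the original page), the following Python performs least-significant-bit (LSB) steganography over a raw byte buffer: a 4-byte length header plus the payload are written one bit at a time into the lowest bit of successive cover bytes, so no cover byte changes by more than 1, and the extractor reads them back. The cover is a constructed array of pixel-like byte values rather than a real image file, and the framing format (a big-endian length header) is an assumption of this example.

```python
# Added example (not from the original page): least-significant-bit steganography
# over a constructed byte buffer standing in for the pixel data of an image.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header plus payload, one bit per cover byte, into the LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = "".join(f"{byte:08b}" for byte in framed)
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)    # only the lowest bit of each byte changes
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSBs back: first the 4-byte length header, then that many payload bytes."""
    def read_bytes(count: int, offset: int) -> bytes:
        if count == 0:
            return b""
        bits = "".join(str(stego[offset + i] & 1) for i in range(count * 8))
        return int(bits, 2).to_bytes(count, "big")
    length = int.from_bytes(read_bytes(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload header in this buffer")
    return read_bytes(length, 32)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any single cover byte; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = bytes(range(256)) * 8                 # constructed 2048-byte "pixel" buffer
    secret = b"meet at the usual place 21:00"     # constructed payload
    stego = embed_lsb(cover, secret)
    print(extract_lsb(stego))                     # b'meet at the usual place 21:00'
    print(max_byte_change(cover, stego))          # 1
```

The `max_byte_change` result is the whole point of the technique: a change of at most one unit in a pixel value is imperceptible to a viewer, so the carrier looks unmodified. It is also the forensic weakness, since a statistical analysis of LSB distributions can reveal the embedding, which is why serious use encrypts the payload first so that the hidden bits look uniformly random.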