ROT13 cipher
rotate 13 spots
ex. pelcgbtencul vf sha —> cryptography is fun
symmetric vs asymmetric encryption
use the same key for encryption and decryption vs public key encryption and private key decryption
1 key vs 2 keys
symmetric algorithm (private key)
both the sender and receiver must know the same shared secret using a privately held key
ex. house key
asymmetric algorithms (public key)
different keys are used to encrypt and decrypt the data
does not require a shared secret key
common asymmetric encryption algorithms
diffie-hellman
RSA
elliptic curve cryptography (ECC)
hybrid implementation
utilizes asymmetric encryption to securely transfer a private key that can then be used with symmetric encryption
stream cipher
utilizes a keystream generator to encrypt data bit by bit using an XOR function to create the ciphertext
symmetric algo
block cipher
breaks the input into fixed-length blocks of data and performs the encryption on each block
64, 128, or 256 bit block size
common symmetric algorithms
DES
triple DES
IDEA
AES
blowfish
twofish
rivest cipher
data encryption standard (DES)
encrypts data in 64 bit blocks through 16 rounds of transposition and substitution to create ciphertext using an effective key strength of 56 bits
70’s-00’s
triple DES (3DES)
uses three separate 56-bit symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES
112 bit key strength but slower than DES
international data encryption algorithm (IDEA)
symmetric block cipher with a 64 bit block size to encrypt plaintext into ciphertext
128 bit key size
advanced encryption standard (AES)
symmetric block cipher that uses 128, 192, or 256 bit block size to encrypt plaintext into ciphertext
replaced DES and 3DES as US govt encryption standard
blowfish
symmetric block cipher that uses 64 bit blocks and a variable length encryption key to encrypt plaintext into ciphertext
key sizes range from 32-448 bits
twofish
open source symmetric block cipher supporting 128 bit blocks in its encryption algorithm and uses 128, 192, or 256 bit encryption keys
RC cipher suite (Rivest Cipher)
created by Ron Rivest
originally 6 but only 3 were released and used
RC4
RC5
RC6
RC4
symmetric stream cipher with variable key sizes from 40-2048
used in SSL and WEP
RC5
block cipher with key sizes up to 2048 bits
RC6
based on RC5 and was considered as a DES replacement
digital signature
hash digest of a message encrypted with the sender’s private key to let the recipient know the document was created and sent by the person claiming to have sent it
diffie-hellman (DH)
asymmetric algorithm used to conduct key exchanges and secure key distribution over an unsecure network
commonly used in VPN tunnel establishment (IPSec)
vulnerable to man-in-the-middle attacks
RSA
asymmetric algorithm that relies on the mathematical difficulty of factoring large prime numbers
used for key exchange, encryption, and digital signatures
one time use keys (MFA)
elliptic curve cryptography (ECC)
heavily used in mobile and low-power computing devices and it’s based on the algebraic structure of elliptical curves over finite fields to define its keys
ECC variants
ECDH (elliptic curve diffie-hellman)
ECDHE (elliptic curve diffie-hellman ephemeral)
ECDSA (elliptic curve digital signature algorithm)
hash digest
fixed-length digital fingerprint for the original data
common hashing algorithms
MD5
SHA family (1, 2, 3)
RIPEMD
HMAC
MD5
creates a 128 bit hash value that is unique to the input file
limited unique values, leading to collisions (same hash digest values)
SHA-1
produces a 160-bit hash digest, less prone to collisions than MD5
SHA-2
offers longer hash digests
SHA-224, 256, 384, 512
SHA-3
uses 224-512 bit hash digests with 120 rounds of computations
more secure
RACE integrity primitive evaluation message digest (RIPEMD)
open source competitor to SHA but less popular
160 (most common), 256, and 320 bit versions
hash based message authentication code (HMAC)
used to check the integrity of a message and provides some level of assurance that its authenticity is real
pairs with other algos
HMAC-MD5, HMAC-SHA256
digital security standard (DSS)
relies upon a 160 bit message digest created by the Digital Security Algorithm
2 common types of hashing attacks
pass the hash attack
birthday attack
pass the hash attack
hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user’s password instead of requiring the associated plaintext password
mimikatz
provides the ability to automate the process of harvesting the hashes and conducting the attack
birthday attack
occurs when two different messages result in the same hash digest (collision)
collisions can be exploited by attackers to bypass authentication systems
methods to increase hash security
key stretching
salting
nonces
limiting failed login attempts
key stretching
technique used to mitigate a weaker key by creating longer and more secure keys in order to increase the time needed to crack it
salting
adding random data into a one-way cryptographic hash to help protect against password cracking techniques
protects against dictionary, brute force, and rainbow table attacks
dictionary attack
when an attacker tries every word from a predefined list
brute force attack
when an attacker tries every possible password combo
rainbow table attack
precomputed tables for reversing cryptographic hash functions
nonce
“number used once”
a unique, often random number that is added to a password-based authentication process
prevents attackers from reusing stolen authentication data
public key infrastructure (PKI)
an entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption
facilitates secure data transfer, authentication, and encrypted communication
PKI vs public key cryptography
encompasses entire system vs the encryption/decryption process using public and private keys
public key cryptography is only a part of the overall PKI architecture
certificate authority
issues digital certificates and keeps the level of trust between all of the certificate authorities around the world
key escrow
process where cryptographic keys are stored in a secure, third-party location (escrow)
digital certificate
digitally signed electronic document that binds a public key with a user’s identity
X.509 standard
commonly used standard for digital certs within PKI and contains owner/user’s info and cert authority details
wildcard certificates
allows all of the subdomains to use the same public key cert and have it displayed as valid
subject alternate name SAN field
cert that specifies what additional domains and IP addresses are going to be supported
single-sided certificate
only requires the server to be validated
dual-sided certificate
requires both the server and the user to be validated
used in high security environments
self-signed certificate
digital cert that is signed by the same entity whose identity it certifies
third-party certificate
digital cert issued and signed by a trusted certificate authority (CA)
root of trust (chain of trust)
each cert is validated using this concept
highest level of trust in cert validation
certificate authority
trusted third party who is going to issue the digital certs
registration authority
requests identifying info from the user and forwards that certificate request up to the certificate authority to create the digital certificate
certificate signing request
a block of encoded text that contains info about the entity requesting the certificate
certificate revocation list
online list of digital certs that the cert authority has already revoked
OCSP
determines cert revocation status of any digital cert using the cert’s serial number
OCSP stapling
allows the cert holder to get the OCSP record from the server at regular intervals
public key pinning
allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certs
key recovery agent
specialized software that allows the restoration of a lost or corrupted key to be performed
blockchain
a shared immutable ledger for recording transactions, tracking assets, and building trust
public ledger
record keeping system that maintains participants’ identities in a secure and anonymous format
smart contracts
self executing contracts where terms of agreement or conditions are written directly into lines of code
permissioned blockchain
used for business transactions and it promotes new levels of trust and transparency using public ledgers
encryption tools to protect enterprise networks and systems
TPM
HSM
key management systems
secure enclave
trusted platform module (TPM)
dedicated microcontroller designed to secure hardware through integrated cryptographic keys
hardware security module (HSM)
physical device that safeguards and manages digital keys, primarily used for mission critical situations like financial transactions
key management system
generating, distributing, and managing cryptographic keys for devices and applications
secure enclave
co-processor integrated into the main processor of some devices, designed with the sole purpose of ensuring data protection
types of cryptographic attacks
downgrade
collision
quantum computing
downgrade attack
aims to force a system into using a weaker or older cryptographic standard or protocol than what it is currently using
post-quantum cryptography
new kind of cryptographic algorithm that can be implemented using today’s classical computers but is also impervious to attacks from future quantum computers
NIST selected 4 post quantum cryptography standards
CRYSTALS-Kyber algorithm
digital signatures:
CRYSTALS-Dilithium
FALCON
SPHINCS+ (hashing)