confidentiality
keeping information secret, avoiding disclosure vulnerabilities
integrity
protecting information from improper changes, avoiding forgery, subversion, and masquerade attacks
availability
keeping systems available and in operation, avoiding denial of service attacks
authentication
assurance that the communicating entity is the one claimed; covers both peer entity authentication and data origin authentication
authorization
granting of specific permissions, based on the privileges held by the account
access control
ability to control whether a subject can interact with an object; prevention of unauthorized use
mutual authentication
a process in which each side of an electronic communication verifies the authenticity of the other
non-repudiation
protection against denial by one of the parties in a communication
threat
a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security or cause harm
vulnerability
weakness in the system that might be exploited
attack
an intelligent act that is a deliberate attempt to evade security services and violate the security policies of a system
control
an action, device, procedure, or technique that removes or reduces a vulnerability
zero day
vulnerabilities that are newly discovered and not yet addressed by a patch
NIST CSF
It provides a common taxonomy and mechanism to assist in aligning management practices with existing standards, guidelines, and practices. (govern, identify, protect, detect, respond, and recover)
MITRE ATT&CK framework
documents attacker tactics and techniques based on real world observations
MITRE D3FEND
detection, denial, and disruption framework empowering network defense
storage state
data at rest, data not being processed
processing state
data in use, being used by an active process
transmission state
data in transit, being moved from one place to another
defense in depth
the use of multiple different defense mechanisms with a goal of improving the defensive response to an attack, layered security
least privilege
subject should only have the necessary rights and privileges to perform its task with no additional permissions
complete mediation
each and every request should be verified
open design
the protection of an object should not rely upon the secrecy of the protection mechanism itself (cryptography)
Kerckhoffs's principle
cryptosystem should be secure even if everything about the system, except the key, is public knowledge
security through obscurity
not a security principle, illusion of protection by making protection mechanisms not generally known
economy of mechanism
always using the simple solutions when available
diversity of defense
making each layer of security different and diverse
fail-safe defaults
when something fails, it should do so to a safe state; default deny
cryptography early era
Spartan scytale, substitution (Caesar), cipher alphabets, polyalphabetic ciphers
cryptography mechanical era
1790 Jefferson stack of 26 disks, WWI & WWII coding machines, Enigma, Purple machine
cryptography modern era
IBM, Diffie-Hellman public key, RSA, IDEA, AES
cryptography
converting plaintext to ciphertext (encryption and decryption)
key
information used by the cipher, known only to the sender and receiver
keyless cipher
substitution, transposition
symmetric key
same key for encryption and decryption, shared common but private key
symmetric key challenges
key distribution, massive number of keys required, unlimited compromise once a single key is broken
asymmetric key
different keys for encryption and decryption
stream cipher
converts one symbol of plaintext immediately into a symbol of ciphertext
block cipher
encrypts a group of plaintext symbols as one block
substitution
replacing an item with a different item
transposition
permutation, changing the order of items