Security+ Guide to Network Security Fundamentals, 2e
Chapter 8
Scrambling Through Cryptography
At a Glance
Instructor’s Notes

Chapter Overview

Chapter Objectives

Technical Notes

Lecture Notes

Quick Quizzes

Discussion Questions

Additional Activities
8-1
Security+ Guide to Network Security Fundamentals, 2e
8-2
Instructor’s Notes
Chapter Overview
In this chapter, students will learn about how encryption can be used to protect data. They will first review the basics
of cryptography and learn its common terminology. Then students will examine how to harden data using
algorithms. Finally, they will see how to use cryptography to keep a network secure.
Chapter Objectives
After reading this chapter, students will be able to:





Define cryptography
Secure with cryptography hashing algorithms
Protect with symmetric encryption algorithms
Harden with asymmetric encryption algorithms
Explain how to use cryptography
Technical Notes
HANDS-ON
PROJECTS
Project 8-1
Project 8-2
Project 8-3
HARDWARE
DEVICES REQUIRED
Computer PC
Computer PC
Computer PC
OPERATING SYSTEM
REQUIRED
Windows XP Professional
Windows XP
Windows XP or Linux
Project 8-4
Computer PC
Windows XP
OTHER RESOURCES
Internet connectivity
Internet connectivity
Internet connectivity and
FTP
None
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The amount of subject matter to be covered can be covered in anywhere between a 2to 4-hour period, plus any at-home exercises you wish to assign.
Lecture Notes
Defining Cryptography
The science of encrypting messages can range from very basic to extremely complicated.
Cryptography Terminology
Students should understand cryptography terminology before using it to protect digital information.






Cryptography is the science of transforming information so that it is secure while it is being transmitted or
stored.
Steganography attempts to hide the existence of the data.
Encryption is changing the original text to a secret message using cryptography.
Decryption is the reverse process of encryption.
The process of encrypting and decrypting information is based on a mathematical procedure called an
algorithm.
A value that is used by an algorithm to encrypt or decrypt a message is known as a key.
Security+ Guide to Network Security Fundamentals, 2e




8-3
A mathematical key that creates a detectable pattern or structure is called a weak key.
Plaintext is clear text, or the original unencrypted information.
A cipher is an encryption or decryption algorithm tool that is used to create encrypted or decrypted text.
Data that has been encrypted by an encryption algorithm is called ciphertext.
Figure 8-1 on page 273 of the text illustrates the process of cryptography.
How Cryptography Protects
First, cryptography is intended to protect the confidentiality of information. The second function of cryptography is
authentication. Cryptography should ensure the integrity of the information as well. Cryptography should also be
able to enforce nonrepudiation, which is the inability to deny that actions were performed. Finally, cryptography
can be used for access control.
Securing with Cryptography Hashing Algorithms
One of the three categories of cryptographic algorithms is known as hashing.
Defining Hashing
Hashing, also called a one-way hash, creates a ciphertext from plaintext. Cryptographic hashing follows this same
basic approach, which is illustrated in Figure 8-2 on page 275 of the text. Hash algorithms verify the accuracy of a
value without transmitting the value itself and thus subjecting it to attacks. A practical use of a hash algorithm is
with automatic teller machine (ATM) cards.
Hashing is typically used in two ways. First, it determines whether a password a user enters is correct without
transmitting the password itself. Hashing is also used to determine the integrity of a message or contents of a file.
Using hashing for authentication is shown in Figure 8-4 on page 277 of the text.
Quick Reference
Discuss the characteristics that are produced by hash algorithms as listed on
pages 276 and 277 of the text.
Message Digest (MD)
One common hash algorithm is the message digest (MD) algorithm, which has three versions. Message digest 2
(MD2) takes plaintext of any length and creates a hash that is 128 bits long. MD2 divides the message into 128-bit
sections. If the message is less than 128 bits, data known as padding is added.
Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time. MD4 takes plaintext
and creates a hash of 128 bits. The plaintext message itself is padded to a length of 512 bits instead of 128 bits as
with MD2. The message digest 5 (MD5) is a revision of the MD4 that is designed to address its weaknesses. Like
MD4, the length of a message is padded to 512 bits. The hash algorithm then uses four variables of 32 bits each in a
round-robin fashion to create a value that is compressed to generate the hash.
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA) is patterned after MD4, but creates a hash that is 160 bits in length instead of
128 bits. The longer hash makes it much more resistant to attacks. SHA pads messages less than 512 bits with zeros
and an integer that describes the original length of the message.
Security+ Guide to Network Security Fundamentals, 2e
8-4
Protecting with Symmetric Encryption Algorithms
The second major category of cryptographic algorithms is the most common type. Known as symmetric encryption
algorithms, these algorithms use a single key to encrypt and decrypt a message. Unlike hashing, in which the
ciphertext is not intended to be decrypted, with symmetric encryption algorithms are designed to decrypt the
ciphertext. It is therefore essential that the key be kept confidential: if an attacker secured the key, she could decrypt
any messages. For this reason, symmetric encryption is also called private key cryptography. Symmetric
encryption is illustrated in Figure 8-5 on page 279 of the text.
Symmetric encryption algorithms can be classified into two distinct categories based on the amount of data that is
processed at a time. The first category is known as a stream cipher. The simplest type of stream cipher is a
substitution cipher. Substitution ciphers simply substitute one letter or character for another, as shown in
Figure 8-7 on page 280 of the text. Also known as a monoalphabetic substitution cipher, this stream cipher can be
easy to break. A homoalphabetic substitution cipher maps a single plaintext character to multiple ciphertext
characters. For example, an A may map to BTI.
A more complicated stream cipher is a transposition cipher, which rearranges letters without changing them. With
most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext, as
shown in Figure 8-9 on page 281 of the text. The other category of symmetric encryption algorithms is known as a
block cipher. Whereas a stream cipher works on one character at a time, a block cipher manipulates an entire block
of plaintext at one time. The plaintext message is divided into separate blocks of 8 to 16 bytes, and then each block
is encrypted independently. For additional security, the blocks can be randomized.
Data Encryption Standard (DES)
One of the most popular symmetric cryptography algorithms is the Data Encryption Standard (DES). DES is a
block cipher and encrypts data in 64-bit blocks. However, the 8-bit parity bit is ignored so the effective key length is
only 56 bits. DES encrypts 64-bit plaintext by executing the algorithm 16 times. The four modes of DES encryption
are summarized in Table 8-2 on pages 282 and 283 of the text.
Quick Quiz
1.
A(n) ____________ is an encryption or decryption algorithm tool that is used to create encrypted or decrypted
text. ANSWER: cipher
2.
A(n) ____________ occurs when two different messages produce the same hash. ANSWER: collision
3.
____________ takes plaintext and creates a hash of 128 bits. ANSWER: Message digest 4 (MD4)
4.
____________ algorithms use a single key to encrypt and decrypt a message. ANSWER: Symmetric
encryption
5.
A(n) ___________ rearranges letters without changing them. ANSWER: transposition cipher
Triple Data Encryption Standard (3DES)
Triple Data Encryption Standard (3DES) uses three rounds of encryption instead of just one. The ciphertext of
one round becomes the entire input for the second iteration. 3DES employs a total of 48 iterations in its encryption
(3 iterations times 16 rounds). The most secure versions of 3DES use different keys for each round, as shown in
Figure 8-10.
Security+ Guide to Network Security Fundamentals, 2e
8-5
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) was approved by the NIST in late 2000 as a replacement for DES. The
process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals. The
requirements stated that the new algorithm had to be fast and function on older computers with 8-bit processors as
well as current 32-bit and future 64-bit processors.
AES performs three steps on every block (128 bits) of plaintext. Within step 2, multiple rounds are performed
depending upon the key size: a 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds, and a 256-bit key
uses 13 rounds.
Rivest Cipher (RC)
Rivest Cipher (RC) is a family of cipher algorithms designed by Ron Rivest. He developed six ciphers, ranging
from RC1 to RC6, but did not release RC1 and RC3. RC2 is a block cipher that processes blocks of 64 bits. RC4 is
a stream cipher that accepts keys up to 128 bits in length.
International Data Encryption Algorithm (IDEA)
The International Data Encryption Algorithm (IDEA) algorithm dates back to the early 1990s and is used in
European nations. It is a block cipher that processes 64 bits with a 128-bit key with eight rounds.
Blowfish
The algorithm blowfish is a block cipher that operates on 64-bit blocks and can have a key length from 32 to 448
bits.
Hardening with Asymmetric Encryption Algorithms
The primary weakness of symmetric encryption algorithms is keeping the single key secure. This weakness, known
as key management, poses a number of significant challenges. Another approach to cryptography is asymmetric
encryption, or public key cryptography. Asymmetric encryption uses two keys instead of one. One of the keys,
known as the private key, typically is used to encrypt the message. The second key, called the public key, decrypts
the message. Asymmetric encryption is illustrated in Figure 8-11 on page 287 of the text.
RSA
The asymmetric algorithm RSA (Rivest Shamir Adleman) was published in 1977 and was patented by MIT in
1983. The RSA algorithm is the most common asymmetric encryption and authentication algorithm and is included
as part of the Web browsers from Microsoft and Netscape as well as other commercial products. The RSA algorithm
multiples two large prime numbers
Diffie-Hellman
Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text. Rather, the strength of DiffieHellman is that it allows two users to share a secret key securely over a public network. Once the key has been
shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography.
Security+ Guide to Network Security Fundamentals, 2e
8-6
Elliptic Curve Cryptography
Elliptic curve cryptography was first proposed in the mid-1980s. Instead of using prime numbers as with RSA,
elliptic curve cryptography uses elliptic curves. An elliptic curve is a function drawn on an X-Y axis as a gently
curved line. By adding the values of two points on the curve, you can arrive at a third point on the curve.
Understanding How to Use Cryptography
Cryptography can provide a major defense against attackers. If an e-mail message or data stored on a file server is
encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it.
Digital Signatures
A digital signature is an encrypted hash of a message that is transmitted along with the message. A digital signature
helps to prove that the person sending the message with a public key is actually whom he or she claims to be. It also
proves that the message was not altered, and that it was sent in the first place.
Benefits of Cryptography
Confidentiality, authentication, integrity, nonrepudiation, and access control are five key elements that properly
configured cryptographic systems can provide. The benefits of cryptography and how they can be implemented are
summarized in Table 8-4 on page 291 of the text.
Implementations of Cryptography
You can use cryptography in many practical ways to enhance security.
Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)
Perhaps the most widely used asymmetric cryptography system for encrypting e-mail messages on Windows
systems is a commercial product called Pretty Good Privacy (PGP). A similar program, known as GNU Privacy
Guard (GPG), is a free product. GPG versions run on Windows, UNIX, and Linux operating systems. PGP and
GPG use both asymmetric and symmetric cryptography. PGP can use either RSA or the Diffie-Hellman algorithm
for the asymmetric encryption and IDEA for the symmetric encryption.
Microsoft Windows Encrypting File System (EFS)
Microsoft’s Encrypting File System (EFS) is an encryption scheme for Windows 2000, Windows XP Professional,
and Windows 2003 Server operating systems that use the NTFS file system. EFS uses asymmetric cryptography and
a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption
key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then
stored with the file. EFS is enabled by default.
Quick Reference
Discuss the recommended tasks when using Microsoft EFT as illustrated on
page 293 of the text.
Security+ Guide to Network Security Fundamentals, 2e
8-7
UNIX Pluggable Authentication Modules (PAM)
When UNIX was originally developed, the task of authenticating a user was accomplished by requesting a password
from the user and then checking whether the entered password corresponded to the encrypted official password
stored in the user database ?etc/passwd. Each new authentication scheme requires all the necessary programs, such
as login and ftp, to be rewritten to support it. The solution is to use pluggable authentication modules (PAMs).
PAM provides a way to develop programs that are independent of the authentication scheme.
Linux Cryptographic File System (CFS)
Linux users can add one of several cryptographic systems to encrypt files. One of the most common is the
Cryptographic File System (CFS).
Quick Reference
Discuss the list of Linux cryptographic options on pages 294 and 295 of the
text.
Quick Quiz
1.
__________ is an optional cryptography algorithm for IP security. ANSWER: Triple Data Encryption Standard
(3DES)
2.
___________ performs three steps on every block (128 bits) of plaintext. ANSWER: Advanced Encryption
Standard (AES)
3.
The algorithm ___________ is a block cipher that operates on 64-bit blocks and can have a key length from
32 to 448 bits. ANSWER: blowfish
4.
The ___________ algorithm does not encrypt and decrypt text. ANSWER: Diffie-Hellman
5.
When users open a file, it is decrypted by ___________ as data is read from a disk; when they save the file, it
encrypts the data as it is written to disk. ANSWER: Encrypting File System (EFS)
Discussion Questions
1.
Discuss the future developments for data encryption.
2.
Discuss the advantages and disadvantages of PAM.
Additional Activities
1.
Have students conduct research on the advancement of hashing algorithms and prepare a summary of what they
find.
2.
Have students conduct research on the advancement of encryption and prepare a summary of what they find.