CISSP Cryptography 1 Cryptographic Life Cycle Cryptography Components Symmetric Asymmetric PKI Hashing Key Management Processes Digital Signatures and Non-Repudiation Types of Attacks Protection of data at rest (data resident on a hard drive) Protection of data in transit (data being transmitted across the network) Authentication of origin (source) Authentication of data (data integrity) Limited by its key length, key management practices (expiration periods) and algorithm weaknesses Strong keys are long and must not produce a predictable output NIST tests and approves cryptographic algorithms for government use (i.e. Federal Information Processing Standard (FIPS) 1402) Describes the security requirements that will be satisfied by crypto modules protecting sensitive but unclassified material (SBU) ◦ Key generation ◦ Physical chip security ◦ Key storage Provides 4 increasing levels of security (Level 1, 2, 3, 4) Tokens must be hardware cryptographic modules validated at Level 2 or higher, with at least Level 3 security Requires expensive testing and certification processes Cryptography - creates ciphertext out of plaintext using cryptographic algorithms Cryptanalysis – science of breaking cryptographic messages ◦ Work factor – Estimated time, effort, and resources necessary to break a cryptosystem Cryptology – science of secure communications (encompasses both Cryptography and Cryptanalysis) from Latin/Greek meaning.. To hide/conceal Algorithm – mathematical formula, or rules, used to encrypt/decrypt Key – cryptovariable – value that comprises a large sequence of random bits Keyspace – rage of values that can be used to construct a key ◦ Larger keyspace provides for more possible keys so is stronger ◦ 512 bits provides 2 to the power of 512 possible combinations The strength of the encryption comes not from keeping the algorithm secret – but from the size , randomness, and secrecy of the key!!!!! Encryption Process: ◦ Plaintext + ( ) algorithm = Ciphertext ◦ This is our battle plan = b21faa1379fb7a776509b2e0586 Decryption Process: ◦ Ciphertext+ ( ) algorithm = Plaintext ◦ b21faa1379fb7a776509b2e0586 = This is our battle plan Encryption can provide the following security services: ◦ Confidentiality ◦ Integrity ◦ Authenticity ◦ Non-repudiation (what is this?!) Substitution Cipher - each bit, character, block is replaced with another bit, character, or block Caesar Cipher Standard Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Caesar Alphabet: XYZABCDEFGHIJKLMNOPQRSTUVW http://www.nsa.gov/kids/games/games00010.shtml http://donpiorsuerte.wordpress.com/2010/05/21/vigenere-cipher/ Monoalphabetic cipher – uses one alphabet (Caesar) Monoalphabetic ciphers are susceptible to frequency analysis Substitution and Transposition ciphers vulnerable to Frequency Analysis Polyalphabetic cipher (Vignere – named after Blaise Vignere in the 1500s, however his was a modification from an early system) Uses multiple alphabets: E may be substituted for X in one round and then S in the next round The Enigma machine is an example of a polyalphabetic cipher system Transposition cipher More complicated stream cipher Rearranges letters without changing them AKA Vernam cipher – a symmetrical stream cipher Basis for modern-day crypto algorithms Doesn’t shift alphabet Combines key with a plaintext via XOR function to create ciphertext Uses a binary mathematic function called Exclusive OR (XOR) ◦ When combining two bits, if both values are the same, the result is 0, if they are different, the result is a 1 Must be: ◦ Made up of random values ◦ Used only one time ◦ Securely distributed to its destination ◦ Secured at sender’s and receivers sites ◦ PAD must be as long as the message One-way encryption only – never reverse engineered Used to provide integrity If the plaintext changes, the hash changes Used to verify file integrity (i.e. products such as TripWire and other file integrity checkers), as well as with digital signatures Secure Hash Algorithm (SHA-1) – designed by NSA – 160-bit hash Message Digest 5 (MD5) – 128-bit hash – created by Ron Rivest Both have had issues with “collisions” Newer: MD6 SHA – 2 – includes SHA-224, SHA-256, SHA-384, and SHA-512 HAVAL – Hash of Variable Length – creates MDs of 128, 160, 192, 224, or 256 bits in length, using 3, 4, or 5 rounds Birthday attack Named after birthday paradox – fact that in a room with 23 people or more, the odds are greater than 50% that two will share the same birthday Attacker attempts to force a collision (an attack on integrity) Reason we now use SHA-256 for government use as the output length of the hash function must be large enough so that finding two different documents with the same “hash” or MD becomes computationally infeasible. AKA “Secret Key” (Sometimes also called “Private Key” Uses same key (one key) to encrypt and decrypt Fast!! “Key Exchange” is a problem Steam Cipher – each bit is independently encrypted in a stream ◦ Require more randomness and processing power than block ciphers ◦ Fast when plaintext is short, but more prone to attack because the engine that generates the stream does not vary Block ciphers encrypt blocks of data each round (DES and AES) Plaintext message is divided into separate blocks of 8 – 16 bytes and then each block is encrypted independently Cipher is reset to its original state after each block is processed Can be easily implemented at the software level Considered more secure because the output is more random Symmetric Encryption Algorithms Designed by IBM, based on Lucifer symmetric cipher Uses a 64-bit block size (encrypts 64-bits each round) – however the 8-bit parity is ignored so the effective key length is only 56 bits Note: May also be DEA on the exam! Can use 5 different modes to encrypt Basic differences are ◦ block versus emulated stream ◦ use of initialization vectors (random values used with keys to ensure patterns are not created during the encryption process) – prevent two messages encrypted with same key from producing the same ciphertext ◦ How errors in encryption propagate to subsequent blocks Electronic Code Book (ECB) ◦ Simplest and weakest for of DES ◦ No Initialization vector or chaining ◦ Two plaintexts with partial identical portions (i.e. a letter header) encrypted with the same key have partial identical ciphertext portions ◦ Can also leave plaintext patterns evident in the ciphertext Cipher Block Chaining (CBC) ◦ Block mode that XORs the previous encrypted block to the next block of plaintext to be encrypted ◦ 1st encrypted block is an initialization vector that contains random data ◦ Chaining destroys patterns ◦ Encryption errors propagate Cipher Feedback (CFB) ◦ Similar to CBC, except is a stream mode cipher and uses feedback to destroy patters Output Feedback (OFB) ◦ Same as CFB, but uses a subkey before it is XORed to the plaintext so errors do not propagate Counter ◦ Similar to OFB, but uses a counter as the “feedback” that can be an ascending number Mode Type Initialization Error Vector Propagation ECB Block No No CBC Block Yes Yes CFB Block that functions as a stream Yes Yes OFB Block that functions as a stream Yes No CTR Block that functions as a stream Yes No Original DES (encrypting 64-bit blocks of data with a 56-bit key using 16 rounds of encryption Work factor became the issue as technology advanced, making it vulnerable to brute force key attack ◦ 1998 – cracked in 56 hours using multiple PCs by Electronic Frontier Foundation (EFF) by “Deep Crack” DES….3 times per block (three iterations of DES) Uses three unique keys (1TDES EDE (Encrypt, Decrypt, Encrypt order), 2TDES EDE, and 3TDES EDE) – note the differences on page 710 Recommended standard in 1999 Current US Symmetric Encryption Standard Block cipher Encrypts 128-bit blocks of data 128-bit keys (10 rounds of encryption) 192-bit keys (12 rounds of encryption) 256-bit keys (14 rounds of encryption) Used in Pretty Good Privacy (PGP) Open algorithms, unpatented and freely available - created by Bruce Schneirer Blowfish ◦ Uses 32-bit through 448-bit keys (default is 128) ◦ Encrypts 64-bit blocks Twofish ◦ AES finalist ◦ Encrypts 128-bit blocks using 128-bit through 256-bit keys ◦ http://en.wikipedia.org/wiki/Bruce_Schneier Developed by RSA Labs RC5 ◦ 32-bit (testing purposes), 64-bit (replacement for DES), or 12-bit blocks with key size ranges from 0 – 2040 bits RC6 ◦ AES finalist based on RC5 ◦ Stronger than RC5 ◦ Encrypts 128-bit blocks using 128, 192, or 256-bit keys Rijndael DES as the government symmetric standard (approved by NIST in Approved by NIST in 2000 Block cipher supporting 128-, 192-, and 256-bit encryption ◦ AES performs three steps on every block (128 bits) of plaintext ◦ Within Step 2, multiple rounds are performed depending on the key size ◦ Within each round, bytes are substituted and rearranged, then special multiplication is performed based on the new arrangement Asymmetric Encryption First to solves the key exchange problem!!!! Allows 2 parties to security agree on a symmetric key via a public channel with no prior key exchange Created in 1976 Uses discrete logarithms Ralph Merkle, Martin Hellman, Whitfield Diffie Merkle-Hellman knapsack cryptosystem, developed by Ralph Merkle and Martin Hellman in 1978 was one of the first ◦ Faster than RSA ◦ Ooopss….broken Uses 2 keys ◦ Public and private Public – anyone can know Private – guard with your life ◦ Mathematically-related – can’t “reverse engineer” one to derive the other ◦ What is encrypted by one key can only be decrypted by the opposite key ◦ Relies on prime number factoring and discrete logarithms for its strength Key usage differs depending on whether or not we want to achieve confidentiality, versus authenticity/integrity and, thusly, non-repudiation For Confidentiality: http://www.uic.edu/depts/accc/newsletter/adn26/ figure2.html For Non-Repudiation (Digital Signature) Named after Ron Rivest (RC4 fame), Adi Shamir, and Leonard Adleman and developed at MIT in 1978 Most popular asymmetric algorithm and worldwide de facto standard Used for digital signatures, key exchange, and encryption, providing confidentiality and authenticity Shamir, Rivest, Adleman www.boiledbeans.net Uses a one-way function with discrete logarithms as applied to elliptic curves Much stronger than systems just using discrete logarithms and stronger than factoring prime numbers as there is no known sub-exponential algorithm for it Requires fewer computational sources as shorter keys can be used Often used on lower-power devices The primary payload of a digital certificate is it’s Public Key Because we trust the issuer, we trust the certificate and user Digital Signature = an encrypted message digest The hash (message digest) of the document provides integrity Encrypting the MD using the sender’s private key both protects the hash and also proves authenticates its origin This provides us with nonrepudiation Federal standard for digital signatures Developed by NIST in 1991 Requires the use of DSA, RSA, ECC and SHA DSA developed by NSA, slower than RSA so not used in Federal PKIs Public key algorithm used for digital signatures, encryption, and key exchange Based not on factoring large numbers but on calculating discrete logarithms in a finite field Extension of Diffie-Hellman Used in GNU Privacy Guard software and recent versions of PGP Usually the slowest of asymmetric algorithms Uses both symmetric and asymmetric encryption ◦ Asymmetric for key exchange ◦ Symmetric for bulk data transfer SSL is an example When ready to checkout – Amazon’s digital cert is sent to you Your browser extracts the public key M/S’s cryptomodule generates 4 session keys Encrypting the session keys using Amazon’s public key , your system sends these to Amazon ◦ Amazon extracts the session keys, using its private key ◦ Your system now encrypts the credit card/order info using the sessions keys ◦ ◦ ◦ ◦ MAC concatenates a message with a symmetric key. Provides authentication. Hashed Message Authentication Code (HMAC) concatenates a message with a symmetric key and puts the result through a hashing algorithm. Key exchange is still an issue. IPSec uses HMAC. Provides integrity and authentication. CBC-MAC – Cipher Block Chaining Message Authentication Code (CBC-MAC) uses the CBC mode of symmetric block cipher (i.e. DES) to create a MAC. Provides integrity and authentication. Eavesdropping and sniffing are considered passive attacks Altering messages, modifying system files are considered active attacks Cipher-Only Attacks – attacker has the ciphertext and attempts to derive the key – most difficult Brute Force - brute force – every key is randomly generated and used Known Plaintext –Attacker has samples of both the plaintext (a crib) and the ciphertext and relies on matching to derive the key that was used. Chosen Plaintext – attacker can select the plaintext that will be encrypted in the hopes that the resulting ciphertext may reveal the key ◦ Batch chosen-plaintext – attacker chooses all plaintext before any are encrypted ◦ Adaptive chosen plaintext- interactive process, choosing subsequent plaintexts based on previous encyrptions Known key – game up Differential cryptanalysis – seeks to find the difference between related encrypted plaintexts – goal is to find the key Linear cryptanalysis – attacker carries out a known plaintext attack on several different messages encrypted with the same key, evaluating the probability of input values ending up in a specific combination Side-channel attack – uses physical data to break a cryptosystems, such as monitoring CPU cycles or power consumption used while encrypting or decrypting Replay Attacks – passive – attacker resubmits captured data Public Key Infrastructure - programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms that establish trust levels for communication Digital certificates – signed with the CA’s digital signature Digital Signature Standard (DSS) – NIST standard that specifies the algorithms strong enough to satisfy government use. Certificate Authorities (CAs) – Entities (internal or external) that authenticate the identity of the person or organization before issuing a certificate. Certificate Revocation List (CRL) – a list that contains the certificates that have been revoked (not expired). Located in the Repository with the Digital Certificates. Online Certificate Status Protocol (OCSP) – online revocation checking Registration Authority – (RA) – Performs the registration duties/identity-proofing duties for the CA Why do you escrow keys used for confidentiality? Why don’t you escrow keys used for digital signing? What do you call it when a subscriber loses control of his or her private key? What is the difference between suspension and revocation? What version of certificate standard are we presently using? Expired certificates get placed onto a _____? Addresses: ◦ Key Escrow ◦ Key Backup ◦ Key Expiration/Rollover ◦ Key Storage ◦ Key Length ◦ Key Lifetime Use long keys – the longer the better (but computationally slower) Change the keys often (but not too often as you risk losing access to previously encrypted data). The more the key is used, the more frequently it should be changed. Store and transmit securely Keys should be backed up and escrowed. Keys should be properly destroyed when no longer in use (?!?!?) How does Alice get Bob’s Public Key? ◦ Certificate Authority (CA) Repository ◦ Out-of-band transaction ◦ In a digital certificate exchange (i.e. SSL) Isn’t this prone to a Man-in-the-Middle attack? ◦ Only if the recipient is being stupid and not paying attention to the error messages (i.e. BurpProxy) What can defeat non-repudiation? ◦ Not protecting the private key’s authentication information (i.e. a soft token/password activated) ◦ Key loggers with soft tokens ◦ Incorrect time stamps (use NTP) So why don’t we just use Asymmetric Encryption? ◦ Slower!!! Assume Bob and Alice have exchanged public keys (remembering that they zealously guard their private keys) If Bob wants to send Alice a love letter via interoffice mail, which key is used to ensure confidentiality? If he wants to make certain that Alice knows it came from him, which key is used to ensure authenticity? If a symmetric key is encrypted with a receiver’s public key, what security service is provided? If data is encrypted with sender’s private key, which security service is provided? If sender encrypts data with recipient’s private key, which security service is provided? Link Encryption (online encryption) ◦ provided by service providers ◦ encrypts all of the data along a communications path ◦ protects against packet sniffers - routing needs to decrypt headers End-to-end encryption ◦ headers, addresses, routing, and trailer information are not encrypted Multipurpose Internet Mail Extension (MIME) – dictates how email attachments are handled Secure MIME (S/MIME) – standard for digitally encrypting and signing email Privacy-Enhanced Mail (PEM) – standard for providing secure email over the Internet Message Security Protocol (MSP) – PEM for military used to secure email messages Pretty Good Privacy – (PGP) ◦ Developed by Phil Zimmerman in 1991 ◦ Public Key Encryption for email ◦ Each user generates and distributes his or her public key and users sign each other’s public keys, creating a web of trust ◦ Uses passphrases to encrypt the users private key that is stored on the hard drive ◦ Users keep a keyring of public keys HTTPS/SSL (Secure Sockets Layer) ◦ Developed by Netscape ◦ SSL v3 is TLS ◦ Secures Web servers as well as used for VPNs S-HTTP ◦ secures individual messages sent between computers Secure Electronic Transaction (SET) ◦ Proposed by VISA and M/C to send encrypted credit card numbers of the Internet Secure Shell (SSH) ◦ Tunneling protocol for connecting to a remote computer (used to secure Telnet, rlogin, FTP, etc.) Hiding Alternatives Steganography Digital Watermarking A “concealment” cipher Greek steganos (covered or secret) and -graphy (writing or drawing) and thus means, literally, covered writing. The ability to hide data inside another file. Using stego tools today, suspects can hide data and files in jpgs and wav files. One of the following images has the airport map hidden below – can you detect which image is the “carrier” file with the hidden data? Image A: Image B: If you guessed Image A – you’d be correct. Image A is a JPEG stego file containing btv_map.gif using a tool called “Camouflage”. Many work by replacing the “least significant bits” in the carrier file with the bits from the target file “Digital Watermarking” – embedded logo – used to verify the owner of the file. ◦ Visible Watermarking – logos or “Draft” ◦ Invisible Watermarking – uses steganography Pictures, by the way, were retrieved from an excellent Internet Protocol Security – suite of protocols for securing IPv4 and IPv6 and setting up Virtual Private Network Includes 2 protocols: ◦ Authentication Header (AH) – provides authentication and integrity ◦ Encapsulating Security Payload (ESP) - encryption Each that can be used in 2 modes: ◦ Tunnel mode – used by gateways, encrypts entire packet ◦ Transport mode – only encrypts the data (not the header information AH is used with ESP in transport mode as the original headers are not encrypted Tunnel mode typically uses ESP alone Each device has at least one Security Association (SA) that is used to negotiate the ESP or AH parameters Each SA connection is identified by a unique 32-bit number known as the Security Parameter Index (SPI). The SA process is managed by the Internet Security Association and Key Management Protocol (ISAKMP) Key exchange protocol used is IKE – Internet Key Exchange An employee allows another employee to have access to his digital signature password. What do you do to his certificate? ◦ ◦ ◦ ◦ A. Suspend it B. Destroy it C. Revoke it D. Transfer it An employee allows another employee to have access to his digital signature password. What do you do to his certificate? ◦ ◦ ◦ ◦ A. Suspend it B. Destroy it C. Revoke it D. Transfer it Which algorithm provides for key distribution, but does not provide for integrity or nonrepudiation? ◦ ◦ ◦ ◦ A. Diffie-Helman B. RSA C. AES D. ElGamal Which algorithm provides for key distribution, but does not provide for integrity or nonrepudiation? ◦ ◦ ◦ ◦ A. Diffie-Helman B. RSA C. AES D. ElGamal Which type of encryption only uses one shared key to encrypt and decrypt? ◦ ◦ ◦ ◦ A. B. C. D. Public key Asymmetric Symmetric TCB Key Which type of encryption only uses one shared key to encrypt and decrypt? ◦ ◦ ◦ ◦ A. B. C. D. Public key Asymmetric Symmetric TCB Key Which type of cipher operates in real time on a single character or single bits of data? A. Block B. Rolling C. Stream D. Continuous Which type of cipher operates in real time on a single character or single bits of data? A. Block B. Rolling C. Stream D. Continuous Which of the following is not a good choice to secure email? A. PGP B. SSH C. S/MIME D. PEM Which of the following is not a good choice to secure email? A. PGP B. SSH C. S/MIME D. PEM Which of the following is NOT an example of symmetric encryption? A. B. C. D. Merkle-Hellman IDEA RC5 Twofish HINT….. Which of the following is NOT an example of symmetric encryption? A. B. C. D. Merkle-Hellman IDEA RC5 Twofish Ralph Merkle, Martin Hellman, Whitfield Diffie A birthday attack requires a good deal of diligence. What would be the attacker’s goal? A. Facilitate a replay attack in order to authenticate to a system B. Gain unauthorized access to confidential data C. Make undetected changes to a document D. Spoof the source of origin of the sender A birthday attack requires a good deal of diligence. What would be the attacker’s goal? A. Facilitate a replay attack in order to authenticate to a system B. Gain unauthorized access to confidential data C. Make undetected changes to a document D. Spoof the source of origin of the sender Ed wants to send Eve a confidential email. Which key is used to accomplish this? ◦ ◦ ◦ ◦ A. B. C. D. Eva’s private key Eva’s public key Ed’s private key Ed’s public key Ed wants to send Eve a confidential email. Which key is used to accomplish this? ◦ ◦ ◦ ◦ A. B. C. D. Eva’s private key Eva’s public key Ed’s private key Ed’s public key Place the following four steps in the proper order to demonstrate how a digital signature works: 1. Encrypt the digest with your private key. 2. Compare the message digest to the one your created. 3. Generate a message digest. Decrypt the signature with the sender’s public key. A. 4, 2, 1,3 B. 1, 4, 3, 2 C. 3, 1, 4, 2 D. 3, 4, 2, 1 Place the following four steps in the proper order to demonstrate how a digital signature works: 1. Encrypt the digest with your private key. 2. Compare the message digest to the one your created. 3. Generate a message digest. 4. Decrypt the signature with the sender’s public key. A. 4, 2, 1,3 B. 1, 4, 3, 2 C. 3, 1, 4, 2 D. 3, 4, 2, 1 Which alogrithms are no longer recommended for use? A. RSA B. DES C. IPSEC D. AES Which algorithms are no longer recommended for use? A. RSA B. DES C. IPSEC D. AES Storing private keys with a third party is referred to as: A. B. C. D. Key backup Key escrow Key caching Key exchange Storing private keys with a third party is referred to as: A. B. C. D. Key backup Key escrow Key caching Key exchange T or F. Digital Certificates contain a public and private key T or F. Digital Certificates contain a public and private key Which key length is not supported by AES? A. B. C. D. 128-bit 192-bit 256-bit 512-bit Which key length is not supported by AES? A. B. C. D. 128-bit 192-bit 256-bit 512-bit Which of the following is not a characteristic of the El Gamal algorithm? A. Slow B. Used for digital signatures, encryption, and key agreement C. A public key algorithm D. Extension of Diffie-Hellman Which of the following is not a characteristic of the El Gamal algorithm? A. Slow B. Used for digital signatures, encryption, and key agreement C. A public key algorithm D. Extension of Diffie-Hellman A differential cryptanalysis is: A. An attack where the attacker uses the mathematical structure of the algorithms to reverse engineer the encryption key. B. An attack on the ciphertext itself. C. An attack where the differences in the plaintext and cipertext are compared to find the key value. D. An attack on the plaintext itself. A differential cryptanalysis is: A. An attack where the attacker uses the mathematical structure of the algorithms to reverse engineer the encryption key. B. An attack on the ciphertext itself. C. An attack where the differences in the plaintext and cipertext are compared to find the key value. D. An attack on the plaintext itself. A control for a replay attack would be: A. B. C. D. Use timestamps and sequence numbers. Use digital certificates and digital signatures. Authenticity and integrity checkers. Use private keys and MACs. A control for a replay attack would be: A. B. C. D. Use timestamps and sequence numbers. Use digital certificates and digital signatures. Authenticity and integrity checkers. Use private keys and MACs. A PKI does NOT include: A. B. C. D. Lightweight Directory Access Protocol (LDAP) Timestamping Internet Key Exchange (IKE) Certificate Revocation A PKI does NOT include: A. B. C. D. Lightweight Directory Access Protocol (LDAP) Timestamping Internet Key Exchange (IKE) Certificate Revocation Asymmetric Cryptography provides which of the following security services? A. B. C. D. Confidentiality Integrity Authenticity Non-repudiation Asymmetric Cryptography provides which of the following security services? A. B. C. D. Confidentiality Integrity Authenticity Non-repudiation Which of the following would be a replacement for Telnet, FTP and other insecure protocols when logging in over an untrusted network? A. B. C. D. rlogin SSH S-Telnet TLS Which of the following would be a replacement for Telnet, FTP and other insecure protocols when logging in over an untrusted network? A. B. C. D. rlogin SSH S-Telnet TLS