Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 11
Basic Cryptography
At a Glance
Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
11-1
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-2
Lecture Notes
Overview
Cryptography is the technology that we most closely associate with the concept of
confidentiality. Cryptography is the art of hiding information for the purpose of
protecting that information from discovery from unauthorized users. The chapter covers
various schemes and methods of encryption as well as ways of exchanging keys.
Chapter Objectives



Define cryptography
Describe hash, symmetric, and asymmetric cryptographic algorithms
List the various ways in which cryptography is used
Teaching Tips
Defining Cryptography
1. Mention defining cryptography involves understanding what it is and what it can do. It
also involves understanding how cryptography can be used as a security tool to protect
data.
What Is Cryptography?
1. Define cryptography as the science of transforming information into an unintelligible
form while it is being transmitted or stored so that unauthorized users cannot access it.
2. Explain that steganography hides the existence of the data. What appears to be a
harmless image can contain hidden data embedded within the image. Steganography
can use image files, audio files, or even video files to contain hidden information. Use
Figure 11-1 to illustrate your explanation.
3. Mention that one of the most famous ancient cryptographers was Julius Caesar. Caesar
shifted each letter of his messages to his generals three places down in the alphabet.
4. Use Figure 11-2 to describe the cryptography process.
Cryptography and Security
1. Explain that cryptography can provide basic security protection for information:
a. Cryptography can protect the confidentiality of information.
b. Cryptography can protect the integrity of the information.
c. Cryptography can help ensure the availability of the data.
d. Cryptography can verify the authenticity of the sender.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-3
e. Cryptography can enforce non-repudiation.
2. Use Table 11-1 to describe the information protections provided by cryptography.
Teaching
Tip
It is generally recognized that cryptography is too important to allow the use of
untested algorithms and that using proven technologies is important. However,
this does not mean that older algorithms are necessarily more secure than newer
ones. Each must be evaluated for its own strength.
Cryptographic Algorithms
1. This section describes the following three categories of cryptographic algorithms:
a. Hashing algorithms
b. Symmetric encryption algorithms
c. Asymmetric encryption algorithms
Hashing Algorithms
1. Define hashing, also called a one-way hash, as a process for creating a unique digital
fingerprint for a set of data. This fingerprint, called a hash, represents the contents.
2. Explain that a hashing algorithm is considered secure if it has these characteristics:
a. The ciphertext hash is a fixed size.
b. Two different sets of data cannot produce the same hash, which is known as a
collision.
c. It should be impossible to produce a data set that has a desired or predefined
hash.
d. The resulting hash ciphertext cannot be reversed.
3. Mention that a hash created from a set of data cannot be reversed.
4. Explain that hashing is used for integrity to ensure that the information is in its original
form and that no unauthorized person or malicious software has altered the data. Use
Figure 11-4 to illustrate your explanation.
Teaching
Tip
Hashing is not the same as creating a checksum. True checksums, such as a
Cyclic Redundancy Check (CRC) and parity bits, are designed to catch datatransmission errors and are not deliberate attempts to tamper data.
5. Explain that hash values are often posted on Internet sites in order to verify the file
integrity of files that can be downloaded. Use Figure 11-5 to illustrate your explanation.
6. Use Table 11-2 to describe the protections provided by hashing.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-4
7. Define Message Digest (MD) algorithm as one common hash algorithm.
8. Describe the following three versions of MD algorithms:
a. Message Digest 2 (MD2)
b. Message Digest 4 (MD2)
c. Message Digest 5 (MD2)
9. Explain that Secure Hash Algorithm (SHA) is a more secure hash than MD. SHA is a
family of hashes.
10. Describe the following versions of SHA:
a. SHA-1
b. SHA-2
11. Define Whirlpool as a relatively recent cryptographic hash function that has received
international recognition and adoption by standards organizations. It creates a hash of
512 bits.
Teaching
Tip
According to its creators, Whirlpool will not be patented and can be freely used
for any purpose.
12. Explain that the primary design feature of RIPEMD is two different and independent
parallel chains of computation, the results of which are then combined at the end of the
process.
13. Mention that another use for hashes is in storing passwords. When a password for an
account is created, the password is hashed and stored.
14. Explain that the Microsoft NT family of Windows operating systems hashes passwords
in two different forms:
a. LM (LAN Manager) hash
b. NTLM (New Technology LAN Manager) hash
15. Mention that most Linux systems use password-hashing algorithms such as MD5.
Apple Mac OS X uses SHA-1 hashes.
Quick Quiz 1
1. ____ is the science of transforming information into an unintelligible form while it is
being transmitted or stored so that unauthorized users cannot access it.
Answer: Cryptography
2. Whereas cryptography scrambles a message so that it cannot be viewed, ____ hides the
existence of the data.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-5
Answer: steganography
3. Changing the original text to a secret message using cryptography is known as ____.
Answer: encryption
4. A(n) ____ is a mathematical value entered into the algorithm to produce ciphertext, or
text that is “scrambled.”
Answer: key
Symmetric Cryptographic Algorithms
1. Explain that symmetric cryptographic algorithms use the same single key to encrypt and
decrypt a message. They are also called private key cryptography. Use Figure 11-6 to
illustrate your explanation.
2. There are two types of symmetric cryptographic algorithms: stream ciphers and block
ciphers.
3. Explain that a stream cipher takes one character and replaces it with one character. Use
Figure 11-7 to illustrate your explanation.
4. Define a substitution cipher as the simplest type of stream cipher. It simply substitutes
one letter or character for another. Use Figure 11-8 to illustrate your explanation.
5. Define a transposition cipher as a more complicated stream cipher. It rearranges letters
without changing them. Use Figure 11-9 to illustrate your explanation.
6. Explain that with most symmetric ciphers, the final step is to combine the cipher stream
with the plaintext to create the ciphertext. The process is accomplished through the
exclusive OR (XOR) binary logic operation. Use Figure 11-10 to illustrate your
explanation.
7. Explain that a one-time pad (OTP) cipher combines a truly random key with the
plaintext.
Teaching
Tip
If the pad is a random string of numbers that is kept secret and not reused then an
OTP can be considered secure. OTPs are rarely used and are more theoretical
than practical.
8. Explain that a block cipher manipulates an entire block of plaintext at one time. The
plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is
encrypted independently.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-6
9. Describe the following advantages and disadvantages of the stream cipher:
a. Fast when the plaintext is short, but can consume much more processing power
if the plaintext is long.
b. More prone to attack because the engine that generates the stream does not vary
10. Describe the following advantages and disadvantages of the block cipher:
a. It is considered more secure because the output is more random.
b. Cipher is reset to its original state after each block is processed. This results in
the ciphertext being more difficult to break.
11. Use Table 11-3 to show the information protections provided by symmetric
cryptography.
12. Define Data Encryption Standard (DES) as one of the first widely popular symmetric
cryptography algorithms.
13. Note that the U.S. government officially adopted DES as the standard for encrypting
nonclassified information.
14. Explain that Triple Data Encryption Standard (3DES) was designed to replace DES. It
uses three rounds of encryption instead of just one. Use Figure 11-11 to illustrate your
explanation.
15. Explain that the Advanced Encryption Standard (AES) was approved by the NIST in
late 2000 as a replacement for DES.
16. AES performs three steps on every block (128 bits) of plaintext. Within Step 2, multiple
rounds are performed depending upon the key size. Within each round, bytes are
substituted and rearranged, and then special multiplication is performed based on the
new arrangement.
Teaching
Tip
Vincent Rijmen, one of the co-creators of AES, is also one of the designers of
Whirlpool.
Other Algorithms
1. Describe the following additional symmetric encryption algorithms:
a. Rivest Cipher (RC) family from RC1 to RC6
b. International Data Encryption Algorithm (IDEA)
c. Blowfish
d. Twofish
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-7
Asymmetric Cryptographic Algorithms
1. Explain that asymmetric cryptographic algorithms, also known as public key
cryptography, use two keys instead of one. The public key is known to everyone and
can be freely distributed, while the private key is known only to the recipient of the
message. Use Figure 11-12 to illustrate your explanation.
2. Mention that asymmetric cryptography can also be used to create a digital signature. A
digital signature can:
a. Verify the sender
b. Prevent the sender from disowning the message
c. Prove the integrity of the message
3. Use Figure 11-13 to describe the steps for creating a digital signature.
Teaching
Tip
Using a digital signature does not encrypt the message itself. If Bob wants to
ensure the privacy of the message, he must also encrypt it using Alice’s public
key.
4. Use Table 11-4 to explain various asymmetric cryptography practices.
5. Use Table 11-5 to show the information protections offered by asymmetric
cryptography.
6. Define RSA as the most common asymmetric cryptography algorithm.
7. Explain how RSA works.
8. Explain that elliptic curve cryptography uses elliptic curves. An elliptic curve is a
function drawn on an X-Y axis as a gently curved line. By adding the values of two
points on the curve, you can arrive at a third point on the curve.
9. Mention that the public aspect of an elliptic curve cryptosystem is that users share an
elliptic curve and one point on the curve.
10. Discuss quantum cryptography attempts to use the unusual and unique behavior of
microscopic objects to enable users to securely develop and share keys as well as to
detect eavesdropping.
11. Describe NTRUEncrypt, which is a relatively new asymmetric cryptographic algorithm
that uses a different foundation than prime numbers (RSA) or points on a curve(ECC).
Security+ Guide to Network Security Fundamentals, Fourth Edition
Teaching
Tip
11-8
Elliptic curve cryptography has not been as fully scrutinized as other types of
asymmetric algorithms because the concept is still new. The studies that have
been performed so far have indicated that elliptic curve cryptography may be a
promising technology.
Using Cryptography
1. Mention that cryptography should be used to secure any and all data that needs to be
protected including individual files or databases that are stored on standard desktop
computers, servers, removable media, or mobile devices.
2. Mention that cryptography can be applied through either software or hardware.
Encryption Through Software
1. Software can be used to encrypt individual files or it can be used to encrypt the file
system or the entire disk drive.
2. Define a file system as a method used by operating systems to store, retrieve, and
organize files.
3. Define Pretty Good Privacy (PGP) as one of the most widely used asymmetric
cryptography system for files and e-mail messages on Windows systems. GNU Privacy
Guard (GPG) is a similar open-source program.
4. Mention that PGP and GPG use both asymmetric and symmetric cryptography.
5. Define Microsoft Windows Encrypting File System (EFS) as a cryptography system for
Windows operating systems that use the Windows NTFS file system.
6. Explain that because EFS is tightly integrated with the file system, file encryption and
decryption are transparent to the user. EFS encrypts the data as it is written to disk.
Teaching
Tip
EFS files are encrypted with a single symmetric key, and then the symmetric key
is encrypted twice: once with the user’s EFS public key (to allow transparent
decryption), and once with the recovery agent’s key to allow data recovery.
7. Define whole disk encryption as cryptography applied to entire disks.
8. Define Windows BitLocker as a hardware-enabled data encryption feature. It can
encrypt the entire Windows volume, which includes Windows system files as well as all
user files.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-9
9. Explain that BitLocker encrypts the entire system volume, including the Windows
Registry and any temporary files that might hold confidential information.
10. Emphasize that software encryption suffers from the same fate as any application
program: it can be subject to attacks to exploit its vulnerabilities.
11. Note that hardware encryption can be applied to USB devices and standard hard drives.
12. Mention that the more sophisticated hardware encryption options include the trusted
platform module and the hardware security model.
13. Emphasize that many instances of data leakage are the result of USB flash drives being
lost or stolen.
14. Discuss the differences between a standard USB flash drive and encrypted hardwarebased USB devices.
15. Note that just as an encrypted hardware-based USB flash drive will automatically
encrypt any data stored on it, self-encrypting hard disk drives (HDDs) can also protect
all files stored on them.
16. Define Trusted Platform Module (TPM) as a chip on the motherboard of the computer
that provides cryptographic services.
17. Explain that TPM includes a true random number generator. Also, TPM can measure
and test key components as the computer is starting up.
18. Mention that if the computer does not support hardware-based TPM then the encryption
keys for securing the data on the hard drive can be stored by BitLocker on a USB flash
drive.
19. Define a Hardware Security Module (HSM) as a secure cryptographic processor.
20. Note that an HSM includes an onboard key generator and key storage facility,
accelerated symmetric and asymmetric encryption, and can even back up sensitive
material in encrypted form.
Quick Quiz 2
1. ____ cryptographic algorithms use the same single key to encrypt and decrypt a
message.
Answer: Symmetric
2. The ____ was approved by the NIST in late 2000 as a replacement for DES.
Answer: Advanced Encryption Standard (AES)
Advanced Encryption Standard
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-10
AES
3. Cryptography can also be applied to entire disks. This is known as ____.
Answer: whole disk encryption
4. ____ is essentially a chip on the motherboard of the computer that provides
cryptographic services.
Answer: Trusted Platform Module (TPM)
Trusted Platform Module
TPM
Class Discussion Topics
1. What are the advantages of hashing passwords?
2. What are the main differences between symmetric and asymmetric cryptographic
algorithms?
Additional Projects
1. Ask your students to read an article about Microsoft’s BitLocker at
http://www.schneier.com/blog/archives/2006/05/bitlocker.html and write a report
summarizing its most important points.
2. Ask your students to read more about the Data Encryption Standard (DES) algorithm
and write a report summarizing explaining how it works. Use the following link as a
starting point: http://www.itl.nist.gov/fipspubs/fip46-2.htm.
Additional Resources
1. Advanced Encryption Standard
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
2. Symmetric cryptography
http://www.ibm.com/developerworks/library/s-crypt02.html
3. Asymmetric cryptography
http://www.digitalcomputersecurity.com/Encryption/asymmetric.html
4. PGP Corporation
http://www.pgp.com/
5. Windows Trusted Platform Module Management Step-by-step Guide
http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-11
Key Terms
 Advanced Encryption Standard (AES) A symmetric cipher that was approved by the
NIST in late 2000 as a replacement for DES.
 algorithm Procedures based on a mathematical formula; used to encrypt data.
 asymmetric cryptographic algorithm Encryption that uses two mathematically related
keys.
 block cipher A cipher that manipulates an entire block of plaintext at one time.
 Blowfish A block cipher that operates on 64-bit blocks and can have a key length from
32 to 448 bits.
 ciphertext Data that has been encrypted.
 cleartext Unencrypted data.
 cryptography The science of transforming information into a secure form while it is
being transmitted or stored so that unauthorized persons cannot access it.
 Data Encryption Standard (DES) A symmetric block cipher that uses a 56-bit key and
encrypts data in 64-bit blocks.
 decryption The process of changing ciphertext into plaintext.
 digital signature An electronic verification of the sender.
 elliptic curve cryptography (ECC) An algorithm that uses elliptic curves instead of
prime numbers to compute keys.
 encryption The process of changing plaintext into ciphertext.
 GNU Privacy Guard (GPG) Free and open-source software that is commonly used to
encrypt and decrypt e-mail messages.
 Hardware Security Module (HSM) A secure cryptographic processor.
 hash The unique digital fingerprint created by a hashing algorithm.
 Hashed Message Authentication Code (HMAC) A variation of a hash that encrypts
the hash with a shared secret key before transmitting it.
 hashing The process for creating a unique digital fingerprint signature for a set of data.
 key A mathematical value entered into the algorithm to produce ciphertext.
 Message Digest (MD) A common hash algorithm of several different versions.
 Message Digest 5 (MD5) A revision of MD4 that is designed to address its weaknesses.
 nonrepudiation The process of proving that a user performed an action.
 NTLM (New Technology LAN Manager) hash A password hash for Microsoft
Windows systems that is no longer recommended for use.
 NTLMv2 (New Technology LAN Manager Version 2) hash An updated version of
NTLM that uses HMAC with MD5.
 one-time pad (OTP) Using a unique truly random key to create ciphertext.
 plaintext Data input into an encryption algorithm.
 Pretty Good Privacy (PGP) A commercial product that is commonly used to encrypt
e-mail messages.
 private key An asymmetric encryption key that does have to be protected.
 private key cryptography Cryptographic algorithms that use a single key to encrypt
and decrypt a message.
 public key An asymmetric encryption key that does not have to be protected.
 public key cryptography Encryption that uses two mathematically related keys.
 quantum cryptography An asymmetric cryptography that attempts to use the unusual
and unique behavior of microscopic objects to enable users to securely develop and
share keys.
Security+ Guide to Network Security Fundamentals, Fourth Edition
11-12
 RACE Integrity Primitives Evaluation Message Digest (RIPEMD) A hash algorithm
that uses two different and independent parallel chains of computation and then
combines the result at the end of the process.
 RC4 An RC stream cipher that will accept keys up to 128 bits in length.
 Rivest Cipher (RC) A family of cipher algorithms designed by Ron Rivest.
 RSA An asymmetric algorithm published in 1977 and patented by MIT in 1983.
 Secure Hash Algorithm (SHA) A secure hash algorithm that creates hash values of
longer lengths than Message Digest (MD) algorithms.
 steganography Hiding the existence of data within a text, audio, image, or video file.
 stream cipher An algorithm that takes one character and replaces it with one character.
 symmetric cryptographic algorithm Encryption that uses a single key to encrypt and
decrypt a message.
 Triple Data Encryption Standard (3DES) A symmetric cipher that was designed to
replace DES.
 Trusted Platform Module (TPM) A chip on the motherboard of the computer that
provides cryptographic services.
 Twofish A later derivation of the Blowfish algorithm that is considered to be strong.
 whole disk encryption Cryptography that can be applied to entire disks.