[CISSP] Domain Crytography

Domain Crytography

Symmetric keys: secret keys. When using symmetric algorithms, the sender and receiver use the same key for encryption and decryption functions.

Strengths:

• Much faster than asymmetric systems
• Hard to break if using a large key size

Weaknesses:

• Requires a secure mechanism to deliver keys properly(out-of-band method) .
• Each pair of users needs a unique pair of keys, so the number of keys grows, and key management can become overwhelming.
• Provide confidentiality, but not authenticity or nonrepudiation.

Algorithms:

• Data Encryption Standard(DES)
• Triple-DES (3DES)
• Blowfish
• IDEA
• RC4, RC5, AND RC6
• Advanced Encryption Standard(AES)

Block Cipher: work on blocks(64 bits) of plaintext and ciphertext

Stream Cipher: work on streams of plaintext and ciphertext, one bit at a time. It is using keystream generator. Because stream ciphers encrypt and decrypt one bit at a time, they are more suitable for hardware implementations.

Asymmetric keys: public and private keys. Asymmetric systems use two different keys for encryption and decryption purposes.

For confidentiality-> encrypt the file with receiver's public key. This is called a secure message format.

For authentication-> encrypt the data with sender's private key. This is called an open message format.

For confidentiality and authentication -> encrypt the sender's private key and then encrypt it again with receiver's public key. This is called a secure and signed format.

Strengths:

• Better key distribution than symmetric systems
• Better scalability than symmetric systems
• Can provide authentication and nonrepudiation

Weaknesses:

• Works much more slowly than symmetric systems
• Mathematically intensive tasks

Algorithms:

• RSA(is used often in webbrowsers with SSL)
• Elliptic Curve Cryptosystem(ECC)
• Diffie-Hellman(Electronic key distribution, first asymmetirc algorithm)
• El Gamal
• Digital Signature Algorithm(DSA)
• knapsack

Link encryption happens at lower layers and encrypts headers and trailers of the packet. It would be considered the more secured encryption method acorss a single link.

End-to-end encryption happens at higher layers and does not encrypt headers and trailers.

Public key Infrastructure(PKI)

is a hybrid system of symmetric and asymmetric key algorithms and methods.

Message Integrity

Digital Signature

is a hash value that has been encrypted with the sender's private key. Provides authentication(knowing who really sent the message), integrity(because a hashing algorithm is onvolved), and nonrepudiation(sender cannot deny sending the message). Accountability(?)

One-way hasing

Creates a fingerprint of the message so it can more easily identify and monitor the message to see if it has been altered. It takes a variable-length string(the message) and generates a fixed-length value(message digest). It provide integrity of a message.

Message Authentication Code(MAC)

A user would like to send a message and allow only one other person to verify the integrity of the message.

• A symmetric key is combined with the message before being put through a hashing algorithm.
• It provides integrity and data origin authentication.

One-time pad

are basically stream ciphers considered impossible to break if implemented and maintained properly. A stream algorithm generates a keystream that is XORed to the plaintext. A one-time pad is made up of random values(just like a key stream), which is used to XOR to plaintext data.

Data Encryption Standard(DES)

Key size of 64 bits
(8 bits used for parity, resulting in an effective key length of 56 bits)->DEA
Replace by the Rijndael algorithm as the Advanced Encryption Standard(AES) BY NIST

How Does DES Work?

Electronic Code Book(ECB) Mode

This mode is usually used for small amounts of data like encrypting and protecting encryption keys. It is uese for challenge-response encryption operations and some key managements tasks. It is also used to encrypt personal identification number(PINs) in ATM machines for financial institutions.

Cypher Block Chaining(CBC) Mode

Ciphertext from the pervious block of data is used in encrypting the next block of data.

Advanced Encryption Standard(AES)

The AES was to be a symmetric block cypher algorithm supporting keys sizes of 128, 192, and 256 bits keys.

Rijndael was NIST's choice in replacing DES. It is a block cipher with a variable block length and key length.

Pretty Good Privacy (PGP)

It was the first widespread public key encryption program. It uses passphrases. The passphrase is used to encrypt the user's private key that is stored on her hard drive. PGP does not have a central leader, like a CA, certain standardized functionality is harder to accomplish. PGP is considered a cryptosystem. PGP is web of trust structure and using session key.

S-HTTP is a technology that protects each message that is sent between two computers.

HTTPS protects the communication channel between two computers, messages and all.

SSL works on transport layer. It protects a communication channel instead of individual messages. The client creates a session key and encrypts it with a public key and need PKI(CA).

Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard.

Cookie

Secure Shell (SSH) functions as a type of tunneling mechnism that provides terminal-like access to remote computers.

Internet Protocol Security(IPSec)

is a method of setting up a secure channel for protected data exchange between two divices. IPSec uses two basic security protocols: Authentication header(AH) and the Encapsulating Security Payload(ESP). It provide integrity and system authentication.

Transport mode:

Where the payload of message is protected.

Tunnel mode:

Where the payload and the routing and header information is also protected.

Zero knowledge proof means that someone can tell you something without telling you more information than you need to know. In cryptography it means to prove that you have a specific key without sharing that key or showing it to anyone.

Concealment ciphers disguise messages within the text or body of a message, such as using every other word in a sentence to form a different message.