Date post: | 17-Jan-2016 |
Category: |
Documents |
Upload: | juliet-baker |
View: | 219 times |
Download: | 0 times |
Encryption DomainTerminology / Definitions
Algorithm A mathematical formula or ruleset that determineshow encryption / decryption will be performed. Uses
eithersymmetric / secret or asymmetric / public Keys.
Asymmetric Both sender and receiver use different Keys for encryption Key and decryption.
Cipher The Cryptographic action of transforming charactersor bits (mathematical example is f(x) = y).
Ciphertext Data / text in encrypted format (also known as cryptogram). Mathematically represented by C.
Cryptanalysis The science / study of breaking encryption algorithmsand their components.
Cryptography The science / study of storing and / or transmitting data in a form that only those that it is intended forcan read or use.
Cryptology Encompasses the areas of both Cryptography and Cryptanalysis.
Cryptosystem A system (hardware, software or other) that performsencryption.
Decipher The act of performing Decryption Mathematicallyrepresented as D. Action of decipering is D(C) = M orD(E(M)) = M.
Decryption The process / method of transforming Ciphertext back into
Plaintext.
Encipher The act of performing Encryption Mathematicallyrepresented as E. Action of enciphering is E(M) = C.
Encryption The process / method of transforming original data (plaintext) into an unreadable / random form (ciphertext).
End to End Data is encrypted from origin to destination (no node /Encryption neighbor decryption during transmission).
Fair The practice of dividing a Key or Keys between entities toCryptosystems ensure that no one entity can decrypt information without
all parties involvement. (used mainly with public key software Cryptography).
Key A randomly generated value from a sequence of randombits / input (also known as a Cryptovariable). The Key isinserted into the Algorithm and determines the resultant Ciphertext. Mathematically represented as K. Themathematical action of the Key on Ciphertext is f(K,M) =
C.
Key Escrow The practice of dividing a Key or Keys between entities toensure that no one entity can decrypt information
withoutall parties involvement. EES (Escrowed EncryptionStandard) from NIST was used with ill fated Clipper Chip.Alternate Key Escrow use – data recovery / management.
Key Clustering The instance when two different Keys generate the sameCiphertext.
Keyspace The range of values that can be used to construct the Key.
Link Data is decrypted and re-encrypted at each node along theEncryption transmission path. Each node shares common keys with its
two neighbors.
Plaintext Data is readable and in unencrypted format (also knownas cleartext / message). Mathematically represented as
M.
Session Key Not a literal key, but describes the lifetime of a key, either
symmetric or asymmetric
Steganography The method / process of hiding data, information or amessage in another medium (picture, soundfile, digitalwatermark).
Symmetric Both sender and receiver use the same key for encryptionKey and decryption. Also known as Secret Keys.
Work Factor Estimated time, effort energy or resources needed to break
a Cryptosystem. Usually estimated in relative time.
XOR eXclusive OR (meaning one or the other but not both). Used
with Symmetric Keys, ex. DES.
Cryptosystems
The goal of a cryptosystem is to provide
Confidentiality To ensure that unauthorized parties cannot accessthe data, message or information
Authenticity To ensure that the source / sender of the data,message or information is identifiable
Integrity To ensure that the data. Message or informationwas not modified during transmission
Nonrepudiation To ensure that either party cannot deny sending or
receiving the data, message or information
The strength / functional use of a Cryptosystem is determined by
Algorithm Strength Key SecrecyKey LengthInitialization VectorsEnd User(s)
Symmetric Key / Private Key Cryptosystem
** Uses a single Private Key shared between users **
Strengths
Quick / Efficient Algorithms – much quicker than AsymmetricHard to break when using a large Key SizeIdeal for bulk encryption / decryption
Weaknesses
Poor Key Management / Scalability (each user needs a unique key)Poor Key Distribution (must be done out of band – ie phone, mail,
etc)Cannot provide authenticity or nonrepudiation – only confidentiality
Types of Algorithms
DES (Data Encryption Standard), Triple DES, Blowfish, IDEA, RC4 – 6,Rijndael, AES (Advanced Encryption Standard)
* See CISSP Study Guides for In-Depth information on each Algorithm *
Asymmetric Key / Public Key Cryptosystem
** Uses a Key Pair (Public / Private Keys) **** Public Key shared between users **
Strengths
Better Scalability than Symmetric Key CryptosystemsCan provide confidentiality, authentication and nonrepudiationKey Distribution ManagementUses one Key to encrypt, the other to decrypt
Weaknesses
Slower Algorithms than Symmetric Key System
Algorithms
RSA, Elliptic Curve Cryptosystem (ECC), Diffie-Hellman, El Gamal, DSS (Digital Signature Standard), PGP
ECC has higher work factor than other asymmetric algorithms
* See CISSP Study Guides for In-Depth information on each Algorithm *
Asymmetric Key / Symmetric Key Size
Equivalent Strength Comparison
Asymmetric Keys Symmetric Keys
512 Bits 64 Bits
1792 Bits 112 Bits
2304 Bits 128 Bits
** See pg 158-159 of The CISSP Prep Guide for more info on key strength **
** Elliptic Curve, Discrete Logarithm, and Prime Number Factoring**
Hybrid – Asymmetric / Symmetric Key Cryptosystem
** Uses both Public(Asymmetric) and Private (Symmetric) **Algorithms and Keys
Uses two Key sets (2 private keys and 1 public key) and two concepts
Uses Asymmetric Keys (Public / Private Pair) for protectingEncryption Keys and Key Distribution
Uses Symmetric Keys (Private) for bulk / data encryption
Benefits
Better Scalability than Symmetric Key Cryptosystems (A)Can provide confidentiality, authentication and nonrepudiation (A)Key Distribution Management (A)Uses one Key to encrypt, the other to decrypt (A)Quick / Efficient Algorithms (S)Ideal for bulk encryption / decryption (S)
(A) Asymmetric (S) Symmetric
Exclusive Or Function / XOR Logic
Boolean logic operation that performs binary addition
0 XOR 0 = 0 Result is False because both False
0 XOR 1 = 1 Result is True because only 1 is True
1 XOR 0 = 1 Result is True because only 1 is True
1 XOR 1 = 0 Result is False because both are True)
Mathematical Action
If a Binary String is (B) and a Message is (M) then the logic is defined as
B XOR M = C and C XOR B = M – where C is the Resultant .
Used in
Data Encryption Standard (DES) – typically for MAC messages Cisco Routers / Switches ( at one time for really weak password
encryption )One Time Pad
Asymmetric Attack Types
Analytic Uses algorithm and algebraic manipulation weakness to
reduce complexity
Implementation Uses the specific implementation of the encryption
protocol as the basis for attack
Ciphertext Only statistical knowledge of plaintext available is usedOnly
Man-in-the Attacker is middle of transmission path where message Middle is intercepted and is used to match against keys
* See pgs 577 – 580 of CISSP Exam Certification Guide for in-depth detail *
Symmetric Attack Types
Known Some known Plaintext and matching Ciphertext are Plaintext used to break encryption.
Chosen A complementary Secret Key and Plaintext arePlainText used to determine Ciphertext block.
Brute Force Attack on all possible combinations of Keys andPasswords to break into computer.
Meet-in Plaintext encryption and Ciphertext decryption areThe-Middle known and are used to derive the key.
* See pgs 577 – 580 of CISSP Exam Certification Guide for in-depth detail *
Ciphers
Substitution
Replaces bits / data with different bits / data.
Uses a Key to know how the substitution should be done.
Caesar Cipher (current letter is replaced with letter three places away) is an example. Is also monoalphabetic.
Polyalphabetic Cipher uses multiple alphabets instead of one.
These Ciphers are vulnerable to frequency analysis anddiscovery of periods attacks (when the substitution repeats).
Transposition / Permutation
Letters of plaintext are permuted (scrambled).
Key determines the position the letters are moved to.
Can be quite complex when done electronically and with complexmathematical algorithms / functions.
Columnar Transposition Cipher writes letters horizontally andreads them vertically.
These Ciphers are vulnerable to frequency analysis but hides thestatistical properties of letter pairs and triples such as US and
ZOO.
Stream Cipher
Symmetric Algorithm that converts Plaintext to Ciphertextone bit / byte at a time.
Operate on continuous streams of Plaintext (i.e. network / continuous flow traffic).
Can use a Keystream Generator which produces a stream ofbits / bytes that is XOR’ed from the Plaintext to produce Ciphertext.
Hardware implemented due to performance / speed issues
Key is used to prevent attacker from XORing Plaintext andCiphertext and finding the KeyStream Generator.
Key determines order functions are applied to plaintext.
Long periods of nonrepeating patterns.
Cannot do statistical analysis to perform attack on Cipher.
Block Ciphers
Message / Plaintext is divided into blocks of data (ex DES – 64 bits)
Uses substitution, transposition and other mathematical functions.
Key determines order the functions are performed.
S-Boxes are small data transformation boxes that perform different
functions / formulas and methods. (ex. Black Box ).
Strong S-Box systems use random Key Values so attacker cannotfind pattern as to order of S-Box operation.
One Time Pad / Vernam Cipher
Invented in 1917 by Gilbert Vernam and Joseph Mauborgne.
Usually implemented as a stream cipher using the XOR function.
Key is used once and discarded by both sender and receiver.
Length of the Key character stream is equal to the message length.
Not practical for large amounts of data (MB / GB).
Pad is theoretically unbreakable by exhaustive brute force.
Implementation uses a Key that consists of a set of random
non-repeating characters.
Each Key letter and Plaintext are added modulo 26 to each other
and then converted back into a letter.
Running Cipher
Generally not implemented electronically.
Is usually used in spy-novel type mentality /fashion.
Uses normal everyday items / locations to leave clues.
Example – 5th word down on the 4th page of the 3rd bookon the 2nd shelve in the red building near the 7th window.
Concealment Cipher
Secret Decoder Ring mentality / implementation.
Key value set by a selected word or number association withan object or document.
Example – Lil Orphan Annie decoder ring with numbers on one side
and letters on the other side. Message is given in numeric form to
match to letters. (Anyone seen A Christmas Story ???)
Modes of DES
Electronic Code Book (ECB)
Native mode of DES
Best suited for small amounts of data
Usually applied to encrypt keys
Applied to 64-bit blocks of Plaintext to produce 64-bit blocks of Ciphertext
64-bit block of Ciphertext is divide into two 32-bit blocks(Right / Left Block)
The bits are recopied to produce two 48-bit blocks
Each 48-bit block is XOR’ed with a 48-bit encryption Key
Cipher Block Chaining (CBC)
Uses blocks of 64-bit Plaintext
Random 64-bit Intialization Vector is XOR’ed withthe first block of plaintext (to disguise first part of messageThat may be predictable – ie salutation, column number, etc.)
Result is encrypted with the DES Key
The first Ciphertext will then XOR with the next 64-bit block ofCiphertext until all Plaintext is exhausted
Errors propagate in this mode
Cipher Feedback (CFB)
A Stream Cipher where the Ciphertext is used as feedback intothe Key generation source to develop the next Key Stream
The Ciphertext generated by performing an XOR on the Plaintextwith the Key Stream the same number of bits as the Plaintext
Errors will propagate in this mode
Output Feedback (OFB)
A Stream Cipher that generates the Ciphertext Key by XORing the
Plaintext with a Key Stream.
Requires an Initialization Vector
Feedback is used to generate the Key Stream – therefore the Key Stream will vary
Errors will not propagate in this mode
Asymmetric Message Formats
Open Message Format
Message is encrypted with Senders Private KeyProvides Authenticity
Secure Message Format
Encrypted with Receivers Public KeyProvides Confidentiality
Secure and Signed Format
Encrypted with Senders Private KeyEncrypted with Receivers Public KeyProvides Authentication and Confidentiality
Key Management
Expiration Life cycle of cryptographic keys
Generation Random number generator used – or not
Distribution Can be manual or automated method / process
Entry / Use Manual or electronic device / process
Storage Keys in plaintext and available only to application
Recovery Lost or damaged keys / need to store or escrow themwith a third party
Revocation Removal of keys compromised or expired
Archiving Keys placed in secure storage for retrieval. Used for both public and private keys
Encryption- Part II ( Next week )
Digital Signatures
Hashes / Digests
Hashed Method Authentication Code
Cryptographic Attacks (brief)
PKI
Digital Certificates
Email Security (brief)
Financial ( SET, Mondex)
Internet Security (SSL,TLS, WTLS, IPSec, SHTTP, HTTPS, SSH)
Wireless Security ( WAP, WEP, DoS, Tools, RC4)