CISSP Week 21
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


CISSP Week 21






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as OpenOffice

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

CISSP Week 21 Presentation Transcript

  • 1. Crypto IV p. 862 - 888
  • 2. Digital Signature -a digital signature is intended to be comparable to a handwritten signature -provide assurance that the message does indeed come from the person who claims to have sent it, it has not been altered, both parties have a copy of the same document
  • 3. Digital Signature Standard (DSS) -FIPS 186 -uses 2 methods for created a signature. The RSA method and the DSS method -It will be appended to the message -Both methods begin by hashing the message
  • 4. RSA -RSA will then encrypt the hash with the sender’s private key, thus creating the signature DSS -DSS approach is to sign the hash using DSA. The DSA uses a random num to create a private & public key, then encrypts the hash value
  • 5. Non-Repudiation -service that ensures the sender cannot deny a message was sent and the integrity of the message is intact -NIST SP800-57
  • 6. Methods of Cryptanalytic Attacks Chosen Plain-Text -attacker knows the algorithm and is trying to determine the key -attacker will put in multiple known inputs and use the output to determine the key Social Engineering for Key Discovery -use of coercion, bribery, befriending people in positions of powers
  • 7. Brute Force -trying all possible keys until one is found that decrypt the ciphertext, this is why length is important Linear Cryptanalysis -is a known plaintext attack that uses linear approximations to describe the behavior of the block cipher
  • 8. Differential Cryptanalysis (Side Channel Attack) -complex attack is executed by measuring the exact execution times and power required by the crypto device to perform the en/decryption. -Measuring power consumption, clock cycles, etc makes it possible to determine the value of the key and algorithm used
  • 9. Algebraic -class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure Ciphertext-Only Attack -attacker only has ciphertext and tries to work backwards -the more examples the better chance of success
  • 10. Randow Table -to determine a given plaintext from its hash one of these are done: 1) Hash each plaintext until matching hash is found 2) Do 1 but store each generated hash in a table that can be used for future attacks
  • 11. Known Plaintext -attack has access to plain and cipher text of the message Frequency Analysis -especially useful when attacking a substitution cipher where statistics of the plaintext language are known
  • 12. Chosen Cipher-Text -when attacker has access to the decryption device/software and decrypts chosen ciphertexts to discover the key -RSA gets whooped by this Birthday Attack -since a hash is a short representation of a message there are two messages that will give the same hash
  • 13. Dictionary Attack -use dictionary words against a password file Replay Attack -meant to disrupt and damage processing by the attacker sending repeated files to the host Reverse Engineering
  • 14. Factoring Attacks -aimed at RSA algorithms -since that algorithm uses the product of prime numbers to generate the public and private keys, this attack attempts to find the keys through solving the factoring of these numbers
  • 15. Attacking the Random Number Generators -ability to guess nonces will greatly improve the attack success rate Temporary Files -most cryptosystems use temporary files to perform their calculations if the files are not cleared it may lead to it being broken
  • 16. Implementation Attacks ☻Side Channel Analysis: rely on physical attributes of implementation ☻Fault Analysis: attempts to force the system into an error state ☻Probing Attacks: watch the circuitry surrounding the crypto module in hopes that the complementing components will disclose info
  • 17. Network Sec an Cryptography Virtual Private Networks -goal of VPN is to provide confidentiality & data integrity of data transmission -site to site: deploys 2+ VPN servers or appliances that securely connect private networks together -remove access: securely connects a user’s computer to another user’s computer or VPN server -each VPN member must be configured to use the same cryptoparamerters
  • 18. E-Commerce -crypto continues to enable trust between businesses and consumers IPSec -developed to provide security over Internet connections and prevent IP spoofing, eavesdropping, and misuse of IP based authentication -operates with IPv4 and IPv6
  • 19. SSL/TLS -encrypts messages using symmetric algorithms, also calculates MAC
  • 20. Application Security and Crypto -Email is the most common business communication, so it is important to secure Email protocols and standards ☻Privacy Enhanced Mail (PEM) RFC 1421-1424 -provides message integrity; message origin & authentication; confidentiality, has a sweet encapsulating boundry
  • 21. ☻Pretty Good Privacy (PGP) -gives the user a choice of which encryption algorithm to use i.e. CAST, 3DES -establishes trust based on relationships ☻Secure/Multipurpose Internet Mail Extension S/MIME -provides signed & encrypted mail messages -similar to IPSec & SSL as it uses hash functions & as/symetric crypto
  • 22. Public Key Infrastructure PKI -PKI is a set of system, software, and communication protocols required to use, manage, and control public key crypto. It has 3 primary purposes 1. Publish keys/Certs 2. Certify that a key is tied to an individual/entity 3. Provide Verification of the validity of a public key
  • 23. -The CA “signs” an entities digital certificate to certify that the certificate accurately represents the certificate owner -Functions of a CA may be spread among several servers -CA can revoke certs & provide an update service to the other members of the PKI via a certificate revocation list (CRL), a list of non-valid certs that should not be accepted by any member of the PKI
  • 24. -Set up a trusted public directory of keys, each user must register with the directory service, it could delete & add keys automatically -use public key certs, this can be done directly or thru a CA which would act as a trusted 3rd party
  • 25. Certificate Related Issues -users may/will have to communicate with users from another CA, so CAs must have a method of crosscertifying one another -Business agreements & PKI policies are negotiated, then each CA signs the others public key, or root cert, thus establishing a cert chain -3 Basic Ways of constraining trust between CAs
  • 26. 1. Path Length: Orgs can control whether their CA should trust any cross-cert relationships that have been established by CAs with orgs have cross-certed 2. Name: In peer-to-peer cross-cert, name constraints are used to limit trust to a subgroup of cross-certed CAs based on their distinguished name (DN) 3. Policy: can be used to limit trust only to those users in another CA who have certain policy values in their certs
  • 27. Information Hiding Alternatives Steganography -hiding a message inside of another medium Watermarking -the addition of identifiable info into a file or document, this is often done to detect the improper copying or theft of info
  • 28. Summary & Conclusion Crypto, use it or lose it.