Training and Tips that are very helpful to gain knowledge in the field of information Security and passing your CISSP Certification Exam.
To be CISSP Certified Please Check out the link below:
http://asmed.com/cissp-isc2/
2. SECURITY ENGINEERING
Cryptographic Systems
Encryption systems have become extremely
crucial in computing and data protection today.
Detailed discussions and understanding
required.
2
3. 3
SECURITY ENGINEERING
The purpose of cryptography is to render information
unintelligible to all but the intended recipient.
The sender enciphers a message into unintelligible form, and
the receiver deciphers it into intelligible form. The word
“cryptology” is derived from the Greek kryptos (hidden) and
logos (word).
• Cryptology: The scientific study of cryptography and
cryptanalysis
• Cryptography: The enciphering and deciphering of messages
into secret codes by means of various transformations of the
plaintext
• Cryptanalysis: The process of deriving the plaintext from the
ciphertext (breaking a code) without being in possession of
the key or the system (code breaking).
• The history of codes and ciphers goes back almost 4,000
years to the early Egyptian civilization.
4. 4
SECURITY ENGINEERING
More Definitions:
Plaintext – a message (sometimes called cleartext)
Encryption – the process of making a message disguised
Decryption – the process of turning a disguised message back
into plaintext
Cryptography – the science of keeping message secure
Cryptanalysis – the science of breaking ciphertext
Cryptology – mathematics of both cryptography and
cryptanalysis
5. SECURITY ENGINEERING
• The History of Cryptography
• Cryptographic Definitions & Concepts
• Components of a Cryptosystem
• Software
• Protocols
• Algorithms
• Key
• Kerckhoff’s Principle
• Key should be the only secret
component in cryptosystems.
• Strength of a Cryptosystem
• Combination of the algorithm, key
secrecy, key length, and the
initialization vector.
5
6. 6
SECURITY ENGINEERING
Basics - Services of a Cryptosystems
- Ensure Confidentiality by preventing unauthorized users to
access message/data.
- Ensure Integrity - Info cannot be altered in storage or in
transit
- Non-repudiation - Creator or sender cannot deny (via use
of digital signatures)
- Authentication - Provide foundation for secure access
control by using encrypted passwords and token-based
devices.
- Make compromise unattractive - too expensive or time
consuming to be worth the effort
8. SECURITY ENGINEERING
• The History of Cryptography
• Cryptographic Definitions & Concepts
One-Time Pad:
-Considered the most secured encryption scheme
- Sender uses each key letter on the pad to encrypt
exactly one plaintext character
- Pad is used only one time
- Pad is as long as the message
- Primarily used for ultra-secure low-bandwidth
channels
- Used by many secret agents
• Running Cipher – use common components (a page
within a book)
• Concealment Cipher – message within a message
(i.e. In a sentence)
• Steganography – message hidden within a different
8
9. SECURITY ENGINEERING
CIPHERS
A cipher (cryptographic algorithm) is a series of
transformations that convert plaintext to unreadable
text (ciphertext), using the cipher key.
Keystream – A set of random or pseudorandom
characters that are used to combine
plaintext messages during encryption.
9
10. SECURITY ENGINEERING
ATTRIBUTES OF A STRONG CIPHER
(Algorithms)
• There should be long periods of no repeating
patterns, which means that the bits generated by
the keystream must be random.
• The cipher must be statistically unpredictable,
ensuring that the bits generated from the
keystream generator cannot be predicted.
• The keystream should not be linearly related to the
key so that someone who guesses the keystream
cannot also guess the key.
• The keystream should be statistically unbiased,
ensuring that there are the same number of 0’s
and 1’s.
• The cipher should contain the right level of
confusion and diffusion. 10
11. 11
SECURITY ENGINEERING
Strong Cipher Concepts
Confusion:
-A mechanism to hide the relationship of the encryption
key, plaintext, and ciphertext.
-It reinforces the complexity to increase the work factor
of reverse-engineering
-The attacker should not be able to predict what
changing one or more characters in the plaintext will do
to the resulting ciphertext.
Diffusion:
- A mechanism to obscure redundancy in a plaintext by
spreading the effects of the transformation over the
ciphertext.
12. 12
SECURITY ENGINEERING
Cryptographic Concepts
Diffusion cont’d:
-It changes the value of at least one bit in a block of
plaintext being encrypted and will affect the value of
every other bit in the same block.
-It does dissipate the redundancy of plaintext by
spreading it out over the ciphertext.
-It impedes any statistical/frequency analysis based on
word or character occurrence.
Any well-designed algorithm should utilize
properties of both confusion and diffusion.
13. SECURITY ENGINEERING
CIPHER TYPES & MODES
• Substitution Ciphers
• Transposition Ciphers
Methods of Encryption
1. Substitution methods
- substituting one bit for another bit
- destination has to have the correct key to indicate how to
substitute the original bit back in
2. Transposition methods
- Bits are moved to new places in bitstream
- Bits are scrambled
- The destination has to have the correct key to indicate how
to unscramble the bits
13
14. SECURITY ENGINEERING
Initialization Vectors
Randomly-generated value used by many cryptosystems to ensure that a
unique a ciphertext is generated when there are multiple ciphertext
generated by the same key.
It is simply a continuously changing number used in combination with a
secret key to encrypt data.
Key:
Long string of random values. The key is the element that effects
randomness in the work of the algorithm. In other words, the key values
are used by the algorithms to indicate which mathematical equations to
use and in which order, and also with what values.
Key Space:
Comprises all the possible values that can facilitate the generation of a
key.
The large the key size the larger the key space ( 2 64 < 2 128 ).
Therefore the larger the key space the more values an attacker has to deal
with via brute force.
14
15. SECURITY ENGINEERING
Exclusive-OR (XOR)
• Another name for binary addition: an XOR operation results
in 0, if both values are the same or 1, if they are different.
• Provides simple and efficient method to combine two values.
• Used in many stream and block ciphers for substitution
operations.
• Rules:
• If both bits are the same, the result is 0
• 0 XOR 0 = 0
• 1 XOR 1 = 0
• If bits are different, the result is 1
• 1 XOR 0 = 1
• 0 XOR 1 = 1
• Example of XOR in operation:
• Assume you have two binary values: 11100101 and 10101111
• If you XOR them, you get 01001010
• In order to get back the original value, you just need to XOR the
second value (101001111) back into the result (01001010).
15
16. SECURITY ENGINEERING
Algorithm:
An algorithm is a well-defined mathematical/computational
procedure that takes a variable input and generates a
corresponding output. It performs the actual encryption and
decryption process.
Work Factor:
The amount of effort and resources, such as time, needed by an
attacker to break into a system.
16
17. SECURITY ENGINEERING
Methods of Encryption
Symmetric vs. Asymmetric Algorithms
Block & Stream Ciphers
Hybrid Encryption Methods
17
19. SECURITY ENGINEERING
CIPHERS TYPES & MODES
a.Block ciphers
Message divided into blocks of bits
Each block is encrypted (algorithm applied) separately
Whole message is not encrypted as one entity
Best used in software implementations
Uses diffusion, confusion, and substitution boxes in each
step
b. Stream ciphers
Encrypts (applies mathematical functions) individual bits of
the message
More complex as compared to block ciphers
Best used in hardware implementations 19
20. 20
SECURITY ENGINEERING
Block Cipher Modes
Electronic Code Book (ECB)
ECB is a block cipher mode used primarily to disguise the
pattern of a ciphertext. That is when each block of
plaintext is also encrypted and in addition mapped to a
code.
Cipher Block Chaining (CBC)
Ciphertext from previously encrypted block is used to
encrypt the next block of data
Provides more randomness and patterns are not as much of
a concern as in ECB code
21. 21
SECURITY ENGINEERING
Block Cipher Modes CFB & OFB
a.k.a. Stream Cipher Emulation Modes
Cipher Feedback (CFB) Mode
Previous ciphertext is used to encrypt the next block of data.
Basically the same as the CBC mode except the CFB emulates
a stream cipher by using a keystream generator.
Output Feedback (OFB) Mode
Values from a previous keystream are used to encrypt the
next block of data
Often used to encrypt satellite communications
22. SECURITY ENGINEERING
• Symmetric Systems
Uses a shared secret key for encryption and decryption
Based on mathematical transposition and substitution
functions
Faster than asymmetric and hard to break.
Examples below:
Data Encryption Standard (DES)
Triple-DES
Advance Encryption Standard (AES)
International Data Encryption Algorithm (IDEA)
Blowfish
RC4
RC5
RC6
22
23. SECURITY ENGINEERING
•Weaknesses of Symmetric Systems
Difficulty in distributing secret key
securely to recipients
Scalability – extremely difficult for large
groups to use
Does not provide authentication and
non-repudiation because sender cannot
be established if multiple users have the
same key
Keys must be regenerated often
23
24. SECURITY ENGINEERING
Asymmetric Systems
Uses a pair of keys (private and public) for encryption and
decryption
Built upon hard-to-resolve mathematical problem using
factorization, discreet logarithms, and the elliptic curve theory.
Slower than symmetric algorithm.
Strengths of Asymmetric Systems
Addition of new users may require the generation of only one
public-private key pair
Users can be removed far more easily via a key revocation
mechanism
Key regeneration is required only when a user’s private key is
compromised
Asymmetric encryption key can provide integrity,
authentication, and nonrepudiation
Key distribution is a simple process
No preexisting communication links need to exist.
24
26. SECURITY ENGINEERING
Diffie-Hellman Key Exchange Algorithm
(Asymmetric)
The Diffie-Hellman Key Exchange Algorithm
allows two entities to exchange a secret key
over an insecure medium
Developed in 1976 by Whitfield Diffie and
Martin Hellman
It is based on the asymmetric algorithm
scheme
26
28. SECURITY ENGINEERING
Hashing Algorithms
Uses a one-way mathematical function.
Characteristics:
Accepts variable-length string (message) and generates a
fixed-length value (hash value)
No key is involved
No confidentiality is provided because nothing is getting
encrypted
Similar to a CRC function
Creates a “fingerprint” of the message
28
30. SECURITY ENGINEERING
Security Issues in Hashing
Strength Hashing Algorithm:
Hash should be computed over entire message
Messages cannot be disclosed by MD value
Different messages should generate different
MD values – ie. Collision free
30
31. SECURITY ENGINEERING
Digital Signatures
Providing Authenticity and Non-
repudiation
After message is put through a hashing algorithm, the
MD is encrypted with the sender’s private key
Receiver validates the digital signature by decrypting
it with the sender’s public key
Provides data integrity, authenticity, and non-
repudiation
31
33. SECURITY ENGINEERING
U.S. Government Standard
Digital Signature Standard (DSS):
Secure Hash Algorithm (SHA) must be used for message
digest creation
DSA, RSA, and ECDSA asymmetric algorithms can be used
for digital signature creation
ECDSA – elliptic curve digital signature algorithm
33
35. SECURITY ENGINEERING
Public Key Infrastructure (PKI) (e.g.
Certification Authorities, etc.)
Key Components of PKI
• CA
• RA
• Certificate repository
• Certificate revocation system
35
36. SECURITY ENGINEERING
Public Key Infrastructure (PKI) (e.g.
Certification Authorities, etc.)
Certificate Authority (VeriSign, Thawte,
GoDaddy.com, DigiCert, etc.)
Creates digital certificate
Binds customer’s identity to public key
Sends certificate directly to user (customer)
Maintains certificate throughout its lifetime
X.509 v3 is the standard that defines Digital
Certificates.
36
37. SECURITY ENGINEERING
Public Key Infrastructure (PKI) (e.g. Certification
Authorities, etc.)
Registration Authority:
Accepts registration requests from buyers
Validates user’s identities
Passes requests to CA
Cannot create certificates
37
38. SECURITY ENGINEERING
Public Key Infrastructure (PKI)
Digital Certificates
Characteristics
Currently using X.509 version 3
Associates public key with owner
Digitally signed by CA
38
39. SECURITY ENGINEERING
Public Key Infrastructure (PKI)
Certificate Details
Version
Serial number
Issuer name
Validity period
Subject (user) name
etc
39
40. SECURITY ENGINEERING
Public Key Infrastructure (PKI)
Certificate Repository
Storage of certificates
Usually publicly accessible
Each certificate is digitally signed, therefore,
eliminating the possibility of being modified
40
41. DOMAIN #3 – SECURITY ENGINEERING
Public Key Infrastructure (PKI)
Certificate Revocation List (CRL)
Certificates can be revoked
CRL is a list of certificates that have been revoked
Method to inform the public about status of certificates
Online Certificate Status Protocol (OCSP)
41
42. SECURITY ENGINEERING
Key Management
Key Management Principles
Key must not be in cleartext.
There should be recovery options for keys
Rules for Keys & Key Management
Key length must be long enough to provide the
necessary protection
Key should be stored and transmitted by secure
means
Keys should be extremely random, and the
algorithm should use the full spectrum of keyspace.
The keys lifetime should correspond to the
sensitivity of the data it is protecting
The more the key is used the shorter its lifetime
should be
Keys should be backed up or escrowed for
emergencies
Keys should be properly destroyed at the end of
their lifetimes
42
43. GOOD LUCK!
ASM Educational Center Inc. (ASM)
Where Training, Technology & Service Converge
www.asmed.com
Phone: (301)984-7400
43