Chapter 10
Understanding
Cryptography
and PKI
CompTIA Security+
Get Certified Get Ahead
Introduction
• Introducing cryptography concepts
• Providing integrity with hashing
• Providing confidentiality with
encryption
• Using cryptographic protocols
• Exploring PKI components
Cryptography
Concepts -
Integrity
• Provides assurances that data has
not been modified
• Hashing ensures that data has
retained integrity
• A hash is a number derived from
performing a calculation on data
• If the data is unchanged the hash
will always be the same number
• Common hashing algorithms
include MD5, SHA, HMAC
• Each algorithm creates a fixed size
string of bits
– Example: MD5 creates a hash of 128
bits
Cryptography
Concepts -
Confidentiality
• Ensures only authorized users can view data
• Encryption protects the confidentiality of
data
• Encryption ciphers data to make it
unreadable
• Encryption normally includes algorithm and
key
• Symmetric encryption
- Uses the same key to encrypt and decrypt
data
• Asymmetric encryption
- Uses two keys (public and private) created
as a matched pair
Cryptography
Concepts
• Stream ciphers
- Encrypt 1 bit at a time
• Block ciphers
- Encrypt data in blocks
• Steganography
- Hides data in data
Cryptography
Concepts
• Authentication validates an identity
• Non-repudiation
- Prevents a party from denying an action
• Digital signatures
- Provide authentication, non-repudiation,
and integrity
- Users sign emails with a digital signature
• Digital signature is a hash of an email
message encrypted with the sender’s
private key
• Only the sender’s public key can
decrypt the hash
• Provides verification it was encrypted
with the sender’s private key
Providing
Integrity
with Hashing
• Hashing provides integrity for data
- Email, downloaded files, files stored on a
disk
- A one-way function that creates a string of
characters
• A hash is a number
- Sometimes called a checksum
- You cannot reverse the hash
- You cannot re-create the original data from
the hash
- Created with a hashing algorithm
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA) family
• HMAC
Hashing
Protocols
• To verify integrity
- MD5 (use is discouraged)
- SHA (SHA-3 previously known as Keccak)
• To verify integrity and authenticity
- HMAC (HMAC-MD5 and HMAC-SHA1)
• Uses a shared secret
• IPsec and TLS use HMAC-MD5 and
HMAC-SHA1
Hashing Files
Hashing
Passwords
• Passwords often stored as hashes
• Password attacks attempt to discover
passwords
- Guess a password
- Hash the guessed password
- Compare the hash to the original hash
Cryptography
• Key stretching
- Bcrypt and PBKDF2
- Help prevent brute force and rainbow
table attacks
- Both salt the password with additional bits
• Advanced techniques add pepper
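The password-hashing slides above, worked as an added example (not code from the slide deck): PBKDF2 key stretching with a per-password salt and a pepper, next to an unsalted fast hash for contrast. The iteration count, salt length, and the way the pepper is applied (as an HMAC key over the password) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for this sketch; none of them come from the slides.
ITERATIONS = 600_000   # PBKDF2 rounds: the "stretching" work factor
SALT_BYTES = 16        # random, unique per password, stored beside the hash
HASH_NAME = "sha256"


def unsalted_hash(password: str) -> str:
    """Single fast hash with no salt: identical passwords give identical
    hashes, so one precomputed (rainbow) table works against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stretch_password(password: str, pepper: bytes,
                     salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_hash) for storage.

    The pepper is a secret kept outside the password database. Assumption:
    it is applied here as an HMAC key over the password before PBKDF2."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    peppered = hmac.new(pepper, password.encode("utf-8"), HASH_NAME).digest()
    derived = hashlib.pbkdf2_hmac(HASH_NAME, peppered, salt, ITERATIONS)
    return salt, derived


def verify_password(guess: str, pepper: bytes, salt: bytes,
                    stored_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = stretch_password(guess, pepper, salt)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    pepper = b"constructed-demo-pepper"   # constructed sample value
    password = "P@ssw0rd"                 # constructed sample value

    # Two users with the same password: the unsalted hashes collide,
    # the salted and stretched hashes do not.
    print("unsalted :", unsalted_hash(password) == unsalted_hash(password))
    salt_a, hash_a = stretch_password(password, pepper)
    salt_b, hash_b = stretch_password(password, pepper)
    print("stretched:", hash_a == hash_b)

    print("correct guess:", verify_password(password, pepper, salt_a, hash_a))
    print("wrong guess  :", verify_password("password", pepper, salt_a, hash_a))
```

Each guess against a stretched hash costs the full iteration count, and the salt forces that work to be repeated per account.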
Hashing
Messages
• Hashing detects
modified message
Hashing
Messages with
HMAC
• HMAC prevents attacker
from modifying hash
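The two message-hashing slides above, as an added example (not code from the slide deck): a plain hash detects a modified message only if the hash itself is untouched, while an HMAC tag cannot be recomputed without the shared secret. SHA-256 is used here instead of the HMAC-MD5 and HMAC-SHA1 variants the slides name; the messages and the secret are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def hash_only(message: bytes) -> str:
    """Plain hash: anyone who holds the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(shared_secret: bytes, message: bytes) -> str:
    """Keyed hash: computing it requires the shared secret."""
    return hmac.new(shared_secret, message, hashlib.sha256).hexdigest()


def accept_hash(message: bytes, received_hash: str) -> bool:
    """Receiver check when only a plain hash travels with the message."""
    return hmac.compare_digest(hash_only(message), received_hash)


def accept_hmac(shared_secret: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver check when an HMAC tag travels with the message."""
    return hmac.compare_digest(hmac_tag(shared_secret, message), received_tag)


def replace_in_transit(new_message: bytes) -> Tuple[bytes, str]:
    """The most a party without the shared secret can do: swap the message
    and attach a freshly computed plain hash."""
    return new_message, hash_only(new_message)


def run_cases(shared_secret: bytes) -> Dict[str, bool]:
    """Return whether the receiver accepts each delivery."""
    original = b"Pay invoice 1001: 100 USD"   # constructed sample message
    altered = b"Pay invoice 1001: 900 USD"    # constructed modified message
    swapped_message, swapped_hash = replace_in_transit(altered)
    return {
        # Plain hash
        "hash_unmodified": accept_hash(original, hash_only(original)),
        "hash_modified_old_hash": accept_hash(altered, hash_only(original)),
        "hash_modified_new_hash": accept_hash(swapped_message, swapped_hash),
        # HMAC
        "hmac_unmodified": accept_hmac(
            shared_secret, original, hmac_tag(shared_secret, original)),
        "hmac_modified_old_tag": accept_hmac(
            shared_secret, altered, hmac_tag(shared_secret, original)),
        "hmac_modified_new_hash": accept_hmac(
            shared_secret, swapped_message, swapped_hash),
    }


if __name__ == "__main__":
    for case, accepted in run_cases(b"constructed-shared-secret").items():
        print(f"{case:26} accepted={accepted}")
```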
Hashing Protocols Review
Algorithm | Type | Comments
MD5 | Hashing - Integrity | Creates 128-bit hashes
SHA-1 | Hashing - Integrity | Creates 160-bit hashes
SHA-2 | Hashing - Integrity | Creates 224-, 256-, 384-, or 512-bit hashes
SHA-3 | Hashing - Integrity | Creates 224-, 256-, 384-, or 512-bit hashes
HMAC-MD5 | Integrity/Authenticity | Creates 128-bit hashes
HMAC-SHA1 | Integrity/Authenticity | Creates 160-bit hashes
Providing
Confidentiality
with
Encryption
• Encryption provides confidentiality
– Helps ensure only authorized users can
view data
– Applies to any type of data
• Data-at-rest (files, in a database, and
so on)
• Data-in-transit (sent over a network)
– Data-in-use
• Not encrypted while in use
• If sensitive should be purged after use
Providing
Confidentiality
with
Encryption
• Two basic components of encryption
– Algorithm
• Performs mathematical calculations
on data
• Algorithm always the same
– Key
• A number that provides variability
• Either kept private and/or changed
frequently
Encryption
Terms
• Random and pseudo-random numbers
• Initialization vector (starting value)
• Nonce (number used once)
• XOR (logical operation comparing two inputs)
• Confusion
– Ciphertext significantly different than
plaintext
• Diffusion
– Small changes in plaintext result in large
changes in ciphertext
Encryption
Terms
• Secret algorithm
– Private instead of published
– Not recommended
• Weak/deprecated algorithms
– Don’t use
• High resiliency
– Refers to security of key even if an attacker
discovers part of the key
Block vs.
Stream
Ciphers
• Block ciphers
– Encrypts data in specific sized blocks
• Often 64-bit blocks or 128-bit blocks
– Divides large files or messages into these
blocks
– Encrypts each block separately
• Stream ciphers
– Encrypt data as a single bit or byte at a
time in a stream
– An important principle when using a
stream cipher
• Encryption keys should never be
reused
• If a key is reused, it is easier to crack
the encryption
Block Cipher
Modes
• Electronic Codebook (ECB)
– Simplest (deprecated and not
recommended)
• Cipher Block Chaining (CBC)
– Susceptible to pipeline delays
• Counter (CTM)
– Converts a block cipher into a stream
cipher
• Galois/Counter Mode (GCM)
– Combines CTM with hashing techniques
for integrity
Symmetric
Encryption
• Uses the same key to encrypt
and decrypt data
– When transmitting encrypted data
• Uses key to encrypt data before
transmission
• Uses same key to decrypt data when
received
• Much more efficient encrypting large
amounts of data than asymmetric encryption
• RADIUS uses symmetric encryption
Simple
Symmetric
Encryption
Example
• Encryption algorithm uses substitution cipher
– Move forward ____ spaces to encrypt
– For example, move forward 3 spaces to
encrypt
• Decryption algorithm
– Move back ____ spaces to decrypt
– For example, move back 3 spaces to
decrypt
• With the key of 3
– Message is PASS and encrypted it is SDVV
• ROT13 always uses a key of 13
Symmetric
Encryption
• Obfuscation
– Attempts to make something unclear
– Security through obscurity (isn’t secure)
• Compare symmetric encryption
to a door key
– One key can lock door
– Same key can unlock door
– Copy of same key can lock or unlock door
Symmetric
Encryption
• Advanced Encryption Standard (AES)
– Fast, efficient, strong symmetric block
cipher
– 128-bit block cipher
– Uses 128-bit, 192-bit, or 256-bit keys
• Widely used
– Provides a high level of confidentiality
– Selected in NIST competition
– Adopted by U.S. Government
Symmetric
Encryption
• Data Encryption Standard (DES)
– 64-bit block cipher
– Uses 56-bit keys and should not be used
today
• 3DES
– 64-bit block cipher
– Originally designed as a replacement for
DES
– Uses multiple keys and multiple passes
– Not as efficient as AES
– 3DES is still used in some applications,
such as
when hardware doesn’t support AES
Symmetric
Encryption
• RC4
– Symmetric stream cipher
– AES recommended instead of RC4
• Blowfish
– 64-bit block cipher
– Faster than AES in some situations
• Twofish
– 128-bit block cipher
Symmetric Encryption
Algorithm | Encryption Type | Method | Key Size
AES | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key
3DES | Symmetric | 64-bit block cipher | 56-, 112-, or 168-bit key
Blowfish | Symmetric | 64-bit block cipher | 32- to 448-bit key
Twofish | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key
RC4* | Symmetric | Stream cipher | 40- to 2,048-bit key
DES* | Symmetric | 64-bit block cipher | 56-bit key
* Don’t use
Asymmetric
Encryption
• Private Key / Public Key matched pair
– One key encrypts, the other key decrypts
– Only a private key can decrypt information
encrypted with a matching public key
– Only a public key can decrypt information
encrypted with a matching private key
– Private key stays private
– Public key shared in a certificate
– Asymmetric encryption methods require
certificate and PKI
Asymmetric Encryption
• Rayburn Box
[Figure: Rayburn box, locked by one key and unlocked by the other key]
Asymmetric Encryption
• Rayburn box used to send secrets
– Encryption
[Figure: Rayburn box, locked by one key and unlocked by the other key]
Asymmetric Encryption
• Rayburn box used for authentication
– Digital signature
[Figure: Rayburn box, locked by one key and unlocked by the other key]
Certificates
• Used for
– Encryption
– Authentication
– Digital signatures
Certificates
• Includes
– Serial number
– Issuer
– Validity dates
– Subject
– Public key
– Usage
Asymmetric
Encryption
• RSA
– Rivest, Shamir, Adleman
– Widely used to protect Internet traffic and
email
– Relies on mathematical properties of
prime numbers when creating public and
private keys
– Public and private keys created as a
matched pair
– Keys commonly used with asymmetric
encryption to privately share a symmetric
key
Asymmetric
Encryption
• Static keys
– Semi-permanent
– Stay the same over a long period of time
• Ephemeral keys
– Short lifetimes
– Re-created for each session
– Perfect forward secrecy
Other
Encryptions
• Elliptic curve cryptography (ECC)
– Commonly used with small wireless
devices
– Uses smaller key sizes and requires less
processing power
• Diffie-Hellman (DH)
– Secure method of sharing symmetric keys
over a public network
– Diffie-Hellman Ephemeral (DHE)
– Elliptic Curve Diffie-Hellman Ephemeral
(ECDHE)
Other
Encryptions
• Steganography
– Hides data within data
• Hides data by manipulating bits
• Hides data within white space of a file
– Security professionals use hashing to
detect
– Steganalysis
Using
Cryptographic
Protocols
• Email digital signatures
– The sender’s private key encrypts (or signs)
– The sender’s public key decrypts
• Email encryption
– The recipient’s public key encrypts
– The recipient’s private key decrypts
Knowing which key
encrypts and which key
decrypts will help you
answer many questions
Using
Cryptographic
Protocols
• Website encryption
– The website’s public key encrypts
It encrypts a symmetric key
– The website’s private key decrypts
It decrypts a symmetric key
– The symmetric key encrypts data in the
website session
Knowing which key
encrypts and which key
decrypts will help you
answer many questions
Digital
Signature
• Encrypted hash of a message
– The sender’s private key encrypts the hash
– Recipient decrypts hash with sender’s
public key
– Provides
• Authentication – identifies the sender
• Non-repudiation – prevents the
sender from denying the action
• Integrity – verifies the message has
not been modified
Digital Signature
• Signing email with a digital signature
[Figure: Lisa (sender) sends the message "I passed!" with a digital signature to Bart (recipient). The hash of the message is encrypted with the sender’s private key; the encrypted hash is decrypted with the sender’s public key.]
Encrypting
Email
• Using only asymmetric
encryption
(Not common)
– Lisa retrieves a copy of Bart’s
certificate that contains his public
key
– Lisa encrypts the email with
Bart’s public key
– Lisa sends the encrypted
email to Bart
– Bart decrypts the email with
his private key
Encrypting Email
• Using symmetric and asymmetric encryption
Decrypting Email
• Using symmetric and asymmetric encryption
Encrypting Email
• Action on the client’s system
[Figure, steps 1 to 3: the email ("Secrets in email") is encrypted with a symmetric key (53), and the key is encrypted with the recipient’s public key.]
Decrypting Email (cont)
[Figure, steps 4 and 5: the encrypted message and encrypted session key are sent from Lisa (sender) to Bart (recipient). The recipient decrypts the session key with the private key and then decrypts the message.]
Protecting
Email
• S/MIME and PGP/GPG
• Both:
– Use RSA algorithm
– Use public and private keys for
encryption and decryption
– Use certificates
– Can digitally sign and encrypt email
• Including email at rest and in
transit
– OpenPGP (PGP-based standard)
Transport
Encryption
• Protects confidentiality of transmitted
data
– SSH, IPsec, HTTPS, SSL, and TLS
– IPsec must use HMAC for
authentication and integrity
– IPsec can use either AES or 3DES for
encryption
– IPsec’s ESP encrypts the entire
packet
– Creates an additional IP header
TLS and SSL
• TLS is the replacement for SSL
– SSL deprecated
– Both require certificates issued by
CAs
• TLS used in HTTPS
– HTTPS uses a combination of
symmetric and asymmetric
encryption to encrypt HTTPS
sessions
Encrypting HTTPS traffic with TLS
[Figure: HTTPS session setup between client and server]
1. Client requests secure session
2. Server responds with certificate
3. Client creates symmetric key and encrypts it with public key
4. Encrypted symmetric key sent to server
5. Server decrypts symmetric key with private key
6. The session is encrypted with the session key using symmetric encryption
Cipher Suites
• Three primary cryptographic solutions
– Encryption
– Authentication
– Integrity
• Examples
– 0x00C031. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
– 0x00003C. TLS_RSA_WITH_AES_128_CBC_SHA256
Implementation
vs Algorithm
Selection
• Crypto module
– A set of hardware, software, and/or
firmware that implements
cryptographic functions
– Includes algorithms for encryption
and hashing, key generation, and
authentication techniques
• Crypto service providers
– A software library of cryptographic
standards and algorithms
– Typically distributed within crypto
modules
Downgrade
Attacks
• Exploit weak implementations
of cipher suites
• Uses weakest cipher suite
available
• Padding Oracle On Downgraded
Legacy Encryption (POODLE)
attack
– Downgraded to SSL
– Allowed SSL attacks
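The cipher suite names on the Cipher Suites slide and the downgrade risk described above, as an added example (not code from the slide deck): a parser that splits a TLS 1.2-style suite name into its parts, plus a server-side selection routine that fails the negotiation rather than fall back to an algorithm the earlier slides mark as "don't use" (RC4, DES) or discouraged (MD5). The function names and the server preference list are assumptions of this sketch; the suite names beyond the two on the slide are added as sample input.

```python
from dataclasses import dataclass
from typing import List, Optional

# Taken from the earlier slides: RC4 and DES are "don't use", MD5 is discouraged.
WEAK_CIPHERS = {"RC4", "DES"}
WEAK_MACS = {"MD5"}
# Ephemeral key exchanges (DHE, ECDHE) give perfect forward secrecy.
EPHEMERAL_KEY_EXCHANGES = {"DHE", "ECDHE"}
BLOCK_MODES = {"CBC", "GCM", "CCM"}


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: Optional[int]
    mode: Optional[str]
    mac: str   # in GCM suites this names the PRF hash; GCM supplies integrity


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>[_<bits>][_<mode>]_<hash>."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx = left.split("_")
    tokens = right.split("_")
    if not kx[0] or len(tokens) < 2:
        raise ValueError(f"incomplete suite name: {name!r}")
    body = tokens[:-1]
    bits = next((int(t) for t in body[1:] if t.isdigit()), None)
    mode = body[-1] if body[-1] in BLOCK_MODES else None
    # TLS_RSA_WITH_...: RSA does both key exchange and authentication.
    return CipherSuite(name, kx[0], kx[-1], body[0], bits, mode, tokens[-1])


def weak_algorithms(suite: CipherSuite) -> List[str]:
    """Algorithms in the suite that the slides say not to use."""
    found = []
    if suite.cipher in WEAK_CIPHERS:
        found.append(suite.cipher)
    if suite.mac in WEAK_MACS:
        found.append(suite.mac)
    return found


def has_forward_secrecy(suite: CipherSuite) -> bool:
    return suite.key_exchange in EPHEMERAL_KEY_EXCHANGES


def negotiate(client_offer: List[str],
              server_preference: List[str]) -> Optional[str]:
    """Pick the server's most preferred suite that the client also offers,
    skipping weak ones. None means: fail the handshake, do not downgrade."""
    offered = set(client_offer)
    for name in server_preference:
        if name in offered and not weak_algorithms(parse_cipher_suite(name)):
            return name
    return None


# Hypothetical server list; the last entry is a legacy suite left enabled.
SERVER_PREFERENCE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",   # from the slide (0x00C031)
    "TLS_RSA_WITH_AES_128_CBC_SHA256",        # from the slide (0x00003C)
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite_name in SERVER_PREFERENCE:
        s = parse_cipher_suite(suite_name)
        print(f"{s.name}: kx={s.key_exchange} auth={s.authentication} "
              f"cipher={s.cipher}-{s.key_bits} mode={s.mode} hash={s.mac} "
              f"pfs={has_forward_secrecy(s)} weak={weak_algorithms(s)}")
    # A client that offers only the legacy suite gets no session at all.
    print(negotiate(["TLS_RSA_WITH_RC4_128_MD5"], SERVER_PREFERENCE))
```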
Exploring PKI
Components
• Public Key Infrastructure
– Includes components required for
certificates
– Allows two entities to privately
share symmetric keys without any
prior communication
• Certificate Authority (CA)
– Issues, manages, validates, and
revokes certificates
Certificate
Chaining &
Trust Models
• Root certificate
• Trusted root
certification authorities
Trusted
Models
• Certificate chain
• Root CA
• Intermediate CAs
• Child CAs
• All certificates issued by trusted CAs
are trusted
• Errors when a site uses an untrusted
certificate
Trusted
Models
• Most trust models are hierarchical and
centralized with a central root CA
• Web-of-trust
– Self-signed certificates
Registration
• Certificate signing request (CSR)
– PKCS #10 format
– Create the RSA-based private key, which is used to
create the public key
– Include the public key in the CSR
– The CA will embed the public key
in the certificate.
Revoking
Certificates
• Reasons
– Key or CA Compromise
– Employee Leaves
– Change of Affiliation
– Superseded
– Cease of Operation
– Certificate Hold
• Revoked certificates
– Revoked by serial number
– Published in Certificate Revocation List
(CRL)
– Publicly available
Certificate
Revocation
List (CRL)
• Issued in a version 2 certificate
Validating Certificates
[Figure: validating certificates. Labels: client, web server in DMZ, CA, CRL; steps 1 to 4.]
CRL alternative
is OCSP
OCSP answers
• Good
• Revoked
• Unknown
OCSP Stapling
Certificates
• OCSP Stapling
– Signs OCSP response with digital signature
• Public key pinning
– Helps prevent web site impersonation
Certificates
• Key escrow
– Maintains a copy of a private key for
recovery
– Used if the original is lost
• Recovery Agent
– Can recover user messages and data
– In some cases, recovery agents can recover
private keys from a key escrow
Certificate
Types
• Machine/computer
• User
• Email
• Encryption and digital signatures
• Code signing
• Validates authentication of code
• Self-signed
• Not issued by CA
Certificate
Types
• Wildcard
• Same root domain
• Subject Alternative Name (SAN)
• Different root domains, but
same organization
• Domain validation
• CA takes extra steps to contact
requestor
• Extended validation
• Additional steps beyond
domain validation
Certificate Formats
Chapter 10
Summary
• Introducing cryptography concepts
• Providing integrity with hashing
• Providing confidentiality with
encryption
• Using cryptographic protocols
• Exploring PKI components

501 ch 10 cryptography

  • 1. Chapter 10 Understanding Cryptography and PKI CompTIA Security+ Get Certified Get Ahead 1
  • 2. Introduction • Introducing cryptography concepts • Providing integrity with hashing • Providing confidentiality with encryption • Using cryptographic protocols • Exploring PKI components
  • 3. Cryptography Concepts - Integrity • Provides assurances that data has not been modified • Hashing ensures that data has retained integrity • A hash is a number derived from performing a calculation on data • If the data is unchanged the hash will always be the same number • Common hashing algorithms include MD5, SHA, HMAC • Each algorithm creates a fixed size string of bits – Example: MD5 creates a hash of 128 bits
  • 4. Cryptography Concepts - Confidentiality • Ensures only authorized users can view data • Encryption protects the confidentiality of data • Encryption ciphers data to make it unreadable • Encryption normally includes algorithm and key • Symmetric encryption - Uses the same key to encrypt and decrypt data • Asymmetric encryption - Uses two keys (public and private) created as a matched pair
  • 5. Cryptography Concepts • Stream ciphers - Encrypt 1 bit at a time • Block ciphers - Encrypt data in blocks • Steganography - Hides data in data
  • 6. Cryptography Concepts • Authentication validates an identity • Non-repudiation - Prevents a party from denying an action • Digital signatures - Provide authentication, non-repudiation, and integrity - Users sign emails with a digital signature • Digital signature is a hash of an email message encrypted with the sender’s private key • Only the sender’s public key can decrypt the hash • Provides verification it was encrypted with the sender’s private key
  • 7. Providing Integrity with Hashing • Hashing provides integrity for data - Email, downloaded files, files stored on a disk - A one-way function that creates a string of characters • A hash is a number - Sometimes called a checksum - You cannot reverse the hash - You cannot re-create the original data from the hash - Created with a hashing algorithm • Message Digest 5 (MD5) • Secure Hash Algorithm (SHA) family • HMAC
  • 8. Hashing Protocols • To verify integrity - MD5 (use is discouraged) - SHA (SHA-3 previously known as Keccak) • To verify integrity and authenticity - HMAC (HMAC-MD5 and HMAC-SHA1) • Uses a shared secret • IPsec and TLS use HMAC-MD5 and HMAC-SHA1
  • 10. Hashing Passwords • Passwords often stored as hashes • Password attacks attempt to discover passwords - Guess a password - Hash the guessed password - Compare the hash to the original hash
  • 11. Cryptography • Key stretching - Bcrypt and PBKDF2 - Help prevent brute force and rainbow table attacks - Both salt the password with additional bits • Advanced techniques add pepper
  • 13. Hashing Messages with HMAC • HMAC prevents attacker from modifying hash
  • 14. Hashing Protocols Review (Algorithm | Type | Comments) • MD5 | Hashing - Integrity | Creates 128-bit hashes • SHA-1 | Hashing - Integrity | Creates 160-bit hashes • SHA-2 | Hashing - Integrity | Creates 224-, 256-, 384-, or 512-bit hashes • SHA-3 | Hashing - Integrity | Creates 224-, 256-, 384-, or 512-bit hashes • HMAC-MD5 | Integrity/Authenticity | Creates 128-bit hashes • HMAC-SHA1 | Integrity/Authenticity | Creates 160-bit hashes
  • 15. Providing Confidentiality with Encryption • Encryption provides confidentiality – Helps ensure only authorized users can view data – Applies to any type of data • Data-at-rest (files, in a database, and so on) • Data-in-transit (sent over a network) – Data-in-use • Not encrypted while in use • If sensitive should be purged after use
  • 16. Providing Confidentiality with Encryption • Two basic components of encryption – Algorithm • Performs mathematical calculations on data • Algorithm always the same – Key • A number that provides variability • Either kept private and/or changed frequently
  • 17. Encryption Terms • Random and pseudo-random numbers • Initialization vector (starting value) • Nonce (number used once) • XOR (logical operation comparing two inputs) • Confusion – Ciphertext significantly different than plaintext • Diffusion – Small changes in plaintext result in large changes in ciphertext
  • 18. Encryption Terms • Secret algorithm – Private instead of published – Not recommended • Weak/deprecated algorithms – Don’t use • High resiliency – Refers to security of key even if an attacker discovers part of the key
  • 19. Block vs. Stream Ciphers • Block ciphers – Encrypts data in specific sized blocks • Often 64-bit blocks or 128-bit blocks – Divides large files or messages into these blocks – Encrypts each block separately • Stream ciphers – Encrypt data as a single bit or byte at a time in a stream – An important principle when using a stream cipher • Encryption keys should never be reused • If a key is reused, it is easier to crack the encryption
  • 20. Block Cipher Modes • Electronic Codebook (ECB) – Simplest (deprecated and not recommended) • Cipher Block Chaining (CBC) – Susceptible to pipeline delays • Counter (CTM) – Converts a block cipher into a stream cipher • Galois/Counter Mode (GCM) – Combines CTM with hashing techniques for integrity
  • 21. Symmetric Encryption • Uses the same key to encrypt and decrypt data – When transmitting encrypted data • Uses key to encrypt data before transmission • Uses same key to decrypt data when received • Much more efficient encrypting large amounts of data than asymmetric encryption • RADIUS uses symmetric encryption
  • 22. Simple Symmetric Encryption Example • Encryption algorithm uses substitution cipher – Move forward ____ spaces to encrypt – For example, move forward 3 spaces to encrypt • Decryption algorithm – Move back ____ spaces to decrypt – For example, move back 3 spaces to decrypt • With the key of 3 – Message is PASS and encrypted it is SDVV • ROT13 always uses a key of 13
  • 23. Symmetric Encryption • Obfuscation – Attempts to make something unclear – Security through obscurity (isn’t secure) • Compare symmetric encryption to a door key – One key can lock door – Same key can unlock door – Copy of same key can lock or unlock door
  • 24. Symmetric Encryption • Advanced Encryption Standard (AES) – Fast, efficient, strong symmetric block cipher – 128-bit block cipher – Uses 128-bit, 192-bit, or 256-bit keys • Widely used – Provides a high level of confidentiality – Selected in NIST competition – Adopted by U.S. Government
  • 25. Symmetric Encryption • Data Encryption Standard (DES) – 64-bit block cipher – Uses 56-bit keys and should not be used today • 3DES – 64-bit block cipher – Originally designed as a replacement for DES – Uses multiple keys and multiple passes – Not as efficient as AES – 3DES is still used in some applications, such as when hardware doesn’t support AES
  • 26. Symmetric Encryption • RC4 – Symmetric stream cipher – AES recommended instead of RC4 • Blowfish – 64-bit block cipher – Faster than AES in some situations • Twofish – 128-bit block cipher
  • 27. Symmetric Encryption (Algorithm | Encryption Type | Method | Key Size) • AES | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key • 3DES | Symmetric | 64-bit block cipher | 56-, 112-, or 168-bit key • Blowfish | Symmetric | 64-bit block cipher | 32- to 448-bit key • Twofish | Symmetric | 128-bit block cipher | 128-, 192-, or 256-bit key • RC4* | Symmetric | Stream cipher | 40- to 2,048-bit key • DES* | Symmetric | 64-bit block cipher | 56-bit key • * Don’t use
  • 28. Asymmetric Encryption • Private Key / Public Key matched pair – One key encrypts, the other key decrypts – Only a private key can decrypt information encrypted with a matching public key – Only a public key can decrypt information encrypted with a matching private key – Private key stays private – Public key shared in a certificate – Asymmetric encryption methods require certificate and PKI
  • 29. Asymmetric Encryption • Rayburn Box – Locked by one key – Unlocked by the other key
  • 30. Asymmetric Encryption • Rayburn box used to send secrets – Encryption • Rayburn Box – Locked by one key – Unlocked by the other key
  • 31. Asymmetric Encryption • Rayburn box used for authentication – Digital signature • Rayburn Box – Locked by one key – Unlocked by the other key
  • 32. Certificates • Used for – Encryption – Authentication – Digital signatures
  • 33. Certificates • Includes – Serial number – Issuer – Validity dates – Subject – Public key – Usage
  • 34. Asymmetric Encryption • RSA – Rivest, Shamir, Adleman – Widely used to protect Internet traffic and email – Relies on mathematical properties of prime numbers when creating public and private keys – Public and private keys created as a matched pair – Keys commonly used with asymmetric encryption to privately share a symmetric key
  • 35. Asymmetric Encryption • Static keys – Semi-permanent – Stay the same over a long period of time • Ephemeral keys – Short lifetimes – Re-created for each session – Perfect forward secrecy
  • 36. Other Encryptions • Elliptic curve cryptography (ECC) – Commonly used with small wireless devices – Uses smaller key sizes and requires less processing power • Diffie-Hellman (DH) – Secure method of sharing symmetric keys over a public network – Diffie-Hellman Ephemeral (DHE) – Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
  • 37. Other Encryptions • Steganography – Hides data within data • Hides data by manipulating bits • Hides data within white space of a file – Security professionals use hashing to detect – Steganalysis
  • 38. Using Cryptographic Protocols • Email digital signatures – The sender’s private key encrypts (or signs) – The sender’s public key decrypts • Email encryption – The recipient’s public key encrypts – The recipient’s private key decrypts • Knowing which key encrypts and which key decrypts will help you answer many questions
  • 39. Using Cryptographic Protocols • Website encryption – The website’s public key encrypts • It encrypts a symmetric key – The website’s private key decrypts • It decrypts a symmetric key – The symmetric key encrypts data in the website session • Knowing which key encrypts and which key decrypts will help you answer many questions
  • 40. Digital Signature • Encrypted hash of a message – The sender’s private key encrypts the hash – Recipient decrypts hash with sender’s public key – Provides • Authentication – identifies the sender • Non-repudiation – prevents the sender from denying the action • Integrity – verifies the message has not been modified
  • 41. Digital Signature • Signing email with a digital signature • [Diagram: Lisa (sender) sends the message "I passed!" with a digital signature to Bart (recipient)] • Hash of message encrypted with sender’s private key • Encrypted hash decrypted with sender’s public key
  • 42. Encrypting Email • Using only asymmetric encryption (Not common) – Lisa retrieves a copy of Bart’s certificate that contains his public key – Lisa encrypts the email with Bart’s public key – Lisa sends the encrypted email to Bart – Bart decrypts the email with his private key
  • 43. Encrypting Email • Using symmetric and asymmetric encryption
  • 44. Decrypting Email • Using symmetric and asymmetric encryption
  • 45. Encrypting Email • Action on the client’s system • [Diagram, steps 1–3] • Secrets in email • Symmetric key (53) • Email encrypted with symmetric key • Key encrypted with recipient’s public key
  • 46. Decrypting Email (cont) • [Diagram, steps 4–5: Lisa (sender) and Bart (recipient)] • Encrypted message and encrypted session key sent to recipient • Recipient decrypts session key with private key and then decrypts message
  • 47. Protecting Email • S/MIME and PGP/GPG • Both: – Use RSA algorithm – Use public and private keys for encryption and decryption – Use certificates – Can digitally sign and encrypt email • Including email at rest and in transit – OpenPGP (PGP-based standard)
  • 48. Transport Encryption • Protects confidentiality of transmitted data – SSH, IPsec, HTTPS, SSL, and TLS – IPsec must use HMAC for authentication and integrity – IPsec can use either AES or 3DES for encryption – IPsec’s ESP encrypts the entire packet – Creates an additional IP header
  • 49. TLS and SSL • TLS is the replacement for SSL – SSL deprecated – Both require certificates issued by CAs • TLS used in HTTPS – HTTPS uses a combination of symmetric and asymmetric encryption to encrypt HTTPS sessions
  • 50. Encrypting HTTPS traffic with TLS • 1. Client requests secure session • 2. Server responds with certificate • 3. Client creates symmetric key and encrypts it with public key • 4. Encrypted symmetric key sent to server • 5. Server decrypts symmetric key with private key • 6. The session is encrypted with the session key using symmetric encryption
  • 51. Cipher Suites • Three primary cryptographic solutions – Encryption – Authentication – Integrity • Examples – 0x00C031. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 – 0x00003C. TLS_RSA_WITH_AES_128_CBC_SHA256
  • 52. Implementation vs Algorithm Selection • Crypto module – A set of hardware, software, and/or firmware that implements cryptographic functions – Includes algorithms for encryption and hashing, key generation, and authentication techniques • Crypto service providers – A software library of cryptographic standards and algorithms – Typically distributed within crypto modules
  • 53. Downgrade Attacks • Exploit weak implementations of cipher suites • Uses weakest cipher suite available • Padding Oracle On Downgraded Legacy Encryption (POODLE) attack – Downgraded to SSL – Allowed SSL attacks
  • 54. Exploring PKI Components • Public Key Infrastructure – Includes components required for certificates – Allows two entities to privately share symmetric keys without any prior communication • Certificate Authority (CA) – Issues, manages, validates, and revokes certificates
  • 55. Certificate Chaining & Trust Models • Root certificate • Trusted root certification authorities
  • 56. Trusted Models • Certificate chain • Root CA • Intermediate CAs • Child CAs • All certificates issued by trusted CAs are trusted • Errors when a site uses an untrusted certificate
  • 57. Trusted Models • Most trust models are hierarchical and centralized with a central root CA • Web-of-trust – Self-signed certificates
  • 58. Registration • Certificate signing request (CSR) – PKCS #10 format – Create the RSA-based private key, which is used to create the public key – Include the public key in the CSR – The CA will embed the public key in the certificate.
  • 59. Revoking Certificates • Reasons – Key or CA Compromise – Employee Leaves – Change of Affiliation – Superseded – Cease of Operation – Certificate Hold • Revoked certificates – Revoked by serial number – Published in Certificate Revocation List (CRL) – Publicly available
  • 60. Certificate Revocation List (CRL) • Issued in a version 2 certificate
  • 63. Validating Certificates • [Diagram, steps 1–4: client, web server in DMZ, CA, and CRL] • CRL alternative is OCSP • OCSP answers – Good – Revoked – Unknown • OCSP Stapling
  • 64. Certificates • OCSP Stapling – Signs OCSP response with digital signature • Public key pinning – Helps prevent web site impersonation
  • 65. Certificates • Key escrow – Maintains a copy of a private key for recovery – Used if the original is lost • Recovery Agent – Can recover user messages and data – In some cases, recovery agents can recover private keys from a key escrow
  • 66. Certificate Types • Machine/computer • User • Email • Encryption and digital signatures • Code signing • Validates authentication of code • Self-signed • Not issued by CA
  • 67. Certificate Types • Wildcard • Same root domain • Subject Alternative Name (SAN) • Different root domains, but same organization • Domain validation • CA takes extra steps to contact requestor • Extended validation • Additional steps beyond domain validation
  • 69. Chapter 10 Summary • Introducing cryptography concepts • Providing integrity with hashing • Providing confidentiality with encryption • Using cryptographic protocols • Exploring PKI components
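
Slides 10 and 11 describe password hashes, key stretching with PBKDF2, salting, and pepper. The following is an added example, not part of the slide deck, that puts an unsalted MD5 hash beside a salted, peppered PBKDF2 record; the iteration count, the record layout, and mixing the pepper in with HMAC-SHA256 are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumed work factor for this example; tune per hardware
SALT_BYTES = 16        # assumed salt length


def unsalted_md5(password: str) -> str:
    """Weak form: identical passwords always produce identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def apply_pepper(password: str, pepper: bytes) -> bytes:
    """Mix in the pepper, a secret kept outside the password database."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> dict:
    """Stretch the password with PBKDF2 and return the record to store."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", apply_pepper(password, pepper), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", apply_pepper(password, pepper),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pepper = b"constructed-pepper-value"   # constructed sample, not a real secret
    lisa = hash_password("P@ssw0rd", pepper)
    bart = hash_password("P@ssw0rd", pepper)
    # Unsalted: both users share one hash, so one precomputed entry covers both.
    print("MD5 equal:   ", unsalted_md5("P@ssw0rd") == unsalted_md5("P@ssw0rd"))
    # Salted: the same password yields unrelated stored values.
    print("PBKDF2 equal:", lisa["hash"] == bart["hash"])
    print("verify ok:   ", verify_password("P@ssw0rd", pepper, lisa))
    print("verify wrong:", verify_password("p@ssw0rd", pepper, lisa))
```

Because each record carries its own salt and iteration count, the work factor can be raised for new records without breaking verification of old ones.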
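
Slides 8 and 13 state that a hash verifies integrity while HMAC, which uses a shared secret, verifies integrity and authenticity. This added example, not part of the slide deck, shows the difference from the receiver's side; it uses HMAC-SHA256 in place of the HMAC-MD5 and HMAC-SHA1 named on the slides, and the messages and key are constructed samples.

```python
import hashlib
import hmac


def hash_tag(message: bytes) -> str:
    """Plain hash: anyone who can read the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(message: bytes, key: bytes) -> str:
    """HMAC: computing a valid tag requires the shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def receiver_accepts_hmac(message: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(message, key), tag)


def simulate_modification(key: bytes) -> dict:
    """Model a message altered in transit by a party without the key."""
    original = b"Transfer 100 to account 12345"   # constructed sample
    altered = b"Transfer 900 to account 12345"    # constructed sample
    sent_hmac = hmac_tag(original, key)
    # Without the key, the only tag that can be recomputed for the altered
    # message is a plain hash.
    recomputed = hash_tag(altered)
    return {
        # The plain hash matches the altered message, so the change is missed.
        "hash_accepts_altered": receiver_accepts_hash(altered, recomputed),
        # The untouched message with its HMAC verifies.
        "hmac_accepts_original": receiver_accepts_hmac(original, sent_hmac, key),
        # The altered message fails with the original HMAC ...
        "hmac_accepts_altered": receiver_accepts_hmac(altered, sent_hmac, key),
        # ... and with a tag recomputed without the key.
        "hmac_accepts_recomputed": receiver_accepts_hmac(altered, recomputed, key),
    }


if __name__ == "__main__":
    shared_key = b"constructed-shared-secret"     # constructed sample
    for check, result in simulate_modification(shared_key).items():
        print(f"{check}: {result}")
```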
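
Slide 51 lists cipher suite names, slides 35 and 36 tie ephemeral keys (DHE, ECDHE) to perfect forward secrecy, and slides 8 and 27 mark MD5, RC4, and DES as discouraged or "Don't use". This added example, not part of the slide deck, splits TLS 1.2-style suite names into their parts and checks them against those slide statements; the function names and the audit wording are assumptions, and suite names without `_WITH_` are rejected rather than parsed.

```python
DEPRECATED_CIPHERS = {"RC4", "DES"}   # marked "Don't use" on slide 27
EPHEMERAL_KX = {"DHE", "ECDHE"}       # ephemeral key exchange, slide 36
MODES = {"CBC", "GCM", "CCM"}


def parse_suite(name: str) -> dict:
    """Split TLS_<kx>_<auth>_WITH_<cipher...>_<hash> into its components."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx_auth = left.split("_")
    # A single token (RSA) does both key exchange and authentication.
    key_exchange, authentication = kx_auth[0], kx_auth[-1]
    *cipher_tokens, digest = right.split("_")
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": cipher_tokens[0],
        "key_bits": next((int(t) for t in cipher_tokens if t.isdigit()), None),
        "mode": next((t for t in cipher_tokens if t in MODES), None),
        # For GCM suites this hash drives key derivation; GCM itself
        # supplies the integrity check.
        "hash": digest,
    }


def audit_suite(name: str) -> list:
    """Return findings based on what the slides mark as weak."""
    suite = parse_suite(name)
    findings = []
    if suite["key_exchange"] not in EPHEMERAL_KX:
        findings.append("static key exchange: no perfect forward secrecy")
    if suite["cipher"] in DEPRECATED_CIPHERS:
        findings.append(f"deprecated cipher: {suite['cipher']}")
    if suite["hash"] == "MD5":
        findings.append("MD5 use is discouraged")
    return findings


# The first two names are the examples on slide 51; the rest are other
# registered suite names chosen for this example.
SAMPLE_SUITES = [
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite_name in SAMPLE_SUITES:
        print(suite_name, parse_suite(suite_name), audit_suite(suite_name))
```

Run against a server's configured suite list, the same audit shows which entries a downgrade (slide 53) could fall back to.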