CISSP Week 21


Published on

Published in: Education, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CISSP Week 21

  1. 1. Crypto IV p. 862 - 888
  2. 2. Digital Signature -a digital signature is intended to be comparable to a handwritten signature -provide assurance that the message does indeed come from the person who claims to have sent it, it has not been altered, both parties have a copy of the same document
  3. 3. Digital Signature Standard (DSS) -FIPS 186 -uses 2 methods for created a signature. The RSA method and the DSS method -It will be appended to the message -Both methods begin by hashing the message
  4. 4. RSA -RSA will then encrypt the hash with the sender’s private key, thus creating the signature DSS -DSS approach is to sign the hash using DSA. The DSA uses a random num to create a private & public key, then encrypts the hash value
  5. 5. Non-Repudiation -service that ensures the sender cannot deny a message was sent and the integrity of the message is intact -NIST SP800-57
  6. 6. Methods of Cryptanalytic Attacks Chosen Plain-Text -attacker knows the algorithm and is trying to determine the key -attacker will put in multiple known inputs and use the output to determine the key Social Engineering for Key Discovery -use of coercion, bribery, befriending people in positions of powers
  7. 7. Brute Force -trying all possible keys until one is found that decrypt the ciphertext, this is why length is important Linear Cryptanalysis -is a known plaintext attack that uses linear approximations to describe the behavior of the block cipher
  8. 8. Differential Cryptanalysis (Side Channel Attack) -complex attack is executed by measuring the exact execution times and power required by the crypto device to perform the en/decryption. -Measuring power consumption, clock cycles, etc makes it possible to determine the value of the key and algorithm used
  9. 9. Algebraic -class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure Ciphertext-Only Attack -attacker only has ciphertext and tries to work backwards -the more examples the better chance of success
  10. 10. Randow Table -to determine a given plaintext from its hash one of these are done: 1) Hash each plaintext until matching hash is found 2) Do 1 but store each generated hash in a table that can be used for future attacks
  11. 11. Known Plaintext -attack has access to plain and cipher text of the message Frequency Analysis -especially useful when attacking a substitution cipher where statistics of the plaintext language are known
  12. 12. Chosen Cipher-Text -when attacker has access to the decryption device/software and decrypts chosen ciphertexts to discover the key -RSA gets whooped by this Birthday Attack -since a hash is a short representation of a message there are two messages that will give the same hash
  13. 13. Dictionary Attack -use dictionary words against a password file Replay Attack -meant to disrupt and damage processing by the attacker sending repeated files to the host Reverse Engineering
  14. 14. Factoring Attacks -aimed at RSA algorithms -since that algorithm uses the product of prime numbers to generate the public and private keys, this attack attempts to find the keys through solving the factoring of these numbers
  15. 15. Attacking the Random Number Generators -ability to guess nonces will greatly improve the attack success rate Temporary Files -most cryptosystems use temporary files to perform their calculations if the files are not cleared it may lead to it being broken
  16. 16. Implementation Attacks ☻Side Channel Analysis: rely on physical attributes of implementation ☻Fault Analysis: attempts to force the system into an error state ☻Probing Attacks: watch the circuitry surrounding the crypto module in hopes that the complementing components will disclose info
  17. 17. Network Sec an Cryptography Virtual Private Networks -goal of VPN is to provide confidentiality & data integrity of data transmission -site to site: deploys 2+ VPN servers or appliances that securely connect private networks together -remove access: securely connects a user’s computer to another user’s computer or VPN server -each VPN member must be configured to use the same cryptoparamerters
  18. 18. E-Commerce -crypto continues to enable trust between businesses and consumers IPSec -developed to provide security over Internet connections and prevent IP spoofing, eavesdropping, and misuse of IP based authentication -operates with IPv4 and IPv6
  19. 19. SSL/TLS -encrypts messages using symmetric algorithms, also calculates MAC
  20. 20. Application Security and Crypto -Email is the most common business communication, so it is important to secure Email protocols and standards ☻Privacy Enhanced Mail (PEM) RFC 1421-1424 -provides message integrity; message origin & authentication; confidentiality, has a sweet encapsulating boundry
  21. 21. ☻Pretty Good Privacy (PGP) -gives the user a choice of which encryption algorithm to use i.e. CAST, 3DES -establishes trust based on relationships ☻Secure/Multipurpose Internet Mail Extension S/MIME -provides signed & encrypted mail messages -similar to IPSec & SSL as it uses hash functions & as/symetric crypto
  22. 22. Public Key Infrastructure PKI -PKI is a set of system, software, and communication protocols required to use, manage, and control public key crypto. It has 3 primary purposes 1. Publish keys/Certs 2. Certify that a key is tied to an individual/entity 3. Provide Verification of the validity of a public key
  23. 23. -The CA “signs” an entities digital certificate to certify that the certificate accurately represents the certificate owner -Functions of a CA may be spread among several servers -CA can revoke certs & provide an update service to the other members of the PKI via a certificate revocation list (CRL), a list of non-valid certs that should not be accepted by any member of the PKI
  24. 24. -Set up a trusted public directory of keys, each user must register with the directory service, it could delete & add keys automatically -use public key certs, this can be done directly or thru a CA which would act as a trusted 3rd party
  25. 25. Certificate Related Issues -users may/will have to communicate with users from another CA, so CAs must have a method of crosscertifying one another -Business agreements & PKI policies are negotiated, then each CA signs the others public key, or root cert, thus establishing a cert chain -3 Basic Ways of constraining trust between CAs
  26. 26. 1. Path Length: Orgs can control whether their CA should trust any cross-cert relationships that have been established by CAs with orgs have cross-certed 2. Name: In peer-to-peer cross-cert, name constraints are used to limit trust to a subgroup of cross-certed CAs based on their distinguished name (DN) 3. Policy: can be used to limit trust only to those users in another CA who have certain policy values in their certs
  27. 27. Information Hiding Alternatives Steganography -hiding a message inside of another medium Watermarking -the addition of identifiable info into a file or document, this is often done to detect the improper copying or theft of info
  28. 28. Summary & Conclusion Crypto, use it or lose it.