http://www.enterprisegrc.com
CISSP Study Concepts for Security
Engineering and Cryptographic Lifecycle
Robin Basham, using materials from SANS, ISC2,
Effective security management practices
• Data classification
• Operational activities
• Safeguard selection
• Separation of duties
• Management security responsibilities
• Guidelines and procedures
• Risk assessment
• Policies and standards
• Security awareness
Bell-LaPadula – Confidentiality model
• Deals only with confidentiality; does not deal with integrity or availability
• (NO “I” or “EYE” is CONFIDENTIAL – can’t write to my boss’ level, subordinates who are down can’t read my level)
• Based on Government Classification – Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret, Top Secret
• A Trusted Subject can violate the * property
• Bell-LaPadula Security State is defined by three properties:
• Simple Security Property (ss Property) – no reading from lower subject to higher object (No Read Up). I don’t see above my class
• The * (star) Security Property – no writing from higher subject to lower object (No Write Down). I don’t author to a lower level of security
• Trusted Subject can violate the star property but not its intent
• Strong * property – no reading or writing to another level
• Discretionary Security Property – uses an Access Matrix to specify discretionary access control
• Remember the hyphen “-” is separation of duties
Writing and Reading Orders - Confidentiality
• No read up – it’s confidential, so I can’t see a command sent to my boss
• No write down – I only need to read what my boss sends me. A lower rank can’t see my orders. I can’t change classification to allow them that access. We are segregated.
Biba Integrity Model defined by three goals
1. Data protected from modification by unauthorized users
2. Data protected from unauthorized modification by authorized users
3. Data is internally and externally consistent.
Biba Integrity Model add on to BLP
• Lattice based; uses the less-than-or-equal-to relation
• A lattice structure is a set with a least upper bound (LUB) and a greatest lower bound (GLB)
• Lattice represents a set of integrity classes (IC) and an ordered relationship
• Lattice = (IC, LUB, GLB)
Integrity – who created this order – who classified this order?
Integrity Axioms
• The Simple Integrity Axiom – no reading of lower object from higher subject (No Read Down)
• The * (star) Integrity Axiom – no writing from lower subject to higher object (No Write Up)
• A subject at a lower level of integrity cannot invoke a subject at a higher level of integrity
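Added example (not part of the original slides): the Bell-LaPadula properties and the Biba axioms above written as access checks, so the two models can be compared on the same subject and objects. The function names and the reuse of one label order for both secrecy and integrity are assumptions made for the illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Classification order from the Bell-LaPadula slide, lowest to highest."""
    UNCLASSIFIED = 0
    SBU = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


def blp_allows(subject, obj, op, trusted=False, strong_star=False):
    """Bell-LaPadula (confidentiality) decision for op in {'read', 'write'}."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if strong_star:
        # Strong * property as the slide states it: no access to another level.
        return subject == obj
    if op == "read":
        return subject >= obj      # simple security property: no read up
    if trusted:
        return True                # a trusted subject may violate the * property
    return subject <= obj          # * property: no write down


def biba_allows(subject, obj, op):
    """Biba (integrity) decision for op in {'read', 'write', 'invoke'}."""
    if op == "read":
        return subject <= obj      # simple integrity axiom: no read down
    if op in ("write", "invoke"):
        return subject >= obj      # * axiom: no write up, no invoking a higher subject
    raise ValueError(f"unknown operation: {op}")


def combined(subject, obj, op):
    """Both models enforced at once, with one label used for secrecy and integrity."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def access_matrix(subject, model):
    """Map every object level to the set of operations `model` grants `subject`."""
    return {
        obj.name: {op for op in ("read", "write") if model(subject, obj, op)}
        for obj in Level
    }


if __name__ == "__main__":
    for name, model in (("BLP", blp_allows), ("Biba", biba_allows), ("both", combined)):
        print(name, access_matrix(Level.SECRET, model))
```

With a single label per subject and object, enforcing both models leaves access only at the subject's own level, which is why real systems carry separate confidentiality and integrity labels.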
Clark-Wilson Integrity Model (Integrity for
Commercial Environments)
Two elements: well formed
transaction and separation of duties.
 Developed in 1987 for use in real-
world commercial environment
 Addresses the three integrity goals
 Constrained Data Item (CDI) – A data
Item whose integrity is to be
preserved
 Integrity Verification Procedure
(IVP) – confirms that all CDIs have
integrity
 Transformation Procedure (TP) –
transforms a CDI from one integrity
state to another integrity state
 Unconstrained Data Item – data
items outside of the control area of
the modeled environment
 Requires Integrity Labels
Clark-Wilson Integrity Model
Information Flow Models
 Each object and subject is assigned
security class and value; info is
constrained to flow in directions that
are permitted by the security policy.
 Based on state machine and consists
of objects, state transitions and
lattice (flow policy) states.
 Object can be a user
 Each object is assigned a security
class and value
 Information is constrained to flow in
the directions permitted by the
policy
Non-interference Model
 Actions of group A using commands
C are not seen by users in Group B
using commands D
CISSP Study Concepts for Cryptographic Lifecycle (Selection)
• Cryptographic limitations
• Algorithm selection
• Protocol governance
• Key management
Algorithm Protocol Governance
• Approved cryptographic algorithms, key sizes
• Transition plans for weakened or compromised algorithms and keys
• Process – crypto systems, standards, what / how organization use cryptography
• Key Management – Generation, Escrow and Destruction
• Incident reporting for key loss or compromised cryptographic systems
Needed Component Parts to an Encryption Strategy
• Symmetric for confidentiality (DES, 3DES, IDEA, RC4, AES)
• Hashing for integrity (MD4, MD5, RIPEMD, SHA-1, SHA-2)
• Asymmetric for authentication (RSA, El Gamal, ECC elliptic curve crypto)
• Non Repudiation is Asymmetric plus Hashing – condition where a message hash is encrypted with the sender’s private key
Relationship of Encryption to Incidents and Threats
Integrity
  Threats: Modification of user data; Trojan horse browser; Modification of memory; Modification of message traffic in transit
  Consequences: Loss of information; Compromise of machine; Vulnerability to all other threats
  Countermeasures: Cryptographic checksums
Confidentiality
  Threats: Eavesdropping on the net; Theft of info from server; Theft of data from client; Info about network configuration; Info about which client talks to server
  Consequences: Loss of information; Loss of privacy
  Countermeasures: Encryption; Web proxies
Denial of Service
  Threats: Killing of user threads; Flooding machine with bogus requests; Filling up disk or memory; Isolating machine via DNS attacks
  Consequences: Disruptive ($$$); Annoying; Prevent user from getting work done
  Countermeasures: Rate limiter; IPS and rate based IPS; Blackholing/Sinkholing; Clean Pipes; Bogon Filtering; WAN Link Failover
Authentication
  Threats: Impersonation of legitimate users; Data forgery
  Consequences: Misrepresentation of user; Belief that false information is valid
  Countermeasures: Cryptographic techniques
Symmetric -
Confidentiality
• Secret Key
• Single or one key
• Requires secure channel
• Pre-shared key
• Asymmetric mode or
• Diffie Hellman Key
exchange
Asymmetric -
Authentication
• Public key crypto
• Dual or two key encryption
Hash - Integrity
• One way transformation
• No key
• Collision is when 2 inputs get
same output
Non Repudiation
• Digital Signatures
• Hash + Asymmetric
• Message hash encrypted
with sender’s private key
Elements needed for Encryption and Encryption Methods
Symmetric Encryption Systems
DES (Data Encryption Standard)
• DES is a block encryption algorithm using 64-bit blocks. It uses a 64-bit key: 56 bits of true key and 8 for parity. Characters are put through 16 rounds of transposition and substitution.
• Devised in 1972 as a derivation of the “Lucifer” system
• DES describes the DEA (Data Encryption Algorithm)
• FIPS PUB 46-1 (1977) and ANSI X3.92 (1981)
• 64-bit blocks, 56-bit key and 16 rounds of transformation
• Uses confusion and diffusion for encrypting plain text.
• Confusion – Conceals statistical connection between ciphertext and plain text. Uses non-linear substitution boxes (S-Boxes)
• Diffusion – Spreads the influence of a plain text character over many ciphertext characters.
DES has 4 distinct modes of operation
• Electronic Code Book (ECB) – It is a block cipher. Native encryption method for DES. Electronic codebook literally operates like a code book. For a given block of plaintext and a given key, the same set of ciphertext is always produced. ECB uses padding to round up to a 64-bit block boundary. ECB is used for small amounts of data such as challenge-response or key management. Not good for large amounts of data as patterns would eventually show.
• Cipher Block Chaining (CBC) – In Cipher Block Chaining, the value of the previous block processed is a part of the algorithm and key for the next block, so patterns are not revealed. This chaining effect means that a particular ciphertext block is dependent on all the blocks that came before it, not just the current block.
• Cipher Feedback Mode (CFB) – It is a stream cipher. Previously generated ciphertext is used as feedback into the key generation source to develop the next keystream. This mode is used when encrypting individual characters is required.
• Output Feedback Mode (OFB) – Similar to CFB, but stream cipher functions by generating a random stream of bits to be combined with the plaintext to create ciphertext. Requires initialization vector. Ciphertext is fed back to the algorithm to form a portion of the next input to encrypt the stream of bits.
DES 4 Distinct modes
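Added example (not part of the original slides): why ECB shows patterns and CBC does not, run over repeated 64-bit records. DES is not in the Python standard library, so the block cipher here is a toy 16-round Feistel network with HMAC-SHA256 as the round function; it stands in for DES only to show mode behaviour and is an assumption of this example, not a cipher to deploy.

```python
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit block, the DES block size
ROUNDS = 16    # same round count as DES; the round function below is NOT DES


def round_keys(key):
    """Derive one sub-key per round (toy key schedule)."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(ROUNDS)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, keys):
    left, right = block[:4], block[4:]
    for rk in keys:
        f = hmac.new(rk, right, hashlib.sha256).digest()[:4]
        left, right = right, xor(left, f)
    return right + left            # final swap: same routine decrypts with reversed keys


def encrypt_block(key, block):
    return feistel(block, round_keys(key))


def decrypt_block(key, block):
    return feistel(block, round_keys(key)[::-1])


def pad(data):
    """Round up to the 64-bit boundary; a full block is added if already aligned."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Every block is encrypted on its own: equal plaintext blocks give equal ciphertext.
    return b"".join(encrypt_block(key, b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(decrypt_block(key, b) for b in split_blocks(ciphertext)))


def cbc_encrypt(key, plaintext, iv=None):
    # Each plaintext block is XORed with the previous ciphertext block (IV first).
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, [iv]
    for b in split_blocks(pad(plaintext)):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)           # IV is sent in the clear as the first block


def cbc_decrypt(key, ciphertext):
    blocks = split_blocks(ciphertext)
    plain = [xor(decrypt_block(key, c), prev) for prev, c in zip(blocks, blocks[1:])]
    return unpad(b"".join(plain))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


KEY = b"constructed-demo-key"                               # constructed sample key
RECORDS = b"PAY=0100" * 4 + b"PAY=9999" + b"PAY=0100" * 3   # constructed 8-byte records


def demo():
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(KEY, RECORDS)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(KEY, RECORDS)),
        "ecb_same_every_time": ecb_encrypt(KEY, RECORDS) == ecb_encrypt(KEY, RECORDS),
        "cbc_same_every_time": cbc_encrypt(KEY, RECORDS) == cbc_encrypt(KEY, RECORDS),
    }


if __name__ == "__main__":
    print(demo())
```

An observer who sees only the ECB ciphertext can tell which records are identical and which one differs without knowing the key.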
Key Terms
• Symmetric algorithm – Encryption method where the sender and receiver use an instance of the same key for encryption and decryption purposes.
• Out-of-band method – Sending data through an alternate communication channel.
• Asymmetric algorithm – Encryption method that uses two different key types, public and private. Also called public key cryptography.
• Public key – Value used in public key cryptography that is used for encryption and signature validation that can be known by all parties.
• Private key – Value used in public key cryptography that is used for decryption and signature creation and known to only key owner.
• Public key cryptography – Asymmetric cryptography, which uses public and private key values for cryptographic functions.
• Block cipher – Symmetric algorithm type that encrypts chunks (blocks) of data at a time.
• Diffusion – Transposition processes used in encryption functions to increase randomness.
• Confusion – Substitution processes used in encryption functions to increase randomness.
• Avalanche effect – Algorithm design requirement so that slight changes to the input result in drastic changes to the output.
• Stream cipher – Algorithm type that generates a keystream (random values), which is XORd with plaintext for encryption purposes.
• Keystream generator – Component of a stream algorithm that creates random values for encryption purposes.
• Initialization vectors (IVs) – Values that are used with algorithms to increase randomness for cryptographic functions.
Triple DES (3DES)
Encrypting plaintext with one DES key and then encrypting it with a second DES key is no more secure than using a single DES key; therefore, Triple DES is used to obtain stronger encryption.
• DES-EDE2 – 2 keys are used. Encrypt with 1, decrypt with 2 and then encrypt with 1 again.
• DES-EEE2 – 2 keys used. Encrypt with 1, encrypt with 2, encrypt with 1.
• DES-EEE3 – 3 keys used. Encrypt with 1, encrypt with 2, encrypt with 3. Most secure, but requires 3 keys.
Advanced Encryption Standard (AES)
Uses the Rijndael block cipher and specifies three key sizes: 128, 192 or 256 bit. Choice of key determines encryption level. AES is the government standard for encrypting SBU information. Best suited for hardware encryption.
The number of rounds of transformation is a function of
the key size used
256 bit – 14 rounds.
192 bit – 12 rounds.
128 bit – 10 rounds.
Symmetric Algorithms that provide bulk (data)
Encryption services only
DES and 3DES
TwoFish
 128 bit blocks in 16 rounds. Key
lengths can be up to 256 bits.
BlowFish
 A block cipher operating on 64 bit
blocks with a key length of up to 448
bits. The blocks go through 16 rounds
of crypto functions.
IDEA
• IDEA stands for International Data Encryption Algorithm. It operates on 64-bit blocks and uses a 128-bit key. (cont)
Symmetric Algorithms that provide bulk (data) Encryption
services only
IDEA (cont)
 Performs 8 rounds on 16 bit sub-
blocks. Each 64 bit block is divided
into 16 smaller blocks and each block
has 8 rounds of mathematical
functions performed on it.
 IDEA is harder to crack than DES for
the same keysize and is used in PGP.
RC5
• Block cipher of variable block length. Key can be 0-2048 bits, blocks can be 32, 64 or 128 bits and the number of rounds can be 0 – 255. Created by Ron Rivest and patented by RSA data.
Asymmetric Encryption Algorithms – Authentication
and Public Key Crypto
RSA
• De facto standard for public encryption. Invented by Ron Rivest, Adi Shamir and Leonard Adleman. Developed at MIT. Security comes from the difficulty of factoring large numbers. Public and private key are functions of a pair of large prime numbers. RSA is used in many web browsers with SSL.
El-Gamal
• Extends Diffie-Hellman to apply to encryption and to digital signatures. Based on calculating discrete logarithms in a finite field.
Elliptical Curve Cryptosystem (ECC)
• Provides much of the same functionality as RSA: digital signatures, secure key distribution and encryption. ECC is very resource efficient – ideal for smaller devices. ECC provides higher protection with smaller keys than RSA. An ECC key of 160 bits is equivalent to a 1024-bit RSA key.
Asymmetric Encryption Algorithms
Public Key Cryptography
 Public key cryptography uses
asymmetric encryption for key
encryption and secret key
encryption for data. We use an
asymmetric algorithm to encrypt
the secret key.
Diffie-Hellman
 Used for key distribution, NOT
encryption and decryption.
Subjects can exchange session
keys over a non-secure medium
without exposing the keys.
Session-Key
 “Secret” key used for one data
exchange only. Usually randomly
generated then encrypted using
public cryptography
Public Key Infrastructure (PKI) – X.509
• PKI is an ISO authentication framework that uses public key cryptography and X.509 standard protocols.
• PKI provides authentication, confidentiality, non-repudiation and message integrity.
• The PKI infrastructure contains the pieces that will identify the user, distribute and maintain keys, distribute and maintain certificates and allow certificate revocation.
• Each individual taking part in PKI needs a digital signature signed by a CA.
• Some well-known Certification Authorities are Entrust and VeriSign. The old method of revocation is handled by the certificate revocation list (CRL).
• New revocation is via Online Certificate Status Protocol (OCSP)
PKI is made up of the following entities and functions
• Certification Authorities
• Registration Authorities
• Certificate Repository
• Certificate Revocation System
• Key backup and recovery system
• Automatic key update
• Management of key histories
• Cross-certification with other CAs
• Time stamping
• Client side software
Uses for PKI (Public Key Infrastructure)
• IPSec & VPN Authentication
• General User Authentication
• Code & Driver Signing
• Wireless Authentication
• Network Access Control Protection (NAC/NAP)
• Digital Signatures
LDAP, ISAKMP, IKE
• LDAP is the standard format for accessing certification repositories. Availability and Integrity of LDAP servers is a concern.
• ISAKMP – Internet Security Association and Key Management Protocol.
• IKE – ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley, combined.
In general
• ISAKMP defined the phases for establishing a secure relationship
• SKEME describes a secure exchange mechanism
• Oakley defined the modes of operation needed to establish a secure connection.
Bad Poodle
Can you match the exploit name to exploited protocol?
Exploit Vulnerability
A. RC4 - does not require MITM, passive sniffing or eavesdropping, also vulnerable to MITM
B. SSL 3.0 enables MITM - must be disabled, was already replaced by TLS 1.0, only works while victim is online and attacker is near
C. OpenSSL - missing bound check during TLS heartbeat, eavesdrop web, email, IM, VPN, reads system memory to get secret keys used to encrypt traffic, names, passwords, content.
D. *NIX OS, exploited via CGI, attacker can tack-on malicious code to the environment variable
E. Factoring Attack on RSA-EXPORT - weak cipher suite SSLv3
F. TLS 1.0 browser reveals session id; JavaScript compares block cipher msg hash and deduces IV out of CBC - steal first block before XOR
G. TLS 1.0 and SPDY Compression Ratio Info-Leak Mass Exploitation
H. Schannel - remote code execution vulnerability
D Bash Bug ShellShock
H WinShock
C Heartbleed
B POODLE (Padding Oracle On Downgraded Legacy Encryption)
E Freak
G Crime
F Beast
A Bar Mitzvah
Denial-of-Service Attacks
Prevents a system from processing or responding to
legitimate traffic
Transmits data packets
Exploits a known fault in an OS, service or application
Results in system crash or CPU at 100%
Distributed reflective denial of service DRDoS
Reflected approach, rather than direct to victim,
manipulates traffic so that attack is reflected back to victim
from other sources
Example: DNS Poisoning and SMURF
Smurf and Fraggle Attacks
A smurf attack is another type of flood attack, but it floods the
victim with Internet Control Message Protocol (ICMP) echo
packets instead of with TCP SYN packets. More specifically, it is a
spoofed broadcast ping request using the IP address of the
victim as the source IP address. Ping uses ICMP to check
connectivity with remote systems.
Normally, ping sends an echo request to a single system, and the
system responds with an echo reply. However, in a smurf attack
the attacker sends the echo request out as a broadcast to all
systems on the network and spoofs the source IP address. All
these systems respond with echo replies to the spoofed IP
address, flooding the victim with traffic.
Smurf amplifier
 Smurf attacks take advantage of an amplifying network (also called a smurf amplifier)
by sending a directed broadcast through a router. All systems on the amplifying
network then attack the victim. However, RFC 2644, released in 1999, changed the
standard default for routers so that they do not forward directed broadcast traffic.
When administrators correctly configure routers in compliance with RFC 2644, a
network cannot be an amplifying network. This limits smurf attacks to a single
network. Additionally, it’s becoming common to disable ICMP on firewalls, routers,
and even many servers to prevent any type of attacks using ICMP. When standard
security practices are used, smurf attacks are rarely a problem today.
Fraggle
Fraggle attacks are similar to smurf attacks. However,
instead of using ICMP, a fraggle attack uses UDP packets
over UDP ports 7 and 19.
The fraggle attack will broadcast a UDP packet using the
spoofed IP address of the victim. All systems on the
network will then send traffic to the victim, just as with a
smurf attack.
La la, lala lah la, la la la ladi dah (smurf song)
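Added example (not part of the original slides): detection logic for the smurf and fraggle patterns described above, run over constructed flow records. The key=value record format, the local network list and the reply threshold are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed local segments; replace with the networks you actually route.
LOCAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
FRAGGLE_PORTS = {7, 19}        # UDP echo and chargen, the ports named above
REPLY_SOURCE_THRESHOLD = 3     # unsolicited repliers to one host before alerting

# Constructed sample records (not captured traffic), one flow per line.
SAMPLE_LOG = """\
proto=icmp type=8 src=203.0.113.9 dst=192.0.2.255
proto=icmp type=8 src=192.0.2.10 dst=192.0.2.20
proto=udp dport=19 src=203.0.113.9 dst=198.51.100.127
proto=udp dport=53 src=192.0.2.10 dst=192.0.2.255
proto=udp dport=7 src=203.0.113.77 dst=255.255.255.255
proto=icmp type=0 src=192.0.2.11 dst=203.0.113.9
proto=icmp type=0 src=192.0.2.12 dst=203.0.113.9
proto=icmp type=0 src=192.0.2.13 dst=203.0.113.9
proto=icmp type=0 src=192.0.2.20 dst=192.0.2.10
"""


def parse(line):
    """Turn 'k=v k=v ...' into a dict of strings."""
    return dict(field.split("=", 1) for field in line.split())


def is_broadcast(dst):
    """True for the limited broadcast or the directed broadcast of a local net."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def detect(log):
    """Return alerts as (kind, address, detail) tuples in the order found."""
    alerts = []
    requested = set()                   # (requester, target) of unicast echo requests
    reply_sources = defaultdict(set)    # host -> sources of unsolicited echo replies
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        proto, src, dst = rec["proto"], rec["src"], rec["dst"]
        if proto == "icmp" and rec["type"] == "8":
            if is_broadcast(dst):
                # The source is spoofed, so it names the intended victim.
                alerts.append(("smurf-request", src, dst))
            else:
                requested.add((src, dst))
        elif proto == "udp" and int(rec["dport"]) in FRAGGLE_PORTS and is_broadcast(dst):
            alerts.append(("fraggle-request", src, dst))
        elif proto == "icmp" and rec["type"] == "0":
            if (dst, src) not in requested:
                reply_sources[dst].add(src)
    for host, sources in sorted(reply_sources.items()):
        if len(sources) >= REPLY_SOURCE_THRESHOLD:
            alerts.append(("reply-flood", host, len(sources)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first two alert kinds fire on the amplifying network, where RFC 2644-compliant routers should already be dropping the directed broadcast; the reply-flood alert is what the victim's side sees.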
Botnets
Robots or Zombies, introduced through malware, often
browser based
Allows a herder to send instructions to the computer
Examples
Gameover Zeus (GOZ),
CryptoLocker ransomware
Simda
Esthost DNS Changer
Ping of Death – Teardrop and Land Attacks
POD
Oversized packets, changes size of packets to over 64KB
Results in crash, buffer overflow
Rarely successful today
Teardrop
Fragments traffic so data can’t be put back together
Land Attacks
Sends spoofed SYN packets as both source and destination
SSLv3 is broken
What is SSLv3
Performs a security-related function and applies
cryptographic methods, often as sequences of
cryptographic primitives.
A protocol describes how the algorithms should be used. A
sufficiently detailed protocol includes details about data
structures and representations, at which point it can be
used to implement multiple, interoperable versions of a
program.
What is SSL and how did it get here?
Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred
to as 'SSL', are cryptographic protocols designed to
provide communications security over a computer
network.
Security protocol (cryptographic protocol or encryption
protocol)
Cryptographic protocols are widely used for secure
application-level data transport. A cryptographic protocol
usually incorporates at least some of these aspects:
Key agreement or establishment
Entity authentication
Symmetric encryption and message authentication material
construction
Secured application-level data transport
Security protocol (cryptographic protocol or encryption
protocol)
 Non-repudiation methods
 Secret sharing methods
 Secure multi-party computation
 For example, Transport Layer Security (TLS) is a cryptographic
protocol that is used to secure web (HTTP/HTTPS)
connections. It has an entity authentication mechanism,
based on the X.509 system; a key setup phase, where a
symmetric encryption key is formed by employing public-key
cryptography; and an application-level data transport
function. These three aspects have important
interconnections. Standard TLS does not have non-
repudiation support.
SSL Client to SSL Server Encryption and Key Exchange
1. Client Web Request – SSL Client sends “Hello”
2. Server Responds – SSL Server sends “Hello”; sends Server certificate & optional “client certificate request”
3. Client validates certificate and crypto – SSL Client verifies server certificate; checks cryptographic parameters
4. Client encrypts session key – SSL client sends secret key information (encrypted with server public key)
5. Session key exchange – SSL Client sends certificate
6. Server decrypts the session key – If required, SSL Server verifies client certificate
7. Encrypted messages are exchanged – SSL client “finished”; SSL Server “finished”
Ring Layer Protection in Computing Systems

2012 Summer Conference Brochure
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
Green Tech
Green TechGreen Tech
Green Tech
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 

Recently uploaded (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 

Cryptographic lifecycle security training

  • 1. http://www.enterprisegrc.com CISSP Study Concepts for Security Engineering and Cryptographic Lifecycle Robin Basham, using materials from SANS, ISC2,
  • 3. Bell-LaPadula – Confidentiality model
      • Only deals with confidentiality; does not deal with integrity or availability
      • (NO “I” or “EYE” is CONFIDENTIAL – can’t write to my boss’ level, subordinates who are down can’t read my level)
      • Based on Government Classification – Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret, Top Secret
      • A Trusted Subject can violate the * property
      • Bell-LaPadula Security State Defined by three properties:
          • Simple Security Property (ss Property) – no reading from lower subject to higher object (No Read Up) I don’t see above my class
          • The * (star) security Property – No writing from higher subject to lower object (No write Down) I don’t author to a lower level of security
              • Trusted Subject can violate the star property but not its intent
              • Strong * property – no reading or writing to another level
          • Discretionary Security Property – Uses Access Matrix to specify discretionary access control
      • Remember the hyphen “-” is separation of duties
  • 4. Writing and Reading Orders - Confidentiality
      • No read up – it’s confidential so I can’t see a command sent to my boss
      • No write down – I only need to read what my boss sends me. A lower rank can’t see my orders. I can’t change classification to allow them that access. We are segregated.
  • 5. Biba Integrity Model defined by three goals
      1. Integrity Data protected from modification by unauthorized users
      2. Data protected from unauthorized modification by authorized users
      3. Data is internally and externally consistent.
    Biba Integrity Model add on to BLP
      • Lattice Based, uses less than or equal to relation
      • A lattice structure is a set with a least upper bound (LUB) and a greatest lower bound (GLB)
      • Lattice represents a set of integrity classes (IC) and an ordered relationship
      • Lattice = (IC, LUB, GLB)
  • 6. Integrity – who created this order – who classified this order? Integrity Axioms
      • The Simple Integrity Axiom – no reading of lower object from higher subject (No Read Down)
      • The * (star) Integrity Axiom – No writing from lower subject to higher object (No write Up)
      • A subject at a lower level of integrity cannot invoke a subject at a higher level of integrity
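The Bell-LaPadula properties and Biba axioms from slides 3 to 6, written as access checks. This is an added example, not part of the original slides; the function names are hypothetical, and reusing the classification ladder as the integrity ladder is an assumption made so the two models can be compared side by side.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Government classification ladder from slide 3, lowest to highest.
    Assumption: the same ladder is reused here as the Biba integrity ladder."""
    UNCLASSIFIED = 0
    SBU = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


def blp_allows(subject, obj, op, trusted=False, strong_star=False):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if strong_star:
        return subject == obj             # strong *: same level only
    if op == "read":
        return subject >= obj             # simple security property
    return trusted or subject <= obj      # * property; trusted subject exempt


def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up, no invoking upward."""
    if op == "read":
        return subject <= obj             # simple integrity axiom
    if op in ("write", "invoke"):
        return subject >= obj             # * integrity axiom / invocation rule
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject, obj, op):
    """Enforce both models using one label for secrecy and integrity."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def access_matrix(check):
    """Map every (subject, object) level pair to 'rw', 'r-', '-w' or '--'."""
    matrix = {}
    for s, o in product(Level, Level):
        r = "r" if check(s, o, "read") else "-"
        w = "w" if check(s, o, "write") else "-"
        matrix[(s, o)] = r + w
    return matrix


def render(matrix):
    """Format a matrix as text: rows are subjects, columns are objects."""
    rows = [" " * 14 + " ".join(f"{o.name[:4]:>4}" for o in Level)]
    for s in Level:
        cells = " ".join(f"{matrix[(s, o)]:>4}" for o in Level)
        rows.append(f"{s.name:<14}{cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    for title, check in (("Bell-LaPadula", blp_allows),
                         ("Biba", biba_allows),
                         ("Both, same label", both_allow)):
        print(title)
        print(render(access_matrix(check)))
        print()
```

The third matrix shows why the two models are normally given separate labels: with a single label, enforcing both leaves only same-level reads and writes.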
  • 7. Clark-Wilson Integrity Model (Integrity for Commercial Environments)
    Two elements: well formed transaction and separation of duties.
      • Developed in 1987 for use in real-world commercial environment
      • Addresses the three integrity goals
      • Constrained Data Item (CDI) – A data item whose integrity is to be preserved
      • Integrity Verification Procedure (IVP) – confirms that all CDIs have integrity
      • Transformation Procedure (TP) – transforms a CDI from one integrity state to another integrity state
      • Unconstrained Data Item – data items outside of the control area of the modeled environment
      • Requires Integrity Labels
  • 8. Clark-Wilson Integrity Model
    Information Flow Models
      • Each object and subject is assigned security class and value; info is constrained to flow in directions that are permitted by the security policy.
      • Based on state machine and consists of objects, state transitions and lattice (flow policy) states.
      • Object can be a user
      • Each object is assigned a security class and value
      • Information is constrained to flow in the directions permitted by the policy
    Non-interference Model
      • Actions of group A using commands C are not seen by users in Group B using commands D
  • 10. (Selection) Approved cryptographic algorithms key sizes Transition plans for weakened compromised algorithms and keys Process crypto systems, standards what / how organization use cryptography Key Management Generation Escrow and Destruction Incident reporting for key loss or compromised cryptographic systems Algorithm Protocol Governance
  • 11. Needed Component Parts to an Encryption Strategy
      • Symmetric for confidentiality (DES, 3DES, IDEA, RC4, AES)
      • Hashing for integrity (MD4, MD5, RIPEMD, SHA-1, SHA-2)
      • Asymmetric for authentication (RSA, El Gamal, ECC elliptic curve crypto)
      • Non Repudiation is Asymmetric plus Hashing – condition where a message is hash encrypted with the sender’s private key
  • 12. Relationship of Encryption to Incidents and Threats
      • Integrity
          • Threats: Modification of user data; Trojan horse browser; Modification of memory; Modification of message traffic in transit
          • Consequences: Loss of information; Compromise of machine; Vulnerability to all other threats
          • Countermeasures: Cryptographic checksums
      • Confidentiality
          • Threats: Eavesdropping on the net; Theft of info from server; Theft of data from client; Info about network configuration; Info about which client talks to server
          • Consequences: Loss of information; Loss of privacy
          • Countermeasures: Encryption; Web proxies
      • Denial of Service
          • Threats: Killing of user threads; Flooding machine with bogus requests; Filling up disk or memory; Isolating machine via DNS attacks
          • Consequences: Disruptive ($$$); Annoying; Prevent user from getting work done
          • Countermeasures: Rate limiter; IPS and rate based IPS; Blackholing/Sinkholing; Clean Pipes; Bogon Filtering; WAN Link Failover
      • Authentication
          • Threats: Impersonation of legitimate users; Data forgery
          • Consequences: Misrepresentation of user; Belief that false information is valid
          • Countermeasures: Cryptographic techniques
  • 13. Elements needed for Encryption and Encryption Methods
      • Symmetric - Confidentiality
          • Secret Key
          • Single or one key
          • Requires secure channel
          • Pre-shared key
          • Asymmetric mode or
          • Diffie Hellman Key exchange
      • Asymmetric - Authentication
          • Public key crypto
          • Dual or two key encryption
      • Hash - Integrity
          • One way transformation
          • No key
          • Collision is when 2 inputs get same output
      • Non Repudiation
          • Digital Signatures
          • Hash + Asymmetric
          • Message hash encrypted with sender’s private key
  • 14. Symmetric Encryption Systems: DES (Data Encryption Standard)
      • DES is a block encryption algorithm using 64-bit blocks. It uses a 64-bit key: 56 bits of true key and 8 for parity. Characters are put through 16 rounds of transposition and substitution.
      • Devised in 1972 as a derivation of the “Lucifer” system
      • DES describes the DEA (Data Encryption Algorithm)
      • FIPS PUB 46-1 (1977) and ANSI X3.92 (1981)
      • 64-bit blocks, 56-bit key and 16 rounds of transformation
      • Uses confusion and diffusion for encrypting plain text.
          • Confusion: Conceals statistical connection between ciphertext and plain text. Uses non-linear substitution boxes (S-Boxes)
          • Diffusion: Spreads the influence of a plain text character over many ciphertext characters.
  • 15. DES has 4 distinct modes of operation
      • Electronic Code Book (ECB): It is a block cipher. Native encryption method for DES. Electronic codebook literally operates like a code book. For a given block of plaintext and a given key, the same set of ciphertext is always produced. ECB uses padding to round up to a 64 bit block boundary. ECB is used for small amounts of data such as challenge-response or key management. Not good for large amounts of data as patterns would eventually show.
      • Cipher Block Chaining (CBC): In Cipher Block Chaining, the value of the previous block processed is a part of the algorithm and key for the next block, so patterns are not revealed. This chaining effect means that a particular ciphertext block is dependent on all the blocks that came before it, not just the current block.
      • Cipher Feedback Mode (CFB): It is a stream cipher. Previously generated ciphertext is used as feedback into the key generation source to develop the next keystream. This mode is used when encrypting individual characters is required.
      • Output Feedback Mode (OFB): Similar to CFB, but stream cipher functions by generating a random stream of bits to be combined with the plaintext to create ciphertext. Requires initialization vector. Ciphertext is fed back to the algorithm to form a portion of the next input to encrypt the stream of bits.
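The ECB pattern leak and the CBC chaining effect from slide 15, made measurable. This is an added example, not part of the original slides: the block cipher is a toy 16-round Feistel network over 64-bit blocks built from SHA-256 (it is not DES and not for production use), and the key, IV, sample records and function names are constructed for the demonstration.

```python
import hashlib

BLOCK = 8    # 64-bit blocks, the DES block size
ROUNDS = 16  # 16 Feistel rounds, the DES round count
KEY = b"constructed demo key"            # constructed sample key
IV = bytes.fromhex("0123456789abcdef")   # fixed for repeatability; use a fresh random IV per message
SAMPLE = b"PAY 100;" * 6 + b"PAY 999;"   # constructed records, one per block


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key):
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def feistel(block, keys):
    """Run the Feistel rounds with the given key order, then swap halves."""
    left, right = block[:4], block[4:]
    for rk in keys:
        left, right = right, xor(left, hashlib.sha256(rk + right).digest()[:4])
    return right + left


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    return feistel(block, list(reversed(round_keys(key))))


def pad(data):
    """Pad up to the 64-bit block boundary (PKCS#7 style)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext, key):
    """ECB: each block is encrypted on its own, like a code book lookup."""
    return b"".join(encrypt_block(b, key) for b in blocks(pad(plaintext)))


def ecb_decrypt(ciphertext, key):
    return unpad(b"".join(decrypt_block(c, key) for c in blocks(ciphertext)))


def cbc_encrypt(plaintext, key, iv):
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Count blocks that duplicate an earlier block (an ECB tell-tale)."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))


def changed_blocks(a, b):
    """Count block positions at which two equal-length ciphertexts differ."""
    return sum(x != y for x, y in zip(blocks(a), blocks(b)))


if __name__ == "__main__":
    edited = b"PAY 101;" + SAMPLE[BLOCK:]   # change only the first record
    ecb, cbc = ecb_encrypt(SAMPLE, KEY), cbc_encrypt(SAMPLE, KEY, IV)
    print("repeated blocks  ECB:", repeated_blocks(ecb), " CBC:", repeated_blocks(cbc))
    print("blocks changed by editing record 1  ECB:",
          changed_blocks(ecb, ecb_encrypt(edited, KEY)),
          " CBC:", changed_blocks(cbc, cbc_encrypt(edited, KEY, IV)))
```

Counting repeated ciphertext blocks is also a quick review check for data that was encrypted in ECB mode by mistake.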
  • 16. Key Terms
      • Symmetric algorithm: Encryption method where the sender and receiver use an instance of the same key for encryption and decryption purposes.
      • Out-of-band method: Sending data through an alternate communication channel.
      • Asymmetric algorithm: Encryption method that uses two different key types, public and private. Also called public key cryptography.
      • Public key: Value used in public key cryptography that is used for encryption and signature validation that can be known by all parties.
      • Private key: Value used in public key cryptography that is used for decryption and signature creation and known to only key owner.
      • Public key cryptography: Asymmetric cryptography, which uses public and private key values for cryptographic functions.
      • Block cipher: Symmetric algorithm type that encrypts chunks (blocks) of data at a time.
      • Diffusion: Transposition processes used in encryption functions to increase randomness.
      • Confusion: Substitution processes used in encryption functions to increase randomness.
      • Avalanche effect: Algorithm design requirement so that slight changes to the input result in drastic changes to the output.
      • Stream cipher: Algorithm type that generates a keystream (random values), which is XORd with plaintext for encryption purposes.
      • Keystream generator: Component of a stream algorithm that creates random values for encryption purposes.
      • Initialization vectors (IVs): Values that are used with algorithms to increase randomness for cryptographic functions.
  • 17. Triple DES (3DES)
    Encrypting plaintext with one DES key and then encrypting it with a second DES key is no more secure than using a single DES key; therefore, Triple DES is used to obtain stronger encryption.
      • DES-EDE2: 2 keys are used. Encrypt with 1, decrypt with 2 and then encrypt with 1 again.
      • DES-EEE2: 2 keys used. Encrypt with 1, encrypt with 2, encrypt with 1.
      • DES-EEE3: 3 keys used. Encrypt with 1, encrypt with 2, encrypt with 3. Most secure, but requires 3 keys.
  • 18. Advanced Encryption Standard (AES)
      • Uses the Rijndael block cipher; specifies three key sizes: 128, 192 or 256 bit. Choice of key determines encryption level.
      • AES is the government standard for encrypting SBU information. Best suited for hardware encryption.
      • The number of rounds of transformation is a function of the key size used:
          • 256 bit – 14 rounds
          • 192 bit – 12 rounds
          • 128 bit – 10 rounds
  • 19. Symmetric Algorithms that provide bulk (data) Encryption services only
      • DES and 3DES
      • TwoFish: 128 bit blocks in 16 rounds. Key lengths can be up to 256 bits.
      • BlowFish: A block cipher operating on 64 bit blocks with a key length of up to 448 bits. The blocks go through 16 rounds of crypto functions.
      • IDEA: IDEA stands for International Data Encryption Algorithm. It operates on 64 bit blocks and uses a 128 bit key. (cont)
  • 20. Symmetric Algorithms that provide bulk (data) Encryption services only
      • IDEA (cont): Performs 8 rounds on 16 bit sub-blocks. Each 64 bit block is divided into 16 smaller blocks and each block has 8 rounds of mathematical functions performed on it.
      • IDEA is harder to crack than DES for the same keysize and is used in PGP.
      • RC5: Block cipher of variable block length. Key can be 0-2048 bits, blocks can be 32, 64 or 128 bits and the number of rounds can be 0 – 255. Created by Ron Rivest and patented by RSA data.
  • 21. Asymmetric Encryption Algorithms – Authentication and Public Key Crypto
      • RSA: De facto standard for public encryption. Invented by Ron Rivest, Adi Shamir and Leonard Adleman. Developed at MIT. Security comes from the difficulty of factoring large numbers. Public and private key are functions of a pair of large prime numbers. RSA is used in many web browsers with SSL.
      • El-Gamal: Extends Diffie-Hellman to apply to encryption and digital signatures. Based on calculating discrete logarithms in a finite field.
      • Elliptical Curve Cryptosystem (ECC): Provides much of the same functionality as RSA: digital signatures, secure key distribution and encryption. ECC is very resource efficient – ideal for smaller devices. ECC provides higher protection with smaller keys than RSA. An ECC key of 160 bits is equivalent to a 1024-bit RSA key.
  • 22. Asymmetric Encryption Algorithms
      • Public Key Cryptography: Public key cryptography uses asymmetric encryption for key encryption and secret key encryption for data. We use an asymmetric algorithm to encrypt the secret key.
      • Diffie-Hellman: Used for key distribution, NOT encryption and decryption. Subjects can exchange session keys over a non-secure medium without exposing the keys.
      • Session-Key: “Secret” key used for one data exchange only. Usually randomly generated then encrypted using public cryptography
  • 23. Public Key Infrastructure (PKI) – X.509
      • PKI is an ISO authentication framework that uses public key cryptography and X.509 standard protocols.
      • PKI provides authentication, confidentiality, non-repudiation and message integrity.
      • The PKI infrastructure contains the pieces that will identify the user, distribute and maintain keys, distribute and maintain certificates and allow certificate revocation.
      • Each individual taking part in PKI needs a digital signature signed by a CA.
      • Some well-known Certification Authorities are Entrust and VeriSign. The old method of revocation is handled by the certification revocation list (CRL).
      • New revocation is via Online Certificate Status Protocol (OCSP)
  • 24. PKI is made up of the following entities and functions
      • Certification Authorities
      • Registration Authorities
      • Certificate Repository
      • Certificate Revocation System
      • Key backup and recovery system
      • Automatic key update
      • Management of key histories
      • Cross-certification with other CAs
      • Time stamping
      • Client side software
  • 25. Uses for PKI (Public Key Infrastructure)
      • IPSec & VPN Authentication
      • General User Authentication
      • Code & Driver Signing
      • Wireless Authentication
      • Network Access Control Protection (NAC/NAP)
      • Digital Signatures
  • 26. LDAP, ISAKMP, IKE
      • LDAP is the standard format for accessing certification repositories. Availability and Integrity of LDAP servers is a concern.
      • ISAKMP: Internet Security Association and Key Management Protocol.
      • IKE: ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley, combined.
    In general
      • ISAKMP defined the phases for establishing a secure relationship
      • SKEME describes a secure exchange mechanism
      • Oakley defined the modes of operation needed to establish a secure connection.
  • 28. Can you match the exploit name to exploited protocol?
    Vulnerability
      • A. RC4 - does not require MITM, passive sniffing or eavesdropping, also vulnerable to MITM
      • B. SSL 3.0 enables MITM - must be disabled, was already replaced by TLS 1.0, only works while victim is online and attacker is near
      • C. OpenSSL - missing bound check during TLS heartbeat, eavesdrop web, email, IM, VPN, reads system memory to get secret keys used to encrypt traffic, names, passwords, content.
      • D. *NIX OS, exploited via CGI, attacker can tack-on malicious code to the environment variable
      • E. Factoring Attack on RSA-EXPORT - weak cipher suite SSLv3
      • F. TLS 1.0 browser reveals session ID; JavaScript compares block cipher msg hash and deduces IV out of CBC - steal first block before XOR
      • G. TLS 1.0 and SPDY Compression Ratio Info-Leak Mass Exploitation
      • H. Schannel - remote code execution vulnerability
    Exploit
      • D: Bash Bug ShellShock
      • H: WinShock
      • C: Heartbleed
      • B: POODLE (Padding Oracle On Downgraded Legacy Encryption)
      • E: Freak
      • G: Crime
      • F: Beast
      • A: Bar Mitzvah
  • 29.
  • 30. Denial-of-Service Attacks
      • Prevents a system from processing or responding to legitimate traffic
      • Transmits data packets
      • Exploits a known fault in an OS, service or application
      • Results in system crash or CPU at 100%
  • 31. Distributed reflective denial of service (DRDoS)
      • Reflected approach: rather than going direct to the victim, manipulates traffic so that the attack is reflected back to the victim from other sources
      • Example: DNS Poisoning and SMURF
  • 32. Smurf and Fraggle Attacks A smurf attack is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets. More specifically, it is a spoofed broadcast ping request using the IP address of the victim as the source IP address. Ping uses ICMP to check connectivity with remote systems. Normally, ping sends an echo request to a single system, and the system responds with an echo reply. However, in a smurf attack the attacker sends the echo request out as a broadcast to all systems on the network and spoofs the source IP address. All these systems respond with echo replies to the spoofed IP address, flooding the victim with traffic.
  • 33. Smurf amplifier: Smurf attacks take advantage of an amplifying network (also called a smurf amplifier) by sending a directed broadcast through a router. All systems on the amplifying network then attack the victim. However, RFC 2644, released in 1999, changed the standard default for routers so that they do not forward directed broadcast traffic. When administrators correctly configure routers in compliance with RFC 2644, a network cannot be an amplifying network. This limits smurf attacks to a single network. Additionally, it’s becoming common to disable ICMP on firewalls, routers, and even many servers to prevent any type of attacks using ICMP. When standard security practices are used, smurf attacks are rarely a problem today.
  • 34. Fraggle Fraggle attacks are similar to smurf attacks. However, instead of using ICMP, a fraggle attack uses UDP packets over UDP ports 7 and 19. The fraggle attack will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack. La la, lala lah la, la la la ladi dah (smurf song)
  • 35. Botnets
      • Robots or Zombies, introduced through malware, often browser based
      • Allows a herder to send instructions to the computer
      • Examples: Gameover Zeus (GOZ), CryptoLocker ransomware, Simda, Esthost DNS Changer
  • 36. Ping of Death – Teardrop and Land Attacks
      • POD: Oversized packets, changes size of packets to over 64KB. Results: crash, buffer overflow. Rarely successful today.
      • Teardrop: Fragments traffic so data can’t be put back together
      • Land Attacks: Sends spoofed SYN packets as both source and destination
  • 37. SSLv3 is broken
    What is SSLv3
      • Performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives.
      • A protocol describes how the algorithms should be used.
      • A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.
  • 38. What is SSL and how did it get here? Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
  • 39. Security protocol (cryptographic protocol or encryption protocol)
    Cryptographic protocols are widely used for secure application-level data transport. A cryptographic protocol usually incorporates at least some of these aspects:
      • Key agreement or establishment
      • Entity authentication
      • Symmetric encryption and message authentication material construction
      • Secured application-level data transport
  • 40. Security protocol (cryptographic protocol or encryption protocol)
      • Non-repudiation methods
      • Secret sharing methods
      • Secure multi-party computation
      • For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTP/HTTPS) connections. It has an entity authentication mechanism, based on the X.509 system; a key setup phase, where a symmetric encryption key is formed by employing public-key cryptography; and an application-level data transport function. These three aspects have important interconnections. Standard TLS does not have non-repudiation support.
  • 41. SSL Client to SSL Server Encryption and Key Exchange
      1. Client Web Request: SSL Client sends “Hello”
      2. Server Responds: SSL Server sends “Hello”; sends Server certificate & optional “client certificate request”
      3. Client validates certificate and crypto: SSL Client verifies server certificate; checks cryptographic parameters
      4. Client encrypts session key: SSL client sends secret key information (encrypted with server public key)
      5. Session key exchange: SSL Client sends certificate
      6. Server decrypts the session key: If required, SSL Server verifies client certificate
      7. Encrypted messages are exchanged: SSL client “finished”; SSL Server “finished”
  • 42. Ring Layer Protection in Computing Systems