More Related Content
Similar to CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
Similar to CompTIASecPLUS-Part6 - UnlimitedEdited.pptx (20)
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
- 2. Introduction to Cryptography
Copyright © www.ine.com
»Changes plain text to cipher text through the
use of an algorithm
»Protects the confidentiality and integrity of
data
»What type of data need protecting?
• Data-at-rest
• Data-in-use
• Data-in-motion
- 3. Introduction to Cryptography
Copyright © www.ine.com
»Encryption and decryption
»What is a cipher?
• Cesar Cipher
• Numerical shift
• Generate the key; for example, 3
• “Cesar” becomes “Fhvdu”
• Can be broken with cryptanalysis
- 4. Introduction to Cryptography
Copyright © www.ine.com
»What is an encryption key?
• Determines the output of the cipher
• Length determines strength
• Key exchange is needed for asymmetric encryption
• Public keys
• Freely distributed
• Private keys
• Always a secret
- 5. Introduction to Cryptography
Copyright © www.ine.com
»Symmetric key cryptography
»Symmetric algorithms
• Stream cipher
• Block cipher
»Can be used for non-repudiation
• Message authentication code
• Verifies the integrity of the message
- 6. Introduction to Cryptography
Copyright © www.ine.com
»Asymmetric key cryptography
• Uses different keys – the public/private key pair
• Keys are mathematically related but otherwise have
no relation
• The longer the key the stronger the encryption
• What one key encrypts the other decrypts
• Public encrypts, private decrypts (confidentiality)
• Private encrypts, public decrypts (non-repudiation, integrity)
- 7. Introduction to Cryptography
Copyright © www.ine.com
»Uses of asymmetric key cryptography
• Digital signatures
• Signing the message
– Create a message digest of the message
– Sign the message digest with sender’s private key
– Protects integrity
– Provides authentication and non-repudiation
• Encrypt the message
- 8. Introduction to Cryptography
Copyright © www.ine.com
»Uses of asymmetric key cryptography
• Digital certificates
• Utilizes a public key infrastructure
• Provides identity information
• Resistant to forgery
• Verified by a third party
• Trusted third party (COMODO, Symantec, Verisign)
• Used in SSL/TLS sessions
- 10. Symmetric Cryptographic Algorithms
Copyright © www.ine.com
»AES (Rijndael)
• Advanced Encryption Standard
• Adopted in 2002
• 128-, 192- and 256-bit
• Fast and uses minimal resources
• Multiple platform usage
• Wireless
• Data-in-transit
• Whole disk encryption
- 12. Asymmetric Cryptographic Algorithms
Copyright © www.ine.com
»Diffie-Hellman-Merkle
• First practical shared key cryptosystem
• Utilizes modular arithmetic and factorization of large
prime numbers
• Vulnerable to specific attacks
• Man-in-the-middle (MITM)
• Mitigation through authentication
• Perfect Forward Secrecy (PFS)
- 13. Asymmetric Cryptographic Algorithms
Copyright © www.ine.com
»Rivest-Shamir-Adleman (RSA)
• Used in e-commerce
• Works with SSL/TLS
• Can be used for digital signatures as well as
cryptography
• Slower than symmetric cryptography
• Longer key lengths
• Utilizes integer factorization
• What one key encrypts the other decrypts
- 14. Asymmetric Cryptographic Algorithms
Copyright © www.ine.com
»Rivest-Shamir-Adleman (RSA)
• Used in security tokens
• Trusted platform modules (TPM)
• Cryptoprocessor that integrates encryption keys
• Hardware security modules (HSM)
• External key management module
• Vulnerable to specific attacks
• Timing attacks
• Man-in-the-middle (MITM)
• Mitigation through padding
- 15. Asymmetric Cryptographic Algorithms
Copyright © www.ine.com
»Eliptic Curve Cryptography (ECC)
• Based on the structure of an elliptic curve
• Uses smaller keys
• Faster
• Used in mobile devices, smart cards, wireless
• Can be used with other algorithms
• Diffie-Hellman (ECDH)
• Digital Signature Algorithm (ECDSA)
- 16. Asymmetric Cryptographic Algorithms
Copyright © www.ine.com
»Elliptic Curve Cryptography (ECC)
• Vulnerabilities
• Side-channel attacks
– Leaked information from physical implementations
• Algorithm backdoors
• Quantum cryptanalysis
– Theoretical attack based on quantum physics
- 17. Other Cryptographic Algorithms
Copyright © www.ine.com
»One-Time Pad or Vernam Cipher
• Stream cipher
• Key is the same length as the plaintext
• The keystream is generated at random
• Keystream combined with the plaintext using a
bitwise XOR operation
• The only cryptosystem with theoretically perfect
secrecy
• Provides no information to the analyst
- 18. Other Cryptographic Algorithms
Copyright © www.ine.com
»One-Time Pad or Vernam Cipher
• Problems with the one-time pad
• Requires perfect randomness
• Cryptosystems will only be able to implement pseudo-
randomness
- 19. Other Cryptographic Algorithms
Copyright © www.ine.com
»Pretty Good Privacy (PGP)
• Uses
• Signing, encrypting, and decrypting emails
• Whole disk encryption
• File and instant message encryption
• Symmetric session key (PSK)
• Can use asymmetric encryption (RSA) for digital signatures
and encryption
• Supports openPGP and S/MIME
• Security is based on key size
- 20. Steganography – Hiding in Plain Sight
Copyright © www.ine.com
»Security through obscurity
»Modify the least significant bit
• Image
• Audio
• Video
»LACK
»HICCUPS
- 21. Hashing
Copyright © www.ine.com
»Generated through the use of a one-way
function
• Mathematical operation that converts a variable-sized
block of data into a fixed-length block of data
• A hash of a file, email, or other message can be generated
at the source
• This hash value is made public and can be compared by
anyone who views the file to ensure that no alterations
have been made
• Significant change in the hash value will result upon the
slightest change in the message
- 22. Hashing
Copyright © www.ine.com
»Types of cryptographic hash functions
• Message Digest 5
• Created by Ron Rivest
• 32-character output
• More susceptible to collisions
• Secure Hashing Algorithm
• Version 1 – 160-bit hash
• Version 2 – 256- to 512-bit block size
- 23. Hashing
Copyright © www.ine.com
»Types of cryptographic hash functions
• RIPEMD
• RACE Integrity Primitives Evaluation Message Digest
• 128-bit
• 160-bit
• HMAC
• Hash-based Message Authentication Code
• Uses MD5 or SHA for message authentication
- 26. Public Key Infrastructure
Copyright © www.ine.com
»Functions of the PKI
• Create, distribute, store, and revoke digital certificates
• System of users, hardware, encryption, policies, and
procedures
• Secure websites over SSL/TLS
• Email
• Securing remote connections
• Computers
• Networks
- 28. Public Key Infrastructure
Copyright © www.ine.com
»Components of the PKI
• Digital certificates
• Binds the user key to an identity for verification
• X509 Standard
• What does the X509 include?
• Certificate owner and their public key
• Certificate authorities
– Name
– Digital signature
– Serial number, issue date, expiration date
- 29. Public Key Infrastructure
Copyright © www.ine.com
»Components of the PKI
• What is the certificate authority?
• Issuing authority (trusted third party)
• Verifies the identity of the certificate recipient
• Maps the public key of the party to the identity
• Types of certificates
• One-to-one mapping
• One-to-many mapping
- 30. Public Key Infrastructure
Copyright © www.ine.com
»Components of the PKI
• Registration authority
• Verifies the request for the digital certificate
• Gives the “OK” for the CA to issue the certificate
• Certificate revocation list
• Updated every 24 hours
• Used to verify the validity of a digital certificate
• Online certificate status protocol (OCSP)
- 31. Public Key Infrastructure
Copyright © www.ine.com
»Components of the PKI
• Key escrow
• Used when data loss in unacceptable
• Key recovery agent
• Allows for the recovery of corrupted or lost keys
• Single and dual-sided certificates
• Best for smaller environments with limited sessions
- 32. Public Key Infrastructure
Copyright © www.ine.com
»Web of trust
• Decentralized model of trust
• Peer to peer
• No root certificate authority
• Certificates are self signed
• Users decide which certificates to trust
• Used by PGP
- 33. Secure Connection Types
Copyright © www.ine.com
» Email/communications
• PGP
• S/MIME
• IPSec
• SSH
» Website logins and e-commerce
• SSL/TLS
» Direct connections to other workstations
»Virtual connections to remote networks
• VPNs (PPTP/L2TP)
- 34. Secure Connection Protocols
Copyright © www.ine.com
»S/MIME
• Secure/Multi-purpose Internet Mail Extensions
• Developed by RSA
• Authentication/integrity/non-repudiation
• Uses unique session keys
• Relies on PKI
• Relies on certificate authorities
- 35. Secure Connection Protocols
Copyright © www.ine.com
»SSH
• Creates an encrypted channel between two
workstations or network devices
• Designed as a replacement for telnet
• Utilizes asymmetric key cryptography
• SSH Daemon and SSH Client
• Runs on port 22
- 37. Secure Connection Protocols
Copyright © www.ine.com
»Virtual Private Networks (VPNs)
• Enables secure remote connections
»PPTP
• Point-to-point tunneling protocol
• Encapsulates PPP packets
• Uses port 1723
- 39. Secure Connection Protocols
Copyright © www.ine.com
»IPSec
• Native to IPv6
• Security association
• Sub-protocols
• Internet Key Exchange (IKE)
• Authentication Header (AH)
• Encapsulating security payload (ESP)
• IP Payload Compression Protocol (IPComp)