PACE-IT, Security+ 6.2: Cryptographic Methods (part 2)

Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
 PC Hardware
 Network Administration
 IT Project Management
 Network Design
 User Training
 IT Troubleshooting
Qualifications Summary
Education
 M.B.A., IT Management, Western Governor’s University
 B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.

PACE-IT.
– Key stretching.
– Cryptographic implementations.

Cryptographic methods II.

The greatest vulnerability in
any cryptographic
implementation tends to be
in the security key that is
used in the process.
In many cases, the security key is either a password
or passphrase that is used in the cryptographic
process. Both passwords and passphrases—when
used on their own—are susceptible to brute force
type attacks, leading to a weakness in the
cryptography.
The solution to this is to use a process called key
stretching (key strengthening) to harden the keys
against these attacks. With key stretching, the
password or passphrase is processed by an algorithm to
strengthen the password by increasing the complexity of
the key. Two popular algorithms used for key stretching
are bcrypt and PBKDF2 (Password-Based Key
Derivation Function 2).

– One-time pad (OTP).
» A symmetrical cryptographic encryption method in which a
random security key is used to encrypt a message only one
time.
• It is particularly resistant to hacking, as the key will change
with every message that is sent.
• When the random key used is the same length as the
message, it is even more difficult to break.
– DES (Data Encryption Standard).
» A symmetrical cryptographic encryption standard developed by
the U.S. government.
• It is a block cipher (encrypts complete blocks of data) that
utilizes a 56-bit encryption algorithm; it is not considered
secure.
– 3DES (Triple DES).
» An improvement on DES that utilizes three separate 56-bit
encryption keys to create a 168-bit encryption method.
• Each block of data is encrypted three times (once for each of
the security keys).

– RC (Rivest Cipher).
» A family of symmetrical cryptographic encryption methods
developed by Ronald Rivest.
• RC4 is a stream cipher (encrypts data one bit at a time) used
by other cryptographic solutions including SSL (Secure
Socket Layer) and WEP (Wired Equivalent Privacy); it is
considered to be a weak encryption standard.
• RC5 is a block cipher algorithm that is much more secure
than RC4.
– Blowfish.
» A symmetrical cryptographic encryption method developed by
Bruce Schneier as a replacement for the weaker DES standard.
• Utilizes a variable encryption bit length—can offer anywhere
from single bit encryption to 448-bit encryption.

– TwoFish.
» A symmetrical cryptographic encryption method developed by
Bruce Schneier based on the development of Blowfish.
• Utilizes 128-bit encryption.
– AES (Advanced Encryption Standard).
» A symmetrical cryptographic encryption method developed on
behalf of the National Institute of Standards and Technology
(NIST), an agency of the U.S. government.
• It is a block cipher encryption method in which the block size
is always 128 bits, but the key used for the encryption can be
128 bits, 192 bits, or 256 bits.
• AES has been adopted worldwide as an acceptable level of
encryption and performance.

– RSA (Rivest Shamir Adleman).
» An asymmetrical cryptographic encryption method that is
named after the developers.
» It is the first widely used encryption standard to employ the use
of public and private security keys.
• An entity’s public key can be used by anyone to encrypt
messages.
• Only the entity’s private key can be used to decrypt messages
encrypted by the public key.
– PGP (Pretty Good Privacy).
» An asymmetrical cryptographic encryption method that can be
used to generate security keys and to publish the public
security keys in a secure manner.
• Allows for the secure (encrypted) use of email between two
endpoints with minimal effort.
» GPG (GNU Privacy Guard) is a GNU system’s implementation
of PGP.
• GNU is a UNIX-like operating system (Linux is part of the
GNU family of operating systems).

One issue with asymmetrical
encryption is how the
exchange of security keys is
going occur in a secure
manner.
The first practical solution was developed by Whitfield Diffie and
Martin Hellman. Their solution was referred to as the Diffie-
Hellman (DH) key exchange. It created a secure method in which
two unrelated parties could jointly create a shared secret key over
an unsecure communication channel (e.g., the Internet).
Diffie-Hellman has since been improved upon with the creation of
DHE (Diffie-Hellman ephemeral key) and ECDHE (elliptic curve
Diffie-Hellman ephemeral key). Both DHE and ECDHE help to
provide perfect forward secrecy and help to ensure the security of
the key exchange process.

One of the greatest vulnerabilities in any cryptographic implementation is
the weaknesses that are found in the security keys. The security keys are
often passwords or passphrases that can be subjected to brute force
attacks. Key stretching is a process of using a special algorithm on the
security key to strengthen the key. Two of the most popular key
strengthening algorithms are bcrypt and PBKDF2.
Topic
Key stretching.
Summary
Some common implementations of cryptography that provide symmetrical
encryption include: OTP, DES, 3DES, RC, Blowfish, TwoFish, and AES.
Some common implementations of cryptography that provide asymmetrical
encryption include: RSA, PGP, and GPG. An issue with asymmetrical
encryption is how to ensure that the key exchange remains secure. The first
practical solution was DH. It has since been improved upon with DHE and
ECDHE.
Cryptographic
implementations.

This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.

PACE-IT, Security+ 6.2: Cryptographic Methods (part 2)

More Related Content

What's hot

Viewers also liked

Similar to PACE-IT, Security+ 6.2: Cryptographic Methods (part 2)

Recently uploaded

PACE-IT, Security+ 6.2: Cryptographic Methods (part 2)