Cryptography - Notes For CISSP: by Keith Turpin - June 2005
Definitions
Algorithm: The set of mathematical rules used in encryption and decryption.
Cryptography: Science of protecting information by encoding it into an unreadable form.
Cryptanalysis: The science of breaking the secrecy of encryption algorithms.
Cryptology: The study of both cryptography and cryptanalysis.
Plaintext: Data in readable format, also referred to as cleartext.
Ciphertext: Data that has been encrypted.
Encipher: Act of transforming data into an unreadable format.
Decipher: Act of transforming data into a readable format.
Key: Secret sequence of bits and instructions that governs the act of encryption and decryption.
Also called a cryptovariable.
Key Clustering: Instance when two different keys generate the same ciphertext from the same
plaintext.
Key Zeroization: The process of properly destroying keys at the end of their useful life.
Keyspace: A large set of possible values used to construct keys.
Work factor: Estimated time, effort, and resources necessary to break a cryptosystem.
Nonrepudiation: A sender cannot deny sending a message at a later date.
Substitution Cipher: Replaces bits, characters or character blocks with different values. An early
version of this was the Julius Caesar substitution cipher.
Transposition Cipher: Rearranges the bits, characters or character blocks.
Frequency Analysis: Looks for patterns in the ciphertext to try and discover the key. Originally
based on the concept that certain letters, words and phrases occur more frequently than others in a
language.
Steganography: Attempts to conceal data by hiding it. Used by placing information in graphics,
sound files or document headers.
Exclusively ORed (XOR): An operation in binary mathematics that is applied to two bits. If the
bits are the same (both 1s or both 0s) then a “0” bit is generated and if they are different a “1” bit is
generated. This process is commonly used in Stream Ciphers.
PINs use our standard ten-digit system of 0 - 9, but work in a similar way. A four-digit
PIN has 10^4 (10*10*10*10 = 10,000) possible combinations.
Classes of Ciphers:
• Block Ciphers: Operate on fixed blocks (typically 64 bits) of plaintext to produce the
corresponding ciphertext. Typically implemented in software solutions.
• Stream Ciphers: Operate in real-time on a continuous stream of data, typically bit-by-bit.
Stream ciphers are faster than block ciphers, but they utilize one time use keys (One Time Pads).
This makes key management more difficult. Typically implemented in hardware solutions.
Clipper Chip: An NSA-designed chip that was to be placed in all US-made communication devices to
support public encryption. The government maintained keys that would allow it to decrypt any messages
encrypted with this device. The Clipper Chip was never deployed, due to public pushback.
• Used the classified SkipJack algorithm, which had an 80 bit key
• Used Key Escrow to split the government’s key into two pieces that were managed by two
different organizations. Law enforcement could obtain both pieces if required. The concept of
Key Escrow is often used by businesses to maintain keys for recovery purposes.
Symmetric Key Cryptography: Both parties will be using the same key for encryption and decryption.
Because two people both have the same key it can provide confidentiality, but not authentication.
Strengths:
• Faster than Asymmetric Algorithms.
• Stronger encryption than Asymmetric Algorithms, for the same sized keys
Weaknesses:
• Scalability/key management. The number of keys required is (n*(n-1))/2 where n is the
number of users. For example, if you had 10 users it would require (10*(10-1))/2 or 45 keys.
• Key distribution
• Cannot provide Authentication or Nonrepudiation.
Asymmetric Key Cryptography: Uses two different keys that are mathematically related. One key is
used to encrypt and the other to decrypt information. These two keys are usually referred to as Private
(secret key) and Public (shared key).
• Secure Message Format: Only the Private key can decrypt messages encrypted with the Public
key. This guarantees confidentiality of messages encrypted with the Public key because only the
holder of the Private (secret) key can decrypt it.
• Open Message Format: Any public key can decrypt messages encrypted with the Private key.
This guarantees authenticity of the source of a message encrypted with the Private key since the
Public key can only decrypt messages originally encrypted with the corresponding Private key.
• Secure and Signed Message Format: The two previous methods can be combined in the
following way:
o Sender first encrypts the message with his own Private key.
o Then re-encrypts it with the recipient’s Public key.
o The recipient first uses his own Private key, which verifies confidentiality, then uses the
sender’s Public key, which verifies Authenticity.
Weaknesses:
• Requires longer key lengths
• Much slower than Symmetric systems
Strengths:
• Better key distribution
• Better scalability. Number of keys required is equal to (2 * n), where “n” is the number of
users.
• Can provide confidentiality, authentication and Nonrepudiation.
Hybrid Key Cryptography: Combines the strengths of both asymmetric and symmetric systems. It uses
Symmetric keys to encrypt the bulk of the data and uses Asymmetric keys to distribute the symmetric
keys.
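The Secure and Signed Message Format and the hybrid approach described above, combined in one added example that is not part of the original notes. It assumes textbook RSA on tiny constructed primes with no padding and a SHA-256 keystream standing in for the symmetric cipher; the names make_key, keystream_xor, send and receive are hypothetical, and the sender's modulus must be smaller than the recipient's so the signed value fits.

```python
import hashlib
import secrets

def make_key(p, q, e):
    """Textbook RSA key (n, e, d) from two primes. Toy sizes, no padding."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def send(message, sender_key, recipient_pub):
    """Return (wrapped session key, ciphertext) for the recipient."""
    n_s, _, d_s = sender_key
    n_r, e_r = recipient_pub
    if n_s >= n_r:
        raise ValueError("signed value would not fit under recipient modulus")
    session = secrets.token_bytes(16)      # symmetric key for the bulk data
    body = keystream_xor(session, message)
    # Per key byte: sender's Private key first, then recipient's Public key.
    wrapped = [pow(pow(b, d_s, n_s), e_r, n_r) for b in session]
    return wrapped, body

def receive(wrapped, body, recipient_key, sender_pub):
    """Undo both layers. A wrong sender key yields None or unreadable bytes."""
    n_r, _, d_r = recipient_key
    n_s, e_s = sender_pub
    # Recipient's Private key first, then sender's Public key.
    values = [pow(pow(c, d_r, n_r), e_s, n_s) for c in wrapped]
    if any(v > 255 for v in values):
        return None                        # key bytes malformed: wrong sender
    return keystream_xor(bytes(values), body)

# Constructed toy keys: Alice sends, Bob receives, Carol is unrelated.
ALICE = make_key(61, 53, 17)
BOB = make_key(89, 97, 5)
CAROL = make_key(47, 59, 17)

if __name__ == "__main__":
    msg = b"Quarterly figures attached."
    wrapped, body = send(msg, ALICE, BOB[:2])
    print(receive(wrapped, body, BOB, ALICE[:2]))   # original message
    print(receive(wrapped, body, BOB, CAROL[:2]))   # None or unreadable bytes
```

Only the 16-byte session key passes through the slow asymmetric step; the message itself is handled by the symmetric stand-in, which is the division of labour the hybrid paragraph describes.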
Symmetric Algorithms:
• Data Encryption Standard – DES:
o Key type = Symmetric
o Key length = 56 bit
o Process = 16 rounds of transposition and substitution
o Output feedback - OFB: This mode also operates like a stream cipher and works on
individual bits to encrypt individual characters. Instead of feeding previous Ciphertext
into the process, like Cipher Feedback, it uses previous Plaintext.
3DES is accomplished by running Plaintext through three iterations of the original DES
Algorithm. There are four variations to how this is done. Two of these require two unique
keys and two require three unique keys. The two methods that use a decryption step actually
encrypt the data, because they are decrypting with the wrong key.
• DES-EEE2: Encrypt – 1st key & Encrypt – 2nd key & Encrypt – 1st key again
• DES-EDE2: Encrypt – 1st key & Decrypt – 2nd key & Encrypt – 1st key again
• DES-EEE3: Encrypt – 1st key & Encrypt – 2nd key & Encrypt – 3rd key
• DES-EDE3: Encrypt – 1st key & Decrypt – 2nd key & Encrypt – 3rd key
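The four 3DES compositions listed above, as an added example that is not part of the original notes. A toy 16-round Feistel cipher on 64-bit blocks stands in for DES (its round function is a keyed hash, not the real DES function), and all function names and sample keys are constructed for illustration. It goes one step beyond the text by showing that an EDE variant with both keys equal collapses to a single encryption.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def round_f(half, key, rnd):
    """Toy round function (keyed hash of a 32-bit half); not DES's real f."""
    h = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")

def encrypt(block, key, rounds=16):
    """16-round Feistel network over one 64-bit block."""
    left, right = block >> 32, block & MASK32
    for i in range(rounds):
        left, right = right, left ^ round_f(right, key, i)
    return (right << 32) | left

def decrypt(block, key, rounds=16):
    """Same network with the round order reversed."""
    left, right = block >> 32, block & MASK32
    for i in reversed(range(rounds)):
        left, right = right, left ^ round_f(right, key, i)
    return (right << 32) | left

def expand(keys):
    """Two-key variants reuse the 1st key for the third step."""
    return (keys[0], keys[1], keys[0]) if len(keys) == 2 else tuple(keys)

def triple(block, keys, mode):
    """mode is 'EEE' or 'EDE'; keys holds 2 or 3 byte strings."""
    k1, k2, k3 = expand(keys)
    middle = encrypt if mode == "EEE" else decrypt
    return encrypt(middle(encrypt(block, k1), k2), k3)

def triple_inverse(block, keys, mode):
    """Undo triple(): reverse the steps and invert each one."""
    k1, k2, k3 = expand(keys)
    middle = decrypt if mode == "EEE" else encrypt
    return decrypt(middle(decrypt(block, k3), k2), k1)

K1, K2, K3 = b"key-one!", b"key-two!", b"key-3333"   # constructed sample keys
BLOCK = 0x0123456789ABCDEF                            # constructed 64-bit block

if __name__ == "__main__":
    for mode, keys in (("EEE", (K1, K2)), ("EDE", (K1, K2)),
                       ("EEE", (K1, K2, K3)), ("EDE", (K1, K2, K3))):
        print(f"DES-{mode}{len(keys)}: {triple(BLOCK, keys, mode):016x}")
```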
Selected by the National Institute of Standards and Technology (NIST) as the new standard to
replace DES.
• IDEA:
o Key type = Symmetric
o Key length = variable 128 bits
o Process = 8 rounds of transposition and substitution
A patented algorithm used in the Pretty Good Privacy (PGP) email encryption system.
• RC5:
o Key type = Symmetric
o Key length = variable up to 2,048 bits
o Process = 8 rounds of transposition and substitution
Developed and patented by RSA Data Security
Asymmetric Algorithms:
• Diffie-Hellman:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
This was the first public key algorithm and was designed to facilitate symmetric key exchange.
Uses a process called “Key Agreement Procedure”.
**Vulnerability – Subject to Man-in-the-middle attacks.
• El Gamal:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
El Gamal is based on Diffie-Hellman, but extends its capabilities to include encryption and
digital signatures.
• RSA:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
Designed to facilitate symmetric key exchange. The letters RSA come from the first initials
of the three inventors. It is based on the difficulty of factoring a number that is the product of
two large prime numbers. Used for symmetric key exchange, encryption and digital
signatures.
• Elliptic Curve:
Uses properties of elliptic curves for encrypting data. This method is much more
efficient than other asymmetric algorithms and can use much smaller keys. Because it is
fast and has low overhead, it is often used to support encryption on wireless devices.
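The Diffie-Hellman key agreement from the entry above, as an added example that is not part of the original notes. It shows why the unauthenticated exchange needs an integrity check: if a public value is replaced in transit, the two ends derive different keys, and comparing a fingerprint of the exchanged values over an authenticated channel exposes the mismatch. The 127-bit prime, the generator and all function names are assumptions chosen for illustration and are far too small for real use.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime (a Mersenne prime); real groups are much larger
G = 3            # assumed base for the toy group

def keypair():
    """Pick a private exponent and compute the public value G^priv mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive the symmetric key from our private value and the peer's public one."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def transcript_fingerprint(pub_a, pub_b):
    """Short value both ends compare over an authenticated channel."""
    data = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    return hashlib.sha256(data).hexdigest()[:16]

def run_exchange(tamper=False):
    """Return (keys_match, fingerprints_match) for one simulated exchange."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_bob, seen_by_alice = a_pub, b_pub
    if tamper:   # constructed case: both public values replaced in transit
        _, other_pub = keypair()
        seen_by_bob = seen_by_alice = other_pub
    k_a = shared_key(a_priv, seen_by_alice)
    k_b = shared_key(b_priv, seen_by_bob)
    fp_a = transcript_fingerprint(a_pub, seen_by_alice)   # Alice's view
    fp_b = transcript_fingerprint(seen_by_bob, b_pub)     # Bob's view
    return k_a == k_b, fp_a == fp_b

if __name__ == "__main__":
    print("clean exchange:   ", run_exchange())
    print("tampered exchange:", run_exchange(tamper=True))
```

In deployed protocols the same check is done by signing the exchanged public values, which is one reason the signature-capable algorithms in this list are used alongside Diffie-Hellman.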
Hash Algorithms:
Non-Keyed Message Digests
• MD5: Produces a 128 bit digest. Performs 4 rounds of calculations on 512 bit blocks.
• Secure Hash Algorithm (SHA-1): Produces 160 bit digest. Processes text in 512 bit blocks.
o Registration Authority – RA: Assists the CA and takes some of the workload.
▪ Receives the certification request.
▪ Verifies an individual’s identity for the CA prior to forwarding the request.
Pretty Good Privacy (PGP):
PGP is an email encryption application that was originally distributed as freeware. It has the following
features.
• Uses a “Web of Trust” model instead of a central certification authority.
• Uses asymmetric RSA algorithm for key distribution and digital signatures.
• Uses the symmetric IDEA algorithm and “Session Keys” for message encryption.
Secure Electronic Transaction (SET): A specification developed by MasterCard and Visa to support
secure e-commerce. Uses a combination of DES, RSA and X.509 certificates.
Secure Socket Layer (SSL): A protocol developed by Netscape to provide session based encryption and
authentication to secure communications between clients and servers on the internet. Both the server and
browser must be SSL enabled. SSL is used by HTTPS to encrypt all communications during a session.
Internet Protocol Security (IPSec): A method of setting up a secure channel for protected data
exchange between two devices. It is usually used to establish a VPN.
It has two basic security protocols:
• Authentication Header (AH): An authenticating protocol.
• Encapsulating Security Payload (ESP): An authenticating and encrypting protocol.
Security Association (SA): A one way connection between two parties. A minimum of two
SAs are required for a two way communication. An SA describes how services are to be deployed
to secure communication between the two nodes.
Security Parameter Index (SPI): Keeps track of the different SAs terminating at the same
destination.
Secure Shell (SSH-2): An internet security application that provides secure remote access. It provides a
secure alternative to Telnet.