
Cryptography – Notes for CISSP

By Keith Turpin – June 2005

Cryptography is used to achieve Confidentiality, Integrity and Authenticity.


Note: This is different than the CIA of information security in which the “A” stands for availability.

Definitions
Algorithm: The set of mathematical rules used in encryption and decryption.
Cryptography: Science of protecting information by encoding it into an unreadable form.
Cryptanalysis: The science of breaking the secrecy of encryption algorithms.
Cryptology: The study of both cryptography and cryptanalysis.
Plaintext: Data in readable format, also referred to as cleartext.
Ciphertext: Data that has been encrypted.
Encipher: Act of transforming data into an unreadable format.
Decipher: Act of transforming data into a readable format.
Key: Secret sequence of bits and instructions that governs the act of encryption and decryption.
Also called a cryptovariable.
Key Clustering: Instance when two different keys generate the same ciphertext from the same
plaintext.
Key Zeroization: The process of properly destroying keys at the end of their useful life.
Keyspace: A large set of possible values used to construct keys.
Work factor: Estimated time, effort, and resources necessary to break a cryptosystem.
Nonrepudiation: A sender cannot later deny having sent a message.
Substitution Cipher: Replaces bits, characters or character blocks with different values. An early
version of this was the Julius Caesar substitution cipher.
Transposition Cipher: Rearranges the bits, characters or character blocks.
Frequency Analysis: Looks for patterns in the ciphertext to try and discover the key. Originally
based on the concept that certain letters, words and phrases occur more frequently than others in a
language.
Steganography: Attempts to conceal data by hiding it. Used by placing information in graphics,
sound files or document headers.
Exclusively ORed (XOR): An operation in binary mathematics that is applied to two bits. If the
bits are the same (both 1s or both 0s) then a “0” bit is generated and if they are different a “1” bit is
generated. This process is commonly used in Stream Ciphers.

The Significance of Key Length:


In a binary system, where each bit is either 0 or 1, the difference in the number of possibilities
between two key lengths is equal to 2 to the Nth power, where N is the difference between the two key
lengths. The number of possible key values doubles whenever a single bit is added to the key
length; thus, a 30-bit key would have 2^6 (2*2*2 = 8) more possible values than a 24-bit key.

PINs use our standard ten-digit system of 0 - 9, but work in a similar way. A four-digit
PIN has 10^4 (10*10*10*10 = 10,000) possible combinations.

Classes of Ciphers:
• Block Ciphers: Operate on fixed blocks (typically 64 bits) of plaintext to produce the
corresponding ciphertext. Typically implemented in software solutions.
• Stream Ciphers: Operate in real-time on a continuous stream of data, typically bit-by-bit.
Stream ciphers are faster than block ciphers, but they utilize one-time-use keys (One Time Pads).
This makes key management more difficult. Typically implemented in hardware solutions.

Clipper Chip: An NSA designed chip that was to be placed in all US made communication devices to
support public encryption. The government maintained keys that would allow it to decrypt any messages
encrypted with this device. The Clipper Chip was never deployed, due to public push back.
• Used the classified SkipJack algorithm, which had an 80 bit key
• Used Key Escrow to split the government’s key into two pieces that were managed by two
different organizations. Law enforcement could obtain both pieces if required. The concept of
Key Escrow is often used by businesses to maintain keys for recovery purposes.

Symmetric Key Cryptography: Both parties will be using the same key for encryption and decryption.
Because two people both have the same key it can provide confidentiality, but not authentication.
Strengths:
• Faster than Asymmetric Algorithms.
• Stronger encryption than Asymmetric Algorithms, for the same sized keys
Weaknesses:
• Scalability/key management. The number of keys required is (n*(n-1))/2 where n is the
number of users. For example, if you had 10 users it would require (10*(10-1))/2 or 45 keys.
• Key distribution
• Can not provide Authentication or Nonrepudiation.

Symmetric Algorithms Include:


• Data Encryption Standard – DES
• Advanced Encryption Standard – AES (uses the Rijndael algorithm)
• International Data Encryption Algorithm – IDEA
• Blowfish
• RC4

Asymmetric Key Cryptography: Uses two different keys that are mathematically related. One key is
used to encrypt and the other to decrypt information. These two keys are usually referred to as Private
(secret key) and Public (shared key).
• Secure Message Format: Only the Private key can decrypt messages encrypted with the Public
key. This guarantees confidentiality of messages encrypted with the Public key because only the
holder of the Private (secret) key can decrypt it.
• Open Message Format: Any public key can decrypt messages encrypted with the Private key.
This guarantees authenticity of the source of a message encrypted with the Private key since the
Public key can only decrypt messages originally encrypted with the corresponding Private key.

• Secure and Signed Message Format: The two previous methods can be combined in the
following way:
o Sender first encrypts the message with his own Private key.
o Then re-encrypts it with the recipient’s Public key.
o The recipient first uses his own Private key, which verifies confidentiality, then uses the
sender’s Public key, which verifies Authenticity.
Weaknesses:
• Requires longer key lengths
• Much slower than Symmetric systems
Strengths:
• Better key distribution
• Better scalability. Number of keys required is equal to (2 * n), where “n” is the number of
users.
• Can provide confidentiality, authentication and Nonrepudiation.

Asymmetric Algorithms Include:


• Diffie-Hellman
• El Gamal
• RSA
• Elliptical Curve Cryptosystem (ECC)

Hybrid Key Cryptography: Combines the strengths of both asymmetric and symmetric systems. It uses
Symmetric keys to encrypt the bulk of the data and uses Asymmetric keys to distribute the symmetric
keys.

Symmetric Algorithms:
• Data Encryption Standard – DES:
o Key type = Symmetric
o Key length = 56 bit
o Process = 16 rounds of transposition and substitution

DES has four different modes in which it can operate:


o Electronic Code Book - ECB: This is the native mode for DES. The exact same key is
applied to each block. This is a weakness because two identical Plaintext blocks will
encrypt into two identical Ciphertext blocks. For this reason it is usually used for
encrypting small amounts of data, like keys.
o Cipher Block Chaining - CBC: The first Plaintext block is XORed with a randomly
generated block of bits called an “Initialization Vector” to produce Ciphertext. This
Ciphertext is then XORed with the second Plaintext block and so on. This helps
randomize the content of each block.
o Cipher Feedback - CFB: This mode operates like a stream cipher and works on
individual bits to encrypt individual characters. Otherwise it functions very similarly to
Cipher Block Chaining.

o Output feedback - OFB: This mode also operates like a stream cipher and works on
individual bits to encrypt individual characters. Instead of feeding previous Ciphertext
into the process, like Cipher Feedback, it uses previous Plaintext.
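
The ECB weakness and the effect of CBC chaining described above can be seen in a short added example (not part of the original notes). It uses a toy 16-round Feistel cipher built on SHA-256 as a stand-in for DES, which is not in the Python standard library; `block_cipher`, `KEY`, `IV` and the sample plaintext are constructed for illustration, and each XORed block is passed through the cipher before it is chained.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the typical size given in the notes
KEY = b"constructed-demo-key"              # constructed sample key
IV = bytes.fromhex("0f1e2d3c4b5a6978")     # constructed; use a fresh random IV per message in practice
PLAINTEXT = b"PAY 100 " * 3 + b"TO ALICE"  # constructed: three identical 8-byte blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, block, decrypt=False):
    # Toy 16-round Feistel network; a keyed hash stands in for DES's round function
    left, right = block[:4], block[4:]
    rounds = reversed(range(16)) if decrypt else range(16)
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left

def split(data):
    if len(data) % BLOCK:
        raise ValueError("padding omitted: length must be a multiple of 8")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # The same key is applied to every block independently
    return b"".join(block_cipher(key, b) for b in split(plaintext))

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for b in split(plaintext):
        prev = block_cipher(key, _xor(b, prev))  # XOR with previous ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in split(ciphertext):
        out.append(_xor(block_cipher(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ciphertext):
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, PLAINTEXT)))
```

Under ECB the three identical plaintext blocks show up as identical ciphertext blocks; under CBC no ciphertext block repeats, and a different IV yields a different ciphertext for the same message.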

• Triple DES ( 3DES ):


o Key type = Symmetric
o Key length = 3 * 56 bit = 168 bits
o Process = 48 rounds of transposition and substitution

3DES is accomplished by running Plaintext through three iterations of the original DES
Algorithm. There are four variations to how this is done. Two of these require two unique
keys and two require three unique keys. The two methods that use a decryption step actually
encrypt the data because they are decrypting with the wrong key.
• DES-EEE2: Encrypt – 1st key & Encrypt – 2nd key & Encrypt – 1st key again
• DES-EDE2: Encrypt – 1st key & Decrypt – 2nd key & Encrypt – 1st key again
• DES-EEE3: Encrypt – 1st key & Encrypt – 2nd key & Encrypt – 3rd key
• DES-EDE3: Encrypt – 1st key & Decrypt – 2nd key & Encrypt – 3rd key

• Advanced Encryption Standard ( AES ) – Rijndael:


o Key type = Symmetric
o Key length = variable 128, 192 or 256 bits
o Process = variable 10 - 14 rounds of transposition and substitution

Selected by the National Institute of Standards and Technology (NIST) as the new standard to
replace DES.

• IDEA:
o Key type = Symmetric
o Key length = variable 128 bits
o Process = 8 rounds of transposition and substitution

A patented algorithm used in the Pretty Good Privacy (PGP) email encryption system.

• RC5:
o Key type = Symmetric
o Key length = variable up to 2,048 bits
o Process = 8 rounds of transposition and substitution
Developed and patented by RSA Data Security

Asymmetric Algorithms:

• Diffie-Hellman:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
This was the first public key algorithm and was designed to facilitate symmetric key exchange.
Uses a process called “Key Agreement Procedure”.
**Vulnerability – Subject to Man-in-the-middle attacks.

• El Gamal:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
El Gamal is based on Diffie-Hellman, but extends its capabilities to include encryption and
digital signatures.

• RSA:
o Key type = Asymmetric
o Key length = 768 or 1024 bits
Designed to facilitate symmetric key exchange. The letters RSA come from the first initials
of the three inventors. It is based on the difficulty of factoring a number that is the product of
two large prime numbers. Used for symmetric key exchange, encryption and digital
signatures.

• Elliptic Curve:
Uses properties of elliptical curves for encrypting data. This method is much more
efficient than other asymmetric algorithms and can use much smaller keys. Because it is
fast and has low overhead it is often used to support encryption on wireless devices.

One Way Hash Function:


• Hashing algorithms take the entire contents of the original message and condense it into a
fixed-length value that acts like a fingerprint of the original message. This is called a Message
Digest. This is different from encryption because you cannot recreate the original message from
the Message Digest, and no two messages should create the same digest.
• Message Digests are used to ensure that the message was not modified. The sender generates a
digest and sends it with the message; the receiver generates their own digest using the same
algorithm and compares the two to make sure that they are the same.
• Message Digests are also used to support digital signatures. In this case the sender encrypts the
message digest, instead of the original message, with their Private key. This also prevents
someone from modifying the original message and just creating a new message digest.
**Vulnerability – Collision: When two different messages result in the same Message Digest. This
can be exploited using the birthday paradox which says “There is a 50% chance that two people in a
room of 23 will have the same birthday”.

Hash Algorithms:
Non-Keyed Message Digests
• MD5: Produces a 128 bit digest. Performs 4 rounds of calculations on 512 bit blocks.
• Secure Hash Algorithm (SHA-1): Produces 160 bit digest. Processes text in 512 bit blocks.

Keyed Message Digest:


• Message Authentication Code (MAC): Works by combining the original text with a symmetric
key and then hashing the result. This is done to prevent message and digest tampering.
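
The difference between a non-keyed digest and a MAC, shown as an added example (not part of the original notes). It uses Python's standard `hmac` module, i.e. the HMAC construction with SHA-256 rather than the MD5 or SHA-1 listed above; the key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key"               # constructed; known only to sender and receiver
ORIGINAL = b"transfer 100 to account 12345"   # constructed sample message
ALTERED = b"transfer 900 to account 12345"    # the same message after modification in transit

def digest(message):
    # Non-keyed message digest: anyone can compute it
    return hashlib.sha256(message).hexdigest()

def mac(key, message):
    # Keyed digest (HMAC): computing a valid tag requires the shared key
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def receiver_accepts_digest(message, tag):
    return hmac.compare_digest(digest(message), tag)

def receiver_accepts_mac(key, message, tag):
    return hmac.compare_digest(mac(key, message), tag)

def integrity_outcomes():
    return {
        # Message changed, digest left alone: the receiver's digest differs
        "digest, message altered": receiver_accepts_digest(ALTERED, digest(ORIGINAL)),
        # Message changed and digest recomputed to match: accepted, change goes unnoticed
        "digest, both altered": receiver_accepts_digest(ALTERED, digest(ALTERED)),
        # Message changed, original MAC reused: rejected
        "mac, message altered": receiver_accepts_mac(KEY, ALTERED, mac(KEY, ORIGINAL)),
        # Message changed, tag recomputed without the key (plain digest): rejected
        "mac, both altered": receiver_accepts_mac(KEY, ALTERED, digest(ALTERED)),
        # Untouched message with its MAC: accepted
        "mac, unmodified": receiver_accepts_mac(KEY, ORIGINAL, mac(KEY, ORIGINAL)),
    }

if __name__ == "__main__":
    for case, accepted in integrity_outcomes().items():
        print(f"{case:26} accepted={accepted}")
```

Only the "digest, both altered" case slips through, which is the message-and-digest tampering the MAC is meant to prevent.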

Public Key Infrastructure (PKI):


PKI is a framework to secure e-commerce through the integration of digital signatures, digital
certificates and other services. It is meant to provide Confidentiality, message Integrity and
Authentication (Nonrepudiation). It is not a specific technology and does not specify products,
protocols or algorithms.

There are two basic components to a PKI:


o Certificate Authority – CA: Certificate Authorities do the following:
• Create and digitally sign certificates
• Deliver certificates
• Maintain certificates and the Certificate Revocation Lists

o Registration Authority – RA: Assists the CA and takes some of the workload.
• Receives the certification request
• Verifies an individual’s identity for the CA prior to forwarding the request.

There are Seven Key Management Functions:


1. Generation
2. Distribution
3. Installation
4. Storage
5. Change
6. Control
7. Disposal

Privacy-Enhanced Mail (PEM):


Provides authentication, message integrity, encryption and key management.
Specific components that can be used:
• Messages encrypted with DES in CBC mode
• Authentication provided by MD2 or MD5
• Public key management provided by RSA
• X.509 standard used for certification structure and format

Pretty Good Privacy (PGP):
PGP is an email encryption application that was originally distributed as freeware. It has the following
features.
• Uses a “Web of Trust” model instead of a central certification authority.
• Uses asymmetric RSA algorithm for key distribution and digital signatures.
• Uses the symmetric IDEA algorithm and “Session Keys” for message encryption.

Secure Electronic Transaction (SET): A specification developed by MasterCard and Visa to support
secure e-commerce. Uses a combination of DES, RSA and X.509 certificates.

Secure Socket Layer (SSL): A protocol developed by Netscape to provide session based encryption and
authentication to secure communications between clients and servers on the internet. Both the server and
browser must be SSL enabled. SSL is used by HTTPS to encrypt all communications during a session.

Secure Hypertext Transfer Protocol (S-HTTP): A protocol developed to support secure
communication with a web server. It is unique in that it encrypts individual messages instead of the entire
session.

Internet Protocol Security (IPSec): Is a method of setting up a secure channel for protected data
exchange between two devices. It is usually used to establish a VPN.
It has two basic security protocols:
• Authentication Header (AH): Is an authenticating protocol.
• Encapsulating Security Payload (ESP): Is an authenticating and encrypting protocol.

Can work in two modes:


• Transport Mode: Only the payload (message) is encrypted
• Tunnel Mode: The payload, routing and header information are all encrypted

Security Association (SA): Is a one way connection between two parties. A minimum of two
SAs are required for a two way communication. An SA describes how services are to be deployed
to secure communication between the two nodes.

Security Parameter Index (SPI): Keeps track of the different SAs terminating at the same
destination.

Internet Key Exchange (IKE):


• Creates the tunnel between the two nodes.
• Negotiates an SA for the IPSec services

Secure Shell (SSH-2): An internet security application that provides secure remote access. It provides a
secure alternative to Telnet.
