Disclaimer

These are my personal notes and not a complete course

Vocabulary

  • Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
  • A Monoalphabetic cipher is a method of encrypting by which units of plaintext are replaced with ciphertext, according to a fixed system; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing the inverse substitution.


Source: Wikipedia EN

  • A Polyalphabetic cipher is any cipher based on substitution, using multiple substitution alphabets. The Vigenère cipher is probably the best-known example of a polyalphabetic cipher, though it is a simplified special case. The Enigma machine is more complex but is still fundamentally a polyalphabetic substitution cipher.


Source: http://crypto.interactive-maths.com/autokey-cipher.html


  • Algorithm: A mathematical procedure that is carried out in sequential steps to solve a problem.
  • Cipher: See Algorithm
  • Cryptography: The science of secret writing
  • Cryptosystem: A suite of cryptographic algorithms needed to implement a particular security service, most commonly for achieving confidentiality
  • Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.
  • Cryptology: See Cryptography
  • Encipher: The application of cryptography to encrypt data
  • Decipher: The application of cryptography to decrypt data to plaintext
  • Key: Sequence of bits used in encryption and decryption


Source: https://www.quora.com/What-is-symmetric-key-encryption

  • Key Clustering: When two different keys generate the same ciphertext from the same plaintext
  • Key space: Range of possible values that are used to create the key for the cryptosystem
  • Plaintext: Unencrypted text
  • Ciphertext: Encrypted plaintext
  • Kerckhoffs's Principle: The algorithm should be known; only the key should be secret
  • One-Time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition.
  • Running Ciphers: Keys do not have to be electronically generated. Use things around us, like newspapers or books
  • Concealment Ciphers: Put a message inside another message
  • Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.
  • Key Derivation Function (KDF): Derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.
  • Number Generators: Mathematical systems to generate random numbers
  • Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.


Source: https://www.quora.com/What-is-symmetric-key-encryption

  • Asymmetric Cryptography is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.


https://en.wikipedia.org/wiki/Public-key_cryptography


  • Stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.
  • Block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key. Block ciphers operate as important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.
  • Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions.
    • One-way hash algorithm
    • Symmetric key algorithm
    • Public key algorithm

  • Initialization vector (IV) is an input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message.
  • Hybrid System: Exchange of symmetric key via public key algorithm


http://kryptophone.kryptotel.net/faq/encryption/index.html
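The "Hybrid System", "Key Derivation Function" and "Stream cipher" entries above fit together as follows. This is an added example, not part of the original notes: it uses Diffie-Hellman as the public key step, and the toy prime, the HKDF-style derivation and the SHA-256 keystream are assumptions chosen so it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 is far too small for real use.
P = 2**127 - 1
G = 3

def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Combine our private exponent with the peer's public value."""
    return pow(peer_pub, priv, P)

def derive_key(shared, salt, info=b"session key"):
    """KDF step (HKDF extract + one expand block): group element -> 32-byte key."""
    ikm = shared.to_bytes(16, "big")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_exchange(message):
    """Run both sides; return (keys match, ciphertext on the wire, Bob's plaintext)."""
    a_priv, a_pub = dh_keypair()  # Alice
    b_priv, b_pub = dh_keypair()  # Bob
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    # Only a_pub, b_pub, salt, nonce and the ciphertext cross the network.
    k_alice = derive_key(dh_shared(a_priv, b_pub), salt)
    k_bob = derive_key(dh_shared(b_priv, a_pub), salt)
    ciphertext = keystream_xor(k_alice, nonce, message)
    return k_alice == k_bob, ciphertext, keystream_xor(k_bob, nonce, ciphertext)
```

Neither side authenticates the other's public value here; that is the job of the digital signatures and PKI covered further down.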

Data Encryption Standard (DES)

  • 64-bit total, 56-bit actual
    • 56-bit true key
    • 8-bit parity

  • Symmetric block encryption algorithm
    • 16 rounds of transposition and substitution

DES Modes

See also https://www.youtube.com/watch?v=aflVXL8N_WI

Electronic Codebook (ECB)

  • 64-bit blocks of data in + key = ciphertext
  • For a given block of plaintext and given key, we get same ciphertext
  • Not all plaintext comes in 64 bit blocks, so must be padded to create 64 bit blocks
  • can be run in parallel
  • only usable for short messages

Cipher Block Chaining (CBC)

  • Overcomes issue of pattern recognition found in ECB
  • The ciphertext of one block is XORed with the next plaintext block before that block is encrypted
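The ECB and CBC behaviour described above, as an added example that is not part of the original notes. The block cipher is a toy 16-round Feistel network with 64-bit blocks built on SHA-256 (an assumption standing in for DES, not DES itself), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crypt_block(block, key, decrypt=False):
    """Toy 16-round Feistel network standing in for DES (not DES itself)."""
    left, right = block[:4], block[4:]
    for rnd in (range(15, -1, -1) if decrypt else range(16)):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left  # final swap: decryption is the same loop, rounds reversed

def pad(data):
    """Pad to a multiple of 8 bytes; each pad byte holds the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(plaintext, key):
    # Every block is encrypted on its own: same plaintext block, same ciphertext block.
    return b"".join(crypt_block(b, key) for b in blocks(pad(plaintext)))

def cbc_encrypt(plaintext, key, iv):
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = crypt_block(_xor(b, prev), key)  # previous ciphertext is mixed in first
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ciphertext, key, iv):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(_xor(crypt_block(c, key, decrypt=True), prev))
        prev = c
    data = b"".join(out)
    return data[:-data[-1]]  # strip padding

def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one (the ECB pattern leak)."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))

# Constructed sample input: four identical 8-byte plaintext blocks.
KEY, IV, MSG = b"constructed key", bytes(range(8)), b"PAY 100 " * 4
```

Calling `repeated_blocks(ecb_encrypt(MSG, KEY))` reports the repeats an observer can see without the key, while the same call on `cbc_encrypt(MSG, KEY, IV)` reports none. The fixed IV is only for reproducibility; a real IV is chosen at random for every message.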

Cipher Feedback Mode (CFB)

  • Combine block cipher and stream cipher together
  • Initialization vector + algorithm is used to create a key stream to be able to encrypt the data

Output Feedback (OFB)

  • Block cipher that emulates a stream cipher

Counter (CTR)

  • Same as OFB, but instead of random IVs, we use an IV counter

3DES Modes

DES-EEE3

  • Three different keys for encryption
  • Data encrypted three different times

DES-EDE3

  • Three different keys for encryption
  • Data is encrypted, decrypted and then encrypted again

DES-EEE2

  • Same as DES-EEE3 except we use two keys instead of three and the first and third encryption runs use the same key

DES-EDE2

  • Same as DES-EDE3 except we use two keys instead of three and the first and third encryption runs use the same key

AES

  • Symmetric block cipher
  • supports 128, 192 and 256 bit solutions
  • if both key and block are 128 bit, then there are 10 rounds
  • if both key and block are 192 bit, then there are 12 rounds
  • if both key and block are 256 bit, then there are 14 rounds

IDEA

  • 64 bit block cipher
  • 128 bit key

Blowfish

  • 64 bit block cipher
  • key size from 32 bit to 448 bit

RC4

  • stream cipher
  • variable key size
  • used in the SSL protocol

RC5

  • block cipher
  • key size up to 2048-bit

Asymmetric Algorithms

  • Diffie-Hellman
    • Two systems can generate a symmetric key securely without requiring a previous relationship
    • Used for key distribution
    • Algorithm is based on the difficulty of calculating discrete logarithms in a finite field

  • RSA
    • Security of the RSA algorithm comes from the difficulty of factoring large numbers into their original primes

  • One-way Functions
    • A mathematical function that is easier to compute in one direction than in the opposite direction
    • trap door

  • El Gamal
    • Public key algorithm used for digital signatures

  • Elliptic Curve Cryptosystem (ECC)
    • Provides digital signature, secure key distribution and encryption
    • More efficient than RSA by requiring a smaller key signature 

  • Zero Knowledge Proof
    • Equivalent to need-to-know

  • One-Way Hash
    • Fixed bit output as a hash
    • Provides integrity

  • Message Authentication Codes (MAC)

  • Attacks against one-way hash functions
    • A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties.
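The birthday bound behind the last item, as an added example that is not part of the original notes. It truncates SHA-256 to a short output (an assumption made so the search finishes instantly) and shows that a collision turns up after roughly 2^(bits/2) messages, which is why a hash needs twice as many output bits as the collision resistance it is meant to provide.

```python
import hashlib
import math

def truncated_hash(message, bits):
    """First `bits` bits of SHA-256, standing in for a hash with a short output."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits):
    """Hash distinct messages until two share a digest; return (m1, m2, attempts)."""
    seen = {}
    attempts = 0
    while True:
        message = b"constructed message %d" % attempts
        attempts += 1
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, attempts
        seen[h] = message

def collision_probability(attempts, bits):
    """Birthday approximation: p = 1 - exp(-n(n-1) / 2^(bits+1))."""
    return 1 - math.exp(-attempts * (attempts - 1) / 2 ** (bits + 1))

def attempts_for_half(bits):
    """Messages needed for a 50% collision chance: about 1.18 * 2^(bits/2)."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** bits))
```

For a 24-bit output, `attempts_for_half(24)` is a few thousand messages rather than the 2^24 a brute-force search for one specific digest would suggest.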

Digital Signature

  • A hash value that has been encrypted with the sender's private key
  • What are the security services available within cryptography:
    • Encrypt = Confidentiality
    • Hash = Integrity 
    • Digital Signature = Authentication, Proof-of-Origin and Integrity

Public Key Infrastructure (PKI)

  • x.509 v3 is the digital signature standard
  • PKI provides authentication, confidentiality, proof-of-origin and integrity for all message exchanges

Components of a PKI

  • A certificate authority (CA) that stores, issues and signs the digital certificates
    • Root CA (Should not talk to end users, issues sub-certificates for the subordinate CAs)
    • Subordinate CA (Handles requests from end users)
  • A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA. Validates information before presenting it to the CA.
  • Certificate Revocation List (CRL) List of revoked certificates
  • The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Key Management

Note: Not only for PKI. Applies to any kind of key, symmetric and asymmetric.

Responsibilities

  • Key should be long enough to provide the necessary protection
  • Key should be stored and transmitted securely
  • Keys should be random and the algorithm should use the full keyspace
  • Key lifetime should correspond to the lifetime of data
  • The more the key is used the shorter the life
  • Key should be escrowed
  • Keys should be destroyed at the end of life-cycle

Trusted Platform Module (TPM)

Microchip dedicated to carrying out security functions

Link Encryption vs End-to-End-Encryption

  • Link Encryption encrypts all of the data along a specific communication path (Example: Telephone Line)
  • End-To-End-Encryption does not encrypt the addresses, header, routing and trailer information

Encryption at different layers

  • End-To-End is layer 7 (Application)
  • SSL is at layer 4 (Transport)
  • PPTP is layer 2 (Data-Link)
  • Link encryption is layer 1 and 2 (Physical and Data-Link)

Multipurpose Internet Mail Extensions (MIME)

  • S/MIME
    • Secure MIME, Encryption and digital signatures for mail
  • Pretty Good Privacy (PGP)

Quantum Cryptography

HTTPS and S-HTTP

  • HTTPS protects the communication channel between two nodes
  • S-HTTP protects each message between nodes

Cookies

  • Text files that are maintained by a web browser
  • stored on local machine to cache user information

IPSec

  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Tunnel Mode (on WAN)
  • Transport Mode (on LAN)
  • Security Association (SA)
    • Unidirectional, One for each direction
  • Security Parameters Index (SPI)
    • Brokers SAs
  • Internet Key Exchange (IKE) (Layer 3, Network Layer)

Attacks against Cryptosystems

Ciphertext Only

  • We have only the ciphertext
  • Don't have key or plaintexts

Known Plaintext

  • We have some plaintext and ciphertext

Chosen Plaintext

  • Same as above, except we choose the plaintext input

Differential Cryptanalysis

  • Look at differences in the keys that are used to encrypt

Linear Cryptanalysis

  • Look at the functions that might yield results. Like encrypting using the letter frequency in a language to break encryption.

Side Channel

  • Trying to break encryption by looking at outside parameters of the cryptosystem (Power consumption, EMI)

Replay Attack

  • Capture something and resend it at a later time

Algebraic

  • Look at the algorithms themselves

Analytic

  • Structure of the algorithm

Statistical

  • Identify statistical weaknesses

Social Engineering

  • Getting someone to give up secret information
  • Keys, etc.