Wednesday, 20 July 2011

CISSP CBK 6 Cryptography


open-community version of SSL is Transport Layer Security (TLS). The differences between SSL 3.0 and TLS is slight, but TLS is more extensible and is backward compatible with SSL

S-Http is to encrypt every message however SSL /TLS is for communication channel.

security parameter index (SPI), keep track of SA and For every tunnel you have two SA one in each direction.

integrity check value (ICV), AH calculates this value over whole Data Packet including header and when packet passes through NAT devices IP header changes and receiving station discard the packet due to mismatch ICV this is were ESP comes in play and it calculate ICV without using IP headers.

The OAKLEY protocol is the one that carries out the negotiation process. You can think of ISAKMP as providing the playing field (the infrastructure) and OAKLEY as the guy running up and down the playing field (carrying out the steps of the negotiation).

Simple Key Management Protocol for IP (SKIP) is another key exchange protocol that provides basically the same functionality as IKE all thease protocols work at Network Layer

passive attacks attacker is not affecting the protocol, algorithm, key, message, or any
parts of the encryption system

Cipher Only attack (COA)the attacker has the cipher text of several messages
Known Plain Text attack (KPTA)the attacker has the plain text and corresponding cipher text of one or more messages
chosen-plaintext attacks,(CPA) the attacker has the plain text and cipher text, but can choose the plaintext that gets encrypted to see the corresponding cipher text. some one forward your email text with encryption (I can change the Text and see the resulted Encrypted value)
chosen-ciphertext attacks, (CCA)the attacker can choose the cipher text to be decrypted and has access to the resulting decrypted plain text (most applicable against public key cryptography)

Timestamps and sequence numbers are two countermeasures to replay attacks.

In an HMAC operation, a message is concatenated with a symmetric key and the result is put through a hashing algorithm. This provides integrity and system or data authentication. CBC-MAC uses a block cipher to create a MAC, which is the last block of ciphertext

Key clustering different keys generate the same ciphertext for the same message
Collision If the algorithm does produce the same value for two distinctly different messages,

RSA algorithm’s security is based on the difficulty of factoring large numbers into their original prime numbers

The Clipper chip is a chipset that was developed and promoted by the U.S. Government as an encryption device to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct.

The heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a "cryptographic key", that would then be provided to the government in "escrow". If government agencies "established their authority" to listen to a communication, then the password would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone.

The CISSP Prep Guide states, "The idea is to divide the key into two parts, and to escrow two portions of the key with two separate 'trusted' organizations. Then, law enforcement officals, after obtaining a court order, can retreive the two pieces of the key from the organizations and decrypt the message."

There are four types of MACs:
(1) unconditionally secure,
(2) hash function based,
(3) stream cipher-based
4) block cipher-based.

The algorithm does produce the same value for two distinctly different messages, this is called a collision, MD5 is subject to this attack

HAVAL variable one way hash modification of MD5 and hash 128 or 256

An attacker can attempt to force a collision, which is referred to as a birthday attack.

A digital signature is a hash value that has been encrypted with the sender’s private key.the act of signing means encrypting the message’s hash value with a private key,

A send message to B generate hash value and then encrypt this with sender Private Key , So when B receives the message will perform the hashing function on the message, and come up with his own hash value. Then he will decrypt the sent hash value (digital signature) with Senders (A) public key and compare the two values. ensure integrity and authenticity/ non repudiation Signing means value encrypting with private Key X.509 Version 4
When users need new certificates, they make requests to the RA (registration authority)

The frequency of use of a cryptographic key has a direct correlation to how often the key should be changed

end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted however in Link encryption (some time Online encryption) every thing is encrypted and every hop need to decrypt it read the header and decide where to send traffic.

Link encryption Data Link Layer.

End-to-end encryption happens within the applications.

SSL encryption takes place at the transport layer.

PPTP encryption takes place at the data link layer.
IPsec at Network

S/MIME provides confidentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certificates, and nonrepudiation through cryptographically signed message digests

protocols within PEM (Private enhanced Module) provide authentication, message integrity, encryption, and key management

Message Security Protocol (MSP) is the military’s PEM. Developed by the NSA,it is an X.400-compatible application-level protocol used to secure e-mail messages

PGP uses IDEA for Encryption , MD5 for hashing and it uses its own digital certificates.

A message can be encrypted, which provides confidentiality.
A message can be hashed, which provides integrity.
A message can be digitally signed, which provides authentication,non repudiation, and integrity.
A message can be encrypted and digitally signed, which provides confidentiality, authentication, non repudiation, and integrity.

Simple substitution and transposition ciphers are vulnerable to attacks that perform frequency analysis. In every language, there are words and patterns that are used more than others.
Some patterns common to a language can actually help attackers figure out the transformation between plaintext and ciphertext, which enables them to figure out the key that was used to perform the transformation. Polyalphabetic ciphers use different alphabets to defeat frequency analysis.

NSA took the 128-bit algorithm Lucifer that IBM developed, reduced the key size to 64 bits and with that developed DES.

Twofish. is related to Blowfish as a possible replacement for DES.

Skipjack. was developed after DES by the NSA .

Digital envelop A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver.

digital watermarking is a computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data-text, graphics, images, video, or audio#and for detecting or extracting the marks later. The set of embedded bits (the digital watermark) is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. It is used as a measure to protect intellectual property rights. Steganography involves hiding the very existence of a message.

SHA-1 = 160 bit digest
SHA-256 = 256 bit digest
SHA-384 = 384 bit digest
SHA-512 = 512 bit digest

DSS provides Integrity, digital signature and Authentication, but does not provide Encryption.

An analytic attack refers to using algorithm and algebraic manipulation weakness to reduce complexity

RC5 is a fast block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security) in 1994

The Clipper Chip is a NSA designed tamperproof chip for encrypting data and it uses the SkipJack algorithm. Each Clipper Chip has a unique serial number and a copy of the unit key is stored in the database under this serial number. The sending Clipper Chip generates and sends a Law Enforcement Access Field (LEAF) value included in the transmitted message. It is based on a 80-bit key and a 16-bit checksum..

Authentication Header is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation,

concealment cipher, every X number of words within a text, is a part of the real message.

IDEA 128 Bits

PKCS #1= RSA Cryptography Standard

AES Rijindel Algoritham
10 rounds if the key/block size is 128 bits
12 rounds if the key/block size is 192 bits
14 rounds if the key/block size is 256 bits

Cryptography supports all three goals of the CIA Triad.

Key encapsulation is one class of key recovery techniques and is defined as a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key.
Key encapsulation typically allows direct retrieval of the secret key used to provide data confidentiality.
The other class of key recovery technique is Key escrow, defined as a technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances.

ECC KEY In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device

Private key Cryptosystem is a synonym to Symmetric Key or Secret Key cryptosystems very important to remeber it in EXAM!!!!!!!!

Cipher Block Chaining and Cipher Feedback create a key that is dependent of the previous block and the final block serves as a Message Authentication Code.

Key clustering happens when a plaintext message generates identical ciphertext messages using the same transformation algorithm, but with different keys.

Blowfish is a symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA.

IKE= Key establishment , Partly based on Okley, putting in place auth keying material.
SKIP= Hybrid encryption for session Key
KEA= simmilar to DH

Users can obtain certificates with various levels of assurance.
Class 1/Level 1 for individuals, intended for email, no proof of identity
Class 2/Level 2 is for organizations and companies for which proof of identity is requiredLevel 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database. -
Class 3/Level 3 is for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authorityLevel 3 certificates are available to companies. This level of certificate provides photo identification to accompany the other items of information provided by a level 2 certificate.
Class 4 for online business transactions between companies-
Class 5 for private organizations or governmental security

Certificated issued to CA = ARL
Certificated issued by CA = CRL

Internet Key Exchange. A hybrid protocol that implements Oakley and Skeme key exchanges inside the ISAKMP framework. IKE can be used with other protocols, but its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations (SA).

DEA is the algorithm that fulfills DES, which is really just a standard. So DES is the standard and DEA is the algorithm, but in the industry we usually just refer to it as DES. The CISSP exam may refer to the algorithm by either name, so remember both

Electronic Code Book (ECB) encypt individual block , good for Databases (reveal a pattern)
Cipher Block Chaining (CBC) The results of one block are XORed with the next block before it is encrypted good large chunks of data at a time
Cipher Feedback (CFB) steady stream of data
Output Feedback (OFB) what if bit of first block get corrupted (small amount of data at a time but you need to ensure possible errors do not affect your encryption and decryption processes)
Values used to encrypt the next block of plaintext are coming directly from the keystream, not from the resulting ciphertext
Counter Mode (CTR) very similar to OFB uses IV Counter

DES-EEE3 Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted.
DES-EDE3 Uses three different keys for encryption, and the data are encrypted, decrypted, and encrypted.
DES-EEE2 The same as DES-EEE3 but uses only two keys, and the first and third encryption processes use the same key.
DES-EDE2 The same as DES-EDE3 but uses only two keys, and the first and third encryption processes use the same key

1 comment:

  1. Great post, I have a module coming up on ssl encryption so this was really helpful to give me a head start for the work. We have got to learn now to install and also create are own self certified certs aswell.