0% found this document useful (0 votes)

117 views

Domain 07 - Cryptography

The document discusses cryptography concepts including encryption, decryption, symmetric and asymmetric cryptography, public key infrastructure, hash functions, and attacks on cryptography. It covers terms like plaintext, ciphertext, keys, algorithms, and nonrepudiation. It also discusses how cryptography can provide confidentiality, integrity, authentication, and access control.

Uploaded by

Oluwamodupe Esther

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

117 views

Domain 07 - Cryptography

Uploaded by

Oluwamodupe Esther

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 87

CISSP DOMAIN : CRYPTOGRAPHY

DOMAIN - 07

Objectives

The objective of this domain is to understand:

 Basic concepts within cryptography.
 Public and private key algorithms in terms of their applications and uses,
algorithm construction.
 Key distribution, management and methods of attack.
 The applications, construction and use of digital signatures to provide
authenticity of electronic transactions, and nonrepudiation of the parties
involved.

Agenda
 Cryptography Concepts
 Symmetric Cryptography
 Asymmetric Cryptography
 Public Key Infrastructure
 Hash Function
 Key Management
 Internet Security
 Attacks on Cryptography

Cryptography Concepts

Terms
Plaintext Also cleartext. Message in natural format. Readable to attacker.

Also cryptogram. Message after alteration, now unreadable, to attacker but

Ciphertext
readable to intended recipient.

Cryptosystem Entire cryptographic operation. Key + algorithm + key management functions.

Encryption Also enciphering. Process of converting message from plaintext to ciphertext.

Also decipher. The reverse of encryption. Converting ciphertext into plaintext

Decryption
through cryptographic algorithm and key used to do the original encryption.
Also cryptovariable. Sequence that controls the operation of the
Key cryptographic algorithm. Secret or Public.

Service, by which sender and recipient cannot deny having participated in the
Nonrepudiation
communication. Nonrepudiation of origin, nonrepudiation of receipt.

Algorithm Mathematical function used in the encryption or decryption process.

Terms
Study of techniques for attempting to defeat cryptographic techniques (and
Cryptanalysis
information security services).

Science dealing with hidden, disguised, encrypted communications. Embraces

Cryptology
Communications security and communications intelligence.

Collision When a hash function generates the same output for different inputs.

Total number of possible values for keys in a cryptographic algorithm or other

security measure (password). i.e., keyspace for a 20-bit key would be
Key Space 1,048,576.
The larger the keyspace the more available random values can be used -
making it harder to figure out

Work Factor Time and effort required to break a protective measure.

Non-secret binary vector. Initialization input algorithm for encryption of

Initialization plaintext BLOCK sequence.
Vector • Increases security by introducing additional cryptographic variance.
• Synchronizes cryptographic equipment.
Avalanche Effect Minor change in key or plaintext has a significant change in resulting
ciphertext. A feature of a strong hashing algorithm.

Terms
Changing a message into another format using a code. Plaintext into another
Encoding medium for transmission (e.g., Morse Code via radio). Usually for message
integrity instead of secrecy.

Decoding Reverse process from encoding. Converting encoded into plaintext format.

Also Permutation. Reorder plaintext to hide the message.

Transposition
HIDE  reorder sequence 3142  DHEI
Exchange one letter or byte for another.
Substitution
HIDE  shift alphabet 3 spaces  KLGH
Substitution and Permutation (transposition) (usually repeated)
SP-Network •Used in most block ciphers to increase their strength.
• Breaks plaintext into Series of smaller S-boxes to handle computations.
Mixing (changing) key values used during each repeated encryption round.
Confusion
Adds complexity for attacker.
Mix up the location of the plaintext throughout the ciphertext. Transposition
Diffusion allows first character of the plaintext to change several times during
encryption. Makes cryptanalysis much more difficult.
A situation in which a plaintext message generates identical ciphertext
Clustering messages by using the same transformation algorithm but with different
cryptovariables or keys.

Protecting Information
Data Storage
 The confidential information stored in Backup tapes, off -site storage, password files, etc.
needs to be protected from disclosure or undetected alteration.
 This can be done through the use of cryptographic algorithms that limit access to the data
to those that hold the proper encryption (and decryption) keys.
Data Transmission
 Modern cryptography provides secure and confidential methods to transmit data and
allows the verification of the integrity of the message, so that any changes to the message
itself can be detected.
Link Encryption
 Encrypts all of the data along a communications path.
 Traffic confidentiality; encrypts the routing information.
End-to-End Encryption
 The data is encrypted at the start of the communications channel and remains encrypted
until it is decrypted at the remote end.
 Routing information remains visible.

Cryptography
 Cryptography is secret writing; secure communication that can be understood only by
the intended recipient.
 While the fact that data is being transmitted may be known, the content of that data
should remain unknown to third parties.
 Data in motion (moving on a network) and at rest (stored on a device such as a disk)
needs to be encrypted.
 Cryptography can be used to implement confidentiality, integrity, authentication and
nonrepudiation.

Uses of Cryptography
Cryptography supports all three of the core principles of information security.
1. Availability
 Many access control systems use cryptography to limit access to systems through the use of
passwords.
 Many token-based authentication systems use cryptographic-based hash algorithms to
compute one-time passwords.
2. Confidentiality
 Cryptography provides confidentiality through altering or hiding a message so that it cannot
be understood by anyone except the intended recipient.
3. Integrity
 Cryptographic tools provide integrity checks that allow a recipient to verify that a message
has not been altered.
 It cannot prevent a message from being altered, but will detect either intentional or
accidental modification of the message.
Additional Features of Cryptographic Systems:
 Nonrepudiation
 Authentication
 Access Control

Strength of a Cryptosystem
 The strength of cryptosystem depends on:
 Algorithm
 Secrecy of the key
 Randomness of the key
 Length of the key

 Another name for cryptography strength is work factor.

Substitution Cipher
 Substitution cipher involves the simple process of substituting one letter for another
based upon a cryptovariable.
 A substitution cipher substitutes:
 Bits, characters or blocks of characters with different bits, characters or blocks.
 The key used determines the result of the substitutions that take place.
 ROT13 is a Caesar cipher, a type of substitution cipher. In ROT13, the alphabet is
rotated 13 steps.

Transposition Cipher
 Transposition cipher moves the original text around uses long sequences of complex
substitutions and permutations.
 The key determines the positions that the characters are moved to.
 Instead of a list of alphabetic substitutions, it is a mapping order.
 This table shows “SECURITY” being encrypted with a transposition cipher where every
two letters are switched with each other:

S E C U R I T Y
E S U C I R Y T

Book or Running Key Cipher

 Running Ciphers uses a key that does not require an electronic algorithm.
 Example: The key could be a book sequence, page, line number and word count.
132.2073 could mean:
 first word - page 1, line 3, word 2.
 second word - page 20, line 7, word 3.
 The sequence of books must be agreed upon in advance.

Concealment Cipher
 The concealment cipher hides a message in a longer message i.e. “a message WITHIN
a message”
 A simple example: every second word of a sentence
 “Summer is coming this year in march. The car is parked on the…. ”
The message is “coming in car”

Steganography

 Steganography is the science of hiding information.

 Steganography is a method of hiding data in another media so that the data's very
existence is concealed.
 Used to hide data within graphic images, audio files or hard drive sectors marked as
unusable.
 Can also be used to insert a digital watermark on an image to identify illegal copies.
 Watermarking is adding identifiable information into a file or document.

Symmetric Cryptography

Symmetric Cryptography
Symmetric algorithms operate with a single cryptographic key that is used for both
encryption and decryption of the message.
 Each pair of communicating users must have a copy of the key.
 The secret key must be initially communicated in a secure manner.
 Security is dependent upon properly protecting the secret key.
 Advantage: Very Fast to encrypt or decrypt , secure and cheap
 Disadvantage: Key Management is the big issue
 Can provide confidentiality, but not authenticity or nonrepudiation because
both parties are using the same key.
 Examples: Blowfish, AES, IDEA, RC4, RC5, RC6, DES & 3DES.

Block and Stream Ciphers

 Block ciphers and stream ciphers are the two main types of symmetric algorithms.
1. Block cipher
 Taking a fixed-length block of plaintext data and create a block of ciphertext
data of same length.
2. Stream cipher
 Generating a keystream (sequence of bits), combining the keystream with
plaintext data, bit-by-bit using XOR operations and create a stream of ciphertext
data.
 One-time pad (a.k.a. Vernam cipher) is a type of stream cipher. The entire
keystream is totally random and is used only once.

Block Cipher
 Operates on blocks (chunks) of text.
 Blocks are preset (64,128,192 bits, etc.).
 Most use a combination of substitution and transposition.
 Stronger than most stream-based ciphers.
 More expensive, more computationally intensive.
 Mainly implemented in software.

Stream Cipher
 Encryption performed on a bit-by-bit basis.
 Crypto operation is to mix the plaintext with the keystream generated by the cryptosystem.
 XOR operation is very fast.
 Binary operation: 1+1=0, 0+0=0 and 1+0=1, 0+1=1
 Input plaintext 0101 0001
 Keystream 0111 0011
 Output of XOR 0010 0010
 Relies mainly on substitution (one character or bit for another).
 Controlled by the key Rules like Keystream not linearly related to cryptovariable; Statistically
unpredictable and unbiased; Long periods without repetition; & Functional complexity.
 Keystream must be strong (period or repeating segment) must be long.
 If too short, susceptible to frequency analysis or other language-specific attacks.
 Mainly implemented in hardware. Most Common in voice/video.

XOR Logic
 XORing plaintext with a key produces ciphertext.
 XORing ciphertext with the same key restores the original plaintext.

 Plaintext 1 0 1 1 0 1 1 1
 Key 0 1 0 1 0 1 0 1
 Ciphertext 1 1 1 0 0 0 1 0
 Key 0 1 0 1 0 1 0 1
 Plaintext 1 0 1 1 0 1 1 1

 XOR operation
 0+1=1
 1+0=1
 0+0=0
 1+1=0

Data Encryption Standard (DES)

 DES is a symmetric-key cryptosystem.
 A block encryption algorithm.
 Fixed sized blocks of 64 bits.
 Uses a 56-bit key (plus 8-bits of parity).
 Characters are put through 16 rounds of transposition and substitution.
 DES is no longer considered strong enough, can be broken easily with distributed
computing.
 DES operates in five modes:
 Block Mode
o ECB (Electronic Code Book)
o CBC (Cipher Block Chaining)
 Stream Mode
o CFB (Cipher Feed Back)
o OFB (Output Feed Back)
o CTR (Counter)

Electronic Code Book (ECB)

 Electronic Code Book (ECB) is the simplest and weakest form of DES.
 It uses no initialization vector or chaining. Identical plaintexts with identical keys encrypt to
identical ciphertexts.
 64-bit data blocks processed individually, one at a time.
 Decrypting starts at the beginning of ciphertext file and processes 64-bit block one at a time, until
EOF.
 For a given plaintext block and key, the same ciphertext always results.
 Susceptible to Known-plaintext attacks.
 Applicable to random access encryption & decryption, such as databases.

Cipher Block Chaining (CBC)

 The CBC mode is stronger than ECB in that each input block will produce a different output—even
if the input blocks are identical.
 Accomplished with an IV and a chaining function that XORs each input with the previous
ciphertext.
 64-bit plaintext blocks loaded sequentially.
 XOR’ed with 64-bit Initialization Vector (IV).
 Combination processed into cipher under secret key.
 First ciphertext XOR’ed with next plaintext block.
 Most frequently used mode of operation.
 Produces a more random result.

Cipher Feedback (CFB)

 Cipher Feedback (CFB) Mode—In the CFB mode, the input is separated into individual segments, the size of which
can be 1-bit, 8-bit, 64-bit or 128-bit (the four submodes of CFB).
 Usually of 8 bits, because that is the size of one character.
 Initially the IV is chosen and loaded into a shift register and run through encryption algorithm.
 The first 8-bit output of this algorithm is XORed with first 8-bits of plaintext which gives ciphertext.
 Previous ciphertext block is encrypted and the output is combined with plaintext block using XOR to produce
current ciphertext block.
 Initialization Vector (IV) is used as a “seed” for the process.
 Plaintext patterns are concealed by the XOR operation.

Output Feedback (OFB)

 The OFB mode is very similar in operation to the CFB, except that instead of using the ciphertext
result of the XOR operation to feed back into the shift register for the ongoing keystream.
 It feeds the encrypted keystream itself back into the shift register to create the next portion of the
keystream.
 Initialization Vector (IV) is used as a “seed” for the process.
 CFB with the addition of a stream cipher.

Counter Mode (CTR)

 The CTR mode is used in high-speed applications such as IPSec and ATM.
 In this mode, a counter—a 64-bit random data block—is used as the first IV.
 Similar to OFB mode the quantity XOR’ed with each plaintext block is generated
independently of both plaintext and ciphertext.
 Encrypted CTR values generate a keystream to be XOR’ed with message stream, much
like stream cipher.

Triple DES (3DES)

 DES can be easily broken with current technology.
 3DES uses three 56-bit keys (instead of one).
i) The first key encrypts the plaintext data.
ii) The second key decrypts the ciphertext produced by the first key.
iii) The third key encrypts the ciphertext produced by the second key.
 Triple-DES Uses 48 rounds of transposition and substitution (instead of 16).
 TDES is approximately 256 times stronger than DES.
 3DES will be around for some time - even though the US government has chosen the Rijndael
algorithm for AES, its replacement for DES.

AES
 The Advanced Encryption Standard (AES) is the current U.S. standard symmetric block cipher.
 It uses:
 128-bit keys (10 rounds of encryption),
 192-bit keys (12 rounds of encryption), or
 256-bit keys (14 rounds of encryption) to encrypt
 Uses the Rijndael algorithm.
 Rijndael is a block cipher with variable block size and key length:
 128, 192, and 256-bit block sizes.
 128, 192, and 256-bit key lengths.

Other Symmetric Systems

IDEA (International Data Encryption Algorithm)
 128-bit key, 64-bit blocks, 8 rounds of computation.
 Operates in the same modes as DES (ECB, CBC, CFB and OFB).
 Harder to break than DES.
 Used in Pretty Good Privacy (PGP) e-mail encryption software.

Blowfish
 Highly efficient block cipher, designed by Bruce Schneier.
 Key size: 32 – 448 bits (in steps of 8 bits).
 64-bit block size; 16 rounds of computation.
 Optimized for 32-bit micro-processors.

Twofish
 Modification of Blowfish using 128-bit blocks, and
 It uses variable key length up to 256 bits.

Other Symmetric Systems

RC5
 Key length up to 2040 bits, with block sizes of 32, 64 or 128 bits.
 Patented by RSA Data Security in 1997.

RC6
 RC6 is a modification of RC5 created as a candidate algorithm for AES
 Also designed by Ron Rivest.
 Based on RC5, RC6 has a block size of 128 bits, supports key size of 128, 192 and 256 bits.

Asymmetric Cryptography

Asymmetric Cryptography
 Asymmetric encryption uses two keys:
 Encrypts with one, decrypts with the other.
 One key may be made public (the public key), which is why asymmetric encryption is also called
public key encryption.
 Anyone who wants to communicate with you may simply download your publicly posted key and
use it to encrypt his/her plaintext.
 Once the plaintext is encrypted, your public key cannot decrypt it: Only your private key can do
so.
 As the name implies, your private key must be kept private and secure.
 Provides authenticity, integrity and nonrepudiation - the sent message could only have been
generated by the owner of the private key.

Asymmetric Cryptography
 Advantages:
 Provides better key distribution than symmetric systems.
 Provides better scalability due to ease of key distribution.
 Provides authenticity and nonrepudiation, in addition to confidentiality and
integrity.
 Disadvantages:
 It is much slower operation than symmetric systems.
 It is vulnerable to man-in-the-middle attacks (unless a trusted Certificate
Authority is used).
 Examples:
 RSA, Elliptic Curve Cryptosystem (ECC), Diffie-Hellman, El Gamal, Digital
Signature Algorithm (DSA).

Asymmetric Systems
RSA
 RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman.
 A worldwide de facto standard.
 Provides digital signatures, encryption and secret key distribution.
 Based on the difficulty of factoring the product of two large prime numbers (may be up to 200
digits each).
 Used in:
 Web browsers with SSL
 Systems that use public key cryptosystems
 PGP
 El Gamal

Asymmetric Systems
Elliptic Curve Cryptosystems (ECCs)
 Elliptic Curve Cryptography (ECC) leverages a one-way function that uses discrete logarithms as
applied to elliptic curves.
 Provides digital signatures, secure key distribution and encryption.
 Provides its functionality with lower overhead than RSA and others.
 Used in low power devices like wireless devices and cell phones.
 Provides the same level of protection as RSA with smaller key size
(a 160-bit ECC key provides the same protection as a 1024-bit RSA key).

Diffie-Hellman Key Exchange

 Key agreement allows two parties to securely agree on a symmetric key via a public channel, such
as the Internet, with no prior key exchange.
 Subjects arrive at a shared secret key over nonsecure media without exposing the keys.
 This ground breaking work (1976) provided a basis for the further development of public key
cryptography.

Hybrid Encryption Methods

 A hybrid system combines the Symmetric and Asymmetric methods.
 Called Public key cryptography.
 Asymmetric algorithms provide better security, but are very slow.
Symmetric algorithms provide better performance, but secure key distribution can be a problem.
 “Asymmetric key” refers to the public key or private key of an asymmetric key pair.
“Symmetric key” is synonymous with secret key or session key.

Public Key Cryptography

 The more efficient symmetric algorithm encrypts a message using a secret key.
 An asymmetric algorithm uses the recipient’s public key to encrypt the symmetric secret key.
 The encrypted secret key and the message encrypted with that secret key are sent to the
recipient.
 The recipient decrypts the secret key using his private key.
 The secret key is then used to decrypt the message.
 A symmetric algorithm is used for bulk encryption, while an asymmetric algorithm is used to
distribute the symmetric key.

Symmetric vs Asymmetric
 In symmetric algorithms, both parties share the same key for encryption
and decryption.
 Symmetric algorithms do not consume too much computing power as
compared to asymmetric algorithm.
 Asymmetric algorithms use pairs of keys - one is used for encryption and
the other one for decryption.
 In asymmetric algorithm the decryption key is called private or secret key
and encryption key is called public key.
 Symmetric algorithm is more efficient then asymmetric algorithms.
 Asymmetric algorithm is far slower then symmetric algorithm and is used
to distribute the symmetric key.

Quiz

 A block cipher:
a. Encrypts by operating on a continuous data stream
b. Is an asymmetric-key algorithm
c. Converts variable-length plaintext into fixed-length ciphertext
d. Breaks a message into fixed length units for encryption

 In steganography:
a. Private-key algorithms are used.
b. Public-key algorithms are used.
c. Both public- and private-key algorithms are used.
d. The fact that the message exists is not known.

Quiz -Answers
 A block cipher:
a. Encrypts by operating on a continuous data stream
b. Is an asymmetric-key algorithm
c. Converts variable-length plaintext into fixed-length ciphertext
d. Breaks a message into fixed length units for encryption

 In steganography:
a. Private-key algorithms are used.
b. Public-key algorithms are used.
c. Both public- and private-key algorithms are used.
d. The fact that the message exists is not known.

Public Key Infrastructure

Public Key Infrastructure (PKI)

 Public Key Infrastructure provides:
 Confidentiality, integrity, authenticity and nonrepudiation.
 PKI includes:
 Digital certificates
 Certificate authority (CA)
 Registration authorities (RA)
 Policies and procedures
 Certificate revocation
 Non-repudiation support
 Timestamping
 Security-enabled applications
 Each participant in a PKI requires a digital certificate.
 Contains that individual’s public key and other identifying information.
 Digitally signed by a trusted certificate authority (CA).
 The CA takes liability for the authenticity of public key.

Certificate Authority
 A certificate authority or certification authority (CA) is an entity that issues digital certificates.
 The digital certificate certifies the ownership of a public key by the named subject of the
certificate.
 This allows others (relying parties) to rely upon signatures or assertions made by the private key
that corresponds to the public key that is certified.
 In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject
(owner) of the certificate and the party relying upon the certificate.
 CA issues and maintains public key certificates:
 Verifies the individual’s identity, constructs the certificate, digitally signs it, delivers it to the
requester and maintains it over its lifetime.
 Can be a third-party (such as VeriSign), or internal to an organization.
 When a message containing a public key is received, the recipient can refer to the CA to
verify it as belonging to the identity claimed by the sender.
 This system can be compromised by an individual posting a public key under the name of
another individual.

Certificate Revocation
 Certification Revocation is handled by the Certificate Revocation List (CRL).
 CRL is updated periodically.
 A certificate may be revoked for several reasons:
 The key holder’s private key has been compromised.
 The CA discovers the certificate was issued to the wrong person.
 The CRL also maintains an archive of revoked certificates.

Registration Authorities (RAs)

Large PKI implementations may offload some of the work to distributed Registration Authorities
(RAs)
 The RA cannot issue certificates; it acts as a middleman.
 It can establish and confirm the identity of an individual.
 It can initiate the certification process with the CA (on behalf of the end user).
 Perform certificate life cycle management functions.

PKI Steps
The following are the steps for process of PKI:
1. User requests a certificate from the CA.
2. CA requests identification information from the user.
3. Once identity is verified, the CA enters the user into its database and generates an asymmetric
key pair.
4. CA creates a certificate containing the user’s identity and public key.
5. The private key is generated on the user’s machine, or by the CA (in which case secure delivery is
required).
6. The user can now participate in the PKI.
7. When a user wishes to communicate, the other party’s verified public key is requested from the
CA.
8. Assuming the other party’s certificate is valid, the public key is used to encrypt a symmetric
session key that is sent to the other party along with one’s own public key and certificate.
9. The other party requests verification of the public key (assuming that the issuing CA is trusted).
10. If the certificate is valid, the other party decrypts the session key with their private key and
secured communication can take place.

One-Way Hash
One Way Hash
 A hash function provides encryption using an algorithm and no key. It is referred to as “one way”
because there is no way to reverse the encryption.
 A variable length plaintext is “hashed” into a fixed-length hash value (often called a “message
digest” or simply a “hash”).
 Hash functions are primarily used to provide integrity: If the hash of a plaintext changes, the
plaintext itself changes.
 A hash value can be used to identify a specific message (like a fingerprint of the message).
 Anyone can create a hash value from a message as the algorithms to do so are publicly known.
 However, the hash value can be encrypted with the sender’s private key to create a digital
signature, providing integrity, authenticity and nonrepudiation.

Message Integrity
 Cryptography can detect if a message has been intentionally modified in transit.
 The message will not decrypt properly if the bit pattern has been modified.

Message Authentication Code

 MAC (also known as a cryptographic checksum) is a small block of data that is generated using a
secret key and then appended to the message.
 Similar to a digital signature, but using a symmetric session key (rather than a private key).
 Provides integrity and generalized authenticity (but not nonrepudiation).
 If one encrypts a message’s hash value with a symmetric session key and sends it with the
message, the recipient can:
 Decrypt the message (using the session key).
 Calculate a hash value from the plaintext message.
 Decrypt the hash value received with the message (using the session key).
 Compare the calculated and received values, if the values match the message has not been
altered in transit (integrity).

Digital Signatures
 Digital signatures are used to cryptographically sign documents.
 They provide nonrepudiation, which includes authentication of the signer’s identity and proof of
the document’s integrity (i.e., that the document did not change).
 It means that the sender cannot later deny (or repudiate) signing the document.
 It consists of encrypting a message’s hash value with one’s private key.
 Note that Message Authentication Code (MAC) only provides integrity and generalized
authenticity by encrypting the message’s hash with the shared session key:
 The recipient decrypts the digital signature with the sender’s public key.
 If the hash value calculated from the message matches the hash value of the digital
signature (once decrypted) the message could only have been sent by the owner of the
private key.

Hash Function

Hashing Algorithms
MD5 (1991)
 More complex so its harder to break.
 MD5, created by Ronald Rivest, is the most widely used of the MD family of hash algorithms.
 It creates a 128-bit hash value based on any input length.

SHA (1991)
 Developed by NIST to be used with the DSS.
 Secure Hash Algorithm (SHA) is the name of a series of hash algorithms.
 SHA-1 creates a 160-bit hash value.
 SHA-2 includes SHA-224, SHA-256, SHA-384 and SHA-512, named after the length of the message
digest each creates.

HAVAL (1993)
 Hash of Variable Length (HAVAL) creates message digests of 128, 160, 192, 224 or 256 bits in
length, in three, four or five rounds.
 It uses some of the design principles behind the MD family and is faster than MD5.

One-Time Pad
 Used only once, random, unbreakable and as long as the message itself (or longer):
 The message and pad are XOR’d bit by bit.
 The sender destroys the pad after encrypting the message.
 The receiver destroys his copy of the pad after decrypting the message.
 Produced by a random number generator seeded by date, time or other sources (such as
radioactive decay).
 Provides a very high degree of security, but is impractical due to the difficulty of
distributing the pads.

Key Management

Key Management
 Key Management is the most challenging part of cryptography.
 It can be handled manually or automatically (automatic key management is more accurate and
secure).
 Key management includes:
 Keys need to be generated, destroyed and recovered properly.
 Protect keys as they can be captured, modified, corrupted or disclosed to unauthorized
individuals.
 Keys must be distributed to the right entities and updated continuously.
 Key distribution protocols (asymmetric) include:
 RSA
 Diffie-Hellman
 Key Exchange Algorithm (KEA)
 The Kerberos Key Distribution Center (KDC) is an example of automated key management.

Key Management
Key Management Principles:
 Keys are at risk of being lost, destroyed or corrupted.
 Backup copies must be easily accessible when required.
 The key recovery process could require three individuals to present their private keys (or
individual PINs).
 The three individuals should be from different departments:
Management, security and IT.
 This is an example of key escrow.
Key Management Rules:
 Stored and transmitted securely.
 Random and utilize the full keyspace.
 Backed up or escrowed.
 Properly destroyed when expired.
 Sufficiently long enough to provide the necessary level of protection.
 Key lifetime should:
 Correspond with the sensitivity of the data being protected.
 Have a shorter lifetime when used more frequently.

Escrowed Encryption
 Escrowed encryption divides a private key into two or more parts.
 The parts are held in escrow by different, trusted third-party organizations, which only release
their portion of the key with proper authorization, such as a court order.

Clipper Chip
 “Clipper Chip” was the name of the technology used in the Escrowed Encryption Standard (EES),
an effort announced in 1993 by the U.S. government to deploy escrowed encryption in
telecommunications devices.
 This effort created a media firestorm and was abandoned by 1996.
 The Clipper Chip used the Skipjack algorithm, a symmetric cipher with an 80-bit key.
 The algorithm was originally classified as secret.

Internet Security

E-mail Standards - PGP

Pretty Good Privacy (PGP)
 A freeware e-mail security:
 Mainly uses RSA public key encryption and key management.
 Uses IDEA symmetric bulk encryption and MD5 hashing.
 Supports conventional and PGP public key certificates.
 A session key is generated randomly by PGP.
 The message is encrypted with the session key, the session key is encrypted with recipient’s
public key, and both are sent to the recipient.
 A passphrase is hashed and then used to encrypt one’s own private key.
 When a PGP message is received, decryption requires one’s passphrase to be entered (to
gain access to the private key).
 Uses a decentralized “web of trust” (rather than a CA).
 Any PGP user can digitally sign another user’s public key.
 The signer must be regarded as a “trusted introducer”.
 A collection of signed keys is referred to as a “key ring”.

HTTP, S-HTTP & HTTPS

HTTP (Hypertext Transport Protocol):
 Used by both web browser and server to request and send web pages respectively.
 Uses standard port 80 over TCP.
 It is a stateless protocol - connections are terminated after each transaction.
 An HTTP session is identified by URLs with http://
S-HTTP (Secure Hypertext Transport Protocol):
 It is used to protect individual messages encrypted with a symmetric session key at the application
layer (HTTP).
 It is an extension of HTTP.
 Web server creates a session key, encrypts it with the client’s public key and sends it to the client.
 Unlike Http , it is a stateful protocol - the initial connection remains up between exchanges.
 An S-HTTP session is identified by URLs with shttp://
HTTPS (Hypertext Transport Protocol over SSL):
 Uses standard port 443.
 It encrypts all information that passes over the connection at the session layer.
 Unlike S-HTTP, SSL can be applied to non-HTTP traffic.
 It runs HTTP over the Secure Sockets Layer (SSL) protocol.
 An HTTPS session is identified by URLs with https://

SSL
SSL (Secure Sockets Layer)
 Developed by Netscape.
 Mostly used for e-commerce:
 The server sends its digital certificate to the
client.
 The CA verifies the server's public key.
 The client generates a symmetric session key.
 The session key is encrypted with the server’s
public key and sent to the server.
 Supports asymmetric RSA, symmetric DES, 3DES &
IDEA, and MD5 hashing.
 An SSL session is identified by URLs starting with
https://

MIME & S/MIME

MIME (Multipurpose Internet Mail Extension)
 It provides a means of encoding multimedia and attachments for transport.
 The user requests a multimedia component from a web server.
 The web server replies with the file and a MIME header describing the file (such as MIME
type: Video, with subtype: mpg).

S/MIME (Secure MIME)

 Extension of MIME.
 It provides a means to digitally sign and encrypt e-mail containing attachments.
 It uses X.509 Public key certificates.
 It provides confidentiality, integrity, authenticity and nonrepudiation.

Secure Electronic Transaction (SET)

SET (Secure Electronic Transaction)
 Proposed by Visa and MasterCard.
 Provides an effective way of securely transmitting credit card information.
 More effort and cost than SSL.
 More software installation and configuration.
 SET components include:
 Electronic wallet (a digital certificate holding user financial information).
 Software running on the merchant’s web server.
 Payment server at the merchant’s bank.

Cookies
Cookies
 HTTP is a stateless protocol - no memory of prior connections.
 Cookies save information between HTTP connections by storing text information to the user’s
disk.
 Most cookie data is harmless.
 Used primarily for demographic and advertising information.
 Commercial web sites use cookies to store the selections a user has put into his cart - the
items in the cart are then totaled at checkout.
 Financial Institution use cookies to limit session length by setting a timestamp.
 Some cookies can contain usernames and passwords.
 The server does not encrypt this information many times.

Internet Security - SSH

SSH (Secure Shell)
 Provides secure terminal-like access to remote computers.
 Can be used to log into another computer over the network.
 Used for accessing files, running applications, copying files, etc.
 Can be used instead of telnet, ftp, rlogin, rexec or rsh.
 SSH creates a secure tunnel between two computers through use of a session key – uses TCP port
22.
 Uses Diffie-Hellman for secret key distribution.

IPsec
 IPsec (Internet Protocol Security) is a suite of protocols that add a cryptographic layer
to both IPv4 and IPv6.
 It is one of the methods for providing Virtual Private Networks (VPN), which allow
you to send private data over an insecure network such as the Internet (the data
crosses a public network, but is “virtually private”).
 The two basic security protocols:
i. Authentication Header (AH) - An authentication protocol.
ii. Encapsulating Security Payload (ESP) - An authentication and encryption
protocol.
 Two modes of operation:
i. Transport mode:
 Typically used between two hosts.
 IP header, AH or ESP header, segment.
ii. Tunnel mode:
 Typically used between two security gateways (routers or firewalls), or
between a host and a security gateway.
 Additional IP header, AH or ESP header, IP header, segment.

Internet Security - IPsec

Authentication Header (AH) provides:
 Authentication and integrity for each packet of network data.
 It offers no confidentiality, but rather acts as a digital signature for the data.
 AH also protects against replay attacks where data is sniffed off a network and resent, often in an
attempt to fraudulently reuse encrypted authentication credentials.

Encapsulating Security Payload (ESP) provides:

 Confidentiality by encrypting packet data.
 It may also optionally provide authentication and integrity.

IPsec
Security Association
 AH and ESP may be used separately or in combination.
 An IPsec Security Association (SA) is a simplex (one-way) connection that may be used to
negotiate.
 ESP or AH parameters.
 If two systems communicate via ESP, they use two SAs (one for each direction).
 If the systems leverage AH in addition to ESP, they use two more SAs for a total of four.
 Each simplex SA connection is identified by a unique 32-bit number known as the Security
Parameter Index (SPI).

 Internet Security Association and Key Management Protocol (ISAKMP)

 Manages the SA process.
 Provides a key exchange framework.
 Negotiates establishment, modification and deletions of SAs.
 Negotiates key exchange protocol to be used.

IPsec
Internet Key Exchange (IKE)
 IPsec can employ a variety of encryption algorithms, such as MD5 or SHA-1 for integrity and triple
DES or AES for confidentiality.
 The algorithm selection process is negotiated by the Internet Key Exchange (IKE).
 The preferred and recommended key exchange protocol, though others are possible (such as
Kerberos or SKIP).
 Two sides of an IPsec tunnel typically use IKE to negotiate to the highest and fastest level of
security.
 E.g. selecting AES over single DES for confidentiality if both sides support it.

IPsec
Tunnel and Transport Mode
 IPsec can be used in either tunnel mode or transport mode.
 Tunnel Mode:
 Used by security gateways (which can provide point-to-point IPsec tunnels).
 It encrypts the entire packet, the payload and header are protected (i.e., encryption &
hash).
 Used for network-to-network, host-to-network and host-to-host communications.
 Transport Mode:
 Only the payload is protected (i.e., encryption & hash).
 IP headers are not encrypted.
 If AH is used then IP address can not be translated (i.e., NAT).
 For host-to-host communications only.

Comparing IPsec Modes

 ESP in Transport Mode
 Provides confidentiality for the segment’s payload, data authentication for the packet’s
headers and payload, or both.
 Implemented on the communicating end points.
ESP in Tunnel Mode
 Provides confidentiality, authentication, or both for entire original packet.
 Must be implemented on IPSec gateways (acting as such).
 An additional IP header identifying the gateways is prepended.
 AH in Transport Mode
 Provides data authentication only - no encryption.
 Implemented on the communicating endpoints.
 Useful when encryption is not needed, or is not permitted.
AH in Tunnel Mode
 Used when either end of a security association is a gateway.
 Possible to use private addresses.

Attacks on Cryptography

Attacks
Passive Attacks:
 Eavesdropping, capturing data on the media, network sniffing.
 Hard to detect since data and processes are not being modified.
 Techniques attempt to prevent rather than detect and stop them.
 Generally used to gain information for mounting an active attack.

Active Attacks:
 Altering messages, modifying system files, masquerading.
 The attacker is making changes to data within the system.

Attacks
Types of cryptanalytic attacks:
 Ciphertext-only attack
 Known-plaintext attack
 Chosen-plaintext attack
 Chosen-ciphertext attack
 Adaptive-chosen-plaintext attack
 Adaptive-chosen-ciphertext attack

Types of cryptographic attacks

 Man-in-the-middle attack
 Dictionary & Brute-force attack
 Replay Attacks
 Symmetric block cipher attacks
 Hash function attack
 Birthday attack, etc.

Cryptanalytic Attacks
Ciphertext-only attack
 An attacker collects lots of cipher text messages that have been encrypted with the SAME
key.
 Use statistical analysis to attempt to determine the encryption key.
Chosen-ciphertext attack
 The attacker chooses which portion of the ciphertext will be decrypted and has access to
the original plaintext.
 Goal is to figure out the key.
Known-plaintext attack
 A known plaintext attack relies on recovering and analyzing a matching plaintext and
ciphertext pair: The goal is to derive the key that was used.
 The attacker attempts to determine the key working from the ciphertext and plaintext of
the original messages.
Chosen-plaintext attack
 Same as the known-plaintext attack, except the attacker chooses which portion of the
plaintext gets encrypted.

Cryptanalytic Attacks
Adaptive-chosen-ciphertext attack
 Depending on previous outcomes of the attack the attacker is able to choose ciphertext sample
dynamically.
 The aim is to discover key.

Adaptive-chosen-plaintext attack
 Attacker chooses plaintext samples dynamically, and alter his or her choice based on the results of
the previous operations.
 The aim is to discover key.

Cryptographic Attacks
Man-in-the-middle attack (MITM)
 The attacker intercepts each user’s public key and stores them, forwards his own public key to the
other party.
 Each user then unknowingly uses the attacker’s public key to encrypt data intended only for the
other user.
 The attacker intercepts these messages decrypts them to plaintext (using his own private key) and
re-encrypts the resulting plaintext (using the intended recipient’s previously intercepted public
key).
 The attacker then forwards the message to the intended recipient.
 Countermeasures include use of Kerberos, Certificate Authority.

Cryptographic Attacks
Dictionary Attacks
 The dictionary attack is used most commonly against password files.
 It exploits the poor habits of users who choose simple passwords based on natural words.
 The dictionary attack merely encrypts all of the words in a dictionary and then checks whether
the resulting hash matches an encrypted password stored in the SAM file or other password file.

Brute Force Attacks

 Exhaustive search of possible combination (key) until the correct one is identified.
 Can be applied to any type of cipher because the advance technologies in computing
performance has made brute-force attacks practical against keys of a fixed length.

Cryptographic Attacks
Replay Attacks
 The attacker captures passwords as they are transmitted across the network.
 With Kerberos, the attacker may:
 Copy a session ticket.
 Break the encryption.
 Attempt to use the ticket at a later time to gain unauthorized access to a resource.
 Countermeasures:
 Timestamps - A replay attack is indicated if timestamped packets are received outside of an
allowable timeframe.
 Sequence numbers - A replay attack is indicated if a device receives a packet with a
sequence number previously used.

Cryptographic Attacks
Symmetric block cipher attacks
 Differential cryptanalysis – A chosen-plaintext attack that relies on the analysis of the evolution of
the differences between the two related plaintext samples as they are encrypted using the same
key.
 Linear cryptanalysis – A known-plaintext attack using linear approximations to describe the
behavior of the block cipher.
 Weak keys – Secret keys with a certain value for which the block cipher in question will exhibit
certain regularities in encryption, or in other cases a poor level of encryption.
 Algebraic attacks – A class of techniques that rely on the block ciphers exhibiting a high degree of
mathematical structure. (i.e., “pattern”).

Cryptographic Attacks
Hash function attack
 Brute-force attack - Attacker chooses random inputs to the hash function until a targeted output
is produced.
 Differential attack - Attacker uses the difference in term of integer modular subtraction as inputs
to MD5 until a targeted output is produced.
 Message authentication code (MAC) attack - Unlike digital signature, MAC value is generated and
verified using same secret key (i.e. symmetric). Attacker performs chosen-plaintext attack on
MAC to find the secret key.

Cryptographic Attacks
Birthday attack
 A class of brute-force attack used against hashing functions based on birthday paradox:
probability that two or more people in a group of 23 share the same birthday is greater than 50%.
 Attacker is to find two messages with the same digest value instead of matching a specific value.
Temporary Files
 Most cryptosystems will use temporary files to perform their calculations.
 If these files are not deleted and overwritten, they may be compromised and lead an attacker to
the message in plaintext.
Reverse Engineering
 This attack is one of the most common.
 A competing firm buys a crypto product from another firm and then tries to reverse engineer the
product.
 With reverse engineering, it may be able to find weaknesses in the system or gain crucial
information about the operations of the algorithm.
Social Engineering
 This is the most common type of attack and usually the most successful. All cryptography relies to
some extent on humans to implement and operate.

Cryptographic Attack
Rainbow Table
 A rainbow table is a lookup table of sorted hash outputs which attacker can later refer to saves
time and computer resources when attempting to decipher the plaintext from its hash value.
Frequency Analysis
 It is the study of the frequency of occurrence of characters in a message ciphertext.
 If a message is encrypted using a substitution cipher, then the frequency of occurrence of the
characters in the ciphertext can be used to discover the original plaintext.
Meet-in-the-middle attack
 It encrypts on one side, decrypts on the other side, and meets in the middle.
 The attacker has a copy of a matching plaintext and ciphertext, and seeks to recover the two keys
used to encrypt.
Implementation attacks / Side Channel attacks
 This attack based on information gained from the physical implementation of a cryptosystem,
rather than brute force or theoretical weaknesses in the algorithms.
 Example: Side-channel attacks use physical data to break a cryptosystem, such as by monitoring
CPU cycles or power consumption used while encrypting or decrypting.
 General classes of side channel attack include: Timing attack, Power monitoring attack,
Electromagnetic attack, Acoustic cryptanalysis, Differential fault analysis.

Quiz

 What are MD4 and MD5?

a. Symmetric encryption algorithms
b. Asymmetric encryption algorithms
c. Hashing algorithms
d. Digital certificates

 A Security Parameter Index (SPI) and the identity of the security protocol (AH or ESP)
are the components of:
a. SSL
b. IPsec
c. S-HTTP
d. SSH-1

Quiz - Answers

 What are MD4 and MD5?

a. Symmetric encryption algorithms
b. Asymmetric encryption algorithms
c. Hashing algorithms
d. Digital certificates

 A Security Parameter Index (SPI) and the identity of the security protocol (AH or ESP)
are the components of:
a. SSL
b. IPsec
c. S-HTTP
d. SSH-1

Thank You

Download ebooks file CISSP study guide Conrad all chapters
No ratings yet
Download ebooks file CISSP study guide Conrad all chapters
55 pages
FortiOS 7.4.3 Administration Guide
No ratings yet
FortiOS 7.4.3 Administration Guide
3,620 pages
Packet Tracer - Lab 3 - VLAN and VTP Configuration - Packet Tracer 5.3
0% (1)
Packet Tracer - Lab 3 - VLAN and VTP Configuration - Packet Tracer 5.3
2 pages
CCDE Written Learning Matrix
No ratings yet
CCDE Written Learning Matrix
42 pages
OpenText Archive Center 16.0.2 - Installation Guide For Windows (Integrated Archive Installer) English (AR160002-00-IGW-EN-1)
No ratings yet
OpenText Archive Center 16.0.2 - Installation Guide For Windows (Integrated Archive Installer) English (AR160002-00-IGW-EN-1)
62 pages
Blue Coat Authentication Webcast Final
No ratings yet
Blue Coat Authentication Webcast Final
53 pages
Cse Cryptography
No ratings yet
Cse Cryptography
18 pages
AAA Network Security Services
100% (1)
AAA Network Security Services
20 pages
Domain 00 - Intoduction
No ratings yet
Domain 00 - Intoduction
9 pages
CISSP Certification Training
0% (1)
CISSP Certification Training
28 pages
sy0-701_Lesson 05
No ratings yet
sy0-701_Lesson 05
46 pages
Cissp Domain 4
No ratings yet
Cissp Domain 4
111 pages
Eleventh H Cissp Abstract
No ratings yet
Eleventh H Cissp Abstract
8 pages
CISSP Study Guide On Cryptography
No ratings yet
CISSP Study Guide On Cryptography
48 pages
CISSP Combined Notes - All Domains
No ratings yet
CISSP Combined Notes - All Domains
59 pages
Penetration Testing Slides
No ratings yet
Penetration Testing Slides
64 pages
CISSP - Cryptography Drill-Down Handout
No ratings yet
CISSP - Cryptography Drill-Down Handout
43 pages
(Exam Outline) : Effective Date 1 January 2012
No ratings yet
(Exam Outline) : Effective Date 1 January 2012
43 pages
4. Security threats, Attack and vulnerabilities on IT &OT System
No ratings yet
4. Security threats, Attack and vulnerabilities on IT &OT System
15 pages
DLP Manger Interview Question
No ratings yet
DLP Manger Interview Question
14 pages
Cissp 4
No ratings yet
Cissp 4
63 pages
CISSP - Domain 1 Part 1
No ratings yet
CISSP - Domain 1 Part 1
21 pages
ZTNA Whitepaper
No ratings yet
ZTNA Whitepaper
11 pages
CISSP Exam Cram Full Course (All 8 Domains) UPDATED - 2022 EDITION!
No ratings yet
CISSP Exam Cram Full Course (All 8 Domains) UPDATED - 2022 EDITION!
7 pages
Cryptography
No ratings yet
Cryptography
20 pages
Cissp Guide Steps 2
No ratings yet
Cissp Guide Steps 2
4 pages
Cissp 3
No ratings yet
Cissp 3
64 pages
Isc2 Cissp 1 16 1 Security and Risk Management Key Points
No ratings yet
Isc2 Cissp 1 16 1 Security and Risk Management Key Points
3 pages
ZPhrb7gWTNK4vrXZHBEu_2024 FRSecure CISSP Mentor Program - Class 6
No ratings yet
ZPhrb7gWTNK4vrXZHBEu_2024 FRSecure CISSP Mentor Program - Class 6
108 pages
Ch.13 Authentication and Access Control
No ratings yet
Ch.13 Authentication and Access Control
33 pages
CISSP Aide Memoire (E) v4
No ratings yet
CISSP Aide Memoire (E) v4
11 pages
Cissp Domain 5
No ratings yet
Cissp Domain 5
56 pages
SSCP
No ratings yet
SSCP
24 pages
sy0-701_Lesson 02
No ratings yet
sy0-701_Lesson 02
29 pages
2023+CISSP+Domain+3+Study+Guide+by+ThorTeaches Com+v3 1
No ratings yet
2023+CISSP+Domain+3+Study+Guide+by+ThorTeaches Com+v3 1
67 pages
CISSP Live Session 5 Slides
No ratings yet
CISSP Live Session 5 Slides
128 pages
JrqpOQnGQD2xE6jIJAZV_2024 CISSP Mentor Program - Class 5
No ratings yet
JrqpOQnGQD2xE6jIJAZV_2024 CISSP Mentor Program - Class 5
123 pages
Chapter 4 Cybersecurity
No ratings yet
Chapter 4 Cybersecurity
76 pages
XFug7KtBSUK36ZEStp0L_2024 FRSecure CISSP Mentor Program - Class Nine
No ratings yet
XFug7KtBSUK36ZEStp0L_2024 FRSecure CISSP Mentor Program - Class Nine
208 pages
Full Mind Map
No ratings yet
Full Mind Map
32 pages
0YgDVEpBQwy46ztPbVIB_2024 FRSecure CISSP Mentor Program - Class 7 Domain 4 Pt2
No ratings yet
0YgDVEpBQwy46ztPbVIB_2024 FRSecure CISSP Mentor Program - Class 7 Domain 4 Pt2
128 pages
Zscaler Sase Overview
No ratings yet
Zscaler Sase Overview
2 pages
Ch5 - Cyptography
No ratings yet
Ch5 - Cyptography
22 pages
Sans mgt414 1 Course Book
No ratings yet
Sans mgt414 1 Course Book
147 pages
Introduction To Cryptography
No ratings yet
Introduction To Cryptography
39 pages
CCNA Security Overview
No ratings yet
CCNA Security Overview
20 pages
Gghy5tyRkiJWps2QB2xQ_2024 FRSecure CISSP Mentor Program - Class 10
No ratings yet
Gghy5tyRkiJWps2QB2xQ_2024 FRSecure CISSP Mentor Program - Class 10
146 pages
ESwitching Lab 3 5 1
No ratings yet
ESwitching Lab 3 5 1
7 pages
Study - Notes - and - Theory - Course - Usage Guide
No ratings yet
Study - Notes - and - Theory - Course - Usage Guide
13 pages
Palo Alto Network
No ratings yet
Palo Alto Network
4 pages
Session 1_ 2024 FRSecure CISSP Mentor Program
No ratings yet
Session 1_ 2024 FRSecure CISSP Mentor Program
166 pages
Cissp - Domain 8
No ratings yet
Cissp - Domain 8
34 pages
Domain 1 Questions
No ratings yet
Domain 1 Questions
8 pages
UltimateGuideCISSP Web
No ratings yet
UltimateGuideCISSP Web
8 pages
HLD Oceanprotect
No ratings yet
HLD Oceanprotect
33 pages
Exam Cissp: Physical Security Principles & Controls
No ratings yet
Exam Cissp: Physical Security Principles & Controls
34 pages
Cloud Security Lecture 3
No ratings yet
Cloud Security Lecture 3
37 pages
CISSP Exam Tips InfoSec
No ratings yet
CISSP Exam Tips InfoSec
12 pages
Unified MPLS Functionality, Features, and Configuration Example
No ratings yet
Unified MPLS Functionality, Features, and Configuration Example
16 pages
CISSP D5 Slides1
No ratings yet
CISSP D5 Slides1
62 pages
Overview of ISO 27K
No ratings yet
Overview of ISO 27K
8 pages
Configuring IPCop Firewalls: Closing Borders with Open Source
From Everand
Configuring IPCop Firewalls: Closing Borders with Open Source
James Eaton-Lee
No ratings yet
Intrusion detection system Standard Requirements
From Everand
Intrusion detection system Standard Requirements
Gerardus Blokdyk
No ratings yet
Electromagnetic Fields and Waves3
No ratings yet
Electromagnetic Fields and Waves3
187 pages
Graph With Estimated Y: 70000 Column C Column D
No ratings yet
Graph With Estimated Y: 70000 Column C Column D
2 pages
Domain 01 - Information Security Governance & Risk Management
No ratings yet
Domain 01 - Information Security Governance & Risk Management
75 pages
ARRAYS
No ratings yet
ARRAYS
4 pages
EE4T2 Electrical Measurements & Instrumentation
No ratings yet
EE4T2 Electrical Measurements & Instrumentation
2 pages
District Calendar - McNairy County Schools
No ratings yet
District Calendar - McNairy County Schools
3 pages
FortiGate 7.4 Operator Exam_ Attempt ReviewMURtaza
No ratings yet
FortiGate 7.4 Operator Exam_ Attempt ReviewMURtaza
9 pages
Fortigate Ii: Instructor Guide For Fortigate 5.4.1
No ratings yet
Fortigate Ii: Instructor Guide For Fortigate 5.4.1
8 pages
Salesforce Sandbox To Sandbox Deployment Using GitLab Tool
No ratings yet
Salesforce Sandbox To Sandbox Deployment Using GitLab Tool
10 pages
EMC ScaleIO Best Practices - Security
No ratings yet
EMC ScaleIO Best Practices - Security
10 pages
Akamai Integration Process For Sites
No ratings yet
Akamai Integration Process For Sites
5 pages
Draytek Vigor 2925 User Guide
No ratings yet
Draytek Vigor 2925 User Guide
950 pages
IIS Interview Questions and Answers Guide.: Global Guideline
No ratings yet
IIS Interview Questions and Answers Guide.: Global Guideline
15 pages
Instant Download Financial Cryptography and Data Security 22nd International Conference FC 2018 Nieuwpoort Curaçao February 26 March 2 2018 Revised Selected Papers Sarah Meiklejohn PDF All Chapters
100% (3)
Instant Download Financial Cryptography and Data Security 22nd International Conference FC 2018 Nieuwpoort Curaçao February 26 March 2 2018 Revised Selected Papers Sarah Meiklejohn PDF All Chapters
52 pages
46xxsettingsNEW (00000003)
No ratings yet
46xxsettingsNEW (00000003)
199 pages
Vulnerability Scanning With Nessus
No ratings yet
Vulnerability Scanning With Nessus
6 pages
Tender
No ratings yet
Tender
20 pages
imageRUNNER ADV 6055, 8085 Series SEND Functions Service Manual
No ratings yet
imageRUNNER ADV 6055, 8085 Series SEND Functions Service Manual
103 pages
Nse4 PDF
No ratings yet
Nse4 PDF
9 pages
FortiOS-7.6.0-SSL VPN_to_IPsec_VPN Migration
100% (1)
FortiOS-7.6.0-SSL VPN_to_IPsec_VPN Migration
38 pages
Connecting Audiocodes SBC To Microsoft Teams Direct Routing Hosting Model Configuration Note
No ratings yet
Connecting Audiocodes SBC To Microsoft Teams Direct Routing Hosting Model Configuration Note
58 pages
DSFSDF
No ratings yet
DSFSDF
2 pages
Accuenergy Catalogue V2 11 WEB
No ratings yet
Accuenergy Catalogue V2 11 WEB
40 pages
Interview Preparation For Cyber Security
100% (2)
Interview Preparation For Cyber Security
114 pages
HP Thinpro: Security Layers For RDP Connections
No ratings yet
HP Thinpro: Security Layers For RDP Connections
4 pages
Unit 3: Internet/extranet/intranet
No ratings yet
Unit 3: Internet/extranet/intranet
82 pages
Surreptitiously Weakening Cryptographic Systems
100% (2)
Surreptitiously Weakening Cryptographic Systems
26 pages
Application Security Introduction - Overview PT 2
No ratings yet
Application Security Introduction - Overview PT 2
40 pages
Cyber Security Lab
No ratings yet
Cyber Security Lab
27 pages
Deploying Odoo - Odoo 12.0 Documentation
0% (1)
Deploying Odoo - Odoo 12.0 Documentation
13 pages
AX Series™ Advanced Traffic Manager Configuration Guide
No ratings yet
AX Series™ Advanced Traffic Manager Configuration Guide
950 pages
Camera Configuration Tool User Guide en
No ratings yet
Camera Configuration Tool User Guide en
45 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Domain 07 - Cryptography

Uploaded by

Domain 07 - Cryptography

Uploaded by

CISSP DOMAIN : CRYPTOGRAPHY

The objective of this domain is to understand:

Also cryptogram. Message after alteration, now unreadable, to attacker but

Cryptosystem Entire cryptographic operation. Key + algorithm + key management functions.

Encryption Also enciphering. Process of converting message from plaintext to ciphertext.

Also decipher. The reverse of encryption. Converting ciphertext into plaintext

Algorithm Mathematical function used in the encryption or decryption process.

Science dealing with hidden, disguised, encrypted communications. Embraces

Total number of possible values for keys in a cryptographic algorithm or other

Work Factor Time and effort required to break a protective measure.

Non-secret binary vector. Initialization input algorithm for encryption of

Also Permutation. Reorder plaintext to hide the message.

 Another name for cryptography strength is work factor.

Book or Running Key Cipher

 Steganography is the science of hiding information.

Block and Stream Ciphers

Data Encryption Standard (DES)

Electronic Code Book (ECB)

Cipher Block Chaining (CBC)

Cipher Feedback (CFB)

Output Feedback (OFB)

Counter Mode (CTR)

Triple DES (3DES)

Other Symmetric Systems

Other Symmetric Systems

Diffie-Hellman Key Exchange

Hybrid Encryption Methods

Public Key Cryptography

Public Key Infrastructure

Public Key Infrastructure (PKI)

Registration Authorities (RAs)

Message Authentication Code

E-mail Standards - PGP

HTTP, S-HTTP & HTTPS

MIME & S/MIME

S/MIME (Secure MIME)

Secure Electronic Transaction (SET)

Internet Security - SSH

Internet Security - IPsec

Encapsulating Security Payload (ESP) provides:

 Internet Security Association and Key Management Protocol (ISAKMP)

Comparing IPsec Modes

Types of cryptographic attacks

Brute Force Attacks

 What are MD4 and MD5?

 What are MD4 and MD5?

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.