AS III

qbe89

see attached.


AS3.docx

Virtual Private Network (VPN) Presentation

You have been tasked with identifying a VPN for your work organization, which is a retail company selling vehicle accessories. A VPN is needed since many of the employees work remotely and sales are conducted with dealerships and conference attendees.

You will present your findings to your company leaders in a PowerPoint presentation at the next board meeting.

Begin your task by researching at least three VPN options. These options should provide protections for employees accessing the internal network and applications. You will need to compare the features, functionality, type of encryption used, and cost of each VPN in your presentation. Which of the three options will work best for your work organization? Why? You will indicate and support your recommendation during the summary.

Your presentation must be a minimum of 10 slides, not counting the title and reference slides. You may use various sources, including your textbook. Be sure to cite and reference all sources using proper APA Style.

You must utilize the Notes feature within PowerPoint to include additional context and amplify the information for each slide. Think of the speaker notes as what your script would be if you were actually presenting this information to an audience.

The resources below may be helpful as you work on your assignment.

Textbook

Boyle, R. J., & Panko, R. R. (2020). Corporate Computer Security (5th ed.). Pearson Education (US). https://online.vitalsource.com/books/9780135823354

ASStudyGuideIII.pdf

SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit III

Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS).
   1.1 Compare virtual private network (VPN) solutions for use by remote workers.
2. Examine encryption types used for the physical security protection of an organization.
   2.1 Compare encryption types used in VPNs.
   2.2 Investigate how organizations protect data.

Required Unit Resources

Chapter 3: Cryptography

In order to access the following resources, click the links below. You can access transcripts for the videos by clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2018, January 21). Hashing and digital signatures - CompTIA Security+ SY0-501 – 6.1 [Video]. YouTube. https://www.youtube.com/watch?v=OBdEhSPoDaY

Professor Messer. (2020, December 23). Cryptographic attacks - SY0-601 CompTIA Security+ : 1.2 [Video]. YouTube. https://www.youtube.com/watch?v=u_Ta0rVTL_g

Professor Messer. (2021, March 7). Cryptography concepts - SY0-601 CompTIA Security+ : 2.8 [Video]. YouTube. https://www.youtube.com/watch?v=A6HNd1EGfIc

Professor Messer. (2021, March 29). Cryptography limitations - SY0-601 CompTIA Security+ : 2.8 [Video]. YouTube. https://www.youtube.com/watch?v=m9DA0k0Ctz8

Unit Lesson

Cryptography—Complexity by Design

Cryptography is one of the most sophisticated and complex topics we will cover. This is because cryptography, encryption, and decryption generally involve purposefully complicated mathematical operations to keep messages secret when they are traveling between a sender and recipient. Cryptography is a discipline built around maintaining confidentiality, and if it were not complicated, it would easily be cracked and rendered useless. If you need any convincing, simply Google the RSA (Rivest-Shamir-Adleman) algorithm used in cryptography. Mercifully, the algorithm will not be discussed in this lesson, but a little research can go a long way in showing you just how complicated cryptography can get.

Evolutions of Cryptography

Boyle and Panko (2021) tell us that cryptography has been around for thousands of years. Throughout history, military leaders have had to keep their plans secret, government officials have had to keep their conversations private, and children have tried to convey “sensitive information” to their friends using secret language. In other words, when you substituted numbers or symbols for the alphabet to speak in code to your friends, you were also using a simple form of cryptography. The same can be said for the most sophisticated and impactful messages conveyed in code by empires past.

UNIT III STUDY GUIDE Cryptography


Even in antiquity, cryptography was used on cave walls in non-standard hieroglyphs. Arabs would later develop various cryptanalytic (i.e., code-breaking) techniques, including some for polyalphabetic ciphers, which is a technique where multiple substitution alphabets are used. During the same period, the first descriptions of frequency analysis would emerge, which is a form of cryptanalysis in which the frequency of letters or groups of letters is studied to decipher the ciphertext.

Most notably, during World War II, the Germans used a cryptography machine known as Enigma to send coded messages. Unfortunately for them, mathematician Marian Rejewski cracked Enigma’s code using mathematics and some limited documentation acquired from a German clerk. However, the Germans were able to crack some of the codes used by Allied Forces, such as Naval Cipher No. 3, which ultimately allowed them to sink several Atlantic convoys.

Cryptography has come a long way since the 1940s. Nowadays, complex algorithms must have a key to encrypt and decrypt information. The keys convert readable text, or “plaintext,” into a seemingly random stream of bits called ciphertext. This process requires a cipher, which is a mathematical process used in both encrypting and decrypting. It also requires a key, which can consist of 40 to 40,000 bits. Each key will generate a different ciphertext. The longer the keys are, the harder it is to crack the code. Characters may be substituted or transposed multiple times. Also, most of the time, encryption is performed on the bits and not on the actual characters.

Cryptography uses strings of characters, called keys, for both encryption and decryption of information. Processing the information contained in a key through a cryptographic algorithm results in encoding or decoding of cryptographic data. (Faithiecannoise, n.d.)

Symmetric Key Encryption Ciphers

There is a symbiotic relationship between the hacking skills of hackers and the encryption skills of information technology (IT) professionals. As hackers increase their encryption cracking skills, algorithms simultaneously—and necessarily—evolve and continue to improve. Many encryption ciphers have been created and used over time. While they all have the same goal of producing an encrypted message, in comparison, they use differing levels of computing requirements, speed, and strength. Ciphers that are the fastest and most efficient in computer processing are often the easiest to crack. For instance, RC4 is fast and efficient but gives minimal protection if not used properly. In contrast, Advanced Encryption Standard offers key lengths in 128 bits, 192 bits, and 256 bits. Even the 128-bit version would take 100 trillion years to crack using brute force. The computing requirements, however, are more demanding.

A key’s processing requirements must be considered. In IT, you have to think about any system function that has a “cost” to your resources. You may have all of the random access memory (RAM), central processing unit (CPU), and storage you need; however, if you work for an organization that does not freely spend money, you have to consider the cost. The same thing applies to adding a field to a table in a database. If the table will have a billion rows and your field could have four characters versus eight characters, you should choose what will save space.

Confidentiality, Data Integrity, and Authentication

Now that we have talked about the basics of cryptography, what makes up a cryptographic system? Boyle and Panko (2021) describe a cryptographic system as a packaged set of cryptographic countermeasures necessary for protecting dialogues. It is also referred to as a cryptosystem. Parties using the system have to agree on which standard they are going to use to communicate. There are steps that two parties will take when they agree to communicate through a cryptographic system standard. These steps include the handshaking stages, initial authentication, keying, and ongoing communication. We will not explain these steps here because the textbook gives you a good explanation and a visual depiction of how each works. However, they work very well with our next topic.

Cryptography and encryption techniques can provide essential things: confidentiality, data integrity, and authentication. Confidentiality and authentication refer to limiting information to authorized users. This involves using authentication methods that are also part of encryption. Authentication is a process in which a user’s identity is verified. During the authentication process, someone known as a supplicant is trying to prove their identity and someone else, called a verifier, will verify the information. Credentials are sent, and if all is well, the two will shake hands, meaning that they will be able to establish a connection. Data integrity refers to the process of ensuring that the data being passed has not been changed along the journey.

Hashing is also used in cryptography. One example of how hashing can be used is this: If you take a sentence and apply a hash algorithm to it, you will get a short number. For example, 21 divided by 5 is 4 with a remainder of 1, so 1 is your hash. If you change the 21 to 22, then your hash is 2. The same applies to text. If you apply a hash algorithm to a sentence, you will get a hash number. If you change the sentence, you will get a different number. This can be used to make sure that the message you have received did not change in transit.

Did you ever see the 2014 movie The Imitation Game, starring Benedict Cumberbatch? Cumberbatch played British mathematician Alan Turing, who designed a device that used hashing to crack the German Enigma code and decrypt German intelligence messages during World War II.

Common hashing functions include MD5, SHA-1, and SHA-256.

In the photo above, a man turns a cryptography switch to change the hash algorithm to SHA-256. (Le Moal, n.d.)

Deep Dive on Hashing and Evidentiary Implications


Before we move on, what is a very important, practical way that a hash can be used? How about in computer forensics? Suppose you are an IT forensics technician, and you have been given a hard drive to inspect and pull information from for evidence. Because digital evidence must be preserved, just like physical evidence, it must be duplicated—or imaged—in a way that ensures no changes will be made to the original files. After imaging, the digital forensics technician must ensure that the original and duplicated copies are exactly the same. But how? As you may have guessed, the answer lies in hashing. Hash algorithm values are used for verification—they take any amount of data (input) and create a fixed-length value (output) known as a hash, which acts as a unique reference number for the original data. Because hash values are fixed in length and made up of a combination of digits unique to the original data they reference, the values are extremely sensitive to changes in original data, down to the bit. If hash values between the original image and the copy match, the investigator has verified that the original and duplicate are the same. Courts can then accept this information as evidence.
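The image check described above, as an added example that is not part of the study guide: it streams an original and its copy through SHA-256, compares the digests, and shows that changing a single bit in the copy breaks the match. The file names and sample data are constructed, and `remainder_hash` is the lesson's divide-by-5 illustration, kept here to show that it gives 21 and 26 the same value, which is why evidence verification relies on a cryptographic hash instead.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large image never sits in memory


def file_digest(path, algorithm="sha256"):
    """Stream a file through the named hash and return its hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(original, copy, algorithm="sha256"):
    """Return (match, original_digest, copy_digest) for an evidence image."""
    a, b = file_digest(original, algorithm), file_digest(copy, algorithm)
    return a == b, a, b


def remainder_hash(n, modulus=5):
    """The lesson's toy hash: the remainder after dividing by 5."""
    return n % modulus


def demo():
    """Image a constructed 'drive', then change one bit in the copy."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "image.bin")
        data = bytes(range(256)) * 8192  # constructed sample data, 2 MiB
        for path in (src, img):
            with open(path, "wb") as f:
                f.write(data)
        clean = verify_image(src, img)
        with open(img, "r+b") as f:  # flip the lowest bit of one byte
            f.seek(1_000_000)
            value = f.read(1)[0]
            f.seek(1_000_000)
            f.write(bytes([value ^ 0x01]))
        altered = verify_image(src, img)
    return clean, altered


if __name__ == "__main__":
    clean, altered = demo()
    print("untouched copy matches:", clean[0], "| after one-bit change:", altered[0])
    print("toy hash of 21, 22, 26:", [remainder_hash(n) for n in (21, 22, 26)])
```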

VPNs

Many people are unaware that virtual private networks (VPNs) are created using a cryptographic system. The use of the cryptographic system allows secure communication over an untrusted network, like a wireless local area network (LAN). Many organizations enjoy the use of remote access VPNs so their workers can connect offsite. VPNs are attractive because they are so inexpensive compared to other options like wide area networks (WANs). The textbook discusses several types of VPNs, such as host-to-host, remote access, and site-to-site. Be sure to familiarize yourself with these options.

Some of these manifestations of VPNs appear in our everyday lives, even as consumers. For instance, when you purchase something online, you are first connected to an e-commerce server. The server, in turn, will create a host-to-host VPN between itself and your browser. This technique allows for confidential, and therefore safe, communication between yourself and the server so you can create a secure transaction. In remote access VPNs, users connect to a VPN gateway. Before the user is given access, he or she must first be authenticated. Another iteration of VPNs allows site-to-site communication. Each of these VPN types is considered a cryptographic system. There are standards for VPNs, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which are discussed in more detail in your textbook.

Internet Protocol Security (IPsec)

The strongest VPN system is the most important standard to learn. It is a family of Internet Engineering Task Force (IETF) cryptographic standards that is known as IPsec. IPsec operates at the internet layer rather than the transport layer, protecting everything in the IP packet data field. It is also completely transparent to the higher layers. Please review the discussion on this standard in the textbook, as it involves important concepts in IT security.

References

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson. https://online.vitalsource.com/#/books/9780135823354

Faithiecannoise. (n.d.). Matching keys made of circuits & led lights, encryption & cryptography (ID 79973735) [Photograph]. Dreamstime. https://www.dreamstime.com/stock-photo-matching-keys-made-circuits-led-lights-encryption-crypto-algorithms-cryptography-concepts-public-private-electronic-image79973735

Le Moal, O. (n.d.). Cryptography concept, cryptographic hash algorithm, SHA-2 (ID 111330522) [Photograph]. Dreamstime. https://www.dreamstime.com/cryptography-concept-cryptographic-hash-algorithm-sha-man-turning-cryptography-switch-to-change-cryptographic-hash-algorithm-image111330522
