Cryptography


7/22/2019 TestOut LabSim

https://cdn.testout.com/client-v5-1-10-563/startlabsim.html 1/3

9.3.3 Cryptographic Implementation Facts

Operating systems, applications, and other components of information systems typically use a hybrid cryptography system. A hybrid cryptography system combines the strengths of hashing, symmetric, and asymmetric encryption, depending on the need for cryptographic services. For example:

- Use symmetric encryption for fast and efficient encryption of bulk data.
- Use hashing to verify message integrity.
- Use asymmetric encryption for authentication and non-repudiation.
- Use asymmetric encryption for secure exchange of symmetric encryption keys (for example, by encrypting the key used for symmetric encryption prior to sharing the key with the recipient). Using asymmetric cryptography for encryption is best for small pieces of data.

The following table lists some of the applications for cryptography:

Implementation Description

File System Encryption

Encrypting data in files, directories, volumes, and hard drives provides an additional layer of security for data. Options for file system encryption are as follows:

- Encrypting File System (EFS) is available for encrypting files and directories on NTFS partitions.
- GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP) offer encryption options for Linux systems.
- BitLocker Drive Encryption (also known as full-volume encryption) protects offline data access on lost or stolen laptops or other compromised systems.
- In Microsoft Windows, EFS is referred to as file encryption key (FEK).

Digital Signature

A digital signature or signing is a combination of asymmetric encryption and hashing values. A signature provides confidentiality, integrity validation, strong authentication, and non-repudiation. Typically, a digital signature works as follows:

1. A hash value is generated for a message.
2. The hash value is asymmetrically encrypted using the sender's private key. Non-repudiation is provided because only the sender could have encrypted the hash using the private key (only the sender knows the private key).
3. The encrypted hash value and the message are sent.
4. The recipient decrypts the hash using the sender's public key.
5. The recipient hashes the message.
6. Message integrity and sender authenticity (non-repudiation) are confirmed if the two hash values match.

Digital Envelope

In addition to digital signatures, data can be secured in transit by secure data transmission. This protects the message from hackers by using asymmetric encryption to secure the message before sending it to the recipient. Secure data transmission uses the following process:

1. The sender requests a copy of the recipient's public key.
2. The recipient or CA sends a digital certificate containing the public key to the sender.
3. The sender asymmetrically encrypts the message using the recipient's public key.
4. The sender sends the asymmetrically encrypted message to the recipient.
5. The recipient uses his private key to decrypt the message.
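The digital signature steps and the digital envelope steps above, carried through in code. This is an added example, not part of the original study material; the function names, the toy key pairs and the sample message are assumptions made for illustration, and the RSA here is unpadded textbook RSA.

```python
import hashlib

# Constructed toy keys built from Mersenne primes so the example runs offline.
# Such primes are unsafe for real keys, and unpadded RSA is for teaching only:
# production code uses a vetted library with RSA-PSS (signing) and OAEP.
E = 65537

def make_keypair(p: int, q: int):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, sender_private) -> int:
    """Signature steps 1-2: hash the message, transform the hash with the private key."""
    n, d = sender_private
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, sender_public) -> bool:
    """Signature steps 4-6: recover the hash with the public key, re-hash, compare."""
    n, e = sender_public
    return pow(signature, e, n) == digest_int(message)

def seal(message: bytes, recipient_public) -> int:
    """Envelope step 3: encrypt a small message with the recipient's public key."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:  # asymmetric encryption only fits small pieces of data
        raise ValueError("message does not fit in one RSA block")
    return pow(m, e, n)

def open_envelope(ciphertext: int, recipient_private, length: int) -> bytes:
    """Envelope step 5: only the recipient's private key recovers the message."""
    n, d = recipient_private
    return pow(ciphertext, d, n).to_bytes(length, "big")

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)

if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"  # constructed sample message
    sig = sign(msg, SENDER_PRIV)
    print("genuine message verifies:", verify(msg, sig, SENDER_PUB))
    print("altered message verifies:", verify(msg + b"0", sig, SENDER_PUB))
    box = seal(msg, RECIP_PUB)
    print("recipient recovers:", open_envelope(box, RECIP_PRIV, len(msg)))
```

The size check in seal() is the practical reason the hybrid approach wraps a short symmetric key rather than bulk data with the public key.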

Trusted Platform Module

Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys.

A TPM is required to check the integrity of startup files and components in BitLocker implementations. The TPM generates a hash of the startup files to verify the integrity of those files. Additionally, the TPM creates a hash of system components. This hash acts as a validation check of the system to ensure that system components have not changed. The hash can also be used to uniquely identify the system.

The system startup key can be saved in the TPM. With the startup key saved in the TPM, the system can start without additional intervention. Without a TPM, the startup key must be stored on a USB drive. The system will not start without the startup key. When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system. The TPM generates random numbers. TPM provides full support for asymmetric encryption; therefore, it can generate public and private keys.
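How hashing the startup files lets a TPM decide whether to release a stored startup key, shown as a software simulation. This is an added example, not part of the original study material, and it goes beyond the text by using the TPM's hash-chaining "extend" operation on a platform configuration register (PCR); the SimulatedTPM class, its methods, the boot chain and the key are constructed for illustration and are not a real TPM or BitLocker API.

```python
import hashlib
import hmac

class SimulatedTPM:
    """Software stand-in for one SHA-256 PCR and one sealed secret (hypothetical class)."""

    def __init__(self):
        self.pcr = bytes(32)   # a PCR starts at all zeros after power-on
        self._sealed = None    # (PCR value required, secret); survives reboots

    def power_on(self) -> None:
        self.pcr = bytes(32)

    def extend(self, component: bytes) -> None:
        """PCR extend: new = SHA-256(old PCR || SHA-256(component))."""
        measurement = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()

    def seal(self, secret: bytes) -> None:
        """Bind the secret to the PCR value produced by the current boot."""
        self._sealed = (self.pcr, secret)

    def unseal(self) -> bytes:
        """Release the secret only if this boot measured the same as the sealed one."""
        required, secret = self._sealed
        if not hmac.compare_digest(required, self.pcr):
            raise PermissionError("startup measurements changed; key withheld")
        return secret

def boot(tpm: SimulatedTPM, startup_files) -> bytes:
    """Measure each startup file in order and return the resulting PCR value."""
    tpm.power_on()
    for blob in startup_files:
        tpm.extend(blob)
    return tpm.pcr

def try_start(tpm: SimulatedTPM, startup_files):
    """Return the startup key, or None when the TPM refuses to release it."""
    boot(tpm, startup_files)
    try:
        return tpm.unseal()
    except PermissionError:
        return None

# Constructed sample boot chain and key, not real firmware or BitLocker data.
GOOD_CHAIN = [b"firmware v1", b"boot manager v1", b"os loader v1"]
STARTUP_KEY = b"constructed-volume-key"
```

Because each extend folds the previous PCR value into the next hash, a modified file or a changed load order both yield a different final value, and the key stays sealed.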

Full Disk Encryption and Self-Encrypting Drive

There are many vendors that provide hardware-based full disk encryption (FDE) devices which require a password or key to access the encrypted data. A hard disk drive with FDE is usually referred to as a self-encrypting drive (SED).

Hardware Root of Trust

Many roots of trust are implemented in hardware. A TPM is an implementation of a hardware root of trust. One benefit of using a hardware root of trust is that malware can't tamper with the functions they provide.

Hardware Security Modules

A Hardware Security Module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as encryption, decryption, key generation, and hashing. HSM devices can also provide key management. HSMs traditionally come in the form of a plug-in card or an external security device that can be attached directly to the computer system. Other names for HSMs include the following:

- Personal Computer Security Module (PCSM)
- Secure Application Module (SAM)
- Hardware Cryptographic Device
- Cryptographic Module

When using an HSM to back up keys, make sure the backup device attaches directly to the HSM.

The following table identifies how the technologies are implemented in LAN- and web-based environments:

Technology Description

Secure Electronic Transaction

Secure Electronic Transaction (SET) was developed by VISA and MasterCard to secure transactions. Credit card data and a digital certificate are stored in a plug-in to the user's web browser. An order received by a SET-enabled merchant server passes the encrypted payment information to the bank. Approval is electronically sent to the merchant. SET uses DES and RSA in addition to digital signatures.

Secure Sockets Layer

Secure Sockets Layer (SSL) was developed by Netscape to secure internet-based client/server interactions. SSL authenticates the server to the client using public key cryptography and digital certificates and encrypts the entire communication session. SSL can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email. SSL operates over TCP port 443. SSL operates at the Session layer of the OSI model. Session keys employed by SSL (Secure Sockets Layer) are available in 128-bit and 40-bit lengths.

Transport Layer Security

Transport Layer Security (TLS) was developed by Netscape to secure internet-based client/server interactions. TLS is based on SSL, but they are not interoperable. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email. TLS operates over TCP port 443 or port 80. TLS has a specific version for wireless communications known as Wireless Transport Layer Security (WTLS).

Secure Hypertext Transport Protocol

Secure Hypertext Transport Protocol (S-HTTP) is the old method for securing communications on web servers. It is a message-based encryption technique in which each file is encrypted separately. S-HTTP is not used anymore.

Hypertext Transport Protocol Secure

Hypertext Transport Protocol Secure (HTTPS) uses HTTP over SSL (Secure Sockets Layer). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for that session are valid for that session only. HTTPS is used predominantly throughout the internet. HTTPS operates over TCP port 443.

Secure Shell

Secure Shell (SSH) was developed for the UNIX platform to encrypt or secure communications for remote facilities. SSH operates over TCP port 22.

Internet Protocol Security

Internet Protocol Security (IPsec) is a data encryption protocol for LAN-based applications. IPsec:

- Is widely deployed in VPN technology.
- Can be used with IP only.
- Can be used to encrypt any traffic supported by the IP protocol. This includes web, email, TELNET, file transfer, and SNMP traffic, as well as countless others.
- Includes both encryption and authentication mechanisms.
- Is fully capable of providing a secure communication means for any LAN or internet-based system using TCP/IP.
- Can be used with L2TP or alone to protect data.
- Requires either certificates or pre-shared keys.
- Functions at the Network layer of the OSI model.
- Generally can't be used when a NAT proxy is deployed.
- Operates at the Network layer (Layer 3).
- Uses UDP port 500.

Secure Real-Time Transport Protocol

Secure real-time transport protocol (SRTP) is a secure extension of RTP (real-time transport protocol) that adds enhanced security features. It was developed to secure VoIP (Voice over IP) communications. SRTP uses encryption and authentication and can achieve high throughput in multiple communications environments, including both hard-wired and wireless environments.

The following table identifies the encryption technologies implemented to secure email messages:

Technology Description

Privacy Enhanced Mail

Privacy Enhanced Mail (PEM) was one of the first email securing technologies. It supports digital signatures, digital certificates, and asymmetric key cryptography.

Pretty Good Privacy

Pretty Good Privacy (PGP) is a commercial asymmetric cryptosystem used for email. PGP provides all four cryptographic services and uses the RSA public key encryption system for key exchange and digital signatures. It relies upon the IDEA or 3DES algorithm for encryption and is based on a pass phrase and a web of trust, not a hierarchy of trust. The public keys used in a PGP system are stored in a key ring. PGP can also secure the email attachments to the messages.

Secure Multipurpose Internet Mail Extensions

Secure Multipurpose Internet Mail Extensions (S/MIME) uses a standard public key encryption, authenticates through digital signatures, uses X.509 version 3 certificates, and is included in most web browsers. Similar to PGP, S/MIME can secure email attachments.

Message Security Protocol

Message security protocol (MSP) is a military implementation of PEM.