sy0-601-05v1.0.pptx

Summarizing Basic Cryptographic Concepts

Lesson 5


Compare and Contrast Cryptographic Ciphers

Topic 5A

CompTIA Security+ Lesson 5 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


Syllabus Objectives Covered

2.1 Explain the importance of security concepts in an enterprise environment (Hashing only)

2.8 Summarize the basics of cryptographic concepts


Cryptographic Concepts

Encryption and decryption—encoding and decoding

Plaintext is the unencoded message

Ciphertext is the coded message

Cipher is the means of change or algorithm

Cryptanalysis is the art of cracking cryptographic systems

Meet Alice and Bob (and observe Mallory, lurking)

Hashing algorithms

Encryption ciphers

Symmetric

Asymmetric


Hashing Algorithms

Fixed length hash from variable string with cryptographic properties

One-way (plaintext cannot be recovered from the digest)

Anti-collision (no two plaintexts are likely to produce the same checksum)

Used for password storage and checksums (integrity)

Secure Hash Algorithm (SHA)

Message Digest Algorithm (MD5)


Images © 123rf.com.

Encryption Ciphers and Keys

Hashing is not encryption—the process is not reversible

Encryption uses a reversible process based on a secret

Process should be too complex to unravel without the secret

Substitution

Transposition

Cannot keep the cipher/algorithm itself secret

Key ensures ciphertext remains protected even when the operation of the cipher is known

Protecting the key is easier than protecting the algorithm


Symmetric Encryption

Same secret key is used for encryption and decryption

Fast—suitable for bulk encryption of large amounts of data

Problem storing and distributing key securely

Confidentiality only—sender and recipient know the same key


Stream and Block Ciphers

Stream ciphers

Encrypt and decrypt one bit/byte at a time

Must be used with an initialization vector (IV)

Block ciphers

Treat data as equal-size blocks, using padding if necessary

Advanced Encryption Standard (AES/AES256)

Key length

Range of key values is the keyspace

Longer key bit length means a larger keyspace

Strength of key of any given length varies between ciphers


Asymmetric Encryption

Public/private key pair

If the public key encrypts, only the private key can decrypt

If the private key encrypts, only the public key can decrypt

Private key cannot be derived from the public key

Private key must be kept secret

Public key is easy to distribute (anyone can have it)

Message size is limited to the key size, so not suitable for large amounts of data

Used for small amounts of authentication data


Public Key Cryptography Algorithms

RSA algorithm (Rivest, Shamir, Adleman)

Basis of many public key cryptography schemes

Trapdoor function

Easy to calculate with the public key, but difficult to reverse without the private key

Elliptic curve cryptography (ECC)

Concerns about RSA being vulnerable to cryptanalysis

Another type of trapdoor function

Can use smaller keys to obtain same security


Review Activity: Cryptographic Ciphers

Summarize Cryptographic Modes of Operation

Topic 5B


Syllabus Objectives Covered

2.8 Summarize the basics of cryptographic concepts


Digital Signatures

Using public key cryptography with hashing

Digital signatures provide integrity, authentication, non-repudiation

RSA-based digital signatures

Digital Signature Algorithm (DSA) with ECC cipher


Digital Envelopes and Key Exchange


Digital Certificates

Wrapper for a public key to associate it with a digital identity

Identity assertion is validated by a certificate authority (CA) by signing the certificate

Both parties must trust the CA

Referred to as public key infrastructure (PKI)


Perfect Forward Secrecy

RSA key exchange decrypts the session key using the server private key

The private key stored on the server may be compromised in the future

If key is compromised, previously captured transmissions could be deciphered

Perfect forward secrecy (PFS) mitigates this issue

Uses Diffie-Hellman key agreement protocols

Allows two parties to derive the same secret value that an eavesdropper cannot guess
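An added example (not part of the CompTIA slides) of the Diffie-Hellman agreement the slide refers to: both sides derive the same session key from values exchanged in the clear, and because each handshake uses fresh (ephemeral) key pairs, a later compromise of any stored key does not expose earlier sessions. Assumption: the group (p = 2**127 - 1, g = 3) is a toy chosen for readability, not a standardized DH group; real deployments use RFC 7919 finite-field groups or elliptic-curve DH.

```python
import hashlib
import secrets

# Toy group (assumption of this demo): p is prime (a Mersenne prime) but is NOT a
# standardized DH group and is far too small for real use.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Fresh (ephemeral) private exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret (g^y)^x mod p; degenerate public values 0, 1 and p-1 are rejected
    because they force the result into a tiny set of values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def session_key(shared_secret, transcript):
    """Derive a fixed-size key; binding the transcript ties the key to this handshake.
    TLS does this with its HKDF-based key schedule; SHA-256 stands in here."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + transcript).digest()


def ephemeral_handshake():
    """One session. Only the two public values travel on the wire (the transcript);
    an eavesdropper who records them still cannot compute the shared secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    transcript = a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
    key_a = session_key(dh_shared(a_priv, b_pub), transcript)   # Alice's view
    key_b = session_key(dh_shared(b_priv, a_pub), transcript)   # Bob's view
    return key_a, key_b, transcript
```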


Cipher Suites and Modes of Operation

Cipher suite

Signature algorithm—proves messages were created by the server (authentication and integrity)

Key exchange/agreement algorithm—allows client and server to agree on session keys

Bulk encryption cipher—uses the session key to keep the data confidential

Modes of operation

Use symmetric block cipher with arbitrary length network data

Cipher Block Chaining (CBC)

Combines blocks and an initialization vector (IV) using XOR operation

Data must be a multiple of the block size, so the last block requires padding

Counter mode

Generates keystream with IV and counter

Does not require block padding


Authenticated Modes of Operation

Unauthenticated encryption

Secret key encryption cannot prove integrity

Makes cryptographic system vulnerable to insertion and modification attacks

Authenticated encryption

Message authentication code (MAC)

Creates a hash from a combination of the message and a shared secret

Implementations can be vulnerable to padding oracle attacks

Authenticated encryption with additional data (AEAD)

Counter modes or stream ciphers that do not use padding

Associates message with context to prevent replay
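An added example (not from the CompTIA slides) covering both the modes-of-operation slide and this one: a counter-mode keystream needs no padding, but on its own it cannot prove integrity, since flipping a ciphertext bit silently flips the matching plaintext bit. Adding a MAC over nonce and ciphertext (encrypt-then-MAC) makes such modification detectable. Assumptions: HMAC-SHA256 stands in for the block cipher as the keystream PRF (real code uses AES-CTR or an AEAD such as AES-GCM), and pkcs7_pad is included only to show what CBC would require.

```python
import hashlib
import hmac
import os
import struct


def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """CBC needs whole blocks: append n bytes of value n (PKCS#7), always at least one."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode keystream: PRF(key, nonce || counter) per 32-byte block.
    HMAC-SHA256 stands in for the block cipher (an assumption of this demo)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: no padding, and the same call decrypts. Reusing a nonce
    under one key leaks the XOR of the two plaintexts, so each message needs a fresh one."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes):
    """Verify the tag in constant time before decrypting; returns None on any tampering."""
    if len(message) < 48:                        # 16-byte nonce + 32-byte tag minimum
        return None
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_crypt(enc_key, nonce, ct)
```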


Review Activity: Cryptographic Modes of Operation

Summarize Cryptographic Use Cases and Weaknesses

Topic 5C


Syllabus Objectives Covered

1.2 Given a scenario, analyze potential indicators to determine the type of attack

2.8 Summarize the basics of cryptographic concepts


Cryptography for Authentication and Non-repudiation

Cryptographic primitives versus cryptographic systems

Authentication and access control

Assuming the private key is secure, an encrypted token could only have been created by the key holder

Non-repudiation

Sender cannot deny (repudiate) the message as only she/he could have created it


Cryptography Supporting Confidentiality

Hybrid encryption

Public key cryptography is only efficient with small amounts of data

Symmetric encryption makes key distribution difficult

Symmetric key is used for bulk encryption and protected by public key cryptography

File encryption

Private key encrypts the symmetric key

Use of the key is locked to a user account credential

Transport encryption

Session key exchange/agreement


Cryptography Supporting Integrity and Resiliency

Integrity

Using hash functions and message authentication codes to validate messages

Resiliency

Using cryptography to ensure authentication and integrity of control messages

Obfuscation

Make something hard to understand

Encryption can perform this function, but it is very hard to secure an embedded key

White box cryptography


Cryptographic Performance Limitations

Limitations

Speed—Amount of data/number of operations per second

Time/latency—Delay in completing an operation

Size—Key size increases security but also CPU/memory requirements

Computational overhead—Complexity of cryptographic implementation or cipher

Resource-constrained environments

Low-power devices

Battery-powered systems

Contactless smart cards

Low latency

Delay-sensitive communications protocols/implementations


Cryptographic Security Limitations

Entropy

Checksums and ciphertext must show no discernible order (high entropy)

Weak ciphers and weak keys

Weak implementations

Weak randomness

Predictability and reuse

Nonce

Initialization vector (IV)

Salt


Longevity and Cryptographic Attacks

How secure are current algorithms?

How long must a ciphertext be resistant to attacks?


Man-in-the-Middle and Downgrade Attacks

Man-in-the-Middle (MitM)

Interferes with the public key presented to the client

Downgrade attack

Forces server into using weak protocol versions and ciphers


Key Stretching and Salting

User-generated data is low entropy

Key stretching

Use additional rounds to strengthen keys

Makes the attacker do more work, slowing down brute-force attacks

Salting

Add a random value to each password when hashing it for storage

Prevents use of pre-computed hash tables
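An added example (not from the CompTIA slides) of both techniques on this slide using PBKDF2-HMAC-SHA256 from the standard library: a random salt per password defeats precomputed tables, and the iteration count is the stretching that makes each guess cost the attacker as much as it costs the verifier. Assumptions: the record format (algorithm$iterations$salt$digest) is invented for the demo, and the 600,000 default follows OWASP's 2023 guidance for this primitive.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it over time as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salt and stretch a password for storage; returns a self-describing record
    (constructed format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>)."""
    # A fresh random salt per password means identical passwords get different
    # records, so a precomputed table is useless against the whole store.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was stretched with fewer rounds than the current policy,
    so it should be re-hashed at the user's next successful login."""
    return int(stored.split("$")[1]) < iterations
```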


Collisions and the Birthday Attack

Exploit collisions to forge a signature

The math of the birthday paradox shows that finding a collision is easier than expected

Chosen prefix collision attacks
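An added worked example (not from the CompTIA slides) of the birthday math on this slide: the exact collision probability, the rule of thumb that roughly sqrt(2 ln 2 * N) samples give even odds, and a generic birthday search run against a truncated SHA-256 so the collision is cheap to reproduce. Assumption: truncation to 24 bits is a stand-in for a weak short hash; full SHA-256 would need about 2**128 work by the same formula.

```python
import hashlib
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash (demo assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def collision_probability(samples: int, space_size: int) -> float:
    """Exact chance that at least two of `samples` uniform draws from N values collide:
    1 - prod_{i=0}^{k-1} (N - i) / N."""
    p_no_collision = 1.0
    for i in range(samples):
        p_no_collision *= (space_size - i) / space_size
    return 1.0 - p_no_collision


def samples_for_even_odds(space_size: int) -> int:
    """Birthday bound: about sqrt(2 ln 2 * N) draws give a 50% collision chance,
    so an n-bit hash offers only about n/2 bits of collision resistance."""
    return math.ceil(math.sqrt(2 * math.log(2) * space_size))


def find_collision(bits: int):
    """Generic birthday search: remember every digest until one repeats.
    Returns (message_a, message_b, attempts); attempts is near the bound above."""
    seen = {}
    attempts = 0
    while True:
        attempts += 1
        msg = f"msg-{attempts}".encode()
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, attempts
        seen[digest] = msg
```

For the classic 365-day case the bound gives 23 people; for a 24-bit digest it gives a few thousand attempts rather than the 2**24 a naive preimage search would need.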


Review Activity: Cryptographic Use Cases and Weaknesses

Summarize Other Cryptographic Technologies

Topic 5D


Syllabus Objectives Covered

2.8 Summarize the basics of cryptographic concepts


Quantum

Quantum computing

Quantum bits (qubits), superposition, entanglement and collapse

Quantum computers can keep track of a lot of state data at the same time

Communications

Tamper-evident key distribution

Post-quantum

Quantum-based cryptanalysis

Post-quantum cryptography (replacements for the current algorithms)

Lightweight cryptography


Homomorphic Encryption

Supports data analytics functions while preserving confidentiality and privacy


Blockchain

Expanding list of transactional records (blocks)

Each block is linked by hashing

Public ledger

Ledger of transactions performed on a digital asset

Peer-to-peer so transactions are public

Transactions cannot be deleted or reversed

Widely used for cryptocurrencies

Potential uses for financial transactions, online voting systems, identity management systems, notarization, data storage, …
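An added example (not from the CompTIA slides) of the "linked by hashing" point: each block's hash covers the previous block's hash, so editing any record breaks every link after it, and a verifier can report exactly where the chain was tampered with. Assumption: the block layout is a minimal constructed one; real blockchains add consensus, signatures and Merkle trees on top of this chaining.

```python
import copy
import hashlib
import json

GENESIS_LINK = "0" * 64   # the first block points at an all-zero hash


def block_hash(index: int, data: str, prev_hash: str) -> str:
    """Hash of the block contents, including the previous block's hash (the link)."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    """Append each record as a block whose hash depends on everything before it."""
    chain, prev = [], GENESIS_LINK
    for index, data in enumerate(records):
        h = block_hash(index, data, prev)
        chain.append({"index": index, "data": data, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first block whose contents or link do not check out,
    or None when the whole chain is intact."""
    prev = GENESIS_LINK
    for block in chain:
        if block["prev"] != prev:
            return block["index"]
        if block_hash(block["index"], block["data"], block["prev"]) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def tampered_copy(chain, index, new_data, recompute_hash=False):
    """Constructed test helper: alter one block's record, optionally fixing only its own hash."""
    altered = copy.deepcopy(chain)
    altered[index]["data"] = new_data
    if recompute_hash:
        altered[index]["hash"] = block_hash(index, new_data, altered[index]["prev"])
    return altered
```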


Steganography

Concealing messages within a covertext

Often uses file data that can be manipulated without introducing obvious artifacts

Image

Audio

Video

Covert channels


Review Activity: Other Cryptographic Technologies

Summary

Lesson 5
