Summarizing Basic Cryptographic Concepts
Lesson 5
Compare and Contrast Cryptographic Ciphers
Topic 5A
CompTIA Security+ Lesson 5 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
2.1 Explain the importance of security concepts in an enterprise environment (Hashing only)
2.8 Summarize the basics of cryptographic concepts
Cryptographic Concepts
Encryption and decryption: scrambling data so it cannot be read, and recovering it again
Plaintext is the unencrypted message
Ciphertext is the scrambled output
Cipher is the algorithm that performs the transformation, controlled by a key
Cryptanalysis is the art of breaking cryptographic systems without the key
Meet Alice and Bob (and observe Mallory, lurking)
Hashing algorithms
Encryption ciphers
Symmetric
Asymmetric
Hashing Algorithms
Fixed-length digest computed from input of any length, with cryptographic properties
One-way (the input cannot be recovered from the digest)
Collision resistant (it should be infeasible to find two inputs that produce the same digest)
Used for password storage and checksums (integrity)
Secure Hash Algorithm (SHA): SHA-1 is deprecated for signatures; use SHA-2 (SHA-256, SHA-512) or SHA-3
Message Digest Algorithm (MD5): collisions are practical to compute, so it is unsuitable wherever collision resistance matters
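The three properties on this slide (fixed length, one-way, avalanche on a one-character change) and the everyday integrity check they enable are easier to see in running code. The following is an added example, not part of the CompTIA slides; the two messages are constructed sample inputs, and only the Python standard library is used.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the slides).
MESSAGE = b"Transfer 100 to account 4471"
TAMPERED = b"Transfer 900 to account 4471"   # a single character changed


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length digest of input of any length, as lowercase hex."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(a_hex: str, b_hex: str) -> int:
    """How many bit positions differ between two equal-length digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def verify_checksum(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check of a download against its published checksum.

    Recompute the digest and compare in constant time: a plain == on the hex
    strings returns early on the first mismatch and leaks timing information.
    """
    return hmac.compare_digest(digest_hex(data, algorithm), published_hex.strip().lower())


if __name__ == "__main__":
    for size in (0, 1, 1_000_000):
        print(f"sha256 of {size:>9} bytes -> {len(digest_hex(b'a' * size)) * 4}-bit digest")
    d1, d2 = digest_hex(MESSAGE), digest_hex(TAMPERED)
    print(f"one changed character flips {differing_bits(d1, d2)} of 256 digest bits")
    print("checksum ok:", verify_checksum(MESSAGE, d1.upper()))
    print("checksum ok after tampering:", verify_checksum(TAMPERED, d1))
```

Whatever the input size, SHA-256 always returns 32 bytes, and changing one character flips roughly half the digest bits, which is why a digest can stand in for the whole file when checking integrity.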
Encryption Ciphers and Keys
Hashing is not encryption: a hash cannot be reversed
Encryption uses a reversible process based on a secret
Process should be too complex to unravel without the secret
Substitution (replace each unit of plaintext with another)
Transposition (rearrange the order of the plaintext units)
The cipher/algorithm itself cannot realistically be kept secret (Kerckhoffs's principle)
Key ensures ciphertext remains protected even when the operation of the cipher is known
Protecting the key is easier than protecting the algorithm
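The following added example (not from the CompTIA slides) implements the two classical building blocks named above, a substitution cipher and a columnar transposition, and then shows why the secret has to live in the key: the Caesar substitution has a keyspace of only 25 usable shifts, so knowing the algorithm lets an attacker try every key in a loop. The plaintext and the small list of common words used for scoring are constructed for the demonstration.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed sample plaintext and scoring words (not from the slides).
PLAINTEXT = "attack the castle at dawn with the reserve company"
COMMON_WORDS = {"the", "and", "at", "to", "of", "with"}


def caesar(text: str, shift: int) -> str:
    """Substitution cipher: each letter is replaced by the letter `shift` places along."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text
    )


def transpose_encrypt(text: str, columns: int, pad: str = "x") -> str:
    """Transposition cipher: write the letters in rows of `columns`, read them out by column."""
    letters = text.replace(" ", "")
    letters += pad * (-len(letters) % columns)
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transpose_decrypt(cipher: str, columns: int) -> str:
    rows = len(cipher) // columns
    cols = [cipher[i:i + rows] for i in range(0, len(cipher), rows)]
    return "".join(col[r] for r in range(rows) for col in cols)


def letter_histogram(text: str) -> dict:
    """Letter counts. A transposition leaves them unchanged, which is how an analyst spots it."""
    return {ch: text.count(ch) for ch in ALPHABET if ch in text}


def crack_caesar(cipher: str):
    """Brute force: only 25 shifts exist, so try them all and keep the candidate
    containing the most common English words. Returns (shift, plaintext)."""
    best_score, best_shift, best_text = 0, None, None
    for shift in range(1, 26):
        candidate = caesar(cipher, -shift)
        score = sum(token in COMMON_WORDS for token in candidate.split())
        if score > best_score:
            best_score, best_shift, best_text = score, shift, candidate
    return best_shift, best_text


def keyspace(key_bits: int) -> int:
    """Number of possible keys for a `key_bits`-bit key; every extra bit doubles it."""
    return 2 ** key_bits
```

Contrast the 25-key Caesar search with keyspace(128): a modern cipher's security comes from a keyspace that cannot be enumerated, not from hiding how the cipher works. The histogram check shows the other weakness of classical ciphers: transposition scrambles positions but leaves letter frequencies intact for the cryptanalyst.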
Symmetric Encryption
Same secret key is used for encryption and decryption
Fast: suitable for bulk encryption of large amounts of data
Problem storing and distributing the key securely
Confidentiality only: because sender and recipient share the same key, either of them could have produced a given message, so symmetric encryption alone gives no authentication or non-repudiation
Stream and Block Ciphers
Stream ciphers
Encrypt and decrypt one bit or byte at a time by XORing the data with a keystream
Must be used with a unique initialization vector (IV)/nonce per message so the keystream never repeats under the same key
Block ciphers
Treat data as equal-size blocks, using padding if necessary
Advanced Encryption Standard (AES): 128-bit blocks with 128-, 192- or 256-bit keys (AES-256)
Key length
Range of possible key values is the keyspace
Each extra bit of key length doubles the keyspace
Strength of a key of any given length varies between ciphers
Asymmetric Encryption
Public/private key pair
If the public key encrypts, only the private key can decrypt
If the private key encrypts, only the public key can decrypt
Private key cannot feasibly be derived from the public key
Private key must be kept secret
Public key is easy to distribute (anyone can have it)
Message size is limited to the key size, and the operations are slow, so not suitable for large amounts of data
Used for small amounts of data such as authentication tokens and session keys
Public Key Cryptography Algorithms
RSA algorithm (Rivest, Shamir, Adleman)
Basis of many public key cryptography schemes
Trapdoor function: easy to compute with the public key, but infeasible to reverse without the private key (security rests on the difficulty of factoring the modulus)
Elliptic curve cryptography (ECC)
Motivated by the ever larger key sizes RSA needs to stay ahead of advances in factoring
Another type of trapdoor function (the elliptic curve discrete logarithm problem)
Can use much smaller keys for the same security (a 256-bit curve key is comparable to 3072-bit RSA)
Cryptographic Ciphers
Review Activity
Summarize Cryptographic Modes of Operation
Topic 5B
Syllabus Objectives Covered
2.8 Summarize the basics of cryptographic concepts
Digital Signatures
Using public key cryptography with hashing: the message is hashed and the digest is signed with the sender's private key; anyone holding the public key can verify it
Digital signatures provide integrity, authentication, non-repudiation
RSA-based digital signatures
Digital Signature Algorithm (DSA) and its elliptic curve variant (ECDSA)
Digital Envelopes and Key Exchange
Digital Certificates
Wrapper for a public key that associates it with a digital identity (the subject name)
Identity assertion is validated by a certificate authority (CA), which signs the certificate
Both parties must trust the CA
The CAs, certificates and trust relationships together are referred to as public key infrastructure (PKI)
Perfect Forward Secrecy
In RSA key exchange the client encrypts the session key with the server's public key and the server decrypts it with its private key
The private key stored on the server may be compromised in the future
If the key is compromised, previously captured transmissions could be deciphered
Perfect forward secrecy (PFS) mitigates this issue
Uses Diffie-Hellman key agreement with ephemeral key pairs (DHE/ECDHE) that are discarded after the session
Allows two parties to derive the same secret value that an eavesdropper cannot compute; the server's long-term key only signs the exchange and never protects the session key itself
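The following is an added example, not CompTIA's material, covering Topic 5A's RSA trapdoor and this topic's signatures, digital envelope and Diffie-Hellman exchange in one runnable piece, since all of them rest on the same prime generation. It is textbook RSA with no OAEP/PSS padding and a Diffie-Hellman group built from a freshly generated prime with generator 2, both labelled as teaching toys in the code: real deployments use padded RSA or ECDSA for signatures and standardised groups (RFC 3526/7919) or ECDHE for key agreement. Key sizes are parameters, so the demo runs in well under a second.

```python
import hashlib
import secrets


# --- Prime generation (Miller-Rabin); shared by the RSA and Diffie-Hellman parts ---
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate


# --- Textbook RSA (toy: no padding). Trapdoor: m -> m^e mod n is easy; reversing it needs d ---
def rsa_keygen(bits: int = 1024):
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")   # the size limit
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


# --- Digital signature: hash the message, apply the private key to the digest ---
def rsa_sign(private, message: bytes) -> int:
    return rsa_decrypt(private, int.from_bytes(hashlib.sha256(message).digest(), "big"))


def rsa_verify(public, message: bytes, signature: int) -> bool:
    return rsa_encrypt(public, signature) == int.from_bytes(hashlib.sha256(message).digest(), "big")


# --- Digital envelope: a random symmetric key is wrapped with the recipient's public key ---
def wrap_key(public, key: bytes) -> int:
    return rsa_encrypt(public, int.from_bytes(key, "big"))


def unwrap_key(private, wrapped: int, length: int = 32) -> bytes:
    return rsa_decrypt(private, wrapped).to_bytes(length, "big")


# --- Diffie-Hellman with a fresh (ephemeral) key pair per session: the basis of PFS ---
def dh_params(bits: int = 512):
    # Toy group: random prime, generator 2. Use RFC 3526/7919 groups or ECDHE for real.
    return random_prime(bits), 2


def dh_keypair(p: int, g: int):
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_key(p: int, their_public: int, my_private: int) -> bytes:
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def session_keys(p: int, g: int, sessions: int) -> list:
    """Run independent handshakes; each key exists only in that session's ephemeral values."""
    keys = []
    for _ in range(sessions):
        a_priv, a_pub = dh_keypair(p, g)
        b_priv, b_pub = dh_keypair(p, g)
        assert dh_shared_key(p, b_pub, a_priv) == dh_shared_key(p, a_pub, b_priv)
        keys.append(dh_shared_key(p, b_pub, a_priv))
    return keys
```

The forward secrecy argument is visible in session_keys: the only values that determine each key are the two ephemeral private exponents, which are never stored, so a server private key stolen later cannot unwrap them the way it can unwrap an RSA-transported session key.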
Cipher Suites and Modes of Operation
Cipher suite
Signature algorithm: proves the handshake messages were created by the server (authentication and integrity)
Key exchange/agreement algorithm: allows client and server to agree session keys
Bulk encryption cipher: uses the session key to keep the data confidential
Modes of operation
Allow a symmetric block cipher to process network data of arbitrary length
Cipher Block Chaining (CBC)
Each plaintext block is XORed with the previous ciphertext block (the initialization vector (IV) for the first block) before it is encrypted
Data must be a multiple of the block size, so the last block requires padding
Counter mode (CTR)
Encrypts successive nonce/IV-plus-counter values to generate a keystream that is XORed with the data
Does not require block padding
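The following added example (not from the CompTIA slides) shows the mode-of-operation ideas from this slide and the block/padding ideas from Topic 5A on a small block cipher. The cipher is a toy Feistel network with an HMAC-SHA256 round function, chosen because a Feistel construction is invertible whatever the round function is; it stands in for AES only so that the code runs with the standard library and is not secure for real use. Padding is PKCS#7, and ECB is included purely to show what chaining fixes.

```python
import hashlib
import hmac

BLOCK = 16   # 128-bit blocks, the same block size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, round_no: int, half: bytes) -> bytes:
    """Keyed pseudo-random function of one half-block; output is one half-block (8 bytes)."""
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy Feistel block cipher (teaching stand-in for AES, not for production)."""
    left, right = block[:8], block[8:]
    for i in range(rounds):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7: append n bytes of value n so the length is a multiple of BLOCK (n is never 0)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: equal plaintext blocks give equal ciphertext blocks, leaking structure."""
    padded = pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV first), then encrypt."""
    padded, previous, out = pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        previous = block_encrypt(key, _xor(padded[i:i + BLOCK], previous))
        out.append(previous)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    previous, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        current = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, current), previous))
        previous = current
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get keystream blocks and XOR them with the data.
    No padding is needed and the same call both encrypts and decrypts."""
    out = []
    for counter, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(BLOCK - len(nonce), "big"))
        out.append(_xor(data[i:i + BLOCK], keystream))
    return b"".join(out)
```

Two things to notice when running it: CBC output is always a whole number of blocks (a 16-byte message becomes 32 bytes because PKCS#7 must add at least one byte), while CTR output is exactly the length of the input; and the IV or nonce must never repeat under the same key, since in CTR a repeated nonce means a repeated keystream.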
Authenticated Modes of Operation
Unauthenticated encryption
Encryption alone cannot prove integrity: ciphertext can be altered without knowing the key
Makes cryptographic system vulnerable to insertion and modification attacks
Authenticated encryption
Message authentication code (MAC)
Create a keyed hash (such as HMAC) over the message using a shared secret
MAC-then-encrypt constructions over padded CBC have been vulnerable to padding oracle attacks; the MAC should be computed over the ciphertext and checked before decryption
Authenticated encryption with additional data (AEAD)
Counter modes or stream ciphers that do not use padding, with integrity built in (for example AES-GCM, ChaCha20-Poly1305)
Authenticates, without encrypting, additional data such as headers and sequence numbers, binding the message to its context and preventing replay
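The following added example (not from the CompTIA slides) demonstrates the insertion/modification problem and its fix. A stream cipher whose keystream is derived from (key, nonce, counter) stands in for any XOR-based mode; an attacker who knows the layout of the plaintext flips ciphertext bits to change an amount without the key. An encrypt-then-MAC wrapper with associated data, checked in constant time before decryption, rejects both the modification and a context change (a different sequence number). The transaction message and the key-derivation scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _keystream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated stream encryption: XOR with SHA-256(key||nonce||counter) blocks.
    Decryption is the same call. Toy construction for the demonstration."""
    out = bytearray()
    for counter in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[counter:counter + 32], block))
    return bytes(out)


def flip_ciphertext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: XOR (old ^ new) into the ciphertext so the plaintext at `offset`
    decrypts to `new` instead of `old`. Needs no key; works on any XOR/CTR-style mode."""
    tampered = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        tampered[offset + i] ^= o ^ n
    return bytes(tampered)


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from one master key (constructed scheme).
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _tag(mac_key: bytes, nonce: bytes, associated_data: bytes, ciphertext: bytes) -> bytes:
    framed = nonce + len(associated_data).to_bytes(4, "big") + associated_data + ciphertext
    return hmac.new(mac_key, framed, hashlib.sha256).digest()


def seal(key: bytes, nonce: bytes, associated_data: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with associated data: the tag covers nonce, AD and ciphertext, so the
    ciphertext is bound to its context. AD is authenticated but transmitted in clear."""
    enc_key, mac_key = _subkeys(key)
    ciphertext = _keystream_crypt(enc_key, nonce, plaintext)
    return ciphertext + _tag(mac_key, nonce, associated_data, ciphertext)


def open_sealed(key: bytes, nonce: bytes, associated_data: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; reject any mismatch."""
    enc_key, mac_key = _subkeys(key)
    ciphertext, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, associated_data, ciphertext)):
        raise ValueError("authentication failed: message or context was modified")
    return _keystream_crypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    """Constructed transaction: the forgery succeeds without a MAC and fails with one."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    plaintext = b"amount=0100;to=alice"
    at = plaintext.index(b"0100")
    forged = flip_ciphertext(_keystream_crypt(key, nonce, plaintext), at, b"0100", b"9900")
    result = {"unauthenticated_forgery": _keystream_crypt(key, nonce, forged)}
    sealed = seal(key, nonce, b"seq=7", plaintext)
    attempts = {"tampered": (b"seq=7", flip_ciphertext(sealed, at, b"0100", b"9900")),
                "replayed_in_other_context": (b"seq=8", sealed)}
    for label, (aad, blob) in attempts.items():
        try:
            open_sealed(key, nonce, aad, blob)
            result[label] = "accepted"
        except ValueError:
            result[label] = "rejected"
    result["genuine"] = open_sealed(key, nonce, b"seq=7", sealed)
    return result
```

The order of operations in open_sealed is the point of the slide's padding-oracle remark: nothing is decrypted or unpadded until the tag over the ciphertext has verified, so there is no error behaviour for an attacker to probe.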
Cryptographic Modes of Operation
Review Activity
Summarize Cryptographic Use Cases and Weaknesses
Topic 5C
Syllabus Objectives Covered
1.2 Given a scenario, analyze potential indicators to determine the type of attack
2.8 Summarize the basics of cryptographic concepts
Cryptography for Authentication and Non-repudiation
Cryptographic primitives (hashes, ciphers, signatures) versus cryptographic systems (protocols such as TLS that combine primitives to achieve a goal)
Authentication and access control
Assuming the private key is secure, a token signed or encrypted with it could only have been created by the key holder
Non-repudiation
Sender cannot deny (repudiate) the message, as only they could have created it
Cryptography Supporting Confidentiality
Hybrid encryption
Public key cryptography is only efficient with small amounts of data
Symmetric encryption makes key distribution difficult
Symmetric key is used for bulk encryption and protected by public key cryptography
File encryption
The file is encrypted with a symmetric key; the user's public key encrypts (wraps) that key and the private key decrypts it
Use of the private key is locked to a user account credential
Transport encryption
Session key exchange/agreement
Cryptography Supporting Integrity and Resiliency
Integrity
Using hash functions and message authentication codes to validate messages
Resiliency
Using cryptography to ensure authentication and integrity of control messages
Obfuscation
Make something hard to understand
Encryption can perform this function, but it is very hard to secure a key embedded in the software itself
White box cryptography attempts to hide the key inside the implementation; it raises the attacker's effort but is not a substitute for keeping the key off the device
Cryptographic Performance Limitations
Limitations
Speed—Amount of data/number of operations per second
Time/latency—Delay in completing an operation
Size—Key size increases security but also CPU/memory requirements
Computational overhead—Complexity of cryptographic implementation or cipher
Resource-constrained environments
Low-power devices
Battery-powered systems
Contactless smart cards
Low latency
Delay-sensitive communications protocols/implementations
Cryptographic Security Limitations
Entropy
Checksums and ciphertext should be indistinguishable from random data (high entropy, no exploitable patterns)
Weak ciphers and weak keys
Weak implementations
Weak randomness (predictable random number generators)
Predictability and reuse: each of the following must be unique, and reuse can expose keys or plaintext
Nonce
Initialization vector (IV)
Salt
Longevity and Cryptographic Attacks
How secure are current algorithms?
How long must a ciphertext be resistant to attacks?
Man-in-the-Middle and Downgrade Attacks
Man-in-the-Middle (MitM)
Interferes with the public key presented to the client, substituting the attacker's own key or certificate; defeated by validating the certificate chain and host name
Downgrade attack
Forces client and server into using weak protocol versions and ciphers that the attacker can break; defeated by refusing to negotiate them
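Both attacks on this slide are defeated or enabled by client configuration. The following added example (not from the CompTIA slides) builds the weak and the hardened form of a Python ssl client context side by side and audits a context for the settings that matter: certificate and host-name verification (the MitM defence) and a TLS 1.2 floor (the downgrade defence). The audit function and its finding strings are constructed for the example; the ssl attributes are the standard library's.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The configuration that makes MitM and downgrade trivial: no certificate or host-name
    checks, and protocol versions down to TLS 1.0 accepted if the library allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # whatever key a middlebox presents is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                            # some OpenSSL builds compile TLS 1.0 out entirely
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validate the chain against the system CA store and match the host name (defeats key
    substitution); refuse anything below TLS 1.2 (defeats version downgrade)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a client TLS context; empty means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The weak context is what code ends up with after someone "fixes" a certificate error by disabling verification; with it, the attacker's substituted public key is accepted silently, which is exactly the interference the slide describes.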
Key Stretching and Salting
User-generated data (passwords) is low entropy
Key stretching
Use additional rounds of a slow derivation function (PBKDF2, bcrypt, scrypt) to strengthen the key
Makes the attacker do more work per guess, so slows down brute force
Salting
Add a unique random value to each password when hashing it for storage
Prevents use of pre-computed hash tables and stops identical passwords producing identical hashes
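The following added example (not from the CompTIA slides) contrasts a plain SHA-256 password hash, which a pre-computed table cracks instantly, with a salted PBKDF2-HMAC-SHA256 hash: two users with the same password get different stored values, the table is useless, and every guess costs the attacker a full run of the iterations. The password list and the storage format are constructed; the iteration count is a parameter so that the work factor can be tuned and timed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed list standing in for a leaked "most common passwords" file.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]


def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """What an attacker builds once and reuses against every unsalted password database."""
    return {unsalted_sha256(p): p for p in candidates}


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, stretched hash. PBKDF2-HMAC-SHA256 repeats the HMAC `iterations` times, so each
    guess costs the attacker as much as one login costs us. Stored as a self-describing string."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, derived_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


def seconds_per_guess(iterations: int) -> float:
    """Measure the work factor so the iteration count can be tuned to the hardware."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted lookup:", table.get(unsalted_sha256("letmein")))
    stored = hash_password("letmein")
    print("salted lookup:", table.get(stored.split("$")[3]))
    print("login with right password:", verify_password("letmein", stored))
    print(f"cost per guess at 600k iterations: {seconds_per_guess(600_000):.3f}s")
```

Storing the salt and iteration count alongside the hash is deliberate: the salt is not secret, and keeping the count in the record lets the parameter be raised for new passwords without invalidating old ones.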
Collisions and the Birthday Attack
Exploit collisions to forge a signature: if two documents hash the same, a signature on one is valid for the other
Math of the birthday paradox shows that for an n-bit digest a collision is expected after about 2^(n/2) trials, not 2^n
Chosen prefix collision attacks: the attacker picks two different documents and computes suffixes that make them hash the same (demonstrated in practice against MD5 and SHA-1)
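The following added example (not from the CompTIA slides) runs the birthday attack against a deliberately shortened hash, the leading bits of SHA-256, so the 2^(n/2) behaviour can be observed in seconds rather than estimated; it also implements the chosen-prefix variant, in which two different documents are extended until they share a digest. The truncation, the prefixes and the random suffixes are constructed for the example; the full 256-bit digests of the colliding inputs still differ, which is what makes the attack infeasible against an unbroken hash.

```python
import hashlib
import math
import secrets


def truncated_digest(data: bytes, bits: int) -> int:
    """Leading `bits` of SHA-256: a stand-in for a hash whose output is too short."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random inputs until two collide, not 2^n."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int):
    """Hash random inputs until two share a truncated digest. Returns (a, b, trials)."""
    seen = {}
    trials = 0
    while True:
        candidate = secrets.token_bytes(8)
        trials += 1
        h = truncated_digest(candidate, bits)
        if h in seen and seen[h] != candidate:
            return seen[h], candidate, trials
        seen[h] = candidate


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, bits: int):
    """Find suffixes sa, sb with H(prefix_a||sa) == H(prefix_b||sb): a benign and a malicious
    document that carry the same signature. Returns (doc_a, doc_b, trials)."""
    table_a, table_b = {}, {}
    trials = 0
    while True:
        for prefix, mine, theirs in ((prefix_a, table_a, table_b), (prefix_b, table_b, table_a)):
            candidate = prefix + secrets.token_bytes(8)
            trials += 1
            h = truncated_digest(candidate, bits)
            if h in theirs:
                other = theirs[h]
                return (candidate, other, trials) if prefix is prefix_a else (other, candidate, trials)
            mine[h] = candidate


if __name__ == "__main__":
    for bits in (16, 24, 32):
        _, _, trials = birthday_collision(bits)
        print(f"{bits}-bit digest: collision after {trials} trials (expected about {expected_trials(bits):.0f})")
    doc_a, doc_b, trials = chosen_prefix_collision(b"Pay Alice 100", b"Pay Mallory 9000", 24)
    print(f"chosen-prefix collision after {trials} trials: {doc_a!r} / {doc_b!r}")
```

Scaling the observed counts up is the point: 2^(n/2) is 2^128 for SHA-256, still out of reach, but for a 64-bit digest it is about four billion, which is why short digests and truncated MACs are unsafe wherever an attacker can choose both inputs.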
Cryptographic Use Cases and Weaknesses
Review Activity
Summarize Other Cryptographic Technologies
Topic 5D
Syllabus Objectives Covered
2.8 Summarize the basics of cryptographic concepts
Quantum
Quantum computing
Quantum bit (qubits), superpositions, entanglement and collapse
Quantum computers can keep track of a lot of state data at the same time
Communications
Tamper-evident key distribution (quantum key distribution): measuring the qubits in transit disturbs them, so eavesdropping is detectable
Post-quantum
Quantum-based cryptanalysis (a large enough quantum computer would break RSA, Diffie-Hellman and ECC)
Post-quantum cryptography (replacements for the current algorithms)
Lightweight cryptography (for resource-constrained devices)
Homomorphic Encryption
Allows computation on ciphertext such that the decrypted result equals the result of the same computation on the plaintext
Supports data analytics functions while preserving confidentiality and privacy
Blockchain
Expanding list of transactional records (blocks)
Each block is linked to its predecessor by including that block's hash
Public ledger
Ledger of transactions performed on a digital asset
Peer-to-peer: every participant holds a copy, so transactions are public
Transactions cannot be deleted or reversed: changing any block changes its hash and breaks every link after it
Widely used for cryptocurrencies
Potential uses for financial transactions, online voting systems, identity management systems, notarization, data storage, …
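The following added example (not from the CompTIA slides) is a minimal hash-chained ledger showing the linking property on this slide: each block's hash covers its contents and the previous block's hash, so editing an old transaction invalidates that block, and recomputing its hash only moves the break to the next block. The ledger, its transactions and the tamper sequence are constructed; consensus and mining, which decide whose version of the chain wins, are outside the example.

```python
import hashlib
import json


def block_hash(block: dict) -> str:
    """SHA-256 over the block's contents (everything except its own hash), canonically serialised."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class Ledger:
    """Minimal hash-chained ledger: every block carries the hash of the one before it."""

    def __init__(self):
        genesis = {"index": 0, "prev_hash": "0" * 64, "transactions": []}
        genesis["hash"] = block_hash(genesis)
        self.chain = [genesis]

    def add_block(self, transactions: list) -> dict:
        previous = self.chain[-1]
        block = {"index": previous["index"] + 1, "prev_hash": previous["hash"],
                 "transactions": transactions}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        return block

    def verify(self):
        """(True, None) if intact, else (False, index of the first block that fails)."""
        for i, block in enumerate(self.chain):
            if block["hash"] != block_hash(block):
                return False, i                     # contents changed after hashing
            if i and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False, i                     # link to the predecessor is broken
        return True, None


def tamper_demo() -> list:
    """Constructed ledger; shows why rewriting history means rewriting every later block."""
    ledger = Ledger()
    ledger.add_block([{"from": "alice", "to": "bob", "amount": 10}])
    ledger.add_block([{"from": "bob", "to": "carol", "amount": 4}])
    results = [ledger.verify()]
    ledger.chain[1]["transactions"][0]["amount"] = 1000     # attacker edits an old record
    results.append(ledger.verify())                          # block 1 no longer matches its hash
    ledger.chain[1]["hash"] = block_hash(ledger.chain[1])   # attacker recomputes that hash...
    results.append(ledger.verify())                          # ...and block 2's prev_hash now breaks
    return results
```

Because every peer holds a copy and checks the links, an attacker has to rewrite the edited block and every block after it on enough peers to outvote the honest copies, which is what makes the ledger practically append-only.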
Steganography
Concealing messages within a covertext
Often uses file data that can be manipulated without introducing obvious artifacts (such as the least significant bits of pixel or audio samples)
Image
Audio
Video
Covert channels (carrying data in protocol fields or timing that were not meant to carry it)
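The following added example (not from the CompTIA slides) implements the least-significant-bit technique behind the image and audio bullets on raw 8-bit samples: the message bits replace the lowest bit of successive samples, so no sample changes by more than one unit, which is the "no obvious artifacts" property. The cover is a constructed gradient standing in for a grayscale image or audio buffer; a real file would need its container parsed first.

```python
# Constructed cover: a smooth 8-bit gradient standing in for grayscale pixels or audio samples.
COVER = bytes((i // 4) % 256 for i in range(2048))


def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bit of each cover sample. A 4-byte length
    header goes first so the extractor knows where the message ends."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload is {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # keep the top 7 bits, overwrite the LSB
    return bytes(stego)


def _read_bytes(carrier: bytes, start_sample: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (carrier[start_sample + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header from the first 32 samples, then that many bytes after it."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Distortion introduced: LSB embedding changes any sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    message = b"meet at the old mill at 9"
    stego = embed_lsb(COVER, message)
    print("recovered:", extract_lsb(stego))
    print("largest change to any sample:", max_sample_change(COVER, stego))
    print("capacity of this cover in bytes:", len(COVER) // 8 - 4)
```

Capacity is one bit per sample, so a cover needs eight samples per hidden byte plus the header, and any lossy re-encoding of the carrier (JPEG recompression, audio transcoding) destroys the hidden bits, which is why simple LSB hiding is used on lossless formats.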
Other Cryptographic Technologies
Review Activity
Summary
Lesson 5