ISC(2) CISSP Revision Notes – Cryptography

cryptography

Here are my revision notes for Cryptography, have fun!

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography (You are here)
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

 

***Different CIA***

  • Confidentiality
  • Integrity
  • Authentication
  • (Non-repudiation)

 

Plaintext becomes ciphertext

End to End Encryption: Encrypted at source, decrypted at destination, (encrypted in transit)

Link Encryption: Encrypted point to point individually

Cryptosystem

Process must be efficient for any key which can be used

It must be easy to use

The algorithm can be published and the process still be secure

Classes of Ciphers

Block

  • Fixed size
  • Same plaintext with same key will produce same ciphertext
  • Implemented in software and easy to use

Stream

  • Bit by bit
  • Often implemented in hardware and faster
  • XORd

Types if Cipher

One Time Pad/Vernman Cipher/Running Book

  • Considered unbreakable if pad is secure

Substitution Cipher

  • Replaced bits with other bits from a prescribed pattern
  • Eg Caesar Shift offset by 3

Monoalphabetic: Same key used throughout

Polyalphabetic: Different key used for each bit

S Boxes: DES

Transposition/Permutation Cipher: Rearrange bits in prescribed way for each bit

Codes: different phrases

Steganography: (See below)

Alternatives to Cryptography

Steganography: Hidden in plain sight, deniable

Watermark: Visible steganography

Symmetric Encryption

Same key used to encrypt and decrypt

Eg DES, IDEA, AES, RC5

Problems with securely exchanging keys (scaleability difficult)

Fast, can be very strong and is cheap

DES

1970, IBM, “Lucifer” (128bit)

56 bits, 56 bit key (actually 64, but has 8 bits of parity)

64 bit block cipher

Splits into 32 bit blocks

16 rounds of transposition and substitution

Electronic Cook Book (ECB)

  • Native DES mode
  • Usually the fastest
  • Same plaintext will always product the same ciphertext using the same key

Cipher Block Chaining (CBC)

  • Most common DES mode
  • Each block is XORd with proceeding block to minimize repetition
  • Errors propagate but only for two blocks

Cipher Feedback (CFB)

  • Stream cipher
  • Uses previously generated ciphertext as key generator
  • Errors propagate through entire stream

Output Feedback (OFB)

  • Stream Cipher
  • Uses plaintext as key generator
  • Errors don’t propagate

3DES

  • 168 bit key length
  • Very slow
  • Block 1 – Encrypted with #1 Key
  • Block 2 – Encrypted with #2 Key
  • Block 3 – Encrypted with #1 or #3 Key
  • Rijndael Block Cipher
  • 128, 192 or 256 bit cipher
  • 10 to 14 rounds
  • Simple, strong and fast

Advanced Encryption Standard (AES)

Blowfish

  • 448 bit key length
  • 64 bit blocks
  • 16 rounds

Two Fish

  • 128 bit blocks
  • 16 rounds
  • 256 bit key

Rivest Cipher

  • RC2: 64 bit blocks, variable key
  • RC4: 128 bit blocks, 128 bit key
  • RC5: 32, 64, 128 bit blocks, 0-2048 bit key
  • RC6: 128 bit blocks, 128, 192, 256 bit key

International Data Encryption Algorithm (IDEA)

  • 64 bit blocks, 128 bit key
  • 8 rounds on 64bit sub-blocks
  • In use by PGP

Asymmetrical Encryption

  • Different keys used to encrypt and decrypt (public keys & private keys)
  • Encrypts with public key
  • Signs with private key
  • Decrypts with private key
  • Cannot obtain private key from public key
  • Slower than symmetric encryption
  • Scalable and offers additional functionality

Secure Message Format: Private key to provide confidentiality

Open Message Format: Plaintext but encrypted hash (signed)

Secure & Signed Message Format: Both of the above

RSA

  • Based on factoring large prime numbers
  • 512 bits

Diffie-Hellman (DH) Key Exchange

  • Private keys combined with public keys to produce a symmetric key
  • Vulnerable to MITM attack
  • Discrete Logarithms

El Gamal

  • Extends DH with encryption and signatures

Markle-Hellman/Knapsack

  • Broken, used fixed weight calculations

Elliptic Curve (EC)

  • Elliptic Curves very computationally difficult to calculate
  • 160 bit EC key comparable to 1024 bit RSA key

Message Authentication

Guarantees authenticity and integrity of message (eg checksums and parity checks)

Digital Signatures

  • RSA Digital Signature Algorithm and Digital Signature (EL Gamal)

Sender encrypts with own private key

Message Digests (MDx)

  • One way hash functions of a message are encrypted (“signed”) with own private key

Eg MD5, SHA-1, HMAC

Allows plaintext emails

  • MD2: Very slow, 128 bit
  • MD4: 128 bit (Microsoft)
  • MD5: 128 bit (Popular)
  • MD6: 512 bit
  • SHA-1: 160 bit
  • SHA2: 224, 256, 384 or 512 bit
  • HMAC

Public Key Infrastructure (PKI)

Central authority

Certificate Authority (CA): Machine, software and hardware

Registration Authority (RA): Verified certificate components

Certificate Revocation List (CRL): Removes certificates

Repository: Distributes certificates from CA, CRLs and distribute accordingly

Archive: Long term storage

Key Management Functions

Generation: Random sequence generation

Distribution:

Installation:

Storage:

Change:

Control: Properly used

Disposal: Erased securely

Email Encryption

Secure Multipurpose Internet Mail Extensions (S/Mime)

  • RSA, X.509 certs

Mime Object Security Services (MOSS)

  • MD2/MD5, RSA, DES (rare)

Privacy Enhanced Mail

  • MD2/MD5, RSA, 3DES

Pretty Good Privacy (PGP)

  • IDEA, RSA, PKI or manually trusts

Internet Encryption

Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

  • Layer 4
  • RSA Asymmetric
  • IDEA, DES, 3DES, Symmetric
  • MD5 hash
  • Used in HTTPS and VPNS

Secure Hypertext Transfer Protocol (S-HTTP)

  • NOT HTTPS

IPSec

  • Transport Mode: Only data encrypted
  • Tunnel Mode: Entire packet encrypted
  • Authentication Header (AH): Integrity, authentication and non-repudiation
  • Encapsulating Security Payload (ESP): Encryption
  • Security Association (SA): One way comms for each AH or ESP
  • Security Parameter Index (SPI): 32 bit unique identifier for tunnel
  • Destination IP: NOT Source
  • Protocol ID: AH or ESP
  • Internet Key Exchange (IKE): ISAKMP, SKEME, Oakley

Multi-protocol Label Switching (MPLS): QoS, CoS, Layer 2 and 3

Secure Shell (SSH): Confidentiality, integrity and authentication

Wireless Transport Layer Security: WEP, Broken. Class 1 – Anonymous. Class 2 – Server Authentication. Class 3 – Client-Server Authentication.

Secure Electronic Transaction (SET): DES, RSA digital signatures, X.509 authentication

Attacks

Analytical Attacks: Reduced complexity of algorithm (patterns)

Brute Force: All possible combinations are tried

Implementation: Exploit cryptosystem

Statistical Attacks: eg randomness

Rainbow Table: pre-computed tables of values

Birthday Attack: Collisions

Work Factor: The amount of time and effort required to break

Cipher Text Only (CTO): Several ciphertexts produced by the same key are combined and analyses for patterns

Chosen Text Attack (CTA)

Chosen Plaintext Attack (CPA): Encrypts a known text

Adaptive Plaintext Attack (APA):Multiple known texts are encrypted and analysed

Chosen Ciphertext Attack (CCA): Chooses the ciphertext to be decrypted

All Chosen Ciphertext Attack (ACCA): Multiple ciphertexts are decrypted and analysed

Known Plaintext (KPA): Known plaintext and ciphertext, work to calculate cipher

Man In The Middle (MITM): Intercepting connections and decrypting and encrypting again

Meet In The Middle: Encryption with every key and compare to cipher

Replay: Session key is captured and replayed

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

 

Trackbacks for this post

  1. ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning | Gyp the Cat dot Com

Got something to say? Go for it!