ISC(2) CISSP Revision Notes – Cryptography
Here are my revision notes for Cryptography, have fun!
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography (You are here)
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security
***Different CIA***
- Confidentiality
- Integrity
- Authentication
- (Non-repudiation)
Plaintext becomes ciphertext
End to End Encryption: Encrypted at source, decrypted at destination, (encrypted in transit)
Link Encryption: Encrypted point to point individually
Cryptosystem
Process must be efficient for any key which can be used
It must be easy to use
The algorithm can be published and the process still be secure
Classes of Ciphers
Block
- Fixed size
- Same plaintext with same key will produce same ciphertext
- Implemented in software and easy to use
Stream
- Bit by bit
- Often implemented in hardware and faster
- XORd
Types if Cipher
One Time Pad/Vernman Cipher/Running Book
- Considered unbreakable if pad is secure
Substitution Cipher
- Replaced bits with other bits from a prescribed pattern
- Eg Caesar Shift offset by 3
Monoalphabetic: Same key used throughout
Polyalphabetic: Different key used for each bit
S Boxes: DES
Transposition/Permutation Cipher: Rearrange bits in prescribed way for each bit
Codes: different phrases
Steganography: (See below)
Alternatives to Cryptography
Steganography: Hidden in plain sight, deniable
Watermark: Visible steganography
Symmetric Encryption
Same key used to encrypt and decrypt
Eg DES, IDEA, AES, RC5
Problems with securely exchanging keys (scaleability difficult)
Fast, can be very strong and is cheap
DES
1970, IBM, “Lucifer” (128bit)
56 bits, 56 bit key (actually 64, but has 8 bits of parity)
64 bit block cipher
Splits into 32 bit blocks
16 rounds of transposition and substitution
Electronic Cook Book (ECB)
- Native DES mode
- Usually the fastest
- Same plaintext will always product the same ciphertext using the same key
Cipher Block Chaining (CBC)
- Most common DES mode
- Each block is XORd with proceeding block to minimize repetition
- Errors propagate but only for two blocks
Cipher Feedback (CFB)
- Stream cipher
- Uses previously generated ciphertext as key generator
- Errors propagate through entire stream
Output Feedback (OFB)
- Stream Cipher
- Uses plaintext as key generator
- Errors don’t propagate
3DES
- 168 bit key length
- Very slow
- Block 1 – Encrypted with #1 Key
- Block 2 – Encrypted with #2 Key
- Block 3 – Encrypted with #1 or #3 Key
- Rijndael Block Cipher
- 128, 192 or 256 bit cipher
- 10 to 14 rounds
- Simple, strong and fast
Advanced Encryption Standard (AES)
Blowfish
- 448 bit key length
- 64 bit blocks
- 16 rounds
Two Fish
- 128 bit blocks
- 16 rounds
- 256 bit key
Rivest Cipher
- RC2: 64 bit blocks, variable key
- RC4: 128 bit blocks, 128 bit key
- RC5: 32, 64, 128 bit blocks, 0-2048 bit key
- RC6: 128 bit blocks, 128, 192, 256 bit key
International Data Encryption Algorithm (IDEA)
- 64 bit blocks, 128 bit key
- 8 rounds on 64bit sub-blocks
- In use by PGP
Asymmetrical Encryption
- Different keys used to encrypt and decrypt (public keys & private keys)
- Encrypts with public key
- Signs with private key
- Decrypts with private key
- Cannot obtain private key from public key
- Slower than symmetric encryption
- Scalable and offers additional functionality
Secure Message Format: Private key to provide confidentiality
Open Message Format: Plaintext but encrypted hash (signed)
Secure & Signed Message Format: Both of the above
RSA
- Based on factoring large prime numbers
- 512 bits
Diffie-Hellman (DH) Key Exchange
- Private keys combined with public keys to produce a symmetric key
- Vulnerable to MITM attack
- Discrete Logarithms
El Gamal
- Extends DH with encryption and signatures
Markle-Hellman/Knapsack
- Broken, used fixed weight calculations
Elliptic Curve (EC)
- Elliptic Curves very computationally difficult to calculate
- 160 bit EC key comparable to 1024 bit RSA key
Message Authentication
Guarantees authenticity and integrity of message (eg checksums and parity checks)
Digital Signatures
- RSA Digital Signature Algorithm and Digital Signature (EL Gamal)
Sender encrypts with own private key
Message Digests (MDx)
- One way hash functions of a message are encrypted (“signed”) with own private key
Eg MD5, SHA-1, HMAC
Allows plaintext emails
- MD2: Very slow, 128 bit
- MD4: 128 bit (Microsoft)
- MD5: 128 bit (Popular)
- MD6: 512 bit
- SHA-1: 160 bit
- SHA2: 224, 256, 384 or 512 bit
- HMAC
Public Key Infrastructure (PKI)
Central authority
Certificate Authority (CA): Machine, software and hardware
Registration Authority (RA): Verified certificate components
Certificate Revocation List (CRL): Removes certificates
Repository: Distributes certificates from CA, CRLs and distribute accordingly
Archive: Long term storage
Key Management Functions
Generation: Random sequence generation
Distribution:
Installation:
Storage:
Change:
Control: Properly used
Disposal: Erased securely
Email Encryption
Secure Multipurpose Internet Mail Extensions (S/Mime)
- RSA, X.509 certs
Mime Object Security Services (MOSS)
- MD2/MD5, RSA, DES (rare)
Privacy Enhanced Mail
- MD2/MD5, RSA, 3DES
Pretty Good Privacy (PGP)
- IDEA, RSA, PKI or manually trusts
Internet Encryption
Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
- Layer 4
- RSA Asymmetric
- IDEA, DES, 3DES, Symmetric
- MD5 hash
- Used in HTTPS and VPNS
Secure Hypertext Transfer Protocol (S-HTTP)
- NOT HTTPS
IPSec
- Transport Mode: Only data encrypted
- Tunnel Mode: Entire packet encrypted
- Authentication Header (AH): Integrity, authentication and non-repudiation
- Encapsulating Security Payload (ESP): Encryption
- Security Association (SA): One way comms for each AH or ESP
- Security Parameter Index (SPI): 32 bit unique identifier for tunnel
- Destination IP: NOT Source
- Protocol ID: AH or ESP
- Internet Key Exchange (IKE): ISAKMP, SKEME, Oakley
Multi-protocol Label Switching (MPLS): QoS, CoS, Layer 2 and 3
Secure Shell (SSH): Confidentiality, integrity and authentication
Wireless Transport Layer Security: WEP, Broken. Class 1 – Anonymous. Class 2 – Server Authentication. Class 3 – Client-Server Authentication.
Secure Electronic Transaction (SET): DES, RSA digital signatures, X.509 authentication
Attacks
Analytical Attacks: Reduced complexity of algorithm (patterns)
Brute Force: All possible combinations are tried
Implementation: Exploit cryptosystem
Statistical Attacks: eg randomness
Rainbow Table: pre-computed tables of values
Birthday Attack: Collisions
Work Factor: The amount of time and effort required to break
Cipher Text Only (CTO): Several ciphertexts produced by the same key are combined and analyses for patterns
Chosen Text Attack (CTA)
Chosen Plaintext Attack (CPA): Encrypts a known text
Adaptive Plaintext Attack (APA):Multiple known texts are encrypted and analysed
Chosen Ciphertext Attack (CCA): Chooses the ciphertext to be decrypted
All Chosen Ciphertext Attack (ACCA): Multiple ciphertexts are decrypted and analysed
Known Plaintext (KPA): Known plaintext and ciphertext, work to calculate cipher
Man In The Middle (MITM): Intercepting connections and decrypting and encrypting again
Meet In The Middle: Encryption with every key and compare to cipher
Replay: Session key is captured and replayed
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
1 Comment
[…] Control ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning (You are here) ISC(2) CISSP Revision Notes – Cryptography ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management ISC(2) CISSP […]