CompTIASecPLUS-Part6 - UnlimitedEdited.pptx

Introduction to Cryptography
Copyright © www.ine.com
»Changes plain text to cipher text through the
use of an algorithm
»Protects the confidentiality and integrity of
data
»What type of data need protecting?
• Data-at-rest
• Data-in-use
• Data-in-motion

»Encryption and decryption
»What is a cipher?
• Cesar Cipher
• Numerical shift
• Generate the key; for example, 3
• “Cesar” becomes “Fhvdu”
• Can be broken with cryptanalysis

»What is an encryption key?
• Determines the output of the cipher
• Length determines strength
• Key exchange is needed for asymmetric encryption
• Public keys
• Freely distributed
• Private keys
• Always a secret

»Symmetric key cryptography
»Symmetric algorithms
• Stream cipher
• Block cipher
»Can be used for non-repudiation
• Message authentication code
• Verifies the integrity of the message

»Asymmetric key cryptography
• Uses different keys – the public/private key pair
• Keys are mathematically related but otherwise have
no relation
• The longer the key the stronger the encryption
• What one key encrypts the other decrypts
• Public encrypts, private decrypts (confidentiality)
• Private encrypts, public decrypts (non-repudiation, integrity)

»Uses of asymmetric key cryptography
• Digital signatures
• Signing the message
– Create a message digest of the message
– Sign the message digest with sender’s private key
– Protects integrity
– Provides authentication and non-repudiation
• Encrypt the message

»Uses of asymmetric key cryptography
• Digital certificates
• Utilizes a public key infrastructure
• Provides identity information
• Resistant to forgery
• Verified by a third party
• Trusted third party (COMODO, Symantec, Verisign)
• Used in SSL/TLS sessions

Symmetric Cryptographic Algorithms
»DES/3DES
• Digital Encryption Standard
• 64-bit blocks
• 56-bit key size with 8 bits for parity
• Triple DES
• Feistel cipher
• 64-bit blocks
• 168-bit key

»AES (Rijndael)
• Advanced Encryption Standard
• Adopted in 2002
• 128-, 192- and 256-bit
• Fast and uses minimal resources
• Multiple platform usage
• Wireless
• Data-in-transit
• Whole disk encryption

»Rivest’s Cipher (RC)
• Stream and block ciphers
• Used in WEP, SSL, RDP
• RC4, RC5, and RC6 variants
»Schneier Ciphers
• Twofish
• Threefish
• Blowfish

Asymmetric Cryptographic Algorithms
»Diffie-Hellman-Merkle
• First practical shared key cryptosystem
• Utilizes modular arithmetic and factorization of large
prime numbers
• Vulnerable to specific attacks
• Man-in-the-middle (MITM)
• Mitigation through authentication
• Perfect Forward Secrecy (PFS)

»Rivest-Shamir-Adleman (RSA)
• Used in e-commerce
• Works with SSL/TLS
• Can be used for digital signatures as well as
cryptography
• Slower than symmetric cryptography
• Longer key lengths
• Utilizes integer factorization
• What one key encrypts the other decrypts

»Rivest-Shamir-Adleman (RSA)
• Used in security tokens
• Trusted platform modules (TPM)
• Cryptoprocessor that integrates encryption keys
• Hardware security modules (HSM)
• External key management module
• Vulnerable to specific attacks
• Timing attacks
• Man-in-the-middle (MITM)
• Mitigation through padding

»Eliptic Curve Cryptography (ECC)
• Based on the structure of an elliptic curve
• Uses smaller keys
• Faster
• Used in mobile devices, smart cards, wireless
• Can be used with other algorithms
• Diffie-Hellman (ECDH)
• Digital Signature Algorithm (ECDSA)

»Elliptic Curve Cryptography (ECC)
• Vulnerabilities
• Side-channel attacks
– Leaked information from physical implementations
• Algorithm backdoors
• Quantum cryptanalysis
– Theoretical attack based on quantum physics

Other Cryptographic Algorithms
»One-Time Pad or Vernam Cipher
• Stream cipher
• Key is the same length as the plaintext
• The keystream is generated at random
• Keystream combined with the plaintext using a
bitwise XOR operation
• The only cryptosystem with theoretically perfect
secrecy
• Provides no information to the analyst

»One-Time Pad or Vernam Cipher
• Problems with the one-time pad
• Requires perfect randomness
• Cryptosystems will only be able to implement pseudo-
randomness

»Pretty Good Privacy (PGP)
• Uses
• Signing, encrypting, and decrypting emails
• Whole disk encryption
• File and instant message encryption
• Symmetric session key (PSK)
• Can use asymmetric encryption (RSA) for digital signatures
and encryption
• Supports openPGP and S/MIME
• Security is based on key size

Steganography – Hiding in Plain Sight
»Security through obscurity
»Modify the least significant bit
• Image
• Audio
• Video
»LACK
»HICCUPS

Hashing
»Generated through the use of a one-way
function
• Mathematical operation that converts a variable-sized
block of data into a fixed-length block of data
• A hash of a file, email, or other message can be generated
at the source
• This hash value is made public and can be compared by
anyone who views the file to ensure that no alterations
have been made
• Significant change in the hash value will result upon the
slightest change in the message

Hashing
»Types of cryptographic hash functions
• Message Digest 5
• Created by Ron Rivest
• 32-character output
• More susceptible to collisions
• Secure Hashing Algorithm
• Version 1 – 160-bit hash
• Version 2 – 256- to 512-bit block size

Hashing
»Types of cryptographic hash functions
• RIPEMD
• RACE Integrity Primitives Evaluation Message Digest
• 128-bit
• 160-bit
• HMAC
• Hash-based Message Authentication Code
• Uses MD5 or SHA for message authentication

Hashing
»Microsoft domain password hashing algorithms
• LANMAN
• Used before Windows NT
• Based on DES
• Maximum of 14 characters
• NTLM
• Based on RC4
• NTLMv2
• Based on MD5

Hashing
»Vulnerabilities
• Happy Birthday
• Collision
»Defenses
• Key stretching
• Salting
• Nonce
• Complexity and length

Public Key Infrastructure
»Functions of the PKI
• Create, distribute, store, and revoke digital certificates
• System of users, hardware, encryption, policies, and
procedures
• Secure websites over SSL/TLS
• Email
• Securing remote connections
• Computers
• Networks

»Not the same as asymmetric cryptography
»Components
• Users
• Computers
• Servers
• Encryption
• Policies
• Procedures

»Components of the PKI
• Digital certificates
• Binds the user key to an identity for verification
• X509 Standard
• What does the X509 include?
• Certificate owner and their public key
• Certificate authorities
– Name
– Digital signature
– Serial number, issue date, expiration date

• What is the certificate authority?
• Issuing authority (trusted third party)
• Verifies the identity of the certificate recipient
• Maps the public key of the party to the identity
• Types of certificates
• One-to-one mapping
• One-to-many mapping

• Registration authority
• Verifies the request for the digital certificate
• Gives the “OK” for the CA to issue the certificate
• Certificate revocation list
• Updated every 24 hours
• Used to verify the validity of a digital certificate
• Online certificate status protocol (OCSP)

• Key escrow
• Used when data loss in unacceptable
• Key recovery agent
• Allows for the recovery of corrupted or lost keys
• Single and dual-sided certificates
• Best for smaller environments with limited sessions

»Web of trust
• Decentralized model of trust
• Peer to peer
• No root certificate authority
• Certificates are self signed
• Users decide which certificates to trust
• Used by PGP

Secure Connection Types
» Email/communications
• PGP
• S/MIME
• IPSec
• SSH
» Website logins and e-commerce
• SSL/TLS
» Direct connections to other workstations
»Virtual connections to remote networks
• VPNs (PPTP/L2TP)

Secure Connection Protocols
»S/MIME
• Secure/Multi-purpose Internet Mail Extensions
• Developed by RSA
• Authentication/integrity/non-repudiation
• Uses unique session keys
• Relies on PKI
• Relies on certificate authorities

»SSH
• Creates an encrypted channel between two
workstations or network devices
• Designed as a replacement for telnet
• Utilizes asymmetric key cryptography
• SSH Daemon and SSH Client
• Runs on port 22

»SSL/TLS
• Uses
• IM
• Email
• Web browsing
• VoIP
• Relies on PKI
• Two keys required
• Public and session

»Virtual Private Networks (VPNs)
• Enables secure remote connections
»PPTP
• Point-to-point tunneling protocol
• Encapsulates PPP packets
• Uses port 1723

»Virtual Private Networks (VPNs)
• L2TP
• Layer 2 tunneling protocol
• No inherent security
• Uses port 1701
• Uses PKI

»IPSec
• Native to IPv6
• Security association
• Sub-protocols
• Internet Key Exchange (IKE)
• Authentication Header (AH)
• Encapsulating security payload (ESP)
• IP Payload Compression Protocol (IPComp)

CompTIASecPLUS-Part6 - UnlimitedEdited.pptx

More Related Content

Similar to CompTIASecPLUS-Part6 - UnlimitedEdited.pptx (20)

Recently uploaded (20)

CompTIASecPLUS-Part6 - UnlimitedEdited.pptx