Chapter 10

PKI and Cryptographic Applications

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

  • Cryptography
    • Understand the application and use of cryptography
      • Data at rest (e.g., hard drive); data in transit (e.g., “on the wire”)
    • Understand encryption concepts
      • Foundational concepts; symmetric cryptography; asymmetric cryptography; hybrid cryptography; message digests; hashing
    • Understand key management process
      • Creation/distribution; storage/destruction; recovery; key escrow
    • Understand digital signatures
    • Understand methods of cryptanalytic attacks
      • Chosen plain-text; social engineering for key discovery; brute force; cipher-text only; known plaintext; frequency analysis; chosen cipher-text; implementation attacks
    • Employ cryptography in network security
    • Use cryptography to maintain e-mail security
    • Understand Public Key Infrastructure (PKI)
    • Understand certificate related issues
    • Understand information hiding alternatives (e.g., steganography, watermarking)

In Chapter 9, we introduced basic cryptography concepts and explored a variety of private key cryptosystems. These symmetric cryptosystems offer fast, secure communication but introduce the substantial challenge of key exchange between previously unrelated parties. This chapter explores the world of asymmetric (or public key) cryptography and the public key infrastructure (PKI) that supports worldwide secure communication between parties that don’t necessarily know each other prior to the communication. We’ll also explore several practical applications of cryptography: securing electronic mail, web communications, electronic commerce, and networking. The chapter concludes with an examination of a variety of attacks malicious individuals might use to compromise weak cryptosystems.

Asymmetric Cryptography

The section “Modern Cryptography” in Chapter 9 introduced the basic principles behind both private (symmetric) and public (asymmetric) key cryptography. You learned that symmetric key cryptosystems require both communicating parties to have the same shared secret key, creating the problem of secure key distribution. You also learned that asymmetric cryptosystems avoid this hurdle by using pairs of public and private keys to facilitate secure communication without the overhead of complex key distribution systems. The security of these systems relies upon the difficulty of reversing a one-way function.

In the following sections, we’ll explore the concepts of public key cryptography in greater detail and look at three of the more common public key cryptosystems in use today: RSA, El Gamal, and the elliptic curve cryptosystem.

Public and Private Keys

Recall from Chapter 9 that public key cryptosystems rely on pairs of keys assigned to each user of the cryptosystem. Every user maintains both a public key and a private key. As the names imply, public key cryptosystem users make their public keys freely available to anyone with whom they want to communicate. The mere possession of the public key by third parties does not introduce any weaknesses into the cryptosystem. The private key, on the other hand, is reserved for the sole use of the individual. It is never shared with any other cryptosystem user.

Normal communication between public key cryptosystem users is quite straightforward. Figure 10.1 shows the general process.

FIGURE 10.1 Asymmetric key cryptography

image

Notice that the process does not require the sharing of private keys. The sender encrypts the plain-text message (P) with the recipient’s public key to create the cipher-text message (C). When the recipient opens the cipher-text message, they decrypt it using their private key to re-create the original plain-text message. Once the sender encrypts the message with the recipient’s public key, no user (including the sender) can decrypt that message without knowing the recipient’s private key (the other half of the key pair whose public key was used to encrypt the message). This is the beauty of public key cryptography—public keys can be freely shared using unsecured communications and then used to create secure communications channels between users previously unknown to each other.

You also learned in the previous chapter that public key cryptography entails a higher degree of computational complexity. Keys used within public key systems must be longer than those used in private key systems to produce cryptosystems of equivalent strengths.

RSA

The most famous public key cryptosystem is named after its creators. In 1977, Ronald Rivest, Adi Shamir, and Leonard Adleman proposed the RSA public key algorithm that remains a worldwide standard today. They patented their algorithm and formed a commercial venture known as RSA Security to develop mainstream implementations of their security technology. Today, the RSA algorithm forms the security backbone of a large number of well-known security infrastructures produced by companies like Microsoft, Nokia, and Cisco.

The RSA algorithm depends upon the computational difficulty of factoring the product of two large prime numbers. Each user of the cryptosystem generates a pair of public and private keys using the algorithm described in the following steps:

1. Choose two large prime numbers (hundreds of decimal digits each; a 2,048-bit modulus uses two primes of roughly 300 digits), labeled p and q.

2. Compute the product of those two numbers, n = p * q.

3. Select a number, e, that satisfies the following two requirements:

a. e is greater than 1 and less than (p − 1)(q − 1).

b. e and (p − 1)(q − 1) are relatively prime—that is, the two numbers have no common factors other than 1.

4. Find a number, d, such that (ed − 1) mod (p − 1)(q − 1) = 0.

5. Distribute e and n as the public key to all cryptosystem users. Keep d secret as the private key.

If Alice wants to send an encrypted message to Bob, she generates the cipher text (C) from the plain text (P) using the following formula (where e is Bob’s public key and n is the product of p and q created during the key generation process):

C = P^e mod n

When Bob receives the message, he performs the following calculation to retrieve the plain-text message:

P = C^d mod n

Merkle-Hellman Knapsack

Another early asymmetric algorithm, the Merkle-Hellman Knapsack algorithm, was developed the year after RSA was publicized. Unlike RSA, it is not based on factoring: its trapdoor relies on the subset-sum (knapsack) problem, using a super-increasing set of integers that is disguised by modular multiplication so that only the key holder can solve the easy form of the problem. Merkle-Hellman was proven ineffective when Adi Shamir broke it in 1982.

Importance of Key Length

The length of the cryptographic key is perhaps the most important security parameter that can be set at the discretion of the security administrator. It’s important to understand the capabilities of your encryption algorithm and choose a key length that provides an appropriate level of protection. This judgment can be made by weighing the difficulty of defeating a given key length (measured in the amount of processing time required to defeat the cryptosystem) against the importance of the data.

Generally speaking, the more critical your data, the stronger the key you use to protect it should be. Timeliness of the data is also an important consideration. You must take into account the rapid growth of computing power—the famous Moore’s law states that computing power doubles approximately every 18 months. If it takes current computers one year of processing time to break your code, it will take only three months if the attempt is made with contemporary technology three years down the road. If you expect that your data will still be sensitive at that time, you should choose a much longer cryptographic key that will remain secure well into the future.

The strengths of various key lengths also vary greatly according to the cryptosystem you’re using. According to a white paper published by Certicom, a provider of wireless security solutions, the key lengths shown in the following table for three asymmetric cryptosystems all provide equal protection:

Cryptosystem Key Length
RSA 1,088 bits
DSA 1,024 bits
Elliptic curve 160 bits

El Gamal

In Chapter 9, you learned how the Diffie-Hellman algorithm uses large integers and modular arithmetic to facilitate the secure exchange of secret keys over insecure communications channels. In 1985, Dr. T. El Gamal published an article describing how the mathematical principles behind the Diffie-Hellman key exchange algorithm could be extended to support an entire public key cryptosystem used for encrypting and decrypting messages.

At the time of its release, one of the major advantages of El Gamal over the RSA algorithm was that it was released into the public domain. Dr. El Gamal did not obtain a patent on his extension of Diffie-Hellman, and it is freely available for use, unlike the then-patented RSA technology. RSA Security released the RSA algorithm into the public domain in September 2000, shortly before the patent expired.

However, El Gamal also has a major disadvantage—the cipher text is twice the length of the plain text, because each encryption produces a pair of values. This presents a major hardship when encrypting long messages or data that will be transmitted over a narrow bandwidth communications circuit.

Elliptic Curve

Also in 1985, two mathematicians, Neal Koblitz from the University of Washington and Victor Miller from International Business Machines (IBM), independently proposed the application of elliptic curve cryptography theory to develop secure cryptographic systems.

image

The mathematical concepts behind elliptic curve cryptography are quite complex and well beyond the scope of this book. However, you should be generally familiar with the elliptic curve algorithm and its potential applications when preparing for the CISSP exam. If you are interested in learning the detailed mathematics behind elliptic curve cryptosystems, an excellent tutorial exists at www.certicom.com//index.php/ecc-tutorial.

Any elliptic curve can be defined by the following equation:

y^2 = x^3 + ax + b

In this equation, x, y, a, and b are real numbers in the textbook form of the curve; cryptographic implementations instead take them from a finite field, typically the integers modulo a large prime, so that every coordinate is a bounded integer. Each elliptic curve has a corresponding elliptic curve group made up of the points on the elliptic curve along with the point O, located at infinity, which serves as the group’s identity element. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve addition algorithm. This operation is expressed, quite simply, as follows:

P + Q

This operation extends to scalar multiplication: adding P to itself x times yields a point Q that is a multiple of P, written as follows:

Q = xP

Computer scientists and mathematicians believe that it is extremely hard to find x, even if P and Q are already known. This difficult problem, known as the elliptic curve discrete logarithm problem, forms the basis of elliptic curve cryptography. It is widely believed that this problem is harder to solve than both the prime factorization problem that the RSA cryptosystem is based upon and the standard discrete logarithm problem utilized by Diffie-Hellman and El Gamal. This is illustrated by the data shown in the table in the sidebar “Importance of Key Length,” which noted that a 1,024-bit DSA key (or a 1,088-bit RSA key) is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.
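The group operations described above, worked through on a deliberately tiny curve, as an added example that is not part of the book. The curve y^2 = x^3 + 2x + 3 over the integers modulo 97 and the base point G = (3, 6) are constructed for illustration; the point-addition and double-and-add routines are the same ones a real implementation uses over a 256-bit prime. The brute-force discrete-log search at the end succeeds only because the group has at most 117 elements, which is the whole point of the comparison with real key sizes.

```python
"""Added example (not from the book): elliptic-curve group arithmetic over a small prime
field, scalar multiplication Q = xP, a Diffie-Hellman style exchange on the curve, and a
brute-force solution of the discrete logarithm that only works because the field is tiny."""

# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97). Real curves such as P-256 use a
# ~256-bit prime; the group law below is the same, only the numbers are bigger.
P_MOD, A, B = 97, 2, 3
G = (3, 6)          # base point: 3^3 + 2*3 + 3 = 36 = 6^2 (mod 97)
INF = None          # the point at infinity O, the identity element of the group

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Group addition (chord-and-tangent rule) with all arithmetic mod P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                                    # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Q = k*P by double-and-add: O(log k) group operations, cheap even for 256-bit k."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def order(pt):
    """Smallest n > 0 with n*P = O (feasible only on a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n

def ecdlp_brute_force(pt, q):
    """Recover x with Q = xP by trying every multiple. On a real curve the best known
    generic attacks still need about sqrt(order) steps, i.e. ~2^128 for a 256-bit curve."""
    acc = INF
    for x in range(1, 2 * P_MOD + 3):   # Hasse bound: group order <= p + 1 + 2*sqrt(p)
        acc = add(acc, pt)
        if acc == q:
            return x
    return None

def ecdh(priv_a, priv_b):
    """Diffie-Hellman on the curve: each side multiplies the other's public point by its
    own secret scalar; both arrive at the same shared point."""
    pub_a, pub_b = scalar_mult(priv_a, G), scalar_mult(priv_b, G)
    return scalar_mult(priv_a, pub_b), scalar_mult(priv_b, pub_a)
```

Calling scalar_mult(23, G) and then ecdlp_brute_force(G, that point) recovers a valid exponent in at most 117 additions; on a standard 256-bit curve the same search would take on the order of 2^128 operations, which is why a 160-bit curve key matches a 1,024-bit DSA key in the Certicom table.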

Hash Functions

Later in this chapter, you’ll learn how cryptosystems implement digital signatures to provide proof that a message originated from a particular user of the cryptosystem and to ensure that the message was not modified while in transit between the two parties. Before you can completely understand that concept, we must first explain the concept of hash functions. This section explores the basics of hash functions and looks at several common hash functions used in modern digital signature algorithms.

Hash functions have a very simple purpose—they take a potentially long message and generate a short, fixed-length output value derived from the content of the message, which in practice is unique to that message. This value is commonly referred to as the message digest. Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message for two reasons. First, the recipient can use the same hash function to recompute the message digest from the full message. They can then compare the computed message digest to the transmitted one to ensure that the message sent by the originator is the same one received by the recipient. If the message digests do not match, it indicates that the message was somehow modified while in transit. Second, the message digest can be used to implement a digital signature algorithm. This concept is covered in “Digital Signatures” later in this chapter.

image

The term message digest is often used interchangeably with a wide variety of synonyms, including hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID. Be aware that this usage is loose: a CRC or simple checksum is an error-detection code that catches accidental corruption but can be trivially recomputed by an attacker, whereas a cryptographic hash is designed to resist deliberate tampering.

In most cases, a message digest is 128 bits or larger. At the other extreme, a single bit can serve as a parity check, the simplest form of checksum, which provides a single point of verification and detects only single-bit errors. In most cases, the longer the message digest, the more reliable its verification of integrity.

According to RSA Security, there are five basic requirements for a cryptographic hash function:

  • The input can be of any length.
  • The output has a fixed length.
  • The hash function is relatively easy to compute for any input.
  • The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). One-way functions and their usefulness in cryptography are described in Chapter 9.
  • The hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).

In the following sections, we’ll look at four common hashing algorithms: SHA, MD2, MD4, and MD5. HMAC is also discussed later in this chapter.

image

There are numerous hashing algorithms not addressed in this exam. In addition to SHA, MD2, MD4, MD5, and HMAC, you should recognize HAVAL. Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits.

SHA

The Secure Hash Algorithm (SHA) and its successor, SHA-1, are government standard hash functions developed by the National Institute of Standards and Technology (NIST) and are specified in an official government publication—the Secure Hash Standard (SHS), also known as Federal Information Processing Standard (FIPS) 180.

SHA-1 takes an input of virtually any length (in reality, there is an upper bound of approximately 2,097,152 terabytes on the algorithm) and produces a 160-bit message digest. The SHA-1 algorithm processes a message in 512-bit blocks. Therefore, if the message length is not a multiple of 512, the SHA algorithm pads the message with additional data until the length reaches the next highest multiple of 512. Recent cryptanalytic attacks demonstrated that there are weaknesses in the SHA-1 algorithm. This led to the creation of SHA-2, which has four variants:

  • SHA-224 produces a 224-bit message digest using a 512-bit block size.
  • SHA-256 produces a 256-bit message digest using a 512-bit block size.
  • SHA-512 produces a 512-bit message digest using a 1,024-bit block size.
  • SHA-384 uses a truncated version of the SHA-512 hash to produce a 384-bit digest using a 1,024-bit block size.

image

Although it might seem trivial, take the time to memorize the size of the message digests produced by each one of the hash algorithms described in this chapter.

The cryptographic community generally considers the SHA-2 algorithms secure, but because they share the same Merkle-Damgård construction as SHA-1, structural attacks on that design (such as length extension, which matters when a bare hash is misused as a keyed authenticator) apply to them in principle as well. In 2007, the federal government announced a competition to create SHA-3; NIST selected Keccak as the winner in October 2012 and standardized it as FIPS 202 in 2015.

MD2

The Message Digest 2 (MD2) hash algorithm was developed by Ronald Rivest (the same Rivest of Rivest, Shamir, and Adleman fame) in 1989 to provide a secure hash function for 8-bit processors. MD2 pads the message so that its length is a multiple of 16 bytes. It then computes a 16-byte checksum and appends it to the end of the message. A 128-bit message digest is then generated by using the entire original message along with the appended checksum.

Cryptanalytic attacks exist against the MD2 algorithm. Specifically, Nathalie Rogier and Pascal Chauvaud discovered that if the checksum is not appended to the message before digest computation, collisions may occur. Frédéric Muller later published a preimage attack showing that MD2 does not meet the one-way requirement. Therefore, it should no longer be used.

MD4

In 1990, Rivest enhanced his message digest algorithm to support 32-bit processors and increase the level of security. This enhanced algorithm is known as MD4. It first pads the message to ensure that the message length is 64 bits smaller than a multiple of 512 bits; the remaining 64 bits are then filled with the length of the original message. For example, a 16-bit message would be padded with 432 additional bits of data to make it 448 bits, which is 64 bits smaller than a 512-bit message.

The MD4 algorithm then processes 512-bit blocks of the message in three rounds of computation. The final output is a 128-bit message digest.

image

The MD2, MD4, and MD5 algorithms are no longer accepted as suitable hashing functions. However, the details of the algorithms may still appear on the CISSP exam.

Several mathematicians have published papers documenting flaws in the full version of MD4 as well as improperly implemented versions of MD4. In particular, Hans Dobbertin published a paper in 1996 outlining how a modern PC could be used to find collisions for MD4 message digests in less than one minute. For this reason, MD4 is no longer considered to be a secure hashing algorithm, and its use should be avoided if at all possible.

MD5

In 1991, Rivest released the next version of his message digest algorithm, which he called MD5. It also processes 512-bit blocks of the message, but it uses four distinct rounds of computation to produce a digest of the same length as the MD2 and MD4 algorithms (128 bits). MD5 has the same padding requirements as MD4—the message length must be 64 bits less than a multiple of 512 bits.

MD5 implements additional security features that reduce the speed of message digest production significantly. Unfortunately, cryptanalytic attacks have demonstrated that the MD5 algorithm is subject to collisions, breaking its collision-resistance property (a collision attack does not by itself break the one-way property, but it is enough to rule MD5 out for signatures and certificates). Specifically, Arjen Lenstra, Xiaoyun Wang, and Benne de Weger demonstrated in 2005 that it is possible to create two digital certificates from different public keys that have the same MD5 hash.

TABLE 10.1 lists well-known hashing algorithms and their resultant hash value lengths in bits. Earmark this page for memorization.

Table 10.1 Hash algorithm memorization chart

Name Hash Value Length
Secure Hash Algorithm (SHA-1) 160
SHA-224 224
SHA-256 256
SHA-384 384
SHA-512 512
Message Digest 5 (MD5) 128
Message Digest 4 (MD4) 128
Message Digest 2 (MD2) 128
Hash-based Message Authentication Code (HMAC) Variable
Hash of Variable Length (HAVAL)—an MD5 variant 128, 160, 192, 224, and 256 bits

Digital Signatures

Once you have chosen a cryptographically sound hashing algorithm, you can use it to implement a digital signature system. Digital signature infrastructures have two distinct goals:

  • Digitally signed messages assure the recipient that the message truly came from the claimed sender, and they enforce nonrepudiation (that is, they preclude the sender from later claiming that the message is a forgery).
  • Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification (a third party wanting to alter the meaning of the message) and unintentional modification (because of faults in the communications process, such as electrical interference).

Digital signature algorithms rely upon a combination of the two major concepts already covered in this chapter—public key cryptography and hashing functions. If Alice wants to digitally sign a message she’s sending to Bob, she performs the following actions:

1. Alice generates a message digest of the original plain-text message using one of the cryptographically sound hashing algorithms, such as SHA-512.

2. Alice then encrypts only the message digest using her private key. This encrypted message digest is the digital signature.

3. Alice appends the signed message digest to the plain-text message.

4. Alice transmits the appended message to Bob.

image

Digital signatures are used for more than just messages. Software vendors often use digital signature technology to authenticate code distributions that you download from the Internet, such as applets and software patches.

When Bob receives the digitally signed message, he reverses the procedure, as follows:

1. Bob decrypts the digital signature using Alice’s public key.

2. Bob uses the same hashing function to create a message digest of the full plain-text message received from Alice.

3. Bob then compares the decrypted message digest he received from Alice with the message digest he computed himself. If the two digests match, he can be assured that the message he received was sent by Alice. If they do not match, either the message was not sent by Alice or the message was modified while in transit.

Note that the digital signature process does not provide any privacy in and of itself. It only ensures that the cryptographic goals of integrity, authentication, and nonrepudiation are met. However, if Alice wanted to ensure the privacy of her message to Bob, she would add a step to the message creation process. After appending the signed message digest to the plain-text message, Alice could encrypt the entire message with Bob’s public key. When Bob received the message, he would decrypt it with his own private key before following the steps just outlined.

HMAC

The Hashed Message Authentication Code (HMAC) algorithm implements a partial digital signature—it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation.

image

Which Key Should I Use?

If you’re new to public key cryptography, selecting the correct key for various applications can be quite confusing. Encryption, decryption, message signing, and signature verification all use the same algorithm with different key inputs. Here are a few simple rules to help keep these concepts straight in your mind when preparing for the CISSP exam:

  • If you want to encrypt a message, use the recipient’s public key.
  • If you want to decrypt a message sent to you, use your private key.
  • If you want to digitally sign a message you are sending to someone else, use your private key.
  • If you want to verify the signature on a message sent by someone else, use the sender’s public key.

These four rules are the core principles of public key cryptography and digital signatures. If you understand each of them, you’re off to a great start!

HMAC can be combined with any standard message digest algorithm, such as SHA-2. The digest is computed over the message together with a shared secret key (the standard construction hashes twice, once with the key folded in as an inner value and once as an outer value, which is what makes it resistant to the length-extension weakness of a bare hash). Therefore, only communicating parties who know the key can generate or verify the authentication code. If the recipient recomputes the HMAC over the received message and it does not match the transmitted value, the message was altered in transit or was not produced by a holder of the key.

Because HMAC relies on a shared secret key, it does not provide any nonrepudiation functionality (as previously mentioned). However, it operates in a more efficient manner than the digital signature standard described in the following section and may be suitable for applications in which symmetric key cryptography is appropriate. In short, it represents a halfway point between unencrypted use of a message digest algorithm and computationally expensive digital signature algorithms based upon public key cryptography.
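A worked example of the padding rule described for SHA-1 and SHA-2, the structural weakness those algorithms share, and why HMAC is the right way to add a key to a hash. This is added code, not from the book: it builds SHA-256 from its padding and compression function (for study only; the cross-check against hashlib shows it is correct), then uses the exposed chaining state to forge a tag for the naive construction H(key || message) without knowing the key, and shows that the same trick fails against HMAC. The key and messages are constructed for the demonstration.

```python
"""Added example (not from the book): SHA-256 built from its padding rule and
compression function, then a length-extension forgery of the naive keyed hash
H(key || message), which HMAC is designed to resist."""
import hashlib
import hmac
import struct
from decimal import Decimal, getcontext

MASK = 0xFFFFFFFF

def _first_primes(count):
    """First `count` primes; only used to derive the SHA-256 constants."""
    found, candidate = [], 2
    while len(found) < count:
        if all(candidate % p for p in found):
            found.append(candidate)
        candidate += 1
    return found

def _frac32(value):
    """First 32 bits of the fractional part of a Decimal."""
    return int((value - int(value)) * (1 << 32))

getcontext().prec = 60
H0 = [_frac32(Decimal(p).sqrt()) for p in _first_primes(8)]               # sqrt of first 8 primes
K = [_frac32(Decimal(p) ** (Decimal(1) / 3)) for p in _first_primes(64)]  # cube roots of first 64 primes

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def md_pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: a 1 bit (0x80), zeros up to
    448 mod 512 bits, then the message length in bits as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256(data, state=None, already_absorbed=0):
    """SHA-256 of `data`. With `state` and `already_absorbed`, continues from a known
    chaining value as if that many bytes had already been hashed (the extension trick)."""
    h = list(state if state is not None else H0)
    data = data + md_pad(already_absorbed + len(data))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16L", data[off:off + 64]))
        for i in range(16, 64):                    # message schedule
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):                        # 64 rounds of the compression function
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8L", *h)

def matches_stdlib(data):
    """Cross-check against hashlib (the implementation above is for study, not production)."""
    return sha256(data) == hashlib.sha256(data).digest()

def naive_mac(key, message):
    """The insecure 'secret prefix' construction: H(key || message)."""
    return hashlib.sha256(key + message).digest()

def extend(tag, key_len, message, suffix):
    """Knowing only tag = H(key || message), len(key) and message, produce a valid tag
    for message || glue || suffix without knowing the key."""
    glue = md_pad(key_len + len(message))
    forged_tag = sha256(suffix, state=struct.unpack(">8L", tag),
                        already_absorbed=key_len + len(message) + len(glue))
    return message + glue + suffix, forged_tag

def demo():
    """Returns (naive_mac_forged, hmac_forged). Key and messages are constructed for the demo."""
    key, message, suffix = b"s3cret-k3y", b"amount=100&to=alice", b"&to=mallory"
    # Secret-prefix MAC: the tag is the hash's final state, so the attacker can keep hashing.
    forged_msg, forged_tag = extend(naive_mac(key, message), len(key), message, suffix)
    naive_forged = hmac.compare_digest(naive_mac(key, forged_msg), forged_tag)
    # HMAC: the outer hash over the inner digest hides the chaining state; the same trick fails.
    real = hmac.new(key, message, hashlib.sha256).digest()
    forged_msg2, forged_tag2 = extend(real, len(key), message, suffix)
    hmac_forged = hmac.compare_digest(hmac.new(key, forged_msg2, hashlib.sha256).digest(), forged_tag2)
    return naive_forged, hmac_forged
```

demo() returns (True, False): the forged message contains the padding bytes in the middle, which a parser that tolerates binary junk (a query string, a cookie, a file with trailing fields) will happily accept. Note also the use of hmac.compare_digest rather than == when checking a tag, so that the comparison does not leak how many leading bytes matched.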

Digital Signature Standard

The National Institute of Standards and Technology specifies the digital signature algorithms acceptable for federal government use in Federal Information Processing Standard (FIPS) 186-3, also known as the Digital Signature Standard (DSS). This document specifies that all federally approved digital signature algorithms must use the SHA-1 or SHA-2 hashing functions.

DSS also specifies the public key signature algorithms that can be used to support a digital signature infrastructure. There are three currently approved standard algorithms:

  • The Digital Signature Algorithm (DSA) as specified in FIPS 186-3
  • The Rivest, Shamir, Adleman (RSA) algorithm as specified in ANSI X9.31
  • The Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

image

Two other digital signature algorithms you should recognize, at least by name, are Schnorr’s signature algorithm and the Nyberg-Rueppel signature algorithm.

Public Key Infrastructure

The major strength of public key encryption is its ability to facilitate communication between parties previously unknown to each other. This is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. Protocols built on PKI combine asymmetric cryptography (for key exchange and signatures) with symmetric cryptography (for bulk encryption), along with hashing and digital certificates; this arrangement is also called hybrid cryptography. In the following sections, you’ll learn the basic components of the public key infrastructure and the cryptographic concepts that make global secure communications possible. You’ll learn the composition of a digital certificate, the role of certificate authorities, and the process used to generate and destroy certificates.

Certificates

Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. Digital certificates are essentially endorsed copies of an individual’s public key. When users verify that a certificate was signed by a trusted CA, they know that the public key is legitimate.

Digital certificates contain specific identifying information, and their construction is governed by an international standard—X.509. Certificates that conform to X.509 contain the following data:

  • Version of X.509 to which the certificate conforms
  • Serial number (from the certificate creator)
  • Signature algorithm identifier (specifies the technique used by the certificate authority to digitally sign the contents of the certificate)
  • Issuer name (identification of the certificate authority that issued the certificate)
  • Validity period (specifies the dates and times—a starting date and time and an ending date and time—during which the certificate is valid)
  • Subject’s name (contains the distinguished name, or DN, of the entity that owns the public key contained in the certificate)
  • Subject’s public key (the meat of the certificate—the actual public key the certificate owner used to set up secure communications)

The current version of X.509 (version 3) supports certificate extensions—customized variables containing data inserted into the certificate by the certificate authority to support tracking of certificates or various applications.

image

If you’re interested in building your own X.509 certificates or just want to explore the inner workings of the public key infrastructure, you can purchase the complete official X.509 standard from the International Telecommunication Union. It’s part of the Open Systems Interconnection (OSI) series of communication standards and can be purchased electronically on the ITU website at www.itu.int.

X.509 is an ITU-T standard, but it leaves enough choices open (profiles, extensions, and encoding details) that implementations can vary from vendor to vendor; Internet PKI follows the profile defined in RFC 5280. Both Microsoft and Mozilla use X.509 certificates for Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), between their web clients and servers. SSL is covered in greater detail in the section “Applied Cryptography” later in this chapter.

Certificate Authorities

Certificate authorities (CAs) are the glue that binds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates. To obtain a digital certificate from a reputable CA, you must prove your identity to the satisfaction of the CA. The following list includes the major CAs:

  • VeriSign
  • Thawte
  • Geotrust
  • Comodo Limited
  • Starfield Technologies
  • GoDaddy
  • DigiCert
  • Network Solutions, LLC
  • Entrust.net

Nothing is preventing any organization from simply setting up shop as a CA. However, the certificates issued by a CA are only as good as the trust placed in the organization that issued them. This is an important item to consider when receiving a digital certificate from a third party. If you don’t recognize and trust the name of the CA that issued the certificate, you shouldn’t place any trust in the certificate at all. PKI relies upon a hierarchy of trust relationships. If you configure your browser to trust a CA, it will automatically trust all of the digital certificates issued by that CA. Browser developers preconfigure browsers to trust the major CAs to avoid placing this burden on users.

Registration authorities (RAs) assist CAs with the burden of verifying users’ identities prior to issuing digital certificates. They do not directly issue certificates themselves, but they play an important role in the certification process, allowing CAs to remotely validate user identities.

image

Certificate Path Validation

You may have heard of certificate path validation (CPV) in your studies of certificate authorities. CPV means that each certificate in a certificate path from the original start or root of trust down to the server or client in question is valid and legitimate. CPV can be important if you need to verify that every link between “trusted” endpoints remains current, valid, and trustworthy. This issue arises from time to time when intermediary systems’ certificates expire or are replaced; this can break the chain of trust or the verification path. By forcing a reverification of all stages of trust, you can reestablish all trust links and prove that the assumed trust remains assured.

Certificate Generation and Destruction

The technical concepts behind the public key infrastructure are relatively simple. In the following sections, we’ll cover the processes used by certificate authorities to create, validate, and revoke client certificates.

Enrollment

When you want to obtain a digital certificate, you must first prove your identity to the CA in some manner; this process is called enrollment. As mentioned in the previous section, this sometimes involves physically appearing before an agent of the certification authority with the appropriate identification documents. Some certificate authorities provide other means of verification, including the use of credit report data and identity verification by trusted community leaders.

Once you’ve satisfied the certificate authority regarding your identity, you provide them with your public key. The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key. The CA then digitally signs the certificate using the CA’s private key and provides you with a copy of your signed digital certificate. You may then safely distribute this certificate to anyone with whom you want to communicate securely.

Verification

When you receive a digital certificate from someone with whom you want to communicate, you verify the certificate by checking the CA’s digital signature using the CA’s public key. Next, you must check and ensure that the certificate was not published on a certificate revocation list (CRL). At this point, you may assume that the public key listed in the certificate is authentic, provided that it satisfies the following requirements:

  • The digital signature of the CA is authentic.
  • You trust the CA.
  • The certificate is not listed on a CRL.
  • The certificate actually contains the data you are trusting.

The last point is a subtle but extremely important item. Before you trust an identifying piece of information about someone, be sure that it is actually contained within the certificate. If a certificate contains the email address ([email protected]) but not the individual’s name, you can be certain only that the public key contained therein is associated with that email address. The CA is not making any assertions about the actual identity of the [email protected] email account. However, if the certificate contains the name Bill Jones along with an address and telephone number, the CA is vouching for that information as well.

Digital certificate verification algorithms are built in to a number of popular web browsing and email clients, so you won’t often need to get involved in the particulars of the process. However, it’s important to have a solid understanding of the technical details taking place behind the scenes to make appropriate security judgments for your organization.

Revocation

Occasionally, a certificate authority needs to revoke a certificate. This might occur for one of the following reasons:

  • The certificate was compromised (for example, the certificate owner accidentally gave away the private key).
  • The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification).
  • The details of the certificate changed (for example, the subject’s name changed).
  • The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).

The revocation request grace period is the maximum time a CA allows itself to act on a requested revocation. It is defined in the CA's certification practice statement (CPS), the document that states the practices a CA employs when issuing and managing certificates.

You can use two techniques to verify the authenticity of certificates and identify revoked certificates:

Certificate revocation lists Certificate revocation lists (CRLs) are maintained by the various certification authorities and contain the serial numbers of certificates issued by that CA that have been revoked, along with the date and time each revocation took effect. The list is itself signed by the CA and carries a "next update" time. The major disadvantage of CRLs is that clients must download and consult them periodically, introducing a period of latency between the time a certificate is revoked and the time end users learn of the revocation; a client that cannot fetch a fresh CRL and "fails open" never learns of it at all. Despite this, CRLs remain a widely used method of checking certificate status.

Online Certificate Status Protocol (OCSP) This protocol reduces the latency inherent in CRLs by letting a client ask about a single certificate at the time it is presented. When a client receives a certificate, it sends an OCSP request (identifying the certificate by serial number) to the CA's OCSP responder, whose address is usually listed in the certificate itself. The responder replies with a signed status of good, revoked, or unknown; the response carries its own validity interval and may be cached until then. Because a client that cannot reach the responder typically proceeds anyway ("soft fail"), and because each query reveals to the CA which sites a user visits, servers may instead fetch a fresh OCSP response themselves and deliver it to the client during the TLS handshake (OCSP stapling).

Key Management

When working within the public key infrastructure, it’s important that you comply with several best practice requirements to maintain the security of your communications.

First, choose your encryption system wisely. As you learned earlier, “security through obscurity” is not an appropriate approach. Choose an encryption system with an algorithm in the public domain that has been thoroughly vetted by industry experts. Be wary of systems that use a “black-box” approach and maintain that the secrecy of their algorithm is critical to the integrity of the cryptosystem.

You must also select your keys in an appropriate manner. Use a key length that balances your security requirements with performance considerations. Also, ensure that your key is generated by a cryptographically secure random number generator. Any pattern or predictability in the key shrinks the space an attacker must search, increases the likelihood that the attacker will be able to break your encryption, and degrades the security of your cryptosystem.

When using public key encryption, keep your private key secret! Do not, under any circumstances, allow anyone else to gain access to your private key. Remember, allowing someone access even once permanently compromises all communications that take place (past, present, or future) using that key and allows the third party to successfully impersonate you.

Retire keys when they’ve served a useful life. Many organizations have mandatory key rotation requirements to protect against undetected key compromise. If you don’t have a formal policy that you must follow, select an appropriate interval based upon the frequency with which you use your key. You might want to change your key pair every few months, if practical.

Back up your key! If you lose the file containing your private key because of data corruption, disaster, or other circumstances, you’ll certainly want to have a backup available. You may want to either create your own backup or use a key escrow service that maintains the backup for you. In either case, ensure that the backup is handled in a secure manner. After all, it’s just as important as your primary key file!

Applied Cryptography

Up to this point, you've learned a great deal about the foundations of cryptography, the inner workings of various cryptographic algorithms, and the use of the public key infrastructure to distribute identity credentials using digital certificates. You should now feel comfortable with the basics of cryptography and prepared to move on to higher-level applications of this technology to solve everyday communications problems. In the following sections, we'll examine the use of cryptography to secure data at rest, such as that stored on portable devices, as well as data in transit, using techniques that include secure electronic mail, web communications services, electronic commerce, and networking.

Portable Devices

The now ubiquitous nature of notebook computers, netbooks, smartphones, PDAs, and other small portable computing devices brings new risks to the world of computing. Those devices often contain highly sensitive information that, if lost or stolen, could cause serious harm to an organization and its customers, employees, and affiliates. For this reason, many organizations turn to encryption to protect the data on these devices in the event they are misplaced.

Current versions of popular operating systems include disk encryption capabilities that make it easy to apply and manage encryption on portable devices. For example, Microsoft Windows includes the BitLocker and Encrypting File System (EFS) technologies, Mac OS X (now macOS) includes FileVault encryption, and the TrueCrypt open-source package allowed the encryption of disks on Linux, Windows, and Mac systems (TrueCrypt development ended in 2014; its code base lives on in VeraCrypt, and Linux distributions ship LUKS/dm-crypt natively). There is also a wide variety of commercial tools available that provide added features and management capability. Keep in mind that full-disk encryption protects data only while the device is powered off or locked; once a user has unlocked it, the operating system decrypts transparently for every process, including malware.


Don’t forget about smartphones when developing your portable device encryption policy. BlackBerries, iPhones, and other devices all include enterprise-level functionality that supports encryption of data stored on the phone.

Electronic Mail

We have mentioned several times that security should be cost effective. When it comes to electronic mail, the simplest option is usually the most cost-effective one, but sometimes cryptographic functions provide specific security services that you can't do without. With cost effectiveness in mind, here are some simple rules about encrypting email:

  • If you need confidentiality when sending an email message, then encrypt the message.
  • If your message must maintain integrity, then you must hash the message and protect the digest, either with a digital signature or with a keyed message authentication code; a bare digest can simply be recomputed by whoever alters the message.
  • If your message needs authentication, integrity and/or nonrepudiation, then you should digitally sign the message.
  • If your message requires confidentiality, integrity, authentication, and nonrepudiation, then you should encrypt and digitally sign the message.

It is always the responsibility of the sender to ensure that proper mechanisms are in place to ensure that the security (that is, confidentiality, integrity, authenticity, and nonrepudiation) and privacy of a message or transmission are maintained.

One of the most demanded applications of cryptography is encrypting and signing electronic mail messages. Until recently, encrypted email required the use of complex, awkward software that in turn required manual intervention and complicated key exchange procedures. An increased emphasis on security in recent years resulted in the implementation of strong encryption technology in mainstream electronic mail packages. Next, we’ll look at some of the secure electronic mail standards in widespread use today.

Pretty Good Privacy

Phil Zimmermann's Pretty Good Privacy (PGP) secure email system appeared on the computer security scene in 1991. Instead of the CA hierarchy described earlier in this chapter, it relies on a "web of trust": you must become trusted by one or more PGP users to begin using the system. You then accept their judgment regarding the validity of additional users and, by extension, trust a multilevel "web" of users descending from your initial trust judgments. PGP initially encountered a number of hurdles to widespread use. The most difficult obstruction was the U.S. government export regulations, which treated encryption technology as munitions and prohibited the distribution of strong encryption technology outside the United States. Those restrictions were substantially relaxed in 2000, and PGP may now be freely distributed to most countries.

PGP historically came in two versions. The commercial version used RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version used Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) 128-bit encryption/decryption algorithm, and the SHA-1 hashing function. Modern implementations follow the OpenPGP standard (originally RFC 4880), which negotiates algorithms per message; MD5 and SHA-1 are no longer acceptable for signatures, and current defaults pair AES with SHA-2 hashes.

Privacy Enhanced Mail

The Privacy Enhanced Mail (PEM) standard addresses implementation guidelines for secure electronic mail in a variety of Internet Request for Comments (RFC) documents. RFC 1421 outlines an architecture that provides the following services:

  • Disclosure protection
  • Originator authenticity
  • Message integrity
  • Nonrepudiation (if asymmetric cryptography is used)

However, the same RFC also notes that PEM is not intended to provide the following services:

  • Access control
  • Traffic flow confidentiality
  • Address list accuracy
  • Routing control
  • Assurance of message receipt and nondeniability of receipt
  • Automatic association of acknowledgments with the messages to which they refer
  • Replay protection

Security administrators who desire any of the services just listed should implement additional controls over and above those provided by a PEM-compliant electronic mail system. An important distinction between PEM and PGP is that PEM uses a CA-managed hierarchy of digital certificates, whereas PGP relies upon the “web of trust” between system users.

MOSS

Another Request for Comments document, RFC 1848, specifies the MIME Object Security Services (MOSS), yet another standard for secure electronic mail, designed to supersede Privacy Enhanced Mail. Like PGP, MOSS does not require the use of digital certificates and provides easy associations between certificates and email addresses. It also allows the secure exchange of attachments to email messages. However, MOSS does not provide any interoperability with PGP or PEM.

S/MIME

The Secure Multipurpose Internet Mail Extensions (S/MIME) protocol has become the IETF standard for certificate-based signed and encrypted email; the current version, S/MIME 4.0, is specified in RFC 8551. S/MIME originally utilized the RSA encryption algorithm and received the backing of major industry players, including RSA Security. S/MIME has been incorporated in a large number of commercial products, including these (the list reflects the period in which the standard was first adopted):

  • Microsoft Outlook and Outlook Express
  • Netscape Communicator
  • Lotus Notes
  • VeriSign Digital ID
  • Eudora WorldSecure

S/MIME relies upon the use of X.509 certificates for exchanging cryptographic keys. The public keys contained in these certificates are used for digital signatures and for the exchange of symmetric keys used for longer communications sessions. RSA was the only public key algorithm supported by early S/MIME; later versions added DSA and Diffie-Hellman and, subsequently, the elliptic curve variants ECDSA and ECDH. The original protocol supported the following symmetric encryption algorithms:

  • DES
  • 3DES
  • RC2

Later versions added AES, which is the mandatory-to-implement cipher today; DES and RC2 are obsolete and should be disabled in any S/MIME deployment. The strong industry support for S/MIME led the IETF to publish it as a standards-track protocol for secure electronic mail, and it remains the dominant choice in enterprise mail systems, while OpenPGP remains more common among individual users.

Web

Although secure electronic mail is still far from universal, secure web browsing has achieved widespread acceptance. This is mainly because of the strong movement toward electronic commerce and the desire of both e-commerce vendors and consumers to securely exchange financial information (such as credit card information) over the Web. We'll look at the two technologies designed for this purpose: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), which are responsible for the lock icon in the browser's address bar, and Secure HTTP (S-HTTP), which never saw wide deployment.

Secure Sockets Layer/Transport Layer Security

Secure Sockets Layer (SSL) was developed by Netscape to provide client/server encryption for web traffic. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) uses port 443 to negotiate encrypted communications sessions between web servers and browser clients. Although SSL originated as a standard for Netscape browsers, Microsoft also adopted it as a security standard for its popular Internet Explorer browser. The incorporation of SSL into both of these products made it the de facto Internet standard.

SSL relies upon the server's digital certificate to authenticate the server to the browser and to negotiate the parameters of the session, including the cipher suite and the symmetric session keys. SSL's goal is to create a secure communications channel that remains open for an entire web browsing session.

SSL relies upon a combination of symmetric and asymmetric cryptography. In the classic RSA key exchange, when a user accesses a website, the browser retrieves the web server's certificate and extracts the server's public key from it. The browser then creates a random secret, encrypts it with the server's public key, and sends the encrypted secret to the server. The server decrypts it using its own private key, both sides derive the same symmetric session keys from the secret, and the two systems exchange all further messages under those keys. This approach allows SSL to leverage the advanced functionality of asymmetric cryptography while encrypting and decrypting the vast majority of the data using the faster symmetric algorithm. It has one notable weakness: anyone who later obtains the server's private key can decrypt every recorded session. For that reason modern TLS deployments establish the session keys with an ephemeral Diffie-Hellman exchange, signed by the server's key, which provides forward secrecy; TLS 1.3 removed RSA key exchange altogether.

SSL formed the basis for a newer security standard, the Transport Layer Security (TLS) protocol, first specified as TLS 1.0 in RFC 2246 and now at TLS 1.3 (RFC 8446). TLS has fully replaced SSL: SSL 2.0 and 3.0 are formally deprecated (RFC 6176 and RFC 7568) and must not be enabled, and TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996). SSL and TLS both support server authentication (mandatory in normal use) and client authentication (optional, by means of a client certificate).


Be certain to know the differences between HTTP over SSL (HTTPS) and Secure HTTP (S-HTTP).

Secure HTTP

Secure HTTP (S-HTTP), published as an experimental protocol in RFC 2660, is the second protocol defined to provide security on the World Wide Web. S-HTTP was never widely deployed and is not nearly as popular as SSL/TLS, but it has two major differences:

  • S-HTTP secures individual messages between a client and server rather than creating a secure communications channel as SSL does.
  • S-HTTP was designed around two-way authentication between a client and a server; in SSL/TLS, client authentication exists but is optional and rarely used for ordinary web browsing, where only the server is authenticated.

Steganography

Steganography is the art of hiding a secret message inside another, innocuous-looking message or file. It is distinct from encryption, which hides a message's content but not its existence; the two are often combined, so that an extracted payload is still unreadable. A common steganographic technique alters the least significant bits of the many bytes that make up an image file. The changes are so minor that there is no appreciable effect on the viewed image. This technique allows communicating parties to hide messages in plain sight, such as embedding a secret message within an illustration on an otherwise innocent web page. Detection (steganalysis) therefore relies on statistical analysis of the carrier file rather than on looking at it.

Steganographers often embed their secret messages within images or WAV files. These files are often so large that the secret message would easily be missed by even the most observant inspector. Steganography techniques are often used for illegal or questionable activities, such as espionage and child pornography. However, they can also be used for legitimate purposes, such as adding digital watermarks to documents to protect intellectual property. The process of digital watermarking hides information within a file that is known only to the file’s creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and (if uniquely watermarked files are provided to each original recipient) trace the offending copy back to the source.
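The least-significant-bit technique described above, as an added example that is not part of the original chapter. The "image" is a constructed 64x48 grayscale gradient (one byte per pixel) so that the code runs without an image library; a 4-byte length header precedes the payload so the extractor knows where the message ends. The function names and the header format are this example's own choices, not a standard.

```python
# Added example: least-significant-bit (LSB) steganography on a constructed
# grayscale "image". Each pixel is one byte; we overwrite only its lowest bit,
# so no pixel value changes by more than 1.
import struct

WIDTH, HEIGHT = 64, 48


def make_cover() -> bytearray:
    """Constructed cover image: a smooth gradient, one byte per pixel."""
    return bytearray(((x * 3 + y * 2) % 256) for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(pixels: bytes) -> int:
    """One payload bit per pixel, minus the 4-byte length header."""
    return len(pixels) // 8 - 4


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _unbits(bits) -> bytes:
    """Inverse of _bits: pack a bit sequence back into bytes."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def embed(pixels: bytes, message: bytes) -> bytearray:
    """Hide `message` in the LSBs of `pixels`; the header records its length."""
    if len(message) > capacity_bytes(pixels):
        raise ValueError(f"message too long: {len(message)} > {capacity_bytes(pixels)} bytes")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(pixels)
    for index, bit in enumerate(_bits(payload)):
        out[index] = (out[index] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return out


def extract(pixels: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then the message itself."""
    header_bits = [p & 1 for p in pixels[:32]]
    (length,) = struct.unpack(">I", _unbits(header_bits))
    body_bits = [p & 1 for p in pixels[32:32 + length * 8]]
    return _unbits(body_bits)


def max_pixel_change(before: bytes, after: bytes) -> int:
    """Largest per-pixel difference; for LSB embedding this is at most 1."""
    return max(abs(a - b) for a, b in zip(before, after))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place at 0900"      # constructed payload
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_change(cover, stego))
```

The cover here is a gradient, which is the easy case for a steganalyst: the LSBs of a synthetic gradient are highly regular, and a run of payload bits stands out statistically even though the rendered image looks identical. Real carriers are chosen for noisy, high-entropy low bits (photographs, audio) for exactly that reason.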

E-commerce

As mentioned in the previous section, the rapid growth of electronic commerce led to the widespread adoption of SSL and HTTPS as standards for securely exchanging information through web browsers. Recently, industry experts have recognized the added security necessary for electronic transactions. In this section, we’ll explore the Secure Electronic Transaction protocol designed to add this enhanced security.

The Secure Electronic Transaction (SET) standard was originally developed jointly by Visa and MasterCard—the two largest providers of credit cards in the United States—as a means for securing e-commerce transactions. When they outlined the business case for SET, the two vendors identified the following seven requirements:

  • Provide confidentiality of payment information and enable confidentiality of order information transmitted along with the payment information.
  • Ensure the integrity of all transmitted data.
  • Provide authentication that a cardholder is a legitimate user of a branded payment card account.
  • Provide authentication that a merchant can accept branded payment card transactions through its relationship with an acquiring financial institution.
  • Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
  • Create a protocol that neither depends on transport security mechanisms nor prevents their use.
  • Facilitate and encourage interoperability among software and network providers.

SET is no longer used by anyone, anywhere. However, questions about it still pop up on the CISSP exam from time to time.

SET utilizes a combination of RSA public key cryptography and DES private key cryptography in conjunction with digital certificates to secure electronic transactions. The original SET standard was published in 1997.

MONDEX

The MONDEX payment system, owned by MasterCard, uses cryptographic technology to allow electronic commerce users to store value on smart chips in proprietary payment cards. The value can then be instantly transferred to a vendor at the point of purchase.

Networking

The final application of cryptography we’ll explore in this chapter is the use of cryptographic algorithms to provide secure networking services. In the following sections, we’ll take a brief look at two methods used to secure communications circuits as well as IPSec and the ISAKMP protocol. We’ll also look at some of the security issues surrounding wireless networking.

Circuit Encryption

Security administrators use two types of encryption techniques to protect data traveling over networks—link encryption and end-to-end encryption.

Link encryption protects entire communications circuits by creating a secure tunnel between two points using either a hardware solution or a software solution that encrypts all traffic entering one end of the tunnel and decrypts all traffic entering the other end of the tunnel. For example, a company with two offices connected via a data circuit might use link encryption to protect against attackers monitoring at a point in between the two offices.

End-to-end encryption protects communications between two parties (for example, a client and a server) and is performed independently of link encryption. An example of end-to-end encryption would be the use of Privacy Enhanced Mail to pass a message between a sender and a receiver. This protects against an intruder who might be monitoring traffic on the secure side of an encrypted link or traffic sent over an unencrypted link.

The critical difference between link and end-to-end encryption is that in link encryption, all the data, including the header, trailer, address, and routing data, is encrypted. Therefore, each packet has to be decrypted at each hop so it can be properly routed to the next hop and then reencrypted before it can be sent along its way, which slows the routing and exposes the plaintext inside every intermediate device. End-to-end encryption does not encrypt the header, trailer, address, and routing data, so packets move faster from point to point, but anyone who can observe the traffic learns who is talking to whom and how much (traffic analysis), even though the payload itself stays protected. When encryption happens at the higher OSI layers, it is usually end-to-end encryption, and if encryption is done at the lower layers of the OSI model, it is usually link encryption.

Secure Shell (SSH) is a good example of an end-to-end encryption technique. This suite of programs provides encrypted alternatives to common Internet applications such as FTP, Telnet, and rlogin. There are actually two versions of SSH. SSH1 (which is now considered insecure and should be disabled wherever it is still offered) supports the DES, 3DES, IDEA, and Blowfish algorithms. SSH2 (RFC 4253) drops support for DES and IDEA but adds support for several other algorithms, including AES.

IPSec

Various security architectures are in use today, each one designed to address security issues in different environments. One such architecture that supports secure communications is the Internet Protocol Security (IPSec) standard. IPSec is a standard architecture set forth by the Internet Engineering Task Force (IETF) for setting up a secure channel to exchange information between two entities. The two entities could be two systems, two routers, two gateways, or any combination of entities. Although generally used to connect two networks, IPSec can be used to connect individual computers, such as a server and a workstation or a pair of workstations (sender and receiver, perhaps). IPSec does not dictate all implementation details but is an open, modular framework that allows many manufacturers and software developers to develop IPSec solutions that work well with products from other vendors.

IPSec uses a combination of public key and symmetric cryptography: public key techniques (or a pre-shared key) authenticate the peers and establish the session keys during the key exchange, while symmetric ciphers and keyed message authentication codes protect the actual IP traffic. The result is encryption, access control, and message authentication with data-origin authentication, all at the IP layer. The primary use of IPSec is for virtual private networks (VPNs), so IPSec operates in either transport or tunnel mode. IPSec is commonly paired with the Layer 2 Tunneling Protocol (L2TP) as L2TP/IPSec.

The IP Security (IPSec) protocol provides a complete infrastructure for secured network communications. IPSec has gained widespread acceptance and is now offered in a number of commercial operating systems out of the box. IPSec relies upon security associations, and there are two main components:

  • The Authentication Header (AH) provides assurances of message integrity and data-origin authentication over the packet payload and the unchanging fields of the IP header, using a keyed hash (HMAC) computed under the security association's shared key. Because both peers hold that key, AH authenticates the peers to each other but does not provide true nonrepudiation toward a third party, even though exam materials often list nonrepudiation among its services. AH also provides access control and prevents replay attacks through its sequence number. Because it covers the IP header, AH does not survive network address translation.
  • The Encapsulating Security Payload (ESP) provides confidentiality and integrity of packet contents. It provides encryption and authentication of the encapsulated payload (but not of the outer IP header) and prevents replay attacks.

ESP also provides some limited authentication, but not to the degree of the AH. Though ESP is sometimes used without AH, it’s rare to see AH used without ESP.

IPSec provides for two discrete modes of operation. When IPSec is used in transport mode, only the packet payload is protected; the original IP header stays in the clear so the packet can be routed as before. This mode is designed for host-to-host (peer-to-peer) communication. When it's used in tunnel mode, the entire original packet, including its header, is protected and wrapped in a new IP packet whose outer header carries the addresses of the two gateways. This mode is designed for gateway-to-gateway communication.


IPSec is an extremely important concept in modern computer security. Be certain that you’re familiar with the component protocols and modes of IPSec operation.

At runtime, you set up an IPSec session by creating a security association (SA). The SA represents the communication session and records any configuration and status information about the connection. The SA represents a simplex connection. If you want a two-way channel, you need two SAs, one for each direction. Also, if you want to support a bidirectional channel using both AH and ESP, you will need to set up four SAs. Some of IPSec’s greatest strengths come from being able to filter or manage communications on a per-SA basis so that clients or gateways between which security associations exist can be rigorously managed in terms of what kinds of protocols or services can use an IPSec connection. Also, without a valid security association defined, pairs of users or gateways cannot establish IPSec links.

Further details of the IPSec algorithm are provided in Chapter 3, “ISO Model, Protocols, Network Security, and Network Infrastructure.”

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPSec by negotiating, establishing, modifying, and deleting security associations. As you learned in the previous section, IPSec relies upon a system of security associations (SAs). These SAs are managed through the use of ISAKMP, which defines the framework and message formats; the Internet Key Exchange (IKE) supplies the actual key agreement within it. IKEv2 (RFC 7296) later merged both into a single protocol and obsoleted RFC 2408, but the four basic requirements set forth for ISAKMP in Internet RFC 2408 still describe what the key management layer must do:

  • Authenticate communicating peers.
  • Create and manage security associations.
  • Provide key generation mechanisms.
  • Protect against threats (for example, replay and denial-of-service attacks).

Wireless Networking

The widespread rapid adoption of wireless networks poses a tremendous security risk. Many traditional networks do not implement encryption for routine communications between hosts on the local network and rely upon the assumption that it would be too difficult for an attacker to gain physical access to the network wire inside a secure location to eavesdrop on the network. However, wireless networks transmit data through the air, leaving them extremely vulnerable to interception.

Wired Equivalent Privacy

The security community responded with the introduction of Wired Equivalent Privacy (WEP), which uses the RC4 stream cipher with either a 40-bit key (marketed as "64-bit", counting the 24-bit initialization vector sent with each packet) or a 104-bit key (marketed as "128-bit") to protect communications within the wireless LAN. WEP is described in IEEE 802.11 as an optional component of the wireless networking standard.


Recent cryptanalysis attacks have demonstrated that significant flaws exist in the WEP algorithm, making it possible to completely undermine the security of a WEP-protected network within seconds. You should never use WEP encryption to protect a wireless network. In fact, the use of WEP encryption on a store network was the root cause behind the TJX security breach that was widely publicized in 2007. Again, you should never use WEP encryption on a wireless network.

WiFi Protected Access

WiFi Protected Access (WPA) improved upon WEP by implementing the Temporal Key Integrity Protocol (TKIP), which wraps the same RC4 cipher in per-packet keys and a message integrity check to close the specific weaknesses that undermined WEP. TKIP was a stopgap designed to run on WEP-era hardware; it has since been found to have weaknesses of its own and is deprecated in the 802.11 standard. WPA2 replaces TKIP with AES in CCMP mode and is the minimum acceptable protection for a modern wireless network; its successor, WPA3, adds a password-authenticated key exchange that resists offline dictionary attacks against the passphrase. Use WPA2-AES or WPA3, and disable TKIP.


Remember that WPA does not provide an end-to-end security solution. It encrypts traffic only between a mobile computer and the nearest wireless access point. Once the traffic hits the wired network, it’s in the clear again.

Another commonly used wireless security standard, IEEE 802.1X, provides a flexible framework for port-based authentication and key management in wired and wireless networks. To use 802.1X, the client runs a piece of software known as the supplicant. The supplicant's credentials travel in EAP messages through the network switch or wireless access point (the authenticator) to the authentication server, typically a RADIUS server; the authenticator relays the exchange without interpreting the credentials itself. After successful authentication, the authenticator opens the port and allows the client to access the network, and keys derived during the exchange seed the WPA/WPA2 session keys. WPA was designed to interact with 802.1X authentication servers in this way; this is its "enterprise" mode, as opposed to the "personal" mode that relies on a shared passphrase.

Cryptographic Attacks

As with any security mechanism, malicious individuals have found a number of attacks to defeat cryptosystems. It’s important that you, as a security administrator, understand the threats posed by various cryptographic attacks to minimize the risks posed to your systems:

Analytic attack This is an algebraic manipulation that attempts to reduce the complexity of the algorithm. Analytic attacks focus on the logic of the algorithm itself.

Implementation attack This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.

Statistical attack A statistical attack exploits statistical weaknesses in a cryptosystem, such as a random number generator whose output is predictable or biased, or floating-point errors. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application rather than in the algorithm itself.

Brute force Brute-force attacks are quite straightforward. Such an attack attempts every possible valid combination for a key or password. They involve using massive amounts of processing power to methodically guess the key used to secure cryptographic communications. For a nonflawed algorithm, the number of keys to try, and therefore the expected time, grows exponentially with the length of the key: every additional bit of key length doubles the time to perform a brute-force attack because the number of potential keys doubles. A brute-force attack will always be successful given enough time, but for a 128-bit key "enough time" exceeds any realistic budget, which is why attackers target key generation, key storage, and human-chosen passwords instead.

Frequency analysis In many cases, the only information you have at your disposal is the encrypted cipher-text message, a scenario known as the “cipher-text only attack.” In this case, one technique that proves helpful against simple ciphers is frequency analysis—counting the number of times each letter appears in the cipher text. Using your knowledge that the letters E, T, O, A, I, and N are the most common in the English language, you can then test several hypotheses:

  • If these letters are also the most common in the cipher text, the cipher was likely a transposition cipher, which rearranged the characters of the plain text without altering them.
  • If other letters are the most common in the cipher text, the cipher is probably some form of substitution cipher that replaced the plain-text characters.

This is a simple overview of frequency analysis, and many sophisticated variations on this technique can be used against polyalphabetic ciphers and other sophisticated cryptosystems.
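The frequency-analysis test described above, as an added example that is not part of the original chapter. It goes one step beyond counting the six most common letters: it scores every candidate shift against a standard English letter-frequency table with a chi-squared statistic, so that a transposition (whose counts already match English, best shift 0) can be told apart from a shift substitution (whose counts match English only after the right shift), and the shift itself is recovered. The sample plaintext, the columnar width, and the shift value are constructed for the example.

```python
# Added example: cipher-text-only frequency analysis. Counts letters, compares
# them with ordinary English, and distinguishes transposition from shift substitution.
from collections import Counter
from string import ascii_lowercase

# Letter frequencies of ordinary English text, in percent (standard published table).
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def letters_only(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in ascii_lowercase)


def caesar(text: str, shift: int) -> str:
    """Shift substitution; non-letters pass through unchanged. A negative shift decrypts."""
    out = []
    for ch in text.lower():
        if ch in ascii_lowercase:
            out.append(ascii_lowercase[(ascii_lowercase.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def columnar(text: str, width: int) -> str:
    """Columnar transposition: write the letters in rows of `width`, read down the columns."""
    letters = letters_only(text)
    return "".join(letters[i::width] for i in range(width))


def most_common(text: str, n: int = 6) -> str:
    """The n most frequent letters, the raw observation the text describes."""
    return "".join(ch for ch, _ in Counter(letters_only(text)).most_common(n))


def chi_squared(text: str) -> float:
    """Distance between observed letter counts and English expectations; lower is more English-like."""
    letters = letters_only(text)
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for ch in ascii_lowercase:
        expected = total * ENGLISH_FREQ[ch] / 100
        score += (counts[ch] - expected) ** 2 / expected
    return score


def best_shift(ciphertext: str):
    """Try all 26 shifts; return (shift, score) for the candidate that looks most like English."""
    scores = [(chi_squared(caesar(ciphertext, -s)), s) for s in range(26)]
    score, shift = min(scores)
    return shift, score


def classify(ciphertext: str) -> str:
    """Unchanged frequencies (best shift 0) point to transposition;
    frequencies that fit English only after a shift point to substitution."""
    shift, _ = best_shift(ciphertext)
    return "transposition" if shift == 0 else "substitution"


# Constructed sample: ordinary English, long enough for the statistics to settle.
PLAINTEXT = (
    "cryptanalysis of a classical cipher often begins with counting how many times each "
    "letter appears in the intercepted text and comparing the result with the letter "
    "frequencies of ordinary english writing. the letters e t a o i n appear most often "
    "and the letters j q x z appear least often. a transposition cipher shuffles the "
    "positions of the letters but leaves each one unchanged, so the counts still match "
    "english closely. a substitution cipher replaces each letter with another one, so the "
    "counts are shifted or permuted instead and the analyst must first undo that mapping."
)

if __name__ == "__main__":
    for name, ct in (("columnar", columnar(PLAINTEXT, 7)), ("caesar+11", caesar(PLAINTEXT, 11))):
        shift, score = best_shift(ct)
        print(f"{name}: top letters={most_common(ct)} verdict={classify(ct)} shift={shift} chi2={score:.1f}")
```

For a general (non-shift) substitution, no single shift brings the chi-squared score down to English levels; a low minimum score is what tells you a shift alone explains the ciphertext, and a high minimum means a full substitution alphabet must be solved letter by letter.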

Known plain text In the known plain-text attack, the attacker has a copy of the encrypted message along with the plain-text message used to generate the cipher text (the copy). This knowledge greatly assists the attacker in breaking weaker codes. For example, imagine the ease with which you could break the Caesar cipher described in Chapter 9 if you had both a plain-text copy and a cipher-text copy of the same message.

Chosen cipher text In a chosen cipher-text attack, the attacker has the ability to decrypt chosen portions of the cipher-text message and use the decrypted portion of the message to discover the key.

Chosen plain text In a chosen plain-text attack, the attacker has the ability to encrypt plain-text messages of their choosing and can then analyze the cipher-text output of the encryption algorithm.

Meet in the middle Attackers might use a meet-in-the-middle attack to defeat encryption schemes that apply a cipher twice with two independent keys. This attack is the reason that Double DES (2DES) was quickly discarded as a viable enhancement to DES in favor of Triple DES (3DES). In the meet-in-the-middle attack, the attacker uses a known plain-text message. The plain text is encrypted under every possible first key (k1) and the results are stored in a table; the matching cipher text is then decrypted under every possible second key (k2), and each result is looked up in the table. When a match is found, the corresponding pair (k1, k2) is a candidate for both halves of the double encryption, and a second known plain-text/cipher-text pair weeds out the false matches. For n-bit keys this takes roughly 2 × 2^n cipher operations and 2^n storage, rather than the 2^(2n) a naive attacker would face, so doubling the cipher offers minimal added protection. Triple DES resists the attack only partly: meet in the middle reduces its 168-bit key to about 112 bits of effective strength.
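The attack as just described, carried out end to end as an added example that is not from the original chapter. To keep the search instant it uses a toy 16-bit block cipher with 12-bit keys constructed for this example (not a real cipher, and not DES); the structure of the attack is exactly what would be run against 2DES with 56-bit keys. The attacker is given three known plaintext/ciphertext pairs and neither key. The function returns the surviving key pairs together with the number of cipher calls spent, so the 2 × 2^n cost can be compared against the 2^(2n) of brute force.

```python
# Added example: meet-in-the-middle attack on double encryption with a toy cipher.
MASK = 0xFFFF            # 16-bit block
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS # 4096 keys per half; brute force on the pair would be 2^24
ROUNDS = 4


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def _round_key(key: int, r: int) -> int:
    return (key * 0x1F1F + r * 0x3C5A) & MASK


def toy_encrypt(block: int, key: int) -> int:
    """Toy add-rotate-xor cipher constructed for this example; not a real cipher."""
    for r in range(ROUNDS):
        block = (block + _round_key(key, r)) & MASK
        block = _rotl(block, 5)
        block ^= 0x5A5A
    return block


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt: undo each round in reverse order."""
    for r in reversed(range(ROUNDS)):
        block ^= 0x5A5A
        block = _rotr(block, 5)
        block = (block - _round_key(key, r)) & MASK
    return block


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """The 2DES-style construction under attack: two independent keys in sequence."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) pairs from known plaintext/ciphertext pairs.
    Returns (candidates, cipher_calls). Brute force would need KEYSPACE**2 trials."""
    (p0, c0), *rest = pairs
    calls = 0
    # Forward half: encrypt p0 under every k1 and index by the intermediate value.
    table = {}
    for k1 in range(KEYSPACE):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
        calls += 1
    # Backward half: decrypt c0 under every k2 and look for a meeting point.
    candidates = []
    for k2 in range(KEYSPACE):
        mid = toy_decrypt(c0, k2)
        calls += 1
        for k1 in table.get(mid, []):
            # With a 16-bit block and 24 key bits, about 2^8 pairs meet by chance
            # on a single pair; the remaining known pairs eliminate them.
            consistent = True
            for p, c in rest:
                calls += 2
                if double_encrypt(p, k1, k2) != c:
                    consistent = False
                    break
            if consistent:
                candidates.append((k1, k2))
    return candidates, calls


# Constructed scenario: the attacker sees these pairs but not the keys that made them.
SECRET_K1, SECRET_K2 = 0x3A7, 0xC41
KNOWN_PAIRS = [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    found, work = meet_in_the_middle(KNOWN_PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print(f"cipher calls: {work} (brute force on the pair: {KEYSPACE ** 2})")
```

The table holding 2^n intermediate values is the price of the attack; for real 2DES that is 2^56 entries, which is why the practical threat is the time/memory trade-off rather than a laptop run, but it is still far below the 2^112 that a 112-bit key would suggest.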

Man in the middle In the man-in-the-middle attack, a malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session). The attacker responds to the originator's initialization requests and sets up a secure session with the originator. The attacker then establishes a second secure session with the intended recipient using a different key and posing as the originator. The attacker can then "sit in the middle" of the communication and read or alter all traffic as it passes between the two parties. The defense is to authenticate the key-exchange messages themselves, for example with digital certificates or a pre-shared secret, so that each party can detect that the key it negotiated belongs to the attacker rather than to its peer.
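The attack described above, run against an unauthenticated Diffie-Hellman exchange, together with the authenticated variant that detects it. This is an added example and is not from the study guide. The group parameters are the 1024-bit MODP prime and generator 2 from RFC 2409 (Oakley Group 2); the session-key derivation (SHA-256 of the shared secret) and the pre-shared-key HMAC used to authenticate the public values are choices made for this example, standing in for the certificate-based authentication a real protocol such as TLS uses.

```python
"""Man-in-the-middle against Diffie-Hellman, with and without authentication."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley Group 2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(private: int, peer_public: int) -> bytes:
    """Derive a session key from the shared secret (peer_public^private mod p)."""
    return hashlib.sha256(pow(peer_public, private, P).to_bytes(NBYTES, "big")).digest()


def mac(psk: bytes, public: int) -> bytes:
    """Authenticate a public value with a pre-shared key (example choice)."""
    return hmac.new(psk, public.to_bytes(NBYTES, "big"), "sha256").digest()


def receive(psk, public: int, tag: bytes) -> int:
    """With a PSK configured, reject any public value whose MAC does not verify."""
    if psk is not None and not hmac.compare_digest(mac(psk, public), tag):
        raise ValueError("peer public value failed authentication")
    return public


def exchange(attacker_present: bool, psk: bytes = None):
    """Run one exchange. Returns (alice_key, bob_key, mallory_keys), where
    mallory_keys is None without an attacker, else (key_with_alice, key_with_bob)."""
    a, A = keypair()
    b, B = keypair()
    wire_a = (A, mac(psk, A) if psk else b"")   # Alice -> Bob
    wire_b = (B, mac(psk, B) if psk else b"")   # Bob -> Alice
    mallory = None
    if attacker_present:
        m1, M1 = keypair()
        m2, M2 = keypair()
        # Mallory swaps in her own public values. Without the PSK she cannot
        # compute fresh MACs, so she forwards the original tags unchanged.
        wire_a = (M2, wire_a[1])
        wire_b = (M1, wire_b[1])
        mallory = (session_key(m1, A), session_key(m2, B))
    k_alice = session_key(a, receive(psk, *wire_b))
    k_bob = session_key(b, receive(psk, *wire_a))
    return k_alice, k_bob, mallory


def attacker_detected(psk: bytes) -> bool:
    """True if the authenticated exchange rejects the substituted values."""
    try:
        exchange(True, psk)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb, (ma, mb) = exchange(True)
    print("unauthenticated: Alice and Bob agree?", ka == kb,
          "| Mallory holds both keys?", ka == ma and kb == mb)
    print("authenticated: attacker detected?", attacker_detected(b"shared-secret"))
```

Without authentication, Alice and Bob each end the exchange convinced they share a key, but the two keys differ and Mallory holds both, so she can decrypt, read, re-encrypt and forward every message. Note that the group, the exponents and the key derivation are all sound; what the attack exploits is only the missing proof of who sent each public value.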


Be careful not to confuse the meet-in-the-middle attack with the man-in-the-middle attack. They may have similar names but are quite different!

Birthday The birthday attack, also known as a collision attack or reverse hash matching (see the discussion of brute-force and dictionary attacks in Chapter 2), exploits the fact that hashing functions are not one-to-one: infinitely many messages map to each fixed-length digest, so two different messages with the same digest (a collision) always exist. In this attack, the malicious individual seeks to substitute in a digitally signed communication a different message that produces the same message digest, thereby maintaining the validity of the original digital signature. The attack takes its name from the birthday paradox: for an n-bit digest, an attacker who is free to vary both the message to be signed and the substitute expects to find some colliding pair after only about 2^(n/2) trial messages, not 2^n, which is why a digest must be twice as long as the security level it is meant to provide.
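The substitution attack described above, worked through against a deliberately shortened digest. This is an added example and is not from the study guide: the digest is SHA-256 truncated to 32 bits so that the search finishes in well under a second (against a full-length digest the same search needs about 2^(n/2) trial messages), and the two payment instructions and the "revision" trailer used to create harmless-looking variants are constructed for this example.

```python
"""Birthday attack: find a benign and a malicious document with the same digest."""
import hashlib
import math

DIGEST_BITS = 32


def short_digest(message: bytes) -> int:
    """Truncated SHA-256 standing in for a short, weak hash."""
    return int.from_bytes(hashlib.sha256(message).digest()[:DIGEST_BITS // 8], "big")


def expected_trials(bits: int) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random messages before some
    pair collides, versus 2^bits trials to match one specific digest."""
    return int(math.sqrt(math.pi / 2 * 2 ** bits))


def find_substitute(benign: bytes, malicious: bytes, limit: int = 1 << 22):
    """Two-set birthday search. Generate variants of both documents until a
    benign variant and a malicious variant share a digest. The victim is asked
    to sign the benign variant; that signature then also verifies the malicious
    one. Returns (benign_variant, malicious_variant, hashes_computed) or None."""
    benign_seen = {}
    malicious_seen = {}
    for i in range(limit):
        trailer = b"\n# revision %d" % i          # innocuous-looking variation
        b, m = benign + trailer, malicious + trailer
        hb, hm = short_digest(b), short_digest(m)
        if hb == hm:
            return b, m, 2 * (i + 1)
        if hb in malicious_seen:
            return b, malicious_seen[hb], 2 * (i + 1)
        if hm in benign_seen:
            return benign_seen[hm], m, 2 * (i + 1)
        benign_seen[hb] = b
        malicious_seen[hm] = m
    return None


# Constructed documents for the demonstration.
BENIGN = b"Transfer 100 USD from account 1234 to account 5678."
MALICIOUS = b"Transfer 100000 USD from account 1234 to account 9999."

if __name__ == "__main__":
    good, bad, n = find_substitute(BENIGN, MALICIOUS)
    print(f"collision after {n} hashes (birthday bound ~{2 * expected_trials(DIGEST_BITS)})")
    print(f"  to be signed: {good!r}")
    print(f"  substitute:   {bad!r}")
    print(f"  shared digest 0x{short_digest(good):08x}")
```

The search keeps two tables and checks each new variant against the other document's table, so the number of candidate pairs grows as the square of the number of hashes computed; that quadratic growth is the whole reason a 32-bit digest falls after roughly 2^16 variants of each document rather than 2^32.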


Don’t forget that social engineering techniques can also be used in cryptanalysis. If you’re able to obtain a decryption key by simply asking the sender for it, that’s much easier than attempting to crack the cryptosystem!

Replay The replay attack is used against cryptographic protocols that don't incorporate temporal protections. In this attack, the malicious individual intercepts an encrypted or authenticated message between two parties (often a request for authentication) and, without needing to decrypt it, later "replays" the captured message to open a new session. This attack can be defeated by incorporating a time stamp and expiration period into each message, together with a nonce or sequence number that the recipient remembers for the life of the window; both must be covered by the message's integrity protection, or the attacker simply edits them before replaying.
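The weak verifier and the hardened one side by side. This is an added example and is not from the study guide: the request format (a JSON body carrying a time stamp and a nonce, followed by an HMAC-SHA256 tag), the 30-second acceptance window and the nonce cache are design choices for this example, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
"""Replay protection for an authenticated request (constructed example)."""
import hmac
import json
import time


def make_request(key: bytes, body: dict, ts: float, nonce: str) -> bytes:
    """Client side: payload with time stamp and fresh nonce, then a MAC over it."""
    payload = json.dumps({**body, "ts": ts, "nonce": nonce}, sort_keys=True).encode()
    tag = hmac.new(key, payload, "sha256").hexdigest().encode()
    return payload + b"." + tag


def check_mac(key: bytes, request: bytes):
    """Return the parsed payload if the MAC verifies, else None."""
    payload, _, tag = request.rpartition(b".")
    expected = hmac.new(key, payload, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def mac_only_verify(key: bytes, request: bytes) -> str:
    """The weak verifier: integrity only. A captured request verifies forever."""
    return "ok" if check_mac(key, request) is not None else "bad-mac"


class ReplayGuard:
    """Hardened verifier: MAC first, then freshness window, then nonce uniqueness."""

    def __init__(self, key: bytes, window: float = 30.0, clock=time.time):
        self.key = key
        self.window = window
        self.clock = clock
        self.seen = {}          # nonce -> last instant at which a replay could still be fresh

    def verify(self, request: bytes) -> str:
        payload = check_mac(self.key, request)
        if payload is None:
            return "bad-mac"    # unauthenticated fields must not influence anything
        now = self.clock()
        if abs(now - payload["ts"]) > self.window:
            return "expired"
        # Forget nonces whose requests would now be rejected as expired anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if payload["nonce"] in self.seen:
            return "replay"
        self.seen[payload["nonce"]] = payload["ts"] + self.window
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    guard = ReplayGuard(key)
    req = make_request(key, {"user": "alice", "action": "login"}, time.time(), "n-1")
    print("weak verifier:", mac_only_verify(key, req), mac_only_verify(key, req))
    print("replay guard: ", guard.verify(req), guard.verify(req))
```

The nonce cache only has to remember nonces for one window, because anything older is rejected by the time-stamp check before the cache is consulted; that bound is what keeps the verifier's memory finite. It does assume the two clocks are loosely synchronized, which is why real deployments (Kerberos, for instance) also allow a small skew.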

Summary

Public key encryption provides an extremely flexible infrastructure, facilitating simple, secure communication between parties that do not necessarily know each other prior to initiating the communication. It also provides the framework for the digital signing of messages to ensure nonrepudiation and message integrity. This chapter explored public key encryption and the public key infrastructure (PKI) hierarchy of trust relationships that lets communicating parties verify each other's public keys: certificate authorities (CAs) generate digital certificates containing the public keys of system users, and digital signatures rely upon a combination of public key cryptography and hashing functions. We also contrasted two approaches to protecting traffic, link encryption and end-to-end encryption.

We also looked at some of the common applications of cryptographic technology in solving everyday problems. You learned how cryptography can be used to secure electronic mail (using PGP, PEM, MOSS, and S/MIME), web communications (using SSL and S-HTTP), electronic commerce (using SET), and both peer-to-peer and gateway-to-gateway networking (using IPSec and ISAKMP) as well as wireless communications (using WPA).

Finally, we covered some of the more common attacks used by malicious individuals attempting to interfere with or intercept encrypted communications between two parties. Such attacks include brute-force, frequency analysis, known plain-text, chosen plain-text, chosen cipher-text, meet-in-the-middle, man-in-the-middle, birthday, and replay attacks. It's important for you to understand these attacks in order to provide adequate security against them.

Exam Essentials

Understand the key types used in asymmetric cryptography. Public keys are freely shared among communicating parties, whereas private keys are kept secret. To encrypt a message, use the recipient’s public key. To decrypt a message, use your own private key. To sign a message, use your own private key. To validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems. RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends upon the difficulty of factoring the product of two large prime numbers. El Gamal is an extension of the Diffie-Hellman key exchange algorithm and depends upon the difficulty of the discrete logarithm problem in modular arithmetic. The elliptic curve algorithm depends upon the elliptic curve discrete logarithm problem and provides more security than the other algorithms when all are used with keys of the same length.

Know the fundamental requirements of a hash function. Good hash functions have five requirements. They must allow input of any length, provide fixed-length output, make it relatively easy to compute the hash function for any input, provide one-way functionality, and be collision resistant (it must be infeasible to find two different inputs with the same output; since every hash function has collisions, "collision free" is not achievable).

Be familiar with the major hashing algorithms. The successors to the Secure Hash Algorithm (SHA), SHA-1 and SHA-2, make up the government standard message digest function. SHA-1 produces a 160-bit message digest, while SHA-2 is a family (SHA-224, SHA-256, SHA-384, and SHA-512) with digest lengths of up to 512 bits. Practical SHA-1 collisions have since been demonstrated, so SHA-1 should no longer be used for digital signatures or anywhere else collision resistance matters.

Understand how digital signatures are generated and verified. To digitally sign a message, first use a hashing function to generate a message digest. Then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender’s public key and then compare the message digest to one you generate yourself. If they match, the message is authentic.

Know the components of the Digital Signature Standard (DSS). The Digital Signature Standard specifies a SHA message digest function (SHA-1 in the original standard; current revisions use the SHA-2 family) along with one of three signature algorithms: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; or the Elliptic Curve DSA (ECDSA) algorithm.

Understand the public key infrastructure (PKI). In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA’s public key.

Know the common applications of cryptography to secure electronic mail. The emerging standard for encrypted messages is the S/MIME protocol. Other popular email security protocols include Phil Zimmermann's Pretty Good Privacy (PGP), Privacy Enhanced Mail (PEM), and MIME Object Security Services (MOSS).

Know the common applications of cryptography to secure web activity. The de facto standard for secure web traffic is HTTP over Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), otherwise known as HTTPS. Secure HTTP (S-HTTP) was designed to protect individual messages rather than the whole connection, but it saw little adoption and is not supported by mainstream browsers.

Know the common applications of cryptography to secure networking. The IPSec protocol standard provides a common framework for encrypting network traffic and is built in to a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication. In tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

Describe IPSec. IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks. IPSec uses two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Explain common cryptographic attacks. Brute-force attacks are attempts to find the correct cryptographic key by trying every possible key. Known plain-text, chosen cipher-text, and chosen plain-text attacks require the attacker to have some extra information in addition to the cipher text. The meet-in-the-middle attack exploits schemes that apply a cipher twice with two independent keys. The man-in-the-middle attack fools both parties into communicating with the attacker instead of directly with each other. The birthday attack is an attempt to find collisions in hash functions. The replay attack is an attempt to reuse captured authentication requests.

Written Lab

1. Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.

2. Explain the process Alice would use to decrypt the message Bob sent in question 1.

3. Explain the process Bob should use to digitally sign a message to Alice.

4. Explain the process Alice should use to verify the digital signature on the message from Bob in question 3.

Answers to Written Lab

1. Bob should encrypt the message using Alice’s public key and then transmit the encrypted message to Alice.

2. Alice should decrypt the message using her private key.

3. Bob should generate a message digest from the plain-text message using a hash function. He should then encrypt the message digest using his own private key to create the digital signature. Finally, he should append the digital signature to the message and transmit it to Alice.

4. Alice should decrypt the digital signature in Bob’s message using Bob’s public key. She should then create a message digest from the plain-text message using the same hashing algorithm Bob used to create the digital signature. She should then compare the two message digests. If they are identical, the signature is authentic.
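The four lab answers above, and the key-usage rules in the Exam Essentials, carried out end to end in code. This is an added example and is not from the study guide: it is textbook RSA with fixed Mersenne primes (2^31 - 1, 2^61 - 1 and 2^89 - 1) so that it runs instantly and deterministically. Real keys use random primes of at least 1024 bits, and real schemes pad the message (OAEP) and the digest (PKCS#1 v1.5 or PSS) rather than applying raw modular exponentiation as this toy does; the message and the key assignments for Alice and Bob are constructed for the example.

```python
"""Asymmetric encryption and digital signatures, following lab answers 1 to 4."""
import hashlib


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)) for the two primes given."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # raises ValueError unless gcd(e, phi) == 1
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Encrypt with the recipient's public key (lab answer 1)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; encrypt a symmetric key instead")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Decrypt with your own private key (lab answer 2)."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest_as_int(message: bytes, n: int) -> int:
    """SHA-256 digest reduced below n (a real scheme pads it instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Hash the message, then apply your own private key to the digest (lab answer 3)."""
    n, d = private
    return pow(digest_as_int(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Apply the sender's public key to the signature and compare with a fresh
    digest of the message (lab answer 4)."""
    n, e = public
    return pow(signature, e, n) == digest_as_int(message, n)


# Constructed keys: Alice's modulus is about 150 bits, Bob's about 92 bits.
ALICE_PUB, ALICE_PRIV = generate_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = generate_keypair(2**31 - 1, 2**61 - 1)


def bob_sends(message: bytes):
    """Bob encrypts for Alice with her public key and signs with his own private
    key; returns (ciphertext, signature) as they travel together."""
    return encrypt(ALICE_PUB, message), sign(BOB_PRIV, message)


def alice_receives(ciphertext: int, signature: int):
    """Alice decrypts with her private key, then checks Bob's signature with his
    public key; returns (message, signature_ok)."""
    message = decrypt(ALICE_PRIV, ciphertext)
    return message, verify(BOB_PUB, message, signature)


if __name__ == "__main__":
    c, s = bob_sends(b"north gate at dawn")
    print(alice_receives(c, s))
    print("tampered message verifies?", verify(BOB_PUB, b"north gate at noon", s))
```

Two points the procedure in the lab answers does not spell out are visible here: the message must be smaller than the modulus, which is why real systems use RSA only to wrap a symmetric key (hybrid cryptography), and the signature is computed over the digest, not the message, so the verifier must hash the received plain text with exactly the algorithm the signer used.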

Review Questions

1. In the RSA public key cryptosystem, which one of the following numbers will always be largest?

A. e

B. n

C. p

D. q

2. Which cryptographic algorithm forms the basis of the El Gamal cryptosystem?

A. RSA

B. Diffie-Hellman

C. 3DES

D. IDEA

3. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message?

A. Richard’s public key

B. Richard’s private key

C. Sue’s public key

D. Sue’s private key

4. If a 2,048-bit plain-text message were encrypted with the El Gamal public key cryptosystem, how long would the resulting cipher-text message be?

A. 1,024 bits

B. 2,048 bits

C. 4,096 bits

D. 8,192 bits

5. Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use?

A. 160 bits

B. 512 bits

C. 1,024 bits

D. 2,048 bits

6. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be?

A. 160 bits

B. 512 bits

C. 1,024 bits

D. 2,048 bits

7. Which one of the following technologies is considered flawed and should no longer be used?

A. SHA-2

B. PGP

C. WEP

D. SSL

8. What encryption technique does WPA use to protect wireless communications?

A. TKIP

B. DES

C. 3DES

D. AES

9. Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message?

A. Richard’s public key

B. Richard’s private key

C. Sue’s public key

D. Sue’s private key

10. Richard wants to digitally sign a message he’s sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest?

A. Richard’s public key

B. Richard’s private key

C. Sue’s public key

D. Sue’s private key

11. Which one of the following algorithms is not supported by the Digital Signature Standard?

A. Digital Signature Algorithm

B. RSA

C. El Gamal DSA

D. Elliptic Curve DSA

12. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication?

A. X.500

B. X.509

C. X.900

D. X.905

13. What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmermann's Pretty Good Privacy secure email system?

A. ROT13

B. IDEA

C. ECC

D. El Gamal

14. What TCP/IP communications port is utilized by Secure Sockets Layer traffic?

A. 80

B. 220

C. 443

D. 559

15. What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption?

A. Birthday attack

B. Chosen cipher-text attack

C. Meet-in-the-middle attack

D. Man-in-the-middle attack

16. Which of the following security systems was created to support the use of stored-value payment cards?

A. SET

B. IPSec

C. MONDEX

D. PGP

17. Which of the following links would be protected by WPA encryption?

A. Firewall to firewall

B. Router to firewall

C. Client to wireless access point

D. Wireless access point to router

18. What is the major disadvantage of using certificate revocation lists?

A. Key management

B. Latency

C. Record keeping

D. Vulnerability to brute force attacks

19. Which one of the following encryption algorithms is now considered insecure?

A. El Gamal

B. RSA

C. Skipjack

D. Merkle-Hellman Knapsack

20. What does IPSec define?

A. All possible security classifications for a specific configuration

B. A framework for setting up a secure communication channel

C. The valid transition states in the Biba model

D. TCSEC security categories

Answers to Review Questions

1. B. The number n is generated as the product of the two large prime numbers p and q. Therefore, n must always be greater than both p and q. Furthermore, the algorithm requires e to be chosen smaller than (and relatively prime to) (p - 1)(q - 1), which is itself smaller than n. Therefore, in RSA cryptography n is always the largest of the four variables shown in the options to this question.

2. B. The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.

3. C. Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard’s private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard’s freely available public key. Richard could not encrypt the message using Sue’s private key because he does not have access to it. If he did, any user could decrypt it using Sue’s freely available public key.

4. C. The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plain-text message would yield a 4,096-bit cipher-text message when El Gamal is used for the encryption process.

5. A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024-bit RSA key is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.

6. A. The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.

7. C. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.

8. A. WiFi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.

9. B. Sue would have encrypted the message using Richard’s public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.

10. B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard’s public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.

11. C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

12. B. X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.

13. B. Pretty Good Privacy uses a “web of trust” system of digital signature verification. The encryption technology is based upon the IDEA private key cryptosystem.

14. C. Secure Sockets Layer utilizes TCP port 443 for encrypted client/server communications.

15. C. The meet-in-the-middle attack demonstrated that it takes roughly the same amount of computing power to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.

16. C. The MONDEX payment system, owned by MasterCard, provides the cryptographic technology necessary to support stored-value payment cards.

17. C. The WiFi Protected Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.

18. B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

19. D. The Merkle-Hellman Knapsack algorithm, which relies upon the difficulty of the subset-sum (knapsack) problem built from a super-increasing sequence, has been broken by cryptanalysts.

20. B. IPSec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.
