Chapter 6. Cryptography
This chapter covers the following topics:
• Cryptographic concepts: Concepts discussed include encryption, decryption, keys, synchronous, asynchronous, symmetric, asymmetric, digital signatures, hash, digital certificates, plaintext, cleartext, ciphertext, cryptosystem, cryptanalysis, key clustering, key space, collision, algorithm, cryptology, encoding, decoding, transposition, substitution, confusion, diffusion, avalanche effect, work factor, trapdoor, and cryptographic life cycle.
• Cryptography history: The following components in cryptography history are discussed: Julius Caesar and the Caesar cipher, Vigenere cipher, Kerchoff’s Principle, World War II Enigma, and Lucifer by IBM.
• Cryptosystem features: Cryptosystem features discussed include authentication, confidentiality, integrity, authorization, and non-repudiation.
• Encryption systems: Encryption systems explained include running key and concealment ciphers, substitution ciphers, transposition ciphers, symmetric algorithms, asymmetric algorithms, and hybrid ciphers.
• Substitution ciphers: Substitution ciphers discussed include mono-alphabetic ciphers, polyalphabetic ciphers, key ciphers, one-time pads, steganography, and watermarking.
• Symmetric algorithms: Symmetric algorithms discussed include DES, 3DES, AES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Countermode with CBC-MAC, and CAST.
• Asymmetric algorithms: Asymmetric algorithms discussed include Diffie-Hellman, RSA, El Gamal, ECC, Knapsack, and Zero Knowledge Proof.
• Message integrity: Message integrity topics explained include hash functions and message authentication code.
• Digital signatures: Digital signatures are explained, including DSS.
• PKI: PKI topics explained include CAs and RAs, OCSP, certificates, CRLs, PKI steps, and cross-certification.
• Key management: Key management topics discussed include key management principles.
• TPM: The TPM chip is discussed.
• Encryption communication levels: Levels discussed include link encryption and end-to-end encryption.
• E-mail security: E-mail security topics discussed include PGP, MIME, S/MIME, and Quantum Cryptography.
• Internet security: Internet security topics discussed include remote access, SSL/TLS, HTTP, HTTPS, SHTTP, SET, cookies, SSH, and IPsec.
• Cryptography attacks: Cryptography attacks discussed include ciphertext-only, known plaintext, chosen plaintext, chosen ciphertext, social engineering, brute force, differential cryptanalysis, linear cryptanalysis, algebraic, frequency analysis, birthday, dictionary, replay, analytic, statistical, factoring, reverse engineering, and meet-in-the-middle.
Cryptography is one of the most complicated domains of the CISSP knowledge base. Cryptography is a crucial factor to protecting data in rest and in transmission. It is a science that either hides data or makes data unreadable by transforming it. In addition, cryptography provides message author assurance, source authentication, and delivery proof.
Cryptography concerns itself with integrity, confidentiality, and authentication, but not with availability. It helps prevent or detect the fraudulent insertion, deletion, and modification of data.
In this chapter, you will learn about cryptography concepts, cryptography history, cryptosystem features, cryptography methods, encryption systems (including substitution, symmetric, asymmetric, and hybrid ciphers), message integrity, public key infrastructure, key management, encryption communication levels, e-mail security, Internet security, and cryptography attacks.
Foundation Topics
Cryptography Concepts
As a security professional, you should understand many terms and concepts related to cryptography. These terms are often used when discussing cryptography:
• Encryption: The process of converting data from plaintext to ciphertext. Also referred to as enciphering.
• Decryption: The process of converting data from ciphertext to plaintext. Also referred to as deciphering.
• Key: A parameter that controls the transformation of plaintext into ciphertext or vice versa. Determining the original plaintext data without the key is impossible. Keys may be both public and private. Also referred to as a cryptovariable.
• Synchronous: When encryption or decryption occurs immediately.
• Asynchronous: When encryption or decryption requests are processed from a queue. This method utilizes hardware and multiple processors in the process.
• Symmetric: An encryption method whereby a single private key both encrypts and decrypts the data. Also referred to as private or secret key encryption.
• Asymmetric: An encryption method whereby a key pair, one private key and one public key, performs encryption and decryption. One key performs the encryption, whereas the other key performs the decryption. Also referred to as public key encryption.
• Digital signature: A method of providing sender authentication and message integrity. The message acts an input to a hash function, and the sender’s private key encrypts the hash value. The receiver can perform a hash computation on the received message to determine the validity of the message.
• Hash: A one-way function that reduces a message to a hash value. A comparison of the sender’s hash value to the receiver’s hash value determines message integrity. If the resultant hash values are different, then the message has been altered in some way, provided that both the sender and receiver used the same hash function.
• Digital certificate: An electronic document that identifies the certificate holder.
• Plaintext: A message in its original format. Also referred to as cleartext.
• Ciphertext: An altered form of a message that is unreadable without knowing the key and the encryption system used. Also referred to as a cryptogram.
• Cryptosystem: The entire cryptographic process, including the algorithm, key, and key management functions. The security of a cryptosystem is measured by the size of the keyspace and available computational power.
• Cryptanalysis: The science of decrypting ciphertext without prior knowledge of the key or cryptosystem used. The purpose of cryptanalysis is to forge coded signals or messages that will be accepted as authentic signals or messages.
• Key clustering: Occurs when different encryption keys generate the same ciphertext from the same plaintext message.
• Keyspace: All the possible key values when using a particular algorithm or other security measure. A 40-bit key would have 240 possible values, whereas a 128-bit key would have 2128 possible values.
• Collision: An event that occurs when a hash function produces the same hash value on different messages.
• Algorithm: A mathematical function that encrypts and decrypts data. Also referred to as a cipher.
• Cryptology: The science that studies encrypted communication and data.
• Encoding: The process of changing data into another form using code.
• Decoding: The process of changing an encoded message back into its original format.
• Transposition: The process of shuffling or reordering the plaintext to hide the original message. Also referred to as permutation. For example, AEEGMSS is a transposed version of MESSAGE.
• Substitution: The process of exchanging one byte in a message for another. For example, ABCCDEB is a substituted version of MESSAGE.
• Confusion: The process of changing a key value during each round of encryption. Confusion is often carried out by substitution. Confusion conceals a statistical connection between the plaintext and ciphertext. Claude Shannon first discussed confusion.
• Diffusion: The process of changing the location of the plaintext within the ciphertext. Diffusion is often carried out using transposition. Claude Shannon first introduced diffusion.
• Avalanche effect: The condition where any change in the key or plaintext, no matter how minor, will significantly change the ciphertext. Horst Feistel first introduced avalanche effect.
• Work factor: The amount of time and resources that would be needed to break the encryption.
• Trapdoor: A secret mechanism that allows the implementation of the reverse function in a one-way function.
• One-way function: A mathematical function that can be more easily performed in one direction than in the other.
Cryptographic Life Cycle
When considering implementing cryptography or encryption techniques in an organization, security professionals must fully analyze the needs of the organization. Each technique has strengths and weaknesses. In addition, they each have specific purposes. Analyzing the needs of the organization will ensure that you identify the best algorithm to implement.
Professional organizations manage algorithms to ensure that they provide the protection needed. It is essential that security professionals research the algorithms they implement and understand any announcements from the governing organization regarding updates, retirements, or replacements to the implemented algorithms. The life cycle of any cryptographic algorithm involves implementation, maintenance, and retirement or replacement. Any security professional who fails to obtain up-to-date information regarding the algorithms implemented might find the organization’s reputation and his or her own personal reputation damaged as the result of his or her negligence.
Cryptography History
Cryptography finds its roots in ancient civilizations. Although the early cryptography solutions were simplistic in nature, they were able to provide leaders with a means of hiding messages from enemies.
In their earliest forms, most cryptographic methods implemented some sort of substitution cipher, where each character in the alphabet was replaced with another. A mono-alphabetic substitution cipher uses only one alphabet, and a polyalphabetic substitution cipher uses multiple alphabets. As with all other cryptography methods, the early substitution ciphers had to be replaced by more complex methods.
The Spartans created the scytale cipher, which used a sheet of papyrus wrapped around a wooden rod. The encrypted message had to be wrapped around a rod of the correct size to be deciphered, as shown in Figure 6-1.
Other notable advances in cryptography history include the following:
Julius Caesar and the Caesar Cipher
Julius Caesar developed a mono-alphabetic cipher that shifts the letters of the alphabet three places. Although this technique is very simplistic, variations of it were very easy to develop because the key (the number of locations that the alphabet shifted) can be changed. Because it was so simple, it is easy to reverse engineer and led to the development of polyalphabetic ciphers.
An example of a Caesar cipher-encrypted message is shown in Figure 6-2. In this example, the letters of the alphabet are applied to a three-letter substitution shift, meaning the letters were shifted three letters. As you can see, the standard English alphabet is listed first. Underneath it, the substitution letters are listed.
Vigenere Cipher
In the sixteenth century, Blaise de Vigenere of France developed one of the first polyalphabetic substitution ciphers that is referred to as the Vigenere cipher. Although it is based on the Caesar cipher, it is considerably more complicated because it uses 27 shift alphabets with letters being shifted up one place. To encrypt a message, you must know the security key. The security key is then used in conjunction with the plaintext message to determine the ciphertext.
Figure 6-3 shows the Vigenere table.
As an example of a message on which the Vigenere cipher is applied, let’s use the security key PEARSON and the plaintext message of MEETING IN CONFERENCE ROOM. The first letter in the plaintext message is M, and the first letter in the key is P. We should locate the letter M across the headings for the columns. We follow that column down until it intersects with the row that starts with the letter P, resulting in the letter B. The second letter of the plaintext message is E, and the second letter in the key is E. Using the same method, we obtain the letter I. We continue in this same manner until we run out of key letters, then we start over with the key, which would result in the second letter I in the plaintext message working with the letter P of the key.
So applying this technique to the entire message, the MEETING IN CONFERENCE ROOM plaintext message converts to BIEKABT XR CFFTRGINTW FBDQ ciphertext message.
Kerchoff’s Principle
In the nineteenth century, Auguste Kerckoff developed six design principles for the military use of ciphers. The six principles are as follows:
1. The system must be practically, if not mathematically, indecipherable.
2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
3. Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents.
4. It must be applicable to telegraphic correspondence.
5. It must be portable, and its usage and function must not require the concourse of several people.
6. Finally, given the circumstances that command its application, the system needs to be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
In the Kerckhoff’s Principle, remember that the key is secret and the algorithm is known.
World War II Enigma
During World War II, most of the major military powers developed encryption machines. The most famous of the machines used during the war was the Enigma machine developed by Germany. The Enigma machine consisted of rotors and a plug board.
To convert a plaintext message to ciphertext, the machine operator would first configure its initial settings. Then the operator would type the each letter of the original plaintext message into the machine one at a time. The machine would display a different letter for each letter entered. After the operator wrote down the ciphertext letter, the operator would advance the rotors to the new setting. So with each letter entered, the operator had to change the machine setting. The key of this process was the initial machine setting and the series of increments used to advance the rotor, both of which had to be known by the receiver to properly convert the ciphertext back to plaintext.
As complicated as the system was, a group of Polish cryptographers were able to break the code, thereby being credited with shortening World War II by two years.
Lucifer by IBM
The Lucifer project, developed by IBM, developed complex mathematical equations. These equations later were used by the U.S. National Security Agency in the development of the U.S. Data Encryption Standard (DES), which is still used today in some form. Lucifer used a Feistel cipher, an iterated block cipher that encrypts the plaintext by breaking the block into two halves. The cipher then applies a round of transformation to one of the halves using a subkey. The output of this transformation is XORed with the other block half. Finally, the two halves are swapped to complete the round.
Cryptosystem Features
A cryptosystem consists of software, protocols, algorithms, and keys. The strength of any cryptosystem comes from the algorithm and the length and secrecy of the key. For example, one method of making a cryptographic key more resistant to exhaustive attacks is to increase the key length. If the cryptosystem uses a weak key, it facilitates attacks against the algorithm.
While a cryptosystem supports the three core principles of the CIA triad, cryptosystems directly provide authentication, confidentiality, integrity, authorization, and non-repudiation. The availability tenet of the CIA triad is supported by cryptosystems, meaning that implementing cryptography will help to ensure that an organization’s data remains available. However, cryptography does not directly ensure data availability although it can be used to protect the data.
Authentication
Cryptosystems provide authentication by being able to determine the sender’s identity and validity. Digital signatures verify the sender’s identity. Protecting the key ensures that only valid users can properly encrypt and decrypt the message.
Confidentiality
Cryptosystems provide confidentiality by altering the original data in such a way as to ensure that the data cannot be read except by the valid recipient. Without the proper key, unauthorized users are unable to read the message.
Integrity
Cryptosystems provide integrity by allowing valid recipients to verify that data has not been altered. Hash functions do not prevent data alteration but provide a means to determine whether data alteration has occurred.
Authorization
Cryptosystems provide authorization by providing the key to a valid user after that user proves his identity through authentication. The key given to the user will allow the user to access a resource.
Non-repudiation
Non-repudiation in cryptosystems provides proof of the origin of data, thereby preventing the sender from denying that he sent the message and supporting data integrity. Public key cryptography and digital signatures provide non-repudiation.
Encryption Systems
Algorithms that are used in computer systems implement complex mathematical formulas when converting plaintext to ciphertext. The two main components to any encryption system are the key and the algorithm. In some encryption systems, the two communicating parties use the same key. In other encryption systems, the two communicating parties use different keys in the process, but the keys are related.
In this section, we will discuss the following:
• Running key and concealment ciphers
Running Key and Concealment Ciphers
Running key ciphers and concealment ciphers are considered classical methods of producing ciphertext. The running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. An indicator block must be included somewhere within the text so that the receiver knows where in the book the originator started. Therefore, the two parties must agree upon which book to use and where the indicator block will be included in the cipher message. Running ciphers are also referred to as key ciphers and running key ciphers.
A concealment cipher, also referred to as a null cipher, occurs when plaintext is interspersed somewhere within other written material. The two parties must agree on the key value, which defines which letters are part of the actual message. For example, every third letter or the first letter of each word is part of the real message. A concealment cipher belongs in the steganography realm.
Note
Steganography is discussed later in this chapter.
Substitution Ciphers
A substitution cipher uses a key to substitute characters or character blocks with different characters or character blocks. The Caesar cipher and Vigenere cipher are two of the earliest forms of substitution ciphers.
Another example of a substitution cipher is a modulo 26 substitution cipher. With this cipher, the 26 letters of the alphabet are numbered in order starting at zero. The sender takes the original message and determines the number of each letter in the original message. Then the letter values for the keys are added to the original letter values. The value result is then converted back to text.
Figure 6-4 shows an example of a modulo 26 substitution cipher encryption. With this example, the original message is PEARSON, and the key is KEY. The ciphertext message is ZIYBSMX.
Figure 6-4. Modulo 26 Substitution Cipher Example
Transposition Ciphers
A transposition cipher scrambles the letters of the original message in a different order. The key determines the positions to which the letters are moved.
Figure 6-5 shows an example of a simple transposition cipher. With this example, the original message is PEARSON EDUCATION, and the key is 4231 2314. The ciphertext message is REAP ONSE AUCD IOTN. So you take the first four letters of the plaintext message (PEAR) and use the first four numbers (4231) as the key for transposition. In the new ciphertext, the letters would be REAP. Then you take the next four letters of the plaintext message (SONE) and use the next four numbers (2314) as the key for transposition. In the new ciphertext, the letters would be ONSE. Then you take the next four letters of the original message and apply the first four numbers of the key because you do not have any more numbers in the key. Continue this pattern until complete.
Figure 6-5. Transposition Example
Symmetric Algorithms
Symmetric algorithms use a private or secret key that must remain secret between the two parties. Each party pair requires a separate private key. Therefore a single user would need a unique secret key for every user with whom she communicates.
Consider an example where there are 10 unique users. Each user needs a separate private key to communicate with the other users. To calculate the number of keys that would be needed in this example, you would use the following formula:
# of users * (# of users – 1) / 2
Using our example, you would calculate 10 * (10–1) / 2 or 45 needed keys.
With symmetric algorithms, the encryption key must remain secure. To obtain the secret key, the users must find a secure out-of-band method for communicating the secret key, including courier or direct physical contact between the users.
A special type of symmetric key called a session key encrypts message between two users during one communication session.
Symmetric algorithms can be referred to as single-key, secret-key, private-key, or shared-key cryptography.
Symmetric systems provide confidentiality but not authentication or non-repudiation. If both users use the same key, determining where the message originated is impossible.
Symmetric algorithms include DES, AES, IDEA, Skipjack, Blowfish, Twofish, RC4/RC5/RC6, and CAST. All of these algorithms will be discussed later in this chapter.
Table 6-1 lists the strengths and weaknesses of symmetric algorithms.
Table 6-1. Symmetric Algorithm Strengths and Weaknesses
The two broad types of symmetric algorithms are stream-based ciphers and block ciphers. Initialization vectors (IVs) are an important part of block ciphers. These three components will be discussed in the next sections.
Stream-based Ciphers
Stream-based ciphers perform encryption on a bit-by-bit basis and use keystream generators. The keystream generators create a bit stream that is XORed with the plaintext bits. The result of this XOR operation is the ciphertext.
A synchronous stream-based cipher depends only on the key, and an asynchronous stream cipher depends on the key and plaintext. The key ensures that the bit stream that is XORed to the plaintext is random.
An example of a stream-based cipher is RC4, which is discussed later in this chapter.
Advantages of stream-based ciphers include the following:
• Stream-based ciphers generally have lower error propagation because encryption occurs on each bit.
• Stream-based ciphers are generally used more in hardware implementation.
• Stream-based ciphers use the same key for encryption and decryption.
• Stream-based ciphers are generally cheaper to implement than block ciphers.
• Stream-based ciphers employ only confusion.
Note
Confusion is defined in the “Cryptography Concepts” section earlier in this chapter. Remember to refer to that list anytime you encounter terms in this chapter with which you are unfamiliar.
Block Ciphers
Blocks ciphers perform encryption by breaking the message into fixed-length units. A message of 1,024 bits could be divided into 16 blocks of 64 bits each. Each of those 16 blocks is processed by the algorithms formulas, resulting in a single block of ciphertext.
Examples of block ciphers include IDEA, Blowfish, RC5, and RC6, which are discussed later in this chapter.
Advantages of block ciphers include the following:
• Block cipher implementation is easier than stream-based cipher implementation.
• Block ciphers are generally less susceptible to security issues.
• Block ciphers are generally used more in software implementations.
Block ciphers employ both confusion and diffusion. Block ciphers often use different modes: ECB, CBC, CFB, and CTR. These modes are discussed in detail later in this chapter.
Initialization Vectors (IVs)
The modes mentioned earlier use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms. Without using IVs, a repeated phrase within a plaintext message could result in the same ciphertext. Attackers can possibly use these patterns to break the encryption.
Asymmetric Algorithms
Asymmetric algorithms use both a public key and a private or secret key. The public key is known by all parties, and the private key is known only by its owner. One of these keys encrypts the message, and the other decrypts the message.
In asymmetric cryptography, determining a user’s private key is virtually impossible even if the public key is known, although both keys are mathematically related. However, if a user’s private key is discovered, the system can be compromised.
Asymmetric algorithms can be referred to as dual-key or public-key cryptography.
Asymmetric systems provide confidentiality, integrity, authentication, and non-repudiation. Because both users have one unique key that is part of the process, determining where the message originated is possible.
If confidentiality is the primary concern for an organization, a message should be encrypted with the receiver’s public key, which is referred to as secure message format. If authentication is the primary concern for an organization, a message should be encrypted with the sender’s private key, which is referred to as open message format. When using open message format, the message can be decrypted by anyone with the public key.
Asymmetric algorithms include Diffie-Hellman, RSA, El Gamal, ECC, Knapsack, DSA, and Zero Knowledge Proof. All of these algorithms will be discussed later in this chapter.
Table 6-2 lists the strengths and weaknesses of asymmetric algorithms.
Table 6-2. Asymmetric Algorithm Strengths and Weaknesses
Hybrid Ciphers
Because both symmetric and asymmetric algorithms have weaknesses, solutions have been developed that use both types of algorithms in a hybrid cipher. By using both algorithm types, the cipher provides confidentiality, authentication, and non-repudiation.
The process for hybrid encryption is as follows:
1. The symmetric algorithm provides the keys used for encryption.
2. The symmetric keys are then passed to the asymmetric algorithm, which encrypts the symmetric keys and automatically distributes them.
3. The message is then encrypted with the symmetric key.
4. Both the message and the key will be sent to the receiver.
5. The receiver decrypts the symmetric key and uses the symmetric key to decrypt the message.
An organization should use hybrid encryption if the parties do not have a shared secret key and large quantities of sensitive data must be transmitted.
Substitution Ciphers
As mentioned earlier, a substitution cipher uses a key to substitute characters or character blocks with different characters or character blocks. Mono-alphabetic and polyalphabetic ciphers, including the Caesar cipher and Vigenere cipher, and running key ciphers have been explained earlier in this chapter.
Substitution ciphers explained in this section include the following:
One-Time Pads
A one-time pad, invented by Gilbert Vernam, is the most secure encryption scheme that can be used. If it’s used properly, an attacker cannot break a one-time pad. A one-time pad works likes a running cipher in that the key value is added to the value of the letters. However, a one-time pad uses a key that is the same length as the plaintext message, whereas the running cipher uses a smaller key that is repeatedly applied to the plaintext message.
Figure 6-6 shows an example of a one-time pad encryption. With this example, the original message is PEARSON, and the key is JOHNSON. The ciphertext message is YSHEKCA.
Figure 6-6. One-time Pad Example
To ensure that the one-time pad is secure, the following conditions must exist:
• The one-time pad must be used only one time.
• The one-time pad must be as long (or longer) than the message.
• The one-time pad must consist of random values.
• The one-time pad must be securely distributed.
• The one-time pad must be protected at its source and destination.
Although the earlier example uses a one-time pad in a Mod 26 scheme, one-time pads can also be used at the bit level. When the bit level is used, the message is converted into binary, and an XOR operation occurs two bits at a time. The bits from the original message are combined with the key values to obtain the encrypted message. When you combine the values, the result is 0 if both values are the same and 1 if both values are different. An example of an XOR operation is as follows:
Original message 0 1 1 0 1 1 0 0
Key 1 1 0 1 1 1 0 0
Cipher message 1 0 1 1 0 0 0 0
Steganography
Steganography occurs when a message is hidden inside another object, such as a picture or document. In steganography, it is crucial that only those who are expecting the message know that the message exists.
A concealment cipher, discussed earlier, is one method of steganography. Another method of steganography is digital watermarking. Digital watermarking is a logo or trademark that is embedded in documents, pictures, or other objects. The watermarks deter people from using the materials in an unauthorized manner.
Symmetric Algorithms
Symmetric algorithms were explained earlier in this chapter. In this section we discuss some of the most popular symmetric algorithms. Some of these might no longer be commonly used because there are more secure alternatives.
Security professionals should be familiar with the following symmetric algorithms:
• DES/3DES
• AES
• IDEA
• Skipjack
• Blowfish
• Twofish
• RC4/RC5/RC6
• CAST
Digital Encryption Standard (DES) and Triple DES (3DES)
Digital Encryption Standard (DES) is a symmetric encryption system created by the NSA but based on the 128-bit Lucifer algorithm by IBM. Originally, the algorithm was named Data Encryption Algorithm (DEA), and the DES acronym was used to refer to the standard. But in today’s world, DES is the more common term for both.
Note
Test candidates might see both acronyms used on the CISSP exam.
DES uses 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length for DES is 56 bits. DES divides the message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.
DES has mostly been replaced by 3DES and AES, both of which are discussed later in this chapter.
DES-X is a variant of DES that uses multiple 64-bit keys in addition to the 56-bit DES key. The first 64-bit key is XORed to the plaintext, which is then encrypted with DES. The second 64-bit key is XORed to the resulting cipher.
Double-DES, a DES version that used a 112-bit key length, is no longer used. After it was released, a security attack occurred that reduced Double-DES security to the same level as DES.
DES Modes
DES comes in the following five modes:
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter Mode (CTR)
In ECB, 64-bit blocks of data are processed by the algorithm using the key. The ciphertext produced may be padded to ensure that the result is a 64-bit block. If an encryption error occurs, only one block of the message is affected. ECB operations run in parallel, making it a fast method.
Although ECB is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read. If an attacker discovers both versions of the 64-bit block (plaintext and ciphertext), the key can be determined. For these reasons, the mode should not be used when encrypting a large amount of data because patterns would emerge.
ECB is a good choice if an organization needs encryption for its databases because ECB works well with the encryption of short messages. Figure 6-7 shows the ECB encryption process.
In CBC, each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So plaintext message block one is processed by the algorithm using an IV (discussed earlier in this chapter). The resultant ciphertext message block one is XORed with plaintext message block two, resulting in ciphertext message two. This process continues until the message is complete.
Unlike ECB, CBC encrypts large files without having any patterns within the resulting ciphertext. If a unique IV is used with each message encryption, the resultant ciphertext will be different every time even in cases where the same plaintext message is used. Figure 6-8 shows the CBC encryption process.
Whereas CBC and ECB require 64-bit blocks, CFB works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. Like CBC, the first 8-bit block of the plaintext message is XORed by the algorithm using a keystream, which is the result of an IV and the key. The resultant ciphertext message is applied to the next plaintext message block. Figure 6-9 shows the CFB encryption process.
The size of the ciphertext block must be the same size as the plaintext block. The method that CFB uses can have issues if any ciphertext result has errors because those errors will affect any future block encryption. For this reason, CFB should not be used to encrypt data that can be affected by this problem, particularly video or voice signals. This problem led to the need for DES OFB mode.
Similar to CFB, OFB works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. However, OFB uses the previous keystream with the key to create the next keystream. Figure 6-10 shows the OFB encryption process.
With OFB, the size of the keystream value must be the same size as the plaintext block. Because of the way in which OFB is implemented, OFB is less susceptible to the error type that CFB has.
CTR mode is similar to OFB mode. The main difference is that CTR mode uses an incrementing IV counter to ensure that each block is encrypted with a unique keystream. Also, the ciphertext is not chaining into the encryption process. Because this chaining does not occur, CTR performance is much better than the other modes. Figure 6-1l shows the CTR encryption process.
Triple DES (3DES) and Modes
Because of the need to quickly replace DES, Triple DES (3DES), a version of DES that increases security by using three 56-bit keys, was developed. Although 3DES is resistant to attacks, it is up to three times slower than DES. 3DES did serve as a temporary replacement to DES. However, the NIST has actually designated the Advanced Encryption Standard (AES) as the replacement for DES, even though 3DES is still in use today.
3DES comes in the following four modes:
• 3DES-EEE3: Each block of data is encrypted three times, each time with a different key.
• 3DES-EDE3: Each block of data is encrypted with the first key, decrypted with the second key, and encrypted with the third key.
• 3DES-EEE2: Each block of data is encrypted with the first key, encrypted with the second key, and finally encrypted again with the first key.
• 3DES-EDE2: Each block of data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the first key.
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is the replacement algorithm for DES. When the NIST decided a new standard was needed because DES had been cracked, the NIST was presented with five industry options:
• IBM’s MARS
• RSA Laboratories’ RC6
• Anderson, Biham, and Knudsen’s Serpent
• Counterpane Systems’ Twofish
• Daemen and Rijmen’s Rijndael
Of these choices, the NIST selected Rijndael. So although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.
The three block sizes that are used in the Rijndael algorithm are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.
Rijndael employs transformations comprised of three layers: the non-linear layer, key addition layer, and linear-maxing layer. The Rijndael design is very simple, and its code is compact, which allows it to be used on a variety of platforms. It is the required algorithm for sensitive but unclassified U.S. government data.
IDEA
International Data Encryption Algorithm (IDEA) is a block cipher that uses 64-bit blocks. Each 64-bit block is divided into 16 smaller blocks. IDEA uses a 128-bit key and performs eight rounds of transformations on each of the 16 smaller blocks.
IDEA is faster and harder to break than DES. However, IDEA is not as widely used as DES or AES because it was patented and licensing fees had to be paid to IDEA’s owner, a Swiss company named Ascom. However, the patent expired in 2012. IDEA is used in PGP, which is discussed later in this chapter.
Skipjack
Skipjack is a block-cipher, symmetric algorithm developed by the U.S. NSA. It uses an 80-bit key to encrypt 64-bit blocks. This is the algorithm that is used in the Clipper chip. Algorithm details are classified.
Blowfish
Blowfish is a block cipher that uses 64-bit data blocks using anywhere from 32- to 448-bit encryption keys. Blowfish performs 16 rounds of transformation. Initially developed with the intention of serving as a replacement to DES, Blowfish is one of the few algorithms that are not patented.
Twofish
Twofish is a version of Blowfish that uses 128-bit data blocks using 128-, 192-, and 256-bit keys. It uses 16 rounds of transformation. Like Blowfish, Twofish is not patented.
RC4/RC5/RC6
A total of six RC algorithms have been developed by Ron Rivest. RC1 was never published, RC2 was a 64-bit block cipher, and RC3 was broken before release. So the main RC implementations that a security professional needs to understand are RC4, RC5, and RC6.
RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL (discussed later this chapter) and WEP (discussed in the Chapter 2, “Telecommunications and Network Security”). RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.
RC5 is a block cipher that uses a key size of up to 2,048 bits and up to 255 rounds of transformation. Block sizes supported are 32, 64, or 128 bits. Because of all the possible variables in RC5, the industry often uses an RC5=w/r/b designation, where w is the block size, r is the number of rounds, and b is the number of 8-bit bytes in the key. For example, RC5-64/16/16 denotes a 64-bit word (or 128-bit data blocks), 16 rounds of transformation, and a 16-byte (128-bit) key.
RC6 is a block cipher based on RC5, and it uses the same key size, rounds, and block size. RC6 was originally developed as an AES solution, but lost the contest to Rijndael. RC6 is faster than RC5.
CAST
CAST, invented by Carlisle Adams and Stafford Tavares, has two versions: CAST-128 and CAST-256. CAST-128 is a block cipher that uses a 40- to 128-bit key that will perform 12 or 16 rounds of transformation on 64-bit blocks. CAST-256 is a block cipher that uses a 128-, 160-, 192-, 224-, or 256-bit key that will perform 48 rounds of transformation on 128-bit blocks.
Table 6-3 lists the key facts about each symmetric algorithm:
Table 6-3. Symmetric Algorithms Key Facts
Asymmetric Algorithms
Asymmetric algorithms were explained earlier in this chapter. In this section we discuss some of the most popular asymmetric algorithms. Some of these may no longer be commonly used because there are more secure alternatives.
Security professionals should be familiar with the following symmetric algorithms:
• RSA
• El Gamal
• ECC
• Knapsack
Diffie-Hellman
Diffie-Hellman is an asymmetric key agreement algorithm created by Whitfield Diffie and Martin Hellman. Diffie-Hellman is responsible for the key agreement process. The key agreement process includes the following steps:
1. John and Sally need to communicate over an encrypted channel and decide to use Diffie-Hellman.
2. John generates a private and public key, and Sally generates a private and a public key.
3. John and Sally share their public keys with each other.
4. An application on John’s computer takes John’s private key and Sally’s public key and applies the Diffie-Hellman algorithm, and an application on Sally’s computer takes Sally’s private key and John’s public key and applies the Diffie-Hellman algorithm.
5. Through this application, the same shared value is created for John and Sally, which in turn creates the same symmetric key on each system using the asymmetric key agreement algorithm.
Through this process, Diffie-Hellman provides secure key distribution, but not confidentiality, authentication, or non-repudiation. The key to this algorithm is dealing with discrete logarithms. Diffie-Hellman is susceptible to man-in-the-middle attacks unless an organization implements digital signatures or digital certificates for authentication at the beginning of the Diffie-Hellman process.
Note
Man-in-the-middle attacks are discussed later in this chapter.
RSA
RSA is the most popular asymmetric algorithm and was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can provide key exchange, encryption, and digital signatures. The strength of the RSA algorithm is the difficulty of finding the prime factors of very large numbers. RSA uses a 1,024- to 4,096-bit key and performs one round of transformation.
RSA-768 and RSA-704 have been factored. If factorization of the prime numbers used by an RSA implementation occurs, then the implementation is considered breakable and should not be used. RSA-2048 is the largest RSA number and carries a cash prize of $200,000 US if successful factorization occurs.
As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation.
In RSA, the one-way function is a trapdoor. The private key knows the one-way function. The private key is capable of determining the original prime numbers. Finally, the private key knows how to use the one-way function to decrypt the encrypted message.
Attackers can use Number Field Sieve (NFS), a factoring algorithm, to attack RSA.
El Gamal
El Gamal is an asymmetric key algorithm based on the Diffie-Hellman algorithm. Like Diffie-Hellman, El Gamal deals with discrete logarithms. However, whereas Diffie-Hellman can only be used for key agreement, El Gamal can provide key exchange, encryption, and digital signatures.
With El Gamal, any key size can be used. However, a larger key size negatively affects performance. Because El Gamal is the slowest asymmetric algorithm, using a key size of 1,024 bit or less. would be wise
ECC
Elliptic Curve Cryptosystem (ECC) provides secure key distribution, encryption, and digital signatures. The elliptic curve’s size defines the difficulty of the problem.
Although ECC can use a key of any size, it can use a much smaller key than RSA or any other asymmetric algorithm and still provide comparable security. Therefore, the primary benefit promised by ECC is a smaller key size, reducing storage and transmission requirements. ECC is more efficient and provides better security than RSA keys of the same size.
Figure 6-12 shows an elliptic curve example with the elliptic curve equation.
Figure 6-12. Elliptic Curve Example with Equation
Knapsack
Knapsack is a series of asymmetric algorithms that provide encryption and digital signatures. This algorithm family is no longer used due to security issues.
Zero Knowledge Proof
A zero-knowledge proof is a technique used to ensure that only the minimum need information is disclosed without giving all the details. An example of this technique occurs when one user encrypts data with his private key and the receiver decrypts with the originator’s public key. The originator has not given his private key to the receiver. But the originator is proving that he has his private key simply because the receiver can read the message.
Message Integrity
Integrity is one of the three basic tenets of security. Message integrity ensures that a message has not been altered by using parity bits, cyclic redundancy checks (CRCs), or checksums.
The parity bit method adds an extra bit to the data. This parity bit simply indicates if the number of 1 bits is odd or even. The parity bit is 1 if the number of 1 bits is odd, and the parity bit is 0 if the number of the 1 bits is even. The parity bit is set before the data is transmitted. When the data arrives, the parity bit is checked against the other data. If the parity bit doesn’t match the data sent, then an error is sent to the originator.
The CRC method uses polynomial division to determine the CRC value for a file. The CRC value is usually 16- or 32-bits long. Because CRC is very accurate, the CRC value will not match up if a single bit is incorrect.
The checksum method adds up the bytes of data being sent and then transmits that number to be checked later using the same method. The source adds up the values of the bytes and sends the data and its checksum. The receiving end receives the information, adds up the bytes in the same way the source did, and gets the checksum. The receiver then compares his checksum with the source’s checksum. If the values match, message integrity is intact. If the values do not match, the data should be resent or replaced. Checksums are also referred to as hash sums because they typically use hash functions for the computation.
Message integrity is provided by hash functions and message authentication code.
Hash Functions
Hash functions were explained earlier in this chapter. In this section we discuss some of the most popular hash functions. Some of these might no longer be commonly used because more secure alternatives are available.
Security professionals should be familiar with the following hash functions:
• HAVAL
• Tiger
One-Way Hash
A hash function takes a message of variable length and produces a fixed-length hash value. Hash values, also referred to as message digests, are calculated using the original message. If the receiver calculates a hash value that is the same, then the original message is intact. If the receiver calculates a hash value that is different, then the original message has been altered.
Using a given function H, the following equation must be true to ensure that the original message, M1, has not been altered or replaced with a new message, M2:
H(M1) < > H(M2)
For a one-way hash to be effective, creating two different messages with the same hash value must be mathematically impossible. Given a hash value, discovering the original message from which the hash value was obtained must be mathematically impossible. A one-way hash algorithm is collision free if it provides protection against creating the same hash value from different message.
Unlike symmetric and asymmetric algorithms, the hashing algorithm is publicly known. Hash functions are always performed in one direction. Using it in reverse is unnecessary.
However, one-way hash functions do have limitations. If an attacker intercepts a message that contains a hash value, the attacker can alter the original message to create a second invalid message with a new hash value. If the attacker then sends the second invalid message to the intended recipient, the intended recipient will have no way of knowing that he received an incorrect message. When the receiver performs a hash value calculation, the invalid message will look valid because the invalid message was appended with the attacker’s new hash value, not the original message’s hash value. To prevent this from occurring, the sender should use message authentication code (MAC).
Encrypting the hash function with a symmetric key algorithm generates a keyed MAC. The symmetric key does not encrypt the original message. It is used only to protect the hash value.
Notes
The basic types of MAC are discussed later in this chapter.
The basic steps of a hash function are shown in Figure 6-13.
Figure 6-13. Hash Function Process
MD2/MD4/MD5/MD6
The MD2 message digest algorithm produces a 128-bit hash value. It performs 18 rounds of computations. Although MD2 is still in use today, it is much slower than MD4, MD5, and MD6.
The MD4 algorithm also produces a 128-bit hash value. However, it performs only three rounds of computations. Although MD4 is faster than MD2, its use has significantly declined because attacks against it have been so successful.
Like the other MD algorithms, the MD5 algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, MD5 is not collision free. For this reason, it should not be used for SSL certificates or digital signatures. The United States government requires the usage of SHA-2 instead of MD5. However, in commercial usage, many software vendors publish the MD5 hash value when they release software patches so customers can verify the software’s integrity after download.
The MD6 algorithm produces a variable hash value, performing a variable number of computations. Although it was originally introduced as a candidate for SHA-3, it was withdrawn because of early issues the algorithm had with differential attacks. MD6 has since been re-released with this issue fixed. However, that release was too late to be accepted as the NIST SHA-3 standard.
SHA/SHA-2/SHA-3
Secure Hash Algorithm (SHA) is a family of four algorithms published by the United States National Institute of Standards and Technology (NIST). SHA-0, originally referred to as simply SHA because there were no other “family members,” produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-0 was never very popular because collisions were discovered.
Like SHA-0, SHA-1 produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-1 corrected the flaw in SHA-0 that made it susceptible to attacks.
SHA-2 is actually a family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows:
• SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks.
• SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks.
• SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
• SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.
• SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size.
• SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.
SHA-3, like SHA-2, will be a family of hash functions. However, this standard has not been formally adopted as of March 2013. The hash value sizes will range from 224 to 512 bits. Although the block sizes are unknown, SHA-3 will perform 120 rounds of computations, by default.
Keep in mind that SHA-1 and SHA-2 are still widely used today. SHA-3 was not developed because of some security flaw with the two previous standards but was instead proposed as an alternative hash function to the others.
HAVAL
HAVAL is a one-way function that produces variable-length hash values, including 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits, and uses 1,024-bit blocks. The number of rounds of computations can be 3, 4, or 5. Collision issues have been discovered if producing a 128-bit hash value with three rounds of computations. All other variations do not have any discovered issues as of this printing.
RIPEMD-160
Although several variations of the RIPEMD hash function exist, security professionals should only worry about RIPEMD-160 for exam purposes. RIPEMD-160 produces a 160-bit hash value after performing 160 rounds of computations on 512-bit blocks.
Tiger
Tiger is a hash function that produces 128-, 160-, or 192-bit hash values after performing 24 rounds of computations on 512-bit blocks, with the most popular version being the one that produces 192-bit hash values. Unlike MD5, RIPEMD, SHA-0, and SHA-1, Tiger is not built on the MD4 architecture.
Message Authentication Code
MAC was explained earlier in this chapter. In this section we discuss the three types of MACs.
Security professionals should be familiar with the following types of MACs:
• HMAC
• CBC-MAC
• CMAC
HMAC
A hash MAC (HMAC) is a keyed-hash MAC that involves a hash function with symmetric key. HMAC provides data integrity and authentication. Any of the previously listed hash functions can be used with HMAC, with the HMAC name being appended with the hash function name, as in HMAC-SHA-1. The strength of HMAC is dependent upon the strength of the hash function, including the hash value size, and the key size.
HMAC’s hash value output size will be the same as the underlying hash function. HMAC can help to reduce the collision rate of the hash function.
Figure 6-14 shows the basic steps of an HMAC process.
CBC-MAC
Cipher block chaining MAC (CBC-MAC) is a block-cipher MAC that operates in CBC mode. CBC-MAC provides data integrity and authentication.
Figure 6-15 shows the basic steps of a CBC-MAC process.
CMAC
Cipher-based MAC (CMAC) operates in the same manner as CBC-MAC but with much better mathematical functions. CMAC addresses some security issues with CBC-MAC and is approved to work with AES and 3DES.
Digital Signatures
A digital signature is a hash value encrypted with the sender’s private key. A digital signature provides authentication, nonrepudiation, and integrity. A blind signature is a form of digital signature where the contents of the message are masked before it is signed.
Public key cryptography, which is discussed in the next section, is used to create digital signatures. Users register their public keys with a certification authority, which distributes a certificate contains the user’s public key and the CA’s digital signature. The digital signature is computed by the user’s public key and validity period being combined with the certificate issuer and digital signature algorithm identifier.
The Digital Signature Standard (DSS) is a federal digital security standard that governs the Digital Security Algorithm (DSA). DSA generates a message digest of 160 bits. The U.S. federal government requires the use of DSA, RSA (discussed earlier in this chapter), or Elliptic Curve DSA (ECDSA) and SHA for digital signatures. DSA is slower than RSA and only provides digital signatures. RSA provides digital signatures, encryption, and secure symmetric key distribution.
When considering cryptography, keep the following facts in mind:
• Encryption provides confidentiality.
• Hashing provides integrity.
• Digital signatures provide authentication, nonrepudiation, and integrity.
Public Key Infrastructure
A public key infrastructure (PKI) includes systems, software, and communication protocols that distribute, manage, and control public key cryptography. A PKI publishes digital certificates. Because a PKI establishes trust within an environment, a PKI can certify that a public key is tied to an entity and verify that a public key is valid. Public keys are published through digital certificates.
The X.509 standard is a framework that enables authentication between networks and over the Internet. A PKI includes timestamping and certificate revocation to ensure that certificates are managed properly. A PKI provides confidentiality, message integrity, authentication, and nonrepudiation.
The structure of a PKI includes certification authorities, certificates, registration authorities, certificate revocation lists, cross-certification, and the Online Certificate Status Protocol (OCSP). In this section, we discuss these PKI components as well as a few other PKI concepts.
Certification Authority (CA) and Registration Authority (RA)
Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor’s identity and registers the requestor. After the identity is verified, the RA passes the request to the CA.
A certification authority (CA) is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. Every entity that wants to participate in the PKI must contact the CA and request a digital certificate. It is the ultimate authority for the authenticity for every participant in the PKI by signing each digital certificate. The certificate binds the identity of the participant to the public key.
There are different types of CAs. Organizations exist who provide a PKI as a payable service to companies who need them. An example is VeriSign. Some organizations implement their own private CAs so that the organization can control all aspects of the PKI process. If an organization is large enough, it might need to provide a structure of CAs with the root CA being the highest in the hierarchy.
Because more than one entity is often involved in the PKI certification process, certification path validation allows the participants to check the legitimacy of the certificates in the certification path.
OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol that obtains the revocation status of an X.509 digital certificate. OCSP is an alternative to the standard certificate revocation list (CRL) that is used by many PKIs. OCSP automatically validates the certificates and reports back the status of the digital certificate by accessing the CRL on the CA.
Certificates
A digital certificate provides an entity, usually a user, with the credentials to prove its identity and associates that identity with a public key. At minimum a digital certification must provide the serial number, the issuer, the subject (owner), and the public key.
An X.509 certificate complies with the X.509 standard. A X.509 certificate contains the following fields:
• Version
• Serial Number
• Algorithm ID
• Issuer
• Validity
• Subject
• Subject Public Key Info
• Public Key Algorithm
• Subject Public Key
• Issuer Unique Identifier (optional)
• Subject Unique Identifier (optional)
• Extensions (optional)
VeriSign first introduced the following digital certificate classes:
• Class 1: For individuals intended for email. These certificates get saved by Web browsers.
• Class 2: For organizations that must provide proof of identity.
• Class 3: For servers and software signing in which independent verification and identity and authority checking is done by the issuing CA.
Certificate Revocation List (CRL)
A certificate revocation list (CRL) is a list of digital certificates that a CA has revoked. To find out whether a digital certificate has been revoked, the browser must either check the CRL or the CA must push out the CRL values to clients. This can become quite daunting when you consider that the CRL contains every certificate that has ever been revoked.
One concept to keep in mind is the revocation request grace period. This period is the maximum amount of time between when the revocation request is received by the CA and when the revocation actually occurs. A shorter revocation period provides better security but often results in a higher implementation cost.
PKI Steps
The steps involved in requesting a digital certificate are as follow:
1. A user requests a digital certificate, and the RA receives the request.
2. The RA requests identifying information from the requestor.
3. After the required information is received, the RA forwards the certificate request to the CA.
4. The CA creates a digital certificate for the requestor. The requestor’s public key and identity information are included as part of the certificate.
5. The user receives the certificate.
After the user has a certificate, he is ready to communicate with other trusted entities. The process for communication between entities is as follows:
1. User 1 requests User 2’s public key from the certificate repository.
2. The repository sends User 2’s digital certificate to User 1.
3. User 1 verifies the certificate and extracts User 2’s public key.
4. User 1 encrypts the session key with User 2’s public key and sends the encrypted session key and User 1’s certificate to User 2.
5. User 2 receives User 1’s certificate and verifies the certificate with a trusted CA.
After this certificate exchange and verification process occurs, the two entities are able to communicate using encryption.
Cross-Certification
Cross-certification establishes trust relationships between CAs so that the participating CAs can rely on the other participants’ digital certificates and public keys. It enables users to validate each other’s certificates when they are actually certified under different certification hierarchies. A CA for one organization can validate digital certificates from another organization’s CA when a cross-certification trust relationship exists.
Key Management
Key management in cryptography is essential to ensure that the cryptography provides confidentiality, integrity, and authentication. If a key is compromised, it can have serious consequences throughout an organization.
Key management involves the entire process of ensuring that keys are protected during creation, distribution, transmission, and storage. As part of this process, keys must also be destroyed properly. When you consider the vast number of networks over which the key is transmitted and the different types of system on which a key is stored, the enormity of this issue really comes to light.
As the most demanding and critical aspect of cryptography, it is important that security professionals understand key management principles.
Keys should always be stored in ciphertext when stored on a non-cryptographic device. Key distribution, storage, and maintenance should be automatic by integrating the processes into the application.
Because keys can be lost, backup copies should be made and stored in a secure location. A designated individual should have control of the backup copies with other individuals designated serving as emergency backups. The key recovery process should also require more than one operator to ensure that only valid key recovery requests are completed. In some cases, keys are even broken into parts and deposited with trusted agents, who provide their part of the key to a central authority when authorized to do so. Although other methods of distributing parts of a key are used, all the solutions involve the use of trustee agents entrusted with part of the key and a central authority tasked with assembling the key from its parts. Also, key recovery personnel should span across the entire organization and not just be member of the IT department.
Organizations should also limit the number of keys that are used. The more keys that you have, the more keys you must worry about and ensure are protected. Although a valid reason for issuing a key should never be ignored, limiting the number of keys issued and used reduces the potential damage.
When designing the key management process, you should consider how to do the following:
• Securely store and transmit the keys.
• Use random keys.
• Issue keys of sufficient length to ensure protection.
• Properly destroy keys when no longer needed.
• Back up the keys to ensure that they can be recovered.
Trusted Platform Module (TPM)
Trusted Platform Module (TPM) is a security chip installed on computer motherboards that is responsible for managing symmetric and asymmetric keys, hashes, and digital certificates. This chip provides service to protect passwords, encrypt drives, and manage digital rights, making it much harder for attackers gain access to the computers that have a TPM-chip enabled.
Two particularly popular uses of TPM are binding and sealing. Binding actually “binds” the hard drive through encryption to a particular computer. Because the decryption key is stored in the TPM chip, the hard drive’s contents are available only when connected to the original computer. But keep in mind that all the contents are at risk if the TPM chip fails and a backup of the key does not exist.
Sealing, on the other hand, “seals” the system state to a particular hardware and software configuration. This prevents attacks from making any changes to the system. However, it can also make installing a new piece of hardware or a new operating system much harder. The system can only boot after the TPM verifies system integrity by comparing the original computed hash value of the system’s configuration to the hash value of its configuration at boot time.
The TPM consists of both static memory and dynamic memory that is used to retain the important information when the computer is turned off. The memory used in a TPM chip is as follows:
• Endorsement Key (EK): Persistent memory installed by the manufacturer that contains a public/private key pair.
• Storage Root Key (SRK): Persistent memory that secures the keys stored in the TPM.
• Attestation Identity Key (AIK): Dynamic memory that ensures the integrity of the EK.
• Platform Configuration Register (PCR) Hashes: Dynamic memory that stores data hashes for the sealing function.
• Storage keys: Dynamic memory that contains the keys used to encrypt the computer’s storage, including hard drives, USB flash drives, and so on.
Encryption Communication Levels
Encryption can provide different protection based on which level of communication is being used. The two types of encryption communication levels are link encryption and end-to-end encryption.
Link Encryption
Link encryption encrypts all the data that is transmitted over a link. In this type of communication, the only portion of the packet that is not encrypted is the data-link control information, which is needed to ensure that devices transmit the data properly. All the information is encrypted, with each router or other device decrypting its header information so that routing can occur and then re-encrypting before sending the information to the next device.
If the sending party needs to ensure that data security and privacy is maintained over a public communication link, then link encryption should be used. This is often the method used to protect e-mail communication or when banks or other institutions that have confidential data must send that data over the Internet.
Link encryption protects against packet sniffers and other forms of eavesdropping and occurs at the data link and physical layers of the OSI model. Advantages of link encryption include: All the data is encrypted, and no user interaction is needed for it to be used. Disadvantages of link encryption include: Each device that the data must be transmitted through must receive the key, key changes must be transmitted to each device on the route, and packets are decrypted at each device.
End-to-End Encryption
End-to-end encryption encrypts less of the packet information than link encryption. In end-to-end encryption, packet routing information, as well as packet headers and addresses, are not encrypted. This allows potential hackers to obtain more information if a packet is acquired through packet sniffing or eavesdropping.
End-to-end encryption has several advantages. A user usually initiates end-to-end encryption, which allows the user to select exactly what gets encrypted and how. It affects the performance of each device along the route less than link encryption because every device does not have to perform encryption/decryption to determine how to route the packet.
E-mail Security
E-mail has become an integral part of almost everyone’s life, particularly as it relates to their business communication. But many e-mail implementations provide very little security natively without the incorporation of encryption, digital signatures, or keys. For example, e-mail authenticity and confidentiality are provided by signing the message using the sender’s private key and encrypting the message with the receiver’s public key.
In the following sections we briefly discuss the PGP, MIME, S/MIME e-mail standards that are popular in today’s world and also give a brief description of quantum cryptography.
PGP
Pretty Good Privacy (PGP) provides e-mail encryption over the Internet and uses different encryption technologies based on the needs of the organization. PGP can provide confidentiality, integrity, and authenticity based on which encryption methods are used.
PGP provides key management using RSA. PGP uses a web of trust to manage the keys. By sharing public keys, users create this web of trust, instead of relying on a CA. The public keys of all the users are stored on each user’s computer in a key ring file. Within that file, each user is assigned a level of trust. The users within the web vouch for each other. So if user 1 and user 2 have a trust relationship and user 1 and user 3 have a trust relationship, user 1 can recommend the other two users to each other. Users can choose the level of trust initially assigned to a user but can change that level later if circumstances warrant a change. But compromise of a user’s public key in the PGP system means that the user must contact everyone with whom he has shared his key to ensure that this key is removed from the key ring file.
PGP provides data encryption for confidentiality using IDEA. However, other encryption algorithms can be used. Implementing PGP with MD5 provides data integrity. Public certificates with PGP provides authentication.
MIME and S/MIME
Multipurpose Internet Mail Extension (MIME) is an Internet standard that allows e-mail to include non-text attachments, non-ASCII character sets, multiple-part message bodies, and non-ASCII header information. In today’s world, SMTP in MIME format transmits a majority of e-mail.
MIME allows the e-mail client to send an attachment with a header describing the file type. The receiving system uses this header and the file extension listed in it to identify the attachment type and open the associated application. This allows the computer to automatically launch the appropriate application when the user double-clicks the attachment. If no application is associated with that file type, the user is able to choose the application using the Open With option or a website might offer the necessary application.
Secure MIME (S/MIME) allows MIME to encrypt and digitally sign e-mail messages and encrypt attachments. It adheres to the Public Key Cryptography Standards (PKCS), which is a set of public-key cryptography standards designed by the owners of the RSA algorithm.
S/MIME uses encryption to provide confidentiality, hashing to provide integrity, public key certificates to provide authentication, and message digests to provide nonrepudiation.
Quantum Cryptography
Quantum cryptography is a method of encryption that combines quantum physics and cryptography and offers the possibility of factoring the products of large prime numbers. Quantum cryptography provides strong encryption and eavesdropping detection.
This would be an excellent choice for any organizations that transmit Top Secret data, including the U.S. government.
Internet Security
The World Wide Web is a collection of HTTP servers that manage websites and their services. The Internet is a network that includes all the physical devices and protocols over which web traffic is transmitted. The web browser that is used allows users to read web pages via HTTP. Browsers can natively read many protocols. Any protocols not natively supported by the web browser can only be read by installing a plug-in or application viewer, thereby expanding the browser’s role.
In our discussion of Internet security, we cover the following topics:
• SSL/TLS
• SET
• Cookies
• SSH
• IPSec
Note
All the topics in this “Internet Security” section are also discussed in Chapter 3, “Telecommunications and Network Security.”
Remote Access
Remote access applications allow users to access an organization’s resources from a remote connection. These remote connections can be direct dial-in connections but are increasingly using the Internet as the network over which the data is transmitted. If an organization allows remote access to internal resources, the organization must ensure that the data is protected using encryption when the data is being transmitted between the remote access client and remote access server. Remote access servers can require encrypted connections with remote access clients, which means that any connection attempt that does not use encryption will be denied.
SSL/TLS
Secure Sockets Layer (SSL) is a transport-layer protocol that provides encryption, server and client authentication, and message integrity. SSL was developed by Netscape to transmit private documents over the Internet. While SSL implements either 40-bit (SSL 2.0) or 128-bit encryption (SSL 3.0), the 40-bit version is susceptible to attacks because of its limited key size. SSL allows an application to have encrypted, authenticated communication across a network.
Transport Layer Security (TLS) is an open-community standard that provides many of the same services as SSL. TLS 1.0 is based upon SSL 3.0 but is more extensible. The main goal of TLS is privacy and data integrity between two communicating applications.
SSL and TLS are most commonly used when data needs to be encrypted while it is being transmitted (in transit) over a medium from one system to another.
HTTP, HTTPS, and SHTTP
Hypertext Transfer Protocol (HTTP) is the protocol used on the Web to transmit website data between a web server and a web client. With each new address that is entered into the web browser, whether from initial user entry or by clicking a link on the page displayed, a new connection is established because HTTP is a stateless protocol.
HTTP Secure (HTTPS) is the implementation of HTTP running over the SSL/TLS protocol, which establishes a secure session using the server’s digital certificate. SSL/TLS keeps the session open using a secure channel. HTTPS websites will always include the https:// designation at the beginning.
Although it sounds very similar, Secure HTTP (S-HTTP) protects HTTP communication in a different manner. S-HTTP only encrypts a single communication message, not an entire session (or conversation). S-HTTP is not as common as HTTPS.
SET
Secure Electronic Transaction (SET), proposed by Visa and MasterCard, secures credit card transaction information over the Internet. It was based on X.509 certificates and asymmetric keys. It used an electronic wallet on a user’s computer to send encrypted credit card information. But to be fully implemented, SET would have required the full cooperation of financial institutions, credit card users, wholesale and retail establishments, and payment gateways. It was never fully adopted.
Visa now promotes the 3-D Secure protocol, which is not covered on the CISSP exam as of this writing.
Cookies
Cookies are text files that are stored on a user’s hard drive or memory. These files store information on the user’s Internet habits, including browsing and spending information. Because a website’s servers actually determine how cookies are used, malicious sites can use cookies to discover a large amount of information about a user.
Although the information retained in cookies on the hard drive usually does not include any confidential information, it can still be used by attackers to obtain information about a user that can help an attacker develop a better targeted attack. For example, if the cookies reveal to an attack that a user accesses a particular bank’s public website on a daily basis, that action can indicate that a user has an account at that bank, resulting in the attacker’s attempting a phishing attack using an e-mail that looks to come from the user’s legitimate bank.
Many anti-virus or anti-malware applications include functionality that allows you to limit the type of cookies downloaded and to hide personally identifiable information (PII), such as e-mail addresses. Often these types of safeguards end up proving to be more trouble than they are worth because they often affect legitimate Internet communication.
SSH
Secure Shell (SSH) is an application and protocol that is used to remotely log in to another computer using a secure tunnel. After the secure channel is established after a session key is exchanged, all communication between the two computers is encrypted over the secure channel.
IPsec
Internet Protocol Security (IPsec) is a suite of protocols that establishes a secure channel between two devices. IPsec is commonly implemented over VPNs. IPsec provides traffic analysis protection by determining the algorithms to use and implementing any cryptographic keys required for IPsec.
IPsec includes Authentication Header (AH), Encapsulating Security Payload (ESP), and security associations. AH provides authentication and integrity, whereas ESP provides authentication, integrity, and encryption (confidentiality). A security association (SA) is a record of a device’s configuration needs to participate in IPsec communication. A security parameter index (SPI) is a type of table that tracks the different SAs used and ensures that a device uses the appropriate SA to communicate with another device. Each device has its own SPI.
IPSec runs in one of two modes: transport mode or tunnel mode. Transport mode only protects the message payload, whereas tunnel mode protects the payload, routing, and header information. Both of these modes can be used for gateway-to-gateway or host-to-gateway IPsec communication.
IPsec does not determine which hashing or encryption algorithm is used. Internet Key Exchange (IKE), which is a combination of OAKLEY and Internet Security Association and Key Management Protocol (ISAKMP), is the key exchange method that is most commonly used by IPsec. OAKLEY is a key establishment protocol based on Diffie-Hellman that was superseded by IKE. ISAKMP was established to set up and manage SAs. IKE with IPsec provides authentication and key exchange.
The authentication method used by IKE with IPsec includes pre-shared keys, certificates, and public key authentication. The most secure implementations of pre-shared keys require a PKI. But a PKI is not necessary if a pre-shared key is based on simple passwords.
Cryptography Attacks
Cryptography attacks are categorized as either passive or active attacks. A passive attack is usually implemented just to discover information and is much harder to detect because it is usually carried out by eavesdropping or packet sniffing. Active attacks involve an attacker actually carrying out steps, like message alteration or file modification. Cryptography is usually attacked via the key, algorithm, execution, data, or people. But most of these attacks are attempting to discover the key used.
Cryptography attacks that will be discussed include the following:
Ciphertext-Only Attack
In a ciphertext-only attack, an attacker uses several encrypted messages (ciphertext) to figure out the key used in the encryption process. Although it is a very common type of attack, it is usually not successful because so little is known about the encryption used.
Known Plaintext Attack
In a known plaintext attack, an attacker uses the plaintext and ciphertext versions of a message to discover the key used. This type of attack implements reverse engineering, frequency analysis, or brute force to determine the key so that all messages can be deciphered.
Chosen Plaintext Attack
In a chosen plaintext attack, an attacker chooses the plaintext to get encrypted to obtain the ciphertext. The attacker sends a message hoping that the user will forward that message as ciphertext to another user. The attacker captures the ciphertext version of the message and tries to determine the key by comparing the plaintext version he originated with the captured ciphertext version. Once again, key discovery is the goal of this attack.
Chosen Ciphertext Attack
A chosen ciphertext attack is the opposite of a chosen plaintext attack. In a chosen ciphertext attack, an attacker chooses the ciphertext to be decrypted to obtain the plaintext. This attack is more difficult because control of the system that implements the algorithm is needed.
Social Engineering
Social engineering attacks against cryptographic algorithms do not differ greatly from social engineering attacks against any other security area. Attackers attempt to trick users into giving the attacker the cryptographic key used. Common social engineering methods include intimidation, enticement, or inducement.
Brute Force
As with a brute-force attack against passwords, a brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete.
Differential Cryptanalysis
Differential cryptanalysis, also referred to as a side-channel attack, measures the execution times and power required by the cryptographic device. The measurements help the key and algorithm used.
Linear Cryptanalysis
Linear cryptanalysis is a known plaintext attack that uses linear approximation, which describes the behavior of the block cipher. An attacker is more successful with this type of attack when more plaintext and matching ciphertext messages are obtained.
Algebraic Attack
Algebraic attacks rely on the algebra used by cryptographic algorithms. If an attacker exploits known vulnerabilities of the algebra used, looking for those vulnerabilities can help the attacker to determine the key and algorithm used.
Frequency Analysis
Frequency analysis is an attack that relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. Recognizing the patterns of eight bits and counting them can allow an attacker to use reverse substitution to obtain the plaintext message.
Frequency analysis usually involves the creation of a chart that lists all the letters of the alphabet alongside the number of times that letter occurs. So if the letter Q in the frequency lists has the highest value, a good possibility exists that this letter is actually E in the plaintext message because E is the most used letter in the English language. The ciphertext letter is then replaced in the ciphertext with the plaintext letter.
Today’s algorithms are considered too complex to be susceptible to this type of attack.
Birthday Attack
A birthday attack uses the premise that finding two messages that result in the same hash value is easier than matching a message and its hash value. Most hash algorithms can resist simple birthday attacks.
Dictionary Attack
Similar to a brute-force attack, a dictionary attack uses all the words in a dictionary until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete. It also requires a comprehensive dictionary of words.
Replay Attack
In a replay attack, an attacker sends the same data repeatedly in an attempt to trick the receiving device. This data is most commonly authentication information. The best countermeasures against this type of attack are timestamps and sequence numbers.
Analytic Attack
In analytic attacks, attackers use known structural weaknesses or flaws to determine the algorithm used. If a particular weakness or flaw can be exploited, then the possibility of a particular algorithm being used is more likely.
Statistical Attack
Whereas analytic attacks look for structural weaknesses or flaws, statistical attacks use known statistical weakness of an algorithm to aid in the attack.
Factoring Attack
A factoring attack is carried out against the RSA algorithm by using the solutions of factoring large numbers.
Reverse Engineering
One of the most popular cryptographic attacks, reverse engineering occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used.
Meet-in-the-Middle Attack
In a meet-in-the middle attack, an attacker tries to break the algorithm by encrypting from one end and decrypting from the other to determine the mathematical problem used.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 6-4 lists a reference of these key topics and the page numbers on which each is found.
Table 6-4. Key Topics for Chapter 6
Complete the Tables and Lists from Memory
Print a copy of CD Appendix A, “Memory Tables,” or at least the section for this chapter, and complete the tables and lists from memory. CD Appendix B, “Memory Tables Answer Key,” includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
cryptography
key
cryptovariable
synchronous encryption
asynchronous encryption
symmetric encryption
private key encryption
secret key encryption
asymmetric encryption
public key encryption
hash
cleartext
ciphertext
cryptogram
cryptosystem
cryptanalysis
key clustering
keyspace
algorithm
cipher
cryptology
encoding
decoding
permutation
confusion
diffusion
avalanche effect
work factor
trapdoor
one-way function
mono-alphabetic substitution cipher
polyalphabetic substitution cipher
authentication
confidentiality
integrity
authorization
non-repudiation
running key cipher
concealment cipher
null cipher
substitution cipher
transposition cipher
stream-based cipher
block cipher
one-time pad
steganography
Digital Encryption Standard
DES
DES-X
Double-DES
Electronic Code Book
ECB
Cipher Block Chaining
CBC
Cipher Feedback
CFB
Output Feedback
OFB
Counter Mode
CTR
Triple DES
3DES
Rijndael algorithm
International Data Encryption Algorithm
IDEA
Skipjack
Blowfish
Twofish
RC4
RC5
RC6
CAST-128
CAST-256
MD2
MD4
MD5
MD6
HAVAL
RIPEMD-160
Tiger
Hash MAC
HMAC
cipher block chaining MAC
CBC-MAC
Digital Signature Standard
DSS
certification authority
CA
registration authority
RA
online certificate status protocol
OCSP
certificate revocation list
CRL
trusted platform module
TPM
Secure Sockets Layer
SSL
HTTP Secure
HTTPS
Secure Electronic Transaction
SET
Secure Shell
SSH
ciphertext-only attack
known plaintext attack
chosen plaintext attack
chosen ciphertext attack.
Review Questions
1. Which process converts plaintext into ciphertext?
a. hashing
b. decryption
c. encryption
d. digital signature
2. What occurs when different encryption keys generate the same ciphertext from the same plaintext message?
a. key clustering
b. cryptanalysis
c. keyspace
d. confusion
3. Which type of cipher is the Caesar cipher?
a. polyalphabetic substitution
b. monoalphabetic substitution
c. polyalphabetic transposition
d. monoalphabetic transposition
4. Which encryption system uses a private or secret key that must remain secret between the two parties?
a. running key cipher
b. concealment cipher
c. asymmetric algorithm
d. symmetric algorithm
5. What is the most secure encryption scheme?
a. concealment cipher
b. symmetric algorithm
c. one-time pad
d. asymmetric algorithm
6. Which 3DES implementation encrypts each block of data three times, each time with a different key?
a. 3DES-EDE3
b. 3DES-EEE3
c. 3DES-EDE2
d. 3DES-EEE2
7. Which of the following is an asymmetric algorithm?
a. IDEA
b. Twofish
c. RC6
d. RSA
8. Which of the following is NOT a hash function?
a. ECC
b. MD6
c. SHA-2
d. RIPEMD-160
9. Which PKI component contains a list of all the certificates that have been revoked?
a. CA
b. RA
c. CRL
d. OCSP
10. Which attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext?
a. frequency analysis
b. reverse engineering
c. ciphertext-only attack
d. brute force
Answers and Explanations
1. c. Encryption converts plaintext into ciphertext.
Hashing reduces a message to a hash value. Decryption converts ciphertext into plaintext. A digital signature is an object that provides sender authentication and message integrity by including a digital signature with the original message.
2. a. Key clustering occurs when different encryption keys generate the same ciphertext from the same plaintext message.
Cryptanalysis is the science of decrypting ciphertext without prior knowledge of the key or cryptosystem used. A keyspace is all the possible key values when using a particular algorithm or other security measure. Confusion is the process of changing a key value during each round of encryption.
3. b. The Caesar cipher is a monoalphabetic substitution cipher.
The Vigenere substitution is a polyalphabetic substitution.
4. d. A symmetric algorithm uses a private or secret key that must remain secret between the two parties.
A running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. A concealment cipher occurs when plaintext is interspersed somewhere within other written material. An asymmetric algorithm uses both a public key and a private or secret key.
5. c. A one-time pad is the most secure encryption scheme because it is used only once.
6. b. The 3DES-EEE3 implementation encrypts each block of data three times, each time with a different key.
The 3DES-EDE3 implementation encrypts each block of data with the first key, decrypts each block with the second key, and encrypts each block with the third key. The 3DES-EEE2 implementation encrypts each block of data with the first key, encrypts each block with the second key, and then encrypts each block with the third key. The 3DES-EDE2 implementation encrypts each block of data with the first key, decrypts each block with the second key, and then encrypts each block with the first key.
7. d. RSA is an asymmetric algorithm. All the other algorithms are symmetric algorithms.
8. a. ECC is NOT a hash function. It is an asymmetric algorithm. All the other options are hash functions.
9. c. A CRL contains a list of all the certificates that have been revoked.
A CA is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. An RA verifies the requestor’s identity, registers the requestor, and passes the request to the CA. The OCSP is an Internet protocol that obtains the revocation status of an X.509 digital certificate.
10. d. A brute force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext.
A frequency analysis attack relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. A reverse engineering attack occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used. A ciphertext-only attack uses several encrypted messages (ciphertext) to figure out the key used in the encryption process.