Security professionals should be familiar with the following symmetric algorithms:

DES/3DES

AES

IDEA

Skipjack

Blowfish

Twofish

RC4/RC5/RC6

CAST

DES uses a 64-bit key, 8 bits of which are used for parity. Therefore, the effective key length for DES is 56 bits. DES divides the message into 64-bit blocks. Sixteen rounds of transposition and substitution are performed on each block, resulting in a 64-bit block of ciphertext.

DES has mostly been replaced by 3DES and AES, both of which are discussed later in this chapter.

DES-X is a variant of DES that uses multiple 64-bit keys in addition to the 56-bit DES key. The first 64-bit key is XORed to the plaintext, which is then encrypted with DES. The second 64-bit key is XORed to the resulting cipher.

Double-DES, a DES version that used a 112-bit key length, is no longer used. After it was released, a security attack occurred that reduced Double-DES security to the same level as DES.

Electronic Code Book (ECB)

Cipher Block Chaining (CBC)

Cipher Feedback (CFB)

Output Feedback (OFB)

Counter Mode (CTR)

In ECB, 64-bit blocks of data are processed by the algorithm using the key. The ciphertext produced can be padded to ensure that the result is a 64-bit block. If an encryption error occurs, only one block of the message is affected. ECB operations run in parallel, making it a fast method.

Although ECB is the easiest and fastest mode to use, it has security issues because every 64-bit block is encrypted with the same key. If an attacker discovers the key, all the blocks of data can be read. If an attacker discovers both versions of the 64-bit block (plaintext and ciphertext), the key can be determined. For these reasons, the mode should not be used when encrypting a large amount of data because patterns would emerge.

ECB is a good choice if an organization needs encryption for its databases because ECB works well with the encryption of short messages. Figure 3-13 shows the ECB encryption process.

In CBC, each 64-bit block is chained together because each resultant 64-bit ciphertext block is applied to the next block. So plaintext message block 1 is processed by the algorithm using an IV (discussed earlier in this chapter). The resultant ciphertext message block 1 is XORed with plaintext message block 2, resulting in ciphertext message 2. This process continues until the message is complete.

Unlike ECB, CBC encrypts large files without having any patterns within the resulting ciphertext. If a unique IV is used with each message encryption, the resultant ciphertext will be different every time even in cases where the same plaintext message is used. Figure 3-14 shows the CBC encryption process.

Whereas CBC and ECB require 64-bit blocks, CFB works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. Like CBC, the first 8-bit block of the plaintext message is XORed by the algorithm using a keystream, which is the result of an IV and the key. The resultant ciphertext message is applied to the next plaintext message block. Figure 3-15 shows the CFB encryption process.

The size of the ciphertext block must be the same size as the plaintext block. The method that CFB uses can have issues if any ciphertext result has errors because those errors will affect any future block encryption. For this reason, CFB should not be used to encrypt data that can be affected by this problem, particularly video or voice signals. This problem led to the need for DES OFB mode.

Similar to CFB, OFB works with 8-bit (or smaller) blocks and uses a combination of stream ciphering and block ciphering. However, OFB uses the previous keystream with the key to create the next keystream. Figure 3-16 shows the OFB encryption process.

With OFB, the size of the keystream value must be the same size as the plaintext block. Because of the way in which OFB is implemented, OFB is less susceptible to the error type that CFB has.

CTR mode is similar to OFB mode. The main difference is that CTR mode uses an incrementing IV counter to ensure that each block is encrypted with a unique keystream. Also, the ciphertext is not chaining into the encryption process. Because this chaining does not occur, CTR performance is much better than the other modes. Figure 3-17 shows the CTR encryption process.

3DES comes in the following four modes:

3DES-EEE3: Each block of data is encrypted three times, each time with a different key.

3DES-EDE3: Each block of data is encrypted with the first key, decrypted with the second key, and encrypted with the third key.

3DES-EEE2: Each block of data is encrypted with the first key, encrypted with the second key, and finally encrypted again with the first key.

3DES-EDE2: Each block of data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the first key.

IBM’s MARS

RSA Laboratories’ RC6

Anderson, Biham, and Knudsen’s Serpent

Counterpane Systems’ Twofish

Daemen and Rijmen’s Rijndael

Of these choices, the NIST selected Rijndael. So although AES is considered the standard, the algorithm that is used in the AES standard is the Rijndael algorithm. The AES and Rijndael terms are often used interchangeably.

The three block sizes that are used in the Rijndael algorithm are 128, 192, and 256 bits. A 128-bit key with a 128-bit block size undergoes 10 transformation rounds. A 192-bit key with a 192-bit block size undergoes 12 transformation rounds. Finally, a 256-bit key with a 256-bit block size undergoes 14 transformation rounds.

Rijndael employs transformations comprised of three layers: the non-linear layer, key addition layer, and linear-maxing layer. The Rijndael design is very simple, and its code is compact, which allows it to be used on a variety of platforms. It is the required algorithm for sensitive but unclassified U.S. government data.

IDEA is faster and harder to break than DES. However, IDEA is not as widely used as DES or AES because it was patented, and licensing fees had to be paid to IDEA’s owner, a Swiss company named Ascom. However, the patent expired in 2012. IDEA is used in PGP, which is discussed later in this chapter.

RC4, also called ARC4, is one of the most popular stream ciphers. It is used in SSL and WEP (both of which are discussed in more detail in Chapter 4, “Communication and Network Security”). RC4 uses a variable key size of 40 to 2,048 bits and up to 256 rounds of transformation.

RC5 is a block cipher that uses a key size of up to 2,048 bits and up to 255 rounds of transformation. Block sizes supported are 32, 64, or 128 bits. Because of all the possible variables in RC5, the industry often uses an RC5=w/r/b designation, where w is the block size, r is the number of rounds, and b is the number of 8-bit bytes in the key. For example, RC5-64/16/16 denotes a 64-bit word (or 128-bit data blocks), 16 rounds of transformation, and a 16-byte (128-bit) key.

RC6 is a block cipher based on RC5, and it uses the same key size, rounds, and block size. RC6 was originally developed as an AES solution, but lost the contest to Rijndael. RC6 is faster than RC5.

Table 3-6 lists the key facts about each symmetric algorithm.

Security professionals should be familiar with the following symmetric algorithms:

Diffie-Hellman

RSA

El Gamal

ECC

Knapsack

Zero Knowledge Proof

1. John and Sally need to communicate over an encrypted channel and decide to use Diffie-Hellman.

2. John generates a private and public key, and Sally generates a private and a public key.

3. John and Sally share their public keys with each other.

4. An application on John’s computer takes John’s private key and Sally’s public key and applies the Diffie-Hellman algorithm, and an application on Sally’s computer takes Sally’s private key and John’s public key and applies the Diffie-Hellman algorithm.

5. Through this application, the same shared value is created for John and Sally, which in turn creates the same symmetric key on each system using the asymmetric key agreement algorithm.

Through this process, Diffie-Hellman provides secure key distribution, but not confidentiality, authentication, or non-repudiation. The key to this algorithm is dealing with discrete logarithms. Diffie-Hellman is susceptible to man-in-the-middle attacks unless an organization implements digital signatures or digital certificates for authentication at the beginning of the Diffie-Hellman process.

RSA-768 and RSA-704 have been factored. If factorization of the prime numbers used by an RSA implementation occurs, then the implementation is considered breakable and should not be used. RSA-2048 is the largest RSA number; a cash prize of US$200,000 is being offered for successful factorization. RSA-4096 is also available and has not been broken either.

As a key exchange protocol, RSA encrypts a DES or AES symmetric key for secure distribution. RSA uses a one-way function to provide encryption/decryption and digital signature verification/generation. The public key works with the one-way function to perform encryption and digital signature verification. The private key works with the one-way function to perform decryption and signature generation.

In RSA, the one-way function is a trapdoor. The private key knows the one-way function. The private key is capable of determining the original prime numbers. Finally, the private key knows how to use the one-way function to decrypt the encrypted message.

Attackers can use Number Field Sieve (NFS), a factoring algorithm, to attack RSA.

With El Gamal, any key size can be used. However, a larger key size negatively affects performance. Because El Gamal is the slowest asymmetric algorithm, using a key size of 1,024 bit or less would be wise.

Although ECC can use a key of any size, it can use a much smaller key than RSA or any other asymmetric algorithm and still provide comparable security. Therefore, the primary benefit promised by ECC is a smaller key size, reducing storage and transmission requirements. ECC is more efficient and provides better security than RSA keys of the same size.

Figure 3-18 shows an elliptic curve example with the elliptic curve equation.

The X.509 standard is a framework that enables authentication between networks and over the Internet. A PKI includes timestamping and certificate revocation to ensure that certificates are managed properly. A PKI provides confidentiality, message integrity, authentication, and non-repudiation.

The structure of a PKI includes CAs, certificates, registration authorities, certificate revocation lists, cross-certification, and the Online Certificate Status Protocol (OCSP). In this section, we discuss these PKI components as well as a few other PKI concepts.

A certification authority (CA) is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. Every entity that wants to participate in the PKI must contact the CA and request a digital certificate. It is the ultimate authority for the authenticity for every participant in the PKI by signing each digital certificate. The certificate binds the identity of the participant to the public key.

There are different types of CAs. Organizations exist who provide a PKI as a payable service to companies who need them. An example is Symantec. Some organizations implement their own private CAs so that the organization can control all aspects of the PKI process. If an organization is large enough, it might need to provide a structure of CAs with the root CA being the highest in the hierarchy.

Because more than one entity is often involved in the PKI certification process, certification path validation allows the participants to check the legitimacy of the certificates in the certification path.

An X.509 certificate complies with the X.509 standard. An X.509 certificate contains the following fields:

Version

Serial Number

Algorithm ID

Issuer

Validity

Subject

Subject Public Key Info

Public Key Algorithm

Subject Public Key

Issuer Unique Identifier (optional)

Subject Unique Identifier (optional)

Extensions (optional)

Symantec first introduced the following digital certificate classes:

Class 1: For individuals intended for email. These certificates get saved by web browsers.

Class 2: For organizations that must provide proof of identity.

Class 3: For servers and software signing in which independent verification and identity and authority checking is done by the issuing CA.

One concept to keep in mind is the revocation request grace period. This period is the maximum amount of time between when the revocation request is received by the CA and when the revocation actually occurs. A shorter revocation period provides better security but often results in a higher implementation cost.

1. A user requests a digital certificate, and the RA receives the request.

2. The RA requests identifying information from the requestor.

3. After the required information is received, the RA forwards the certificate request to the CA.

4. The CA creates a digital certificate for the requestor. The requestor’s public key and identity information are included as part of the certificate.

5. The user receives the certificate.

After the user has a certificate, he is ready to communicate with other trusted entities. The process for communication between entities is as follows:

1. User 1 requests User 2’s public key from the certificate repository.

2. The repository sends User 2’s digital certificate to User 1.

3. User 1 verifies the certificate and extracts User 2’s public key.

4. User 1 encrypts the session key with User 2’s public key and sends the encrypted session key and User 1’s certificate to User 2.

5. User 2 receives User 1’s certificate and verifies the certificate with a trusted CA.

After this certificate exchange and verification process occurs, the two entities are able to communicate using encryption.

Part 1: This draft publication covers general recommendations for key management.

Part 2: This publication covers the best practices for a key management organization.

Part 3: This publication covers the application-specific key management guidance.

Security professionals should at least understand the key management principles in Part 1 of SP 800-57. If security professionals are involved in organizations that provide key management services to other organizations, understanding Part 2 is a necessity. Part 3 is needed when an organization implements applications that use keys. In this section, we cover the recommendations in Part 1.

Several different types of keys are defined. The keys are identified according to their classification as public, private, or symmetric keys, as well as according to their use. For public and private key agreement keys, status as static or ephemeral keys is also specified:

Private signature key: These are the private keys of asymmetric (public) key pairs that are used by public-key algorithms to generate digital signatures with possible long-term implications. When properly handled, private signature keys can be used to provide source authentication, provide integrity authentication, and support the non-repudiation of messages, documents, or stored data.

Public signature-verification key: This is the public key of an asymmetric (public) key pair that is used by a public-key algorithm to verify digital signatures that are intended to provide source authentication, provide integrity authentication, and support the non-repudiation of messages, documents, or stored data.

Symmetric authentication key: This key is used with symmetric-key algorithms to provide source authentication and assurance of the integrity of communication sessions, messages, documents, or stored data (i.e., integrity authentication).

Private authentication key: This is the private key of an asymmetric (public) key pair that is used with a public-key algorithm to provide assurance of the identity of an originating entity (i.e., the source) when establishing an authenticated communication session.

Public authentication key: This is the public key of an asymmetric (public) key pair that is used with a public-key algorithm to provide assurance of the identity of an originating entity (i.e., the source) when establishing an authenticated communication session.

Symmetric data-encryption key: This key is used with symmetric-key algorithms to apply confidentiality protection to information (i.e., to encrypt the information). The same key is also used to remove the confidentiality protection (i.e., to decrypt the information).

Symmetric key-wrapping key (also called key-encrypting keys): This key is used to encrypt other keys using symmetric-key algorithms. The key-wrapping key used to encrypt a key is also used to reverse the encryption operation (i.e., to decrypt the encrypted key). Depending on the algorithm with which the key is used, the key may also be used to provide integrity protection.

Symmetric random number generation keys: This key is used to generate random numbers or random bits.

Symmetric master key: This key is used to derive other symmetric keys (e.g., data-encryption keys, key-wrapping keys, or source authentication keys) using symmetric cryptographic methods. The master key is also known as a key-derivation key.

Private key-transport key: These are the private keys of asymmetric (public) key pairs that are used to decrypt keys that have been encrypted with the corresponding public key using a public-key algorithm. Key-transport keys are usually used to establish keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).

Public key-transport key: These are the public keys of asymmetric (public) key pairs that are used to encrypt keys using a public-key algorithm. These keys are used to establish keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors). The encrypted form of the established key might be stored for later decryption using the private key-transport key.

Symmetric key-agreement key: This key is used to establish keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors), using a symmetric key-agreement algorithm.

Private static key-agreement key: These are the long-term private keys of asymmetric (public) key pairs that are used to establish keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).

Public static key-agreement key: These are the long-term public keys of asymmetric (public) key pairs that are used to establish keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).

Private ephemeral key-agreement key: These are the short-term private keys of asymmetric (public) key pairs that are used only once to establish one or more keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).

Public ephemeral key-agreement key: These are the short-term public keys of asymmetric key pairs that are used in a single-key establishment transaction to establish one or more keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).

Symmetric authorization key: This type of key is used to provide privileges to an entity using a symmetric cryptographic method. The authorization key is known by the entity responsible for monitoring and granting access privileges for authorized entities and by the entity seeking access to resources.

Private authorization key: This is the private key of an asymmetric (public) key pair that is used to provide privileges to an entity.

Public authorization key: This is the public key of an asymmetric (public) key pair that is used to verify privileges for an entity that knows the associated private authorization key.

In general, a single key is be used for only one purpose (e.g., encryption, integrity, authentication, key wrapping, random bit generation, or digital signatures). A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or the time that the keys for a given system will remain in effect. Among the factors affecting the length of a cryptoperiod are:

The cryptographic strength (e.g., the algorithm, key length, block size, and mode of operation)

The embodiment of the mechanisms (e.g., a [FIPS140] Level 4 implementation or a software implementation on a personal computer)

The operating environment (e.g., a secure limited-access facility, open office environment, or publicly accessible terminal)

The volume of information flow or the number of transactions

The security life of the data

The security function (e.g., data encryption, digital signature, key derivation, or key protection)

The re-keying method (e.g., keyboard entry, re-keying using a key loading device where humans have no direct access to key information, or remote re-keying within a PKI)

The key update or key-derivation process

The number of nodes in a network that share a common key

The number of copies of a key and the distribution of those copies

Personnel turnover (e.g., CA system personnel)

The threat to the information from adversaries (e.g., from whom the information is protected and their perceived technical capabilities and financial resources to mount an attack)

The threat to the information from new and disruptive technologies (e.g., quantum computers)

The protection requirements for cryptographic keys are shown in Table 3-7. The Security Service column lists the security service provided by the key. The Security Protection column lists the type of protection required for the key.

A key is used differently, depending on its state in the key’s life cycle. Key states are defined from a system point of view, as opposed to the point of view of a single cryptographic module. The states that an operational or backed-up key may assume are as follows:

Pre-activation state: The key has been generated but has not been authorized for use. In this state, the key may only be used to perform proof-of-possession or key confirmation.

Active state: The key may be used to cryptographically protect information (e.g., encrypt plaintext or generate a digital signature), to cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature), or both. When a key is active, it may be designated for protection only, processing only, or both protection and processing, depending on its type.

Suspended state: The use of a key or key pair may be suspended for several possible reasons; in the case of asymmetric key pairs, both the public and private keys are suspended at the same time. One reason for a suspension might be a possible key compromise, and the suspension has been issued to allow time to investigate the situation. Another reason might be that the entity that owns a digital signature key pair is not available (e.g., is on an extended leave of absence); signatures purportedly signed during the suspension time would be invalid. A suspended key or key pair may be restored to an active state at a later time or may be deactivated or destroyed, or may transition to the compromised state.

Deactivated state: Keys in the deactivated state are not used to apply cryptographic protection, but in some cases, they may be used to process cryptographically protected information. If a key has been revoked (for reasons other than a compromise), then the key may continue to be used for processing. Note that keys retrieved from an archive can be considered to be in the deactivated state unless they are compromised.

Compromised state: Generally, keys are compromised when they are released to or determined by an unauthorized entity. A compromised key shall not be used to apply cryptographic protection to information. However, in some cases, a compromised key or a public key that corresponds to a compromised private key of a key pair may be used to process cryptographically protected information. For example, a signature may be verified to determine the integrity of signed data if its signature has been physically protected since a time before the compromise occurred. This processing shall be done only under very highly controlled conditions, where the users of the information are fully aware of the possible consequences.

Destroyed state: The key has been destroyed as specified in the destroyed phase, discussed shortly. Even though the key no longer exists when in this state, certain key metadata (e.g., key state transition history, key name, type, cryptoperiod) may be retained.

The cryptographic key management life cycle can be divided into the following four phases:

1. Pre-operational phase: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase, as well. During this phase, the following functions occur:

a. User registration

b. System initialization

c. User initialization

d. Keying-material installation

e. Key establishment

f. Key registration

2. Operational phase: The keying material is available and in normal use. Keys are in the active, suspended, or deactivated state. Keys in the active state may be designated as protect only, process only, or protect and process; keys in the suspended or deactivated state can be used for processing only. During this phase, the following functions occur:

a. Normal operational storage

b. Continuity of operations

c. Key change

d. Key derivation

3. Post-operational phase: The keying material is no longer in normal use, but access to the keying material is possible, and the keying material may be used for processing only in certain circumstances. Keys are in the deactivated or compromised states. Keys in the post-operational phase may be in an archive when not processing data. During this phase the following functions occur:

a. Archive storage and key recovery

b. Entity de-registration

c. Key de-registration

d. Key destruction

e. Key revocation

4. Destroyed phase: Keys are no longer available. Records of their existence may or may not have been deleted. Keys are in the destroyed states. Although the keys themselves are destroyed, the key metadata (e.g., key name, type, cryptoperiod, usage period) may be retained.

Systems that process valuable information require controls in order to protect the information from unauthorized disclosure and modification. Cryptographic systems that contain keys and other cryptographic information are especially critical. Security professionals should work to ensure that the protection of keying material provides accountability, audit, and survivability.

Accountability involves the identification of entities that have access to, or control of, cryptographic keys throughout their life cycles. Accountability can be an effective tool to help prevent key compromises and to reduce the impact of compromises when they are detected. Although it is preferred that no humans be able to view keys, as a minimum, the key management system should account for all individuals who are able to view plaintext cryptographic keys. In addition, more sophisticated key management systems may account for all individuals authorized to access or control any cryptographic keys, whether in plaintext or ciphertext form.

Two types of audits should be performed on key management systems:

Security: The security plan and the procedures that are developed to support the plan should be periodically audited to ensure that they continue to support the key management policy.

Protective: The protective mechanisms employed should be periodically reassessed with respect to the level of security they currently provide and are expected to provide in the future. They should also be assessed to determine whether the mechanisms correctly and effectively support the appropriate policies. New technology developments and attacks should be considered as part of a protective audit.

Key management survivability entails backing up or archiving copies of all keys used. Key backup and recovery procedures must be established to ensure that keys are not lost. System redundancy and contingency planning should also be properly assessed to ensure that all the systems involved in key management are fault tolerant.

Public key cryptography, which is discussed in the next section, is used to create digital signatures. Users register their public keys with a CA, which distributes a certificate containing the user’s public key and the CA’s digital signature. The digital signature is computed by the user’s public key and validity period being combined with the certificate issuer and digital signature algorithm identifier.

The Digital Signature Standard (DSS) is a federal digital security standard that governs the Digital Security Algorithm (DSA). DSA generates a message digest of 160 bits. The U.S. federal government requires the use of DSA, RSA (discussed earlier in this chapter), or Elliptic Curve DSA (ECDSA) and SHA for digital signatures. DSA is slower than RSA and only provides digital signatures. RSA provides digital signatures, encryption, and secure symmetric key distribution.

When considering cryptography, keep the following facts in mind:

Encryption provides confidentiality.

Hashing provides integrity.

Digital signatures provide authentication, non-repudiation, and integrity.

Directories:

Lightweight Directory Access Protocol (LDAP)

Active Directory (AD)

Custom

Permissions:

Open

Print

Modify

Clipboard

Additional controls:

Expiration (absolute, relative, immediate revocation)

Version control

Change policy on existing documents

Watermarking

Online/offline

Auditing

Ad hoc and structured processes:

User initiated on desktop

Mapped to system

Built into workflow process

The parity bit method adds an extra bit to the data. This parity bit simply indicates if the number of 1 bits is odd or even. The parity bit is 1 if the number of 1 bits is odd, and the parity bit is 0 if the number of 1 bits is even. The parity bit is set before the data is transmitted. When the data arrives, the parity bit is checked against the other data. If the parity bit doesn’t match the data sent, then an error is sent to the originator.

The CRC method uses polynomial division to determine the CRC value for a file. The CRC value is usually 16- or 32-bits long. Because CRC is very accurate, the CRC value will not match up if a single bit is incorrect.

The checksum method adds up the bytes of data being sent and then transmits that number to be checked later using the same method. The source adds up the values of the bytes and sends the data and its checksum. The receiving end receives the information, adds up the bytes in the same way the source did, and gets the checksum. The receiver then compares his checksum with the source’s checksum. If the values match, message integrity is intact. If the values do not match, the data should be resent or replaced. Checksums are also referred to as hash sums because they typically use hash functions for the computation.

Message integrity is provided by hash functions and message authentication code.

Security professionals should be familiar with the following hash functions:

One-way hash

MD2/MD4/MD5/MD6

SHA/SHA-2/SHA-3

HAVAL

RIPEMD-160

Tiger

Using a given function H, the following equation must be true to ensure that the original message, M1, has not been altered or replaced with a new message, M2:

H(M1) < > H(M2)

For a one-way hash to be effective, creating two different messages with the same hash value must be mathematically impossible. Given a hash value, discovering the original message from which the hash value was obtained must be mathematically impossible. A one-way hash algorithm is collision free if it provides protection against creating the same hash value from different messages.

Unlike symmetric and asymmetric algorithms, the hashing algorithm is publicly known. Hash functions are always performed in one direction. Using it in reverse is unnecessary.

However, one-way hash functions do have limitations. If an attacker intercepts a message that contains a hash value, the attacker can alter the original message to create a second invalid message with a new hash value. If the attacker then sends the second invalid message to the intended recipient, the intended recipient will have no way of knowing that he received an incorrect message. When the receiver performs a hash value calculation, the invalid message will look valid because the invalid message was appended with the attacker’s new hash value, not the original message’s hash value. To prevent this from occurring, the sender should use message authentication code (MAC).

Encrypting the hash function with a symmetric key algorithm generates a keyed MAC. The symmetric key does not encrypt the original message. It is used only to protect the hash value.

The basic steps of a hash function are shown in Figure 3-19.

The MD4 algorithm also produces a 128-bit hash value. However, it performs only three rounds of computations. Although MD4 is faster than MD2, its use has significantly declined because attacks against it have been so successful.

Like the other MD algorithms, the MD5 algorithm produces a 128-bit hash value. It performs four rounds of computations. It was originally created because of the issues with MD4, and it is more complex than MD4. However, MD5 is not collision free. For this reason, it should not be used for SSL certificates or digital signatures. The U.S. government requires the usage of SHA-2 instead of MD5. However, in commercial usage, many software vendors publish the MD5 hash value when they release software patches so customers can verify the software’s integrity after download.

The MD6 algorithm produces a variable hash value, performing a variable number of computations. Although it was originally introduced as a candidate for SHA-3, it was withdrawn because of early issues the algorithm had with differential attacks. MD6 has since been re-released with this issue fixed. However, that release was too late to be accepted as the NIST SHA-3 standard.

Like SHA-0, SHA-1 produces a 160-bit hash value after performing 80 rounds of computations on 512-bit blocks. SHA-1 corrected the flaw in SHA-0 that made it susceptible to attacks.

SHA-2 is actually a family of hash functions, each of which provides different functional limits. The SHA-2 family is as follows:

SHA-224: Produces a 224-bit hash value after performing 64 rounds of computations on 512-bit blocks.

SHA-256: Produces a 256-bit hash value after performing 64 rounds of computations on 512-bit blocks.

SHA-384: Produces a 384-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.

SHA-512: Produces a 512-bit hash value after performing 80 rounds of computations on 1,024-bit blocks.

SHA-512/224: Produces a 224-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. The 512 designation here indicates the internal state size.

SHA-512/256: Produces a 256-bit hash value after performing 80 rounds of computations on 1,024-bit blocks. Once again, the 512 designation indicates the internal state size.

SHA-3, like SHA-2, will be a family of hash functions. SHA-2 has not yet been broken. The hash value sizes for SHA-3 range from 224 to 512 bits. The block sizes range from 576-1,152. SHA-3 performs 120 rounds of computations, by default.

Keep in mind that SHA-1 and SHA-2 are still widely used today. SHA-3 was not developed because of some security flaw with the two previous standards but was instead proposed as an alternative hash function to the others.

HMAC

CBC-MAC

CMAC

HMAC’s hash value output size will be the same as the underlying hash function. HMAC can help to reduce the collision rate of the hash function.

The basic steps of an HMAC process are as follows:

1. The sender and receiver agree on which symmetric key to use.

2. The sender joins the symmetric key to the message.

3. The sender applies a hash algorithm to the message and obtains a hash value.

4. The sender adds a hash value to the original message, and the sender sends the new message to the receiver.

5. The receiver receives the message and joins the symmetric key to the message.

6. The receiver applies the hash algorithm to the message and obtains a hash value.

7. If the hash values are the same, the message has not been altered. If the hash values are different, the message has been altered.

The basic steps of a CBC-MAC process are as follows:

1. The sender and receiver agree on which symmetric block cipher to use.

2. The sender encrypts the message with the symmetric block cipher in CBC mode. The last block is the MAC.

3. The sender adds the MAC to the original message, and the sender sends the new message to the receiver.

4. The receiver receives the message and encrypts the message with the symmetric block cipher in CBC mode.

5. The receiver obtains the MAC and compares it to the sender’s MAC.

6. If the values are the same, the message has not been altered. If the values are different, the message has been altered.

Salting means randomly adding data to a one-way function that “hashes” a password or passphrase. The primary function of salting is to defend against dictionary attacks versus a list of password hashes and against precomputed rainbow table attacks.

A security professional should randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. To check if a password is correct, the attacker needs the salt. The salt is usually stored in the user account database, along with the hash, or as part of the hash string itself.

An attacker does not know in advance what the salt will be, so she cannot precompute a lookup table or rainbow table. If each user’s password is hashed with a different salt, a reverse lookup table attack doesn’t work either.

If salts are used, security professionals must ensure that they are not reused and not too short. A new random salt must be generated each time an administrator creates a user account or a user changes his or her password. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA-256 is 256 bits (32 bytes), so the salt should be at least 32 random bytes.

Salts should be generated using a cryptographically secure pseudo-random number generator (CSPRNG). As the name suggests, a CSPRNG is designed to provide a high level of randomness and is completely unpredictable.

Cryptography attacks that are discussed include the following:

Ciphertext-only attack

Known plaintext attack

Chosen plaintext attack

Chosen ciphertext attack

Social engineering

Brute force

Differential cryptanalysis

Linear cryptanalysis

Algebraic attack

Frequency analysis

Birthday attack

Dictionary attack

Replay attack

Analytic attack

Statistical attack

Factoring attack

Reverse engineering

Meet-in-the-middle attack

Frequency analysis usually involves the creation of a chart that lists all the letters of the alphabet alongside the number of times that letter occurs. So if the letter Q in the frequency lists has the highest value, a good possibility exists that this letter is actually E in the plaintext message because E is the most used letter in the English language. The ciphertext letter is then replaced in the ciphertext with the plaintext letter.

Today’s algorithms are considered too complex to be susceptible to this type of attack.

For example, an electric fence surrounding the facility is designed to prevent access to the building by those who should not have any access (an external threat), whereas a door lock system on the server room that requires a swipe of the employee card is designed to prevent access by those who are already in the building (an internal threat). Keep this in mind as you read the following sections.

For this reason, all mission-critical systems should have uninterruptable power supplies (UPSs) that can provide power on a short-term basis until the system can be cleanly shut down. In cases where power must be maintained for longer than a matter of minutes, make onsite generators available to provide the power to keep systems running on a longer term basis until power is restored.

Noise, humidity, and brownouts are also issues that affect the electricity supply. The recommended optimal relative humidity range for computer operations is 40% to 60%. Critical systems must be protected from both power sags and surges. Neither is good for equipment. Line conditioners placed between the system and the power source can help to even out these fluctuations and prevent damage.

Finally, the most prevalent cause of computer center fires is electrical distribution systems. Checking these systems regularly can identify problems before they occur.

For example, in the case of email, the email servers should be locked away, and access to them over the network must be tightly controlled with usernames and complex passwords.

In the case of fax machines, implementing policies and procedures can prevent sensitive faxes from becoming available to unauthorized persons. In some cases, preventing certain types of information from being transmitted with faxes might be necessary.

Many phone systems now have been merged into the data network using Voice over IP (VoIP). With these systems, routers and switches might be involved in managing the phone system and should be physically locked away and logically protected from network access in the same fashion as email servers. Because email and VoIP both use the data network, ensure that cabling is not exposed to tampering and malicious destruction.

Some additional considerations that can impact disaster recovery are:

Maintain fault-tolerant connections to the Internet, such as T1 as the primary connection and a backup dial-up or satellite connection.

Establish phone connections to employees besides primary organizational phone connections. Know cellphone and home numbers for employee notification.

Establish radio communications over the entire campus with repeater antennas to provide communication during emergencies. Many primary forms of communication (such as phone lines and cellphones) can go down.

Any critical parts of the systems where cut-off valves and emergency shutdown systems are located should be physically protected from malicious tampering. In some cases covering and protecting these valves and controls using locking cages might be beneficial.

With regard to intentional explosions, the best defense is to prevent access to areas where explosions could do significant damage to the enterprise’s operational components, such as server rooms, wiring closets, and areas where power and utilities enter the building. When an intentional explosion occurs, typically thought has been given to locating the explosive where the most harm can be done, so those areas should get additional physical protection.

Fire extinguishers are classified using the standard system shown in Table 3-8. Later in this chapter, we talk more about fire extinguishers and suppression systems for the various types.

With respect to construction materials, according to (ISC)², all walls must have a two-hour minimum fire rating in an information processing facility. Knowing that the most prevalent cause of computer center fires is electrical distribution systems is also useful. Regardless of the fire source, the first action to take in the event of a fire is evacuating all personnel.

Even when all measures have been taken, vandalism can still cause problems. For example, a purposefully plugged toilet can flood a floor and damage equipment if undetected.

Limiting the specific accesses of operations personnel forces an operator into collusion with an operator of a different category to have access to unauthorized data. Collusion is much less likely to occur from a statistical standpoint than a single person operating alone. When you consider this fact, the tradeoff in exchanging one danger for another is justified.

It might also manifest itself as an action against some practice by the enterprise that might not be illegal but might be seen by some groups as harmful in some way. When this is the case the physical security of the facility becomes important as in some cases action might be taken to harm the facility.

For example, many buildings have bollards or large posts in the front of the building with lights on them. These objects serve a number of purposes. They protect the building entrance from cars being driven into it. The lights also brighten the entrance and discourage crime, and finally they can guide people to the entrance.

Natural access control also encourages the idea of creating security zones in the building. These areas can be labeled, and then card systems can be used to prevent access to more sensitive areas. This concept also encourages a minimization of entry points and a tight control over those entry points. It also encourages a separate entrance in the back for suppliers that is not available or highly visible to the public.

Walls

Doors

Ceilings

Windows

Flooring

HVAC

Power source

Utilities

Fire detection and suppression

Some special considerations include the following:

According to (ISC)², all walls must have a two-hour minimum fire resistant rating.

Doors must resist forcible entry.

Location and type of fire suppression systems should be known.

Flooring in server rooms and wiring closets should be raised to help mitigate flooding damage.

Backup and alternate power sources should exist.

Separate AC units must be dedicated and air quality/humidity should be controlled for data centers and computer rooms.

Locate computer and equipment room in the center of the building, when possible.

Computer and equipment rooms should have a single access door or point of entry.

Avoid the top floors of buildings for computer and equipment rooms.

Install and frequently test fire detection and suppression systems.

Install raised flooring.

Install separate power supplies for computer and equipment rooms when possible.

Use only solid doors.

Vault doors: Leading into walk-in safes or security rooms

Personnel doors: Used by humans to enter the facility

Industrial doors: Large doors that allow access to larger vehicles

Vehicle access doors: Doors to parking building or lots

Bullet-resistant doors: Doors designed to withstand firearms

An electromagnetic lock

A credential reader

A closed door sensor

A mantrap is a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs (such as a guard visually identifying the person) and then she is allowed through the second door. These doors are typically used only in very high security situations. Mantraps also typically require that the first door is closed prior to enabling the second door to open. Figure 3-20 shows a mantrap design.

Warded locks: These have a spring-loaded bolt with a notch in it. The lock has wards or metal projection inside the lock with which the key will match and enable opening the lock. A warded lock design is shown in Figure 3-21.

Tumbler locks: These have more moving parts than the warded lock, and the key raises the lock metal piece to the correct height. A tumbler lock design is shown in Figure 3-22.

Combination locks: These require rotating the lock in a pattern that, if correct, lines the tumblers up, opening the lock. A combination lock design is shown in Figure 3-23.

In the case of device locks, laptops are the main item that must be protected because they are so easy to steal. Laptops should never be left in the open without being secured to something solid with a cable lock. These are vinyl-coated steel cables that connect to the laptop and then lock around an object.

Standard: Used in residential area and is easily broken

Tempered: Created by heating the glass, which gives it extra strength

Acrylic: Made of polycarbonate acrylic; is much stronger than regular glass but produces toxic fumes when burned

Laminated: Two sheets of glass with a plastic film between, which makes breaking it more difficult

In areas where regular glass must be used but security is a concern, glass can be used that is embedded with wire to reduce the likelihood of breaking and entering. An even stronger option is to supplement the windows with steel bars.

Another best practice with regard to visitors is to always accompany a contractor or visitor to their destination to help ensure they are not going where they shouldn’t. In low security situations, this practice might not be necessary but is recommended in high security areas. Finally, log all visits.

They should not be located on top floors or in basements.

An off switch should be located near the door for easy access.

Separate HVAC for these rooms is recommended.

Environmental monitoring should be deployed to alert of temperature or humidity problems.

Floors should be raised to help prevent water damage.

All systems should have a UPS with the entire room connected to a generator.

You should be familiar with the following basic types of fire detection systems:

Smoke-activated: Operates using a photoelectric device to detect variations in light caused by smoke particles.

Heat-activated (also called heat-sensing): Operates by detecting temperature changes. These can either alert when a predefined temperature is met or alert when the rate of rise is a certain value.

Flame-actuated: Optical devices that “look at” the protected area. They generally react faster to a fire than non-optical devices do.

You should be familiar with the following sprinkler system types:

Wet pipe: Use water contained in pipes to extinguish the fire. In some areas, the water might freeze and burst the pipes, causing damage. These are also not recommended for rooms where equipment will be damaged by the water.

Dry pipe: In this system, the water is not held in the pipes but in a holding tank. The pipes hold pressurized air, which is reduced when fire is detected allowing the water to enter the pipe and the sprinklers. This minimizes the chance of an accidental discharge. Figure 3-24 shows a comparison of wet and dry systems.

Preaction: Operates like a dry pipe system except that the sprinkler head holds a thermal-fusible link that must be melted before the water is released. This is currently the recommended system for a computer room.

Deluge: Allows large amounts of water to be released into the room, which obviously makes this not a good choice where computing equipment will be located.

At one time, fire suppression systems used Halon gas, which works well by suppressing combustion through a chemical reaction. However, these systems are no longer used because they have been found to damage the ozone layer.

EPA-approved replacements for Halon include:

Water

Argon

NAF-S-III

Another fire suppression system that can be used in computer rooms that will not damage computers and is safe for humans is FM-200.

Surge: A prolonged high voltage

Brownout: A prolonged drop in power that is below normal voltage

Fault: A momentary power outage

Blackout: A prolonged power outage

Sags: A momentary reduction in the level of power

However, possible power problems go beyond partial or total loss of power. Power lines can introduce noise and interfere with communications in the network. In any case where large electric motors or source of certain types of light, such as florescent lighting, are present, shielded cabling should be used to help prevent radio frequency interference (RFI) and electromagnetic interference (EMI).

Use anti-static sprays.

Maintain proper humidity levels.

Use anti-static mats and wrist bands.

To protect against dirty power (sags and surges) and both partial and total power outages, the following devices can be deployed:

Power conditioners: Go between the wall outlet and the device and smooth out the fluctuations of power delivered to the device, protecting against sags and surges.

Uninterruptible power supplies (UPSs): Go between the wall outlet and the device and use a battery to provide power if the source from the wall is lost.

Heat: Excessive heat causes reboots and crashes

Humidity: Causes corrosion problems with connections

Low humidity: Dry conditions encourage static electricity, which can damage equipment

With respect to temperature, some important facts to know are:

At 100 degrees, damage starts occurring to magnetic media.

At 175 degrees, damage starts occurring to computers and peripherals.

At 350 degrees, damage starts occurring to paper products.

In summary, the conditions need to be perfect for these devices. It is for this reason that AC units should be dedicated to the information processing facilities and on a separate power source than the other HVAC systems.

Speaking of raised floors, in areas such as wiring closets, data centers, and server rooms, all floors should be raised to provide additional margin for error in the case of rising water.

Beyond this, devices that can be easily stolen, such as laptops, tablets, and smartphones, should be locked away. If that is not practical, then lock these types of devices to a stationary object. A good example of this is the cable locks used with laptops.

Another useful feature available on these same types of devices is a remote wipe feature. This allows sending a signal to a stolen device instructing it to wipe out the data contained on the device. Finally, these devices typically also come with the ability to remotely lock the device when misplaced.

Some items require even more protection than a locked cabinet. Keep important legal documents and any other items of extreme value in a safe or a vault for the added protection these items require. Fire-proof safes and vaults can provide protection for contents even during a fire.

3DES

absolute addressing

accreditation

acrylic glass

aggregation

algorithm

architecture

associative memory

asymmetric encryption

asymmetric mode

asynchronous encryption

authentication

authorization

auxiliary station alarm

availability

avalanche effect

Bell-LaPadula model

Biba model

blackout

block cipher

Blowfish

bollards

Brewer-Nash (Chinese Wall) model

brownout

CA

cable lock

cache

capacitance detector

CAST-128

CAST-256

CBC

CBC-MAC

CCTV

certificate revocation list (CRL)

certification

certification authority (CA)

CFB

Chinese Wall model

chosen ciphertext attack

chosen plaintext attack

cipher

Cipher Block Chaining (CBC)

Cipher Block Chaining MAC (CBC-MAC)

Cipher Feedback (CFB)

cipher locks

ciphertext

ciphertext-only attack

civil disobedience

Clark-Wilson integrity model

Class A extinguisher

Class B extinguisher

Class C extinguisher

Class D extinguisher

Class K extinguisher

cleartext

closed-circuit television (CCTV)

cloud computing

collision

combination lock

Common Criteria

concealment cipher

concentric circle

confidentiality

confusion

contamination

Counter Mode (CTR)

Crime Prevention Through Environmental Design (CPTED)

CRL

cryptanalysis

cryptogram

cryptography

cryptology

cryptosystem

cryptovariable

data warehouse

decoding

decryption

defense in depth

deluge extinguisher

DES

DES-X

diffusion

digital certificate

Digital Encryption Standard (DES)

digital signature

Digital Signature Standard (DSS)

Double-DES

dry pipe extinguisher

DSS

ECB

electromechanical systems

Electronic Code Book (ECB)

embedded system

encoding

encryption

environmental error

Extensible Markup Language (XML)

external threats

fail safe state

fail soft state

fault

fetching

Field-Programmable Gate Array (FPGA)

firmware

flame-actuated sensor

flash memory

Graham-Denning model

grid computing

Harrison-Ruzzo-Ullman model

hash

hash MAC (HMAC)

HAVAL

heat-activated sensor

hygrometer

IaaS

implied addressing

indirect addressing

inference

information flow model

Information Technology Security Evaluation Criteria (ITSEC)

infrastructure as a service (IaaS)

integrity

internal threats

International Data Encryption Algorithm (IDEA)

interrupt

key

key clustering

keyspace

known plaintext attack

laminated glass

layered defense model

Lipner model

maintenance hook

human-caused threats

mantrap

matrix-based model

MD2

MD4

MD5

MD6

mercury vapor

mobile code

mono-alphabetic substation cipher

multilevel lattice model

multitasking

natural access control

natural surveillance

natural territorials reinforcement

natural threats

noninterference model

non-repudiation

null cipher

OCSP

OFB

one-time pad

one-way function

Online Certificate Status Protocol (OCSP)

Open Web Application Security Project (OWASP)

Orange Book

Output Feedback (OFB)

PaaS

peer-to-peer computing

permutation

pipelined processor

plaintext

platform as a service (PaaS)

polyalphabetic substation cipher

polyinstantiation

power conditioner

preaction extinguisher

private key encryption

process

proximity authentication device

public key encryption

RA

RC4

RC5

RC6

Red Book

reference monitor

registration authority

Rijndael algorithm

RIPEMD-160

running key cipher

secret key encryption

Security Assertion Markup Language (SAML)

security kernel

Skipjack

smoke-activated sensor

software as a service (SaaS)

standard glass

state machine models

steganography

stream-based cipher

substitution

substitution cipher

superscalar

supervisor mode

surge

symmetric encryption

symmetric mode

synchronous encryption

system threats

tempered glass

thread

tiger

time-of-check/time-of-use attack

transposition

transposition cipher

trapdoor (encryption)

Triple DES (3DES)

Trusted Computer Base (TCB)

Trusted Computer System Evaluation Criteria (TCSEC)

Trusted Platform Module (TPM)

tumbler lock

Twofish

uninterruptible power supply (UPS)

warded lock

wave motion detector

wet pipe extinguisher

work factor (encryption)

a. integrity

b. confidentiality

c. availability

d. defense in depth

2. In a distributed environment, which of the following is software that ties the client and server software together?

a. embedded systems

b. mobile code

c. virtual computing

d. middleware

3. Which of the following comprises the components (hardware, firmware, and/or software) that are trusted to enforce the security policy of the system?

a. security perimeter

b. reference monitor

c. Trusted Computer Base (TCB)

d. security kernel

4. Which process converts plaintext into ciphertext?

a. hashing

b. decryption

c. encryption

d. digital signature

5. Which type of cipher is the Caesar cipher?

a. polyalphabetic substitution

b. mono-alphabetic substitution

c. polyalphabetic transposition

d. mono-alphabetic transposition

6. What is the most secure encryption scheme?

a. concealment cipher

b. symmetric algorithm

c. one-time pad

d. asymmetric algorithm

7. Which 3DES implementation encrypts each block of data three times, each time with a different key?

a. 3DES-EDE3

b. 3DES-EEE3

c. 3DES-EDE2

d. 3DES-EEE2

8. Which of the following is NOT a hash function?

a. ECC

b. MD6

c. SHA-2

d. RIPEMD-160

9. Which of the following is an example of preventing an internal threat?

a. a door lock system on a server room

b. an electric fence surrounding a facility

c. armed guards outside a facility

d. parking lot cameras

10. Which of the following is NOT one of the three main strategies that guide CPTED?

a. Natural Access Control

b. Natural Surveillance Reinforcement

c. Natural Territorials Reinforcement

d. Natural Surveillance

11. What occurs when different encryption keys generate the same ciphertext from the same plaintext message?

a. key clustering

b. cryptanalysis

c. keyspace

d. confusion

12. Which encryption system uses a private or secret key that must remain secret between the two parties?

a. running key cipher

b. concealment cipher

c. asymmetric algorithm

d. symmetric algorithm

13. Which of the following is an asymmetric algorithm?

a. IDEA

b. Twofish

c. RC6

d. RSA

14. Which PKI component contains a list of all the certificates that have been revoked?

a. CA

b. RA

c. CRL

d. OCSP

15. Which attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext?

a. frequency analysis

b. reverse engineering

c. ciphertext-only attack

d. brute force

16. In ISO/IEC 15288:2015, which process category includes acquisition and supply?

a. Technical management processes

b. Technical processes

c. Agreement processes

d. Organizational project-enabling processes

17. Which of the following is NOT a principle in the risk-based category of NIST 800-27 Rev A?

a. Assume that external systems are insecure.

b. Eliminate risk.

c. Protect information while being processed, in transit, and in storage.

d. Protect against all likely classes of attacks.

18. Which statement is true of dedicated security mode?

a. It employs a single classification level.

b. All users have the same security clearance, but they do not all possess a need-to-know clearance for all the information in the system.

c. All users must possess the highest security clearance, but they must also have valid need-to-know clearance, a signed NDA, and formal approval for all information to which they have access.

d. Systems allow two or more classification levels of information to be processed at the same time.

19. What is the first step in ISO/IEC 27001:2013?

a. Identify the requirements.

b. Perform risk assessment and risk treatment.

c. Maintain and monitor the ISMS.

d. Obtain management support.

20. Which two processor states are supported by most processors?

a. supervisor state and problem state

b. supervisor state and kernel state

c. problem state and user state

d. supervisor state and elevated state

21. When supporting a BYOD initiative, from which group do you probably have most to fear?

a. hacktivists

b. careless users

c. software vendors

d. mobile device vendors

22. Which term applies to embedded devices that bring with them security concerns because engineers that design these devices do not always worry about security?

a. BYOD

b. NDA

c. IoT

d. ITSEC

23. Which option best describes the primary concern of NIST SP 800-57?

a. asymmetric encryption

b. symmetric encryption

c. message integrity

d. key management

24. Which of the following key types requires only integrity security protection?

a. public signature verification key

b. private signature key

c. symmetric authentication key

d. private authentication key

25. What is the final phase of the cryptographic key management life cycle, according to NIST SP 800-57?

a. operational phase

b. destroyed phase

c. pre-operational phase

d. post-operational phase

2. d. In a distributed environment, middleware is software that ties the client and server software together. It is neither a part of the operating system nor a part of the server software. It is the code that lies between the operating system and applications on each side of a distributed computing system in a network.

3. c. The TCB comprises the components (hardware, firmware, and/or software) that are trusted to enforce the security policy of the system and that if compromised jeopardize the security properties of the entire system.

4. c. Encryption converts plaintext into ciphertext. Hashing reduces a message to a hash value. Decryption converts ciphertext into plaintext. A digital signature is an object that provides sender authentication and message integrity by including a digital signature with the original message.

5. b. The Caesar cipher is a mono-alphabetic substitution cipher. The Vigenere substitution is a polyalphabetic substitution.

6. c. A one-time pad is the most secure encryption scheme because it is used only once.

7. b. The 3DES-EEE3 implementation encrypts each block of data three times, each time with a different key. The 3DES-EDE3 implementation encrypts each block of data with the first key, decrypts each block with the second key, and encrypts each block with the third key. The 3DES-EDE2 implementation encrypts each block of data with the first key, decrypts each block with the second key, and then encrypts each block with the first key. The 3DES-EEE2 implementation encrypts each block of data with the first key, encrypts each block with the second key, and then encrypts each block with the third key.

8. a. ECC is NOT a hash function. It is an asymmetric algorithm. All the other options are hash functions.

9. a. An electric fence surrounding a facility is designed to prevent access to the building by those who should not have any access (an external threat), whereas a door lock system on the server room that requires a swipe of the employee card is designed to prevent access by those who are already in the building (an internal threat).

10. b. The three strategies are natural access control, natural territorials reinforcement, and natural surveillance.

11. a. Key clustering occurs when different encryption keys generate the same ciphertext from the same plaintext message. Cryptanalysis is the science of decrypting ciphertext without prior knowledge of the key or cryptosystem used. A keyspace is all the possible key values when using a particular algorithm or other security measure. Confusion is the process of changing a key value during each round of encryption.

12. d. A symmetric algorithm uses a private or secret key that must remain secret between the two parties. A running key cipher uses a physical component, usually a book, to provide the polyalphabetic characters. A concealment cipher occurs when plaintext is interspersed somewhere within other written material. An asymmetric algorithm uses both a public key and a private or secret key.

13. d. RSA is an asymmetric algorithm. All the other algorithms are symmetric algorithms.

14. c. A CRL contains a list of all the certificates that have been revoked. A CA is the entity that creates and signs digital certificates, maintains the certificates, and revokes them when necessary. An RA verifies the requestor’s identity, registers the requestor, and passes the request to the CA. OCSP is an Internet protocol that obtains the revocation status of an X.509 digital certificate.

15. d. A brute-force attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext. A frequency analysis attack relies on the fact that substitution and transposition ciphers will result in repeated patterns in ciphertext. A reverse engineering attack occurs when an attacker purchases a particular cryptographic product to attempt to reverse engineer the product to discover confidential information about the cryptographic algorithm used. A ciphertext-only attack uses several encrypted messages (ciphertext) to figure out the key used in the encryption process.

16. c. ISO/IEC 15288:2015 establishes four categories of processes:

Agreement processes, including acquisition and supply

Organizational project-enabling processes, including infrastructure management, quality management, and knowledge management

Technical management processes, including project planning, risk management, configuration management, and quality assurance

Technical processes, including system requirements definition, system analysis, implementation, integration, operation, maintenance, and disposal

17. b. NIST 800-27 Rev A does NOT require that risk be eliminated. These are the risk-based principles in NIST 800-27 Rev A:

Reduce risk to an acceptable level.

Assume that external systems are insecure.

Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.

Implement tailored system security measures to meet organizational security goals.

Protect information while being processed, in transit, and in storage.

Consider custom products to achieve adequate security.

Protect against all likely classes of attacks.

18. a. Dedicated security mode employs a single classification level.

19. d. The first step in ISO/IEC 27001:2013 is to obtain management support.

20. a. Two processor states are supported by most processors: supervisor state (or kernel mode) and problem state (or user mode).

21. b. As a security professional, when supporting a BYOD initiative, you should take into consideration that you probably have more to fear from the carelessness of the users than you do from hackers.

22. c. Internet of Things (IoT) is the term used for embedded devices and their security concerns because engineers that design these devices do not always worry about security.

23. d. Key management is the primary concern of NIST SP 800-57.

24. a. Public signature verification keys require only integrity security protection.

25. b. The destroyed phase is the final phase of the cryptographic key management life cycle, according to NIST SP 800-57.