Chapter 6. The Application and Use of Cryptography

The exam expects you to understand the application of cryptographic systems, their functions, and their strengths and weaknesses. The CISSP candidate is expected to know basic information about cryptographic systems such as symmetric algorithms, asymmetric algorithms, public key infrastructure, message digests, key management techniques, and alternatives to traditional cryptography, such as steganography.

Test candidates will need to know that cryptography is the science and study of secret writing. Cryptography is concerned with the ways in which information can be encoded or encrypted to prevent disclosure. It is tied closely to three basic pillars of security: integrity, nonrepudiation, and confidentiality. Cryptography offers its users the capability to protect the confidentiality of information in spite of eavesdropping or other interception techniques. Cryptography protects integrity by ensuring that only the individuals who have been authenticated and authorized can access and view the data. Cryptography provides integrity services by detecting the modification to, addition to, or deletion of data while in transit or in storage. Cryptography offers assurance that the true source of information can be determined and that nonrepudiation can be insured.

To have a good understanding of cryptography, you should review how it relates to the foundations of security: privacy, authentication, integrity, and nonrepudiation.

Confidentiality, or privacy, is the ability to guarantee that private information stays private. Cryptography provides confidentiality by transforming data. This transformation is called encryption. Encryption can protect confidentiality of information in storage or in transit. Just think about the CEO’s laptop. If it is lost or stolen, what is really worth more: the laptop or information regarding next year’s hot new product line? Information assets can be worth much more than the equipment on which they are stored. Hard disk encryption offers an easy way to protect information should equipment be lost, stolen, or accessed by unauthorized individuals.

Authentication has several roles. First, authentication is usually associated with message encryption. Authentication provides a way to ensure that data or programs have not been modified and really come from the source that you believe it to have come from. Authentication is also used to confirm a user’s identity, and is part of the identification and authentication process. The most common implementation of identification and authentication is username and password. Most passwords are encrypted, but they do not have to be. Without encryption, the authentication process is very weak. FTP and Telnet are examples of weak authentication. With these protocols, usernames and passwords are passed in unencrypted or in the clear, and anyone with access to the communication stream can intercept and capture these cleartext passwords. VPNs (virtual private networks) also use authentication, but instead of a cleartext username and password, they normally use digital certificates and digital signatures to more accurately identify the user, and to protect the authentication process from spoofing.

Integrity is the assurance that information remains unaltered from the point it was created until it is received. If you’re selling widgets on the Internet for $100 each, you will likely go broke if a criminal can change the posted price to $1 at checkout. Integrity is critical for the exchange of information, be it engaging in e-commerce, maintaining trade secrets, or supplying accurate military communications.

Nonrepudiation is the capability to verify proof of identity. Nonrepudiation is used to ensure that a sender of data is provided with proof of delivery, and that the recipient is assured of the sender’s identity. Neither party should be able to deny having sent or received the data at a later date. In the days of face-to-face transactions, nonrepudiation was not as hard to prove. Today, the Internet makes many transactions faceless. You might never see the people that you deal with; therefore, nonrepudiation becomes all the more critical. Nonrepudiation is achieved through digital signatures, digital certificates, and message authentication codes (MACs).

To help make this chapter a little easier to digest, review the following basic terms that will be used throughout this chapter:

Plaintext / cleartext—Text that is directly readable.

Encryption—The transformation of cleartext into ciphertext

Ciphertext—Text that has been rendered unreadable by encryption.

Cryptographic algorithm—A set of mathematical procedures used to encrypt and decrypt data in a cryptographic system. As an example, a simple algorithm like Caesar’s cipher might simply shift characters forward or backward three characters in the alphabet.

Cryptographic key—A piece of information, also called a cryptovariable, that controls how a cryptographic algorithm functions. It can be used to control the transformation of plaintext to ciphertext, or ciphertext to plaintext. As an example, an algorithm that shifts characters might use a key of “+3” to shift characters forward by three positions. The word “cat” would be encrypted as “fdw” using this algorithm and key.

Symmetric cryptography—Cryptography that uses a single key for both encryption and decryption.

Asymmetric cryptography—Cryptography that uses a public key for encryption and a separate, private key for decryption. What the public key does, the private key can undo.

Cryptanalysis—the art and science of breaking a cryptography system or obtaining the plaintext from ciphertext without a cryptographic key. It is used by governments, the military, enterprises, and malicious hackers to find weaknesses and crack cryptographic systems.

Message digest or Hash—A fixed-length hex string used to uniquely identify a variable anount of data.

Digital signature—A hash value that is encrypted with a sender’s private key. It is used for authentication and integrity.

When symmetric encryption is used to convert plaintext into ciphertext, the transformation can be accomplished in two ways:

Block ciphers—Ciphers that separate the message into blocks for encryption and decryption.

Stream ciphers—Ciphers that divide the message into bits for encryption and decryption.

Even Julius Caesar encrypted messages sent between himself and his trusted advisors. Although many might not consider it a robust method of encryption, Caesar’s cipher worked by means of a simple substitution cipher. In Caesar’s cipher, there was a plaintext alphabet and a ciphertext alphabet. The alphabets were arranged as shown in Figure 6.1.

When Caesar was ready to send a message, it was encrypted by moving the text forward according to the key. If the key was 3 characters, for example, then the word “cat” would encrypt to “fdw”. You can try this yourself by referring to Figure 6.1. Just look up each of the message’s letters in the top row and write down the corresponding letter from the bottom row. Caesar’s cipher is also known as a rotation cipher, and a key of three is called ROT3.

Ancient Hebrews used a similar cryptographic system called ATBASH that worked by replacing each letter used with another letter the same distance away from the end of the alphabet; A was sent as a Z, and B was sent as a Y, as illustrated in Figure 6.2.

More complicated substitution ciphers were developed through the Middle Ages as individuals became better at breaking simple encryption systems. In the ninth century, Abu al-Kindi published what is considered to be the first paper that discusses how to break cryptographic systems titled, “A Manuscript on Deciphering Cryptographic Messages.” It deals with using frequency analysis to break cryptographic codes. Frequency analysis is the study of how frequent letters or groups of letters appear in ciphertext. Uncovered patterns can aid individuals in determining patterns and breaking the ciphertext.

As these early ciphers all had weaknesses, people worked to improve them. A polyalphabetic cipher makes use of more than one arrangement of the alphabet. The alphabetic cipher, also known as the Vigenère cipher, uses a single encryption/decryption chart shown here:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

The chart is simply the alphabet written repeatedly for a total of 26 times. Each new line shifts the alphabet by one letter. You need a key to use the Vigenère system. Table 6.1 shows an example of a plaintext, key, and ciphertext using this method of encryption.

How does Vigenère encryption work? Note that the first letter of the plaintext is “C”, and the first letter of the key is “Q”. Compare the natural alphabet to the alphabet arrangement above that begins with “Q”:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

You can see that a plaintext “C” correlates to a ciphertext “S”. Next, encrypt the second plaintext letter, “R”, according to the alphabet that starts with the second letter of the key, “U”:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

Plaintext “R” becomes ciphertext “L”. This process continues until the entire plaintext is encrypted. If the key is shorter than the plaintext (as it usually is), you start at the beginning of the key again.

Note that using a different key with the same algorithm would result in a completely different ciphertext.

Substitution ciphers use an encryption method to replace each character or bit of the plaintext message with a different character. The Caesar cipher is a basic example of a substitution cipher. Ciphers can also use transposition, which was the basis of the scytale cipher. Transposition ciphers use algorithms to rearrange the letters of a plaintext message. The result is a ciphertext message. The process of decryption reverses the encryption process to retrieve the original message. The transposition cipher is different in that the letters of the original message remain the same, but their positions are scrambled in an ordered way.

An example of this can be demonstrated in a simple column array transposition. The letters of the message are written in a rectangular array by rows and then read out by columns. Our message is CRYPTO IS MY FAVORITE SUBJECT. The message is written here in a 5 × 5 array as follows:

C R Y P T

O I S M Y

F A V O R

I T E S U

B J E C T

To encrypt the message, each column is processed:

COFIB RIATJ YSVEE PMOSC TYRUT

The result is the ciphertext. Although it appears complex, a transposition cipher can easily be broken given enough time and resources.

History offers many other examples of systems developed to act as codes and ciphers. One such example is the concealment cipher, which hides the message inside another message. One concealment cipher works by burying the intended message a word at a time inside an innocuous message. The intended message might be found as every third word in a sentence. An example can be seen in the letter received by Sir John Trevanion in the 1600s. Sir John was awaiting execution during the English civil war and was eager to escape his captors. The letter stated:

Worthie Sir John: Hope, that is ye beste comfort of ye afflicted, cannot much, I fear me, help you now. That I would saye to you, is this only: if ever I may be able to requite that I do owe you, stand not upon asking me. ‘Tis not much that I can do: but what I can do, bee ye verie sure I wille. I knowe that, if dethe comes, if ordinary men fear it, it frights not you, accounting it for a high honor, to have such a rewarde of your loyalty. Pray yet that you may be spared this soe bitter, cup. I fear not that you will grudge any sufferings; only if bie submission you can turn them away, ‘tis the part of a wise man. Tell me, an if you can, to do for you anythinge that you wolde have done. The general goes back on Wednesday. Restinge your servant to command. —R.T.

When the message is divided up and every third letter after a punctuation mark is read, it says:

Panel at east end of chapel slides

A somewhat similar technique is a book or running key cipher that uses references to pages, paragraphs, or works in a book. The running key cipher is a form of symmetric substitution cipher in which a text, typically from a book, is used to provide a very long key stream. Usually, the book or text would need to be agreed to ahead of time. These ciphers don’t actually encrypt the message using modern mathematical operations, or even scramble the message with yesterday’s techniques; however, they do hide the message from the unintended recipient. (A variation of this used to be seen in some computer games. To start the game, you had to input a certain word from a specific page of the game’s printed manual. Without the manual, the game could not be started.)

Are any ciphers or codes unbreakable? The only known system unbreakable by brute force is a one-time pad called a Vernam cipher. (Think of a brute force attack as an exhaustive search of all possible keys that could be used in an algorithm, in an attempt to decrypt the message.) The one-time pad was created in 1917 while Gilbert Vernam was investigating methods to potentially improve the polyalphabetic cipher. The one-time pad is a plaintext combined with a random key. This cryptographic system relies on several mechanisms to work correctly. These include:

The message and the key must be stored securely, and the key must be the same length or longer than the message.

The key can only be used once.

The key must be random.

The key must be distributed by an out-of-band mechanism. Out-of-band means that communications are outside a previously established method of communication.

The early twentieth century was dominated by mechanical encryption devices. Some examples include the German Enigma machine, which used a series of internal rotors to perform the encryption, and the Japanese Purple Machine. Such devices were developed in an attempt to counter the weaknesses of early substitution ciphers. Both systems were eventually broken. Today, the military, government, industry, and individuals use cryptographic systems. Cryptography is used by the movie industry for DVD and Blu-ray encryption, by Pretty Good Privacy (PGP) for email and file security, by Internet Protocol Security (IPSec) for data transfers, and so on.

In the United States, the National Security Agency (NSA) is responsible for cryptology and the creation and breaking of codes. Cryptography continues to advance; today new implementations are being created that are based on light. This is known as quantum cryptography. Quantum cryptography operates by securing optic communications by properties and phenomena of quantum physics.

Computer graphics such as bitmaps or image files are commonly used. To the viewer of the image, the picture remains the same, but in reality, information has been hidden in it. The hidden information can be plaintext, ciphertext, or other types of data.

With steganography, someone could be looking right at some type of covert message and never even realize it! And if the data is encrypted, this dual level of protection vastly increases the security of the hidden object; even if someone discovers the existence of the hidden message, the encryption method to view the contents must be overcome. An example of steganography can be seen in Figure 6.3. I have used an image of one of my prized 8-track players to demonstrate the concept.

The payload—The data or information that is to be hidden and transmitted.

The carrier or cover—The file or container, such as an image, audio file, document, or video file, that is to contain the hidden payload.

The stegomedium—The final file that contains the hidden payload.

To hide information in an image using steganography you will need to alter the image only slightly. Computer-based images are composed of many dots, called pixels. Each pixel has a color encoded as a set of three brightness values: one for red light, one for green, and one for blue. These brightness values can range from a minimum of 0 to a maximum of 255. These values can be altered slightly to hold information in a way that is undetectable to humans.

As an example, let’s say an image has a pixel with brightness values of 38, 74, 130. These correspond to binary values as shown:

To hide the decimal value 7 (binary 111) here, you could simply change the least significant bit of each byte to equal the binary digits 111:

Could a viewer recognize the difference? Most likely not because the actual image file has changed very little. Most monitors offer at least 32-bit color, which equals about four billion color shades. The human eye is not capable of detecting tiny changes from one shade to the next. The size of the payload that can be successfully hidden depends on the size of the carrier.

Steganography in a sound file works in a similar fashion because sound is also represented digitally.

In reality, steganography algorithms can be much more complex, and to further protect the hidden content, you could encrypt the data before encoding it into an image file. Such a technique could be used to make it much harder for a third party to uncover the encrypted data.

Digital watermarks can be used in cases of intellectual property theft to show proof of ownership. Adobe Photoshop actually includes the capability to add a watermark. Its technology is called Digimarc. It is designed to help artists determine whether their art was stolen. Other applications include marking files such as music when they are prereleased. This allows the identification of the individuals that violate their nondisclosure agreements by releasing the work, using peer-to-peer networks, or other unauthorized sources.

Not all cryptosystems are of the same strength. For example, Caesar might have thought his system of encryption was quite strong, but it would be seen as insecure today. How strong should an encryption be? The strength of a cryptosystem relies on the strength of the algorithm itself because a flawed algorithm can be broken.

But the strength of the encryption also rests on the size and complexity of the key. As an example, imagine that you’re contemplating buying a combination lock. One lock has three digits, whereas the other has four. Which would you choose? Consider that there are 1,000 possible combinations for the three-digit lock, but 10,000 possible combinations for the four-digit lock. As you can see, just a one-digit increase can create a significant difference. The more possible keys or combinations there are, the longer it takes an attacker to guess the right key.

The size of the key, be it four possible numbers, seven possible numbers, or even sixty-four possible numbers, is known as the key space. In the world of cryptography, key spaces are defined by the number of bits. So, a 64-bit key has a key space of 2 to the power of 64, or 18,446,744,073,709,551,616.

Keys must remain secret. You could buy a seven-digit combination lock, but it would do you little good if everyone knew the combination was your phone number.

The final consideration in the choice of a cryptosystem is the value of the data. Highly valued data requires more protection than data that has little value. Therefore, more valuable information needs stronger algorithms, larger keys, and more frequent key exchange to protect against attacks.

Cryptographic systems might make use of a nonce. A nonce is a number generated as randomly as possible and used once. These pseudorandom numbers are different each time one is generated. An initialization vector (IV) is an example of a nonce. An IV can be added to a key and used to force creation of unique ciphertext even when encrypting the same message with the same cipher and the same key.

Modern cryptographic systems use two types of algorithms for encrypting and decrypting data:

Symmetric algorithms use the same key to encrypt and decrypt data.

Asymmetric algorithms use different keys, one for encryption and the other for decryption.

Before examining each of these in more detail, review Table 6.2, which highlights some of the key advantages and disadvantages of each style of algorithm.

Confusion—Occurs from substitution type operations that create a complicated relationship between the plain text and the key so that an attacker can’t alter the ciphertext to determine the key.

Diffusion—Occurs from transposition type operations that shift pieces of the plain text multiple times. The result is that changes are spread throughout the ciphertext.

The substitution box (s-box) performs a series of substitutions, transpositions, and exclusive-or (XOR) operations to obscure the relationship between the plaintext and the ciphertext. When properly implemented, s-boxes are designed to defeat cryptanalysis. An s-box takes a number of input bits (m) and transforms them into some number of output bits (n). S-boxes are implemented as a type of lookup table and used with symmetric encryption systems such as Data Encryption Standard (DES).

A stream cipher encrypts a stream of data one bit at a time. To accomplish this, a one-time pad is created from the encryption engine. This one-time pad is a key-stream, and it is XORed with the plaintext data stream (one bit at a time) to result in ciphertext. Stream ciphers differ from each other in the engine they use to create the one-time pad; the engine receives the symmetric key as input to cause the creation of a unique key stream. The XOR operation is a Boolean math function that says when two bits are combined, if either one or the other is a value of one, a one will result; but if both of the bits are the same, a zero will result. Refer to Table 6.3 for a list of commonly used Boolean operators:

Stream ciphers operate at a higher speed than block ciphers and, in theory, are well suited for hardware implementation.

The simple diagram in Figure 6.4 shows the symmetric encryption process. Plaintext is encrypted with the single shared key resulting in ciphertext; the ciphertext is then transmitted to the message’s recipient, who reverses the process to decrypt the message. Symmetric encryption and decryption are fast, and symmetric encryption is very hard to break if a large key is used. However, it has three significant disadvantages:

Distribution of the symmetric key

Key management

Provides only for confidentiality

Distribution of the symmetric key is the most serious deficiency with symmetric encryption. For symmetric encryption to be effective, there must be a secure method in which to transfer keys. In our modern world, there needs to be some type of out-of-band transmission. Just think about it: If Bob wants to send Alice a secret message but is afraid that Eavesdropper Eve can monitor their communication, how can he send the message? If the key is sent in cleartext, Eve can intercept it. Bob could deliver the key in person, mail it, or even send a courier. All these methods are highly impractical in our world of e-commerce and electronic communication.

In addition to the problem of key exchange, there is also a key management problem. If, for example, you had 10 people who all needed to communicate with each other in complete confidentiality, you would require 45 keys for them. That’s right, 45 keys! The formula used to calculate the number of keys needed in symmetric encryption is:

N(N–1)/2 = 10(10–1)/2 = 45 keys

Table 6.4 shows how the number of keys climbs as users increase.

The third and final problem with symmetric encryption is that it provides only for confidentiality. The ultimate goal within cryptography is to supply confidentiality, integrity, authenticity, and nonrepudiation.

You might be thinking that I have offered you nothing but bad news about symmetric encryption, but recall, it does have excellent features that make it the perfect choice for providing confidentiality. SP800-131A specifies encryption key lengths. Some examples of symmetric algorithms include:

DES—Data Encryption Standard was once the most commonly used symmetric algorithm. It has been officially retired by NIST. 3DES is still allowed for use while all other DES implementations are no longer allowed.

Blowfish—A general-purpose symmetric algorithm intended as a replacement for DES. Blowfish has a variable block size and a key size of 32 bits up to 448 bits.

Twofish—A block cipher that operates on 128-bit blocks of data and is capable of using cryptographic keys up to 256 bits in length.

IDEA—International Data Encryption Algorithm is a block cipher that uses a 128-bit key to encrypt 64-bit blocks of plaintext. It is patented, but free for noncommercial use, and is used by PGP.

Rijndael—This is a block cipher adopted as the Advanced Encryption Standard (AES) by the United States government to replace DES. Although Rijndael supports multiple block sizes, as AES, the block size is fixed at 128 bits. There are three approved key lengths—128, 192, and 256.

RC4—Rivest Cipher 4 is a stream-based cipher. Stream ciphers treat the data as a stream of bits.

RC5—RC5, or Rivest Cipher 5, is a fast block cipher. It is different from other symmetric algorithms in that it supports a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32, 64, and 128 bits. The number of rounds can range from 0 to 255 and the key can range up to 2,040 bits.

SAFER—Secure and Fast Encryption Routine is a block-based cipher that processes data in blocks of 64 and 128 bits.

MARS—A candidate for AES that was developed by IBM. MARS is a block cipher that has a 128-bit block size and a key length between 128 and 448 bits.

CAST—Carlisle Adams/Stafford Tavares is a 128- or 256-bit block cipher that was a candidate for AES.

Skipjack—Promoted by the NSA. Skipjack uses an 80-bit key, supports the same four modes of operation as DES, and operates on 64-bit blocks of text. Skipjack faced public opposition because it was developed so that the government could maintain information enabling legal authorities (with a search warrant or approval of the court) to reconstruct a Skipjack access key and decrypt private communications between affected parties.

To provide authentication from cryptography, you must turn to asymmetric encryption. But, before discussing asymmetric encryption, the sections that follow complete the discussion of DES and a couple of other popular symmetric encryption methods.

DES uses a 64-bit block to process 64 bits of plaintext at a time, and outputs 64-bit blocks of ciphertext. As mentioned, DES uses a 64-bit key (with every 8th bit being ignored) and has the following modes of operation:

Electronic Codebook (ECB) mode

Cipher Block Chaining (CBC) mode

Cipher Feedback (CFB) mode

Output Feedback (OFB) mode

Counter (CTR) mode

The written standard reports the DES key to be 64 bits, but 8 bits are actually used for parity to ensure the integrity of the remaining 56 bits. Therefore, in terms of encryption strength, the key is really only 56 bits long. Each 64-bit plaintext block is separated into two 32-bit blocks, and then processed by this 56-bit key. The processing submits the plaintext to 16 rounds of transpositions and substitutions.

There is a derivative mode of OFB known as counter mode. Counter mode implements DES as a stream cipher and produces a ciphertext that does not repeat for long periods. Figure 6.6 illustrates an example of DES OFB encryption.

Although AES was to be the long-term replacement, the government had not chosen a cipher to put behind the label of AES. Another temporary solution was needed to fill the gap before AES could be deployed. Some thought that Double-DES might be used. After all, Double-DES could have a 112-bit key! However, cryptanalysis proved that Double-DES was no more secure than DES; it requires the same work factor to crack as DES. Double-DES is also susceptible to a meet-in-the-middle attack.

But a geometric increase in performance was provided by using Triple-DES. Therefore, to extend the usefulness of the DES encryption standard, Triple-DES was seen as a stopgap solution. Triple-DES (3DES) can make use of two or three keys to encrypt data, depending on how it is implemented; therefore, it has either an effective key length of 112 bits or 168 bits. Triple-DES performs 48 rounds of transpositions and substitutions. Although it is much more secure, it is approximately three times as slow as 56-bit DES. 3DES can be implemented in several ways:

DES EEE2 uses two keys—The first key is reused during the third round of encryption. The encryption process is performed three times (encrypt, encrypt, encrypt).

DES EDE2 uses two keys—Again, the first key is reused during the third round of encryption. Unlike DES EEE2, DES EDE2 encrypts, decrypts, and then encrypts.

DES EEE3 uses three keys and performs the encryption process three times, each time encrypting—Sometimes, you might see the specifics of these ciphers mathematically summarized. For example, when discussing DES-EEE3 using E(K,P), where E refers to the encryption of plaintext P with key K, the process is summarized as E(K3,E(K2,E(K1,P))).

DES EDE3 uses three keys but operates by encrypting, decrypting, and then encrypting the data—Figure 6.8 illustrates an example of EDE3.

Linear mix transform

Nonlinear transform

Key addition transform

It also uses a four-step, parallel series of rounds. The steps performed during each round are

Byte sub—Each byte is replaced by an S-box substitution.

Shift row—Bytes are arranged in a rectangular matrix and shifted.

Mix column—Matrix multiplication is performed based on the arranged rectangle.

Add round key—Each byte of the state is combined with the round key.

On the last round, the fourth step is bypassed and the first is repeated.

Rijndael is an iterated block cipher, and as developed, it supports variable key and block lengths of 128, 192, or 256 bits. If both key and block size are

128-bit, there are 10 rounds.

192-bit, there are 12 rounds.

256-bit, there are 14 rounds.

As specified in the standard for becoming AES, Rijndael is now fixed in block size of 128 but can still deploy multiple key lengths.

RC2 is an early algorithm in the series. It features a variable key-size, 64-bit block cipher that can be used as a drop-in substitute for DES.

RC4 is a fast stream cipher, faster than block mode ciphers, and was widely used. It was especially suitable for low power devices. The 40-bit version is used in Wi-Fi’s Wired Equivalent Privacy (WEP). Although only 40-bit keys (together with a 24-bit IV, creating 64-bit WEP) were specified by the 802.11 standard, many vendors tried to strengthen the encryption by a de facto deployment of a 104-bit key (with the 24-bit IV, making 128-bit WEP).

RC5 is a block-based cipher in which the number of rounds can range from 0 to 255 and the key can range from 0 bits to 2,048 bits. RC6 is similar; it uses a variable key size and key rounds. RC6 added two features (integer multiplication and four 4-bit working registers) not found in RC5.

Here’s how asymmetric encryptions functions: Imagine that you want to send a client a message. You use your client’s public key to encrypt the message. When your client receives the message, he uses his private key to decrypt it. The important concepts here are that if the message is encrypted with the public key, only the matching private key will decrypt it. The private key, by definition, is generally kept secret, whereas the public key can be given to anyone. If properly designed, it should not be possible for someone to easily deduce a key pair’s private key from the public key.

Cryptographic systems can also make use of zero knowledge proof. This concept allows you to prove your knowledge without revealing the fact to a third party. For example, if someone encrypts with the private key it can be decrypted with the public key. This would permit a perfect check of authenticity. Asymmetric encryption provided the mechanism for accomplishing this concept. It is possible for the holder of a private key to prove they hold that key without ever disclosing the contents to anyone. Dr. W. Diffie and Dr. M. E. Hellman (discussed next) used this concept to permit creation of a trusted session key while communicating across an untrusted communication path. And, presto, key distribution was solved.

Public key cryptography is made possible by the use of one-way functions. A one-way function, known as a trap door, is a mathematical calculation that is easy to compute in one direction, yet next to impossible to compute in the other. Depending on the type of asymmetric encryption used, this calculation involves one of the following:

Manipulating discrete logarithms

Factoring large composite numbers into their original prime factors

As an example of the trap door function, consider an implementation that uses factoring. If you are given two large prime numbers such as 387 and 283, it is easy to multiply them together and get 109,521. However, if you are given only the product 109,521, it will take a while to find the factors.

As you can see, anyone that knows the trap door can perform the function easily in both directions, but anyone lacking the trap door can perform the function in only one direction. Trap door functions are used in their forward direction when someone is using the public key function; the forward direction is used for encryption, verification of digital signatures, and receipt of symmetric keys. Trap door functions are used in the inverse direction when someone is using the private key function; the inverse direction is used for decryption, generation of digital signatures, and transmission of symmetric keys. Properly implemented, anyone with a private key can generate its public pair, but no one with a public key can easily derive its private pair. We have Dr. W. Diffie and Dr. M. E. Hellman to thank for helping develop public key encryption; they released the first key-exchange protocol in 1976.

Although in-depth knowledge of Diffie-Hellman’s operation is not necessary for the CISSP exam, its operation is classic and worth review for anyone interested in the working of cryptographic systems. Diffie-Hellman has two system parameters: p and g. Both parameters are public and can be used by all the system’s users. Parameter p is a prime number and parameter g, which is usually called a generator, is an integer less than p that has the following property: For every number n between 1 and p–1 inclusive, there is a power k of g such that g^k = n mod p. For example, when given the following public parameters:

p = Prime number

g = Generator

These values are used to generate the function y = g^x mod p. With this function, Alice and Bob can securely exchange a previously unshared secret (symmetric) key as follows:

Alice can use a private value a, which only she holds, to calculate

y^a = g^a mod p

Bob can use a private value b, which only he holds, to calculate

y^b = g^b mod p

Alice can now send y^a (as Alice’s nonce, or A-nonce) to Bob, and Bob can send y^b (as Bob’s nonce, or B-nonce) to Alice. Again, starting with Alice, she can again use her private value A on the B-nonce. Her result will be (y^b)^a or

g^ba mod p

Similarly, with his private value, b, Bob can calculate (y^a)^b from the received A-nonce:

g^ab mod p

But guess what: Mathematically, g^ba mod p and g^ab mod p are equivalent. So, in fact, Bob and Alice have just, securely, exchanged a new secret key.

Diffie-Hellman is vulnerable to man-in-the-middle attacks because the key exchange does not authenticate the participants. To prove authenticity, digital signatures and digital certificates by accepting someone’s public key in advance, sometimes within a PKI, should be used. Diffie-Hellman is used in conjunction with several authentication methods including the Internet Key Exchange (IKE) component of IPSec. The following list provides some information you should know about Diffie-Hellman:

First asymmetric algorithm

Provides key exchange services

Considered a key agreement protocol

Operates by means of discrete logarithms

Typically, the plaintext will be broken into equal-length blocks, each with fewer digits than n, and each block will be encrypted and decrypted. Cryptanalysts or anyone attempting to crack RSA would be left with the difficult challenge of factoring a large integer into its two factors. Cracking the key would require an extraordinary amount of computer processing power and time. RSA supports a key size up to 2,048 bits.

The RSA algorithm has become the de facto standard for industrial-strength encryption, especially since the patent expired in 2000. It has been built into many protocols, firmware, and software products such as Microsoft’s Internet Explorer, Edge, Google Chrome, and Mozilla’s Firefox.

y² = x³ + ax + b, along with a single point O, the point at infinity

The space of the elliptic curve has properties where

Addition is the counterpart of modular multiplication.

Multiplication is the counterpart of modular exponentiation.

Thus, given two points, P and R, on an elliptic curve where P = KR, finding K is known as the elliptic curve discrete logarithm problem. ECC is fast. According to RFC 4492, a 163-bit key used in ECC has similar cryptographic strength to a 1,024-bit key used in the RSA algorithm and, as such, is being implemented in smaller, less-powerful devices such as smart phones, tablets, smartcards, and other handheld devices.

The system works as follows. If Michael wants to send a message to his editor, Betsy, the following would occur, as illustrated in Figure 6.10.

1. Michael generates a random private key for the data encapsulation scheme. We will call this the session key.

2. Michael encrypts the message with the data encapsulation scheme using the session key that was generated in step 1.

3. Michael encrypts the session key using Betsy’s public key.

4. Michael sends both of these items, the encrypted message and the encrypted key, to Betsy.

5. Betsy uses her private key to decrypt the session key and then uses the session key to decrypt the message.

Nearly all modern cryptosystems work this way because you get the speed of secret key cryptosystems and the “key-exchange-ability” of public key cryptosystems. Hybrid cryptographic systems include IPSec, PGP, SSH, SET, SSL, WPA2-Enterprise, and TLS. Each of these systems will be discussed in detail later in the chapter.

Hashing algorithms are not intended to be reversed to reproduce the data. The purpose of the message digest is to verify the integrity of data and messages. In a well-designed message digest if there is even a slight change in an input string the output hash value should change drastically. This is known as the avalanche effect. As an example, Knoppix STD version 0.1 (s-t-d.org/md5.html) has an MD5 hash value of de03204ea5777d0e5fd6eb97b43034cb. This means if you were to download the distribution, or get it from a friend, the file you receive should produce this saved hash value if you recalculate the MD5 hash. Any other value would indicate the file has been altered or corrupted. Programs such as Tripwire, MD5sum, and Windows System File Verification all rely on hashing. Some common hashing algorithms include:

Message DIGEST Algorithm (MD5) series

Secure Hash Algorithm (SHA) series

HAVAL

RIPEMD

Whirlpool

Tiger

The biggest problem for hashing is the possibility of collisions. Collisions result when two or more different inputs create the same output. Collisions can be reduced by moving to an algorithm that produces a larger hash.

1. Bill produces a message digest by passing a message through a hashing algorithm.

2. The message digest is then encrypted using Bill’s private key.

3. The message is forwarded to the recipient, Alice.

4. Alice creates a message digest from the message with the same hashing algorithm that Bill used. Alice then decrypts Bill’s signature digest by using his public key.

5. Finally, Alice compares the two message digests, the one originally created by Bill and the other that she created. If the two values match, Alice can rest assured that the message is unaltered.

Figure 6.12 illustrates this process and demonstrates how the hashing function ensures integrity, and the signing of the hash value provides authentication and nonrepudiation.

PKI is a framework that consists of hardware, software, and policies that exist to manage, create, store, and distribute keys and digital certificates. The components of this framework include the following:

The Certificate Authority (CA)

The Registration Authority (RA)

The Certificate Revocation List (CRL)

Digital certificates

A certificate distribution system

A CA doesn’t have to be an external third party; many companies decide to tackle these responsibilities by themselves. Regardless of who performs the services, the following steps must be performed:

1. The CA verifies the request for certificate with the help of the RA.

2. The individual’s identification is validated.

3. A certificate is created by the CA, which certifies that the person matches the public key that is being offered.

RAs play a key role when certificate services expand to cover large geographic areas. One central CA can delegate its responsibilities to regional RAs around the world.

The CRL is maintained by the CA, which signs the list to maintain its accuracy. Whenever problems are reported with digital certificates, they are considered invalid and the CA has the serial number added to the CRL. Anyone requesting a digital certificate can check the CRL to verify the certificate’s integrity. The replacement for CRLs is the Online Certificate Status Protocol (OCSP); it has a client–server design that scales better. When a user requests access to a server, OCSP sends a request for certificate status information. The server sends back a response of current, expired, or unknown. Regardless of which method is used, problems with certificates are nothing new; Dell had such a problem in 2015. You can read more about it at www.infoworld.com/article/3008422/security/what-you-need-to-know-about-dells-root-certificate-security-debacle.html.

It ensures the integrity of the public key and makes sure that the key remains unchanged and in a valid state.

It validates that the public key is tied to the stated owner and that all associated information is true and correct.

The information needed to accomplish these goals is added into the digital certificate. Digital certificates are formatted to the X.509 standard. The most current version of X.509 is version 3. One of the key developments in version 3 was the addition of extensions. Version 3 includes the flexibility to support other topologies. It can operate as a web of trust much like PGP. An X.509 certificate includes the following elements, and examples showing some of these elements are displayed in Figure 6.13:

Version

Serial number

Algorithm ID

Issuer

Validity

Not Before (a specified date)

Not After (a specified date)

Subject

Subject public key information

Public key algorithm

Subject public key

Issuer-unique identifier (optional)

Subject-unique identifier (optional)

Extensions (optional)

Digital certificates play a vital role in the chain of trust. Public key encryption works well when we are dealing with people we know because it’s easy for us to send each other a public key. But what about communicating with people we don’t know?

Although you might want to use an external certificate authority, it is not mandatory. You could decide to have your own organization act as a certificate authority. Regardless of whether you have a third party handle certificate duties or you perform them yourself, digital certificates will typically contain the following critical pieces of information:

Identification information that includes username, serial number, and validity dates of the certificates.

The public key of the certificate holder.

The digital signature of the signature authority. This piece is critical because it certifies and validates the integrity of the entire package.

Protecting the private key is an important issue because it’s easier for an attacker to target the key than to try to crack the certificate service. Organizations should concern themselves with seven key management issues:

Generation

Distribution

Installation

Storage

Key change

Key control

Key disposal

Key recovery and control is an important issue that must be addressed. One basic recovery and control method is the M of N Control method of access. This method is designed to ensure that no one person can have total control and is closely related to dual control. Therefore, if N number of administrators have the ability to perform a process, M number of those administrators must authenticate for access to occur. M of N Control should require physical presence for access. Here is an example: Suppose that a typical M of N Control method requires that four people have access to the archive server and at least two of them must be present to accomplish access. In this situation, M = 2 and N = 4. This would ensure that no one person could compromise the security system or gain access.

Secure Multipurpose Internet Mail Extensions (S/MIME)—By default, MIME does not provide any protection. To overcome this problem, S/MIME was developed by RSA. S/MIME has been built into virtually every email system to encrypt and digitally sign the attachments of protected email messages. S/MIME adds two valuable components to standard email: digital signatures and public key encryption. S/MIME supports X.509 digital certificates and RSA encryption.

Privacy Enhanced Mail (PEM)—PEM is an older standard that has not been widely implemented but was developed to provide authentication and confidentiality. PEM public key management is hierarchical. PEM uses MD2/MD5 and RSA for integrity and authentication.

Message Security Protocol (MSP)—MSP is the military’s answer to PEM. Because it was developed by the NSA, it has not been open to public scrutiny and is not widely used. It is part of the DoD’s Defense Messaging System and provides authentication, integrity, and nonrepudiation. The military has its own security network referred to as SIPERNET.

MIME Object Security Services (MOSS)—MOSS extended the functionality of PEM and is not widely used. MOSS was eclipsed by S/MIME and by PGP. MOSS is the only email standard that gives users an out-of-the-box mechanism for signing the recipient-list.

Because security wasn’t one of the driving forces when the TCP/IP protocols were developed, the cryptographic solutions discussed here can go a long way toward protecting the security of an organization. Although in reality encryption at any layer is accomplished on the payload of the next higher layer, most CISSP questions will focus on basic knowledge of encryption processes and the layer at which they are found. Figure 6.14 shows some common cryptographic solutions and their corresponding layers. Chapter 7, “Communications and Network Security,” discusses many of these protocols in greater depth. Let’s start at the top of the stack and work down through the layers.

Secure Shell (SSH)—SSH is an Internet application that provides secure remote access. It is considered a replacement for FTP, Telnet, and the Berkley “r” utilities. SSH defaults to TCP port 22. SSH version 1 has been found to contain vulnerabilities, so it is advisable to use SSH V2.

Secure FTP (SFTP)—SFTP uses an SSH connection, and then tunnels the FTP protocol through the secure shell. The latest version of SSH is v2.0 and typically runs on TCP port 22. The FTP client software must support the SFTP protocol.

FTP Secure (FTPS)—FTPS establishes an SSL secure channel, and then runs the FTP session through SSL. IANA assigned ports 989 (data) and 990 (control) for FTPS, but vendors are free to use custom port numbers and often do.

Secure Hypertext Transfer Protocol (S-HTTP)—S-HTTP is a superset of HTTP that was developed to provide secure communication with a web server. S-HTTP is a connectionless protocol designed to send individual messages securely.

Secure Electronic Transaction (SET)—Visa and MasterCard wanted to alleviate fears of using credit cards over the Internet, so they developed SET. This specification uses a combination of digital certificates and digital signatures among the buyer, merchant, and the bank so that privacy and confidentiality are ensured. While this sounds like a great idea, one of the problems with SET was that the banks wanted to charge for this service, and required hardware and software changes. Many vendors fought these fees and so SET is not widely used. Out of the ashes of SET came the Payment Card Industry Data Security Standard (PCI-DSS). This requires all vendors who accept credit cards to meet and guarantee specific information system security standards designed to protect the credit card data.

Secure Sockets Layer (SSL)—SSL was developed by Netscape for transmitting private documents over the Internet. Unlike S-HTTP, SSL is application-independent. One of the advantages of SSL is its cryptographic independence. The protocol itself is merely a framework for communicating certificates, encrypted keys, and data. The most current version of SSL is SSLv3, which provides for mutual authentication and compression. Figure 6.15 illustrates the transactions in an SSL session. As of 2014 SSLv3 is considered insecure and is vulnerable to the POODLE exploit. If attackers successfully exploit this vulnerability, they only need to make about 256 SSL 3.0 requests to break the encryption. TLS 1.2 is the current standard for HTTP encryption.

Transport Layer Security (TLS)—TLS encrypts the communication between a host and a client. TLS typically makes use of an X.509 digital certificate for server authentication. This mechanism provides strong authentication of the server to the client, so the client can trust that it is connected to the correct remote system. TLS consists of two layers: the TLS Record Protocol and the TLS Handshake Protocol. One of the most common implementations of TLS is HTTPS, which is simply HTTP over TLS.

Secure Socket Tunneling Protocol (SSTP)—SSTP is a form of VPN tunnel that was released in 2008 and provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 connection. SSTP requires a digital certificate on the server side and establishes an SSL tunnel that encrypts all traffic over TCP port 443. Because it uses the same port used by HTTPS, this facilitates its use through corporate firewalls.

Wireless Transport Layer Security (WTLS)—WTLS is a security protocol developed for cellular technology. In an attempt to minimize upper-layer support code, the cellular industry developed its own Wireless Access Protocol (WAP) stack. WTLS encrypts the communication between the cellular wireless client and the ISP tower that the cell phone is connecting to. At the tower, the WTLS packet is decrypted, then re-encrypted with standard TLS and routed on to the Internet. This means that for a moment, customer data exists unencrypted. This is a security vulnerability that has become known as the gap in WAP. The cellular industry has since released WAPv2, which incorporates industry standard TLS (minimized as possible), so that decryption is no longer necessary.

Encapsulated secure payload (ESP)—ESP provides confidentiality by encrypting the data packet. The encrypted data is hidden from prying eyes, so its confidentiality is ensured.

Authentication header (AH)—The AH provides integrity and authentication. The AH uses a hashing algorithm and symmetric key to calculate a message authentication code. This message-authentication code is known as the integrity check value (ICV). When the AH is received, an ICV value is calculated and checked against the received value to verify integrity.

Security Association (SA)—For AH and ESP to work, there must be some negotiations regarding the rules of conduct for exchanging information between the client and server. These negotiations include the type of symmetric and asymmetric algorithms that will be used, as well as state-specific information in support of the secure channel. The results of these negotiations are stored in an SA. The SA identifies the details of each one-way connection. Two-way communication channels will have two SAs; each distinguished by its Security Parameter Index (SPI). If both AH and ESP are used, four SAs are required. IPSec uses a symmetric shared key to encrypt bulk communications. The Diffie-Hellman algorithm is used to generate this shared key.

IPSec Internet Key Exchange (IKE)—IPSec must have a procedure to exchange key information between clients, and the Internet Key Exchange (IKE) is the default standard. IKE is responsible for creating IPSec’s SA and is considered a hybrid protocol because it combines the functions of two other protocols: the Internet Association and Key Management Protocol (ISAKMP) and the OAKLEY protocol.

The Internet Association and Key Management Protocol (ISAKMP)—This subset of IKE sets up the framework for performing the negotiations during the client/server handshake process. This could include items such as algorithm types and key sizes.

OAKLEY Protocol—This portion of the IKE is responsible for carrying out the negotiations. This protocol is like the errand guy!

Transport and tunnel modes—AH and ESP can work in one of two modes: transport mode or tunnel mode. These modes define how the encryption or integrity functions will be applied to the data stream. Transport mode encrypts the payload received from the host-to-host layer. Tunnel mode encapsulates the payload received from the host-to-host layer and the original IP header that was to encapsulate that payload. A new IPv4 header is added for routing between the tunnel endpoints. Tunnel mode is designed to be used by VPNs.

Other lesser-known cryptographic solutions found at the Internet layer include:

Simple Key Management for Internet Protocol (SKIP)—SKIP was developed by the IETF. SKIP is rarely used and requires no prior communication; it is similar to SSL. SKIP was evaluated as a key exchange mechanism for IPsec before the adoption of IKE in 1998.

Software IP Encryption (SwIPe)—SwIPe was an early attempt to develop an open standard for VPNs. Although freely available, it was available only for SunOS and is not widely used.

Point-to-Point Tunneling Protocol (PPTP)—PPTP was developed by a group of vendors. It consists of two components: the transport, which maintains the virtual connection, and the encryption, which ensures confidentiality. It can operate at a 40-bit or 128-bit key length.

Layer 2 Tunneling Protocol (L2TP)—L2TP was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol. By itself, it provides no encryption; but it is deployed with IPSec as a VPN solution.

WPA2-Enterprise—This is a Wi-Fi Alliance certification that identifies equipment capable of establishing a secure channel of communication at TCP/IP layer 1 / OSI Layer 2 using EAP for authentication, and AES-CTR-CBC-MAC for encryption. Cisco LEAP can be used with WPA and WPA2 networks.

End-to-end encryption encrypts the message and the data packet. Header information, IP addresses, and routing data are left in cleartext. Although this means that a malicious individual can intercept packets and learn the source and target destination, the data itself is secure. The advantage of this type of encryption is speed. No time or processing power is needed to decode address information at any intermediate points. The disadvantage is that even with the data encrypted, an attacker might be able to make an inference attack.

Sending information by means of end-to-end encryption prevents the attacker from sniffing host-to-host or application data, but it does not mean the attacker cannot understand something about the actual communication. This is known as inference.

Inference can occur any time an attacker notices a change in activity at a client. As an example, some news agencies allegedly monitor the White House for pizza deliveries. The belief is that a spike in pizza deliveries indicates that officials are working overtime and that there is a pending event of importance. A similar spike in encrypted email traffic could allow similar inferences.

Traffic padding can be used to defeat an inference attack. As an example, a military agency could have a connection between the United States and Afghanistan. Although third parties might be able to see that traffic is flowing, the amount transmitted stays at a constant flow and thereby prevents attackers from performing an inference attack.

Your choice for encryption at the physical layer is link-to-link encryption. Link-to-link encryption encrypts all the data sent from a specific communication device to another specific device. This includes the headers, addresses, and routing information. Its primary strength is that it provides added protection against sniffers and eavesdropping. Its disadvantage is that all intermediate devices must have the necessary keys, software, and algorithms to encrypt and decrypt the encrypted packets at each hop along the trip. This adds complexity, consumes time, and requires additional processing power.

Because cryptography can be such a powerful tool and the ability to break many algorithms is limited, the Coordinating Committee for Multilateral Export Controls (CoCOM) was established to deal with the control of cryptographic systems. CoCOM ended in 1994 and was replaced by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The Wassenaar Arrangement had wide support; that more than 30 countries have come together to control the export of cryptography.

One issue to consider before launching a cryptographic attack is what is known about the algorithm. Is it public or private? Auguste Kerckhoff is credited with creating, in the nineteenth century, Kerckhoff’s Principle, which states that a cryptographic system should not require secrecy. Everything should be public except the key. An example of this debate can be seen in the development and crack of Content Scrambling System (CSS). This method of encryption was developed by the DVD Copy Control Association (DVD CCA). Because the algorithm was proprietary, it was not made public. CSS was designed to allow only authorized DVD players to decode scrambled content stored on the original DVD discs. This was until Jon Lech Johansen and others got together and cracked CSS, posting a utility called DeCSS to the Internet in late October 1999. So, whereas some argue that algorithms should be secret, others continue to believe that open standards and systems allow for more robust, secure systems.

When attempting a cryptographic attack, the work factor is something that must be considered. The work factor can be measured as the time and effort needed to perform a brute-force attack against an encryption system. As an example, the CSS algorithm reduced the effective key length to only around 16 bits. This small key size meant the work factor was low and that CSS could be brute-forced by a 1GHz processor in less than a minute. An example of a distributed cryptographic attack can be seen with www.distributed.net. The program functions by downloading a client utility. Anyone can join in as long as they do not mind sharing some of the local system’s CPU cycles. This project was started in 1997 and, on July 14, 2002, was able to crack the RSA Labs 64-bit secret-key for one message.

With the basic concepts of cryptanalysis completed, let’s review some common attacks that might target a cryptographic system:

Known plaintext attack—This attack requires the attacker to have the plaintext and ciphertext of one or more messages. Encrypted file archives such as ZIP are prone to this attack.

Ciphertext-only attack—This attack requires the attacker to obtain several encrypted messages that have been encrypted using the same encryption algorithm. The attacker does not have the associated plaintext; he attempts to crack the code by looking for patterns and using statistical analysis.

Chosen ciphertext—If the attacker can decrypt portions of the ciphertext message, the decrypted portion can then be used to discover the key.

Chosen plaintext—The attacker has the plaintext messages encrypted and then can analyze the ciphertext output.

Differential cryptanalysis—Generally used to target block ciphers, it works by looking for the difference between related plaintexts that are encrypted, and the difference between their resultant ciphertexts.

Linear cryptanalysis—Along with differential cryptanalysis, one of the two most widely used attacks on block ciphers. Linear cryptanalysis uses functions to identify the highest probability a specific key was used during the encryption process. The key pairs are then studied to derive information about the key used to create them.

Birthday attack—The birthday attack gets its name from the birthday paradox, which states that within a group of people, the chances that two or more will share birthdays is unexpectedly high. This same logic is applied to calculate collisions in hash functions. A message digest can be susceptible to birthday attacks if the output of the hash function is not large enough to avoid collisions.

Key clustering—This is a vulnerability that can occur when two different keys produce the same ciphertext from the same message. This can sometimes be the result of having a small key space or might be a characteristic of some cryptosystems. Key clustering is a real problem as it means that two or more different keys could also decrypt the secure content. A strong cryptosystem should have a low frequency of key clustering occurrences. If not, this is yet another way that a cryptosystem might be targeted for attack.

Replay attack—This method of attack occurs when the attacker can intercept cryptographic keys and reuse them later to either encrypt or decrypt messages.

Man-in-the middle attack—This attack is carried out when attackers place themselves in the communications path between two users. From this position, the possibility exists that they can intercept and modify communications.

Side channel attack—These attacks are based on side channel information such as timing, sound, or electromagnetic leaks. Here is a link that provides a good example of side channel attack by analyzing the power consumption of the CPU: en.wikipedia.org/wiki/Side-channel_attack

Rubber hose attack—When all else fails, this method might be used to extract a key value or other information. This type of attack might include threats, violence, extortion, or blackmail, because humans are the biggest weakness, not the cryptosystem.

A. 4950

B. 49.5

C. 99

D. 4900

2. Which of the following best describes obtaining plaintext from ciphertext without a key?

A. Frequency analysis

B. Cryptanalysis

C. Decryption

D. Hacking

3. Which of the following attacks occurs when an attacker can intercept session keys and reuse them at a later date?

A. Known plaintext attack

B. Ciphertext-only attack

C. Man-in-the-middle attack

D. Replay attack

4. Which of the following is a disadvantage of symmetric encryption?

A. Key size

B. Speed

C. Key management

D. Key strength

5. Which of the following is not an example of a symmetric algorithm?

A. DES

B. RC5

C. AES

D. RSA

6. Which of the following forms of DES is considered the most vulnerable to attack?

A. CBC

B. ECB

C. CFB

D. OFB

7. DES uses which of the following for a key size?

A. 56 bits

B. 64 bits

C. 96 bits

D. 128 bits

8. Which implementation of Triple-DES uses the same key for the first and third iterations?

A. DES-EEE3

B. HAVAL

C. DES-EEE2

D. DES-X

9. Which of the following algorithms is used for key distribution, not encryption or digital signatures?

A. El Gamal

B. HAVAL

C. Diffie-Hellman

D. ECC

10. Which hashing algorithm produces a 160-bit output?

A. MD2

B. MD4

C. SHA-1

D. El Gamal

11. What is another name for a one-time pad?

A. ATBASH cipher

B. Vigenère cipher

C. Caesar cipher

D. Vernam cipher

12. Which of the following is also known as a ROT3 cipher?

A. ATBASH cipher

B. Vigenère cipher

C. Caesar cipher

D. Vernam cipher

13. Which of the following did the Wassenaar Arrangement replace?

A. IETF

B. ComCo

C. The group of five

D. CoCom

14. Which of the following is not a hashing algorithm?

A. Whirlpool

B. RipeMD

C. Tiger

D. Mars

15. While working with a file integrity program, Tripwire, you have been asked to review some recent issues with a cryptographic program. What is it called when two different keys generate the same ciphertext for the same message?

A. Hashing

B. A collision

C. Key clustering

D. Output verification

2. B. Cryptanalysis is the study and act of breaking encryption systems. Although it can mean obtaining the plaintext from the ciphertext without a key, it can also mean that the cryptosystem was cracked because someone found a weakness in the cryptosystem’s implementation. Such was the case with wired equivalent privacy (WEP). Answer A is incorrect because although the cryptanalyst can use frequency analysis to aid in cracking, it is not a valid answer. Answer C is incorrect because decryption is the act of unencrypting data. Answer D is incorrect because hacking is a term used to describe the actions of criminal hackers.

3. D. A reply attack occurs when the attacker can intercept session keys and reuse them at a later date. Answer A is incorrect because a known plaintext attack requires the attacker to have the plaintext and ciphertext of one or more messages. Answer B is incorrect because a ciphertext-only attack requires the attacker to obtain several messages encrypted using the same encryption algorithm. Answer C is incorrect because a man-in-the middle attack is carried out when attackers place themselves in the communications path between two users.

4. C. Key management is a primary disadvantage of symmetric encryption. Answers A, B, and D are incorrect because encryption speed, key size, and key strength are not disadvantages of symmetric encryption.

5. D. RSA is an asymmetric algorithm. Answers A, B, and C are incorrect because DES, RC5, and AES are examples of symmetric algorithms.

6. B. Electronic Code Book is susceptible to known plaintext attacks because the same cleartext always produces the same ciphertext. Answers A, C, and D are incorrect. Because CBC, CFB, and OFB all use some form of feedback, which helps randomize the encrypted data, they do not suffer from this deficiency and are considered more secure.

7. A. Each 64-bit plaintext block is separated into two 32-bit blocks and then processed by the 56-bit key. Total key size is 64 bits but 8 bits are used for parity, thereby making 64, 96, and 128 bits incorrect.

8. C. DES-EEE2 performs the first and third encryption passes using the same key. Answers A, B, and D are incorrect: DES-EEE3 uses three different keys for encryption; HAVAL is used for hashing and DES does not use it; DES-X is a variant of DES with only a 56-bit key size, which was designed for DES, not 3DES.

9. C. Diffie-Hellman is used for key distribution, but not encryption or digital signatures. Answer A is incorrect because El Gamal is used for digital signatures, data encryption, and key exchange. Answer B is incorrect because HAVAL is used for hashing. Answer D is incorrect because ECC is used for digital signatures, data encryption, and key exchange.

10. C. SHA-1 produces a 160-bit message digest. Answers A, B, and D are incorrect because MD2 and MD4 both create a 128-bit message digest and El Gamal is not a hashing algorithm.

11. D. Gilbert Vernam is the creator of the one-time pad. A one-time pad (key) is a keystream that can be used only once and is considered unbreakable if properly implemented. The one-time pad (Vernam cipher) consists of a pad of the same length as the message to which it’s applied. The one-time pad is very effective for short messages and is typically implemented as stream ciphers. Therefore, answers A, B, and C are incorrect.

12. C. Caesar’s cipher is also known as a ROT3 cipher as each character is rotated by three spaces. ATBASH used two separate alphabets that were reversed. The Vigenère cipher is an example of a polyalphabetic cipher, and Gilbert Vernam is the creator of the one-time pad.

13. D. CoCom is an acronym for Coordinating Committee for Multilateral Export Controls and was established by Western block powers after the end of World War II. The Wassenaar Arrangement replaced it. Answers A, B, and C are therefore incorrect.

14. D. Mars is an example of a symmetric encryption algorithm, whereas Whirlpool, RipeMD, and Tiger are all examples of hashing algorithms.

15. C. Key clustering is said to occur when two different keys produce the same ciphertext for the same message. A good algorithm, using different keys on the same plaintext, should generate a different ciphertext. Answers A, B, and D are incorrect: hashing is used for integrity verification; a collision occurs when two different messages are hashed and output the same message digest; and output verification is simply a distractor.

IETF PKI Working Group: datatracker.ietf.org/wg/pkix/charter/

Possible Backdoor to ECC: blog.cloudflare.com/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

Concealment ciphers: math.ucdenver.edu/~wcherowi/courses/m5410/m5410cc.html

Historical ciphers: www.cs.trincoll.edu/~crypto/historical/

RFC 3280 information on PKI: www.ietf.org/rfc/rfc3280.txt

Steganography in real life: threatpost.com/attackers-embracing-steganography-to-hide-communication/115394/

Enigma: www.codesandciphers.org.uk/enigma/index.htm

Digital signature algorithm: www.rfc-base.org/rfc-5485.html

Steganography: www.garykessler.net/library/steganography.html

Password hashing: phpsec.org/articles/2005/password-hashing.html