| Terms | Definitions |
|
Key Mgt Factors (9)
CM,R,S,RD,C,T,F,E
|
control measures who has keys/how assigned
Recovery recover lost keys
Storage secure repository of key assignment records
retirement/destruction how removed from use/destroyed
change changing keys to system on periodic basis
generation generate random key for better protection
theft what to do when key stolen
freq. of key use limits time that keys used and how often used
escrow splitting key into multiple parts, storing w/"escrowed" org.
|
|
XOR Cipher
|
binary math operation tests whether 2 inputs are same or different from each other:
0,0 = 0
1,0 = 1
0,1 = 1
1,1 = 0
|
|
Email Security
|
PGP Pretty Good Privacy; email, digital signature; PK to encrypt; encrypt msg, then key. key decrypted, then msg w/key.
PEM Privacy-Enhanced Mail; std for secure exchange; various crypto tech. Msg Integ; Sender Auth; confidentiality- only intended recipient
MIME & S/MIME Multipurpose Internet Mail Extension; define/ID type of attachments in email; S/MIME digital signs & encrypts contents w/PK; content integrity.
|
|
Public Key Infrastructure Components (5)
|
Digital certs
CA Cert Auth
RA Registration Auth
Cert Repository DB (SW)
Cert. Mgt System (SW)
|
|
Cryptography & CIA Triad
|
Confidentiality encrypt info to hide contents except to intended recipient
Integrity insured from modification; can ID any changes
Availability encrypting credentials (userID pw); hide pw; pw not shown in cleartext
|
|
Digital Certs
|
associates credentials w/public key
users and devices
CA issues certs and keys
|
|
Transposition
|
rearranging parts of msg/output (msg or key)
move letters around
|
|
Stream Cipher
|
symmetric encryption one bit @ a time
fewer errors
fast
|
|
Avalanche Effect
|
small change in plaintext produces large change in ciphertext
|
|
Cryptosystems (Enigma)
|
HW/SW used to implement cryptographic process
cryptanalysis study of cryptosystems; intent of breaking; determine workfactor (time to break code)
Enigma Device used by Germans in WWII to perform encryption/decryption
|
|
DES Standard Process (4 steps)
|
Expansion 64 bit split into (2) 32 bit blocks. Each block expanded to 48 bits
Key Mixing 48 bit block XORd w/subkey. 16 48 bit subkeys created from main key (1 key per round)
Substitution Substitutions performed (S-boxes: 32 4-bit blocks)
Permutation 32 4 bit blocks rearranged based on P-box (predefined scrambling process)
|
|
Cryptanalysis Attacks
|
Ciphertext-only attacker has ciphertext; intent to find encryption key; once has key, can decrypt other message
Known plaintext common msg format, using copies of cipher/plaintext & limited info to find correct key
Chosen plaintext key manipulated, decodes and finds key w/only part of plaintext
Chosen ciphertext key manipulated, decodes and finds key w/only part of ciphertext
|
|
Block Cipher
|
encrypts one block @ time (64 or 128 bit)
more secure
slower
|
|
IPSec Process
|
Security Association (SA):
Negotiate time limit for SA
Mode
ESP encryption alg, key, IV
ESP auth alg, key
AH auth alg, key
seq # counter
Internet Key Exchange (IKE): not PKI
|
|
Asymmetric Encryption Algorithms
|
RSA Rivest Shamir Adleman
Elgamal developed by Taher Elgamal
ECC Elliptic Curve Crypto: discrete logs, shorter keys
|
|
Encryption
|
security technique that converts data from clear/plaintext form into coded/ciphertext form
1 or 2 way encryption (hide original msg only; no encryption vs encoded msg transformed to original format)
|
|
Digital Signature
|
hash encrypted w/user's private key
msg sent digitally signed, recipient decrypts w/public key
message hashed
hash encrypted w/sender priv key
Msg re-hashed
Sender hash decrypted w/sender pub key
2 hashes compared
|
|
Substitution
|
don't have to encrypt EVERYTHING
during processing w/algorithm (encryption)
XML employs technique
|
|
PKI Process (5)
|
Obtain Key Pair
Issue Cert
CA verifies PK
CA creates ID
Revoke expired certs
|
|
Cryptography Process (5 steps)
|
Start w/plaintext
Select encryption key
Encrypt plaintext into ciphertext
Transport/store ciphertext until needed
Decrypt using key
|
|
Encryption Internet Security Methods
|
Link Encryption Layer 2 of OSI (Data) encryption; routers; devices @ both ends of transmission that en/decrypt
IPSec Transport (info encrypted) and Tunnel Mode (IP info and info encrypted); secures data over transmission; Layer 3 OSI (transport)
Upper-layer Encryption HTTPS TLS SSH SSL; upper layers of OSI
|
|
Symmetric Encryption Algorithm Issues (2)
|
Transportation must be done w/secure procedures
# of Keys [n*(n-1)]/2
|
|
Cryptographic Keys
|
specific piece of info used w/algorithm to perform encrypt/decryption
|
|
Ciphers
|
SW or other tech that applies algorithm (rule/system used to encrypt data)
|
|
Wireless Security Protocol
|
WEP 1st encryption; single key; RC4; 40bit key;24bit IV; easy to break cause IV was always 24bit
WPA RC4; 128bit key w/48bit IV; TKIP alg
WPA2 AES
|
|
Alt. Ciphers (4)
|
Steganography hides info by enclosing it into img, sound, movie
Watermark embed mark/image to ID source for copyright/ownership
Code book book/booklet that has phrases represented by codes
One-time pad tool w/very long, non-repeating key is same length of plaintext. 1 time use, then destroyed.
|
|
Block Cipher Modes (4)
|
ECB Electronic Code Book 64 bit blocks encrypted sep.
CBC Cipher Block Chaining 64 bit blocks XORed w/64 bit IV; encrypted w/1 key. outputted ciphertext used to replace IV for next round, creating a chain
CFB Cipher FeedBack like CBC, but each round uses different key. i.e. AES
OFB Output FeedBack
|
|
Cert Info (14)
|
Ver
Serial #
Algorithm ID
Issuer
Validity
Not Before
Not After
Subject
Subject PK info
Issuer Unique ID (opt.)
Subject Unique ID (opt.)
Extensions (opt.)
Cert Signature Alg.
Cert Signature (determines validity)
|
|
Symmetric Encryption Algorithms (8)
|
DES
2DES
3DES
IDEA
AES
RC2/4/5/6
BLOWFISH
CAST-128
|
|
Cipher Types (2) and XOR
|
Stream symmetric encryption one bit @ a time; fewer errors; fast
Block encrypts one block @ time (64 or 128 bit); more secure; slower
XOR binary math operation tests whether 2 inputs are same or different from each other:
0,0 = 0
1,0 = 1
0,1 = 1
1,1 = 0
|
|
Cert Revocation List (CRL)
|
list of certs (serial #) that have been revoked, no longer valid
|
|
Ideal Cipher (2 terms)
|
Usability simple keys/algorithms; easy to implement; plaintext not > ciphertext
Secrecy assume enemy knows key
using Diffusion (mixup plaintext during encryption) and Confusion (mixing up key values during encryption)
|
|
Public Key Infrastructure
|
crypto system composed of certs, CA, RA, CRD (cert repository database), CMS (cert mgt system) to enable authenticity/validation of data
|
|
Digesting and Hashing Alg. (3)
|
MD2/4/5 128 bit; created in 89,90,91; 8-bit, 32-bit, 32-bit; MD5 stronger, but slower than MD4
HAVAL modified MD5 w/variable lengths (128, 160, 192, 224, 256)
SHA 1/256/384/512 stronger than MD5; used w/DSA (Digital Sig. Alg); 160, 256, 384, 512-bit len.
|
|
Initialization Vectors (IV)
|
string used w/symmetric cipher and key to produce unique result
same phrase encrypted different cipher/key @ different versions
|
|
Auth. Code Alg. (4)
|
MAC Msg Auth Code; shared secret key; last block of encrypted file used as comparison: encrypted, then last block & unencrypted file sent. recipient encrypts again and compares last block to last block sent
HMAC Hash MAC
UMAC Universal HMAC
CMAC, OMAC, CBC-MAC, PMAC Cipher, One-key, Cipher-Block, Parallelized MAC are all BLOCK cipher ACA
|
|
Hashing
|
1 way encryption
produces hash, hash value, message digest
keyed or non-keyed
keyed w/secret key sent w/msg; non-keyed no mech used
hash len. fixed
susceptible to brute force
PW Protection is example
|
|
Asymmetric Encryption
|
2 way, 2 keys (private/public keys; 1 for encrypt, 1 for decrypt)
attempts to solve problems of key distro/mgt
key generation process of generating priv/pub keys
slower
more secure
|
|
Asym. Encryption Applications
|
Confidentiality increased confidentiality; only recipient can decrypt
Integrity if msg altered in transmission, decryption not possible
Non-repudiation (can not be disputed) ID of sender is confirmed because only sender has private key
|
|
Encryption Attacks (5)
|
Bday Attack probability
Dictionary using predetermined list
Replay While in transmission, pw captured and replayed
Side Channel tries to exploit encryption technique
Factoring Prime #
|
|
Symmetric Encryption
|
key on both sides
also known as shared-key
same key used for both en/decryption
fast, but vulnerable
|
|
Cipher Evolution (3 Eras)
|
Early Spartan technique: encryption - wrap paper/leather around staff and write message; key - unwrap paper/leather; decryption - wrap paper/leather around staff of identical diameter
Mechanical HW-based like Enigma uses cypherdisk (fast en/decryption)
Software SW-based using computers; early on user must know process; now little knowledge of process required
|
|
Cryptography
|
analysis/practice of information concealment via encryption using algorithms
|