Confidentiality, Integrity, Authentication, Nonrepudiation
|2 main types of cipher encryption||
substitution and transposition
A pair of identical keys. The same key is used both to encrypt and decrypt. Also called Same, Secret, Shared, Session, Single, and Streaming Keys.
A stream cipher encrypts data 1 bit at a time. Faster than block ciphers. The encryption of any plain-text data with a block cipher results in the same ciphertext when the same key is used. With stream ciphers, each bit of the plain-text stream is transformed into a different ciphertext bit.
A block cipher encrypts entire blocks of data, rather than smaller bits of data. The plain-text block and the ciphertext block are the same length. For many block ciphers, the block size is 64 bits.
Everyone uses a pair of different, but mathematically related keys. A message encrypted using one of the pair can only be decrypted using the other of the pair. One key is the public key, which is known to all users, while the private key remains secret and is given to the user to keep private. It offers a level of authentication that symmetric encryption does not.
Steganography is a method of hiding data in another type of media that effectively conceals the existence of the data. This is typically performed by hiding messages in graphics images such as bitmap (BMP) files or other types of media files such as WAV digital music files. These types of files contain insignificant data bits that can be replaced by the data to be hidden without affecting the original file enough to be detected.
|Public Key Infrastructure (PKI)||
Public Key Infrastructure (PKI) is a standard infrastructure consisting of a framework of procedures, standards, and protocols, based on public key cryptography. PKI is a hybrid of asymmetric and symmetric key algorithms and provides the full range of the information assurance objectives for confidentiality, integrity, authentication, and nonrepudiation. The asymmetric keys are used for authentication, and, after this is successfully accomplished, one or more symmetric keys are generated and exchanged using the asymmetric encryption. A message is encrypted using a symmetric algorithm, and that key is then encrypted asymmetrically using the recipient’s public key. The entire message (symmetrically encrypted body and asymmetrically encrypted key) is sent together to the recipient. The message might also be digitally signed through the use of digital certificates.
A digital certificate is a credential required by PKI systems that can securely identify an individual, as well as create an association between the individual’s authenticated identity and public keys. A trusted third party, called a certificate authority (CA), is used to sign and issue certificates. The CA is responsible for verifying the identity of a key owner and binding the owner to a public key. This enables users who have never met to exchange encrypted communications, because the authentication is performed by the third-party CA. Each certificate contains a unique serial number, identity, and public key information of the user, and the validity dates for the life of the certificate.
A CA is an organization or entity that issues and manages digital certificates. The CA is responsible for authenticating and identifying users who participate in the PKI. This service doesn’t necessarily involve a third party; it can be internal to an organization. A CA server can be set up to act as the manager of certificates and the user’s public keys.
|Registration Authorities (RAs)||
Registration authorities offload some of the work from CAs by confirming the identities of users, issuing key pairs, and initiating the certificate process with a CA on behalf of the user. The RA acts as a middleman between the user and the CA, and doesn’t issue certificates on its own.
A certificate contains the authenticated identification of a user and his or her public key information.
Trust models define how users trust other users, companies, CAs, and RAs within the PKI. These models provide a chain of trust from a user’s public key through the root key of a CA. They are: Web of Trust, Third-party Trust, and Hierarchical Model.
A digital signature is an encrypted hash value used to ensure the identity and integrity of a message. The signature can be attached to a message to uniquely identify the sender. Like a written signature, the digital signature guarantees the individual sending the message is who he claims to be. The sender runs a hash function on his message, takes the resulting hash value, encrypts it with his private key, and sends it along with the message. When the receiver gets the signed message, he first decrypts the encrypted hash with the corresponding public key (verifies the sender) and then performs his own hashing function on the message.
|Trusted Platform Module||
A trusted platform module (TPM) is a special hardware chip that is typically installed within a computer system or device, such as on the system motherboard of a PC or laptop. This module provides authentication by storing security mechanisms such as passwords, certificates, and encryption keys that are specific to that system hardware. The chip itself contains a built-in RSA key that is used for encryption and authentication.
|Whole Disk Encryption||
In whole disk encryption, the entire contents of a computer system’s hard drive are encrypted, typically by encrypting the disk volume that contains all the operating system data; this does not include the booting instructions located in a boot volume or Master Boot Record (MBR).
The process of transforming characters into other characters that represent (but are not) the originals. Traditionally, the results are smaller and more secure than the original. A hash is called referred to as message digest (MD), SHA, MAC, and checksum.
|Hash Value Collision||
When two hashed messages result in the same hashing value. Collisions can be used to reveal the underlying algorithm.
A class of brute-force attacks, birthday attacks are often used to find collisions of hash functions. The birthday attack gets its name from this surprising result: The probability that two or more people in a group of 23 share the same birthday is greater than one half. Such a result is called a birthday paradox.
|Message Digest 2 (MD2)||
Message Digest 2 (MD2) is a one-way hashing algorithm that can produce a 128-bit hash. Developed in 1989, MD2 is optimized for 8-bit machines. In the MD2 algorithm, the message is first padded so its length in bytes is divisible by 16. A 16-byte checksum is then appended to the message, and the hash value is computed on this resulting message.
|Message Digest 4 (MD4)||
Message Digest 4 (MD4) is a one-way hash function that produces a 128-bit hash message digest value. Developed in 1990, MD4 is much faster than MD2 and is optimized for 32-bit machines. The message is padded to ensure its length in bits plus 448 is divisible by 512. Next, a 64-bit binary representation of the original length of the message is added to the message. The message is then processed in 512-bit blocks, and then each block is processed in three rounds. Over time, MD4 has been shown to be easily broken.
|Message Digest 5 (MD5)||
Message Digest 5 (MD5), developed in 1991, is a slower but more complex version of MD4. MD5 is popular and widely used for security applications and integrity checking. For example, downloaded software usually includes an MD5 checksum that the user can compare to the checksum of the downloaded file. MD5 produces a 128-bit hash value using a hexadecimal 32-character string. Its complex algorithms make it much more difficult to crack than MD4. The algorithm consists of four distinct rounds that have a slightly different design from that of MD4. Vulnerabilities have been found in MD5 in which techniques are used to reverse-engineer the MD5 hash, and Secure Hash Algorithm (SHA) hash functions are often considered better alternatives to MD5 hashing.
|Secure Hash Algorithm (SHA)||
SHA produces a 160-bit hash value that is run through the Digital Signature Algorithm (DSA), which adds the signature for the message. The sender encrypts the hash value with a private key, which is attached to the message before it’s sent. The receiver decrypts the message with the sender’s public key and runs the hashing function to compare the two values. If the values are identical, the message hasn’t been altered. Other variants of basic SHA (sometimes called SHA-1) exist, such as SHA-224, SHA-256, SHA-384, and SHA-512, which indicate their larger bit values. SHA is used in several popular security applications such as PGP, Transport Layer Security (TLS), SSL, and Internet Protocol Security (IPSec). SHA is considered fairly secure, although published theoretical attacks have been able to break the hash.
The hashing system used is easily subverted via a brute-force attack in which a password can be cracked in only a few hours. LANMAN’s hashing method includes converting all characters in the password to upper-case, truncating longer passwords and splitting then into two even 7-byte halves, and then using DES to encrypt the halves separately, creating a ciphertext hash. This made it susceptible to cracking because the two smaller halves could be cracked separately.
NTLM (NT LAN Manager) was created as an improvement to the original Microsoft LANMAN implementation and combines challenge/response authentication with message digest-hashed passwords that are transmitted between the clients and authenticating servers. NTLM version 1 uses MD4 hashing, while version 2 (introduced in Windows NT Service Pack 4) uses keyed-Hash Message Authentication Code (HMAC)–MD5 hashing and is more secure than version 1.
|Data Encryption Standard (DES)||
The Data Encryption Standard (DES) is a block cipher defined by the US government in 1977 as an official standard. DES has become the most well-known and widely used cryptosystem in the world. This symmetric cryptosystem uses a 64-bit block size and a 56-bit key. Over time and after tests with multi-CPU systems proved the standard could be broken through brute force, DES encryption was considered insecure.
3DES is a 168-bit encryption standard that’s resistant to cryptanalysis because it uses 48 rounds of cryptographic computations. 3DES is considered 256 times stronger than DES. The main disadvantage of 3DES is that encryption and decryption is much slower than that of DES by almost three times. Nevertheless, 3DES is considered powerful enough to be implemented in many banking and financial applications. 128-bit key (+24 for parity)
|Advanced Encryption Standard (AES)||
Advanced encryption standard (AES) (also often called Rijndael) is the government-defined encryption standard created to replace DES, which was considered vulnerable. The new standard uses a symmetric-block cipher supporting variable block and key lengths, such as 128, 192, and 256 bits. In 2003, the US government stated that the AES encryption standard could be used for nonclassified documents, while AES using 192–256 bits was required for top secret purposes.AES itself has not been compromised, but a number of speculative theoretical attacks have been published.
Blowfish is a symmetric block cipher that uses 64-bit blocks of data. Its key length is 448 bits and it uses 16 rounds of cryptographic computations. Blowfish was designed specifically for 32-bit machines and is significantly faster than DES.
|International Data Encryption Algorithm (IDEA)||
International Data Encryption Algorithm (IDEA) is a symmetric block cipher that uses 64-bit blocks of data, with a key length of 128 bits. The data blocks are divided into 16 smaller sections, which are subjected to eight rounds of cryptographic computation. The speed of IDEA in software is similar to that of DES. IDEA is the cipher used in the popular encryption program Pretty Good Privacy (PGP).
128-bit block cipher. Variable-length keys (128, 192, or 256-bits). Finalist for AES)
CAST-128 - 64-bit block size, variable key lengths (40 to 128-bits)CAST-256 - 128-bit block size, variable key lengths (128, 160, 192, 224, 256-bits)
|Rivest Cipher (Ron's Code or RC)||
First algorithm known to be suitable for signing as well as encryption.
RC1 & RC2 were never released
RC3 was cracked in the lab
RC4 (stream) variable key length (0 to 2048 bits)
variable block (32, 64, 128-bits)
variable key length (0 to 2048)
variable block (128-bits)
variable key length (0 to 2048)
|Advantages of Symmetric Key Encryption||
Less computationally intensive.
Produces a smaller file size.
Allows for faster transmissions.
|Disadvantages of Symmetric Key Encryption||
Exchanging of the shared secret key.
Trust between parties sharing the key.
Management of keys: n(n-1)/2 keys where n is the # of people
No authentication or non-repudiation
|Advantages of Asymmetric Key Encryption||
Key management (n*2) where n is the number of people
Public key can be freely distributed
Offers: Digital signatures, integrity checks, key exchange, and non-repudiation
|Disadvantages of Asymmetric Key Encryption||
Typically 1,000 to 10,000 times slower than symmetric
The resulting file size of an encryption is larger
|Asymmetric Key Encryption Algorithms||
Elliptic Curve Cryptography (ECC)
Encryption, digital signatures, key exchange
De facto standard
Based on the difficulty of factoring N, a product of two large prime numbers
Variable Block and Key Length
512-bit to arbitrarily long
1024-2048 considered secure
Used in PGP
|Elliptic Curve Cryptography (ECC)||
Encryption, digital signatures, key exchange
Based on the idea of using points on a curve to define the public/private key
Requires less computing power
An ECC key of 160-bits is equivalent to 1024-bit RSA key
Implemented on hardware devices such as wireless devices and smart cards