CISSP Cryptography – Bk2D3T6P1

Module Objectives
  1. Understand key terms associated with cryptography.
  2. Understand how security services such as confidentiality, integrity, authenticity, non-repudiation, and access control are addressed through cryptography.
  3. Understand basic cryptography concepts of symmetric and asymmetric.
  4. Describe hashing algorithms and digital signatures.
  5. Understand the importance of key management.
  6. Understand cryptanalysis methods.

Cryptography Services

The word cryptography has been derived from two Greek words. The word cryptos translates into the word secret, and the word graphy translates into the word writing. Cryptography, therefore, literally means secret writing. Any form that takes something and turns it into a secret is defined as a form of cryptography. Historians have told us that cryptography is thousands of years old, and in fact, it was the ancient Egyptians that were the first (at least recorded example) to use cryptography-like services to turn knowledge and words into secrets.

The question is: why turn something into a secret? The obvious answer to that is to keep it confidential from certain people.

Throughout history knowledge has provided power over others. If you can keep certain knowledge from others, you may have significant advantage over them. Throughout history, cryptography has been used mainly to secure communications belonging to the powerful and the influential, usually governments, the military, and royalty. The powerful people of this world have always used ciphers. We have seen examples of the exchange of coded messages among one another and decoded the messages of others for their own advantage.

As we have seen, cryptography is about writing secrets. The first secret messages were exchanged as long as thousands of years ago. Cryptography involves scrambling some kind of useful information in its original form, called plaintext, into a garbled or secret form, called ciphertext. The usual intent is to allow two or more parties to communicate the information while preventing other parties from being privy to it.

Cryptography today can be said to provide some important security services. The five key services that cryptography can provide are the following:

  1. Confidentiality: Cryptography provides confidentiality through altering or hiding a message so that ideally it cannot be understood by anyone except the intended recipient. Confidentiality is a service that ensures keeping information secret from those who are not authorized to have Secrecy is a term sometimes used to mean confidentiality.
  2. Integrity: Cryptographic tools can provide integrity services that allow a recipient to verify that a message has not been altered. Cryptography tools cannot prevent a message from being altered, but they can be effective to detect either intentional or accidental modification of the message. Cryptographic functions use several methods to ensure that a message has not been changed or altered. These may include hash functions, digital signatures, and simpler message integrity controls such a message authentication codes (MACs), Cyclic Redundancy Checks (CRC), or even checksums. The concept behind this is that the recipient is able to detect any change that has been made to a message, whether accidentally or intentionally.
  3. Authenticity: Sometimes referred to as “proof of origin,” this is a service that allows entities wanting to communicate with each other to positively identify each Information delivered over a channel should be authenticated as to the origin of that transmission. Authenticity can allow a recipient to know positively that a transmission of information actually came from the entity that we expect it from.
  4. Non-repudiation: This is a service that prevents an entity from denying having participated in a previous Typically, non- repudiation can only be achieved properly through the use of digital signatures. The word repudiation means the ability to deny. So, non-repudiation means the inability to deny. There are two flavors of non-repudiation:
    • Non-repudiation of origin means that the sender cannot deny they sent a particular message.
    • Non-repudiation of delivery means that the receiver cannot say that they received a different message than the one they actually did receive.
  5. Access Control: Through the use of cryptographic tools, many forms of access control are supported—from log-ins via passwords and passphrases to the prevention of access to confidential files or In all cases, access would only be possible for those individuals who had access to the correct cryptographic keys.

The fundamental goal of cryptography is to adequately address these five security services in both theory and practice. Confidentiality is normally achieved by encrypting the message content, data integrity is achieved through cryptographic hashing functions, authenticity is achieved through the use of asymmetric cryptography, non-repudiation is normally achieved through the use of cryptographic digital signatures, and access control can be achieved through both symmetric and asymmetric key cryptography but encrypting with keys that allows the recipient to decrypt with the proper keys.

Data Protection

Data at Rest

The protection of stored data is often a key requirement for an organization’s sensitive information. Backups, off-site storage, password files, sensitive databases, valuable files, and other types of sensitive information need to be protected from disclosure or undetected alteration. This can usually be done through the use of cryptographic algorithms that limit access to the data to those that hold the proper encryption (and decryption) keys. Protecting these valuable examples of assets of the organization can be done usually through cryptography, but it is usually referred to as protecting data at rest. Data at rest means the data is resting, stored on some storage media without it moving at any point.

Data in Transit

Data in transit, sometimes referred to as data in motion, is data that is moving, usually across networks. Whether the message is sent manually, over a voice network, or via the internet, modern cryptography can provide secure and confidential methods to transmit data and allows the verification of the integrity of the message so that any changes to the message itself can be detected.

End-to-end Encryption

End-to-end encryption is generally performed by the end user within an organization. The data is encrypted at the start of the communications channel or before and remains encrypted until it is decrypted at the remote end. Although  data  remain  encrypted when passed through a network, routing information remains visible.

Link Encryption

Data that is moving across a network can be protected using cryptography. There are two methods for protecting data in transit across a network, link or end-to-end encryption.

In general, link encryption is performed by service providers, such as a data communications provider on networks. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T-1 line). Because link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. The data packet is decrypted and re-encrypted at each point in the communications channel. It is theoretically possible that an attacker compromising a node in the network may see the message in the clear. Because link encryption also encrypts the routing information, it provides traffic confidentiality (not data confidentiality) better than end-to- end encryption. In other words, it can be used to hide the routing information. Traffic confidentiality hides the addressing information from an observer, preventing an inference attack based on the existence of traffic between two parties.

Related Product : Certified Information System Security Professional | CISSP

Cryptographic Evolution

Oddly enough, some of the earliest cryptographers were not really trying to hide anything. Rather, they were trying to draw attention to their subject and show off their language skills by playing with words. When knowledge of the written language was not widespread, for example during Julius Caesar’s time, ciphers did not need to be very complex. Because few people knew how to speak or read, Caesar’s cipher, simple as it was, was very effective. As history unfolded and more people were able to read and write, cryptographers had to find a better way to deal with the growing number of potential adversaries.

Throughout history, cryptography has been used mainly to secure communications belonging to the powerful and the influential, usually governments, the military, and also royalty. The powerful people of this world have always used ciphers. They have exchanged coded messages among one another and decoded the messages of others for their own advantage. Throughout history, knowledge is power.

But with the advent of the computer, the widespread use of computer technology has expanded the need for secure communications around the world and the need for secure storage of sensitive information. The advent of computers has changed many things but not the fundamentals of cryptography. The fundamentals of cryptography are the same today as they were hundreds and even thousands of years ago. They have just been applied to today’s technology to provide some very good methods of ensuring the confidentiality, integrity, authenticity, non-repudiation, and access of information.

Computers have made adding complexity to cryptography very easy. They have also made solving complexity more of a snap. Because of rapidly advancing technology, secure systems must constantly be assessed for the possibility of new attacks if security is to be maintained. Secret sharing, a necessity in today’s world, is still a tug-of-war between clever cryptographers and ingenious cryptanalysts with new tools in  their belts.

The Early (Manual) Era

Cryptographers have found evidence of cryptographic-type operations going back thousands of years. A perfect example of this is in early Egypt, where sets of nonstandard hieroglyphics were used in inscriptions to avoid certain people from being able to understand what was written on those inscriptions.

Another example of later in history, the Spartans were known for something very appropriately called the Spartan scytale, a method of transmitting a message by wrapping a leather belt around a tapered dowel. Written across the dowel, the message would be unreadable once it was unwrapped from the dowel. The belt could then be carried to the recipient, who would be able to read the message as long as he had a dowel of the same diameter and taper.

There are further examples of the use and development of cryptographic methods throughout the past two millennia. Julius Caesar used the Caesar cipher, a very simple substitution cipher that shifted the alphabet by three positions. Developments in cryptographic science continued throughout the middle ages with the work of Leon Battista Alberti, who invented the idea of a cryptographic key in 1466, and the enhanced use of polyalphabetic ciphers by Blais de Vigenère.

The Mechanical Era

The major advancement developed in this era was the performance of the algorithm on the numerical value of a letter, rather than the letter itself. Up until this point, most cryptography was based on substitution ciphers, such as the Caesar cipher. This was a natural transition into the electronic era, where cryptographic operations are normally performed on binary values of letters, rather than on the written letter itself. For example, the alphabet could be written as follows: A = 0,

B = 1, C = 2 . . . Z = 25. This was especially integral to the one-time pad and other cipher methods that were developed during this era. This represented a major evolution of cryptography that really set the stage for further developments in later time periods.

The Electro-Mechanical Era

In the early 20th century, the world saw the invention of complex mechanical and electromechanical machines. In cryptography, these machines, such as the Enigma machine used by the Germans during World War II, provided more sophisticated and efficient means of encryption and decryption.

The Modern Era

After World War II, we saw the subsequent introduction of electronics and computing. In cryptography, this has allowed elaborate schemes that offer greater complexity in encryption. Today’s cryptosystems operate in a manner that allows anyone with a computer to be able to use cryptography without even understanding cryptographic operations, algorithms, and advanced mathematics. This is because most crypto systems are driven by software applications that have become easy to use, and offer greater services. However, from our perspective, it is still important to implement a cryptosystem in a secure manner. In fact, the majority of attacks against cryptosystems are not the result of weaknesses in cryptographic algorithms, or key lengths, but rather poor or mismanaged implementations, usually related to key management.

Quantum Cryptography

A fundamental difference between traditional cryptography and quantum cryptography is that in traditional cryptography, we primarily use difficult mathematical techniques as the fundamental mechanism to provide security for cryptography algorithms. Quantum cryptography, on the other hand, uses physics to secure data. The basic difference is that in traditional cryptography, strength is provided due to strong math, and in quantum cryptography, the security is based on known physical laws rather than on mathematical difficulties.

Quantum cryptography, also known as quantum key distribution, is built on quantum physics. Many people understand the basic premise of quantum physics as the uncertainty principle of Werner Heisenberg. His basic claim is that a person cannot know both a particle’s position and momentum with unlimited accuracy at the same time. Specifically, quantum cryptography is a set of protocols, systems, and procedures by which it is possible to create and distribute secret keys. Quantum cryptography can be used to generate and distribute secret keys that can then be used together with traditional crypto algorithms and protocols to encrypt and transfer data. It is important to note that quantum cryptography is not used to encrypt data, transfer encrypted data, or store encrypted data. The need for asymmetric key systems arose from the issue of key distribution.

The biggest issue in symmetric key cryptography is that users need a secure channel to set up a secure channel. Quantum cryptography solves the key distribution problem by allowing the exchange of a cryptographic key between two remote parties with complete security, as dictated via the laws of physics. Once the key exchange takes place, conventional cryptographic algorithms are used. For that reason, many prefer the term quantum key distribution to quantum cryptography as it is typically only used to distribute the symmetric keys required for secure exchange of information.

Key Encryption Concepts and Definitions
  • Plaintext or cleartext: This is the message or data in its natural format and in readable form. Plaintext is human readable and is extremely vulnerable from a confidentiality perspective. Plaintext is the message or data that has not been turned into a secret.
  • Ciphertext or cryptogram: This is the altered form of a plaintext message so as to be unreadable for anyone except the intended recipients. In other words, it has been turned into a An attacker seeing ciphertext would be unable to easily read the message or to determine its content. Also referred to as the message that has been turned into a secret.
  • Cryptosystem: This represents the entire cryptographic operation and This typically includes the algorithm, key, and key management functions, together with the services that can be provided through cryptography. The cryptosystem is the complete set of applications that allows sender and receiver to communicate using cryptography systems.
  • Algorithm: An algorithm is a mathematical function that is used in the encryption and decryption It may be quite simple or extremely complex. Also defined as the set of instructions by which encryption and decryption is done.
  • Encryption: This is the process and act of converting the message from its plaintext to ciphertext. Sometimes this is also referred to as enciphering. The two terms are sometimes used interchangeably in the literature and have similar meanings.
  • Decryption: This is the reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and key (cryptovariable) that was used to do the original encryption. This term is also used interchangeably with the term deciphering.
  • Key or cryptovariable: The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the There are both secret and public keys used in cryptographic algorithms.
  • Non-repudiation: The inability to In cryptography, it is a security service by which evidence is maintained so that the sender and the recipient of data cannot deny having participated in the communication. There are two flavors of non-repudiation, “nonrepudiation of origin” means the sender cannot deny having sent a particular message, and “non- repudiation of delivery’” where the receiver cannot say that they have received a different message than the one that they actually did receive.
  • Cryptanalysis: The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
  • Cryptology: The science that deals with hidden, disguised, or encrypted communications. It embraces communications security and communications intelligence.
  • Collision: This occurs when a hash function generates the same output for different In other words, two different messages produce the same message digest.
  • Key space: This represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password. For example, a 20-bit key would have a key space of 1,048,576. A 2-bit key would have a key space of 4.
  • Initialization vector (IV): A non-secret binary vector used as the initializing input algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. Typically referred to as a “random starting point,” or random number that starts the process.
  • Encoding: The action of changing a message into another format through the use of a This is often done by taking a plaintext message and converting it into a format that can be transmitted via radio or some other medium, and it is usually used for message integrity instead of secrecy. An example would be to convert a message to Morse code.
  • Decoding: The reverse process from encoding, converting the encoded message back into its plaintext format.
  • Substitution: The process of exchanging one letter or byte for another. An example is the Caesar cipher, where each letter was shifted by 3 An “A” was represented by a “D,” a “B” was represented by an “E,” a “C” was represented by an “F,” and so on.
  • Transposition or permutation: The process of reordering the plaintext to hide the message, but keeping the same letters.
  • Confusion: Provided by mixing or changing the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.
  • Diffusion: Provided by mixing up the location of the plaintext throughout the Through transposition, the location of the first character of the plaintext may change several times during the encryption process, and this makes the cryptanalysis process much more difficult.
  • Avalanche effect: An important consideration in all cryptography used to design algorithms where a minor change in either the key or the plaintext will have a significant large change in the resulting This is also a feature of a strong-hashing algorithm.
  • Key clustering: When different encryption keys generate the same ciphertext from the same plaintext message.
  • Synchronous: Each encryption or decryption request is performed immediately.
  • Asynchronous: Encrypt/Decrypt requests are processed in queues. A key benefit of asynchronous cryptography is utilization of hardware devices and multiprocessor systems for cryptographic acceleration.
  • Hash function: A hash function is a one-way mathematical operation that reduces a message or data file into a smaller fixed length output, or hash By comparing the hash value computed by the sender with the hash value computed by the receiver over the original file, unauthorized changes to the file can be detected, assuming they both used the same hash function. Ideally, there should never be more than one unique hash for a given input and one hash exclusively for a given input. 
  • Digital signatures: These provide authentication of a sender and integrity of a sender’s A message is input into a hash function. Then, the hash value is encrypted using the private key of the sender. The result of these two steps yields a digital signature. The receiver can verify the digital signature by decrypting the hash value using the signer’s public key, then perform the same hash computation over the message and then compare the hash values for an exact match. If the hash values are the same, then the signature is valid.
  • Symmetric: This is a term used in cryptography to indicate that the same key is required to encrypt and
  • The word “symmetric” means “the same,” and we are obviously referring to the key that is required at both ends to encrypt and decrypt. Symmetric key cryptography has the fundamental problem of secure key distribution.
  • Asymmetric: This word means “not the ” This is a term used in cryptography in which two different but mathematically related keys are used where one key is used to encrypt and another is used to decrypt.
  • Digital certificate: A digital certificate is an electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration The certificate is used to identify the certificate holder and the associated public key when conducting electronic transactions.
  • Certificate authority (CA): This is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates that prove the authenticity of public keys belonging to certain individuals or entities.
  • Registration authority (RA): This performs certificate registration services on behalf of a CA. The RA, a single-purpose server, is responsible for the accuracy of the information contained in a certificate request. The RA is also expected to perform user validation before issuing a certificate request.
  • Work factor: This represents the time and effort required to break a protective measure, or in cryptography, the time and effort required to break a cryptography algorithm.

Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/