If you’re planning on taking the CISSP exam, you know that it covers an extensive amount of knowledge and takes quite a bit of time to prepare. Your best bet is to get a comprehensive book such as the CISSP: Certified Information Systems Security Professional Study Guide (ISBN-13: 978-1118314173) by Darril Gibson, James Stewart, and Mike Chapple to learn as much as possible about the exam domains. You’ll also want to take some practice test questions to get an idea of the exam questions.
As a late stage study tool, you might like to use a recently released book titled CISSP Rapid Review (ISBN-13: 978-0735666788) by Darril Gibson. The book is currently available as an eBook on O’Reilly’s site.
This book is designed to remind you of the important concepts and help you determine if you still understand them. A common phrase about the CISSP exam is that it’s a mile wide and an inch deep. That’s certainly true, but when you’re studying you often have to study topics at some depth so that you understand them, even if the actual questions might only expect you to have surface knowledge.
With that in mind, you won’t find a lot of depth in this book; instead, it gets right to the point, reminding you of what’s important. It includes listings of key exam topics, true/false questions to check your knowledge, and key information for each of the domains.
The following is a short excerpt from chapter 5 covering objective 5.3 to give you an idea of how the book is laid out.
Of course, there are also some great courses out there that are valuable to take prior to the exam. Infosec Institute hosts a seven-day CISSP Prep Course Overview that reports a 93 percent pass rate by its students.
Objective 5.3: Understand encryption concepts
Before digging into the details of various cryptographic procedures, it’s important to understand many of the basic foundational concepts related to cryptography. This section covers many of the core principles related to symmetric and asymmetric cryptography, and how hashing algorithms are used to create message digests to verify integrity. These concepts are extremely important to understand before you can fully grasp other concepts, such as how symmetric and asymmetric cryptography work together and how a digital signature is created and used.
Exam need to know…
- Foundational concepts
For example: What is encrypted data called? What are the two elements of any cryptographic process?
- Symmetric cryptography
For example: How many keys does symmetric cryptography use to encrypt and decrypt a single piece of data? What is the speed of symmetric cryptography when compared to asymmetric cryptography?
- Asymmetric cryptography
For example: How many keys does asymmetric cryptography use to encrypt and decrypt a single piece of data? How is an asymmetric cryptography key distributed?
While cryptography has a lot of technical depth, there are some core foundation concepts that provide some basics. Mastering these basics will help you correctly answer many questions on the CISSP exam.
True or false? A primary method of ensuring confidentiality of data is to use hashing.
Answer: False. A primary method of ensuring confidentiality of data is to use encryption methods. Hashing is used to verify the integrity of data.
Figure 5-1 shows the basic process of encryption and decryption. Plaintext data is readable, and an encryption algorithm scrambles it in such a way that it is unreadable. The resulting text is called ciphertext data. Ciphertext data can be decrypted to create the original plaintext data.
FIGURE 5-1 Encryption and decryption process.
True or false? Most encryption methods use an encryption algorithm and a key.
Answer: True. Both an encryption algorithm and a cryptographic key are used for most encryption methods. The encryption algorithms are published and remain constant, and a cryptographic key provides variability for the algorithm.
The following statements outline many of the generic foundational concepts related to cryptography:
- Encryption is used to preserve the confidentiality of data. Plaintext data is encrypted and becomes ciphertext data. Ciphertext data is decrypted to create the original plaintext data.
- Most encryption methods use an encryption algorithm and a cryptographic key. Longer keys used with the same encryption algorithm make it more difficult for unauthorized entities to decrypt the data.
- An encryption algorithm is constant and does not change. For example, the Advanced Encryption Standard (AES) uses a specific algorithm, and this is the same algorithm that is always used with AES. Also, most encryption algorithms are publicly available, exposing them to vigorous peer review.
- Encryption keys are not constant. For example, the same AES algorithm can be used with a different key for every file, message, or session, and well-designed systems generate a fresh key for each session.
- Hashing methods are used to verify integrity.
- Hashing algorithms do not use a cryptographic key. (Keyed constructions such as HMAC combine a hash function with a key to produce a message authentication code, but the hash function itself is unkeyed.)
Preventing the loss of confidentiality, integrity, and availability (CIA) are three core security goals. Encryption is directly related to preventing the loss of confidentiality. Hashing is directly related to ensuring the integrity of data.
Symmetric cryptography uses the same key to encrypt and decrypt a piece of data. For example, if data was encrypted with a key of 123, the same key is used to decrypt it, as shown in Figure 5-2. (In actual practice, keys will be much more complex than a simple key of 123.)
FIGURE 5-2 Symmetric encryption and decryption process.
True or false? The primary challenge with symmetric encryption is privately sharing the key.
Answer: True. The symmetric encryption key needs to be known by the entity encrypting the data and by the entity decrypting the data. However, it should not be known to any other entities. If any other entities discover the key, they can decrypt the data.
When using symmetric cryptography, the key must be exchanged privately between the two parties (over a secure channel or with an asymmetric key exchange) and changed often. The more data encrypted under a single key, the more material an attacker has for cryptanalysis, and a compromised key exposes all data ever encrypted with it.
Some common symmetric encryption algorithms include the following:
- Data Encryption Standard (DES). This is an older standard that was used in most applications for many years. However, the 56-bit key size makes it easy to crack by brute force with current computers; purpose-built hardware recovered a DES key in under three days as early as 1998.
- Triple DES (3DES). This was designed as a stopgap replacement for DES. It applies the DES algorithm three times with key bundles of 56, 112, or 168 bits, although its effective strength is at most 112 bits because of meet-in-the-middle attacks. It was long considered secure, but NIST has since deprecated it, and it takes more processing power than AES.
- Advanced Encryption Standard (AES). The U.S. government selected an algorithm originally named Rijndael as the primary symmetric encryption standard. It was selected after a multi-year public competition run by NIST (1997 to 2001). AES uses 128-bit, 192-bit, or 256-bit keys and takes less processing power than 3DES. AES is the dominant symmetric encryption standard used to encrypt bulk data.
- RC4 (also called ARC4 or ARCFOUR). This is named after its creator, Ron Rivest (Rivest Cipher 4). It uses key sizes from 40 bits to 2,048 bits and was for many years the most common symmetric algorithm used with SSL/TLS and in WEP. Biases in its keystream have since made it practically attackable, and RFC 7465 prohibits its use in TLS.
- International Data Encryption Algorithm (IDEA). This was also designed as a replacement for DES. It is a block cipher that uses 128-bit keys to encrypt 64-bit blocks. It was patented, with free use permitted for non-commercial purposes; the patents have since expired.
- Blowfish. This is a block cipher that uses variable key sizes from 32 bits to 448 bits and encrypts 64-bit blocks. Its key schedule runs the cipher 521 times to create the subkeys, so setting up a new key is expensive, but encryption itself is fast. Its 64-bit block size limits how much data can safely be encrypted under one key.
- Twofish. This is a successor to Blowfish (not simply a modified version) using keys up to 256 bits and block sizes of 128 bits. It was one of the five NIST finalists in the AES competition.
True or false? AES is a stream cipher.
Answer: False. AES is a block cipher. It divides the data into 128-bit blocks and encrypts each block. RC4 is a stream cipher. (A block cipher can, however, be run in a mode such as counter (CTR) mode that turns it into a keystream generator, so it then behaves like a stream cipher.)
Block ciphers encrypt fixed-size blocks of data. In Cipher Block Chaining (CBC) mode, each plaintext block is XORed with the previous ciphertext block (or with an initialization vector for the first block) before it is encrypted, so encryption must proceed sequentially and identical plaintext blocks produce different ciphertext. Decrypting any block requires only that ciphertext block and the one immediately before it, so blocks can be decrypted independently and in parallel. In contrast, Electronic Code Book (ECB) mode encrypts each block independently: identical plaintext blocks produce identical ciphertext blocks, so patterns in the data leak through, and ECB should not be used for anything larger than a single block.
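As an added illustration (not from the book), the following Python script implements ECB and CBC over a small stand-in block cipher so that it runs with the standard library alone. The block cipher is a four-round Feistel network with HMAC-SHA256 as the round function (an assumption for the demo; it is not AES), the key and IV are random, and the plaintext of three identical 16-byte blocks is constructed to make the ECB pattern leak visible. It also shows a single CBC block being decrypted using only its predecessor.

```python
import hashlib
import hmac
import os

BLOCK = 16   # bytes per block, the same size as AES
ROUNDS = 4   # Feistel rounds (four rounds with a strong round function give a secure permutation)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    """Keyed round function: HMAC-SHA256 over (round number || right half), truncated to 8 bytes."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (balanced Feistel network). Stands in for AES in this demo."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, xor_bytes(left, _round_fn(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards and undo each swap."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = xor_bytes(right, _round_fn(key, r, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # always adds 1..16 bytes, so unpadding is unambiguous
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: every block is encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC encryption is sequential: block i is XORed with ciphertext block i-1 (the IV for block 0)."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(pt)):
        prev = block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_block(key: bytes, iv: bytes, ct: bytes, i: int) -> bytes:
    """Decrypting block i needs only ciphertext blocks i-1 and i, so CBC decryption is random access."""
    blocks = _blocks(ct)
    prev = iv if i == 0 else blocks[i - 1]
    return xor_bytes(block_decrypt(key, blocks[i]), prev)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    n = len(ct) // BLOCK
    return pkcs7_unpad(b"".join(cbc_decrypt_block(key, iv, ct, i) for i in range(n)))


def distinct_blocks(ct: bytes) -> int:
    """How many different ciphertext blocks appear; a low count with repetitive plaintext means ECB is leaking."""
    return len(set(_blocks(ct)))


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    pt = b"ATTACK AT DAWN!!" * 3              # constructed: three identical 16-byte blocks (plus one padding block)
    print("ECB distinct ciphertext blocks:", distinct_blocks(ecb_encrypt(key, pt)))      # 2: the repeats collapse
    print("CBC distinct ciphertext blocks:", distinct_blocks(cbc_encrypt(key, iv, pt)))  # 4: every block differs
    ct = cbc_encrypt(key, iv, pt)
    print("block 2 alone:", cbc_decrypt_block(key, iv, ct, 2) == pt[32:48])
```

The same mode code would work unchanged with a real cipher such as AES in place of `block_encrypt`/`block_decrypt`; the mode, not the cipher, is what decides whether repeated plaintext shows through.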
Stream ciphers encrypt individual bits or bytes of data by combining them (normally with XOR) with a keystream generated from the key and an initialization vector (IV) or nonce. An important principle that must be followed when using a stream cipher is that the same key and IV combination must never be used twice: two messages encrypted with the same keystream can be XORed together to cancel the keystream and expose the XOR of the two plaintexts, with no knowledge of the key. This was one of the many failings of Wired Equivalent Privacy (WEP), whose 24-bit IV repeated after a few thousand packets, which allowed attackers to crack it.
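The keystream-reuse failure described above, as an added example that is not part of the book. The keystream generator here is a toy counter-mode construction over HMAC-SHA256 (an assumption for the demo; it is neither RC4 nor WEP's generator), and the two messages are constructed. Reusing the nonce lets an eavesdropper who knows one plaintext read the other without the key; a fresh nonce removes the relationship.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: keystream blocks are HMAC-SHA256(key, nonce || counter), counter-mode style."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return xor_bytes(pt, keystream(key, nonce, len(pt)))


stream_decrypt = stream_encrypt   # XOR with the same keystream undoes the encryption


def recover_with_known_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If ct1 and ct2 used the same keystream, ct1 XOR ct2 == pt1 XOR pt2; knowing pt1 reveals pt2."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor_bytes(xor_bytes(ct1[:n], ct2[:n]), known_pt1[:n])


if __name__ == "__main__":
    key = os.urandom(32)
    nonce = os.urandom(3)                               # constructed: a WEP-sized 24-bit IV
    pt1 = b"transfer 100 to alice   "                   # constructed messages
    pt2 = b"transfer 900 to mallory "
    ct1 = stream_encrypt(key, nonce, pt1)
    ct2 = stream_encrypt(key, nonce, pt2)               # same key AND same nonce: the mistake
    print("recovered:", recover_with_known_plaintext(ct1, ct2, pt1))   # prints pt2 without the key
    ct2_fresh = stream_encrypt(key, os.urandom(3), pt2)
    print("fresh nonce:", recover_with_known_plaintext(ct1, ct2_fresh, pt1))  # garbage
```

Note that the attacker needs no weakness in the keystream generator itself; the XOR structure shared by every stream cipher (and by block ciphers in CTR mode) is what makes nonce reuse fatal.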
Modes of operation for block ciphers are identified in NIST SP 800-38A. Additional modes are specified in other parts of the SP 800-38 series; for example, SP 800-38D covers Galois/Counter Mode (GCM), which provides integrity as well as confidentiality, and SP 800-38F covers key wrapping. All of them can be accessed from the NIST Special Publications page: http://csrc.nist.gov/publications/PubsSPs.html.
Asymmetric cryptography uses two keys, known as a public key and a private key. There are some important but basic concepts related to these keys that you should understand.
True or false? In asymmetric cryptography, a public key is always matched with a private key.
Answer: True. Asymmetric keys are created as matched pairs. Data encrypted with a private key can be decrypted only with the matching public key. Similarly, data encrypted with a public key can be decrypted only with the matching private key.
A public key is freely shared with others, but a private key is always kept private. Only the owner of the key pair has access to the private key, with the possible exception of a recovery agent. Public keys are embedded within certificates and shared with others by sharing the certificate.
Asymmetric cryptography is sometimes called public key cryptography or public/private key cryptography. In contrast, symmetric key cryptography is sometimes called session key cryptography, secret key cryptography, or even private key cryptography. However, calling it private key cryptography confuses it with asymmetric cryptography for many people. Asymmetric cryptography always uses a matched key pair (a public key and a private key), but symmetric key cryptography always uses a single key that is kept secret.
Figure 5-3 shows the overall process for asymmetric encryption and decryption. Keys are much more complex than 123 and 456, but for the example, assume that 123 and 456 have been created as a matched pair as a public key and a private key. A key point to remember is that data encrypted with the public key can be decrypted only with the matching private key. Similarly, if data was encrypted with the private key, it can be decrypted only with the matching public key.
FIGURE 5-3 Asymmetric encryption and decryption process.
Public and private keys are created as matched pairs. Private keys are always kept private and never shared. Public keys are shared in certificates.
True or false? Asymmetric cryptography is faster than symmetric cryptography.
Answer: False. Symmetric cryptography is roughly 100 to 1,000 times faster than asymmetric cryptography. This is one of the reasons that asymmetric cryptography is used to encrypt only the symmetric key and not the bulk data.
Asymmetric cryptography is often used only to securely exchange a symmetric key. After both parties have the symmetric key, data is encrypted and decrypted with this symmetric key. Asymmetric cryptography takes a significant amount of processing power to encrypt and decrypt, but when it is used only to encrypt/decrypt a key, it reduces the overall processing power requirements.
RSA (named after its designers: Rivest, Shamir, and Adleman) is a popular asymmetric algorithm. The public and private keys are derived from the product of two large prime numbers. While it is easy to multiply two large primes, it is extremely difficult to factor their product back into the original primes, and the security of RSA rests on this asymmetry: when the primes are sufficiently large, recovering them from the public modulus is not feasible in a reasonable amount of time.
RSA Laboratories sponsored the RSA Factoring Challenge several years ago, which encouraged cryptographers to factor large semiprimes (products of two primes). Many large numbers (up to 768 bits, factored in 2009) have been factored, although the efforts often take hundreds of computing years to complete. It’s estimated that RSA-2048 (a 2,048-bit modulus) will not be factored by classical computers for many more decades, which is why 2,048 bits is the common minimum RSA key size today. You can read about the RSA Factoring Challenge here: http://www.rsa.com/rsalabs/node.asp?id=2094.
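An added example, not the book's material: textbook RSA in Python with small primes. It shows the matched key pair working in both directions (the point of Figure 5-3), transport of a symmetric key under the recipient's public key (the hybrid use described above), and recovery of the private key by factoring a toy modulus, which is exactly the attack that becomes infeasible at 2,048 bits. The primes (including the two Mersenne primes used for the key-transport run), the public exponent, and the 16-byte key are chosen for the demo. There is no padding scheme (real RSA uses OAEP or PSS), so this is for understanding, not for use.

```python
import math


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes. Returns (public, private) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n. Works for both directions: public then private, or private then public."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def wrap_symmetric_key(public, sym_key: bytes) -> int:
    """Hybrid encryption step: the symmetric key is encrypted with RSA; bulk data would use the symmetric key."""
    return rsa_apply(public, int.from_bytes(sym_key, "big"))


def unwrap_symmetric_key(private, wrapped: int, key_len: int) -> bytes:
    return rsa_apply(private, wrapped).to_bytes(key_len, "big")


def factor_by_trial_division(n: int):
    """Recover p and q by brute force. Feasible only for toy moduli; hopeless for 2,048-bit ones."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(public):
    """What an attacker who can factor n gets: the full private key."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return n, modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = rsa_keypair(61, 53, e=17)             # toy primes, n = 3233
    c = rsa_apply(public, 65)
    print("ciphertext:", c, "decrypts to:", rsa_apply(private, c))
    print("private then public:", rsa_apply(public, rsa_apply(private, 65)))
    print("attacker recovers private key:", recover_private_key(public) == private)

    # Key transport with a larger (still toy) modulus built from two known Mersenne primes.
    big_public, big_private = rsa_keypair(2**127 - 1, 2**89 - 1)
    sym_key = bytes(range(16))                               # constructed 128-bit symmetric key
    wrapped = wrap_symmetric_key(big_public, sym_key)
    print("key survives transport:", unwrap_symmetric_key(big_private, wrapped, 16) == sym_key)
```

Trial division on the 216-bit modulus in the second run would never finish, while the 12-bit modulus falls instantly; the gap between those two is the entire security argument for RSA key sizes.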
True or false? Elliptic curve cryptography (ECC) is less efficient than other asymmetric encryption methods such as RSA.
Answer: False. ECC provides equivalent security with much shorter keys (a 256-bit ECC key is roughly comparable to a 3,072-bit RSA key), so its operations take less processing power than other asymmetric methods.
ECC is commonly used in smaller mobile devices because it requires less processing power.
Diffie-Hellman and ElGamal are two additional asymmetric cryptography methods. Both rely on the difficulty of the discrete logarithm problem. Diffie-Hellman is a key agreement protocol rather than an encryption algorithm: each party combines its own private value with the other party’s public value to derive the same shared secret, which can then be used as a symmetric key, without the secret itself ever crossing the network. ElGamal builds an encryption scheme on the same principle.
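The Diffie-Hellman exchange with both sides' messages, as an added example that is not part of the book. The group (p = 23, g = 5) and the private values are tiny and chosen for the demo; real deployments use 2,048-bit or larger groups such as those in RFC 3526, or elliptic curves. The brute-force discrete logarithm at the end is what an eavesdropper must solve, and it shows why the small group is insecure; the hash-based key derivation is a simplification of the KDF a real protocol would use.

```python
import hashlib
import secrets


def dh_public(p: int, g: int, private: int) -> int:
    """Public value that is sent over the network: g^private mod p."""
    return pow(g, private, p)


def dh_shared_secret(p: int, other_public: int, private: int) -> int:
    """Each side raises the other side's public value to its own private value; both get the same result."""
    return pow(other_public, private, p)


def derive_key(shared_secret: int, length: int = 16) -> bytes:
    """Turn the shared integer into a fixed-size symmetric key (simplified hash-based KDF)."""
    size = (shared_secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared_secret.to_bytes(size, "big")).digest()[:length]


def discrete_log(p: int, g: int, target: int) -> int:
    """Brute-force discrete log: recover x from g^x mod p. Feasible only because p is tiny."""
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    raise ValueError("no solution")


def run_exchange(p: int, g: int, alice_private: int, bob_private: int):
    """Full exchange. Returns (alice_public, bob_public, alice_key, bob_key)."""
    A = dh_public(p, g, alice_private)                       # Alice -> Bob:  A
    B = dh_public(p, g, bob_private)                         # Bob -> Alice:  B
    key_alice = derive_key(dh_shared_secret(p, B, alice_private))   # Alice: B^a mod p
    key_bob = derive_key(dh_shared_secret(p, A, bob_private))       # Bob:   A^b mod p
    return A, B, key_alice, key_bob


if __name__ == "__main__":
    p, g = 23, 5                                             # toy group for the demo
    a = secrets.randbelow(p - 2) + 1                         # Alice's private value
    b = secrets.randbelow(p - 2) + 1                         # Bob's private value
    A, B, key_alice, key_bob = run_exchange(p, g, a, b)
    print("on the wire:", A, B, "| keys match:", key_alice == key_bob)
    print("eavesdropper recovers a:", discrete_log(p, g, A) == a)   # cheap here, infeasible for real p
```

Only A and B ever cross the network; an eavesdropper who sees both still has to solve the discrete logarithm to get either private value, which is trivial for p = 23 and infeasible for a properly sized group.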