Security+ Domain #6: Cryptography and PKI [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Cryptography is of paramount importance to every enterprise's security posture because it provides data confidentiality, integrity, authentication and non-repudiation. Its most familiar operation is encryption, the transformation of readable plaintext into unreadable ciphertext. According to the 2018 Global Encryption Trends Study, published by the Ponemon Institute, "43% of companies now have a consistent and enterprise-wide encryption strategy." Even if attackers compromise a host and reach the data, they still need the key to recover the encrypted content, which is infeasible when a sound algorithm is implemented correctly and the key is properly protected. In this article, we'll cover the basic cryptography concepts needed to pass the Security+ SY0-501 exam with a high score.
What Is Cryptography?
Cryptography is the science of transforming data into a form that unauthorized parties cannot read or alter. It can be implemented in hardware or software and applied to data on mobile devices, removable media, databases and individual files.
A symmetric algorithm uses the same secret key to encrypt and decrypt, so both parties must obtain that key before they can communicate.
The symmetric algorithm recommended for new use today is the Advanced Encryption Standard (AES). AES is efficient in both hardware and software, operates on 128-bit blocks and supports key lengths of 128, 192 or 256 bits. Triple DES (3DES) was introduced as a more secure variant of DES: it applies the DES algorithm three times to each 64-bit block with two or three independent keys, giving a nominal key length of 112 or 168 bits (the effective strength of three-key 3DES is about 112 bits). NIST has deprecated 3DES and disallows it for new applications after 2023, so it should be treated as a legacy algorithm. Other symmetric algorithms include RC4 (a stream cipher now considered broken and prohibited in TLS by RFC 7465), RC5, RC6, Blowfish and Twofish. DES itself is obsolete because its 56-bit key can be brute-forced within days on specialized hardware. SIMON and SPECK are not legacy algorithms but lightweight block ciphers published by the NSA in 2013 for constrained devices.
Symmetric algorithms provide strong protection as long as the key is long enough to resist brute force and is kept secret; key distribution, not algorithm strength, is usually the weak point.
Modes of Operations
A block cipher on its own encrypts only a single block; a mode of operation defines how it is applied to a longer message. The National Institute of Standards and Technology (NIST), in its Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, defines five confidentiality modes: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR). These modes can be used to provide cryptographic protection for sensitive, but unclassified, computer data. The choice matters: ECB encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak; CBC chains each block to the previous one but requires an unpredictable initialization vector (IV); CTR turns the block cipher into a stream cipher and requires that a nonce/counter value never repeat under the same key. None of these modes detects tampering. Authenticated modes such as Galois/Counter Mode (GCM, SP 800-38D) add an integrity tag and are what modern protocols such as TLS 1.3 use.
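To make the difference between modes concrete, here is an added example (written for this edit, not code from the original article) in Go using only the standard library. It encrypts eight identical plaintext blocks under one AES-256 key in ECB, CBC and CTR and counts how many ciphertext blocks repeat; the key and the plaintext are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key (AES-256) for this demonstration only;
// real keys come from a CSPRNG or a key-management system.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// repeatedPlaintext is constructed sample input: eight identical 16-byte
// blocks, the kind of structure found in padding, headers or bitmap rows.
func repeatedPlaintext() []byte {
	return bytes.Repeat([]byte("SAME BLOCK HERE!"), 8)
}

// encrypt applies AES in the named mode. ECB output is the raw ciphertext
// (the standard library deliberately has no ECB helper, so it is written out);
// CBC and CTR output is IV || ciphertext with a fresh random IV per message,
// as SP 800-38A requires (unpredictable for CBC, never reused for CTR).
func encrypt(mode string, key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if mode != "CTR" && len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("%s needs input padded to %d bytes, got %d", mode, aes.BlockSize, len(pt))
	}
	if mode == "ECB" {
		ct := make([]byte, len(pt))
		for i := 0; i < len(pt); i += aes.BlockSize {
			block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
		}
		return ct, nil
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, aes.BlockSize+len(pt))
	copy(ct, iv)
	switch mode {
	case "CBC":
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct[aes.BlockSize:], pt)
	case "CTR": // block cipher used as a stream cipher: keystream XOR plaintext
		cipher.NewCTR(block, iv).XORKeyStream(ct[aes.BlockSize:], pt)
	default:
		return nil, fmt.Errorf("unknown mode %q", mode)
	}
	return ct, nil
}

// decryptCBC reverses encrypt("CBC", ...), taking the IV from the first block.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is invalid", len(ct))
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pt, nil
}

// duplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier one.
// Anything above zero means an eavesdropper can see plaintext structure.
func duplicateBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	pt := repeatedPlaintext()
	for _, mode := range []string{"ECB", "CBC", "CTR"} {
		ct, err := encrypt(mode, demoKey, pt)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d repeated ciphertext blocks\n", mode, duplicateBlocks(ct))
	}
}
```

ECB reports seven repeated blocks out of eight, while CBC and CTR report none: same key, same plaintext, but only ECB exposes the structure (this is the effect behind the well-known "ECB penguin" image). The block also shows why CTR needs no padding and why CBC ciphertext must carry its IV.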
Unlike symmetric algorithms, which use a single key for encryption and decryption, asymmetric algorithms employ a mathematically related pair of keys, a public key and a private key. The pair is generated so that deriving the private key from the public key is computationally infeasible. To send a confidential message, the sender encrypts with the recipient's public key and only the recipient's private key can decrypt it: what the former locks, the latter unlocks. The public key can be published freely, while the private key never leaves its owner and is never sent with the message. Popular asymmetric algorithms are RSA (Ron Rivest, Adi Shamir and Leonard Adleman), Diffie-Hellman (D-H, used for key agreement rather than for encrypting data), Elliptic Curve Cryptography (ECC) and ElGamal. Because only the holder of a private key can produce a signature that verifies under the matching public key, asymmetric cryptography provides non-repudiation; a symmetric message authentication code cannot, since either party holding the shared key could have produced it. Asymmetric operations are far slower than symmetric ones, so in practice they are used to exchange or protect a symmetric session key and the bulk data is encrypted symmetrically (hybrid encryption).
Hashing produces a fixed-length digital fingerprint, termed a digest or hash, from input of any length. Hashing does not encrypt data and is not reversible; it is used to verify integrity, to store passwords and as the input to digital signatures. A hash algorithm is considered secure if it is preimage-resistant (the original content cannot be recovered from the digest), second-preimage-resistant (no other input can be found that produces a given digest) and collision-resistant (no two inputs with the same digest can be found). Examples of hashing algorithms include RIPEMD, Whirlpool, the Message Digest (MD) family and the Secure Hash Algorithm family (SHA-1, SHA-2 and SHA-3). Algorithms considered strong today are the SHA-2 family (SHA-256, SHA-512), SHA-3, Whirlpool and RIPEMD-320. MD2, MD4, MD5 and SHA-1 are insecure: practical collisions have been demonstrated for MD5 since 2004 and for SHA-1 in 2017 (the SHAttered attack). Browsers moved before the SHA-1 break became practical: Mozilla and Google phased out SHA-1 TLS certificates with expiration dates past December 2016, and in 2013 Microsoft announced its timetable for Windows to stop accepting SHA-1 certificates on January 1, 2017.
Salt, IV, and Nonce
A salt is a random value combined with a password before it is hashed. It does not need to be secret and is stored alongside the hash; its purpose is to make identical passwords produce different hashes and to defeat precomputed (rainbow) tables, so that each password has to be attacked separately. An initialization vector (IV) is a value fed into a block-cipher mode or stream cipher together with the key so that encrypting the same plaintext twice under the same key yields different ciphertext. Wired Equivalent Privacy (WEP) is the textbook failure: its 24-bit IV changes with each packet, but it is so short that it repeats within hours on a busy network, causing keystream reuse that lets an attacker recover the key. A nonce (number used once) is a value, typically random or a counter, created during an authentication or encryption protocol to ensure that a previously captured message cannot be reused in a replay attack.
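The three ideas from the two sections above, fixed-length digests, the avalanche effect and salting, as an added Go example using only the standard library (this is not code from the original article). The sample strings, the password, the 16-byte salt length and the 10,000-iteration work factor are assumptions made for the demonstration, and the PBKDF2 routine is written out only to show where the salt and the iteration count enter the computation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"math/bits"
)

// digestHex returns the SHA-256 digest of s as hex: always 64 hex characters
// (256 bits), whatever the input length.
func digestHex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// bitDiff counts bits that differ between two equal-length byte strings. For a
// good hash, two near-identical inputs differ in about half of the digest bits.
func bitDiff(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// pbkdf2Sha256 derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018,
// block index 1). It is written out to show the salt-and-iterate structure;
// production code should call a vetted PBKDF2, bcrypt, scrypt or Argon2.
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

const iterations = 10000 // assumed work factor; raise it as hardware gets faster

// hashPassword draws a fresh 16-byte random salt and returns salt and hash.
// The salt is not secret and is stored next to the hash.
func hashPassword(password string) (salt, hash []byte, err error) {
	salt = make([]byte, 16)
	if _, err = io.ReadFull(rand.Reader, salt); err != nil {
		return nil, nil, err
	}
	return salt, pbkdf2Sha256([]byte(password), salt, iterations), nil
}

// verifyPassword recomputes the hash with the stored salt and compares in
// constant time, so the comparison itself leaks no timing information.
func verifyPassword(password string, salt, hash []byte) bool {
	candidate := pbkdf2Sha256([]byte(password), salt, iterations)
	return subtle.ConstantTimeCompare(candidate, hash) == 1
}

func main() {
	fmt.Println("SHA-256(\"\") =", digestHex(""))
	a := sha256.Sum256([]byte("attack at dawn")) // constructed sample inputs
	b := sha256.Sum256([]byte("attack at dusk"))
	fmt.Printf("changing one word flips %d of 256 digest bits\n", bitDiff(a[:], b[:]))

	const pw = "correct horse battery staple"
	salt1, h1, err := hashPassword(pw)
	if err != nil {
		panic(err)
	}
	salt2, h2, _ := hashPassword(pw)
	fmt.Printf("salt %x -> %x...\n", salt1, h1[:8])
	fmt.Printf("salt %x -> %x... (same password, different hash)\n", salt2, h2[:8])
	fmt.Println("verify correct password:", verifyPassword(pw, salt1, h1))
	fmt.Println("verify wrong password:  ", verifyPassword("Correct horse battery staple", salt1, h1))
}
```

Two things to notice when running it: the same password stored twice produces two unrelated hashes because the salts differ, so a rainbow table built for one user is useless against another, and the iteration count makes each guess in an offline attack cost thousands of HMAC computations instead of one.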
Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography that achieves the same strength as RSA with much shorter keys. Instead of relying on the difficulty of factoring the product of two large primes, ECC relies on the difficulty of the discrete logarithm problem over points on an elliptic curve. A 160-bit ECC key provides roughly the protection of a 1024-bit RSA key, and a 256-bit ECC key roughly that of a 3072-bit RSA key (about 128 bits of security, per NIST SP 800-57). Shorter keys mean faster operations and smaller certificates, so mobile phone and IoT manufacturers favor ECC for devices with limited computing power, and it underlies the ECDHE key exchange and ECDSA signatures used in modern TLS.
When an algorithm is shown to be weak, as happened with DES (key too short), MD5 and SHA-1 (collisions) and RC4 (keystream biases), it becomes an attractive target and enterprises discontinue it in favor of its successors. Designing systems so that an algorithm can be swapped without a rewrite (cryptographic agility) makes that migration far less painful.
Key exchange is the central problem of symmetric cryptography: both parties need the same secret key before they can communicate, and it has to reach them without being intercepted. There are two primary approaches, in-band key exchange and out-of-band key exchange.
In an in-band key exchange, the two users establish the encryption key over the same communication channel that will carry the encrypted data. This is only safe when the key material itself is protected, which is what asymmetric algorithms such as Diffie-Hellman or RSA key transport do in TLS. In an out-of-band key exchange, the two users agree on the symmetric key over a separate channel (in person, by courier, over a phone call or through a pre-provisioned device) and then exchange encrypted data over the network.
Forward secrecy protects past traffic: session keys are derived from fresh, short-lived key material, so that if a long-term private key is later compromised, the keys of earlier sessions cannot be recovered and recorded traffic stays unreadable.
A digital signature is electronic proof of origin: the sender hashes the message and signs the digest with a private key, and anyone holding the matching public key can verify the result. Because only the private key holder could have produced it, the sender cannot later deny having sent the message (non-repudiation). A digital signature also ensures the integrity of the message, since any change made after signing causes verification to fail.
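Signing and verification as an added example in Go (written for this edit, not code from the original article), using ECDSA over the P-256 curve with SHA-256 from the standard library. The names Alice and Mallory and the transfer message are constructed for the scenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newSigner generates a P-256 key pair. The private key stays with its owner;
// only the public key is distributed, normally inside an X.509 certificate.
func newSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign hashes the message with SHA-256 and signs the digest with the private
// key, producing a DER-encoded ECDSA signature.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify recomputes the digest and checks the signature against the public
// key. It returns false if the message was altered after signing or if the
// signature was produced with a different private key.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// tamper flips one bit in the last byte of a copy of msg, as an attacker
// modifying a message in transit might.
func tamper(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[len(out)-1] ^= 0x01
	return out
}

// scenario signs a constructed message as Alice and reports three checks:
// the genuine message verifies, a tampered copy does not, and a signature
// made with Mallory's key does not verify under Alice's public key.
func scenario() (genuine, tampered, forged bool, err error) {
	alice, err := newSigner()
	if err != nil {
		return false, false, false, err
	}
	mallory, err := newSigner()
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("Transfer 100 EUR to account 12345") // constructed sample
	sig, err := sign(alice, msg)
	if err != nil {
		return false, false, false, err
	}
	forgedSig, err := sign(mallory, msg)
	if err != nil {
		return false, false, false, err
	}
	genuine = verify(&alice.PublicKey, msg, sig)
	tampered = verify(&alice.PublicKey, tamper(msg), sig)
	forged = verify(&alice.PublicKey, msg, forgedSig)
	return genuine, tampered, forged, nil
}

func main() {
	genuine, tampered, forged, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:     ", genuine)
	fmt.Println("tampered message verifies:    ", tampered)
	fmt.Println("Mallory's signature verifies: ", forged)
}
```

The third check is the non-repudiation property in code: a signature that verifies under Alice's public key can only have come from Alice's private key, so the verifier's trust reduces to how well that key was protected and how the public key was bound to Alice, which is the job of the PKI covered later in this domain.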
Diffusion, Confusion, and Collision
Diffusion and confusion were proposed by Claude Shannon in 1949 as the two properties a cipher needs in order to resist statistical analysis of its output. Confusion means the relationship between the key and the ciphertext is complex, so that knowing many ciphertext bits reveals nothing simple about the key; in modern block ciphers this is provided by the substitution step (S-boxes). Diffusion means that each plaintext bit influences many ciphertext bits, so changing a single bit of plaintext changes roughly half of the ciphertext bits; this is provided by the permutation and mixing steps. Together they hide the statistical structure of the plaintext and prevent the key from being deduced from the ciphertext.
A hash collision attack is an attempt to find two distinct inputs to a hash function that produce the same digest. Because the digest has a fixed length while inputs are unbounded, collisions must exist; a secure hash makes finding one infeasible. By the birthday paradox, a brute-force search for a collision in an n-bit digest takes about 2^(n/2) attempts, which is why digest length matters: a 128-bit digest (MD5) offers only 64-bit collision resistance even before the algorithm's structural flaws are considered.
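The birthday bound is easy to see in practice. The following added example (written for this edit, not code from the original article) truncates SHA-256 to a few bytes and finds a collision by brute force in Go; the input strings are constructed for the search, and the full 256-bit digests of the two colliding inputs still differ.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
)

// findTruncatedCollision hashes constructed inputs "msg-0", "msg-1", ... and
// stops when two distinct inputs share the first nBytes of their SHA-256
// digest. It returns both inputs and the number of hashes computed.
func findTruncatedCollision(nBytes int) (a, b string, trials int) {
	seen := make(map[string]string)
	for i := 0; ; i++ {
		msg := fmt.Sprintf("msg-%d", i)
		sum := sha256.Sum256([]byte(msg))
		prefix := string(sum[:nBytes])
		if prev, ok := seen[prefix]; ok {
			return prev, msg, i + 1
		}
		seen[prefix] = msg
	}
}

// truncatedDigestsEqual reports whether two inputs agree on the first nBytes
// of their SHA-256 digests (nBytes = 32 compares the full digest).
func truncatedDigestsEqual(a, b string, nBytes int) bool {
	sa, sb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return string(sa[:nBytes]) == string(sb[:nBytes])
}

// expectedTrials is the birthday bound: about sqrt(pi/2 * 2^bits) random
// inputs are needed before two share a bits-bit digest, i.e. roughly 2^(bits/2).
func expectedTrials(bits int) float64 {
	return math.Sqrt(math.Pi / 2 * math.Pow(2, float64(bits)))
}

func main() {
	for _, n := range []int{2, 3, 4} {
		a, b, trials := findTruncatedCollision(n)
		fmt.Printf("%2d-bit digest: %q and %q collide after %d hashes (birthday estimate %.0f)\n",
			n*8, a, b, trials, expectedTrials(n*8))
	}
	fmt.Printf("a full 256-bit digest would take about %.2g hashes by brute force\n", expectedTrials(256))
}
```

A 32-bit truncation falls in well under a second on a laptop, and each extra byte of digest multiplies the work by 16 (2^4), which is the practical content of the 2^(n/2) rule; it is also why protocols that truncate MACs or hashes for space must budget the remaining bits carefully.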
Steganography is the act of concealing a message inside other, non-secret data such as image, video or audio files. A common technique replaces the least significant bits of pixels or audio samples with message bits, or writes the message into unused fields and slack space in the file, so that the carrier looks unchanged. Unlike encryption, which hides the content of a message, steganography hides the fact that a message exists at all; the two are often combined, and attackers use the technique to move data or commands past content inspection.
Block vs Stream
- Block Cipher: A block cipher encrypts and decrypts a fixed-size block of data (64 bits for DES and Blowfish, 128 bits for AES) at a time with the same key, and a mode of operation (see Modes of Operations above) extends it to longer messages. Block ciphers dominate modern use; modes such as CBC need padding to fill a partial final block. Examples include DES, 3DES, AES, RC5 and Blowfish.
- Stream Cipher: A stream cipher generates a pseudo-random keystream from the key and a nonce and combines it with the plaintext one bit or byte at a time, usually by XOR. The key stays the same for the whole message; what changes is the keystream, so reusing a key and nonce pair exposes the XOR of two plaintexts. A well-designed stream cipher is as secure as a block cipher and is often faster with lower latency. Examples include RC4 (now broken), SEAL, SNOW and ChaCha20; a block cipher in CTR mode also behaves as a stream cipher.
Session Keys and Ephemeral Keys
Session keys are symmetric keys negotiated for a single communication session (for example, one TLS connection between a browser and a web server), used to encrypt and decrypt the data exchanged in that session and discarded when it ends. An ephemeral key is a key, typically the Diffie-Hellman key pair in a DHE or ECDHE exchange, that is generated for a single use and then destroyed; ephemeral keys are what make forward secrecy possible.
Data in transit is data actively moving over a network connection. Before it leaves the host it should be protected by an encrypted channel such as TLS (the successor to the now-deprecated SSL), HTTPS, FTPS, SSH/SFTP or IPsec, so that anyone eavesdropping on the network sees only ciphertext.
Data at rest is data stored on disk or other media and not currently being transmitted. RAID, which lets a server spread data across several drives so that the system keeps running when one drive fails, is an availability control and does nothing for confidentiality.
To protect data at rest, security professionals recommend storage encryption, either whole-drive encryption or file- and database-level encryption, with the keys kept separate from the encrypted media so that a stolen disk or backup is unreadable.
Data in use is data being actively processed, held in a non-persistent state in CPU registers, CPU caches and random-access memory (RAM). It is the hardest state to protect because the processor needs it in the clear to work on it. Defenses include hardware memory encryption and trusted execution environments, which keep memory unreadable to other processes and to an attacker with physical access, together with applications that zero secrets in memory as soon as they are no longer needed.
Random/Pseudo-Random Number Generation
Random or pseudo-random number generation produces values that show no distinguishable pattern, hence the word "random." True random numbers come from a physical source such as electrical noise; a pseudorandom number generator (PRNG) is a deterministic algorithm that expands a small seed into a long sequence that looks random. For keys, IVs, nonces and session tokens only a cryptographically secure PRNG (CSPRNG) is acceptable, such as the operating system's /dev/urandom, getrandom() or Windows BCryptGenRandom: its output cannot be predicted even by someone who has seen earlier outputs. A general-purpose PRNG seeded from the clock or another short value is predictable, and an attacker who recovers the seed recovers every value derived from it.
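How a predictable seed turns into a predictable token, as an added example in Go (written for this edit, not code from the original article). It models a service that builds session tokens from math/rand seeded with the issue time, then plays the attacker who knows only a token and the approximate issue time, and finally shows the fix with crypto/rand. The token format and the one-hour search window are assumptions of the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	mathrand "math/rand"
	"time"
)

// weakToken builds a 16-byte "session token" from math/rand seeded with a
// value an attacker can guess, such as the issue time in seconds. This is the
// bug, constructed for illustration: math/rand is not a CSPRNG.
func weakToken(seed int64) []byte {
	r := mathrand.New(mathrand.NewSource(seed))
	token := make([]byte, 16)
	for i := range token {
		token[i] = byte(r.Intn(256))
	}
	return token
}

// recoverSeed is the attacker's side: knowing a token and roughly when it was
// issued, try every candidate seed in the window until the token is reproduced.
// Once the seed is known, every other token from that generator is predictable.
func recoverSeed(token []byte, approxTime, windowSeconds int64) (int64, bool) {
	for s := approxTime - windowSeconds; s <= approxTime+windowSeconds; s++ {
		if bytes.Equal(weakToken(s), token) {
			return s, true
		}
	}
	return 0, false
}

// secureToken draws 16 bytes from the operating system CSPRNG via crypto/rand.
// There is no seed to recover, so guessing needs on the order of 2^128 tries.
func secureToken() ([]byte, error) {
	token := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, token)
	return token, err
}

func main() {
	issued := time.Now().Unix()
	token := weakToken(issued)
	// The attacker saw the token and guesses it was issued within an hour of now.
	seed, ok := recoverSeed(token, issued+137, 3600)
	fmt.Printf("weak token   %x: seed recovered=%v (seed %d)\n", token, ok, seed)
	strong, err := secureToken()
	if err != nil {
		panic(err)
	}
	fmt.Printf("secure token %x: no seed to recover\n", strong)
}
```

The brute force takes a few thousand iterations and a fraction of a second; a 128-bit token is worth nothing if it is a deterministic function of a 32-bit timestamp. The same reasoning applies to IVs, nonces and password-reset links.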
Implementation vs. Algorithm Selection
Selecting a strong algorithm is not enough; the implementation must also be correct, which is why practitioners use vetted libraries and validated modules rather than writing their own. In Windows this takes the form of Cryptographic Service Providers (CSPs) and cryptographic modules. A CSP packages implementations of cryptographic algorithms and standards as a Dynamic Link Library (DLL) that implements the functions of the CryptoSPI (system program interface) and provides hardware- or software-based encryption and decryption services to applications. More generally, a cryptographic module is the combination of hardware, firmware and/or software that implements cryptographic functions such as authentication, digital signatures, encryption and decryption. Modules are tested against FIPS 140-2 and its successor FIPS 140-3, and a validated module is required in many government and regulated environments.
Perfect Forward Secrecy
Perfect forward secrecy is a property of a key-agreement system in which a fresh, random key pair is generated for every session and destroyed afterward, so the long-term key only authenticates the parties and never protects the data itself. If a long-term private key is compromised, an attacker who recorded earlier sessions still cannot recover their session keys, so a single compromise cannot expose more than the session in which it happens. Ephemeral Diffie-Hellman (DHE) and its elliptic-curve form (ECDHE) provide perfect forward secrecy; static RSA key transport, where every session key is encrypted to the server's long-term key, does not.
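An ephemeral key exchange next to a static one, as an added Go example (written for this edit, not code from the original article) that also serves the key exchange and session/ephemeral key sections above. It uses X25519 from the standard library's crypto/ecdh package (Go 1.20 or later). The KDF is an assumption of the example: HMAC-SHA256 over a fixed label stands in for the HKDF-and-transcript derivation real protocols use.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveSessionKey turns a raw shared secret into a session key. Real
// protocols use HKDF bound to the handshake transcript; HMAC-SHA256 over a
// fixed label stands in for that here and is an assumption of this example.
func deriveSessionKey(secret []byte, label string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// ephemeralHandshake runs one ECDHE exchange over X25519. Each side generates
// a key pair for this session only and sends just its public key; both then
// compute the same shared secret, and the private keys are dropped.
func ephemeralHandshake() (clientKey, serverKey []byte, err error) {
	curve := ecdh.X25519()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Only the PublicKey() values cross the wire.
	clientSecret, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(clientSecret, "session"), deriveSessionKey(serverSecret, "session"), nil
}

// staticSessionKeys models the opposite design: one long-term key pair per
// side reused for n sessions. Every session derives the same key, so a later
// compromise of either long-term private key unlocks all recorded traffic.
func staticSessionKeys(n int) ([][]byte, error) {
	curve := ecdh.X25519()
	clientLongTerm, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serverLongTerm, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	keys := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		secret, err := clientLongTerm.ECDH(serverLongTerm.PublicKey())
		if err != nil {
			return nil, err
		}
		keys = append(keys, deriveSessionKey(secret, "session"))
	}
	return keys, nil
}

func main() {
	for i := 1; i <= 2; i++ {
		c, s, err := ephemeralHandshake()
		if err != nil {
			panic(err)
		}
		fmt.Printf("ephemeral session %d: client %x server %x agree=%v\n", i, c[:6], s[:6], bytes.Equal(c, s))
	}
	keys, err := staticSessionKeys(2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("static sessions:     %x and %x identical=%v\n", keys[0][:6], keys[1][:6], bytes.Equal(keys[0], keys[1]))
}
```

In the ephemeral case the two sides agree on a key within a session and every session gets an unrelated key, so there is nothing a leaked long-term key could later unlock. In the static case the derived key is identical every time, which is exactly the exposure forward secrecy removes. In a real handshake the ephemeral public keys would additionally be signed with the long-term key so that an active attacker cannot substitute its own.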
Security+ candidates should know the following use cases of cryptography:
- Low power devices
- High resiliency
- Low latency
- Supporting integrity
- Supporting confidentiality
- Supporting non-repudiation
- Supporting authentication
- Supporting obfuscation
- Resource vs. security constraints
Are You a Security+ Aspirant and Looking for Some Help?
If the answer to this question is yes, then InfoSec Institute is the right choice for you. InfoSec offers a Security+ Boot Camp that teaches you the information theory in a compressed time frame, and also reinforces the theory with hands-on exercises that help you “learn by doing.”
InfoSec Institute has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.
InfoSec also offers thousands of articles on all manner of security topics.