Security+: Cryptography Concepts (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Cryptography is the study of cryptographic methods/algorithms that are used to convert the plaintext or message into an unreadable form which is known as ciphertext. The fundamental goal of the cryptographic system is to achieve the confidentiality, integrity, and authentication of data and information.
Below are the various cryptographic methods necessary to pass the Security+ exam.
What Cryptographic Methods Do I Need to Know for the Security+ Exam?
Security+ aspirants must understand how to apply and use cryptography in real-world scenarios. This section explains how to apply and use appropriate cryptographic products and tools.
WEP vs. WPA/WPA2 and Preshared key: Wired Equivalent Privacy (WEP) is an IEEE 802.11 standard and is based on Rivest Cipher 4 (RC4). Since multiple vulnerabilities have been discovered in WEP, it’s no longer an effective WiFi security solution. Thus, it is replaced by WPA and WPA2. WiFi Protected Access (WAP) was introduced in 2003 and is based on two encryption protocols, named Temporal Key Integrity Protocol (TKIP) and Lightweight Extensible Authentication Protocol (LEAP). It utilizes a secret and static passphrase, which turned out to be a reason for its failure – hackers were able to run a brute-force guessing attack to compromise that passphrase secretly.
WPA2 (WiFi Protected Access 2) is a new encryption mechanism that adds RSN (Robust Security Network) support for strong protection. Sadly, WPA2 is not a 100% secure solution for WiFi networks in the face of modern novel attacks. According to research made by Math Vanhoef, a postdoc security researcher in the computer science department of the Belgian University KU Leuven, attackers today use a novel attack technique to compromise even encrypted data. However, the patch has also been discovered to prevent and fix novel attacks.
A Preshared Key (PSK) is, in cryptography, a value that has been previously shared by using a secure communication medium between the two parties. PSK can also be used to accomplish authentication for WPA Personal. Due to its secrecy, PSK can only be possessed by authorized devices.
MD5: A Message Digest 5 (MD5) is a one-way cryptographic hash algorithm/function used to verify that a file or message has not been altered while transmitting over a network. MD5 has a 128-bit length and is typically shown in its 32-digit hexadecimal value equivalent. For example, the hexadecimal value for the text “This is my home” should look like this 120EA8A25E5D487BF68B5F7096440018. Sadly, recent attacks have shown that the MD5 algorithm is subject to collisions that question its one-way function ability. A collision occurs when hash values of different text are found to be similar.
SHA: A Secure Hash Algorithm (SHA) and its new versions are developed by the National Institute of Standards and Technology (NIST). Unlike MD5, the SHA-1 function takes an input of any length and generates a 160-bit Message Digest (MD), processing the message into 512-bit blocks. Hence, if a message is not a multiple of the 512-bit blocks, the SHA-1 function pads a message with additional detail unless its length reaches the next highest multiple of the 512-bit block. Since weaknesses in the SHA-1 algorithm have been discovered, its new version, SHA-2, was introduced with several variants that included SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/256, and SHA-512/224. In 2015, the NIST has released SHA-3, the latest member of the Secure Hash Algorithm family.
RIPEMD: This is an abbreviation for Race Integrity Primitives Evaluation Message Digest. The collision was reported in the original version of RIPEMD-128 that was designed after MD4. Later on, its successors such as RIPEMD-160, RIPEMD-256, and RIPEMD-320 were introduced to fix the issue. The main feature of RIPEMD is two independent and different parallel chains of computation whose result is combined at the end of the operation.
HMAC: HMAC stands for Hash-based Message Authentication Code. HMAC is based on the Message Authentication Code (MAC), which is a short piece of information used to authenticate the message and to provide authenticity and integrity assurance to the message. In fact, HMAC is the calculation of the MAC using hash algorithms such as SHA-1 or MD5.
AES: An Advanced Encryption Standard (AES), originally known as Rijndael, is a symmetric-key block cipher algorithm developed by NIST. It consists of fixed 128-bit block ciphers with a key size of 128, 192, or 256 bits.
DES: A Data Encryption Standard (DES) was published in 1977 by the US government for all its digital communications. DES has five modes, and each mode takes 64 bits of simple text as input to produce 64-bit blocks of ciphertext as output. Also, DES uses a 56-bit long key. The DES algorithm uses 16 OR/XOR logical gate operations (Boolean algebra) for each encryption or decryption of text, and each repetition is known as a round of encryption.
3DES: 3DES is also known as Triple Data Encryption Algorithm (TDEA). It’s similar to DES protocol but applies the cipher algorithm three times to each cipher block of text. Unlike DES that uses the 56-bit key, 3DES employs a 168-bit long key. However, AES replaced both 3DES and DES and became popular during 2001 and later.
RSA: Rivest, Shamir, and Adleman (RSA) is a form public key cryptography and was designed in 1970. Even after a long time, RSA is still an effective and secure hashing algorithm. However, the sole difference between the modern RSA and the original RSA deployment is the length of the private and public keys.
Diffie-Hellman: The Diffie-Hellman key exchange is an asymmetric algorithm that was invented in 1970 for developing a shared key over an insecure communication medium.
RC4: A Rivest Cipher (RC4) is a 128 bit stream cipher. It is a foundation of the WPA and WEP encryption schemes. Its successors, RC5 and RC6, are more effective and reliable against hacking techniques.
One-time pads: A one-time pad, also known as Vernam cipher, is a stream cipher used to encrypt a simple text with a secret random key that has the same length as that of the simple text. To accomplish the encryption, the key-stream is combined with the simple text through an XOR Boolean operator to generate a ciphertext.
NTLM and NTLMv2: NTLM provides Unicode support and RC4 cipher. NTLM uses message digest algorithms and Cyclic Redundancy Checks (CRC) to ensure the integrity of the message. Since NTLM is based on RC4, it’s no longer a viable solution because vulnerabilities have been discovered in RC4. Thus, its successor, NTLMv2 has been introduced to overcome the issues. NTLMv2 is a 128-bit system and is based on an MD5 hash that is difficult to crack as compared to its predecessor, NTLM.
Blowfish and Twofish: These are two ciphers developed by the Bruce Schneider. Blowfish uses a 64-bit block size and has a variable key size between 1 and 448 bits. However, Bruce recommends the Twofish cipher because its key size is 256 bits and block size 128 bits.
PGP/GPG: Pretty Good Privacy (PGP) is a commercial product and one of most extensively used asymmetric cryptography solutions for E-mail messages and files on Windows operating systems. Unlike PGP, GNU Privacy Guard (GPG) is an open-source product that can be run on Linux, UNIX, and Windows OSs.
CHAP and PAP: Challenge-Handshake Authentication Protocol (CHAP) is the authentication protocol employed over dial-up connections. Password Authentication Protocol (PAP) is an outdated protocol that was an early POTS (Plain Old Telephone Service) authentication mechanism.
What are the Comparative Strengths and Performance of the Above Algorithms?
Although comparative strengths are based on various factors, two most common factors are Work Factor and Key Length. Work factor, in fact, is the measurement or judgment of the effort and amount of time required to perform a complete brute-force attack on a particular cryptographic algorithm. The algorithms having large work factors are considered more secure than those holding small work factors. On the other hand, Key length is the vital security parameter that provides an appropriate level of protection to the data. The performance of the algorithm can be known by measuring the time and effort required to defeat a specific key length of an algorithm. Thus, stronger keys have paramount importance in cryptosystems.
What Do I Need to Know About Cipher Suites?
A cipher suite is the combination of encryption, authentication, and Message Authentication Code (MAC) algorithms that are employed with SSL/TLS connections. These are negotiated between the web server and web browser during the initial handshake process. Depending on distinct algorithms, the transmission security can be either weak or strong.
Strong vs. Weak Ciphers: The strong ciphers are more secure than weak ciphers. In fact, weak ciphers are prone to numerous vulnerabilities. Therefore, strong ciphers are highly recommended and weak ciphers should be avoided. For instance, the RC4 cipher is significantly weaker than AES cipher suite. The key length factor is also worth mentioning here. The length of the keys must be greater than 2048 bits. The recommended length is 4096 bits, which provides an effective and reliable defense in the face of modern cryptographic attacks such as Replay attack and Ciphertext-only attack.
Are You a Security+ Aspirant and Need Some Help?
If the answer is yes, then InfoSec Institute is the right choice for you. As a matter of fact, the InfoSec offers a Security+ Boot Camp that teaches you the information theory, as well as reinforces theory with hands-on exercises that help you “learn by doing.”
InfoSec also offers thousands of articles on all manner of security topics.