Security+: Basic characteristics of cryptography algorithms [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
In today’s digital world, data is the currency of any organization. However, data assets are becoming increasingly vulnerable and attractive targets of malicious actors due to inadequate security mechanisms. To keep data and critical systems secure, enterprises must take full advantage of cryptographic algorithms along with additional security controls, especially when communicating through a porous network. Here you will learn some essential cryptographic algorithms and their basic characteristics, knowledge of which will help you pass the Security+ exam with an elite score.
What do I need to know about symmetric algorithms?
Symmetric algorithms (also known as private-key or secret-key algorithms) are encryption schemes that use a shared cryptographic key for both encryption and decryption of data. When it comes to encrypting data on a hard drive, the user is the only one in possession of the secret key, while in case of data in transit, each partner has a copy of the shared secret key. The following sections describe various symmetric cryptography solutions that are essential for the Security+ exam.
AES - Advanced Encryption Standard
The AES algorithm utilizes the Rijndael algorithm with block sizes and key lengths of 128, 192, and 256 bits to provide better security than its predecessor, the DES algorithm. This solution has been adopted by the U.S. government as the standard for exchanging unclassified but sensitive data.
DES - Data Encryption Standard
As mentioned above, DES is the predecessor of AES. Unlike AES, it uses a Feistel Cipher and involves a 64-bit block cipher that provides a key strength of 56 bits. Even though DES is an outdated standard and not the most secure security mechanism today due to its small key size, it nevertheless played a crucial role in the development of advanced cryptography and deserves to be understood.
3DES - Triple Data Encryption Standard
3DES is a more secure variant of the DES algorithm. It implements the DES algorithm thrice to each data block, providing a key strength of either 112 or 168 bits.
RC4 - Rivest Cipher 4
RC4 is a 128-bit stream cipher that forms an integral part of wireless security protocols (e.g., WEP and WPA encryption). Though it is still widely used today, most security pros prefer the more advanced RC5 and RC6.
Blowfish is a 64-bit license-free block cipher that utilizes keys of variable lengths from comparatively weak 32-bit to highly secure 448-bit. It can be a reliable encryption option as long as the key lengths are over 128 bits.
The more advanced 128-bit Twofish is capable of using key lengths up to 256 bits. Its security strength is almost equal to that of AES.
What do I need to know about cipher modes?
The National Institute of Standards and Technology (NIST), in its Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, defines some confidentiality modes of operations.
CBC—Cipher Block Chaining
In a CBC mode of operation, data is encrypted with the help of interdependent blocks that are held together by an initialization vector (IV). It uses a chaining mechanism in which the ciphertext from the previous block is used to impact the next block.
The highly efficient GCM is usually used with the AES algorithm and involves sequential numbering of blocks. It provides authenticated encryption with associated data (AEAD), which is used to ensure the integrity, confidentiality, and authenticity of sensitive information.
ECB—Electronic Code Book
In this mode of operation, each block of plaintext has a corresponding value of ciphertext and vice versa. It isn't a very secure option because it encrypts data into identical blocks.
CTR mode turns a block cipher into a stream cipher, with the data encrypted using the XOR function. This mode requires synchronization between the sender and the receiver to recover the plaintext correctly.
Block vs. Stream Ciphers
- Block Cipher: A block cipher encrypts and decrypts one block of data at a time using the same key. It is usually more complex and secure, but slower. Examples of block ciphers include DES, RC5, and Blowfish.
- Stream Cipher: A stream cipher, on the other hand, encrypts one byte of data at a time. Unlike a block cipher, each bit in this mode is encrypted with a different key. In terms of security, it can perform as well as a block cipher if designed properly. Examples of stream ciphers include RC4, SEAL, and SNOW.
What do I need to know about asymmetric algorithms?
Asymmetric algorithms (also known as public key algorithms) are also encryption schemes. However, they involve key pairs, known as public keys and private keys. The public key can be shared with anyone, whereas the private key is possessed only by the owner. The public key is used to encrypt the data while the private key is used to decrypt the data. Even though the keys are related, they are generated in such a way that it’s impossible to derive a private key from a public key. Since asymmetric algorithms are usually slower than symmetric cryptography, security pros do not prefer these algorithms for encrypting a large amount of data. Asymmetric algorithms are used to achieve three fundamental security goals: data integrity, authentication, and non-repudiation.
The RSA algorithm is based on the factoring problem (the difficulty in finding the common factors of large prime numbers) and can be used both for encryption and digital signatures.
DSA—Digital Signature Algorithm
The DSA is a variation of the ElGamal and Schnorr algorithms. Rather than performing encryptions, it uses a discrete logarithm to create 320-bit digital signatures of key strengths between 512 and 1024 (multiples of 64).
The D-H key algorithm is used primarily to generate symmetric shared security keys across insecure public networks. D-H Groups are responsible for the strength of the keys used in the exchange of data through public networks. The higher the number, the higher the security will be. However, with higher number groups it takes much longer to compute the key.
Below are some D-H groups:
- Group 1: 768-bit
- Group 2: 1024-bit
- Group 5: 1536-bit
- Group 14: 2048-bit
- Group 15: 3072-bit
- Group 19: 256-bit elliptic curve
- Group 20: 384-bit elliptic curve
DHE—Diffie-Hellman Ephemeral: The DHE algorithm provides perfect forward secrecy by carrying out multiple rekey operations during a single session.
ECDHE—Elliptic Curve Diffie-Hellman Ephemeral: The ECDHE also provides perfect forward secrecy utilizing elliptic curve cryptography (ECC), which can produce greater security with lesser computational strain than the DHE.
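The exchange described above, with both sides' messages, as an added example that is not part of the original article. It assumes a toy 127-bit modulus (the Mersenne prime 2^127 - 1) and generator 3, far smaller than any of the groups listed and chosen only to keep the numbers readable; the function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (assumption): 127-bit Mersenne prime, far below Group 14.
P = 2**127 - 1
G = 3

def keypair():
    # A fresh private value per exchange is what makes the key ephemeral.
    priv = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    # Reject degenerate public values that would force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("rejecting degenerate public value")
    shared = pow(peer_pub, my_priv, P)
    # Hash the shared number down to a 256-bit symmetric key.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def exchange():
    a_priv, a_pub = keypair()                    # Alice
    b_priv, b_pub = keypair()                    # Bob
    return {
        "wire": (a_pub, b_pub),                  # all an eavesdropper sees
        "alice": session_key(a_priv, b_pub),
        "bob": session_key(b_priv, a_pub),
    }

def rekey_demo():
    # Two exchanges with fresh private values give unrelated session keys,
    # so recovering one key does not reveal the other.
    first, second = exchange(), exchange()
    return first["alice"], second["alice"]
```

Only the two public values cross the network; the private values are discarded after each exchange, which is why a later compromise does not expose earlier session keys.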
ECC (Elliptic Curve Cryptography)
ECC is a way of obtaining more secure encryption from shorter keys. By way of comparison, ECC using a 160-bit key provides as much security as RSA using a 1024-bit key. Today, mobile phone manufacturers use ECC for their mobiles and wireless devices as an alternative to prime-number-based asymmetric cryptography because these devices have less computing power.
PGP/GPG—Pretty Good Privacy/GNU Privacy Guard
PGP and GPG are used to encrypt or create digital signatures of email messages. They are public-private key systems that may utilize a variety of algorithms to protect data while it is in transit. GPG has been available as a commercial product after the split of the free-to-use PGP.
How are hashing algorithms used in cryptography?
Hashing algorithms or functions are a type of cryptography that produces a unique identifier, hash value, checksum, or a message authentication code (MAC). The hash function converts data of arbitrary size into a fixed-length output.
MD5—Message Digest 5
The MD5 cryptographic algorithm is, in fact, a hash function that produces a 128-bit long hash value (output), regardless of the size of the input. The most prominent application of MD5 is the creation and verification of digital signatures.
SHA—Secure Hash Algorithm
Similar in function to the MD5, the SHA algorithm can produce hash value lengths of 160, 224, 256, 384, or 512 bits depending on the type used (SHA-224, SHA-256, and so on).
HMAC—Hashed Message Authentication Code
The HMAC algorithm provides a partial digital signature and depends on a shared secret key. It ensures the integrity of the message being transmitted but doesn't provide non-repudiation.
RIPEMD—RACE Integrity Primitives Evaluation Message Digest
RIPEMD is a group of hash functions designed on the basis of MD4, and is similar in performance to the SHA-1. It produces hash value lengths of 160 bits.
How are key stretching algorithms helpful?
Key stretching is a group of methods that have the potential to stretch weak keys or passwords into more secure ones. A simple example is encrypting a user's password by running it through a series of hash operations.
BCRYPT is based on the Blowfish algorithm and uses the salting technique and an adaptive function to increase the number of iterations over time.
PBKDF2—Password-Based Key Derivation Function 2
This technique involves the repetition of a pseudorandom function (a hashing operation, an HMAC operation, or an encryption cipher function) on the input password along with a salt (a randomly generated string used as an additional input for a one-way function).
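One way to apply the salting and iteration ideas above to password storage, as an added example that is not part of the original article. The record format, the function names and the iteration policy value are assumptions made for this example; the `hashlib.pbkdf2_hmac` and `hmac.compare_digest` calls are from the Python standard library.

```python
import hashlib
import hmac
import os

POLICY_ITERATIONS = 600_000   # assumed policy value for this example

def hash_password(password, iterations=POLICY_ITERATIONS):
    salt = os.urandom(16)     # random salt: equal passwords, unequal records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constructed record format: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(record, policy=POLICY_ITERATIONS):
    # Records created under an older, lower work factor should be upgraded.
    return int(record.split("$")[1]) < policy

def login(password, record, policy=POLICY_ITERATIONS):
    """Return (ok, record_to_store); upgrades the work factor on success."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, policy):
        record = hash_password(password, policy)
    return True, record
```

Storing the iteration count inside each record is what lets the work factor be raised over time without resetting every password.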
How does obfuscation help with data protection?
Obfuscation is the process of making data difficult to interpret or read. For instance, a function may be given the name of a random string of numbers and letters.
According to the XOR truth table (A and B), the value of A XOR B is true if only one of A or B is true. The XOR is an associative and commutative cipher, hence it can only use the key once. The operation is carried out one bit at a time.
ROT13—Rotate by 13 places
The ROT13 is a cipher that substitutes each letter of the plaintext by the 13th letter that comes after it in alphabetical order.
Finally, a substitution cipher is a technique of encrypting data by replacing units of plaintext, which may be a letter or a group of letters, with a fixed ciphertext.