There are books upon books about cryptography and this article will not attempt to regurgitate all of the historical background about the subject. However, there are some specific definitions and concepts that you need to understand in order to successfully navigate the CISSP exam and, for that matter, to be successful in your job.

First let’s take a look at some definitions:

Plaintext — That’s what you’re reading now, plain text.

Ciphertext — That’s encrypted text, plain and simple.

Encryption — That’s taking a plain text message and converting it to ciphertext.

Decryption — That’s taking an encrypted text, or ciphertext, and converting it back to plaintext.

Cryptology — Is the science of securing data.

Cryptography — Is the process of converting plaintext to ciphertext a.k.a. encryption.

Cryptanalysis — Is the science of breaking the code or decrypting the data.

Cryptology — Encompasses both cryptography and cryptanalysis.

Cipher — Is an algorithm for performing encryption or decryption.

Algorithm — Is a set of rules that precisely defines a sequence of operations.

We’ll cover more definitions later. Now let’s look at some math. You need to be familiar with modular math, which is basically what is the remainder after division. As an example, 7 Mod 3 is what? 1 of course. That’s because 3 goes into 7 twice with a remainder of 1. I’ve seen that exact question on an exam. Even something as simple as telling time is modular math. Think about it, two hours past 11 PM is 1 (2+11 = 13, 13/12 = 1 with a remainder of 1) a remainder of 1 so it must be 1 AM.

Before I forget, let’s define Steganography as the hiding of things in things. For a neat way of learning about Steganography, download version 4 of S-Tools from Finland from http://soft.softoogle.com/ap/s-tools-download-126.shtml. Download it and play around with it. For those of you interested in a quick tutorial on S-Tools, you can read this article.

When we’re talking about ciphers, there’s really two basic types: substitution and transposition. Substitution is simply substituting one character for another, e.g. in the word FOOD we substitute B for F, E for O, and T for D and instead of the word FOOD, we now have BEET. In transposition, we simply rearrange the letters, e.g. in the word DRAB we transpose the D and B and the resulting word is BRAD.

When we talk about algorithms, we have to talk about symmetric and asymmetric. I know I said I wouldn’t talk about history, but you have to remember a little history of algorithms here, at least for the exam. Remember that symmetric is ONE key, also known as a secret key. Whereas, asymmetric is two keys, or a pair of keys, known popularly as public/private key pair. Now this may be obvious, but who knows your public key? Right, everyone. And who knows your private key? Only you, correct.

So here’s an important concept: When you see “non-repudiation” that means you can’t deny something is yours. If you encrypt something with your private key and you’re the only one with your private key, then you can’t deny something is yours. Anyone can decrypt the message but everyone knows it came from you.

Let’s take it a step further, on a second pass of encryption (encrypted a second time — HINT: that’s a test question) you use the receiver’s public key. Who can decrypt the message now? Only the receiver, since they’re the only one with the matching private key, thus ensuring confidentiality.

So how do I ensure integrity? I take the message and digitally sign it. I generate a SHA-1 hash of the plaintext message and encrypt the hash with my private key. You receive the message, run your own SHA-1 hash, decrypt the attached hash and compare the two, and if they are the same you know the message hasn’t been changed.

There’s a lot of other things you need to read up on using Google or a reliable Wiki. Things such as block ciphers, stream ciphers, DES and Triple-DES will come up. While you’re looking at DES, also find the definitions for electronic code book (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB) and counter mode (CTR). You should also know the differences in encryption strength between DES and Triple-DES. I’ve also seen a question on the exam that asks about the difference between DES and Double-DES. Now there’s an interesting Google search.

So, which systems are symmetric?

Data Encryption Standard (DES)

Triple-DES

The Advanced Encryption Standard (AES)

International Data Encryption Algorithm (IDEA)

Blowfish

RC4

RC5

RC6

And which systems are Asymmetric?

The Diffie-Hellman Algorithm

RSA

El Gamal

Elliptic Curve Cryptosystems (ECC)

Knapsack

You will also need to read up on Public-Key Infrastructure (PKI) and make sure you understand the roles that Certificate Authorities (CA), and Registration Authority (RA) have. As well as what the PKI steps are.

When we talk about e-mail standards, you need to understand MIME and S/MIME as well as having a fairly good understanding of PGP. Like I said in the beginning, I’m not going into a lot of detail, there’re books out there for that.

When we talk about internet security, there’s more than just basics. Remember, if you’re going to be using the internet for communications, use VPN. You also need to understand AH and ESP.

There are many different attacks against encrypted data. These are the ones you’ll need to understand for the exam.

1) Cipher-Only Attacks

2) Known-Plaintext Attacks

3) Chosen-Plaintext Attacks

4) Chosen-Ciphertext Attacks

Remember that cryptography covers a huge area of knowledge and has been around since the time of Caesar. Get a good book on the subject, find a soft comfortable chair and read yourself to sleep, several times.

Fill out the short form below for pricing information and details regarding our various training options (self paced, online mentored & instructor lead) for the CISSP.

CISSP Instant Pricing- Resources

Grade A stuff. I’m unueqtsionably in your debt.

Stayed tuned. There’s more coming on the 20 Critical IT Security Controls.

Kenneth

This is an excellent summary of the cryptography domain.

More and more crap from ISC2

S-tools can no longer be found on the site you provide.