Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Cryptography infosec pro guide pdf

08/10/2021 Client: muhammad11 Deadline: 2 Day

Cryptography

cryptography

Use the code book in page 170 of your textbook to decode this:

7227 1947 8008 6582

1939 1972 7834 2205

1287 1703 3887 2205

1287 8337 6582 5002

8913 3887 9136 2205

1287 8337 1972 9631

(2) What are the most important properties of public key encryption scheme? Build a PKI structure

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: i

Cryptography: InfoSec Pro Guide

00-FM.indd 1 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: ii

About the Author Sean-Philip Oriyano is a 20+ year veteran of the information technology field, where he is an instructor, author, cyberwarfare expert, and security researcher. Over the years he has worked with many clients, including all branches of the U.S. Military as well as several international clients, and has been sought to instruct at the U.S. Air Force Academy and Naval War College. He obtained his knowledge through a combination of apprenticeships and experience over the years, attaining over 50+ certifications and licenses along the way. Sean has published several books and training videos, and he has authored a dozen research papers on topics such as hacking, forensics, and encryption.

Sean spends most of his time instructing for both public and private clients all over the world. He has consistently received praise for not only his unconventional instructional methods but also for his ability to present complex topics in an easy- to-understand way.

Sean holds many certifications and qualifications that demonstrate his knowledge and experience in the IT field, such as the CISSP, CNDA, CEH, and Security+. He is also trained in Incident Command and Management from FEMA and has earned a MEMS Badge for his efforts.

Outside of work Sean enjoys hiking, skydiving, flying, playing ice hockey, and following the greatest sports franchise ever, the Montreal Canadiens.

About the Technical Editor Jason McDowell has had a varied government career, stemming from 11 years of service in the U.S. Air Force and then transitioning his commitment to a career as a civil servant with the Department of Interior. During his time as an active-duty member of the Air Force, Jason contributed to many different projects that immersed him in the industrial controls field as well as deployable field communications arena. Additionally, Jason performed as a unit Communications Security (COMSEC) officer, which enabled him to experience cryptography at a grassroots level. His involvement in the deployment, protection, and destruction of both Secret and Top Secret cryptographic keying materials gave him a newfound respect and appreciation for cryptography and the policy surrounding it.

Finishing his military service as a system administrator for a combat communications unit, Jason transitioned his skillset to the civil service workforce. His first position was with the Bureau of Land Management (BLM) in Las Vegas, Nevada. During his two years as an Information Technology Specialist for the BLM, Jason expanded his breadth

00-FM.indd 2 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: ii

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: iii

of experience and knowledge working in a freshly built enterprise environment. He was integral in various projects that impacted the health of the company infrastructure, as well as the protection of physical and logical assets. While at the BLM, he played a lead role in upgrading perimeter security systems to meet the stringent federal facility requirements set forth by Homeland Security Policy Directive-12 (HSPD-12). He also had the opportunity to edit and generate numerous company policy documents, including the Continuity of Operations Plan and Site Security Plan.

Jason’s next and current position settled him into an IT Specialist role with the U.S. Fish and Wildlife Service (FWS). Maintaining his commitment to the Department of Interior, Jason’s role with the FWS has greatly expanded his scope of work and has tasked him as an IT Project Manager for multiple federal construction projects. He acts as the primary technical consultant for all ongoing Southern Nevada projects, and is working daily at a ground level with project contractors, ensuring consistency and adherence to organizational policy. Jason continues to reeducate and renew his skillset through training and course content development. His appreciation of the information technology field and all its facets has enabled him to grow his skillset through both certification and in-field application. Jason currently holds the A+, Net+, Security+, MCSA, CEH, and CISSP certifications.

00-FM.indd 3 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: iv

00-FM.indd 4 7/8/13 12:07 PM

This page has been intentionally left blank

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: iv

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: v

Cryptography: InfoSec Pro Guide

Sean-Philip Oriyano

New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto

00-FM.indd 5 7/8/13 12:07 PM

Copyright © 2013 by McGraw-Hill Education and InfoComm International. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-179426-8

MHID: 0-07-179426-3

e-book conversion by Cenveo® Publisher Services

Version 1.0

The material in this e-book also appears in the print version of this title: ISBN: 978-0-07-179425-1,

MHID: 0-07-179425-5

McGraw-Hill Education e-books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks. McGraw-Hill Education is not associated with any product or vendor mentioned in this book. InfoComm International®, InfoComm®, CTS™, and related marks are registered trademarks of InfoComm International in the United States and/or other countries.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5

eBook 425-5cr_pg.indd 1 7/12/13 1:53 PM

http://www.mhprofessional.com
Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: vi

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: vii

I first and foremost would like to dedicate this book to the memory of my father, who passed away during the writing of this book. Dad, you are gone, but never

forgotten. Thanks to my mom for encouraging me to go into this field in the first place. Without her support I don’t think I would have made it this far.

And in the spirit of this book, I also have a coded dedication for someone special out there—you know who you are.

SIAAQKIIMTNPGLYWJYKCLVNCXUEWZKYACVHPWELNGQYVOAMFN QBNQVEGQBLLGIYUVEHKVCLZRISHJFQNSWLHWXMGDZW

APXUNBREUQGQBWPPEOUVEJSJRXUZMEMTMVPLZPCW JYGXGITQXBRFUVVEAOFPZGIXROILVNWOF

XRRBBMIIFPKUKKHMULAYMRBVIGUMMSEAZQMFPTRP MAGATRIAVYTDSLYITYCXPD

Duty, Service, Honor

00-FM.indd 7 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: viii

ix

00-FM.indd 8 7/8/13 12:07 PM

This page has been intentionally left blank

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: viii

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

ix

Contents

ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

1 The Language of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Fundamentals of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Things to Know Upfront About Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 The Process of Encryption: A Closer Look . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Plaintext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Ciphertext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Algorithms and Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2 History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Cryptography Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 What Is Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Modern Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

00-FM.indd 9 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

x Cryptography: InfoSec Pro Guide

3 Components of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Cryptography: Taking a Look Back

and Looking Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Visiting an Old Friend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Dissecting the Caesar Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

4 Algorithms and Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 A High-Level Look at Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Symmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Common Symmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 So What’s the Key? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Don’t Forget Your Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Don’t Cross the Streams, You Block... Head . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Which Is Better, Getting Hit with a Block or Drowning in a Stream? . . . . . . . . . 105

Asymmetric/Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

5 Hashing and Message Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Fundamentals of Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 A Closer Look . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Applications of Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Breaking Hashes and “Kicking Hash” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Lookup Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Rainbow Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Adding a Pinch of Salt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

6 Cryptanalysis and Code Breaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Setting Things Straight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 A Look at Cryptanalysis and Code Breaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 How it Works, Breaking the Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

The Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

7 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 So What Is PKI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Authenticating the Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

00-FM.indd 10 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

Contents xi

Enter the PKI System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 So What Is a Certification Authority? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Building a PKI Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 After PKI Has Been Set Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 PKI in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

8 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Steganography Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Steganography: A Brief History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 So Why Steganography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 How Does Steganography Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Steganography in Audio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Steganography in Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Steganography in Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Null Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Steganography on Hard Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Steganalysis: Detecting Hidden Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Other Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Tools in Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

9 Applied Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Less Theory, More Practical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Automated Teller Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Drive Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

10 Quantum Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 So What Is Quantum Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Traditional Cryptography: A Quick Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Finding a Solution via Quantum Mechanics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

So How Does Quantum Cryptography Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Photons as Information Carriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 But What About Eavesdropping? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

So There Have to Be Problems, Right? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

11 The Future of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Where Are We Now? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Personal Data Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

00-FM.indd 11 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

xii Cryptography: InfoSec Pro Guide

xiii

What About the Law? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 The Law and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Military, Government, and the Individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Key Escrow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Embedded Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 We’ve Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

00-FM.indd 12 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

xiii

Acknowledgments

Amy, thanks for giving me the opportunity to write this book and making the experience as low pressure as it could be. Also thanks for keeping my “scatter- brained” head focused.

Amanda, thanks for your help and input during the writing of this book. It is much appreciated and kept me on track.

Jason, your input was invaluable, and thanks for keeping me honest and not pulling any punches in your comments. Don’t worry, I don’t hold grudges that long.

Katrina, thanks for the support and words of encouragement during my work on this book. Your smile was enough to give me the tailwind I needed.

Cryptomuseum.com, thanks for the use of your images and your help. To my classmates: I would love to thank each of you personally and tell you how much

I appreciate and value the support you gave me in my personal life after my father passed. Shigeru Miyamoto, thanks for letting me borrow Hyrule for awhile. Mark, thanks for your support and for making sure I had the gear I needed to get

things done. Mick, thanks for encouraging me to take breaks from writing and get my butt to the gym. Jennifer, your expertise and encouragement were invaluable.

00-FM.indd 13 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: xiv

xv

00-FM.indd 14 7/8/13 12:07 PM

This page has been intentionally left blank

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Blind Folio: xiv

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

xv

Introduction

This book is a beginner’s guide to the world of cryptography and will give the reader a basic understanding of the science. The reader will learn the terminology, processes, and the mechanics of cryptography, and how to put those skills and understanding together to gain knowledge of even more complex systems. This text will allow the reader to learn how to use each cryptosystem by experimenting with some of the leading examples through puzzles and code-breaking sessions.

Why This Book? This book is intended to get people thinking about the world of cryptography without having to become a mathematical genius to understand everything.

Who Should Read This Book I recommend this book to anyone interested in the field of cryptography who has been confused or intimidated by the formulas and science they encountered. I have attempted to make this book cover the essential details in a fun way that builds a foundation for later exploration.

00-FM.indd 15 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

xvi Cryptography: InfoSec Pro Guide

What This Book Covers This book covers the history, mechanics, categories, applications, and future of cryptography.

How to Use This Book This book is intended to be an interactive journey, giving readers the ability to see the algorithms and systems in action as well as use the systems themselves.

How This Book Is Organized This book is arranged in such a way as to introduce you to the basics of cryptography and then take you through increasingly more complex concepts. Toward the end of the book we look at the more cutting-edge technologies and the future of cryptography.

Chapter 1: The Language of Cryptography Cryptography has a language that is all its own. Although the language is complex, it is understandable and plays an important part in understanding the world of cryptography. In this first chapter, you learn the language of cryptography.

Chapter 2: History of Cryptography Cryptography is not a new technology and has been with us for quite a long time. In order to better understand the present and the future, we take a look back at how the technology has evolved and what this means for the future.

Chapter 3: Components of Cryptography Although you can sit back and listen to the music of an orchestra, you learn much more by understanding the various instruments. In this chapter, you learn about the components of cryptography and how they relate to one another to make up the final picture.

Chapter 4: Algorithms and Ciphers Every design has a blueprint, and in this chapter you learn about the blueprint or design of a system that makes it work.

Chapter 5: Hashing and Message Digests Not all cryptography deals with keeping information secret, and in this chapter you see and understand the world of hashing and how it preserves information in its own way.

Chapter 6: Cryptanalysis and Code Breaking Every time someone has a secret, someone else is likely to want to know it. In this chapter, you learn about how codes can be broken through an analysis of the famous Enigma machine and other techniques.

00-FM.indd 16 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

Introduction xvii

Chapter 7: Public Key Infrastructure Cryptography comes in many forms, with asymmetric and Public Key Infrastructure (PKI) being just two examples. In this chapter, you learn the value of PKI and how it relates to many of the technologies you use every day.

Chapter 8: Steganography Hiding in plain sight—this is the power of steganography. Hiding information in such a way that someone can look right at it and not know it’s there is something that only steganography can offer.

Chapter 9: Applied Cryptography Once you have learned about cryptography and the rules involved, you must then think about how to apply the techniques in the real world. In this chapter, you see how cryptography has been applied to many of the items and systems you use every day without realizing its presence.

Chapter 10: Quantum Cryptography The story of evolution is ongoing, and in our world part of that evolution is quantum cryptography, which uses the power of quantum mechanics to enhance existing systems in ways never imagined.

Chapter 11: The Future of Cryptography Finally, this chapter discusses where cryptography is going and how it will play an increasingly larger role as technology becomes more advanced, more information is generated, and the legal system imposes stricter laws regarding privacy and protection.

About the Series I worked with the publisher to develop several special editorial elements for this series, which we hope you’ll find helpful while navigating the book—and furthering your career.

Lingo The Lingo boxes are designed to help you familiarize yourself with common security terminology so that you’re never held back by an unfamiliar word or expression.

IMHO (In My Humble Opinion) When you come across an IMHO box, you’ll be reading my frank, personal opinion based on experiences in the security industry.

00-FM.indd 17 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Front Matter

xviii Cryptography: InfoSec Pro Guide

In Actual Practice Theory might teach us smart tactics for business, but there are in-the-trenches exceptions to every rule. The In Actual Practice feature highlights how, at times, things actually get done in the real world (that is, exceptions to the rule) and why.

Your Plan The Your Plan feature offers strategic ideas that can be helpful to review as you get into planning mode, refine your plan outline, and embark on a final course of action.

00-FM.indd 18 7/8/13 12:07 PM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

1

The Lan guage

of Crypt ography

CH A

PTER 1

01-Ch01.indd 1 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

2 Cryptography: InfoSec Pro Guide

We’ll Cover

● Fundamentals of cryptography

● Key concepts in cryptography

● Key terms and terminology

Cryptography is a field that has a language all its own—and a complicated and unique language it is. When you first delve into the field and dip those toes into the pool of knowledge known as cryptography, the terms may be overwhelming and intimidating.

Don’t let the idea of formulas, algorithms keys, and the like scare you off and make you feel like you aren’t smart enough to understand them, however. The science is very accessible and digestible at a basic level, but obviously can quickly spiral into complex mathematics—which is something we will not being doing in this text.

In fact, we should think not in terms of formulas, mathematics, logic, and that D we got in math class in 12th grade (long story). Instead, we should think in terms of applications. Where can cryptography be applied, and why should we care? Well, the reality is that the knowledge is applied everywhere you look and frequently in places you would not even guess or be aware of. Some of the places where encryption is used range from the obvious to the not so obvious, as the following list shows:

● Hard drives In today’s world, with the abundance of portable computing devices such as laptops that are easily stolen, drive encryption has become a large part of routine security in the mobile space. Many different products have arrived in the last few years that work to ensure that the thief cannot violate the confidentiality or integrity of the data.

● Digital signatures More and more e-mails are being digitally signed to validate the identity of the sender and to ensure that the information is as the sender intended it to be.

● E-commerce For the last decade, an increasing number of transactions (such as banking and shopping) have taken place online. Without encryption offering the protection needed to keep these transactions secret and authentic, e-commerce would not be possible—or at least not in its current form.

● Cell phones Cell phones make widespread use of cryptographic technologies to authenticate devices as well as protect data and other items. Additionally, many financial transactions are now being completed via mobile devices such as tablets and smartphones. This makes cryptographic operations an integral daily activity for a vast number of customers.

01-Ch01.indd 2 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 3

This is just a short (very short) sampling of the applications of cryptographic technologies in today’s world and marketplace and is just the beginning of the many real- world applications of the art. Hopefully, by the end of this book you will look at current technologies and applications with a new perspective that includes the concepts we will discuss.

Your Plan

When reading through the following chapters, take the time to observe the world and the technologies around to see if you can identify places where cryptographic technology may be used. This is a great exercise because it will get you in the right mindset to understand and possibly implement the technologies later, or at the very least be able to identify them in the software or hardware you purchase.

Fundamentals of Cryptography So what is cryptography? Well, in the broadest and truest sense, it can be referred to as the science and art of creating, studying, breaking, and working with techniques that secure communications. In more simple or layman’s terms, it is the science of securing communications of all types. In the past, the term mainly focused strictly on the process of encryption, but now it has expanded out to cover all the items mentioned here in this text, plus many more.

Encryption gets the most attention in the field of cryptography, so let’s focus on this first and expand our understanding outward from there. Encryption provides a very important tool to the modern world, much like it did in the ancient world, and that is to keep specific information secret to prevent exposure to those who aren’t supposed to see it. How it does this is something that will be discussed in more detail later in the book. Right now we are just concerned with concepts and getting oriented.

LINGO The word cryptography comes to us by way of the Latin language and translates into English as “secret writing,” which quite accurately describes what we will discuss in this text.

01-Ch01.indd 3 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

4 Cryptography: InfoSec Pro Guide

IMHO Encryption, the most widely encountered component of the cryptographic suite, is at the heart and center of many of the commonly performed tasks, including e-commerce over the Internet. Due to clever design and implementation, encryption has enabled the level of secrecy needed to carry out this activity and at the same time maintain the simplicity and transparency needed to make it practical and usable. If either of these last two points was not the case, then the Internet as we know it and the transactions that take place on it would look like a complex mess of unidentifiable characters and symbols—far different from what we are used to seeing today.

Encryption is a process that converts unencrypted information from a clear and open state to a secure and relatively protected state intended to keep the information safe from prying eyes. While the information may be digital, analog, or just written down on paper, the concept is still 100 percent the same: What comes in is unscrambled, and what goes back out is scrambled. Regardless of the medium used, the fundamental and overarching concepts still remain: Plaintext (unencrypted) information is fed into the cryptographic process, and encrypted secured data exits. A simplistic food-based example (I like food) is the meat grinder. Solid meat is fed into one side, on the opposite side out comes ground beef. My apologies to any vegetarians! That ground beef is now in an encrypted form. In other words, there is no way to tell exactly what cut of beef was originally fed into the grinder. Grilling up a fat juicy patty with that ground beef would be a form deciphering that encrypted “message,” but that’s another section.

Is the process that simple? Yes and no. At a conceptual level, it is just like what’s stated here, but at an ever-increasing technical level, it is much more than this. Figure 1-1 shows what encryption looks like at a very fundamental level.

Encryption has been used for thousands of years, but even though the art has taken many forms during this long history, the underlying concepts have remained essentially unchanged, although greatly expanded upon. Even when our cave-dwelling ancestors and others used primitive means to obscure their intentions from outsiders, the basic concepts were the same as they are today.

Note Cryptography plays an important role in information security and is often mentioned in the context of something known as the “CIA triad” in this field. CIA doesn’t refer to a shadowy government agency in this case; rather, it refers to the elements of confidentiality, integrity, and availability. Although encryption cannot help you with preserving the availability of systems or information, it can preserve the first two elements (confidentiality and integrity) very effectively.

01-Ch01.indd 4 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 5

Input

Output

Encryption Process

Figure 1-1 The encryption process

In Actual Practice So what is encryption good for? Just about anything that requires a level of “secrecy” benefits from encryption. Real-world applications range from the simplistic cave drawings to the mathematically complex algorithms of some of today’s highest bit- encrypted ciphers. In actual practice, we use a wide range of encryption functions on a daily basis, and it’s quite amazing to realize just how integrated into our daily lives encryption really is. It has become a technology that we as a society would not be able to safely operate without. Consider all of your online banking transactions, your debit card purchase at the grocery store, that birthday present you purchased online, or the vacation hotel reservations you made last summer. All these products rely on some form of encryption to secure your information and ensure it gets to the intended party. Strictly speaking, encryption is a very effective and relatively easy means of keeping information away from prying eyes and restricting it to those parties who are intended to possess it. The process and technology is effective at keeping information secret, but it does have limitations like anything else, and knowing these limitations is an important piece of information to have handy.

When speaking about encryption as a means to keep something secret, it is important understand that this need not necessarily keep information from being altered. In fact, information that is secret can be altered; therefore, a means of preserving the stated information is also important.

01-Ch01.indd 5 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

6 Cryptography: InfoSec Pro Guide

However, the history and evolution of cryptography and encryption is a discussion for later. Let’s strive to get the language and mechanics correct first. We’ll get things started by focusing on the core items that cryptography and encryption attempt to protect and preserve:

● Confidentiality This is the most obvious item that is preserved by encryption and is the one most will think of when discussing the topic. The need to keep something secret was an early requirement of encryption and the one most widely enforced. When encryption does its job the way it is intended to, information that is meant to stay secret will stay that way to all except those who are meant to view it. In fact, the information will look like a scrambled “mess” and be essentially impossible to view or use in any other way.

● Integrity Not something that you may commonly associate with science and art, but one that is nonetheless important. Integrity simply refers to the need to ensure that information is not altered and is in fact in the same form that the creator or sender wished it to be in when it is received. This element is a relatively new feature of the art, as there hasn’t been a genuinely effective and easy way of ensuring this element until the modern era and the introduction of hashing and message digests (both discussed in a later chapter). Remember when we discuss integrity later on, however, that any time integrity is preserved, it is distinctly different from preserving confidentiality. Integrity is very much the domain of the cryptographic function known as hashing.

Your Plan

When considering any situation in the real world, where you believe encryption or cryptography is the answer or the “magic bullet,” you should be able to answer the following questions:

❑ Am I trying to prevent others from accessing or viewing my data?

❑ Am I trying to prevent information from being altered without my knowledge?

❑ Am I trying to positively identify who the sender or party is that sent a message or carried out an action?

❑ Do I need to be able to verify that information came from a trusted source and no one else?

01-Ch01.indd 6 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 7

● Authentication This is a vital supporting element and feature covered by encryption. Simply put, information must be trusted in regard to who created it and/or who sent it. Authentication is very important when verifying data, a person, or even software such as drivers. Applications of cryptography that support authentication include digital signatures and hashing, both of which are discussed in the following pages and chapters.

● Non-repudiation A fascinating, but little thought of, element preserved by cryptographic elements is non- repudiation, or the ability to positively identify the source or origin of an action or an item of data. Essentially it provides the ability to definitively prove who and where an action or piece of information came from. Non- repudiation should also, in theory, eliminate or substantially cut down on what is known as spoofing, or the impersonation of another party, if the system is kept secure. A great example of a non-repudiation supporting application of cryptography is the use of digital signatures, which will be discussed in detail later.

Each of these elements (plus more) will show up again and again in later chapters, so learn to recognize them in any of the many forms they take. Remember that the elements seen here can exist separately or be used together (as they often are) to create a substantially more powerful solution for a particular application.

LINGO Authentication can and is an incredibly important benefit to have in today’s digital world. In today’s digital world, it is easier than ever before to claim that a piece of information is true and correct. Authentication provides the ability to verify data in regard to its source.

LINGO Non-repudiation is a huge benefit in today’s world because it can limit a lot of the situations where an individual or party claims they didn’t do something, but really did. For example, with non- repudiation features in place, such as with a digital signature, it is possible to definitively state that a message originated from someone. To help you understand the term non-repudiation, let’s consider its root. To “repudiate” means to “deny the truth or validity of” a claim; thus, non-repudiation simply means the inability to refute or deny a truthful and proven claim. In essence, you can’t lie your way out of this one!

01-Ch01.indd 7 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

8 Cryptography: InfoSec Pro Guide

IMHO I always recommend that newcomers to the field always think of the first two letters of CIA and what they stand for as well as the supporting elements of authentication and non-repudiation as a way to help smooth the understanding of the art. You can do this, too, by thinking about which elements are preserved by a particular cryptography function or feature. For example, when hashing is discussed later, try to think of what element or elements of CIA it is preserving.

Things to Know Upfront About Encryption So before we go much further, let’s clear up some misconceptions about cryptography. To make sure you don’t get sidetracked or confused about the process, let’s take a look at some erroneous ideas:

● Encryption is unbreakable. This is a commonly held misconception—that encryption, when performed properly, is unbreakable. This statement is simply not true at all, because encryption is actually breakable in just about every case. You may be wondering at this point whether this is indeed true, as you may have heard otherwise. However, I assure you this is the case.

● All encryption is created equal. This is also a misconception that has widespread appeal among common users. As you will learn later, many aspects of the encryption process can affect its strength, effectiveness, and usability in the real world.

● Confusing means encrypted. Encryption and its parent art cryptography provide a systematic and intensely logical approach to securing data. As you learn more about encryption and its subsequent functions, you will quickly appreciate the preciseness and exactness of this integral system.

● Encryption can only be understood if you’re a mathematician. As stated before, the nitty-gritty details of encryption are based on very complex mathematical algorithms; however, as students and practitioners of cryptography, we respect the complexity for what it is and simply rely on these intricate algorithms as a foundation and framework to the actual encryption functions. In other words, we don’t build the engines, but we do drive the cars.

In just about every case, encrypted data can be revealed if enough time and effort is put forth by the curious party. The idea is that by the time the information is revealed, it will be useless or, as would be the case in many situations, the attacker will have decided to give up and move on.

01-Ch01.indd 8 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 9

● Encryption requires computers. This seems to be another misconception by the newbie to the field, which is that something so complex must require tons of processing power to carry out. Frequently people envision big powerful computers—on par with the HAL 9000—that perform the encryption and decryption process. This is entirely untrue because great cryptosystems were created before the advent and introduction of computers into the field.

In Actual Practice Another great example that is coming up in a later chapter is a famous system known as the Vigenère cipher. This cipher, although broken now, was used for a considerable length of time, up to and including the U.S. Civil War, for a period of around 300 years. The Vigenère cipher used a complex system to replace the contents of the original message with coded content. Although the system was complex and tedious, it did not require the powerful computing systems that came later.

● Encryption is hard. This is a subjective opinion for the most part. Encryption is without a doubt complex when you move into the higher-order mathematics and logic, but not everyone needs to be at that level. In fact, for the vast majority of us that information is unnecessary to know. What may be hard is choosing from all the options available, but I can help you with that in this book. With a basic understanding in hand, you, too, can choose the best option for a given situation and be ready to go.

In Actual Practice In a later chapter we will encounter several awesome examples of cryptography and cryptographic systems, one of them being the Enigma system. Although we won’t worry about the details here, as they are covered well enough later, I can say that the system shows us the concept quite nicely.

The Enigma was a simple pre-computer-era system that was a collection of simple wires and rotors, but was so powerful that some messages that were encrypted by it didn’t get broken by brute-force methods until much later (for example, 2001).

01-Ch01.indd 9 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

10 Cryptography: InfoSec Pro Guide

Note I don’t want to give the impression that just anyone can do encryption—or specifically that anyone can author an encryption algorithm, which is something different from what we will see here altogether. Encryption algorithms are extremely complex, high-order mathematics and are the exclusive domain of mathematicians and scientists with labels such as Ph.D. after their names. Although the mathematics and formulas are very complex in this field, we do not need to know the intimate details at that level to understand encryption and the larger body of knowledge known as cryptography. As such, I will try to refrain from formulas in this text—they are unnecessary. As Stephen Hawking once said, “Every mathematical formula in a text cuts book sales in half.”

● Newer technologies eliminate the need for encryption. This is also a common, but erroneous thought to have in mind. Encryption is only one part of a solution, and in many cases it addresses problems that other technologies cannot. For example, encryption cannot take the place of a good firewall or anti-malware application, nor can it take the place of common sense. It is only one member of a cast of characters designed to protect and safeguard information and other items from those who would wish to view or alter them without permission.

IMHO Never forget that encryption may also protect you or your company from other threats, such as the threat of legal action. In the state of California, for example, encrypting a hard drive on a laptop can lessen the legal penalties in the event the laptop is stolen and personal information is compromised. If the encryption of the drive is not undertaken, the legal ramifications can be harsh, with fines and other penalties available to the prosecutor. The law in the state is known as SB 1386 and covers encryption as part of its scope.

The Process of Encryption: A Closer Look Before we get into the mechanics, terms, and other fine details of encryption, let’s take a brief look at some of the cast of characters and what each does for the process. We’ll get started by looking at some basic terms and processes and then we’ll put them together.

Encryption As was stated earlier, encryption is the process of converting something from one format to another that is unreadable by normal means, thus keeping the data secret or confidential. Encryption takes information and transforms it using a mechanism that is

01-Ch01.indd 10 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 11

mathematical or logical in nature and outputs the end result that is then delivered to the recipient who can then “unpack” it using the correct methods and processes.

Note In the cryptography field, it is not uncommon to use the names Alice and Bob to refer to the parties involved in the encryption process. However, this naming is not a hard-and- fast standard, and in this text I will use different names to refer to the parties involved.

Consider a sample situation where we have two parties: We’ll call them Link and Zelda. These two parties need to share something—it doesn’t really matter what—and keep it secret. In our scenario, Link creates a message and before sending it to Zelda runs it through a process that encrypts or scrambles it and then transmits the message. Link also tells Zelda how the message was encrypted along with some instructions on how to decrypt the message.

When Zelda receives the message from Link, she starts the process of reversing, or decrypting, the message. When receiving the message, Zelda uses the instructions to decrypt the message and then view its contents.

If done correctly, this process only allows Link and Zelda to know what is being said or transferred, with everyone else left to wonder. This is the goal of the process of encryption. Figure 1-2 shows this process and how it looks conceptually.

Plaintext In Figure 1-2, the input and output are labeled simply as “plaintext” and “ciphertext,” respectively. Plaintext is simply the information that enters the encryption process to be

Plaintext

Ciphertext

Encryption Process

Figure 1-2 The encryption process conceptually, in its simplest form

01-Ch01.indd 11 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

12 Cryptography: InfoSec Pro Guide

scrambled. Plaintext—and I must stress this point—can be literally anything and not just text, so don’t get hung up on that term. Plaintext can be text, binary code, or even an image that needs to be transformed into a format that is unreadable by anyone except those who possess the secret to unlocking it.

Plaintext is not only what goes into the encryption process but what comes out of the decryption process as well (more on that in a moment). Remember that you can read plaintext; this is the element of the process you are trying to protect.

Ciphertext If plaintext comes into the process of encryption to get converted into a scrambled format, the resulting format is called ciphertext. Ciphertext is nothing more than plaintext that has been operated on by the encryption process to render a final product. This final product actually contains the original message, albeit in a format that is not retrievable unless someone knows the correct means or can break the code.

In Actual Practice Ciphertext can indeed be broken using the techniques contained in a body of knowledge known as cryptanalysis. Cryptanalysis includes a myriad of methods that may be employed in an attempt to break a message. We will explore these methods and concepts much later in this book after we have explored the techniques in encryption in more detail and have a solid foundation.

Algorithms and Ciphers Probably the trickiest and most mysterious part in the encryption process is something known as the algorithm or cipher. This component sounds complex (and it is), but we

LINGO The term plaintext is used when referring to information that has not been transformed by the encryption process into another form. Is either term more correct than another? No, there is no difference between the terms plaintext and cleartext, and either can be used interchangeably with the other at any time. The choice is really yours, just be sure that whatever term you decide to use you stick with it, because changing back and forth could confuse others.

01-Ch01.indd 12 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 13

don’t have to get into it that far. In fact, the algorithm or cipher is nothing more than a formula that includes discrete steps that mandate how the encryption/ decryption process is to be performed in a given instance. For example, let’s look at a method used by a process discussed later to understand this relationship. In this upcoming sample letter, the characters in a message are shifted a certain amount of spots to the right, thus yielding an encrypted message or ciphertext. Conversely, the algorithm would specifically state that to decrypt the information, the individual characters would be shifted the exact same amount to the left. In other words, the process is reversed, and by abiding by the rules of the encryption process used, you can convert the ciphertext back to plaintext.

So are all algorithms created equal? Absolutely not; they are in fact very different, but they can generally be broken into one of three types, each working in their own separate and unique way. Keep in mind that each of the types of encryption are covered in depth in later chapters. I mention them here to start to distinguish between each and to set up later discussions.

IMHO Two of these encryption types mention a special item known as a “key,” which I will discuss in a moment, and how it pertains to the encryption process itself. Let’s first worry about the types of algorithms, how they differ from each other, and why you should care.

● Symmetric encryption This is the oldest and most widely used type of encryption. Symmetric works by using the same combination to encrypt as to decrypt. The combination used is known as the key, and the same key that is used to encrypt will be used to decrypt. This method is both simple and quick and relies on the sending party both generating a key and finding a way to provide the same to the receiving party. Figure 1-3 shows what the symmetric encryption process looks like conceptually.

LINGO Algorithm and cipher are used interchangeably in just about every case you will encounter. To some the terms refer to distinctly different processes, while others will insist that the processes involved are the same, just with a different name. Although we won’t argue the semantics here, it is worth pointing out that the terms are intertwined and closely related, with ciphers being components of an algorithm.

01-Ch01.indd 13 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

14 Cryptography: InfoSec Pro Guide

Tip Symmetric encryption is simple to remember if you think of the word “symmetric” as conveying a sense of balance. In this case, the same key is used to perform decryption and encryption, which gives a sense of balance as both keys are exactly the same or equal.

● Asymmetric encryption This is one of the newest forms of encryption, and one of the most interesting when examined closer. In essence, the asymmetric encryption process boils down to using one key to encrypt and a totally different, but related one, to decrypt the information. Asymmetric algorithms are ideally suited where non- repudiation and integrity are both needed. Generally, these types of algorithms are not used to ensure confidentiality, simply because of performance reasons (more on that later). Figure 1-4 shows what the asymmetric process looks like.

Plaintext CiphertextEncryption

Ciphertext PlaintextDecryption

Key

Key

Figure 1-3 Symmetric encryption. Note the same key is used for both encryption and decryption.

01-Ch01.indd 14 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 15

Tip Asymmetric encryption is also sometimes known as “public-key cryptography.” This name comes from the fact that one key is held exclusively by a single individual or party while the public key is available to the masses. Stay with me here; these concepts will be explained later. Just remember at this point that the “public” key is asymmetric and is different than the “private” key. Keeping things simple, the private key is, well, private. The public key is, yep, you guessed it, public. That being said, in this particular algorithm, you should always protect that private key!

● Hash functions Any algorithm that fits into this category is unique in how it operates and may confuse your thinking a little. Whereas the previous two types of algorithms are designed to spit out ciphertext that is intended to be reversed, this one does not strive to provide us this. In fact, this type of algorithm takes input and generates a piece of information that is unique and cannot be reversed (or cannot be reversed easily). Hashing is unique because it provides integrity features, but it does not provide confidentiality. Figure 1-5 shows the hashing process in action.

Plaintext Hash

Plaintext

Hash Function

Figure 1-4 The asymmetric encryption process. Note that a separate key is used for encryption and another for decryption.

LINGO In the real world, hashing can produce a fixed-length value known as a “hash” or a “message digest.” The two terms are indeed interchangeable, but at the same time should not be confused with ciphertext, as that is entirely different. Ciphertext is intended to be reversible whereas a hash is not designed to be so.

01-Ch01.indd 15 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

16 Cryptography: InfoSec Pro Guide

Each of the algorithm types introduced here are intended to be used for a specific purpose, and each will provide good levels of protection for the information that is entrusted to it if they are used within these constraints. Using an algorithm outside of what it is designed for may not only be less than optimal, it may provide no protection at all— and, even worse, it will also foster a false sense of security in those using it.

Plaintext Ciphertext Encryption Algorithm

Key

Keyspace

Figure 1-5 The hashing process. Note the output of both the original plaintext and the hash.

In Actual Practice In the real world, it may seem that algorithms need to be kept restricted lest the secrets as to how data is encrypted be revealed to the outside world. This may seem to be the case, but it is not. In reality, an old but well-known concept known as Kerckoff’s Principle is an important but interesting piece to the puzzle. Kerckoff’s Principle states that algorithms do not need to be kept secret and, in fact, may actually suffer if they are kept as such. The principle goes on to state that the strength of a system is largely dependent on the key that is used, not the algorithm itself.

Keep in mind, however, that Kerckoff’s Principle is not some sort of law; instead, it may be thought of as a general guideline or suggestion. In fact, the National Security Agency (NSA) in the United States is one of the many such agencies and organizations that develop algorithms and do not make them public.

01-Ch01.indd 16 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 17

Working along with algorithms are something known as ciphers, which are nothing more than a set of instructions used during the encryption and decryption process. Although the actual functioning of ciphers varies as much as the algorithms, we will discuss later that they still essentially perform the same processes. In the real world, two main types of ciphers are in play: stream ciphers and block ciphers. They both provide protective services to information.

Keys Let’s move on to the important and frequently complicated subject of keys. Keys are incredibly significant for us if we are to understand the encryption process fully.

In the strictest and most technical sense, a key is a discrete piece of information that enacts a specific result or output for a given cryptographic operation. Sounds confusing, but it doesn’t need to be if we look at this the right way. A key in the cryptographic sense can be thought of in the same way as a key in the physical world—as a special item used to open or unlock something (in this case, a piece of information). In the encryption world, the key is what allows access to secured information, thus creating a meaningful result. Without this key, access and translation of the information would not be possible.

IMHO Another helpful way to think of a key is as the combination for a combination lock. A hundred combination locks of the same model may be purchased by you, but they typically will all have different combinations if they are preset by the manufacturer. Although it is theoretically possible that you may acquire two locks with the same combination, it is intended to be highly unlikely.

I personally like the lock analogy in relation to keys because it helps when thinking of the overall encryption process later.

Similar to how a lock of any type will define the parameters of the key or combination that may be used on it, such is the case with encryption keys. Encryption keys are defined by the algorithm in use at a given time. The algorithm is like the design of a lock, which dictates all the different types of grooves, cuts, and other features of a key.

Think of it this way: Let’s propose a theoretical combination lock, much like the one you would use to lock up a bike or a gym locker. This hypothetical lock needs (in our case at least) to have a combination of eight digits that will be used by an individual to unlock

01-Ch01.indd 17 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

18 Cryptography: InfoSec Pro Guide

the lock in order to open their locker or bike. In this case, we can we can write down the parameters of the proposed key in a pseudo formula as such:

● Combination length: Equal to 8

● Valid usable digit range: 0 to 9

With this information in hand, we can see that the combination must be eight digits in length and each digit can only be in the range 0 to 9, inclusive. If we look at the numbers and amount of valid combinations, we can calculate that there are 100 million possible arrangements of digits, given the information we have.

Is 100 million a lot? Well, it is and it isn’t. In human terms, the number of keys is a lot, but in the digital world not so much. In fact, many of the stronger algorithms include a substantially larger number of keys than is possible with our simple example. In cryptography, all the potential key types possible with a particular algorithm are commonly known as the keyspace. Algorithms are designed to provide the greatest amount of protection; as such, modern algorithms are designed to have a vast amount of potential keys in order to thwart guessing or brute-force attacks (which you will learn about much later).

IMHO If it helps you understand the value of having a large keyspace, consider a different approach to the situation. Envision a trench that is one mile deep and one mile across that stretches from Sacramento, California to Los Angeles, which is a distance of about 400 miles. Take that trench and fill it up with ping pong balls and somewhere in this process pick one ball at random, paint it red, and toss it in the trench. Although someone could dig through the trench and perhaps find the red ball, they probably won’t be able to do so quickly. Although statistically one may find the red ball first or maybe find it halfway through, it is likely they will be digging around for a good period of time. In this analogy, the trench would represent the keyspace, the ping pong balls would represent all the possible keys, and the red ping pong ball would represent the one correct key for any given encryption sequence.

Let’s not get too comfortable by thinking that the number of keys is a potent defense against attack, because it is not the only factor. Another factor is key length or size. Basically, as a key gets longer, it offers stronger protection against attacks. Key length together with key size combines to form a stronger solution and defense against many types of key weaknesses, both by design and through outside attack.

01-Ch01.indd 18 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 19

So do longer keys make a given particular encryption scheme stronger? Well, this can be debated, but the answer is that the length of keys can have a substantial impact on the power and strength of an encryption system. For instance, a cryptosystem developed only 40 years ago with 56-bit keys would now be viewed as much weaker in the face of stronger computing systems. In fact, over the last 30 years as computing power has increased thousands of times, algorithms have had to be developed and strengthened to increase the length and number of keys available in any given system.

So how much does key length make a difference? Well, this can be a tricky question, and an even trickier problem to get your head around, so let’s look at this in a matrix format. Table 1-1 shows the relative strength of keys compared to one another as well as how long it would take to break each one on different hardware, whereas Table 1-2 shows the relative value of each key length.

LINGO Key length or size refers to how “long” a key resulting from an actual algorithm may be, but there is another term referring to length of which you should be aware. This term is bits, as in a key is a 40-bit or 1024-bit key, for instance.

In Actual Practice As increased computing power showed up on the scene, key lengths had to be increased with more bits being added to the scheme. So how much power does an extra bit add to a scheme? Consider a 56-bit key: Adding a single bit (that is, changing it to a 57-bit key) doubles the strength of the system, and adding 10 more bits (making it a 66-bit key) makes the key 1,024 times stronger than the original 56-bit key.

In the mid-to-late 1990s, computing power that had the ability to break many of the shorter keyed cryptosystems became widely available to the public, when they had been solely the domain of governments and corporations before. Moving forward to today’s world, we can see that commodity hardware (hardware that can be purchased off the shelf) is much more accessible and available than ever before. In fact, many of the computers available today to the consumer are able to process at a minimum 50,000 56-bit keys per second, or more.

01-Ch01.indd 19 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

20 Cryptography: InfoSec Pro Guide

Looking at Table 1-1 and 1-2, it would seem that a longer key would automatically equal a greater amount of protection, and in many cases this is true. However, there are tradeoffs in the name of performance. A longer key generally equates to longer encrypt and decrypt times. Additionally, the old axiom that says “more is better” is proven wrong here in relation to key length and protection. In fact, the length of the key will only result in a stronger algorithm up to a point, and anything after that will slowly plateau and result in the aforementioned increased processing time.

One more factor that enhances the effectiveness and security of a key is a technique known as a cryptoperiod, the objective of which is to define the specific period of time a cryptographic key may be used before it is pulled from usage in favor of a new key. The cryptoperiod, when used as intended, dictates that after a defined period has expired, the key is no longer to be used to encrypt or decrypt any information, and will either be relegated to an archive or discarded altogether.

When a cryptoperiod is in use, the actual timeframe for key usage is defined by a myriad of factors, dependent on the organization itself. Factors that can impact the time a

Power 40 Bit 56 Bit 64 Bit 128 Bit

Individual 1.4 Min 73 Days 50 Years 1020 Year

Corporate 2 Sec 35 Hours 1 Year 1019 Year

Government 0.2 Sec 3.5 Hours 37 Days 1018 Year

Table 1-1 Times to Break a Key of a Given Length on Different Types of Hardware

Key Length Value

40 Of no use to companies and governments; effective at stopping casual attackers.

56 Used for privacy. Vulnerable and has been broken. DES is the best example of a broken 56-bit encryption scheme.

64 Considered safe, but still is vulnerable and has been broken.

128 Considered generally unbreakable, but some newer technologies and implementations have been vulnerable.

256 Impossible to break with today’s technology.

Table 1-2 Subjective Values of Each Key Length

01-Ch01.indd 20 7/12/13 10:01 AM

Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1 Secure Beginner’s Guide / Cryptography: InfoSec Pro Guide / Oriyano / 425-5 / Chapter 1

Chapter 1 The Language of Cryptography 21

key is valid are key compromises of any type, cost of replacing a key to include decrypting and re-encrypting with a new key and business requirements. Factors that effect the cryptoperiod include incidents such as the loss of a key or other types of compromise.

Putting It All Together Now that you know the key players and terms, let’s put everything together to form a complete picture of the encryption/decryption process. First, it is important to clearly understand what is needed prior to the encryption or decryption process occurring.

In the case of encryption, here’s what’s needed:

● Plaintext In other words, you need to have the information on hand that you are going to put through the encryption process.

● Encryption algorithm This is the mechanism that will perform that actual encryption process and is responsible for being the “mechanism” that transforms the information.

● Key The item responsible for setting the specific options or configuration, if you will, of the mechanism at a specific point in time.

In Actual Practice Key lengths may also be impacted by export laws that fall outside the scope of the cryptographer—and the scope of this book for that matter. When we discuss key lengths and export laws, we’ll refer to the United States and the laws that were in place for a period of time. In the United States the laws that were in play for a while absolutely forbad the export of any encryption technology that exceeded 40 bits in length. Anyone who chose to run afoul of this would quickly find themselves in trouble with the U.S. government and in the same category as those who would export weapons technology to foreign powers. Although these laws were intended to prevent the technology from getting into the hands of hostile powers, it also impacted, tremendously, the flow of strong encryption technology outside the U.S. Although such controls still exist, they have been substantially relaxed, and the export of stronger encryption is allowed more than it was before—but restrictions still exist.

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Homework Guru
Math Guru
Quick Mentor
Top Essay Tutor
Ideas & Innovations
A Grade Exams
Writer Writer Name Offer Chat
Homework Guru

ONLINE

Homework Guru

I have read and understood all your initial requirements, and I am very professional in this task.

$44 Chat With Writer
Math Guru

ONLINE

Math Guru

You can award me any time as I am ready to start your project curiously. Waiting for your positive response. Thank you!

$36 Chat With Writer
Quick Mentor

ONLINE

Quick Mentor

I have read your project details. I can do this within your deadline.

$28 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I am known as Unrivaled Quality, Written to Standard, providing Plagiarism-free woork, and Always on Time

$22 Chat With Writer
Ideas & Innovations

ONLINE

Ideas & Innovations

I am known as Unrivaled Quality, Written to Standard, providing Plagiarism-free woork, and Always on Time

$42 Chat With Writer
A Grade Exams

ONLINE

A Grade Exams

I have read your project details. I can do this within your deadline.

$40 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Baron d holbach free will - Mechanical heat pump experiment lab report - Kimpel products makes pizza ovens for commercial use - Wk1D1 - Chapter 1 the business and society relationship - Ld didactic physics leaflets - How does bassanio describe portia - 360 degree marketing campaign ppt - Travis perkins credit control - International hrm policies and practices - Prophetic orientation is a prominent aspect of - How to pronounce subitizing - Sycamore candy company offers an mp3 download - Writing Assignment - Ammonium hydroxide and silver nitrate chemical equation - Capsim consumer report answers - Crosby's basic elements of improvement - Discussion question, 150 words minimum, 2 recent reference citations(2019-2020) - Community Health Case 2 - Assignment Question - Carbine deadbolt installation instructions - Hipaa compliance privacy officer snopes - Chemical properties of windex - If equal masses of o2 and hbr are in separate - Duct mounted hepa filter - West durham amalgamation pigeons - Translate - Types of falsework systems - Discussion 16 - Engineering fundamentals and problem solving 6th edition answer key - Commonwealth bank eftpos machine error codes - Nun gimel hei shin song - Discussion Topic Ch 10. - Alarmsense sounder beacon base - Persuasive writing holiday destination - Adclick g doubleclick net pcs click - Discussion - Gcse balancing chemical equations - Is prom worth it debate - The trouble with the term art summary - View of toledo painter crossword clue - As nzs 3820 2009 - Environmental protection authority nt - Business research management - Ffn milk carton refill bottle - Why is foopets not free anymore - Characteristics of a story - Liberating education consists in acts of cognition - A nonconducting container filled with 25 kg - Compare and contrast these three protocols - Sydney water sewerage diagram - Hst 3000 user guide - It's hard enough being me by anna lisa raya - Money exchange ashford - Is 559 fema answers - Collaborative documentation in mental health - Where was i answers brian smith - Boyle's law lab report answers - Horse attacking human dream - MGT312T Week. 2 Apply Self-Assessment Reflection - Executive summary of hotel industry - How to write a soap note for nurse practitioners - Paul root wolpe it's time to question bio engineering - Barefoot moneymovement org au - Better world books case study pdf - Learning activity - Organ Leader - How to separate iron filings and sand - Discussions in economics - Karla tanner opens a web consulting business income statement - Policy, Legal, Ethics and Cmplc - Forecasting the adoption of a new product - Excel 2019 in practice ch 2 independent project 2 5 - Mgmt - 300 Words - Island experiment forum - Developing effective communication in health and social care - Jk rowling harvard commencement speech - What happened to vilimas and nikalojus lukoszaite - Practical Connection: Security Breach Evaluation - 4-6 pages Adolescent Psychology Imterview - Pmkeys self service online - Determine whether each phrase describes starch glycogen or cellulose - Leadership - Week6-Ns - Consequences of boston busing crisis - In which sea has connell set ship trap island - Homework 1:Exercise - Information Silo - Agenda Comparison Grid - Besson serial number lookup - Unrelated diversification strategy company examples - The fourth of july audre lorde - There will come soft rains powerpoint - Mount gambier to robe - What is the test for the presence of starch - How to calculate surface area to volume ratio - Mybcommlab answers - Cambridge primary mathematics past papers - How to do dupont analysis