Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 11
Basic Cryptography
Defining Cryptography
What is cryptography?
Scrambling information so that it appears unreadable to attackers
Transforms information into a secure form
Steganography
Hides the existence of data
Image, audio, or video files containing a hidden message embedded in the file
Achieved by dividing the data and hiding it in unused portions of the file
Figure 11-1 Data hidden by steganography
© Cengage Learning 2012
Cryptography Process
Cryptographic Algorithms
Three categories of cryptographic algorithms
Hash algorithms
Symmetric encryption algorithms
Asymmetric encryption algorithms
Hash algorithms
Most basic type of cryptographic algorithm
Process for creating a unique, fixed-length digital fingerprint (digest) for a set of data
The digest cannot be reversed to recover the original data
Primarily used for comparison purposes (integrity checking, password storage)
Cryptographic Algorithms (cont’d.)
Example of hashing (ATMs)
Bank customer has PIN of 93542
Number is hashed and result stored on card’s magnetic stripe
User inserts card in ATM and enters PIN
ATM hashes the entered PIN using the same algorithm that was used to create the value stored on the card
If the two values match, the user may access the ATM
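The card-and-ATM exchange above, worked through as an added example (this is not code from the textbook): the PIN is hashed, an entered PIN is re-hashed and compared in constant time, and then the weakness a practitioner should notice is shown. An unsalted hash of a five-digit PIN is not a secret: anyone who can read it off the card recovers the PIN by trying all 100,000 values. SHA-256 and the function names are assumptions for illustration; the PIN 93542 is the slide's.

```python
import hashlib
import hmac
from typing import Optional


def hash_pin(pin: str) -> str:
    """Hash a PIN with SHA-256 (algorithm assumed for illustration)."""
    return hashlib.sha256(pin.encode("ascii")).hexdigest()


def atm_check(stored_hash: str, entered_pin: str) -> bool:
    """Re-hash what the user typed and compare with the value on the card.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters of the hash matched.
    """
    return hmac.compare_digest(hash_pin(entered_pin), stored_hash)


def brute_force_pin(stored_hash: str, digits: int = 5) -> Optional[str]:
    """Recover a PIN from its unsalted hash by trying every possible value.

    A 5-digit PIN has only 100,000 possibilities; a fast hash with no salt
    and no secret key offers no protection against this offline search.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hash_pin(candidate) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    card_hash = hash_pin("93542")        # PIN from the slide, as stored on the card
    print("correct PIN accepted:", atm_check(card_hash, "93542"))
    print("wrong PIN rejected:  ", not atm_check(card_hash, "12345"))
    print("recovered from hash: ", brute_force_pin(card_hash))
```

The lesson is the one the later password-hash slides make: a hash of a low-entropy value must be protected by something more than the one-way property of the hash (a secret key, a salt plus a slow function, or hardware that never exposes the value).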
Defeating “Man in the Middle”
Cryptographic Algorithms (cont’d.)
Most common hash algorithms
Message Digest
Secure Hash Algorithm
Whirlpool
RIPEMD
Password hashes
Cryptographic Algorithms (cont’d.)
Message Digest (MD)
Three versions
Message Digest 2 (MD2)
Takes plaintext of any length and creates a 128-bit hash
Message is padded so its length is a multiple of 128 bits (16 bytes)
Considered too slow today and rarely used
Message Digest 4
Has flaws and was not widely accepted
Cryptographic Algorithms (cont’d.)
Message Digest 5 (MD5)
Designed to address MD4's weaknesses
Message is padded so its length is a multiple of 512 bits; produces a 128-bit hash
Weaknesses in the compression function lead to collisions; practical MD5 collisions have been demonstrated
Should not be used where collision resistance matters (digital signatures, certificates); use a SHA-2 hash instead
Secure Hash Algorithm (SHA)
More secure than MD
SHA-1 has known collision weaknesses; the SHA-2 family (SHA-256, SHA-512) has no practical attacks
Example of a health information technology (HIT) certification requirement
Cryptographic Algorithms (cont’d.)
Whirlpool
Recent cryptographic hash
Adopted by standards organizations (ISO/IEC 10118-3)
Creates a hash of 512 bits
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
Two different and parallel chains of computation
Results are combined at the end of the process
Cryptographic Algorithms (cont’d.)
Password hashes
Used by Microsoft Windows operating systems
LAN Manager (LM) hash: weak legacy format; password uppercased and split into two 7-character halves
New Technology LAN Manager (NTLM) hash: MD4 of the UTF-16LE password, with no salt
Linux and Apple Mac strengthen password hashes by including a random bit sequence
Known as a salt
Makes password attacks more difficult: identical passwords get different hashes, and precomputed (rainbow) tables no longer apply
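The salting point above, as an added example (not the textbook's code): an unsalted fast hash gives every user who chose the same password the same stored value, so one precomputed table cracks them all; a per-user random salt fed through a slow key-derivation function (PBKDF2-HMAC-SHA256 here, from Python's standard library) removes that shortcut and adds a work factor. The iteration count, record layout and function names are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords give equal
    hashes, so a precomputed (rainbow) table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store salt, work factor and derived key. The salt is random per user
    and is not secret; it only has to be unique."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and work factor, compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_same_hash(password: str) -> tuple:
    """For two users who picked the same password, return
    (unsalted hashes equal?, salted records equal?)."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salted_equal = make_record(password)["hash"] == make_record(password)["hash"]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    rec = make_record("Password1")          # constructed sample credential
    print(rec)
    print("login ok:", verify_password(rec, "Password1"))
    print("typo rejected:", not verify_password(rec, "password1"))
    print("(unsalted equal, salted equal):", same_password_same_hash("Password1"))
```

Windows LM and NTLM hashes are unsalted, which is why leaked NTLM hashes are attacked with precomputed tables and GPU cracking; the salted, iterated design is what the Linux and Mac slide item is describing.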
Symmetric Cryptographic Algorithms
Original cryptographic algorithms
Stream ciphers: monoalphabetic substitution, transposition, and simple combination of a key with the plaintext; all fairly simple to crack
One-time pad (OTP): secure only if the pad is truly random, as long as the message, kept secret, and never reused
Block ciphers: encrypt fixed-size blocks (8 or 16 bytes); in the simplest mode (ECB) each block is encrypted independently
Block ciphers are more processor-intensive than the simple classical ciphers
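The "secure if not reused" caveat on the one-time pad, shown as an added example (not code from the book): XOR encryption and decryption with a fresh random pad, then the two-time-pad failure. If the same pad encrypts two messages, XORing the two ciphertexts cancels the pad entirely, and knowing or guessing one message reveals the other without ever touching the key. The messages and function names are constructed for illustration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; a one-time pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. Real OTP use also requires the pad to be
    delivered securely and destroyed after a single use."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad."""
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, pad)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Pad reuse: (p1 XOR pad) XOR (p2 XOR pad) == p1 XOR p2. The attacker
    computes this from ciphertext alone; the key has dropped out."""
    return xor_bytes(c1, c2)


def recover_other_message(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """With p1 XOR p2 in hand, knowing (or guessing) one message gives the other."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_plaintext)


if __name__ == "__main__":
    p1 = b"MEET AT THE PIER"           # constructed sample messages, same length
    p2 = b"ABORT THE ATTACK"
    pad = new_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)   # same pad used twice
    print("decrypts:", otp_decrypt(c1, pad) == p1)
    print("p1 XOR p2 from ciphertexts alone:", two_time_pad_leak(c1, c2).hex())
    print("second message recovered:", recover_other_message(c1, c2, p1))
```

The same failure applies to any stream cipher whose keystream is reused, which is why nonces (initialization vectors) for stream ciphers and counter-mode block ciphers must never repeat under one key.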
Symmetric Cryptographic Algorithms
Data Encryption Standard
Triple Data Encryption Standard
Advanced Encryption Standard
Several other algorithms
Understanding symmetric algorithms
The same shared secret key is used both to encrypt and to decrypt the document
Symmetric Cryptographic Algorithms
Data Encryption Standard (DES)
Based on IBM's Lucifer cipher, originally designed in the early 1970s
Adopted as a standard by the U.S. government in 1977
64-bit block, 56-bit key; the key is now short enough to brute-force, so DES is considered insecure
Triple Data Encryption Standard (3DES)
Designed to extend the life of DES
Applies DES three times (encrypt, decrypt, encrypt)
Ciphertext of the first pass becomes the input for the second
Most secure version uses a different key for each pass
Figure 11-11 3DES
© Cengage Learning 2012
Symmetric Cryptographic Algorithms (cont’d.)
Advanced Encryption Standard (AES)
Symmetric block cipher (Rijndael) selected by NIST in 2000 and published as FIPS 197 in 2001 as the replacement for DES
Official encryption standard used by the U.S. government
Operates on 128-bit blocks with 128-, 192-, or 256-bit keys
Each round applies four transformations to the block: SubBytes, ShiftRows, MixColumns, and AddRoundKey (the final round omits MixColumns)
Designed to be secure well into the future
Adopted as a certification requirement for HIT in 2008
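An added example, not from the textbook, that serves both the block-cipher slide (blocks encrypted independently) and the AES round structure above: a pure-Python AES-128 block encryption written so that SubBytes, ShiftRows, MixColumns and AddRoundKey are visible as separate steps, followed by ECB mode over two identical plaintext blocks to show why "each block encrypted independently" leaks structure. It reproduces the FIPS 197 test vectors. All function names are this example's own. Educational only: it is slow and not constant-time, so it must never be used to protect real data.

```python
"""Pure-Python AES-128 that exposes the round structure. Educational only."""


def _xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def _gmul(a: int, b: int) -> int:
    """General multiplication in GF(2^8), used by MixColumns."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> list:
    """S-box = multiplicative inverse in GF(2^8) followed by an affine map."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):                 # x**254 == x**-1 in GF(2^8); 0 -> 0
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):                # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def _expand_key(key: bytes) -> list:
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                # RotWord
            t = [SBOX[b] for b in t]         # SubWord
            t[0] ^= rcon                     # round constant
            rcon = _xtime(rcon)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # State is column-major: byte i sits at row i % 4, column i // 4.
    # Row r is rotated left by r positions.
    return [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out


def _add_round_key(s, rk):
    return [b ^ k for b, k in zip(s, rk)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    rk = _expand_key(key)
    s = _add_round_key(list(block), rk[0])
    for rnd in range(1, 11):
        s = _sub_bytes(s)
        s = _shift_rows(s)
        if rnd != 10:                        # the final round has no MixColumns
            s = _mix_columns(s)
        s = _add_round_key(s, rk[rnd])
    return bytes(s)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB mode: every block is encrypted independently with the same key."""
    if len(data) % 16:
        raise ValueError("this ECB demo needs a multiple of 16 bytes; pad first")
    return b"".join(aes128_encrypt_block(key, data[i:i + 16])
                    for i in range(0, len(data), 16))


def ecb_leaks_repeats(key: bytes) -> bool:
    """Identical plaintext blocks give identical ciphertext blocks under ECB,
    so an observer sees the repetition even though every byte is encrypted."""
    pt = b"ATTACK AT DAWN!!" * 2              # constructed: two equal 16-byte blocks
    ct = ecb_encrypt(key, pt)
    return ct[:16] == ct[16:]
```

The ECB leak is the reason real deployments chain blocks (CBC) or use a counter with a unique nonce (CTR, GCM): the same plaintext block then encrypts differently each time it appears.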
Other Algorithms
Rivest Cipher (RC)
Family of cipher algorithms designed by Ron Rivest
International Data Encryption Algorithm (IDEA)
Used in European nations
Block cipher processing 64-bit blocks with a 128-bit key over 8 rounds
Blowfish
Block cipher operating on 64-bit blocks with key lengths from 32 to 448 bits
No significant weaknesses have been identified in the cipher itself, but its 64-bit block size limits how much data one key should encrypt (birthday-bound attacks such as SWEET32)
Asymmetric Cryptographic Algorithms
Weakness of symmetric algorithms
Distributing and maintaining a single secret key among multiple, geographically distributed users
Asymmetric cryptographic algorithms
Also known as public key cryptography
Uses two mathematically related keys
Public key available to everyone and freely distributed
Private key known only to individual to whom it belongs
Asymmetric Cryptographic Algorithms (cont’d.)
Important principles
Key pairs
Public key
Private key
Both directions: what one key of the pair encrypts, only the other can decrypt
Digital signature
Verifies the sender (authentication)
Prevents the sender from disowning the message (nonrepudiation)
Proves message integrity
Figure 11-13 Digital signature
© Cengage Learning 2012
Asymmetric Cryptographic Algorithms (cont’d.)
RSA
Published in 1977 and patented by MIT in 1983
Most common asymmetric cryptography algorithm
Security rests on the difficulty of factoring the product of two large prime numbers
Elliptic curve cryptography (ECC)
Users share one elliptic curve and one point on the curve
Uses less computing power than prime-number-based asymmetric cryptography
Key sizes are smaller for equivalent security (a 256-bit ECC key is comparable to a 3072-bit RSA key)
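The digital-signature slide and the RSA slide above, worked as one added example (not the textbook's code): key generation from two primes, encryption with the public key and decryption with the private key, then the signature direction, where the private key operates on a SHA-256 digest and anyone with the public key checks it. A tampered message, a different signer's key, or a bad signature all fail verification, which is what "verifies the sender" and "proves integrity" mean in practice. Assumptions: the primes are the Mersenne primes 2^521-1 and 2^607-1, chosen only because they are known to be prime; real keys use random primes, and this is textbook RSA with no OAEP/PSS padding, so it is for understanding only.

```python
import hashlib

# Demo-only primes. Real RSA keys use randomly generated primes of equal size;
# special-form primes like these are trivially factorable and must never be
# used outside a classroom.
P_DEMO = 2 ** 521 - 1
Q_DEMO = 2 ** 607 - 1


def rsa_keygen(p: int = P_DEMO, q: int = Q_DEMO, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_int(message: bytes) -> int:
    """Sign the hash, not the message: fixed size, and any change is detected."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(private_key, message: bytes) -> int:
    """Same math in the other direction: the private key 'encrypts' the digest."""
    n, d = private_key
    return pow(_digest_int(message), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the digest with the signer's public key and compare with a
    digest computed locally over the received message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"Pay Bob $100"                  # constructed sample message
    sig = rsa_sign(priv, msg)
    print("genuine message verifies:", rsa_verify(pub, msg, sig))
    print("altered message rejected:", not rsa_verify(pub, b"Pay Bob $900", sig))
    secret = int.from_bytes(b"session key 0123", "big")
    print("encrypt/decrypt round trip:", rsa_decrypt(priv, rsa_encrypt(pub, secret)) == secret)
```

In deployed systems the digest is wrapped in a padding scheme (PKCS#1 v1.5 or PSS) before the private-key operation, and the public key is bound to an identity by a certificate; the arithmetic shown here is the core those layers are built around.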
Asymmetric Cryptographic Algorithms
Quantum cryptography
Exploits the properties of microscopic objects such as photons
Does not depend on difficult mathematical problems
Any eavesdropping disturbs the photons and can be detected
NTRUEncrypt
Relatively new: proposed in 1996
Uses lattice-based cryptography
Relies on a set of points in space
Faster than RSA and ECC
More resistant to quantum computing attacks
Still being vetted
Using Cryptography
Cryptography
Should be used to secure data that needs to be protected
Can be applied through either software or hardware
Encryption Through Software
File and file system cryptography
Encryption software can be applied to one or many files
Protecting groups of files
Based on operating system’s file system
Pretty Good Privacy (PGP)
Widely used public key cryptography system
Used to encrypt and sign files and e-mail
GNU Privacy Guard (GPG)
Free, open-source implementation of the same OpenPGP standard; runs on Windows, UNIX, and Linux
Encryption Through Software (cont’d.)
PGP and GPG use both asymmetric and symmetric cryptography: a random symmetric key encrypts the data, and the recipient's public key encrypts that symmetric key
Microsoft Windows Encrypting File System (EFS)
Cryptography system for Windows
Uses NTFS file system
Tightly integrated with the file system
Encryption and decryption transparent to the user
Users can set encryption attribute for a file in the Advanced Attributes dialog box
Encryption Through Software (cont’d.)
Whole disk encryption
Protects all data on a hard drive
Example: BitLocker drive encryption software
Not perfect (once the system is booted and unlocked, the data is as exposed as on any running machine), but one more layer of protection
Video: https://www.youtube.com/watch?v=Tr5SgShepME
Hardware Encryption
Software encryption can be subject to attacks to exploit its vulnerabilities
Cryptography can be embedded in hardware
Provides higher degree of security
Can be applied to USB devices and standard hard drives
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
Hardware Encryption (cont’d.)
USB device encryption
Encrypted hardware-based flash drives
Will not connect to a computer until the correct password has been provided
All data copied to the drive is automatically encrypted
Tamper-resistant external cases
Administrators can remotely control and track activity on the devices
Stolen drives can be remotely disabled
Hardware Encryption (cont’d.)
Trusted Platform Module (TPM)
Chip on the computer's motherboard that provides cryptographic services
Includes a true random number generator
Keys are generated and used inside the chip, so they are never exposed to software running on the host
Measures the boot process; if boot files or data have been altered, the TPM will not release the disk encryption key and the computer will not boot normally
Prompts for a recovery key if the encrypted hard drive is moved to a new computer
Hardware Encryption (cont’d.)
Hardware Security Module (HSM)
Secure cryptographic processor
Includes onboard key generator and key storage facility
Performs accelerated symmetric and asymmetric encryption
Can provide services to multiple devices over a LAN
Video: https://zybersafe.com/video-hardware-based-encryption/