Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide...
-
Upload
suzan-cameron -
Category
Documents
-
view
226 -
download
0
Transcript of Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide...
![Page 1: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/1.jpg)
Ch 10: Ch 10: Understanding CryptographyUnderstanding Cryptography
CompTIA Security+: CompTIA Security+: Get Certified Get Get Certified Get Ahead: SY0-301 Ahead: SY0-301
Study GuideStudy Guide
Darril GibsonDarril Gibson
Last modified 10-31-12Last modified 10-31-12
![Page 2: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/2.jpg)
Introducing Cryptography Concepts
![Page 3: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/3.jpg)
Integrity
Assures that data has not been modified
Hash is a number calculated from data– If the data is unchanged, the hash is
unchanged
Common hash algorithms– MD5, SHA, HMAC– MD5 is 128 bits– SHA-1 is 256 bits
![Page 4: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/4.jpg)
Concepts
Confidentiality– Ensures that only authorized users can view
data
Encryption– Ciphers data to make it unreadable if
intercepted– Includes algorithm and key
![Page 5: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/5.jpg)
Symmetric and Asymmetric Encryption
Symmetric encryption– Uses same key to encrypt and decrypt data
Asymmetric encryption– Uses two keys: public and private– Data encrypted with the public key can only be
decrypted with the private key– Data encrypted with the private key can only be
decrypted with the public key
![Page 6: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/6.jpg)
Concepts
Authentication– Validates an identity
Non-repudiation– Prevents a party from denying an action
Digital signature– Provides authentication, non-repudiation, and integrity– Hash of a message, encrypted with sender's private
key– Anyone can verify it with the sender's public key
![Page 7: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/7.jpg)
Providing Integrity with Hashing
![Page 8: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/8.jpg)
MD5
Message Digest 5– 128 bits– Commonly used to verify disk files,
downloads, etc.– Not very secure—hash collisions can be
found fairly easily– Collisions
Two different files with the same hash
![Page 9: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/9.jpg)
SHA
Secure Hash Algorithm (SHA)
SHA-0 (not used)
SHA-1– 160 bits long, very common– No collisions found yet, but they are now within
reach of well-funded attackers– Should require 2^80 calculations to find a collision,
but an attack has been found that requires only 2^52
Link Ch 10b, 10c
![Page 10: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/10.jpg)
SHA-2 and SHA-3
SHA-2 – Stronger than SHA-1– Four versions: SHA-224, SHA-256, SHA-384
and SHA-512
SHA-3– Approved in Oct. 2012– Even stronger– Link Ch 10d
![Page 11: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/11.jpg)
HMAC
Hash-based Message Authentication Code– Hash the message– Then encrypt the hash with a shared secret
key
Provides integrity and authenticity
Example: HMAC-MD5
![Page 12: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/12.jpg)
Hashing Files
md5sum
Hashcalc
FileAlyzer
![Page 13: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/13.jpg)
![Page 14: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/14.jpg)
Hashing on PC & Mac
![Page 15: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/15.jpg)
SHA-3
Project 12x
![Page 16: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/16.jpg)
Hashing Provides Integrity
![Page 17: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/17.jpg)
Using HMAC
A MITM attacker could change the "correct" hash value to fool the recipient
The general solutions for such MITM attacks are– A trusted third party– A shared secret
HMAC uses a shared secret key for this reason
![Page 18: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/18.jpg)
RIPEMD Hash Algorithm
RACE Integrity Primitives Evaluation Message Digest
Patent-free, came from open academic community– NSA designed SHA-1 & SHA-2
Original RIPEMD was based on MD4 and has known collisions
RIPEMD-160, 256, and 320 are improved versions
Considered similar to SHA-1 in security, but less used– Link Ch 10g
![Page 19: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/19.jpg)
LANMAN Password Hashes
Used in Microsoft Windows through Windows XP to hash passwords
Very old and weak, easily cracked with rainbow tables
Too insecure to be trusted
Should be disabled in Local Security Policy on Windows XP or earlier systems
![Page 20: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/20.jpg)
Disabling LANMAN Hashes
Link Ch 10h
![Page 21: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/21.jpg)
LANMAN Algorithm
Password: Xydke23498Qq
Break into 7-character fields
Change letters to UPPERCASE– XYDKE23 498QQ
Hash each field separately, using DES– Link Ch 10i
![Page 22: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/22.jpg)
NTLM Password Hashes
Microsoft's replacement for LANMAN
NTLMv1 uses MD4– Considered compromised– Still used for logon passwords
See project 5x in CNIT 124
NTLMv2 uses MD5– More secure, used for network authentication– Links Ch 10j, 10k, 10l
![Page 23: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/23.jpg)
NTLMv2 in Windows XP
![Page 24: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/24.jpg)
Feb 8, Windows Security 20Feb 8, Windows Security 2002 Breifings02 Breifings Cracking NTLMv2 AuthenticationCracking NTLMv2 Authentication
NTLM 2 Authentication(slide from link Ch 10m)
MD4
HMAC_MD5
HMAC_MD5
unicode(password)
as KEYunicode(uppercase(account name)+domain_or_hostname)
as KEYserver_challenge+client_challenge
NTLMv2Response
![Page 25: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/25.jpg)
NTLMv2 in Windows Versions
From the Windows 7 Local Security Policy setting's "Explain" tab
![Page 26: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/26.jpg)
Providing Confidentiality with Encryption
![Page 27: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/27.jpg)
Symmetric and Asymmetric Encryption
Encryption turns plaintext into unreadable ciphertext
Symmetric encryption uses the same key for encryption and decryption
Asymmetric encryption uses two keys– A public key and a private key
![Page 28: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/28.jpg)
Symmetric Cryptography
One key encrypts and decrypts data
Cleartext with Key makes Ciphertext
Ciphertext with Key makes Cleartext
Winning Lotto #s: aWDHOP#@-w9
aWDHOP#@-w9 Winning Lotto #s:
![Page 29: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/29.jpg)
Asymmetric Cryptography Algorithms
Use two keys that are mathematically related– Data encrypted with one key can be
decrypted only with the other key
Another name for asymmetric key cryptography is public key cryptography– Public key: known by the public
– Private key: known only by owner
![Page 30: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/30.jpg)
Asymmetric Cryptography
Cleartext with Public Key makes Ciphertext
Ciphertext with Private Key makes Cleartext
Winning Lotto #s: aWDHOP#@-w9
aWDHOP#@-w9 Winning Lotto #s:
![Page 31: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/31.jpg)
Algorithm and Key
Algorithm– The mathematical steps used for encryption
and decryption
Key– A number used to perform encryption and
decryption, usually a long random number
![Page 32: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/32.jpg)
Symmetric is Faster
Symmetric encryption is much faster to perform than asymmetric encryption
Symmetric encryption keys are much shorter– 128 or 256 bits is enough for excellent security
Asymmetric encryption key length– 1024-bit keys are no longer recommended– 2048-bit is the minimum acceptable key length
![Page 33: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/33.jpg)
Symmetric Encryption
![Page 34: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/34.jpg)
Block v. Stream Cipher(both symmetric)
Block cipher– Encrypts groups of bits together– Typically blocks of 64 or 128 bits– AES uses 128-bit blocks, which is safer
Link Ch 10o
Stream cipher– Encrypts each bit individually– WEP uses RC4 stream cipher
![Page 35: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/35.jpg)
Symmetric Encryption is Like a Door Key
Every person who needs a key gets an identical copy
Same key used to lock the door and open it
![Page 36: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/36.jpg)
AES
Strong symmetric block cipher
NIST recommends it
Different key sizes– AES-128– AES-196– AES-256
All are apparently unbreakable at present
![Page 37: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/37.jpg)
AES Advantages
Fast to compute
Efficient, even on small devices
Strong
![Page 38: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/38.jpg)
Pretty animation at Link Ch 10p
![Page 39: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/39.jpg)
DES (Data Encryption Standard)
Recommended by NIST even though it was not secure
56-bit key length
Subject to brute force attack– Try all 2^56 keys
![Page 40: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/40.jpg)
4040
Data Encryption Standard (DES) (continued)
In 1988, NSA thought the standard was at risk to be broken
In 1997, a DES key was broken in 3 months
In 1998, the EFF built a a computer system that cracked a DES key in 3 days– Link Ch 10q
![Page 41: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/41.jpg)
3DES
Performing DES three times makes it stronger– Using 2 or 3 56-bit keys
Less efficient than AES
Secure enough to use—effective key strength of 112 bits
![Page 42: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/42.jpg)
RC4
Strong symmetric stream cipher
Used in WEP– But it was not the weak point that broke WEP
SSL uses RC4– Therefore, so does HTTPS
![Page 43: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/43.jpg)
One-Time Pad
A printed list of random numbers
Effectively a very long shared-secret key
Each part of the key is used only once
Considered unbreakable– Key must be random– Key must be as long as the message– Key is never re-used
![Page 44: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/44.jpg)
RSA Tokens
These things SHOULD be one-time pads
They aren't—RSA held some sort of master key and got hacked in 2011, compromising their security– Link Ch 10r
![Page 45: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/45.jpg)
Blowfish
Strong symmetric block cipher
Designed by Bruce Schneier
![Page 46: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/46.jpg)
Asymmetric Encryption
![Page 47: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/47.jpg)
Key Pairs
Every user of asymmetric encryption must generate a key pair
Public key– Shared with the world
Private key– Kept secret
The two keys are mathematically related
There is no practical way to find the private key from the public key
![Page 48: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/48.jpg)
Key Use
Data encrypted with the public key must be decrypted with the private key
Data encrypted with the private key must be decrypted with the public key
Private keys are kept secret and never shared
Public keys are distributed widely, in certificates or key servers
![Page 49: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/49.jpg)
Symmetric Keys
Asymmetric encryption is strong, but resource intensive
It's too slow to encrypt all traffic
Instead, it's used to share a symmetric key which is then used to encrypt data
![Page 50: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/50.jpg)
Protocols Using Asymmetric Encryption
SSL and TLS (therefore HTTPS)
RSA and Diffie-Hellman
S/MIME and PGP/GPG
Elliptic curve cryptographyElGamal
![Page 51: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/51.jpg)
Rayburn Box (fiction)
A box to transfer secret documentsUses two types of physical keysThe private key opens the box, and there
is only one copy of itThe public key has many copies, and can
lock the box but not unlock it
![Page 52: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/52.jpg)
Mailbox
Anyone can put mail in
Only the mail handler with the secret key can take the mail out
![Page 53: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/53.jpg)
Certificates
Certificate is like a digital ID cardIt has the name of the owner and a public
keyIssued by Certificate Authorities (CAs)
![Page 54: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/54.jpg)
Certificate Uses
EncryptionAuthenticationDigital signatures
![Page 55: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/55.jpg)
![Page 56: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/56.jpg)
NIST Recommended Key Sizes
From Dec. 2009 (Link Ch 10s)
![Page 57: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/57.jpg)
RSA
A cryptography system invented by Rivest, Shamir, and Adelman
The standard used on the Internet for HTTPS
Uses prime numbers– Private key is a long prime number– Public key is the product of two long prime
numbers
Considered very secure
![Page 58: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/58.jpg)
Diffie-Hellman
Not an encryption systemA key exchange algorithm to share a
private key between two partiesHad been a military secret, but it was
independently re-invented by civilian mathematicians
The basis for public-key cryptography
![Page 59: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/59.jpg)
Moxie Marlinspike and Whitfield Diffie at Defcon 19
![Page 60: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/60.jpg)
Elliptic Curve Cryptography (ECC)
Uses elliptic curves instead of prime numbers to calculate keys
Faster and more efficient than RSAUsed on small wireless devicesApproved by NIST in 2005
![Page 61: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/61.jpg)
SteganographyThe process of hiding data in plain view in
pictures, graphics, or text– Example: changing colors slightly to encode
individual bits in an image
The image on the left contains the image on the right hidden in it (link Ch 10t)
![Page 62: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/62.jpg)
Spam Mimic
LinkCh 10u
![Page 63: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/63.jpg)
Steganography
Steganography hides the existence of a message
No one even knows you sent a message at all
This is one type of covert channel– A way to send messages without others even
knowing you sent anything
![Page 64: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/64.jpg)
Quantum Cryptography
Send a secret key one photon at a timeA photon can only be measured once
– Because measuring it destroys it
So if the key gets to the recipient undamaged, that proves no one else snooped on it
![Page 65: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/65.jpg)
Commercial Quantum Cryptography Devices
$82,000 for a pair of devices– Links Ch 10v, Ch 10w
![Page 66: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/66.jpg)
SSL (Secure Sockets Layer)
Created by NetscapeUsed to secure several higher-level
protocols– HTTPS– FTPS
SSL uses certificates for authentication, asymmetric cryptography, and symmetric cryptography
![Page 67: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/67.jpg)
TLS (Transport Layer Security)
Created by the IETF to standardize improvements in SSL
Replaces SSLProtected EAP (PEAP) uses TLS
(PEAP-TLS) to encrypt authenticationTLS requires certificates and CAs
![Page 68: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/68.jpg)
IPsecCan be used for point-to-point VPNsL2TP/IPsec is used for one-to-many VPNsAH (Authentication Header) provides
authentication and integrityESP (Encapsulating Security Payload)
provides confidentiality, integrity, and authentication
AH uses protocol ID 51 and ESP uses protocol ID 50
![Page 69: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/69.jpg)
SSH (Secure Shell)
SSH encrypts Telnet trafficSCP (Secure Copy)
– Copies files over SSH
SFTP– Secures FTP
SSH uses port 22
![Page 70: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/70.jpg)
HTTPS
Sends HTTP traffic over SSL ot TLSUses port 443
![Page 71: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/71.jpg)
Sending EmailAlice is sending mail to Bob
Alice encrypts it with Bob's Public Key
Ciphertext send via emailBob decrypts it with Bob's Private Key
Winning Lotto #s: aWDHOP#@-w9
aWDHOP#@-w9 Winning Lotto #s:
![Page 72: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/72.jpg)
Digital SignatureAlice is signing a loan
Alice calculates the hash of the loan agreement Alice encrypts the hash with Alice's Private Key
Signed loan agreement is sent to the bank The bank can decrypt the hash with Alice's Public Key The bank calculates the hash of the agreement The hash matches the decrypted value
12AB6F89798 #VBEGmg18^*(
#VBEGmg18^*( 12AB6F89798
![Page 73: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/73.jpg)
HTTPS Websites
When you connect, the server sends your browser a certificate containing its public key
Your browser creates a public-private key pair, and sends the public key to the server
Asymetric encryption is used to transmit a session key which is used for symmetric encryption of the session
![Page 74: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/74.jpg)
Signing Email with Digital Signatures
Digital signatures provide– Authentication
Only holder of the private key could create the signature
– Non-repudiationThe sender cannot later deny sending the
message
– IntegrityThe hash value ensures that the message has not
been altered
![Page 75: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/75.jpg)
Digital Signature
![Page 76: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/76.jpg)
Process at Email Sender
Sender's email application:– Hashes the message– Uses sender's private key to encrypt the hash– Sends these items to the recipient
Unencrypted messageEncrypted hash
![Page 77: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/77.jpg)
Process at Email Receiver
Receiver's email application:– Retrieves the sender's public key, from a
certificate or keyserver– Decrypts the encrypted hash with the sender's
public key– Hashes the message– Compares the decrypted hash to the calculated
hash– If they match, the message has authentication,
non-repudiation, and integrity
![Page 78: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/78.jpg)
Encrypted Email
You can also encrypt the body of the message
If you need confidentialityThis can be done with asymmetric or
symmetric encryption
![Page 79: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/79.jpg)
S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME)
A popular standard used to sign and encrypt email
Uses RSA for asymmetric encryptionAnd AES for symmetric encryptionRequires CAs and a PKI (Public Key
Infrastructure) to distribute and manage certificates
![Page 80: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/80.jpg)
PGP/GPG
Pretty Good Privacy (PGP)– A commercial encryption system
developed by Phil Zimmerman
GNU Privacy Guard (GPG)– Free open-source replacement
for PGP
Uses RSA asymmetric encryption and symmetric encryption
Usually with CAs
Phil ZimmermanDesigned PGP
![Page 81: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/81.jpg)
![Page 82: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/82.jpg)
Capturing SSL Handshake with Wireshark
![Page 83: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/83.jpg)
How to Recognize Secure Sites
Padlock icon (not always present)https:// at start of URL (not always visible)
![Page 84: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/84.jpg)
Exploring PKI Components
![Page 85: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/85.jpg)
Public Key Infrastructure (PKI)
Technologies for digital certificates– Create– Manage– Store– Distribute– Revoke
With PKI, two people or entities can communicate securely without knowing one another previously
![Page 86: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/86.jpg)
Certificate Authority (CA)
Public CAs are trusted by browsersThey issue digital certificates, which act as
online ID cardsCAs must be trusted, or the system will fail
![Page 87: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/87.jpg)
Trusted Root Certification Authorities
![Page 88: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/88.jpg)
Link Ch 10x
![Page 89: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/89.jpg)
Link Ch 10x1
![Page 90: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/90.jpg)
Trust Models
Hierarchical– Most common trust model– Public CA creates the root CA– Large CAs also create Child CAs
Trust chain– Root CA issues certificates to Intermediate CAs– Intermediate CAs issue certificates to Child CAs– Child CAs issue certificates to end users
![Page 91: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/91.jpg)
Chain of Trust
PGP and GPG can use a "Chain of Trust"You sign public keys of your friendsThis avoids the cost of Certificate Authorities
(CAs)An old traditional systemNot used for e-commerce
![Page 92: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/92.jpg)
Chain of Trust Problem
Do you really trust a friend of a friend?How about a friend of a friend of a friend?
– http://xkcd.com/364
![Page 93: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/93.jpg)
Self-signed Certificates
You can create a CA and use self-signed certificates
It saves money, but no one will trust your CA– Except your own employees, with your CA
added to the "Trusted Root CA" list– Unacceptable for e-commerce
![Page 94: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/94.jpg)
Registration
Purchase a certificate from a CARegister it with your websiteIn large organizations, these tasks are
separated– Registration Authority (RA)– Certificate Authority (CA)
![Page 95: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/95.jpg)
Revoking Certificates
Reasons– Key compromise– CA conpromise– Change of affiliation– Superseded– Cease of operation– Certificate hold
Certificate Revocation List– Published by each CA
![Page 96: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/96.jpg)
Validating Certificates
Clients check with CA each time they get a certificate
The CA is the Trusted Third PartyCheck to see that certificate is not revokedTwo ways
– CRL– OSCP (Online Certificate Status Protocol)
![Page 97: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/97.jpg)
Google's New System
Link Ch 10y
![Page 98: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/98.jpg)
Key Escrow
Placing a copy of a private key in a safe environment
Prevents data loss from a lost private key
![Page 99: Ch 10: Understanding Cryptography CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson Last modified 10-31-12.](https://reader036.fdocuments.net/reader036/viewer/2022081514/56649e445503460f94b37d8a/html5/thumbnails/99.jpg)
Recovery Agent
A designated person who can recover or restore cryptographic keys
Microsoft BitLocker supports a recovery agent with a second key that works