Cryptography
Use Cases and Techniques
Confidentiality (Encryption)
Integrity (Hashing)
Non-repudiation (Digital Signature)
Authentication (Digital Certificate)
1 Symmetric
Uses a single key for encryption and decryption
Block Sizes: Large
Strength: Large key sizes (difficult to break)
Processing: Fast
Scalability: Not scalable
Key Exchange: Inherently insecure
Stream Ciphers
Works with one bit at a time (RC4)
Block Ciphers
Works on blocks of data
DES: 56-bit key. Broken.
3DES: 64-bit key with 2 or 3 keys. Considered deprecated.
AES: 128, 192 or 256-bit key. Replaced 3DES in 2002.
Blowfish, IDEA (PGP), Twofish (open source)
4 known modes
ECB (each block is independent; not suitable for long messages)
CBC (includes an IV and a component of the previous ciphertext to leverage randomization). It uses chaining and propagates errors.
CFB: Uses an IV and has chaining. Stream cipher. It propagates errors.
CTR (does not have any dependencies; converts the block cipher to a stream cipher using the XOR function)
GCM (an efficient mode of operation for symmetric-key cryptographic 128-bit block ciphers)
2 Asymmetric
Uses two related keys (private and public)
Block Sizes: Small
Strength: Small key sizes
Scalability: Highly scalable
Key Exchange: Key exchange distribution system
RSA: Widely implemented, de facto commercial standard. Works with encryption and digital signatures. Key length is 1088 bits.
ECC: Similar to RSA but with smaller key sizes; requires less computing power. Current US Govt. standard. Key length is 160 bits.
Diffie-Hellman: Primarily used for key agreement. Allows two parties in a DH group that have no prior knowledge of each other to jointly establish a shared secret key.
El Gamal: Primarily used for transmitting digital signatures and key exchange.
Message Flow - Asymmetric (Encrypted message from Alice to Bob)
Plaintext message ---> Asymmetric cipher + Bob's public key ---> Encrypted message ---> Asymmetric cipher + Bob's private key ---> Plaintext message
3 Hashing
Hashing produces a visual representation of a data set. The objective is integrity.
- Validates that the message has not been changed during transmission (message digest)
- Verifies that a file has not been altered (checksum)
Hash Function Characteristics
1- Output must not be reversible.
2- Variable-length input must produce fixed-length output.
3- Output must be unique to the input. If a hash function produces the same value from two different inputs, the result is known as a collision.
Variable-length input ---> Hash function ---> Unique one-way fixed-length output (fingerprint)
Note: the original message remains intact.
Hashing Algorithms
MDx: MD5 has been shown to be subject to collision attacks and is considered "Broken".
SHA: SHA-1 has been subject to collisions and is considered "Broken".
The SHA-2 family is widely used and includes SHA-256, SHA-384 and SHA-512.
RIPEMD: Was developed based on MD4; it has been replaced by RIPEMD-160.
Message Digest in Action
Alice sends a message to Bob
1- Alice puts the message through a hashing algorithm and generates a message digest hash value
2- Alice sends the message and message digest to Bob
3- Bob receives the message and message digest
4- Bob puts the message through a hashing algorithm and generates a message digest hash value
5- Bob compares both message digests
6- If the message digests are the same, the message was not modified during transmission
7- If the message digests are different, the message was modified during transmission
Hashed MAC
A hashed message authentication code (HMAC) is a hashed value that includes a symmetric key.
HMAC provides integrity and origin authentication, and it is used by cryptographic protocols such as TLS and IPsec to verify the integrity of the transmitted data.
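The "Message Digest in Action" flow and the HMAC description above, side by side, as an added example that is not part of the original mind map. It shows that an unkeyed digest sent with the message only catches changes when the digest itself arrives untouched, while the keyed HMAC tag cannot be recomputed without the shared key; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not from the original page.
SHARED_KEY = b"constructed-demo-key-known-only-to-alice-and-bob"
MESSAGE = b"Pay Carol 100 USD"
ALTERED = b"Pay Carol 900 USD"


def send_with_digest(message: bytes) -> tuple:
    """Steps 1-2: Alice hashes the message and sends message + digest."""
    return message, hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    """Steps 4-7: Bob recomputes the digest and compares."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def send_with_hmac(message: bytes, key: bytes) -> tuple:
    """Alice sends message + HMAC-SHA256 tag computed with the shared key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    msg, digest = send_with_digest(MESSAGE)
    _, tag = send_with_hmac(MESSAGE, SHARED_KEY)
    # Message and digest both replaced in transit: no key is needed to
    # compute a fresh SHA-256 digest, so the pair is self-consistent.
    swapped_msg, swapped_digest = send_with_digest(ALTERED)
    return {
        "digest_ok_when_unmodified": verify_digest(msg, digest),
        "digest_detects_changed_message": not verify_digest(ALTERED, digest),
        "digest_accepts_replaced_pair": verify_digest(swapped_msg, swapped_digest),
        "hmac_ok_when_unmodified": verify_hmac(msg, tag, SHARED_KEY),
        "hmac_rejects_changed_message": not verify_hmac(ALTERED, tag, SHARED_KEY),
        "hmac_rejects_unkeyed_digest": not verify_hmac(swapped_msg, swapped_digest, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```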
Hash Attacks
Collision: Using a mathematical technique to force two inputs to produce the same hash value.
Birthday: Exploits the mathematics behind the birthday problem in probability theory to cause a collision.
Pass-the-Hash: Using captured hashed credentials from one machine to successfully gain control of another machine.
4 Digital Signature
A digital signature is a message digest that has been encrypted using a private key. The goal of a digital signature is integrity and non-repudiation.
Digital Signature in Action
Alice sends a message to Bob
1- Alice puts the message through a hashing algorithm and generates a message digest value.
2- Alice encrypts the message digest with her private key.
3- Alice sends the plaintext message and message digest to Bob.
4- Bob receives the message and message digest.
5- Bob decrypts the message digest using Alice's public key, which provides non-repudiation.
6- Bob puts the plaintext message through the same hashing algorithm and generates the message digest.
7- Bob compares both message digests.
8- If the message digests are the same, the message was not modified during transmission (integrity).
9- If the message digests are different, the message was modified in transmission.
Digital Signature Algorithm
RSA: Widely implemented. De facto commercial standard.
Works with both encryption and digital signatures.
Digital Signature Algorithm: Published by NIST with NSA. US Govt. standard.
Note: A digital signature requires two algorithms: a hashing algorithm and a digital signature algorithm.
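The nine "Digital Signature in Action" steps above, as an added example that is not part of the original mind map. It uses textbook RSA with no padding and toy keys built from small known primes, purely to make the hash-then-sign flow visible; real signatures use full-size keys and a padded scheme such as RSA-PSS. All names, keys and messages are constructed.

```python
import hashlib

E = 65537  # common public exponent


def make_key(p: int, q: int) -> dict:
    """Toy RSA key from two known primes (far too small for real use)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest_int(message: bytes, n: int) -> int:
    # Steps 1 and 6: hash the message; reduce it so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, key: dict) -> int:
    # Step 2: "encrypt" the digest with the private exponent d.
    return pow(digest_int(message, key["n"]), key["d"], key["n"])


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    # Steps 5-9: recover the digest with the public key, recompute, compare.
    return pow(signature, e, n) == digest_int(message, n)


# Constructed keys built from Mersenne primes; the message is constructed too.
ALICE = make_key(2**127 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**61 - 1)
MESSAGE = b"Transfer approved by Alice"


def demo() -> dict:
    sig = sign(MESSAGE, ALICE)
    other_sig = sign(MESSAGE, OTHER)  # same message, different private key
    pub_n, pub_e = ALICE["n"], ALICE["e"]
    return {
        "valid": verify(MESSAGE, sig, pub_n, pub_e),
        "altered_message": verify(MESSAGE + b"!", sig, pub_n, pub_e),
        "signed_by_other_key": verify(MESSAGE, other_sig, pub_n, pub_e),
    }


if __name__ == "__main__":
    print(demo())
```

Only the signature made with Alice's private key verifies under her public key, which is the basis for the non-repudiation claim in step 5; the altered message fails the comparison in steps 7-9.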
5 Public Key Infrastructure (PKI)
Consists of programs, data formats, communication protocols, security policies and public key cryptographic mechanisms working together in a comprehensive manner to enable secure communication.
Public Key Infrastructure X.509: A working group formed to develop standards and models known as X.509.
Public Key Cryptography Standards: A set of voluntary standards created by RSA and other industry leaders.
Digital Certificate: A mechanism used to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner.
1- The X.509 standard defines the certificate format and files for the public key
2- The X.509 standard defines the distribution procedure
Types of Digital Certificates (use)
1- Personal - verifies a user identity (generally used for email)
2- Server/Workstation - verifies a device identity
3- Domain validation - verifies a domain and wildcard domains (*.example.com)
4- Organization - verifies a domain or organization
5- Extended validation - verifies a domain or organization subject to additional vetting, aka "green bar"
6- Trusted/Intermediate - identifies root and intermediate certificate authorities
Trust Models (Chain of Trust)
Defines how users trust other users, organizations, CAs and RAs within the PKI.
Web of Trust: No central authority. Each user creates and signs their own certificate. Users sign each other's public keys, "indicating" trust.
Third-Party (Single Authority) Trust: A central third-party certificate authority (CA) signs a key and authenticates the owner.
Hierarchical Model: An extension of the third-party model in which root CAs issue certificates to lower-level "intermediate" CAs, who can issue certificates. Trust is inherited.
* An offline root CA is one that is isolated from the network and often kept powered down to prevent compromise.
- A Registration Authority (RA) offloads some work from the CA. The RA can accept and process registration requests and distribute certificates.
- A Local Registration Authority (LRA) requires physical identification.
Trusted Certificate Lifecycle
1- CSR - Certificate Signing Request
2- Certificate is issued
3- Certificate is published
4- Certificate is received
5- Certificate is installed
6- Certificate renewed, suspended, revoked or expired
7- Key is destroyed.
Certificate Revocation
Suspension - Temporary revocation of certificate until certificate problem is resolved.
Revocation - Permanent withdrawal of trust by issuing authority before scheduled expiration date.
Certificate Revocation List (CRL) - The CA maintains a list of certificates that have been revoked. PULL method, PUSH method.
Online Certificate Status Protocol (OCSP) - Process designed to query the status of a certificate in real time.
6 Cryptographic Attacks
A cryptographic attack is the circumvention of a cryptographic system by exploiting a weakness in a code, cipher, cryptographic protocol or key management scheme.
Cryptanalysis: Process of finding cryptographic weaknesses.
Brute Force: Every possible key is tested (online/offline).
Dictionary Attack: A list of known keys is tested.
Frequency Attack: Looking for patterns to reveal the key.
Replay Attack: The attacker tries to reuse a cryptographic transmission.
Rainbow Tables: Publicly available tables of precomputed hashes.
Salting: Salts are values appended to the input to negate the value of rainbow tables.
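Why salting negates a precomputed table, as an added example that is not part of the original mind map. A small constructed word list stands in for a published table of precomputed hashes, and the function names and accounts are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a published table of precomputed hashes.
COMMON = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    # As on the page: the salt is appended to the input before hashing.
    return hashlib.sha256(password.encode() + salt).hexdigest()


def enroll(password: str) -> tuple:
    salt = os.urandom(16)  # fresh random salt per account, stored beside the hash
    return salt, hash_salted(password, salt)


def check_login(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(hash_salted(password, salt), stored)


def in_table(stored_hash: str) -> bool:
    return stored_hash in PRECOMPUTED


def demo() -> dict:
    # Two constructed accounts that picked the same password.
    salt_a, rec_a = enroll("letmein")
    salt_b, rec_b = enroll("letmein")
    return {
        "unsalted_in_table": in_table(hash_unsalted("letmein")),
        "salted_in_table": in_table(rec_a) or in_table(rec_b),
        "salted_records_identical": rec_a == rec_b,
        "login_ok": check_login("letmein", salt_a, rec_a),
        "wrong_password_ok": check_login("qwerty", salt_a, rec_a),
    }


if __name__ == "__main__":
    print(demo())
```

A single SHA-256 pass is used only to mirror the page's description; password storage in practice uses a deliberately slow salted function such as PBKDF2 (`hashlib.pbkdf2_hmac`).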