Cloned from: CISSP - Cryptography






Front Back
end to end encryption
Only data is encrypted. Packets are encrypted once at the beginning and decrypted at the end. Good for speed and overall security.
link encryption
Each node has separate key pairs. Packets are encrypted and decrypted at each node. The disadvantages are latency and inherent vulnerability.
cryptosystem
Hardware and software implementation that transforms plaintext into ciphertext and back to plaintext. Uses a cryptographic algorithm (cipher) and a cryptovariable (key). Uses substitution and transposition.
block cipher (symmetric key)
Symmetric key algorithm implemented in software. Operates on fixed 64-bit blocks. Plaintext will produce the same ciphertext block. Advantages include reusable keys and interoperability.
stream cipher (symmetric key)
Operates in real time on a continuous stream. Works faster than block ciphers. Keys are only used once (e.g., one-time pad). Disadvantages include key management, and plaintext will produce different ciphertext. Implemented in hardware.
substitution ciphers
replaces bits, characters, or character blocks in plaintext with alternate bits, characters, or blocks. Uses modulo 26.  Can be monoalphabetic or polyalphabetic.
transposition (permutation) ciphers
message might be read horizontally but written vertically.  The order of text is changed. 
symmetric key algorithm
AKA: secret key, single key, private key. Uses a single key to encrypt and decrypt. Disadvantages include: different key for communication, no authentication or non-repudiation. Advantages include speed, strength, and availability. Includes DES, AES, IDEA, and RC5.
Data Encryption Standard (DES)
Symmetric key algorithm. Is a block cipher using a 56-bit key. During encryption, the message is divided into 64-bit blocks, then split into 32-bit blocks. Uses 16 rounds of transposition and substitution.
Electronic Code Book (ECB)
Mode of DES. Best if used with small data.  Operates in 64 bit blocks of plaintext and encrypts into 64 bit blocks of ciphertext. Disadvantage: same plaintext using same key produces same ciphertext.
Cipher Block Chaining (CBC)
Most common mode of DES.  64-bit blocks of plaintext for 64-bit blocks of ciphertext.  Each block is XORed with the ciphertext of the preceding block, creating a dependency, thereby producing more random ciphertext.
Cipher Feedback (CFB)
Stream cipher most often used to encrypt individual characters. Previously generated ciphertext is used as feedback for key generation. Resulting ciphertext is chained together, which causes errors in the encryption process.
Output Feedback (OFB)
Stream cipher similar to CFB. Used to encrypt satellite communication. Previously generated plaintext is used as feedback for key generation. Resulting ciphertext is not chained together, therefore no errors in the encryption process.
Triple DES (3DES)
Message is encrypted using one key, encrypted using a second key and then again encrypted by using either the first key or a third key.  Uses 3 separate 56-bit keys producing a key length of 168 bits.

Disadvantage: cost is significant. Slow, therefore doesn't work with applications. A cryptanalyst can reduce the effective key size to 108 bits in a brute force attack.
Advanced Encryption Standard (AES)
Based on the Rijndael Block Cipher. Uses variable block and key lengths (128, 192, or 256 bits) and 10 to 14 rounds. Implemented in software and hardware. Employs three layers of round transformation. 1) Non-linear layer: parallel application of S-boxes having optimum worst-case nonlinearity properties. 2) Linear mixing layer: provides a guarantee of high diffusion over multiple rounds. 3) Key addition layer: XOR of the round key to the intermediate state.
IDEA Cipher (international data encryption algorithm)
Block cipher operating on 64-bit plaintext block by using 128-bit key. Performs 8 rounds on 16-bit sub-blocks.  Stronger than 3DES and RC. Applies confusion and diffusion.  Used in PGP email encryption system.
Rivest Ciphers (RC)
Block cipher of variable block length and encrypts through integer addition. Block sizes: 32, 64, and 128 bits.  Rounds range from 0 to 255. Key size range 0-2048 bits.
Asymmetric key cryptography - public key -
Uses one key to encrypt and one to decrypt. Uses concept of one-way function.  More commonly used for key management or digital signatures.

Secure message format uses recipient's private key for confidentiality. Open message format guarantees only authenticity using sender's private key. Secure and signed message uses sender's private key and recipient's public key to ensure confidentiality and authenticity.
Disadvantages and advantages of Asymmetric Key
Disadvantage: slow due to use of large keys.

Advantage: confidentiality and authenticity.
Types of asymmetric key cryptography
RSA, Diffie-Hellman, El Gamal, Trapdoor, Elliptic Curve
RSA
Based on the difficulty of factoring a number, N, which is the product of 2 large prime numbers.

Sender creates a symmetric key, encrypts it with the recipient's public key, and transmits it. Recipient decrypts the symmetric key using own private key.
Diffie-Hellman
Secret key agreement algorithm based on discrete logarithms. Vulnerable to Man-in-the-Middle attacks. A separate mechanism can protect against this attack.

Sender and recipient obtain each other's public key. Both combine own private keys with the public key of the other person, producing a symmetric key.
El Gamal
Based on Diffie-Hellman. Extends functionality of Diffie-Hellman to include encryption and digital signatures.
Elliptic Curve (EC)
More efficient than other asymmetric key systems. Uses smaller keys (160-bit EC is equivalent to a 1,024-bit RSA key). Faster and can be implemented in hardware applications, including wireless and smart cards. Used to implement digital signatures, encryption, and key management.
Digital Signatures Standard (DSS)
Uses two acceptable algorithms: the RSA digital signature algorithm and the Digital Signature Algorithm (both use SHA-1). Verifies authenticity and integrity. Sender encrypts message with own private key (open message).
Message Digests - MD2, MD4, MD5, MD6
A condensed representation of a message. Produced using a one-way hash function (one-way function - same key can't encrypt and decrypt message: confidentiality; one-way hash - produces hash value that can't be reversed: authenticity and integrity).

Original message can't be recreated from the MD. No two messages should produce the same message digest (collision). The MD should be calculated by using the entire contents of the original message.
MD5
One of the most popular hashing algorithms today. Used to store passwords and check the integrity of files. Produces a 128-bit digest. Messages are processed in 512-bit blocks using four rounds of transformation. It is susceptible to collisions.
MD6
Uses very large input message blocks (up to 512 bytes) and produces variable-length digests (up to 512 bits).
Secure Hash Algorithm (SHA) - SHA-1
SHA-1: takes variable-size input and produces fixed-size output (160-bit digest). Processes message in 512-bit blocks and adds padding to message.
SHA-2
SHA-2:  four hash functions - SHA-224, SHA-256, SHA-384, SHA-512 that have digests of 224, 256, 384, and 512 bits. Processes message in 512 bit blocks for 224, 256, 384, and 1024 for SHA-512.
Hashed Message Authentication Code (HMAC)
Known as checksum. Extends security for MD5 and SHA-1 through keyed digest. Combines a previously shared secret key and the original message into a single message digest.
Public Key Infrastructure (PKI)
A central authority (CA) stores encryption keys or certificates associated with users and systems, thereby enabling secure communication through the integration of digital signatures and digital certs. Ensures confidentiality, integrity, authentication, non-repudiation, and access control.
Secure Multipurpose Internet Mail Extension (S/MIME)
Secure method of sending email.  Provides confidentiality and authentication using RSA asymmetric key system, digital signatures, and X.509 certs.  Complies with PKCS #7 format.
MIME Object Security Services (MOSS)
Provides confidentiality, integrity, identification, and authentication and non-repudiation using MD2, MD5, RSA and DES.
Privacy Enhanced Mail (PEM)
Proposed as a PKCS-compliant standard but not used. Provides confidentiality and authentication using 3DES for encryption, MD2 and MD5, X.509 certs, and RSA for digital signatures and secure key distribution.
Pretty Good Privacy (PGP)
Popular email encryption. Provides confidentiality and authentication by using IDEA for encryption and RSA for digital signature and key distribution.  PGP uses a trust model instead of a Certificate Authority.
Secure Socket Layer (SSL)
Session-based encryption and authentication for secure communications between clients and servers on the internet. Operates at the Transport Layer (Layer 4). Uses RSA, IDEA, DES, 3DES and the MD5 hash function. Used with webpages that are https.
S-HTTP
Internet protocol that provides a method for secure communications with Web servers. A connectionless (UDP) protocol that encapsulates data after security properties for the session have been negotiated. Uses symmetric key (confidentiality), message digest (integrity), and public key (client-server authentication and non-repudiation). Secures individual Web documents, unlike SSL, which secures the entire session.
IPSec
Provides secure communications over public IP-based networks. Ensures confidentiality, integrity and authenticity by using OSI model Layer 3 (Network) encryption and authentication to provide end-to-end solutions.

Operates in 2 modes:
1. Transport Mode: only data is encrypted.
2. Tunnel Mode:  entire packet is encrypted.

2 protocols for IPSec:
1. AH: provides integrity, authentication, and non-repudiation
2. Encapsulation Security Payload (ESP): provides confidentiality and limited authentication.

Sessions must establish communication through a Security Association (SA). An SA is a one-way connection. Two SAs are required for each pair of communicating hosts.


Key management is done by Internet Key Exchange (IKE).
Security Association (SA)
Used in IPSec. Has 3 parameters that uniquely identify it in an IPSec session:

1. Security Parameter Index (SPI): 32-bit string used by the receiving station to differentiate between SAs terminating on that station. Located between AH or ESP.
2. Destination IP address: could be an end station or an intermediate gateway or firewall, but it must be unicast.
3. Security Protocol ID: either an AH or ESP association.
Multi-Protocol Label Switching (MPLS)
Fast method of forwarding packets through a network by using labels inserted between Layer 2 and Layer 3 headers in the packet. Provides QoS and secure Layer 3 VPN tunneling.
Secure Shell (SSH)
Used for securing remote access as one alternative to Telnet. Provides confidentiality, integrity, and authenticity. SSH-2 establishes an encrypted tunnel between client and server.
Wireless Transport Layer Security (WTLS)
Provides security services for the WAP (used for internet connectivity on mobile devices).  Provides 3 classes:
1. Anonymous Authentication
2. Server Authentication only
3. Client-Server Authentication.
4 Classes of Attack Methods:  Analytic, Brute Force, Implementation, Statistical
Analytic attack: uses algebraic manipulation in an attempt to reduce the complexity of the algorithm.

Brute force: try all possible combinations of key patterns.

Implementation attack: exploiting some weakness in the cryptosystem, such as a vulnerability in a protocol.

Statistical attack: exploit some statistical weakness in the cryptosystem, such as a lack of randomness in key generation.