2019 CISSP MENTOR
PROGRAM
April 17, 2019
-----------
Class 4 – April 17, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
We’re through Chapters 1, 2, 3, and part way into Chapter 4!
• Check-in.
• How many have read Chapters 1, 2 & 3?
• Questions?
CISSP® MENTOR PROGRAM – SESSION FOUR
1
GETTING GOING…
Security Models is the BOMB!
Only 112 slides tonight… Let’s get going!
Other Updates:
• We’ve got more people who told us that they are
interested in hosting/facilitating a study group. We’ll be
getting something going soon.
• Email mentorprogram@frsecure.com if you’re interested
in hosting/facilitating/participating in a study group. We’ll
put the right people in touch.
• We’ve got a request to setup a Slack channel for the class.
The Domains covered so far include:
• Introduction
• Domain 1: Security and Risk Management
• Domain 2: Asset Security
• Domain 3: Security Engineering (only through Evaluation Methods, Certification and Accreditation)
Great job! We’re through Chapters 1, 2, 3, and part way into Chapter 4!
Quiz!
1. What type of memory is used often for CPU registers?
A. DRAM
B. Firmware
C. ROM
D. SRAM
2. What was ISO 17799 renamed as?
A. BS 7799-1
B. ISO 27000
C. ISO 27001
D. ISO 27002
3. Which of the following describes a duty of the Data Owner?
A. Patch systems
B. Report suspicious activity
C. Ensure their files are backed up
D. Ensure data has proper security labels
4. Which control framework has 34 processes across four domains?
A. COSO
B. COBIT
C. ITIL®
D. OCTAVE®
5. Which managerial role is responsible for the actual computers that house data, including the security of hardware and software configurations?
A. Custodian
B. Data owner
C. Mission owner
D. System owner
6. What type of relatively expensive and fast memory uses small latches called “flip-flops” to store bits?
A. DRAM
B. EPROM
C. SRAM
D. SSD
7. What type of memory stores bits in small capacitors (like small batteries)?
A. DRAM
B. EPROM
C. SRAM
D. SSD
Picking up where we left off.​
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
Agenda – Domain 3: Security Engineering
We will take three classes to get through this domain…
Starting on page 116 this evening
Layering
• Separates hardware and software functionality into modular tiers
• Actions that take place at one layer do not directly affect
components in another
• For networking types; OSI is an example of layering (covered
later)
• Generic list of security architecture layers:
• Hardware
• Kernel (and system/device drivers)
• Operating system
• Applications
Secure System Design Concepts
Abstraction – Complexity is the enemy of security
• Unnecessary details are hidden from the user
• Good example from the book:
A user double-clicks on an MP3 file containing music, and the music plays via
the computer speakers. Behind the scenes, tremendously complex actions
are taking place: the operating system opens the MP3 file, looks up the
application associated with it, and sends the bits to a media player. The bits
are decoded by a media player, which converts the information into a digital
stream, and sends the stream to the computer’s sound card. The sound card
converts the stream into sound, sent to the speaker output device. Finally, the
speakers play sound. Millions of calculations are occurring as the sound
plays, while low-level devices are accessed.
Abstraction means the user simply presses play and hears music.
The Ring Model
• CPU hardware layering used to separate and protect domains
(user mode from kernel mode)
• Most CPUs (including Intel x86) have four rings
• Ring 0 – Kernel
• Ring 1 – Operating system components outside of Ring 0
• Ring 2 – Device drivers
• Ring 3 – User applications
• Processes communicate between the rings via system calls
• System calls are slow (compared to performing work within one
ring), but provide security
• The ring model also provides abstraction
• Linux and Windows use rings 0 and 3 only
• Hypervisor mode runs one ring “below” ring 0 (ring -1), which
allows virtual guests to operate in ring 0
Open and Closed Systems
• Open systems use open hardware and standards,
using standard components from various vendors
• IBM-compatible PCs
• Closed systems use proprietary hardware or software
Secure Hardware Architecture
System Unit and Motherboard
• System unit is the computer case and everything in it.
• The motherboard is the hardware board that typically
includes the Central Processing Unit (CPU), memory
slots, firmware, and peripheral slots such as PCI
(Peripheral Component Interconnect) slots.
Computer Bus
• Primary communication channel on a computer
system
• Communication between the CPU, memory, and
input/output devices such as keyboard, mouse,
display, etc., occur via the bus
• Northbridge – also called the Memory Controller Hub
(MCH), connects the CPU to RAM and video memory;
directly connected to CPU, so it’s faster
• Southbridge - also called the I/O Controller Hub
(ICH), connects input/output (I/O) devices, such as
disk, keyboard, mouse, CD drive, USB ports, etc.
The Central Processing Unit (CPU)
• The “brains” - capable of controlling and performing
mathematical calculations
• Everything a computer does is mathematical
• Rated by the number of clock cycles per second; a 2.4
GHz Pentium 4 CPU has 2.4 billion clock cycles per
second.
• Arithmetic Logic Unit (ALU) - performs
mathematical calculations
• Control Unit (CU) – controls and send instructions to
the ALU
• Fetch and execute: the process actually takes four steps
(one CPU or clock cycle):
• Fetch Instruction 1
• Decode Instruction 1
• Execute Instruction 1
• Write (save) result 1
• Pipelining combines multiple steps into one
combined process; simultaneous fetch, decode,
execute, and write steps
• Each part is called a pipeline stage
• Interrupts cause the CPU to stop processing its
current task, save the state, and process a new
request. Once the interrupt task is complete, the CPU
will start where it left off.
• Interrupts are typically hardware related.
• Process – an executable program and its data loaded and
running in memory
• Thread (also called a lightweight process or “LWP”) – a child
process, created where one process has “spawned” another. A
heavyweight process (or “HWP”) is called a task; one big
advantage of threads is that they can share memory.
• Process states:
• New: a process being created
• Ready: process waiting to be executed by the CPU
• Running: process being executed by the CPU
• Blocked: waiting for I/O
• Terminated: a completed process
A zombie or orphan is a process (or thread) where the parent is terminated.
• Multitasking allows multiple tasks (heavyweight
processes) to run simultaneously on one CPU
• Multiprocessing – multiple processes running on
multiple CPUs
• Symmetric Multiprocessing (SMP) – one operating system
to manage all CPUs
• Asymmetric Multiprocessing (AMP) – one operating
system image per CPU
• Multiprogramming – multiple programs running
simultaneously on one CPU
• Multithreading – multiple threads (lightweight
processes) running simultaneously on one CPU
• Watchdog Timers are designed to recover a system
by rebooting after critical processes hang or crash
• Complex Instruction Set Computer (CISC)
• Reduced Instruction Set Computer (RISC)
Memory Addressing
• Addressing modes are CPU-dependent
• Direct – “Add X to the value stored in memory location
#YYYY.”
• Indirect – Works the same way as direct; however, #YYYY
holds the address of another memory location rather than
the value itself.
• Register direct – references a CPU cache register, not
secondary memory.
• Register indirect – also references a CPU cache register.
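To make the four modes concrete, here is an added Python model (not code from the slides or the textbook) that runs the same “ADD X” instruction under each mode; the instruction form, register names and memory contents are constructed for illustration, and the bounds check shows why data-derived addresses need memory protection.

```python
"""Tiny CPU model of the four addressing modes listed above.

Added example, not code from the slides or the textbook. The "ADD X to the
operand" instruction, the register names and the memory contents are all
constructed for illustration.
"""

MEMORY_WORDS = 16


class TinyCPU:
    """A handful of registers plus a small word-addressed primary memory."""

    def __init__(self, memory, registers):
        self.memory = list(memory)         # primary memory, addresses 0..15
        self.registers = dict(registers)   # CPU registers, e.g. {"R1": 3}

    def _checked(self, address):
        # Bounds check on every memory address computed at run time. With the
        # indirect modes the address comes from data, so corrupted data would
        # otherwise redirect the access anywhere in memory.
        if not 0 <= address < len(self.memory):
            raise IndexError(f"address {address} is outside memory")
        return address

    def resolve(self, mode, operand):
        """Return ("memory", address) or ("register", name) for the operand."""
        if mode == "direct":
            # #YYYY is the location of the value itself
            return ("memory", self._checked(operand))
        if mode == "indirect":
            # #YYYY holds the address of the value (a pointer stored in memory)
            pointer = self.memory[self._checked(operand)]
            return ("memory", self._checked(pointer))
        if mode == "register_direct":
            # the operand names a register that holds the value
            return ("register", operand)
        if mode == "register_indirect":
            # the register holds the address of the value in memory
            return ("memory", self._checked(self.registers[operand]))
        raise ValueError(f"unknown addressing mode: {mode!r}")

    def add(self, x, mode, operand):
        """ADD X to the value the operand denotes; return the new value."""
        kind, where = self.resolve(mode, operand)
        if kind == "memory":
            self.memory[where] += x
            return self.memory[where]
        self.registers[where] += x
        return self.registers[where]


def demo():
    """Run ADD 1 under each mode against constructed state, in this order."""
    memory = [0] * MEMORY_WORDS
    memory[4] = 7      # location 4 holds data
    memory[5] = 4      # location 5 holds a pointer to location 4
    cpu = TinyCPU(memory, {"R1": 10, "R2": 5})
    return {
        "direct": cpu.add(1, "direct", 4),                           # memory[4]: 7 -> 8
        "indirect": cpu.add(1, "indirect", 5),                       # memory[memory[5]] = memory[4]: 8 -> 9
        "register_direct": cpu.add(1, "register_direct", "R1"),      # R1: 10 -> 11
        "register_indirect": cpu.add(1, "register_indirect", "R2"),  # memory[R2] = memory[5]: 4 -> 5
    }


if __name__ == "__main__":
    print(demo())
```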
Memory Protection
• Preventing processes from accessing memory space
belonging to another
• Memory protection is required for multi-user and multi-
tasking systems
Hardware Segmentation
• Completely separate hardware
Virtual Memory
• Virtual address mapping between applications and
hardware memory
Swapping and Paging
• Uses virtual memory to copy contents in primary
memory (RAM) to or from secondary memory (not
directly addressable by the CPU, on disk)
• Kernel accessing memory in swap space results in a
page fault
BIOS
• Basic Input Output System
• Contains code in firmware that is executed when a PC
is powered on
• The first thing it does is run the Power On Self-Test (POST)
• POST finds the boot sector that contains machine
code for the OS kernel
• The kernel loads and executes, starting the OS
In general, the MBR consists of 512 or more bytes located in the first sector of the drive.
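An added Python example (not from the slides or the textbook) that parses that first sector: it checks the 0x55AA boot signature, decodes the four partition entries, and hashes the boot code so it can be compared against a stored baseline. The sector bytes are constructed here, not read from a real disk.

```python
"""Parse and sanity-check a 512-byte MBR boot sector.

Added example; the sector bytes are constructed here, not read from any real
disk. Classic MBR layout: 446 bytes of boot code, four 16-byte partition
entries starting at offset 446, and the 0x55 0xAA signature at offset 510.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
ENTRY_FORMAT = "<B3xB3xII"


def parse_partition_entry(entry):
    """Decode one 16-byte partition-table entry."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Validate the signature, list used partitions, hash the boot code."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("an MBR is at least 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * ENTRY_SIZE
        entry = sector[start:start + ENTRY_SIZE]
        if entry == bytes(ENTRY_SIZE):
            continue    # empty slot
        partitions.append(parse_partition_entry(entry))
    return {
        # The boot code is what POST hands control to, so it is what a bootkit
        # would modify; hashing it gives a baseline to compare against later.
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_unchanged(sector, baseline_sha256):
    """True if the boot code still matches a previously recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr():
    """Constructed sector: a few real x86 opcodes, NOP padding, one Linux partition."""
    boot_code = b"\xfa\x31\xc0" + b"\x90" * (PART_TABLE_OFFSET - 3)   # cli; xor ax,ax; nop...
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x83, 2048, 204800)       # bootable, type 0x83, 100 MiB
    table = entry + bytes(ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sector = build_sample_mbr()
    print(parse_mbr(sector))
```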
WORM Storage
• Write Once Read Many
• Usually used for record retention and high integrity
information
• CD-Rs, DVD-Rs, etc.
• Not CD-RWs or DVD-RWs
Trusted Platform Module (or TPM)
• Developed and updated by the Trusted Computing
Group; international standard
• Processor that can provide additional security
capabilities in hardware
• Usually on the motherboard
• Hardware-based encryption (fast)
• Boot integrity – protecting against rootkits and kernel
bypass attacks
• Platform integrity and disk encryption (primary uses)
Tidbit
The United States Department of Defense (DoD) specifies that "new computer assets
(e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant,
mobile phone) procured to support DoD will include a TPM version 1.2 or higher where
required by DISA STIGs and where such technology is available."
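To show how the TPM’s boot-integrity role works, here is an added Python model (not TPM code from the slides or from the Trusted Computing Group) of measured boot with a single PCR: each boot stage is measured and extended into the register, and a verifier replays the event log and compares against a golden value. It is deliberately simplified to one SHA-256 PCR, and the firmware, bootloader and kernel images are constructed byte strings.

```python
"""Measured boot with a TPM PCR: extend chain, event log, and verification.

Added example, not TPM code from the slides or the Trusted Computing Group.
Simplified on purpose: one SHA-256 PCR starting at 32 zero bytes, and each
boot stage extended as PCR = SHA256(PCR || SHA256(stage image)). The
firmware, bootloader and kernel images are constructed byte strings.
"""
import hashlib

PCR_INITIAL = bytes(32)


def measure(image):
    """Measurement of a boot stage: the hash of its bytes."""
    return hashlib.sha256(image).digest()


def extend(pcr, measurement):
    """PCR_Extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Extend each stage in boot order; return the final PCR and event log."""
    pcr, log = PCR_INITIAL, []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR value that a given event log implies."""
    pcr = PCR_INITIAL
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def verify(reported_pcr, log, golden_pcr):
    """Verifier logic: the log must replay to the PCR the TPM reports, and
    that PCR must equal the golden value recorded from a known-good boot.
    A rootkit that patches the kernel changes that stage's measurement, so
    every later PCR value changes and the golden comparison fails; it cannot
    roll the register back, because extend is one-way."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


def demo():
    good = [("firmware", b"firmware-image-v1"),
            ("bootloader", b"bootloader-image-v2"),
            ("kernel", b"kernel-image-5.4")]
    golden, good_log = measured_boot(good)
    tampered = good[:2] + [("kernel", b"kernel-image-5.4+rootkit")]
    bad_pcr, bad_log = measured_boot(tampered)
    return {
        "known_good_boot": verify(golden, good_log, golden),
        "patched_kernel": verify(bad_pcr, bad_log, golden),
        # a clean log presented alongside the real (tampered) PCR value
        "clean_log_bad_pcr": verify(bad_pcr, good_log, golden),
    }


if __name__ == "__main__":
    print(demo())
```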
Data Execution Prevention and Address Space
Layout Randomization
• Intentionally corrupting the memory of a system via,
for example, a stack- or heap-based buffer overflow
condition, is a common means employed by an
adversary.
• Enabled within hardware and/or software, DEP attempts to
ensure that code cannot be executed from memory locations
not pre-defined to contain executable content.
Pretty good basic explanation: https://slideplayer.com/slide/4775349/
Kernel
• Heart (or core) of the operating system, usually
running at ring 0
• Interface between the operating system and hardware
• Two primary types of kernels
• Monolithic kernel - compiled into one static
executable and the entire kernel runs in supervisor
mode; requires recompiling to add new features
• Microkernel – a modular kernel; can add functionality
via loadable kernel modules
• Reference monitor – core function of the kernel; mediates all
access between subjects and objects
• Always enabled and cannot be bypassed
Users and File Permissions
Linux and UNIX permissions – output of a Linux “ls -la /etc”
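Since the listing itself did not survive extraction, here is an added Python example (not from the slides or the textbook) that decodes `ls -la` mode strings into octal and flags entries a least-privilege review would look at; the listing is constructed, not real /etc output.

```python
"""Decode Linux/UNIX `ls -la` mode strings and flag permissions worth review.

Added example, not from the slides or the textbook. The listing below is
constructed, not real /etc output.
"""
import re

# e.g. "drwxr-xr-x  2 root root 4096 Apr 17 2019 cron.d"
LS_LINE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def mode_to_octal(mode):
    """'rwsr-xr-x' -> 0o4755. s/S = setuid/setgid, t/T = sticky; upper case
    means the special bit is set but the matching execute bit is not."""
    if len(mode) != 9:
        raise ValueError("mode string must be 9 characters")
    special, bits = 0, 0
    for i, ch in enumerate(mode):
        bits <<= 1
        if ch in "rwx":
            bits |= 1
        elif ch in "sS" and i in (2, 5):
            special |= 4 if i == 2 else 2
            bits |= 1 if ch == "s" else 0
        elif ch in "tT" and i == 8:
            special |= 1
            bits |= 1 if ch == "t" else 0
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return (special << 9) | bits


def parse_listing(text):
    """Parse `ls -la` output into dicts; the 'total' line does not match."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        ftype, mode, owner, group, name = m.groups()
        entries.append({"type": ftype, "mode": mode_to_octal(mode),
                        "owner": owner, "group": group, "name": name})
    return entries


def review(entries):
    """Least-privilege checks: world-writable objects and setuid/setgid files."""
    findings = []
    for e in entries:
        if e["type"] == "l":
            continue   # a symlink's own mode is meaningless; the target's counts
        sticky_dir = e["type"] == "d" and e["mode"] & 0o1000
        if e["mode"] & 0o002 and not sticky_dir:
            findings.append((e["name"], "world-writable"))
        if e["type"] == "-" and e["mode"] & 0o6000:
            findings.append((e["name"], "setuid/setgid"))
    return findings


# Constructed sample listing (not real /etc output)
SAMPLE_LISTING = """\
total 24
drwxr-xr-x  2 root root    4096 Apr 17  2019 cron.d
-rw-r--r--  1 root root    1234 Apr 17  2019 passwd
-rw-r-----  1 root shadow   900 Apr 17  2019 shadow
-rwsr-xr-x  1 root root   54256 Apr 17  2019 suid-helper
-rw-rw-rw-  1 root root      12 Apr 17  2019 world-writable.conf
drwxrwxrwt  9 root root    4096 Apr 17  2019 tmp
lrwxrwxrwx  1 root root      13 Apr 17  2019 localtime -> /usr/share/zoneinfo/UTC
"""

if __name__ == "__main__":
    for name, why in review(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {why}")
```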
Users and File Permissions
• Types of permissions available depend on the file
system being used
• Microsoft NTFS Permissions
• Read
• Write
• Read and execute
• Modify
• Full control (read, write, execute, modify, and in addition the
ability to change the permissions.)
Virtualization and Distributed Computing
Virtualization
• Adds a software layer between the operating system
and computer hardware
• Multiple “guest” systems can run on one physical
“host”
• Transparent (or Full) Virtualization – runs stock
operating systems; no changes to the OS are
necessary
• Paravirtualization – specially modified operating
systems/modified kernel
Hypervisor
• Software that controls access between “guest”
operating systems and the “host” hardware
• Type 1 – part of the operating system; runs on host
hardware, e.g. VMware ESX
• Type 2 – runs as an application within the operating
system, e.g. VMware Workstation
Benefits
• Lower hardware cost
• Lower power cost
• Smaller footprint
Security Issues
• More complex
• Easy to bring up new systems (without proper checks/balances)
• An issue in the host and/or hypervisor could affect every guest
(VM escape)
Don’t host systems with varying security sensitivities on the same
hardware
Cloud Computing
• Leverage economies of scale
• Infrastructure as a Service (IaaS) – customer configures
operating system and all else (Linux server hosting)
• Platform as a Service (PaaS) – pre-configured operating
system, customer installs & configures everything else (Web
service hosting)
• Software as a Service (SaaS) – everything is configured,
customer just uses (Web mail)
• Private cloud – cloud is dedicated to one single customer
• Public cloud – cloud is shared amongst multiple organizations
Cloud Computing - Security Issues
• Need strict SLAs
• Limited visibility
• Shared infrastructure and shared target
• Right to audit, right to assess (vulnerabilities), and right to test
(pentest)
• Physical boundaries (geographically)
Grid Computing
BOINC
165 PFLOPS! (165 × 10^15 FLOPS)
Intel Core 4 FLOPS
Peer to Peer (P2P)
• Any system can act as a client, a server, or both
• Decentralized and neutral
• Napster (central index servers = busted), Gnutella,
and BitTorrent
• IP issues, data integrity, and data loss are all risks
Thin Clients
• Rely on central servers – central servers run applications, store
data, and simplified security
• Cheaper than full PCs
Diskless Workstations
• Contains CPU, memory, and firmware (no disk drive)
• Kernel and operating system loaded via network
• BIOS → POST → TCP/IP → BOOTP (typically *nix) or DHCP
(more robust)
Thin Client Applications
• Browser-based access to centralized applications and data
• Runs on a full PC
• Citrix ICA, OpenThinClient, etc.
The Internet of Things (IoT)
• Small Internet-connected devices
• Refrigerators, Televisions, home automation, etc.
• Security freaking nightmare! Vendors don’t patch,
poor customer support, features overrule security, etc.
Emanations
• Energy that escapes an electronic system – potential
side-channel attack
• TEMPEST is a National Security Agency specification
and a NATO certification referring to spying on
information systems through leaking emanations,
including unintentional radio or electrical signals,
sounds, and vibrations. – Wikipedia
• Shielding standards (many are classified); however,
three levels are public.
System Vulnerabilities, Threats and Countermeasures
Backdoors
• Usually malicious
• System shortcut to bypass security checks
• Bypass login, sometimes planted as part of a larger
attack
Maintenance Hooks
• Usually innocent
• Shortcuts installed on purpose by system designers or
programmers
• Should never be left in a production system
Malware (or Malicious Software or Malicious
Code)
• Zero-day exploit is malicious code for which there is
no vendor patch (or fix)
Computer Virus
• Doesn’t spread automatically
• Types:
• Macro virus
• Boot sector virus
• Stealth virus
• Polymorphic Virus
• Multipartite Virus
In general, viruses embed and worms spread.
Worms
• Self-propagate
• Damages include:
• Malicious code itself
• Wasted resources (usually network-related)
• Famous worms include Morris Worm, ILOVEYOU,
Nimda, Code Red, and Melissa
Trojans
• One function is benign (maybe a game)
• A second function is malicious (could be anything)
• Famous Trojans include the Zeus Trojan,
CryptoLocker, Netbus, Back Orifice, and Shedun
(Android)
Rootkits
• Replaces portions of the kernel and/or operating
system
• User-mode (ring 3, called “userland”) and kernel-
mode (ring 0)
• Common rootkitted binaries are ls, ps, and many
others
Antivirus Software
Signature-based (static signatures) and heuristic-based
(anomaly and behavior)
Server-side Attacks (or service-side attacks)
• Attacking a service
Client-side Attacks
• Downloads
Web Architecture and Attacks
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Applets
• Small pieces of mobile code that are embedded in
other software such as Web browsers
• Downloaded from servers and run locally
• Java:
• Object-oriented
• Bytecode is platform independent; requires the Java Virtual
Machine (JVM)
• Applets run in a sandbox
• ActiveX:
• Functionally very similar to Java applets
• Only on M$ systems
• Use digital certificates for security
XML – Extensible Markup Language
• defines a set of rules for encoding documents in a format that is
both human-readable and machine-readable
• XML documents should begin by declaring some information
about themselves
SOA– Service Oriented Architecture
• an architectural pattern in computer software design in which
application components provide services to other components via
a communications protocol, typically over a network
• service can be used and reused throughout an organization
rather than built within each individual application
• SOA concepts include SOAP, REST, DCOM, CORBA, and others
Polyinstantiation
• Two different objects (instances) with the same name
• Depending on the security level established, one
record contains sensitive information, and the other
one does not, that is, a user will see the record's
information depending on his/her level of
confidentiality dictated by the policy
• the ability of a database to maintain multiple records
with the same key. It is used to prevent inference
attacks.
Database Security
Inference
• Requires deduction using clues
• Controls might be polyinstantiation or diffusion
Aggregation
• Mathematical process that asks every question
• No deduction
• Control might be limiting the number of queries
(Slide 88 – Database Security)
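The polyinstantiation slide and the inference slide above both lean on the same idea: the security level is part of the record key, so a low-clearance subject neither sees the sensitive instance nor learns of its existence through a duplicate-key error. The following is an added example (not from the slides or the book) that models this with an in-memory SQLite table; the table name `cargo`, the two clearance levels and the flight rows are constructed for illustration.

```python
import sqlite3

# Two clearance levels, lowest to highest (constructed for this example).
UNCLASSIFIED, SECRET = 0, 1


def build_db() -> sqlite3.Connection:
    """Create an in-memory table whose primary key includes the security
    level, so two rows can share the same 'flight' key: polyinstantiation."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cargo ("
        " flight TEXT NOT NULL,"
        " level INTEGER NOT NULL,"
        " contents TEXT NOT NULL,"
        " PRIMARY KEY (flight, level))"
    )
    # Constructed sample rows. FL100 has a SECRET instance (the real cargo)
    # and an UNCLASSIFIED instance (a cover story) under the same key;
    # FL400 exists only at SECRET.
    conn.executemany(
        "INSERT INTO cargo VALUES (?, ?, ?)",
        [
            ("FL100", SECRET, "prototype sensors"),
            ("FL100", UNCLASSIFIED, "spare parts"),
            ("FL200", UNCLASSIFIED, "mail"),
            ("FL400", SECRET, "radar units"),
        ],
    )
    return conn


def view_for(conn: sqlite3.Connection, clearance: int) -> dict:
    """What a subject at `clearance` sees: for each key, only the instance
    at the highest level that does not exceed the clearance."""
    rows = conn.execute(
        "SELECT c.flight, c.contents FROM cargo AS c"
        " WHERE c.level = (SELECT MAX(level) FROM cargo"
        "                  WHERE flight = c.flight AND level <= ?)",
        (clearance,),
    ).fetchall()
    return dict(rows)


def insert_as(conn: sqlite3.Connection, clearance: int, flight: str, contents: str) -> bool:
    """Insert at the subject's own level. Because the level is part of the
    key, a low-clearance insert of a key that exists only at SECRET succeeds
    rather than failing with a duplicate-key error; that error would let the
    subject infer that a hidden row exists. Returns True if a row was added."""
    try:
        conn.execute("INSERT INTO cargo VALUES (?, ?, ?)", (flight, clearance, contents))
        return True
    except sqlite3.IntegrityError:
        return False  # an instance at this same level already exists
```

The point to notice is the FL400 case: an UNCLASSIFIED subject sees no FL400 row at all, can insert its own FL400 row without error, and afterwards each clearance sees its own instance. Without the level in the key, the rejected insert would itself be the inference channel.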
Data Mining
• Searching through large (many TB and EB) data
stores looking for patterns
• Used extensively for detecting fraud
• Sometimes causes privacy concerns if data is not
properly anonymized
Data Analytics
• Often used to determine a baseline of normal
behaviors
• Deviations from the baseline may indicate misuse or
compromise
(Slide 89 – Database Security)
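The data analytics bullet describes a baseline-and-deviation approach without showing one. As an added example (not from the slides or the book), here is the simplest form of it over constructed login records: a per-user daily login count, a baseline from the first few days, and a flag for any later day that exceeds mean plus three standard deviations. The log format, users, dates and the `floor` parameter are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample log lines, "YYYY-MM-DD user event" (not real data):
# alice logs in 2-3 times a day for five days, then 40 times on day six;
# bob logs in exactly once every day.
SAMPLE_LOG = []
for _day, _n in enumerate([2, 3, 2, 3, 2, 40], start=1):
    SAMPLE_LOG += [f"2019-04-{_day:02d} alice login"] * _n
    SAMPLE_LOG += [f"2019-04-{_day:02d} bob login"]


def daily_counts(lines):
    """Count login events per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        date, user, event = line.split()
        if event == "login":
            counts[user][date] += 1
    return counts


def baseline(per_day, train_days):
    """Mean and population std-dev over the first `train_days` days."""
    values = [per_day[d] for d in sorted(per_day)[:train_days]]
    return statistics.mean(values), statistics.pstdev(values)


def flag_deviations(lines, train_days=5, k=3.0, floor=1.0):
    """Return (user, date, count, threshold) for each post-baseline day whose
    count exceeds mean + max(k * stdev, floor). The floor keeps a perfectly
    regular user (stdev 0) from being flagged on an ordinary day."""
    flags = []
    for user, per_day in daily_counts(lines).items():
        mean, sd = baseline(per_day, train_days)
        threshold = mean + max(k * sd, floor)
        for date in sorted(per_day)[train_days:]:
            if per_day[date] > threshold:
                flags.append((user, date, per_day[date], round(threshold, 2)))
    return flags
```

Only alice's day six is flagged; bob's unchanging behaviour produces a zero standard deviation, which is exactly the case the `floor` guards against. A real deployment would baseline over weeks and per weekday, but the shape of the check is the same.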
Defense in depth
• Crunchy shell and gooey center (bad)
• Network segmentation/isolation
• NSA Methodology for Adversary Obstruction
(https://www.cdse.edu/documents/cdse/nsa-methodology-for-adversary-obstruction.pdf)
Mobile Device Defenses
• Mobile device management (MDM)
• Network Access Control (NAC) and 802.1X
• Authentication, remote wipe, encryption, etc.
(Slide 90 – Countermeasures)
YAY!!!
Best day ever!
(Slide 91 – NOW FOR SOME ENCRYPTION!!!)
Key Terms
• Cryptology is the science of secure communications
• Cryptography creates messages whose meaning is hidden
• Cryptanalysis is the science of breaking encrypted messages
(recovering their meaning)
• Cryptology encompasses both cryptography and cryptanalysis
• Cipher is a cryptographic algorithm
• Plaintext is an unencrypted message
• Ciphertext is an encrypted message
• Encryption converts the plaintext to a ciphertext
• Decryption turns a ciphertext back into a plaintext
(Slide 92 – Cornerstone Cryptographic Concepts)
Confusion, Diffusion, Substitution, and Permutation
• Confusion means that the relationship between the plaintext and
ciphertext should be as confused (or random) as possible.
• Diffusion means the order of the plaintext should be “diffused”
(or dispersed) in the ciphertext
• Substitution replaces one character for another; this provides
diffusion.
• Permutation (also called transposition) provides confusion by
rearranging the characters of the plaintext, anagram-style.
Substitution and permutation are often combined.
Strong encryption destroys patterns. Any signs of nonrandomness
may be used as clues to a cryptanalyst, hinting at the underlying
order of the original plaintext or key.
(Slide 93 – Cornerstone Cryptographic Concepts)
Cryptographic Strength
Good encryption is strong: for key-based encryption, it should be very
difficult (and ideally impossible) to convert a ciphertext back to a
plaintext without the key.
Work factor describes how long it will take to break a cryptosystem
(decrypt a ciphertext without the key)
Secrecy of the cryptographic algorithm does not provide strength -
Kerckhoffs' principle
(Slide 94 – Cornerstone Cryptographic Concepts)
Monoalphabetic and Polyalphabetic Ciphers
• Monoalphabetic cipher uses one alphabet: a specific letter (like
“E”) is substituted for another (like “X”). Monoalphabetic ciphers
are susceptible to frequency analysis.
• Polyalphabetic cipher uses multiple alphabets: “E” may be
substituted for “X” one round, and then “S” the next round.
(Slide 95 – Cornerstone Cryptographic Concepts)
Frequency Analysis
(Slide 96 – Cornerstone Cryptographic Concepts; image-only slide)
Exclusive Or (XOR) Logic Gate
Encrypt the plaintext “ATTACK AT DAWN” with a key of “UNICORN”:
• “A” is binary 01000001 and “U” is binary 01010101.
• XORing them gives the first ciphertext byte, 00010100 (decimal 20, chr(20)
in ASCII: a non-printable control character, so the result has no text
form)
(Slide 97 – Cornerstone Cryptographic Concepts)
Cryptography is the oldest domain in the Common Body of
Knowledge: stretching back thousands of years to the days of the
Pharaohs in Egypt.
Egyptian Hieroglyphics
• Stylized pictorial writing used in ancient Egypt
• Popular from roughly 2000 to 1000 B.C.
Spartan Scytale
• Used in ancient Sparta around 400 B.C.
• Strip of parchment wrapped around a rod
• Plaintext was encrypted by writing lengthwise down the rod
• Message was then unwound and sent
• Rod of the same diameter used to decrypt message
(Slide 98 – History of Cryptography)
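The scytale is the simplest concrete case of the permutation (transposition) idea from the Cornerstone Cryptographic Concepts slide: letters keep their identity but change position. The following is an added example, not from the slides or the book, that models the rod as rows of `turns` letters and the unwound strip as a column-wise reading; the padding character and the dropping of spaces are choices made for the example. It also shows the pattern the slide warns about: because nothing is substituted, the letter counts of the ciphertext are identical to those of the plaintext.

```python
from collections import Counter


def scytale_encrypt(plaintext: str, turns: int, pad: str = "X") -> str:
    """Scytale as a transposition: the message is written lengthwise along
    a rod that holds `turns` letters per wrap (rows), and the unwound strip
    is read wrap by wrap (columns). Spaces are dropped and the text is padded
    so every row is full, which keeps decryption simple."""
    text = plaintext.replace(" ", "").upper()
    text += pad * (-len(text) % turns)
    rows = [text[i:i + turns] for i in range(0, len(text), turns)]
    return "".join(row[c] for c in range(turns) for row in rows)


def scytale_decrypt(ciphertext: str, turns: int) -> str:
    """Re-wrap the strip on a rod of the same diameter: split into `turns`
    columns and read row by row. A rod of a different diameter yields
    nonsense, which is why the diameter is the key."""
    n_rows = len(ciphertext) // turns
    cols = [ciphertext[i:i + n_rows] for i in range(0, len(ciphertext), n_rows)]
    return "".join(col[r] for r in range(n_rows) for col in cols)


def letter_counts(text: str) -> Counter:
    """Letter histogram; unchanged by any transposition cipher."""
    return Counter(c for c in text.upper() if c.isalpha())


if __name__ == "__main__":
    ct = scytale_encrypt("ATTACK AT DAWN", 4)
    print(ct, scytale_decrypt(ct, 4), scytale_decrypt(ct, 3))
```

With a rod of four letters per turn, ATTACKATDAWN becomes ACDTKATAWATN; the same strip read on a three-letter rod is gibberish, while the letter histogram of the ciphertext still matches the plaintext exactly. Real diffusion needs substitution as well, which is why the slide says the two are usually combined.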
Caesar Cipher and other Rotation Ciphers
• Monoalphabetic rotation cipher used by Gaius Julius Caesar
• Rotated each letter of the plaintext forward three times to
encrypt, so that A became D, B became E, etc. (Rot-3)
• The rotation can be anything you want
• A common rotation cipher is Rot-13, frequently used to conceal
information on bulletin board systems such as Usenet
Vigenère Cipher
• Polyalphabetic cipher named after Blaise de Vigenère, a French
cryptographer who lived in the 16th century
• Alphabet is repeated 26 times to form a matrix, called the
Vigenère Square
(Slide 99 – History of Cryptography)
(Slide 100 – History of Cryptography; image-only slide)
Cipher Disk
• Two concentric disks, each with an alphabet around the
periphery.
• Allow both monoalphabetic and polyalphabetic encryption.
• For monoalphabetic encryption, two parties agree on a fixed offset:
“Set ‘S’ to ‘D’.”
• For polyalphabetic encryption, the parties agree on a fixed starting
offset, and then turn the wheel once every X characters: “Set ‘S’ to
‘D,’ and then turn the inner disk 1 character to the right after every
10 characters of encryption.”
• Invented in 1466 or 1467 by Leon Battista Alberti.
• Alberti is considered the inventor of the polyalphabetic cipher
• Used for hundreds of years, through the U.S. Civil War
(Slide 101 – History of Cryptography)
Jefferson Disks
• Created by Thomas Jefferson in the 1790s.
• Has 36 wooden disks, each with 26 letters in random order along
the edge
• The order of the disks is the cipher key
Book Cipher and Running-Key Cipher
• Use well-known texts as the basis for keys
• Book Cipher - to encode, agree on a text source, and note the
page number, line, and word offset of each word you would like
to encode.
• Benedict Arnold used a book cipher to communicate with
British conspirators.
• Running-Key Cipher - instead of using whole words, use modulus
math to “add” letters to each other.
(Slide 102 – History of Cryptography)
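The Caesar/Rot-13, cipher disk, Vigenère and running-key slides above are all the same operation, adding a shift to each letter mod 26, differing only in how the shift changes from letter to letter. The code below is an added example (not from the slides or the book) that implements each one with a single `shift_char` helper and then shows why the monoalphabetic case is susceptible to frequency analysis: the most common plaintext letter stays the most common ciphertext letter, merely shifted. The assumption that turning the inner disk by one letter increases the shift by one, and the treatment of spaces as pass-through, are choices made for the example.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def shift_char(ch: str, k: int) -> str:
    """Rotate one letter by k positions; leave spaces and punctuation alone."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def caesar(text: str, k: int) -> str:
    """Monoalphabetic rotation cipher: one shift for the whole message (Rot-3
    is Caesar's original; Rot-13 is the Usenet favourite)."""
    return "".join(shift_char(c, k) for c in text.upper())


def rot13(text: str) -> str:
    """Rot-13 is its own inverse because 13 + 13 = 26."""
    return caesar(text, 13)


def cipher_disk(text: str, start_shift: int, turn_every: int) -> str:
    """Alberti's disk used polyalphabetically: a fixed starting offset, then
    the inner disk advances one letter after every `turn_every` letters
    (assumed here to increase the shift by one each turn)."""
    out, n = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(shift_char(ch, start_shift + n // turn_every))
            n += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère: add (or subtract) the key letters mod 26, repeating the key.
    A running-key cipher is the same routine with a key as long as the
    message, e.g. a passage from an agreed book."""
    key_letters = [c for c in key.upper() if c in ALPHABET]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key_letters[i % len(key_letters)])
            out.append(shift_char(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def most_common_letter(text: str) -> str:
    """The frequency-analysis clue: for a monoalphabetic cipher this is just
    the plaintext's most common letter under the same shift."""
    return Counter(c for c in text.upper() if c in ALPHABET).most_common(1)[0][0]
```

"Set S to D" on the disk is a starting shift of 11; with `turn_every=1` the same plaintext letter encrypts differently each time, which is what breaks the one-to-one letter mapping that frequency analysis relies on. The running-key case is simply `vigenere(message, long_text)`.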
Codebooks
Codebooks assign a codeword for important people, locations, and
terms.
One-Time Pad
• Uses identical paired pads of random characters, with a set
number of characters per page
• One page is used to encrypt the data, the same page (at the
receiver) is used to decrypt. Then the page is discarded.
• Pages are never reused.
• Only encryption method that is mathematically proven to be
secure, if the following three conditions are met:
• The characters on the pad are truly random
• The pads are kept secure
• No page is ever reused
(Slide 103 – History of Cryptography)
One-Time Pad - Vernam Cipher
• First known use of a one-time pad
• Named after Gilbert Vernam, an employee of AT&T Bell
Laboratories
• The Vernam cipher used bits (before the dawn of computers, as
other teletypes also did)
• The one-time pad bits were XORed to the plaintext bits
(Slide 104 – History of Cryptography)
Project VENONA
• Project undertaken by United States and United Kingdom
cryptanalysts to break the KGB’s (the Soviet Union’s national
security agency) encryption in the 1940s.
• The KGB used one-time pads for sensitive transmissions, which
should have rendered the ciphertext unbreakable.
• The KGB violated one of the three rules of one-time pads: they
reused the pads.
• Many famous names were decrypted, including details on the
nuclear espionage committed by Ethel and Julius Rosenberg.
NOTE: Project VENONA itself is not testable; it is described to show the
dangers of reusing the pages of a one-time pad.
(Slide 105 – History of Cryptography)
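The XOR slide, the one-time pad slides and the VENONA note fit in one piece of code. Below is an added example (not from the slides or the book): the repeating-key XOR of "ATTACK AT DAWN" with "UNICORN" reproduces the slide's first byte, 00010100; the same XOR with a random pad as long as the message is the Vernam one-time pad; and `reuse_leak` shows what an observer is left with when one pad encrypts two messages, which is the rule the KGB broke. The sample messages are constructed; `os.urandom` stands in for the "truly random" pad.

```python
import os


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter. Encryption
    and decryption are the same operation because x ^ k ^ k == x."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def new_pad(length: int) -> bytes:
    """A pad page: random bytes from the OS CSPRNG (condition 1 of the slide)."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam one-time pad: XOR with a pad at least as long as the message.
    The pad must never be reused (condition 3); that is enforced by the
    caller discarding the page, not by the arithmetic."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute from two ciphertexts made with the same
    pad: c1 ^ c2 == (p1 ^ pad) ^ (p2 ^ pad) == p1 ^ p2. The pad cancels out,
    so the two plaintexts are now tied together without any key at all."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    ct = xor_bytes(b"ATTACK AT DAWN", b"UNICORN")
    print(f"first ciphertext byte: {ct[0]:08b}")  # 00010100, as on the slide
```

The repeating-key version has the same weakness as pad reuse in miniature: every seventh byte is encrypted under the same key byte, so `c[i] ^ c[i+7] == p[i] ^ p[i+7]`. A pad as long as the message, random, and used once removes that relationship entirely, which is what makes the one-time pad provably secure and everything short of it merely hard.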
Good Movies About Encryption
(Slide 106 – History of Cryptography; image-only slide)
Hebern Machines and Purple
• Class of cryptographic devices known as rotor machines
• Named after Edward Hebern
• Look like large manual typewriters, electrified with rotors (rotating
motors)
• Used after World War I, through World War II, and in some cases
into the 1950s
(Slide 107 – History of Cryptography)
Enigma
• Used by German Axis powers during World War II
• Cryptanalysis of Enigma was performed by French and Polish cryptanalysts
• The work was continued by the British, led by Alan Turing in Bletchley Park,
England
• Intelligence provided by the cryptanalysis of Enigma (called Ultra) proved critical
in the European theater of World War II
• British cryptanalyst Sir Harry Hinsley said, “the war, instead of finishing in 1945,
would have ended in 1948 had the Government Code and Cypher School not
been able to read the Enigma ciphers and produce the Ultra intelligence.”
• Looks like a large typewriter with lamps and finger wheels added
• The military version of Enigma (commercial versions also existed) had three
finger wheels which could be set to any number from 1 to 26 (the finger wheels
provide the key)
• As you type on the keyboard, the finger wheels turn, and a lamp for the
corresponding ciphertext illuminates
• To decrypt, set the finger wheels back to their original position, and type the
ciphertext into the keyboard. The lamps illuminate to show the corresponding
plaintext.
(Slide 108 – History of Cryptography)
SIGABA
• A rotor machine used by the United States through
World War II into the 1950s
• More complex, based on analysis of weaknesses in
Enigma by American cryptanalysts including William
Friedman
• Also called ECM (Electronic Code Machine) Mark II
• Large, complex, and heavy
• Never known to be broken
(Slide 109 – History of Cryptography)
Purple
• Allied name for the encryption device used by Japanese Axis
powers during World War II
• A stepping-switch device, primarily built with phone switch
hardware
• Only fragments of the original machine exist
• William Friedman led the United States effort against Purple
• In 1942, the Allies decoded Purple transmissions referencing a
planned sneak attack on “AF.” The Allies believed AF was a code
word for Midway Island, but they wanted to be sure. They sent a
bogus message, weakly encoded, stating there was a water
problem on Midway Island. Two days later the Allies decrypted a
Purple transmission stating there was a water problem on AF.
(Slide 110 – History of Cryptography)
Wassenaar Arrangement
• After COCOM ended
• Created in 1996
• Many more countries, including former Soviet Union
countries such as Estonia, the Russian Federation,
Ukraine, and others
• Relaxed many of the restrictions on exporting
cryptography
(Slide 111 – History of Cryptography)
STOP!!! THAT’S ENOUGH ALREADY!
• That’s it for tonight.
• No class on Monday. Good time to catch up!
• We’ll pick it back up again on Wednesday, more
encryption!
• We’ve gone up to page 160 in the book if you’re following
along in your reading/study.
• Please come with questions on Wednesday (4/24). We
will recap some of today’s material and cover questions in
the next class.
(Slide 112 – THAT’S IT. NEXT?)
See you next Wednesday!

More Related Content

PDF
2020 FRSecure CISSP Mentor Program - Class 8
PDF
2018 FRSecure CISSP Mentor Program Session 11
PDF
2019 FRSecure CISSP Mentor Program: Class Seven
PDF
2020 FRSecure CISSP Mentor Program - Class 10
PDF
2019 FRSecure CISSP Mentor Program: Class Eight
PDF
2020 FRSecure CISSP Mentor Program - Class 5
PDF
2020 FRSecure CISSP Mentor Program - Class 11
PDF
2018 FRSecure CISSP Mentor Program Session 8
2020 FRSecure CISSP Mentor Program - Class 8
2018 FRSecure CISSP Mentor Program Session 11
2019 FRSecure CISSP Mentor Program: Class Seven
2020 FRSecure CISSP Mentor Program - Class 10
2019 FRSecure CISSP Mentor Program: Class Eight
2020 FRSecure CISSP Mentor Program - Class 5
2020 FRSecure CISSP Mentor Program - Class 11
2018 FRSecure CISSP Mentor Program Session 8

What's hot (20)

PDF
FRSecure 2018 CISSP Mentor Program Session 10
PDF
2020 FRSecure CISSP Mentor Program - Class 4
PDF
2018 FRSecure CISSP Mentor Program Session 9
PDF
2019 FRSecure CISSP Mentor Program: Class Eleven
PDF
2020 FRSecure CISSP Mentor Program - Class 9
PDF
2020 FRSecure CISSP Mentor Program - Class 3
PDF
2019 FRSecure CISSP Mentor Program: Class Nine
PDF
2020 FRSecure CISSP Mentor Program - Class 7
PDF
2018 FRSecure CISSP Mentor Program- Session 7
PDF
2019 FRSecure CISSP Mentor Program: Class Six
PDF
2018 CISSP Mentor Program- Session 6
PDF
2020 FRSecure CISSP Mentor Program - Class 6
PDF
2019 FRSecure CISSP Mentor Program: Class Three
PDF
2019 FRSecure CISSP Mentor Program: Class Ten
PDF
2020 FRsecure CISSP Mentor Program - Class 1
PDF
2018 CISSP Mentor Program Session 3
PPTX
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
PDF
2020 FRSecure CISSP Mentor Program - Class 2
PDF
Bh us 11_tsai_pan_weapons_targeted_attack_wp
PDF
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program
FRSecure 2018 CISSP Mentor Program Session 10
2020 FRSecure CISSP Mentor Program - Class 4
2018 FRSecure CISSP Mentor Program Session 9
2019 FRSecure CISSP Mentor Program: Class Eleven
2020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 3
2019 FRSecure CISSP Mentor Program: Class Nine
2020 FRSecure CISSP Mentor Program - Class 7
2018 FRSecure CISSP Mentor Program- Session 7
2019 FRSecure CISSP Mentor Program: Class Six
2018 CISSP Mentor Program- Session 6
2020 FRSecure CISSP Mentor Program - Class 6
2019 FRSecure CISSP Mentor Program: Class Three
2019 FRSecure CISSP Mentor Program: Class Ten
2020 FRsecure CISSP Mentor Program - Class 1
2018 CISSP Mentor Program Session 3
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
2020 FRSecure CISSP Mentor Program - Class 2
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Slide Deck Class Session 10 – FRSecure CISSP Mentor Program
Ad

Similar to 2019 FRSecure CISSP Mentor Program: Class Four (20)

PDF
2018 FRecure CISSP Mentor Program- Session 4
DOCX
SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx
PPTX
Introduction to Security (Hardware, Software, Data & Policies)
PPSX
2 Security Architecture+Design
PDF
736749821-CSEC-INFORMATION-TECHNOLOGY-12-HOUR-CC-MAY-2024.pdf
PPTX
Security Architecture and Design - CISSP
PPTX
Slide Deck – Session 7 – FRSecure CISSP Mentor Program 2017
PPTX
Slide Deck CISSP Class Session 5
PPTX
BIS CH2 Computers and their Applications.pptx
PDF
CISSP-2022 Domain 1 Handouts for certification prep
PDF
Slide Deck CISSP Class Session 7
PDF
Course Slides for CS_6035_01_Security Mindset (1)
ODP
CISSP Week 22
PPT
3. security architecture and models
PPTX
Safe and secure programming practices for embedded devices
DOCX
Infrastructure SecurityChapter 10Principles of Compute.docx
PPT
PPTX
Computer Systems Fundamentals
PPTX
Unit2fit
PDF
CNIT 125 Ch 3. Asset Security
2018 FRecure CISSP Mentor Program- Session 4
SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx
Introduction to Security (Hardware, Software, Data & Policies)
2 Security Architecture+Design
736749821-CSEC-INFORMATION-TECHNOLOGY-12-HOUR-CC-MAY-2024.pdf
Security Architecture and Design - CISSP
Slide Deck – Session 7 – FRSecure CISSP Mentor Program 2017
Slide Deck CISSP Class Session 5
BIS CH2 Computers and their Applications.pptx
CISSP-2022 Domain 1 Handouts for certification prep
Slide Deck CISSP Class Session 7
Course Slides for CS_6035_01_Security Mindset (1)
CISSP Week 22
3. security architecture and models
Safe and secure programming practices for embedded devices
Infrastructure SecurityChapter 10Principles of Compute.docx
Computer Systems Fundamentals
Unit2fit
CNIT 125 Ch 3. Asset Security
Ad

Recently uploaded (20)

PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Electronic commerce courselecture one. Pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
Big Data Technologies - Introduction.pptx
PDF
NewMind AI Monthly Chronicles - July 2025
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Empathic Computing: Creating Shared Understanding
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
A Presentation on Artificial Intelligence
PDF
Modernizing your data center with Dell and AMD
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Approach and Philosophy of On baking technology
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Network Security Unit 5.pdf for BCA BBA.
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Electronic commerce courselecture one. Pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Review of recent advances in non-invasive hemoglobin estimation
Big Data Technologies - Introduction.pptx
NewMind AI Monthly Chronicles - July 2025
The AUB Centre for AI in Media Proposal.docx
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Empathic Computing: Creating Shared Understanding
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
MYSQL Presentation for SQL database connectivity
Agricultural_Statistics_at_a_Glance_2022_0.pdf
A Presentation on Artificial Intelligence
Modernizing your data center with Dell and AMD
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Approach and Philosophy of On baking technology
Digital-Transformation-Roadmap-for-Companies.pptx
Network Security Unit 5.pdf for BCA BBA.

2019 FRSecure CISSP Mentor Program: Class Four

  • 1. 2019 CISSP MENTOR PROGRAM April 17, 2019 ----------- Class 4 – April 17, 2019 Instructors: • Brad Nigh, FRSecure Director of Professional Services & Innovation • Evan Francen, FRSecure & SecurityStudio CEO
  • 2. We’re through Chapters 1, 2, 3, and part way into Chapter 4!​ • Check-in.​ • How many have read Chapter 1, 2 & 3?​ • Questions?​ CISSP® MENTOR PROGRAM – SESSION FOUR 1 GETTING GOING… Security Models is the BOMB! Only 112 slides tonight… Let’s get going!
  • 3. We’re through Chapters 1, 2, 3, and part way into Chapter 4!​ • Check-in.​ • How many have read Chapter 1, 2 & 3?​ • Questions?​ CISSP® MENTOR PROGRAM – SESSION FOUR 2 GETTING GOING… Security Models is the BOMB! Let’s get going! Other Updates: • We’ve got more people who told us that they are interested in hosting/facilitating a study group. We’ll be getting something going soon. • Email mentorprogram@frsecure.com if you’re interested in hosting/facilitating/participating in a study group. We’ll put the right people in touch. • We’ve got a request to setup a Slack channel for the class.
  • 4. The Domains covered so far include:​ • Introduction​ • Domain 1: Security and Risk Management​ • Domain 2: Asset Security​ • Domain 3: Security Engineering (only through Evaluation Methods, Certification and Accreditation​ CISSP® MENTOR PROGRAM – SESSION FOUR 3 GETTING GOING… Great job! We’re through Chapters 1, 2, 3, and part way into Chapter 4!
  • 5. 1. What type of memory is used often for CPU registers?​ A. DRAM​ B. Firmware​ C. ROM​ D. SRAM​ CISSP® MENTOR PROGRAM – SESSION FOUR 4 GETTING GOING… Quiz!​
  • 6. 1. What type of memory is used often for CPU registers?​ A. DRAM​ B. Firmware​ C. ROM​ D. SRAM​ CISSP® MENTOR PROGRAM – SESSION FOUR 5 GETTING GOING… Quiz!​
  • 7. 2. What was ISO 17799 renamed as?​ A. BS 7799-1​ B. ISO 27000​ C. ISO 27001​ D. ISO 27002​ CISSP® MENTOR PROGRAM – SESSION FOUR 6 GETTING GOING… Quiz!​
  • 8. 2. What was ISO 17799 renamed as?​ A. BS 7799-1​ B. ISO 27000​ C. ISO 27001​ D. ISO 27002​ CISSP® MENTOR PROGRAM – SESSION FOUR 7 GETTING GOING… Quiz!​
  • 9. 3. Which of the following describes a duty of the Data Owner?​ A. Patch systems​ B. Report suspicious activity​ C. Ensure their files are backed up​ D. Ensure data has proper security labels​ CISSP® MENTOR PROGRAM – SESSION FOUR 8 GETTING GOING… Quiz!​
  • 10. 3. Which of the following describes a duty of the Data Owner?​ A. Patch systems​ B. Report suspicious activity​ C. Ensure their files are backed up​ D. Ensure data has proper security labels​ CISSP® MENTOR PROGRAM – SESSION FOUR 9 GETTING GOING… Quiz!​
  • 11. 4. Which control framework has 34 processes across four domains?​ A. COSO​ B. COBIT​ C. ITIL®​ D. OCTAVE®​ CISSP® MENTOR PROGRAM – SESSION FOUR 10 GETTING GOING… Quiz!​
  • 12. 4. Which control framework has 34 processes across four domains?​ A. COSO​ B. COBIT​ C. ITIL®​ D. OCTAVE®​ CISSP® MENTOR PROGRAM – SESSION FOUR 11 GETTING GOING… Quiz!​
  • 13. 5. Which managerial role is responsible for the actual computers that house data, including the security of hardware and software configurations?​ A. Custodian​ B. Data owner​ C. Mission owner​ D. System owner​ CISSP® MENTOR PROGRAM – SESSION FOUR 12 GETTING GOING… Quiz!​
  • 14. 5. Which managerial role is responsible for the actual computers that house data, including the security of hardware and software configurations?​ A. Custodian​ B. Data owner​ C. Mission owner​ D. System owner​ CISSP® MENTOR PROGRAM – SESSION FOUR 13 GETTING GOING… Quiz!​
  • 15. 6. What type of relatively expensive and fast memory uses small latches called​ “flip-flops” to store bits?​ A. DRAM​ B. EPROM​ C. SRAM​ D. SSD​ CISSP® MENTOR PROGRAM – SESSION FOUR 14 GETTING GOING… Quiz!​
  • 16. 6. What type of relatively expensive and fast memory uses small latches called​ “flip-flops” to store bits?​ A. DRAM​ B. EPROM​ C. SRAM D. SSD​ CISSP® MENTOR PROGRAM – SESSION FOUR 15 GETTING GOING… Quiz!​
  • 17. 7. What type of memory stores bits in small capacitors (like small batteries)?​ A. DRAM​ B. EPROM​ C. SRAM​ D. SSD​ CISSP® MENTOR PROGRAM – SESSION FOUR 16 GETTING GOING… Quiz!​
  • 18. 7. What type of memory stores bits in small capacitors (like small batteries)?​ A. DRAM B. EPROM​ C. SRAM​ D. SSD​ CISSP® MENTOR PROGRAM – SESSION FOUR 17 GETTING GOING… Quiz!​
  • 19. CISSP® MENTOR PROGRAM – SESSION FOUR 18 GETTING GOING… Picking up where we left off.​
  • 20. • Security Models • Evaluation Methods, Certification and Accreditation • Secure System Design Concepts • Secure Hardware Architecture • Secure Operating System and Software Architecture • Virtualization and Distributed Computing • System Vulnerabilities, Threats and Countermeasures Formerly separate domains: Security Architecture, Cryptography, and Physical Security CISSP® MENTOR PROGRAM – SESSION FOUR 19 GETTING GOING… Agenda – Domain 3: Security Engineering We will take three classes to get through this domain… Starting on page 116 this evening
  • 21. Layering • Separates hardware and software functionality into modular tiers • Actions that take place at one layer do not directly affect components in another • For networking types; OSI is an example of layering (covered later) • Generic list of security architecture layers: • Hardware • Kernel (and system/device drivers) • Operating system • Applications CISSP® MENTOR PROGRAM – SESSION FOUR 20 GETTING GOING… Secure System Design Concepts
  • 22. Abstraction – Complexity is the enemy of security • Unnecessary details are hidden from the user • Good example from the book: A user double-clicks on an MP3 file containing music, and the music plays via the computer speakers. Behind the scenes, tremendously complex actions are taking place: the operating system opens the MP3 file, looks up the application associated with it, and sends the bits to a media player. The bits are decoded by a media player, which converts the information into a digital stream, and sends the stream to the computer’s sound card. The sound card converts the stream into sound, sent to the speaker output device. Finally, the speakers play sound. Millions of calculations are occurring as the sound plays, while low-level devices are accessed. Abstraction means the user simply presses play and hears music. CISSP® MENTOR PROGRAM – SESSION FOUR 21 GETTING GOING… Secure System Design Concepts
  • 23. The Ring Model • CPU hardware layering used to separate and protect domains (user mode from kernel mode) • Most CPUs (including Intel x86) have four rings • Ring 0 – Kernel • Ring 1 – Operating system components outside of Ring 0 • Ring 2 - Device drivers • Ring 3 – User applications • Processes communicate between the rings via system calls • System calls are slow (compared to performing work within one ring), but provide security • Ring model also provides abstraction • Linux and Windows use rings 0 and 3 only • Hypervisor mode allows virtual guests to operate in ring 0, one ring “below” (ring -1) CISSP® MENTOR PROGRAM – SESSION FOUR 22 GETTING GOING… Secure System Design Concepts
  • 24. The Ring Model • CPU hardware layering used to separate and protect domains (user mode from kernel mode) • Most CPUs (including Intel x86) have four rings • Ring 0 – Kernel • Ring 1 – Operating system components outside of Ring 0 • Ring 2 - Device drivers • Ring 3 – User applications • Processes communicate between the rings via system calls • System calls are slow (compared to performing work within one ring), but provide security • Ring model also provides abstraction • Linux and Windows use rings 0 and 3 only • Hypervisor mode allows virtual guests to operate in ring 0, one ring “below” (ring -1) CISSP® MENTOR PROGRAM – SESSION FOUR 23 GETTING GOING… Secure System Design Concepts
  • 25. Open and Closed Systems • Open systems use open hardware and standards, using standard components from various vendors • IBM-compatible PCs • Closed systems use proprietary hardware or software CISSP® MENTOR PROGRAM – SESSION FOUR 24 GETTING GOING… Secure System Design Concepts
  • 26. System Unit and Motherboard • System unit is the computer case and everything in it. • The motherboard is the hardware board that typically includes the Central Processing Unit (CPU), memory slots, firmware, and peripheral slots such as PCI (Peripheral Component Interconnect) slots. CISSP® MENTOR PROGRAM – SESSION FOUR 25 GETTING GOING… Secure Hardware Architecture
  • 27. System Unit and Motherboard • System unit is the computer case and everything in it. • The motherboard is the hardware board that typically includes the Central Processing Unit (CPU), memory slots, firmware, and peripheral slots such as PCI (Peripheral Component Interconnect) slots. CISSP® MENTOR PROGRAM – SESSION FOUR 26 GETTING GOING… Secure Hardware Architecture
  • 28. System Unit and Motherboard • System unit is the computer case and everything in it. • The motherboard is the hardware board that typically includes the Central Processing Unit (CPU), memory slots, firmware, and peripheral slots such as PCI (Peripheral Component Interconnect) slots. CISSP® MENTOR PROGRAM – SESSION FOUR 27 GETTING GOING… Secure System Design Concepts
  • 29. Computer Bus • Primary communication channel on a computer system • Communication between the CPU, memory, and input/output devices such as keyboard, mouse, display, etc., occur via the bus CISSP® MENTOR PROGRAM – SESSION FOUR 28 GETTING GOING… Secure Hardware Architecture
  • 30. Computer Bus • Primary communication channel on a computer system • Communication between the CPU, memory, and input/output devices such as keyboard, mouse, display, etc., occur via the bus CISSP® MENTOR PROGRAM – SESSION FOUR 29 GETTING GOING… Secure Hardware Architecture
  • 31. Computer Bus • Northbridge – also called the Memory Controller Hub (MCH), connects the CPU to RAM and video memory; directly connected to CPU, so it’s faster • Southbridge - also called the I/O Controller Hub (ICH), connects input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, USB ports, etc. CISSP® MENTOR PROGRAM – SESSION FOUR 30 GETTING GOING… Secure Hardware Architecture
  • 32. The Central Processing Unit (CPU) • The “brains” - capable of controlling and performing mathematical calculations • Everything a computer does is mathematical • Rated by the number of clock cycles per second; a 2.4 GHz Pentium 4 CPU has 2.4 billion clock cycles per second. CISSP® MENTOR PROGRAM – SESSION FOUR 31 GETTING GOING… Secure Hardware Architecture
  • 33. The Central Processing Unit (CPU) • The “brains” - capable of controlling and performing mathematical calculations • Everything a computer does is mathematical • Rated by the number of clock cycles per second; a 2.4 GHz Pentium 4 CPU has 2.4 billion clock cycles per second. CISSP® MENTOR PROGRAM – SESSION FOUR 32 GETTING GOING… Secure Hardware Architecture
  • 34. The Central Processing Unit (CPU) • Arithmetic Logic Unit (ALU) - performs mathematical calculations • Control Unit (CU) – controls and send instructions to the ALU CISSP® MENTOR PROGRAM – SESSION FOUR 33 GETTING GOING… Secure Hardware Architecture
  • 35. The Central Processing Unit (CPU) • Fetch & Execute, process actually takes four steps (one CPU or clock cycle): • Fetch Instruction 1 • Decode Instruction 1 • Execute Instruction 1 • Write (save) result 1 CISSP® MENTOR PROGRAM – SESSION FOUR 34 GETTING GOING… Secure Hardware Architecture
  • 36. The Central Processing Unit (CPU) • Pipelining combines multiple steps into one combined process; simultaneous fetch, decode, execute, and write steps • Each part is called a pipeline stage CISSP® MENTOR PROGRAM – SESSION FOUR 35 GETTING GOING… Secure Hardware Architecture
  • 37. The Central Processing Unit (CPU) • Pipelining combines multiple steps into one combined process; simultaneous fetch, decode, execute, and write steps • Each part is called a pipeline stage CISSP® MENTOR PROGRAM – SESSION FOUR 36 GETTING GOING… Secure Hardware Architecture
  • 38. The Central Processing Unit (CPU) • Interrupts cause the CPU to stop processing its current task, save the state, and process a new request. Once the interrupt task is complete, the CPU will start where it left off. • Interrupts are typically hardware related. CISSP® MENTOR PROGRAM – SESSION FOUR 37 GETTING GOING… Secure Hardware Architecture
  • 39. The Central Processing Unit (CPU) • Interrupts cause the CPU to stop processing its current task, save the state, and process a new request. Once the interrupt task is complete, the CPU will start where it left off. • Interrupts are typically hardware related. CISSP® MENTOR PROGRAM – SESSION FOUR 38 GETTING GOING… Secure Hardware Architecture
  • 40. The Central Processing Unit (CPU) • Process – an executable program and its data loaded and running in memory • Thread (also called a lightweight process or “LWP”) – a child process; where one process has “spawned” another process. A heavyweight process (or “HWP”) is called a task; one big advantage for threads is that they can share memory. • Process states: • New: a process being created • Ready: process waiting to be executed by the CPU • Running: process being executed by the CPU • Blocked: waiting for I/O • Terminate: a completed process CISSP® MENTOR PROGRAM – SESSION FOUR 39 GETTING GOING… Secure Hardware Architecture A zombie or orphan is a process (or thread) where the parent is terminated
41. The Central Processing Unit (CPU)
• Multitasking allows multiple tasks (heavyweight processes) to run simultaneously on one CPU
• Multiprocessing: multiple processes running on multiple CPUs
  • Symmetric Multiprocessing (SMP): one operating system to manage all CPUs
  • Asymmetric Multiprocessing (AMP): one operating system image per CPU
• Multiprogramming: multiple programs running simultaneously on one CPU
• Multithreading: multiple threads (lightweight processes) running simultaneously on one CPU
42. The Central Processing Unit (CPU)
• Watchdog Timers are designed to recover a system by rebooting after critical processes hang or crash
• Complex Instruction Set Computer (CISC)
• Reduced Instruction Set Computer (RISC)
43. Memory Addressing
• Addressing modes are CPU-dependent
• Direct: “Add X to the value stored in memory location #YYYY.”
• Indirect: works the same way as direct; however, #YYYY is actually another memory location that holds the address of the operand, not the operand’s location itself.
• Register direct: references a CPU cache register, not secondary memory.
• Register indirect: also references a CPU cache register.
46. Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user and multi-tasking systems
Hardware Segmentation
• Completely separate hardware
Virtual Memory
• Virtual address mapping between applications and hardware memory
47. Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user and multi-tasking systems
Swapping and Paging
• Uses virtual memory to copy contents in primary memory (RAM) to or from secondary memory (on disk; not directly addressable by the CPU)
• The kernel accessing memory that has been moved to swap space results in a page fault
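The three ideas on slides 46 and 47 (per-process address mapping, memory protection, and the page fault that swapping produces) fit in one small model. The code below is an added example written for this page, not material from the slides or from FRSecure; the page size, the frame count, the process ids and the addresses are constructed toy values, and the "disk" is just a Python dict.

```python
# Added example (not from the slides): a toy model of virtual memory.
# Each process gets its own page table, so the same virtual address in two
# processes lands in different physical frames; a process cannot reach a page
# that is not mapped for it; and touching a page that was swapped to "disk"
# raises a page fault that the kernel handler resolves by swapping it back in.
# Page size, frame count and the addresses used are constructed toy values.

PAGE_SIZE = 256        # bytes per page (toy value)
PHYSICAL_FRAMES = 4    # frames of RAM in the toy machine


class PageFault(Exception):
    """Virtual page is mapped but currently lives in swap, not RAM."""


class ProtectionFault(Exception):
    """Process touched a virtual page that is not mapped in its page table."""


class VirtualMemory:
    def __init__(self):
        self.ram = {}           # frame number -> bytearray(PAGE_SIZE)
        self.swap = {}          # (pid, vpage) -> bytearray saved to disk
        self.page_tables = {}   # pid -> {vpage: frame number, or None if swapped out}
        self.page_faults = 0

    def _free_frame(self):
        for frame in range(PHYSICAL_FRAMES):
            if frame not in self.ram:
                return frame
        raise MemoryError("no free frame: swap something out first")

    def map_page(self, pid, vpage):
        """Back virtual page `vpage` of process `pid` with a fresh frame."""
        frame = self._free_frame()
        self.ram[frame] = bytearray(PAGE_SIZE)
        self.page_tables.setdefault(pid, {})[vpage] = frame

    def translate(self, pid, vaddr):
        """The MMU's job: virtual address -> (frame, offset), or a fault."""
        vpage, offset = divmod(vaddr, PAGE_SIZE)
        table = self.page_tables.get(pid, {})
        if vpage not in table:
            raise ProtectionFault(f"pid {pid}: virtual page {vpage} is not mapped")
        if table[vpage] is None:
            raise PageFault(vpage)
        return table[vpage], offset

    def _access(self, pid, vaddr):
        try:
            return self.translate(pid, vaddr)
        except PageFault as fault:
            self._swap_in(pid, fault.args[0])     # kernel page-fault handler
            return self.translate(pid, vaddr)     # retry once the page is resident

    def read(self, pid, vaddr):
        frame, offset = self._access(pid, vaddr)
        return self.ram[frame][offset]

    def write(self, pid, vaddr, value):
        frame, offset = self._access(pid, vaddr)
        self.ram[frame][offset] = value

    def swap_out(self, pid, vpage):
        """Kernel moves a page from RAM to swap space to free a frame."""
        frame = self.page_tables[pid][vpage]
        self.swap[(pid, vpage)] = self.ram.pop(frame)
        self.page_tables[pid][vpage] = None

    def _swap_in(self, pid, vpage):
        self.page_faults += 1
        frame = self._free_frame()
        self.ram[frame] = self.swap.pop((pid, vpage))
        self.page_tables[pid][vpage] = frame


def demo():
    vm = VirtualMemory()
    vm.map_page(pid=1, vpage=0)
    vm.map_page(pid=2, vpage=0)      # same virtual page number, different frame
    vm.write(1, 0x10, 0x41)          # process 1 stores 'A' at virtual address 0x10
    vm.write(2, 0x10, 0x42)          # process 2 stores 'B' at the same virtual address
    isolated = vm.read(1, 0x10) == 0x41 and vm.read(2, 0x10) == 0x42
    try:
        vm.read(2, 0x100)            # virtual page 1 is not mapped for process 2
        protected = False
    except ProtectionFault:
        protected = True
    vm.swap_out(1, 0)                # kernel pages process 1 out to disk
    after_fault = vm.read(1, 0x10)   # page fault, swap-in, then the read succeeds
    return {"isolated": isolated, "protected": protected,
            "after_fault": after_fault, "page_faults": vm.page_faults,
            "frames": (vm.page_tables[1][0], vm.page_tables[2][0])}


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that isolation comes from the page table, not from the addresses: both processes use virtual address 0x10, the MMU sends them to different frames, and an address outside a process's own table is refused before any memory is touched.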
48. BIOS
• Basic Input Output System
• Contains code in firmware that is executed when a PC is powered on
• The first thing it does is run the Power On Self-Test (POST)
• POST finds the boot sector that contains machine code for the OS kernel
• The kernel loads and executes into the OS
50. (figure slide) In general, the MBR consists of 512 or more bytes located in the first sector of the drive.
51. WORM Storage
• Write Once Read Many
• Usually used for record retention and high-integrity information
• CD-Rs, DVD-Rs, etc.
• Not CD-RWs or DVD-RWs
52. Trusted Platform Module (or TPM)
• Developed and updated by the Trusted Computing Group; international standard
• Processor that can provide additional security capabilities in hardware
• Usually on the motherboard
• Hardware-based encryption (fast)
• Boot integrity: protecting against rootkits and kernel bypass attacks
• Platform integrity and disk encryption (primary uses)
Tidbit: The United States Department of Defense (DoD) specifies that "new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD will include a TPM version 1.2 or higher where required by DISA STIGs and where such technology is available."
55. Data Execution Prevention and Address Space Layout Randomization
• Intentionally corrupting the memory of a system, for example via a stack- or heap-based buffer overflow condition, is a common means employed by an adversary.
• DEP, enabled within hardware and/or software, attempts to ensure that memory locations not pre-defined to contain executable content cannot have code executed from them.
Pretty good basic explanation: https://slideplayer.com/slide/4775349/
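Whether a Linux binary actually benefits from DEP and ASLR is recorded in its ELF header: the `PT_GNU_STACK` program header says whether the stack may be executed, and an `ET_DYN` file type is what lets the loader place the main image at a random address. The checker below is an added example written for this page, not FRSecure material or any tool's code; the two sample "binaries" it ships with are constructed headers rather than real programs, and the labels `HARDENED` and `LEGACY` are names chosen here.

```python
# Added example (not from the slides): parse an ELF64 header and report the
# two properties a DEP/ASLR review checks on Linux binaries: whether the stack
# is marked non-executable (PT_GNU_STACK without PF_X) and whether the image is
# position independent (ET_DYN), which is what lets ASLR randomise the main
# executable's load address. The two sample images are constructed headers,
# not real programs; the same check_elf() works on a real file.
import struct

PT_GNU_STACK = 0x6474E551   # program header that declares stack permissions
PF_X = 0x1                  # execute bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent

ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 header, little-endian
PROGRAM_HEADER = struct.Struct("<IIQQQQQQ")       # 56-byte program header entry


def check_elf(data):
    """Return {'pie': bool, 'stack_nx': True/False/None} for an ELF64 LE image.
    stack_nx is None when no PT_GNU_STACK entry exists; older x86 kernels treated
    that as "executable stack", so a reviewer should treat None as a finding too."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = ELF_HEADER.unpack_from(data, 0)
    stack_nx = None
    for i in range(e_phnum):
        p_type, p_flags = PROGRAM_HEADER.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "stack_nx": stack_nx}


def build_sample(e_type, stack_flags):
    """Constructed minimal ELF64 image: header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class 64, LE, v1, SysV ABI
    header = ELF_HEADER.pack(ident, e_type, 0x3E, 1, 0, ELF_HEADER.size, 0, 0,
                             ELF_HEADER.size, PROGRAM_HEADER.size, 1, 0, 0, 0)
    phdr = PROGRAM_HEADER.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


HARDENED = build_sample(ET_DYN, 0x6)    # PF_R | PF_W: stack is data only, PIE image
LEGACY = build_sample(ET_EXEC, 0x7)     # PF_R | PF_W | PF_X: executable stack, fixed address

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED
    print(check_elf(image))
```

Run it with a path argument to inspect a real binary; with no argument it reports on the constructed `HARDENED` image. Both flags must be true for the mitigations on the slide to apply to the main executable: a non-executable stack with a fixed load address still leaves every code address predictable.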
57. Kernel
• Heart (or core) of the operating system, usually running at ring 0
• Interface between the operating system and hardware
• Two primary types of kernels:
  • Monolithic kernel: compiled into one static executable and the entire kernel runs in supervisor mode; requires recompiling to add new features
  • Microkernel: a modular kernel; can add functionality via loadable kernel modules
58. Kernel
• Reference monitor: core function of the kernel; mediates all access between subjects and objects
• Always enabled and cannot be bypassed
59. Users and File Permissions
• Linux and UNIX permissions: output of a Linux “ls -la /etc” (figure)
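Reading the mode column of that `ls -la` listing is the skill the slide is after, so here is the translation carried out in code: an added example written for this page, not the slides' own material. The listing it parses is a constructed sample, not a real `/etc`; the file names in it are made up.

```python
# Added example (not from the slides): turn the mode column of "ls -la" output
# into octal and flag entries a permissions review would question. The listing
# is constructed sample output, not a real /etc.

SAMPLE_LISTING = """\
total 24
drwxr-xr-x  2 root root   4096 Apr 17  2019 .
-rw-r--r--  1 root root    582 Apr 17  2019 passwd
-rw-r-----  1 root shadow 1212 Apr 17  2019 shadow
-rwxrwxrwx  1 root root    120 Apr 17  2019 startup.sh
-rwsr-xr-x  1 root root   5040 Apr 17  2019 helper
drwxrwxrwt  2 root root   4096 Apr 17  2019 tmp
"""


def mode_to_octal(mode):
    """'-rwsr-xr-x' -> 0o4755. Lower-case 's'/'t' mean the execute bit is set
    together with setuid/setgid/sticky; 'S'/'T' mean the special bit without execute."""
    perms = mode[1:10]             # drop the file-type character (d, -, l, ...)
    bits = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":          # 'x', 's' and 't' all imply execute
            bits |= 1 << (8 - i)
    if perms[2] in "sS":
        bits |= 0o4000             # setuid
    if perms[5] in "sS":
        bits |= 0o2000             # setgid
    if perms[8] in "tT":
        bits |= 0o1000             # sticky
    return bits


def review(listing):
    """Return findings for world-writable, setuid and setgid entries."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 8)        # mode links owner group size mon day year name
        if len(parts) < 9 or parts[0][0] not in "-dl":
            continue                        # "total" line, or device/socket entries
        mode, owner, name = parts[0], parts[2], parts[8]
        octal = mode_to_octal(mode)
        issues = []
        if octal & 0o002 and not (octal & 0o1000):
            issues.append("world-writable")   # sticky dirs such as /tmp are expected
        if octal & 0o4000:
            issues.append("setuid")
        if octal & 0o2000:
            issues.append("setgid")
        if issues:
            findings.append({"name": name, "mode": oct(octal), "owner": owner, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LISTING):
        print(f"{f['mode']:>7} {f['owner']:<6} {f['name']}: {', '.join(f['issues'])}")
```

On the sample, `startup.sh` (0o777) and `helper` (setuid root) are reported while the sticky `tmp` directory is not, which is the judgement a reviewer makes by eye on a real listing: a world-writable script run by root is a privilege-escalation path, a sticky world-writable directory is normal.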
60. Users and File Permissions
• Types of permissions available depend on the file system being used
• Microsoft NTFS Permissions:
  • Read
  • Write
  • Read and execute
  • Modify
  • Full control (read, write, execute, modify, and in addition the ability to change the permissions)
GETTING GOING… Virtualization and Distributed Computing
62. Virtualization
• Adds a software layer between the operating system and computer hardware
• Multiple “guest” systems can run on one physical “host”
• Transparent (or Full) Virtualization: runs stock operating systems; no changes to the OS are necessary
• Paravirtualization: specially modified operating systems/modified kernel
64. Hypervisor
• Software that controls access between “guest” operating systems and the “host” hardware
• Type 1: part of an operating system that runs directly on the host hardware, e.g. VMware ESX
• Type 2: runs as an application within the operating system, e.g. VMware Workstation
66. Benefits
• Lower hardware cost
• Lower power cost
• Smaller footprint
Security Issues
• More complex
• Easy to bring up new systems (without proper checks/balances)
• An issue in the host and/or hypervisor could affect every guest (VM escape)
• Don’t host systems with varying security sensitivities on the same hardware
67. Cloud Computing
• Leverage economies of scale
• Infrastructure as a Service (IaaS): customer configures the operating system and all else (Linux server hosting)
• Platform as a Service (PaaS): pre-configured operating system; customer installs & configures everything else (Web service hosting)
• Software as a Service (SaaS): everything is configured; customer just uses it (Web mail)
• Private cloud: cloud is dedicated to one single customer
• Public cloud: cloud is shared amongst multiple organizations
69. Cloud Computing: Security Issues
• Need strict SLAs
• Limited visibility
• Shared infrastructure and shared target
• Right to audit, right to assess (vulnerabilities), and right to test (pentest)
• Physical boundaries (geographic)
70. Grid Computing
• BOINC: 165 PFLOPS! (165 × 10^15 FLOPS)
• Intel Core 4 FLOPS (figure)
71. Peer to Peer (P2P)
• Any system can act as a client, a server, or both
• Decentralized and neutral
• Napster (central index servers = busted), Gnutella, and BitTorrent
• Intellectual property (IP) issues, data integrity, and data loss are all risks
72. Thin Clients
• Rely on central servers: central servers run applications, store data, and simplify security
• Cheaper than full PCs
Diskless Workstations
• Contain CPU, memory, and firmware (no disk drive)
• Kernel and operating system loaded via the network
• BIOS → POST → TCP/IP → BOOTP (typically *nix) or DHCP (more robust)
Thin Client Applications
• Browser-based access to centralized applications and data
• Run on a full PC
• Citrix ICA, OpenThinClient, etc.
73. The Internet of Things (IoT)
• Small Internet-connected devices
• Refrigerators, televisions, home automation, etc.
• Security freaking nightmare! Vendors don’t patch, poor customer support, features overrule security, etc.
GETTING GOING… System Vulnerabilities, Threats and Countermeasures
74. Emanations
• Energy that escapes an electronic system: a potential side-channel attack
• “TEMPEST is a National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.” (Wikipedia)
• Shielding standards (many are classified); however, three levels are public.
75. Backdoors
• Usually malicious
• System shortcut to bypass security checks
• Bypass login; sometimes planted as part of a larger attack
Maintenance Hooks
• Usually innocent
• Shortcuts installed on purpose by system designers or programmers
• Should never be left in a production system
76. Malware (or Malicious Software or Malicious Code)
• A zero-day exploit is malicious code for which there is no vendor patch (or fix)
Computer Virus
• Doesn’t spread automatically
• Types:
  • Macro virus
  • Boot sector virus
  • Stealth virus
  • Polymorphic virus
  • Multipartite virus
• In general, viruses embed and worms spread.
77. Worms
• Self-propagate
• Damages include:
  • Malicious code itself
  • Wasted resources (usually network-related)
• Famous worms include Morris Worm, ILOVEYOU, Nimda, Code Red, and Melissa
79. Trojans
• One function is benign (maybe a game)
• A second function is malicious (could be anything)
• Famous Trojans include the Zeus Trojan, CryptoLocker, Netbus, Back Orifice, and Shedun (Android)
81. Rootkits
• Replace portions of the kernel and/or operating system
• User-mode (ring 3, called “userland”) and kernel-mode (ring 0)
• Commonly rootkitted binaries are ls, ps, and many others
82. Antivirus Software
• Signature-based (static signatures) and heuristic-based (anomaly and behavior)
83. Server-side Attacks (or service-side attacks)
• Attacking a service
Client-side Attacks
• Downloads
84. Web Architecture and Attacks
• OWASP Top 10 (2017): https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
86. Applets
• Small pieces of mobile code that are embedded in other software such as Web browsers
• Downloaded from servers and run locally
• Java:
  • Object-oriented
  • Bytecode is platform independent; requires the Java Virtual Machine (JVM)
  • Applets run in a sandbox
• ActiveX:
  • Functionally very similar to Java applets
  • Only on Microsoft systems
  • Uses digital certificates for security
87. XML: Extensible Markup Language
• Defines a set of rules for encoding documents in a format that is both human-readable and machine-readable
• XML documents should begin by declaring some information about themselves
SOA: Service Oriented Architecture
• An architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network
• A service can be used and reused throughout an organization rather than built within each individual application
• SOA concepts include SOAP, REST, DCOM, CORBA, and others
GETTING GOING… Database Security
88. Polyinstantiation
• Two different objects (instances) with the same name
• Depending on the security level established, one record contains sensitive information and the other does not; that is, a user will see the record’s information depending on his/her level of confidentiality dictated by the policy
• The ability of a database to maintain multiple records with the same key. It is used to prevent inference attacks.
89. Inference
• Requires deduction using clues
• Controls might be polyinstantiation or diffusion
Aggregation
• Mathematical process that asks every question
• No deduction
• Control might be limiting the number of queries
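Slides 88 and 89 describe two database controls in a sentence each; the sqlite3 model below shows both working, and shows the inference that polyinstantiation prevents. It is an added example written for this page, not code from the slides or from FRSecure; the `cargo` table, the two classification levels, the ship names and the query limit are all constructed.

```python
# Added example (not from the slides): sqlite3 model of polyinstantiation and
# of a query budget as an aggregation control. The table, classification
# levels and rows are constructed; nothing here is a real schema.
import sqlite3

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}


def build_db():
    db = sqlite3.connect(":memory:")
    # The key is (ship, level), so the same ship can exist once per level:
    # that is polyinstantiation. A low-cleared user sees the cover record,
    # a high-cleared user sees the real one.
    db.execute("""CREATE TABLE cargo (
                      ship        TEXT    NOT NULL,
                      level       INTEGER NOT NULL,
                      destination TEXT    NOT NULL,
                      PRIMARY KEY (ship, level))""")
    db.executemany("INSERT INTO cargo VALUES (?, ?, ?)",
                   [("Aurora", 1, "Sevastopol"),     # real destination, SECRET
                    ("Borealis", 0, "Oslo")])
    return db


def lookup(db, ship, clearance):
    """Return the destination at the highest level the caller may read."""
    row = db.execute("""SELECT destination FROM cargo
                         WHERE ship = ? AND level <= ?
                         ORDER BY level DESC LIMIT 1""",
                     (ship, LEVELS[clearance])).fetchone()
    return row[0] if row else None


def key_conflict_leaks(db):
    """Contrast: with ship alone as the key, a low user's insert collides with
    the hidden SECRET row, and the error itself reveals that the row exists."""
    db.execute("CREATE TABLE cargo_single (ship TEXT PRIMARY KEY, level INTEGER, destination TEXT)")
    db.execute("INSERT INTO cargo_single VALUES ('Aurora', 1, 'Sevastopol')")
    try:
        db.execute("INSERT INTO cargo_single VALUES ('Aurora', 0, 'Lisbon')")
        return False
    except sqlite3.IntegrityError:
        return True


class QueryBudget:
    """Cap the number of queries per user: a blunt but common aggregation control."""
    def __init__(self, db, limit):
        self.db, self.limit, self.used = db, limit, {}

    def query(self, user, sql, params=()):
        if self.used.get(user, 0) >= self.limit:
            raise PermissionError(f"{user}: query budget exhausted")
        self.used[user] = self.used.get(user, 0) + 1
        return self.db.execute(sql, params).fetchall()


def demo():
    db = build_db()
    # The low user inserts Aurora/Lisbon; the composite key lets it coexist
    # with the SECRET row instead of failing and hinting at it.
    db.execute("INSERT INTO cargo VALUES (?, ?, ?)", ("Aurora", 0, "Lisbon"))
    low, high = lookup(db, "Aurora", "UNCLASSIFIED"), lookup(db, "Aurora", "SECRET")
    budget = QueryBudget(db, limit=2)
    budget.query("analyst", "SELECT COUNT(*) FROM cargo WHERE level = 0")
    budget.query("analyst", "SELECT COUNT(*) FROM cargo WHERE destination LIKE 'L%'")
    try:
        budget.query("analyst", "SELECT COUNT(*) FROM cargo")
        blocked = False
    except PermissionError:
        blocked = True
    return {"low": low, "high": high, "leaks": key_conflict_leaks(db), "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

`key_conflict_leaks()` is the inference case: no data is returned to the low user, yet the failed insert tells them a SECRET "Aurora" row exists. The composite key removes that signal, and the query budget is the crude aggregation control the slide names; real systems tend to prefer rate limits per time window and audit of query patterns over a flat cap.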
90. Data Mining
• Searching through large (many TB and EB) data stores looking for patterns
• Used extensively for detecting fraud
• Sometimes causes privacy concerns if data is not properly anonymized
Data Analytics
• Often used to determine a baseline of normal behaviors
• Deviations from the baseline may indicate misuse or compromise
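The "baseline, then deviation" idea on slide 90 is concrete enough to run. The code below is an added example written for this page, not material from the slides: it derives a baseline from constructed per-hour counts of failed logins, counts today's failures from constructed sshd-style log lines (host name, addresses and process ids are placeholders), and reports hours whose z-score exceeds a threshold.

```python
# Added example (not from the slides): build a baseline from prior per-hour
# counts of failed logins and flag hours in today's log that deviate from it.
# The baseline numbers and the log lines are constructed sample data; the
# host name and addresses in them are documentation placeholders.
import re
import statistics
from collections import Counter

# Failed logins per hour observed on previous days (constructed).
BASELINE_COUNTS = [3, 2, 4, 3, 5, 2, 3, 4, 2, 3, 5, 4, 3, 2, 4, 3]

TODAY_LOG = """\
2019-04-17T02:13:05 bastion sshd[811]: Failed password for root from 203.0.113.7 port 5522 ssh2
2019-04-17T02:31:44 bastion sshd[815]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
2019-04-17T02:40:09 bastion sshd[820]: Failed password for admin from 203.0.113.7 port 5530 ssh2
2019-04-17T02:58:51 bastion sshd[823]: Failed password for root from 203.0.113.9 port 5601 ssh2
2019-04-17T03:01:02 bastion sshd[830]: Failed password for root from 203.0.113.7 port 5610 ssh2
2019-04-17T03:01:09 bastion sshd[831]: Failed password for root from 203.0.113.7 port 5611 ssh2
2019-04-17T03:01:15 bastion sshd[832]: Failed password for root from 203.0.113.7 port 5612 ssh2
2019-04-17T03:01:22 bastion sshd[833]: Failed password for admin from 203.0.113.7 port 5613 ssh2
2019-04-17T03:01:30 bastion sshd[834]: Failed password for admin from 203.0.113.7 port 5614 ssh2
2019-04-17T03:01:37 bastion sshd[835]: Failed password for oracle from 203.0.113.7 port 5615 ssh2
2019-04-17T03:01:44 bastion sshd[836]: Failed password for oracle from 203.0.113.7 port 5616 ssh2
2019-04-17T03:01:52 bastion sshd[837]: Failed password for test from 203.0.113.7 port 5617 ssh2
2019-04-17T03:02:00 bastion sshd[838]: Failed password for test from 203.0.113.7 port 5618 ssh2
"""

FAILED = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} .*sshd\[\d+\]: Failed password")


def failures_per_hour(log_text):
    """Count failed-login lines per hour, keyed like '2019-04-17T03'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_deviations(hour_counts, baseline, threshold=3.0):
    """Flag hours whose z-score against the baseline exceeds the threshold."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline) or 1.0   # a flat baseline would divide by zero
    return {hour: round((n - mean) / stdev, 2)
            for hour, n in sorted(hour_counts.items())
            if (n - mean) / stdev > threshold}


if __name__ == "__main__":
    counts = failures_per_hour(TODAY_LOG)
    print(dict(counts))
    print(find_deviations(counts, BASELINE_COUNTS))
```

With the constructed baseline (mean 3.25, sample standard deviation 1.0) the 02:00 hour with three failures is ordinary and the 03:00 hour with nine is 5.75 standard deviations out; the same arithmetic is what a SIEM's "statistical threshold" rule performs, and the choice of threshold is the trade between missed compromises and analyst fatigue.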
GETTING GOING… Countermeasures
91. Defense in Depth
• Crunchy shell and gooey center (bad)
• Network segmentation/isolation
• NSA Methodology for Adversary Obstruction (https://www.cdse.edu/documents/cdse/nsa-methodology-for-adversary-obstruction.pdf)
Mobile Device Defenses
• Mobile device management (MDM)
• Network Access Control (NAC) and 802.1x
• Authentication, remote wipe, encryption, etc.
92. YAY!!! Best day ever!
NOW FOR SOME ENCRYPTION!!!
GETTING GOING… Cornerstone Cryptographic Concepts
93. Key Terms
• Cryptology is the science of secure communications
• Cryptography creates messages whose meaning is hidden
• Cryptanalysis is the science of breaking encrypted messages (recovering their meaning)
• Cryptology encompasses both cryptography and cryptanalysis
• A cipher is a cryptographic algorithm
• Plaintext is an unencrypted message
• Ciphertext is an encrypted message
• Encryption converts the plaintext to a ciphertext
• Decryption turns a ciphertext back into a plaintext
94. Confusion, Diffusion, Substitution, and Permutation
• Confusion means that the relationship between the plaintext and ciphertext should be as confused (or random) as possible.
• Diffusion means the order of the plaintext should be “diffused” (or dispersed) in the ciphertext.
• Substitution replaces one character for another; this provides diffusion.
• Permutation (also called transposition) provides confusion by rearranging the characters of the plaintext, anagram-style.
• Substitution and permutation are often combined.
• Strong encryption destroys patterns. Any signs of nonrandomness may be used as clues to a cryptanalyst, hinting at the underlying order of the original plaintext or key.
95. Cryptographic Strength
• Good encryption is strong: for key-based encryption, it should be very difficult (and ideally impossible) to convert a ciphertext back to a plaintext without the key.
• Work factor describes how long it will take to break a cryptosystem (decrypt a ciphertext without the key).
• Secrecy of the cryptographic algorithm does not provide strength (Kerckhoffs’ principle).
96. Monoalphabetic and Polyalphabetic Ciphers
• A monoalphabetic cipher uses one alphabet: a specific letter (like “E”) is substituted for another (like “X”). Monoalphabetic ciphers are susceptible to frequency analysis.
• A polyalphabetic cipher uses multiple alphabets: “E” may be substituted for “X” one round, and then “S” the next round.
97. Frequency Analysis (figure slide)
98. Exclusive Or (XOR) Logic Gate
• Encrypt the plaintext “ATTACK AT DAWN” with a key of “UNICORN”:
• “A” is binary 01000001 and “U” is binary 01010101.
• XORing them gives a ciphertext byte of 00010100 (chr(20) in ASCII; it has no printable text equivalent).
GETTING GOING… History of Cryptography
99. Cryptography is the oldest domain in the Common Body of Knowledge, stretching back thousands of years to the days of the Pharaohs in Egypt.
Egyptian Hieroglyphics
• Stylized pictorial writing used in ancient Egypt
• Popular from roughly 2000 to 1000 B.C.
Spartan Scytale
• Used in ancient Sparta around 400 B.C.
• Strip of parchment wrapped around a rod
• Plaintext was encrypted by writing lengthwise down the rod
• Message was then unwound and sent
• A rod of the same diameter was used to decrypt the message
100. Caesar Cipher and other Rotation Ciphers
• Monoalphabetic rotation cipher used by Gaius Julius Caesar
• Rotated each letter of the plaintext forward three places to encrypt, so that A became D, B became E, etc. (Rot-3)
• The rotation can be anything you want
• A common rotation cipher is Rot-13, frequently used to conceal information on bulletin board systems such as Usenet
Vigenère Cipher
• Polyalphabetic cipher named after Blaise de Vigenère, a French cryptographer who lived in the 16th century
• The alphabet is repeated 26 times to form a matrix, called the Vigenère Square
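Slides 96, 97 and 100 belong together: the rotation cipher is monoalphabetic, the Vigenère cipher is polyalphabetic, and frequency analysis is why the distinction matters. The code below is an added example written for this page rather than material from the slides; the plaintext sentence and the keys `UNICORN` and `LEMON` are constructed for the demonstration.

```python
# Added example (not from the slides): rotation ciphers (Caesar = ROT-3,
# ROT-13), the Vigenère cipher, and the letter-frequency count that explains
# why the monoalphabetic one falls to frequency analysis while the
# polyalphabetic one flattens the pattern. Plaintext and keys are constructed.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def rotate(text, shift):
    """Rotation cipher; shift 3 is Caesar, 13 is ROT-13. Non-letters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text.upper())


def vigenere(text, key, decrypt=False):
    """Each letter is rotated by its key letter, cycling through the key:
    that key letter selects the row of the Vigenère square to use."""
    key = key.upper()
    out, i = [], 0
    for c in text.upper():
        if c in ALPHABET:
            shift = ALPHABET.index(key[i % len(key)])
            if decrypt:
                shift = -shift
            out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
            i += 1                      # only letters consume key material
        else:
            out.append(c)
    return "".join(out)


def letter_frequencies(text):
    """Relative frequency of each letter: the raw material of frequency analysis."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    return {c: counts[c] / len(letters) for c in ALPHABET}


def most_common(text):
    """(letter, frequency) of the most frequent letter in the text."""
    freqs = letter_frequencies(text)
    letter = max(freqs, key=freqs.get)
    return letter, round(freqs[letter], 4)


PLAINTEXT = "MEET ME AT THE SECRET ENTRANCE AT SEVEN"   # constructed; E-heavy like real English

if __name__ == "__main__":
    caesar = rotate(PLAINTEXT, 3)
    vig = vigenere(PLAINTEXT, "UNICORN")
    print(caesar, most_common(caesar))   # the plaintext's E peak reappears as a peak at H
    print(vig, most_common(vig))         # the peak is spread across several letters
    print(rotate(rotate(PLAINTEXT, 13), 13) == PLAINTEXT)
```

In the sample, E is 10 of the 32 letters; under Caesar that whole peak moves to H (still 10 of 32), which is exactly the clue frequency analysis uses, whereas under the seven-letter Vigenère key the same ten E's are scattered over five different ciphertext letters and no letter stands out as strongly.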
102. Cipher Disk
• Two concentric disks, each with an alphabet around the periphery.
• Allows both monoalphabetic and polyalphabetic encryption.
• For monoalphabetic encryption, two parties agree on a fixed offset: “Set ‘S’ to ‘D’.”
• For polyalphabetic encryption, the parties agree on a fixed starting offset, and then turn the wheel once every X characters: “Set ‘S’ to ‘D,’ and then turn the inner disk 1 character to the right after every 10 characters of encryption.”
• Invented in 1466 or 1467 by Leon Battista Alberti.
• Alberti is considered the inventor of the polyalphabetic cipher.
• Used for hundreds of years, through the U.S. Civil War.
103. Jefferson Disks
• Created by Thomas Jefferson in the 1790s.
• Has 36 wooden disks, each with 26 letters in random order along the edge.
• The order of the disks is the cipher key.
Book Cipher and Running-Key Cipher
• Use well-known texts as the basis for keys.
• Book Cipher: to encode, agree on a text source, and note the page number, line, and word offset of each word you would like to encode.
• Benedict Arnold used a book cipher to communicate with British conspirators.
• Running-Key Cipher: instead of using whole words, use modulus math to “add” letters to each other.
104. Codebooks
• Codebooks assign a codeword for important people, locations, and terms.
One-Time Pad
• Uses identical paired pads of random characters, with a set amount of characters per page.
• One page is used to encrypt the data; the same page (at the receiver) is used to decrypt. Then the page is discarded.
• Pages are never reused.
• Only encryption method that is mathematically proven to be secure, if the following three conditions are met:
  • The characters on the pad are truly random
  • The pads are kept secure
  • No page is ever reused
105. One-Time Pad: Vernam Cipher
• First known use of a one-time pad
• Named after Gilbert Vernam, an employee of AT&T Bell Laboratories
• The Vernam cipher used bits (before the dawn of computers, as other teletypes also did)
• The one-time pad bits were XORed to the plaintext bits
106. Project VENONA
• Project undertaken by United States and United Kingdom cryptanalysts to break the KGB’s (the Soviet Union’s national security agency) encryption in the 1940s.
• The KGB used one-time pads for sensitive transmissions, which should have rendered the ciphertext unbreakable.
• The KGB violated one of the three rules of one-time pads: they reused the pads.
• Many famous names were decrypted, including details on the nuclear espionage committed by Ethel and Julius Rosenberg.
NOTE: Project VENONA itself is not testable; it is described to show the dangers of reusing the pages of a one-time pad.
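The XOR step on slide 98 and the one-time pad of slides 104 to 106 are the same operation, so one piece of code serves both: it carries the slide's "ATTACK AT DAWN" / "UNICORN" example through the whole message, and then shows arithmetically why VENONA worked, which is that XORing two ciphertexts made with the same pad cancels the pad out. This is an added example written for this page, not material from the slides or from FRSecure; the 14-byte `PAD` constant is constructed so the output is reproducible, and the second message "ATTACK AT DUSK" is made up.

```python
# Added example (not from the slides): the XOR step from the slide carried
# through the whole message, and the one-time-pad property that VENONA
# exploited: reusing a pad cancels it out. The pad below is a constructed
# constant so the output is reproducible; a real pad must come from a true
# random source (e.g. secrets.token_bytes) and be used exactly once.


def xor_bytes(data, key):
    """XOR each byte of data with the key, cycling the key if it is shorter.
    With a key as long as the message, used once, this is the Vernam / one-time pad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def slide_example():
    """'ATTACK AT DAWN' under the repeating key 'UNICORN'; byte 0 is 'A' ^ 'U'."""
    ciphertext = xor_bytes(b"ATTACK AT DAWN", b"UNICORN")
    recovered = xor_bytes(ciphertext, b"UNICORN")      # XOR is its own inverse
    return ciphertext, recovered


# Constructed 14-byte pad, the length of the two messages below.
PAD = bytes.fromhex("9f3c77e10b5a4cd2e8816f24a93b")


def pad_reuse(m1, m2, pad=PAD):
    """Encrypt two same-length messages under one pad and XOR the ciphertexts.
    The pad cancels, leaving m1 XOR m2: a zero byte marks every position where
    the two plaintexts agree, which is why a page must never be reused."""
    c1, c2 = xor_bytes(m1, pad), xor_bytes(m2, pad)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    ct, pt = slide_example()
    print(ct.hex(), ct[0] == 0x14, pt)
    print(pad_reuse(b"ATTACK AT DAWN", b"ATTACK AT DUSK").hex())
```

`pad_reuse()` returns `00` for the first eleven bytes, where the two messages share "ATTACK AT D", and non-zero bytes only where they differ: the pad has disappeared from the relationship between the two messages entirely. That is the whole of the third one-time-pad condition on slide 104; the other two (true randomness and pad secrecy) are what `secrets.token_bytes` and key handling provide in practice.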
107. Good Movies About Encryption (figure slide)
108. Hebern Machines and Purple
• Class of cryptographic devices known as rotor machines
• Named after Edward Hebern
• Look like large manual typewriters, electrified with rotors (rotating motors)
• Used after World War I, through World War II, and in some cases into the 1950s
109. Enigma
• Used by German Axis powers during World War II
• Cryptanalysis of Enigma was performed by French and Polish cryptanalysts
• The work was continued by the British, led by Alan Turing in Bletchley Park, England
• Intelligence provided by the cryptanalysis of Enigma (called Ultra) proved critical in the European theater of World War II
• British cryptanalyst Sir Harry Hinsley said, “the war, instead of finishing in 1945, would have ended in 1948 had the Government Code and Cypher School not been able to read the Enigma ciphers and produce the Ultra intelligence.”
• Looks like a large typewriter with lamps and finger wheels added
• The military version of Enigma (commercial versions also existed) had three finger wheels which could be set to any number from 1 to 26 (the finger wheels provide the key)
• As you type on the keyboard, the finger wheels turn, and a lamp for the corresponding ciphertext illuminates
• To decrypt, set the finger wheels back to their original position, and type the ciphertext into the keyboard. The lamps illuminate to show the corresponding plaintext.
110. SIGABA
• A rotor machine used by the United States through World War II into the 1950s
• More complex, based on analysis of weaknesses in Enigma by American cryptanalysts including William Friedman
• Also called ECM (Electronic Code Machine) Mark II
• Large, complex, and heavy
• Never known to be broken
111. Purple
• Allied name for the encryption device used by Japanese Axis powers during World War II
• A stepping-switch device, primarily built with phone switch hardware
• Only fragments of the original machine exist
• William Friedman led the United States effort against Purple
• In 1942, the Allies decoded Purple transmissions referencing a planned sneak attack on “AF.” The Allies believed AF was a code word for Midway Island, but they wanted to be sure. They sent a bogus message, weakly encoded, stating there was a water problem on Midway Island. Two days later the Allies decrypted a Purple transmission stating there was a water problem on AF.
112. Wassenaar Arrangement
• After COCOM ended
• Created in 1996
• Many more countries, including former Soviet Union countries such as Estonia, the Russian Federation, Ukraine, and others
• Relaxed many of the restrictions on exporting cryptography
113. STOP!!! THAT’S ENOUGH ALREADY!
• That’s it for tonight.
• No class on Monday. Good time to catch up!
• We’ll pick it back up again on Wednesday: more encryption!
• We’ve gone up to page 160 in the book if you’re following along in your reading/study.
• Please come with questions on Wednesday (4/24). We will recap some of today’s material and cover questions in the next class.
THAT’S IT. NEXT? See you next Wednesday!