501 ch 10 understanding cryptography and pki

Proprietary & Confidential
@GoCyberSec | January, 2020
Chapter 10
Understanding Cryptography & PKI
CompTIA Security +

Introduction
• Introducing cryptography concepts
• Providing integrity with hashing
• Providing confidentiality with encryption
• Using cryptographic protocols
• Exploring PKI components

Cryptography Concepts - Integrity
• Provides assurances that data has not been modified
• Hashing ensures that data has retained integrity
• A hash is a number derived from performing a calculation on data
• If the data is unchanged the hash will always be the same number
• Common hashing algorithms include MD5, SHA, HMAC
• Each algorithm creates a fixed size string of bits
– Example: MD5 creates a hash of 128 bits

Cryptography Concepts - Confidentiality
• Ensures only authorized users can view data
• Encryption protects the confidentiality of data
• Encryption ciphers data to make it unreadable
• Encryption normally includes algorithm and key
• Symmetric encryption
– Uses the same key to encrypt and decrypt data
• Asymmetric encryption
– Uses two keys (public and private) created as a matched pair

Cryptography Concepts
• Stream ciphers
– 1 bit at a time
• Block ciphers
– Encrypt data in blocks
• Steganography
– Hides data in data

Cryptography Concepts
• Authentication validates an identity
• Non-repudiation
– Prevents a party from denying an action
• Digital signatures
– Provide authentication, non-repudiation, and integrity
– Users sign emails with a digital signature
• Digital signature is a hash of an email message encrypted with
the sender’s private key
• Only the sender’s public key can decrypt the data
• Provides verification it was encrypted with the sender’s private
key

Providing Integrity with Hashing
• Hashing provides integrity for data
– Email, downloaded files, files stored on a disk
– A one-way function that creates a string of characters
• A hash is a number
– Sometimes called a checksum
– You cannot reverse the hash
– You cannot re-create the original data from the hash
– Created with a hashing algorithm
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA) family
• HMAC

Hashing Files

Hashing Passwords
• Passwords often stored as hashes
• Password attacks attempt to discover passwords
– Guess a password
– Hash the guessed password
– Compare the hash to the original hash

Hashing Protocols Review
Algorithm Type Comments
MD5 Hashing - Integrity Creates 128-bit hashes
SHA-1 Hashing - Integrity Creates 160-bit hashes
SHA-2 Hashing - Integrity Creates 224-, 256-, 384-, or 512-bit hashes
SHA-3 Hashing - Integrity Creates 224-, 256-, 384-, or 512-bit hashes
HMAC-MD5 Integrity/Authenticity Creates 128-bit hashes
HMAC-SHA1 Integrity/Authenticity Creates 160-bit hashes

Providing Confidentiality with Encryption
• Encryption provides confidentiality
– Helps ensure only authorized users can view data
– Applies to any type of data
• Data-at-rest (files, in a database, and so on)
• Data-in-transit (sent over a network)
– Data-in-use
• Not encrypted while in use
• If sensitive should be purged after use

Providing Confidentiality with Encryption
• Two basic components of encryption
– Algorithm
• Performs mathematical calculations on data
• Algorithm always the same
– Key
• A number that provides variability
• Either kept private and/or changed frequently

Block vs. Stream Ciphers
• Block ciphers
– Encrypts data in specific sized blocks
• Often 64-bit blocks or 128-bit blocks
– Divides large files or messages into these blocks
– Encrypts each block separately
• Stream ciphers
– Encrypt data as a single bit or byte at a time in a stream
– An important principle when using a stream cipher
• Encryption keys should never be reused
• If a key is reused, it is easier to crack the encryption

Block Cipher Modes
• Electronic Codebook (ECB)
– Simplest (deprecated and not recommended)
• Cipher Block Chaining (CBC)
– Susceptible to pipeline delays
• Counter (CTM)
– Converts a block cipher into a stream cipher
• Galois/Counter Mode (GCM)
– Combines CTM with hashing techniques for integrity

Symmetric Encryption
• Uses the same key to encrypt and decrypt data
• When transmitting encrypted data
– Uses key to encrypt data before transmission
– Uses same key to decrypt data when received
• Much more efficient encrypting large amounts of data than
asymmetric encryption
• RADIUS uses symmetric encryption

• Obfuscation
– Attempts to make something unclear
– Security through obscurity (isn’t secure)
• Compare symmetric encryption
to a door key
– One key can lock door
– Same key can unlock door
– Copy of same key can lock or unlock door

• Data Encryption Standard (DES)
– 64-bit block cipher
– Uses 56-bit keys and should not be used today
• 3DES
– Originally designed as a replacement for DES
– Uses multiple keys and multiple passes
– Not as efficient as AES
– 3DES is still used in some applications, such as
when hardware doesn’t support AES

• RC4
– Symmetric stream cipher
– AES recommended instead of RC4
• Blowfish
– Faster than AES in some situations
• Twofish

Algorithm Encryption
Type
Method Key Size
AES Symmetric 128-bit block cipher 128-, 192-, or 256-bit key
3DES Symmetric 64-bit block cipher 56-, 112-, or 168-bit key
Blowfish Symmetric 64-bit block cipher 32- to 448-bit key
Twofish Symmetric 128-bit block cipher 128-, 192-, or 256-bit key
RC4* Symmetric Stream cipher 40- to 2,048-bit key
DES* Symmetric 64-bit block cipher 56-bit key
* Don’t use

Asymmetric Encryption
• Private Key / Public Key matched pair
– One key encrypts, the other key decrypts
– Only a private key can decrypt information encrypted with a
matching public key
– Only a public key can decrypt information encrypted with a
matching private key
– Private key stays private
– Public key shared in a certificate
– Asymmetric encryption methods require certificate and PKI

Asymmetric Encryption

Certificates
• Used for
– Encryption
– Authentication
– Digital signatures
• Includes
– Serial number
– Issuer
– Validity dates
– Subject
– Public key
– Usage

Using Cryptographic Protocols
• Email digital signatures
– The sender’s private key encrypts (or signs)
– The sender’s public key decrypts
• Email encryption
– The recipient’s public key encrypts
– The recipient’s private key decrypts
Knowing which key
encrypts and which
key decrypts will help
you answer many
questions

• Website encryption
– The website’s public key encrypts, it encrypts a symmetric key
– The website’s private key decrypts, it decrypts a symmetric key
– The symmetric key encrypts data in the website session
Knowing which key
encrypts and which
key decrypts will help
you answer many
questions

• Encrypted hash of a message
– The sender’s private key encrypts the hash
– Recipient decrypts hash with sender’s public key
– Provides
• Authentication – identifies the sender
• Non-repudiation – prevents the sender from denying the
action
• Integrity – verifies the message has not been modified

Encrypting Email
• Using only asymmetric encryption (Not common)
– Lisa retrieves a copy of Bart’s certificate that contains his public
key
– Lisa encrypts the email with Bart’s public key
– Lisa sends the encrypted email to Bart
– Bart decrypts the email with his private key

Protecting Email
• S/MIME and PGP/GPG
• Both:
–Use RSA algorithm
–Use public and private keys for encryption and decryption
–Use certificates
–Can digitally sign and encrypt email
–Including email at rest and in transit
–OpenPGP (PGP-based standard)

Transport Encryption
• Protects confidentiality of transmitted data
–SSH, IPsec, HTTPS, SSL, and TLS
–IPsec must use HMAC for authentication and integrity
–IPsec can use either AES or 3DES for encryption
–IPsec’s ESP encrypts the entire packet
–Creates an additional IP header

TLS and SSL
• TLS is the replacement for SSL
–SSL deprecated
–Both require certificates issued by CAs
• TLS used in HTTPS
–HTTPS uses a combination of symmetric and asymmetric
encryption to encrypt HTTPS sessions

Encrypting HTTPS traffic with TLS

Cipher Suites
• Three primary cryptographic solutions
–Encryption
–Authentication
–Integrity
• Examples
–0x00C031. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
–0x00003C. TLS_RSA_WITH_AES_128_CBC_SHA256

Downgrade Attacks
• Exploit weak implementations of cipher suites
• Uses weakest cipher suite available
• Padding Oracle On Downgraded Legacy Encryption (POODLE)
attack
–Downgraded to SSL
–Allowed SSL attacks

Exploring PKI Components
• Public Key Infrastructure
–Includes components required for certificates
–Allows two entities to privately share symmetric keys without
any prior communication
• Certificate Authority (CA)
–Issues, manages, validates, and revokes certificates

Certificate Chaining & Trust Models
• Root certificate
• Trusted root certification authorities

Trusted Models
• Certificate chain
–Root CA
–Intermediate Cas
–Child CAs
–All certificates issued by trusted CAs are trusted
–Errors when a site uses an untrusted certificate
• Most trust models are hierarchical and centralized with a central
root CA
• Web-of-trust
–Self-signed certificates

Revoking Certificates
• Reasons
–Key or CA Compromise Employee Leaves
–Change of Affiliation Superseded
–Cease of Operation Certificate Hold
• Revoked certificates
–Revoked by serial number
–Published in Certificate Revocation List (CRL)
–Publicly available

Certificate Revocation List (CRL)
• Issued in a version 2 certificate

Certificate Revocation List (CRL)

Certificate Types
• Machine/computer
• User
• Email
–Encryption and digital signatures
• Code signing
–Validates authentication of code
• Self-signed
–Not issued by CA

Chapter 10 Summary
• Introducing cryptography concepts
• Providing integrity with hashing
• Providing confidentiality with encryption
• Using cryptographic protocols
• Exploring PKI components

501 ch 10 understanding cryptography and pki

More Related Content

What's hot (18)

Similar to 501 ch 10 understanding cryptography and pki (20)

More from gocybersec (12)

Recently uploaded (20)

501 ch 10 understanding cryptography and pki

Editor's Notes