Exam (elaborations)

SSCP - Cryptography 1.0 (2023/2024) Rated A

Pages
11
Grade
A
Uploaded on
22-09-2023
Written in
2023/2024

Cryptography - science of encrypting data

Cryptanalysis - science of decrypting encrypted data (attackers)

Cryptographic system - system + algorithm to support encryption/decryption

Encryption - converting plaintext into cipher text

Integrity - assurance that data hasn't been modified (use hashing)

Confidentiality - assurance that unauthorised entities can't access data (protected by authentication, access control, encryption)

Escrowed Encryption - Divides private key in two or more parts. Held by different trusted third parties.

Hashing
Create hash by reducing message or file into a message digest (fixed length, can't be reversed)
Will always produce same hash against same data

MD5
128 bit, cryptographically broken

SHA1
160 bit, potential vulnerabilities identified

SHA2
224, 256, 384, 512 bit, improvement over SHA1, but may be cracked in future

Symmetric Encryption
Single key used to encrypt and decrypt
Key should be protected and changed regularly

Block Cipher
Divides plaintext into fixed length sizes, encrypts each block individually

Stream Cipher
Encrypts bits as a stream of data - never reuse the same key
e.g. WEP (RC4 cipher, also used in HTTPS)

AES
Fast, efficient block cipher
Algorithm = Rijndael
128, 192, 256 bit key lengths (longer key - harder to break, but more processor intensive)

DES
56 bit key length, block cipher
No longer used, replaced with AES

3DES
Encrypts in 3 phases with 3 keys
Slower and more processor intensive than AES

Blowfish
Block cipher, Bruce Schneier

IDEA
International Data Encryption Algorithm
128 bit key, used in PGP

RC4
Rivest's Cipher, stream cipher
Used in SSL with HTTPS

Asymmetric Encryption
2 keys (in a pair, what one encrypts the other can decrypt)
Requires a PKI to create, manage, distribute, validate and revoke certificates
Public key is embedded in a certificate - shared freely

RSA
Used for encryption
Large prime numbers used to create keys

Diffie-Hellman
Used for key exchange

Elliptic Curve
Harder to solve, so stronger than prime numbers or logarithms

Asymmetric Encryption Uses
1) Share symmetric key between parties - public key encrypts (SSL)
2) Digitally sign an email - private key encrypts (digital signature)

SSL
Uses asymmetric encryption to share session key
Uses symmetric encryption to encrypt session data

SSL Process
1) User requests HTTPS session
2) Server sends certificate (inc. public key)
3) Client creates session key
4) Client encrypts session key with server's public key
5) Client sends encrypted session key to server
6) Server decrypts session key with its private key
7) HTTPS session encrypted with session key

Digital Signatures
Authentication (proof sender is who they say they are)
Integrity (hash verifies msg hasn't been changed)
Nonrepudiation (sender cannot deny sending it)

Sign Email - Sender
1) Sender creates email
2) Message hashed
3) Hash encrypted with sender's private key (creates digital signature)
4) Email + encrypted hash sent

Sign Email - Recipient
1) Recipient retrieves public key
2) Digital signature decrypted
3) Hash calculated on message
4) Hashes compared

Encrypt Email - Sender
1) Sender's system creates session key
2) Symmetric encryption encrypts email
3) Asymmetric encrypts session key with recipient's public key
4) Encrypted email and encrypted session key sent to recipient

Encrypt Email - Receiver
1) Recipient's system retrieves recipient's public key
2) Recipient's private key decrypts the encrypted session key
3) System decrypts email by using the decrypted session key

Steganography
Hiding data within data, e.g. within picture or streamed data
Modify least significant bit of individual bytes in a file

IPsec
Uses ISAKMP - Security Associations negotiations (SA)
Uses IKE - Negotiate the highest and fastest level of security, e.g. AES if both sides support it
RFC 4301, 4309, 6040
IPv4 - an extension - compatibility problems e.g. NAT
IPv6 - mandates support of IPSec

AH
Authentication and Integrity (no confidentiality - acts as digital signature for the data)
Assures both sides of the identity of the other party
Creates hash to provide integrity - prevents replay

ESP
Confidentiality, Authentication and Integrity
Encrypts packet data

PKI
Includes all components to create, manage, distribute, validate and revoke certificates (based on x.509)

Certificate Purposes
Authentication
Encryption
Protecting email
Code Signing

Certificates - Authentication
Prove identity of users and computers, e.g. in smartcards

Certificates - Encryption
Encrypt a symmetric key so it can be privately shared

Certificates - Protecting email
Encryption and digital signatures

Certificates - Code Signing
Provides authentication of the developer and integrity of the code

Info included in certificate includes
Who it was issued to (website, server etc)
Who issues it (CA)
Validity dates (allows cert to expire)
Serial number (unique identifier)
Public key (private key not included)
Certification path showing chain of trust (cert > CA > Root CA)

What does a CA do?
Issues and manages certificates
May use RA - accepts requests, verifies them and passes them to CA. RA optional. Never issues certificates.

Public CA
Create public/private key
Send public key + other info to CA
CA would create cert and send it back
Use this cert to configure website

Private CA
Issued internally
No additional cost, however not trusted by default

Certificate Trust Chain
Root CA
Intermediate CA
Website
If Root CA is trusted, any certs issued by intermediate CAs in the chain are also trusted

Trusted Root CA
Install Root CA into Trusted Certificate Authorities store
Any cert issued by any CA in this trust chain is automatically trusted (e-commerce sites buy certificates from CAs that are in the trust chain > all customers trust them)

Revoking Certificates
Validity dates (allows cert to expire)
However, may need to revoke before that if private key is compromised
CA maintains list of revoked certs in CRL - published as v2 cert (rather than v3)
Certs include list of CRL distribution points

Certificate Validation process
System examines cert - checks it hasn't expired, checks website name is the same, checks CA is trusted
Then checks it hasn't been revoked via the CRL distribution point

What is OCSP?
Online Certificate Status Protocol
Client identifies serial no of cert > sends that to OCSP responder > OCSP responder checks cert health

Known Plaintext Attack
Attacker has samples of both plaintext and cipher text
Tries to decrypt the cipher text to the known text
Same method can be used to decrypt similar data
Goal - to find key

Chosen Plaintext Attack
Access to some plaintext or can predict plaintext included in the cipher text
Goal - to find key

Cipher Text Attack
Attacker only has cipher text, wants to discover the plaintext
Usually only successful when weak cryptographic methods have been used.
Goal - to find plaintext

Institution
SSCP - Cryptography 1.0
Course
SSCP - Cryptography 1.0









StellarScores Western Governers University