10. Exam Essentials for PKI and Cryptographic Applications

Asymmetric key cryptography is another way of saying public key encryption.

Understand the key types used in asymmetric cryptography: public keys are freely shared whereas private keys are kept secret. to encrypt a message, the use the recipient’s public key. To decrypt a message, use your own private key.
To sign a message, use your own private key. to validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems: RSA (which depends upon the difficulty of factoring the product of prime numbers), El Gamal (an extension of the Diffie-Hellman key exchange algorithm that depends upon modular arithmetic), the Elliptic Curve Algorithm (depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length).

A good hash function has the following fundamentals:
They must allow input of any length
Provide a fixed-length output
Make it relatively easy to compute the hash function for any input
Provide one-way functionality
Be collision free

Major hashing algorithms:
SHA
SHA-1 (160-bit message digest)
SHA-2 (variable lengths up to 512 bits)

Digital signatures are generated and verified, first using a hashing function to generate a message digest, then encrypt the digest with your private key. to verify the digital signature on a message, decrypt the signature with the sender’s public key and then compare the message digest to the one you generate yourself, if they match, its authentic.

know the components of the Digital Signature Standard (DSS).
DSS uses the SHA-1 message digest function along with one of three encryption algorithms: DSA, RSA or ECDSA
(Digital Signature Algorithm, Rivest, Shamir Adleman, Elliptic Curve DSA)

Understand the PKI.
In the pki, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients certify a certificate using the CA’s public key.

Common applications of cryptography to secure email are: s/mime protocol, another popular security tool is Phil Zimmerman’s PGP.

Common applications of cryptography to secure web activity: The de facto standard for secure web traffic is the HTTP over TLS or the older SSL.

Common applications of cryptography to secure networking: IPSec protocol standard provides a common framework for encrypting network traffic and is built in to a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication, in tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode of tunnel mode, for direct communication between computers or to setup a VPN between networks. IPSec uses two protocols: AH (authentication header) and ESP (encapsulating security payload).

Common cryptographic attacks:
Brute-Force: or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Known plain-text: the attacker has samples of both the plaintext (called a crib), and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and code books. The term “crib” originated at Bletchley Park, the British World War II decryption operation.[1][2]

Chosen ciphertext: the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

Chosen plain-text: the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme’s secret key.

Meet-in-the-middle: a generic attack, applicable on several cryptographic systems. The internal structure of a specific system is therefore negligible to this attack. It is possible though to combine it with other kinds of attack as has been done.
Naturally it requires the ability to encrypt and decrypt, and the possession of pairs of plaintexts and corresponding ciphertexts.
When trying to improve the security of a block cipher, a tempting idea is to simply use several independent keys to encrypt the data several times using a sequence of functions (encryptions). Then one might think that this doubles or even n-tuples the security of the multiple-encryption scheme, depending on the number of encryptions the data must go through.
The Meet-in-the-Middle attack attempts to find a value using both of the range (ciphertext) and domain (plaintext) of the composition of several functions (or block ciphers) such that the forward mapping through the first functions is the same as the backward mapping (inverse image) through the last functions, quite literally meeting in the middle of the composed function.

Man-in-the-middle: a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Birthday: Exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes), as described in the birthday problem/paradox.

Replay: network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

This entry was posted in CISSP-Study and tagged , , . Bookmark the permalink.