Boyle ccs4 Guide 03
Cryptography
Learning Objectives
By the end of this chapter, you should be able to:
Explain the concept of cryptography.
Describe symmetric key encryption and the importance of key length.
Explain the negotiation stage.
Explain initial authentication, including MS-CHAP.
Describe keying, including public key encryption.
Explain how electronic signatures, including digital signatures, digital certificates,
and key-hashed message authentication codes (HMACs) work.
Describe public key encryption for authentication.
Describe quantum security.
Explain cryptographic systems including VPNs, SSL, and IPsec.
Learning Suggestions
Special Issues
Module A is a review of networking concepts. It focuses on aspects of networking that
are involved in security concerns. Like it or not, IT security requires a strong foundation
in networking knowledge. Even my best students in networking usually need a refresher,
so I always cover Module A before I begin Chapter 3.
The problem some students have learning the material in this chapter is that there
are several concepts that are similar or are used differently in different contexts. This is
particularly true for symmetric key encryption, public key encryption, and hashing. The
following figure shows which of these techniques are used for confidentiality and
authentication. Two are only used for a single purpose. Public key encryption is used for
both confidentiality and authentication but is used differently in each case.
Figure: which techniques are used for Confidentiality and which for Authentication.
A second problem for students is that some topics, such as digital signatures and MS-CHAP authentication, are multi-step processes. Many students struggle to understand these processes, but the effort is worth it because the ability to understand multi-step processes is critical in IT in general.
Flow of Material
The chapter begins with a definition of cryptography: the use of mathematical operations to protect messages traveling between parties or stored on a computer.
It then deals with cryptography for confidentiality. To many people, encryption for confidentiality is synonymous with cryptography, but we will see in this chapter that this is not the case at all. We begin with encryption for confidentiality because most students are familiar with the concept of using encryption so that eavesdroppers or thieves cannot understand messages in transit or in storage.
When even very smart and well-trained people try to create new ciphers (methods for encryption), their communication is soon lunch for cryptanalysts. In practice, specific encryption ciphers are too complex to understand, and IT professionals do not really need to understand them. However, boxed material covers basic differences between transposition and substitution ciphers, and between ciphers and codes.
3-2
Copyright © 2015 Pearson Education, Inc.
Chapter 3: The Elements of Cryptography
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko
The chapter then introduces the central concept of cryptographic systems. Cryptographic protections come packaged in cryptographic systems that provide a broad spectrum of security protections.
Figure: handshaking stages between the Client PC and the Server.
Handshaking Stage 1: Initial Negotiation of Security Parameters
Handshaking Stage 2: Initial Authentication (usually mutual)
Handshaking Stage 3: Keying (secure exchange of keys and other secrets)
The chapter then fleshes out each stage, discussing what each one does and giving
an example or two of how each stage works.
The first step is to negotiate security methods and options to be used during the
communication session. The example is how SSL/TLS uses cipher suites.
Next comes initial authentication, which typically, but not always, is mutual, with each party taking on the role of supplicant and verifier. The example in this section is one-way authentication using MS-CHAP. This standard uses hashing rather than encryption of any type.
The final initial handshaking stage is keying, in which the two parties share secrets in a way that someone intercepting their transmissions cannot learn. This section introduces public key encryption for confidentiality and how it is used in secure keying. The section then discusses Diffie-Hellman keying.
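The three handshaking stages above, run end to end as an added example (not code from the textbook or this guide): cipher-suite negotiation by preference lists, a hashing-only challenge-response for initial authentication (a simplified sketch of the idea, not MS-CHAP's actual message formats), and Diffie-Hellman keying. The suite names, the password handling and the tiny DH prime P = 2^127 - 1 with generator 5 are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Stage 1, negotiation: each side lists the cipher suites it supports in order
# of preference; the server picks the first of its own that the client offers.
def negotiate(client_suites, server_suites):
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None  # no common suite: the handshake fails here

# Stage 2, initial authentication by challenge-response built only from hashing
# (simplified sketch, not MS-CHAP's real formats): the verifier sends a random
# challenge, the supplicant returns hash(challenge || password), the verifier
# recomputes it from its stored copy. The password never crosses the wire.
def challenge() -> bytes:
    return secrets.token_bytes(16)

def response(password: bytes, chal: bytes) -> bytes:
    return hashlib.sha256(chal + password).digest()

def verify_response(stored_password: bytes, chal: bytes, resp: bytes) -> bool:
    return hmac.compare_digest(response(stored_password, chal), resp)

# Stage 3, keying by Diffie-Hellman: each side transmits only g^x mod p, and
# both derive the same secret, which is never sent. Toy parameters (constructed).
P = 2**127 - 1  # a Mersenne prime; far too small for real use
G = 5

def dh_public(private: int) -> int:
    return pow(G, private, P)

def dh_shared(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)

def handshake(client_suites, server_suites, password, stored_password):
    """Run the three stages; return (suite, session_key) or None on failure."""
    suite = negotiate(client_suites, server_suites)
    if suite is None:
        return None
    chal = challenge()                              # server -> client
    if not verify_response(stored_password, chal, response(password, chal)):
        return None                                 # client -> server, rejected
    a = secrets.randbelow(P - 2) + 2                # client's DH private value
    b = secrets.randbelow(P - 2) + 2                # server's DH private value
    client_secret = dh_shared(a, dh_public(b))      # client uses server's g^b
    server_secret = dh_shared(b, dh_public(a))      # server uses client's g^a
    assert client_secret == server_secret           # both sides now agree
    session_key = hashlib.sha256(client_secret.to_bytes(16, "big")).digest()
    return suite, session_key
```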
In ongoing communication, every message is given an electronic signature so that an impostor cannot transmit a message claiming that the message comes from another party. This section covers two types of electronic signatures—digital signatures using public key encryption for confidentiality, and key-hashed message authentication codes.
Public key encryption has now been seen in two contexts—confidentiality and authentication. It is used very differently for these two purposes.
Public Key Encryption for Confidentiality: encrypt with the receiver’s public key; decrypt with the receiver’s private key.
Public Key Encryption for Authentication: encrypt with the sender’s private key; decrypt with the true party’s public key (not the sender’s public key).
Figure: a digital signature (DS) is sent along with the plaintext.
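An added example (not from the textbook or this guide) that walks through both rows of the table above and both electronic signatures from the ongoing-communication section: a toy textbook RSA shows which key each side uses for confidentiality versus for a digital signature, and Python's hmac module shows the key-hashed message authentication code. The parties Alice (sender), Bob (receiver) and Mallory (impostor), their fixed Mersenne primes and the session-key message are constructed for the demonstration.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by all toy key pairs

def make_keypair(p, q):
    """Toy textbook RSA from two fixed primes: (public, private) as (exp, n)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)

def rsa_apply(key, value):
    exp, n = key
    return pow(value, exp, n)

# Confidentiality: encrypt with the RECEIVER's public key, decrypt with the
# receiver's private key (e.g. a session key sent during the keying stage).
def encrypt_for(receiver_public, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    assert m < receiver_public[1], "block must be smaller than the modulus"
    return rsa_apply(receiver_public, m)

def decrypt_with(receiver_private, ciphertext: int) -> bytes:
    m = rsa_apply(receiver_private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Authentication (digital signature): the sender encrypts a hash of the message
# with the SENDER's private key; the verifier decrypts it with the public key of
# the party the sender claims to be and compares it with its own hash.
def sign(sender_private, message: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(sender_private, h % sender_private[1])

def verify(true_party_public, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(true_party_public, signature) == h % true_party_public[1]

# HMAC: the other electronic signature; both sides hold the same secret key and
# only hashing is involved, so there is no key pair to look up in a certificate.
def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def hmac_check(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)

# Constructed parties, keyed from Mersenne primes so the run is deterministic;
# unpadded RSA at this size is for illustration only.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)        # sender
BOB_PUB, BOB_PRIV = make_keypair(2**31 - 1, 2**127 - 1)           # receiver
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**521 - 1)  # impostor
```

Verifying Alice's signature with Mallory's public key fails, which is the table's point that the verifier must use the true party's public key, obtained from a digital certificate, rather than whatever key the sender supplies.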
The section on digital signatures introduces the need for digital certificates as
ways of getting the public key of the “true party”—the party the sender claims to
be. This public key is used to test the computation of the sender.
Quantum security, which is based on quantum physics, involves two very different things. Quantum key distribution allows for ultra-secure keying with enormously long keys. In contrast, quantum key cracking allows cryptanalysts to break most existing keys very quickly. The former aids security, while the latter threatens it.
This chapter concludes with a discussion of SSL/TLS and IPsec.