Chapter 3

Cryptography

Student Study Guide

Learning Objectives
By the end of this chapter, you should be able to:
 Explain the concept of cryptography.
 Describe symmetric key encryption and the importance of key length.
 Explain the negotiation stage.
 Explain initial authentication, including MS-CHAP.
 Describe keying, including public key encryption.
 Explain how electronic signatures, including digital signatures, digital certificates,
and key-hashed message authentication codes (HMACs) work.
 Describe public key encryption for authentication.
 Describe quantum security.
 Explain cryptographic systems including VPNs, SSL, and IPsec.

Learning Suggestions

Special Issues
Module A is a review of networking concepts. It focuses on aspects of networking that
are involved in security concerns. Like it or not, IT security requires a strong foundation
in networking knowledge. Even my best students in networking usually need a refresher,
so I always cover Module A before I begin Chapter 3.
Copyright © 2015 Pearson Education, Inc.

Chapter 3: The Elements of Cryptography
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko

The problem some students have learning the material in this chapter is that there are several concepts that are similar or are used differently in different contexts. This is particularly true for symmetric key encryption, public key encryption, and hashing. The following figure shows which of these techniques are used for confidentiality and authentication. Two are only used for a single purpose. Public key encryption is used for both confidentiality and authentication but is used differently in each case.

[Figure: Which technique is used for confidentiality and which for authentication]

Symmetric Key Encryption
Confidentiality: Applicable. Sender encrypts with key shared with the receiver.
Authentication: Not applicable.

Public Key Encryption
Confidentiality: Applicable. Sender encrypts with receiver’s public key. Receiver decrypts with the receiver’s own private key.
Authentication: Applicable. Sender (supplicant) encrypts with own private key. Receiver (verifier) decrypts with the public key of the true party, usually obtained from the true party’s digital certificate.

Hashing
Confidentiality: Not applicable.
Authentication: Applicable. Used in MS-CHAP for initial authentication and in HMACs for message-by-message authentication.

A second problem for students is that some topics, such as digital signatures and MS-
CHAP authentication, are multi-step processes. Many students struggle to understand
these processes, but the effort is worth it because the ability to understand multi-step
processes is critical in IT in general.

Role in the Book


Chapter 2 began the discussion of the plan-protect-respond cycle that governs IT security
management, concentrating on the planning phase in particular. Chapters 3 through 9 deal
with the protection phase, which takes up the most time in IT security planning.
Once, “crypto” was synonymous with security. This is no longer the case, but
cryptographic protections are still extremely important. We begin the discussion of
protections in Chapter 3 with cryptography because cryptography is used in many IT
security protections.

Flow of Material
 The chapter begins with a definition of cryptography: the use of mathematical operations to protect messages traveling between parties or stored on a computer.
 It then deals with cryptography for confidentiality. To many people, encryption for confidentiality is synonymous with cryptography, but we will see in this chapter that this is not the case at all. We begin with encryption for confidentiality because most students are familiar with the concept of using encryption so that eavesdroppers or thieves cannot understand messages in transit or in storage.
 When even very smart and well-trained people try to create new ciphers (methods for encryption), their communication is soon lunch for cryptanalysts. In practice, specific encryption ciphers are too complex to understand, and IT professionals do not really need to understand them. However, boxed material covers basic differences between transposition and substitution ciphers, and between ciphers and codes.
 The chapter then introduces the central concept of cryptographic systems. Cryptographic protections come packaged in cryptographic systems that provide a broad spectrum of security protections.

[Figure: Stages of a cryptographic system, between a Client PC and a Server]
Handshaking Stage 1: Initial negotiation of security parameters.
Handshaking Stage 2: Initial authentication (usually mutual).
Handshaking Stage 3: Keying (secure exchange of keys and other secrets).
Ongoing Communication Stage (time runs downward): message-by-message confidentiality, authentication, and message integrity. Each message carries the plaintext plus an electronic signature (authentication, integrity), and the whole is encrypted for confidentiality.

 The chapter then fleshes out each stage, discussing what each one does and giving an example or two of how each stage works.
 The first step is to negotiate security methods and options to be used during the communication session. The example is how SSL/TLS uses cipher suites.
 Next comes initial authentication, which typically, but not always, is mutual, with each party taking on the role of supplicant and verifier. The example in this section is one-way authentication using MS-CHAP. This standard uses hashing rather than encryption of any type.
 The final initial handshaking stage is keying, in which the two parties share secrets in a way that someone intercepting their transmissions cannot learn. This section introduces public key encryption for confidentiality and how it is used in secure keying. The section then discusses Diffie-Hellman keying.
 In ongoing communication, every message is given an electronic signature so that an impostor cannot transmit a message claiming that the message comes from another party. This section covers two types of electronic signatures—digital signatures using public key encryption for confidentiality, and key-hashed message authentication codes.
 Public key encryption has now been seen in two contexts—confidentiality and authentication. It is used very differently for these two purposes.


[Figure: How public key encryption is used for each goal]
Public Key Encryption for Confidentiality: the sender encrypts with the receiver’s public key; the receiver decrypts with the receiver’s private key.
Public Key Encryption for Authentication: the sender encrypts with the sender’s private key; the receiver decrypts with the true party’s public key (not the sender’s public key).

 Digital signatures and key-hashed message authentication codes (HMACs) are fairly complex multi-step processes, as the figure illustrating digital signatures below suggests.

[Figure: Digital signatures]
To create the digital signature (sender):
1. Hash the plaintext to create a brief message digest (MD); this is NOT the digital signature.
2. Sign (encrypt) the message digest with the sender’s private key to create the digital signature (DS). Goal: to show that the supplicant knows the True Party’s private key.
3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption.
To test the digital signature (receiver):
4. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
5. Decrypt the digital signature with the True Party’s public key. This also will give the message digest if the sender has the True Party’s private key.
6. If the two message digests match (“Are they equal?”), the message is authenticated.


 The section on digital signatures introduces the need for digital certificates as ways of getting the public key of the “true party”—the party the sender claims to be. This public key is used to test the computation of the sender.
 Quantum security, which is based on quantum physics, involves two very different things. Quantum key distribution allows for ultra-secure keying with enormously long keys. In contrast, quantum key cracking allows cryptanalysts to break most existing keys very quickly. The former aids security, while the latter threatens it.
 This chapter concludes with a discussion of SSL/TLS and IPsec.

Learning Aids in the Book


The book has a number of features that can help you learn the material.
 Bite-Sized Sections. The chapters are divided into small sections with headings.
Teachers tend to hate it, but students usually like it. It allows you to learn
individual chunks of information and orients you to where you are in longer
discussions.
 Test Your Understanding Questions. After each section or subsection, there are
Test Your Understanding questions. As the name suggests, these questions are
designed to let you know if you understand the material you have just read.
Making sure you can answer these questions is an excellent way to prepare for
this course’s exams.
 Definitions. Important or difficult ideas are often set off in smaller type with a
rule line before and after. Be absolutely sure you know these concepts, and study
them before exams.
 Figures. The figures cover nearly all of the important concepts in the book and
illustrate their interrelationships. If you already know the material fairly well, the
figures are a great way to see how the topics fit together. If you can explain the
figures, you probably have a good working knowledge of the chapter.
 End of Chapter Questions. The questions at the end of each chapter are designed
to help you integrate what you have learned. If you answer them correctly, you
will have real “ah ha” moments.
 Hands-On Projects. The applied projects at the end of each chapter are designed
to give you hands-on experience with IT security software related to the chapter
material. Your retention, comprehension, and overall learning will be reinforced
by actually doing a project based on the material you are trying to learn.
 Case Study. At the end of each chapter, you will find a business case. Each case
looks at the business impacts of the topics presented in the chapter. Included with
each case study is a related industry report that provides updated information
about recent trends in the IT security industry.


Studying the Material


The following are a few problems you may face with the material in this and other
chapters.
 There is a great deal of material to master. Mastering it will take much time and
effort—you can’t just skim the text to look for “the important concepts.” The
most successful students read a section carefully, then stop to do the Test Your
Understanding questions after the section. If they have any doubt, they go back
over the material. Doing this will help you truly master the concepts, which
subsequent material in the chapter will probably require.
 Some of the material is abstract. The problem with abstract material is that some
students have a harder time understanding it. The solution, as painful as it may
seem, is to go over the individual concepts several times (hours or days apart, if
possible) until you completely and clearly understand them. Things will gradually
become clearer as your brain develops a framework. Thinking of examples also
helps.
 Some material, such as the creation of digital signatures in Chapter 3, involves a
series of steps. Many students have a difficult time with this material. Their eyes
glaze over after one or two steps. Again, the key is to go over it multiple times.
Learn the details of each step and then focus on the overview of how the pieces fit
together into a process. Repeat until you have a solid understanding and can
explain it to someone else.
 The Thought Questions at the end of each chapter require you to understand,
integrate, and apply the concepts that you learned in the chapter. Even if you have
a solid understanding, the Thought Questions will require you to put things
together. Don’t give up if it doesn’t come to you right away. Write down what
you know from the question, what you need to find out, and what you learned in
the chapter. If this seems complicated, it is. It is also what you will be doing for
the rest of your life.
 In troubleshooting questions, don’t try to find the answer immediately. Come up
with a list of possible causes and try to eliminate as many of them as you can by
logic. Then figure out how to test the rest. Successful troubleshooters make sure
they understand the situation and list many alternatives before they begin to
explore one approach to solving the problem. Inexperienced troubleshooters go
down one dead-end road after another and take far longer.
 Much of the material consists of comparing and contrasting concepts that are
similar but also different. Learning to master such material is critical in IT work.
IT people in all job specialties have to choose between several ways to implement
a solution, but they cannot begin to understand problems without understanding
similarities and differences between possible attacks. The best way to understand
similar but dissimilar concepts is to create boxes comparing and contrasting them.
The book has done some of this for you, but don’t try to just memorize things: try
to really understand them.
