0% found this document useful (0 votes)
48 views13 pages

Chapter 8

Uploaded by

Gem Ian Lipardo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
48 views13 pages

Chapter 8

Uploaded by

Gem Ian Lipardo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 13

CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

CHAPTER 8

CRYPTOGRAPHY

At the end of the chapter, the learners should be able to:

1. Chronicle the most significant events and discoveries in the history of cryptology
2. Explain the basic principles of cryptography
3. Describe the operating principles of the most popular cryptographic tools
4. List and explicate the major protocols used for secure communications
5. Discuss the nature and execution of the dominant methods of attack used against
cryptosystems

Total Learning Time: Week 12 (3 hours)


Introduction

Key Terms:

Cryptanalysis. The process of obtaining the plaintext message from a ciphertext message
without knowing the keys used to perform the encryption.
Cryptography. The process of making and using codes to secure the transmission of
information.
Cryptology. The science of encryption, which encompasses cryptography and cryptanalysis.

The science of cryptography is not as enigmatic as you might think. A variety of cryptographic
techniques are used regularly in everyday life. For example, open your newspaper to the entertainment
section and you’ll find the daily cryptogram, a word puzzle that involves unscrambling letters to find
a hidden message. Also, although it is a dying art, many secretaries still use shorthand, or stenography,
an abbreviated, symbolic writing method, to take rapid dictation. A form of cryptography is used even
in knitting patterns, where directions are written in a coded form in patterns such as K1P1 (knit 1, purl
1) that only an initiate can understand. These examples illustrate one important application of
cryptography—the efficient and rapid transmittal of information—but cryptography also protects and
verifies data transmitted via information systems.

The science of encryption, known as cryptology, encompasses cryptography and cryptanalysis.


Cryptography comes from the Greek words kryptos, meaning “hidden,” and graphein, meaning “to
write,” and involves making and using codes to secure messages. Cryptanalysis involves cracking or
breaking encrypted messages back into their unencrypted origins. Cryptography uses mathematical
algorithms that are usually known to all. After all, it’s not the knowledge of the algorithm that protects
the encrypted message, it’s the knowledge of the key—a series of characters or bits injected into the
algorithm along with the original message to create the encrypted message. An individual or system
usually encrypts a plaintext message
into ciphertext, making it unreadable to unauthorized people—those without the key needed to decrypt
the message back into plaintext, where it can be read and understood.

Ms. Olga Llanera Course Facilitator Page | 1


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

Foundations of Cryptography

The History of Cryptography

Ms. Olga Llanera Course Facilitator Page | 2


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

Terminology

To understand the fundamentals of cryptography, you must know the meanings of the following
terms:
● Algorithm: The steps used to convert an unencrypted message into an encrypted sequence of
bits that represent the message; sometimes refers to the programs that enable the cryptographic
processes.

● Bit stream cipher: An encryption method that involves converting plaintext to ciphertext one
bit at a time.

● Block cipher: An encryption method that involves dividing the plaintext into blocks or sets of
bits and then converting the plaintext to ciphertext one block at a time.

● Cipher or cryptosystem: An encryption method or process encompassing the algorithm, key(s)


or cryptovariable(s), and procedures used to perform encryption and decryption.

● Ciphertext or cryptogram: The encoded message resulting from an encryption.

● Code: The process of converting components (words or phrases) of an unencrypted message


into encrypted components.

● Decipher: To decrypt, decode, or convert ciphertext into the equivalent plaintext.

● Decrypt: See Decipher.

● Encipher: To encrypt, encode, or convert plaintext into the equivalent ciphertext.

● Encrypt: See Encipher.

● Key or cryptovariable: The information used in conjunction with an algorithm to create the
ciphertext from the plaintext or derive the plaintext from the ciphertext. The key can be a series
of bits used by a computer program, or it can be a passphrase used by people that is then converted
into a series of bits used by a computer program.

● Keyspace: The entire range of values that can be used to construct an individual key.

● Link encryption: A series of encryptions and decryptions between a number of systems,


wherein each system in a network decrypts the message sent to it and then reencrypts the message

Ms. Olga Llanera Course Facilitator Page | 3


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

using different keys and sends it to the next neighbor. This process continues until the message
reaches the final destination.

● Plaintext or cleartext: The original unencrypted message, or a message that has been
successfully decrypted.

● Steganography: The hiding of messages—for example, within the digital encoding of a picture
or graphic.

● Work factor: The amount of effort (usually in hours) required to perform cryptanalysis to
decode an encrypted message when the key, the algorithm, or both are unknown.

Cipher Methods
There are two methods of encrypting plaintext: the bit stream method or the block cipher method.
In the bit stream method, each bit in the plaintext is transformed into a cipher bit one bit at a time. In
the block cipher method, the message is divided into blocks—for example, sets of 8-, 16-, 32-, or 64-
bit blocks—and then each block of plaintext bits is transformed into an encrypted block of cipher bits
using an algorithm and a key. Bit stream methods commonly use algorithm functions like the exclusive
OR operation (XOR), whereas block methods can use substitution, transposition, XOR, or some
combination of these operations, as described in the following sections. Note that most computer-based
encryption methods operate on data at the level of its binary digits (bits), while others operate at the
byte or character level.

Substitution Cipher

A substitution cipher exchanges one value for another—for example, it might exchange a letter
in the alphabet with the letter three values to the right, or it might substitute one bit for another bit four
places to its left. A three-character substitution to the right results in the following transformation of
the standard English alphabet.

Initial alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ yields


Encryption alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC

Within this substitution scheme, the plaintext MOM would be encrypted into the ciphertext
PRP. This is a simple enough method by itself, but it becomes very powerful if combined with other
operations. The previous example of substitution is based on a single alphabet and thus is known as a
monoalphabetic substitution. More advanced substitution ciphers use two or more alphabets, and are
referred to as polyalphabetic substitutions.
To extend the previous example, consider the following block of text:

Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Substitution cipher 1: DEFGHIJKLMNOPQRSTUVWXYZABC
Substitution cipher 2: GHIJKLMNOPQRSTUVWXYZABCDEF
Substitution cipher 3: JKLMNOPQRSTUVWXYZABCDEFGHI
Substitution cipher 4: MNOPQRSTUVWXYZABCDEFGHIJKL

The first row here is the plaintext, and the next four rows are four sets of substitution ciphers,
which taken together constitute a single polyalphabetic substitution cipher. To encode the word TEXT
with this cipher, you substitute a letter from the second row for the first letter in TEXT, a letter from
the third row for the second letter, and so on—a process that yields the ciphertext WKGF. Note how
the plaintext letter T is transformed into a W or an F, depending on its order of appearance in the
plaintext. Complexities like these make this type of encryption substantially more difficult to decipher

Ms. Olga Llanera Course Facilitator Page | 4


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

when one doesn’t have the algorithm (in this case, the rows of ciphers) and the key, which is the
substitution method. A logical extension to this process is to randomize the cipher rows completely in
order to create a more complex operation.

In addition to ciphers, another important encryption technique that is often incorporated into
cryptosystems is the hash function. Hash functions are mathematical algorithms used to confirm the
identity of a specific message and confirm that the content has not been changed. While they do not
create ciphertext, hash functions confirm message identity and integrity, both of which are critical
functions in e-commerce.
Hash algorithms are used to create a hash value, also known as a message digest, by converting
variable-length messages into a single fixed-length value. The message digest is a fingerprint of the
author’s message that is compared with the recipient’s locally calculated hash of the same message. If
both hashes are identical after transmission, the message has arrived without modification. Hash
functions are considered one-way operations in that the same message always provides the same hash
value, but the hash value itself cannot be used to determine the contents of the message.

Hashing functions do not require the use of keys, but it is possible to attach a message
authentication code (MAC) to allow only specific recipients to access the message digest. Because hash
functions are one-way, they are used in password verification systems to confirm the identity of the
user. In such systems, the hash value, or message digest, is calculated based on the originally issued
password, and this message digest is stored for later comparison. When the user logs on for the next
session, the system calculates a hash value based on the user’s password input, and this value is
compared against the stored value to confirm identity.

Cryptographic Algorithms
Cryptographic algorithms are often grouped into two broad categories—symmetric and
asymmetric—but in practice, today’s popular cryptosystems use a combination of both algorithms.
Symmetric and asymmetric algorithms are distinguished by the types of keys they use for encryption
and decryption operations.

Symmetric Encryption
Encryption methodologies that require the same secret key to encipher and decipher the message are
performing private-key encryption or symmetric encryption. Symmetric encryption methods use
mathematical operations that can be programmed into extremely fast computing algorithms so that
encryption and decryption are executed quickly, even by small computers.

One of the challenges is that both the sender and the recipient must have the secret key. Also, if either
copy of the key falls into the wrong hands, messages can be decrypted by others and the sender and
intended receiver may not know a message
was intercepted. The primary challenge of symmetric key encryption is getting the key to the receiver,
a process that must be conducted out of band to avoid interception. In other words, the process must
use a channel or band other than the one carrying the ciphertext. There are a number of popular
symmetric encryption cryptosystems. One of the most widely known is the Data Encryption Standard
(DES); it was developed by IBM and is based on the company’s Lucifer algorithm, which uses a key
length of 128 bits. As implemented, DES uses a 64-bit block size and a 56-bit key. DES was adopted
by NIST in 1976 as a federal standard for encryption of nonclassified information, after which it
became widely employed in commercial applications.

Asymmetric Encryption

Ms. Olga Llanera Course Facilitator Page | 5


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

asymmetric encryption. An encryption method that incorporates mathematical operations involving


both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt
a message, but then the other key is required to decrypt it.

While symmetric encryption systems use a single key both to encrypt and decrypt a message,
asymmetric encryption uses two different but related keys. Either key can be used to encrypt or decrypt
the message. However, if key A is used to encrypt the message, only key B can decrypt it; if key B is
used to encrypt a message, only key A can decrypt it. Asymmetric encryption can be used to provide
elegant solutions to problems of secrecy and verification. This technique has its greatest value when
one key is used as a private key, which means it is kept secret (much like the key in symmetric
encryption) and is known only to the owner of the key pair. The other key serves as a public key, which
means it is stored in a public location where anyone can use it. For this reason, the more common name
for asymmetric encryption is public-key encryption.

Asymmetric algorithms are one-way functions, meaning they are simple to compute in one
direction, but complex to compute in the opposite direction. This is the foundation of public-key
encryption. It is based on a hash value, which is calculated from an input number using a hashing
algorithm, as you learned earlier in this chapter. This hash value is essentially a summary of the original
input values. It is virtually impossible to derive the original values without knowing how they were
used to create the hash value.

Encryption Key Size

When deploying ciphers, it is important for users to decide on the size of the cryptovariable or
key, because the strength of many encryption applications and cryptosystems is measured by key size.
How exactly does key size affect the strength of an algorithm? Typically, the length of the key increases
the number of random guesses that have to be made in order to break the code. Creating a larger
universe of possibilities increases the time required to make guesses, and thus a longer key directly
influences the strength of the encryption.

It may surprise you to learn that when it comes to cryptosystems, the security of encrypted data
is not dependent on keeping the encrypting algorithm secret. In fact, algorithms should be published
and often are, to enable research to uncover their weaknesses. The security of any cryptosystem
depends on keeping some or all elements of the cryptovariable(s) or key(s) secret, and effective security
is maintained by manipulating the size (bit length) of the keys and following proper procedures and
policies for key management.

Cryptographic Tools
The ability to conceal the contents of sensitive messages and verify the contents of messages
and the identities of their senders can be important in all areas of business. To be useful, these
cryptographic capabilities must be embodied in tools that allow IT and information security
practitioners to apply the elements of cryptography in the everyday world of computing.

This section covers some of the widely used tools that bring the functions of cryptography to the world
of information systems.

1. Public Key Infrastructure (PKI)


certificate authority (CA). In PKI, a third party that manages users’ digital certificates.
certificate revocation list (CRL). In PKI, a published list of revoked or terminated digital certificates.
digital certificates. Public-key container files that allow PKI system components and end users to
validate a public key and identify its owner.

Ms. Olga Llanera Course Facilitator Page | 6


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

public key infrastructure (PKI). An integrated system of software, encryption methodologies,


protocols, legal agreements, and third-party services that enables users to communicate securely
through the use of digital certificates.
registration authority (RA) In PKI, a third party that operates under the trusted collaboration of the
certificate authority and handles day-to-day certification functions.

Public key infrastructure (PKI) systems are based on public-key cryptosystems and include digital
certificates and certificate authorities (CAs). Digital certificates allow the PKI components and their
users to validate keys and identify key owners. (Digital certificates are explained in more detail later
in this chapter.) PKI systems and their digital certificate registries enable the protection of information
assets by making verifiable digital certificates readily available to business applications. This, in turn,
allows the applications to implement several key characteristics of information security and integrate
these characteristics into the following business processes across an organization:

● Authentication: Individuals, organizations, and Web servers can validate the identity of each
party in an Internet transaction.

● Integrity: Content signed by the certificate is known not to have been altered while in transit
from host to host or server to client.

● Privacy: Information is protected from being intercepted during transmission.

● Authorization: The validated identity of users and programs can enable authorization rules that
remain in place for the duration of a transaction; this reduces overhead and allows for more control
of access privileges for specific transactions.

● Nonrepudiation: Customers or partners can be held accountable for transactions, such as online
purchases, which they cannot later dispute.

A typical PKI solution protects the transmission and reception of secure information by integrating
the following components:

● A certificate authority (CA), which issues, manages, authenticates, signs, and revokes users’
digital certificates. These certificates typically contain the user name, public key, and other
identifying information.

● A registration authority (RA), which handles certification functions such as verifying


registration information, generating end-user keys, revoking certificates, and validating user
certificates, in collaboration with the CA.

● Certificate directories, which are central locations for certificate storage that provide a single
access point for administration and distribution.

● Management protocols, which organize and manage communications among CAs, RAs, and end
users. This includes the functions and procedures for setting up new users, issuing keys, recovering
keys, updating keys, revoking keys, and enabling the transfer of certificates and status information
among the parties involved in the PKI’s area of authority.

● Policies and procedures, which assist an organization in the application and management of
certificates, in the formalization of legal liabilities and limitations, and in actual business use.

Common implementations of PKI include systems that issue digital certificates to users and
servers, directory enrollment, key issuing systems, tools for managing key issuance, and verification
and return of certificates. These systems enable organizations to apply an enterprisewide solution that

Ms. Olga Llanera Course Facilitator Page | 7


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

allows users within the PKI’s area of uthority to engage in authenticated and secure communications
and transactions.

The CA performs many housekeeping activities regarding the use of keys and certificates that are issued
and used in its zone of authority. Each user authenticates himself or herself withthe CA. The CA can
issue new or replacement keys, track issued keys, provide a directory of public-key values for all known
users, and perform other management activities. When a private
key is compromised or the user loses the privilege of using keys in the area of authority, the CA can
revoke the user’s keys. The CA periodically distributes a certificate revocation list (CRL) to all users.
When important events occur, specific applications can make a real-time request to the CA to verify
any user against the current CRL.

The issuance of certificates and their keys by the CA enables secure, encrypted, nonrepudiable
e-business transactions. Some applications allow users to generate their own certificates and keys, but
a key pair generated by the end user can only provide nonrepudiation, not reliable encryption. A central
system operated by a CA or RA can generate cryptographically strong keys that are considered
independently trustworthy by all users, and can provide services for users such as private-key backup,
key recovery, and key revocation.

The strength of a cryptosystem relies on both the raw strength of its key’s complexity and the
overall quality of its key management security. PKI solutions can provide several mechanisms for
limiting access and possible exposure of the private keys. These mechanisms include password
protection, smart cards, hardware tokens, and other hardware-based key storage devices that are
memory-capable, like flash memory or PC memory cards. PKI users should select the key security
mechanisms that provide an appropriate level of key protection for their needs. Managing the security
and integrity of the private keys used for nonrepudiation or the encryption of data files is critical to
successfully using the encryption and nonrepudiation services within the PKI’s area of trust.

2. Digital Signatures
Digital Signature Standard (DSS). The NIST standard for digital signature algorithm usage by
federal information systems. DSS is based on a variant of the ElGamal signature scheme.

digital signatures. Encrypted message components that can be mathematically proven as authentic.

Nonrepudiation. The process of reversing public-key encryption to verify that a message was sent
by the sender and thus cannot be refuted.

Digital signatures were created in response to the rising need to verify information transferred
via electronic systems. Asymmetric encryption processes are used to create digital signatures. When
an asymmetric cryptographic process uses the sender’s private key to encrypt a message, the sender’s
public key must be used to decrypt the message. When the decryption is successful, the process verifies
that the message was sent by the sender and thus cannot be refuted. This process is known as
nonrepudiation, and is the principle of cryptography that underpins the authentication mechanism
collectively known as a digital signature. Digital signatures, therefore, are encrypted messages that can
be mathematically proven as authentic.

3. Digital Certificates

A digital certificate is an electronic document or container file that contains a key value and
identifying information about the entity that controls the key. The certificate is often issued and
certified by a third party, usually a certificate authority. A digital signature attached to the certificate’s

Ms. Olga Llanera Course Facilitator Page | 8


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

container file certifies the file’s origin and integrity. This verification process often occurs when you
download or update software via the Internet.

Unlike digital signatures, which help authenticate the origin of a message, digital certificates
authenticate the cryptographic key that is embedded in the certificate. When used properly, these
certificates enable diligent users to verify the authenticity of any organization’s certificates.

This process is much like what happens when the Federal Deposit Insurance Corporation
(FDIC) issues its logo to assure customers that a bank is authentic. Different client-server applications
use different types of digital certificates to accomplish their assigned functions, as follows:
● The CA application suite issues and uses certificates (keys) that identify and establish a trust
relationship with a CA to determine what additional certificates can be authenticated.
● Mail applications use Secure/Multipurpose Internet Mail Extension (S/MIME) certificates for
signing and encrypting e-mail as well as for signing forms.
● Development applications use object-signing certificates to identify signers of object-oriented
code and scripts.
● Web servers and Web application servers use Secure Sockets Layer (SSL) certificates to
authenticate servers via the SSL protocol in order to establish an encrypted SSL session.
● Web clients use client SSL certificates to authenticate users, sign forms, and participate
in single sign-on solutions via SSL.

4. Hybrid Cryptography Systems

Diffie-Hellman key exchange. A hybrid cryptosystem that facilitates exchanging private keys using
public-key encryption.

session keys. Limited-use symmetric keys for temporary communications during an online session.

Except in digital certificates, asymmetric key encryption in its pure form is not widely used.
However, it is often used in conjunction with symmetric key encryption—in other words, as part of a
hybrid encryption system. The most common hybrid system is based on the Diffie-Hellman key
exchange, which uses asymmetric encryption to exchange session keys. These are limited-use
symmetric keys that allow two entities to conduct quick, efficient, secure communications based on
symmetric encryption, which is more efficient than asymmetric encryption for sending messages.
Diffie-Hellman provides the foundation for subsequent developments in public-key encryption. It
protects data from exposure to third parties, which is sometimes a problem when keys are exchanged
out of band.

5. Stenography

The word steganography—the art of secret writing—is derived from the Greek words steganos,
meaning “covered,” and graphein, meaning “to write.” The Greek historian Herodotus described one
of the first steganographers, a fellow Greek who warned of an imminent invasion by writing a message
on the wood beneath a wax writing tablet.8 While steganography is technically not a form of
cryptography, it is another way of protecting the confidentiality of information in transit. The most
popular modern version of steganography involves hiding information within files that contain digital
pictures or other images.

Protocols for Secure Communications


1. Securing Internet Communication with S-HTTP and SSL

Ms. Olga Llanera Course Facilitator Page | 9


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

S-HTTP (Secure Hypertext Transfer Protocol) and SSL are two protocols designed to enable
secure network communications across the Internet. S-HTTP and SSL ensure Internet security via
different mechanisms and can be used independently or together.
Netscape developed the Secure Sockets Layer (SSL) protocol to use public-key encryption to
secure a channel over the Internet, thus enabling secure communications. Most popular browsers,
including Internet Explorer, use SSL. In addition to providing data encryption, integrity, and server
authentication, SSL can provide client authentication when properly configured.

2. Securing E-mail with S/MIME, PEM, and PGP

A number of cryptosystems have been adapted to work with the dominant e-mail protocols in
an attempt to incorporate some degree of security into this notoriously insecure communication
medium. Some popular adaptations are described in this section.
Secure Multipurpose Internet Mail Extensions (S/MIME) builds on the encoding format of the
Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-
key cryptosystems to secure e-mail. In 1993, the Internet Engineering Task Force (IETF) proposed the
Privacy-Enhanced Mail (PEM) standard to use 3DES symmetric key encryption and RSA for key
exchanges and digital signatures; however, it was never widely deployed. Pretty Good Privacy (PGP)
was developed by Phil Zimmermann, and uses the IDEA cipher for message encoding. PGP also uses
RSA for symmetric key exchange and digital signatures.

3. Securing Web Transactions with SET, SSL, and S-HTTP

Just as PGP, PEM, and S/MIME work to secure e-mail operations, a number of related protocols
work to secure Web browsers, especially at e-commerce sites. Among these protocols are SET, SSL,
S-HTTP, Secure Shell (SSH-2), and IP Security (IPSec).

Secure Electronic Transactions (SET) was developed by MasterCard and Visa in 1997 to
protect against electronic payment fraud. SET uses DES to encrypt credit card information transfers
and RSA for key exchange. SET provides security both for Internet-based credit card transactions and
credit card swipe systems in retail stores. SSL, as you learned earlier in this chapter, also provides
secure online e-commerce transactions. SSL uses a number of algorithms, but mainly relies on RSA
for key transfer and uses IDEA, DES, or 3DES for encrypted symmetric key-based data transfer. Figure
8-8, shown earlier, illustrates the kind of certificate and SSL information that appears when you check
out of an e-commerce site. If your Web connection does not automatically display such certificates,
you can right-click in your browser’s window and select Properties to view the connection encryption
and certificate properties.

4. Securing Wireless Networks with WEP and WPA

Wireless local area networks (also known by the brand name Wi-Fi, or wireless fidelity networks) are
thought by many in the IT industry to be inherently insecure. The communication channel between the
wireless network interface of any computing device and the access point that provides its services uses
radio transmissions. Without some form of protection, these radio signals can be intercepted by anyone
with a wireless packet sniffer. To prevent interception of these communications, wireless networks
must use some form of cryptographic security control. Two sets of protocols are widely used to help
secure wireless transmissions: Wired Equivalent Privacy and Wi-Fi Protected Access. Both are
designed for use with the IEEE 802.11 wireless networks.

5. Securing TCP/IP with IPSec and PGP

Internet Protocol Security (IPSec) is an open-source protocol framework for security


development within the TCP/IP family of protocol standards. It is used to secure communications
across IP-based networks such as LANs, WANs, and the Internet. The protocol is designed to protect
data integrity, user confidentiality, and authenticity at the IP packet level. IPSec is the cryptographic

Ms. Olga Llanera Course Facilitator Page | 10


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

authentication and encryption product of the IETF’s IP Protocol Security Working Group. It is often
described as the security system from IP version 6, the future version of the TCP/IP protocol, retrofitted
for use with IP version 4 (the current version). IPSec is defined in Request for Comments (RFC) 1825,
1826, and 1827, and is widely used to create virtual private networks (VPNs), which were described in
Chapter 6. IPSec itself is actually an open framework.

IPSec includes the IP Security protocol itself, which specifies the information to be added to an
IP packet as well as how to encrypt packet data; and the Internet Key Exchange, which uses an
asymmetric-based key exchange and negotiates the security associations. IPSec operates in two modes:
transport and tunnel. In transport mode, only the IP data is encrypted,
not the IP headers. This allows intermediate nodes to read the source and destination addresses. In
tunnel mode, the entire IP packet is encrypted and then placed into the content portion of another IP
packet. This requires other systems at the beginning and end of the tunnel to act as proxies and to send
and receive the encrypted packets. These systems then transmit the decrypted packets to their true
destinations.

IPSec uses several different cryptosystems:


● Diffie-Hellman key exchange for deriving key material between peers on a public
network
● Public-key cryptography for signing the Diffie-Hellman exchanges to guarantee the
identity of the two parties
● Bulk encryption algorithms, such as DES, for encrypting the data
● Digital certificates signed by a certificate authority to act as digital ID cards

PGP Pretty Good Privacy (PGP) is a hybrid cryptosystem that combines some of the best
available cryptographic algorithms. It has become the open-source de facto standard for encryption and
authentication of e-mail and file storage applications. Both freeware and low-cost commercial versions
of PGP are available for a wide variety of platforms.

The PGP security solution provides six services: authentication by digital signatures, message
encryption, compression, e-mail compatibility, segmentation, and key management.

Ms. Olga Llanera Course Facilitator Page | 11


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

Activity 8

Name: ________________________________ Date: _______________


Course & Year: _________________________ Score: _______________

Direction: Write True if the statement is correct otherwise write False.

__________ 1. The two basic processing methods are used to convert plaintext data into
encrypted
data—bit stream and substitution ciphering.
__________ 2. The strength of many encryption applications and cryptosystems is determined
by key
size.
__________ 3. Most cryptographic algorithms can be grouped into two broad categories:
symmetric
and asymmetric
__________ 4. The most popular cryptosystems are crossbrids that combine symmetric and
asymmetric algorithms.
__________ 5. Public key infrastructure (PKI) includes digital certificates and digital
signatures.
__________ 6. Another important encryption technique that is often incorporated into
cryptosystems is the hash function.
__________ 7. The PGP security solution provides five services: authentication by digital
signatures, message encryption, e-mail compatibility, segmentation, and key
management.
__________ 8. Steganography is the hiding of information.
__________ 9. S-HTTP (Secure Hypertext Transfer Protocol), Secure Electronic Transactions
(SET), and
SSL (Secure Sockets Layer) are protocols designed to enable secure
communications across
the Internet.
__________ 10. Most modern Wi-Fi networks are now protected with WPA2.

Ms. Olga Llanera Course Facilitator Page | 12


CMSC 122 INFORMATION ASSURANCE AND SECURITY BSCS 4

Evaluation 8

Name: ________________________________ Date: _______________


Course & Year: _________________________ Score: _______________

Direction: Match Column A with Column B. Write the letter of your choice on the space provided
before each item.

COLUMN A COLUMN B

______ 1. The process of converting a A. Cryptology


message into a form that is
unreadable to
unauthorized people.
______ 2. The science of encryption B. Internet Protocol
Security (IPSec)
______ 3. Making C. Encryption
and using encryption codes
______ 4. The breaking of encryption codes D. Digital certificate
______ 5. It is used to secure E. Digital signatures
communications across IP-based
networks such as LANs, WANs,
and the Internet.
______ 6. Are mathematical algorithms that F. Cryptography
generate a message summary, or
digest, that can be used to confirm
the identity of a specific message
and confirm that the message has
not been altered.
______ 7. A hybrid cryptosystem that G. Certificate authority
combines some of the best (CA)
available cryptographic
algorithms.
______ 8. A third party that manages users’ H. Cryptanalysis
digital certificates.

______ 9. An electronic document or I. Hash functions


container file that contains a key
value and identifying information
about the entity that controls the
key.
______ 10. Encrypted message components J. Session keys
that can be mathematically proven
as authentic.
K. Pretty Good Privacy
(PGP)

Ms. Olga Llanera Course Facilitator Page | 13

You might also like