
Security Plus Unit 10

Uploaded by

cissp4all

Understanding Cryptography and PKI

Core Cryptography Concepts


| Concept | Definition | Mechanism/Example |
|---|---|---|
| Integrity | Assurance that data has not been altered or tampered with. | Hashing: Computes a fixed-length string (hash) from data, e.g., SHA-3. |
| Hashing | Generating a unique, fixed-length string from input data. | SHA-3: A cryptographic hash function that produces a fixed-size hash. |
| Confidentiality | Ensures data is accessible only to authorized users. | Encryption: Scrambles data so that only authorized users can read it. |
| Encryption | Transforming readable data into an unreadable format to protect confidentiality. | Algorithm: Uses specific rules and keys to encode data, e.g., AES. |
| Symmetric Encryption | Uses the same key for both encryption and decryption. | Block Cipher: Encrypts data in fixed-size blocks (e.g., AES). Stream Cipher: Encrypts data bit by bit (e.g., RC4). |
| Asymmetric Encryption | Uses a pair of keys: a public key for encryption and a private key for decryption. | Public Key Infrastructure (PKI): Manages public and private key pairs. |
| Steganography | Hiding data within other files or media. | Embedding Data: Conceals information within a picture file, e.g., using LSB (Least Significant Bit) technique. |
| Authentication | Verifying an identity to ensure the entity is who it claims to be. | Methods: Includes passwords, biometrics, and digital certificates. |
| Non-Repudiation | Ensures a party cannot deny their actions or involvement. | Digital Signatures: A cryptographic technique using a private key to sign data, which can be verified with the corresponding public key. |
| Digital Signatures | Provides authentication, non-repudiation, and integrity for digital messages or documents. | Process: Hashes the message, then encrypts the hash with the sender's private key. Verification is done using the sender's public key. |

1. Hashing Basics
| Concept | Definition | Example | Detailed Explanation |
|---|---|---|---|
| Integrity | Assurance that data has not been modified, tampered with, or corrupted. | Verification of a file's integrity using a hash. | Integrity checks confirm that data remains consistent from its original state. A hash function produces a unique output for each input. |
| Hash | A fixed-length string of alphanumeric characters derived from a mathematical algorithm applied to data. | Example: SHA-3-256 hash d4723ac6f72daea2c779…3ac113863c. | Hash functions produce a fixed-size string (hash) from variable-size input, ensuring that even a small change in input drastically alters the hash. |
| Hashing Process | The process of generating a hash from data and comparing it to a previously computed hash. | Download a file, calculate its hash, compare with provided hash. | Ensures data has not been altered during transmission or storage. The comparison verifies integrity by matching computed hashes. |

2. Hashing Algorithms
| Algorithm | Description | Output Example | Security Notes |
|---|---|---|---|
| MD5 | Produces a 128-bit hash value, typically shown as 32 hexadecimal characters. | Example: 5d41402abc4b2a76b9719d911017c592 | Considered cryptographically broken due to vulnerabilities such as collision attacks. |
| SHA-0 | An early version of SHA, now flawed and obsolete. | Not used. | Replaced by SHA-1; historically important but not secure. |
| SHA-1 | Creates a 160-bit hash, represented as 40 hexadecimal characters. | Example: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 | Deprecated due to vulnerabilities allowing collision attacks; not recommended for secure use. |
| SHA-2 | Improved version of SHA-1 with various hash sizes: SHA-224, SHA-256, SHA-384, SHA-512. | Example: SHA-256 hash 6dcd4ce23d88e2ee9568ba546d4e6d37e4f77de2 | More secure; commonly used for cryptographic purposes. |
| SHA-3 | Latest SHA family with sizes similar to SHA-2, developed independently of NSA. | Example: SHA-3-256 hash a5c9e1e65d5c5e6d7435…8e28c519a3d | Provides robust security; alternative to SHA-2 with different internal structure. |

3. Hashing vs. Checksum


| Aspect | Hash | Checksum | Usage Example |
|---|---|---|---|
| Length | Generally longer and more complex. | Typically shorter, e.g., a few bits or bytes. | Hashes: SHA-256, MD5. Checksum: RAID-5 parity bit, credit card check digit. |
| Purpose | Cryptographic security and data integrity verification. | Quick integrity checks; not cryptographically secure. | Hashes: File downloads, digital signatures. Checksum: Credit card validation, RAID storage. |

4. Hash-based Message Authentication Code (HMAC)
| Concept | Description | Example | Usage |
|---|---|---|---|
| HMAC | Combines a hash function with a secret key to ensure both integrity and authenticity. | Example: HMAC-MD5, HMAC-SHA256. | Used in protocols like IPsec and TLS. |
| HMAC-MD5 | MD5 combined with a secret key, provides integrity and authenticity. | Example: 9e107d9d372bb6826bd81d3542d8 | Suitable for integrity if the key is strong. |
| HMAC-SHA256 | SHA-256 combined with a secret key for enhanced security. | Example: 2c6ee24b09816a6f14f95d1698b24ead | Provides strong security for integrity checks. |

5. Practical Examples
| Scenario | Process | Tools/Commands | Outcome |
|---|---|---|---|
| Patch File Verification | Calculate and compare hashes for a software patch. | Example: sha256sum patch | Verifies the downloaded file matches the original hash. |
| File Integrity Check | Manual calculation and comparison of file hashes. | Command-line tools like sha256sum | Ensures file integrity post-download by comparing hashes. |
| Credit Card Validation | Use checksum to validate the accuracy of entered card numbers. | Built-in credit card validation algorithms | Confirms the card number is entered correctly before submission. |

6. Hashing Files
| Concept | Description | Example | Tools |
|---|---|---|---|
| Hashing Files | Methods for manually and automatically calculating and verifying hashes of files. | Example: SHA-256 hash of a Kali Linux image file. | Tools: sha256sum, digital signatures in email. |
| One-Way Function | Hashing creates a fixed-size bit string and does not allow reconstruction of original data. | Example: SHA-1 hash of "I will pass the Security+ exam" is 765591c4611be5e03bea41882ffdaa159352cf49. | Hashes do not reveal file type or size. |

7. Hashing Example Calculation


| Step | Description | Example | Command |
|---|---|---|---|
| File Download | Download the file and obtain its original hash from a trusted source. | Downloaded Kali Linux image. | N/A |
| Hash Calculation | Use a hashing tool to calculate the hash of the downloaded file. | Example hash: acf455e6f9ab0720df0abed15799223c2445882b44dfcc3f2216f9464db7915 | Command: sha256sum filename |
| Comparison | Compare the calculated hash with the original hash. | Original hash: acf455e6f9ab0720df0abed15799223c2445882b44dfcc3f2216f9464db7915 | Manual comparison |
| Integrity Verification | If hashes match, the file is verified as intact. | Hashes match, file is verified. | N/A |

Hashing Messages
| Step | Action | Details/Examples |
|---|---|---|
| 1 | Message Creation | Lisa creates a message: "The price is $75." |
| 2 | Hash Calculation (Sender) | An application on Lisa's computer calculates the MD5 hash: D9B93C99B62646ABD06C887039053F56 |
| 3 | Sending Message and Hash | Lisa sends both the message and the hash to Bart. |
| 4 | Message Modification | The message is altered in transit to: "The price is .75." (Note: The hash remains unaltered.) |
| 5 | Hash Calculation (Receiver) | A program on Bart's computer calculates the MD5 hash of the received message: 564294439E1617F5628A3E3EB75643FE |
| 6 | Hash Comparison | Hash from Lisa (original): D9B93C99B62646ABD06C887039053F56. Hash calculated by Bart: 564294439E1617F5628A3E3EB75643FE |
| 7 | Integrity Check | Bart's program compares the two hashes and detects a mismatch, indicating the message has lost integrity. |
| 8 | Conclusion | Bart knows the received message isn't the same as the sent message and shouldn't trust it. |

Important Points
| Concept | Explanation |
|---|---|
| Hashing Algorithm | MD5 in this example, used to ensure message integrity by producing a fixed-length hexadecimal string. |
| Integrity Assurance | Hashing provides assurances that the message has not been modified. |
| Comparison | Hashes are created and compared at both sender and receiver ends to ensure data integrity. |
| Example of Integrity Loss | Message altered from "The price is $75." to "The price is .75." resulting in different hashes. |

Remember This!
Key Points

Recognize hashing algorithms such as MD5, SHA, and HMAC.

Hashing algorithms are used for integrity, not encryption.

Using HMAC

Problem with Simple Hashing

| Step | Action | Details/Examples |
|---|---|---|
| 1 | Message Creation | Lisa creates a message: "The price is $75." |
| 2 | Hash Calculation (Sender) | Lisa's computer calculates the MD5 hash: D9B93C99B62646ABD06C887039053F56 |
| 3 | Sending Message and Hash | Lisa sends both the message and the hash to Bart. |
| 4 | Message Modification by Attacker | Hacker Harry modifies the message to: "The price is .75." and calculates a new MD5 hash: 564294439E1617F5628A3E3EB75643FE |
| 5 | Hash Comparison (Receiver) | Hash from Lisa (original): D9B93C99B62646ABD06C887039053F56. Hash from attacker (modified): 564294439E1617F5628A3E3EB75643FE. Hash calculated by Bart (modified message): 564294439E1617F5628A3E3EB75643FE |
| 6 | Integrity Check | The calculated hash on the modified message matches the hash received from the attacker, erroneously indicating the message has maintained integrity. |

Solution with HMAC

| Step | Action | Details/Examples |
|---|---|---|
| 1 | Message Creation | Lisa creates a message: "The price is $75." |
| 2 | Hash Calculation with HMAC (Sender) | Lisa's computer calculates the MD5 hash: D9B93C99B62646ABD06C887039053F56 and then applies the HMAC secret key to get the HMAC-MD5 hash: 733C70A54A13744D5C2C9C4BA3B15034 |
| 3 | Sending Message and HMAC Hash | Lisa sends both the message and the HMAC-MD5 hash to Bart. |
| 4 | Message Modification by Attacker | Hacker Harry modifies the message to: "The price is .75." but cannot calculate a valid HMAC hash without the secret key. |
| 5 | HMAC Hash Calculation (Receiver) | Bart's computer calculates the HMAC-MD5 hash on the received message using the shared secret key. |
| 6 | Hash Comparison (Receiver) | HMAC-MD5 hash from Lisa (original): 733C70A54A13744D5C2C9C4BA3B15034. HMAC-MD5 hash calculated by Bart (modified message): 1B4FF0F6C04434BF97F1E3DDD4B6C137 |
| 7 | Integrity Check | The hashes are different, indicating the message has lost integrity. If the message was not modified, the HMAC-MD5 hashes would be the same. |

Key Points to Remember


| Concept | Explanation |
|---|---|
| Hashing Algorithm | MD5, used to ensure message integrity by producing a fixed-length hexadecimal string. |
| Integrity Assurance | Hashing provides assurances that the message has not been modified. |
| HMAC | Adds a secret key to the hashing process to provide additional security, ensuring the message integrity cannot be faked by an attacker. |
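
The "Problem with Simple Hashing" and "Solution with HMAC" exchanges above, as an added example that is not part of the original document: a bare hash can be recomputed by whoever alters the message, while an HMAC tag cannot be produced without the shared key. The key value and function names are assumptions for illustration, and HMAC-SHA256 is used in place of the MD5 and HMAC-MD5 values shown in the tables.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, matching the messages used in the tables above.
ORIGINAL = b"The price is $75."
TAMPERED = b"The price is .75."

# Assumption: Lisa and Bart agreed on this key out of band. Generated fresh here.
SHARED_KEY = secrets.token_bytes(32)


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone holding the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_plain(message: bytes, received_digest: str) -> bool:
    """Bart's check when only a bare hash travels with the message."""
    return hmac.compare_digest(plain_digest(message), received_digest)


def receiver_accepts_hmac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Bart's check when an HMAC tag travels with the message.

    compare_digest compares in constant time, so the check does not leak
    how many leading characters of a forged tag were correct.
    """
    return hmac.compare_digest(make_tag(key, message), received_tag)


def simulate() -> dict:
    """Run both exchanges and report whether Bart accepts each message."""
    results = {}
    # Message altered in transit, original hash left untouched: detected.
    results["altered_msg_old_hash"] = receiver_accepts_plain(
        TAMPERED, plain_digest(ORIGINAL))
    # Message altered and hash recomputed by whoever altered it: NOT detected.
    results["altered_msg_new_hash"] = receiver_accepts_plain(
        TAMPERED, plain_digest(TAMPERED))
    # HMAC, message unmodified: accepted.
    tag = make_tag(SHARED_KEY, ORIGINAL)
    results["hmac_unmodified"] = receiver_accepts_hmac(SHARED_KEY, ORIGINAL, tag)
    # HMAC, message altered, original tag forwarded: detected.
    results["hmac_altered_old_tag"] = receiver_accepts_hmac(
        SHARED_KEY, TAMPERED, tag)
    # HMAC, message altered, tag recomputed without the shared key: detected.
    wrong_key_tag = make_tag(b"not-the-shared-key", TAMPERED)
    results["hmac_altered_wrong_key_tag"] = receiver_accepts_hmac(
        SHARED_KEY, TAMPERED, wrong_key_tag)
    return results


if __name__ == "__main__":
    for case, accepted in simulate().items():
        print(f"{case}: accepted={accepted}")
```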

Hashing Passwords
| Step | Action | Details/Examples |
|---|---|---|
| 1 | Password Creation | User creates a password, e.g., password123. |
| 2 | Hash Calculation (Password Creation) | The system calculates the hash for the password. Example with MD5: 482c811da5d5b4bc6d497ffa98491e38 |
| 3 | Storing the Hash | The system stores the hash, not the password. Stored hash: 482c811da5d5b4bc6d497ffa98491e38 |
| 4 | Authentication Attempt | User enters username and password: password123. |
| 5 | Hash Calculation (Authentication) | The system calculates the hash of the entered password. Entered password: password123. Calculated hash: 482c811da5d5b4bc6d497ffa98491e38 |
| 6 | Hash Comparison | The system compares the calculated hash with the stored hash. Stored hash: 482c811da5d5b4bc6d497ffa98491e38. Calculated hash: 482c811da5d5b4bc6d497ffa98491e38 |
| 7 | Validation | If the hashes match, the user is authenticated. Result: User is authenticated. |

Issue with Weak Hashing Algorithms


| Problem | Details/Examples |
|---|---|
| Weak Hashing Algorithm | MD5 is considered weak and can be easily cracked. |
| Online Tools | Tools like MD5 Online can decrypt MD5 hashes quickly if the password is weak or common. Example: MD5 hash of 12345: 827ccb0eea8a706c4c34a16891f84e7b. MD5 Online can decrypt this hash to 12345 in less than a second. |
| Dictionary Attacks | MD5 Online and similar tools use a database of common hashed passwords to quickly find matches. |

Solution: Strong Hashing Algorithms and Salting

| Concept | Details/Examples |
|---|---|
| Strong Hashing Algorithms | Use algorithms like SHA-3 to store password hashes. Example: SHA-3-256 hash of password123: 9d5e3ecdeb093eab3c83e12f19f81b01421ba4b36a2edc1d7a75f4034d1f22d8 |
| Salting | Adding random data (salt) to the password before hashing to prevent dictionary and rainbow table attacks. Example: Password: password123. Salt: randomSalt123. Salted Password: password123randomSalt123. SHA-3-256 hash of salted password: examplehashedvalue (hypothetical) |

Example of Salting and Hashing


| Step | Action | Details/Examples |
|---|---|---|
| 1 | Password Creation | User creates a password, e.g., password123. |
| 2 | Salt Generation | System generates a random salt, e.g., randomSalt123. |
| 3 | Salted Password Creation | Concatenate password and salt: password123randomSalt123. |
| 4 | Hash Calculation (Password Creation) | Calculate the hash of the salted password. SHA-3-256 hash: examplehashedvalue (hypothetical) |
| 5 | Storing the Hash and Salt | Store the hash and the salt. Stored hash: examplehashedvalue. Stored salt: randomSalt123 |
| 6 | Authentication Attempt | User enters username and password: password123. |
| 7 | Salt Retrieval | System retrieves the stored salt: randomSalt123. |
| 8 | Salted Password Recreation | Concatenate entered password and salt: password123randomSalt123. |
| 9 | Hash Calculation (Authentication) | Calculate the hash of the salted entered password. SHA-3-256 hash: examplehashedvalue (hypothetical) |
| 10 | Hash Comparison | Compare the calculated hash with the stored hash. Stored hash: examplehashedvalue. Calculated hash: examplehashedvalue |
| 11 | Validation | If the hashes match, the user is authenticated. Result: User is authenticated. |

Key Points to Remember


| Concept | Explanation |
|---|---|
| Hashing | Converts passwords into a fixed-length string that cannot be reversed. |
| Salting | Adds random data to the password before hashing to make each hash unique. |
| Strong Algorithms | Use strong, modern hashing algorithms like SHA-3. |
| Security | Hashing and salting together provide robust security for stored passwords. |

Understanding Hash Collisions


| Concept | Description | Example |
|---|---|---|
| Hash Collision | Occurs when different inputs produce the same hash. | Password “success” and “passed” both produce hash 123 using a simple hashing algorithm. |
| MD5 Vulnerability | Highly susceptible to hash collision attacks. | Not recommended for cryptographic use due to ease of creating collisions. |

Understanding Password Attacks

Online Password Attacks

| Attack Type | Description | Indicators/Tools |
|---|---|---|
| Online Password Attack | Attempts to discover passwords by guessing repeatedly. | Tools: ncrack. Indicators: System logs showing repeated login attempts, Event ID 4625, Event ID 4740 (account lockouts). |

Offline Password Attacks

| Attack Type | Description | Indicators/Tools |
|---|---|---|
| Offline Password Attack | Attempts to discover passwords from a captured database or packet scan. | Indicators: Access to downloaded databases, use of password cracking tools offline. |

Dictionary Attacks

| Attack Type | Description | Prevention |
|---|---|---|
| Dictionary Attack | Uses a list of words and common passwords to guess passwords. | Use complex passwords that are not in the dictionary. |

Brute Force Attacks

| Attack Type | Description | Prevention |
|---|---|---|
| Brute Force Attack | Attempts all possible character combinations. | Use complex, long passwords and store them in encrypted/hashed format. |

Password Spraying Attacks

| Attack Type | Description | Indicators |
|---|---|---|
| Password Spraying Attack | Attempts a single password across many accounts to avoid lockout. | Indicators: System logs with Event ID 4625 showing failed logins with time lapses. |
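
An added example, not part of the original document, showing how the Event ID 4625 and 4740 indicators listed above for online password attacks and password spraying can be checked in log data. The events are constructed samples, and the thresholds and function names are assumptions to tune for a given environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune them against your own baseline.
GUESS_FAILURES = 10        # failures against one account from one source
SPRAY_ACCOUNTS = 5         # distinct accounts touched by one source
SPRAY_MAX_PER_ACCOUNT = 2  # spraying stays under the lockout threshold


def build_sample_events():
    """Constructed events (not real log data) using Security log field names."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # Source A: 12 rapid failures against one account, then a lockout (4740).
    for i in range(12):
        events.append({"EventID": 4625,
                       "TimeCreated": start + timedelta(seconds=5 * i),
                       "TargetUserName": "alice", "IpAddress": "203.0.113.10"})
    events.append({"EventID": 4740, "TimeCreated": start + timedelta(seconds=60),
                   "TargetUserName": "alice"})
    # Source B: one failure per account, 30 minutes apart (the "time lapses").
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        events.append({"EventID": 4625,
                       "TimeCreated": start + timedelta(minutes=30 * i),
                       "TargetUserName": user, "IpAddress": "198.51.100.7"})
    # Source C: a single mistyped password, which should not raise a finding.
    events.append({"EventID": 4625, "TimeCreated": start + timedelta(minutes=3),
                   "TargetUserName": "heidi", "IpAddress": "192.0.2.5"})
    return events


def analyze(events):
    """Return findings for repeated guessing and for password spraying."""
    failures = defaultdict(lambda: defaultdict(list))  # source -> account -> times
    locked_out = set()
    for ev in events:
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]][ev["TargetUserName"]].append(ev["TimeCreated"])
        elif ev["EventID"] == 4740:
            locked_out.add(ev["TargetUserName"])

    findings = []
    for source in sorted(failures):
        per_account = failures[source]
        # Many failures against a single account: online guessing.
        for account in sorted(per_account):
            count = len(per_account[account])
            if count >= GUESS_FAILURES:
                findings.append({"type": "online_guessing", "source": source,
                                 "account": account, "failures": count,
                                 "locked_out": account in locked_out})
        # Few failures each across many accounts: password spraying.
        sprayed = sorted(a for a, t in per_account.items()
                         if len(t) <= SPRAY_MAX_PER_ACCOUNT)
        if len(sprayed) >= SPRAY_ACCOUNTS:
            times = sorted(t for a in sprayed for t in per_account[a])
            gaps = [(b - a).total_seconds() / 60
                    for a, b in zip(times, times[1:])]
            findings.append({"type": "password_spraying", "source": source,
                             "accounts": sprayed, "min_gap_minutes": min(gaps)})
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_events()):
        print(finding)
```

Counting failures per account alone misses the spraying source, because each sprayed account sees only one failure; grouping by source address is what exposes it.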

Pass the Hash Attacks

| Attack Type | Description | Indicators |
|---|---|---|
| Pass the Hash Attack | Uses captured password hashes to log in without cracking. | Indicators: Event ID 4624 with NTLMSSP as Logon Process, NTLM as Authentication Package, correlated with Event ID 4672 for privilege use. |

Birthday Attacks

| Concept | Description | Prevention |
|---|---|---|
| Birthday Attack | Attempts to create a password producing the same hash as another password. | Increase the number of bits in the hash (e.g., use SHA-3). |

Rainbow Table Attacks

| Concept | Description | Prevention |
|---|---|---|
| Rainbow Table Attack | Uses precomputed hashes to find a matching password. | Use salting and strong hashing algorithms like SHA-3. |

Salting and Key Stretching


| Concept | Description | Example/Prevention |
|---|---|---|
| Salting | Adds random data to a password before hashing. | Password: password123. Salt: randomSalt123. Salted Password: password123randomSalt123. Hash: examplehashedvalue |
| Key Stretching | Increases the complexity of the hash calculation process to prevent attacks. | Techniques: bcrypt, PBKDF2, Argon2 |

Bcrypt

| Technique | Description | Example |
|---|---|---|
| Bcrypt | Uses Blowfish cipher, adds random bits before encrypting, repeated multiple times. | Password: IL0ve$ecurity. Bcrypt Hash: $2b$12$HXIKtJr93DH59BzzKQhehOI9pGjRA/03ENcFRby1jH7nXwt1Tn0kG |

PBKDF2

| Technique | Description | Usage |
|---|---|---|
| PBKDF2 | Uses salts of at least 64 bits and applies HMAC repeatedly. | Used in WPA2, Apple's iOS, Cisco IOS. Can apply the process up to 1,000,000 times. |
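
An added example, not part of the original document, that puts the salting and key stretching steps above into code using PBKDF2-HMAC-SHA256 from the Python standard library, next to the unsalted MD5 scheme the page warns against. The record format, iteration count and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; raise it as far as login latency allows.
ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The weak scheme: same password always yields the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt, stretch, and return one storable record (hypothetical format)."""
    salt = secrets.token_bytes(16)  # random 128-bit salt, unique per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iter_text, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def compare_schemes() -> dict:
    """Two users pick the same password; compare what ends up in storage."""
    password = "password123"  # sample password from the tables above
    record_a = hash_password(password)
    record_b = hash_password(password)
    return {
        # Identical values let one precomputed table entry match every user.
        "unsalted_hashes_identical": unsalted_md5(password) == unsalted_md5(password),
        # Per-user salts make the two stored records differ.
        "salted_records_identical": record_a == record_b,
        "correct_password_verifies": verify_password(password, record_a),
        "wrong_password_verifies": verify_password("password124", record_a),
        "malformed_record_verifies": verify_password(password, "not-a-record"),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```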

Argon2

| Technique | Description | Example |
|---|---|---|
| Argon2 | Uses a password and salt, passed through an algorithm multiple times, continuously improved. | Variants: Argon2d, Argon2i |

Summary Points
| Concept | Explanation |
|---|---|
| Encryption | Provides confidentiality, ensuring data is only viewable by authorized users. |
| Salting | Adds random data to passwords before hashing to thwart attacks. |
| Key Stretching | Makes the hash calculation more complex to prevent brute force and rainbow table attacks. |
| Attack Indicators | Online and offline attack indicators include repeated failed logon attempts and unusual log entries. |

Basic Concepts of Encryption


| Term | Description |
|---|---|
| Plaintext | Human-readable data. |
| Ciphertext | Unreadable, scrambled data produced by an encryption algorithm. |
| Encryption | Process of converting plaintext to ciphertext to prevent unauthorized access. |
| Cleartext | Unencrypted data that can be easily read if captured. |

Types of Data in Encryption

| Type | Description | Example |
|---|---|---|
| Data at Rest | Data stored on media (e.g., hard drives, SSDs). Encrypt individual fields, files, folders, or disks. | Encrypting customer credit card fields in a database. |
| Data in Transit | Data sent over a network. Common to encrypt sensitive data during transmission. | Using HTTPS for secure transactions that include credit card data. |
| Data in Use | Data being used by a computer, decrypted while in use, and re-encrypted before being saved. | Applications decrypt data for processing and then re-encrypt it before storing it. Memory is purged of sensitive data. |

Encryption Methods

Symmetric Encryption

| Feature | Description | Example |
|---|---|---|
| Key Usage | Same key used for both encryption and decryption. | A single shared secret key for both encrypting and decrypting messages. |
| Speed | Faster than asymmetric encryption due to simpler algorithms. | Often used for bulk data encryption. |
| Security | Key distribution is challenging as the same key must be securely shared between parties. | Secret key must be exchanged securely. |

Asymmetric Encryption

| Feature | Description | Example |
|---|---|---|
| Key Usage | Uses a pair of keys: a public key for encryption and a private key for decryption. | Public key shared with anyone; private key kept secure. |
| Speed | Slower than symmetric encryption due to more complex algorithms. | Used for smaller amounts of data or for encrypting symmetric keys. |
| Security | More secure for key distribution as the private key does not need to be shared. | Private key never transmitted. |

Elements of Encryption

| Element | Description | Example |
|---|---|---|
| Algorithm | Performs mathematical calculations on data. | AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman). |
| Key | A number that provides variability in encryption, either kept private or changed frequently. | 256-bit key used in AES for strong encryption. |

Examples of Encryption in Use

Data at Rest

| Scenario | Description |
|---|---|
| Database Encryption | Encrypting sensitive fields like customer credit card data in a database. |
| File Encryption | Encrypting individual files or folders containing confidential information. |
| Full Disk Encryption | Encrypting the entire disk to protect all data stored on it. |

Data in Transit

| Scenario | Description |
|---|---|
| HTTPS Sessions | Encrypting web traffic to secure online transactions. |
| VPNs (Virtual Private Networks) | Encrypting data sent over public networks to secure communication between remote users and a corporate network. |

Data in Use

| Scenario | Description |
|---|---|
| Application Processing | Decrypting data for processing and re-encrypting before storing, with memory purging to remove sensitive data. |

Summary Points
| Concept | Explanation |
|---|---|
| Encryption | Provides confidentiality, ensuring data is viewable only by authorized users. |
| Data at Rest Encryption | Encrypts stored data to protect against unauthorized access if the storage medium is compromised. |
| Data in Transit Encryption | Encrypts data being transmitted over networks to prevent interception and unauthorized reading. |
| Data in Use Encryption | Temporarily decrypts data for processing and re-encrypts it after use, with memory being purged. |
| Symmetric Encryption | Uses the same key for both encryption and decryption, offering faster performance. |
| Asymmetric Encryption | Uses a key pair (public and private), offering better security for key distribution. |
| Algorithm and Key | Algorithms perform mathematical operations; keys provide variability and are crucial for security. |

Symmetric Encryption Overview

Symmetric encryption uses the same key to encrypt and decrypt data. This method is also
known as secret-key encryption or session-key encryption. Here’s a breakdown with
examples:

Basic Concepts

| Term | Description |
|---|---|
| Encryption Algorithm | The process or formula used to scramble data. |
| Decryption Algorithm | The process or formula used to unscramble data. |
| Key | A number or string used in both encryption and decryption processes. |
| Plaintext | The original, readable message or data before encryption. |
| Ciphertext | The scrambled, unreadable message or data after encryption. |

Example: Simple Letter Substitution Cipher

Imagine the message “PASS” needs to be sent using a key of 3:

| Step | Process | Result |
|---|---|---|
| Encrypt 'P' | Move 3 spaces forward from 'P' | 'S' |
| Encrypt 'A' | Move 3 spaces forward from 'A' | 'D' |
| Encrypt 'S' | Move 3 spaces forward from 'S' | 'V' |
| Encrypt 'S' | Move 3 spaces forward from 'S' | 'V' |
| Ciphertext | | SDVV |

To decrypt, move each character 3 spaces backward:

| Step | Process | Result |
|---|---|---|
| Decrypt 'S' | Move 3 spaces backward from 'S' | 'P' |
| Decrypt 'D' | Move 3 spaces backward from 'D' | 'A' |
| Decrypt 'V' | Move 3 spaces backward from 'V' | 'S' |
| Decrypt 'V' | Move 3 spaces backward from 'V' | 'S' |
| Plaintext | | PASS |

ROT13 Example

The ROT13 cipher rotates each letter by 13 places. Encryption and decryption use the same
process.

| Plaintext | Encryption | Ciphertext |
|---|---|---|
| 'HELLO' | Move 13 | 'URYYB' |
| 'URYYB' | Move 13 | 'HELLO' |

Comparing Symmetric Encryption to a Door Key

This analogy helps understand symmetric encryption:

| Scenario | Description |
|---|---|
| House Key | Marge receives a key to her new home. This key locks and unlocks her home. |
| Sharing Key | Marge shares a copy of her key with Homer. Now both can lock and unlock the house. |
| Symmetric Key Use | Symmetric encryption uses a single key to both encrypt and decrypt data. |
| Server Communication | Two servers use AES symmetric encryption to exchange data using the same key. |
| Key Rotation | Symmetric encryption often changes keys to enhance security. |
| Vulnerability | Using the same key repeatedly increases the risk of cracking and compromise. |

Symmetric Encryption in Practice

Advanced Encryption Standard (AES)

AES is a popular symmetric encryption algorithm using keys of 128, 192, or 256 bits.

| Feature | Description |
|---|---|
| Algorithm | AES performs complex mathematical calculations to encrypt and decrypt data. |
| Key Size | AES uses keys of 128, 192, or 256 bits to enhance security. |
| Data Transmission | Encrypts data before transmission and decrypts it upon receipt using the same key. |
| Data Storage | Encrypts data in databases or files using a symmetric key, which must be securely stored. |

Example: Server Communication

| Step | Process |
|---|---|
| Encryption | Server A uses AES with key '123' to encrypt data. |
| Transmission | Encrypted data is sent over the network. |
| Decryption | Server B uses the same AES algorithm with key '123' to decrypt data. |

Changing Keys Example

| Scenario | Description |
|---|---|
| Day 1 | Use key '123' to encrypt and decrypt data. |
| Day 2 | Change to key '456' for new encryption and decryption operations. |
| Enhanced Security | Frequent key changes prevent reuse and reduce the risk of compromising multiple data sets. |

Summary Points
| Concept | Explanation |
|---|---|
| Symmetric Encryption | Uses the same key to encrypt and decrypt data. |
| ROT13 | A simple substitution cipher rotating letters by 13 places, used for obfuscation rather than true encryption. |
| Advanced Encryption | Algorithms like AES use complex keys and are widely used for secure data transmission and storage. |
| Key Management | Frequent key changes enhance security and reduce vulnerabilities. |
| Real-World Analogies | Comparing symmetric keys to house keys helps illustrate the concept of shared access through a single key. |

Comparison of Block and Stream Ciphers


| Cipher Type | Description | Use Case |
|---|---|---|
| Block Cipher | Encrypts data in specific-sized blocks (e.g., 64-bit, 128-bit). Encrypts each block separately. | More efficient when data size is known, e.g., files, specific-sized database fields. |
| Stream Cipher | Encrypts data as a continuous stream of bits or bytes. Does not divide data into blocks. | More efficient for data of unknown size or continuous streams, e.g., streaming audio/video. |

Key Principle: Never reuse an encryption key with a stream cipher; reusing a key makes the encryption easier to crack.

Common Symmetric Algorithms

Advanced Encryption Standard (AES)

| Feature | Description |
|---|---|
| Type | Symmetric Block Cipher |
| Block Size | 128-bit |
| Key Sizes | 128 bits, 192 bits, 256 bits |
| Strengths | Fast: Uses efficient mathematical formulas requiring only one pass to encrypt and decrypt data. Efficient: Less resource-intensive than 3DES, suitable for small devices. Strong: Provides a high level of confidentiality. |

Example Usage: Commonly used to encrypt data on USB drives.

Triple DES (3DES)

| Feature | Description |
|---|---|
| Type | Symmetric Block Cipher |
| Block Size | 64-bit |
| Key Sizes | 112 bits, 168 bits |
| Description | Encrypts data using the DES algorithm in three separate passes with multiple keys. |
| Use Case | Suitable for environments where hardware doesn't support AES. |

Blowfish and Twofish

| Feature | Blowfish | Twofish |
|---|---|---|
| Type | Symmetric Block Cipher | Symmetric Block Cipher |
| Block Size | 64-bit | 128-bit |
| Key Sizes | 32 bits to 448 bits | 128 bits, 192 bits, 256 bits |
| Description | Faster than AES in some cases, especially AES-256. Designed as a general-purpose algorithm to replace DES. | Related to Blowfish, was a finalist in NIST evaluation for AES. |
| Use Case | Widely used in various applications for general-purpose encryption. | Suitable for applications requiring strong encryption with larger block size. |

Examples of Symmetric Encryption

AES Encryption Example

Scenario: Encrypting data on a server using AES-256.

1. Data: Sensitive customer information stored in a database.
2. Algorithm: AES-256.
3. Process:
○ Encryption: Data is encrypted using AES-256 algorithm and a 256-bit key.
○ Transmission: Encrypted data is transmitted securely over the network.
○ Decryption: At the receiving end, the same AES-256 algorithm and key are used
to decrypt the data.

3DES Encryption Example

Scenario: Legacy system encryption using 3DES.

1. Data: Financial transaction details.
2. Algorithm: 3DES.
3. Process:
○ Encryption: Data is encrypted in 64-bit blocks using 3DES with a 168-bit key.
○ Transmission: Encrypted data is transmitted over the network.
○ Decryption: At the receiving end, the same 3DES algorithm and key are used to
decrypt the data.

Summary Points
| Concept | Explanation |
|---|---|
| Block Ciphers | Encrypt data in fixed-size blocks, suitable for known data sizes like files. |
| Stream Ciphers | Encrypt data as a continuous stream, suitable for unknown data sizes like live streaming. |
| AES | Strong symmetric block cipher with 128-bit, 192-bit, and 256-bit keys. Fast, efficient, and highly secure. |
| 3DES | Symmetric block cipher using DES in three passes, suitable for legacy systems where AES is not supported. |
| Blowfish | Symmetric block cipher with 64-bit blocks, key sizes from 32 to 448 bits. Faster than AES in some instances. |
| Twofish | Symmetric block cipher with 128-bit blocks, key sizes of 128, 192, and 256 bits. |
| Key Management | Frequent key changes enhance security and reduce vulnerabilities. |
| Use Cases | Specific scenarios where each algorithm is best applied for optimal security and performance. |

Asymmetric Encryption Concepts


| Concept | Description |
|---|---|
| Asymmetric Encryption | Uses two keys: a public key and a private key. |
| Public Key | Freely shared and embedded in digital certificates. |
| Private Key | Always kept private and never shared. |
| Encryption with Public Key | Only the matching private key can decrypt the information encrypted with the public key. |
| Encryption with Private Key | Only the matching public key can decrypt the information encrypted with the private key. |
| Resource Intensive | Asymmetric encryption requires significant processing power compared to symmetric encryption. |

Key Exchange
| Concept | Description |
|---|---|
| Key Exchange | Method to share cryptographic keys securely between two entities. |
| Usage | Asymmetric encryption is often used for key exchange to share a symmetric key, which is then used for efficient encryption. |

Rayburn Box Metaphor for Asymmetric Keys


| Scenario | Description |
|---|---|
| Sending Secrets | Box is locked with a public key. Only the private key can unlock it. Ensures confidentiality. |
| Authentication | Box is locked with a private key. Only the public key can unlock it. Ensures the sender’s identity. |

Certificates
| Element | Description |
|---|---|
| Digital Certificate | Digital document containing the public key and information about the owner. |
| Certificate Authority (CA) | Entity that issues and manages digital certificates. |
| Serial Number | Unique identifier for the certificate issued by a CA. Used to validate the certificate and check for revocation. |
| Issuer | The CA that issued the certificate. |
| Validity Dates | The dates between which the certificate is valid. |
| Subject | Identifies the owner of the certificate. |
| Public Key | Used in combination with the matching private key for asymmetric encryption. |
| Key Usage | Specifies whether the certificate is for encryption, authentication, or other purposes. |
| Certificate Attributes | Includes details like Common Name (CN), Organization (O), Locality (L), State (S), and Country (C). |

Asymmetric Encryption Example

Encrypting a Message for Confidentiality

1. Scenario: Alice wants to send a confidential message to Bob.
2. Process:
○ Alice encrypts the message with Bob’s public key.
○ Bob decrypts the message with his private key.

Authenticating a Message

1. Scenario: Alice wants to send a message to Bob with assurance that she sent it.
2. Process:
○ Alice encrypts the message with her private key.
○ Bob decrypts the message with Alice’s public key.

Real-World Application of Asymmetric Encryption

Key Exchange in HTTPS (TLS)

1. Scenario: Establishing a secure connection between a client and a server.
2. Process:
○ The server sends its public key to the client in a digital certificate.
○ The client generates a symmetric key and encrypts it with the server’s public key.
○ The server decrypts the symmetric key with its private key.
○ Both the client and the server now use the symmetric key for secure
communication.

Digital Signatures for Email

1. Scenario: Alice sends an email to Bob and wants to ensure Bob knows it’s from her.
2. Process:
○ Alice’s email application hashes the email content and encrypts the hash with her
private key, creating a digital signature.
○ Alice’s email application attaches the digital signature to the email and sends it to
Bob.
○ Bob’s email application uses Alice’s public key to decrypt the digital signature
and retrieves the hash.
○ Bob’s email application hashes the received email content and compares it with
the decrypted hash. If they match, Bob knows the email is from Alice and hasn’t
been tampered with.

Summary

● Asymmetric Encryption: Uses public and private keys for encryption and decryption.
● Key Exchange: Utilizes asymmetric encryption to share symmetric keys securely.
● Rayburn Box: Metaphor for understanding the usage of public and private keys.

● Digital Certificates: Crucial for sharing public keys and validating identities.
● Real-World Applications: HTTPS (TLS) for secure web communication and digital
signatures for email authentication.

Ephemeral Keys
Concept Description

Ephemeral Key A short-lived key used for a single session and then discarded.

Static Key A semi-permanent key used over a long period, often embedded in
certificates.

Perfect Forward Secrecy A property ensuring that session keys are not reused and that a
compromise of one key does not affect past keys.

Key Comparison: Ephemeral vs Static


Aspect Ephemeral Key Static Key

Lifetime Short, per session Long, until certificate expires

Usage One-time use Reused over the lifetime of the certificate

Validation Not validated by CA Validated by CA

Example Certain versions of Diffie-Hellman Public/private key pairs in digital certificates

Elliptic Curve Cryptography (ECC)


Concept Description

ECC Uses mathematical equations to create smaller keys that provide strong security
with less processing power.

ECDSA A variant of the Digital Signature Algorithm using ECC, providing equivalent
security with smaller keys.

Use Case Often used in low-power devices and wireless devices due to its efficiency.

Example A 256-bit ECC key provides the same security as a 3072-bit RSA key.

Key Length

Concept Description

Key Strength Longer keys provide stronger security.

Example NIST recommends using at least 2048-bit keys for RSA.

Key Sizes RSA supports 1024, 2048, and 4096 bits. Current recommendation is 2048
bits minimum.

Obfuscation Techniques
Technique Description

Steganography Hides data within other data, such as images, audio, or video files.

Tokenization Replaces sensitive data with non-sensitive placeholders or tokens.

Masking Partially or fully conceals sensitive data with characters, symbols, or other
data.

Steganography
Type   Description   Example

Audio Steganography   Embeds data within audio files.   Audio beacons used to track user activity.

Image Steganography   Hides data within image files by manipulating bits or using white space.   Changing the least significant bit of image pixels.

Video Steganography   Embeds data within video files, often modifying the image portion to avoid audio noise.   Modifying bits in video frames.

Tokenization
Concept Description

Definition Replaces sensitive data with non-sensitive tokens, retaining essential information.

Example Replacing credit card numbers with random tokens.

Storage Actual sensitive data stored in a secure token vault.

Masking
Concept Description

Definition Partially or fully conceals sensitive data to prevent unauthorized access.

Example Displaying an account number as 123*****1208.

Usage Commonly used in login screens and password fields.

Remember This!

● Steganography: Hides messages or data within other files.


● Tokenization: Replaces sensitive data with non-sensitive tokens.
● Masking: Partially or fully conceals sensitive data.

Cryptographic Protocols and Usage

Key Uses in Different Contexts

Context Encryption Key Decryption Key

Email Digital Signatures Sender's Private Key Sender's Public Key

Email Encryption Recipient’s Public Key Recipient's Private Key

Website Encryption Website’s Public Key Website’s Private Key

Session Data Encryption Symmetric Key Symmetric Key

Protecting Email

Digital Signatures

● Purpose: To ensure authenticity, non-repudiation, and integrity.


● Process:
1. Sender hashes the email message.
2. Sender encrypts the hash with their private key to create the digital signature.
3. Sender sends both the email and the digital signature to the recipient.
4. Recipient decrypts the digital signature with the sender’s public key to obtain the
hash.

5. Recipient hashes the received message.
6. Recipient compares the decrypted hash with the hash of the received message.

Step   Action   Example Data

1   Sender hashes the message   e0b1531c6bc68c6e8e64e2a6fffb924d

2   Encrypts the hash with private key   87d439d1c7e5e2abde6fe22e5c4f0b0f

3   Sends message and digital signature   Message: "I passed"

4   Decrypts signature with public key   Reveals: e0b1531c6bc68c6e8e64e2a6fffb924d

5   Hashes received message   e0b1531c6bc68c6e8e64e2a6fffb924d

6   Compares hashes   Hashes match, message is authenticated

Email Encryption

● Purpose: To ensure confidentiality.


● Process:
1. Sender retrieves recipient’s public key.
2. Sender encrypts the email with the recipient’s public key.
3. Recipient decrypts the email with their private key.

Step   Action   Example Data

1   Retrieves recipient’s public key   Public Key: abc123...

2   Encrypts the email with public key   Encrypted Message: b94d27b9934d3e08...

3   Decrypts email with private key   Decrypted Message: "Meeting at 3 PM"

Combining Asymmetric and Symmetric Encryption for Emails

● Purpose: To enhance efficiency and security by combining encryption methods.


● Process:
1. Sender generates a symmetric key.
2. Sender encrypts the email with the symmetric key.
3. Sender encrypts the symmetric key with the recipient’s public key.

4. Sender sends both the encrypted email and the encrypted symmetric key to the
recipient.
5. Recipient decrypts the symmetric key with their private key.
6. Recipient decrypts the email with the decrypted symmetric key.

Step   Action   Example Data

1   Generates a symmetric key   Symmetric Key: 53

2   Encrypts email with symmetric key   Encrypted Email: b94d27b9934d3e08...

3   Encrypts symmetric key with public key   Encrypted Symmetric Key: cd5e82e99c27a2a7

4   Sends encrypted email and key

5   Decrypts symmetric key with private key   Symmetric Key: 53

6   Decrypts email with symmetric key   Decrypted Email: "Meeting at 3 PM"
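
The digital signature steps and the combined asymmetric/symmetric steps above, modelled end to end in Python as an added example (not code from the original document). The RSA keys are toy textbook keys built from small Mersenne primes with no padding, and the symmetric cipher is a SHA-256 keystream standing in for AES; both are assumptions chosen so the block runs with the standard library only, and neither is suitable for real mail.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes (toy size, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (E, n), (d, n)              # (public key, private key)


# Constructed keys from small Mersenne primes; real keys are 2048 bits or more.
SENDER_PUB, SENDER_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)


def hash_as_int(message: bytes) -> int:
    """SHA-256 digest truncated to 128 bits so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, sender_private) -> int:
    """Signature steps 1-2: hash the message, transform the hash with the private key."""
    d, n = sender_private
    return pow(hash_as_int(message), d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    """Signature steps 4-6: recover the hash with the public key and compare."""
    e, n = sender_public
    return pow(signature, e, n) == hash_as_int(message)


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 counter keystream.

    The same call encrypts and decrypts, as with any symmetric key.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_email(body: bytes, recipient_public):
    """Combined steps 1-4: fresh symmetric key for the body, public key for the key."""
    e, n = recipient_public
    session_key = secrets.token_bytes(16)
    encrypted_body = symmetric_xor(session_key, body)
    encrypted_key = pow(int.from_bytes(session_key, "big"), e, n)
    return encrypted_body, encrypted_key


def decrypt_email(encrypted_body: bytes, encrypted_key: int, recipient_private) -> bytes:
    """Combined steps 5-6: unwrap the symmetric key, then decrypt the body."""
    d, n = recipient_private
    session_key = pow(encrypted_key, d, n).to_bytes(16, "big")
    return symmetric_xor(session_key, encrypted_body)


if __name__ == "__main__":
    signature = sign(b"I passed", SENDER_PRIV)
    print("signature valid:", verify(b"I passed", signature, SENDER_PUB))
    print("tampered message valid:", verify(b"I failed", signature, SENDER_PUB))

    body, wrapped_key = encrypt_email(b"Meeting at 3 PM", RECIPIENT_PUB)
    print("ciphertext:", body.hex())
    print("decrypted:", decrypt_email(body, wrapped_key, RECIPIENT_PRIV))
```

Only the 16-byte session key passes through the slow asymmetric operation; the message body, whatever its size, is handled by the symmetric cipher.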

S/MIME

● Purpose: To secure email communication using digital signatures and encryption.


● Ports:
○ POP3 over TLS: Port 995
○ SMTP over TLS: Port 587
○ IMAP over TLS: Port 993
● Usage: Encrypts email both at rest and in transit using a combination of asymmetric and
symmetric encryption.

Function Description

Digital Signatures Uses asymmetric encryption to provide authentication, non-repudiation, and integrity.

Email Encryption Uses a combination of asymmetric and symmetric encryption to ensure confidentiality.

Summary Table
Protocol   Symmetric Key Usage   Asymmetric Key Usage   Examples/Ports

Digital Signatures   Not used   Sender's private key encrypts, public key decrypts   Email signing

Email Encryption   Encrypts email contents   Recipient's public key encrypts, private key decrypts   Encrypted communication

S/MIME   Encrypts data at rest and in transit   Uses certificates and PKI for key management   POP3-TLS: 995, SMTP-TLS: 587, IMAP-TLS: 993

Remember This!

● Digital Signature: Sender’s private key encrypts the hash; the recipient’s public key
decrypts it.
● Email Encryption: Recipient’s public key encrypts the message; the recipient’s private
key decrypts it.
● Combination of Encryption: Asymmetric encryption is used for key exchange,
symmetric encryption is used for data.

Encrypting Email

Encrypting Email with Only Asymmetric Encryption

Steps to Encrypt Email with Asymmetric Encryption:

1. Lisa retrieves a copy of Bart’s certificate that contains his public key.
2. Lisa encrypts the email with Bart’s public key.
3. Lisa sends the encrypted email to Bart.
4. Bart decrypts the email with his private key.

Process Explanation:

● Lisa's Action: Lisa encrypts the email using Bart's public key.
● Bart's Action: Bart decrypts the email using his private key.

Key Points:

● The recipient’s public key encrypts the email.


● The recipient’s private key decrypts the email.
● The sender’s keys are not involved in this process.

Step   Action   Key Used   Outcome

1   Lisa retrieves Bart’s public key   Bart’s public key   Lisa has Bart’s public key

2   Lisa encrypts the email   Bart’s public key   Email is encrypted

3   Lisa sends the encrypted email   -   Encrypted email is sent to Bart

4   Bart decrypts the email   Bart’s private key   Email is decrypted by Bart

Remember This!

● The recipient’s public key encrypts the email message.


● The recipient uses their private key to decrypt the email message.

Encrypting Email with Asymmetric and Symmetric Encryption

Steps to Encrypt Email with Combined Encryption:

1. Lisa’s system generates a symmetric key (e.g., 53).


2. Lisa encrypts the email contents with the symmetric key.
3. Lisa retrieves Bart’s public key from his digital certificate.
4. Lisa encrypts the symmetric key with Bart’s public key.
5. Lisa sends the encrypted email and the encrypted symmetric key to Bart.
6. Bart decrypts the symmetric key with his private key.
7. Bart decrypts the email with the decrypted symmetric key.

Process Explanation:

● Lisa's Action: Lisa uses a symmetric key to encrypt the email and then uses Bart’s
public key to encrypt the symmetric key.
● Bart's Action: Bart first decrypts the symmetric key with his private key, then uses the
decrypted symmetric key to decrypt the email.

Key Points:

● Asymmetric encryption is used to securely share the symmetric key.


● Symmetric encryption is used to encrypt the email contents for efficiency.

Step   Action   Key Used   Outcome

1   Lisa generates a symmetric key   Symmetric key (e.g., 53)   Symmetric key is generated

2   Lisa encrypts the email with symmetric key   Symmetric key (53)   Email is encrypted with symmetric key

3   Lisa retrieves Bart’s public key   Bart’s public key   Lisa has Bart’s public key

4   Lisa encrypts the symmetric key   Bart’s public key   Symmetric key is encrypted

5   Lisa sends encrypted email and key to Bart   -   Encrypted email and key are sent to Bart

6   Bart decrypts the symmetric key   Bart’s private key   Symmetric key is decrypted by Bart

7   Bart decrypts the email with symmetric key   Symmetric key (53)   Email is decrypted by Bart

Remember This!

● Asymmetric Encryption: Used for encrypting the symmetric key.


● Symmetric Encryption: Used for encrypting the email contents for efficiency.

Figures for Email Encryption

Figure: Encrypting Email

1. Lisa’s system generates a symmetric key (e.g., 53).


2. Lisa encrypts the email contents with the symmetric key (53).
3. Lisa retrieves Bart’s public key.

4. Lisa encrypts the symmetric key (53) with Bart’s public key.
5. Lisa sends the encrypted email and the encrypted symmetric key to Bart.

Figure: Decrypting Email

1. Bart decrypts the symmetric key with his private key.


2. Bart decrypts the email with the decrypted symmetric key (53).

Summary Table for Email Encryption


Encryption Type   Key for Encryption   Key for Decryption   Efficiency & Usage

Only Asymmetric Encryption   Recipient’s public key   Recipient’s private key   Simple but slow, used for smaller data

Combined Asymmetric and Symmetric Encryption   Symmetric key for email, recipient’s public key for symmetric key   Symmetric key for email, recipient’s private key for symmetric key   Efficient for larger data, uses both encryption methods

S/MIME (Secure/Multipurpose Internet Mail Extensions)

Overview: S/MIME is a widely used standard for securing email communications through
encryption and digital signatures. It supports both asymmetric and symmetric encryption to
provide robust security for email messages.

Key Features:

● Digital Signatures: Provides authentication, non-repudiation, and integrity.


● Encryption: Ensures confidentiality of email messages both at rest and in transit.

Encryption Methods:

● Asymmetric Encryption: Used for key exchange.


● Symmetric Encryption: Used for encrypting the actual email content for efficiency.

Encryption Scenarios:

1. Email at Rest: Encrypts stored email messages.


2. Email in Transit: Encrypts email messages being sent over the network.

Cryptographic Message Syntax (CMS):

● Allows the use of various hashing and encryption algorithms.


● Requires Public Key Infrastructure (PKI) to manage certificates.

Common Ports Used in S/MIME:

● Port 995: Used for Post Office Protocol 3 (POP3) over Transport Layer Security (TLS) -
POP3-over-TLS.

● Port 587: Used for Simple Mail Transfer Protocol (SMTP) over Transport Layer Security
(TLS) - SMTP-over-TLS.
● Port 993: Used for Internet Message Access Protocol (IMAP) over Transport Layer
Security (TLS) - IMAP-over-TLS.

S/MIME Encryption Process

Digital Signatures

● Step 1: The sender’s email application hashes the message.


● Step 2: The sender’s private key encrypts the hash, creating a digital signature.
● Step 3: The email application sends the email along with the digital signature.
● Step 4: The recipient’s email application uses the sender’s public key to decrypt the
hash.
● Step 5: The recipient’s email application calculates the hash of the received message
and compares it with the decrypted hash.

Email Encryption (Using Asymmetric and Symmetric Encryption)

● Step 1: The sender’s email application generates a symmetric key.


● Step 2: The symmetric key encrypts the email content.
● Step 3: The sender’s email application encrypts the symmetric key with the recipient’s
public key.
● Step 4: The sender’s email application sends the encrypted email and the encrypted
symmetric key to the recipient.
● Step 5: The recipient’s email application decrypts the symmetric key with the recipient’s
private key.
● Step 6: The recipient’s email application decrypts the email content with the decrypted
symmetric key.

S/MIME Ports and Usage Table


Port Protocol Description

995 POP3-over-TLS Secure retrieval of email from the server

587 SMTP-over-TLS Secure sending of email to the server

993 IMAP-over-TLS Secure retrieval and management of email on the server

Summary of S/MIME
Feature Description

Digital Signatures Uses the sender’s private key to encrypt the hash of the message for authentication, integrity, and non-repudiation.

Email Encryption Uses the recipient’s public key to encrypt the symmetric key and the symmetric key to encrypt the email content for confidentiality.

Encryption Types Combines asymmetric encryption for key exchange and symmetric encryption for message content.

Ports POP3-over-TLS (Port 995), SMTP-over-TLS (Port 587), IMAP-over-TLS (Port 993) for secure email transmission and retrieval.

Standards Uses CMS, supports various hashing and encryption algorithms, and requires PKI for certificate management.

Remember This!

● S/MIME is essential for securing email communications through encryption and digital
signatures.
● Digital Signatures provide authentication, integrity, and non-repudiation using the
sender’s private key.
● Encryption ensures the confidentiality of emails, using the recipient’s public key to
encrypt the symmetric key, which then encrypts the email content.
● Ports: Ensure secure email transmission using POP3-over-TLS (Port 995),
SMTP-over-TLS (Port 587), and IMAP-over-TLS (Port 993).

HTTPS Transport Encryption

Transport encryption methods encrypt data in transit to ensure transmitted data remains
confidential. This includes data transmitted over the Internet and on internal networks. HTTPS
commonly uses TLS to encrypt the traffic, ensuring confidentiality of data transmitted over the
Internet.

TLS Versus SSL

● Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are encryption
protocols used to encrypt data sent over the Internet.
● SSL has significant vulnerabilities and should not be used anymore.
● Many people refer to TLS as SSL/TLS.
● TLS provides certificate-based authentication and uses both symmetric and asymmetric
encryption during a session.
● TLS requires certificates issued by Certificate Authorities (CAs), which can be internal or
external third-party CAs.

Remember This: TLS is the replacement for SSL. TLS encrypts HTTPS traffic and can also
encrypt other types of traffic. It requires certificates issued by CAs.

Encrypting HTTPS Traffic with TLS

HTTPS uses TLS to encrypt web traffic, combining both asymmetric and symmetric encryption.

1. Asymmetric Encryption: Used to securely share the symmetric key.


2. Symmetric Encryption: Used to encrypt the session data.

Simplified TLS Handshake Process

1. Client Request: The client requests an HTTPS session by entering an HTTPS URL or
clicking on an HTTPS link.
2. Server Certificate: The server sends its certificate, which includes the server’s public
key.
3. Client Creates Symmetric Key: The client creates a symmetric key and encrypts it with
the server’s public key.
4. Client Sends Encrypted Symmetric Key: The client sends the encrypted symmetric
key to the server.
5. Server Decrypts Symmetric Key: The server decrypts the symmetric key with its
private key.
6. Session Data Encryption: All session data is encrypted with the symmetric session key.

Remember This:

● TLS uses asymmetric encryption to securely share the symmetric key.


● TLS uses symmetric encryption to encrypt the session data.

TLS Handshake Process Table


Step Description

1 Client requests an HTTPS session by entering an HTTPS URL or clicking an HTTPS link.

2 Server responds by sending its certificate, which includes the server’s public key.

3 Client creates a symmetric key and encrypts it with the server’s public key.

4 Client sends the encrypted symmetric key to the server.

5 Server decrypts the symmetric key with its private key.

6 All session data is encrypted with the symmetric session key using symmetric encryption.

Ports Commonly Used with HTTPS and S/MIME


Port Protocol Description

995 POP3-over-TLS Secure retrieval of email from the server

587 SMTP-over-TLS Secure sending of email to the server

993 IMAP-over-TLS Secure retrieval and management of email on the server

Protecting Email

Cryptography provides two primary security methods for email: digital signatures and
encryption.

Signing Email with Digital Signatures

Digital signatures use an encrypted hash of a message, providing:

● Authentication: Identifies the sender of the email.


● Non-repudiation: Prevents the sender from denying sending the message.
● Integrity: Assures that the message has not been modified.

Process of Signing Email:

1. Hashing the Message: The application hashes the message.


2. Encrypting the Hash: The sender’s private key encrypts the hash, creating the digital
signature.
3. Sending the Email: The application sends the encrypted hash and the unencrypted
message.
4. Verifying the Signature: The recipient’s system decrypts the digital signature with the
sender’s public key and verifies the hash.

Remember This: A digital signature is an encrypted hash of a message. The sender’s private
key encrypts the hash to create the digital signature. The recipient decrypts the digital signature
with the sender’s public key.

Encrypting Email

1. With Only Asymmetric Encryption:

○ Recipient’s Public Key Encrypts: The sender encrypts the email with the
recipient’s public key.
○ Recipient’s Private Key Decrypts: The recipient decrypts the email with their
private key.

Remember This: The recipient’s public key encrypts the email, and the recipient’s private key
decrypts it.

2. With Asymmetric and Symmetric Encryption:


○ Creating a Symmetric Key: The sender’s system generates a symmetric key.
○ Encrypting the Email: The sender encrypts the email with the symmetric key.
○ Encrypting the Symmetric Key: The sender encrypts the symmetric key with
the recipient’s public key.
○ Sending the Encrypted Email and Key: The sender sends the encrypted email
and the encrypted symmetric key.
○ Decrypting the Symmetric Key: The recipient decrypts the symmetric key with
their private key.
○ Decrypting the Email: The recipient decrypts the email with the symmetric key.

Summary of Cryptographic Protocols


Key Concept Description

TLS Replaces SSL, requires certificates, encrypts HTTPS and other traffic.

Digital Signatures Provide authentication, integrity, and non-repudiation using the sender’s private key and public key.

Email Encryption Ensures confidentiality; recipient’s public key encrypts, recipient’s private key decrypts.

Symmetric Encryption Fast, used for encrypting session data after key exchange via asymmetric encryption.

Asymmetric Encryption Secure key exchange; inefficient for large data, used for encrypting symmetric keys.

S/MIME Standard for secure email; uses both asymmetric and symmetric encryption, requires PKI.

Downgrade Attacks on Weak Implementations

A downgrade attack is a type of attack that forces a system to downgrade its security to a less
secure state. The attacker then exploits the lesser security control. This is particularly relevant in
the context of cryptographic protocols due to weak implementations of cipher suites.

Example: TLS and SSL

● Scenario: A server supports both TLS (a secure protocol) and SSL (an outdated and
insecure protocol).
● Downgrade: If a client cannot use TLS, the server downgrades to SSL to accommodate
the client.
● Exploitation: Attackers configure their systems to be incapable of using TLS, forcing the
server to use SSL.
● Attack: Once downgraded to SSL, attackers can exploit vulnerabilities such as the
Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.

Preventing Downgrade Attacks

1. Disable SSL: Ensure that SSL is disabled on the server to prevent it from downgrading
to SSL.
2. Disable Weak Cipher Suites: Disable any cipher suites with known vulnerabilities to
reduce the risk of exploitation.
3. Regular Updates: Keep systems and protocols updated to avoid vulnerabilities
associated with outdated protocols and cipher suites.

Remember This!

Administrators should disable weak cipher suites and weak protocols on servers. When a server
supports both strong and weak cipher suites, attackers can bypass the strong cipher suites by
forcing a downgrade and exploiting the weak ones.

Downgrade Attack Example Table


Step Description

Scenario Server supports both TLS and SSL.

Downgrade Client cannot use TLS, server downgrades to SSL.

Exploitation Attackers configure their systems to force the server to use SSL.

Attack Attackers exploit vulnerabilities in SSL, such as POODLE, often via on-path
attacks.

Prevention Disable SSL and weak cipher suites; keep systems and protocols updated.

Cipher Suite Vulnerabilities

● SSL: Outdated and insecure; susceptible to various attacks, including POODLE.


● Weak Cipher Suites: Vulnerable to cryptographic attacks; should be disabled to
enhance security.

Steps to Mitigate Downgrade Attacks

1. Identify and Disable Weak Protocols: Regularly audit and disable SSL and other
deprecated protocols.
2. Update Server Configurations: Ensure the server is configured to use only strong,
secure cipher suites.
3. Monitor and Maintain: Continuously monitor and maintain the security configurations of
the server to respond to new vulnerabilities.
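
One way to apply the prevention and mitigation steps above to a Python TLS server, shown as an added example rather than configuration from the original document. The cipher string, the list of weak-cipher name markers, and the helper names `hardened_server_context`, `audit_settings` and `audit_context` are assumptions of this example.

```python
import ssl

# Substrings of OpenSSL cipher names treated as weak here (an assumption of this
# example, not an exhaustive list): RC4, DES/3DES, NULL, export-grade, MD5,
# and anonymous (unauthenticated) Diffie-Hellman.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Lowest protocol version the server will negotiate. Anything older
# (SSL 3.0, TLS 1.0, TLS 1.1) is refused instead of downgraded to.
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context with a protocol floor and strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_PROTOCOL
    # Forward-secret key exchange with AEAD ciphers for TLS 1.2;
    # TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # Before serving, the CA-issued certificate still has to be loaded
    # with ctx.load_cert_chain(certfile, keyfile).
    return ctx


def audit_settings(min_version: ssl.TLSVersion, cipher_names) -> list:
    """Return findings for a protocol floor and a list of enabled cipher names."""
    findings = []
    if min_version < MIN_PROTOCOL:
        findings.append(
            f"protocol floor {min_version.name} allows a downgrade below TLS 1.2"
        )
    for name in cipher_names:
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit a live context: the recurring check from the 'Monitor and Maintain' step."""
    names = [cipher["name"] for cipher in ctx.get_ciphers()]
    return audit_settings(ctx.minimum_version, names)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    # Constructed legacy configuration for comparison.
    legacy = audit_settings(
        ssl.TLSVersion.SSLv3,
        ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"],
    )
    for finding in legacy:
        print("legacy:", finding)
```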

Summary Table for Mitigating Downgrade Attacks

Action Description

Disable SSL Prevents downgrading to an insecure protocol.

Disable Weak Cipher Suites Reduces the risk of exploitation by eliminating weak encryption.

Regular Updates Ensures the system uses the latest, most secure protocols.

Continuous Monitoring Helps identify and mitigate new vulnerabilities promptly.

Blockchain

Blockchain is commonly defined as a distributed, decentralized, public ledger. It serves as a
public record-keeping technology, akin to how banks use ledgers to record transactions such as
deposits and withdrawals. Here’s a detailed breakdown of blockchain technology:

Components of a Block

1. Transaction Information:
○ Includes details such as the date, time, and amount of transactions.
2. Parties Involved:
○ Uses digital signatures instead of actual names to record the parties involved in
the transaction.
3. Unique Hash:
○ Each block has a unique identifier called a hash, which distinguishes it from other
blocks.

Process of Adding a Block to the Blockchain

1. Transaction Occurrence:
○ A transaction happens.
2. Verification:
○ The transaction is verified by a network of computers.
3. Recording:
○ The transaction is accurately recorded in a block.
4. Hash Assignment:
○ The block is assigned a unique hash and includes the hash of the previous block,
creating a chain.

Structure of Blockchain

● Chain Formation:
○ Every block contains a unique hash and the hash of the preceding block, linking
them together and forming a chain.
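
The hash linking described above, as an added Python example (not from the original document). It models only the chain structure: the field names, the all-zero previous hash for the first block, and the `sig:` strings standing in for the parties' digital signatures are constructed for illustration, and network verification and mining are left out.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def compute_hash(block: dict) -> str:
    """SHA-256 over every field of the block except the stored hash itself."""
    body = {key: value for key, value in block.items() if key != "hash"}
    encoded = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()


def add_block(chain: list, transactions: list, timestamp: str) -> dict:
    """Record transactions in a new block that carries the previous block's hash."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "transactions": transactions,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
    }
    block["hash"] = compute_hash(block)
    chain.append(block)
    return block


def first_broken_block(chain: list):
    """Return the index of the first block that fails validation, or None."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != expected_prev:
            return block["index"]  # link to the preceding block is broken
        if block["hash"] != compute_hash(block):
            return block["index"]  # contents changed after hashing
        expected_prev = block["hash"]
    return None


def sample_chain() -> list:
    """Three constructed blocks with made-up transactions."""
    chain = []
    add_block(chain, [{"from": "sig:a1", "to": "sig:b2", "amount": 5}],
              "2024-01-01T10:00:00Z")
    add_block(chain, [{"from": "sig:b2", "to": "sig:c3", "amount": 2}],
              "2024-01-01T10:10:00Z")
    add_block(chain, [{"from": "sig:c3", "to": "sig:a1", "amount": 1}],
              "2024-01-01T10:20:00Z")
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact chain:", first_broken_block(chain))

    # Altering a recorded amount invalidates that block's hash.
    chain[1]["transactions"][0]["amount"] = 500
    print("after edit:", first_broken_block(chain))

    # Recomputing the edited block's hash only moves the break to the next block,
    # because block 2 still stores the old hash of block 1.
    chain[1]["hash"] = compute_hash(chain[1])
    print("after rehash:", first_broken_block(chain))
```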

Example: Bitcoin

Bitcoin is a cryptocurrency that utilizes blockchain technology. The verification and recording of
transactions are conducted by a network of computers known as miners. Here’s a detailed look
at the mining process:

Mining and Rewards

1. Miners:
○ Network of computers that verify and record transactions.
2. Rewards:
○ Miners earn money (bitcoins) through transaction fees and rewards for adding
blocks.
○ The initial block reward was 50 bitcoins per block.
○ This reward halves approximately every four years after 210,000 blocks are
mined.
○ In May 2020, the reward dropped to 6.25 bitcoins per block.
○ Eventually, block rewards will cease, and miners will earn solely through
transaction fees.

Summary Table
Component Description

Blockchain Distributed, decentralized, public ledger for recording transactions.

Transaction Info Date, time, and amount of transactions.

Parties Involved Uses digital signatures to record parties involved.

Unique Hash Each block has a unique identifier.

Block Addition Transaction occurrence, verification, accurate recording, hash assignment.

Chain Formation Each block includes the hash of the previous block, forming a chain.

Miners Network of computers that verify and record transactions.

Mining Rewards Initial 50 bitcoins per block, halving every 210,000 blocks; currently 6.25 bitcoins per block.

Process Table for Adding a Block

Step Description

Transaction Occurs A transaction takes place.

Verification Network of computers verifies the transaction.

Recording Transaction is recorded in a block.

Hash Assignment Block is assigned a unique hash and includes the previous block's
hash.

Bitcoin Mining and Rewards


Component Description

Miners Computers that verify and record transactions on the blockchain.

Rewards Bitcoins earned by miners; started at 50 bitcoins per block, halving every
210,000 blocks, currently 6.25 bitcoins per block.

Transaction Fees Ongoing earnings for miners once block rewards cease.

Identifying Limitations in Cryptographic Algorithms

When evaluating different cryptographic algorithms, it's crucial to understand their possible
limitations to choose the best algorithm for specific requirements. Here are some common
limitations to consider:

Resource Versus Security Constraints

Organizations often need to balance resource availability with security constraints. Encryption,
for example, consumes additional resources. Encrypting all data increases storage
requirements and processing power for encrypting and decrypting data. Executives must
balance the costs and benefits to find an optimal solution.

Constraint Description

Resource Cost Encryption increases storage and processing power requirements.

Security Needs Higher security typically requires more resources.

Speed and Time

The speed of an algorithm is important in determining how quickly it can encrypt and decrypt
data. While fast algorithms are desirable for data encryption, slower algorithms can be beneficial
for operations like hashing passwords to deter brute force attacks.

Aspect Description

Encryption Speed Fast algorithms are preferable for encrypting and decrypting large amounts of data.

Hashing Speed Slower algorithms are desirable for hashing passwords to increase
resistance to brute force attacks.
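
A deliberately slow password hash, as an added Python example that is not part of the original document. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the helper names are assumptions of this example, and the right work factor depends on the hardware it runs on.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000  # work factor chosen for this example; tune per deployment


def hash_password(password: str, iterations: int = ITERATIONS):
    """Return (salt, iterations, digest) for storage; the salt is random per password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Average cost of testing one candidate password at a given work factor."""
    salt = b"\x00" * 16  # fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    salt, iterations, digest = hash_password("correct horse battery staple")
    print("correct password:", verify_password("correct horse battery staple",
                                               salt, iterations, digest))
    print("wrong password:", verify_password("password123", salt, iterations, digest))

    fast = seconds_per_guess(1)          # roughly one plain hash per guess
    slow = seconds_per_guess(ITERATIONS)
    print(f"one iteration: {fast:.6f} s per guess")
    print(f"{ITERATIONS} iterations: {slow:.6f} s per guess")
    print(f"each brute force guess costs about {slow / fast:.0f}x more")
```

A legitimate login pays the delay once, while a brute force attempt pays it for every candidate password.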

Size and Computational Overhead

Size relates to the memory space needed to execute an algorithm and the size of the encrypted
output compared to the input. Lightweight cryptographic methods are essential for devices with
limited resources.

Aspect Description

Memory Size Smaller devices require lightweight cryptographic methods.

Output Size Encrypted data is typically larger than unencrypted data, requiring more
storage space.

Entropy

Entropy refers to the randomness in cryptographic algorithms. Higher entropy leads to stronger
security. Lack of entropy can make algorithms more vulnerable to attacks.

Aspect Description

High Entropy Results in stronger security due to increased randomness.

Low Entropy Makes algorithms more susceptible to attacks.

Predictability

Predictability concerns the ability to foresee outcomes based on repeated events, particularly
with random number generators. True random number generators offer better security
compared to pseudo-random number generators.

Aspect Description

Pseudo-random Uses deterministic algorithms, which can be predictable if the input is known.

True Random Uses environmental factors to ensure high entropy and unpredictability.

Weak Keys

Weak keys are short or small keys that make it easier for attackers to decrypt data. Stronger,
longer keys provide better security.

Aspect Description

Strong Keys Larger keys provide better security and resistance to attacks.

Weak Keys Short keys are more susceptible to attacks and should be
avoided.

Longevity

Longevity refers to the expected duration of an algorithm’s effectiveness, often influenced by
advances in processing power.

Aspect Description

Long-lasting Algorithms that support larger keys can remain secure for longer periods.

Short-lasting Algorithms with fixed small key sizes (like DES) have a shorter lifespan due to evolving threats.

Reuse

Reusing symmetric keys, especially with stream ciphers, can lead to vulnerabilities. Keys should
not be reused to maintain security.

Aspect Description

Non-reuse Ensures each session or data stream uses a unique key, enhancing security.

Reuse Increases vulnerability to attacks, especially with stream ciphers.

Plaintext Attack

Plaintext attacks occur when attackers have access to some plaintext and its corresponding
ciphertext, allowing them to discover the encryption method. Known plaintext and chosen
plaintext attacks are particularly effective against weak encryption algorithms.

Aspect Description

Known Plaintext Attacker uses known plaintext and ciphertext to discover encryption methods.

Chosen Plaintext Attacker selects specific plaintext to discover the encryption method used.

Ciphertext-only Attacker tries to deduce plaintext from ciphertext alone, generally only successful on weak algorithms.

Summary Tables

Resource Constraints

Constraint Impact

Encryption Overhead Increased storage and processing requirements.

Security Needs Higher security increases resource consumption.

Speed and Time

Speed Use Case

Fast Encryption Suitable for large data encryption and decryption tasks.

Slow Hashing Useful for deterring password brute force attacks.

Size and Overhead

| Size Aspect | Impact |
|---|---|
| Memory Requirement | Lightweight cryptography for small devices. |
| Encrypted Data Size | Increased storage needs. |

Entropy and Predictability

| Factor | Security Implication |
|---|---|
| High Entropy | Stronger security due to randomness. |
| Predictability | Reduced security if random number generators are predictable. |

Key Management

| Key Strength | Recommendation |
|---|---|
| Strong Keys | Use large keys (e.g., 2048-bit RSA) for security. |
| Weak Keys | Avoid using small keys (e.g., 1024-bit RSA). |

Algorithm Longevity

| Algorithm | Key Size | Lifespan |
|---|---|---|
| RSA | 2048 bits or more | Longer lifespan due to larger key sizes. |
| DES | 56 bits | Deprecated due to insufficient security. |

Key Reuse

| Practice | Security Impact |
|---|---|
| Unique Keys per Use | Enhances security, avoids vulnerabilities from reuse. |
| Key Reuse | Increases risk of attacks, especially with stream ciphers. |

Plaintext Attacks

| Attack Type | Description |
|---|---|
| Known Plaintext | Attacker has plaintext and ciphertext, can discover methods. |
| Chosen Plaintext | Attacker chooses plaintext to identify encryption methods. |
| Ciphertext-only | Attacker only has ciphertext, less effective on strong algorithms. |

Summary of PKI Components

| Component | Description | Example |
|---|---|---|
| PKI | Group of technologies for managing digital certificates used in asymmetric encryption. | Ensures secure email communication and protects Internet transactions via HTTPS. |
| Digital Certificates | Used to verify identities and secure communications over the Internet. | HTTPS sessions protect credit card transactions on websites like Amazon.com using certificates issued by trusted CAs. |
| Asymmetric Encryption | Depends on digital certificates for secure communications and transactions. | TLS encrypts data transmitted over the Internet, such as secure browsing on e-commerce sites. |
| Certificate Authority (CA) | Issues, manages, validates, and revokes digital certificates. | Amazon.com uses certificates from a trusted CA to establish secure sessions with users. |
| Secure Session | Established using certificates issued by a trusted CA. | A user can securely connect to Amazon.com without prior interaction, relying on the CA's certificate for verification. |

Certificate Authority Summary


| Concept | Details | Examples |
|---|---|---|
| Certificate Authority (CA) | Issues, manages, validates, and revokes certificates. | Comodo, DigiCert (Public CAs); a server within a private network (Private CA). |
| Trust in Public CAs | Public CAs must be trusted for their certificates to be trusted. Trust is based on a root of trust. | Comodo and DigiCert are trusted entities, similar to how businesses trust a DMV-issued driver's license. |
| Root of Trust | The CA is a trusted entity that provides a solid foundation for secure systems and processes. | Department of Motor Vehicles (DMV) for driver's licenses. |
| Certificate Trust Path | Computers trust CAs based on the certificate trust path, similar to how businesses trust DMV-issued IDs. | A computer trusts a CA's root certificate placed in its trusted root certificate store. |

Remember This!

● Certificate Authorities (CAs) are essential for issuing, managing, validating, and
revoking digital certificates.
● Public CAs like Comodo and DigiCert are trusted entities that sell certificates. Trust in
these CAs is based on a root of trust.
● Root of Trust: Similar to how a DMV-issued driver's license is trusted, a CA's root
certificate must be trusted for the certificates it issues to be trusted.
● Certificate Trust Path: Computers trust certificates based on the CA's root certificate
stored in the operating system's trusted root certificate store.
● Hierarchical Trust Model: Common trust model where a root CA issues certificates to
intermediate CAs, which then issue certificates to end-entities.

This is similar to how a driver’s license is trusted. The Department of Motor Vehicles
(DMV) issues driver’s licenses after validating a person’s identity. If you want to cash a
check, you might present your driver’s license to prove your identity. Businesses trust
the DMV, so they trust the driver’s license. On the other hand, if you purchased an ID
from Gibson’s Instant IDs, businesses might not trust it. Although we might trust the
DMV, why would a computer trust a CA? The answer is based on the certificate trust
path.


Certificate Trust Models Summary


| Trust Model | Details | Examples |
|---|---|---|
| Root Certificate | The first certificate created by the CA that identifies it. Stored in the trusted root certificate store. | COMODO RSA Certification Authority certificate in Windows Trusted Root Certification Authorities store. |
| Trusted Root Store | A collection of root certificates in operating systems and browsers that establish trust for issued certificates. | Windows OS Trusted Root Certification Authorities store, mainstream web browsers' trusted stores. |
| Hierarchical Trust Model | The most common trust model. The root CA issues certificates to intermediate CAs, which issue leaf certificates to end-entities. | A root CA issues certificates to intermediate CAs; intermediate CAs issue certificates for code signing, digital signatures, HTTPS, S/MIME. |
| Self-Signed Root CA | A root CA that signs its own certificate. | Public CA, private CA, or government agency root CA. |
| Intermediate CAs | CAs that receive certificates from the root CA and issue certificates to end-entities. | Intermediate CA certificates stored in the Intermediate Certification Authorities store in Windows. |

Remember This!

● Certificate Authorities (CAs): Essential for issuing, managing, validating, and revoking
digital certificates.
● Public CAs: Examples include Comodo and DigiCert. Trust in these CAs is based on a
root of trust.
● Root of Trust: The foundation for trusted certificates, similar to a DMV-issued driver's
license.
● Certificate Trust Path: Computers trust certificates based on the CA's root certificate
stored in the operating system's trusted root certificate store.
● Hierarchical Trust Model: The most common model, where a root CA issues
certificates to intermediate CAs, which then issue certificates to end-entities for various
purposes, such as code signing, digital signatures, HTTPS, and S/MIME.

Certificate Chaining Summary

| Concept | Details | Examples |
|---|---|---|
| Certificate Chaining | Combines all certificates from the root CA down to the certificate issued to end-entities. | Wildcard certificate issued to google.com, includes root, intermediate, and leaf certificates. |
| Root CA | Issues certificates to intermediate CAs. | Root CA certificate. |
| Intermediate CAs | Receive certificates from the root CA and issue certificates to end-entities. | Intermediate CA certificate. |
| Leaf Certificates | Issued to end-entities such as organizations, governments, or end-users. | Leaf certificate for google.com. |
| Security Considerations | Keeping the root certificate online poses cybersecurity risks; it’s better to issue certificates through intermediate CAs. | In a small organization, the root CA might issue certificates directly to devices and end users. |

Example of Certificate Chain

● Root CA Certificate: Trusted root certificate installed on systems.

● Intermediate CA Certificate: Issued by the root CA, trusted because it’s linked to the
root.
● Leaf Certificate: Issued by an intermediate CA, used by end-entities like websites.

Important Points for Exam

1. Certificate Chaining: Ensures a trusted path from the root CA to the end-entity
certificate.
2. Root CA: The top-level CA that issues certificates to intermediate CAs.
3. Intermediate CAs: Link between the root CA and leaf certificates, enhancing security by
distributing trust.
4. Leaf Certificates: The final certificates used by end-entities, verified through the chain
to the root CA.
5. Security: Keeping the root CA offline reduces the risk of cybersecurity attacks; use
intermediate CAs for issuing certificates.

Summary of Registration Authority and Certificate Signing Requests (CSRs)

| Concept | Details | Example |
|---|---|---|
| Registration Authority (RA) | Assists the CA by collecting digital certificate registration information; does not issue certificates. | Large organizations use RAs to manage the registration process. |
| Certificate Signing Request (CSR) | A request sent to a CA to issue a digital certificate. It includes the public key and other identifying information. | Generating a CSR for GetCertifiedGetAhead.com to secure HTTPS sessions. |
| Public-Key Cryptography Standards (PKCS) #10 | Specification format for CSRs. | Most CAs require CSRs to be formatted using PKCS #10. |
| Public and Private Key Pair | Generated using tools like OpenSSL; the private key remains with the requester and the public key is included in the CSR. | Using OpenSSL to create key pairs for a digital certificate request. |
| Certificate Validation | The CA validates the identity of the requester and creates a digital certificate with the public key. | CA may use credit card verification or extensive checking to validate the requester’s identity. |

Process for Requesting a Digital Certificate

1. Generate Key Pair:
○ Use a tool like OpenSSL to create a public and private key pair.
○ Example: openssl genpkey -algorithm RSA -out private_key.pem and
openssl rsa -pubout -in private_key.pem -out public_key.pem.
2. Create CSR:
○ Generate a CSR including the public key and necessary information.
○ Example: openssl req -new -key private_key.pem -out csr.pem.
3. Submit CSR to CA:
○ Send the CSR to the CA, formatted using PKCS #10.
○ Example: Submit CSR for GetCertifiedGetAhead.com to Comodo or DigiCert.
4. CA Validation:
○ The CA validates the identity of the requester.
○ Example: CA uses credit card information to verify the requester.
5. Receive Digital Certificate:
○ The CA issues a digital certificate embedding the public key.
○ Example: Digital certificate for GetCertifiedGetAhead.com received from the CA.
6. Register Certificate:
○ Register the digital certificate with the website and the private key.
○ Example: Configure the server to use the digital certificate for HTTPS sessions.

Important Points for Exam

1. Role of RA: Assists in the registration process but does not issue certificates.
2. CSR: Used to request digital certificates; includes the public key but not the private key.
3. Public and Private Key Pair: Generated by the requester; private key is never sent to
the CA.
4. PKCS #10: Standard format for CSRs.
5. Certificate Validation: Performed by the CA; involves verifying the requester’s identity.

Summary of Online Versus Offline Certificate Authorities (CAs)


| Concept | Details | Example |
|---|---|---|
| Online CA | Accessible over a network; allows automated CSR submission. | Submitting a CSR to an online CA like DigiCert through an automated web interface. |
| Offline CA | Not accessible over a network; CSRs must be submitted manually. | Submitting a CSR to an offline root CA using physical media or a secure manual process. |
| Root CA | Typically kept offline to reduce risk of compromise; issues certificates to intermediate CAs. | A large organization keeps its root CA offline to protect its integrity and issues certificates to intermediates. |
| Intermediate CA | Online and accessible; issues certificates to end-entities; can be replaced if compromised. | An intermediate CA issues certificates for HTTPS, S/MIME, or VPNs, and can be replaced if it is compromised. |

Important Points for Exam

1. Online CA: Accessible over the network; supports automated CSR submission.
○ Example: Using an online CA to quickly process and issue digital certificates
through an automated system.
2. Offline CA: Kept offline for security; requires manual CSR submission.

○ Example: A root CA in a large organization is kept offline to protect against cyber
attacks and only accepts CSRs manually.
3. Root CA: The top-level CA, usually kept offline; issues certificates to intermediate CAs
to mitigate risks.
○ Example: The root CA of a corporate PKI infrastructure is kept offline, and its
compromise affects the entire certification path.
4. Intermediate CA: Online and issues certificates to end-entities; can be replaced if
compromised to maintain security.
○ Example: Intermediate CAs manage day-to-day certificate issuance for web
servers, email encryption, etc., and are replaced if compromised.

Key Differences and Examples


| Feature | Online CA | Offline CA |
|---|---|---|
| Accessibility | Network accessible | Not network accessible |
| CSR Submission | Automated process | Manual process |
| Usage | Intermediate CAs for day-to-day certificate issuance | Root CAs for high security and reduced risk |
| Compromise Impact | Replaceable; only intermediate CA affected | Compromise affects entire certification path |

Summary of Updating and Revoking Certificates


| Concept | Details | Example |
|---|---|---|
| Updating Certificates | Certificates expire and need to be updated with newer ones before expiration. | Let's Encrypt certificates are updated every 90 days automatically. |
| Revoking Certificates | Certificates can be revoked by the CA if compromised or no longer needed. | A certificate is revoked if the private key is leaked or the CA is compromised. |
| Reasons for Revocation | Various reasons for revoking certificates include key compromise, CA compromise, etc. | A certificate is revoked due to a private key compromise or a change of affiliation. |

Important Points for Exam

1. Updating Certificates: Certificates have a validity period and must be updated before
expiration.

○ Example: Let's Encrypt certificates, which are updated every 90 days using
automated processes.
2. Revoking Certificates: Certificates can be revoked before expiration due to various
security or operational reasons.
○ Example: A certificate is revoked because its private key is leaked to the public,
compromising its security.
3. Reasons for Revocation:
○ Private Key Compromise: The private key is leaked or exposed.
○ CA Compromise: The issuing CA is compromised, affecting the trustworthiness
of issued certificates.
○ Change of Affiliation: The certificate holder's organizational affiliation changes.
○ Superseded by Another Certificate: A new certificate replaces the old one.
○ Cease of Operation: The entity holding the certificate ceases operations.
○ Certificate Hold: Temporarily suspending the certificate's validity.
○ Certificate Holder’s Request: The certificate holder requests revocation for any
reason.

Key Differences and Examples


| Feature | Details | Example |
|---|---|---|
| Updating Process | Certificates need to be renewed before they expire. | Automated renewal of Let's Encrypt certificates every 90 days. |
| Revocation Process | Certificates can be revoked at any time before expiration if needed. | Revoking a certificate when its private key is compromised. |
| Common Revocation Reasons | Include private key compromise, CA compromise, change of affiliation, supersession, cessation, or holder’s request. | Revoking a certificate when an organization ceases operations or at the certificate holder's request. |

Summary of Certificate Revocation Lists (CRLs)


| Concept | Details | Example |
|---|---|---|
| Certificate Revocation List (CRL) | A version 2 certificate containing a list of revoked certificates by their serial numbers. | A CRL lists certificates revoked due to key compromise or CA compromise. |
| Purpose of CRLs | Provides a publicly available list of revoked certificates to ensure they are no longer trusted. | When a private key is compromised, the certificate is added to the CRL. |
| Alternative to CRLs | Online Certificate Status Protocol (OCSP) provides real-time certificate status checking. | OCSP responses include statuses like "good," "revoked," or "unknown." |

Important Points for Exam

1. Certificate Revocation List (CRL): A CRL is a list issued by a CA containing the serial
numbers of revoked certificates.
○ Purpose: To inform users which certificates are no longer trustworthy due to
various reasons such as compromise.
○ Example: A certificate is revoked and listed in the CRL when its private key is
leaked.
2. Reasons for Revocation:
○ Private Key Compromise: The certificate's private key is exposed.
○ CA Compromise: The CA issuing the certificate is compromised.
○ Change of Affiliation: The entity holding the certificate changes its
organizational affiliation.
○ Superseded by Another Certificate: A newer certificate replaces the old one.
○ Cease of Operation: The entity holding the certificate stops its operations.
○ Certificate Hold: The certificate is temporarily suspended.
○ Certificate Holder’s Request: The holder requests the revocation.
3. Alternative to CRLs - OCSP:
○ Online Certificate Status Protocol (OCSP): Provides real-time status of
certificates.
○ Responses: OCSP can indicate if a certificate is "good," "revoked," or
"unknown."
○ Advantage: More efficient than downloading a full CRL, especially for frequent
status checks.

Key Differences and Examples


| Feature | Details | Example |
|---|---|---|
| CRL | A list of revoked certificates, updated periodically and distributed by the CA. | A CRL contains serial numbers of all certificates revoked due to key compromise. |
| OCSP | Provides immediate status of a certificate without needing to download the entire CRL. | A client queries OCSP to check if a certificate is still valid or has been revoked. |
| Real-time Checking | OCSP allows real-time certificate status checking, improving efficiency. | When accessing a secure website, the browser uses OCSP to verify the server's certificate. |

Summary Table: Validating a Certificate

| Validation Check | Details | Example |
|---|---|---|
| Expired Certificate | Ensure the certificate's "Valid From" and "Valid To" dates are current. If the certificate is expired, an error is shown indicating the certificate is not valid. | A user receives an error message when visiting a website with an expired SSL certificate. |
| Certificate Not Trusted | Check if the certificate was issued by a trusted CA. If not, it will show an error and often warn users not to continue. | A browser displays a warning for a certificate issued by an unrecognized CA. |
| Certificate Revoked | Validate the certificate through the CA to ensure it hasn’t been revoked. | A system checks the CRL or uses OCSP to see if a certificate has been revoked. |

Certificate Validation Methods


| Method | Details | Example |
|---|---|---|
| CRL | Clients request a copy of the Certificate Revocation List (CRL) from the CA. The CRL contains serial numbers of revoked certificates. Clients check the serial number of the certificate against the CRL. | A browser requests and checks the CRL to see if a certificate is listed as revoked. |
| OCSP | The client queries the CA with the certificate's serial number. The CA responds with "good," "revoked," or "unknown." Provides real-time status of certificates. | A client sends a query to the CA and receives a real-time status indicating the certificate is valid (good), revoked, or unknown. |
| OCSP Stapling | The certificate presenter appends a timestamped OCSP response to the certificate during the TLS handshake, reducing real-time traffic to the CA. | A web server includes a digitally signed OCSP response with the certificate during the HTTPS handshake, reducing the need for client queries. |

Important Points to Remember for Exam

1. Validation Checks:
○ Expired Certificate: Verify the validity period of the certificate.
○ Certificate Not Trusted: Ensure the certificate is issued by a trusted CA.
○ Certificate Revoked: Check for revocation status using CRL or OCSP.
2. Certificate Revocation List (CRL):
○ Purpose: Provides a list of revoked certificates.
○ Usage: Clients download and check the CRL to verify if a certificate is revoked.
3. Online Certificate Status Protocol (OCSP):
○ Purpose: Provides real-time status of certificates.
○ Responses: "Good," "revoked," or "unknown."
○ Advantage: Low latency and immediate awareness of certificate status.
4. OCSP Stapling:
○ Purpose: Reduces real-time traffic to the CA by appending a timestamped
OCSP response during the TLS handshake.
○ Advantage: Efficient certificate validation without frequent client queries to the
CA.

Certificate Validation Process

| Step | Description |
|---|---|
| 1 | Client Initiates Session: The client starts a session requiring a certificate (e.g., HTTPS). |
| 2 | Server Responds: The server sends its certificate, which includes the public key. |
| 3 | Client Queries CA: The client queries the CA for a copy of the CRL or sends an OCSP request. |
| 4 | CA Responds: The CA provides the CRL or OCSP response. |
| 5 | Client Checks Status: The client checks the certificate's serial number against the CRL or processes the OCSP response for status. |
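The three validation checks (expired, not trusted, revoked) applied along a whole chain, as an added example that is not part of the original notes. It is a simplified model: certificates are plain records linked by issuer name, signature verification is out of scope, an "unknown" revocation answer is treated as a failure by assumption, and every name, serial number and date is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    valid_from: datetime
    valid_to: datetime


def revocation_status(cert, crls):
    """Model of a CRL lookup or OCSP answer: 'good', 'revoked' or 'unknown'."""
    if cert.issuer not in crls:
        return "unknown"  # no revocation data published by this issuer
    return "revoked" if cert.serial in crls[cert.issuer] else "good"


def validate_chain(chain, trusted_roots, crls, now):
    """Validate a chain ordered leaf first, root last.

    Returns 'valid' or the first failure as '<reason>: <subject>'.
    """
    for position, cert in enumerate(chain):
        # Check 1: the validity period (also catches not-yet-valid certificates).
        if not cert.valid_from <= now <= cert.valid_to:
            return f"expired: {cert.subject}"
        if position + 1 < len(chain):
            # Check 2: each certificate must be issued by the next one up.
            if chain[position + 1].subject != cert.issuer:
                return f"not trusted: {cert.subject}"
            # Check 3: revocation, looked up in the issuer's revoked-serial list.
            status = revocation_status(cert, crls)
            if status != "good":
                return f"{status}: {cert.subject}"
        elif cert.subject != cert.issuer or cert.subject not in trusted_roots:
            # The chain must end in a self-signed root from the trusted store.
            return f"not trusted: {cert.subject}"
    return "valid"


# Constructed sample chain.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
ROOT = Cert("Example Root CA", "Example Root CA", 1,
            datetime(2015, 1, 1, tzinfo=UTC), datetime(2035, 1, 1, tzinfo=UTC))
INTER = Cert("Example Intermediate CA", "Example Root CA", 10,
             datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.test", "Example Intermediate CA", 1001,
            datetime(2024, 4, 1, tzinfo=UTC), datetime(2024, 6, 30, tzinfo=UTC))
SELF_SIGNED = Cert("www.example.test", "www.example.test", 7,
                   datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
CHAIN = [LEAF, INTER, ROOT]
STORE = {"Example Root CA"}
CLEAN = {"Example Root CA": set(), "Example Intermediate CA": {2002}}


def demo():
    return {
        "ok": validate_chain(CHAIN, STORE, CLEAN, NOW),
        "expired": validate_chain(CHAIN, STORE, CLEAN, NOW + timedelta(days=60)),
        "leaf_revoked": validate_chain(
            CHAIN, STORE, {**CLEAN, "Example Intermediate CA": {1001}}, NOW),
        "intermediate_revoked": validate_chain(
            CHAIN, STORE, {**CLEAN, "Example Root CA": {10}}, NOW),
        "no_revocation_data": validate_chain(
            CHAIN, STORE, {"Example Root CA": set()}, NOW),
        "self_signed": validate_chain([SELF_SIGNED], STORE, CLEAN, NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The intermediate_revoked case shows why revocation is checked at every level: the leaf itself is clean, but the chain fails because the CA above it was revoked.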

Certificate Pinning

Definition: Certificate pinning is a security mechanism used to prevent attackers from
impersonating a website using fraudulent certificates. It ensures that clients only accept a
specific set of certificates for a particular website, making it more difficult for attackers to use
fake certificates.

Purpose: The primary purpose of certificate pinning is to protect against man-in-the-middle
(MITM) attacks and ensure that clients are connecting to the intended website and not an
impostor.

How It Works:

1. Extra Header:
○ When a server is configured with certificate pinning, it responds to client HTTPS
requests with an extra header. This header includes a list of hashes derived from
valid public keys used by the website.
○ The header also includes a max-age field specifying how long the client should
store and use the pinned data.
2. Hash Comparison:
○ When clients connect to the same website again, they recalculate the hashes of
the certificates and compare these hashes with the stored hashes.
○ If the hashes match, it verifies that the client is connected to the same legitimate
website.
3. Backup Keys:
○ Website administrators create hashes of one or more certificates used by the
website, including the public key used by the website’s certificate.
○ It can also include any public keys from certificates in the certificate chain, such
as the root CA certificate and intermediate CA certificates.
○ It must include a backup key to be used if the current key becomes invalid.
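The client side of the three steps above (store the pins with their max-age, compare hashes on later visits, fall back to a backup key), as an added example that is not part of the original notes. The header layout follows the HTTP Public Key Pinning format of RFC 7469, which the notes do not name, so treat it as an assumption; the host name and key bytes are constructed stand-ins for real DER-encoded public keys.

```python
import base64
import hashlib
import re


def spki_pin(public_key_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of a public key's DER bytes."""
    return base64.b64encode(hashlib.sha256(public_key_der).digest()).decode("ascii")


def parse_pin_header(value: str):
    """Return (set of pins, max-age in seconds) from the pinning header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/]+=*)"', value, re.IGNORECASE))
    age = re.search(r'max-age="?(\d+)"?', value, re.IGNORECASE)
    if age is None:
        raise ValueError("max-age is required")
    return pins, int(age.group(1))


class PinStore:
    """Per-host pins remembered by a client, each with an expiry time."""

    def __init__(self):
        self._hosts = {}

    def remember(self, host, header_value, chain_keys, now):
        """Store pins from the header, but only if they are usable."""
        pins, max_age = parse_pin_header(header_value)
        presented = {spki_pin(key) for key in chain_keys}
        if not pins & presented:
            return "rejected: no pin matches this connection"
        if not pins - presented:
            # Every pin is already in use, so nothing is left for recovery.
            return "rejected: no backup pin"
        self._hosts[host] = (pins, now + max_age)
        return "stored"

    def check(self, host, chain_keys, now):
        """Compare recalculated hashes of the presented keys with stored pins."""
        entry = self._hosts.get(host)
        if entry is None or now >= entry[1]:
            self._hosts.pop(host, None)  # pins older than max-age are discarded
            return "no-pins"
        presented = {spki_pin(key) for key in chain_keys}
        return "match" if entry[0] & presented else "mismatch"


# Constructed stand-ins for DER-encoded public keys.
CURRENT_KEY = b"constructed key bytes: current site key"
BACKUP_KEY = b"constructed key bytes: offline backup key"
INTERMEDIATE_KEY = b"constructed key bytes: intermediate CA key"
OTHER_KEY = b"constructed key bytes: key from a different certificate"
HOST = "bank.example"
MAX_AGE = 5184000  # 60 days, in seconds


def demo():
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=%d' % (
        spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY), MAX_AGE)
    store, t0 = PinStore(), 1_700_000_000
    return {
        "first_visit": store.remember(HOST, header, [CURRENT_KEY, INTERMEDIATE_KEY], t0),
        "same_key": store.check(HOST, [CURRENT_KEY, INTERMEDIATE_KEY], t0 + 3600),
        "rotated_to_backup": store.check(HOST, [BACKUP_KEY, INTERMEDIATE_KEY], t0 + 86400),
        "unpinned_key": store.check(HOST, [OTHER_KEY, INTERMEDIATE_KEY], t0 + 86400),
        "after_max_age": store.check(HOST, [OTHER_KEY], t0 + MAX_AGE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Mainstream browsers have since removed support for this header, but application-level pinning performs the same comparison. The rotated_to_backup case is why the backup key matters: without it, replacing the site key would lock out every client until max-age expired.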

Example Use Case:

● Banking Websites:
○ A banking website can implement certificate pinning to ensure that clients only
accept the bank's legitimate certificates. This prevents attackers from using
fraudulent certificates to impersonate the bank and steal sensitive information.

Benefits:

1. Enhanced Security:
○ Protects against MITM attacks by ensuring that only specific certificates are
accepted.
2. Trust Assurance:
○ Increases trust that the connection to the website is legitimate and secure.
3. Attack Prevention:
○ Makes it more difficult for attackers to use fake certificates to impersonate a
website.

Considerations:

1. Implementation Complexity:

○ Requires careful planning and implementation to ensure the correct certificates
are pinned and updated.
2. Backup Keys:
○ It is crucial to include backup keys to handle certificate changes or invalidation
without breaking the pinning.
3. Client Compatibility:
○ Not all clients may support certificate pinning, so it’s important to ensure
compatibility with target users.

Summary Table: Certificate Pinning


| Aspect | Description | Example |
|---|---|---|
| Definition | A security mechanism to prevent attackers from impersonating a website using fraudulent certificates. | Implementing certificate pinning on a banking website. |
| Purpose | Protects against MITM attacks and ensures clients connect to the intended website. | Ensuring only legitimate certificates are accepted by clients. |
| Extra Header | Server responds with an extra header including hashes of valid public keys and a max-age field. | Server sends an extra header with valid public key hashes and max-age for storing pinning information. |
| Hash Comparison | Clients recalculate and compare hashes on subsequent connections to verify the website. | Clients compare stored hashes with recalculated hashes to verify the connection. |
| Backup Keys | Includes backup keys in case the current key becomes invalid. | Including hashes of root CA and intermediate CA certificates as backup keys. |
| Benefits | Enhanced security, trust assurance, attack prevention. | Protecting against MITM attacks and ensuring secure connections. |
| Considerations | Implementation complexity, need for backup keys, client compatibility. | Ensuring correct certificates are pinned, planning for backup keys, checking client support. |

Key Escrow

Definition: Key escrow is a security measure that involves storing a copy of a cryptographic
key, especially a private key, in a secure, trusted environment. This is done to ensure that
encrypted data can be recovered if the original key is lost, stolen, or otherwise unavailable.

Purpose: The primary purpose of key escrow is to provide a mechanism for data recovery. It
ensures that organizations can access encrypted data even if the encryption keys are lost or
unavailable due to unforeseen circumstances.

Key Components:

1. Storage:
○ The escrowed key is stored in a highly secure environment to prevent
unauthorized access. This can be done using hardware security modules (HSMs)
or trusted third-party services.
2. Management:
○ Designated personnel or systems manage the key escrow process. These
individuals are responsible for maintaining the security and integrity of the
escrowed keys.
3. Access Control:
○ Strict access control measures are in place to ensure that only authorized
individuals can retrieve the escrowed keys.

Implementation Scenarios:

1. Third-Party Escrow Services:


○ Organizations can use third-party services to store their escrowed keys. These
services specialize in securely managing and storing cryptographic keys.
2. Internal Escrow Systems:
○ Large organizations may choose to implement their own key escrow systems,
managed by designated employees within the organization.

Key Recovery Agent (KRA): A key recovery agent is an individual or system authorized to
recover or restore escrowed keys. The KRA ensures that the recovery process is secure and
complies with organizational policies.

Example Use Case:

● Microsoft BitLocker:
○ When using BitLocker to encrypt an entire drive, organizations can designate a
data recovery agent (DRA). BitLocker uses two keys: one for the user and one
for the DRA. If the user's key is lost, the DRA key can be used to decrypt and
access the drive.

Benefits:

1. Data Recovery:

○ Ensures that encrypted data can be recovered if the original keys are lost or
become inaccessible.
2. Business Continuity:
○ Supports business continuity by preventing data loss in critical situations.
3. Regulatory Compliance:
○ Helps organizations comply with regulatory requirements that mandate data
recovery capabilities.

Considerations:

1. Security:
○ The security of the escrowed keys is paramount. They must be stored in a secure
environment with strict access controls.
2. Trust:
○ The entity responsible for key escrow must be trustworthy, whether it's an internal
team or a third-party service.
3. Policy and Procedures:
○ Clear policies and procedures must be established for key escrow and recovery
processes to ensure they are followed correctly.

Summary Table: Key Escrow


| Aspect | Description | Example |
|---|---|---|
| Definition | Storing a copy of a private key in a secure environment for recovery purposes. | Key escrow in Microsoft BitLocker for encrypted drives. |
| Purpose | Ensure encrypted data can be recovered if the original key is lost or unavailable. | Recovering encrypted data after key loss. |
| Storage | Securely storing the escrowed key using HSMs or third-party services. | Using a third-party escrow service to store private keys. |
| Management | Managed by designated personnel or systems with strict access controls. | Internal team managing the key escrow system. |
| Key Recovery Agent | Authorized individual/system responsible for recovering escrowed keys. | Security professional designated as a key recovery agent. |
| Implementation | Can be done through third-party escrow services or internal systems. | Large organization implementing its own key escrow system. |
| Benefits | Ensures data recovery, supports business continuity, and aids in regulatory compliance. | Recovering access to encrypted data after the original key is lost. |
| Considerations | Security of escrowed keys, trust in the managing entity, and clear policies and procedures for key escrow and recovery. | Establishing strict security measures and policies for key escrow management and recovery. |

Key Management in PKI

Key management within a PKI (Public Key Infrastructure) involves several critical steps to
ensure the security and integrity of cryptographic keys. This process includes generating,
distributing, storing, rotating, revoking, and retiring keys. Proper key management is essential
for maintaining the authenticity, confidentiality, and integrity of encrypted data and
communications.

Summary Table: Key Management Tasks and Examples

| Task | Description | Example |
|---|---|---|
| Key Generation | Generating cryptographic keys using strong, industry-standard algorithms to ensure security and randomness. | Using a KMS to generate RSA or AES keys with high entropy sources to prevent predictability. |
| Key Storage | Securely storing cryptographic keys in hardware security modules (HSMs) or tamper-resistant storage devices to prevent unauthorized access and misuse. | Storing private keys in an HSM to protect them from theft and unauthorized access. |
| Key Distribution | Securely distributing public keys in the form of certificates, while keeping private keys confidential. Ensures authenticity and integrity of the certificates. | Distributing public keys through a trusted CA's certificates to ensure secure communication. |
| Key Rotation | Regularly generating new keys, replacing old ones, and updating systems to use the new keys to reduce the risk of unauthorized access or key compromise. | Automating key rotation every 90 days to maintain security and prevent long-term key exposure. |
| Key Retirement/Revocation/Destruction | Securely retiring or destroying keys that are no longer needed or have been compromised, ensuring they cannot be accessed or used again. | Revoking a compromised key and updating the CRL to inform clients of its invalid status. |

Key Management System (KMS)

A Key Management System (KMS) is a centralized service responsible for the secure
management of cryptographic keys used in various security applications. The primary goal of a
KMS is to provide a secure framework for managing the lifecycle of cryptographic keys.

Key Components and Functions of a KMS

| Component/Function | Description | Example |
|---|---|---|
| Centralized Key Management | A KMS provides a centralized platform for managing keys, reducing the complexity of key management across different systems and applications. | Using a KMS to manage keys for multiple applications within an organization. |
| Strong Key Generation | Ensures the use of strong algorithms and high entropy sources to generate secure and random cryptographic keys. | Generating AES-256 keys with a KMS using hardware-based entropy sources. |
| Secure Key Storage | Uses HSMs or tamper-resistant storage devices to securely store cryptographic keys and protect them from unauthorized access. | Storing encryption keys in an HSM to prevent physical and logical attacks. |
| Automated Key Rotation | Automates the process of key rotation, reducing the risk of key compromise and ensuring that new keys are regularly generated and deployed. | Implementing automated key rotation policies that rotate keys every 30 days. |
| Key Distribution | Securely distributes public keys in certificates and manages the transmission of symmetric keys between parties. | Using a KMS to distribute public keys through CA-signed certificates for secure email communication. |
| Key Revocation and Retirement | Ensures that compromised or outdated keys are revoked and securely destroyed to prevent unauthorized access or use. | Revoking a certificate and updating the CRL when a private key is suspected to be compromised. |

Important Points for Exam Preparation

1. Key Generation:
○ Ensure keys are generated using strong, industry-standard algorithms and high
entropy sources.
○ Example: Generating RSA or AES keys using a KMS.
2. Key Storage:
○ Securely store keys in HSMs or tamper-resistant devices to prevent unauthorized
access.
○ Example: Storing private keys in an HSM.
3. Key Distribution:
○ Distribute public keys in certificates signed by a trusted CA, keeping private keys
confidential.
○ Example: Distributing public keys through CA certificates for secure
communication.
4. Key Rotation:
○ Regularly rotate keys to reduce the risk of compromise and ensure security over
time.
○ Example: Automating key rotation every 90 days.
5. Key Revocation and Retirement:
○ Revoke and securely destroy keys that are no longer needed or have been
compromised.
○ Example: Updating the CRL to inform clients of revoked certificates.
6. KMS Functions:
○ Centralized key management, strong key generation, secure key storage,
automated key rotation, and secure key distribution.
○ Example: Using a KMS to manage keys for multiple applications within an
organization.

Summary Table: Comparing Certificate Types


Certificate Type | Description | Example
Machine/Computer | Issued to devices or computers for identification within a domain. | A certificate issued to a server to authenticate within an Active Directory domain.
User | Issued to users for encryption, authentication, smart cards, etc. | A user certificate allowing data encryption using Microsoft Encrypting File System (EFS).
Email | Used for email encryption and digital signatures. | An email certificate used to encrypt emails and sign them digitally to ensure authenticity and integrity.
Code Signing | Used by developers to validate the authenticity of executable applications or scripts. | A PowerShell script signed with a code signing certificate to verify it hasn't been modified.
Self-signed | Not issued by a trusted CA, often used within private networks. | A self-signed certificate created by an organization's private CA for internal use.
Root | The highest-level certificate issued by the root CA or a self-signed anchoring certificate. | The root certificate of a CA hierarchy, trusted as the top-level authority.
Wildcard | Used for multiple subdomains with the same root domain. | A wildcard certificate for *.google.com, usable for accounts.google.com, support.google.com, etc.
Subject Alternative Name (SAN) | Used for multiple domains with different names but owned by the same organization. | A SAN certificate for *.google.com, *.android.com, *.cloud.google.com.
Domain Validation (DV) | Indicates the requestor has control over a DNS domain, providing basic trust. | A certificate issued after the CA verifies control of example.com by contacting the domain owner.
Extended Validation (EV) | Uses additional verification steps beyond domain validation for higher trust. | An EV certificate for a banking website, displaying the company name in the browser's address bar.

Important Points for Exam Preparation

1. Machine/Computer Certificates:
○ Used to identify devices within a domain.
○ Example: Certificates issued to servers for authentication within Active Directory.
2. User Certificates:
○ Used for user authentication, encryption, and smart cards.
○ Example: User certificates enabling data encryption via Microsoft EFS.
3. Email Certificates:
○ Used for email encryption and digital signatures to ensure secure
communication.
○ Example: Encrypting and digitally signing emails for authenticity and integrity.
4. Code Signing Certificates:
○ Used by developers to sign executables and scripts to validate authenticity.
○ Example: Signing PowerShell scripts to ensure they haven't been altered.
5. Self-signed Certificates:
○ Created and used internally, not issued by a trusted CA.
○ Example: An organization's private CA generating certificates for internal use.
6. Root Certificates:
○ The top-level certificate in a CA hierarchy, establishing trust.
○ Example: The root certificate of a trusted CA like DigiCert.
7. Wildcard Certificates:
○ Used for multiple subdomains of a single root domain.
○ Example: *.example.com for mail.example.com, ftp.example.com, etc.
8. SAN Certificates:
○ Used for multiple domains owned by the same organization.
○ Example: A SAN certificate for google.com, google.net, and google.org.
9. Domain Validation Certificates:
○ Indicates control over a specific DNS domain with basic verification.
○ Example: A DV certificate verifying control of example.com.
10. Extended Validation Certificates:
○ Provides higher trust with more rigorous validation processes.
○ Example: An EV certificate for a financial institution showing the company name
in the browser.

Summary Table: Comparing Certificate Formats


Format | Encoding | Extensions | Contains | Usage | Example
CER | ASCII | .cer, .crt | Public key, Certificate | General use, public key sharing | A .cer file used to distribute a public key.
DER | Binary | .der, .cer | Public key, Certificate | General use, public key sharing | A .der file containing a public key for installation on a server.
PEM | ASCII | .pem, .crt, .cer, .key | Public key, Private key, Certificate, CSR, CRL | Versatile, used for public/private keys, CSRs, CRLs | A .pem file holding both public and private keys for server configuration.
P7B | Base64 ASCII | .p7b, .p7c | Public key, Certificate chain, CRL | Sharing public keys, Certificate chains | A .p7b file used by a web server to share its public key and certificate chain.
P12 | Binary | .p12 | Private key, Certificate chain | Holding private keys, full certificate chains, often encrypted | A .p12 file installed on a server for HTTPS, containing private key and full certificate chain.
PFX | Binary | .pfx | Private key, Certificate chain | Similar to P12, used on Windows systems for import/export | A .pfx file used to export a certificate and private key from one server to another.

Important Points for Exam Preparation

1. CER (Canonical Encoding Rules):


○ ASCII format.
○ Extensions: .cer, .crt.
○ Typically contains public key and certificate.
○ Example: A .cer file used to distribute a public key.
2. DER (Distinguished Encoding Rules):
○ Binary format.
○ Extensions: .der, .cer.
○ Typically contains public key and certificate.
○ Example: A .der file containing a public key for installation on a server.
3. PEM (Privacy Enhanced Mail):
○ ASCII format.
○ Extensions: .pem, .crt, .cer, .key.
○ Versatile: can contain public key, private key, certificate, CSR, or CRL.
○ Example: A .pem file holding both public and private keys for server
configuration.
4. P7B (PKCS #7):
○ Base64 ASCII encoding.
○ Extensions: .p7b, .p7c.
○ Contains public key, certificate chain, or CRL.
○ Example: A .p7b file used by a web server to share its public key and certificate
chain.
5. P12 (PKCS #12):
○ Binary format.
○ Extension: .p12.
○ Contains private key and certificate chain, often encrypted.
○ Example: A .p12 file installed on a server for HTTPS, containing private key and
full certificate chain.
6. PFX (Personal Information Exchange):
○ Binary format.
○ Extension: .pfx.
○ Contains private key and certificate chain.
○ Example: A .pfx file used to export a certificate and private key from one server to
another.
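
The difference between the ASCII (PEM) and binary (DER) encodings listed above can be checked directly on a file. The Python sketch below is an added example, not part of the original notes; the function names and the sample bytes are assumptions constructed for illustration. It reports which PEM block types a file carries and whether a private key is among them.

```python
import base64
import re

# PEM armor: -----BEGIN <LABEL>----- base64 body -----END <LABEL>-----
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap binary DER in ASCII PEM armor (base64, 64 characters per line)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = f"-----BEGIN {label}-----".encode()
    tail = f"-----END {label}-----".encode()
    return b"\n".join([head, *lines, tail]) + b"\n"

def pem_blocks(data: bytes) -> list:
    """Return (label, der_bytes) for every PEM block found in data."""
    return [(m.group(1).decode(), base64.b64decode(m.group(2)))
            for m in PEM_BLOCK.finditer(data)]

def classify(data: bytes) -> dict:
    """Report a file's encoding and whether it visibly holds a private key."""
    blocks = pem_blocks(data)
    if blocks:
        labels = [label for label, _ in blocks]
        return {"encoding": "PEM", "labels": labels,
                "has_private_key": any("PRIVATE KEY" in l for l in labels)}
    if data[:1] == b"\x30":
        # Binary ASN.1 starts with a SEQUENCE tag (0x30); the tag alone does
        # not reveal whether a private key is inside, hence None.
        return {"encoding": "DER", "labels": [], "has_private_key": None}
    return {"encoding": "unknown", "labels": [], "has_private_key": None}

# Constructed stand-in bytes, not real certificate or key material.
SAMPLE_DER = b"\x30\x0a" + bytes(range(10))
SAMPLE_KEY = b"\x30\x06" + b"\x00" * 6
BUNDLE = der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_KEY, "PRIVATE KEY")

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(classify(BUNDLE))
```

Running `classify` on a .pem bundle before it is shared is a quick way to catch a private key that was packaged alongside the certificate.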

Introducing Cryptography Concepts


Concept | Description | Example
Integrity | Assures data has not been modified. Hashing ensures integrity. | Hashing a file to verify it hasn’t changed.
Confidentiality | Ensures data is only viewable by authorized users. | Encrypting a message so only the recipient can read it.
Symmetric Encryption | Uses the same key to encrypt and decrypt data. | AES encryption of a file.
Asymmetric Encryption | Uses a pair of keys (public and private) to encrypt and decrypt. | RSA encryption for secure email.
Digital Signature | Provides authentication, non-repudiation, and integrity. | Signing a document with a digital certificate.
Authentication | Validates an identity. | Logging in with a username and password.
Non-repudiation | Prevents a party from denying an action. | Sending a signed contract digitally.

Providing Integrity with Hashing


Concept | Description | Example
Hashing | Verifies the integrity of data such as files and emails. | Verifying a downloaded file's hash matches the provided hash.
Hash | A fixed-length string of hexadecimal characters. | SHA-256 hash of a file.
Checksum | Similar to a hash but typically smaller and not cryptographically secure. | CRC32 checksum of a file.
Hash Collision | Occurs when different inputs produce the same hash. | Two different passwords generating the same MD5 hash.
Common Algorithms | MD5, SHA, HMAC. | Using SHA-256 for hashing passwords.

Understanding Password Attacks


Attack Type | Description | Example
Online Password Attack | Attempts to discover a password from an online system. | Brute force login attempts on a website.
Offline Password Attack | Attempts to discover passwords from a captured database. | Cracking password hashes from a leaked database.
Brute Force Attack | Attempts all possible character combinations. | Trying every possible password combination.
Dictionary Attack | Uses all words and character combinations stored in a file. | Using a list of common passwords to gain access.
Spraying Attack | Tries common passwords against many accounts. | Trying "password123" on multiple user accounts.
Pass the Hash Attack | Uses the hash of a password to log on as a user. | Using a captured NTLM hash to authenticate.
Birthday Attack | Attempts to create a password that produces the same hash. | Finding two different messages with the same MD5 hash.
Password Salting | Adds characters to passwords before hashing to prevent attacks. | Adding a unique salt to each user's password before hashing.
Key Stretching | Techniques like bcrypt, PBKDF2, and Argon2 protect against attacks. | Using bcrypt to hash passwords for storage.
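
Why salting and key stretching matter is easiest to see on stored hashes. This added Python example (not from the original notes; the account names, passwords and the 600,000-iteration work factor are assumptions) compares unsalted SHA-256 with salted PBKDF2, one of the key stretching techniques named above.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Salted, stretched hash: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

def shared_hashes(hashes: dict) -> list:
    """Group users whose stored hashes are equal, as an audit of a hash table would."""
    groups = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: two users picked the same password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "c0rrect-horse"}

if __name__ == "__main__":
    unsalted = {u: unsalted_sha256(p) for u, p in USERS.items()}
    salted = {u: hash_password(p)["hash"] for u, p in USERS.items()}
    print("unsalted duplicates:", shared_hashes(unsalted))
    print("salted duplicates:  ", shared_hashes(salted))
```

With unsalted hashes the two accounts that share a password are visible to anyone who reads the table; with a per-user salt every stored value is different, and the iteration count makes each offline guess slower.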

Providing Confidentiality with Encryption


Encryption Type | Description | Example
Symmetric Encryption | Uses the same key to encrypt and decrypt data. | Encrypting files with AES.
Block Ciphers | Encrypt data in fixed-size blocks (e.g., AES, 3DES). | AES encryption in 128-bit blocks.
Stream Ciphers | Encrypt data bit by bit or byte by byte. | RC4 encryption for streaming data.
Asymmetric Encryption | Uses public and private keys as matched pairs. | RSA encryption for secure communications.
Certificates | Distribute public keys. | Using an SSL certificate for a website.
Ephemeral Keys | Last only a short time, providing perfect forward secrecy. | Diffie-Hellman key exchange in HTTPS.
Elliptic Curve Cryptography (ECC) | Efficient encryption technology for low power devices. | Encrypting data on mobile devices using ECC.
Obfuscation Techniques | Include steganography, tokenization, and masking. | Hiding text in an image (steganography).

Using Cryptographic Protocols


Use Case | Key Action | Description | Example
Email Digital Signatures | Sender’s private key encrypts (signs), public key decrypts | Provides authentication, non-repudiation, integrity | Signing an email with a digital signature.
Email Encryption | Recipient’s public key encrypts, private key decrypts | Uses symmetric key for content encryption | Encrypting an email with the recipient’s public key.
S/MIME | Uses certificates and depends on PKI | Secure email with encryption and digital signatures | Encrypting emails with S/MIME.
Website Traffic (TLS) | Public key encrypts symmetric key, private key decrypts | Symmetric key encrypts session data | Securing web traffic with HTTPS.

Exploring PKI Components


Component | Description | Example
Public Key Infrastructure (PKI) | Technologies to request, create, manage, store, distribute, and revoke digital certificates. | Establishing a secure connection to a bank’s website.
Certificate Authority (CA) | Issues, manages, validates, revokes certificates. | Comodo, DigiCert issuing SSL certificates.
Certificate Trust Models | Hierarchical trust with root and intermediate CAs. | Using a trusted root CA in a browser.
Certificate Revocation | Updating and revoking certificates, identifying revoked certificates with CRLs. | Revoking a compromised certificate.
Certificate Formats | Formats like CER (ASCII) and DER (binary), PEM, P7B, P12, PFX. | Using PEM format for SSL certificates.
Key Management | Managing cryptographic keys, including generation, distribution, storage, rotation, and retirement. | Using a KMS to manage encryption keys.

Certificate Types and Formats


Certificate Type | Description | Examples/Usage
Machine/Computer | Issued to a device or computer | Identify computer within a domain
User | Issued to users | Encrypt data using EFS, authentication, smart cards
Email | Used for email encryption and digital signatures | Secure email communications
Code Signing | Validates authenticity of executable applications/scripts | PowerShell script verification
Self-signed | Not issued by a trusted CA | Used within private CAs
Root | Highest-level certificate issued by root CA | Anchor for certificate trust
Wildcard | Used for multiple subdomains | *.google.com
Subject Alternative Name (SAN) | Used for multiple domains with different names | *.google.com, *.android.com
Domain Validation | Indicates control over a DNS domain | Additional validation steps by CA
Extended Validation (EV) | Additional validation beyond domain validation | Company name before URL in browsers

Certificate Formats

Certificate Format | Description | Examples/Usage
CER | ASCII format | PEM-based certificates
DER | Binary format | PEM-based certificates
PEM | Most commonly used certificate format | Can be used for various certificate types
P7B | Base64 ASCII encoding | Sharing public keys
P12/PFX | Binary encoding, holds private key | Installing certificates on servers
