INFORMATION SHEET MD-10.1.

1
“CRYPTOGRAPHY”

Topic Outline

This lesson discusses several topics associated with encryption of data. Objectives important to this
lesson:

1. Identify different technologies in relation to network, data, and application security

2. Access control, access control models
3. Authentication
4. Credentials
5. Authentication models
6. Identify types of firewall, intrusion detection, dial-up, and networking analysis tools
7. Identify types of encryption, cryptography, and trap-and-trace technology.

The text begins this chapter with a lot of history which will be interesting to people who love
cryptography, but it is all background. You may want to know some of the famous concepts, and some
vocabulary:

 plaintext, cleartext - a message that has not been encrypted or has been decrypted
 encrypt, encipher - to change an ordinary message with a code or cipher system so that the
message is unreadable
 decrypt, decipher - to change and encrypted message to plaintext
 cipher or code - the difference between a cipher and a code is that a cipher uses one symbol to
stand for another, while a code can use a symbol to stand for several symbols or words
 Caesar cipher - Julius Caesar is famous for several things, one of which is the creation of
a substitution cipher that is incredibly easy to crack: he wrote down the Latin alphabet on one
line, then wrote it again on a second line, offset by three characters, which was used as an
encrypting/decrypting tool. The two lines below show what this would look like in English:
abcdefghijklmnopqrstuvwxyz
defghijklmnopqrstuvwxyzabc

The text surveys several cipher methods. You should know some of the concepts in this section:

 Substitution Cipher - like the Caesar cipher above, it may use one letter to represent another, or
it may use a series of such ciphers like the Vigenčre Square shown on page 357. To use that
cipher, you need to know the pattern to follow, which could be changed from one message to
another. The cryptogram example on page 355 uses one simple cipher, that is not an offset. It is
a tad harder to crack because it contains an error. If you want to crack it, in the first line, third
word, change the second ciphertext character to Y instead of X. The X in the book must be a
typo.
 Transposition Cipher - the text shows us several words whose letters have been rearranged,
which is the basic concept. A more advanced concept is described: instead of mixing up the
letters, we can follow a pattern that mixes up the bits in each character.
 Hashing - A hash function takes a plaintext block of any size and converts it to an encrypted
block of a specific size. This is often done with passwords and PINs. The idea is to use the same
 hash function each time a user enters a password, and to compare the hash to a stored version
of the hashed password, which is the only version of the password that is saved on the system.
This method makes sure that anyone reading the file that holds the hash versions cannot know
what the actual passwords are. Hash algorithms work only one way: you can't use the hash
algorithm to decrypt the hash output. You can only compare to see if the hash of the user's
input matches the saved hash. The text explains that an experienced hacker could use rainbow
tables to compare to a captured hash. A rainbow table holds the hash values of known words
and numbers. If the hacker finds a match, the password is no longer secret.

The text moves on to discuss symmetric and asymmetric encryption methods.

Symmetric Cryptographic Algorithms

Unlike hashes, cryptographic algorithms are typically meant to be used for encryption and decryption.
The methods in this group use the same key to encrypt and to decrypt, which is why they are
called symmetric. They are also called private key algorithms because the key must remain private to
the users of the system or there is no security. Consider the Enigma machine from chapter 1. Once the
encryption and decryption methods are available to your enemy, the code is worthless. (This seems like
an obvious point, but we will consider another system where it is not true.)

Stream ciphers encrypt one character at a time (from the flowing stream of data). Block ciphers divide
the message into blocks of a specific size, then encrypt each block as a unit. Many variations exist on
the methods discussed. The text lists three symmetric algorithms to be aware of:

 DES - Data Encryption Standard

 3DES - Triple Data Encryption Standard
 AES - Advanced Encryption Standard

Asymmetric Cryptographic Algorithms

It should be obvious that asymmetric (not symmetric) algorithms will use different keys. This method is
also called public key cryptography. This name does not describe the method well. A person must have
two keys in this system, a public key and a private key. They are created as a pair, so that whatever
is encrypted with one must be decrypted with the other. The owner of the keys gives the public key
to anyone who wants it, but keeps the private key safe from anyone else.

This is how SSL encryption on a web site works. I connect to a vendor's web site. I obtain the vendor's
public key when I make the secure connection. My browser encrypts my credit card data with the
vendor's public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the
vendor is the only one who can decrypt the data sent through the public key. In this way, a key is made
available to anyone who wants it, but using it makes the data unintelligible to everyone who does not
have the private key.

Of course, this falls apart if I did not get the vendor's key, or if I got a key from someone who hijacked
my connection to the vendor's web site.
The text only discusses one asymmetric algorithm. You should be aware of these three for most
certification tests:

 RSA - named for its creators, so there is no acronym meaning

 Diffie-Hellman - also named for its creators; does not seem to belong in this group, since it is
only used to allow two users to share a key, enabling them to use symmetric cryptography
 Elliptic Curve Cryptography - the link takes you to an Ars Technica article that reviews all three
methods, and may hurt to look at; just know that it exists

Encryption algorithms are mathematical. Keys may be the numbers that are used to start the
calculations in the algorithms. The larger the keys are, the better the protection your message will have.
Think of the algorithm as the series of steps in the encryption, and the keys as tools that are used in
particular steps.

Public Key Infrastructure

The Public Key Infrastructure is a system that includes several parts that have evolved to make the
system work. It addresses the concern above about actually getting the right key from the selected
vendor.

In the introduction to this section, the text lists five kinds of security that cryptography might provide,
and notes that not all kinds of cryptography provide all five features. PKI typically addresses all of them.

 authentication - each party in a transaction provides an assurance of their identity

 integrity - the certificates used in the transactions are protected from changes
 privacy - encrypted transactions are remain private
 authorization - a secure algorithm keeps the session encrypted and removes the need to
authenticate each message
 nonrepudiation - the encryption may prove who did something and when it was done

This leads us to an industry that supports verified identities by the use of digital certificates. There are
companies whose business is to create key pairs and to provide the appropriate keys to vendors and
their customers. Verisign and Entrust are examples.

Some terms associated with PKI:

 certificate authority (CA) - an agency that issues digital certificates; the CA may create key pairs
for users or accept them from users who create them; the CA is responsible for verifying the
identity of the key owner; organizations with the proper software can act as their own internal
CA
 registration authority (RA) - an entity that takes on some of the tasks of a CA and operates on
their behalf; think of them like a subcontractor
 certificate revocation list (CRL) - a list of certificates that are no longer valid for various reasons
 certificate repository (CR), certificate directory (CD) - a public directory of valid certificates; may
contain invalid certificates as well or may link to a CRL
 S/MIME - may be used by mail applications or applications that use secure forms; it stands for
Secure Multipurpose Internet Mail Extension
  SSL - Secure Sockets Layer certificates are used for transactions on the world wide web

The text moves on to discuss another type of digital certificates, a digital signature. It mentions that this
kind of certificate supports nonrepudiation.

On page 378, the text mentions Pretty Good Privacy (PGP) as a popular certificate creation tool. This is a
tool you have to purchase. An Open Source version is called GPG, Gnu Privacy Guard.

Everyone who uses PGP will have a public key that is freely available, a private key that remains secure,
and everyone can generate new keys as needed.

1. When I want to send a message to you, I generate a new symmetric key for that message.
2. I encrypt the message with the symmetric key.
3. I encrypt the symmetric key with your public key. (Which I got from your CA).
4. I send the encrypted message and the encrypted key to you.
5. You are the only person who can decrypt the encrypted key, by using your private key.
6. You then use the decrypted symmetric key to decrypt the message.

In this way, PGP (and GPG) can use both symmetric and asymmetric keys.

On page 380, the text has a pretty good explanation of steganography, hiding a message in an image.
The short form is that an image typically has three bytes (RGB) of color information for each pixel in it. It
is unlikely that anyone just looking at an image could tell the difference between pixels that are true to
color and those that have had each of their least significant color bits changed as needed to
hide/provide data. If you change one bit per color, you can hide one byte every three pixels.

Imagine that the table below represents a series of pixels. I have used cells in a table to make the idea
more visual. I have put a reference color in the first cell: hex code 58C314 stands for 111, because I
chose that color as the key. I have modified the color in each of the other cells in the second row to
indicate three bits. The bits are indicated by the color's deviation from the key color.

The binary code for that sequence, which would have taken 15 pixels, is:

 first three ones are reference

 010 100 11
 0 111 010 0
 01 100 101
 011 101 10
 0 110 010 1
 last two ones are padding
This example used seven variations on one color. The sender could send an image in which every pixel
was modified if the receiver already had a reference copy to the image for comparison. I have done this
by hand: an application that encrypts a message in an image or audio file would be much faster.

The text considers some methods that make the things we do safer.

 We have already seen that Secure Sockets Layer (SSL) should be used to conduct encrypted
transactions over the web. When you are using SSL, you are using HTTPS instead of HTTP
 S-HTTP is not the same as HTTPS. S-HTTP is another version of HTTP that supports transferring
files with encryption, digital certificates, or both. This article on Wikipedia discusses the
differences between HTTPS and S-HTTP.
 We have discussed using S/MIME to encrypt email. The text also mentions using Privacy
Enhanced Mail (PEM) and PGP (discussed above).

The text turns to wireless networks for a moment, and mentions two widely used
standards, WEP and WPA. You should know that WEP is no longer considered secure and should not be
used. Note the comparison of WEP and WPA on page 385. When you set up a wireless access point,
WEP is still offered as an encryption choice. Don't use it. Use WPA2 instead, unless you have to provide
access to devices that do not speak it.
Reference:

1. https://stevevincent.info/CSS111_2014_4.htm
2. https://stevevincent.info/CSS111_2014_5.htm

WEEK 11: (PHYSICAL SECURITY)

 SELF-CHECK MD-10.1.1

Identify: Identify the following question:

1. ___________- a message that has not been encrypted or has been decrypted
2. ___________- to change an ordinary message with a code or cipher system so that the message
is unreadable
3. ___________- to change and encrypted message to plaintext
4. ___________- the difference between a cipher and a code is that a cipher uses one symbol to
stand for another, while a code can use a symbol to stand for several symbols or words
5. ___________-that is incredibly easy to crack: he wrote down the Latin alphabet on one line,
then wrote it again on a second line, offset by three characters, which was used as an
encrypting/decrypting tool.
 SELF-CHECK ANSWER KEY MD-10.1.1

1. PLAINTEXT, CLEARTEXT
2. ENCRYPT, ENCIPHER
3. DECRYPT, DECIPHER
4. CIPHER OR CODE
5. SUBSTITUTION CIPHER