Chapter 10

Understanding Cryptography
and PKI

CompTIA Security+
Get Certified Get Ahead
By Darril Gibson

GetCertifiedGetAhead.com © 2021 YCDA, LLC

 Introduction

• Introducing Cryptography Concepts

• Providing Integrity with Hashing
• Understanding Password Attacks
• Providing Confidentiality with Encryption
• Using Cryptographic Protocols
• Exploring PKI Components
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Cryptography Concepts - Integrity

• Provides assurances that data has not been modified

• Hashing ensures that data has retained integrity
• A hash is a number derived from performing a calculation
on data
• If the data is unchanged the hash will always be the same
number
• Common hashing algorithms include MD5, SHA, HMAC
• Each algorithm creates a fixed-size string of bits
– Example: MD5 creates a hash of 128 bits

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Cryptography Concepts - Confidentiality

• Ensures only authorized users can view data

• Encryption protects the confidentiality of data
• Encryption ciphers data to make it unreadable
• Encryption normally includes algorithm and key
• Symmetric encryption
– Uses the same key to encrypt and decrypt data
• Asymmetric encryption
– Uses two keys (public and private) created
as a matched pair
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Cryptography Concepts
• Authentication validates an identity
• Non-repudiation
– Prevents a party from denying an action
• Digital signatures
– Provide authentication, non-repudiation, and integrity
– Users sign emails with a digital signature
• Digital signature is a hash of an email message encrypted
with the sender’s private key
• Only the sender’s public key can decrypt the hash
• Provides verification it was encrypted with the sender’s
private key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Providing Integrity with Hashing
• Hashing provides integrity for data
– Email, downloaded files, files stored on a disk
– A one-way function that creates a string of characters
• A hash is a number
– Sometimes called a checksum
– You cannot reverse the hash
– You cannot re-create the original data from the hash
– Created with a hashing algorithm
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA) family
• HMAC

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Hashing Protocols

• To verify integrity
– MD5 (use is discouraged)
– SHA (SHA-3 previously known as Keccak)

• To verify integrity and authenticity

– HMAC (HMAC-MD5 and HMAC-SHA1)
• Uses a shared secret
• IPsec and TLS use HMAC-MD5 and HMAC-SHA1

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Hashing Passwords
• Passwords often stored as hashes

• Password attacks attempt to discover

passwords
– Guess a password

– Hash the guessed password

– Compare the hash to the original hash

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Hashing Messages
• Hashing detects modified message

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Hashing Messages with HMAC
• HMAC prevents attacker from modifying hash

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Hash Collisions

• Hashing algorithm creates the same hash

from different inputs
– MD5 (highly susceptible)

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Understanding Password Attacks
• Attempt to discover, or bypass, passwords
used for authentication

– Online password attack (guess the password of an

online system)

– Offline password attack (guess the password stored

within a downloaded file, such as a database)

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Password Attacks
• Dictionary attacks
– Uses a dictionary of words
– Attempts every word in the dictionary to see if it
works

• Brute force
– Attempts to guess all possible character
combinations

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Password Attacks
• Spraying attacks
– Special type of brute force or dictionary attack
designed to avoid being locked out
• Pass the hash
– Attempts to use an intercepted hash to access an
account
• Birthday attacks
– Attempts to create a password that produces the
same hash as the user’s actual password
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Password Attacks

• Rainbow table attacks

– Attempts to discover the password from the hash

• Salting passwords
– Prevent rainbow table attacks, along with other
password attacks

• Key stretching
– Used to increase the strength of stored passwords
(Bcrypt, PBKDF2, and Argon2)
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Providing Confidentiality with Encryption

• Encryption provides confidentiality

– Helps ensure only authorized users can view data

– Applies to any type of data

• Data-at-rest (files, in a database, and so on)
• Data-in-transit or data in motion (sent over a network)

– Data-in-processing (sometimes called data in use_

• Not encrypted while in use
• If sensitive should be purged after use

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Providing Confidentiality with Encryption

• Two basic components of encryption

– Algorithm
• Performs mathematical calculations on data
• Algorithm always the same

– Key
• A number that provides variability
• Either kept private and/or changed frequently

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Symmetric Encryption
• Uses the same key to encrypt and decrypt data
– When transmitting encrypted data
• Uses key to encrypt data before transmission
• Uses same key to decrypt data when received

• Much more efficient encrypting large amounts of

data than asymmetric encryption

• RADIUS uses symmetric encryption

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Simple Symmetric Encryption Example
• Encryption algorithm uses substitution cipher
– Move forward ____ spaces to encrypt
– For example, move forward 3 spaces to encrypt

• Decryption algorithm
– Move back ____ spaces to decrypt
– For example, move back 3 spaces to decrypt

• With the key of 3

– Message is PASS and encrypted it is SDVV

• ROT13 always uses a key of 13

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Block vs. Stream Ciphers
• Block ciphers
– Encrypts data in specific sized blocks
• Often 64-bit blocks or 128-bit blocks
– Divides large files or messages into these blocks
– Encrypts each block separately

• Stream ciphers
– Encrypt data as a single bit or byte at a time in a stream
– An important principle when using a stream cipher
• Encryption keys should never be reused
• If a key is reused, it is easier to crack the encryption
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Symmetric Algorithms
• Advanced Encryption Standard (AES)
– Fast, efficient, strong symmetric block cipher
– 128-bit block cipher
– Uses 128-bit, 192-bit, or 256-bit keys

• Blowfish and Twofish

– Strong symmetric block cipher (widely used)
– 64-bit blocks
– Supports between 32 and 448 bits
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Symmetric Algorithms

• 3DES
– 64-bit block cipher

– Originally designed as a replacement for DES

– Uses multiple keys and multiple passes

– Not as efficient as AES

– 3DES is still used in some applications, such as

when hardware doesn’t support AES
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Private Key / Public Key matched pair
– One key encrypts, the other key decrypts

– Only a private key can decrypt information encrypted with a matching

public key

– Only a public key can decrypt information encrypted with a matching

private key

– Private key stays private

– Public key shared in a certificate

– Asymmetric encryption methods require certificate and PKI

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Key exchange

– Used to share cryptographic keys between two

entities

– Asymmetric encryption uses key exchange to share

a symmetric key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Rayburn Box

Rayburn Box Rayburn Box

Locked by one key Unlocked by the other key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Rayburn box used to send secrets
– Encryption

Rayburn Box Rayburn Box

Locked by one key Unlocked by the other key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Rayburn box used for authentication
– Digital signature

Rayburn Box Rayburn Box

Locked by one key Unlocked by the other key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificates

• Used for

– Encryption

– Authentication

– Digital signatures

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificates
• Includes

– Serial number

– Issuer

– Validity dates

– Subject

– Public key

– Usage
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Asymmetric Encryption
• Ephemeral keys
– Short lifetimes
– Re-created for each session
– Perfect forward secrecy

• Elliptic curve cryptography (ECC)

– Commonly used with small wireless devices
– Uses smaller key sizes requires less processing
power
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Other Encryptions
• Quantum computing

– Quantum key distribution (QKD)

– Post-quantum cryptography

• Lightweight Cryptography
– Deployed to smaller devices (RFID tags, sensor
nodes, smart cards, IoT devices)
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Other Encryptions
• Key length
– RSA (Rivest-Shamir-Adleman)

• Modes of operation
– Authenticated, counter, and unauthenticated

• Steganography
– Audio, image, video steganography
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Using Cryptographic Protocols
• Email digital signatures

– The sender’s private key encrypts (or signs)

– The sender’s public key decrypts Knowing which key
encrypts and which key
decrypts will help you
answer many questions.
• Email encryption

– The recipient’s public key encrypts

– The recipient’s private key decrypts
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Using Cryptographic Protocols
• Website encryption
Knowing which key
encrypts and which key
– The website’s public key encrypts decrypts will help you
It encrypts a symmetric key answer many questions.

– The website’s private key decrypts

It decrypts a symmetric key

– The symmetric key encrypts data in the website

session

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Digital Signature
• Encrypted hash of a message
– The sender’s private key encrypts the hash
– Recipient decrypts hash with sender’s public key
– Provides

• Authentication – identifies the sender

• Non-repudiation – prevents the sender from denying the
action
• Integrity – verifies the message has not been modified

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Digital Signature
• Signing email with a digital signature
Sender Recipient

I passed! I passed!

Digital Digital
Signature Signature
Lisa Bart
Hash of message Encrypted hash
encrypted with decrypted with
sender’s private key sender’s public key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Encrypting Email
• Using only asymmetric encryption
(Not common)

1. Lisa retrieves a copy of Bart’s certificate that contains

his public key

2. Lisa encrypts the email with Bart’s public key

3. Lisa sends the encrypted email to Bart

4. Bart decrypts the email with his private key

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Encrypting Email
• Using symmetric and asymmetric encryption

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Decrypting Email
• Using symmetric and asymmetric encryption

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Protecting Email
• S/MIME and PGP/GPG
• Both:
– Use RSA algorithm
– Use public and private keys for encryption and
decryption
– Use certificates
– Can digitally sign and encrypt email
• Including email at rest and in transit
– OpenPGP (PGP-based standard)
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Transport Encryption
• Protects confidentiality of transmitted data
– SSH, IPsec, HTTPS, SSL, and TLS

– IPsec must use HMAC for authentication and integrity

– IPsec can use either AES or 3DES for encryption

– IPsec’s ESP encrypts the entire packet

– Creates an additional IP header

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 TLS and SSL
• TLS is the replacement for SSL

– SSL deprecated
– Both require certificates issued by CAs

• TLS used in HTTPS

– HTTPS uses a combination of symmetric and
asymmetric encryption to encrypt HTTPS sessions
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Client requests
1
secure session

Server responds
with certificate

Encrypting
3 4 5
HTTPS
Client creates Encrypted Server decrypts
traffic with symmetric key symmetric key symmetric key
and encrypts it sent to server with private key
TLS with public key
UcaNP@$$

6
The session is encrypted
with the session key using
symmetric encryption
 Other Cryptographic Protocols
• Blockchain
– Public record-keeping technology
– Distributed, decentralized, public ledger

• Crypto Diversity
– Using different methods to protect security keys

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Other Cryptographic Protocols
• Limitations
– Resource versus security constraint
– Speed and time
– Size and computational overhead
– Entropy
– Predictability
– Weak keys
– Longevity
– Reuse
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Other Cryptographic Protocols
• Plaintext attack
– Also called a known plaintext
– Attacker has some known plaintext data and the
ciphertext created from this plaintext

• Use cases

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Exploring PKI Components
• Public Key Infrastructure
– Includes components required for certificates
– Allows two entities to privately share symmetric
keys without any prior communication

• Certificate Authority (CA)

– Issues, manages, validates, and revokes certificates

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificate Trust Models
• Trusted root certification authorities

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Trust Models
• Certificate chain
– Root CA
– Intermediate Cas
– Child CAs
– All certificates issued by
trusted CAs are trusted
– Errors when a site uses an
untrusted certificate

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Registration Authority and CSRs
• Certificate signing request (CSR)
– PKCS #10 format
– Create the RSA-based private key, which is used to
create the public key
– Include the public key in the CSR
– The CA will embed the public key
in the certificate.

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Other PKI Components
• Online Versus Offline CAs
– Online (accessible over a network, it’s possible to
submit the CSR using an automated process)
– Offline (to reduce the risk of compromise)

• Updating certificates

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Revoking Certificates
• Reasons
– Key or CA Compromise – Employee Leaves
– Change of Affiliation – Superseded
– Cease of Operation – Certificate Hold

• Revoked certificates
– Revoked by serial number
– Published in Certificate Revocation List (CRL)
– Publicly available
GetCertifiedGetAhead.com © 2021 YCDA, LLC
 Certificate Revocation List
• Issued in a
version 2
certificate

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Validating Certificates
CRL alternative
is OCSP
Web server
Client in DMZ OCSP answers
2
1 • Good
• Revoked
• Unknown

CRL

4
OCSP Stapling
CA

GetCertifiedGetAhead.com © 2021 YCDA, LLC

 Certificates
• Public key pinning
– Helps prevent web site impersonation
• Key escrow
– Maintains a copy of a private key for recovery

– Used if the original is lost

• Key management
– Steps taken to manage public and private keys
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificate Types
• Machine/computer
• User
• Email
– Encryption and digital signatures
• Code signing
– Validates authentication of code
• Self-signed
– Not issued by CA
• Root
– Issued by the root CA

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificate Types
• Wildcard
– Same root domain
• Subject Alternative Name (SAN)
– Different root domains, but
same organization
• Domain validation
– CA takes extra steps to contact
requestor
• Extended validation
– Additional steps beyond
domain validation
GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Certificate Formats

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized

 Chapter 10 Summary
• Introducing Cryptography Concepts
• Providing Integrity with Hashing
• Understanding Password Attacks
• Providing Confidentiality with Encryption
• Using Cryptographic Protocols
• Exploring PKI Components
• Check out the free online labs

GetCertifiedGetAhead.com © 2021 YCDA, LLC

PDF Versions of Study Guide Are Not Authorized