Cryptography Algorithms


What is the purpose of the ISAKMP protocol?

To manage keys, security associations, and security parameters index

How does SSH set up a secure connection?

By setting up a secure tunnel

What is the primary function of S/MIME?

To create a digital envelope for secure email

What is the purpose of a digital envelope in S/MIME?

To protect the confidentiality of email

What is the primary feature of PGP?

Uses a web of trust for key authentication

What is the purpose of whole drive encryption?

To protect data at rest

What is a type of attack on cryptography?

Ciphertext-only attack

What is the purpose of a key ring in PGP?

To store learned keys

What is a potential security risk associated with shared tenancy?

Poor visitor security practices

What is the demarcation point?

The point where the ISP's responsibility ends and the customer's begins

Why is it important to know where data is located?

To prevent data loss due to theft or disaster

What is a recommended approach for very secure sites?

Constructing multiple segregated demarcs

What is a potential risk associated with adjacent buildings?

Attackers can enter through a shared wall

What is the purpose of asset tracking?

To track serial numbers and model numbers

What is the last line of defense in a defense-in-depth strategy?

Physical system defenses

What is a potential security risk associated with wireless security?

Adjacent buildings posing a security risk

What is the main advantage of ECC over other asymmetric algorithms?

It is more efficient and suitable for environments with limited processing power

What is the main disadvantage of symmetric algorithms?

They are not scalable

What is the basis of the RSA algorithm?

The idea that there is no efficient way to factor the product of large prime numbers

What is the main advantage of asymmetric algorithms over symmetric algorithms?

They provide non-repudiation and do not require exchange of secret information

What does the Diffie-Hellman algorithm provide?

Secure key-agreement without pre-shared secrets

What is the function of the client in the hybrid cryptography process of SSL/TLS?

The client initiates a secure connection and generates a symmetric session key

What is the main difference between symmetric and asymmetric algorithms?

Symmetric algorithms are faster and asymmetric algorithms are slower

What is the concept referred to in the RSA algorithm?

Trap-door function

What is the primary concern of the physical security domain in the CISSP exam?

Human safety

What type of attack involves an attacker capturing ciphertext and also knowing what a portion of the message is in plaintext?

Known Plain Text

What is the primary goal of perimeter defenses in physical security?

To prevent, detect, and correct unauthorized physical access

What type of attack involves an attacker trying to learn what each key does individually in an algorithm like 3DES?

Meet in the Middle

What is the term used to describe an attacker who can see whatever they want in plain or ciphertext and has compromised a workstation?

Lunchtime attack

What is the main objective of an attacker in a Chosen Plaintext attack?

To see the full text encrypted and decrypted

What is the recommended humidity level for a data center?

40-55%

What is the primary benefit of using a higher temperature set point in a data center?

Increased energy efficiency

What is the purpose of proper grounding in a data center?

To mitigate static discharge

What is the result of high humidity levels in a data center?

Increased risk of corrosion

What is the purpose of antistatic sprays and wrist straps in a data center?

To mitigate static discharge

What is the common problem that can cause overheating and static buildup in a data center?

Airborne dust particles

What is the consequence of CPU fan impeded by dust buildup?

CPU failure due to overheating

What is the recommended temperature range for a data center according to the 2008 ASHRAE recommendations?

64.4 °F (18 °C) to 80.6 °F (27 °C)

Study Notes

Symmetric Algorithms

  • DES, 3DES, AES, RC4, RC5, Twofish, Blowfish, IDEA, CAST, MARS, Skipjack are examples of symmetric algorithms
  • These algorithms are fast, but not scalable, and do not provide integrity, authenticity, or non-repudiation

Asymmetric Algorithms

  • RSA, DSA, ECC (Elliptic Curve Cryptography), ElGamal, Diffie-Hellman, Knapsack are examples of asymmetric algorithms
  • These algorithms are slow, but scalable and provide integrity, authenticity, and non-repudiation

RSA

  • Named after Rivest, Shamir, and Adleman
  • Currently the standard for digital signatures
  • Uses the idea that there is no efficient way to factor the product of large prime numbers
  • The math used for RSA is sometimes referred to as a trap-door function

Diffie-Hellman

  • The first asymmetric algorithm
  • Enables secure key-agreement without pre-shared secrets
  • Based on discrete logarithms in a finite field

ECC (Elliptic Curve Cryptography)

  • Based on plotting points upon a curve
  • Very efficient, but only designed to work within certain environments
  • Frequently used for handheld devices due to their limited processing capability

Hybrid Cryptography in SSL/TLS

  • Client initiates a secure connection
  • Server responds by sending its public key to the client
  • The client then generates a symmetric session key
  • Oakley uses Diffie-Hellman to agree upon a key
  • ISAKMP (Internet Security Association and Key Management Protocol) manages keys, security associations (SAs), and security parameters index (SPI)

SSH (Secure Shell)

  • A secure alternative to insecure remote administrative protocols
  • Telnet, FTP, and the R-utilities (rlogin, etc.) transmit credentials in clear text
  • SSH sets up a secure tunnel

Security Associations and SPIs

  • Manage keys, security associations (SAs), and security parameters index (SPI)

S/MIME (Secure Multipart Internet Mail Exchange)

  • A standard for secure email by creating a digital envelope
  • Sender functions: calculate hash value on message, encrypt message with session key, encrypt hash value with private key, encrypt session key with receiver’s public key
  • Receiver functions: decrypt session key with private key, decrypt hash value with sender’s public key, decrypt message, calculate hash value and compare with one sent

PGP (Pretty Good Privacy)

  • A proprietary mail standard from Phil Zimmermann
  • Free, but proprietary software must be installed
  • Uses Web of Trust
  • Passphrases instead of passwords
  • Learned keys are stored in a file called the key ring

Protecting Confidentiality of Data at Rest

  • Data stored on local drives must be protected
  • Log off of workstations not in use
  • Use encryption within the operating system (e.g. EFS in a Windows environment)
  • Whole drive encryption: protects the hard drive in the event the disk is stolen
  • TPM (Trusted Platform Module)
  • USB
  • Directory Services

Attacks on Cryptography

  • Ciphertext Only: Attacker has captured encrypted text on the network
  • Known Plain Text: Attacker has captured cipher text, but also knows what a portion of the message is in plain text
  • Chosen Plaintext: Attacker can see the full text encrypted and decrypted
  • Chosen Ciphertext: Attacker can see whatever they want in plain or ciphertext
  • Meet in the Middle (Not to be confused with Man in the Middle): An attacker tries to learn what each key does individually

Physical Security

  • Physical assets: people, buildings, systems, and data
  • CISSP exam considers human safety as the most critical concern of this domain - trumps all other concerns
  • Physical security protects against threats such as unauthorized access and disasters, both man-made and natural

Perimeter Defenses

  • Help prevent, detect, and correct unauthorized physical access
  • Should employ defense-in-depth
  • Defenses: Fences, doors, walls, locks, etc.

Site Selection, Design, and Configuration

  • Shared Tenancy and Adjacent Buildings: Other tenants in a building can pose security issues
  • Attackers can enter a less secure adjacent building and use that as a base to attack an adjacent building, often breaking in through a shared wall
  • Many bank heists have been pulled off this way, including the theft of over $20 million from the British Bank of the Middle East in 1976
  • Site selection, design, and configuration should consider shared tenancy and adjacent buildings

Physical System Defenses

  • One of the last lines of defense in a defense-in-depth strategy
  • Assume an attacker has physical access to a device or media containing sensitive information
  • Asset Tracking: You cannot protect your data unless you know where (and what) it is

Heat and Humidity

  • Humidity levels of 40-55% are recommended
  • A commonly recommended “set point” temperature range for a data center is 68-77 °F (20-25 °C)
  • With sufficient data center airflow, higher temperatures can be used
  • This can result in energy savings; however, the data center may heat to dangerous levels more quickly in the event of HVAC failure

Static and Corrosion

  • Sudden static discharge can cause damage from system reboots to chip or disk damage
  • Static is mitigated by maintaining proper humidity, properly grounding all circuits, and using antistatic sprays, wrist straps, and work surfaces
  • High humidity levels can allow the water in the air to condense onto (and into) equipment, which may lead to corrosion

Airborne Contaminants

  • Dust is a common problem: airborne dust particles can be drawn into computer enclosures, where they become trapped
  • Built-up dust can cause overheating and static buildup
  • CPU fans can be impeded by dust buildup, which can lead to CPU failure due to overheating
  • Other contaminants can cause corrosion or damaging chemical reactions

This quiz covers various symmetric and asymmetric encryption algorithms, including DES, AES, RSA, and more. Test your knowledge of cryptography concepts and techniques.
