Chapter 14 - 01 - Discuss Cryptographic Security Techniques - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Cryptography Asymmetric Encryption o ° Q Unlike symmetric encryption, asymmetric encryption uses two separate keys to carry out encryption and decryption; one key, called the public key, is used for encrypting messages, whereas the second key, called the private key, is used for decrypting messages Q 1tis also called public key encryption and is used to encrypt small amounts of data D Receiver selects a public and a private key and sends the public key to the sender E@ : R ‘ = ' \ s \ | O Receiver Sender uses the public key to encrypt the message and sends it to the receiver Receiver decrypts the data using the private key and reads the message Asymmetric Encryption Asymmetric encryption was introduced for solving key-management problems. Asymmetric encryption involves a public key and a private key. The public key is publicly available, whereas the sender keeps the private key a secret. It is also called public key encryption and is used to encrypt small amounts of data. Asymmetric encryption uses the following sequence to send a message: 1. Anindividual finds the public key of the person they want to contact in a directory. 2. This public key is used for encrypting a message that is sent to the intended recipient. 3. The receiver uses the private key to decrypt the message for reading it. No one except the holder corresponding public key. of the private key can decrypt a message composed with the This increases the security of the information because all communications involve only public keys; the message sender never transmits or shares the private keys. The sender must link the public keys with the usernames in a secured method to ensure that unauthorized individuals, claiming to be the intended recipient, do not intercept the information. To meet the requirement of authentication, one can use digital signatures. Module 14 Page 1642 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Cryptography Exam 212-82 et \ Public Key ’ Gooreerersatantantetttettetnstetatesssesaesanes. Private Ke Receiver selects a public and a private key and sends the public key to the sender v > \ Sender Receiver Sender uses the public key to encrypt the message and sends it to the receiver Receiver decrypts the data using the private key and reads the message Figure 14.4: Asymmetric Encryption Advantages: = |tis more secure than symmetric encryption. = There is no need to distribute the keys. Disadvantages: = |t takes a longer processing time than symmetric encryption since it involves various combinations of secret keys and public keys. = Various complex algorithms involved in the process of asymmetric encryption also increase the time taken to implement it. Module 14 Page 1643 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Government Access to Keys (GAK) @ GAK means that software companies will give copies of all keys (or at least a sufficient proportion of each key that the remainder could be cracked) to the government The government promises that they will hold on to the keys in a secure manner and will only use them when a court issues a warrant to do so 0 To the government, this is similar to the ability to wiretapping phones Cryptographic Key v v_ | ¥ ¥ v Item D Copyright © by EC-C cll. All Rights Reserved. Reproductionis Strictly Prohibited Government Access to Keys (GAK) Government Access to organizations to disclose Keys their (GAK) refers to the cryptographic keys statutory obligation to government of individuals agencies. It means and that software companies will give copies of all keys (or at least enough of the key such that the remainder can be cracked) to the government. Law enforcement agencies around the world acquire and use these cryptographic keys to monitor suspicious communication and collect evidence of cybercrimes in the interests of national security. The government promises that it will hold on to the keys in a secure manner and only use them when a court issues a warrant to do so. To the government, this issue is similar to the ability to wiretap phones. Government agencies often use key escrow for uninterrupted access to keys. Key escrow is a key exchange arrangement in which essential cryptographic keys are stored with a third party in escrow. The third party can use or allow others to use the encryption keys under certain predefined circumstances. The third party, with regard to GAK, is generally a government agency that may use the encryption keys to decipher digital evidence under authorization or a warrant from a court of law. However, there is growing concern about the privacy and security of cryptographic keys and information. Government agencies are responsible for protecting these keys. Such agencies generally use a single key to protect other keys, which is not a good idea, as revealing a single key could expose the other keys. These agencies are not aware of how confidential the information protected by the keys is, which makes it difficult to judge how much protection is required. In cases where seized keys also protect other information that these agencies have no right to access, the consequences of key revelation cannot be determined, because government agencies are not aware of the information that the keys protect. In such cases, the key owner is liable for the consequences of key revelation. Before owners hand over their keys to government agencies, they need to be Module 14 Page 1644 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography assured that the government agencies will protect these keys according to a sufficiently strong standard to protect their interests. Cryptographic Key P | T TS. \4 v : ltemA ItemB |: * Items to which the GAK has right of access R L ).; N D rsasa seeriennnenn seeeefereseeresreseirai et Item C Item D. st aaaasaaaanas ceeees..g Item E g..............'.‘f‘.‘!f.‘.".!’t’f‘ff'.’.f'.‘?.?.‘?!‘.5‘.“.’.."!‘.’.fi.%'.‘f.‘ff.?.‘.‘.’:’.‘...............g Figure 14.5: lllustration of GAK Module 14 Page 1645 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.