EC Council CCT Module 14-L PDF
Document Details
Uploaded by Deleted User
Emmanuel Ayamaba
Tags
Summary
This document provides an overview of cryptography, including cryptographic techniques, encryption, and hashing. It discusses different cryptographic tools and concepts related to Public Key Infrastructure.
Full Transcript
WITH @CDR AYAM MODULE 14 Cryptography Describe cryptographic techniques Understand the different encryption algorithms Understand the different hashing algorithms Use di...
WITH @CDR AYAM MODULE 14 Cryptography Describe cryptographic techniques Understand the different encryption algorithms Understand the different hashing algorithms Use different cryptography tools and hash calculators Explain public key infrastructure (PKI) and certificate management concepts Understand various applications of cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Objectives of Cryptography Confidentiality: Assurance that the information is accessible only to those authorized to access it. Integrity: Trustworthiness of data or resources in terms of preventing improper and unauthorized changes. Authentication: Assurance that the communication, document, or data is genuine. Nonrepudiation: Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Symmetric Encryption & Asymmetric Encryption Symmetric encryption (symmetric key encryption): encrypt/decrypt a message using the same key Key: a piece of information or sequence of bits Asymmetric encryption (asymmetric key encryption): one key used for encryption (public key), another key used for decryption (private key) EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Advantages/Disadvantages of Asymmetric & Symmetric Advantages Symmetric Key Encryption: Advantages Asymmetric Key Encryption: It is easy to encrypt and decrypt a message. It is more secure than symmetric encryption. It is faster than asymmetric encryption. There is no need to distribute the keys. It is used to encrypt large amounts of data. Disadvantages Asymmetric Key Encryption: Disadvantages Symmetric Key Encryption: It takes a longer processing time than symmetric encryption since it involves various combinations of The communicating parties need to share the key secret keys and public keys. used for transmitting the data. Various complex algorithms involved in the process of Unauthorized access to a symmetric key leads to the asymmetric encryption also increase the time taken to compromise of data at both ends. implement EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Difference between Symmetric & Asymmetric Basis of Comparison Symmetric Encryption Asymmetric Encryption Encryption key Same key for encryption & decryption Different keys for encryption & decryption Encryption is slow due to high Performance Encryption is fast but more vulnerable computation Algorithms DES, 3DES, AES and RC4 Diffie-Hellman, RSA Often used for securely exchanging secret Purpose Used for bulk data transmission keys EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Government Access to Keys (GAK) Government Access to Keys (GAK) refers to the statutory obligation of individuals and organizations to disclose their cryptographic keys to government agencies. It means that software companies will give copies of all keys (or at least enough of the key such that the remainder can be cracked) to the government. Law enforcement agencies around the world acquire and use these cryptographic keys to monitor suspicious communication and collect evidence of cybercrimes in the interests of national security. The government promises that it will hold on to the keys in a secure manner and only use them when a court issues a warrant to do so. To the government, this issue is similar to the ability to wiretap phones. Government agencies often use key escrow for uninterrupted access to keys. Key escrow is a key exchange arrangement in which essential cryptographic keys are stored with a third party in escrow. The third party can use or allow others to use the encryption keys under certain predefined circumstances. The third party, with regard to GAK, is generally a government agency that may use the encryption keys to decipher digital evidence under authorization or a warrant from a court of law. However, there is growing concern about the privacy and security of cryptographic keys and information. Government agencies are responsible for protecting these keys. Such agencies generally use a single key to protect other keys, which is not a good idea, as revealing a single key could expose the other keys. @CDR AYAM EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Ciphers In cryptography, a cipher is an algorithm (a series of well-defined steps) for performing encryption and decryption. Encipherment is the process of converting plaintext into a cipher or code; the reverse process is called decipherment. A message encrypted using a cipher is rendered unreadable unless its recipient knows the secret key required to decrypt it. Communication technologies (e.g., Internet, cell phones) rely on ciphers to maintain both security and privacy. Cipher algorithms may be open-source (the algorithmic process is in the public domain while the key is selected by a user and is private) or closed-source (the process is developed for use in specific domains, such as the military, and the algorithm itself is not in the public domain). Furthermore, ciphers may be free for public use or licensed. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Types of Ciphers 1. Classical Ciphers Classical ciphers are the most basic type of ciphers, which operate on letters of the alphabet (A–Z). These ciphers are generally implemented either by hand or with simple mechanical devices. Because these ciphers are easily deciphered, they are generally unreliable. Types of classical ciphers a) Substitution cipher: The user replaces units of plaintext with ciphertext according to a regular system. The units may be single letters, pairs of letters, or combinations of them, and so on. The recipient performs inverse substitution to decipher the text. Examples include the Beale cipher, autokey cipher, Gronsfeld cipher, and Hill cipher. For example, “HELLO WORLD” can be encrypted as “PSTER HGFST” (i.e., H=P, E=S, etc.). b) Transposition cipher: Here, letters in the plaintext are rearranged according to a regular system to produce the ciphertext. For example, “CRYPTOGRAPHY” when encrypted becomes “AOYCRGPTYRHP.” Examples include the rail fence cipher, route cipher, and Myszkowski transposition. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Types of Ciphers 2. Modern ciphers are designed to withstand a wide range of attacks. They provide message secrecy, integrity, and authentication of the sender. A user can calculate a modern cipher using a one-way mathematical function that is capable of factoring large prime numbers. Types of Modern ciphers a) Based on the type of key used Symmetric-key algorithms (Private-key cryptography): Use the same key for encryption and decryption. Asymmetric-key algorithms (Public-key cryptography): Use two different keys for encryption and decryption. b) Based on the type of input data: Block cipher: Deterministic algorithms operating on a block (a group of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers. They are widely used to encrypt bulk data. Examples include DES, AES, IDEA, etc. When the block size is less than that used by the cipher, padding is employed to achieve a fixed block size. Stream cipher: Symmetric-key ciphers are plaintext digits combined with a key stream (pseudorandom cipher digit stream). Here, the user applies the key to each bit, one at a time. Examples include RC4, SEAL, etc. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Data Encryption Standard (DES) A standardized encryption algorithm approved by the U.S. government in 1977. It uses a 56-bit key, which is sometimes stored with additional parity bits, extending its length to 64 bits. DES is a block cipher which encrypts and decrypts 64-bit data blocks. It is now considered insecure. In 1998, a cracker could crack the key in 3 days. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Advanced Encryption Standard (AES) AES replaced Triple DES (which was to deploy) and the DES. A symmetric fast block cipher algorithm with variable key length and block sizes of 128, and converts them into ciphertext using key of 128, 192 or 256 bits. An official U.S. government standard since 2002. Now widely used for commercial and private encryption purposes. The algorithm is public, and its use is unrestricted, with no royalties or license fees owed to the inventors or the government. Unlike DES, AES performs on byte data instead of bit data The number of rounds of the encryption process depends on the key being used 128 bits key length = 10 rounds 192 bits key length = 12 rounds 256 bits key length = 14 rounds EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography RSA Algorithm RC4 is a variable key-size symmetric-key stream cipher with byte-oriented operations, and it is based on the use of a random permutation. According to some analyses, the period of the cipher is likely to be greater than 10,100. Each output byte uses 8 to 16 system operations; thus, the cipher can run fast when used in software. RC4 enables safe communications such as for traffic encryption (which secures websites) and for websites that use the SSL protocol. RC5 RC5 is a fast symmetric-key block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security). The algorithm is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. The block sizes can be 32, 64, or 128 bits. The range of the rounds can vary from 0 to 255, and the size of the key can vary from 0 to 2,040 bits. This built-in variability can offer flexibility at all levels of security. The routines used in RC5 are key expansion, encryption, and decryption. In the key expansion routine, the secret key that a user provides is expanded to fill the key table (the size of which depends on the number of rounds). RC5 uses a key table for both encryption and decryption. The encryption routine has three fundamental operations: integer addition, bitwise XOR, and variable rotation. The intensive use of data- dependent rotation and the combination of different operations make RC5 a secure encryption algorithm. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography RSA Algorithm RC6 is a symmetric-key block cipher derived from RC5. It is a parameterized algorithm with a variable block size, key size, and number of rounds. Two features that differentiate RC6 from RC5 are integer multiplication (which is used to increase the diffusion, achieved in fewer rounds with increased speed of the cipher) and the use of four 4-bit working registers rather than two 2-bit registers. RC6 uses four 4-bit registers instead of two 2- bit registers because the block size of the AES is 128 bits. Stands for Rivest, Shamir and Adleman who first publicly described it. RSA type of public-key cryptography widely used for data encryption of e-mail and other digital transactions over the Internet. The RSA algorithm involves three steps: key generation encryption EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA decryption @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Digital Signature Algorithm (DSA) Processes involved in DSA: Benefits of DSA: a) Signature generation process: A private key is used Less chances of forgery than in the case of a written to sign the digital message. signature b) Signature verification process: A public key is used Quick and easy method for business transactions to verify whether the given digital signature is genuine. Fake currency problem can be drastically reduced DSA is a public-key cryptosystem as it involves the use of both private and public keys. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Rivest Shamir Adleman (RSA) a) Ron Rivest, Adi Shamir, How cryptography uses RSA algorithm in a practical exchange: and Leonard Adleman formulated RSA, a public- The sender encrypts a message using a randomly chosen DES symmetric key cryptosystem for key. DES is a relatively insecure symmetric-key system that uses 64-bit Internet encryption and encryption (56 bits for key-length, 8 bits for cyclic redundancy check) to authentication. RSA uses a encrypt data. modular arithmetic and The sender then looks up the recipient’s public key and uses it to encrypt elementary number the DES key using the RSA system. The sender transmits an RSA digital envelope, consisting of a DES- encrypted message and an RSA-encrypted DES key, to the recipient. The recipient decrypts the DES key using his/her RSA private key and uses it to decrypt the message itself. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 1. Elliptic Curve Cryptography (ECC) is a modern public-key cryptography developed to avoid larger cryptographic key usage. The asymmetric cryptosystem depends on number theory and mathematical elliptic curves (algebraic structure) to generate short, quick, and robust cryptographic keys. RSA is an incumbent public-key algorithm, but its key size is large. The speed of the encryption always depends on the key size: a smaller key length allows faster encryption. To minimize the key size, elliptic curve cryptography has been proposed as a replacement for the RSA algorithm. The operational key sizes of both algorithms to achieve similar goals are listed below: EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 2. Quantum Cryptography As the world is increasingly adopting online information sharing, cryptosystems are witnessing a sharp increase in security attacks. Since mathematical encryption uses binary digits (0 and 1), it can be easily eavesdropped on or manipulated using various techniques. Hence, quantum cryptography has been introduced to protect data from theft midway (e.g., MITM attacks). This cryptography is processed based on quantum mechanics, such as quantum key distribution (QKD), using photons instead of mathematics as a part of encryption. In quantum cryptography, the data are encrypted by a sequence of photons that have a spinning trait while traveling from one end to another end. These photons keep changing their shapes during their course through filters: vertical, horizontal, forward slash, and backslash. Here, vertical and backslash spins imply “ones,” while horizontal and forward slash spins imply “zeros.” 1 Horizontal (–): 0 2 Vertical (|): 1 3 Backslash (/): 1 4 Forward slash (\): 0 Attackers can eavesdrop on but cannot manipulate the data because the photons are transferred through arbitrary filters. To breach this mechanism, attackers have to know the exact shape of the photons; if they fail to choose the right transmission, the photon polarization is distorted and the receiver detects an error indicating the eavesdrop. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 3. Homomorphic Encryption differs from conventional encryption mechanisms, where math operations are performed to encrypt the plaintext. Homographic encryption allows users to secure and leave their data in an encrypted format even while it is being processed or manipulated. In this technique, encryption and decryption are performed by the same key holder. The homomorphic mechanism enables the user/sender to encrypt the confidential data and out-source it to an enterprise via cloud services to process the given data. How homomorphic encryption differs from other encryption mechanisms: In private key encryption: Only keyholders can generate and decrypt ciphertexts using similar keys. In public key encryption: Only the public keyholder generates the ciphertext and the secret keyholder decrypts the ciphertext. The reason for using this cryptography is that an untrusted entity can manipulate the data. Hence, this mechanism allows the sender himself/herself to encrypt and decrypt the data, allowing anyone to perform mathematical operations on the ciphertext with respect to the rules applied by the sender. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 4. Hardware-based encryption is a technique that uses computer hardware for assisting or replacing the software when the data encryption process is being performed. Devices that offer encryption techniques can be considered as hardware- based encryption devices. In the implementation of hardware-based encryption, the cryptography technique workload is transferred to the hardware processors, making the system resources free for performing other functions. These devices can also store encryption keys and other sensitive information in secured areas of RAM or other nonvolatile storage devices such as flash memory. Hardware encryption devices reduce instruction sets, where only the authorized code can be executed. These devices do not support third-party software, thereby preventing the execution of any malicious programs. Hardware encryption offers many advantages over software encryption, as it can perform rapid processing of algorithm. It provides tamper-resistant key storage and avoids unauthorized code. Some hardware-based encryption devices are wireless access points, Nitrokey, credit card terminals, and network bulk encryptors. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Types of Hardware-based Encryption Device Trusted Platform Module (TPM) is a crypto-processor or a chip that is present in the motherboard. It can securely store the encryption keys and perform many cryptographic operations. TPM offers various features such as authenticating platform integrity, providing full disk encryption capabilities, performing password storage, and providing software license protection. A hardware security module (HSM) is an additional external security device that is used in a system for crypto-processing, and it can be used for managing, generating, and securely storing cryptographic keys. HSM offers enhanced encryption computation that is useful for symmetric keys longer than 256 bits. High-performance HSM devices are connected to the network using TCP/IP. Some HSM devices include SafeNet Luna Network HSM, nSheild, Cloud HSM, and Cryptosec Dekaton. USB encryption is an additional feature for USB storage devices, which offers onboard encryption services. Encrypted USB devices need an on-device credential system or software-or hardware-based credentials from a computer. USB encryption provides protection against malware distribution over USB and helps in preventing data loss and data leakage. Some hardware USB- encrypted devices include Crypto USB, Kingston Ironkey D300S, and diskAshur Pro 500GB. Hard drive encryption is a technology whereby the data stored in the hardware can be encrypted using a wide range of encryption options. Hard drive encryption devices cannot use an on-device keyboard or fingerprint reader; instead, they need a TPM or an HSM. These devices can be installed as an internal drive on a computer. Some hard drive encryption devices include military-grade 256-bit AES Hardware Encryption and DiskCypher AES Sata Hard Drive Encryption. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 5. Post-quantum Cryptography is also known as quantum-resistant and quantum-proof cryptography, as it is an advanced cryptographic algorithm (mostly public-key based) designed to protect security systems from attacks initiated on both conventional and quantum computers. It can also work in conjunction with underlying communication protocols and operating networks. Moreover, post- quantum cryptography can serve as a stand-alone encryption algorithm that replaces current vulnerable cryptosystems complying with standard security policies. Post-quantum cryptography is intended to provide secure wide-range communication, secure secret-key processing, public-key-based signatures, and public-key-based encryption for high-end activities such as secure e-voting. The cryptography comprises several low-cost, secure systems and other systems that are usually employed for online communications. Post-quantum cryptography is aimed at preparedness for the age of quantum computing by updating specific algorithms and standards. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Other Encryption Techniques and Technologies 6. Lightweight Cryptography: A major challenge in current cryptography techniques is its usage in low-powered devices. Researchers are attempting to develop a compact algorithm that is quantum-safe and can be operated effectively on low-powered devices. Most current cryptographic algorithms are suitable for servers and desktops, but lightweight cryptographic algorithms are aimed at low-complexity applications such as RFID tags, sensor- based applications, and other IoT-based applications. The main objective of developing lightweight cryptography is to use less power and less resources without compromising security. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Electronic Code Book (ECB) Mode Cipher Block Chaining (CBC) Mode Electronic Code Book (ECB) Mode The ECB mode is a Cipher Block Chaining (CBC) Mode: The CBC mode is an straightforward process of encryption and decryption that improvement over ECB that rectifies most of the security requires plaintext, a secret key, and a block cipher encryption flaws in ECB. In the CBC mode, the process of encryption algorithm. The plaintext is divided into a fixed length of blocks, requires an initialization vector and a secret key. First, the which is equal to the size of the secret key. In the first stage, the plaintext is divided into blocks of the same size. The first encryption starts by taking the first block of the plaintext, and block is XOR with the initialization vector (IV), and the the secret key is taken as input to the block cipher encryption resultant is sent as input to the block cipher encryption algorithm; the output is the first block of ciphertext. The process algorithm, along with the secret key. The output is the first is repeated for all the plaintext blocks. block of ciphertext. This cipher block is used to perform XOR with the next plaintext block; the chain process On the destination side, decryption is performed in the same continues till the last block of plaintext. manner as generation of the first block of ciphertext. The secret key is taken as input to the block cipher decryption algorithm, On the destination side, the first block of ciphertext and which outputs the first block of plaintext. This process is secret key is sent to the block cipher decryption algorithm, repeated for all the ciphertext blocks. However, this mode has a and the result is XOR with the same IV. The output is the flaw: if the equally partitioned blocks of plaintext contain the first block of plaintext. For the next cipher blocks, in the same data, then the output cipher blocks also contain the same place of the IV, the previously ciphertext, providing analysts a chance to predict the plaintext. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Electronic Code Book (ECB) Mode Counter Mode Cipher Feedback (CFB) Mode In the CFB mode, previously Counter Mode: The counter mode is a block cipher mode generated ciphertext is used as feedback for the encryption of operation that uses a counter value in the encryption algorithm to encrypt the next plaintext block to ciphertext. First, and decryption process. A counter value is initiated and the initialization vector (IV) is stored in a shift register and sent to sent as the input to the block cipher encryption algorithm the encryption algorithm, along with a secret key. From the result with a secret key, and the result is subjected to the XOR of that encryption, the first S bits are selected, and the XOR operation with a block of plaintext. The output is the operation is performed with a plaintext block of size S. The ciphertext block. This process is performed in a sequential resultant output is the ciphertext block. For the next encryption manner to encrypt all the other plaintext blocks. On the block, the previous cipher block is given as the input to the shift destination side, this mode uses the same counter values register; it shifts S bits to the left, and the process is continued till and secret keys. The same encryption algorithm is used to the end of the plaintext. On the destination side, the decryption encrypt the counter value and secret key, the result is process is the same till the XOR operation. The XOR operation is subjected to the XOR operation with the obtained performed for the first S bits from the result of the encryption ciphertext block, and the output contains plaintext. The algorithm and the first cipher block, and the output is the first counter mode eliminates the problem of error propagation block of plaintext. For the subsequent blocks, the previously used because it does not use previously generated ciphertext in cipher block is taken as the input for the shift register, and the encryption or decryption. The counter mode requires process continues till the last cipher block. The advantage of this synchronized counter values on both the source and mode is that it makes cryptanalysis difficult as it has some data EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA destination sides. @CDR AYAM loss because of the use of shift registers. MODULE 14 Cryptography Cipher Modes of Operation Cipher modes of operation, also known as block cipher modes of operation, are used to encrypt a fixed block of plaintext using a secret key and, in some modes, an initialization vector. These modes of operation can ensure the confidentiality and authenticity of data. The client and server exchange an encrypted symmetric key securely to facilitate encryption and decryption. Discussed below are the four block cipher modes of operation that explain how source-side encryption and destination-side decryption work. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Authenticated encryption with Message Authentication Code (MAC) A MAC is a value obtained by hashing a plaintext message using a shared secret key. It provides integrity for the message, and the receiver can verify the message using the hash value attached to it. The following are the three different ways of using a MAC while encrypting a message. Encrypt-then-MAC (EtM): In this approach, the plaintext is first encrypted using a secret key. For the obtained ciphertext, a hash value called message authentication code (MAC) is generated. The MAC is attached to the ciphertext and transmitted. This approach provides higher security for the transmitted message than other AE approaches. Encrypt-and-MAC (E&M): In the E&M approach, a MAC is first generated for the plaintext, following which the plaintext is encrypted using a secret key. Finally, both the ciphertext and MAC are combined and transmitted. MAC-then-encrypt (MtE): In the MtE approach, a MAC is first generated for the plaintext using the hash function, and the MAC is combined with the plaintext. The combination of the plaintext and MAC is encrypted with a secret key to produce ciphertext. The ciphertext contains the encrypted MAC. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Authenticated Encryption with Associated Data (AEAD) AEAD is another approach used to ensure the integrity and authenticity of a message that contains both encrypted and unencrypted data. This approach adds additional data to the ciphertext at certain places to thwart chosen ciphertext attacks. The message header is kept unencrypted so that the receiver can verify the source of the message, and the payload is encrypted to ensure confidentiality. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Certification Authorities Certification Authorities (CAs) are trusted entities that issue digital certificates. The digital certificate certifies the possession of the public key by the subject (user, company, or system) specified in the certificate. This aids others to trust signatures or statements made by the private key that is associated with the certified public key. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography PKI Trust Models A trust model is a set of rules or constraints that instruct client applications on how to verify the authenticity of digital certificates. The trust is built from different security policies, services, operations, and protocols that provide interoperability through public-key encryption and certificate management and together provide a certain level of security. In public key infrastructure (PKI), the trust originates from a third party known as the certificate authority (CA). The PKI architecture explains its certificates and the trust relationships among them. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Different Types of Trust Models in PKI 1. Peer-to-peer trust model: In the peer-to- peer trust model, CAs do not have any intermediate CAs. There is no trust anchor between the CAs involved in the certificate process. In this model, clients usually depend on their local CAs, which serve as a starting point. The two CAs here are separate trust domains; only domain users can validate a domain user using their public key, which creates bi- directional trust. This type of trust model is useful for small organizations. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Different Types of Trust Models in PKI 2. Hierarchical trust model: This trust model is an inverted tree-like structure in which one master CA called a root is the initial point of trust. The root CA sends all the information to its descendants known as intermediate CAs or subordinate CAs, which only trust the information sent by the master CA. The master CA also trusts the intermediate CAs in the hierarchical structure. The leaf nodes are the users. All nodes in this model trust the master CA and hold the public key certificate of the master CA. The interaction between two users to validate themselves using the public key certificate should be performed through the root or master CA. The entire trust can be achieved from the root CA; any problem in the root CA can impact the overall trust in the PKI infrastructure. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Different Types of Trust Models in PKI 3. Hybrid trust model: This trust model is a combination of peer-to-peer and hierarchical trust models, in which root CAs perform peer-to-peer tasks by sharing public keys. The intermediate CAs trust only the respective root CAs and other intermediate CAs within the hybrid environment. Each root CA forms a separate trust domain with its child classes (nodes). This model is useful for cross-certification, where one domain user can verify another domain user. This is a widely used and easy operable model, in which two organizations or departments need to be combined. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Different Types of Trust Models in PKI 4. Bridge trust model: This model supports PKI apps across organizations and avoids conditions where clients need to hold the information of numerous trust points or enterprises wish to build crosslinks to various other enterprises (or departments). Bridge CAs (BCAs) reduce the number of cross- certificates needed to be associated with PKIs. In a BCA, one CA serves as a central hub for connecting all other CAs and acts as a communication medium for them. Every intermediate CA trusts only the CAs that are connected above and below it, but an additional CA can be constructed without generating extra layers of CAs. The major advantage of this model includes its flexibility and support for smooth interoperability between enterprises or departments. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Different Types of Trust Models in PKI 5. Web of trust (WoT): WoT is a trust model of PGP-, OpenPGP-, and GnuPG-accessible systems. It is based on the idea of decentralizing key distribution among PGP users. In PKI, only a centralized power such as the CA signs certificates in the network, ensuring authenticity between the public key and its owner. In WoT, everyone in the network is a CA and can sign for other trusted entities. WoT is a network chain in which individuals act as intermediaries to validate each other’s certificates using their signatures. These signatures verify the ownership of keys from various trust levels. There are various similar trust levels through direct or indirect references in WoT. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Key Management Lifecycle Processes 1. Key generation: Strong and secure key pairs are generated using standard algorithms. Key establishment or registration: The generated key should be specific to the user, system, or process with a name and attributes. The key is submitted to the CA to identify the public part of the key pair. The CA verifies the client and registers the key. Once the key is registered, it can be used for its intended purpose. 2. Key storage: The registered key will be used over the long term. Therefore, it needs to be stored in a protected storage space. It is imperative for client to ensure that the private key is stored securely and no unauthorized access is allowed 3. Key usage: The key should be used for its intended purpose by the client. The registered key is used to sign and encrypt the data and other keys. 4. Key archival: It is the backup or recovery mechanism used to obtain lost or stolen private key. 5. Key revocation: If the private key is compromised, the key pair must be revoked as early as possible so that it cannot be used for new encryption and decryption. If the key has already been used for encryption, it must be retained for some time. The administrator can restore the revoked key to decrypt the previously encrypted information. Key revocation is also performed when an organization closes its business activities, an employee leaves the organization, or the organization changes its domain name. 6. Key destruction: The key is destroyed on the expiry date (it can also be renewed). When it needs to be removed permanently, the decommissioned key should be deleted along with all its associated data and instances. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography How Certificate Pinning Works 1. A copy of the certificate integrated in the client’s application is used during the SSL/TLS handshake. 2. The client SDK checks whether the server certificate’s public key matches the application certificate’s public key. 3. If the pinning process is successful, the public key inside the certificate is used to check the integrity of the server certificate. 4. If the pinning process is unsuccessful, all SSL/TLS queries to the server are refused by the client application. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Online Certificate Status Protocol (OCSP) OSCP, also known as online revocation check, is an alternative to CRL for checking the status of certificate revocation. OCSP requests are sent to the CA using HTTP. The OCSP responder at the CA checks the certificate’s unique serial number and responds with its status. With this method, instead of going through the entire CRL, the client can check the certificate status using its unique serial number. The main disadvantage of this method is that the OSCP responder placed at the CA requires enormous processing resources to send responses to client requests. Moreover, the responder monitoring the client’s requests may have an impact on the client’s privacy. OSCP stapling has been introduced to solve these issues. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography How Certificate Stapling Works 1. The client’s web server sends an OCSP request to the issuer CA server. 2. The issuing CA replies with the OCSP status and a timestamp. 3. The web server caches the OCSP response and delivers it to the client, instead of making multiple requests on behalf of the client. 4. The client validates the signature on the timestamp to check if it is signed by the CA. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography Authentication Protocols: Shiva Password Authentication Protocol (S-PAP) Shiva Password Authentication Protocol (SPAP) is an extension to PAP that does encrypt the username and password that is sent over the Internet. SPAP is a proprietary version of PAP. Most experts consider SPAP somewhat more secure than PAP. This is because both username and password are encrypted before being transmitting over the network, unlike PAP which sends them in cleartext. EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM MODULE 14 Cryptography EC-COUNCIL CCT: CERTIFIED CYBERSECURITY TECHNICIAN BY EMMANUEL AYAMBA @CDR AYAM
