Chapter 8: Cryptology PDF

Summary

This chapter discusses various aspects of cryptography, including social engineering attacks, ransomware, and cryptographic algorithms. It also provides a quick review of key concepts in cryptography.

Full Transcript

Chapter 8: Cryptology
375
instead of letters “o”). The attacker needs to present her own certificate because she needs
the corresponding private key to complete the connection with the client and be able to
share the secret session key. There are a few ways in which the attacker can make this less
noticeable to the user. The first is to send the link to the server in an e-mail to the user.
The HTML representation of the link is the legitimate site, while the actual (hidden)
link points to the almost identical but malicious domain. A more sophisticated attacker
can use a variety of techniques to compromise DNS resolution and have the client go
to the malicious site instead of the legitimate one. Either way, the browser is likely to
generate a warning letting the user know that something is not right. Fortunately for the
attackers (and unfortunately for us), most users either do not pay attention to or actively
disregard such warnings.

Social Engineering Attacks
It should come as no surprise that people can be fooled by clever attackers who can trick

PART III
them into providing their cryptographic key material through various social engineering
attack types. As discussed in earlier chapters, social engineering attacks are carried out on
people with the goal of tricking them into divulging some type of sensitive information
that can be used by the attacker. For example, an attacker may convince a victim that the
attacker is a security administrator who requires the cryptographic data for some type of
operational effort. The attacker could then use the data to decrypt and gain access to sen-
sitive data. Social engineering attacks can be carried out through deception, persuasion,
coercion (rubber-hose cryptanalysis), or bribery (purchase-key attack).

Ransomware
Ransomware is a type of malware that typically encrypts victims’ files and holds them
ransom until a payment is made to an account controlled by the attacker. When the vic-
tim pays, the attacker usually (but not always) provides the secret key needed to decrypt
the files. It is not so much an attack against cryptography as it is an attack employing
cryptography. Ransomware attacks are typically delivered through a phishing e-mail that
contains a malicious attachment. After the initial compromise, however, the ransomware
may be able to move laterally across the victim’s network, infecting other hosts.

Chapter Review
Cryptographic algorithms provide the underlying tools to most security protocols used in
today’s infrastructures. They are, therefore, an integral tool for cybersecurity professionals.
The cryptographic algorithms work off of mathematical functions and provide various
types of functionality and levels of security. Every algorithm has strengths and weaknesses,
so we tend to use them in hybrid systems such as public key infrastructures. Symmetric
and asymmetric key cryptography, working with hashing functions, provide a solid foun-
dation on which to build the security architectures we’ll discuss in the next chapter.
Of course, there are many ways to attack these cryptosystems. Advanced adversaries
may find vulnerabilities in the underlying algorithms. Others may target the manner
in which these algorithms are implemented in software and hardware. Most attackers,
however, simply attempt to bypass cryptography by replaying authentication data,
CISSP All-in-One Exam Guide
376
inserting themselves in the middle of a trusted communications channel, or simply
targeting the people involved through social engineering.

Quick Review
Cryptography is the practice of storing and transmitting information in a form
that only authorized parties can understand.
A readable message is in a form called plaintext, and once it is encrypted, it is in
a form called ciphertext.
Cryptographic algorithms are the mathematical rules that dictate the functions of
enciphering and deciphering.
Cryptanalysis is the name collectively given to techniques that aim to weaken or
defeat cryptography.
Nonrepudiation is a service that ensures the sender cannot later falsely deny
sending a message.
The range of possible keys is referred to as the keyspace. A larger keyspace and the
full use of the keyspace allow for more-random keys to be created. This provides
more protection.
The two basic types of encryption mechanisms used in symmetric ciphers are
substitution and transposition. Substitution ciphers change a character (or bit)
out for another, while transposition ciphers scramble the characters (or bits).
A polyalphabetic cipher uses more than one alphabet to defeat frequency analysis.
A key is a random string of bits inserted into an encryption algorithm. The result
determines what encryption functions will be carried out on a message and in
what order.
In symmetric key algorithms, the sender and receiver use the same key for
encryption and decryption purposes.
In asymmetric key algorithms, the sender and receiver use different keys for
encryption and decryption purposes.
The biggest challenges in employing symmetric key encryption are secure key
distribution and scalability. However, symmetric key algorithms perform much
faster than asymmetric key algorithms.
Symmetric key algorithms can provide confidentiality, but not authentication or
nonrepudiation.
Examples of symmetric key algorithms include AES and ChaCha20.
Asymmetric algorithms are typically used to encrypt keys, and symmetric algorithms
are typically used to encrypt bulk data.
Asymmetric key algorithms are much slower than symmetric key algorithms but
can provide authentication and nonrepudiation services.
Examples of asymmetric key algorithms include RSA, ECC, and DSA.
 Chapter 8: Cryptology
377
Two main types of symmetric algorithms are stream ciphers and block ciphers.
Stream ciphers use a keystream generator and encrypt a message one bit at a time.
A block cipher divides the message into groups of bits and encrypts them.
Many algorithms are publicly known, so the secret part of the process is the key.
The key provides the necessary randomization to encryption.
RSA is an asymmetric algorithm developed by Rivest, Shamir, and Adleman and
is the de facto standard for digital signatures.
Elliptic curve cryptosystems (ECCs) are used as asymmetric algorithms and can
provide digital signatures, secure key distribution, and encryption functionality.
ECCs use fewer resources, which makes them better for wireless device and cell
phone encryption use.
Quantum cryptography is the field of scientific study that applies quantum

PART III
mechanics to perform cryptographic functions. The most immediate application
of this field is quantum key distribution (QKD), which generates and securely
distributes encryption keys of any length between two parties.
When symmetric and asymmetric key algorithms are used together, this is called
a hybrid system. The asymmetric algorithm encrypts the symmetric key, and the
symmetric key encrypts the data.
A session key is a symmetric key used by the sender and receiver of messages for
encryption and decryption purposes. The session key is only good while that
communication session is active and then it is destroyed.
A public key infrastructure (PKI) is a framework of programs, procedures,
communication protocols, and public key cryptography that enables a diverse
group of individuals to communicate securely.
A certificate authority (CA) is a trusted third party that generates and maintains
user certificates, which hold their public keys.
The CA uses a certification revocation list (CRL) to keep track of revoked certificates.
A certificate is the mechanism the CA uses to associate a public key to a person’s
identity.
A registration authority (RA) validates the user’s identity and then sends the request
for a certificate to the CA. The RA cannot generate certificates.
A one-way function is a mathematical function that is easier to compute in one
direction than in the opposite direction.
RSA is based on a one-way function that factors large numbers into prime numbers.
Only the private key knows how to use the trapdoor and how to decrypt messages
that were encrypted with the corresponding public key.
Hashing algorithms provide data integrity only.
When a hash algorithm is applied to a message, it produces a message digest, and
this value is signed with a private key to produce a digital signature.
Some examples of hashing algorithms include SHA-1, SHA-2, SHA-3, and MD5.
SHA produces a 160-bit hash value and is used in DSS.
CISSP All-in-One Exam Guide
378
A birthday attack is an attack on hashing functions through brute force. The
attacker tries to create two messages with the same hashing value.
A one-time pad uses a pad with random values that are XORed against the
message to produce ciphertext. The pad is at least as long as the message itself
and is used once and then discarded.
A digital signature is the result of a user signing a hash value with a private key. It
provides authentication, data integrity, and nonrepudiation. The act of signing is
the actual encryption of the value with the private key.
Key management is one of the most challenging pieces of cryptography. It pertains
to creating, maintaining, distributing, and destroying cryptographic keys.
Brute-force attacks against cryptosystems systematically try all possible keys
against given ciphertext in hopes of guessing the key that was used.
Ciphertext-only attacks against cryptosystems involve analyzing the ciphertext
of one or more messages encrypted with the same algorithm and key in order to
discover the key that was used.
In a known-plaintext attack, the attacker has the plaintext and corresponding
ciphertext of one or more messages and wants to discover the key that was used.
A chosen-plaintext attack is like a known-plaintext attack but the attacker
chooses the plaintext that gets encrypted to see the corresponding ciphertext.
A chosen-ciphertext attack is like a chosen-plaintext attack except that the attacker
chooses the ciphertext and then gets to see the corresponding decrypted plaintext.
A frequency analysis, also known as a statistical attack, identifies statistically
significant patterns in the ciphertext generated by a cryptosystem.
Implementation attacks are the techniques used to exploit defects in the
implementation of a cryptosystem.
Side-channel attacks analyze changes in the environment around a cryptosystem
in an attempt to infer an encryption key whose processing causes those changes.
Timing attacks are side-channel attacks that use time measurements to determine
the inner workings, states, and even data flows within a cryptosystem.
Fault injection attacks attempt to cause errors in a cryptosystem in an attempt to
recover or infer the encryption key.
In man-in-the-middle (MitM) attacks, threat actors intercept an outbound secure
connection request from clients and relay their own requests to the intended
servers, terminating both and acting as a proxy.
Pass the hash is a type of attack against Microsoft Windows Active Directory in
which the attacker resubmits cached authentication tokens to gain illicit access to
resources.
Ransomware is a type of malware that encrypts victims’ files and holds them
ransom until a payment is made to an account controlled by the attacker.