Cryptography

Cryptography

• Cryptography is the technique of making something such as message secret/private from unauthorized persons.

• When users can want to exchange messages across a network, they can use cryptography to ensure their messages stay private between the two authorized users only.

• Cryptography is used to protect data in use and data in motion (transit).

• Cryptography provides the following key functions:

• Confidentiality - Ensures the message is private using data encryption technologies.

• Integrity - Ensures the message is not modified using hashing algorithms.

• Authentication - Ensures the receiver of a message is able to validate the source (origin) of the message.

• Non-repudiation - Ensures the sender of the message is unable to deny the transaction of the message.

Lightweight cryptography

• Lightweight cryptography is used on lower-powered systems such as mobile technologies.

• This type of cryptography allows lower-powered devices to handle encryption techniques without using too much computing power.

Quantum

• Quantum computing is the technique which super-powerful systems work together to perform huge computing calculations.

• With quantum computing, it is eventually possible to break (crack) encryption algorithms.

• Post quantum is the terminology used to defined something that is resilient towards quantum computing technologies.

Blockchain

• Blockchain is a type of technology which allows multiple systems to perform and combine their computing power using a distributed system while remaining decentralized.

• Blockchain uses a public ledger as a record-keeping system that secures the identities of participate who is part of a blockchain.

• Each transaction done using blockchain is stored in blocks and they can be publicly verified.

• With blockchain, each block is hashed which allows other systems to easily verify the blocks.

• Each verified block is added to create a chain while every transaction is also verified.

Encryption Process

• The encryption process takes a plaintext (unencrypted) message and passes it through an encryption algorithm to create ciphertext (encrypted message).

Cipher suites

• A cipher suite is the algorithm used to perform the encryption process by converting the plaintext into ciphertext.

• A stream cipher is an encryption algorithm which is used to encrypt one byte at a time.

• A block cipher encrypts an entire block (64-bit blocks and higher) of data at a time.

• Using a stream cipher, it's easier to reverse the encryption process, while the block cipher is harder to reverse.

• The data encryption process is much faster when using a streaming cipher algorithm as compared to block cipher which is usually slower.

Modes of operation

• Some encryption algorithms may encrypt data in blocks at a time or each individual bits.

• Each block of data is a fixed size.

• The methods which an algorithm uses to encrypt data such as blocks or bits is called the mode of operations.

Cipher Block Chaining (CBC)

• The algorithm add randomization during the encryption process

• The first plaintext message uses and Initialization Vector (IV) as the randomization with a Key to encrypt the message.

• The second plaintext message uses the ciphertext from the previous message is used a the randomization with a key to create the ciphertext.

Galois Counter Mode (GCM)

• Combined Counter mode with Galois authentication

• Allows encryption with authentication

• This cipher mode has very low latency and is commonly found with using Secure Socks Layer (SSL) and Transport Layer Security (TLS)

Electronic Codebook (ECB) 

• Each block of message is encrypted using the same key.

 Counter Mode (CTR) 

• Counter mode of data encryption

• Operates like a stream cipher

• Allows blocks of any size to be encrypted

• Uses a Counter (any number) and a Key to create a block cipher, than use the plaintext message as the randomization to create the ciphertext.

• The next block of plaintext, the counter will increase by 1 and the process is repeated.

Steganography

• This is a technique which hackers use to conceal a message into another file.

• Steganography is used to evade detection by threat monitoring systems.

• This method takes advantage of hiding a message into the following:

  • Audio files

  • Video files

  • Image files

Hashing

• A hash is a one-way function which takes a message and create a unique message-digest representation of the message.

• Hashes are used to check integrity of message or data.

• Hashes are also used to storage passwords on a system.

• Uses to verify downloaded files.

• If 2 different files create the same hash value, this is referred to as a Hash Collision.

• Message Digest 5 (MD5) - 128-bt hash.

• Secure Hashing Algorithm 1 (SHA-1) - 160-bit hash.

• Secure Hashing Algorithm 2 (SHA-2) - 224, 256, 384 & 512-bit hash.

• Hashed Message Authentication Code (HMAC) - Used with existing algorithm for additional layer of security.

Salting

• Salting is the technique of adding extra padding to the hashing the algorithm to reduce the risk a threat actor reverse the hash.

• This is type of nonce for randomization.

• Salting makes it more challenging for an attacker to retrieve the actual password of a user.

Symmetric algorithms

• With symmetric encryption, the same Key is used to encrypt and decrypt the message.

• If the Key is lost or compromised, the message is also compromised.

Symmetric Encryption Types

• Advanced Encryption Standard

• Block cipher which uses 128-bit blocks

• Encrypts data uses 128-bit, 192-bit and 256-bit keys.

• Uses with the WPA2 wireless security standard

Data Encryption Standard (DES)

• Created by the NSA and IBM.

• Uses 64-bit blocks with 56-bit key

Triple DES (3DES)

• Encrypts the data 3 times with the key

• Takes plaintext and encrypt the message using DES-Key 1, then uses DES-Key 2 to decrypt the data and uses DES-Key 3 to encrypt the data to get the final result

Rivest Cipher 4 (RC4)

• Commonly used in wireless security standards such as WEP.

• Contain many vulnerabilities.

Blowfish

• This is a block cipher which uses 64-bit blocks

• Uses key lengths from 1 - 448-bits for data encryption

• Uses 16 rounds of encryption and is considered to be unbreakable.

Twofish

• The newer or successor of Blowfish cipher.

• Uses keys of 256-bits to encrypt data in 128-bit blocks.

Asymmetric algorithms

• With Asymmetric encryption, a key is used to encrypted data while another key is use to decrypted data.

• Uses a Key pair: Private key and Public Key.

• Commonly used with a the Public Key Infrastructure (PKI).

• The Public key is shared with everyone while the Private key is kept safely.

• Uses large prime numbers to create both the Public and Private key pairs.

Rivest, Shamir & Adelman (RSA)

• Used in Public Key Infrastructure (PKI)

• Provides data encryption, decryption and Digital Signatures

Digital Signature Algorithm (DSA)

• This is a part of the Federal Information Processing standard

• This is a customized version of Diffie-Hellman and can be combined with Elliptic Curve (EC) to provide ECDSA.

ElGamal

• Uses in Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG).

Digital Signatures

• A system can use hashes to verify integrity of a message between a source and destination.

• The Private Key is used to encrypt the Hash of the message to create a Digital Signature.

• A system can use the Private Key from Public Key Infrastructure (PKI) to sign the message before sending it to the destination.

• The receipt of the message uses the Public Key of the sender to decrypt the Digital Signature to get the original hash.

• A Digital Signature is commonly used to provide the following key features to a user or system:

  • Integrity

  • Authentication / Authenticity

  • Non-repudiation

Cipher Suites

• This is mutually agreed between the client and the server.

• Transport Layer Security (TLS)

• Key exchange algorithm

• Authentication/Digital signature algorithm

• Symmetric encryption algorithm

• Mode of operation

• Message authentication algorithm

Keys

• The encryption or cryptographic key is used by an encryption algorithm to encrypt data.

• The key can be used to both encrypt and decrypt data.

• The key must be kept safe at all times.

Key strength

• The size of the key is measured using a bit size.

• Larger the key, the more secure the encryption.

• Encryption algorithm such as Advanced Encryption Algorithm (AES) uses key sizes (length) of 128-bits, 192-bits and 256-bits.

• In PKI, the Public Key is usually 2048-bits.

Key exchange

•  

• Sending the key to a trusted person may be challenging.

• The key can be delivered using an out-of-band method such as via in-person or telephone.

• In most situations, a system will exchange the key using the network such as the Internet or the local area network (LAN).

Diffie-Hellman (DH)

• 
  

• This algorithm allows a key to be exchange over an unsecure channel or network.

• Commonly used between web browsers and web servers by using the Ephemeral Diffie-Hellman (EDH or DHE) keys.

EDH or DHE is sometimes combines with Elliptic Curve for ECDHE.

Ephemeral key

• This type of key is usually a temporary key.

• Needs to be change very often.

Key stretching algorithms

• Some encryption algorithm uses a very small key which is unsecure.

• Key stretching is taking the key and passing it through multiple processes to increase the strength.

BCRYPT

• BCRYPT can be used to create a hash from a password.

• The BCRYPT algorithm uses the blowfish cipher to perform key stretching.

PBKDF2

• Password-Based Key Derivation Function 2

• Part of Public Key Infrastructure (PKI).

The Key Lifecycle

1. Generation of the Key - Cipher and Key size.

2. Certificate generation - The Digital certificate is created and assigned to a person or device.

3. Distribute - The key is distributed to the person or the device.

4. Storage - The key is stored in a secure location to prevent unauthorized usage.

5. Revocation - A certificate or key may be revoke if it is compromised by a threat actor.

6. Expiration - Each certificate has a lifespan.