Embedded Files
Level 2 CAT
Level 2 CAT
12COMP & 12DTEC
12COMP & 12DTEC
Date: Thursday 26 September
Date: Thursday 26 September
Time: 9am - 12pm
Time: 9am - 12pm
DURATION : 3hrs to complete: AS91899(DTEC) AND/OR AS91898(COMP)
DURATION : 3hrs to complete: AS91899(DTEC) AND/OR AS91898(COMP)
ROOM: Students will be allocated a room to go to sit the exam (not necessarily with their class).
ROOM: Students will be allocated a room to go to sit the exam (not necessarily with their class).
What is encryption'?
What is encryption'?
From Canterbury Uni's Computer Science Field Guide (CSFG):
From Canterbury Uni's Computer Science Field Guide (CSFG):
Encryption is used to keep data secret. In its simplest form, a file or data transmission is garbled so that only authorised people with a secret "key" can unlock the original text. If you're using digital devices then you'll be using systems based on encryption all the time: when you use online banking, when you access data through wifi, when you pay for something with a credit card (either by swiping, inserting or tapping), in fact, nearly every activity will involve layers of encryption. Without encryption, your information would be wide open to the world – anyone could pull up outside a house and read all the data going over your wifi, and stolen laptops, hard disks and SIM cards would yield all sorts of information about you – so encryption is critical to make computer systems usable.
Encryption is used to keep data secret. In its simplest form, a file or data transmission is garbled so that only authorised people with a secret "key" can unlock the original text. If you're using digital devices then you'll be using systems based on encryption all the time: when you use online banking, when you access data through wifi, when you pay for something with a credit card (either by swiping, inserting or tapping), in fact, nearly every activity will involve layers of encryption. Without encryption, your information would be wide open to the world – anyone could pull up outside a house and read all the data going over your wifi, and stolen laptops, hard disks and SIM cards would yield all sorts of information about you – so encryption is critical to make computer systems usable.
the basics of encryption
the basics of encryption
How secure is the website you are using?
How secure is the website you are using?
Some common sites rated by HTTPS Watch
Some common sites rated by HTTPS Watch
Don't worry if you don't understand what its about; below are resources which will make it clear.
Don't worry if you don't understand what its about; below are resources which will make it clear.
Delve into symmetric keys, asymmetric keys and hashing
Delve into symmetric keys, asymmetric keys and hashing
1:19 - 3:00 excellent overview of encryption
1:19 - 3:00 excellent overview of encryption
3:03 - 7:32 Symmetric key; don't worry about the XOR command
3:03 - 7:32 Symmetric key; don't worry about the XOR command
7:33 - end Real world use of symmetric key; block ciphers ECB & CBC
7:33 - end Real world use of symmetric key; block ciphers ECB & CBC
0:00 - 3:13 Asymetric key
0:00 - 3:13 Asymetric key
3:15 - 6:23 Hashing
3:15 - 6:23 Hashing
Another simple explanation of Symmetric key vs Asymmetric key from medium.com
Another simple explanation of Symmetric key vs Asymmetric key from medium.com
In summary: Encryption is used for:
In summary: Encryption is used for:
Privacy of communication or Secrecy in transmission.
Privacy of communication or Secrecy in transmission.
The major goal of encryption is to prevent data from being read by any third party.
Verifying who you are communicating with or Digital signatures
Verifying who you are communicating with or Digital signatures
A digital signature is a mechanism by which a message is authenticated i.e. proving that a message is coming from a given sender
Privacy of storage or Secrecy in storage.
Privacy of storage or Secrecy in storage.
Refers to the application of encryption on data, while on storage media, eg disks.
Forward secrecy.
Forward secrecy.
Can we be sure that current encryption methods will remain secure in the future.
Verifying passwords
Verifying passwords
We can use hashing to secure passwords.
Integrity in transmission
Integrity in transmission
We can use hashing to provide a means to ensure that data is not altered.
We can classify encryption into:
We can classify encryption into:
Symmetric.
Symmetric.
Asymmetric.
Asymmetric.
Hashing - not strictly encryption, but we can write about it.
Hashing - not strictly encryption, but we can write about it.
Another good introductory source is: Canterbury University's Computer Science Field Guide (CSFG)
Another good introductory source is: Canterbury University's Computer Science Field Guide (CSFG)
modern encryption
modern encryption
Modern encryption uses symmetric keys , asymmetric keys and hashing, which were covered in the section above.
Modern encryption uses symmetric keys , asymmetric keys and hashing, which were covered in the section above.
But why do we have both methods?
But why do we have both methods?
From VENAFI:
From VENAFI:
Encryption should not be seen as the ultimate answer to any information security problem, but only as one part of the security equation. Obviously, high-risk data, such as sensitive customer data needs better encryption than marketing plans.
Encryption should not be seen as the ultimate answer to any information security problem, but only as one part of the security equation. Obviously, high-risk data, such as sensitive customer data needs better encryption than marketing plans.
In general, public key encryption, or asymmetric encryption, is about 10,000 times slower than private key encryption. This is because of asymmetric encryption's creation and exchange of the two keys versus the single one in private or symmetric encryption.
In general, public key encryption, or asymmetric encryption, is about 10,000 times slower than private key encryption. This is because of asymmetric encryption's creation and exchange of the two keys versus the single one in private or symmetric encryption.
SSL/TSL
SSL/TSL
Transport Layer Security (TLS)
Transport Layer Security (TLS)
and its predecessor secure socket layer (SSL)
and its predecessor secure socket layer (SSL)
Used for web browsers, instant messaging, e-mail and voice over IP.
Used for web browsers, instant messaging, e-mail and voice over IP.
Good explanation of a possible problem that can still arise even with public-private keys.
Good explanation of a possible problem that can still arise even with public-private keys.
And how SSL/TSL is a solution.
And how SSL/TSL is a solution.
2:00 - 4:35 SSL steps explained
2:00 - 4:35 SSL steps explained
High level description of the protocol involved in....
High level description of the protocol involved in....
FIRST: setting up to use a CA and HTTPS:
FIRST: setting up to use a CA and HTTPS:
· The Web server creates a private/public key pair.
· The Web server creates a Certificate Signing Request with its private key and sends it to the CA.
· The CA then signs the Certificate Signing Request with its own Private key and sends it back to the Web server.
· The Web server can verify that the returned Certificate Signing Request came from the CA by decrypting the message using the CA’s freely available public key.
THEN: a user’s browser connecting to the Web server:
THEN: a user’s browser connecting to the Web server:
· The Web server has created a private/public key pair beforehand.
· The browser requests a secure page (usually https://) from the Web server.
· The Web server uses its own private key to encrypt a message containing the CA’s signed certificate.
· The web server sends this encrypted message to the browser.
· The browser uses the Web server’s public key to decrypt the Web server’s message - the CA’s signed certificate is now revealed, although its encrypted by the CA so it won’t make sense yet.
· The browser then uses the CA’s public key to decrypt the CA’s signed certificate.
· The browser can now check that the certificate was issued by a trusted party (usually a trusted CA), that the certificate is still valid and that the certificate is related to the site contacted.
· In which case the browser can conclude the message is from the correct Web server.
So why don't we see a green padlock with https?
So why don't we see a green padlock with https?
From Net solutions:
From Net solutions:
In September 2018, when Chrome 69 was released, the green padlock was replaced by a grey padlock. In addition to this there is no explicit wording to state that the site is ‘secure’. The end goal being that users should expect all web pages to be secure by default, and to only receive a warning if the site is not secure.
In September 2018, when Chrome 69 was released, the green padlock was replaced by a grey padlock. In addition to this there is no explicit wording to state that the site is ‘secure’. The end goal being that users should expect all web pages to be secure by default, and to only receive a warning if the site is not secure.
Chrome will be taking even further steps with its security indicators as Google would like to achieve 100% encryption across all websites. So don’t rely on seeing a green padlock as a security indicator, as eventually it won’t apply anymore in Chrome:
Chrome will be taking even further steps with its security indicators as Google would like to achieve 100% encryption across all websites. So don’t rely on seeing a green padlock as a security indicator, as eventually it won’t apply anymore in Chrome:
Diffie-Hellman key exchange
Diffie-Hellman key exchange
"exchange some public variables and combine them with some private variable we kept hidden, so we can both create the same key"
"exchange some public variables and combine them with some private variable we kept hidden, so we can both create the same key"
Easy to understand explanation of Diffie-Hellman
Easy to understand explanation of Diffie-Hellman
Another easy to understand explanation of Diffie-Hellman
Another easy to understand explanation of Diffie-Hellman
1:00 - 2:00 Interesting info on the cold war & encryption.
1:00 - 2:00 Interesting info on the cold war & encryption.
2:00 - 4:30 The concept behind Diffie-Hellman.
2:00 - 4:30 The concept behind Diffie-Hellman.
4:00 - end The maths - if you are interested...
4:00 - end The maths - if you are interested...
RSA
RSA
From comparitech:
From comparitech:
RSA encryption is often used in combination with other encryption schemes, or for digital signatures which can prove the authenticity and integrity of a message. It isn’t generally used to encrypt entire messages or files, because it is less efficient and more resource-heavy than symmetric-key encryption.
RSA encryption is often used in combination with other encryption schemes, or for digital signatures which can prove the authenticity and integrity of a message. It isn’t generally used to encrypt entire messages or files, because it is less efficient and more resource-heavy than symmetric-key encryption.
To make things more efficient, a file will generally be encrypted with a symmetric-key algorithm, and then the symmetric key will be encrypted with RSA encryption. Under this process, only an entity that has access to the RSA private key will be able to decrypt the symmetric key.
To make things more efficient, a file will generally be encrypted with a symmetric-key algorithm, and then the symmetric key will be encrypted with RSA encryption. Under this process, only an entity that has access to the RSA private key will be able to decrypt the symmetric key.
Without being able to access the symmetric key, the original file can’t be decrypted. This method can be used to keep messages and files secure, without taking too long or consuming too many computational resources.
Without being able to access the symmetric key, the original file can’t be decrypted. This method can be used to keep messages and files secure, without taking too long or consuming too many computational resources.
The difference between Diffie-Hellman and RSA
The difference between Diffie-Hellman and RSA
RSA is used to come up with a public/private key pair for asymmetric (“public-key”) encryption.
Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption.
From VANAFI:
From VANAFI:
In RSA cryptography, both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why RSA has become the most widely used asymmetric algorithm: It provides a method of assuring the confidentiality, integrity, authenticity, and non-reputability of electronic communications and data storage.
In RSA cryptography, both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why RSA has become the most widely used asymmetric algorithm: It provides a method of assuring the confidentiality, integrity, authenticity, and non-reputability of electronic communications and data storage.
The nature of the Diffie-Hellman key exchange, however, makes it susceptible to man-in-the-middle (MITM) attacks, since it doesn't authenticate either party involved in the exchange. The MITM maneuver can also create a key pair and spoof messages between the two parties, who think they're both communicating with each other. This is why Diffie-Hellman is used in combination with an additional authentication method, generally digital signatures.
The nature of the Diffie-Hellman key exchange, however, makes it susceptible to man-in-the-middle (MITM) attacks, since it doesn't authenticate either party involved in the exchange. The MITM maneuver can also create a key pair and spoof messages between the two parties, who think they're both communicating with each other. This is why Diffie-Hellman is used in combination with an additional authentication method, generally digital signatures.
Unlike Diffie-Hellman, the RSA algorithm can be used for signing digital signatures as well as symmetric key exchange, but it does require the exchange of a public key beforehand.
Unlike Diffie-Hellman, the RSA algorithm can be used for signing digital signatures as well as symmetric key exchange, but it does require the exchange of a public key beforehand.
AES
AES
Hashing
Hashing
MD5 vs SHA-1 vs SHA-2
MD5 vs SHA-1 vs SHA-2
See keycdn for details
See keycdn for details
Explains the concept of hashing.
Explains the concept of hashing.
Hashing needs to be fast to compute BUT good enough not to be tampered with.
Hashing needs to be fast to compute BUT good enough not to be tampered with.
Why old hashing algorithms are vulnerable.
Why old hashing algorithms are vulnerable.
And how SHA-1 is also becoming vulnerable, leading to SHA-2 and SHA-3.
And how SHA-1 is also becoming vulnerable, leading to SHA-2 and SHA-3.
Ignore the maths component...
Ignore the maths component...
Stenography
Stenography
concealing messages or information within other non-secret text or data.
concealing messages or information within other non-secret text or data.
Is Steganography still used?
Is Steganography still used?
From the EC-Council May 2020
From the EC-Council May 2020
Yes, Steganography is still popular among cyber criminals.
Yes, Steganography is still popular among cyber criminals.
Recent attacks show that security researchers found a new malware campaign that used WAV audio files to hide their malware. It is believed that the attackers used Steganography to embed the malicious code inside the WAV audio
Recent attacks show that security researchers found a new malware campaign that used WAV audio files to hide their malware. It is believed that the attackers used Steganography to embed the malicious code inside the WAV audio
Why encryption
Why encryption
3 reasons why encryption matters
3 reasons why encryption matters
From Norton security
From Norton security
1. Internet privacy concerns are real
1. Internet privacy concerns are real
Encryption helps protect your online privacy by turning personal information into “for your eyes only” messages intended only for the parties that need them — and no one else.
You should make sure that your emails are being sent over an encrypted connection, or that you are encrypting each message.
Most email clients come with the option for encryption in their Settings menu, and if you check your email with a web browser, take a moment to ensure that SSL encryption is available.
2. Hacking is big business
2. Hacking is big business
Cybercrime is a global business, often run by multinational outfits.
Many of the large-scale data breaches that you may have heard about in the news demonstrate that cybercriminals are often out to steal personal information for financial gain.
3. Regulations demand it
3. Regulations demand it
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement security features that help protect patients’ sensitive health information online.
Institutions of higher learning must take similar steps under the Family Education Rights and Privacy Act (FERPA) to protect student records.
Retailers must contend with the Fair Credit Practices Act (FCPA) and similar laws that help protect consumers.
Encryption helps businesses stay compliant with regulatory requirements and standards. It also helps protect the valuable data of their customers.
Frequency of attacks
Frequency of attacks
On average a computer connected to the internet will be the target of an attempted hack every 39 seconds.
OR on average, a computer will be the target of 2,224 hacking attempts every day.
Costs
Costs
From: Cybercrime magazine
From: Cybercrime magazine
Cybercrime damage costs are predicted to hit $6 trillion annually by 2021.
Cybersecurity spending will exceed $1 trillion from 2017 to 2021.
The world will have 3.5 million unfilled cybersecurity jobs by the end of 2021.
Ransomware damage costs are predicted to grow more than 57 times from 2015 to 2021 reaching $20 billion by 2021.
70 percent of cryptocurrency transactions will be for illegal activity by 2021
The downsides of encryption
The downsides of encryption
From Norton security
From Norton security
How ransomware uses encryption to commit cybercrimes
How ransomware uses encryption to commit cybercrimes
Encryption is designed to protect your data, but encryption can also be used against you.
For instance, targeted ransomware is a cybercrime that can impact organizations of all sizes, including government offices. Ransomware can also target individual computer users.
How do ransomware attacks occur? Attackers deploy ransomware to attempt to encrypt various devices, including computers and servers. The attackers often demand a ransom before they provide a key to decrypt the encrypted data. Ransomware attacks against government agencies can shut down services, making it hard to get a permit, obtain a marriage license, or pay a tax bill, for instance.
Targeted attacks are often aimed at large organizations, but ransomware attacks can also happen to you.
From: Cybercrime magazine
From: Cybercrime magazine
It was estimated that every 40 seconds a business falls victim to a ransomware attack, in a December 2016 security bulletin posted by the cybersecurity firm Kaspersky Lab, which stated that the number of attacks rose from every two minutes in early 2016.
The news that Interpol is about to “condemn” the spread of strong encryption is just the latest salvo in the crypto wars, a decades-long controversy between proponents of strong encryption, law enforcement and investigative bodies over the widespread use of encryption by technology companies. The central tenet of the law enforcement argument is that strong end-to-end encryption hinders the investigation and prosecution of crimes when suspects use it on their personal devices. For their part, privacy and human rights advocates contend that there is no mechanism “that (both) protects the security and privacy of communications and allows access for law enforcement”.
What’s the issue?
What’s the issue?
Facebook Messenger, WhatsApp and other communication apps use an implementation of public key cryptography called end-to-end encryption. Only the end users have access to the decrypted data; the service provider, like Facebook, doesn’t. As such, it is theoretically impossible for the company to hand over decrypted data to the authorities.
This is the crux of the debate. It is what has led law enforcement to ask that end-to-end encryption not be rolled out by Facebook, or that 'backdoors' be introduced to aid in surveillance or data recovery.
Read more about this at The World Economic Forum
Read more about this at The World Economic Forum
The Future of Encryption
The Future of Encryption
From StorageCraft
From StorageCraft
Cyber attacks are constantly evolving, so security specialists must stay busy in the lab concocting new schemes to keep them at bay. Expert observers are hopeful that a new method called Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code. This unique approach not only slows attackers down, but potentially buries the correct key in a haystack of false hopes. Then there are emerging methods like quantum key distribution, which shares keys embedded in photons over fiber optic, that might have viability now and many years into the future as well.
Cyber attacks are constantly evolving, so security specialists must stay busy in the lab concocting new schemes to keep them at bay. Expert observers are hopeful that a new method called Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code. This unique approach not only slows attackers down, but potentially buries the correct key in a haystack of false hopes. Then there are emerging methods like quantum key distribution, which shares keys embedded in photons over fiber optic, that might have viability now and many years into the future as well.
Quantum computing & how it could break encryption
Quantum computing & how it could break encryption
click on the link above to find out about the following terms:
click on the link above to find out about the following terms:
Plaintext
Plaintext
Ciphertext
Ciphertext
Encryption
Encryption
Keys
Keys
Hash
Hash
Salt
Salt
Symmetric and Asymmetric Algorithms
Symmetric and Asymmetric Algorithms
Public and Private Keys
Public and Private Keys
HTTPS
HTTPS
End-to-End Encryption
End-to-End Encryption
interesting encryption history
interesting encryption history
The NSA building ===>
Page updated
Report abuse