CISSP study notes: Cryptography and symmetric encryption algorithms

Chapter 6 Cryptography and Symmetric Encryption Algorithms

6.1 Milestones in the history of cryptography

6.1.1 Caesar Cipher

Simply replacing each letter of the alphabet with the next three letters is a single-letter substitution cipher.

6.1.2 American Civil War

The American Civil War used a complex combination of lexical substitutions and substitutions in an attempt to undermine enemy attempts at decipherment

6.1.3 Ultrasingle Enigma

6.2 Basics of cryptography

6.2.1 Goals of cryptography

Basic goals of cryptosystems: confidentiality, integrity, authentication and non-repudiation

• Confidentiality
  • Confidentiality: ensuring confidentiality remains secret in storage or in transit
  • Symmetric key cryptography: a cryptosystem in which all users use a shared key
  • Public key cryptography: Each user is able to use a combination of public and private keys
• integrity
  • Integrity: Ensure that data is not modified during transmission
  • Integrity is enforced through digital signature digests created when transmitting messages, both public and private key cryptography can enforce integrity
• Authentication
  • Identity Authentication: Verification of the claimed system user identity, which is the main function of a cryptographic system
• non-repudiation
  • Non-repudiation provides a guarantee to the recipient that the message really came from the sender and not from someone pretending to be the sender.
  • Secret key (symmetric key) cryptosystems do not provide non-repudiation
  • Public key (asymmetric key) cryptosystems provide non-repudiation

6.2.2 Cryptography concepts

• The message sender uses a cryptographic algorithm to encrypt the plaintext message into a ciphertext message, represented by the letter C
• The technique of creating and implementing secret codes and ciphers is called cryptography
• Cryptography and cryptanalysis are called cryptography
• The specific operations of encoding or decoding on hardware or software are called cryptosystems

6.2.3 Mathematical principles of cryptography

• Binary math:
• Logical operations: OR, AND, NOT, XOR, modular function, one-way function, random number, zero-knowledge proof, partitioning knowledge, work function
• Split Knowledge: A single solution that includes separation of duties and two-person control is called Split Knowledge
• Zero-knowledge proof: Zero-knowledge proof means that you can fully prove that you are the legal owner of a certain right without leaking relevant information - that is, the "knowledge" to the outside world is "zero". The prover can convince the verifier that a certain assertion is correct without providing any useful information to the verifier.
• Work function: A measure of the strength of a cryptographic system by measuring all effort in terms of cost and/or time

6.2.5 Password

• Coding and password:
  • Encoding: A symbol that identifies a word or phrase in a cryptographic system
  • Password: Hide the true meaning of the message
• Transposition cipher: Using an encryption algorithm to rearrange the letters in a plaintext message to form a ciphertext message
• Substitution cipher: Uses an encryption algorithm to replace each character or bit in a plaintext message with a different character, such as the Caesar cipher
• One-time pad cipher: Using a different alphabet for each letter of the plaintext message, an extremely strong substitution cipher. An unbreakable encryption scheme must meet the following requirements:
  1. Encryption keys must be randomly generated
  2. Disposable refills must be physically protected
  3. Each disposable refill must be used only once
  4. The secret key must be at least as long as the message being encrypted
  5. Disadvantages of one-time filling: can only be used for short messages, distribution and protection require lengthy keys
• Block cipher: operates on "chunks" or groups of messages and applies the encryption algorithm to the entire message group simultaneously
• Stream cipher: operates on each character or bit in the message, processing only one/thought at a time, such as Caesar cipher
• Confusion and diffusion:
  • Obfuscation: The attacker cannot determine the secret key by continuing to modify the plaintext and analyze the resulting ciphertext
  • Expansion: When changes in the plaintext lead to multiple changes, this change spreads to the entire ciphertext.

6.3 Modern cryptography

6.3.1 Key

• Modern cryptosystems do not rely on the security of their algorithms
• Modern cryptosystems do not rely on secret algorithms
• Modern cryptographic systems rely on one or more keys that are unique to a specific user or group of users.

6.3.2 Symmetric key algorithm

• Symmetric keys rely on a shared encryption key that is distributed to all members participating in the communication
• Symmetric keys are also called secret key cryptography or private key cryptography
• Weaknesses of symmetric keys
  1. Key distribution is a problem: before communication can be established with symmetric keys, communication participants must have a secure method of exchanging keys.
  2. Symmetric key cryptography does not achieve non-repudiation
  3. This algorithm is not scalable
  4. Secret keys must be updated frequently
• Symmetric key cryptography scalability problem: The total number of keys required for a complete connection between n communicating parties is: n*(n-1)/2

6.3.2 Asymmetric key algorithm

• Asymmetric secret key algorithms are also called public key algorithms. Each user has a public key and a private key.
• Advantages of asymmetric keys:
  1. New users only need to generate a public key-private key pair
  2. Easier to remove users from asymmetric systems
  3. Only when the user's private key is destroyed, the key needs to be reconstructed
  4. Asymmetric key encryption provides integrity, authentication and non-repudiation
  5. Key distribution is a simple process
  6. No pre-existing communication link required
• Comparison of symmetric and asymmetric cryptography systems:

6.3.4 Hash algorithm

• Commonly used hashing algorithms:
  • Message Digest 2 (MD2)
  • Message Digest 5 (MD5)
  • Secure Hash Algorithm (SHA-0, SHA-1, SHA-2)
  • Hash-based Message Authentication Code (HMAC)

6.4 Symmetric ciphers

• Common symmetric cryptosystems: DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), IDEA (International Data Encryption Algorithm), Blowfish, Skipjack, AES (Advanced Encryption Standard)

6.4.1 Data Encryption Standard (DES) Derived from the Lucifer algorithm, DEA is the algorithm that implements the DES standard

• DES is a 64-bit block cipher with five modes of operation
  1. Electronic codebook mode (ECB): The worst security, processing a 64-bit packet at a time, and simply using the secret key to encrypt the packet
  2. Cipher Block Chaining Mode (CBC): Each block of unencrypted text is XORed with the previous ciphertext block before being encrypted using the DES algorithm.
     • Disadvantages: Error propagation, if a packet is corrupted during transmission, the packet will not be decrypted.
  3. Password feedback mode (CFB): CBC in the form of stream cipher, operating on data generated in real time
  4. Output feedback mode (OFB): almost the same as CFB mode.
     • The advantage is that there is no linking function and transmission errors will not affect the decryption of subsequent packets through propagation.
  5. Counting mode (CTR): Stream cipher, incrementing the count after each operation, like OFB mode, does not propagate errors.

6.4.2 Triple Data Encryption Algorithm (3DES)

• There are four versions of 3DES:
  1. DES EEE3: Encrypt plaintext three times using three different keys
  2. DES EDE3: uses three keys, but replaces the second encryption operation with a decryption operation
  3. DES EEE2: Use only two keys
  4. DES EDE2: using two keys and decryption operation in between

6.4.3 International Data Encryption Algorithm (IDEA)

• For the DES algorithm where the key length is not enough, a 128-bit key is used for operation.

6.4.4 Blowfish (used by SSH)

• Blowfish extends the key length of IDEA and can use variable length keys. BlowFish is a faster algorithm than IDEA and DES.

6.4.5 Skipjack

• For 64-bit text grouping operations, use an 80-bit key
• Not generally accepted by the cryptography community because the hosting process is controlled by the US government

6.4.6 Advanced Encryption Protocol (AES) (Rijndael, Twofish algorithm encryption)

• Using 128, 192, and 256-bit encryption, supporting 128 block processing symmetric encryption algorithm memory table
• The Twofish algorithm utilizes two techniques: pre-white noise and post-white noise.

6.4.7 Symmetric key management

1. Create and distribute symmetric ciphers
   • Offline distribution: One party provides another party with a piece of paper or a storage medium containing the secret key
   • Public key encryption: Use public key encryption to establish an initial communication link and exchange secret keys during the link.
   • Diffie-Hellman algorithm: exchanging secret keys over an insecure link
2. Store and destroy symmetric keys
   • Never store encryption keys with encrypted data
   • Sensitive keys consider two people holding the keys separately.
3. Key escrow
   • Fair cryptosystem: the private key is divided into multiple parts and handed over to an independent third party
   • Managed Encryption Standard: Provides governments with the technical means to decrypt ciphertext

6.4.8 Password life cycle

• Determine which encryption algorithms your organization can accept and use
• Acceptable key lengths for sensitivity validation algorithms based on transmitted information
• List of secure transport protocols that can be used (SSL and TLS)