Cryptography - science or study of protecting information whether in transit or at rest
Renders the information unusable to anyone who can’t decrypt it
Takes plain text, applies cryptographic method, turn it into cipher text
Crypanalysis - study and methods used to crack cipher text
Linear Cryptanalysis - works best on block ciphers
Differential Cryptanalysis - applies to symmetric key algorithms
Compares differences in the inputs to how each one affects the outcome
Integral cryptanalysis - input vs output comparison same as differential; however, runs multiple computations of the same block size input
Plain text doesn’t necessarily mean ASCII format - it simply means unencrypted data
Nonrepudiation - means by which a recipient can ensure the identity of the sender and neither party can deny sending
Encryption Algorithms and Techniques
Algorithm - step-by-step method of solving a problem
Two General Forms of Cryptography
Substitution - bits are replaced by other bits
Transposition - doesn’t replace; simply changes order
Encryption Algorithms - methmatical formulas used to encrypt and decrypt data
Steam Cipher - readable bits are encrypted one at a time in a continuous stream
Usually done by an XOR operation
Work at a high rate of speed
Block Cipher - data bits are split up into blocks and fed into the cipher
Each block of data (usually 64 bits) encrypted with key and algorithm
Are simpler and slower than stream ciphers
XOR - exclusive or; if inputs are the same (0,0 or 1,1), function returns 0; if inputs are not the same (0,1 or 1,0), function returns 1
Key chosen for cipher must have a length larger than the data; if not, it is vulnerable to frequency attacks
Symmetric Encryption
Symmetric Encryption - known as single key or shared key
One key is used to encrypt and decrypt the data
Problems include key distribution and management
Suitable for large amounts of data
Harder for groups of people because more keys are needed as group increases
Does nothing for nonrepudiation; only performs confidentiality
Algorithms
DES - block cipher; 56 bit key; quickly outdated and now considered not very secure
3DES - block cipher; 168 bit key; more effective than DES but much slower
AES (Advanced Encryption Standard) - block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES and 3DES
IDEA (International Data Encryption Algorithm) - block cipher; 128 bit key; originally used in PGP 2.0
Twofish - block cipher; up to 256 bit key
Blowfish - fast block cipher; replaced by AES; 64 bit block size; 32 to 448 bit key; considered public domain
RC (Rivest Cipher) - RC2 to RC6; block cipher; bariable key length up to 2040 bits; RC6 (lastest version) uses 128 bit blocks and 4 bit working registers; RC5 uses variable block sizes and 2 bit working registers
Asymmetric Encryption
Uses two types of keys for encryption and decryption
Public Key - generally used for encryption; can be sent to anyone
Private Key - kept secret; used for decryption
Comes down to what one key encrypts, the other decrypts
The private key is used to digitally sign a message
Algorithms
Diffie-Hellman - developed as a key exchange protocol; used in SSL and IPSec; if digital signatures are waived, vulnerable to MITM attacks
Elliptic Curve Cryptosystem (ECC) - uses points on elliptical curve along with logarithmic problems; uses less processing power; good for mobile devices
El Gamal - not based on prime number factoring; uses solving of discrete logarithm problems
RSA - achieves strong encryption through the use of two large prime numbers; factoring thse create key sizes up to 4096 bits; modern de facto standard
Only downside is it’s slower than symmetric especially on bulk encryption and processing power
Hash Algorithms
Hash - one-way mathematical function that produces a fix-length string (hash) based on the arrangement of data bits in the input
Algorithms
MD5 (Message Digest algorithm) - produces 128 bit hash expressed as 32 digit hexadecimal number; has serious flaws; still used for file download verification
SHA-1 - developed by NSA; 160 bit value output
SHA-2 - four separate hash functions; produce outputs of 224, 256, 384 and 512 bits; not widely used
SHA-3 - uses sponge construction
RIPEMD-# - works through 80 stages, executing 5 blcosk 16 times each; uses modulo 32 addition
Collision - occurs when two or more files create the same output
Can happen and can be used an attack; rare, though
DHUK Attack (Don’t Use Hard-Coded Keys) - allows attackers to access keys in certain VPN implementations; affects devices using ANSI X9.31 with a hard-coded seed key
Rainbow Tables - contain precomputed hashes to try and find out passwords
Salt - used with a hash to obscure the hash; collection of random bits
Things to Remember
Hashes are used for integrity
Hashes are one-way functions
Tools
HashCalc
MD5 Calculator
HashMyFiles
Steganography
Steganography - practice of concealing a message inside another medium so that only the sender and recipient know of it’s existence
Ways to Identify
Text - character positions are key - blank spaces, text patterns
Image - file larger in size; some may have color palete faults
Audio & Video - require statistical analysis
Methods
Least significant bit insertion - changes least meaningful bit
Masking and filtering (grayscale images) - like watermarking
Algorithmic transformation - hides in mathematical functions used in image compression
Tools
QuickStego
gifshuffle
SNOW
Steganography Studio
OpenStego
PKI System
Public Key Infrastructure (PKI) - structure designed to verify and authenticate the identity of individuals
Registration Authority - verifies user identity
Certificate Authority - third party to the organization; creates and issues digital certificates
Certificate Revocation List (CRL) - used to track which certificates have problems and which have been revoked
Validation Authority - used to validate certificates via Online Certificate Status Protocol (OCSP)
Trust Model - how entities within an enterprise deal with keys, signatures and certificates
Cross-Certification - allows a CA to trust another CS in a completely different PKI; allows both CAs to validate certificates from either side
Single-authority system - CA at the top
Hierarchial trust system - CA at the top (root CA); makes use of one or more RAs (subordinate CAs) underneath it to issue and manage certificates
Digital Certificates
Certificate - electronic file that is used to verify a user’s identity; provides nonrepudiation
X.509 - standard used for digital certificates
Contents of a Digital Certificate
Version - identifies certificate format
Serial Number - used to uniquely identify certificate
Subject - who or what is being identified
Algorithm ID (Signature Algorithm) - shows the algorithm that was used to create the certificate
Isuer - shows the entity that verifies authenticity
Valid From and Valid To - dates certificate is good for
Key Usage - what purpose the certificate serves
Subject’s Public Key - copy of the subject’s public key
Optional Fields - Issuer Unique Identifier, Subject Alternative Name, and Extensions
Some root CAs are automatically added to OSes that they already trust; normally are reputable companies
Self-Signed Certificates - certificates that are not signed by a CA; generally not used for public; used for development purposes
Signed by the same entity it certifies
Digital Signatures
When signing a message, you sign it with your private key and the recipient decrypts the has with their public key
Digital Signature Algorithm (DSA) - used in generation and verification of digital signatures per FIPS 186-2
Full Disk Encryption
Data at Rest (DAR) - data that is in a stored state and not currently accessible
Usually protected by full disk encryption (FDE) with pre-boot authentication
Example of FDE is Microsoft BitLocker and McAfee Endpoint Encryption
FDE also gives protection against boot-n-root
Encrypted Communication
Often-Used Encrypted Communication Methods
Secure Shell (SSH) - secured version of telnet; uses port 22; relies on public key cryptography; SSH2 is successor and includes SFTP
Secure Sockets Layer (SSL) - encrypts data at transport layer and above; uses RSA encryption and digital certificates; has a six-step process; largely has been replaced by TLS
Transport Layer Security (TLS) - uses RSA 1024 and 2048 bits; successor to SSL; allows both client and server to authenticate to each other; TLS Record Protocol provides secured communication channel
Internet Protocol Security (IPSEC) - network layer tunnelling protocol; used in tunnel and transport modes; ESP encrypts each packet
PGP - Pretty Good Privacy; used for signing, compress and encryption of emails, files and directories; known as hybrid cryptosystem - features conventional and public key cryptography
S/MIME - standard for public key encryption and signing of MIME data; only difference between this and PGP is PGP can encrypt files and drives unles S/MIME
Heartbleed - attack on OpenSSL heartbeat which verifies data was received correctly
Vulnerability is that a single byte of data gets 64kb from the server
This data is random; could include usernames, passwords, private keys, cookies; very easy to pull off
Vulnerable versions include Open SSL 1.0.1 and 1.0.1f
CVE-2014-0160
FREAK (Factoring Attack on RSA-EXPORT Keys) - man-in-the-middle attack that forces a downgrade of RSA key to a weaker length
POODLE (Paddling Oracle On Downgraded Legacy Encryption) - downgrade attack that used the vulnerability that TLS downgrades to SSL if a connection cannot be made
SSl 3 uses RC4, which is easy to crack
CVE-2014-3566
Also called PoodleBleed
DROWN (Decrypting RSA with Obsolete and Weakened eNcyption) - affects SSL and TLS services
Allows attackers to break the encryption and steal sensitive data
Uses flaws in SSL v2
Not only web servers; can be IMAP and POP servers as well
Cryptography Attacks
Known plain-text attack - has both plain text and cipher-text; plain-text scanned for repeatable sequences which is compared to cipher text
Chosen plain-text attack - attacker encrypts multiple plain-text copies in order to gain the key
Adaptive chosen plain-text attack - attacker makes a series of interactive queries choosing subsequent plaintexts based on the information from the previous encryptions; idea is to glean more and more information about the full target cipher text and key
Cipher-text-only attack - gains copies of several encrypted messages with the same algorithm; statistical analysis is then used to reveal eventually repeating code
Replay attack
Usually performed within context of MITM attack
Hacker repeats a portion of cryptographic exchange in hopes of fooling the system to setup a communications channel
Doesn’t know the actual data - just has to get timing right
Chosen Cipher Attack
Chooses a particular cipher-text message
Attempts to discern the key through comparative analysis
RSA is particularly vulnerable to this
Side-Channel Attack
Monitors environmental factors such as power consumtion, timing and delay
Tools
Carnivore and Magic Lantern - used by law enforcement for cracking codes
L0phtcrack - used mainly against Windows SAM files
John the Ripper - UNIX/Linux tool for the same purpose
PGPcrack - designed to go after PGP-encrypted systems
CrypTool
Cryptobench
Jipher
Keys should still change on a regular basis even though they may be “unhackable”
Per U.S. government, an algorithm using at least a 256-bit key cannot be cracked