
Upload: hoangnguyet

Post on 25-Mar-2018


CertPrs8/CASP CompTIA Advanced Security Practitioner Cert. Stdy Gde (Exam CAS-001)/Conklin/620-6/ Blind Folio 3

1 Cryptographic Tools

CERTIFICATION OBJECTIVES

1.01 Determine Appropriate Tools and Techniques
1.02 Advanced PKI Concepts
1.03 Hashing
1.04 Cryptographic Applications
1.05 Digital Signature
1.06 Code Signing
1.07 Nonrepudiation
1.08 Transport Encryption
1.09 Implications of Cryptographic Methods and Design
1.10 Entropy
1.11 Pseudorandom Number Generation
1.12 Perfect Forward Secrecy
1.13 Confusion
1.14 Diffusion
✓ Two-Minute Drill
Q&A Self Test

ch01.indd 3 8/15/12 5:17 PM


Cryptography is one of the many tools used to secure data in a system. This chapter introduces the use of cryptographic tools and techniques to secure systems and data in the enterprise. Several factors need to be considered when choosing the appropriate cryptographic method to protect data. This chapter outlines the elements needed to make the best decision.

CERTIFICATION OBJECTIVE 1.01

Determine Appropriate Tools and Techniques

Many cryptographic tools and techniques can be used to secure data in the enterprise. Ultimately, security becomes a risk management problem where risk and benefits are measured and balanced. Choosing the appropriate cryptographic method involves examining the context of the risk management problem. Important elements that need to be considered include the type of data, the sensitivity of the data, the value of the data, and the threats to the data. Cryptographic methods can be separated into two broad forms: encryption/decryption systems and hash functions. Encryption systems can be classified into two broad classes: symmetric and asymmetric (public key).

An important operational detail is to ensure that systems are not enabled to use outdated or deprecated algorithms. Browsers can be enabled to use either Secure Sockets Layer (SSL) v1 or v2, although this makes them vulnerable to attacks that are avoided by newer versions of SSL and Transport Layer Security (TLS).

Symmetric Key Encryption Methods

Symmetric key encryption is characterized by the use of the same key for both encryption and decryption (see Figure 1-1). Numerous algorithms are in use, but the true security is dependent on the security associated with the key used for encryption and decryption.


Advantages

The primary advantage of symmetric key encryption systems is speed, and this can be an important issue for encrypting and decrypting large amounts of data. Symmetric key encryption is used in bulk data transfers, such as virtual private networks (VPN), and in securing hard drives and files. Symmetric key encryption is also easier to manage on solo platforms (that is, disk encryption), where sharing of keys is not an issue and thus alleviates a dependency on a public key infrastructure (PKI) solution.

Disadvantages

The use of a common key can simplify some aspects, but it also creates a problem where the encryption key needs to be protected. The security offered by the encryption is limited by the security applied to the key and its distribution to authorized parties. Should the key become compromised, not only are current messages compromised, but previous messages are also potentially compromised. Key management is essential for symmetric encryption because the key must be securely passed to all authorized parties. Because these parties are usually physically separate, a key management method is critical to ensure keys are shared and exchanged easily.

For operations such as hard drive encryption, options such as the Trusted Platform Module (TPM), which provides a hardware-based key storage location, can provide secure storage. The TPM is used by many applications, including Microsoft’s BitLocker Drive Encryption feature. If the encrypted data is being shared between two parties, then a secure method for passing the key between them is needed. In the case of setting up a secure communication channel, such as a VPN, the key can be shared via a separate channel. In the case of an encrypted channel such as SSL, the symmetric key exchange can be performed during the channel setup using an asymmetric passed key exchange method to create a session key that can act as the symmetric key.

FIGURE 1-1 Symmetric key encryption system

Symmetric algorithms are faster than public key methods and therefore are commonly used for large amounts of data, such as in drive encryption and securing communication channels.


Symmetric Algorithms

The most commonly used symmetric algorithms are 3DES, IDEA, and AES. All three of these are known as block methods because they work on blocks of data. Block ciphers must operate on blocks of data, and if the data is less than a complete block, it will need to be padded.

For streaming data, such as video and audio data, stream ciphers are better. Symmetric stream ciphers enable the encryption of smaller data elements (typically bytes) and are used to secure streaming video and audio. The most common symmetric stream ciphers are RC4, which is for software, and A5/1, which is used in Global System for Mobile Communications (GSM) cellphones.

3DES (Triple DES) Triple DES is the use of the DES algorithm three times during the encryption and decryption process (see Figure 1-2). Several variants use either two or three keys. The multiple round method used in 3DES is an encryption step, a decryption step, and then a final encryption step. The order of steps is reversed for decryption. This methodology has been shown to be more effective than three successive encryption steps in sequence.

IDEA The International Data Encryption Algorithm (IDEA) is a symmetric algorithm utilizing 64-bit blocks and 128-bit keys. Originally a patented algorithm, it became widely licensed and the patents expired in January of 2012. IDEA became widely known because of its adoption in the PGP and OpenPGP products.

INSIDE THE EXAM

Selecting the Appropriate Encryption Method

Selecting the appropriate encryption method involves first determining the type of data, block or stream, and then the appropriate method based on usage. For bulk usage, the speed of symmetric encryption makes it the preferred method. For distributing keys to parties over open channels, public key encryption has advantages. In many cases, a combination of methods is used to garner the advantages of both public key and symmetric systems.

The most commonly used symmetric algorithms are 3DES, IDEA, and AES for block ciphers and RC4 and A5/1 for streams.


Advanced Encryption Standard (AES) The Advanced Encryption Standard is a symmetric block cipher with a fixed block size of 128 bits. The key length used has no theoretical limit, although the current implementations use 128, 193 and 256 bits, with longer keys offering greater security. AES was developed from an international competition to replace the aging Triple DES method, and is the only publicly available cipher approved by the U.S. Government for top-secret data.

Asymmetric or Public Key Encryption Methods

Asymmetric or public key cryptography is an invention of the digital age. Although the methods used are mathematical, it is the use of digital computers that enables the large calculations used in these algorithms. The primary foundation of these methods is the use of a key-pair, a set of separate-yet-related keys for the purposes of encryption and decryption. The two keys are generated together and have a mathematical relationship that enables one key to act counter to the other. If one key encrypts, then only the other can decrypt, and vice versa. One other characteristic is that given one of the keys, the other key cannot be determined from it. This lends itself to a wide range of very useful capabilities.

FIGURE 1-2 3DES methodology


The two keys are typically named the public and the private key. Using this nomenclature, the following rules are then employed: The public key is distributed publicly to any who would need it (as a matter of course, everyone), whereas the private key is kept completely private to the originator of the key. The true usefulness of the key-pair then rests on the private key being kept secret, a simpler task than with symmetric keys because the private key is not shared with anyone.

Asymmetric or public key cryptography is characterized by two keys: one public and one private. The public keys are passed via certificates using PKI to make key exchange easy between parties. Public key cryptography plays a key role in digital signatures and code-signing.

To examine the usefulness of public key cryptography, assume we have two people, Alice and Bob, who wish to communicate securely. Assume that each has generated their own key-pair. Also assume that each has kept their private key private (known only to themselves). Their public keys, on the other hand, are known by all. If Alice wishes to privately communicate with Bob, she needs to encrypt a message that only Bob can decrypt and read. If Alice uses Bob’s public key to encrypt her message, only Bob’s private key can decrypt it, meaning that only Bob can read her message. Now suppose that Alice wishes to send a message and have everyone know that she and only she could have written it. If she encrypts the message with her private key before sending it, only her public key will decrypt it and hence only she could have made the message. If Alice wants only Bob to read it, and know it is from her, she can perform both operations. A simpler method to achieve this same goal is to use a digital signature.

Advantages

The major advantage offered by public key cryptosystems is the ability to manage key distribution and provide for integrity checks and nonrepudiation. Public keys are just that—known to all in the public, thus making the key distribution problem a key attribution problem rather than a message secrecy problem. To solve the key attribution problem, a system called public key infrastructure was created.


Asymmetric Algorithms

The origin of public key cryptography was in the U.K. at a secret lab, GCHQ. This work was kept secret until 1997, long after the same methods were independently invented by others in the cryptographic community. The form commonly seen is the RSA algorithm, named after the three scientists who developed it: Rivest, Shamir, and Adleman. The RSA algorithm is based on factoring very large, nearly prime numbers. Two other algorithms, one based on discrete logarithms, the ElGamal algorithm, and the other based on elliptic curves, are also used. The ElGamal algorithm is used in the Digital Signature Algorithm (DSA), the approved digital signature algorithm of the U.S. Government. Elliptic Curve cryptography has found a niche in low power and computationally constrained devices (think mobile devices) because the keys are shorter and the math is faster for a given level of security.

CERTIFICATION OBJECTIVE 1.02

Advanced PKI Concepts

The passing of public keys between entities is done via a specific format called a digital certificate. Digital certificates offer not only a means of standardized key transmission, but also a format whereby the key’s attribution to a particular entity can be established. The necessary set of policies, procedures, hardware, and software to perform the tasks associated with key creation, management, distribution, use, storage, and revocation is referred to as a public key infrastructure (PKI).

Systems

A PKI consists of several elements to allow the association of public keys and entities and to do so with a level of trust. The primary elements of a PKI include the Certificate Authority, the Registration Authority, certificates, the management of these certificates through their life cycle, and policies. Policies are required to manage the rules and processing of certificates and trust. Acceptance of a certificate is based on trusting the chain of signatures associated with issuance of a certificate from a CA.

The common public key algorithms are RSA, ElGamal, and Elliptic Curve. RSA is common for general-purpose use, ElGamal is primarily used in digital signatures, and Elliptic Curve is a newer method that is useful for mobile and other low-power devices.

The principal components of a PKI system include Certificate Authorities (CAs), Registration Authorities (RAs), certificates, policies, certificate life cycles, and chains of trust. A certificate carries a public key (or keys) and is attested to by a CA. Whether or not one trusts the key depends on the trust relationship with the CA and its signers.

Digital Certificate

A digital certificate is a standard format for the passing of public keys between entities. The common standard used is X.509, and this format provides for a variety of information to be passed between entities. Four main types of certificates can be issued by a Certificate Authority: end-entity, CA, cross-certification, and policy certificates.

End-entity certificates are issued by a CA to a specific entity, such as a person (Alice), a group (the accounting department), or a device such as a firewall. An end-entity certificate is the identity document provided by most PKI implementations. End-entity certificates bind a public key to the entity listed on the certificate. End-entity certificates are signed by the CA.

A CA certificate is the certificate identifying the public key for the CA. It can be self-signed, in the case of a standalone or root CA, or it can be issued by a superior CA within a hierarchical model. A superior CA can give the authority and allow a subordinate CA to accept certificate requests and generate the individual certificates itself. This may be necessary when a company needs to have multiple internal CAs, and different departments within an organization need to have their own CAs servicing their specific end-entities in their sections. In these situations, a representative from each department requiring a CA registers with the higher trusted CA and requests a Certificate Authority certificate.

A cross-certification certificate (or cross-certificate) is used when independent CAs establish peer-to-peer trust relationships. Simply put, cross-certificates are a mechanism through which one CA can issue a certificate allowing its users to trust another CA. When two firms merge, this mechanism allows for easy certificate management across both firms.

The common standard used for digital certificates is X.509. The four main types of certificates are end-entity, CA, cross-certification, and policy certificates.

Finally, policy certificates are traceable documents that can disseminate specific policy guidance to PKI clients. These are used in high-security applications, where a mechanism is required to provide centrally controlled policy information to PKI clients.

Certificate Authority

A Certificate Authority (CA) is a trusted authority that certifies individuals’ identities and creates electronic documents indicating that individuals are who they say they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject’s identity and a public key. The private key that is paired with the public key in the certificate is stored separately.

INSIDE THE EXAM

X.509 Digital Certificate Fields

The following fields are included within an X.509 digital certificate:

■ Version number: Identifies the version of the X.509 standard that was used to create the certificate; indicates the format and fields that can be used.

■ Serial number: A unique number identifying this one specific certificate issued by a particular CA.

■ Signature algorithm: Specifies the hashing and digital signature algorithms used to digitally sign the certificate.

■ Issuer: Identifies the CA that generated and digitally signed the certificate.

■ Validity: Specifies the dates through which the certificate is valid for use.

■ Subject: Specifies the owner of the certificate.

■ Public key: Identifies the public key and algorithm being bound to the certified subject.

■ Certificate usage: Specifies the approved use of the key/certificate, which dictates the intended use of this public key.

■ Extensions: Allow additional data to be encoded into the certificate to expand the functionality of the certificate. X.509 version 3 has extended the extension possibilities.


A CA is made up of the software, hardware, procedures, policies, and people who are involved in validating individuals’ identities and generating the certificates. This means that if one of these components is compromised, it can negatively affect the CA overall and can threaten the integrity of the certificates it produces. This is a weakness in the current PKI system because false certificates have been appearing in malware systems in recent years.

Every CA should have a certification practices statement (CPS) that outlines how identities are verified; the steps the CA follows to generate, maintain, and transmit certificates; and why the CA can be trusted to fulfill its responsibilities. The CPS describes how keys are secured, what data is placed within a digital certificate, and how revocations will be handled. If a company is going to use and depend on a public CA, the company’s security officers, administrators, and legal department should review the CA’s entire CPS to ensure that it will properly meet the company’s needs, and to make sure that the level of security claimed by the CA is high enough for their use and environment. A critical aspect of a PKI is the trust between the users and the CA, so the CPS should be reviewed and understood to ensure that this level of trust is warranted.

Registration Authority

A Registration Authority (RA) is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. The authentication requirements differ depending on the type of certificate being requested. Although not specified in the standards, or required by any specific rule, most CAs offer a series of classes of certificates with increasing levels of trust by class. RAs must have appropriate mechanisms to match validation with the level of trust implied by the class of the certificate.

Each higher class of certificate can carry out more powerful and critical tasks than the one below it. This is why the different classes have different requirements for proof of identity. If you want to receive a Class 1 certificate, you may only be asked to provide your name, e-mail address, and physical address. For a Class 2 certification, you may need to provide the RA with more data, such as your driver’s license, passport, and company information that can be verified. To obtain a Class 3 certificate, you will be asked to provide even more information and most likely will need to go to the RA’s office for a face-to-face meeting. Each CA will outline the certification classes it provides and the identification requirements that must be met to acquire each type of certificate for RAs to follow.

VeriSign, a CA, issues five classes of certificates:

■ Class 1 for individuals, primarily intended for e-mail. No real proof of identity is required.

■ Class 2 for organizations. Proof of identity is required.

■ Class 3 for servers and software signing, with independent verification and checking of identity.

■ Class 4 for online business transactions between companies.

■ Class 5 for private organizations or governmental security.

In most situations, when a user requests a Class 1 certificate, the registration process will require the user to enter specific information into a web-based form. The web page will have a section that accepts the user’s public key, or it will step the user through creating a public/private key pair, which will allow the user to choose the size of the keys to be created. Once these steps have been completed, the public key is attached to the certificate registration form and both are forwarded to the RA for processing. The RA is responsible only for the registration process and cannot actually generate a certificate. Once the RA is finished processing the request and verifying the individual’s identity, the RA sends the request to the CA. The CA uses the RA-provided information to generate a digital certificate, integrates the necessary data into the certificate fields (user identification information, public key, validity dates, proper use for the key and certificate, and so on), and sends a copy of the certificate to the user. The certificate may also be posted to a publicly accessible directory so that others can access it. Note that a one-to-one correspondence does not necessarily exist between identities and certificates. An entity can have multiple key pairs, using separate public keys for separate purposes. Thus, an entity can have multiple certificates, each attesting to separate public key ownership. It is also possible to have different classes of certificates, again with different keys. This flexibility allows entities total discretion in how they manage their keys, and the PKI manages the complexity by using a unified process that allows key verification through a common interface.

Applications

When applications need to use public key cryptography, the standards defined by PKI allow vendors an interoperable method to exchange keys via certificates. This enables a browser to correctly utilize the required keys, including the checking of trust paths and revocation before use, automatically and seamlessly behind the scenes.

INSIDE THE EXAM

Validating a Certificate

The following steps are required for validating a certificate:

1. Compare the CA that digitally signed the certificate to a list of CAs that have already been loaded into the receiver’s computer.

2. Calculate a message digest for the certificate.

3. Use the CA’s public key to decrypt the digital signature and recover what is claimed to be the original message digest embedded within the certificate (validating the digital signature).

4. Compare the two resulting message digest values to ensure the integrity of the certificate.

5. Review the identification information within the certificate, such as the e-mail address.

6. Review the validity dates.

7. Check a revocation list to see if the certificate has been revoked.
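The seven validation steps above, walked through in code as an added example (not from the book). It assumes a toy certificate held as a Python dict, textbook RSA without padding, and hypothetical names such as `validate`, `ca_sign` and "Example Root CA"; the sign/recover pair is the same private-key/public-key operation described earlier for Alice.

```python
import hashlib
from datetime import datetime, timezone

# Toy RSA parameters for the constructed CA: two well-known Mersenne primes,
# used only so the example is reproducible. Never use them as key material.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


SIGNED_FIELDS = ("serial", "issuer", "subject", "not_before", "not_after", "public_key")


def signed_bytes(cert):
    """Deterministic encoding of the signed fields (a stand-in for DER)."""
    return "\n".join(f"{name}={cert[name]}" for name in SIGNED_FIELDS).encode()


def digest(cert):
    """Step 2: message digest of the certificate contents, as an integer."""
    return int.from_bytes(hashlib.sha256(signed_bytes(cert)).digest(), "big")


def ca_sign(cert, ca_private):
    """What the CA does at issuance: transform the digest with its private key."""
    n, d = ca_private
    return dict(cert, signature=pow(digest(cert), d, n))


def validate(cert, trusted_cas, revoked, expected_subject, now):
    """Walk the seven steps; return 'valid' or the first reason for rejection."""
    ca_public = trusted_cas.get(cert["issuer"])            # step 1: known CA?
    if ca_public is None:
        return "issuer not in trusted CA list"
    computed = digest(cert)                                 # step 2: own digest
    n, e = ca_public
    recovered = pow(cert["signature"], e, n)                # step 3: CA public key
    if recovered != computed:                               # step 4: compare
        return "signature does not match contents"
    if cert["subject"] != expected_subject:                 # step 5: identity
        return "subject mismatch"
    if not cert["not_before"] <= now <= cert["not_after"]:  # step 6: dates
        return "outside validity dates"
    if cert["serial"] in revoked.get(cert["issuer"], ()):   # step 7: revocation
        return "revoked"
    return "valid"


def demo():
    """Constructed sample data: one CA and one end-entity certificate."""
    ca_public, ca_private = make_keypair()
    utc = timezone.utc
    cert = ca_sign({
        "serial": 1001,
        "issuer": "Example Root CA",
        "subject": "alice@example.com",
        "not_before": datetime(2024, 1, 1, tzinfo=utc),
        "not_after": datetime(2025, 1, 1, tzinfo=utc),
        "public_key": "alice-public-key-placeholder",
    }, ca_private)
    trusted = {"Example Root CA": ca_public}
    now = datetime(2024, 6, 1, tzinfo=utc)
    altered = dict(cert, subject="mallory@example.com")  # signature left as issued
    return {
        "good": validate(cert, trusted, {}, "alice@example.com", now),
        "tampered": validate(altered, trusted, {}, "mallory@example.com", now),
        "unknown_ca": validate(cert, {}, {}, "alice@example.com", now),
        "expired": validate(cert, trusted, {}, "alice@example.com",
                            datetime(2025, 6, 1, tzinfo=utc)),
        "revoked": validate(cert, trusted, {"Example Root CA": {1001}},
                            "alice@example.com", now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:11} {result}")
```

The expired and revoked cases return different reasons, which mirrors the distinction the chapter draws between a certificate that reached its end date and one the CA withdrew.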


Users

A user of public keys can be a person, a piece of hardware, software, a department, or a company—virtually any entity can have a public key. The role of the PKI is to validate that the entity claiming to have the key is the correct entity by way of information listed on the certificate itself. Public keys and digital certificates act as cryptographic surrogates providing a secure means of identification for an entity as part of a digital transaction.

Issuance to Entities

The PKI system has a responsibility to support the entire public key life cycle, from issuance, through use, retirement/destruction, and management functions such as key recovery and escrow. The issuance of certificates is the most common function identified by users, but the real work occurs during the certificate usage phase. Before each use of a certificate, the user should validate that the certificate is still valid. This is done by checking in with the Certificate Authority.

The life cycle of a certificate also includes the management of certificate issues with respect to key escrow and key recovery. As noted earlier, the private key is typically never moved from the machine it was generated on, yet in today’s business world there exists a need to manage keys through equipment and personnel changes. This can be done through a system known as key escrow and key recovery. Upon the creation of the key-pair, the private key can be written to a certificate and a copy can be deposited in an appropriately secure repository. This is known as key archiving and can act as a safety net in the event of disaster or the loss of an employee associated with the key.

Two systems are important for backing up and restoring cryptographic keys: key archiving and key recovery. Key archiving is a way of backing up keys and securely storing them in a repository; key recovery is the process of restoring lost keys to the users or the company.


Key escrow is different from key recovery; it is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises. Key escrow almost always pertains to handing over encryption keys to a higher authority so that the keys can be used to collect evidence during investigations. A key-pair used in a person’s place of work may be required to be escrowed by the employer for three reasons. First, the keys are property of the enterprise, issued to the worker for use. Second, the firm may have need for them after an employee leaves the firm. Lastly, the firm may need them to perform an investigation on data secured by the keys.

OCSP vs. CRL

Before using a certificate, one should ensure that it is still valid and has not been revoked by the issuer or entity. The two primary methods to verify whether a certificate is still valid are the Online Certificate Status Protocol (OCSP) and a certificate revocation list (CRL).

The CA is the entity responsible for the status of the certificates it generates; it needs to be told of a revocation, and it must provide this information to others. The CA is responsible for maintaining the CRL and posting it in a publicly available directory. Certificates that have expired are not the same as those that have been revoked. If a certificate has expired, it means that its end validity date was reached.

This information is typically provided by means of a certificate revocation list, a list of all revoked certificates and the reasons for revocation. The list usually contains all certificates that have been revoked within the lifetime of the CA. The format of the CRL message is also defined by X.509. The list is signed, to prevent tampering, and contains information on certificates that have been revoked and the reasons for their revocation. These lists can grow quite long, and as such, there are provisions for date-time stamping the list and for issuing delta lists, which show changes since the last list was issued.

Before one uses a public key, it is highly recommended to check to see if it is still valid. This can be done by one of two mechanisms: certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP). CRLs are verified from the CA that issued the certificate, whereas the OCSP offers a service-based mechanism that can cross multiple CAs in a convenient fashion.

OCSP is a request and response protocol that obtains the serial number of the certificate that is being validated and reviews revocation lists for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, is valid, or has an unknown status. This protocol and service saves the client from having to find, download, and process the right lists.

Wildcard

A wildcard certificate is a specific form of certificate used in TLS/SSL instances. Normally a separate certificate would be required for each subdomain under a domain, and this could lead to a large number of certificates and force cryptographic renegotiation as a user crosses the subdomains. A wildcard certificate addresses this issue by enabling TLS/SSL encryption on multiple subdomains using a single certificate as long as the domains are controlled by the same organization and share the same second-level domain name.

CERTIFICATION OBJECTIVE 1.03

Hashing

Hashing is the process of running data through a mathematical function to produce a message digest of a specified size. Hash functions are special mathematical algorithms that cannot be undone, resulting in a one-way operation. The size of a message digest is fixed by the hash algorithm, not the size of the data being processed. The unique message digests provide a representative surrogate for the data and are uniquely determined by the bit pattern of the data. The nonreversible nature of the hash function means that it is not possible to reconstruct the original data if given the message digest. The uniqueness of the hash output, the message digest, provides a means of testing digital data for alterations and integrity checking.

A wildcard certificate issued to Company ABC using the Common Name “*.CompanyABC.com” may be used to secure the help.CompanyABC.com, research.CompanyABC.com, and web.CompanyABC.com domains.

Hashing Algorithms

Several different major hash functions are available, although from a user perspective they work in an identical fashion: input data and receive a fixed-length message digest. What differs among the hash functions is the length of the message digest and the internal resistance to collisions and other forms of cryptographic attack.

Several major families of hash functions exist. The MD series, including MD2, MD4, and MD5, are now all considered to be obsolete, although MD5 is still in wide use. The reason for the deprecation was collisions and the availability of successors, namely the SHA series. The SHA1 and SHA2 series are more resistant to collisions, but recent advances have caused SHA1 to be considered a candidate for deprecation. The SHA2 series includes SHA256, SHA384, and SHA512, with the numbers representing the message digest size. Because the SHA and MD series all use similar algorithms and are considered collision candidates, a new competition for a collision-resistant hash algorithm has begun with SHA3 being the series title. A separate series of hash functions from Belgium, the RIPEMD series, has also been strengthened against collisions, with RIPEMD-128/256 and RIPEMD-160/320 being the current sets.

The common hash functions used today include MD5, SHA1, the SHA2 series (SHA256, SHA384, and SHA512) and the RIPEMD series. By most accounts MD5 is considered to be obsolete, but it is still used and supported across a variety of platforms.

Hash functions are used in a variety of IT systems, from the storing of passwords, to message authentication and digital signatures. Hash functions are commonly used for integrity checks, masking of secrets, and indexing.

Hash Vulnerabilities

Two major weaknesses are associated with hash functions. In the case of using a hash function for the purposes of integrity, there exists the possibility of a collision. A collision is when two separate inputs produce the same message digest. Collisions are a natural consequence of the fixed message digest size. A message digest of 128 bits can only represent a maximum of 2^128 different inputs; after that there will have to be a repeat message digest. The good news is that although theoretically possible, the practical feasibility of producing a collision where the two data sets could be confused with each other, yet produce a common digest, is considered to be null.

The other weakness is in the form of rainbow table attacks. Rainbow tables are pre-computed hash values against all members of a particular set of values. For certain functions, such as passwords, this attack methodology can assist in “reversing” a hash through the computation of all possible hashes and looking up the matching value. This attack can be mitigated by system design, specifically the addition of a salt to a password, making the password too long for pre-computation and lookup.

Use of Hashing in an Enterprise

Hash functions find many uses in a modern enterprise. Because hash functions are nonreversible, any data that passes through the function is in essence destroyed. What is returned from the hash function is a unique digest associated with the original data. Because the hash digest is determined by the original data and will change with a single bit change in the original data, hash digests can be used to compare different data sets to see if they are identical all the way to the bit level. This makes hash functions ideal for integrity checking of data.

Hash functions can also serve a number of other functions, including the creation of hash tables for indexing data, the creation of pseudorandom numbers, and password protection. The storage of passwords presents the possibility of an unauthorized party obtaining the password. Rather than store the password, the system can store a hash of the password. Whenever a password is entered, it is subsequently hashed and checked against the stored value; if the hashes match, it means the password was correct. This is not a perfect scheme, and a series of attack vectors have been developed against it, but it provides significantly better security than just storing the passwords. Because hash functions are incredibly sensitive to even the minutest change in input and produce a seemingly random output, this has been used to create pseudorandom numbers.
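The following added example (not from the original text) ties together the rainbow-table weakness under Hash Vulnerabilities and the password-storage scheme described above: a bare hash lets a precomputed table resolve a stored value, while a per-user salt defeats the lookup. The wordlist, user names, iteration count, and the choice of PBKDF2-HMAC-SHA256 as the salted construction are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate set standing in for the
# "particular set of values" a precomputed table covers, and two users
# who happen to have chosen the same password.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2012"]
USERS = {"alice": "letmein", "bob": "letmein"}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_record(password):
    """Weak scheme: store only a bare SHA-256 hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Store (salt, derived key): fresh random salt per user, then PBKDF2."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS)
    return salt, key


def verify_salted(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def precomputed_table(words):
    """Hash every candidate once, ahead of time: digest -> password."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup(table, stored_hex):
    """Return the candidate whose precomputed digest matches, if any."""
    return table.get(stored_hex)


def demo():
    table = precomputed_table(WORDLIST)
    unsalted_db = {user: unsalted_record(pw) for user, pw in USERS.items()}
    salted_db = {user: salted_record(pw) for user, pw in USERS.items()}
    return {
        # Same password, same stored value: one lookup resolves both users.
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_recovered": lookup(table, unsalted_db["alice"]),
        # Different salts give different stored values for the same
        # password, and the table built without the salt no longer matches.
        "salted_identical": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_recovered": lookup(table, salted_db["alice"][1].hex()),
        # Normal login still works because the salt is stored with the hash.
        "login_ok": verify_salted("letmein", salted_db["alice"]),
        "login_bad": verify_salted("letmeim", salted_db["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
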

CERTIFICATION OBJECTIVE 1.04

Cryptographic Applications

Cryptographic functions perform many useful tasks in today’s enterprise. From using hash values to verify password matches, to digital signatures and code signing to providing for secure data transfer and storage, cryptography offers a means to tackle many challenging problems.

Practical Application of Cryptographic Functions

The most practical application of cryptography is when it is built into the applications and operating systems so that the desired functionality is performed without having to dwell on individual detailed steps. Multistep functions such as digital signatures and code-signing verification can be built into a wide range of applications by simply following the appropriate design elements. The use of standards to define the elements and relationships between them makes it functionally easier to achieve the desired results.

All of the necessary cryptographic functionality is provided for in libraries for most major languages and development platforms. This makes the proper inclusion of this functionality a reasonable task to achieve. The one challenge is to avoid pitfalls such as designing your own encryption methods or algorithms, configuring older, deprecated methods, and not fully implementing standards beginning with the design of a system.

CERTIFICATION OBJECTIVE 1.05

Digital Signatures

Signatures have been a mainstay of proving the authenticity of documents for centuries, and digital signatures extend this functionality to electronic documents. Digital signatures utilize both hashing functions and asymmetric cryptography to verify integrity and nonrepudiation. Digital documents are very easy for anyone to change and virtually impossible to directly detect tampering. To protect against unauthorized document editing, hashing functions are used to create a digest of the message that is unique and easily reproducible by any party desiring to know if the document was altered. This ensures that the message integrity is protected from unknown alterations. Asymmetric encryption is used to prevent unauthorized alterations to this resultant hash value. The properties of asymmetric encryption allow anyone to use a person’s private key to generate a message that can be decrypted and read by anyone. Assuming the private key is used to encrypt the hash value and is only possessed by the authorized keyholder, this proves that the hash was encrypted by that person. If the hash value obtained by decrypting the hash matches a new hash taken of the data, this demonstrates that the data has not been altered.

The United States Government has issued a standard for digital signatures referred to as the Digital Signature Standard. One of the three techniques approved is the Digital Signature Algorithm (DSA). This method has been updated to use a SHA2 series hash and large seeds for the ElGamal discrete logarithm method used for public key encryption. This standard is published by NIST as FIPS 186-3.

The “standard” for digital signatures is the Digital Signature Standard, which is published by NIST as FIPS 186-3. The Digital Signature Algorithm (DSA) is one of three techniques approved and is specified in FIPS 186-3.

Digital signatures are very powerful and can be applied to any digital item, including e-mail, documents, pictures, and other types of digital transmission. Digital signatures can provide more than simple integrity checks; they can also provide nonrepudiation. It is also possible to incorporate timestamps into the signed element, providing a means to prove that a signature is valid even after a private key is later exposed or considered insecure.

INSIDE THE EXAM

Creating a Digital Signature

Here are the steps you would perform as the signer:

1. Obtain a hash value for the data to be signed.

2. Encrypt the hash value using your private key.

3. Attach the encrypted hash, and a copy of your public key (via certificate), to the data and send to other party.

And here are the steps you would perform as the recipient:

1. Separate the data, encrypted hash, and certificate.

2. Obtain your own hash value of the data.

3. Verify the public key is still valid using PKI methods.

4. Decrypt the encrypted hash value using the public key provided.

5. Compare the two hash values. If they are identical, the data is unchanged from time of signing. (See Figure 1-3.)
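The signer and recipient steps above, carried through as an added example that is not part of the original text. It uses textbook RSA with no padding and a toy key pair built from publicly known Mersenne primes so that it runs with the standard library alone; the key material, the `VALIDATED_KEYS` stand-in for PKI validation, and the sample message are assumptions of this example, and real systems call a vetted library's signature function instead.

```python
import hashlib

E = 65537  # public exponent used for both toy keys


def toy_keypair(p, q):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (E, n), (d, n)


# Constructed toy keys, never usable in practice: the primes are public.
SIGNER_PUBLIC, SIGNER_PRIVATE = toy_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = toy_keypair(2**1279 - 1, 2**2203 - 1)

# Stand-in for recipient step 3 (PKI validation): the set of public keys
# the recipient has already validated through certificates.
VALIDATED_KEYS = {SIGNER_PUBLIC}


def hash_value(data):
    """SHA-256 digest of the data, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key, public_key):
    d, n = private_key
    digest = hash_value(data)                  # signer step 1
    encrypted_hash = pow(digest, d, n)         # signer step 2
    return {"data": data,                      # signer step 3
            "encrypted_hash": encrypted_hash,
            "public_key": public_key}


def verify(bundle, validated_keys=VALIDATED_KEYS):
    data = bundle["data"]                      # recipient step 1
    encrypted_hash = bundle["encrypted_hash"]
    public_key = bundle["public_key"]
    own_hash = hash_value(data)                # recipient step 2
    if public_key not in validated_keys:       # recipient step 3
        return False
    e, n = public_key
    decrypted_hash = pow(encrypted_hash, e, n) # recipient step 4
    return decrypted_hash == own_hash          # recipient step 5


def demo():
    message = b"Pay invoice 1001: 100 USD"     # constructed sample data
    signed = sign(message, SIGNER_PRIVATE, SIGNER_PUBLIC)
    # Data altered after signing: step 5 fails.
    altered = dict(signed, data=b"Pay invoice 1001: 900 USD")
    # Altered data re-signed with a different key and shipped with that
    # key attached: the hashes would match, so only step 3 rejects it.
    resigned = sign(altered["data"], OTHER_PRIVATE, OTHER_PUBLIC)
    return {
        "genuine": verify(signed),
        "altered": verify(altered),
        "resigned_unvalidated_key": verify(resigned),
        "resigned_if_key_were_accepted": verify(resigned, {OTHER_PUBLIC}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results show why step 3 cannot be skipped: a signature that checks out mathematically proves nothing until the attached public key has been tied to the expected signer.
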

[FIGURE 1-3: Digital Signature Signing and Verification. Signing process: the information to be signed is run through a hash function, the hash is encrypted with the signer’s private key to form the signature, and the digitally signed data is sent to the recipient together with the certificate holding the signer’s public key. Verification process: the signed information is run through the hash function, the signature is decrypted using the sender’s public key, and the two hashes are compared; if the hashes are identical, the message is genuine.]

CERTIFICATION OBJECTIVE 1.06

Code Signing

Code signing is the application of digital signature technology to computer code, executable files, scripts, and resource files, and it provides many benefits. A common concern when downloading code, or receiving it via any channel, is whether or not the code has been changed or tampered with. Using a digital signature and signing the code provides an easy way to verify the integrity of the code. The digital signature can also verify the author of the code, be it a person or a firm. If you are downloading an update to the operating system and the code is signed, the operating system can check to see if the signature is valid and hence the code is intact. It can also alert the administrator as to the source of the signature, so that one knows where the software is coming from. Again, this all rests on the third-party certificate validation scheme (PKI) and valid certificates on the system connecting to the software developers. For large-scale patching systems, such as Microsoft’s Update service, all of this checking is done behind the scenes. Should a certificate not validate or a hash check fail, the patch would not be applied to the system and the operator would be alerted as to the failure.

Message Authentication Code (MAC) and Hash Message Authentication Code (HMAC)

When communicating, it is sometimes desired to have a manner of managing message authenticity and integrity. The use of a cryptographic primitive, a secret key, and the message can produce a message authentication code (MAC) that can only be reproduced by holders of the secret key. This enables an authorized receiver (who has possession of the secret key) to verify that a message was not changed in transit. MACs differ from digital signatures because they use a single key for all functions; therefore, they cannot offer nonrepudiation because both the sender and receiver must possess the key. The use of a hash function to derive a message digest can be employed to provide a very sensitive method of detecting changes in messages, and the employment of this technique is referred to as message authentication codes.

An HMAC is a specific form of a MAC in which a hash function is used over the message and key. This has become a standard mechanism, with HMAC-SHA1 and HMAC-MD5 both being used in TLS and IPSec protocols. Additional information on HMACs is available in RFC 2104 and FIPS PUB 198.

Key Exchange

The key exchange problem is simple to describe. For two parties to use cryptography to encrypt and decrypt messages, they need to exchange keys used in the process. The devil is in the details, for in the case of symmetric cryptography, the key represents the security of the message and it must be securely transmitted by some secure channel, even courier in some cases, between the parties. This represents a burden because the maintenance of security associated with the symmetric key is a substantial task.

With public key cryptography, it is the public keys that have to be exchanged, and the beauty of this scheme is that they can be exchanged publicly. Having unauthorized parties view a public key does them no good whatsoever because it is assumed that everyone has the public key. The challenge of public keys is the validation of the assignment of a particular key to a specific entity: Is Alice’s key really Alice’s? The tools to do this are part of the public key infrastructure, a set of elements designed to manage the key assignment and validation process.

Coming back to the problem of securely sharing a symmetric key, asymmetric cryptography has an answer to that problem as well. In 1976, Whitfield Diffie and Martin Hellman developed a method of exchanging secrets across an observed channel, which is now called the Diffie-Hellman key exchange protocol. This method allows two parties to pass messages back and forth, allowing an observer to monitor all the messages but not be able to determine the computed secret. This computed secret can then be used either directly as a symmetric key or to pass a symmetric key securely between the parties.

The standard form of HMAC is Hash((key XOR outer pad) || Hash((key XOR inner pad) || message)). The secret key is padded (XORed with 0x36, concatenated with the message, and hashed). The result is concatenated with the key, padded by XOR with 0x5C, and hashed again. The dual hash prevents any attacks against the hash function. This form has been put in most computer language standard libraries so best practice for usage is a simple function call of an approved cryptographic function.
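The HMAC form given above, written out step by step and checked against the standard library call that the text recommends for real use. This is an added example, not code from the original text; the key, the messages, and the choice of SHA-256 as the hash are assumptions of this example.

```python
import hashlib
import hmac


def hmac_by_hand(key, message, hash_name="sha256"):
    """Hash((key XOR outer pad) || Hash((key XOR inner pad) || message))."""
    block_size = hashlib.new(hash_name).block_size
    # Keys longer than one hash block are hashed first; shorter keys are
    # zero-padded to exactly one block (RFC 2104).
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)   # key XOR inner pad
    outer_key = bytes(b ^ 0x5C for b in key)   # key XOR outer pad
    inner_hash = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner_hash).digest()


def library_tag(key, message):
    """The single function call to use in practice."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, received_tag):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(library_tag(key, message), received_tag)


def demo():
    key = b"shared-secret-key"                  # constructed sample key
    long_key = b"k" * 100                       # longer than one block
    message = b"amount=100&to=alice"            # constructed sample message
    tag = library_tag(key, message)
    return {
        "by_hand_matches_library":
            hmac_by_hand(key, message) == tag,
        "long_key_matches_library":
            hmac_by_hand(long_key, message) == library_tag(long_key, message),
        "genuine_message": verify(key, message, tag),
        "altered_message": verify(key, b"amount=900&to=alice", tag),
        "wrong_key": verify(b"some-other-key", message, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
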

The protocol Internet Key Exchange (IKE) is a form of Diffie-Hellman key exchange used in IPSec to establish a security association. IKE uses X.509 certificates, which can be pre-shared or distributed via DNS or DNSSEC.

The Diffie-Hellman key exchange algorithm is used in the Oakley Key Determination Protocol (Oakley) to allow authenticated parties to exchange keying material across an insecure connection. The Internet Security Association and Key Management Protocol (ISAKMP) was designed to be a key exchange independent framework for authentication and key exchange. ISAKMP does not define a specific key exchange, but is designed to support a wide range of key exchanges. The Internet Key Exchange protocol (IKE) was designed from elements of previous protocols (Oakley, SKEME, and ISAKMP) and defines an automated method of negotiation and authentication for IPSec security associations.

CERTIFICATION OBJECTIVE 1.07

Nonrepudiation

Nonrepudiation is the providing of a means so that at a future date an action cannot be denied. A simple example is the sending of an e-mail. If Alice sends Bob an e-mail, and at a later date denies it, then for Bob to have a means of nonrepudiation will require more than a simple digital file, which can be altered. Cryptography offers a simple means of nonrepudiation in the form of a digital signature. If Alice digitally signs the e-mail, then at a later date, she cannot repudiate her signature provided that at the time of the signature her private key was considered valid. Using digital signatures as a means of nonrepudiation is a simple exercise and an easy way to accomplish an otherwise difficult task with digital data.

The principle is simple—if the digital signature is valid, then only Alice could have signed it, and if the data is not changed, then it must have been the data she signed. Any other explanation would involve a third party having and using her private key, which is a violation of the signing protocol.

Nonrepudiation is a condition where a party cannot successfully challenge the validity of a communication. Public key cryptography enables nonrepudiation on the basis that a party’s private key is only known to them and no one else. Items encrypted with this key, as evidenced by successful decryption using the public key, must have originated from the private keyholder.

CERTIFICATION OBJECTIVE 1.08

Transport Encryption

Communication across networks requires a level of security to match the sensitivity of the data being carried. Because networks can carry the most sensitive data, secure communication mechanisms are needed to the highest level. Encryption is employed in Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which are used in HTTPS, IPSec and VPNs, Secure Shell (SSH), and other methods to secure the communication channel.

HTTPS is a secured web transport mechanism using TCP port 443. Two different protocols are used to accomplish this security: SSL and TLS. TLS has numerous enhancements, making it superior from a security perspective. The current version of SSL is 3.0; the current version of TLS is 1.2. Most browsers (except for Microsoft) and web servers only support TLS 1.0. The PCI DSS standard requires that weak encryption mechanisms be disabled. It is important to disable SSL 2.0 and weak ciphers, not just to meet this requirement, but to ensure adequate security levels.

Although the PCI DSS standard specifies strong encryption, it does not specify what would constitute weak encryption. The common interpretation is the use of at least a 128-bit key cipher, no export-strength algorithms, and SSL v2 should be disabled.

CERTIFICATION OBJECTIVE 1.09

Implications of Cryptographic Methods and Design

Cryptography is not a panacea, nor is it the solution to every security problem. Properly employed, it can play a role in securing information both at rest and in transit. To do so requires appropriate architectural and design considerations based on the context of the system, data, and threats against which protection is desired.

A starting point is to define the requirements in terms of both confidentiality and integrity. It is also necessary to examine the data types, and when transport is involved, the characteristics of the transport channel. Because cryptography involves both algorithms and keys, decisions need to be made on algorithms and key exchange issues. Most modern software development platforms have built-in library functions that cover the standard cryptographic functions. This eliminates the need to create one’s own encryption method, a proven method of failure in virtually every case it has been attempted. This leaves the issue of proper implementation. Even with a good algorithm it is possible to create designs where a key is exposed or lost. Care must be exercised to properly implement the systems as designed in the standards defining the various algorithms and cryptosystems.

The primary method of defeating a modern cryptosystem lies in either exploiting a weakness in implementation or an offline attack that bypasses the encryption mechanism. A pass-the-hash attack, circumventing the need for a password, has proven the demise of many a system thought to be protected.

Strength

Modern digital cryptography offers significant protection from attack. As digital computers have become more powerful, various systems have come under attack due to the sheer power of today’s computers, including distributed processing. This has led to the retirement of the DES method, and the replacement of 3DES with AES. As a general rule, the longer the key, the larger the keyspace and the stronger the encryption for a given algorithm.

Hash functions have also been challenged by modern computing power, and this has led to the development of the SHA2 series. The use of rainbow tables, pre-computed hash values, has led to the practice of salting passwords, effectively increasing their length.

Different cryptographic algorithms have different key lengths associated with them, and comparing the strength between algorithms on the basis of key length is not an exact science. An AES key of 256 bits offers very strong encryption as a block-based symmetric cipher. A 3,072-bit RSA key is a very strong public key, and a 384-bit elliptic curve key is also strong. Although the previous three examples are considered to be strong, exact comparison of strengths is not an exact science.

Performance

Cryptographic performance is dependent on both the algorithm and the key length. Public key algorithms are more computationally intensive than symmetric algorithms, and hence require more computing power for a given amount of desired encryption. For this reason, public key methods are typically used to pass a secret key, often referred to as a session key, which is used with a symmetric algorithm for the bulk encryption work.

A special case, Elliptic Curve cryptography, was developed using an algorithm that is much more computationally efficient, allowing it to be implemented in mobile devices with lower processing power.

Feasibility to Implement

The key to feasibly implementing cryptographic elements into an enterprise is planning and design. Cryptography is not a new science; it is well understood, and a wide range of cryptographic elements are included in all major development languages. The challenge comes in the proper design and execution. Because cryptography imposes a computational cost on both the sender and receiver, it is important to determine the correct level of needed protection. Just as it doesn’t make sense to protect a $100 bill with a $1,000 system, cryptography can be overdone. Typically, however, cryptography is under-utilized, leading to unnecessary risk from avoidable data breaches and disclosures.

Interoperability

The key to interoperability is to operate within the standards that have been developed for all the methods of cryptography. Although the math and methods may be complex—and nearly impossible to understand—they all have standards governing their implementation so that vendor-neutral interoperable solutions can be designed and employed.

As in all issues surrounding security, the landscape is always changing, with attacks causing older technologies to be less secure than desired. This has led to the retirement or deprecation of many algorithms and protocols. Keeping abreast of issues and ensuring older protocols, such as SSL 2.0 and below, and less-than-128-bit encryption methods are disabled on systems, is essential in the constantly changing environment of security.

CERTIFICATION OBJECTIVE 1.10

Entropy

In information theory, entropy is a measure of the randomness associated with information. A two-headed coin has no entropy, for when tossed, the output is known: heads. A fair coin has maximum entropy because a series of tosses cannot be predetermined. Where this becomes important is in issues such as compression and cryptography. If the future states can be predicted, this can have implications when encrypting and securing data. Elements such as the English language are not that random and hence have low entropy. This means they can be compressed, raising the entropy per bit, but still maintaining the message in lossless form. The raising of entropy is one of the reasons many encryption implementations perform a lossless compression step first, to increase the entropy in the incoming material and thus minimizing certain types of encryption challenges, such as an all-zero block.
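The coin and English-text cases above, measured in an added example that is not part of the original text. It computes Shannon entropy from byte frequencies only, so it is a rough estimate; the sample strings and the use of zlib as the lossless compressor are assumptions of this example.

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data):
    """Entropy in bits per byte, estimated from byte frequencies alone."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return 0.0 - sum((c / total) * math.log2(c / total)
                     for c in counts.values())


# Constructed samples.
TWO_HEADED_COIN = b"H" * 64            # every toss is heads
FAIR_COIN = b"HT" * 32                 # heads and tails equally frequent
ENGLISH_TEXT = (
    b"Before using a certificate, the relying party checks that it has "
    b"not been revoked by the issuer. The certificate authority keeps a "
    b"signed list of revoked certificates and publishes it in a public "
    b"directory. A responder service can also answer status questions "
    b"for a single serial number, which saves the client from having to "
    b"find, download, and process the right list. Expired certificates "
    b"are a different case: the end of the validity period was reached "
    b"and nobody had to revoke anything. Hash functions give each "
    b"document a fixed size digest, so that any change to the data, even "
    b"a single bit, produces a different digest and can be detected."
)


def demo():
    compressed = zlib.compress(ENGLISH_TEXT, 9)
    return {
        "two_headed_coin_bits": shannon_entropy(TWO_HEADED_COIN),
        "fair_coin_bits": shannon_entropy(FAIR_COIN),
        "english_bits_per_byte": shannon_entropy(ENGLISH_TEXT),
        "compressed_bits_per_byte": shannon_entropy(compressed),
        "english_size": len(ENGLISH_TEXT),
        "compressed_size": len(compressed),
        # Lossless: the original message comes back unchanged.
        "lossless": zlib.decompress(compressed) == ENGLISH_TEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
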

CERTIFICATION OBJECTIVE 1.11

Pseudorandom Number Generation

Random numbers are used in many cryptographic processes, but are difficult to generate in a computer. Pseudorandom numbers are numbers that may be deterministically generated and hence are not actually random, but appear to be random. True random numbers are very difficult to generate, and if a pseudorandom sequence appears to be random from a statistical perspective then it can be used in place of a true random number. In most modern computer systems, input such as keystrokes, mouse movements, voltages, and other varying information can be used as a base for random number generation. Increasing the entropy, hash functions can provide a means of spreading values to the point where statistically the output has all the characteristics of a random distribution.

Generation of random numbers is important in many cryptographic functions. To support this, a hardware-based approach is included in Trusted Platform Module (TPM) chip devices. This chip can also securely store cryptographic keys used by the system.


CERTIFICATION OBJECTIVE 1.12

Perfect Forward Secrecy

When cryptographic keys are used to secure information, there is always a possibility that a given transmission will be compromised and a key lost. If this key is reused, the communications protected by it would also be at risk. The same would be true of communications secured by a key derived from the compromised key. The term perfect forward secrecy is used to describe a condition where the loss of any specific key will not compromise future communications. To achieve perfect forward secrecy, it is important not to reuse a key. Key reuse can lead to key disclosure, which would then potentially compromise additional messages. Creating a new key as a function of a previous key can also provide a way to compromise future messages.
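The two conditions can be checked by comparing how far the loss of one session key reaches under three key schedules. This is an added example, not code from the book; the schedule names, the use of SHA-256 as the derivation step, and the session count are assumptions made for the illustration.

```python
import hashlib
import secrets

KEY_BYTES = 32


def reused_schedule(sessions):
    """Violates condition 1: one long-lived key protects every session."""
    key = secrets.token_bytes(KEY_BYTES)
    return [key for _ in range(sessions)]


def chained_schedule(sessions):
    """Violates condition 2: each key is a public function (SHA-256) of the last."""
    keys = [secrets.token_bytes(KEY_BYTES)]
    while len(keys) < sessions:
        keys.append(hashlib.sha256(keys[-1]).digest())
    return keys


def independent_schedule(sessions):
    """Meets both conditions: every session key is freshly generated."""
    return [secrets.token_bytes(KEY_BYTES) for _ in range(sessions)]


def exposed_sessions(keys, lost_index):
    """Return the session numbers whose key follows from keys[lost_index] alone.

    Models a party that holds one lost key and knows the derivation step,
    which is public, so the hash chain can be walked forward from that key.
    """
    known = set()
    candidate = keys[lost_index]
    for _ in range(len(keys)):
        known.add(candidate)
        candidate = hashlib.sha256(candidate).digest()
    return [i for i, key in enumerate(keys) if key in known]


def blast_radius(sessions=6, lost_index=2):
    """Sessions exposed by the loss of one key, per schedule."""
    schedules = {
        "reused": reused_schedule,
        "chained": chained_schedule,
        "independent": independent_schedule,
    }
    return {
        name: exposed_sessions(make(sessions), lost_index)
        for name, make in schedules.items()
    }


if __name__ == "__main__":
    for name, exposed in blast_radius().items():
        print(f"{name:12} key for session 2 lost -> sessions exposed: {exposed}")
```

Only the independent schedule confines the loss to the one session whose key was lost; the chained schedule exposes every later session, and the reused key exposes all of them.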

CERTIFICATION OBJECTIVE 1.13

Confusion

In cryptographic systems, the term confusion refers to a property identified by Claude Shannon in 1949, where the relationship between the encryption key and the resulting ciphertext is as complex and involved as possible. This is important to ensure that even if one has a large number of plaintext-ciphertext pairs produced with the same key, it is still very difficult to derive the key. This is an important property to ensure security.

Two conditions are required for perfect forward secrecy: One is that keys are not reused and the other that new keys are not derived from previously used keys.


CERTIFICATION OBJECTIVE 1.14

Diffusion

Diffusion is another term from Claude Shannon’s work, referring to a property that the statistical distribution in the plaintext is completely dispersed in the ciphertext. This means that the output of an encryption algorithm must depend on the input bits, but only in a complex, nondeterminable fashion. In practical terms, good diffusion is when any bit change in the input will result in an entirely new ciphertext in an unpredictable manner. This is important to prevent similar plaintext messages from providing information as to the key. The removal of statistical information from the plaintext will eliminate many forms of cryptanalysis based on statistical analysis.
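Both the Confusion and Diffusion sections describe properties that can be measured: flip one input bit and count how many ciphertext bits change. The following is an added example, not code from the book. It uses XTEA, a small public block cipher that the chapter does not mention, chosen only because it fits in a few lines; the block, key, and function names are constructed for the illustration.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
DELTA = 0x9E3779B9

# Constructed sample values (not from the book).
BLOCK = 0x0123456789ABCDEF
KEY = 0x000102030405060708090A0B0C0D0E0F


def xtea_encrypt(block, key, rounds=32):
    """Encrypt one 64-bit block under a 128-bit key with XTEA.

    Block and key are passed as integers; splitting them into 32-bit words
    most-significant word first is a convention chosen for this example.
    """
    v0, v1 = block >> 32, block & MASK32
    k = [(key >> shift) & MASK32 for shift in (96, 64, 32, 0)]
    total = 0
    for _ in range(rounds):
        mix = ((((v1 << 4) & MASK32) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3])
        v0 = (v0 + mix) & MASK32
        total = (total + DELTA) & MASK32
        mix = ((((v0 << 4) & MASK32) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3])
        v1 = (v1 + mix) & MASK32
    return (v0 << 32) | v1


def xor_encrypt(block, key, rounds=0):
    """Baseline with no diffusion: XOR the block with the key folded to 64 bits."""
    return block ^ (key >> 64) ^ (key & MASK64)


def bits_changed(a, b):
    """Number of bit positions in which two ciphertexts differ."""
    return bin(a ^ b).count("1")


def avalanche(cipher, rounds, flip):
    """Average ciphertext bits changed (out of 64) per single-bit flip.

    flip="plaintext" flips each of the 64 block bits in turn (diffusion);
    flip="key" flips each of the 128 key bits in turn (key-to-ciphertext
    dependence, the relationship confusion is meant to make complex).
    """
    baseline = cipher(BLOCK, KEY, rounds)
    width = 64 if flip == "plaintext" else 128
    changed = 0
    for bit in range(width):
        if flip == "plaintext":
            other = cipher(BLOCK ^ (1 << bit), KEY, rounds)
        else:
            other = cipher(BLOCK, KEY ^ (1 << bit), rounds)
        changed += bits_changed(baseline, other)
    return changed / width


def measurements():
    """Avalanche figures for the baseline, a 1-round and a 32-round XTEA."""
    return {
        "xor_plaintext": avalanche(xor_encrypt, 0, "plaintext"),
        "xor_key": avalanche(xor_encrypt, 0, "key"),
        "xtea_1_round_plaintext": avalanche(xtea_encrypt, 1, "plaintext"),
        "xtea_32_rounds_plaintext": avalanche(xtea_encrypt, 32, "plaintext"),
        "xtea_32_rounds_key": avalanche(xtea_encrypt, 32, "key"),
    }


if __name__ == "__main__":
    for name, value in measurements().items():
        print(f"{name:26}: {value:5.2f} of 64 bits change on average")
```

An ideal result is about 32 of 64 bits, meaning each ciphertext bit changes with probability one half; the XOR baseline changes exactly one bit per flip, so plaintext patterns pass straight through to the ciphertext.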

CERTIFICATION SUMMARY

In this chapter, we covered the foundational elements of cryptographic tools and techniques. The elements of symmetric and asymmetric (public key) algorithms, hash functions, and how they can be used were covered. The concept of public key infrastructure was addressed, illustrating its place in achieving key management across entities. Use of cryptography for digital signatures, code signing, nonrepudiation, and message authentication was covered. Key elements supporting cryptography, such as pseudorandom numbers, diffusion, confusion, and entropy, were also described.

The practical aspects surrounding the employment of cryptography to achieve a desired level of protection were addressed. Comparisons of different algorithms and their optimal use were covered, including the difference between bulk or block data and streaming data.


TWO-MINUTE DRILL

Determine Appropriate Tools and Techniques

❑ Choosing the appropriate cryptographic method involves examining the context of the risk management problem.

❑ Important elements that need to be considered include the type of data, the sensitivity of the data, the value of the data, and the threats to the data.

Advanced PKI Concepts

❑ PKI enables the use of public keys between entities by establishing a means of creating and understanding the appropriate level of trust in an identity.

Hashing

❑ Hash functions are nonreversible functions that produce a specific-size digest that can be used to verify integrity.

Cryptographic Applications

❑ Cryptographic methods are used to secure data from unauthorized disclosure and change.

❑ Hash methods are used to securely store passwords in a system, preventing their direct recovery.

Digital Signature

❑ Digital signatures utilize both hashing functions and asymmetric cryptography to verify integrity and nonrepudiation.

❑ The DSA method involves the use of SHA2 series hashing and discrete logarithm-based public key encryption to secure the signature.

Code Signing

❑ Code signing is the application of digital signature technology to computer code, executable files, scripts, and resource files.


Nonrepudiation

❑ Nonrepudiation is a condition where a party cannot successfully challenge the validity of a communication.

❑ Public key cryptography can enable nonrepudiation on the basis that a party’s private key is only known to them and no one else.

Transport Encryption

❑ Encryption is employed in Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which are used in HTTPS, IPSec and VPNs, Secure Shell (SSH), and other methods to secure the communication channel.

Implications of Cryptographic Methods and Design

❑ Cryptography typically fails due to poor implementation or improper design, not to algorithm failure.

❑ It is essential to match cryptographic elements with the data types and the desired schemes of protection.

Entropy

❑ Entropy is a measure of the randomness within a stream of information.

❑ Increasing entropy can increase the effectiveness of encryption, hence many methods begin with a lossless compression step to increase entropy.

Pseudorandom Number Generation

❑ Pseudorandom numbers are numbers that may be deterministically generated and hence are not actually random, but appear to be random.

❑ Pseudorandom numbers are used by many cryptographic methods.

Perfect Forward Secrecy

❑ Perfect forward secrecy describes a condition where the loss of any specific key will not compromise future communications.

❑ Two conditions are required for perfect forward secrecy: One is that keys are not reused and the other that new keys are not derived from previously used keys.


Confusion

❑ Confusion is when the relationship between the encryption key and the resulting ciphertext is as complex and involved as possible.

❑ This is important to ensure that even if one has a large number of plaintext-ciphertext pairs produced with the same key, it is still very difficult to derive the key.

Diffusion

❑ Good diffusion is when any bit change in the input will result in an entirely new ciphertext in an unpredictable manner.

❑ Diffusion is important to prevent similar plaintext messages from providing information as to the key.


SELF TEST

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

1. The primary advantage of symmetric key encryption is:
A. Key exchange
B. Speed
C. Nonrepudiation
D. Cost

2. Which of the following are block-based symmetric algorithms? (Check all that are correct.)
A. RSA
B. 3DES
C. AES
D. MD5

3. You have a business requirement to encrypt a streaming video channel. Which algorithm(s) can be used?
A. A5/1
B. RC4
C. IDEA
D. AES

4. Alice needs to secure a message to Bob and prove it came from her. Which keys will she need to use to accomplish this task? (Choose all that apply.)
A. Alice’s private key
B. Alice’s public key
C. Bob’s private key
D. Bob’s public key

5. Public key cryptography offers which of the following advantages over symmetric cryptography? (Choose all that apply.)
A. A public key can be used for free—there are no patent issues.
B. It is built into most computer programming languages via library calls.
C. It is faster on a bit basis.
D. It can provide for nonrepudiation.


6. In a modern browser environment, which of the following considerations should be taken?
A. Disable SSL v2 to block attempts against this version.
B. Disable SSL v2 to prevent interference with TLS, a newer form of SSL.
C. Enable SSL v2 to increase compatibility with diverse systems.
D. Enable SSL v2 for use with non–Internet Explorer browsers.

7. Which of the following items are not standard fields on an X.509 certificate?
A. Serial Number
B. Reason for Revocation
C. Certificate Usage
D. Version Number

8. A company buys another firm in a similar industry, but located in a different country. The certificates used by each company come from different CAs. Which of the following represents the easiest method of connecting the trust relationships associated with the certificates?
A. Use a wildcard certificate.
B. Have each firm get additional certificates from the other firm’s CA.
C. Use a cross-certificate defining the new trust relationship.
D. Have the smaller firm move its certificates to the larger firm’s CA via a certificate transfer.

9. The components of a PKI include all of the following except:
A. Certificate Authority (CA)
B. Validation Authority (VA)
C. Registration Authority (RA)
D. X.509 certificates

10. OCSP is best described as:
A. A replacement for standard PKI, taking advantage of Web 2.0 capabilities
B. An alternative to the X.509 certificate format
C. A service for transferring certificates securely between parties
D. An alternative to certificate revocation lists

11. The following are hash algorithms except:
A. MD5
B. SHA256
C. IDEA
D. RIPEMD-160


12. Hash functions used to protect passwords can be attacked using which of the following attack methods?
A. Collision attack
B. Cryptographic deconstruction
C. Birthday attack
D. Rainbow tables

13. The Digital Signature Algorithm (DSA) utilizes which of the following cryptographic functions?
A. MD5 or SHA and AES
B. SHA2 series hash and the ElGamal discrete logarithm method
C. Any hash function and any public key method (methods identified in header)
D. SHA1 hash or newer and RSA public key algorithm

14. To create a digital signature, which of the following steps are used?
A. Hash the data to be signed, encrypt the data using a public key method, and send both.
B. Hash the data and send the hash with the data to the recipient.
C. Encrypt the data, hash the encrypted data, and send to recipient.
D. Hash the data to be signed, encrypt the message digest using a public key method, and send both.

15. One of the advantages of code signing is:
A. It doesn’t use PKI so it is easier to deploy.
B. It offers a means of verifying integrity and authorship of software.
C. It provides for version tracing via a subversion process.
D. It can prevent malware via detection of malware signatures.

16. A protocol utilizing a Diffie-Hellman key exchange with IPSec to establish a security association is a description of which of the following?
A. DNSSEC binding
B. OAKLEY
C. ISAKMP
D. IKE

17. To verify authenticity and integrity, TLS uses which of the following?
A. HMAC-AES
B. Diffie-Hellman key exchange via IKE protocol
C. HMAC-SHA1
D. Public key encryption


18. The sales manager has requested your help in building an electronic ordering system that will offer nonrepudiation of orders entered through the system. You suggest a method with the following explanation of how it protects the firm from repudiation of an order. (Choose the best answer.)
A. Use a digital signature to support nonrepudiation by ensuring a specific private key (registered to the person or firm submitting the order) was used in the order process. Only the holder of the private key could create the order and corresponding signature.
B. Use an SSL login page to a secure order page. Logging in can create a log of the order and the credentials used.
C. Verify all orders with an automated callback system designed around e-mail and a secondary approval process.
D. Build the order system behind a VPN solution, having customers use the VPN to protect their orders from outside snooping.

19. Select the best set of conditions associated with PCI DSS compliance with respect to cryptographic algorithms and processes.
A. Ensure all machines using SSL and TLS are updated to the current patch levels.
B. When using SSL or TLS to secure communication channels, ensure client connections are also fully patched.
C. Restrict connections to HTTPS and VPNs using IPSec.
D. Disable SSL v1 and SSL v2, and all export-level cryptographic algorithms (less than 128 bit).

20. Entropy is important in encryption because:
A. Increasing apparent randomness in plaintext can reduce patterns that might enable some forms of differential cryptographic attack.
B. It is a measure of the strength of an algorithm and key.
C. Increasing entropy increases the speed of encryption and decryption.
D. Entropy creates a random seed or initialization vector for the algorithm.

21. The best source of pseudorandom numbers for a cryptographic function in a system would be which of the following?
A. A combination of random elements from time, network activity, and user activity
B. A crypto-library call in the source code
C. Random user mouse movements
D. The Trusted Platform Module (TPM) chip


22. Which two elements must exist to ensure perfect forward secrecy?
A. Keys are not reused; new keys cannot be derived from existing keys.
B. Keys are not reused; new keys use a different algorithm.
C. Only AES can offer perfect forward secrecy.
D. Keys must be stored in a TPM chip.

23. The concept that any change in plaintext will create a significantly different ciphertext, with no pattern to determine input changes, is the principle of what?
A. Perfect forward secrecy
B. Preprocessing
C. Confusion
D. Diffusion

LAB QUESTION

Senior management wishes to protect the data on their laptops from loss when traveling. The issues they wish to address are 1) data loss and 2) disclosure regulations and bad press if a laptop is lost with sensitive data. The laptops are business-class machines running Microsoft Windows 7 Enterprise and they are equipped with a TPM chip. What are the major considerations your plan will address?


SELF TEST ANSWERS

Determine Appropriate Tools and Techniques

1. ✓ B. The primary advantage is the speed of operation for bulk encryption/decryption. This makes symmetric key encryption ideally suited for tasks such as whole disk encryption.
✗ A, C, and D are incorrect. A is incorrect because key management is an issue with symmetric key encryption because the security depends on the secrecy of the key that has to be distributed. C is incorrect because nonrepudiation is a characteristic found with public key (asymmetric) encryption. D is incorrect because, although cost may be related to speed, there are other issues that drive cost, making it a factor determined by circumstances and context, not algorithm type.

2. ✓ B and C. 3DES and AES are symmetric algorithms.
✗ A and D are incorrect because A is a public key algorithm and D is a hashing algorithm.

3. ✓ A and B. A5/1 and RC4 are symmetric stream cipher algorithms.
✗ C and D are incorrect because, although they are symmetric algorithms, they are block ciphers and not appropriate for streaming content such as video.

4. ✓ A and D. Alice will use her private key (A) to provide nonrepudiation. She will use Bob’s public key (D) for confidentiality—to create a message only Bob can read.
✗ B and C are incorrect. Alice does not need her public key, Bob does. Alice also does not need, nor should she have access to, Bob’s private key.

5. ✓ D. Public key algorithms offer a means for nonrepudiation services, a feature not directly possible with symmetric algorithms.
✗ A, B, and C are incorrect. A and B because both are true for both symmetric and asymmetric algorithms. C is incorrect because symmetric has the speed advantage.

6. ✓ A. Several attacks target SSL v2, so disabling this protocol on the browser helps protect against these attacks.
✗ B, C, and D are incorrect. B is incorrect because SSL v2 has nothing to do with TLS. C and D are incorrect because SSL v2 leaves a system vulnerable to attacks blocked by SSL v3, which is widely distributed, so compatibility is not an issue.

7. ✓ B. A certificate does not have a reason for revocation as a standard field; this information is carried separately from the certificate.
✗ A, C, and D are incorrect because Serial Number (A) is the serial number the CA uses to identify the certificate, Certificate Usage (C) defines how the key is intended to be used by the owner, and Version Number (D) is the version of X.509 being used.


8. ✓ C. A cross-certificate can be issued tying the two CAs into a trust relationship.
✗ A, B, and D are incorrect because wildcard certificates (A) are used for subdomains of a web domain, and although B and D would work, they are not simple practical solutions and have technical and financial issues associated with them and the transition.

9. ✓ B. There is no such entity as a Validation Authority in PKI.
✗ A, C, and D are incorrect because they are standard technical components of a PKI system.

10. ✓ D. OCSP (Online Certificate Status Protocol) is an alternative method for checking for certificate revocation.
✗ A, B, and C are incorrect. OCSP is a request and response protocol that obtains the serial number of the certificate being validated and reviews revocation lists for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, is valid, or has an unknown status. This protocol and service saves the client from having to find, download, and process the right lists.

11. ✓ C. IDEA is a symmetric encryption algorithm.
✗ A, B, and D are incorrect. A is a hash algorithm, although it has been recommended by the U.S. Government for deprecation. B is one of the recommended replacements for MD5. D is a hash function developed in Europe and used there.

12. ✓ D. Rainbow tables represent a set of pre-computed hash values for an entire set of values (all passwords less than 10 characters). Although large, they can be computed, stored, and used to look up the value being represented by the hash value.
✗ A, B, and C are incorrect. A and C represent attacks, but not ones that are relevant with respect to the hashing of passwords. B is a nonsense term being used as a distractor.

13. ✓ B. The DSA defined by FIPS 186-3 (the current U.S. Government standard) is defined as ElGamal and SHA2 series.
✗ A, C and D are incorrect. A is incorrect because AES is not involved and MD5 is no longer considered secure. C is incorrect because the DSA defines specific hash and public key algorithms. D is incorrect because the latest version uses SHA2 series and RSA has never been part of the DSA method.

14. ✓ D. The data to be signed is hashed to create a message digest, which is protected from change by public key encryption.
✗ A, B and C are incorrect. A does not protect the hash and encrypting the data is wasteful. B does not protect the hash from change, and encrypting the data (C) is unnecessary and wasteful from a computational perspective.


15. ✓ B. Code signing is the application of digital signature technology to software distribution, providing a means of verifying integrity and authorship against a trusted list (certificate list).
✗ A, C and D are incorrect. A is incorrect because code signing uses PKI to establish the basis of trust. C is incorrect because code signing is not directly related to the subversion process associated with software distribution. D is incorrect because code-signing does not identify malware directly.

16. ✓ D. IKE, which is built from ISAKMP and Oakley, automates the key exchange as part of IPSec.
✗ A, B and C are incorrect. A is incorrect because IKE is not involved in DNSSEC. B and C are incorrect because they are components of IKE.

17. ✓ C. TLS uses HMAC, and one of the defined forms is HMAC using SHA1.
✗ A, B and D are incorrect. A is incorrect because AES is not a hash function. B and D are incorrect because they are general methods of cryptographic functions, not specific forms of HMAC.

18. ✓ A. The use of a digital signature and dependence on the private key being private is the best and simplest method of creating a nonrepudiation environment.
✗ B, C, and D are incorrect. All of these may secure a communication channel, but they do not pin down the identity of the person entering the order. Passwords can be copied and used by others than the associated party.

19. ✓ D. PCI DSS mandates the use of strong encryption. SSL v1 and SSL v2 are considered to be weak, as are export-grade ciphers.
✗ A, B, and C are incorrect. All of these methods could employ a weak form of encryption and thus be in violation of the PCI DSS mandate for the use of strong encryption.

20. ✓ A. Entropy is a crucial element in ensuring patterns in plaintext do not create patterns in ciphertext that can be used to break the encryption. For this reason, many applications of cryptography have a lossless compression step to increase entropy before encryption.
✗ B, C, and D are incorrect. B is incorrect because entropy is not related directly to the strength of the algorithm, but it may have an issue on the implementation strength. C is incorrect because entropy has no effect on the speed of encryption. D is incorrect because entropy is not related to initialization vectors or random seeds.

21. ✓ D. The TPM chip has special hardware to ensure cryptographically suitable pseudorandom number generation.
✗ A, B, and C are incorrect. A and C are incorrect because there is no guarantee of randomness or measure of distribution associated with these functions. B is incorrect because, although crypto-libraries address many implementation issues, a TPM chip is better suited for this function.


22. ✓ A. Reuse of a key can cause it to be disclosed from previous use. Deriving keys from previous keys creates a dependency that can be revealed.
✗ B, C, and D are incorrect. B is incorrect because a new algorithm is neither needed nor useful in protecting the keys. C is incorrect because perfect forward secrecy is a key issue, not an algorithm issue. D is incorrect because where a key is stored is not relevant; how often it is used is the essential element.

23. ✓ D. Good diffusion is when any bit change in the input will result in an entirely new ciphertext in an unpredictable manner.
✗ A, B, and C are incorrect. A is incorrect because perfect forward secrecy is a principle that future encryption is not placed at risk by previous encryption. B is incorrect because, although preprocessing is included in many implementations, the objective is for elements such as confusion and diffusion. However, this is not the definition of the question. C is incorrect because confusion is a principle that the relationship between the encryption key and ciphertext is complex to a degree that it does not reveal the key.

LAB ANSWER

Several elements need to be addressed in the solution. To deal with the issues of data loss, a backup solution is needed. To address the issue of disclosure, the disks in the machines need to be encrypted. The TPM chip and Windows 7 Enterprise enable a strong seamless solution—Microsoft BitLocker, with the keys being stored in the TPM chip. The next issue is key escrow, in the event of TPM chip failure. All of these elements can be implemented in automated form, minimizing end user involvement. One additional element to consider would be the use of LoJack-type technology that enables tracking and remote wiping of data.
