## (My) CISSP Notes – Cryptography

10 December, 2012

**Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.**

## Cryptographic concepts

Cryptology is the science of secure communications. Cryptography creates messages whose meaning is hidden; cryptanalysis is the science of breaking encrypted messages (recovering their meaning).

A **cipher** is a cryptographic algorithm. A **plaintext** is an unencrypted message.

Cryptography can provide confidentiality (secrets remain secret) and integrity (data is not altered in an unauthorized manner). Cryptography can also provide authentication (proving an identity claim). Additionally, cryptography can provide nonrepudiation, which is an assurance that a specific user performed a specific transaction and that the transaction did not change.

**Diffusion** means the order of the plaintext should be “diffused” (or dispersed) in the ciphertext. **Confusion** means that the relationship between the plaintext and ciphertext should be as confused (or random) as possible.

Cryptographic **substitution** replaces one character for another; this provides diffusion. **Permutation** (also called transposition) provides confusion by rearranging the characters of the plaintext, anagram-style.

The **work factor** describes how long it will take to break a cryptosystem (decrypt a ciphertext without the key).

A **monoalphabetic cipher** uses one alphabet: a specific letter (like “E”) is substituted for another (like “X”). A **polyalphabetic cipher** uses multiple alphabets: “E” may be substituted for “X” one round, and then “S” the next round.

**There are three primary types of modern encryption: symmetric, asymmetric, and hashing.**

A one-time pad uses identical paired pads of random characters, with a set amount of characters per page.

The one-time pad is the only encryption method that is mathematically proven to be secure, if the following three conditions are met: the characters on the pad are truly random, the pads are kept secure, and no page is ever reused.

The first known use of a one-time pad was the Vernam Cipher, named after Gilbert Vernam, an employee of AT&T Bell Laboratories.

COCOM is the Coordinating Committee for Multilateral Export Controls, which was in effect from 1947 to 1994.

## Symmetric encryption

Symmetric encryption uses one key to encrypt and decrypt.

Symmetric encryption may have stream and block modes. **Stream mode** means each bit is independently encrypted in a “stream.” **Block mode** ciphers encrypt blocks of data each round.

An **initialization vector** is used in some symmetric ciphers to ensure that the first encrypted block of data is random. This ensures that identical plaintexts encrypt to different ciphertexts.

**Chaining** (called **feedback** in stream modes) seeds the previous encrypted block into the next block to be encrypted.

Symmetric encryption advantages: **speed**, **strength** (strength is gained when used with large keys, 128 bits, 256 bits or larger), **availability** (there are many algorithms available to select and use).

Symmetric encryption disadvantages: **keys distribution** (secure distribution of the keys is absolutely required), **scalability** (a different key is required for each pair of communication parties),** limited functionality** (symmetry systems can’t provide authentication or non-repudiation).

### DES (Data Encryption Standard)

DES is a block cypher that uses a 64-bit block size (meaning it encrypts 64 bits each round) and a 56-bit key.

DES can use five different modes to encrypt data. The modes’ primary difference is block versus (emulated) stream, the use of initialization vectors, and whether errors in encryption will propagate to subsequent blocks.

The five modes of DES are:

**Electronic Code Book (ECB)**– is the simplest and weakest form of DES. It uses no initialization vector or chaining. Identical plaintexts with identical keys encrypt to identical ciphertexts.**Cipher Block Chaining (CBC)**– is a block mode of DES that XORs the previous encrypted block of ciphertext to the next block of plaintext to be encrypted. The first encrypted block is an initialization vector that contains random data. This “chaining” destroys patterns. One limitation of CBC mode is that encryption errors will propagate: an encryption error in one block will cascade through subsequent blocks due to the chaining, destroying their integrity.**Cipher Feedback (CFB)**– is very similar to CBC; the primary difference is CFB is a stream mode.Errors will not propagate.**Output Feedback (OFB)**– is also a stream cipher very similar to CFB. In this mode, previous plaintext is used as feedback (chaining) for key generation.**Counter Mode (CTR)**This mode shares the same advantages as OFB (patterns are destroyed and errors do not propagate) with an additional advantage: since the feedback can be as simple as an ascending number, CTR mode encryption can be done in parallel.

### Triple DES

Triple DES applies single DES encryption three times per block.

Triple DES has held up well after years of cryptanalysis; the primary weakness is that it is slow and complex compared to newer symmetric algorithms such as AES or Twofish.

Triple DES applies DES encryption three times per block. FIPS 46-3 describes **“Encrypt, Decrypt, Encrypt” (EDE)** order using three keying options: one, two, or three unique keys (called 1TDES EDE, 2TDES EDE, and 3TDES EDE, respectively).

If you “decrypt” with a different key than the one used to encrypt, you are really encrypting further. Also, EDE with one key allows backwards compatibility with single DES.

2TDES EDE uses key 1 to encrypt, key 2 to “decrypt,” and key 1 to encrypt. This results in 112 bits of key length.

3TDES EDE (three different keys) is the strongest form, with 168 bits of key length.

### International Data Encryption Algorithm

The International Data Encryption Algorithm is a symmetric block cipher designed as an international replacement to DES. The IDEA algorithm is patented in many countries. It uses a 128-bit key and 64-bit block size.

### Advanced Encryption Standards (AES)

AES was designed to replace DES. Two- and three-key TDES EDE remain a FIPS-approved standard until 2030, to allow transition to AES. Single DES is not a current standard, and not recommended.

AES has four functions:

**SubBytes**– provides confusion by substituting the bytes of the State. The bytes are substituted according to a substitution table (also called an S-Box).**ShiftRows**– provides diffusion by shifting rows of the State.**MixColumns**– provides diffusion by “mixing” the columns of the State via finite field mathematics,**AddRoundKey**– is the final function applied in each round. It XORS the State with the subkey. The subkey is derived from the key, and is different for each round of.

**Blowfish** and **Twofish** are symmetric block ciphers created by teams lead by Bruce Schneier,

**RC5** and **RC6** are symmetric block ciphers by RSA Laboratories.

**RC6** was an AES finalist. It is based on **RC5**, altered to meet the AES requirements.

## Asymmetric encryption

Asymmetric encryption uses two keys: if you encrypt with one key, you may decrypt with the other.

The main disadvantage of asymmetric encryption is theirs lower speed.

The main significant advantages of the asymmetric encryptions are extended functionality (can provide both confidentiality and authentication) and scalability (it solves the key management issues associated with symmetric keys systems).

### Some mathematical concepts

The asymmetric algorithms uses “one-way functions”. An example of one-way function is factoring a composite number into its primes. Multiplying the prime number 6269 by the prime number 7883 results in the composite number 49 418 527. That “way” it’s easy to compute. Answering the question “which prime number times which prime number equals 49,418,527” is much more difficult. That problem is called **factoring**, This is the basis of RSA algorithm.

Factoring a large composite number (one thousands of bits long) is so difficult that the composite number can be safely publicly posted (this is the public key).

The primes that are multiplied to create the public key must be kept private (they are the private key).

A **logarithm** is the opposite of **exponentiation**. Computing 7 to the 13th power (exponentiation) is easy on a modern calculator: 96,889,010,407. Asking the question “96,889,010,407 is 7 to what power” (finding the logarithm) is more difficult. This is the basis of the Diffie-Hellman algorithm.

**Key agreement** allows two parties to securely agree on a symmetric key via a public channel, such as the Internet, with no prior key exchange.

Asymmetric and symmetric encryption are typically used together: use an asymmetric algorithm such as RSA to securely send someone an AES (symmetric) key. The symmetric key is called the session key; a new session key may be retransmitted periodically via RSA.

Use the slower and weaker asymmetric system for the one part that symmetric encryption cannot do: securely preshare keys. Once shared, leverage the fast and strong symmetric encryption to encrypt all further traffic.

## Hash functions

Hash functions are primarily used to provide integrity: if the hash of a plaintext changes, the plaintext itself has changed.

**MD5** creates a 128-bit hash value based on any input length.

**MD6** is the newest version of the MD family.

**SHA-1** creates a 160-bit hash value.

**SHA-2** includes SHA-224, SHA-256, SHA-384, and SHA-512, named after the length of the message digest each creates.

**HAVAL** uses some of the design principles behind the MD family of hash algorithms, and is faster than MD5.

## Cryptographic attacks

Cryptographic attacks are used by cryptanalysts to recover the plaintext without the key.

**brute-force attack**– generates the entire keyspace, which is every possible key.**known plaintext**– relies on recovering and analyzing a matching plaintext and ciphertext pair: the goal is to derive the key which was used.**chosen plaintext and adaptive chosen plaintext**– a cryptanalyst chooses the plaintext to be encrypted in a chosen plaintext attack; the goal is to derive the key. Adaptive chosen plaintext begins with a chosen plaintext attack in round 1. The cryptanalyst then “adapts” further rounds of encryption based on the previous round.**chosen cipher text and adaptive chosen cipher text**-chosen cipher text attacks mirror chosen plaintext attacks: the difference is that the cryptanalyst chooses the cipher text to be decrypted. This attack is usually launched against asymmetric crypto-systems, where the cryptanalyst may choose public documents to decrypt which are signed (encrypted) with a user’s public key.**meet-in-the-middle attack**– encrypts on one side, decrypts on the other side, and meets in the middle.**known key attack**– the term “known key attack” is misleading: if the cryptanalyst knows the key, the attack is over. Known key means the cryptanalyst knows something about the key, to reduce the efforts used to attack it. If the cryptanalyst knows that the key is an uppercase letter and a number only, other characters may be omitted in the attack.**differential cryptanalysis**– seeks to find the “difference” between related plaintexts that are encrypted.**linear cryptanalysis**– is a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key.**side-channel attacks**– use physical data to break a cryptosystem, such as monitoring CPU cycles or power consumption used while encrypting or decrypting.**the birthday attack**– is used to create hash collisions. Just as matching your birthday is difficult, finding a specific input with a hash that collides with another input is difficult. However, just like matching any birthday is easier, finding any input that creates a colliding hash with any other input is easier due to the birthday attack.**key clustering**– occurs when two symmetric keys applied to the same plaintext produce the same ciphertext. This allows two different keys to decrypt the ciphertext.