Pi's Website - Archived

Security+ Domain 4 - Basics of Cryptography
 
Cryptography is a process in which a function is applied to data to encode it, and either the same function or a related one is used to decode it.  You start with a message in plaintext.  It is then encrypted (the method depends on the type of cryptography) into what is known as the ciphertext.
 
4.1 Be able to identify and explain the following different kinds of cryptographic algorithms
An algorithm is a series of steps that perform some sort of action.
o Hashing - Hashing is the creation of a string that is called a "message digest" from a large amount of data to verify the identity and content of that data.  It is meant to provide integrity since, in theory, changing even the smallest amount of data changes the hash value.
 
There are several hashing functions, including the Message Digest series (MD through MD5, 128 bits and 4 rounds) and the Secure Hash Algorithm family (including SHA-0, SHA-1, SHA-256, and SHA-512).

o Symmetric - In symmetric cryptography, there is one key called a "shared secret."  This key is used for both encryption and decryption.  Compared to asymmetric cryptography, it is faster, but less secure, since two or more users must know the key.  The key is used with an algorithm to encrypt/decrypt the data.  There are three main types:
  1. Block cipher - data is split into "blocks" of some specified size and encrypted one block at a time
  2. Stream cipher - data is also split, but encrypted one bit at a time
  3. Cipher-block-chaining - a mix of the previous two, in which one block's encryption result changes the encryption of the next block

There are many examples of symmetric algorithms, including DES (56-bit key), 3DES (168-bit), IDEA (128-bit), AES (128, 192, or 256-bit), and RC2 (8-128-bit, 64 default).


o Asymmetric - In asymmetric cryptography, there are two keys - one for encryption and a related one for decryption.  One type is public-key cryptography, in which a user has a public and a private key.  The public key, as suggested by the name, is available for anybody to see and is used to encrypt a message to the owner of the public key, who then decrypts the message with his or her private key.  This removes the problem of giving the key to somebody and then trusting that person with it.

 

Again, there are multiple examples of asymmetric algorithms.  The first was Diffie-Hellman, but the most popular today is Rivest-Shamir-Adleman (RSA).


4.2 Understand how cryptography addresses the following security concepts
o Confidentiality - Confidentiality is ensuring that data is read only by those it was meant to be read by.  Symmetric cryptography can provide this because only a certain group of people know the key to decrypt the message.

o Integrity - Integrity is the assurance that data or a message has remained unaltered.  Hashing can show whether or not the message has changed through comparing hashes of the original and final messages.

o Digital Signatures - Digital signatures are basically an electronic version of a signature and a unique identifier.  They are encrypted with the sender's private key, and the recipient can decrypt them with the sender's public key to ensure that the message came from that user.

o Authentication - Authentication is the verification of an individual's identity.  This can be done with digital signatures.

o Non-Repudiation - Non-repudiation is similar to authentication, but also ensures that a third party can verify the identity of the individual.  The sender could encrypt the message with his or her private key to prove that it came from him or her.

o Access Control - Cryptography can provide access control because only a select group knows the key.
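
The hash-then-sign flow behind the integrity, digital signature and non-repudiation items above, as an added example that is not part of the original study guide. It uses textbook RSA over a SHA-256 digest; the key pairs are constructed from small known primes with no padding (study use only), and the names alice, mallory and all function names are assumptions of the example.

```python
import hashlib

def make_key(p: int, q: int, e: int = 65537):
    """Return (public, private) textbook-RSA keys as (exponent, modulus) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (e, n), (d, n)

def digest_int(message: bytes, n: int) -> int:
    """Hash the message (the integrity step) and reduce the digest below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """Sender: transform the message digest with the private key."""
    d, n = private
    return pow(digest_int(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Recipient: reverse the transform with the public key, compare digests."""
    e, n = public
    return pow(signature, e, n) == digest_int(message, n)

# Constructed demo keys built from known Mersenne primes; far too small and
# unpadded for real use.
ALICE_PUB, ALICE_PRIV = make_key(2**127 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**107 - 1, 2**61 - 1)

def demo() -> dict:
    msg = b"Transfer 100 to Bob"          # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    return {
        # Unaltered message, Alice's public key: accepted.
        "genuine": verify(msg, sig, ALICE_PUB),
        # One character changed after signing: the digest no longer matches.
        "tampered": verify(b"Transfer 900 to Bob", sig, ALICE_PUB),
        # Signed with a different private key: rejected under Alice's public key.
        "forged": verify(msg, sign(msg, MALLORY_PRIV), ALICE_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

Because anyone holding the public key can run `verify`, a third party can confirm the sender as well, which is the non-repudiation property.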

4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure)
PKI, or Public Key Infrastructure, was developed to identify and verify individuals operating on a network.  Many applications, such as PGP, use a form of PKI.  PKI uses both symmetric and asymmetric cryptography.
 
The most important component of PKI is the certificate authority, or CA.  The CA stores digital certificates, which contain information about a public key.  There may also be a registration authority, or RA, which decreases the load on the CA by performing verification before the CA issues the certificate.  The RA receives requests that are sent to the CA and authenticates the request before forwarding it to the CA.  The CA creates a public/private key pair at the same time using an algorithm and stores the public keys and certificates in a location that is accessible to the public.  The CA then gives the response to the RA, which gives the private key to the user, company, etc. that requested it.
o Certificates - certificates contain information about the owner of the certificate.  Many follow the X.509 standard, under which they must contain certain information, including:
  • The serial number, which identifies the certificate
  • The subject, or name of the recipient (person or company)
  • The signature algorithm
  • The issuer, or trusted source who issued the signature
  • The "Valid from" date, when it was created
  • The "Valid to" date, when it expires
  • The public key
  • The "thumbprint," or unique value for identification and
  • The thumbprint algorithm
o Certificate Policies - Certificate policies are rules that describe what the certificate is going to be used for.  Each policy is identified by an "object identifier," or OID, so that anybody can read it if they wish.

o Certificate Practice Statements - A certificate practice statement, or CPS, is a policy that describes how the CA will manage the certificates.

o Revocation - Certificates can be revoked, meaning that they are ended before the date they expire on.  This can happen for many reasons, including moving, a change in the Internet Service Provider, a request by the certificate's subject, etc.  If they follow X.509 standards, the CA must create a Certificate Revocation List (CRL).

o Trust Models - There are various models of CAs:
  1. Single CA Model - in this model, there is only one CA and the RA sets up the "trust" between the users and CA.
  2. Hierarchical Model - In this model, there is a root CA that is the highest authority above various subordinate CAs.  The intermediate CA is directly below the root CA and issues certificates to the CAs under it, which are called leaf CAs.  These leaf CAs give certificates to the users who need them.
  3. Web-of-trust - in this model, users sign certificates for others based on knowledge.  PGP is based on this model.

4.4 Identify and be able to differentiate different cryptographic standards and protocols
 
A set of standards was established for PKI, known as the Public-Key Cryptography Standards, or PKCS.  These were developed to standardize PKI before it was too late.
 

4.5 Understand and be able to explain the following concepts of Key Management and Certificate Lifecycles
o Centralized vs. Decentralized - centralized key management is used in the hierarchical model because the public keys are held in only one location.
Decentralized key management is when keys are held within a "key ring" and no one location holds all of the keys.

o Storage - certificates must be stored securely to protect them from attackers who may want to use them for malicious purposes.
o Hardware vs. Software -
  • Hardware - hardware storage modules (HSMs) were created because software storage is not very secure.  These include smart cards that store the owner's private key and encrypt/decrypt data themselves, which avoids having to transmit the key to the computer.  They are secure, but expensive.
  • Software - Many private keys are stored in software and rely on the file system's permissions to block access by unauthorized individuals.  This is cheap, but insecure.


o Private Key Protection - Private keys must be protected, otherwise others can use them to decrypt sensitive information.

o Escrow - Escrowing keys involves sending a copy of the private key to two different companies, with the copy split between the two.  Thus, it is a form of separation of duties.
o Expiration - All certificates include a "Valid to" date.  When this date comes, the certificate is expired and must be renewed or removed.

o Revocation - revocation can occur for various reasons, most of which include either important information changing or a loss of confidentiality.  These include:
  • Switching ISPs
  • Moving to a new location
  • Different contact for the certificate
  • Loss of confidentiality of the private key
o Status Checking - There are two ways to check for revoked certificates:
  1. CRLs - Certificate revocation list
  2. OCSP
o Suspension - Certificates can be "suspended" for a period of time if the private key isn't going to be used for that amount of time.  It can help prevent the public and private key from being used.
o Status Checking - The two methods of checking for suspended certificates are again CRLs and OCSP.
o Recovery - There should always be a method of recovering keys because, for example, if an employee lost a smart card and couldn't recover the key, he or she would not be able to decrypt all the data and messages any longer.  Companies often have a key recovery agent who is authorized to recover private keys for employees.  CAs usually require a certain amount of information known as the Key Recovery Information, or KRI for recovery.
o M-of-N Control (Of M appropriate individuals, N must be present to authorize recovery) - one method of key recovery requires a certain number of people to be present in order to recover a certain number of keys.  For example, 2 (N) people must recover 1 (M) person's key.
o Renewal - Certificates must be renewed before or while they expire.  Keys are not renewed if they are compromised.

o Destruction - Keys can be and should be destroyed if they are not necessary anymore.

o Key Usage - keys are used in many situations including VPNs, SSH, SSL, PGP, etc.  Most use only one pair, but some use multiple:
o Multiple Key Pairs (Single, Dual) - These are usually created when somebody is afraid that another person may forge digital signatures.  One pair is used for encryption and decryption while another is used for digital signatures.
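
The escrow and M-of-N control items above both depend on splitting a key so that no single party holds it. As an added example (not from the original study guide), the sketch below uses Shamir's secret sharing, one common way to enforce such a threshold and a technique the page itself does not name; the function names, `holders`/`required` parameters and the sample key are assumptions of the example.

```python
import secrets

PRIME = 2**127 - 1  # field modulus; the secret must be smaller than this

def split_secret(secret: int, holders: int, required: int):
    """Split `secret` into `holders` shares; any `required` of them rebuild it."""
    if not (1 <= required <= holders < PRIME) or not (0 <= secret < PRIME):
        raise ValueError("invalid threshold or secret out of range")
    # Random polynomial of degree required-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(required - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):       # Horner's rule, mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    # Share i is the point (i, f(i)); x = 0 is never handed out.
    return [(x, evaluate(x)) for x in range(1, holders + 1)]

def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

# Constructed sample value standing in for a private key.
DEMO_KEY = 0x5EC2E70FA11CE0123456789ABCDEF

if __name__ == "__main__":
    shares = split_secret(DEMO_KEY, holders=5, required=3)
    print(recover_secret(shares[:3]) == DEMO_KEY)   # three holders present
    print(recover_secret(shares[:2]) == DEMO_KEY)   # two holders are not enough
    escrow = split_secret(DEMO_KEY, holders=2, required=2)  # two escrow companies
    print(recover_secret(escrow) == DEMO_KEY)
```

With fewer shares than the threshold, interpolation returns an unrelated value, so a single escrow company or recovery agent learns nothing about the key.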

Resources:
Security+ Study Guide & DVD Training System, Second Edition. By: Ido Dubrawsky, Jeremy Faircloth
ISBN: 1597491535 http://www.syngress.com/catalog/?pid=4350

PrepLogic Security+ Mega Guide - http://www.preplogic.com/products/mega-guides/mega-guides-product-details.asp?eid=129

ExamCram CompTIA Security+ ISBN 0-7897-2910-5 Que Publishing July 2006.

Wikipedia - "PKI" and "Cryptography" - http://en.wikipedia.org/wiki/Public_key_infrastructure

http://en.wikipedia.org/wiki/Cryptography


This page was last modified on 07/28/07 02:08 PM