cryptographic terms and implementations

Cryptographic Terms and Implementations

Table of Contents

Cryptographic Terms and Implementations ................................................................................... 2

Cryptographic Tools and Techniques .............................................................................................. 3

Data-At-Rest Encryption ................................................................................................................. 4

Digital Signatures ............................................................................................................................ 6

Cryptography and Confidentiality ................................................................................................... 7

Chain of Trust .................................................................................................................................. 8

Root of Trust ................................................................................................................................... 9

Key Escrow .................................................................................................................................... 10

Steganography .............................................................................................................................. 11

Cryptographic Methods ................................................................................................................ 13

Data Encryption Standard (DES) Modes of Operation -1 ............................................................. 14

Data Encryption Standard (DES) Modes of Operation -2 ............................................................. 15

Cryptographic Methods – Flaws and Weaknesses ....................................................................... 16

Encryption Implementations -1 .................................................................................................... 18

Encryption Implementations -2 .................................................................................................... 20

Notices .......................................................................................................................................... 21

of 21


1


**001 Instructor: Cryptographic terms and implementation.

of 21

Cryptographic Tools and Techniques

2

Cryptographic Tools and Techniques

Key Stretching makes a brute-force attack slower and harder for an attacker to recover information such as passwords.

• Hashes a password and adds a salt process that is repeated multiple times (1000+) to produce a derived key.

Password Salt

Hash Password Salt

Hash Password Salt

Hash Algorithm

Hash Algorithm

Hash Algorithm

**002 Cryptographic tools and techniques, what is key stretching? Key stretching is the process of taking a weak password or a weak key and adding or padding and sending it through an algorithm to produce a more enhanced key. So, it's typically referred to as salting. When you salt a password, it's basically putting a normal or weak password into a algorithm and making that a more stronger password. It slows down the attackers to being able to break and use brute force password attacks against the system. So, it hashes a password and adds a salt process to it that is repeated multiple times

of 21

upwards to a hundred times to a thousand times to produce a derived way for a new key.

Data-At-Rest Encryption

3

Data-At-Rest Encryption

Refers to data stored physically in any digital form that is not activeCan be stored in databases, data warehouses, files, archives, tapes, offsite backups, mobile devices, or any other storage mediumMost often protected using data encryption algorithms

**003 Data-at-rest encryption, encryption incorporates two different tracks. You have a data-in-motion, and then you have a data-at-rest encryption. Data-at-rest encryption is exactly what it says, data that is maintained on your system that is at rest, that is not being transmitted over the wire. It is being stored in your local servers at rest. So, data stored physically in the digital form that is not active can be stored in databases or data warehouses, files,

of 21

archives, tapes, off-site backups, mobile devices, most often protected using data encryption algorithms. When you look out there at the different algorithms that are used, you have your AES encryption, which is a symmetric encryption that uses the same key for both encryption and decryption. Then you have your asymmetric encryption modules that uses two different keys that are related to each other, a private key and a public key. Data-at-rest is a protection added to your databases. So, if somebody comes in and breaches your system, and they don't have the proper encryption key to get into your data warehouse or your database, they have to go break another level of encryption in order to view those. So, it is very good to look at data-at-rest encryption. That can be done with a full disk encryption, file or folder protection encryption, or volume encryption. But AES is the standard that you see used out there, AES 256, most commonly used in corporations today to protect their data for that.

of 21

Digital Signatures

4

Digital Signatures

Verify authenticity and integrity of a messageValue hashed and encrypted on sender’s side must match when unencrypted and calculated by the receiverBased on asymmetric encryption

Message

Message Hash

Message Digital Signature

Hashing Algorithm

Encrypted with Private Key

Sent to Recipient

Message

**004 Digital signatures, what is a digital signature? Is a hashed value or encrypted on the sender's side must match when unencrypted and calculated by the receiver. So, it's basically talking about nonrepudiation of those devices. So, you have a digital signature so they know that that user knows that you sent that device.

of 21

Cryptography and Confidentiality

5

Cryptography and Confidentiality

What is private or confidential must stay private – at rest or in transit.Cryptography provides confidentiality by altering the original data in such a way as to ensure that the data cannot be read except by a valid recipient.

**005 Cryptography and confidentiality, what is private or confidential must stay private at rest or in transit. That's where we use cryptography. Cryptography provides confidentiality by altering the original data in such a way to ensure the data can not be read if it's intercepted by another recipient other than the valid recipient. What you'll see out there, RSA asymmetrical keys is the common cryptography used for asymmetrical encryption. Symmetrical encryption using the AES 256 standard is what you see out there.

of 21

Chain of Trust

6

Chain of Trust

Provides a means of passing trust from one entity to anotherCommonly used in relation with certificate distribution when certificates are passed from one certificate authority to another

• This can be viewed graphically in a web of trust.

Root CA

Sub CASub CA Sub CA

Server Server Server

**006 Chain of trust provides a means for passing trusts from one entity to another, commonly used in relations with certificate distributions coming from a certificate authority. You see certificate authorities out there like Verisign, Comodo, that are commonly used. And that provides that web of trust. So, when you're going to access a site, it is verifying that you're actually going to that site through the Verisign, or the Comodo processes of their certificates and checking those certificates to make sure that they have a valid certificate, and it has not been revoked.

of 21

Root of Trust

7

Root of Trust

Concept of trust in a system, software, or dataMost common form of attestation

• Provides a basic set of functions that are inherently trusted by the operating system

Can be hardware based, software based, or a hybridMost common form is the Trusted Platform Module (TPM)

**007 The root of trust in a system, software or data, most common form of attestation, provides a basic set of functions that are inherently trusted by the operating system. It can be hardware based, software based, or a hybrid of both. The most common form is the Trusted Platform Module. That is the encryption module when you log on to a system, and it requires you to authenticate to that system before it unencrypts the hard drive on that particular system. VM from a virtual trusted platform module is a software based system that enables-- to use those resources from the host-based hardware to each virtual machine using the same

of 21

trusted platform module, produces that root of trust for that.

Key Escrow

8

Key Escrow

Process of storing keys with a third party to ensure that decryption can occurMost often used to collect evidence during investigationsIt is important to understand the difference between key escrow and key recovery.

• Key Recovery is the process whereby a key is archived in a safe place by the primary issuer so it can be recovered when a disaster occurs or when the employee associated with the key leaves the organization.

**008 Key escrow, that's the process of storing keys with a third party to ensure that decryption can't occur. So, putting stuff into key escrow, you have a key escrow server. Those are most often used to collect evidence during the investigations, who accessed this system, going through the key escrow process so you can tell who was able to go out there and get the keys, and who used that key for those systems.

of 21

So, key recovery is a process whereby a key is archived in a safe place by the primary issuer, so it can be recovered when a system disaster occurs. So, you have a system go down. Disaster recovery plan has been invoked. You need to be able go out and recover those keys. That's where the key recovery process and that key escrow accounts in a third- party environment helps you restore your data to your local system.

Steganography

9

Steganography

The practice of concealing information within a container that is visible such as a message, image, or fileRequires:

• Container – medium into which data is embedded- Choosing an appropriate container determines the effectiveness of

the steganographic technique.- Common containers: images, audio files, video files, and office

documents• Data to be hidden

**009 Stenography, you don't hear about this too often. But it's making its way back into the limelight. Stenography is the practice of

of 21

concealing information within a container that is visible within a message or an image or a file. So, most commonly it was used in the past to hide images within an image. So, you're passing around a jpeg image from a local friend or something like that, but they actually embed file types into that system. And you have to have a key to unlock that system. Open stenography is a common tool that is used out there that is free to be able to hide data in plain sight in other images out there. So, container is a medium in which data is embedded. Choosing the appropriate container determines the effectiveness of the stenography technique. So, if you're choosing an image, what can you hide within that image? Can you hide a secret text file in that image, a Word document, a PDF from work? You'll see this a lot with insider threats. When an insider threat is trying to exfiltrate data from your system, you might have data protection and data loss prevention in place, being able to exfiltrate these type of files. But if they hide those files within an image, maybe your IPS or your IDS systems will not detect those type of exfiltrations. So, that's where stenography comes into. And it's making a full recurrence in organizations as people are trying to hide stuff and exfiltrate stuff out of the system.

of 21

Cryptographic Methods

10

Cryptographic Methods

Block Cipher – based on blocks or fixed-sized chunks of data • Commonly shift or reposition blocks to result in a permutation

of the plaintext Stream Cipher – inputs digits, bits, or characters and encrypts the stream of data

• Operate at a higher speed than block ciphers • Theoretically well suited for hardware implementation

**010 Cryptographic methods, you have your block cipher based on blocks or fixed sized chunks of data, commonly shift or reposition blocks to result in a permutation of the plain text. Then you have your stream cipher, smaller, inputs digits or bits instead of using the blocks, and encrypts the stream of the data, operates at a higher speed than the block ciphers. And it is theoretically well suited for hardware implementation.

of 21

Data Encryption Standard (DES) Modes of Operation -1

11


Electronic Code Block (ECB) Mode – default mode used by DES• If last 64-bit block is not a full 64-bits, padding is added• Produces the greatest throughput • Easiest DES implementation to crack – should only be used on

small amounts of dataCipher Block Chaining (CBC) Mode

• Inserts some of the cipher text created from previous block into the next block via a process called XORing- Makes the cipher text more secure and less susceptible to

cracking- Since one block is used in the next, the blocks are chained

together – produces dependency but results are more random

**011 Data Encryption Standard, DES, modes of operation, electronic code block, the ECB mode, is the default mode used by DES. It is a sixty-four block bit. It is not a full sixty-four bits. It will add the padding to make sure it's sixty-four bits. So, it's using that block data. So, if your data is not sixty-four bits, it's only thirty-two, it's going to pad that to make sure it's sixty-four to make sure it's all fixed one length. So, it is the easiest to crack. A lot of people don't use DES anymore. Most people are using the AES encryption now. DES is not commonly used because it is the easiest to crack.

of 21

Cipher block chaining inserts some of the cipher text created from previous block into the next block via processing called XORing, makes the cipher text more secure and less susceptible to cracking because it's adding some of the stuff. So, you have to be able to get all of the chains, all of the blocks, to you in order to decrypt it. So, if you miss a block, and you don't see that, you don't have the prior block. So, you can't decrypt it.


12


Cipher Feedback (CFB) Mode• Can be implemented as a stream cipher• Used to encrypt individual characters • Similar to OFB – previously generated cipher text is added to

subsequent streams- Errors and corruption can be propagated throughout the encryption

process Output Feedback (OFB) Mode

• Implemented as a stream cipher• Uses plain text to feed back into the stream of cipher text• Transmission errors do not propagate throughout the encryption

process • Initialization vector used to create seed value for first encrypted block

- DES XORs plain text with seed value to be applied to subsequent data

**012 Cipher feedback mode can be implemented as a stream cipher used to encrypt individual characters.

of 21

Previously generated cipher text is added to subsequent streams. Output feedback mode, the implementation has a stream cipher, uses plain text to feed back into the stream of the cipher text, transmission errors that happen.

Cryptographic Methods – Flaws and Weaknesses

13

Cryptographic Methods – Flaws and Weaknesses

Symmetric Strengths Symmetric Weaknesses

1,000 to 10,000 times faster than asymmetric algorithms

Number of unique keys needed can cause key management issues

Hard to break Secure key distribution critical

Cheaper to implement Key compromise occurs if one party is compromised, thereby allowing impersonation

Asymmetric Strengths Asymmetric Weaknesses

Key distribution is easier and more manageable than with symmetric algorithms

More expensive to implement

Key management is easier because same public key used by all parties

1,000 to 10,000 times slower than symmetric algorithms

**013 So, here are some of the flaws and weaknesses that you look at. So, when we look at symmetric strengths, you know that's a thousand to ten thousand times faster than asymmetric algorithms. They're hard to break. And they're cheaper to implement. Some of the drawbacks that you might see with them is the number of unique keys

of 21

needed can cause key management issues. When you have so many keys that are out there in your organization, managing those keys become a huge issue. Secure key distribution is critical. Making sure that you distribute those keys to who you are distributing those keys to. You don't want them to be out there in the wild and running loose. Key compromise occurs if one party is compromised therefore allowing impersonation. So, very critical is one of the weaknesses of symmetric cryptographic methods. Asymmetric strengths, key distribution is easier and more manageable. Key management is easier because the same public key is used by all parties. So, you have your private key, but then you have the same public key that is available to all parties. So, I have my personal private key. I encrypt something. I have a public key that is out there that is able to be downloaded by anybody. And then they can use that public key to unencrypt my messages that are sent out to them. The asymmetric weaknesses, it is more expensive to implement. And it is slower than the symmetric algorithms.

of 21

Encryption Implementations -1

14


Digital Rights Management (DRM)• Suite of technology designed to protect digital content • Prevents copyright infringement online and thus helps the copyright

holder maintain control of the information Watermarking

• Used for legal purposed to identify ownership or copyright of material such as videos and images

• Passive protection tool – flags ownership but does not degrade in any way

GNU Privacy Guard (GPG) • Licensed, free version of PGP• Uses hybrid encryption and uses the best of both symmetric and

asymmetric encryption- Symmetric used for encryption and asymmetric used for key

exchange

**014 Encryption implementations, digital rights management, that is a suite of technology designed to protect digital content. You see digital rights managements being used by CD makers that are out there that don't want the images copied over from their devices and being shared upon multiple music devices. So, you see digital rights management in the music industry quite a bit. It prevents copyright infringements online and thus helps protect the copyright holders and maintain control of that information. Watermarking, digital watermarking, is used for legal purposes to identify

of 21

ownership or copyright of material such as video or images. You commonly see that on images. Everything is going digital now. If a photographer takes a picture of you and your family, they watermark it until you pay for the rights to print that image. So, it is a passive protection tool, flags ownership but does not degrade in any other way. So, it just flags your ownership so they can still do stuff with that image. But it still has your ownership flag on that. GNU Privacy Guard, GPG is a licensed free version of PGP. It uses hybrid encryption, and uses the best of both symmetric and asymmetric encryption. Symmetric used for encryption and asymmetric used for the key exchange.

of 21


15


Secure Socket Layer (SSL)• Application and cryptographically independent• Framework for communicating certificates, encrypted keys,

and dataSecure Shell (SSH)

• Internet application that provides secure remote access• Replaces FTP, Telnet, and Berkeley “r” utilities• Defaults to TCP port 22

Secure/Multipurpose Internet Mail Extensions (S/MIME)• Standard for public key encryption and signing of MIME data• Popular for securing email

- Built into most email software programs

**015 Secure Socket Layer, SSL as it's commonly referred to, is an application in cryptography. Independent, it is a framework for communicating certificates and encrypted keys and data. Your SSH, or secure shell, is an Internet application that provides secure, remote access to a system. It's replacing FTP/Telnet type of things. Those are normally wide open protocols that are used to transfer, where you're using a secure shell, which you're now providing a remote access to a server, or a drop box. And it's more secure than the FTP or Telnet. Secure Multipurpose Internet Mail Extensions, standard for public

of 21

key encryption. It is built into most email software programs.

Notices

16

Notices

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT D] Distribution authorized to the Department of Defense and U.S. DoD contractors only (administrative or operational use) (2016-05-01). Other requests shall be referred to DISA/RME.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0004104

**016 Thank you.

of 21

cryptographic terms and implementations

Documents