CompTIA Security+ 501
CompTIA Security+
SY0-501
Instructor: Ron Woerner, CISSP, CISM
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – Part 1
Cybrary - Ron Woerner 1 CompTIA Security+ 501
6.2 Cryptography Algorithms PART 1 PART 2 ● Obfuscation ● Asymmetric ● Hashing algorithms ● Symmetric algorithms algorithms ○ MD5 ○ AES ○ RSA ○ SHA ○ DES ○ DSA ○ HMAC ○ 3DES ○ Diffie-Hellman ○ RIPEMD ○ RC4 ○ DHE ● Key stretching algorithms ○ Blowfish/Twofish ○ ECDHE ○ Elliptic curve ● Cipher modes ○ PGP/GPG ○ Stream vs. block ○ CTR ○ CBC ○ GCM ○ ECB
6.2 Cryptography Algorithms PART 1 PART 2 ● Obfuscation ● Asymmetric ● Hashing algorithms ● Symmetric algorithms algorithms ○ MD5 ○ AES ○ RSA ○ SHA ○ DES ○ DSA ○ HMAC ○ 3DES ○ Diffie-Hellman ○ RIPEMD ○ RC4 ○ DHE ● Key stretching algorithms ○ Blowfish/Twofish ○ ECDHE ○ Elliptic curve ● Cipher modes ○ PGP/GPG ○ Stream vs. block ○ CTR ○ CBC ○ GCM ○ ECB
Cybrary - Ron Woerner 2 CompTIA Security+ 501
Obfuscation
● The act of making something difficult to understand
● Substitution cipher . Example: ROT13 (rotate 13 places)
Obfuscation
XOR (eXclusive OR)
● Example:
Cybrary - Ron Woerner 3 CompTIA Security+ 501
Symmetric algorithms
● DES – Data Encryption Standard ○ Adopted by NIST in 1977 ○ Block cipher using 64-bit blocks - 56-bit key + 8 bits of parity ○ Short key length subject to brute-force attacks ● 3DES – Triple DES ○ DES algorithm computed three times ○ Using a "key bundle" that comprises three different DES keys, each of 56 bits = Total bit strength of 168 bits (known as 3TDEA) ○ Also options to reuse keys.
Symmetric algorithms
● AES – Advanced Encryption Standard ○ Original name Rijndael ○ Free for any use public or private, commercial or non-commercial ○ Adopted by NIST in 2001 ○ Block cipher with 128 bit block size ○ Three key lengths: 128, 192 and 256 bits ○ Uses multiple encryption rounds – 10 rounds for 128-bit keys, 12 rounds for 192- bit keys, and 14 rounds for 256-bit keys
Cybrary - Ron Woerner 4 CompTIA Security+ 501
AES Encryption Explained http://www.moserware.com/2009/0 9/stick-figure-guide-to- advanced.html
9
Symmetric algorithms
● RC4 / RC5 / RC6 – Rivest Cipher ○ RC4 is a stream cipher, RC5 & RC6 – block ciphers ○ Works with key sizes between 40 and 2,048 bits,
● Blowfish / Twofish ○ A symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits). ○ Twofish uses 128-bit blocks
Cybrary - Ron Woerner 5 CompTIA Security+ 501
Symmetric algorithms ● International Data Encryption Algorithm (IDEA) ○ 128-bit key ○ Similar to DES, but more secure ○ Used in Pretty Good Privacy (PGP)
● One-Time Pad (OTP) ○ Most secure crypto implementation ○ Use of a key as long as the plain-text message ○ Only used once and then destroyed
● Skipjack ○ NSA developed block cipher used in clipper chip ○ Uses an 80-bit key to encrypt 64-bit blocks of data
Cipher modes
● CTR – Counter Mode ○ Turns a block cipher into a stream cipher ○ Used to generate a keystream ○ Each block combines a nonce or IV with a sequentially assigned number to produce a unique counter block that is then encrypted ● CBC – Cipher-Block Chaining ○ Uses an IV with the first block. ○ Thereafter, each block of plain text is obfuscated with the cipher text from the previous block before it is encrypted ○ Introduces more diffusion & reduces effects of plain-text attacks
Cybrary - Ron Woerner 6 CompTIA Security+ 501
Cipher modes
● GCM – Galois/Counter Mode ○ Provides both integrity and confidentiality ○ GCM uses CTR with 128-bit blocks. ○ Each 128-bit block is given an encrypted number. That result is then obfuscated with the plain text, producing the cipher text. ○ GMAC (Galois Message Authentication Code) is an authentication-only variant of the GCM which can be used as an incremental message authentication code ● ECB – Electronic Codebook ○ Divides the message into blocks and then encrypts each block ○ No longer recommended - the same plain-text block is encrypted into the same cipher-text block each time
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – end of Part 1
Cybrary - Ron Woerner 7 CompTIA Security+ 501
Exam Preparation
This block cipher uses a "key bundle" that comprises three different DES keys, each of 56 bits?
A. DES B. AES C. RSA D. 3DES
Exam Preparation
This cryptographic algorithm works by generating a keystream block by encrypting sequential values of some counter and is used to convert a block cipher into a stream cipher.
A. GCM B. CTR C. AES D. Twofish
Cybrary - Ron Woerner 8 CompTIA Security+ 501
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – end of Part 1
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – Part 2
Cybrary - Ron Woerner 9 CompTIA Security+ 501
6.2 Cryptography Algorithms PART 1 PART 2 ● Obfuscation ● Asymmetric ● Hashing algorithms ● Symmetric algorithms algorithms ○ MD5 ○ AES ○ RSA ○ SHA ○ DES ○ DSA ○ HMAC ○ 3DES ○ Diffie-Hellman ○ RIPEMD ○ RC4 ○ DHE ● Key stretching algorithms ○ Blowfish/Twofish ○ ECDHE ● Cipher modes ○ Elliptic curve ○ Stream vs. block ○ PGP/GPG ○ CTR ○ CBC ○ GCM ○ ECB
Asymmetric Encryption
● Uses two keys – one to encrypt the other to decrypt ● Keys are mathematically related ● Public / Private key encryption
● Only the private key needs to be kept secret Only it can decrypt the message
Cybrary - Ron Woerner 10 CompTIA Security+ 501
Asymmetric algorithms
● Extra computational overhead ● Used primarily for
○ Secure exchange of a shared keys used for symmetric encryption
○ Digital signatures ● Solves the issue of key exchange with symmetric encryption
Asymmetric algorithms
● Rivest, Shamir, and Adleman (RSA) ○ Used for key exchange and digital signatures ○ Key can be any length ○ Algorithm works by multiplying two large prime numbers ○ Derives two different numbers: one public key and one private key
● Diffie-Hellman key exchange (D-H) ○ Two parties, without prior arrangement can agree on a secret key that is known only to them ○ Only used to generate a shared key (not encryption) ○ Key can be safely / secretly shared on a public network
● Diffie-Hellman Ephemeral (DHE) ○ Uses a different key for every conversation ○ Supports perfect forward secrecy
Cybrary - Ron Woerner 11 CompTIA Security+ 501
Asymmetric algorithms
● Elliptic curve cryptography (ECC) ○ Technique using elliptic curves to calculate simple but difficult-to-break encryption keys ○ Uses smaller key sizes to obtain the same level of security [160-bit ECC = 1024-bit RSA] ● Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) ○ Variant of DHE using ECC for perfect forward secrecy ● El Gamal ○ An extension to the Diffie-Hellman using an ephemeral key
● Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) ○ Developed by Phillip R. Zimmerman in 1991 ○ Used to encrypt and sign email messages
Hashing
● “Digital fingerprint” ● Work by taking a string of any length and producing a fixed-length string for output ● Changing the original changes the hash value ● Originator takes a hash of the file and provides hash to receiver. Receiver takes hash of file and compares with original to ensure file integrity.
Cybrary - Ron Woerner 12 CompTIA Security+ 501
Hashing algorithms
● Secure Hash Algorithm (SHA, SHA-1, SHA-2, SHA-3) ○ Developed by US NSA ○ SHA-1 can generate a 160-bit hash from any variable-length string of data ○ SHA-2 = SHA-224, SHA-256, SHA-384, and SHA-512 (based on their digest lengths) ○ SHA-3, published in 2012. Not widely used yet
● Message Digest Algorithm (MD2, MD4, MD5) ○ The most widely known hashing function. ○ Produces a 16-byte hash value, usually expressed as a 32 digit hexadecimal number. ○ Considered compromised. Rainbow tables have been published which allow people to reverse MD5 hashes made without good salts
Hashing algorithms
Cybrary - Ron Woerner 13 CompTIA Security+ 501
Hashing algorithms
● Message Authentication Code (MAC) ○ Authentication of messages using a secret key ○ Used in electronic fund transfers to protect against fraud
● Hash-based Message Authentication Code (HMAC) ○ HMAC combines a cryptographic hash function and a secret cryptographic key ○ HMAC does not encrypt the message, only the key.
● RACE Integrity Primitives Evaluation Message Digest (RIPEMD) ○ Design based on MD4 ○ 160-bit version of the algorithm (RIPEMD-160) performs comparably to SHA-1
Rainbow Tables and Salts
● Rainbow table ○ a precomputed table for reversing cryptographic hash functions ○ all of the possible hashes are computed in advance
● Salt - random data that is used as an additional input to hashes
Cybrary - Ron Woerner 14 CompTIA Security+ 501
Key Stretching
Processes used to take a weak key and make it stronger, usually by making it longer ● Bcrypt ○ Based on the blowfish algorithm ○ provides an adaptive hash function based on a key factor
● PBKDF2 (Password-Based Key Derivation Function 2) ○ Algorithm applies a pseudo-random function to the password, combined with a salt of at least 64 bits, and then repeats the process at least 1,000 times
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – end of Part 2
Cybrary - Ron Woerner 15 CompTIA Security+ 501
Exam Preparation
This hashing algorithm, now considered compromised, produces a 16-byte hash value, usually expressed as a 32 digit hexadecimal number?
A. SHA-1 B. Rainbow tables C. MD5 D. HMAC
Exam Preparation
Alice and Bob want to shared a file over the Internet. They plan on using AES-256 for file encryption, but need to share a secret key between them. Which algorithm is best for this use?
A. Diffie-Hellman B. RSA C. SHA-1 D. ECB
Cybrary - Ron Woerner 16 CompTIA Security+ 501
Security+ Lab Guide The Encryption and Hashing module provide you with the instructions and devices to develop your hands-on skills.
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics
Cybrary - Ron Woerner 17