Comptia Security+ SY0-501

CompTIA Security+ 501
Instructor: Ron Woerner, CISSP, CISM
CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – Part 1
Cybrary - Ron Woerner

6.2 Cryptography Algorithms

PART 1
● Obfuscation
● Symmetric algorithms
  ○ AES
  ○ DES
  ○ 3DES
  ○ RC4
  ○ Blowfish/Twofish
● Cipher modes
  ○ Stream vs. block
  ○ CTR
  ○ CBC
  ○ GCM
  ○ ECB

PART 2
● Asymmetric algorithms
  ○ RSA
  ○ DSA
  ○ Diffie-Hellman
  ○ DHE
  ○ ECDHE
  ○ Elliptic curve
  ○ PGP/GPG
● Hashing algorithms
  ○ MD5
  ○ SHA
  ○ HMAC
  ○ RIPEMD
● Key stretching algorithms

Obfuscation
● The act of making something difficult to understand
● Substitution cipher. Example: ROT13 (rotate 13 places)
● XOR (eXclusive OR). Example: [slide image not reproduced in this extraction]

Symmetric algorithms
● DES – Data Encryption Standard
  ○ Adopted by NIST in 1977
  ○ Block cipher using 64-bit blocks; 56-bit key + 8 bits of parity
  ○ Short key length subject to brute-force attacks
● 3DES – Triple DES
  ○ DES algorithm computed three times
  ○ Uses a "key bundle" that comprises three different DES keys, each of 56 bits, for a total bit strength of 168 bits (known as 3TDEA)
  ○ Also options to reuse keys
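The obfuscation slide above names ROT13 and XOR without showing the transforms. The following is an added example (not code from the Cybrary deck or its author) implementing both. It shows why the deck files them under obfuscation rather than encryption: each transform is its own inverse, ROT13 needs no key at all, and XOR with a short repeating key lets repeated plaintext bytes show through as repeated ciphertext bytes. The message and the one-byte key are constructed sample values.

```python
# Added example: ROT13 and repeating-key XOR as obfuscation (not encryption).
import codecs


def rot13(text: str) -> str:
    """Rotate each ASCII letter 13 places; everything else passes through.
    Applying rot13 twice returns the original text (13 + 13 = 26)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call with the same key undoes the transform."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    msg = "Hello, Security+"   # constructed sample message
    key = b"\x5a"              # constructed one-byte key
    r = rot13(msg)
    x = xor_bytes(msg.encode(), key)
    return {
        "rot13": r,
        "rot13_roundtrip": rot13(r) == msg,
        # Python's stdlib codec gives the same answer; a handy cross-check.
        "rot13_matches_codecs": r == codecs.encode(msg, "rot13"),
        "xor_roundtrip": xor_bytes(x, key).decode() == msg,
        # The two 'l' bytes at positions 2 and 3 hit the same key byte, so
        # they produce identical ciphertext bytes: structure leaks through.
        "xor_pattern_leaks": x[2] == x[3],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

ROT13 is reversible by anyone who recognises it, and a repeating-key XOR reveals plaintext structure wherever the key repeats; both are fine for hiding text from casual view and useless for protecting it from an adversary.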
Symmetric algorithms
● AES – Advanced Encryption Standard
  ○ Original name Rijndael
  ○ Free for any use, public or private, commercial or non-commercial
  ○ Adopted by NIST in 2001
  ○ Block cipher with 128-bit block size
  ○ Three key lengths: 128, 192 and 256 bits
  ○ Uses multiple encryption rounds – 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys

AES Encryption Explained
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Symmetric algorithms
● RC4 / RC5 / RC6 – Rivest Cipher
  ○ RC4 is a stream cipher; RC5 and RC6 are block ciphers
  ○ Works with key sizes between 40 and 2,048 bits
● Blowfish / Twofish
  ○ Blowfish is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits)
  ○ Twofish uses 128-bit blocks

Symmetric algorithms
● International Data Encryption Algorithm (IDEA)
  ○ 128-bit key
  ○ Similar to DES, but more secure
  ○ Used in Pretty Good Privacy (PGP)
● One-Time Pad (OTP)
  ○ Most secure crypto implementation
  ○ Uses a key as long as the plain-text message
  ○ Key is only used once and then destroyed
● Skipjack
  ○ NSA-developed block cipher used in the Clipper chip
  ○ Uses an 80-bit key to encrypt 64-bit blocks of data

Cipher modes
● CTR – Counter Mode
  ○ Turns a block cipher into a stream cipher
  ○ Used to generate a keystream
  ○ Each block combines a nonce or IV with a sequentially assigned number to produce a unique counter block that is then encrypted
● CBC – Cipher-Block Chaining
  ○ Uses an IV with the first block
  ○ Thereafter, each block of plain text is combined (XORed) with the cipher text from the previous block before it is encrypted
  ○ Introduces more diffusion and reduces the effects of plain-text attacks

Cipher modes
● GCM – Galois/Counter Mode
  ○ Provides both integrity and confidentiality
  ○ GCM uses CTR with 128-bit blocks
  ○ Each 128-bit block is given an encrypted number. That result is then combined (XORed) with the plain text, producing the cipher text.
  ○ GMAC (Galois Message Authentication Code) is an authentication-only variant of GCM which can be used as an incremental message authentication code
● ECB – Electronic Codebook
  ○ Divides the message into blocks and then encrypts each block independently
  ○ No longer recommended – the same plain-text block is encrypted into the same cipher-text block each time

CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – end of Part 1

Exam Preparation
This block cipher uses a "key bundle" that comprises three different DES keys, each of 56 bits?
A. DES
B. AES
C. RSA
D. 3DES

Exam Preparation
This cryptographic algorithm works by generating a keystream block by encrypting sequential values of some counter and is used to convert a block cipher into a stream cipher.
A. GCM
B. CTR
C. AES
D. Twofish

CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – Part 2
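The cipher-mode slides above (CTR, CBC, GCM, ECB) describe how each mode chains or counts blocks; the following added example (not code from the Cybrary deck or its author) builds ECB, CBC and CTR over a 16-byte block cipher so the differences are observable. The block cipher is a stand-in: a four-round Feistel network whose round function is SHA-256. It is not AES and is not suitable for real use; it only supplies a keyed permutation with the same block size. The key, IV, nonce and plaintext are constructed sample values.

```python
# Added example: ECB, CBC and CTR modes over a stand-in 16-byte block cipher.
import hashlib

BLOCK = 16  # bytes; same block size as AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the right half, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Stand-in block cipher (4-round Feistel, NOT AES)."""
    assert len(blk) == BLOCK
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left  # final swap, Feistel convention


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    assert len(blk) == BLOCK
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Each block is encrypted independently: equal plaintext blocks give
    # equal ciphertext blocks, which is the ECB weakness the deck names.
    assert len(pt) % BLOCK == 0
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before encryption.
    assert len(pt) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    # Counter block = 8-byte nonce || 8-byte big-endian counter. Encrypting
    # successive counter blocks yields the keystream: block cipher -> stream cipher.
    assert len(nonce) == 8
    ks = b"".join(block_encrypt(key, nonce + c.to_bytes(8, "big"))
                  for c in range((nbytes + BLOCK - 1) // BLOCK))
    return ks[:nbytes]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # One function encrypts and decrypts; any length works, no padding needed.
    return xor(data, ctr_keystream(key, nonce, len(data)))


def distinct_blocks(ct: bytes) -> int:
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


def demo() -> dict:
    key = b"constructed-key!"                  # constructed 16-byte key
    iv, nonce = b"\x01" * BLOCK, b"\x02" * 8   # constructed; use os.urandom() in practice
    pt = b"SAME BLOCK HERE." * 3 + b"different final."  # four blocks, three identical
    ecb, cbc, ctr = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt), ctr_crypt(key, nonce, pt)
    short = b"9 bytes!!"  # constructed; not a multiple of the block size
    return {
        "ecb_distinct": distinct_blocks(ecb),  # 2: repeated plaintext shows through
        "cbc_distinct": distinct_blocks(cbc),  # 4
        "ctr_distinct": distinct_blocks(ctr),  # 4
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == pt,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr) == pt,
        "ctr_short_len": len(ctr_crypt(key, nonce, short)),  # 9
        # Reusing a nonce reuses the keystream, so two ciphertexts XOR to the
        # XOR of their plaintexts; this is why CTR and GCM nonces must be unique.
        "nonce_reuse_leaks": xor(ctr_crypt(key, nonce, pt[:16]),
                                 ctr_crypt(key, nonce, short)) == xor(pt[:16], short),
    }
```

The `nonce_reuse_leaks` check is the caveat GCM inherits from CTR: confidentiality rests entirely on never encrypting two messages under the same key and nonce, which is the property to audit when reviewing a deployment.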
Asymmetric Encryption
● Uses two keys – one to encrypt, the other to decrypt
● Keys are mathematically related
● Public / private key encryption
● Only the private key needs to be kept secret; only it can decrypt the message

Asymmetric algorithms
● Extra computational overhead
● Used primarily for
  ○ Secure exchange of a shared key used for symmetric encryption
  ○ Digital signatures
● Solves the issue of key exchange with symmetric encryption

Asymmetric algorithms
● Rivest, Shamir, and Adleman (RSA)
  ○ Used for key exchange and digital signatures
  ○ Key can be any length
  ○ Algorithm works by multiplying two large prime numbers
  ○ Derives two different numbers: one public key and one private key
● Diffie-Hellman key exchange (D-H)
  ○ Two parties, without prior arrangement, can agree on a secret key that is known only to them
  ○ Only used to generate a shared key (not encryption)
  ○ Key can be safely / secretly shared on a public network
● Diffie-Hellman Ephemeral (DHE)
  ○ Uses a different key for every conversation
  ○ Supports perfect forward secrecy

Asymmetric algorithms
● Elliptic curve cryptography (ECC)
  ○ Technique using elliptic curves to calculate simple but difficult-to-break encryption keys
  ○ Uses smaller key sizes to obtain the same level of security [160-bit ECC = 1024-bit RSA]
● Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
  ○ Variant of DHE using ECC for perfect forward secrecy
● El Gamal
  ○ An extension to Diffie-Hellman using an ephemeral key
● Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)
  ○ Developed by Phillip R. Zimmerman in 1991
  ○ Used to encrypt and sign email messages

Hashing
● "Digital fingerprint"
● Works by taking a string of any length and producing a fixed-length string as output
● Changing the original changes the hash value
● Originator takes a hash of the file and provides the hash to the receiver. Receiver takes a hash of the file and compares it with the original to ensure file integrity.

Hashing algorithms
● Secure Hash Algorithm (SHA, SHA-1, SHA-2, SHA-3)
  ○ Developed by the US NSA
  ○ SHA-1 can generate a 160-bit hash from any variable-length string of data
  ○ SHA-2 = SHA-224, SHA-256, SHA-384, and SHA-512 (named by their digest lengths)
  ○ SHA-3, published in 2012. Not widely used yet
● Message Digest Algorithm (MD2, MD4, MD5)
  ○ The most widely known hashing function
  ○ Produces a 16-byte hash value, usually expressed as a 32-digit hexadecimal number
  ○ Considered compromised. Rainbow tables have been published which allow people to reverse MD5 hashes made without good salts

Hashing algorithms
● Message Authentication Code (MAC)
  ○ Authentication of messages using a secret key
  ○ Used in electronic fund transfers to protect against fraud
● Hash-based Message Authentication Code (HMAC)
  ○ HMAC combines a cryptographic hash function and a secret cryptographic key
  ○ HMAC does not encrypt the message, only the key.
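The hashing and HMAC slides above, together with the salt and key-stretching slides that follow (rainbow tables, salts, PBKDF2), describe properties that are easy to check directly. The following added example (not code from the Cybrary deck or its author) uses only Python's standard library: it confirms the digest sizes the deck quotes, shows the avalanche effect of a one-character change, verifies an HMAC with a constant-time comparison, and shows how a per-user salt plus PBKDF2 iterations defeats a precomputed table. The message, key and password are constructed sample values; the 100,000 iteration count is an assumption, chosen to be well above the deck's minimum of 1,000.

```python
# Added example: digest sizes, avalanche, HMAC verification, salted PBKDF2.
import hashlib
import hmac
import os


def digest_sizes(data: bytes) -> dict:
    """Digest lengths in bytes for the algorithms the deck names."""
    return {
        "md5": len(hashlib.md5(data).digest()),        # 16 bytes = 32 hex digits
        "sha1": len(hashlib.sha1(data).digest()),      # 20 bytes = 160 bits
        "sha256": len(hashlib.sha256(data).digest()),  # 32 bytes = 256 bits
        "sha512": len(hashlib.sha512(data).digest()),  # 64 bytes = 512 bits
    }


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests (avalanche check)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256: the message is not hidden, only authenticated with the key.
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so a timing side channel does not
    # reveal how many leading tag bytes matched.
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def salted_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: salt makes each user's stored value unique (no
    shared rainbow table), iterations make each guess expensive (stretching)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def demo() -> dict:
    msg = b"transfer 100 to account 42"       # constructed message
    tampered = b"transfer 900 to account 42"  # one character changed
    key = b"constructed-shared-secret"
    tag = hmac_tag(key, msg)
    h1, h2 = hashlib.sha256(msg).digest(), hashlib.sha256(tampered).digest()
    pw = b"correct horse"                     # constructed password
    salt_a, salt_b = os.urandom(8), os.urandom(8)  # 64-bit salts, as the deck requires
    return {
        "sizes": digest_sizes(msg),
        "md5_hex_digits": len(hashlib.md5(msg).hexdigest()),   # 32
        "long_input_same_size": len(hashlib.sha256(b"x" * 100_000).digest()),  # 32
        "avalanche_bits": bits_changed(h1, h2),                 # about half of 256
        "hmac_ok": hmac_verify(key, msg, tag),
        "hmac_tamper_detected": not hmac_verify(key, tampered, tag),
        "hmac_wrong_key_rejected": not hmac_verify(b"other-key", msg, tag),
        "salts_differ": salted_hash(pw, salt_a) != salted_hash(pw, salt_b),
        "same_salt_repeats": salted_hash(pw, salt_a) == salted_hash(pw, salt_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A plain unsalted hash of a password is exactly what a rainbow table targets; the stored value must include the salt (it is not secret) and the iteration count so that verification can recompute the same derivation.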
● RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
  ○ Design based on MD4
  ○ The 160-bit version of the algorithm (RIPEMD-160) performs comparably to SHA-1

Rainbow Tables and Salts
● Rainbow table
  ○ A precomputed table for reversing cryptographic hash functions
  ○ All of the possible hashes are computed in advance
● Salt – random data that is used as an additional input to hashes

Key Stretching
Processes used to take a weak key and make it stronger, usually by making it longer
● Bcrypt
  ○ Based on the Blowfish algorithm
  ○ Provides an adaptive hash function based on a key factor
● PBKDF2 (Password-Based Key Derivation Function 2)
  ○ Applies a pseudo-random function to the password, combined with a salt of at least 64 bits, and then repeats the process at least 1,000 times

CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics – end of Part 2

Exam Preparation
This hashing algorithm, now considered compromised, produces a 16-byte hash value, usually expressed as a 32-digit hexadecimal number?
A. SHA-1
B. Rainbow tables
C. MD5
D. HMAC

Exam Preparation
Alice and Bob want to share a file over the Internet. They plan on using AES-256 for file encryption, but need to share a secret key between them. Which algorithm is best for this use?
A. Diffie-Hellman
B. RSA
C. SHA-1
D. ECB

Security+ Lab Guide
The Encryption and Hashing module provides you with the instructions and devices to develop your hands-on skills.

CompTIA Security+ Domain 6 – Cryptography & PKI
6.2 Explain cryptography algorithms and their basic characteristics
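The asymmetric-algorithm slides and the final exam question (Alice and Bob needing a shared AES-256 key) describe two mechanisms: Diffie-Hellman agreement on a shared secret, and RSA keys derived from two primes. The following added example (not code from the Cybrary deck or its author) walks through both with toy parameters so every step is visible. The DH group p = 23, g = 5 and the RSA primes 61 and 53 are the usual textbook values and are assumptions for illustration only, thousands of bits too small for real use; real deployments use standardized 2048-bit or larger groups (or ECDHE) and RSA primes of 1024 bits or more. Deriving the AES key with a single SHA-256 stands in for a proper key-derivation function.

```python
# Added example: toy Diffie-Hellman (ephemeral) key agreement and textbook RSA.
import hashlib
import secrets

# Constructed toy DH parameters (textbook group; NOT for real use).
TOY_P, TOY_G = 23, 5


def dh_keypair(p: int = TOY_P, g: int = TOY_G) -> tuple:
    """Return (private, public) where public = g^private mod p.
    A fresh pair per conversation is what makes the exchange 'ephemeral' (DHE)."""
    priv = secrets.randbelow(p - 2) + 1  # 1 .. p-2
    return priv, pow(g, priv, p)


def dh_shared(priv: int, peer_pub: int, p: int = TOY_P) -> int:
    # Each side raises the other's public value to its own private exponent;
    # both arrive at g^(a*b) mod p without ever sending a private value.
    return pow(peer_pub, priv, p)


def derive_aes256_key(shared: int) -> bytes:
    """Hash the agreed value down to 32 bytes (256 bits). A real protocol
    would use an HKDF with context info; SHA-256 keeps the toy dependency-free."""
    return hashlib.sha256(str(shared).encode()).digest()


def dh_session() -> dict:
    a_priv, a_pub = dh_keypair()   # Alice's ephemeral pair
    b_priv, b_pub = dh_keypair()   # Bob's ephemeral pair
    # Only a_pub and b_pub cross the public network.
    k_alice = derive_aes256_key(dh_shared(a_priv, b_pub))
    k_bob = derive_aes256_key(dh_shared(b_priv, a_pub))
    return {"alice_pub": a_pub, "bob_pub": b_pub,
            "keys_match": k_alice == k_bob, "key_bytes": len(k_alice)}


def rsa_toy_keypair(p: int = 61, q: int = 53, e: int = 17) -> tuple:
    """Textbook RSA from two (constructed, tiny) primes: n = p*q and
    d = e^-1 mod (p-1)(q-1). Returns ((n, e) public, (n, d) private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv: tuple, m: int) -> int:
    # Signing uses the private key; anyone with the public key can verify.
    # Real signatures hash the message first and use padding (PSS); this
    # raw form exists only to show the key roles.
    n, d = priv
    return pow(m, d, n)


def rsa_verify(pub: tuple, m: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == m


def rsa_demo() -> dict:
    pub, priv = rsa_toy_keypair()
    c = rsa_encrypt(pub, 65)        # 65 is a constructed sample message
    sig = rsa_sign(priv, 65)
    return {"n": pub[0], "d": priv[1], "ciphertext": c,
            "decrypts": rsa_decrypt(priv, c), "sig_ok": rsa_verify(pub, 65, sig),
            "sig_rejects_other": rsa_verify(pub, 66, sig)}
```

The exam question's answer is visible in `dh_session`: the parties never transmit the secret, only public values, and the AES-256 key is derived locally on both sides. Because each session draws new exponents, compromising one session's key later tells an attacker nothing about other sessions, which is the forward-secrecy property the DHE and ECDHE bullets refer to.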
