Sophos Certified Engineer: Fundamentals

Sophos Certified Engineer Fundamentals

Cryptography basics
Version 1.1

SOPHOS TRAINING

Cryptography has been used for thousands of years as a means to protect the confidentiality of
information. In this section you will learn the basics of cryptography so you will recognize the
technologies as you learn about Sophos products.

Sophos Certified Engineer
Endpoint Protection ET011 – Fundamentals
May 2016
Training version: 1.1

© 2016 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos
and marks mentioned in this document may be the trademarks or registered trademarks of
Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is
at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Module 1 - 1

Course agenda
1. Cryptography basics
2. Networking basics
3. Active Directory basics
4. Security threat basics


The Sophos Certified Engineer Fundamentals course is split into 4 short modules, with
suggestions for further reading throughout. You are now in module 1.


Module agenda
• Encryption overview
• Key length and complexity
• Symmetric cryptography and key transfer
• Asymmetric cryptography
• Hash functions
• Digital signatures
• Digital certificates
• SSL / TLS


The module covers the fundamentals of encryption and the methods used to protect data and
provide proof of its origin.


Module objectives
• Once you complete this module you will be able to:
○ Recognize cryptographic technologies that are implemented in Sophos products
○ Describe the process of encryption and decryption using symmetric and asymmetric algorithms
○ Explain how hash functions can be used to ‘fingerprint’ data
○ Understand how digital signatures verify the sender and data integrity
○ Describe the function of digital certificates


On completion of this module you will be able to:
• Recognise cryptographic technologies that are implemented in Sophos products
• Describe the process of encryption and decryption using symmetric and asymmetric
algorithms
• Explain how hash functions can be used to ‘fingerprint’ data
• Understand how digital signatures verify the sender and data integrity
• Describe the function of digital certificates


Encryption overview
Plain text → Encryption algorithm → Cipher text

The Caesar algorithm uses substitution: each letter in the plain text is replaced by the letter ‘n’ places up or down the alphabet.

Plain text message: Attack at dawn

n = 2: substitute each letter with the one 2 places higher in the alphabet

Cipher text: Cvvcem cv fcyp


The original purpose of encryption was to ensure that secret messages could not be read by an
enemy. The message starts out as plain text, which anyone who intercepts it can read.

Encryption algorithms, also known as ciphers, are used to secure the message. Classical ciphers
are built from two operations: replacing characters with other characters (substitution) and
moving characters around (transposition). Modern ciphers combine many rounds of both.

The Caesar cipher, named after Julius Caesar, is one of the earliest known. It uses simple
substitution to replace each letter in the plaintext with the letter ‘n’ places up or down the
alphabet. For example, if n=1, A would be replaced by B, B would become C, and so on, with Z
wrapping round to A.

Let’s consider an example. The plain text message ‘Attack at dawn’ needs to be encrypted.

The number 2 is chosen as the key to encrypt the message. With the Caesar algorithm the key
determines how many places up or down the alphabet characters are shifted.

The encrypted message is created by substituting each character with the character 2 places
higher in the alphabet; the result is referred to as cipher text.

To decrypt the message each character is replaced by the character 2 places lower in the
alphabet. Because there are only 25 useful shifts, an attacker who knows the algorithm can
simply try them all; this is the key-space problem that the following slides address.
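The Caesar cipher from the slide, as an added worked example (it is not part of the Sophos course material): one function encrypts and decrypts, and a second tries every possible key, which shows why a cipher whose key space is 25 shifts offers no protection once the algorithm is known. The ‘crib’ word used to pick the right key is an assumption about what the attacker expects to find in the plain text.

```python
"""Added example (not from the Sophos course): the Caesar cipher on slide 5,
plus a brute-force 'attack' that tries every key. The key space has only 25
useful shifts, which is why the cipher is trivially broken once the algorithm
is known; later slides measure key space in bits for exactly this reason."""


def caesar(text, key):
    """Shift every letter `key` places up the alphabet (wrapping Z -> A).
    Letters keep their case; spaces and punctuation pass through unchanged.
    Decryption is the same operation with the negative key."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(cipher_text):
    """Try all 26 keys (key 0 is the identity) and return {key: candidate}."""
    return {k: caesar(cipher_text, -k) for k in range(26)}


def crack(cipher_text, crib):
    """Return the key whose candidate plain text contains `crib`, a word the
    attacker assumes will appear (assumed here: 'attack'), or None."""
    for k, candidate in brute_force(cipher_text).items():
        if crib.lower() in candidate.lower():
            return k
    return None


if __name__ == "__main__":
    cipher = caesar("Attack at dawn", 2)        # -> 'Cvvcem cv fcyp'
    print(cipher)
    print(caesar(cipher, -2))                   # -> 'Attack at dawn'
    print("recovered key:", crack(cipher, "attack"))   # -> 2
```

Run it with `python caesar.py` (any file name); `crack` returns the key 2 after at most 26 attempts, which is the whole point: a key that can be found by trying every value is not a key at all.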


Encryption overview
Plain text → Encryption algorithm: Advanced Encryption Standard (AES) + Key → Cipher text

Try it yourself: http://aesencryption.net/


Modern algorithms are based on complex mathematical procedures such as those used in the
Advanced Encryption Standard (AES). Although the algorithms are complex they are public and
well documented, so the algorithm itself cannot be the secret: if it were all that protected the
data, anyone could reverse the process. The purpose of the key is to add an element known only
to the parties who are allowed to read the message. In the Caesar algorithm the key is the
number of places to move up or down the alphabet.

So if the cipher text is created using a combination of the algorithm and the key, the recipient
needs to know both to restore the plain text. Since the algorithm is public, in practice this
means the recipient needs the key, and the secrecy of the data rests entirely on the secrecy of
that key.

You can try encryption yourself at sites such as aesencryption.net. Treat such sites as a
learning tool only; never paste real keys or confidential data into a third-party web page.


Key length and complexity
• It is very important that cryptographic keys are secure enough not to
be guessed or broken
• A ‘Dictionary Attack’ tries a list of words and strings that are
commonly used in passwords in the hope of finding one that
decrypts the text
• A ‘Brute Force Attack’ tries all possible combinations of letters,
numbers and symbols until they find the one that works
• Attackers typically use both methods


It is very important that cryptographic keys are secure enough not to be guessed or broken
using ‘dictionary’ or ‘brute force’ attacks. A dictionary attack tries a list of words and strings
that are commonly used in passwords in the hope of finding one that decrypts the text; it only
works when the key was chosen by a person or derived from a password. A brute force attack tries
all possible combinations of letters, numbers and symbols until it finds the one that works. In
practice attacks are likely to use both methods: trying the dictionary first and then brute force
if this does not work.


Key length and complexity
• A key of 1 alphanumeric character
○ 26 letters + 10 numbers = 36 options
• Make the letters case sensitive
○ 52 letter options + 10 numbers = 62 options
• Add a second and third character
○ 62 x 62 options (62^2) = 3,844 options
○ 62 x 62 x 62 options (62^3) = 238,328 options


The length of the key is very important. For example, a single-character key that could contain
letters or numbers gives 36 options if case is ignored (the exact figure depends on the character
set used).

Making letters case-sensitive helps and results in 62 options.

Better still, if we add a second character we have 62 x 62 permutations, that’s 3,844, and a
third gives over two hundred thousand (238,328). Each extra character multiplies the number of
possibilities by the size of the character set.


Key length and complexity
• In practice most keys are created automatically
• Computers operate using binary numbers
○ Value can be 0 or 1
• Key length expressed as ‘bits’
○ e.g. 128, 192 or 256-bit key for AES
• A binary digit has two possible values so:
○ 40-bit key gives 2^40 options = 1,099,511,627,776
○ Each time you add an extra bit it doubles!


In practice most keys are generated automatically by software using a random number generator.
This eliminates the risk of users choosing their own keys which, like passwords, tend to be
guessable.

Computer programs operate using binary numbers. A binary digit can have a value of 0 or 1 and
is referred to as a bit.

For this reason the length of cryptographic keys is measured in bits. For example, AES can use
128, 192 or 256-bit keys.

In theory it is possible to write a program that tries every possible key to crack the cipher. In
practice, for a randomly generated key of 128 bits or more, it would take so long that the
information would no longer matter.

A 40-bit key has more than a million million (2^40) permutations and this number doubles every
time you add a bit to the key: a 41-bit key has twice as many, and a 128-bit key has 2^88 times
as many as a 40-bit key. The caveat is that this only holds when the key is random. A 256-bit
AES key derived from a weak password is only as strong as the password, which is why the
dictionary attack on the previous slide still matters.


Symmetric cryptography and key transfer
[Diagram: the sender and the receiver each hold the same secret key; while it is being sent between them the secret key is at risk!]


So, using good algorithms and a secure key, we can protect the confidentiality of messages. But
there is a problem.

The technique we have considered so far uses the same key to encrypt and decrypt. This is
known as symmetric encryption. So to send confidential financial information securely over the
Internet you also have to find a secure way to send the key to the recipient; if the key is
intercepted in transit, everything encrypted with it is exposed.

The development of asymmetric (public key) cryptography in the 1970s provided a solution for
this.


Asymmetric cryptography
• Uses two keys that are mathematically linked
○ Public key – freely available
○ Private key – must be kept secure
• Encrypt with the public key, decrypt with the private key
• Encrypt with the private key, decrypt with the public key (signing)
• Much longer key lengths, e.g. 2048 and 4096 bits
○ Much slower than symmetric cryptography as a result


Asymmetric cryptography uses two keys that are mathematically linked. These are known as
the public key, which can be freely distributed, and the private key, which must be kept secure.

When one of the keys is used to encrypt, the other key must be used to decrypt. This works for
both of the keys. The choice of key depends on the task required, as we will show in a moment.
(In real implementations ‘encrypting with the private key’ is performed as a signing operation
with its own padding, but the principle is the same.)

Asymmetric keys need to be much longer than symmetric keys, not because there are two of
them, but because an attacker does not have to try every possible key: for RSA it is enough to
factor the public modulus, which is far easier than a brute force search of the same size. The
RSA algorithm was developed by Rivest, Shamir and Adleman and is widely used for asymmetric
cryptography. For RSA a key length of 2048 bits is the minimum that should be used, giving
roughly the strength of a 112-bit symmetric key, and longer keys are available.

This also means that asymmetric algorithms are very much slower than symmetric ones, and RSA
can only encrypt a message smaller than its key, so they are not used for encryption of bulk
data such as disks, files and emails. Instead they are used to protect a symmetric key, as the
next slide shows.


Asymmetric cryptography and key transfer
[Diagram: (1) Bob generates an AES key; (2) encrypts it with Alice’s public key; (3) sends it across the Internet, where an eavesdropper sees only ‘???’; (4) Alice decrypts it with her private key; (5) both now hold the same AES key]


In this example we’ll see how the problem of key transfer is solved.

• In step 1 Bob generates a shared key for use with a symmetric algorithm such as AES.
• In step 2 that key is encrypted using the recipient’s (Alice’s) public key.
• In step 3 it is sent over the Internet to Alice; anyone intercepting it sees only the encrypted
key.
• In step 4 Alice uses her private key to decrypt it.
• By step 5 Bob and Alice have the same shared key and can now use it for symmetric
encryption.

This only works if Bob is sure that the public key he used really belongs to Alice; digital
certificates, covered later in this module, address that.


Proof of identity
[Diagram: (1) Bob encrypts the message with his private key; (2) Alice decrypts it with Bob’s public key]


In this example Bob wants to prove that he is the sender of the message.

In step 1 he uses his private key to encrypt the message; only he has access to this key.
In step 2 Alice uses his public key to decrypt the message. If this produces a meaningful
message she can be sure that it is from Bob, because only his private key could have produced it.

Note that this gives proof of origin, not confidentiality: Bob’s public key is freely available, so
anyone who intercepts the message can decrypt and read it.

In a moment we’ll look at something called a digital signature, which is widely used to prove
the authenticity of messages and software, but there’s one more technique we need to consider
first.


Hash function / thumbprint
[Slide image: the hash of a file, and the completely different hash of the same file with just an ‘!’ added]


A hash function calculates a fixed-length string from the contents of a file. The slightest
change to the file completely changes the result. In the example shown here the only change is
the addition of an exclamation mark (!) at the end. The result is also known as a thumbprint or
fingerprint and can be used to check that a file is unchanged, provided the reference value is
obtained from a source the checker trusts. A hash on its own does not prove who created the
file, because anyone can compute the hash of modified data; digital signatures, on the next slide,
add that proof of origin.

Hash functions do not use keys and only operate in a single direction. In other words, you
cannot regenerate the original data from the hash, and it should be infeasible to find two
different inputs that produce the same hash.

The strength of a hash depends on its length and on the algorithm having no known weaknesses.
For example, early versions of the Secure Hash Algorithm (SHA-1) produce 160 bits and have
known weaknesses, so SHA-1 is no longer considered secure enough; versions providing a longer
thumbprint, such as SHA-256, are preferred and may be required by some applications.
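The thumbprint comparison from the slide, as an added example (it is not part of the Sophos course material). It hashes a constructed sample ‘file’ before and after a single ‘!’ is appended, with both SHA-1 and SHA-256, counts how many bits of the digest changed, and shows the integrity check a tool performs against a reference hash. The sample bytes and the `expected_hex` reference value are assumptions made for the example.

```python
"""Added example (not from the Sophos course): fingerprinting a file with
SHA-1 and SHA-256 (slide 14) and checking it against a reference hash.
Only Python's standard library is used."""
import hashlib
import hmac


def fingerprint(data, algorithm="sha256"):
    """Hex thumbprint of `data`. The output length depends only on the
    algorithm (40 hex chars / 160 bits for SHA-1, 64 / 256 for SHA-256),
    never on the size of the input."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(hex_a, hex_b):
    """Count the bit positions in which two equal-length hex digests differ.
    For a good hash function roughly half the bits change for any change
    to the input (the 'avalanche' effect shown on the slide)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_integrity(data, expected_hex, algorithm="sha256"):
    """Recompute the thumbprint and compare it with a reference value that
    came from a trusted source (e.g. a vendor's signed release notes).
    compare_digest runs in constant time so the comparison itself leaks
    nothing about how many characters matched."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


if __name__ == "__main__":
    original = b"Attack at dawn"          # constructed sample 'file'
    modified = original + b"!"            # the single-character change on the slide
    for alg in ("sha1", "sha256"):
        a, b = fingerprint(original, alg), fingerprint(modified, alg)
        print(f"{alg}: {len(a) * 4}-bit digest")
        print("  original:", a)
        print("  modified:", b)
        print("  bits changed:", differing_bits(a, b), "of", len(a) * 4)
    reference = fingerprint(original)     # assumed to come from a trusted source
    print(verify_integrity(original, reference))   # True
    print(verify_integrity(modified, reference))   # False
```

The check only means something if `reference` arrived through a channel the attacker cannot tamper with; a hash published next to the download on the same server proves nothing if the server is the thing that was compromised.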


Digital Signatures
[Diagram: (1) the message is put through the message digest process; (2) the digest is encrypted using Bob’s private key; (3) message and signature are sent; (4) Alice puts the received message through the same message digest process; (5) she decrypts the signature using Bob’s public key. If the results match then: 1) Bob sent the message; 2) the message was not altered]

Let’s see now how a combination of hash functions and asymmetric cryptography can provide a
digital signature.

Bob wants to send a signed message that Alice can verify on receipt.

• In step 1 a hash algorithm is used to create a fixed-length representation of the message,
known as a message digest.
• In step 2 the digest is encrypted using Bob’s private key; the result is the signature.
Signing the short digest rather than the whole message keeps the slow asymmetric operation to
a minimum.
• In step 3 the original message and the signature are sent to Alice.
• In step 4 Alice uses the same hash function to create a message digest of the message she
has received.
• In step 5 she decrypts the signature sent by Bob using his public key.

If the results of step 4 and step 5 match, Alice knows the message is from Bob and has not been
changed. If they differ, either the message was altered in transit or it was not signed with Bob’s
private key; the check does not tell her which.

Digital signatures also provide an important service known as ‘non-repudiation’: because only
Bob holds his private key, he cannot later deny having signed the message. All of this rests on
Alice knowing that the public key she holds is genuinely Bob’s, which is the job of digital
certificates, covered next.


Digital Certificates


The final component we need to consider in cryptography is a digital certificate. This provides a
way of distributing public keys together with identity information about the certificate owner,
signed by an issuer so that the link between the key and the owner can be verified.

The slide shows the certificate used for the Sophos web site, with confirmation that it belongs
to www.sophos.com on the general tab.

In the details tab you can see more information about Sophos, including the company address.


Digital Certificates


A little further down on the details tab you can find the public key – your browser can use this
to set up secure communication with Sophos.


Who are certificates issued by?
• Certificate issued by GlobalSign
Extended Validation CA
(Certification Authority)
• CAs verify requestor’s identities
then issue certificates
• PCs and mobile devices have a list
of Trusted CAs
• GlobalSign is in the trusted list, so the
certificate is accepted
• An error is displayed if the CA is
not trusted


Organisations known as CAs or Certification Authorities are responsible for issuing certificates
once they have verified the identity of the person or organisation requesting them.

PCs and mobile devices hold a list of CAs that can be trusted. The list will include public CAs
who issue certificates for web and other Internet resources. It may also include CAs that belong
to the user’s organisation and can therefore be trusted. If the CA that issued the certificate is
not in this list, or the name in the certificate does not match the site, or the certificate is
outside its validity period, the browser or application will display an error. It is unwise to
continue if you see an error: the connection may still be encrypted, but you no longer know who
is on the other end.


Certificate revocation
• CAs may need to cancel or ‘revoke’
certificates
• Revoked certificates are published
in a Certificate Revocation List
(CRL)
• The location of the CRL should be
included in all certificates
• Clients check the CRL before using
a certificate


It is sometimes necessary for a CA to cancel or ‘revoke’ a certificate. A common reason for
revoking a certificate is that the private key linked to it is no longer believed to be secure.

CAs publish a Certificate Revocation List (CRL) and each certificate should provide the location
of this list.

Before using the public key in a certificate to open a secure communication channel, clients
such as browsers should check the list to ensure that the certificate has not been revoked. In
practice many clients carry on if the CRL cannot be downloaded (a ‘soft fail’), so revocation
checking is a safeguard to be aware of rather than one to rely on alone.


Cryptography in action – HTTPS
HTTP: not secure
HTTPS: secure

Many web sites use the HTTP protocol, which is adequate for public web sites that do not hold or
ask for confidential data. HTTP provides no confidentiality, no integrity protection and no
proof of who the server is, so it should be used with caution on a public network like the
Internet.

Sites that use HTTPS encrypt the communication and verify the server’s identity. So, for
example, you can be sure that the login details you type are going to the server named in your
bank’s certificate and not to someone in between.

Web servers using HTTPS require a certificate to provide:
1. A public key used to set up the encrypted session between the client and server
2. Validation of the web server’s identity

The browser checks the validity of the certificate (trusted issuer, matching name, validity
period, revocation status) before allowing the connection. If there is a problem it shows a
red-coloured error and warns the user.


Module objective review
• On completion of this module, you can now:
○ Recognize cryptographic technologies that are implemented in Sophos products
○ Describe the process of encryption and decryption using symmetric and asymmetric algorithms
○ Explain how hash functions can be used to ‘fingerprint’ data
○ Understand how digital signatures verify the sender and data integrity
○ Describe the function of digital certificates


Now you have completed this module you should have the knowledge to recognise these
cryptographic technologies when you see them used in Sophos products.


Knowledge check
Question 1 of 3:
Which type of algorithm should be used for bulk data
encryption?


To complete this module there are 3 knowledge check questions to help you remember what
you have learned.



Knowledge check
Question 1 of 3:
Which type of algorithm should be used for bulk data
encryption?

Answer:
Symmetric. Asymmetric encryption is too slow for bulk data, so it is used to protect the
symmetric key rather than the data itself.


Knowledge check
Question 2 of 3:
Which type of algorithm can identify the slightest change
to data?


Knowledge check
Question 2 of 3:
Which type of algorithm can identify the slightest change
to data?

Answer:
Hash functions generate a fixed length string that is
different if any change is made to the data.


Knowledge check
Question 3 of 3:
Which two important functions does asymmetric cryptography
support?


Knowledge check
Question 3 of 3:
Which two important functions does asymmetric cryptography
support?
Answer:
Key transfer (protecting a symmetric key in transit)
Proof of identity (digital signatures)


Want to learn more?
• CrypTool – free software to learn and practice cryptography
http://www.cryptool.org


If you would like to learn more about cryptography there is free software available from
www.cryptool.org which allows you to practice using the technologies.

The version illustrated is CrypTool 1.4.30. Using this you can:
• Encrypt and decrypt using AES and RSA
• Create public and private key pairs
• Use hash functions and digital signatures
The help provides a series of examples and tutorials which are a good way to get started.


Feedback is always welcome

Please email globaltraining@sophos.com


Feedback is always welcome; please send this to the global training team.


Next steps
• Now that you have completed this module, you should:
○ Complete Module 2 – Networking Basics


You should now continue to the next module in this fundamentals course, which is Networking
Basics.


© Sophos Ltd. All rights reserved.