
Domain 3.4: Cryptography (Symmetric, Asymmetric, Quantum)

Terminology
  Cryptography - Science
  Cryptosystem - All in one sw, hw, algo, key
  Cryptology - study
  Cryptanalysis - decrypt/break
  Kerckhoff's principle - algorithm is public, key is secret
  PAIN - privacy, authenticity, integrity, non-repudiation
  Key clustering - same plain text with different keys generate same cipher
  Key space - range of key value
  One way function - math's output value but can't get input value
  Initialization Vector (IV) - is a random bit string (a nonce) that is XORed with the message, reducing predictability and repeatability.
  Work function/work factor - measure strength of cryptography, effort to decrypt msg
  Strength factor: algorithm, secrecy of key, key length, IV, random key

Key management
  Dual control - 2 separate function/process for key recovery
  Split knowledge - 2 separate pieces of knowledge
  Key escrow - third party hold the key and release with condition

Modern crypto (at least 128 bits long)
  Rules: key length, store secure, key random, key lifetime on sensitivity of data, backup key, destroy key

Old crypto
  Transposition (scytale) - REARRANGE letters
  Substitution (Caesar) - REPLACE letter
  Vigenere - polyalphabetic substitution
  One time pad - unbreakable
  Requirement - random, pad protected, used only once, key as long as msg (vernam)
  Enigma machine/purple machine - WWII

Confusion (substitution) - relationship is complicated
Diffusion (transposition) - change in plaintext results in multiple changes through ciphertext

Block cipher - text divide into blocks and encrypt one block at a time.

Stream cipher - operate one character/bit a time
  Pros - quickly, scale, real time VoIP
  Cons: less secure (RC4), require lot randomness, processing power

Symmetric - a shared secret key
  Pros - fast
  Cons - out of band key distribution, no nonrepudiation, only confidentiality, algorithm is not scalable, key must generate often
  keys require = n(n-1) / 2
  use case: encrypt bulk data
  *AES (Rijndael) - 128B, 128/192/256 key, 10, 12, 14 rounds
  #DES - 64B, 56 key
    #ECB - block, same encrypted block
    CBC - block, IV, chain (error propagate), unencrypted text XORed
    CFB - stream, IV, chain (error propagate)
    OFB - stream, IV, NO ERROR, XOR plaintext with a seed value
    CTR - stream, IV, NO ERROR, use increment counter instead of seed
    Galois counter mode - adds authentication
  3DES - 64B, 112 (more effective security), 168 key
  IDEA - PGP, 64B, 128 key
  Blowfish - alternative to DES, IDEA but faster, variable length keys up to 448 bit
  #Skipjack/clipper - US government, escrow of keys
  #RC4,5,6 - RC4 is stream cipher 40-2048 bit, WEP, WPA, SSL (no longer secure)

Asymmetric - receiver's public key encrypt + receiver's private key decrypt
  Pros - easy key distribution, integrity, authentication, nonrepudiation
  Cons: Slow, small data
  keys require = n * 2
  use case: PKI (verify identity), encrypt keys
  *RSA (factoring of large prime number) - Use in digital signature, key distribution, encryption
  ElGamal (discrete) - free to use but double size of message, SLOWEST
  Elliptic Curve (discrete), more efficient than RSA (256 bits = 3072 bits in RSA). Use in encryption, digital signature, key exchange
  Diffie-Hellman (discrete) - key exchange, middle man attack. Use in SSL, TLS, SSH, IPSec, PKI
    not for encrypt, solves key distribution problem
  #Knapsack - obsolete

Quantum - replace binary with multidimensional quantum bits (qubits)
  security: asymmetric like RSA, DH could be broken. Stream cipher least vulnerable. Lattice offer some resistance
  Grover's algo - computer speeds up attack, halving the key length
  Shor's algo - easily break all public key algo based on factoring and discrete logarithm problem

Domain 3.5 Cryptography (HASH, HMAC, digital signature, PKI, hybrid, cryptanalytic Attack)

Hash (MD)
  Integrity only
  5 requirement: input any length --> fix length output. Easy to compute, one way, collision free
  Attack: collision (2 different doc produce same hash) --> birthday attack
  #SHA1 - 160 bit,224,256,512,384 message digest
  #MD5 - 512 block
  HAVAL - faster than MD5 with 3 rounds used
  RIPEMD, RIPEMD-128, RIPEMD-160 (remain secure)

Digital Signature (Digests)
  Integrity, authentication, non-repudiation (NO CONFIDENTIALITY)
  To sign/create - sender's private key encrypt hash
  To verify - sender's public key to decrypt signature

HMAC (MAC)
  authentication, integrity, (NO NON-REPUDIATION), shared secret key
  message + secret key --> MAC value

Digital signature standard (DSS) - DSA, RSA, ECDSA

Public Key Infrastructure (PKI)
  authentication, confidentiality, integrity, non-repudiation
  cert X.509 - version, serial number, signature algo, issuer, subject public key
  CA - issue cert, RA - verify and register
  CRL - contain list of revoke cert (serial number), OCSP - real time. certificate stapling as OCSP is burden
  cert file: DER, PFX (Binary); PEM, P7B (Text) - .der & .crt, .pem & crt, .pfx & .p12
  cert recipient verify cert using CA's public key

Hybrid (TLS)
  symmetric (encrypt msg) + asymmetric (encrypt key)
  1. client browser https://www
  2. server send its public key
  3. client browser generates a symmetric session key
  4. client use server's public key to encrypt the symmetric key and sends it to server
  5. server uses its private key to decrypt the symmetric key

Applied
  TPM - full disk encryption
  Email
    Pretty good privacy (PGP) - web of trust
    S/MIME - RSA, x509 exchange key
  Web - TLS/SSL
    key exchange - RSA, DH, ECDH
    authentication - RSA, DSA, ECDSA
    encryption - AES, 3DES
    hash - SHA
    TLS_DH_RSA_WITH_AES_256_CBC_SHA384
  Network - Circuit encryption, IPSec
    link encryption - secure tunnel btw 2 points (nodes)
    end-to-end encryption - btw client and server. Data is encrypted at origin and decrypt at destination

Cryptanalytic Attack
  brute force - try all possible key
  ciphertext only - cipher text
    most difficult attack, modern crypto guarded this attack
  known plaintext - plaintext + corresponding ciphertext
    vulnerable: linear cryptanalysis
  chosen plaintext - ciphertext-plaintext pair (cryptosystem)
  chosen ciphertext - piece of ciphertext (same cipher text msg) = get decrypted plaintext
    vulnerable: RSA
  frequency analysis (eng letter) - transportation
  side channel - monitor power, timing, radiation/emission
  implementation attack - exploit weakness in software, protocol, encryption algorithm
  fault injection - external fault like electric, temperature (physical attack)
  timing - how long cryptographic operation
  man in the middle - fools both parties into communicating with attacker instead of directly with each other
  differential cryptanalysis
  replay attack - replay a valid session
  pass the hash - windows active directory where attacker resubmit cached authentication token. Use mimikatz tool
  ransomware - encrypt victim's file and ask for payment to unlock
  Meet in the middle - 2DES, 3DES, 2 rounds of encryption
