9. Understanding Cryptography

Basics

  • Integrity
  • Confidentiality
    • Encryption Basics
      • Symmetric Encryption
        • Same key to encrypt and decrypt data
      • Asymmetric Encryption
        • Two keys, public and private, created to match.
        • Anything encrypted with the public key can only be decrypted by the private key
        • Anything encrypted with the private key can only be decrypted by the public
      • Stream Ciphers encrypt data one bit at a time.
      • Block ciphers encrypt data in blocks
      • Steganography provides a level of confidentiality by hiding data within other files
    • Authentication validates identity
    • Non-repudiation refers to the ability to ensure that a party cannot deny the integrity of their own signature
    • Digital Signature provide authentication, non-repudiation, and integrity
      • A digital signature in an email is a hash of the email encrypted with the senders private key
      • Only the sender’s public key can decrypt the hash which verifies it was sent by the sender’s private key

Hashing

  • An algorithm run on data that can be used again later to confirm that data hasn’t been changed, without having to parse the entire data
  • MD5 – Message Digest 5
    • Produces 128 bit hash in hexadecimal
    • Often used to verify files and downloads
    • Website can display the hash, and then you can test the hash after download to make sure its the same
  • SHA – Secure Hash Algorithm
    • SHA-0 unused
    • SHA-1 creates 160 bit hashes similar to MD5
    • SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512
    • SHA-3 uses a different method than SHA-2. Supports 224, 256, 384, and 512 bits as well.
    • Some HIDS and antivirus capture hashes of files when they first scan through, and then later they capture new hashes to compare. If any hashes are different, there is a possibility of malware.
  • HMACHash-based Message Authentication Code
    • Such as HMAC-MD5 and HMAC-SHA1
    • Uses a standard hash string of bits in conjunction with a secret key only known by the sender and receiver.
    • Creates the hash with the basic bits, then calculates on top of that with the secret key.
    • Not only does it protect integrity, but it also adds authenticity by ensuring that the message could only come from the verifiable sender
    • IPsec and TLS often use HMAC
  • Hashing
    • Most applications perform hashes automatically, but programs like md5sum.exe will allow you to run them manually.
    • Passwords are often stored in hashes for security reasons
    • Now if an attacker can change a message, they could also change a hash, and that’s why HMAC is more secure, because the hacker can’t properly fake that hash.
  • Other Hash Algorithms
    • RIPEMD – RACE Integrity Primitives Evaluation Message Digest
      • Creates 128, 160, 256, and 320 bit hashes.
    • LANMAN and NTLM
      • Older Microsoft hashing algorithms for passwords
      • LANMAN Lan Manager
        • Windows 95, 98, and ME
        • Can’t handle passwords longer than 14 characters
        • Easy-to-crack because of the way it fills with trailing spaces and hashes two 7 character codes
        • 7 character hashes too easy yo
      • NTLM – NT LAN Manager
        • Improved LANMAN
        • NTLMv1 uses an MD4 hash and occasionally LANMAN, so its useless
        • NTLMv2 uses an MD5 hash which is hard af to crack
          • Before Vista, many systems leave LANMAN enabled by default for backwards compatibility, which is baaaad.
        • The reason for 15 character passwords is to prevent LANMAN from being used

Encryption

  • Two main parts to encryption
    • Algorithm
      • Always the same
    • Key
      • Provides variability for encryption, goes into the algorithm
      • Either private or changed often
    • Symmetric Encryption
      • Same key to encrypt and decrypt
      • Also called Secret Key or Session Key encryption
      • AES uses 128 bit, 192, or 256 bit keys
      • Keys can be changed whenever a session is authenticated or re-authenticated
      • This is how RADIUS works
      • Block v Stream Ciphers
        • Stream are more efficient when… streaming
        • Block are more efficient when size of data is known.
        • WEPs vulnerability came from reusing keys on a stream cipher, so an attacker just had to be patient.
      • AES
        • Strong symmetric block cipher
        • National Institute of Standards and Technology (NIST) adopted AES from Rijndael encryption algorithm.
        • AES uses 128 bit, 192, or 256 bit keys
        • Fast, efficient, and strong. Best of the best.
      • DES
        • Symmetric Block Cipher used since the 70s. 64 bit blocks with a key of 56 bits, which is chump work nowadays.
      • 3DES
        • DES improvement. Encrypts in three passes.
        • Strong, but resource intensive.
        • Useful when AES isn’t supported.
      • RC4
        • Used in WEP, but not to blame for WEP’s insecurity.
        • Recommended in SSL and TLS for encrypting HTTPS
        • Speculation that NSA can crack RC4
        • AES is still better, haha.
        • Stream Cipher
      • Blowfish and Twofish
        • 64-bit blocks and keys from 32 to 448 bits.
        • Faster than AES in some situations.
          • Twofish
            • 128 bit blocks
            • 128, 192, or 256 bit keys.
            • Almost used for AES, but Rjindael beat it.
          • One-time Pad
            crypto encryption keys

            • One of the most secure algorithms, but very labor intensive.
            • Each key is on a page of a pad, and destroyed after use.
            • Tokens and fobs are like digital successors to these.
          • Asymmetric encryption
            • Private keys are never shared
            • Public keys are freely shared within a certificate
            • More resource intensive than symmetric encryption.
            • Often asymmetric encryption is only used to privately share a symmetric key
            • Certificates
              • Certificate Authorities (CA) issue and manage certificates.
              • Serial Number – unique to certificate, CA uses to validate, and if it’s revoked, a CRL – Certificate Revocation List will update that
              • Issuer
              • Validity Dates
              • Subject
              • Public Key
              • Usage
            • RSA – Rivest, Shamir, Adleman
              • Asymmetric encryption that’s widely used
              • Email often uses RSA to share a symmetric key
              • TPM and HSM both store RSA keys
              • Supports a minimum of 1,024-bit keys, and often 2048 or 4096 are recommended
            • Static v Ephemeral Keys
              • Static keys are semi permanent
              • Ephemeral keys are recreated each session
              • RSA uses static keys that are valid for the lifetime of a certificate, often a year
              • Diffie-Hellman can use either static or ephemeral keys.
              • Perfect Forward Secrecy is an important characteristic for ephemeral keys, and it’s that the public keys are random, not deterministic.
            • Elliptic Curve Cryptography
              • Often used with wireless devices because it requires less processing power to encrypt, but is still hard to crack.
              • Even the NSA endorsed ECC
            • Diffie-Hellman
              • Means for sharing symmetric keys securely
              • DHE and ECDHE both use ephemeral keys.
            • Steganography
              • Hiding data in other data.
              • Hide data by manipulating bits without affecting the final product.
              • Hide data in the white space of a file. Gifs and Jpegs save in blocks, so can be modified without changing the file size.
              • Steganalysis uses hashing to detect changes.
            • Quantum Cryptography
              • exploiting quantum mechanical properties, such as Heisenberg’s Uncertainty Principle, to perform cryptographic tasks
              • If alice and bob try to establish a key and eve tries to gain information about this, key establishment will fail.

Using Cryptographic Protocols

  • Basics
    • Email Digital Signatures
      • Sender’s private key
      • Sender’s public key
    • Email Encryption
      • The recipient’s public key
      • The recipient’s private key
    • Web Site encryption
      • The web site’s public key encrypts (symmetric)
      • The web site’s private key decrypts (symmetric)
      • The symmetric key encrypts data in the web session.
    • Often assymetric encryption is used to securely share symmetric keys.
    • Just knowing that a private key is encrypting is enough to know its being used as a digital signature.
  • Protecting Email
    • To send a digital sig on an email, you click a button which hashes the message
    • App uses her private key and encrypts the hash
    • App sends the hash and message to receiver
    • Receiver’s system uses Lisa’s public key from either the network, or an attached certificate
    • Email decrypts the hash with lisa’s public key
    • App calculates a hash on the message
    • Compares decrypted hash with calculated hash
  • Encrypting Email
    • With Only Assymetric
      • Lisa retrieves Bart’s certificate and public key
      • Lisa encrypts the email with his public key
      • Lisa sends the email
      • Bart uses his private key to decrypt
    • With Both
      • Lisa picks a symmetric key to encrypt her email, let’s say 51
      • Lisa encrypts her email with that key.
      • Lisa gets bart’s certificate to take his public key
      • Lisa uses bart’s public key to encrypt the symmetric key of 51
      • Lisa sends the encrypted email and encrypted symmetric key to bart
      • Bart decrypts the symmetric key of 51 with his private key, and then uses 51 to decrypt the email
    • S/MIME – Secure/Multipurpose Internet Mail Extension
      • Very popular email standard for signing/encryption
      • Uses RSA for asymmetric, and AES for symmetric
      • Requires PKI to distribute and manage certs
    • PGP – Pretty Good Privacy
      • OpenPGP is a PGP standard that circumvents licensing
      • GNU Privacy Guard is free and based on OpenPGP
      • PGP uses asymmetric and symmetric, and some versions follow S/MIME
    • Transport Encryption
      • SSH – for SFTP, SCP, and Telnet
      • HTTPS – uses SSL or TLS over port 443
      • IPsec
        • Can encrypt data in tunnel mode with VPNs such as L2TP/IPsec.
        • Uses Authentication Header through HMAC which not only hashes, but uses a private key encryption on top of the hash.
        • Can use Encapsulating Security Payload (ESP) to provide confidentiality with AES or 3DES. Protocol ID 50.
        • In ESP packet, there’s an additional IP header over the whole packet, which doesn’t allow attackers to see anything more than just that this is an ESP packet.
        • Mandates HMAC, AES/3DES
      • SSL
        • HTTPS and FTPS both utilize to encrypt web traffic
        • Certificate based authentication
        • Both asymmetric and symmetric keys
        • Netscape made SSLv3, but when netscape waned, nobody maintained SSL properly. TLS fills this gap.
      • TLS
        • Replaces SSL, and TLS 1.0 is actually SSL 3.1.
        • Cert based authentication
        • Asymmetric and symmetric encryption
        • EAP-TLS is the most secure version of EAP (802.1x servers that authenticate users signing into a network) because it requires certs on both host and server.
      • Cipher Suites
        • Cipher suites are how two systems know which sets of cryptographic algorithms they’re going to use together.
        • These provide Encryption, Authentication, and Integrity solutions.
        • There are over 200 named cipher suites that identify:
          • Protocol
          • Key Exchange MEthod
          • Authentication
          • Encryption
          • Integrity
        • You can enable or disable cipher suite options in a system
      • Strong Versus Weak Ciphers
        • Only use the strength you need to limit resource drain, but also don’t go too weak.
      • Encrypting HTTPS traffic with SSL or TLS
        • Client requests secure session
        • Server sends its certificate including its public key
        • The client creates a symmetric key and and encrypts it with the servers public key
        • The client sends the encrypted symmetric key to the server
        • The server decrypts the symmetric key using its private key
        • All of the session data from thereon is encrypted with the symmetric key
      • Key Stretching
        • Technique used to increase the strength of stored passwords
        • Bcrypt
          • Based on blowfish.
          • Salts passwords by adding extra bits before encrypting with blowfish
        • PBKDF2
          • WPA2 and iOS use this. Salts with at least 64 bits
        • In-band v Out-of-Band Key Exchange
          • In-band means you send keys and data in the same channel
          • Out-of-band means you share the key outside of the channel that you share data

Exploring  PKI Concepts

  • Allows two entities to communicate securely without previous contact
  • Certificate Authority
    • Issues, manages, validates, and revokes certificates.
    • Large companies like Verisign, which services Amazon, or small service.
    • CA’s must be trusted, because they make money by selling certs.
  • Certificate Trust Paths and Trust Models
    • CAs are trusted by placing their root certificate into a trusted root CA store.
    • CAs have to negotiate with web browsers to get their certificates added into that browset
    • Hierarchical Trust Model
      • Root CA issues intermediate CAs
      • Intermediate CAs issue certs to child CAs
      • Child CAs issue certs to devices or users
    • Self-Signed Certs
      • You can create your own CA and use it internally in your company, but if a third party tries to connect, their web browser will reject it
      • In order to make computers trust it, you need to copy the root certificate to each computer that will be connecting to the CA
    • Wildcard Certificates
      • Certificate good for additional level of domains such as store.google.com or docs.google.com.
    • Registration
      • Use a program like SSL to make yourself a public/private key.
      • Create a Certificate Signing Request (CSR) for the cert, including the purpose, info about the website, the public key, and yourself.
        • This may follow PKCS #10 specification for formatting
      • Send this to CA and the CA will make a cert with the public key
      • May be a Registration Authority (RA) that assists with this process
    • Revoking Certificates
      • Key compromise
      • CA compromise
      • Change of Affiliation
      • Superseded
      • Cease of Operation
      • Certificate Hold
      • CA creates CRL which tells systems to stop using certain certs.
    • Validating Certs
      • Systems check if cert is expired, check if the CA issuer is trusted, then query the CA to ensure its valid and not on a CRL.
      • OCSP – Online Certificate Status Protocol (OCSP)
        • Allows clients to query the serial number of a cert for status
        • Unknown, good, or revoked.
      • Key Escrow
        • Safe environment to hide private key
      • Recovery Agent
        • Designated person who can recover or restore keys
        • Typically security professional
        • Sometimes there’s a second private key for emergencies
Advertisements
Advertisements

I post all things that interest me. Mainly computers.

%d bloggers like this: