Comptia Security +

Date : 29 /06/ 2023

 Module 3|
Cryptography and the
Public Key
Infrastructure
Course objectives
After completing this course, students should be able to :

 Given a scenario, analyze potential indicators to determine the type of attack

 Explain the importance of security concepts in an enterprise environment
 Summarize the basics of cryptographic concepts
 Given a scenario, implement public key infrastructure
Course Outline
3.1 Introduction to Cryptography
3.2 Algorithms and Keys
3.3 Symmetric Cryptography
3.4 Symmetric Ciphers Stream and Block
3.5 Asymmetric Cryptography
3.6 Hashing Algorithms
3.7 SSL, TLS and PKI Infrastructure
3.1 Introduction to Cryptography
Definition

 Cryptography is the process of encoding information in a manner that it cannot

be decoded without the decryption key

 Cryptography consists of two main operations:

 Encryption, which transforms plain-text information into ciphertext using an encryption key

 Decryption, which transforms ciphertext back into plain text using a decryption key
Cryptography goals

 Confidentiality : used to protect sensitive information

 Integrity : used to ensure that data is not maliciously or unintentionally altered

 Authentication : used to validate the identity of individuals

 Nonrepudiation : ensures that individuals can prove to a third party that a

message came from its purported sender.
Historical Cryptography

 The are two primary types of nonmathematical cryptography

 Substitution cipher : Caesar cipher, Vigenère cipher (polyalphabetic)

 Transposition cipher
Steganography

 Steganography is the art of using cryptographic techniques to embed secret

messages within another file.

 Many free available the implementation

 E.g : OpenStego, steghide, …

3.2 Algorithms and Keys
Cryptographic Concepts

 Before a message is put into a coded form, it is known as a plain-text message

 The technic used to encrypt the plain-text message is called is called the
cryptographic algorithm

 The encrypted message is called ciphertext message

 Cryptographic Keys : All cryptographic algorithms rely on keys to maintain their

security
Cryptographic Concepts

 Ciphers are the algorithms used to perform encryption and decryption operations

 There are two major modern ciphers:

 Block ciphers : operate on “chunks,” or blocks, of a message and apply the encryption algorithm
to an entire message block at the same time
 Stream ciphers :operate on one character or bit of a message (or data stream) at a time

 There are three types of algorithms commonly used today: symmetric key
encryption algorithms, asymmetric key encryption algorithms, and hashing
algorithms
3.3 Symmetric Cryptography
Symmetric Key Algorithms

 Symmetric key algorithms rely on a “shared secret” encryption key

 This key is used by all parties to both encrypt and decrypt messages

 Key distribution is a major problem

 Symmetric key cryptography does not implement nonrepudiation

 symmetric key cryptography is very fast (compared to asymmetric encryption)

 Common symmetric cryptosystems: Data Encryption Standard (DES), Triple DES

(3DES), and the Advanced Encryption Standard (AES).
Symmetric Key Algorithms
3.4 Symmetric Ciphers Stream
and Block
Symmetric Ciphers

 There are two types of symmetric encryption algorithms: Block and Stream
algorithms.
• Examples of symmetric encryption algorithms :
• AES (Advanced Encryption Standard) : recommended by security standards : 128, 192, and 256 bits
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)
• Blowfish (Drop-in replacement for DES or IDEA)
• RC4 (Rivest Cipher 4) : 56-bit
• RC5 (Rivest Cipher 5)
• RC6 (Rivest Cipher 6)
• AES, DES, IDEA, Blowfish, RC5 and RC6 are block ciphers. RC4 is stream cipher.
3.5 Asymmetric Cryptography
Asymmetric Cryptography

 Asymmetric key algorithms is also known as public key algorithms

 In these systems, each user has two keys:

 a public key, which is shared

 and a private key, which is kept secret and known only to the owner of the keypair

 Asymmetric key encryption can provide integrity, authentication, and

nonrepudiation

 Key distribution is a simple process

Asymmetric Cryptography
Asymmetric Algorithms

 Examples of asymmetric key techniques for varied purposes include:

• DSS (Digital Signature Standard)
• Diffie–Hellman key exchange protocol
• Elliptic-curve cryptography (ECDSA, ECDH, EdDSA,…)
• RSA encryption algorithm

• Examples of protocols using asymmetric key algorithms include:

• SSH : Secure Shell Protocol (secure remote)
• PGP : Pretty Good Privacy (Email encryption and signature)
• IPsec : Internet Protocol Security (VPNs)
• TLS : Transport Layer Security
• Bitcoin
• RSA and Diffie–Hellman are the most widely used.
3.6 Hashing Algorithms
Hash Functions

 Hash functions take a potentially long message and generate a unique output
value

 The output message is referred as message digest

 Hash functions are used in modern digital signature.

 Hash Algorithms : SHA, MD5

Hash Function characteristics

 They accept an input of any length.

 They produce an output of a fixed length, regardless of the length of the input.

 The hash function is one-way (meaning that it is extremely hard to determine the
input when provided with the output).

 The hash function is collision free (meaning that it is extremely hard to find two
messages that produce the same hash value)
Secure Hash Algorithm (SHA)

 We have SHA1, SHA2, and SHA3 :

 SHA1 : produces 160-bit message digest

 SHA2 :produces 256-bit message digest.

 SHA3 : same thing as SHA2 but different algorithm

 It is important to note that SHA2 has four variants (SHA-256, SHA-224 and SHA-
384)They accept an input of any length.

 SHA1 has some weaknesses, it is recommended to use SHA2

MD5

 MD5 was released by Ron Rivest

 MD5 produces 128-bit message digest

 MD5 is subjected to collisions, so it cannot be used to ensure message integrity

Digital Signatures

 Digital signature infrastructures have two distinct goals:

 Digitally signed messages assure the recipient that the message truly came from
the claimed sender : nonrepudiation

 Digitally signed messages assure the recipient that the message was not altered
while in transit between the sender and recipient : message integrity

 Digital signature algorithms rely on a combination of public key cryptography

and hashing functions.
HMAC Algorithm

 Hashed Message Authentication Code (HMAC) algorithm implements a partial

digital signature. It only ensure message integrity and does not guarantee
nonrepudiation

 HMAC relies on a shared secret key, therefore suitable for application where
symmetric key cryptography is appropriate
Digital Signature Standard (DSS)

 There are three currently approved standard encryption algorithms:

 The Digital Signature Algorithm (DSA) as specified in FIPS 186-4

 The Rivest, Shamir, Adleman (RSA) algorithm as specified in ANSI X9.31

 The Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

Which Key Should I Use?

There are a few simple rules to help keep these concepts straight in your mind when
preparing for the exam:

 If you want to encrypt a message, use the recipient's public key.

 If you want to decrypt a message sent to you, use your private key.

 If you want to digitally sign a message you are sending to someone else, use your private
key.

 If you want to verify the signature on a message sent by someone else, use the sender's
public key
3.7 SSL, TLS and PKI
Infrastructure
Public Key Infrastructure

 Secure remote communication is facilitated by the public key Infrastructure (PKI)

 PKI is based on hierarchy of trust relationships.

 PKI combine asymmetric cryptography with symmetric cryptography along with

hashing and digital certificates, giving us hybrid cryptography
Certificates (SSL/TLS)

 Digital certificates provide communicating parties with the assurance that the people
they are communicating with truly are who they claim to be

 Digital certificates is governed by the international standard—X.509.

 Certificates are signed by Certificate authorities (CA) and contain following information
:
 Version of X.509, Serial number, Signature algorithm identifier, Issuer name

 Validity period, Subject's Common Name (CN) (certificate owner), Subject's public key

 The current version of X.509 is version 3

Certificates usage

 Certificates may be issued for a variety of purposes. These include providing

assurance for the public keys of :
 Computers/machines

 Individual users

 Email addresses

 Developers (code-signing certificates)

 The subject of a certificate may include a wildcard in the certificate name,

indicating that the certificate is good for subdomains as well. Eg : *.ipnet.tg
Certificate Authorities

 Certificate authorities (CAs) binds the public key infrastructure together.

 They offer notarization services for digital certificates.

 To obtain a digital certificate from a reputable CA, you must prove your identity to the satisfaction
of the CA.
 Major CAs who provide widely accepted digital certificates:
 Symantec, IdenTrust, Amazon Web Services, GlobalSign, Comodo, Certum, GoDaddy, DigiCert, Secom, LetsEncrypt.....

 Certificate authorities issue different types of certificates depending upon the level of identity
verification that they perform:
 Domain Validation (DV) certificates, where the CA simply verifies that the certificate subject has control of the domain name.
 Extended Validation (EV) certificates provide a higher level of assurance and the CA takes steps to verify that the certificate owner is a legitimate business
Certificate Verification and formats

 You can use three techniques to verify the authenticity of certificates and identify revoked
certificates:
 Certificate Revocation Lists (CRLs): latency issue
 Online Certificate Status Protocol (OCSP) : online and real time certificate verification
 Certificate Stapling : an extension of OCSP

 Digital certificates are stored in files, and those files come in a variety of different formats, both
binary and text-based:
 Distinguished Encoding Rules (.DER, .CRT, .CER) format in binary, where the CA simply verifies that the certificate subject has control of the domain name.
 The Privacy Enhanced Mail (PEM) certificate format in ASCII (.pem, .crt). Linux systems
 The Personal Information Exchange (PFX) format in binary (.pfx) .Windows systems
 P7B certificates in ASCII for windows systems
Certificate formats
End of Module 3
LAB 1 : Installation of Kleopatra
 Email encryption with OpenPGP
 Hash calculation using Linux and online tools
Note
PGP can be used for both email encryption and disk encryption. But SMIME can
only be used for email encryption.

39