CEHv12-20 - Cryptography

In

Cryptography basics

Cryptography involves high-level mathematics used for securing data.

  • It is essential in various security practices like TLS, SSL, SSH, and email encryption.
  • Encryption protects data in three states: in use, in transit, and at rest.

Key Concepts

  • Encryption:

    • Symmetric Encryption: Uses a single key for both encryption and decryption.
      • Strength: High.
      • Challenge: Securely sharing the key.
    • Asymmetric Encryption: Uses a pair of keys (public and private).
      • Public Key: shared openly.
      • Private Key: kept secret.
      • Usage: the other side of communication encrypts with my public key and then I decrypt with my private key.

  • Hashing: obfuscate data (like passwords) using algorithms.

    • Common algorithms: MD5, SHA-256, SHA-512.
    • Usage: hashes are one-way functions used to verify data integrity.

Ciphers

  • Key-based ciphers:
    • Private key (Symmetric): Same key for encryption and decryption.
    • Public key (Asymmetric): Pair of public and private keys.
  • Input-based ciphers:
    • Block ciphers: Encrypt data in fixed-size block (e.g. AES, Blowfish, Triple DES). Strong but slower. it uses an initialization vector and encrypts a block then it uses the encryption of that block to encrypt the next one (Block chaining).
    • Stream ciphers: Encrypt data one byte at a time (e.g. RC4). Faster but generally less secure than block ciphers.
  • Substitution vs Transposition ciphers:
    • Substitution cipher: replaces each letter with another (e.g. Caesar Ciphe)r.
    • Transposition cipher: rearranges the positions of letters (e.g. Rail Fence Cipher).

Government Access to Keys (GAK)

  • Governments may require access to encryption keys to monitor communications.
  • Keys are securely stored and can be accessed with a court order.

Tools

  • SSH Key Generation: create public and private keys using tools like ssh-keygen.
  • OpenSSL: tool for generating keys and implementing various ciphers.

Crypto algorithms and implementations

Symmetric algorithms

  • DES and Triple DES:
    • DES (Data Encryption Standard): adopted in 1977, officially retired in 2005. It’s still used in some industries, particularly the payment card industry.
    • Triple DES: an extension of DES, but with enhanced security. It’s being prohibited after 2023.
  • RC Algorithms (RC4, RC5, RC6): these are symmetric key algorithms, each iteration being more secure than the previous one. RC4 is notably used in Kerberos.
  • AES (Advanced Encryption Standard): a widely used symmetric algorithm, known for its strength and efficiency.
  • Blowfish: Utilized in secure email encryption tools, backup software, and password management systems.

Asymmetric algorithms

  • RSA (Rivest–Shamir–Adleman): uses a pair of keys (public and private). It is widely used for secure data transmission.
  • Diffie-Hellman: another key exchange algorithm that allows secure sharing of cryptographic keys.

Hashing algorithms

  • MD5: commonly used to verify data integrity. Though simple, it is still useful for non-critical applications.
  • SHA (Secure Hash Algorithms): includes SHA-1, SHA-256, and SHA-512. Higher numbers indicate more complexity and security. SHA-256 is the current standard.
  • RipeMD, HMAC: other notable hashing algorithms used in various applications for ensuring data integrity.

Digital signatures

Digital signatures use a combination of encryption and hashing. They ensure that a message:

  • Comes from a verified sender (using the sender’s private key).
  • Has not been altered (using a hashing algorithm like MD5 or SHA).

Hardware-based encryption

  • TPM (Trusted Platform Module): a hardware chip that stores cryptographic keys and enhances security for features like BitLocker.
  • USB Encryption: keys stored on a USB drive, used for secure data access.
  • HSM (Hardware Security Module): a device for managing digital keys, providing both physical and logical protection.

Advanced encryption concepts

  • Quantum encryption: leverages quantum mechanics to enhance cryptographic security.
  • Elliptic Curve Cryptography (ECC): uses advanced algebraic equations to create shorter keys, enhancing efficiency without compromising security.
  • Homomorphic Encryption: allows encrypted data to be processed without needing to decrypt it first, ensuring data remains secure even during processing.

Cryptography tools

  • PGP (Pretty Good Privacy): a standard encryption mechanism, originally open-source, now owned by Broadcom Inc.
  • GPG (GNU Privacy Guard): an open-source alternative to PGP, providing similar functionalities.

Using GPG

  • Platforms: GPG can be used on various operating systems, including Linux, Windows (through GPG4Win), and others.

  • Basic Commands:

    • Generating Keys: gpg --full-generate-key to create a new key pair.
    • Listing Keys: gpg --list-keys to display all keys.
    • Exporting Keys: gpg --armor --export <email> to export a key in ASCII format.
    • Importing Keys: gpg --import <keyfile> to import a key.
    • Encrypting Files: 
      1
      gpg --output doc.gpg --encrypt --recipient <recipient-email> doc.txt
    • Decrypting Files:
      1
      gpg --output doc2.txt --decrypt doc.gpg

  • Tools:

    • GPG for Linux: command-line based usage for key generation, key management, encryption, and decryption.
    • GPG4Win: a suite of tools for Windows, including Cleopatra for managing keys and GPGEX for encryption and decryption through the context menu.
    • BC Text Encoder: a simple tool for encoding and decoding text with a password or key, although its interface may not be very user-friendly.

Public key infrastructure

Introduction to PKI

  • Definition: public Key Infrastructure (PKI) involves generating, creating, distributing, managing, and revoking digital certificates.
  • Components: includes public keys, certificates, and the management of these elements.

PKI processes

  • Certificate Authority (CA): issues, validates, and revokes certificates.
  • Registration Authority (RA): pre-screens certificate requests and verifies requester identity before forwarding to the CA.
  • Validation Authority (VA): validates digital certificates and manages the Certification Revocation List (CRL).

Using PKI

  • Generating certificates: the process involves the subject (user or organization) applying for a certificate, RA verifying the request, CA issuing the certificate, and VA validating it.
  • Certificate services: built into Windows Server, allowing for the management of certificates, including issuing, revoking, and handling certificate requests.

Practical Examples

  • HTTPS websites: use certificates to establish secure connections.
  • VPN connections: certificates can secure VPN tunnels using IPsec.
  • User authentication: systems like Windows Server and Active Directory use certificates for user and device authentication.

Certificate Management

  • Windows server certificate cervices: provides a management console to handle all certificate-related tasks, such as issuing, revoking, and managing certificate requests.
  • Third-party CA services: organizations like VeriSign and DigiCert provide globally trusted certificates stored securely to prevent compromise.

Self-signed certificates

  • Usage: suitable for internal organization use where the entities involved trust each other.
  • Limitations: not ideal for public use as they are not recognized by external parties without explicit trust settings, potentially leading to security warnings.

Cryptanalysis

Study of cryptosystems to find exploitable weaknesses.

Methods of Cryptanalysis

  1. Linear Method (Known Plain Text Attack):
    • Requires both encrypted and plaintext data.
    • Used to reverse engineer the decryption key.
    • Guessing common words or phrases can help in finding the plaintext.
  2. Differential Method (Chosen Plain Text Attack):
    • Attacker defines the plaintext inputs and analyzes the results.
    • Aimed at discovering the encryption key by chosen inputs and outputs.
    • Similar to linear but more controlled since the plaintext is chosen.
  3. Integral Method:
    • A specific type of differential attack.
    • Works with larger inputs, often used in block ciphers.

Code Breaking Techniques

  1. Brute Force Attack: systematically tries all possible keys until the correct one is found. Extremely time-consuming.
  2. Frequency Analysis: analyzes the frequency of letters or groups of letters in the ciphertext. Used to break substitution ciphers by matching frequencies to known patterns.

Additional attack types

  1. Man-in-the-Middle Attack: the attacker intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
  2. Meet-in-the-Middle attack: Reduces the time to break ciphers using multiple keys. Involves known plaintext attacks from both sides of the encryption/decryption process.
  3. Side channel attacks: exploits physical characteristics of the cryptosystem such as power usage, electromagnetic emissions, or audio emanations to gain information about the cryptosystem.
  4. Hash collisions: occur when two different inputs produce the same hash output. Dangerous because it can allow unauthorized access if a different input produces a matching hash.
  5. Related key attacks: exploits relationships between keys to uncover the key or data. Common in older encryption methods like WEP where keys are reused.
  6. Rubber hose attack: a physical attack where secrets are extracted from a person through coercion or torture.

Tools for cryptanalysis

  • Crack Station: An online tool for cracking hashed passwords. It supports various hash types including MD5, SHA-1, and others.
  • CrypTool is a free, open-source e-learning application used in the implementation and analysis of cryptographic algorithms.

Crypto-attack Countermeasures

  • Secure key sharing:
    • Protect private information by securely sharing keys to prevent unauthorized access.
    • Avoid common pitfalls like emailing keys, which can lead to compromise if intercepted.
  • Symmetric vs. Asymmetric encryption:
    • Symmetric algorithms are stronger but require secure key sharing.
    • Asymmetric algorithms offer easier key management but may lack robust encryption.
    • Combining both types of encryption enhances security.
  • Encryption strength:
    • Use encryption schemes with higher bit lengths for better security.
    • AES 256 and RSA are recommended due to their proven track record.
  • Avoiding homegrown encryption:
    • Stick to established encryption methods like AES and RSA rather than creating custom systems.
    • Homegrown encryption lacks the vetting and community support of widely-used encryption standards.
  • Avoid hard-Coded credentials:
    • Hard-coded keys pose a significant security risk, making it easy for attackers to reverse engineer and compromise systems.
    • Encrypt keys with passwords or passphrases to add an extra layer of security.
  • Intrusion Detection Systems (IDS):
    • IDS can monitor key exchanges and detect suspicious activities like man-in-the-middle attacks.
    • Ensure IDS systems are robust and properly vetted to avoid security vulnerabilities.
  • Key stretching:
    • Increase the length of keys to enhance security, similar to using longer passwords to resist brute-force attacks.
    • Key stretching techniques like PBKDF2 and bcrypt strengthen encryption by making it more difficult to crack.