Teaching Tips

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 11 Basic Cryptography At a Glance

Instructor’s Manual Table of Contents 

Overview



Objectives



Teaching Tips



Quick Quizzes



Class Discussion Topics



Additional Projects



Additional Resources



Key Terms

11-1

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-2

Lecture Notes

Overview Cryptography is the technology that we most closely associate with the concept of confidentiality. Cryptography is the art of hiding information for the purpose of protecting that information from discovery from unauthorized users. The chapter covers various schemes and methods of encryption as well as ways of exchanging keys.

Chapter Objectives   

Define cryptography Describe hash, symmetric, and asymmetric cryptographic algorithms List the various ways in which cryptography is used

Teaching Tips Defining Cryptography 1. Mention defining cryptography involves understanding what it is and what it can do. It also involves understanding how cryptography can be used as a security tool to protect data. What Is Cryptography? 1. Define cryptography as the science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it. 2. Explain that steganography hides the existence of the data. What appears to be a harmless image can contain hidden data embedded within the image. Steganography can use image files, audio files, or even video files to contain hidden information. Use Figure 11-1 to illustrate your explanation. 3. Mention that one of the most famous ancient cryptographers was Julius Caesar. Caesar shifted each letter of his messages to his generals three places down in the alphabet. 4. Use Figure 11-2 to describe the cryptography process. Cryptography and Security 1. Explain that cryptography can provide basic security protection for information: a. Cryptography can protect the confidentiality of information. b. Cryptography can protect the integrity of the information. c. Cryptography can help ensure the availability of the data. d. Cryptography can verify the authenticity of the sender.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-3

e. Cryptography can enforce non-repudiation. 2. Use Table 11-1 to describe the information protections provided by cryptography.

Teaching Tip

It is generally recognized that cryptography is too important to allow the use of untested algorithms and that using proven technologies is important. However, this does not mean that older algorithms are necessarily more secure than newer ones. Each must be evaluated for its own strength.

Cryptographic Algorithms 1. This section describes the following three categories of cryptographic algorithms: a. Hashing algorithms b. Symmetric encryption algorithms c. Asymmetric encryption algorithms Hashing Algorithms 1. Define hashing, also called a one-way hash, as a process for creating a unique digital fingerprint for a set of data. This fingerprint, called a hash, represents the contents. 2. Explain that a hashing algorithm is considered secure if it has these characteristics: a. The ciphertext hash is a fixed size. b. Two different sets of data cannot produce the same hash, which is known as a collision. c. It should be impossible to produce a data set that has a desired or predefined hash. d. The resulting hash ciphertext cannot be reversed. 3. Mention that a hash created from a set of data cannot be reversed. 4. Explain that hashing is used for integrity to ensure that the information is in its original form and that no unauthorized person or malicious software has altered the data. Use Figure 11-4 to illustrate your explanation.

Teaching Tip

Hashing is not the same as creating a checksum. True checksums, such as a Cyclic Redundancy Check (CRC) and parity bits, are designed to catch datatransmission errors and are not deliberate attempts to tamper data.

5. Explain that hash values are often posted on Internet sites in order to verify the file integrity of files that can be downloaded. Use Figure 11-5 to illustrate your explanation. 6. Use Table 11-2 to describe the protections provided by hashing.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-4

7. Define Message Digest (MD) algorithm as one common hash algorithm. 8. Describe the following three versions of MD algorithms: a. Message Digest 2 (MD2) b. Message Digest 4 (MD2) c. Message Digest 5 (MD2) 9. Explain that Secure Hash Algorithm (SHA) is a more secure hash than MD. SHA is a family of hashes. 10. Describe the following versions of SHA: a. SHA-1 b. SHA-2 11. Define Whirlpool as a relatively recent cryptographic hash function that has received international recognition and adoption by standards organizations. It creates a hash of 512 bits.

Teaching Tip

According to its creators, Whirlpool will not be patented and can be freely used for any purpose.

12. Explain that the primary design feature of RIPEMD is two different and independent parallel chains of computation, the results of which are then combined at the end of the process. 13. Mention that another use for hashes is in storing passwords. When a password for an account is created, the password is hashed and stored. 14. Explain that the Microsoft NT family of Windows operating systems hashes passwords in two different forms: a. LM (LAN Manager) hash b. NTLM (New Technology LAN Manager) hash 15. Mention that most Linux systems use password-hashing algorithms such as MD5. Apple Mac OS X uses SHA-1 hashes.

Quick Quiz 1 1. ____ is the science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it. Answer: Cryptography 2. Whereas cryptography scrambles a message so that it cannot be viewed, ____ hides the existence of the data.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-5

Answer: steganography 3. Changing the original text to a secret message using cryptography is known as ____. Answer: encryption 4. A(n) ____ is a mathematical value entered into the algorithm to produce ciphertext, or text that is “scrambled.” Answer: key Symmetric Cryptographic Algorithms 1. Explain that symmetric cryptographic algorithms use the same single key to encrypt and decrypt a message. They are also called private key cryptography. Use Figure 11-6 to illustrate your explanation. 2. There are two types of symmetric cryptographic algorithms: stream ciphers and block ciphers. 3. Explain that a stream cipher takes one character and replaces it with one character. Use Figure 11-7 to illustrate your explanation. 4. Define a substitution cipher as the simplest type of stream cipher. It simply substitutes one letter or character for another. Use Figure 11-8 to illustrate your explanation. 5. Define a transposition cipher as a more complicated stream cipher. It rearranges letters without changing them. Use Figure 11-9 to illustrate your explanation. 6. Explain that with most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext. The process is accomplished through the exclusive OR (XOR) binary logic operation. Use Figure 11-10 to illustrate your explanation. 7. Explain that a one-time pad (OTP) cipher combines a truly random key with the plaintext.

Teaching Tip

If the pad is a random string of numbers that is kept secret and not reused then an OTP can be considered secure. OTPs are rarely used and are more theoretical than practical.

8. Explain that a block cipher manipulates an entire block of plaintext at one time. The plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is encrypted independently.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-6

9. Describe the following advantages and disadvantages of the stream cipher: a. Fast when the plaintext is short, but can consume much more processing power if the plaintext is long. b. More prone to attack because the engine that generates the stream does not vary 10. Describe the following advantages and disadvantages of the block cipher: a. It is considered more secure because the output is more random. b. Cipher is reset to its original state after each block is processed. This results in the ciphertext being more difficult to break. 11. Use Table 11-3 to show the information protections provided by symmetric cryptography. 12. Define Data Encryption Standard (DES) as one of the first widely popular symmetric cryptography algorithms. 13. Note that the U.S. government officially adopted DES as the standard for encrypting nonclassified information. 14. Explain that Triple Data Encryption Standard (3DES) was designed to replace DES. It uses three rounds of encryption instead of just one. Use Figure 11-11 to illustrate your explanation. 15. Explain that the Advanced Encryption Standard (AES) was approved by the NIST in late 2000 as a replacement for DES. 16. AES performs three steps on every block (128 bits) of plaintext. Within Step 2, multiple rounds are performed depending upon the key size. Within each round, bytes are substituted and rearranged, and then special multiplication is performed based on the new arrangement.

Teaching Tip

Vincent Rijmen, one of the co-creators of AES, is also one of the designers of Whirlpool.

Other Algorithms 1. Describe the following additional symmetric encryption algorithms: a. Rivest Cipher (RC) family from RC1 to RC6 b. International Data Encryption Algorithm (IDEA) c. Blowfish d. Twofish

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-7

Asymmetric Cryptographic Algorithms 1. Explain that asymmetric cryptographic algorithms, also known as public key cryptography, use two keys instead of one. The public key is known to everyone and can be freely distributed, while the private key is known only to the recipient of the message. Use Figure 11-12 to illustrate your explanation. 2. Mention that asymmetric cryptography can also be used to create a digital signature. A digital signature can: a. Verify the sender b. Prevent the sender from disowning the message c. Prove the integrity of the message 3. Use Figure 11-13 to describe the steps for creating a digital signature.

Teaching Tip

Using a digital signature does not encrypt the message itself. If Bob wants to ensure the privacy of the message, he must also encrypt it using Alice’s public key.

4. Use Table 11-4 to explain various asymmetric cryptography practices. 5. Use Table 11-5 to show the information protections offered by asymmetric cryptography. 6. Define RSA as the most common asymmetric cryptography algorithm. 7. Explain how RSA works. 8. Explain that elliptic curve cryptography uses elliptic curves. An elliptic curve is a function drawn on an X-Y axis as a gently curved line. By adding the values of two points on the curve, you can arrive at a third point on the curve. 9. Mention that the public aspect of an elliptic curve cryptosystem is that users share an elliptic curve and one point on the curve. 10. Discuss quantum cryptography attempts to use the unusual and unique behavior of microscopic objects to enable users to securely develop and share keys as well as to detect eavesdropping. 11. Describe NTRUEncrypt, which is a relatively new asymmetric cryptographic algorithm that uses a different foundation than prime numbers (RSA) or points on a curve(ECC).

Security+ Guide to Network Security Fundamentals, Fourth Edition

Teaching Tip

11-8

Elliptic curve cryptography has not been as fully scrutinized as other types of asymmetric algorithms because the concept is still new. The studies that have been performed so far have indicated that elliptic curve cryptography may be a promising technology.

Using Cryptography 1. Mention that cryptography should be used to secure any and all data that needs to be protected including individual files or databases that are stored on standard desktop computers, servers, removable media, or mobile devices. 2. Mention that cryptography can be applied through either software or hardware. Encryption Through Software 1. Software can be used to encrypt individual files or it can be used to encrypt the file system or the entire disk drive. 2. Define a file system as a method used by operating systems to store, retrieve, and organize files. 3. Define Pretty Good Privacy (PGP) as one of the most widely used asymmetric cryptography system for files and e-mail messages on Windows systems. GNU Privacy Guard (GPG) is a similar open-source program. 4. Mention that PGP and GPG use both asymmetric and symmetric cryptography. 5. Define Microsoft Windows Encrypting File System (EFS) as a cryptography system for Windows operating systems that use the Windows NTFS file system. 6. Explain that because EFS is tightly integrated with the file system, file encryption and decryption are transparent to the user. EFS encrypts the data as it is written to disk.

Teaching Tip

EFS files are encrypted with a single symmetric key, and then the symmetric key is encrypted twice: once with the user’s EFS public key (to allow transparent decryption), and once with the recovery agent’s key to allow data recovery.

7. Define whole disk encryption as cryptography applied to entire disks. 8. Define Windows BitLocker as a hardware-enabled data encryption feature. It can encrypt the entire Windows volume, which includes Windows system files as well as all user files.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-9

9. Explain that BitLocker encrypts the entire system volume, including the Windows Registry and any temporary files that might hold confidential information. 10. Emphasize that software encryption suffers from the same fate as any application program: it can be subject to attacks to exploit its vulnerabilities. 11. Note that hardware encryption can be applied to USB devices and standard hard drives. 12. Mention that the more sophisticated hardware encryption options include the trusted platform module and the hardware security model. 13. Emphasize that many instances of data leakage are the result of USB flash drives being lost or stolen. 14. Discuss the differences between a standard USB flash drive and encrypted hardwarebased USB devices. 15. Note that just as an encrypted hardware-based USB flash drive will automatically encrypt any data stored on it, self-encrypting hard disk drives (HDDs) can also protect all files stored on them. 16. Define Trusted Platform Module (TPM) as a chip on the motherboard of the computer that provides cryptographic services. 17. Explain that TPM includes a true random number generator. Also, TPM can measure and test key components as the computer is starting up. 18. Mention that if the computer does not support hardware-based TPM then the encryption keys for securing the data on the hard drive can be stored by BitLocker on a USB flash drive. 19. Define a Hardware Security Module (HSM) as a secure cryptographic processor. 20. Note that an HSM includes an onboard key generator and key storage facility, accelerated symmetric and asymmetric encryption, and can even back up sensitive material in encrypted form.

Quick Quiz 2 1. ____ cryptographic algorithms use the same single key to encrypt and decrypt a message. Answer: Symmetric 2. The ____ was approved by the NIST in late 2000 as a replacement for DES. Answer: Advanced Encryption Standard (AES) Advanced Encryption Standard

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-10

AES 3. Cryptography can also be applied to entire disks. This is known as ____. Answer: whole disk encryption 4. ____ is essentially a chip on the motherboard of the computer that provides cryptographic services. Answer: Trusted Platform Module (TPM) Trusted Platform Module TPM

Class Discussion Topics 1. What are the advantages of hashing passwords? 2. What are the main differences between symmetric and asymmetric cryptographic algorithms?

Additional Projects 1. Ask your students to read an article about Microsoft’s BitLocker at http://www.schneier.com/blog/archives/2006/05/bitlocker.html and write a report summarizing its most important points. 2. Ask your students to read more about the Data Encryption Standard (DES) algorithm and write a report summarizing explaining how it works. Use the following link as a starting point: http://www.itl.nist.gov/fipspubs/fip46-2.htm.

Additional Resources 1. Advanced Encryption Standard http://en.wikipedia.org/wiki/Advanced_Encryption_Standard 2. Symmetric cryptography http://www.ibm.com/developerworks/library/s-crypt02.html 3. Asymmetric cryptography http://www.digitalcomputersecurity.com/Encryption/asymmetric.html 4. PGP Corporation http://www.pgp.com/ 5. Windows Trusted Platform Module Management Step-by-step Guide http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-11

Key Terms  Advanced Encryption Standard (AES) A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES.  algorithm Procedures based on a mathematical formula; used to encrypt data.  asymmetric cryptographic algorithm Encryption that uses two mathematically related keys.  block cipher A cipher that manipulates an entire block of plaintext at one time.  Blowfish A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.  ciphertext Data that has been encrypted.  cleartext Unencrypted data.  cryptography The science of transforming information into a secure form while it is being transmitted or stored so that unauthorized persons cannot access it.  Data Encryption Standard (DES) A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.  decryption The process of changing ciphertext into plaintext.  digital signature An electronic verification of the sender.  elliptic curve cryptography (ECC) An algorithm that uses elliptic curves instead of prime numbers to compute keys.  encryption The process of changing plaintext into ciphertext.  GNU Privacy Guard (GPG) Free and open-source software that is commonly used to encrypt and decrypt e-mail messages.  Hardware Security Module (HSM) A secure cryptographic processor.  hash The unique digital fingerprint created by a hashing algorithm.  Hashed Message Authentication Code (HMAC) A variation of a hash that encrypts the hash with a shared secret key before transmitting it.  hashing The process for creating a unique digital fingerprint signature for a set of data.  key A mathematical value entered into the algorithm to produce ciphertext.  Message Digest (MD) A common hash algorithm of several different versions.  Message Digest 5 (MD5) A revision of MD4 that is designed to address its weaknesses.  nonrepudiation The process of proving that a user performed an action.  NTLM (New Technology LAN Manager) hash A password hash for Microsoft Windows systems that is no longer recommended for use.  NTLMv2 (New Technology LAN Manager Version 2) hash An updated version of NTLM that uses HMAC with MD5.  one-time pad (OTP) Using a unique truly random key to create ciphertext.  plaintext Data input into an encryption algorithm.  Pretty Good Privacy (PGP) A commercial product that is commonly used to encrypt e-mail messages.  private key An asymmetric encryption key that does have to be protected.  private key cryptography Cryptographic algorithms that use a single key to encrypt and decrypt a message.  public key An asymmetric encryption key that does not have to be protected.  public key cryptography Encryption that uses two mathematically related keys.  quantum cryptography An asymmetric cryptography that attempts to use the unusual and unique behavior of microscopic objects to enable users to securely develop and share keys.

Security+ Guide to Network Security Fundamentals, Fourth Edition

11-12

 RACE Integrity Primitives Evaluation Message Digest (RIPEMD) A hash algorithm that uses two different and independent parallel chains of computation and then combines the result at the end of the process.  RC4 An RC stream cipher that will accept keys up to 128 bits in length.  Rivest Cipher (RC) A family of cipher algorithms designed by Ron Rivest.  RSA An asymmetric algorithm published in 1977 and patented by MIT in 1983.  Secure Hash Algorithm (SHA) A secure hash algorithm that creates hash values of longer lengths than Message Digest (MD) algorithms.  steganography Hiding the existence of data within a text, audio, image, or video file.  stream cipher An algorithm that takes one character and replaces it with one character.  symmetric cryptographic algorithm Encryption that uses a single key to encrypt and decrypt a message.  Triple Data Encryption Standard (3DES) A symmetric cipher that was designed to replace DES.  Trusted Platform Module (TPM) A chip on the motherboard of the computer that provides cryptographic services.  Twofish A later derivation of the Blowfish algorithm that is considered to be strong.  whole disk encryption Cryptography that can be applied to entire disks.