Section 8 – Cryptographic Solutions

CompTIA IT Security Course

29.4.25

always remember:
Encryption strength comes from the encryption KEY and NOT the algorithm

the key is the essential piece of info that determines the output of a cipher

use larger key lengths and rotate keys frequently

the longer the key, the safer: eg a 128-bit key is good, but 256-bit is even better – its keyspace is the square of the 128-bit keyspace, not double!

changing keys regularly is a best practice

eg annual TLS key rotation for data in transit

most algorithms are open source and publicly accessible

so it is the keys that make it safe, not the algos

don't rely on obfuscation – very weak!

keep keys secret and confidential!

keys must be stored in secure hardware modules

limit key access

conduct regular key access audits

 

symmetric and asymmetric algos:

symmetric uses same key for encryption and decryption

asymmetric uses separate keys for encryption and decryption

 

Asymmetric:

Remember these three:

DH Diffie-Hellman: often used to conduct key exchanges first, and for VPN tunnel creation – but is risky – man-in-the-middle attack,
so it is important to have some authentication at the start

 

RSA – based on difficulty of factoring large prime numbers

in use widely

used for MFA a lot

ECC Elliptic Curve Cryptography

esp used for mobile devices and low power computing devices – smaller key size but very strong – very powerful but requires much less processor power than RSA

uses the algebraic structure of elliptic curves to generate keys

much more powerful than RSA

there are different types of ECC:

eg ECDH – Diffie-Hellman

or ECDHE – Diffie-Hellman Ephemeral

ECDSA is a public key encryption system

 

HASHING

one-way crypto function that takes an input and creates a unique message as its output = a “fingerprint”

always the same length regardless of input

eg:

MD5
SHA Family
RIPEMD
HMAC

 

MD5 the most widely used, creates 128 bit hash value, it can only create limited no of values = collision problem = multiple files can have same hash value = very unsafe!

so another method was created:

SHA-1, SHA-2, SHA-3

SHA-1 160 bit hash, reduces collisions

SHA-2 includes 224, 256, 384 and 512 bit sizes

SHA3 newer version between 224 and 512 but a major increase in security as it uses 120 rounds instead of 64 rounds of encrypting

RIPEMD: RACE Integrity Primitives Evaluation Message Digest

160, 256 and 320 bit versions

160 = most commonly used often called RIPEMD-160

 

HMAC Hash-based Message Authentication Code

used to check the integrity of a message and provides some level of assurance that the message is authentic

comes in variations:

paired with other algos: eg

HMAC-MD5
HMAC-SHA1
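
Added example (not part of the original course notes): why a keyed HMAC gives the authenticity assurance described above while a plain hash does not. The key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone who can change the message can recompute this."""
    return hashlib.sha256(message).hexdigest()

def make_tag(key: bytes, message: bytes, algo: str = "sha256") -> str:
    """HMAC tag: only holders of `key` can produce a valid value."""
    return hmac.new(key, message, algo).hexdigest()

def verify_tag(key: bytes, message: bytes, tag: str, algo: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message, algo), tag)

def tamper_demo() -> dict:
    """Constructed scenario: a message is altered in transit by someone without the key."""
    key = b"constructed-shared-secret"          # sample key, not a real secret
    original = b"pay 100 EUR to account 1234"   # constructed sample message
    altered = b"pay 900 EUR to account 9999"    # constructed altered message
    tag = make_tag(key, original)
    recomputed = plain_digest(altered)          # an unkeyed hash is simply recomputed
    return {
        "plain_hash_accepts_altered": plain_digest(altered) == recomputed,
        "hmac_accepts_original": verify_tag(key, original, tag),
        "hmac_accepts_altered": verify_tag(key, altered, tag),
        "hmac_accepts_wrong_key": verify_tag(b"other-key", original, tag),
    }

if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The `algo` argument selects the paired hash, so `make_tag(key, msg, "sha1")` gives the HMAC-SHA1 variation listed above.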

 

HASH ATTACKS

Pass the hash attack

and

birthday paradox

 

Pass the Hash Attack

allows attacker to authenticate to a server/service using the underlying hash of the user password instead of requiring the actual plaintext password

tools such as Mimikatz provide ability to automate harvesting hashes and hash attacks

birthday attack:

when attacker sends 2 diff messages through a hash algo which then results in the same identical hash digest ie a collision

comes from fact that random group of people can have same birthday as only 365 days in a year…

eg
group with 30 people – 2 people often have same bday

57 people = 99% chance

23 people = 50/50 chance

thus use sha256 or higher!
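
Added example (not part of the original course notes): the birthday figures above computed directly, and the same effect shown on a hash. It goes beyond the notes by truncating SHA-256 to 24 bits as a deliberately weak toy hash, so that a collision turns up after a few thousand inputs; the function names and the `msg-N` inputs are constructed.

```python
import hashlib

def birthday_probability(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share a birthday."""
    p_all_different = 1.0
    for i in range(people):
        p_all_different *= (days - i) / days
    return 1.0 - p_all_different

def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a toy hash with a small output space."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash constructed messages until two different ones share a digest.

    Returns (first_message, second_message, number_of_hashes_computed).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg
        counter += 1

def collision_work_log2(digest_bits: int) -> int:
    """Generic birthday bound: about 2**(bits/2) hashes for a 50% collision chance."""
    return digest_bits // 2

if __name__ == "__main__":
    for n in (23, 30, 57):
        print(f"{n} people: {birthday_probability(n):.1%}")
    first, second, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes: {first!r} / {second!r}")
    for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        print(f"{name}: about 2^{collision_work_log2(bits)} hashes")
```

The 24-bit toy hash has about 16.7 million possible values, yet the collision appears after only a few thousand inputs, which is why digest length matters so much.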

other attacks:

dictionary attacks: the attacker uses known words or phrases

brute force: trying every character combination

rainbow tables: precomputed tables for reversing hashes!

 

methods to protect hashes:

key stretching:

can improve a weaker key by increasing the time needed to crack it – it is put thru an algo for this, eg pgp, wifi protected access privacy

salting: adds random data or salt to a one way crypto hash

nonce: number used once = a unique random number added to a passwd authentication process

means the hash data changes each time.

limit no of failed login attempts for users.

eg 3 else locked out!
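
Added example (not part of the original course notes): salting, key stretching and the 3-attempt lockout from the list above, put together in one small password store. PBKDF2-HMAC-SHA256 is used here as the stretching algorithm and 600,000 iterations as the work factor; both are assumptions of this example, as are the `Account` class and the sample password.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor for this example; tune to your hardware
MAX_FAILURES = 3       # lockout threshold from the notes ("eg 3 else locked out")

def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical digests,
    which is what makes precomputed (rainbow) tables work."""
    return hashlib.sha256(password.encode()).hexdigest()

def stretch(password, salt, iterations=ITERATIONS):
    """Key stretching: PBKDF2 repeats the HMAC `iterations` times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class Account:
    def __init__(self, password, iterations=ITERATIONS):
        self.salt = os.urandom(16)            # salting: fresh random salt per account
        self.iterations = iterations
        self.digest = stretch(password, self.salt, iterations)
        self.failures = 0

    def login(self, attempt):
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures >= MAX_FAILURES:
            return "locked"                   # no further guesses are evaluated
        candidate = stretch(attempt, self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"

if __name__ == "__main__":
    alice, bob = Account("Summer2025!"), Account("Summer2025!")  # constructed password
    print("unsalted digests equal:", unsalted_hash("Summer2025!") == unsalted_hash("Summer2025!"))
    print("salted digests equal:  ", alice.digest == bob.digest)
    print([alice.login(p) for p in ("guess1", "guess2", "guess3", "Summer2025!")])
```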

 

PKI or Public Key Infrastructure

refers to a whole system of hw, sw, policies, procedures, people, based on asymmetric encryption

includes SSL/TLS https tunnels

 

important distinction!

PKI creates the asymmetrical public/private key pairs

Public Key Cryptography by contrast just refers to one small part of PKI architecture – ie the encryption/decryption process

CAs – also part of PKI

a trusted third party is required for the keys – this is done with a CA or Certificate Authority which issues digital certificates and assures trust between all the different CAs around the world

Key Escrow – another part of PKI

a location where keys are stored at a secure 3rd party location “an escrow” – this ensures the keys are safely backed up.

prime concern however is security with an escrow… so it has to be extremely secure.

Digital Certificate – digitally signed

= an electronic document that binds a public key with a user ID, or a device ID – can also be for a server

many diff types:

Wildcard

Single-sided

Dual-sided

self signed

third party

 

As well as the PKI concepts:

root of trust

certificate authority

Registration authority

certificate signing request or CSR

certificate Revocation List

Online Certificate Status Protocol

OCSP Stapling

Public Key Pinning

Key Escrow Agents

Key Recovery Agents

 

wildcard certificates:

allow all subdomains to use one same certificate = less overhead and cheaper

disadvantage: revoking – it will affect all subdomains

SAN Subject Alternative Name in a certif – specifies which different domains and IP addresses will be supported by the certif,
but if they are subdomains then you can just use a wildcard certif

single sided certif:

only reqs server to be validated, not the user

dual-sided:

both user and server must be validated: is safer but requires more processor power on server

self signed certif:

signed by same entity for whom it is valid = less trust since no external verification of id of the entity using a self signed certif.
it causes an "unsafe" message for the user

third party certif:

issued by a trusted certif auth, CA – embedded in browsers usually,
esp used for browser traffic for public facing apps and websites

concept of root of trust:

refers to the chain of trust, like an extended family tree

the root of trust is usually a trusted established third party CA such as amazon or verisign

you have to purchase these certificates from the CA

but first you have to request id info from a Registration Authority, these verify the ID of the applicant

 

CSR

The CSR or Certificate Signing Request is a block of encoded text that contains info about the entity requesting the certif.

org name

domain name

location

country

 

the private key for the request remains with the organization processing the CSR

it does not go out to the applicant

 

Certif Revocation List CRL

serves as online list of digital certifs that the CA has already revoked

 

OCSP

Online Certificate Status Protocol

allows to determine revocation status of a certif using its serial number

 

OCSP Stapling. An alternative to simple OCSP – allows holder to check the status of the certif at intervals automatically

 

Public Key Pinning

allows https website to resist impersonation attacks from users who are trying to present fraudulent certifs

 

Key Escrow Agents

hold a secure copy of a user's private key

but you must make sure the escrow is secure

recommended to have at least 2 people present when withdrawing a key from the escrow

 

Key Recovery Agent – s/w which allows for restoration of lost/corrupted keys

 

Blockchain

public ledger used for cryptocurrencies but also other purposes

maintaining secure and anonymous peer to peer decentralised hashed ledger entries

can also be used for smart contracts, the terms of agreement are written into the code and autoexecute without intermediaries

assures cannot be altered, is trustworthy and tamper proof

IBM is focused on using blockchain tech in commercial envs by promoting permissioned blockchains

for biz transactions

offers:

traceability, accountability, security, trustworthiness, transparency

not yet widely used though

 

 

Encryption Tools – these are all hardware based systems:

TPM

HSM

Key Management Systems

Secure Enclave

 

TPM: Trusted Platform Module

= a dedicated microcontroller which secures h/w using integrated cryptographic keys

offer security for hardware

bitlocker is an example of TPM

 

HSM Hardware Security Module

physical device that safeguards digital keys

esp used for highly sensitive data

 

KMS Key Management System

integrated approach for managing keys over their lifecycle for devices and apps

 

Secure Enclave

is a co-processor integrated into the main processor of a device which deals solely with data protection

eg like fingerprint or facial id recog, etc, by keeping this data separate from main processor, the data in the secure enclave still remains secure even if the main part of the device is hacked

 

Quantum Computing

Qubits.. or qbits… changes everything… current cryptography will be easy to crack, so will need to use post quantum cryptographic algorithms
