Summarizing Basic Cryptographic Concepts

# Compare and Contrast Cryptographic Ciphers [[Principles of Security]] ## Cryptographic Concepts - Encryption and Decryption - encoding and decoding - **Plain Text** -> unencoded message - **Ciphertext** -> coded message - Cipher is the means of change or algorithm - Cryptanalysis is the art of cracking these systems - Allice and bomb and( observe Mallory lurking) - hashing algorithms -> one way function, cant go backwards - NOT encryption, just conceals - Encryption Ciphers - **Symmetric (same key encrypts and decrypt)** - fast, good with bulk, uses pre-shared secret key - CONS: Key management / Key distribution - Kind of like a wireless access point shared WIFI password - **Asymmetric (2 keys generated, Public key & Private Key)** - If you encrypt with 1 key, only the other key can decrypt - Key management is much easier - CONS: Slow, not too good with large amounts of data ## Hashing Algorithms - Fixed length hash from variable strong with cryptographic properties - One-way (plain text cannot be recovered from the hash) - Anti-collision (no 2 plaintexts are likely to produce the same checksum) - Used for password storage and checksums (integrity) - Secure hash algorithm (SHA) - Message Digest Algorithm (MD5) ![[Pasted image 20230628094453.png]] ## Symmetric Encryption - Same secret key is used for encryption and decryption - Fast - suitable for bulk encryption of large amounts of data - Problem storing and distributing key securely - Confidentiality only - sender and recipient know the same key ## Stream and Block Cipher - Stream ciphers - encrypt and decrypt each bit/byte at a time - must be used with an initialization vector (IV) - Block ciphers - Treat data as equal size blocks, using padding if necessary - Advanced encryption standard (AES/AES256) - Key length - Range of key values is the keyspace - Longer key bit length means a larger keyspace - Strength of key of any given length varies between ciphers ## Asymmetric Encryption - Public/private key pair - If the public key encrypts, only the private key can decrypt - If the private key encrypts, only the public key can decrypt - so typically you only want to encrypt with the PUBLIC key - private key cannot be derived from the public key - private key must be kept secure - anyone can have the public key - Message size is limited to key size so not suitable for large amounts of data - used for small amounts of authentication data ![[Pasted image 20230628095046.png]] ## Public Key Cryptography Algorithms - RSA algorithm (Rivest, Shamir, Adleman) - basis of many public key cryptography schemes - Trapdoor function - Easy to calculate with the public key, but difficult to reverse without the private key - Elliptic curve cryptography (ECC) - Concerns about RSA being vulnerable to cryptanalysis - Another type of trapdoor function - Can use smaller keys to obtain the same security # Summarize Cryptographic Modes of Operation ## Digital Signatures - Encrypting with the private key provides a signature - Using public key cryptography with hashing - Digital signatures provide integrity, authentication, non-repudiation - RSA-based digital signatures - Digital Signature Algorithm (DSA) with ECC cipher ## Digital Envelopes and Key Exchange - Symmetric and Asymmetric is combined - method below, will get Bob a copy of the symmetric key hence they can send stuff back and forth securely ![[Pasted image 20230628100606.png]] ## Digital Certificates - wrapper for a public key to associate it with a digital identity - Identity assertion is validated by a Certificate authority (CA) by signing the certificate - Both parties must trust the CA - Referred to as public key infrastructure (PKI) ## Perfect Forward Secrecy - RSA key exchange decrypts the session key using the server private key - way to mitigate if the private key of a server is compromised - If the key is compromised, previously captured transmissions could be deciphered - PFS mitigates the issue - Uses Diffie-Hellman Key agreement protocols - Allows 2 parties to derive the same secret value that an eavesdropped cannot guess ![[Pasted image 20230628104831.png]] ## Cipher Suites and Modes of Operation - Cipher Suite - **Signature algorithm** - proves messages were created by the server (authentication and integrity) - **Key exchange/agreement algorithm** - allows client and server to agree session keys - **Bulk encryption cipher** - uses the session key to keep the data confidential - Modes of operation - Use symmetric block cipher with arbitrary length network data - Cipher Block Chaining (CBC) - Combines blocks and an initialization vector (IV) using XOR operation - Data must be a multiple of block size so requires padding for last block - Counter mode - Generates keystream with IV and counter - Does not require block padding ![[Pasted image 20230628105147.png]] # Summarize Cryptographic Use Cases and Weaknesses ## Cryptograph for Authentication and Non-Repudiation - Cryptographic primitives versus cryptographic systems - Encrypted via your private key means you are the one that signed it. As that is your key and yours alone - Authentication and access control - Assuming the private key is secure, an encrypted token could only have been created by the key holder - Non-repudiation - Sender cannot deny (repudiate) the message as only she/he could have created it ## Cryptography Supporting Confidentiality - Hybrid encryption - Public key cryptography is only efficient with small amounts of data - Symmetric encryption makes key distribution difficult - Symmetric key is used for bulk encryption and protected by public key crypto - File Encryption - Private key encrypts the symmetric key - use of the key is locked to a user account credential - Transport encryption - Session key exchange/agreement - SSH, HTTPS ## Cryptography Supporting Integrity and Resiliency - Integrity - using hash functions and message authentication codes to validate messages - Resiliency - using crypto to ensure authentication and integrity of control messages - Obfuscation - Make something hard to understand - Encryption can perform this function, but it is very hard to secure an embedded key - White box cryptography ![[Pasted image 20230628105645.png]] ![[Pasted image 20230628105659.png]] ![[Pasted image 20230628105707.png]] ## Man-in-the-Middle and Downgrade attacks - MitM / on path attack - Interferes with the public key presented client - Downgrade attack - forces server into using weak protocol versions and ciphers ## Key Stretching and Salting - User generated data is low entropy - Key stretching - Use additional rounds to strengthen keys - makes attack do more work so slows down brute force - Salting - add a random value to each password when hashing it for storage - Prevents use of pre-computed hash tables (rainbow tables) ## Collisions and Birthday Attack - exploit collisions to forge a signature - Math of birthday paradox shows that this might be easier then expected - Chosen prefix collision attacks ![[Pasted image 20230628105956.png]] # Summarize Other Cryptographic Technologies ## Quantum - Quantum computing - Quantim bits (qbits), super positions, entanglement and collapse - quantum computers can keep track of a lot of state data at the same time - nothing really supports this yet. - Communications - Tamper-evident key distribution ## Homomorphic Encryption - Supports data analytics functions while preserving confidentiality and privacy - analyze data sets without decrypting it ![[Pasted image 20230629073026.png]] ![[Pasted image 20230629073035.png]] ## Blockchain - expanding list of transactional records (blocks) - each block is linked by hashing - Public ledger - Ledge of transactions performed on a digital asset - Peer-to-peer so transactions are public - Transaction cannot be deleted or reversed - Widely used for cryptocurrencies\ - Potential uses for financial transactions, online voting systems, identity management systems, notarization, data storage, etc ![[Pasted image 20230629073341.png]] ## Steganography - Concealing messages within a covertext - Often uses file data that can be manipulated without introducing obvious artifacts - Image - Audio - Video - Covert channels