CompTIA CASP+ CAS-004 – Chapter 03 – Implementing Advanced Authentication and Cryptographic Techniques Part 4
- Symmetric Algorithms
So let’s go back and talk about some of these symmetric algorithms. Now, this can be a little bit mind-boggling when you start trying to remember all of this, but you do need to be at least somewhat familiar with these algorithms and some of their characteristics. This is going to be just a studying point, really. First, the Digital Encryption Standard, DES, and its counterpart, Triple DES. DES uses a 64-bit key. Eight bits are used for parity, so the actual key length is 56 bits, and DES is a much older standard. It’s been mostly replaced by Triple DES and AES, which we’ll talk about a little bit later.
There are a couple of different variants. DES-X, which used multiple 64-bit keys. Double DES, which doubled the size to a 112-bit key length. But Triple DES was quickly released, and it increases security by using three 56-bit keys. All right. It is very resistant to attack, but it’s up to three times slower than DES. So it really was just a temporary replacement. The actual replacement was the Advanced Encryption Standard, AES. This is considered a standard.
The algorithm that’s used in it is the Rijndael algorithm. So the terms AES and Rijndael are often used interchangeably. The block sizes used in that algorithm are 128, 192, and 256 bits. The next one is the International Data Encryption Algorithm, or IDEA. This is a block cipher that uses 64-bit blocks. Each block is divided into smaller 16-bit blocks, and it uses a 128-bit key. It’s much faster and harder to break than DES, but it’s not really widely used, in large part because of how it was patented and the different licensing fees that have to be paid to the Swiss company that owns it.
Okay. IDEA is used in PGP, though. Skipjack is another block cipher symmetric algorithm. This was developed by the NSA and uses an 80-bit key to encrypt 64-bit blocks. The details of that actual algorithm are classified. Blowfish is a block cipher that uses 64-bit blocks with anywhere from 32- to 448-bit encryption keys. It’s not patented. It was initially developed to replace DES and is still in use in some places. Twofish is a version of Blowfish that uses 128-bit blocks instead of 64, along with 128-, 192-, and 256-bit keys. And like Blowfish, it’s also not patented.
You have RC4, RC5, RC6. These were all developed by Ron Rivest. Technically, there are six of them. RC1 was never published. RC2 was 64-bit. RC3 was broken before it was released. So RC4 is one of the most popular stream ciphers that was out there. It was used, or is used, I should say, in SSL and WEP, Wired Equivalent Privacy. It uses a variable key size of 40 to 2048 bits and up to 256 rounds of transformation. RC5 has a key size of up to 2048 bits as well. RC6 is a block cipher based on RC5, and it was originally developed as an AES solution, but it lost the contest to the Rijndael algorithm.
So that’s not really used very often. CAST was invented by and named for Carlisle Adams and Stafford Tavares. There are two versions, CAST-128 and CAST-256. So, as I said, there are tables you can find out there in the study guides and things to just kind of get some of the characteristics of these algorithms and know where they’re used. Your most commonly used algorithms, though, are going to be Triple DES and the Advanced Encryption Standard.
- Asymmetric Algorithms
There are a number of asymmetric algorithms as well. Probably one of the more common ones would be Diffie-Hellman. Diffie-Hellman is responsible for the key agreement process, which is the one that we’re kind of familiar with. So let’s say user A and user B need to communicate over an encrypted channel and they decide to use the Diffie-Hellman algorithm. User A generates a private key and a public key, and user B generates a private key and a public key, or potentially they already had one. They share their public keys with one another, and then an application on user A’s computer takes user A’s private key and the public key from user B and applies the Diffie-Hellman algorithm.
And then the reverse happens on the other system. So in this case, the same shared value is created. This session key is a symmetric key that is used on each system, but the asymmetric key algorithm is used to protect it. And we find this kind of thing in SSL being used all the time. RSA was for a long time the most popular asymmetric algorithm. It was invented by Ron Rivest, Adi Shamir and Leonard Adleman. There are many books about Diffie-Hellman and RSA out there that are very interesting about their stories. RSA provides key exchange as well as encryption and digital signatures. It uses 1024- to 4096-bit keys with one round of transformations. It is used as a key exchange protocol to encrypt DES or AES symmetric keys for secure distribution. ElGamal is an asymmetric key algorithm that’s based on the Diffie-Hellman algorithm, and so it functions in many ways the same.
It is the slowest algorithm, and so because of that we really need a key size of less than 1024 bits. ECC is elliptic curve cryptography, which is used for secure key distribution, encryption and digital signatures. The size of the elliptic curve helps to define the difficulty of the problem. Knapsack is a series of asymmetric algorithms that provide encryption and digital signatures. It’s a family that’s really no longer used, though; it had a number of security issues.
And then zero-knowledge proof is a technique used to ensure that only the minimum needed information is disclosed. We’re not going to give you all the details. An example of that would be when one user encrypts data with his private key and the receiver decrypts the original message with the originator’s public key. The originator hasn’t actually given his private key to the receiver, but the originator is proving that he has his private key simply because the receiver can actually read the message.
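The Diffie-Hellman exchange between user A and user B described earlier in this section, as an added example that is not part of the original course material. The group parameters `P` and `G`, the function names and the sample message are assumptions chosen for illustration; the 127-bit prime is a toy size, far below what a real deployment would use.

```python
import hashlib
import hmac
import secrets

# Toy group for readability (assumption, not from the page): P is the
# Mersenne prime 2**127 - 1. Real deployments use 2048-bit+ groups or curves.
P = 2**127 - 1
G = 3


def generate_keypair():
    """Return (private, public) with public = G**private mod P."""
    private = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return private, pow(G, private, P)


def derive_session_key(own_private, peer_public):
    """Combine our private key with the peer's public key, then hash the
    shared value into a 256-bit symmetric session key."""
    if not 1 < peer_public < P - 1:
        # Values 0, 1 and P-1 would force a predictable shared value.
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag(session_key, message):
    """Authenticate a message with the symmetric session key (HMAC-SHA256)."""
    return hmac.new(session_key, message, hashlib.sha256).digest()


def run_exchange():
    """Simulate user A and user B; only the public values cross the wire."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    key_a = derive_session_key(a_priv, b_pub)   # computed on A's machine
    key_b = derive_session_key(b_priv, a_pub)   # computed on B's machine
    message = b"constructed sample message"
    mac = tag(key_a, message)                   # A sends message + mac
    verified = hmac.compare_digest(mac, tag(key_b, message))  # B checks it
    return key_a == key_b, verified


if __name__ == "__main__":
    print(run_exchange())
```

Neither private key leaves its machine, yet both sides end up with the same session key, which is then used as an ordinary symmetric key.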
- Encryption Methods
Let’s talk about different methods of encryption. So we’ve talked about the algorithms that are sort of behind the scenes. What are we actually using this for? Well, disk-level encryption is used to encrypt an entire disk volume or an entire disk. And it may use the same key for the disk or possibly a different key for each partition or volume. It can also be using Trusted Platform Module, or TPM, chips. These are chips that are located on the motherboard of a system and provide password protection along with digital rights management and full disk encryption.
So essentially the TPM is protecting the key that is used to encrypt and decrypt the computer’s hard disk. It also provides the ability to authenticate the startup process. So programs like Microsoft’s BitLocker utilize TPM and require TPM by default. This is a very effective measure to mitigate the theft of sensitive data on laptops or other mobile devices. Then you have block-level encryption, which can be used as a synonym for disk-level encryption, but it can also mean encryption that’s acting as a virtual partition. And so it can be used when discussing different types of algorithms.
A block cipher encrypts blocks of data at a time, in contrast to a stream cipher, which is one bit at a time. File-level encryption is just what it sounds like. The encryption and decryption happen on each file. Each file owner has a key. So, for instance, the Encrypting File System that’s been built into NTFS and Windows is file-level encryption.
Record level encryption would be at the record level, obviously, as the name implies. So in this case, choices can be made about which records to encrypt. And that has a very positive effect on both performance and security. It allows for a great deal of granularity and can be used in databases. Port level encryption is encrypting network data on particular ports to prevent eavesdropping with packet sniffers. Or it can occur at the network layer of a selected protocol.
But what happens is the network data is only encrypted when it’s in transit, and it’s only encrypted on particular ports. And so IPsec would potentially be using that if it was targeting specific types of traffic. Steganography is another encryption method, where a message is hidden inside another object. Typically, this is a picture or document. In the use of steganography, it’s pretty crucial that only those who are expecting the message know that the message actually exists.
So it’s using a concealment cipher. That’s at least one method. Another method is digital watermarking. So there’s a logo or a trademark embedded in documents and pictures, and it deters people from using the materials in an unauthorized manner. Steganography’s most common technique is to alter the least significant bit for each pixel in the picture. And so in this case, the pixels are changed in a very small way and the human eye is unable to detect that.
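The least-significant-bit technique mentioned above, as an added example that is not part of the original course material. The 16x16 grayscale cover image, the 2-byte length header and all function names are assumptions made for the illustration.

```python
# Constructed 16x16 grayscale "image": one intensity value (0-255) per pixel.
COVER = [(i * 7) % 256 for i in range(256)]


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """List of bits (length a multiple of 8) -> bytes."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(pixels, message):
    """Hide a 2-byte length header plus the message in the pixels' LSBs."""
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it
    return stego


def extract(pixels):
    """Recover the message by reading the LSBs back in the same order."""
    lsbs = [p & 1 for p in pixels]
    length = int.from_bytes(from_bits(lsbs[:16]), "big")
    end = 16 + 8 * length
    if end > len(lsbs):
        raise ValueError("length header exceeds image capacity")
    return from_bits(lsbs[16:end])


def max_pixel_change(original, modified):
    """Largest per-pixel intensity difference introduced by embedding."""
    return max(abs(a - b) for a, b in zip(original, modified))


def changed_pixels(original, modified):
    """Number of pixels that differ from a known-clean copy of the image."""
    return sum(1 for a, b in zip(original, modified) if a != b)


if __name__ == "__main__":
    stego = embed(COVER, b"meet at noon")
    print(extract(stego), max_pixel_change(COVER, stego), changed_pixels(COVER, stego))
```

No pixel moves by more than one intensity level, which is why the change is invisible to the eye, while a comparison against a known-clean copy of the image shows the altered pixels immediately.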
- Topic C: Cryptographic Implementations
So now that we know about the various techniques used in cryptography, in this topic we’re going to be looking at implementations. Enterprises are going to employ cryptography in a lot of different ways, depending on the needs of the organization.
But we need to be familiar with all of these: crypto modules, crypto processors, CSPs, DRM, watermarking, et cetera. And so that’s what we’re going to be looking at in this topic.
- Crypto Options
We’ll start with a crypto module. Crypto module is just a term used to describe the hardware, software, and possibly the firmware that’s used to implement cryptographic logic or processes. There are a number of different standards bodies that have assessed and rated these modules. Among them is NIST, as well as the Federal Information Processing Standard, or FIPS, and we’ve heard of both of those before. FIPS defines different security levels that a module can receive.
It says a number of things about, you know, essentially crypto modules, security levels one and two, security levels three and four, and that determines their capabilities. Crypto processors are processors dedicated to performing encryption. They typically have multiple physical measures that help to prevent tampering. And there are a number of implementations of this. One example is a processor that resides on a smart card, so that processor inputs program instructions in an encrypted form and then decrypts the instructions into plain instructions, but all of that is executed within the same chip. Another example would be a TPM. So we mentioned the Trusted Platform Module on an endpoint device that’s storing encryption keys. They’re specific to that host system, and they’re specific for hardware authentication. Then you have the cryptographic service provider, or CSP.
This is a software library that implements the Microsoft CryptoAPI. In Windows, CSPs are technically independent modules that can be used by different applications for cryptographic services. They’re implemented as a type of DLL. They have specific restrictions on loading and use. All CSPs have to be digitally signed by Microsoft, and then the signature is verified when Windows loads the CSP. After it loads, Windows will periodically rescan it to try to detect tampering, whether it’s by malware, viruses, or the user actually trying to circumvent restrictions that might be built into the code.
- Additional Crypto Options
Some additional options: one is Digital Rights Management, DRM, which is used by hardware manufacturers, software publishers, and copyright holders to control the use of digital content. It often involves device controls. First-generation DRM would control copying. Second-generation DRM controls executing code, viewing, copying and printing.
So often when we think of digital rights management, we’re thinking of the copyright on a DVD that prevents me from copying it. Right? That’s first generation DRM. But DRM can also be implemented on, say, Word documents or PDFs, where we can restrict who can read it, who can copy it, who can forward it, or print.
That can be implemented through programs in Windows like Rights Management Services, or Azure Rights Management Services in the cloud. Watermarking is a digital method used in steganography, as we’d mentioned, that involves embedding a logo or trademark in documents or other objects, and it just deters people from trying to utilize that material in an unauthorized way. The GNU Privacy Guard, GPG, is closely related to Pretty Good Privacy.
Both programs were developed to protect electronic communications. SSL/TLS is one that we’ve talked about in detail. We discussed the SSL portal VPN and the SSL tunnel VPN. SSL is very similar to TLS, but not the same. TLS 1.0 is based on the SSL 3.0 specification, but they are actually not compatible with one another. They’re used for different purposes.
Secure Shell SSH is an application and protocol that’s used to remotely log into another computer using a secure tunnel. It generates a session key and exchanges it, and then the secure channel is established. So everything between the client and server is then going to be encrypted.
And then S/MIME is Secure/Multipurpose Internet Mail Extensions. This is actually an Internet standard that allows email to include non-text attachments. SMTP in MIME format transmits a majority of email today. So MIME is just the type of data. S/MIME allows me to encrypt and digitally sign email messages, I should say, and encrypt attachments. It adheres to the Public Key Cryptography Standards. It’s a client-level encryption method.
- Cryptographic Applications
Cryptographic applications are going to provide a number of different functions. For an enterprise, it’s usually best to implement cryptography that’s implemented within an operating system or within an application because it allows it to be implemented pretty much seamlessly. We don’t have a whole lot of user interaction, but we always want to make sure that we’ve fully read up on this and understand any of the features of any OS or any application. And we also want to keep things up to date.
So those are some of the key concerns. You want to test the application in the enterprise as well. Just make sure you understand completely how it works, because improperly implementing these types of applications can result in significant security issues for the organization. This is especially true in financial ecommerce applications. You really want to avoid designing your own cryptographic algorithms. You also want to avoid using older ones or partially implemented standards. So that’s kind of what we stick with to make sure that we are secure.
- Crypto Considerations
Now, when you’re implementing cryptographic algorithms, we know that we’re doing so to increase the security of the enterprise. But it’s not the solution to every problem that you encounter, right? So you really need to understand the confidentiality and integrity issues of the particular data that we’re trying to protect, because any algorithm that’s deployed in an enterprise needs to be properly carried out, from the key exchange and implementation to retirement. So you need to consider four aspects for any algorithm that you want to implement. The first is strength. The strength is usually determined by the size of the key that’s used. The longer the key, the stronger the encryption, right?
But using longer keys, even though it increases the strength, often results in slower performance. So we have to find a balance. Performance is the next aspect. The performance also depends on the key length. It’s also based on the algorithm that’s used. So we know the longer the key, the lower the performance, but symmetric key algorithms are faster than asymmetric algorithms. Then you have the feasibility to implement. We really want to have proper planning and design of these algorithms, and they need to be standardized for us to use. We also need to think about interoperability, the algorithm’s ability to operate within the enterprise across different platforms. So all of those are very important.
- Stream vs. Block Ciphers
Another consideration is stream versus block ciphers. And I believe we’ve said the words so far, but we haven’t really dug into it. Stream ciphers perform encryption on a bit-by-bit basis, and they use keystream generators. So the keystream generator creates a bit stream that is XORed with the plaintext bits, and the result of that operation is then ciphertext.
Stream ciphers are used to secure streaming video and audio. They have a much lower error propagation because the encryption occurs on each individual bit. They’re also generally used more in hardware implementations. They always use a single key for encryption and decryption, so they are symmetric. They are generally cheaper to implement than block ciphers. And they employ only confusion, not diffusion. Block ciphers, on the other hand, break a message into fixed-length units. These are referred to as blocks. So it might be 16 blocks of 64 bits each, for instance.
Each of the 16 blocks is then processed by the algorithm formulas, and so it results in a single block of ciphertext. Now, if the data is less than a complete block, it’ll just be padded. So IDEA, Blowfish, RC5, RC6: these are block ciphers, and the advantage is they’re easier to implement than stream-based ciphers. They are generally less susceptible to security issues, so we see them used more in software implementations. They also employ both confusion and diffusion. So there are different modes for block ciphers. But a lot of what we’ve talked about thus far is going to be block ciphers.
- Block Cipher Modes
Here are those modes that we want to be familiar with: Electronic Code Book, Cipher Block Chaining, Cipher Feedback, Output Feedback and Counter mode. And as you might imagine, the difference between these gets really technical and is kind of beyond the scope. So we just kind of want to understand that there are different modes that they are operating in.
- Public Key Infrastructure
The public key infrastructure, PKI, is really the primary implementation of cryptography at the enterprise level. And we’ve discussed some of the basics of the PKI: certificate authorities, digital certificates, et cetera. But we want to talk about some advanced PKI concepts. Now, standard CAs are going to provide certificates to users and computers. This is a certificate authority. And a certificate authority can be set up in one of three different roles. Typically in an enterprise, they’re set up in a hierarchy: root, subordinate and issuing. The root CA is the original certificate authority. It is not validated by any other entity. So a root CA internally attests its own identity. So basically it’s saying I am who I say I am because I said I was. We don’t accept that from other people.
You don’t accept my ID card that was created in Word, but we will accept that from a root CA. It’s the highest level of authority in the public key infrastructure. There just simply isn’t anybody else to attest to the identity of this entity. The root CA then would issue certificates to subordinate CAs. And in many cases those are the only two levels that you have, and the subordinate is the issuing CA. In other cases, you might have a three-tiered approach. The issuing CAs then would just simply be the classification of the CA that’s actually issuing digital certificates to clients.
Okay, so technically in Microsoft, when you set up a PKI and you are actually creating a certificate authority, it’s either a root CA or a subordinate. There isn’t any such thing as an issuing CA. So issuing is really more of the functionality that is being provided. There are some additional options that we should know about. First, wildcard certificates. This is a public key certificate that can be used with multiple domains. Your typical certificates issued to computers are going to have a particular name in them, and that certificate then is only valid for authentication if the connecting computer is actually connecting to that name. You’re going to see this all the time on the internet.
You can see it with email systems where you connect to a server and the name you’re using to connect doesn’t match one of the names on the certificate. Well, some certificates may require multiple names, and when we start talking about public certificate authorities, that can be costly. So often wildcard certificates are used, because they allow you to secure an unlimited number of subdomains and they are much cheaper than individual certificates and much cheaper in some cases than certificates that have multiple names inside of them. Another option that we have is OCSP versus the CRL.
When somebody gives a certificate to me for the purpose of authentication, I have to be able to validate that. I have to be able to verify that that certificate is still valid. I love using the driver’s license analogy for all of this because it just seems to work so well. So when I hand you my driver’s license, you may be looking at the expiration date, right? You’re looking to see if it is expired. Now, the analogy sometimes falls off, and this one kind of does, because that’s not exactly what this is doing. In fact, what it’s doing is it’s a mechanism to check that even though the expiration date is good on your ID, we’ve got to check to see that it hasn’t been revoked. So the better analogy for this would not be that I present my ID to somebody who’s carding me to buy alcohol and they’re just looking to see if it’s expired. That’s it. The better analogy would be that I get pulled over and I present my ID to the police officer. And the police officer doesn’t just look at the expiration date. What does he do? He or she? They go back to their car and they run my license. They’re checking to see if, what, my license has been suspended, if there are warrants out for my arrest, or who knows what else.
But they are doing this verification. That’s what the certificate revocation list does. The CRL identifies certificates that have been revoked for various reasons before the actual end of their validity period. Now, historically, this was a certificate revocation list, a list of certificates that had been revoked that was accessible to individual clients.
So the client would connect, and they would download the CRLs, and then they could validate the certificates that were being given to them for the purposes of authentication. But it’s a time-consuming process, and it’s a process where updates aren’t pushed out very quickly. So the alternative to that was OCSP, the Online Certificate Status Protocol, which essentially allowed clients to make an individual request to a central point on a web server requesting the validation of this particular certificate. So rather than me connecting periodically and having the CRL pushed with its delta updates, I would connect via OCSP and just simply say, hey, how about computer B? Is computer B valid? And then I would get that information, so it operates at a much higher level of performance. And we’re seeing that used more and more.
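The name check behind the wildcard certificates discussed earlier in this section, as an added example that is not part of the original course material. It follows the common rule that a wildcard stands for exactly one leftmost label; the function names, the `example.com` certificate contents and the refusal of patterns such as `*.com` are assumptions made for the illustration.

```python
# Constructed certificate name lists (subjectAltName-style DNS names).
WILDCARD_CERT = ["*.example.com", "example.com"]
SINGLE_NAME_CERT = ["mail.example.com"]


def split_labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name covers the hostname."""
    if "*" in hostname:
        return False                      # a hostname is never a pattern
    p, h = split_labels(pattern), split_labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False                      # empty label or different depth
    if p[0] == "*":
        # The wildcard stands for exactly one label, and only the leftmost.
        # Assumption: require two fixed labels after it, so "*.com" is refused.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False                      # partial or misplaced wildcard
    return p == h


def covering_names(cert_names, hostname):
    """List the certificate names that validate a connection to hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


def coverage_report(cert_names, hostnames):
    """Map each hostname to the certificate names that cover it (may be empty)."""
    return {host: covering_names(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    hosts = ["mail.example.com", "example.com", "a.b.example.com"]
    for host, names in coverage_report(WILDCARD_CERT, hosts).items():
        print(host, "->", names or "NAME MISMATCH")
```

The report shows that `*.example.com` covers any number of first-level subdomains but neither the bare domain nor a second level such as `a.b.example.com`, which is worth checking before replacing multi-name certificates with a wildcard.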
- Primary PKI Functions
Let’s talk about some of the primary functions of the PKI, so we have a good understanding of how these work. Issuance of certificates to entities is of course the most common thing performed, but PKI does handle other traffic: certificate usage, verification, retirement, key recovery, escrow, et cetera. The first, though, is issuance of certificates.
The steps that are involved with doing that are: a user requests a digital certificate, and the registration authority, the RA, receives that request. They then request identifying information from the user. Potentially they just obtain that from a database like Active Directory. After it’s received, it gets forwarded to the CA. Now, usually the RA and CA are components within the same software. So the CA is requesting this information, then it creates a digital certificate for that individual with the public key and it pushes that back to the user. Once the user has a certificate, they’re ready to communicate with other trusted entities.
So certificate usage is then just the utilization of these certificates. It’s used in computer authentication, it can be used in user authentication, it can be used for encrypting and decrypting email, et cetera. Certificate verification is just that OCSP versus CRL. So every time a certificate is attempted to be used, we have to verify that it’s still valid. Certificate retirement, on the other hand, is going to be when we have to retire a CA or a particular certificate expires. And then we have key recovery and key escrow. Key recovery is just that I need to restore a key from a backup so that I can decrypt data. Key escrow is the process of storing keys with a third party to make sure that decryption can occur. This can happen with an actual third party. It can also be just stored in the certificate authority database.
- Additional PKI Concepts
Some additional PKI concepts. Of course, you have the certificates. These are often referred to as X.509 standards. They contain various fields like the version, the issuer, the validity, the subject name, the unique identifier, extensions, et cetera. According to VeriSign, there are five digital certificate classes. So class one is for individuals and intended for email. Class two is for organizations that need to provide proof of identity. Class three would be your servers and code signing, class four is for online business transactions, and class five is for private organizations or governmental securities. A token is going to be a hardware device that stores digital certificates and private keys. Some implementations are USB devices and smart cards.
They provide login capabilities. Stapling is another concept. This was formerly known as the TLS Certificate Status Request extension. This is OCSP stapling, and it’s an alternative to using OCSP. And then you have public key pinning, which is a security mechanism delivered via an HTTP header. It allows HTTPS websites to resist impersonation by attackers that would be using mis-issued or otherwise fraudulent certificates. So essentially, it just delivers a set of public keys to the client, which should be the only ones that are trusted for connections to this particular domain. All right, so again, that’s quick. But those are a few additional and more advanced PKI concepts that you may not have run into before.
- Chapter 03 Review
In this chapter, we looked at implementing advanced authentication and cryptographic techniques. We started by talking about authentication and authorization concepts. Of course, authentication is the process of identifying who is trying to access your network. And there are several different factors that we discussed that could be used to accurately identify that entity. And then once we’ve identified that entity, we have to determine their authorization level. And that’s typically done, depending on the situation, through access control lists (ACLs), firewall rule sets, et cetera.
Cryptography is the science of encrypting data, making it easier to ensure the confidentiality of that data. We talked about cryptographic techniques like asymmetric versus symmetric encryption for confidentiality, message digests and hashing algorithms for data integrity, and then the various types of those. And then finally, we looked through some real-world implementations of cryptography in today’s enterprises.