This is part three of a series of posts about the CCNA Cyber Ops certification, you can find the second part here. Essentially in this post, we summarize the basic concepts about cryptography, hash, signatures and algorithms.
3.1 Describe the uses of a hash algorithm
A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function’s output is to attempt a brute-force search of possible inputs to see if they produce a match. The input data is often called the message, and the output (the hash value or hash) is often called the message digest or simply the digest.
3.2 Describe the uses of encryption algorithms
Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information-security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes.
3.3 Compare and contrast symmetric and asymmetric encryption algorithms: Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for encryption of plaintext and decryption of ciphertext. Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.
3.4 Describe the processes of digital signature creation and verification
A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).
Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash — along with other information, such as the hashing algorithm — is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.
The value of the hash is unique to the hashed data. Any change in the data, even changing or deleting a single character, results in a different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash. If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. If the two hashes don’t match, the data has either been tampered with in some way (integrity) or the signature was created with a private key that doesn’t correspond to the public key presented by the signer (authentication).
3.5 Describe the operation of a PKI
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
In the following video the concept of digital signatures is explained in a simple way:
3.6 Describe the security impact of these commonly used hash algorithms
- 3.6.a MD5: The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
- 3.6.b SHA-1: Secure Hash Algorithm 1 is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. SHA-1 is no longer considered secure against well-funded opponents.
- 3.6.c SHA-2: Secure Hash Algorithm 2 is a set of cryptographic hash functions designed by the National Security Agency (NSA). SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
- 3.6.c.1 SHA-256
- 3.6.c.2 SHA-512
- 3.6.d SHA-3
3.7 Describe the security impact of these commonly used encryption algorithms and secure communications protocols
- 3.7.a DES: Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data. Although now considered insecure, it was highly influential in the advancement of modern cryptography.
- 3.7.b 3DES: Triple DES, officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
- 3.7.c AES: The Advanced Encryption Standard, also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.
- 3.7.d AES256-CTR: AES256 is a symmetrical encryption algorithm that has become ubiquitous, due to the acceptance of the algorithm by the U.S. and Canadian governments as standards for encrypting transited data and data at rest. Because of the length of the key (256 bits) and the number of hashes (14), it takes a murderously long time for a malware hacker to perform a dictionary attack.
Block cipher mode of operation: (ECB, CBC, OFB, CTR and CFB) In cryptography, a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity.
- 3.7.e RSA: RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem. RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977.
- 3.7.f DSA: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS) and adopted as FIPS 186 in 1993.
- 3.7.g SSH: Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.
- 3.7.h SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network.
3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation
The key exchange problem is how to exchange whatever keys or other information are needed so that no one else can obtain a copy. Historically, this required trusted couriers, diplomatic bags, or some other secure channel. With the advent of public key / private key cipher algorithms (ie, asymmetric ciphers), the encrypting key (aka, the public key of a pair) could be made public, since (at least for high quality algorithms) no one without the decrypting key (aka, the private key of that pair) could decrypt the message.
In terms of a “security investigation” let’s first take the case of a failed exchange between the authorized parties. If the exchange fails the concepts of authentication, non-reputation, and integrity are affected. Then an investigation can’t take place and also the systems are left vulnerable. If the exchange is successful then there is no problem, but that makes me think that this question could be referring to the attack itself. If the attack is protected and the exchange between the system and the attacker is successful, then the investigation is going to be really hard because the investigator will have limited access to the facts of the attack, like where it comes from or the actual code of the virus, if that were the case.
3.9 Describe these items in regards to SSL/TLS
- 3.9.a Cipher-suite: is a concept used in Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. Before TLS version 1.3, a cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings. The format of cipher suites is modified since TLS 1.3. In the current TLS 1.3 draft document, cipher suites are only used to negotiate encryption and HMAC algorithms. When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol, occurs. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message are passed. First, the client sends a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client’s list. To test which TLS ciphers a server supports, an SSL/TLS Scanner may be used.
- 3.9.b X.509 certificates: In cryptography, X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the Transport Layer Security protocol used to secure both web and email communication. An ITU-T standard, X.509 specifies formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
- 3.9.c Key exchange: Key exchange (also known as “key establishment”) is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing the use of a cryptographic algorithm.
- 3.9.d Protocol version: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3.
- 3.9.e PKCS: stands for “Public Key Cryptography Standards”. These are a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm, and several others.