Skip to content
This repository has been archived by the owner on Dec 22, 2024. It is now read-only.

Latest commit

 

History

History
197 lines (172 loc) · 12.4 KB

11 - Cryptography 101.md

File metadata and controls

197 lines (172 loc) · 12.4 KB

Cryptography 101

Cryptograph Basics

  • Cryptography - science or study of protecting information whether in transit or at rest
    • Renders the information unusable to anyone who can't decrypt it
    • Takes plain text, applies cryptographic method, turn it into cipher text
  • Crypanalysis - study and methods used to crack cipher text
  • Linear Cryptanalysis - works best on block ciphers
  • Differential Cryptanalysis - applies to symmetric key algorithms
    • Compares differences in the inputs to how each one affects the outcome
  • Integral cryptanalysis - input vs output comparison same as differential; however, runs multiple computations of the same block size input
  • Plain text doesn't necessarily mean ASCII format - it simply means unencrypted data
  • Nonrepudiation - means by which a recipient can ensure the identity of the sender and neither party can deny sending

Encryption Algorithms and Techniques

  • Algorithm - step-by-step method of solving a problem
  • Two General Forms of Cryptography
    • Substitution - bits are replaced by other bits
    • Transposition - doesn't replace; simply changes order
  • Encryption Algorithms - methmatical formulas used to encrypt and decrypt data
  • Steam Cipher - readable bits are encrypted one at a time in a continuous stream
    • Usually done by an XOR operation
    • Work at a high rate of speed
  • Block Cipher - data bits are split up into blocks and fed into the cipher
    • Each block of data (usually 64 bits) encrypted with key and algorithm
    • Are simpler and slower than stream ciphers
  • XOR - exclusive or; if inputs are the same (0,0 or 1,1), function returns 0; if inputs are not the same (0,1 or 1,0), function returns 1
  • Key chosen for cipher must have a length larger than the data; if not, it is vulnerable to frequency attacks

Symmetric Encryption

  • Symmetric Encryption - known as single key or shared key
    • One key is used to encrypt and decrypt the data
    • Problems include key distribution and management
    • Suitable for large amounts of data
    • Harder for groups of people because more keys are needed as group increases
    • Does nothing for nonrepudiation; only performs confidentiality
  • Algorithms
    • DES - block cipher; 56 bit key; quickly outdated and now considered not very secure
    • 3DES - block cipher; 168 bit key; more effective than DES but much slower
    • AES (Advanced Encryption Standard) - block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES and 3DES
    • IDEA (International Data Encryption Algorithm) - block cipher; 128 bit key; originally used in PGP 2.0
    • Twofish - block cipher; up to 256 bit key
    • Blowfish - fast block cipher; replaced by AES; 64 bit block size; 32 to 448 bit key; considered public domain
    • RC (Rivest Cipher) - RC2 to RC6; block cipher; bariable key length up to 2040 bits; RC6 (lastest version) uses 128 bit blocks and 4 bit working registers; RC5 uses variable block sizes and 2 bit working registers

Asymmetric Encryption

  • Uses two types of keys for encryption and decryption
  • Public Key - generally used for encryption; can be sent to anyone
  • Private Key - kept secret; used for decryption
  • Comes down to what one key encrypts, the other decrypts
  • The private key is used to digitally sign a message
  • Algorithms
    • Diffie-Hellman - developed as a key exchange protocol; used in SSL and IPSec; if digital signatures are waived, vulnerable to MITM attacks
    • Elliptic Curve Cryptosystem (ECC) - uses points on elliptical curve along with logarithmic problems; uses less processing power; good for mobile devices
    • El Gamal - not based on prime number factoring; uses solving of discrete logarithm problems
    • RSA - achieves strong encryption through the use of two large prime numbers; factoring thse create key sizes up to 4096 bits; modern de facto standard
  • Only downside is it's slower than symmetric especially on bulk encryption and processing power

Hash Algorithms

  • Hash - one-way mathematical function that produces a fix-length string (hash) based on the arrangement of data bits in the input
  • Algorithms
    • MD5 (Message Digest algorithm) - produces 128 bit hash expressed as 32 digit hexadecimal number; has serious flaws; still used for file download verification
    • SHA-1 - developed by NSA; 160 bit value output
    • SHA-2 - four separate hash functions; produce outputs of 224, 256, 384 and 512 bits; not widely used
    • SHA-3 - uses sponge construction
    • RIPEMD-# - works through 80 stages, executing 5 blcosk 16 times each; uses modulo 32 addition
  • Collision - occurs when two or more files create the same output
    • Can happen and can be used an attack; rare, though
  • DHUK Attack (Don't Use Hard-Coded Keys) - allows attackers to access keys in certain VPN implementations; affects devices using ANSI X9.31 with a hard-coded seed key
  • Rainbow Tables - contain precomputed hashes to try and find out passwords
  • Salt - used with a hash to obscure the hash; collection of random bits
  • Things to Remember
    • Hashes are used for integrity
    • Hashes are one-way functions
  • Tools
    • HashCalc
    • MD5 Calculator
    • HashMyFiles

Steganography

  • Steganography - practice of concealing a message inside another medium so that only the sender and recipient know of it's existence
  • Ways to Identify
    • Text - character positions are key - blank spaces, text patterns
    • Image - file larger in size; some may have color palete faults
    • Audio & Video - require statistical analysis
  • Methods
    • Least significant bit insertion - changes least meaningful bit
    • Masking and filtering (grayscale images) - like watermarking
    • Algorithmic transformation - hides in mathematical functions used in image compression
  • Tools
    • QuickStego
    • gifshuffle
    • SNOW
    • Steganography Studio
    • OpenStego

PKI System

  • Public Key Infrastructure (PKI) - structure designed to verify and authenticate the identity of individuals
  • Registration Authority - verifies user identity
  • Certificate Authority - third party to the organization; creates and issues digital certificates
  • Certificate Revocation List (CRL) - used to track which certificates have problems and which have been revoked
  • Validation Authority - used to validate certificates via Online Certificate Status Protocol (OCSP)
  • Trust Model - how entities within an enterprise deal with keys, signatures and certificates
  • Cross-Certification - allows a CA to trust another CS in a completely different PKI; allows both CAs to validate certificates from either side
  • Single-authority system - CA at the top
  • Hierarchial trust system - CA at the top (root CA); makes use of one or more RAs (subordinate CAs) underneath it to issue and manage certificates

Digital Certificates

  • Certificate - electronic file that is used to verify a user's identity; provides nonrepudiation
  • X.509 - standard used for digital certificates
  • Contents of a Digital Certificate
    • Version - identifies certificate format
    • Serial Number - used to uniquely identify certificate
    • Subject - who or what is being identified
    • Algorithm ID (Signature Algorithm) - shows the algorithm that was used to create the certificate
    • Isuer - shows the entity that verifies authenticity
    • Valid From and Valid To - dates certificate is good for
    • Key Usage - what purpose the certificate serves
    • Subject's Public Key - copy of the subject's public key
    • Optional Fields - Issuer Unique Identifier, Subject Alternative Name, and Extensions
  • Some root CAs are automatically added to OSes that they already trust; normally are reputable companies
  • Self-Signed Certificates - certificates that are not signed by a CA; generally not used for public; used for development purposes
    • Signed by the same entity it certifies

Digital Signatures

  • When signing a message, you sign it with your private key and the recipient decrypts the has with their public key
  • Digital Signature Algorithm (DSA) - used in generation and verification of digital signatures per FIPS 186-2

Full Disk Encryption

  • Data at Rest (DAR) - data that is in a stored state and not currently accessible
    • Usually protected by full disk encryption (FDE) with pre-boot authentication
    • Example of FDE is Microsoft BitLocker and McAfee Endpoint Encryption
    • FDE also gives protection against boot-n-root

Encrypted Communication

  • Often-Used Encrypted Communication Methods
    • Secure Shell (SSH) - secured version of telnet; uses port 22; relies on public key cryptography; SSH2 is successor and includes SFTP
    • Secure Sockets Layer (SSL) - encrypts data at transport layer and above; uses RSA encryption and digital certificates; has a six-step process; largely has been replaced by TLS
    • Transport Layer Security (TLS) - uses RSA 1024 and 2048 bits; successor to SSL; allows both client and server to authenticate to each other; TLS Record Protocol provides secured communication channel
    • Internet Protocol Security (IPSEC) - network layer tunnelling protocol; used in tunnel and transport modes; ESP encrypts each packet
    • PGP - Pretty Good Privacy; used for signing, compress and encryption of emails, files and directories; known as hybrid cryptosystem - features conventional and public key cryptography
    • S/MIME - standard for public key encryption and signing of MIME data; only difference between this and PGP is PGP can encrypt files and drives unles S/MIME
  • Heartbleed - attack on OpenSSL heartbeat which verifies data was received correctly
    • Vulnerability is that a single byte of data gets 64kb from the server
    • This data is random; could include usernames, passwords, private keys, cookies; very easy to pull off
    • nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]
    • Vulnerable versions include Open SSL 1.0.1 and 1.0.1f
    • CVE-2014-0160
  • FREAK (Factoring Attack on RSA-EXPORT Keys) - man-in-the-middle attack that forces a downgrade of RSA key to a weaker length
  • POODLE (Paddling Oracle On Downgraded Legacy Encryption) - downgrade attack that used the vulnerability that TLS downgrades to SSL if a connection cannot be made
    • SSl 3 uses RC4, which is easy to crack
    • CVE-2014-3566
    • Also called PoodleBleed
  • DROWN (Decrypting RSA with Obsolete and Weakened eNcyption) - affects SSL and TLS services
    • Allows attackers to break the encryption and steal sensitive data
    • Uses flaws in SSL v2
    • Not only web servers; can be IMAP and POP servers as well

Cryptography Attacks

  • Known plain-text attack - has both plain text and cipher-text; plain-text scanned for repeatable sequences which is compared to cipher text
  • Chosen plain-text attack - attacker encrypts multiple plain-text copies in order to gain the key
  • Adaptive chosen plain-text attack - attacker makes a series of interactive queries choosing subsequent plaintexts based on the information from the previous encryptions; idea is to glean more and more information about the full target cipher text and key
  • Cipher-text-only attack - gains copies of several encrypted messages with the same algorithm; statistical analysis is then used to reveal eventually repeating code
  • Replay attack
    • Usually performed within context of MITM attack
    • Hacker repeats a portion of cryptographic exchange in hopes of fooling the system to setup a communications channel
    • Doesn't know the actual data - just has to get timing right
  • Chosen Cipher Attack
    • Chooses a particular cipher-text message
    • Attempts to discern the key through comparative analysis
    • RSA is particularly vulnerable to this
  • Side-Channel Attack
    • Monitors environmental factors such as power consumtion, timing and delay
  • Tools
    • Carnivore and Magic Lantern - used by law enforcement for cracking codes
    • L0phtcrack - used mainly against Windows SAM files
    • John the Ripper - UNIX/Linux tool for the same purpose
    • PGPcrack - designed to go after PGP-encrypted systems
    • CrypTool
    • Cryptobench
    • Jipher
  • Keys should still change on a regular basis even though they may be "unhackable"
  • Per U.S. government, an algorithm using at least a 256-bit key cannot be cracked