Introduction to Cryptography

Cryptography is the art and science of keeping information secure through the use of mathematical concepts and techniques

Cipher: A method of designing secret or hidden messages

Key: Parameter specifying how plaintext is converted to ciphertext and vice versa

Encryption: Process of modifying a message or information in such a way that prevents unauthorized parties from accessing it

Encryption takes a plaintext message and converts it to an unreadable ciphertext message

Decryption: Process of converting ciphertext to plaintext

History of Cryptography

The Caesar Cipher

Works by shifting letters a set number (key) of positions from the original letter:

The Enigma Cipher

After the end of WWI, Germany developed the encryption tool called the Enigma Machine

This machine scrambles the letters of the alphabet, allowing for billions of combinations for encryptions

Settings are configured by the user, and the key was created when the sender plugged wires into specific slots and arranged the roto settings

The same settings were used for decryption, which were provided to the recipient in advance

Character Encoding

Character Encoding: Encrypting data on computers requires a method of alphanumeric representation

Encoding is not used to keep information secret

Data is encoded with publicly available schemes that can be decoded by anyone

Does not use a key

Binary Encoding: Conversion of binary to decimal

ASCII (American Standard Code for Information Interchange): Used to represent computer-stored characters in a human-readable format

Binary data can be more efficiently stored and represented by encoding with the hexadecimal number system

Hex Encoding uses 16 symbols to represent the base values:

Each hexadecimal is equal to one byte

Goals of Cryptography

Privacy: Keeps data secure from unauthorized parties

Data in Motion: Data moving between devices

Data at Rest: Static data, such as that stored on a hard drive or in a database

Authentication: Used to confirm the identities of the sender and receiver of data

Integrity: Ensures a message isn’t altered between when it’s sent and when it’s received

Non-repudiation: Prevents the original sender from denying they were the sender

Cryptographic Ciphers

Stream Ciphers: Apply their algorithm one bit (character) at a time

Substitution Cipher: Substitute out old values for new values of input messages

Examples are Caesar and Enigma

Decoder

Block Ciphers: Apply their algorithm to chunks of characters

Transposition Ciphers: Break an input message into equal-sized blocks and rearrange the letters of each block

  1. Break the message into blocks of three characters
  2. Replace the first, second, and third character of each block with the third, first, and second character
  3. Combine rearranged text

Modern Cryptography

Keys

Key Space: The possible range of numbers each algorithm that can be used as a key

For example, a password that can only use numerical digits has the key space of 10

Bit Size: Binary bits used in a key

For each bit added, the key space doubles in size (Key Space = 2^bit size)

To calculate the amount of seconds it takes to decrypt encryption: 2^(64-x) = seconds

“x” is the amount of bits the encryption is built with

Symmetric Key Algorithms

It takes time and computational resources to encrypt and decrypt larger keys

Modern symmetric key algorithms use algorithms that are secure and fast

Symmetric key algorithms use a single, shared key to encrypt and decrypt a message

The key needs to remain private

OpenSSL

First step is to create a key and initialization vector (IV):

openssl enc -pbkdf2 -nosalt -aes-256-cbc -k [password] -P > [file_name]

Then encrypt a file:

openssl enc -pbkdf2 -nosalt -aes-256-cbc -in [file_name] -out [file_name] -base64 -K [key] -iv [IV]

To decrypt the file:

openssl enc -pbkdf2 -nosalt -aes-256-cbc -in [file_name] -d -base64 -K [key] -iv [IV]

Key Management and Exchange

Disadvantages

Secure Key Exchange

Offline Exchange (Out-of-Band Exchange): Includes calling the recipient and reading the key, or mailing the key

Diffie-Hellman Key Exchange: Uses complex mathematical principles to create a shared secret key between two parties over a public channel

Key Management

Keys must be created for each combination of individuals and the amount of symmetric keys can quickly become overwhelming

Count of Symmetric Keys = (N*(N-1))/2

Asymmetric Key Encryptions

Each individual possesses a two-key pair:

Private Keys: Kept secret and can affect confidentiality of messages if exposed

Public Keys: Public and accessible to all

RSA: The asymmetric algorithm standard that works by employing the complexity of factoring large numbers

Applying Public Key Cryptography with GPG

GPG: CLI tool used to simplify the creation, encryption, and decryption of asymmetric key cryptography

First, create the Public and Private key:

gpg --gen-key

To validate the keys were created:

gpg --list-keys

Then, export the public key:

gpg --armor --output [FILE_NAME] --export [email_addr]

--armor: Puts the key in ASCII

--output: Creates public key in the provided file

--export: References which key by email address

The sender will then need to retrieve the key and import it into their key ring:

gpg --import [FILE_NAME]

Use gpg --list-keys to validate the key was imported successfully

To use a gpg key to encrypt a message:

gpg --armor --output [FILE_NAME] --encrypt --recipient [email_addr] [FILE_NAME]

--output: Output file, which creates the name of the encrypted file

--encrypt: Initiates encryption

--recipient: Instructs which key to use, based on email address

FILE_NAME: Which plaintext file to encrypt

Once the receiver will then save the encrypted message and decrypt it:

gpg --output [FILE_NAME] --decrypt [FILE_NAME]

--output: Creates output file to place the decrypted message

--decrypt: Indicates which file to decrypt

Hashing and Data Integrity

Hashing: A cryptographic method used to verify the integrity of data

Hashing takes plaintext and converts it to a message digest with an algorithm and no key

Message digests are also known as fingerprints, hashes, and checksums

Hashing is a one-way function, meaning it cannot be converted back to plaintext

Hashing algorithms output in fixed lengths, regardless of the input length

Hashing Algorithms

Digital Signatures

Digital Signature: A mathematical scheme used to verify the authenticity of digital data

Step 1: Key creation

A public and private key are created

The public key is accessible globally

Step 2: Creating the message

The message is placed inside a file

Step 3: Signing the Message

The message is signed with the local private key in order to create a digital signature

Step 4: Sending the Message

The plaintext message is sent along with the digital signature

Step 5: Validating the Signature

The public key is used to validate the signature, using a validation tool such as GPG

Digital Signature Types

Detached Signature: The message and the signature are sent separately

All At Once: Signature is appended to an encrypted message

Clearsigned: Signature is appended to an unencrypted message

Signed Hash: Instead of signing a message, a hash is created first and the hash is signed for verification

Creating a Signature

First, generate a private and public key:

gpg --gen-key

Export the public key:

gpg --armor --output [file_name] --export [email_addr]

The key is then placed in a publicly available space

A message can then be placed in a plaintext file, and the message can be signed using a detached digital signature:

gpg --output [file_name] --armor --detach-sig [file_name]

The message and the plaintext message can be sent to the receiver

The receiver will then import the public key and verify the signature:

gpg --import [name.gpg]

gpg --verify [signature_file] [message_file]

The verification will also fail if the message was altered after the signature was attached

Introduction to Applied Cryptography

Applied Cryptography

Portable Devices

Operating systems use disk encryption to prevent unauthorized parties from viewing the data on the machine

Email

Encryption can be used to secure emails with programs such as S/MIME and PGP by applying public key cryptography to provide email confidentiality, as well as digital signatures to ensure authenticity and integrity

Websites

Secure Socket Layer (SSL): Protocol designed to encrypt web traffic

Websites use SSL certificates as seals of approval to confirm a website can be trusted

Websites use hashing to store passwords

Hashing algorithms prevent passwords from being revealed even after a breach

A user’s password is verified against a password hash

Digital Forensics

Forensic Examiner: Cybersecurity professional who captures and investigates digital evidence from computers, cell phones, and other devices containing digital data

Forensic examiners make a hash of a device when it is initially collected for investigation

The hash is used to verify that the digital data was not modified during the investigation

Steganography: Cyrptographic technique of placing hidden messages within files, images, or videos

steghide can be used to hide and extract messages from other files

To embed text file hidden_message.txt into image family.jpg:

steghide embed -cf family.jpg -ef hidden_message.txt

Then, provide a passphrase and confirm

To extract a hidden message:

steghide extract -sf family.jpg

SSL Certificates

SSL Certificates: Small data files that use public key cryptography to secure connections between the browser and the web server

An organization must first reach out to a Certificate Authority (CA)

X.509: Current standard of SSL Certificates for securing online communications

The CA will need the following information from the organization:

Only the public CSR is sent to the CA, and the private remains on the web server

SSL certificates validate authenticity using a chain of trust

Browsers have a pre-established list of trusted CA’s called a root store

Root certificate authorities: List of CA’s trusted by the browser and at the top of the trust chain. They are typically not the organizations that issue SSL certificates

Intermediate Certificate Authorities: Issue certificates and report up to a root certificate authority

View Root Certificate Authorities

In Chrome, select Preferences > Settings, then Privacy and Security > Security > Manage Certificates:

In MAC, select System Roots, then the Certificates tab:

Confirm SSL is Valid

Visit a site and select the Lock Icon next to the URL of the Website:

Then, select Certificate (Valid) to view the details of the certificate:

The Certificate Path of google.com:

google.com is the website that the certificate was issued for

GTS CA 101 is the intermediate certificate authority that issued a certificate to google.com

Google Trust Services is the root certificate authority that signed off on the intermediate certificate authority

The chain of trust:

Invalid SSL

When visiting a website with an invalid SSL, the browser will throw an error:

Select the Not Secure icon next to the URL:

Select Certificate (Invalid) and review the details of the certificate:

The SSL is invalid due to it being expired

SSL Certificates Privacy

  1. When a website is accessed, the browser requests the web server for certificate details
  2. The server responds with a copy of the SSL certificate and the public key
  3. The browser validates the certificate by checking the expiration date and root CA
  4. The browser uses the server’s public key to create, encrypt, and send a session key
  5. The server decrypts the key, sends an acknowledgement, and starts an encrypted session
  6. Secure web traffic begins. Server and browser encrypt/decrypt data with the session key

The above steps use both asymmetric and symmetric encryption, specifically, steps one through five use asymmetric methods and step six uses symmetric methods

Cryptographic Attacks

Statistical Attack

Statistical Attack: Exploits weaknesses in cryptographic algorithms by attempting to determine if the random produced are actually predictable

Example: Some technology professionals use a token generation program that creates a random number for use to log into their computer. If the number generated is not random, an attacker could determine the number and access unauthorized data

Mitigation: Ensure that algorithms used to generate random values continue to produce values that are in fact random

Brute Force Attack

Brute Force Attack: Attackers use many passwords or user and passwords or user and password combinations until one eventually works

Example: An attacker wants to log in with the user root, they would attempt to log in with many passwords until they guess correctly:

Mitigation: Apply a lockout functionality to all logins, which will limit the number of login attempts a user has before getting locked out. Also, applications can have firewalls that detect and stop large volumes of attempted logins from a single source IP Address

Birthday Attacks

Birthday Attacks: Exploit the probability that two separate plaintexts that use the same hash algorithm will produce the same ciphertext

Also known as hashing collision or collision

Mitigation: Stronger hashing algorithms limit the possibility of hashing collision

Frequency Analysis

Frequency Analysis: Method for cracking substitution algorithms

Example: An attacker can note the most frequently used letters in the ciphertext and substitute them with most frequently used letters in the English language (e,t,o, and a)

Mitigation: Using more advanced encryption algorithms

Replay Attack

Replay Attack: Attacker obtains an encrypted signal and replays the signal at a later time

Mitigation: Add an expiration time for the encrypted data

Known Plaintext

When an attacker has obtained both the ciphertext and its associated plaintext, they can determine the encryption algorithm and decrypt future messages

Example: If the Ciphertext for Hello is 8 5 12 12 15, it can be determined that the algorithm is A=1, B=2, etc.

Mitigation: Use advanced encryption and limiting access to ciphertext and plaintext pairs

Chosen Plaintext

When an attacker has access to the encryption program and ciphertext, but not the plaintext, they can encrypt messages to learn how the ciphertext is generated

Rainbow Tables

Rainbow Tables: Resources that contain precomputed hashes with the associated plaintext passwords

Some rainbow tables are extremely large and can take up a lot of storage space and CPU to use effectively

Salting: A cryptographic method of combining salt (a random value) with the plaintext into the hash function

Salted Hash: The output of hashed text and a salt

hashcat: CLI tool that automates the cracking of hashes

Hashcat uses dictionary wordlists, rainbow tables, and brute force methods to figure out plaintext passwords from hashes

To use hashcat:

hashcat -m 0 -a 0 -o solved.txt hash.txt rockyou.txt --force

Leave a Reply

Your email address will not be published.