CISSP Exam Cram - Cryptography Drill-Down

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
the cryptography portion of the cissp exam is one that is both famous and feared as the most technical subject on the exam and one that requires large amounts of memorization so by your request in this supplemental video in our cissp exam cram series we're going to drill down on cryptography in the cissp context focusing on what the study guides say you need to know and along the way i'll share some memory devices that will help you commit to mind those figures you may need to recall on the big day [Music] our focus in this session is just the subject of cryptography is covered in the cissp exam the most technical topic on the cissp and i have some very specific objectives for you in this session so our goals number one i want to make sure you understand the terminology and the concepts around cryptography there are definitely some technical details around encryption algorithms etc that are going to be very important and warning there's some memorization ahead fortunately i have for you some some memory devices some tables some techniques to make this process easier and in this area i'll just warn you you're going to see some content that you might have seen in the domain 3 video but there's some very important net new content here as well let me explain so we're going to talk about the differences between these algorithm types we'll also talk about their common usage as well as how they are used together uh you know on the on the subject of differences when we understand the the differences between algorithms their strengths and weaknesses relative to one another it's going to answer one very important question for you why is that type of algorithm used for that specific function and the bottom line is when we put this knowledge together it's going to give you the foundational knowledge you need to select the right answers on the exam so when you see a question that mentions fast cryptography you're going to know that's probably symmetric when you see a question around key length and you see a hashing function as one of your answers you're going to know that's not an answer because a hash doesn't need a key it's a one way operation all this is going to become very clear in the next few minutes so there's a pdf copy of the presentation in the video download do make sure you hit the bell so you get a heads up every time we drop a video and if you like what you're getting here give us a thumbs up it really helps with the youtube algorithm so let's talk cryptography so codes versus cipher so code are our systems of symbols that sometimes uh imply secret but don't always have to be secret don't always provide confidentiality ciphers on the other hand are meant to hide the true meaning of a message so codes are sometimes secret but don't always provide confidentiality ciphers are always secret confidentiality is always going to be implied there so you do need to know the types of ciphers that are out there so stream cipher number one uh a symmetric key cipher uh in a stream cipher your your plain text digit is encrypted one at a time it's a stream so to speak because it's not a block of data so where a stream cipher goes one character at a time a block cipher will apply the key and algorithm to a block of data like 64 contiguous bits for example so basically as a group rather than one bit at a time so that's the fundamental difference between a stream cipher and a block cipher substitution so this is a random bit string it's basically the same length as the block size that's xored in the message so transposition so transposition to transpose something means to rearrange and that's the easy way to remember this is a transposition cipher is going to rearrange the letters of a plain text message forming a ciphertext message an initialization vector is is also a random bit string it's an xor operation that uses the same key length as the block size so the two things you're remembering here is with initialization vector so it's it's an xor with the message and it's the same length as the block size i'll explain what xor is in just a moment so stick with me if you don't know exactly what that is i'll clear that up for you in the next few but with initialization vectors uh it's going to create a unique cipher text every time the same message is encrypted with the same key so the the caesar visionnaire and the one-time pad these are all stream ciphers the difference between these ciphers is their key length so stream cipher different key length so caesar is going to be a key length of one and if you think about caesar back in the day he was number one so key length the one it adds up the visionaire cipher uses a longer key it's usually a word or a sentence and then the one time pad uses a key length that's as long as the message itself so caesar is one visionaire is a word or a sentence and the key length in a one-time pad is the same length as the message itself now we need to talk a bit more about one-time pad i do expect you're going to see at least a question on this on the exam so for a one-time pad to be successful the key must be generated randomly without any known pattern and it has to be at least as long as the message to be encrypted because remember that's what what differentiates one time pad from vegenaire and caesar so the the key is the same size as the message itself and the pads must be protected against physical disclosure you can't give away the secret right and each pad must be used only one time and then discarded because repetition could reveal the answer right so basically all of these must be true for for a one-time pad to be successful so a concept here zero knowledge proof so this is a communication concept and and basically zero knowledge proof is a specific type of information that's exchanged but no data is is actually transferred this is true with digital signatures and digital certificates so what the heck does that mean let me give it to you in plain english to just put it simply zero knowledge proof enables one to prove knowledge of a fact without revealing the fact itself so that's in effect what digital signatures and certificates allow us to do split knowledge so split knowledge means that the information or the privilege required to perform an operation is divided amongst multiple users that makes sense right splitting the knowledge amongst multiple people so this ensures that no single person has sufficient privileges to compromise the security of the environment it's it's separation of of the knowledge of the privilege i kind of think of of split knowledge as role separation of a fashion really we talk about role separation in the workplace so one person doesn't have too much privilege that they can carry out some sort of internal threat all on their own another concept work function sometimes called work factor so this is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and or time to decrypt the message so that the the cost or time to decrypt the message speaks to the value of the function so usually the time and effort required to perform a complete brute force attack against an encryption system is what a work function rating represents so so the security and protection offered by the system is directly proportional to the value of the work function or or factor would you like that in plain english i hear you it's the time and effort required to break a protective measure that's that's the work factor so when you hear work work function or work factor think time and effort required to break a protective measure so the importance of key security so cryptographic keys provide a necessary element of secrecy and modern systems utilize keys that are at least 128 bits long to provide adequate security and that number is going to increase over time in fact when we see the rise of of quantum computing as a mainstream capability uh that's going to change everything about cryptography we're going to see a a massive shift in this space but know that 128 bits is our low water mark so to speak when it comes to key length in modern cryptography so symmetric versus asymmetric cryptography so symmetric relies on the use of a shared key so a shared key versus asymmetric where we have public private key pairs for communication between parties so the difference between the two number one symmetric key lack support for scalability it's it's not easy to distribute the key because we only have one key how do you transmit that key secretly you know confidentially between two two people and we don't have a way to implement non-repudiation there so we can't guarantee uh the the source of the message now asymmetric on the other hand basically gives us that capability to implement a solution that guarantees we know who that message came from but it also makes it easy to distribute that key amongst many parties because we have private and public key pairs to to work with stick with me and here in about five minutes we'll actually walk through an asymmetric example so you can see how the public private key pairs are used in a scenario to implement non-repudiation but also to transmit data confidentially but symmetric cryptography is going to be faster since we have that shared key asymmetric is going to be stronger and and more scalable generally speaking so so when you think symmetric that's single shared key and it's faster and asymmetric is a key a private public key pair that's going to be stronger than asymmetric so to speak so confidentiality integrity and non-repudiation of three concepts you'll definitely need to know for the exam so confidentiality is really focused on the secrecy of data both you know while it's in rest or while it's in transit integrity basically provides a recipient with an assurance that the data wasn't altered that the integrity of the data remains that the data we received is the data that was sent in other words and non-repudiation gives us undeniable proof that the sender of a message is the one who actually authored it it basically prevents the sender from subsequently denying that they sent the original message which is fantastic in certain circumstances so you need to be able to explain the five basic operational modes of data encryption standard des and triple desks so i'm going to cover these for you in a way that i hope is is easier for you to remember because just looking at them on the surface they're not just super super easy to remember they don't stand out so the first is electronic code book mode so this is the least secure of the lot and with code book mode it processes a 64-bit block the problem is if it encounters the same block multiple times it produces the same encrypted block which makes it easy to break so i like to say this code book is pretty easy reading cipher block chaining and in cipher block chaining each block of encrypted text is exorb with the block of ciphertext immediately proceeding so the previous link in the chain so to speak cipher feedback is basically cipher block chaining in a streaming version it's going to work on the data in real time in memory but but do remember when chaining is involved errors will propagate that's that's a key factor to associate with cipher block chaining and cipher feedback is when they use chaining errors propagate but cipher feedback is basically cipher block chaining in a streaming version working in memory buffers now the next one output feedback works a lot like cipher feedback but it exerts the plain text with a seed value which means we're not using chaining anymore it's using a seed value instead of that immediately preceding cipher text so no no chaining means errors don't propagate in this case and then another variation of that is is counter which uses an incrementing counter instead of a seat and again uh you know using that increment encounter is pretty pretty easy to uh to tie to that fifth mode and then uh how is triple dez different well triple dez uh runs dez three times with uh with two or three keys different keys to increase the effective key size to 112 or 168 bits respectively all right so i told you we'd talk about exor let's talk about exor this is exclusive ore option or xor it's also also called binary edition sometimes it's used pretty heavily in crypto and cryptology it actually sounds a lot more complicated than it really is it's basically a function of flipping bits in a simple systematic fashion so if you look at my table here we have the original value and the key value and then the cipher value so what you're seeing here is when the binary values match we get a zero and otherwise it's going to be one so one and one matches we get a zero so key clustering is a weakness in cryptography where a plain text message generates identical ciphertext messages using the same algorithm but using different keys i'll tell you how i remember this one i think of of key cluster as being similar to collisions in hashing so hashes have a collision when two different strings produce the same hash collisions are exact exactly why md5 isn't used as a hashing algorithm anymore so with key clustering uh basically it's when two different keys using the same algorithm produce the same ciphertext so it's similar to collision in that respect so let's start by talking about the most basic difference between symmetric and asymmetric cryptography so your symmetric algorithms use a single shared key between your sender and recipient we'll talk about the advantages and disadvantages of that later but symmetric we have a single shared key in asymmetric cryptography sometimes called public key cryptography we have different keys we have a public key and then a private key which is unshared and both sender and recipient will each have a private key and neither will share their own private key we're going to peel back the layers of the onion in this session but but start with that so now we're going to talk asymmetric cryptography or public key cryptography so on the asymmetric side of cryptography of public keys that are going to be shared amongst communicating parties so if you and i are going to communicate and share secrets you can see my you have access to my public key and i have access to yours my private key is secret only i know my private key and in your case only you know yours and in terms of data to encrypt a message you each can use the recipient's public key so i can use your public key to encrypt a message and then you can decrypt it using your own private key and with a digital signature to sign a message you're going to use your own private key which gives us non-repudiation it ensures that if i sign a digitally signed a message with my private key it ensures that it was sent by me and to validate a signature you'll use my public key so asymmetric and symmetric can work together in the sense that remember symmetric cryptography is is fast right so we can use asymmetric cryptography to securely transmit the shared key we're going to use in symmetric cryptography so essentially asymmetric solves three problems one of which is distribution of of a secret and with symmetric that's that's a problem right sharing that key amongst many parties on the symmetric side would be really difficult so that's where asymmetric can help out so just remember each party has both a private and public key so let's look at a simple example we have franco and maria so franco sends a request to maria requesting her public key maria sends her public key back to franco remember your public key is shared with alan franco is going to encrypt his message using maria's public key and she's going to decrypt the message using her private key as simple as that and the contents of that message could be anything including but not limited to a key a shared key to be used in a symmetric crypto function so hash function so a good hash function has five requirements it has to allow input of any length and it has to provide fixed length output that is to say no matter how long the input the output must always be the same length the hash must always be the same length it has to make it relatively easy to compute the hash function for any input so it needs to be relatively fast in that respect it has to provide a one way functionality in other words it can't be reversed or a hash function that's easily reversed a two-way functionality would not be so simple and it has to be collision free collisions are exactly why the md5 protocol is not why md5 is no longer used as a hashing algorithm so a collision in hashing means that we could put two different inputs through a hash function and it would generate the same output meaning we can't then determine reliably what the original value was that's exactly why md5 is not used anymore let's talk about cryptographic salts so attackers may use something called a rainbow table it's a table of pre-computed values to to try to identify commonly used passwords and a salt is random data that's used as an additional input to a one-way function that hashers data password passphrase whatever and and because we're injecting random data adding salts to passwords before hashing them reduces the effectiveness of of the rainbow table attacks because the attacker doesn't know what additional random data has been injected before the hash so digital signature standard so dss uses sha one shot two sha-3 message digest function functions uh it used to use shell one generally speaking uh shot two is going to be more common now the sha-2 is approved with dss and it works in conjunction with one of three encryption algorithms so it would work with a digital signature algorithm or dsa uh an rsa algorithm or elliptic curve dsa so public key infrastructure so this is the certificate server that you'd see commonly in an enterprise environment so certificate authorities are sometimes called certification authorities generate digital certificates that contain public keys of system users every certificate has a public key and a private key to be clear and the users can distribute the certificates to people with whom they want to communicate and the recipients verify a certificate using the ca's public key so so that's how one can establish a chain of trust back to the issuing certificate authority so it all goes all the way back to the the root certification authority so in pki you'll sometimes have tiers of servers and you'll have an issuing authority but you'll have a root authority at the at the base of the the infrastructure oftentimes that root authority is is maintained offline but it's using asymmetric in that case certs are used for web network and email security pretty commonly so in fact let's talk about web network and email security so an email pretty common standards for encrypted messages include s mime and pretty good privacy on the website of the house the de facto standard is is http over tls transport layer security which has largely replaced the older ssl standard that was in use for a lot of years then on the network side i the ipsec protocol is is pretty a pretty standard framework used for encrypting network traffic uh you may actually see a bit uh uh additional uh in terms of questions on on ipsec so let's talk about ipsec at some greater depth here so ipsec is a security architecture that supports frame secure communications over ip and it establishes a channel in one of two modes transport mode or tunnel mode and it can be used to establish direct communication with computers over or over a vpn so i've seen ipsec used between computers without a vpn vpn is a very common use of ipsec though the windows operating system has has capability to do you know ipsec between computers without a vpn but you can also establish a vpn and it uses one of two protocols authentication header and encapsulating security payload all right common cryptographic attacks just a couple here you should be familiar with for sure from uh from domain three brute force attacks which are attempts to randomly find the correct cryptographic key so it's just using brute force of of computing power with known plain text and chosen cipher text to but it requires the attacker to have some extra information there's a meet in the middle attack which exploits protocols that use two rounds of encryption so it's going to exploit some weaker protocols and it requires requires the attacker to know something somewhere around at least eight bytes of uh of a message so so if uh an attacker knew the parties involved and weaker protocols were in play here i'm eating the middle attack might be possible but but it uses looking for those two rounds of encryption would be the key i'd remember for the exam in case this comes up man in the middle attack you'll hear a lot more about this this fools both parties into communicating with the attacker in the middle instead of directly with one another so each side actually thinks they're communicating with one another but instead they're communicating with the man in the middle and a birthday attack is an attempt to find collisions in hash functions and remember a collision in a hash function is when a hash function can receive two different values but generates the same output that's a collision then a replay attack is an attempt to reuse authentication requests so basically to get uh the the uh the hashed um output of the uh the authentication request and to present that um so that's actually uh pretty pretty common so digital rights management you hear this a lot uh in the entertainment world so it allows content owners to enforce restrictions on the use of their content by others so this used to be a a big deal in the entertainment world with uh with music back in the day it's occasionally found in the enterprise protecting sensitive information stored in in document but the entertainment content is where where drm was always a big discussion and nobody was ever very happy about it uh so let's talk about symmetric algorithms if you haven't watched my my uh video on memorization techniques for cissp you get a taste of them here so so i like to break my cryptography down in a process called chunking so i start by breaking it down to the types of algorithms i need to remember because this is the most uh technical topic on the cissp exam and it's a big topic so let's look at symmetric algorithms here so you need to remember these you need to know the block size i'd try to remember the key size as well and and remember you know symmetric from asymmetric so so looking at this table i see i have a big chunk of of algorithms here that have a 64-bit block size uh including uh blowfish the uh the the dez family the uh rc two through five so one of the tricks i use here so i i tied blowfish and skipjack together i remember that they're both 64-bit because blowfish and skipjack are both fish okay you're asking what the heck is a skipjack this is a skipjack it's a tuna i i've lived near the coast many times so i happen to to know that and because i know blowfish and skipjack are both the 64-bit block size remembering two fish is easy for me because one fish times two is two fish right so that's 128 so two fish is going to be a little more advanced in that respect and i know that aes is used commonly in the enterprise so that's advanced as well so i just kind of tie those together that the advanced family has a 128 bit block size and rc-5 has three different options there but but i remember that the the greatest is the the 128 so then you just half that and then half again to get your three rc5 algorithms and then streaming you know doesn't have the block size right it's doing it piece at a time as it streams okay hash algorithms we've talked about these a lot today right so these are easy to break down so i break the md5 family down so that's message digest mdmd24 and 5 all have a hash value of 128. also notice that none of those are still in use remember i mentioned md5 which is the the newest of the three you see there none of those are still in use they were replaced by multiple other functions and then you have the shaw family and the shaw family is easy to remember here because uh the and these are this is secure hash algorithm so you'll notice that with the shaw family that the name maps to the uh the hash value link so so all of those shaw 224 through 512 these are these are sha2 variants and uh and essentially the uh the hash value shows up in the name and and shaw one's not really in use anymore but uh the sha-2 family are still actively used so make sure you you're going to break out md the md family and the shaw families and remember those the three major public key crypto systems so you have rsa which is probably the most famous it was it was developed by three folks back in the 1970s you have elgamal which is actually an extension of diffie-hellman key exchange and it depends on modular arithmetic so with rsa i tie rsa back to the to prime numbers so rsa involves the difficulty of factoring the product of prime numbers diffie diffie-hellman relies on modular arithmetic it's less common than rsa in the last few years but algomal is based on diffie-hellman and then elliptic curve depends on the elliptic curve discrete logarithm problem and it's going to provide more security than other algorithms when both keys are of the same length but but rsa i think is the the most famous of these and the most likely to come up on the exam but try try to kind of tie some of these key facts about these three into your head so you can pick the right one out should a question come up so digital signatures so digital signatures rely on public key cryptography and hashing functions so so digital signatures have to use shock 2 nowadays and there are three currently approved encryption algorithms for digital signatures you've got dsa you've got rsa and you've got elliptic curve dsa all right asymmetric algorithms so we just we just touched on rsa elgamal and ecc and remember elgamal is based on diffie-hellman key exchange right so this is a small table to memorize i didn't give you much in terms of memory devices here because it's pretty small there are a couple of angles around the cryptographic algorithm types that we didn't cover in domain three that i think could prove important in your exam performance and your ability to get to the right answer so let's have a look at those now now to really help you filter down to the right answers on the exam i want to unpack some differences and common uses of the different types of cryptography so let's start with hashing versus encryption so how is hashing different from encryption well encryption is a two-way function what is encrypted can be decrypted with the proper key now on the other hand hashing is a one-way function that scrambles plain text to produce a unique message digest it takes variable length content and produces fixed length output and if properly designed there's no way to reverse that hash it's it's a one-way function by design so let's talk about common uses so how are these different algorithm types used well symmetric is typically used for bulk encryption or encrypted encrypting large amounts of data essentially and since there's a shared key that's going to be a weakness because key exchanges is challenging now asymmetric on the other hand is used for distribution of symmetric bulk encryption keys that that shared key that's one use so so in that sense we could use symmetric and asymmetric together in that asymmetric can be used for that exchange of keys and symmetric can be used for the heavy lifting of the bulk encryption and then and then identity authentication via digital signatures and and certificates you'll hear about both of those no doubt on the exam and when we can verify that a message has come from a source beyond uh any shadow of a doubt we that's that's non-repudiation right proving that a message came from a particular source and no other an asymmetric is going to to play a role in non-repudiation well digital signatures will will factor right hash functions can be used to uh to verify digital signatures uh generation of pseudo random numbers um integrity services verifying data integrity if we hash the data before and after before and after encryption if the hash matches then we know that our data is intact right it's authentic it hasn't been modified in any way so just from this very simple single slide you can see how these three areas of cryptography can be used together in a hybrid approach to produce a more secure powerful end result and to really seal the deal here let's do some quick comparisons in a table between the algorithm types so we know a hash needs no key it's a one-way operation we know symmetric operates on a single shared key we know asymmetric is going to have two or more keys public and private and and the number depending on the number of parties recommended key length from nist i haven't checked this in a while but we can look at the algorithms we've studied here and know that these are pretty solid so a hash 256 bit with symmetric 128 bits being the uh the low water mark yeah so i know right off the top my head aes is uh a common example there in aes has a 128-bit key rsa is a common asymmetric algorithm uh shaw are our common the shaw family are common hash algorithms sha secure hash algorithm speed our hashing algorithms and our symmetric cryptography where we have a single shared key going to be fast and asymmetric by comparison will be relatively slow which is why we don't see it used typically for bulk data encryption complexity uh hashing and symmetric cryptography are going to be in the in the medium range and then asymmetric is going to be uh highly complex by comparison the effective key compromise well when we're using a single shared key in the symmetric world both the sender and receiver are in trouble right on the asymmetric side uh it's a loss only for the owner of the asymmetric key and then this just doesn't matter in hashing uh key management and sharing well we mentioned one of the the weaknesses of symmetric uh algorithms is sharing a key you know sharing that key is challenging right with with asymmetric we have a secure means to exchange the keys as we talked about earlier in this session and then finally a few examples here you've seen these in the tables before i wanted to throw them here again that's all for our cryptography drill down for the cissp exam if you're getting value out of these sessions do give us a comment and a thumbs up it really helps with the youtube algorithm look forward to seeing you in the next video so until next time be well and stay safe
Info
Channel: Inside Cloud and Security
Views: 6,560
Rating: 4.9475408 out of 5
Keywords:
Id: 8_NLPDRLfg4
Channel Id: undefined
Length: 35min 56sec (2156 seconds)
Published: Mon Mar 22 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.