Cryptography
Security professionals are expected to use cryptography responsibly. They should consider the potential impacts on accessibility, security, and privacy, and at the same time ensure that it is being used sensibly and in a balanced way. An organization’s goals are to protect sensitive data and maintain privacy. It relies on its security professionals to choose appropriate cryptographic resources and entrusts them with protecting this data through effective cryptographic practices.
Cryptography is the use of codes and ciphers to secure sensitive information from unauthorized parties. Organizations employ cryptography to protect its information at rest, information in use, electronic communications between multiple parties, digital signatures, and secure online transactions. The core principles of cryptography center around (Wickramasinghe, 2023):
Privacy and Confidentiality – Uses techniques like encryption to protect information. Ensures that only the intended receiver could read the information.
Authentication – Ensures that the person receiving the information gets it from a sender who is authenticated to do so. Access tokens and Auth signatures are two common authentication methods.
Encryption – Transforms the information into an unreadable format to protect the information’s privacy.
Data Integrity – Employs techniques such as cryptographic hashing to ensure that there is no data manipulation.
Non-repudiation – Uses techniques such as digital signatures to ensure that the sender of the information cannot deny the authenticity of his or her signature.
Key-management – Ensures that cryptographic keys are securely maintained. This includes key generation, distribution, rotation, etc.
In addition, there are three major cryptographic types:
Symmetric Cryptography – The use of a single key which is used for both encryption and decryption and is used by both the sender and the receiver for secure communications.
Asymmetric Cryptography – This is known as public-key cryptography where different cryptographic keys are used for the process of encryption.
Hash function – This is an algorithm that converts any amount of data to a fixed size output. It is used to verify data integrity.
Security professionals are expected to balance security with other societal values. They must protect privacy and the information that they are responsible for. When using cryptography, the must follow compliance regulations and adhere to data privacy and security requirements.
References:
Wickramasinghe, S. (2023, February 13). Cryptography 101: Key Principles, Major Types, Use Cases & Algorithms. Retrieved from Splunk.com: https://www.splunk.com/en_us/blog/learn/cryptography.html
Block Ciphers
Block ciphers are symmetric key ciphers that convert plaintext to ciphertext block by block. They have a high diffusion in that information from one plaintext symbol is scattered into various ciphertext symbols. Block ciphers are also immune to tampering because it is difficult to insert symbols without being detected. However, an entire block must be collected before the encryption/decryption process could begin and, a block could be corrupted if there is an error in a symbol (Kaczanowski, 2021). For block ciphers, block sizes vary such AES (128, 192, and 256 bits) and DES (64 bits). They have many applications such data encryption, file and disk encryption, VPN encryption, and digital signatures to provide authenticity and integrity to digital documents. To provide security to confidential data transmitted between web browsers and servers across the internet, block ciphers are used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for data encryption. Also, for cloud data security, block ciphers provide strong encryption for data at rest and in transit.
Below is a copy of a Block Ciphers Lab which focused on the concepts of secret-key encryption and some common attacks.
References:
Kaczanowski, M. (2021, June 3). Cipher Definition – What is a Block Cipher and How Does it Work to Protect Your Data? Retrieved from Freecodecamp.org: https://www.freecodecamp.org/news/what-is-a-block-cipher/#What%20Are%20Block%20and%20Stream%20Ciphers?
Hash Functions
Hash functions are used in combination with digital signatures to ensure confidentiality and integrity. While they are considered deterministic, in that the same output is produced from the same input data, it is exceedingly difficult to reverse the process to produce the input data. Hash functions possess advantages such as they are unlikely to yield the same hash for two different inputs, they provide one-way protection from hackers and they are fast and efficient in the processing of large amounts of data (Loo, 2024). Hash functions have numerous applications. In blockchain technology, they are used to craft tamper-proof records, in file management they are used for indexing data and removing duplicate files, and to verify data integrity they are used as checksums. Examples of hash functions are MD5, SHA-1, and SHA-2. SHA-2 is part of numerous security protocols such as Transport Layer Security (TLS/SSL), Secure Shell (SSH), and Pretty Good Privacy (PGP) (Schurman, 2023).
Below is a copy of a lab exercise on OpenPgP which uses Hash Functions to create digital signatures.
Loo, A. (2024). Hash Function. Retrieved from corporatefinanceinstitute.com: https://corporatefinanceinstitute.com/resources/cryptocurrency/hash-function/
Schurman, K. (2023, October 8). What are message authentication codes (MACs) and hash-based message authentication codes (HMACs)? Retrieved from Comparitech.com: https://www.comparitech.com/blog/information-security/what-are-macs-and-hmacs/#Putting_HMAC_and_MAC_to_use
Message Authentication Codes and Secure Channel
(Crane, 2023)
A Message Authentication Code (MAC) is also referred to as an authentication message tag. It is a string of code which is used to authenticate the origin of a message and validate the integrity of the data. Before a MAC process commences, a secure channel must be established between the sender and the receiver. To create the MAC, the message and a secret key are combined and hashed to a fixed length. The MAC is tagged on to the message and transferred to the receiver, who uses the same secret key to re-compute the MAC. This secret key is only known by the sender and the receiver. In executing the MAC process, both parties must agree on how it will be done so that they both generate the same MAC.
(Crane, 2023)
Unlike the traditional hash function that uses a single input and generate a fixed length output, the MAC function uses two inputs and generates varied-sized output which is dependent on the input. A MAC guarantees authentication and data integrity but does not offer confidentiality or provide non-repudiation. Examples of MACs are CMAC, HMAC and KMAC. HMAC has an extra layer of security built into it and is used in the protection of highly sensitive data such as personal identification information or account numbers in financial industries that are required to abide with regulations. (Schurman, 2023). It is also used in some VPNs to secure in-tunnel web traffic.
References:
Crane, C. (2023, February 23). What Is a Message Authentication Code (MAC)? Retrieved from https://www.thesslstore.com/blog/what-is-a-message-authentication-code-mac/
Schurman, K. (2023, October 8). What are message authentication codes (MACs) and hash-based message authentication codes (HMACs)? Retrieved from Comparitech.com: https://www.comparitech.com/blog/information-security/what-are-macs-and-hmacs/#Putting_HMAC_and_MAC_to_use
Key Distribution Protocols (Diffie-Hellman, Rivest, Shamir, Adelman (RSA))
Two of the most well-known and common algorithms used to protect information from eavesdroppers are Diffie-Hellman and RSA. While both algorithms are vital for safeguarding information from unauthorized users, Diffie-Hellman is a symmetric algorithm which is used for key exchange and RSA is asymmetric encryption algorithm used to encrypt and decrypt messages.
Diffie-Hellman uses a secret key for encryption and decryption, which is shared between two users. It employs exponential methods for key development and the key is not transmitted with the communication. Its main purpose lies in the secure development of shared secrets which could be used to derive keys. In security protocols such as Transport Layer Security (TLS), Secure Shell (SSH) and IPSec and Pretty Good Privacy (PGP), Diffie-Hellman is often used to help secure remote access to another computer, connectivity to a website, and sending encrypted emails. Diffie-Hellman is rarely used by itself because it provides no authentication, making users vulnerable to Man-in-the-middle (MiTM) attacks (Lake, 2023).
RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman of the Massachusetts Institute of Technology. It uses public-key encryption to secure sensitive data that is transmitted over insecure networks such as the internet. Public-key cryptography uses two keys, a public and a private key, where the public key could be shared with everyone, but the private key must remain secret. RSA is known as asymmetric algorithm where both public and private keys could be used for encrypting data, while the opposite key must be used to decrypt the data.
(Cobb, 2021)
Unlike Diffie-Hellman which does not authenticate users in the key exchange process, RSA ensures that the communication is secure by authenticating the users and the entire communication. In terms of key strength, RSA could utilize larger key sizes in comparison to Diffie-Hellman, making it stronger and more difficult to crack.
References:
Cobb, M. (2021, November). Retrieved from Techtarget.com: https://www.techtarget.com/searchsecurity/definition/RSA
Lake, J. (2023, August 24). Demystifying Diffie-Hellman key exchange and explaining how it works. Retrieved from Comparitech.com: https://www.comparitech.com/blog/information-security/diffie-hellman-key-exchange/
Key Management (Kerberos)
Organizations utilize cryptographic keys for data encryption, data decryption and data authentication. However, if a cryptographic key is compromised, it could negatively impact an organization’s security architecture. For compliance with standards such as PCI-DSS (Payment Card Industry Data Security Standard), cryptographic key management is required for protection against disclosure and misuse.
(Mhembere, 2021)
Cryptographic keys observe a lifecycle, and key management ensures that throughout that lifecycle, keys are managed securely.
At its simplest, Kerberos is an authentication protocol used for authentication and identity verification over non-secure networks. It is used in Active Directory for identity verification and calls for the use of a Key Identification Center (KDC). The KDC is a service which runs on Domain Controllers as part of the Active Directory Domain Services. It implements the Kerberos protocol and is comprised of the Authentication Service (AS), the Ticket Granting Service (TGS), and the Kerberos Database. The Authentication Service (AS) is responsible for users’ initial authentication, the Ticket Granting Service (TGS) connects users with service servers, and the Kerberos database stores users’ identifications and passwords in databases such as LDAP (Lightweight Directory Access Protocol) or the Security Account Manager (SAM) in the Active Directory environment (Katz, 2021).
The benefits of Kerberos are numerous. Apart from user authentication and mutual authentication prior to any data transferal, Kerberos offers a Single Sign-On (SSO) solution, enabling users to access a variety of network resources with only a single login, and transparency and auditing of all events (Fortinet, 2024). Even though it is an effectual process for ensuring network security, Kerberos is a single point of failure if the KDC is compromised and has strict requirements for clock synchronization between the client, server and KDC. Additionally, it has limited compatibility with non-Kerberos systems and requires individual modification for each network service that will use Kerberos.
References:
Fortinet. (2024). Kerberos Authentication. Retrieved from Fortinet.com: https://www.fortinet.com/resources/cyberglossary/kerberos-authentication
Katz, A. (2021, July 19). How Does Kerberos Work? The Authentication Protocol Explained. Retrieved from freecodecamp.org: https://www.freecodecamp.org/news/how-does-kerberos-work-authentication-protocol/
Mhembere, S. (2021, June 8). INTRODUCING A PCI DSS COMPLIANT KEY MANAGEMENT SYSTEM TO A BANK. Retrieved from cryptomathic.com: https://www.cryptomathic.com/news-events/blog/introducing-a-pci-dss-compliant-key-management-system-to-a-bank
Public Key Infrastructure
Public Key Infrastructure (PKI) is a collection of everything that is employed to create and manage public key encryption. This includes policies, hardware, software, and procedures used to create, manage, distribute, and revoke digital certificates. PKI is used in securing access to connected devices, securing web traffic, and internal communications in an organization. Its main goals lie in ensuring the privacy of messages and verifying the authenticity of the senders (Okta, 2023). PKI ensures data confidentiality by facilitating secure communications via encryption and by using digital certificates, it maintains integrity of the information. To prevent unauthorized access to systems and networks, organizations use PKI certificates to verify the identity of users, services, or devices. With PKI, a strong foundation for secure interactions is provided by using a strict hierarchical trust model that ensures communication stays authentic, confidential, and tamper-proof.
Below is a copy of the lab that my team and I did to verify that PKI upholds in protecting from the vulnerabilities of the Man-In-The-Middle (MITM) attack.
References:
Okta. (2023, June 26). What Is Public Key Infrastructure (PKI) and How Does It Work? Retrieved from Okta.com: https://www.okta.com/identity-101/public-key-infrastructure/
Reflection
Before starting this course in cryptography, my role as a Senior Systems Test Engineer included executing security test cases on new software releases for our Data Center switches. Because some government agencies are our major customers, our switches must conform to their cryptographic requirements which require that the switches must have FIPS mode enabled. I knew that I was enabling some sort of security but did have a clear understanding of the logic. Some releases later, we implemented smartcard security on the switches, and I was tasked with building the PKI environment in the lab to test this feature. After extensive reading, I was able to implement this environment and began testing the smartcard feature on the switch. While I understood that the Certificate Authority issued the certificates which I loaded onto the smartcard, the concept of symmetric and asymmetric encryption was confusing. It became more confusing when I had to add an intermediate Certificate Authority into the environment and was experiencing issues with certificates. It took some time for me to understand that the intermediate CA needed the certificate of the Root CA. Overall, troubleshooting took longer because I did not fully understand the concept of cryptography.
During this course, I found the lab exercises extremely helpful because they added context by bridging the theory and practice. They enhanced my learning experience by conveying some clarity to a complex subject.
Now that I have completed this class, I would not say I am an expert, but overall, I do have a better understanding of cryptography. In my testing of the switches, I understood the hash algorithms specified by FIPS-180, how the digital certificates were being used, the difference between symmetric and asymmetric encryption, and the Certificate Authority’s role in the PKI system.
The artifacts I chose are lab exercises which I completed with my team. They provide detail steps showing what was done and explain each category succinctly. The included videos compliment the artifacts and give visual explanations in simplistic language.
Cryptography is part of our daily lives. Whether we are accessing websites for information or paying bills online, we look for a valid certificate on those sites to ensure that they are secure.