Time
1 hour 39 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Thank you for viewing our Whiteboard discussion on Cryptography. Cryptography is one of the most underrated courses of study in the industry. Of those who do study it, issues with comprehension tend to hinder individual mastery. By taking this course, learners will finally be able to grasp all the critical concepts, theories and practices associated with Cryptography. This Cryptography presentation discusses and demonstrates the key concepts of Cryptography from attacks, PKIs and Encryption in detail. You'll learn about the difference between public and private keys and about the similarities and differences between symmetry & asymmetry. We'll also discuss the concept of integrity and confidentiality and their relationships to/with protocols. This Cybrary Cryptography course will help you master the basics of Cryptography as you begin to develop the discipline needed to become an accomplished pen tester.

Video Transcription

00:04
This is one of the most undervalued lessons there is. Hands down, it's the subject of cryptography, and for whatever reason, a lot of people have problems with modern cryptography. Still, to the state haven't figured out exactly what that ISS. Maybe it's their approach, trying to memorize all of the facts about all the different algorithms,
00:23
but it's really not that hard. So let's take a closer look.
00:27
Okay, First of all, you have to understand some basic concepts. All right, in the symmetric world, it's the same key, the private key, the symmetric key. So it's the same key that is used in the asymmetric world. There is a public and private key pair. One key does the other key up annd does,
00:45
and there's different principles in play in the symmetric world, the only principle involved is confidentiality.
00:51
In the symmetric world, not only do you have confidentiality, but you also have integrity, authenticity, and I'm repudiation.
00:59
So you have to keep track of the principles as Ugo. Okay, in the basics of you know, confidentiality, we try to change plain text in the cipher, text and cipher text back in the plane tax and just some of the basic ways of doing that
01:12
institution in transposition or permutations. So substitution means to take out and replaced with something else. Ah, permutation is like a scrambling think Rubiks Cube here. Okay. And then, of course, there's the concept of, like, whole hard drive encryption and things like that. Otherwise, if you just look at it,
01:32
this is the landscape of cryptography. You've got the symmetric world. You've got the integrity world, you've got the asymmetric world.
01:40
You got all of that tied together in P. K I. And a handful of attacks otherwise is really just that simple. So let's start here with just symmetric.
01:51
Here it's It's basically different versions of the same stuff. This is all of these air, different procedures or different ways to hide stuff or encrypted or to get cipher tax. So plain text, the cipher text that protects the plane tax.
02:06
So the first challenge is how you're gonna remember all of the algorithms, rightly everything from a s says triple best idea cast, et cetera.
02:15
So there's an easy, easy pneumonic that you guys can remember to remember all of these symmetric algorithm. So watch this. This is super super easy. Great for test taking. A. These three guys had an idea to cast out the rod to fish for blowfish, but instead they receive serpents in the rain.
02:32
Very, very easy. You can rattle off pen symmetric algorithms just like that.
02:38
Otherwise, it's really just knowing a handful of details about each algorithm. Some of the algorithms, like Dez there a little bit outdated, but that's 56 bits worth of encryption, plus a picks, bits of parity equaling a 64 bit block sides were something like a Yes, it's got a variable block size 1 28 when then he tuned to 56
02:57
or things like Blowfish.
02:59
They use a 448 bit block size, so orbits worth of encryption. So 4 48 tends to be the dead giveaway here. Okay. Otherwise, you have exceptions to the rule of symmetric, which are things like pretty good privacy or G, PG or PG P
03:15
and one time pads or one time passwords. Unless I would put those all in the symmetrical
03:21
next. Let's talk about integrity. Integrity is not where we change plain text on the safer text, but rather the principle of integrity what we're trying to detect an unauthorised change, modification or alteration. So we have some data. We analyze it, we get an output, caught a message, digest or hash,
03:38
and you can hash a single file at a time, a whole directory at a time. Oh, hard drive, whole application, a Web server.
03:45
And basically, look, if any of those hash has changed well, that means there must be a change in integrity where something's been changed, modified or altered somewhere. Okay, most common algorithms. MD 5 128 Bits S A. J at 160. Although Shh does have variable bit sizes as well.
04:02
You can go Google Online Ashen Calculator.
04:06
There's some great online hashing Cal crew calculators where you'll put in the word password Select hash and it'll tell you the hash in all possible algorithms. Great tools, especially if he just wanted to know what the hash is for something like password or passport one or something like that.
04:23
Next principal is asymmetric. You're also gonna need a way to remember all of your asymmetric algorithms, so here's a great test taking technique. I call this the derricks model derricks for Diffie Hellman El Gamal Arcee Elliptical curve knapsack and asks for digital signature algorithm.
04:42
That's a real easy way to rattle off six asymmetric algorithms,
04:46
all of the asymmetric algorithms they use public end private keys. So the private key This is when you digitally sign something to prove that you are who you say you are. So that the sender or anybody with the public he can validate who you are. Okay, Very, very easy.
05:04
Diffie Hellman is more of a key exchange. Al Gamal,
05:08
very popular in the open source world, are a say very popular on the Internet, especially on websites. Elliptical curve very popular for devices with limited processing power. Net *** not that popular at all digital signature algorithm popular because it's a U. S. Standard
05:27
all right,
05:28
next week and see how all of this gets tied together in the world of Piquet. I Now you have the concept of a certification authority or certificate authority versus a registration authority, and it's very easy to use the analogy now analogy of the motor vehicle administration.
05:45
You go 11 line to register for a driver's license and then you go into another line to actually get the driver's license.
05:51
So you have a registration component, and then you have a certificate issuing and component. Now we just happened. Issue extort 509 certificates in the P K I world, but that would be the equivalent of a driver's license. And there's a good 80% crossover from all of the fields and values that are on your own driver's license
06:10
to all over the fields and next up. 509 certificate.
06:14
Other than that, really, the next thing to talk about is how do you get the the components of asymmetric to and from the clients? And this is where you have things like Defeat helmet or Internet key exchange. Or, um,
06:29
it's a camp, which is a keen management protocol, but nonetheless they manage all of the back and forth in the infrastructure of the public and private keys.
06:38
And then, just like in the motor vehicles, you have a revoked list of people that can't drive well in the P. K I world, you have a certification revocation list, which is a list of certificates that can no longer be used. Okay, and then you could, of course, use protocols like O C S P
06:54
well, mine certificates. That is protocol that dynamically checks the c r L. Where Sierra I was more of a manual concept. O C s P is more by dynamic protocol that actually checks to see if your driver's license or expect 509 certificate is actually revoked.
07:10
Then we can go into the attacks, and it's really known versus chosen plain text versus cipher text. So a known plain text attack. This is easy. This is where you know the plane tax and that's it. All right, we're choke or known cipher text. Not only do you know the plain text,
07:29
but you also know the corresponding safer text.
07:30
You might not know the algorithms. You might not know the keys. You might know how you might not know how often the keys air changed, but at least you have some other additional information you can use to try to break that cryptographic system.
07:43
Next is chosen. Site protects. This is where you choose what cipher text gets encrypted, which is often called like the lunchtime attack. Because you basically have to get a physical access to somebody's computer. You know, an encrypted using their account. Therefore, you're choosing what gets encrypted and then chose in plain text.
08:01
This is where you choose what actually gets decrypted.
08:05
Okay? Also, a very, very advanced attack. Because it assumes that you have to get at physical access, um, toe like a network router or something like that. So there's a handful of attacks that are relevant. Otherwise, the really only thing left to do is really to combine this with a handful of particles. All right, but
08:22
cryptography really doesn't change at this point. It's just
08:26
how is it implemented with protocols? So you have verticals like sshh which replace telnet. Okay. For terminal sessions commonly used in the administration world,
08:35
then you have any protocol that ends with an X secure l dab secure. Http, secure. Whatever. This is basically combining SSL war t l s with some sort of protocol. So it wraps all of the upper layer applications in a cryptographic crapper.
08:54
Okay, but nonetheless, they all realistically work the same.
08:56
Then you have network layer
09:00
cryptography like I p sec, which uses an authentication header and encapsulating security payload. I often use the analogy of a truck when I'm in the classroom. All right. So the header, that's the front of the truck. The payload. That's the back of the truck and the head. Or you can add an integrity check.
09:15
Um, see, MD five and shh. If you want more information or in the payload, you can add an integrity check and the confidentiality check.
09:22
And again, you can use MP five s H A or whatever the vendor supports in terms of secrecy. Dez, triple Daz and a yes are some of the most common
09:33
on. And then, of course, S S L N T l s. There's a great Wikipedia page on this That'll give you the whole history and the popularity of S S l N T l s. But nonetheless, they're just protocols. Okay, So, realistically, cryptography isn't that hard. Although I will tell you, countless network administrators and
09:52
countless
09:52
experts used the wrong words to talk about the wrong principles. They're using words like hashing when they really mean confidentiality. So they mix things up. But it's very, very, very easy. You have symmetric, you have asymmetric, you have integrity. And then you have P k I. All of that gets realistically tied together.
10:11
So let's go ahead and look at some hands on examples. I don't show you out of use tools like MD five Som,
10:18
um, or hash my files and a few of the other tools. I want to point out one last thing. There's a huge difference here between the academic world and the professional world. In the academic world, we have to learn all of the history and the nuts and the bolts of how all the algorithms work.
10:33
In the professional world, it's pretty simple. All you have to do is click a button, encrypt their decrypt
10:39
or hash or verify hash. And it's relatively pretty simple, so you can go get the theory. And that's always hopeful. There's plenty of good videos on this, um, or feel pretty. Watch my videos, but it's realistically not that hard, folks. It is 2014. So let's go ahead and look at some hands on examples

Up Next