### CompTIA CASP

Course
Time
10 hours 28 minutes
Difficulty
CEU/CPE
15

### Video Description

This lesson covers cryptographic uses for random numbers:

• Nonces
• Key generation

Participants also learn about symmetric ciphers, there are two types, block and stream. The lesson also discusses key types such as a 56-bit key and the importance of keeping algorithms open, aka Kerckhoff's Principle.

### Video Transcription

00:04
We had just talked about confidentiality, and we look, there are little conceptual formula where we take playing tax plus initialization that Europe was algorithms plus keep give a cipher text, and I had mentioned that with the key, we had
00:21
pseudo randomly generated numbers, not the key. I'm sorry, the initialization vector
00:26
on that. I didn't have to feel ready to act random, but it wasn't truly raining because computers can't truly recognize. So our initialization Victor's made out with pseudo rained number When it comes to rein them in this
00:42
random, this is very difficult to come by with computers. There really are very few things that are truly random. And when we talk about the true randomness, we refer to that as interest
00:55
interest. So I would associate that with randomness, and I would also know the idea again. There's very little true randomness, so instead we go with sudo
01:06
random information. When we talk about cryptography and we'll talk about exchange of information, encrypted information. There's a term of mention to you called a
01:17
knots a knocked. And the idea here is I think I mentioned that isn't in Tapper captures your password on the network
01:26
even if it's encrypted that Packer can play it back later, they've gotten their goal right. They've successfully accomplished what they set out to accomplish, whether or not they could reach. And we call that a replay attack. Encryption does not foil replay.
01:44
What we need for the refit play Tak is to have some sort of uniqueness information on each package.
01:52
So, for instance, of times if your server and we get pass word to No. One in 10 of two in two No. Three didn't want again.
02:00
Well, that, too. No one is that secrets, and you can tell it. So the idea is we like you need this information on each hackett, and that's the purpose of a nonce. It's almost like a sequence number. So again, Server A gets 1234562
02:20
also that realizes wait Tuesday sequence. But the problem with that is, if I'm an attacker monitoring the connection and I see packet 1234 black, assume the next half it should be stamped five, and I didn't craft a packet where, if that's all we were using,
02:38
I will not be able to be detected. This reef
02:43
So instead of just using in sequence numbers, we use something called a nonce and non to sort of create agreed upon mechanism for stamping uniqueness on our packets without it being sequentially.
02:58
So once again there's some sort of agreement. They're so sort handshake in the beginning of the process.
03:02
And then you know what number to expect from me, although a hacker who's watching the line or an attacker which is really more accurate would not be able to anticipate the next so quick. The purpose of the knowledge to convince replay attack ad you meet this. That's unpredictable. Teach
03:23
now again with key generation. One of the things we really haven't talked a lot about keys yet. Keys must be me. They must be random. They must be a suitable link.
03:35
So with key generation, that's certainly something that, even though this says uses of random numbers, it really is much more appropriate to say the pseudo random
03:47
are. So now over on the next slide,
03:51
Um,
03:53
let's talk a little bit about algorithms and then we'll talk about keys and what they do and I have a list. This address is cemented encryption, symmetric photography and if you'll remember there several other names Symmetric cryptography can go by
04:12
Private key cryptography
04:13
we called secret key cryptography can be called shared keeper Thomas E and can also be called session. He
04:21
so symmetrical. Khadafy goes by a lot of names Now what we said earlier as we said symmetric cryptography safe
04:30
the same key on both ends. So I'll encrypt with the key. You must have that same key too deep.
04:38
Your house uses metric for papa
04:41
and you leave in the morning. You walk your house with your house key When you come home in the evening you unlock your house with your house
04:47
and you try to unlock it with the wrong key. It's not gonna work.
04:51
So what's so important there is you and I have to know the key. It must be the same king used to encrypt. You use it to put those. I is on hold for just a minute and I want to talk to you about I talk to you about confusion into fusion in just a minute.
05:09
05:14
So we said symmetric ciphers could either be
05:17
wow
05:18
or ST.
05:21
All right, so for your block ciphers, what happens with the block ciphers? A block cipher is gonna chunk down into blocks. So maybe a 64 o'clock 128 block it really struck by the Albert. But the actors had this long dad of this this long amount out of these ones and zeros,
05:42
where to chuck it into maybe 64 bit
05:45
and each block is gonna go through series of malfunctions. I'll show you that
05:51
blocks lifers are slower but more secure.
05:56
And when I ask you which block cipher would be used to, whatever
06:01
the best answers are always gonna be tripled as and a B s. With the preference towards a yes and A s stands for advanced encryption standard that is the most common. That's sort of the default out. Even the most applications
06:17
default to. And the reason for that is that's what the government decided they were gonna use for their sensitive but unclassified information.
06:25
They decide that back in the early two thousands of things. 2002. So that's kind of what most programs were designed to default to. However, the predecessor that eight Yes, was an algorithm called Triple Dance. Sometimes I prefer that strip dance. One thing about trip this very feeling
06:44
processor chips
06:46
extremely process for intensive. So eight yes is much more preferable, just from inefficiency.
06:54
So let me show you help loss. Like
07:00
if you remember an algorithm, it's simply a collection. Math functions,
07:05
All right,
07:08
you may have noticed a slight Southern drawl. I am from North Carolina,
07:13
and I am the crowd
07:15
problem for victim. However, you won't think of it off the North Carolina public school systems.
07:21
So, um,
07:24
after 12 years in the fine public school establishment of North Carolina, this is all man.
07:30
I can take any number and to take any numbers. Track two multiplied by two races in power to take square root of divide by two. That's all the math I know.
07:43
Okay, so this is Kelly's Albert, simply a collection of math that can be performed.
07:48
So what theatrical rhythms specified is first of all, how we chunked that in the box. Do I use a 64 bit lock 1 28 to 56 bit block, and that's usually driven by the algorithm key.
08:03
So let's say I'm gonna take a 256.
08:07
Rightfully shocked at 256 bits,
08:11
every walk of data goes through a series of malfunctions and each one of those math functions. What happens? This substitution.
08:22
So, for instance, and I take this block and I have been through this particular man function. Once the man function is finished, I'm gonna have a separate result when I started with.
08:31
So the idea is we get substitution at every one of these blocks along the way.
08:37
There's something really important is when we talk about out Britain's. There are a couple of big pieces that were looking for. We're looking for confusion,
08:46
and we're looking for different
08:48
confusion in different
08:50
Well, confusion is so very important
08:54
because what confusion says is we need a good, strong
09:01
And if you look at the math out burgers, the malfunctions that I've used. Obviously this is very,
09:07
you know, there's nothing complex about Adam Choose. Well, the thing is,
09:13
when I create or my album consists of these malfunctions, you know a lot of people will judge algorithm by the Keeper.
09:22
You know, Fritz itself here will triple Triple Dance has 168 key? A. Yes, it's a 2 56 58 Yes, we'll speak that.
09:30
And in some instances, that's correct. But the point I wanna make here is unless you have good, strong man, it doesn't matter how long he had. I would have 2048 bit key, and this algorithm would be like that. So many things that making algorithm secure and strong.
09:48
The key is just one of
09:52
what we would look for. First of all, this confusion,
09:54
it was. Confusion
09:56
has to do with
09:58
this complex man,
10:01
and a lot of times that's associating with some execution.
10:05
So we don't want a malfunction where we add two strapped you to whatever we want. Good, strong confusion. We want math functions that theory long and very complex. Take into account the number of variables we want. Good, strong math. Call it diffusion.
10:26
Now, the next thing that more
10:28
diffusion
10:31
and diffusion can sometimes be referred to is for mutations
10:35
or
10:37
rounds. Diffusion. That's supposed to be around my hand, right? It's not the best. But rounds in a boxing match has 12 permutations, 12 rounds,
10:48
and I mentioned triple this,
10:54
as was the predecessor to triple death. And that's actually with the government used in the seventies to protect sensitive but unclassified information. It's kind of evolved throughout the years, but what Death Dance was the first algorithm to choke its data?
11:09
And could it Saturday? So dance with Chuck that into a 64 big block
11:15
and each block of data to go through Siri's of math functions.
11:18
Then you do it again
11:22
and again and in and then into that same walk of that. As a matter of fact, Daz wouldn't stab it through 16 permutations. Also, bonus round we'll triple. Does could sense data through three times that 48 rounds.
11:39
You can see that adds to the complexity. Absolutely,
11:43
and you could film the encryption crosses once twice 3456 only 48 times. That gives you a good, strong complexity.
11:52
But if you think about it, there's always trade off for security.
11:56
And as you could imagine, triple death is extremely process with ***.
12:01
So the reason we're not using triple this is not so much from a security perspective, but it's more about processing capabilities.
12:11
Triple gas was really not a long term solution. It was a quick easy Band aid. We could put on Dez for being rude. But this idea diffusion means the more rounds you put your dad threw, you do add to the complexity, and that's something that's designed.
12:26
I don't need you to memorize that Dad's goes through 48 per mutations, but the concept that does and tripped as is not very efficient and the big push to go to A s is that is very efficient.
12:41
Okay, now with block ciphers again with Chuck, that in blocks each lot those number of functions. But the question that is, which functions and what order and how many functions that's exactly were the chief comes in,
12:56
if you were called from just a little bit of the key is the instruction on how to use the bathroom. So how many functions are called what war root functions were called the randomness of the functions? All that's driven by,
13:13
they said, we have things we want for an algorithm.
13:18
We have things that we want from a key
13:22
way. Want a long qi
13:26
and I will mention this.
13:28
Um, the question is along he or short key best. You can't answer that because best is a very subjective term.
13:39
If all things are, you get greater protection with longer key. That's absolutely true.
13:45
However, what we said, not all things were equal. You might have fear sophisticate outward with Shorty versus a very silly basic out along. It's not always the key, that's the innovator.
13:58
But the other thing to keep in mind is, as you increase in, keeping
14:03
you also decrease in process is just like we've seen. So it's not so much of which is better
14:09
if all things were equal a longer he is forced.
14:13
But all things aren't always equal A s. For instance, you can use 128 91 92 year to 56.
14:22
So in that case, with a s being the algorithm in question, you have to 56 fifty's great.
14:30
But those calls performance. We want our kid to be good at random
14:35
again. Randomness is the friend of photography, or you could say patterns or the enemy of cryptography. So the longer the key, the more rain and keep more possibilities. And by the way, when I say along and you'll hear a 56 1 92 to 56
14:54
What that means is,
14:56
for instance, a 56 key
15:00
would mean they were 2 to 56. How
15:03
possibilities of keys somewhere in 70 quadrillion. That's a lot of these, but today's processing power that's not very large. S o. You know, we're talking about things like
15:18
you're 92 bit, he's or even with something like RC five
15:24
2 to 2048.
15:28
So just when you hear that business for keys, that's what it means is how many possible he's there would be and more possibilities for keys.
15:37
We will keep our secret, and we'll talk about that
15:41
now. One other thing on the dimension from Albertsons and said Confusion and diffusion or important. One other idea there are algorithms is it's generally considered that we would like our algorithms to be open. And that idea comes to us from a gentleman named her. Call
16:02
her calls. Principal said Albert, with should be open
16:06
meeting,
16:07
people should be able to see the math that my algorithm performs. Why?
16:11
Well, we just said earlier. This is very basic, man.
16:15
Maybe they're people out there that didn't go to North Carolina published two systems, and maybe there are people that helped me get more complex. Man,
16:23
we're sophisticated,
16:26
you know? The idea is sure the cryptographic community conceding it and they can break it. But they can also help me put it back together and make it much more strong from the inside out. If you've ever heard that phrase, many heads are better than one, that's the idea behind making code and operating system source and
16:45
all those things
16:47
is to bring the cryptographic the end. And as a general rule, that adds to the streets of the Kirk Off says, Let the out Britain's being known.
16:56
16:59
and think whether or not that sounds like something you think U. S government with father
17:03
probably think that through the government is not so much a fan of perk off. The government says, Listen, you need two pieces of information to be able to decrypt our information. You need to know the algorithm in the key, and we're not getting
17:17
so. It's not that Kirk calls principle is written in stone, but the cryptographic community really kind of supports this idea. The government protects the proprietary nature off their software off their outfits, algorithms should be open. We want confusion, diffusion,
17:36
confusion, good strong math diffusion. Put things through a number of rounds and then our key will take which functions are abused. Our case should be well, Bring them in secret. And one thing I will mention to you these functions are usually referred to as ehs costs.
17:56
17:56
s spots, one s spots to an s and s box ends for substitution
18:03
because again at each function or s pots some form of substitution.
18:10
This
18:11
So all this information is particular to a block cipher. Now some of these ideas will carry over the stream. Ciphers, which is the second type, will talk about just a minute. But again, a quick the block ciphers are slow. They're not as efficient, but they do provide greater security.
18:30
And one of the things about breaker security, they're hard to reverse.
18:33
So if I take that 128 key
18:37
and choke my dad and put it through a series of s boxes and then do it again and again in the end, even if you know what steps out before you can see how that would take a long time to back out so block ciphers to provide greater degree of security. But they're slow
18:53
if you get any questions on what Seifert would be used for W P. H. Two s,
19:02
her groups. And you those ideas A yes, is that when you want a default is A S is the basic block cipher that most applications

### CompTIA CASP

In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.

### Instructed By

Kelly Handerhan
Senior Instructor