Cryptography (Whiteboard)

This cryptography lecture discusses and demonstrates the key aspects of cryptography: concepts and attacks, PKI, symmetric and asymmetric algorithms, integrity, and the relationship with protocols. You’ll gain a deeper understanding of cryptography's basic principles in this whiteboard lecture video.

[toggle_content title="Transcript"]

This is one of the most under-valued lessons there is, hands down. It's the subject of Cryptography. And for whatever reason, a lot of people have problems with modern cryptography. Still to this day haven't figured out exactly what that is. Maybe it's their approach, trying to memorize all the facts about all the different algorithms. But it's really not that hard, so let's take a closer look.

OK, first of all, you have to understand some basic concepts. All right, in the symmetric world, it's the same key, the private key, the symmetric key, so it's the same key that is used. In the asymmetric world, there is a public and private key pair. What one key does, the other key un-does. And there's different principles in play. In the symmetric world, the only principle involved is confidentiality. In the asymmetric world, not only do you have confidentiality, but you also have integrity, authenticity, and non-repudiation. So you have to keep track of the principles as you go, ok?

In the basics of, you know, confidentiality, we try to change plain text into cipher text, and cipher text back into plain text. And just some of the basic ways of doing that [audio skips 0:01:16.7] ...institution in transposition or permutations. So substitution means to take out and replace with something else. A permutation is like a scrambling. Think Rubik’s Cube here, ok? And then of course, there's the concept of like, whole hard drive encryption and things like that.

Otherwise, if you just look at it, this is the landscape of Cryptography.
You've got the symmetric world, you've got the integrity world, you've got the asymmetric world, you've got all of that tied together in PKI and a handful of attacks. Otherwise, it's really just that simple.

So let's start here with just symmetric. Here, it's basically different versions of the same stuff. This is, all of these are different procedures or different ways to hide stuff, or encrypt it, or to get cipher text. So plain text to cipher text, cipher text to plain text. So the first challenge is, how are you going to remember all of the algorithms, right? Like everything from AES, DES, triple DES, [unintelligible 0:02:17.4], et cetera. So there's an easy, easy mnemonic that you guys can remember, to remember all of these symmetric algorithms. So watch this. This is super, super easy. Great for test-taking. A - D - three guys had an idea to cast out their rod to fish for blowfish, but instead they received serpents in the rain. Very, very easy. You can rattle off ten symmetric algorithms just like that. Otherwise, it's really just knowing a handful of details about each algorithm. Some of the algorithms, like DES, are a little bit outdated, but that's 56 bits worth of encryption plus eight bits of parity, equaling a 64-bit block size. Or something like AES, it's got a variable block size - 128, 192, and 256. Or things like Blowfish, they use a 448-bit box size. So, or bits worth of encryption. So 448 tends to be the dead giveaway here, ok? Otherwise, you have exceptions to the rule of symmetric, which are things like Pretty Good Privacy, or GPG or PGP, and one-time pads or one-time passwords. Nonetheless, I would have put all of them in the symmetric world.

Next, let’s talk about integrity. Integrity is not where we change plain text into cipher text, but rather the principle of integrity, what we're trying to detect a non-authorized change, modification or alteration. So we have some data, we analyze it. We get an output called a message digest or hash.
And you can hash a single file at a time, a whole directory at a time, a whole hard drive, a whole application, a whole web server. And basically look if any of those hashes change, well that means there must be a change in integrity or something's been changed, modified or altered somewhere, ok. Most common algorithms, MD5, at 128 bits, SHA at 160, although SHA does have variable bit sizes as well. You can go Google 'online hashing calculator'. There's some great online hashing calculators, where you put in the word 'password', select hash, and it will tell you the hash in all possible algorithms. Great tools, especially if you just wanted to know what the hash is for something like password, or password 1, or something like that.

Next principle is asymmetric. You're also going to need a way to remember all of your asymmetric algorithms. So here's a great test-taking technique. I call this the DEREKS model. DEREKS for Diffie-Hellman, ElGamal, RSA, Elliptical Curve, Knapsack and S for digital signature algorithm. It's a real easy way to rattle off six asymmetric algorithms. All of the asymmetric algorithms, they use public and private keys. So the private key, this is when you digitally sign something to prove you are who you say you are, so that the sender, or anybody with the public key can validate who you are, ok? Very, very easy. Diffie-Hellman is more of a key exchange. ElGamal, very popular in the open-source world. RSA, very popular on the internet, especially on websites. Elliptical curve - very popular for devices with limited processing power. Knapsack - not that popular at all. Digital signature algorithm - popular because it's a U.S. standard. All right?

Next we can see how all of this gets tied together in the world of PKI. Now you have the concept of a certification authority, a certificate authority versus a registration authority. It is very easy to use the analogy of the motor vehicle administration.
You go in one line to register for a driver's license, and then you go into another line to actually get the driver's license. So you have a registration component, and then you have a certificate issuing component. Now we just happen to issue X.509 certificates in the PKI world, but that would be the equivalent of a driver's license. And there's a good 80 percent crossover from all of the fields and values that are on your own driver's license, to all of the fields on an X.509 certificate. Other than that, really, the next thing to talk about is how do you get the components of asymmetric to and from the clients. And this is where you have things like Diffie-Hellman, or Internet Key Exchange, or ISAKMP, which is a key management protocol, but nonetheless, they manage all of the back and forth in the infrastructure of the public and private keys. And then, just like in the motor vehicles, you have a revoked list of people that can't drive, well in the PKI world you have a certification revocation list which is a list of certificates that can no longer be used. OK? And then you could, of course, use protocols like OCSP, Online Certificate Status Protocol, that dynamically checks the CRL. Or CRL is more of a manual concept, OCSP is more of a dynamic protocol that actually checks to see if your driver's license or X.509 certificate is actually revoked.

Then we can go into the attacks, and it's really known versus chosen, plain text versus cipher text. So a known plain text attack, this is easy. This is where you know the plain text and that's it. All right? With known cipher text, not only do you know the plain text, but you also know the corresponding cipher text. You might not know the algorithms, you might not know the keys, you might know how -- you might NOT know how often the keys are changed, but at least you have some other additional information you can use to try to break that cryptographic system. Next is chosen cipher text.
This is where you choose what cipher text gets encrypted, which is often called the lunch-time attack because you basically have to get physical access to somebody's computer and encrypt it using their account. Therefore, you're choosing what gets encrypted. And then chosen plain text, this is where you choose what actually gets decrypted, ok? Also a very, very advanced attack because it assumes that you have to get physical access to a network router, or something like that. So there's a handful of attacks that are relevant.

Otherwise, the only thing left to do is really to combine this with a handful of protocols. But cryptography really doesn't change at this point, it just, how is it implemented with protocols. So, you have protocols like SSH, which replace Telnet for terminal sessions, commonly used in the administration world. Then you have any protocol that ends with an 'S', secure LDAPS, secure HTTP, secure whatever. This is basically combining SSL or TLS with some sort of protocol, so it wraps all of the upper-layer applications in a cryptographic wrapper. But nonetheless, they all realistically work the same. Then you have network layer cryptography, like IPsec, which uses an authentication header and encapsulating security payload. I often use the analogy of a truck when I'm in a classroom. So the header, that's the front of the truck, the payload, that's the back of the truck. And the header, you can add an integrity check, see MD5 and SHA, if you want more information. Or in the payload, you can add an integrity check and a confidentiality check. And again you can use MD5 and SHA or whatever the vendor supports in terms of secrecy. DES, triple DES and AES are some of the most common. And then, of course, SSL and TLS. There's a great Wikipedia page on this, that will give you the whole history and the popularity of SSL and TLS. But nonetheless, they're just protocols, ok?
So, realistically, cryptography isn’t that hard, although I will tell you, countless network administrators and countless experts use the wrong words to talk about the wrong principles. They're using words like 'hash' and they really mean confidentiality. So they mix things up, but it's very, very, very easy. You have symmetric, you have asymmetric, you have integrity, and then you have PKI. All of that gets realistically tied together.

Let’s go ahead and have a look at some hands-on examples. I'm going to show you how to use tools like MD5 or HashMyFiles, and a few of the other tools.

I want to point out one last thing. There's a huge difference here between the academic world and the professional world. In the academic world, we have to learn all the history and the nuts and the bolts of how all the algorithms work. In the professional world, it's pretty simple. All you have to do is click a button. Encrypt or decrypt. Or hash. Or verify a hash. And it's relatively pretty simple. So you can go get the theory, and that's always helpful, there's plenty of good videos on this. Or feel free to watch my videos. But it's realistically not that hard, folks. It is 2014, so let's go ahead and look at some hands-on examples.

[/toggle_content]
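
The integrity check described in the lecture (hash every file, then look for any hash that changes), as an added example that is not part of the lecture or the original page. It assumes SHA-256 as the default algorithm; the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file, read in 64 KiB chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Map each file's path (relative to root) to its digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            manifest[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose digest changed, plus files added or removed."""
    changed = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {"modified": sorted(changed),
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def demo():
    """Run the check on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("debug=false\n")
        (root / "old.log").write_text("started\n")
        baseline = build_manifest(root)
        # Simulate an unauthorized edit, a new file, and a deletion.
        (root / "app.conf").write_text("debug=true\n")
        (root / "new.txt").write_text("unexpected\n")
        (root / "old.log").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest only detects changes if it is stored where whoever can alter the files cannot also alter the manifest.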