### CRISC

Course
Time
5 hours 20 minutes
Difficulty
CEU/CPE
7

### Video Description

This lesson covers cryptography. Cryptography produces ciphertext which is a formula consisting of plain text + initialization vector + algorithm + key. In cryptography, the plain text is unencrypted text, the initialization vector (IV) adds randomness to the beginning of the process and the algorithm is the collection of math functions that can be performed. The key is the instruction set on how to use the algorithm. There are two types of cryptography: symmetric and asymmetric. Symmetric is fast, has out of band key exchange, no integrity or non-repudiation and is not scalable. Asymmetric is slow, scales to large organizations well, provides non repudiation and the key exchange does not require exchange of any secret information.

### Video Transcription

00:04
the next section that we're gonna move into is cryptography. And again, we're gonna do this at a high level. You don't have to have a doctor in cryptography or be an expert on modular math in order to do well in this section. But you do want to get some basic concepts, and we'll talk about what cryptography brings for us. Just you know, the service is. It provides
00:23
the very basic elements. What's a key? What's an algorithm?
00:26
Ah, we'll talk about symmetric versus asymmetric, and then how we use the two of those together in order to get kind of the best of both worlds. Ah, the security service is that cryptography provides his privacy, authenticity, integrity and non repudiation and how we're gonna be able to get those.
00:44
And then we'll look specifically digital signatures and how digital
00:47
certificates make all this meaningful. So if we start out with just the very basics of cryptography, just getting some terms down plain text plus an initialization vector plus an algorithm plus a key, all that comes together to give me cipher text.
01:03
So the first part of this plain text that's kind of the easy part, right? That's our unencrypted text. It's in the clear.
01:08
We don't want to transfer that across the network because, of course, anybody that intercepts that would be able to view the content.
01:15
So we want to take that plain text in, transform it into cipher text. Well, a couple of different elements are necessary.
01:23
One of the things that we often use as a starting point is something called an initialization vector. An initialization vector provides randomness to the process so that we get more randomness basically. So the idea is, if we vary the starting point from where we begin,
01:42
we're just going to get more and more and more randomness and random. This is good with cryptography.
01:46
We want the cipher text to be as far removed from the plain text as possible. So this is a random starting point. Quite honestly, we can't really call it a random starting point because computers really can't do random. It's got to be based on something. So it technically is a pseudo random starting point,
02:05
and all that means is the starting point is gonna be
02:07
based off of maybe CPU speed, internal temperature's variables, you know, numerous variables and even though it's gonna feel random and act random. It technically is based on something else, but it's the ad random ization
02:21
now the next piece, the algorithm.
02:23
The algorithm is a collection of math functions that can be performed. So if you think about it, everything in your system gets broken down into numbers. A series of ones and zeros and many algorithms will chunk those the streams of data or the amounts of data into what are called blocks.
02:39
So we take this long amount of data. We chunk it into 64 bite blocks, or
02:45
128 k, or are 128 bit or whatever that size. Maybe will chunk them into blocks, and each block goes through a series of math processes to provide the substitution so which math processes can be used? All of that's referred to as the algorithm,
03:02
which math processes in which order and how many is driven by the key. So if you want to think of the algorithm as the math function and the key is the instruction on which math functions to use in what order? How many? That's kind of how they go together so you can see we take the plain text, which is unencrypted.
03:23
Start with randomness through the initialization vector or pseudo randomness.
03:28
We use a collection of math functions as our algorithm and the key drives. Which math function we use is part of the algorithm. So the key and the algorithm really go together. And those air, the essential piece, not every instance, is going to use an initialization vector. But it is helpful
03:43
when we talk about cryptography. There really two main types, they're symmetric cryptography, and there's asymmetric cryptography.
03:52
Symmetric cryptography is usually pretty easy for people to understand because it's what we're used to.
03:57
Okay, symmetric means sane. So the key that I used to encrypt the message you need that same key in order to decrypt it. Same symmetric one key. And you and I have to share that key between us, right? I've gotta have the key to encrypt. You've gotta have that same key to decrypt.
04:15
My house uses symmetric cryptography. When I leave in the morning, I lock it with my house key. And when I come back in the afternoon, I unlock it with my house key again.
04:25
If I try to use the wrong key. I'm not getting in.
04:28
Okay, so So metrics. Usually pretty easy to understand that there are a couple problems with symmetric.
04:33
The first is because you and I have to share a key. How do I get you that key?
04:40
You know, can I leave it for you? Take to your monitor, or can I send it to you via email? Or, um, in a high security environment, Can I put it under your keyboard? What can we do to distribute that key? And the answer is,
04:55
I don't know.
04:56
Actually, I do know. But the answer was symmetric. Cryptography is there's not a good, easy way to distribute keys with symmetric cryptography. So that's a problem. We gotta figure out some way ahead of time to get the key distributed. Okay, Now, the second problem with symmetric key cryptography is that symmetric cryptography really isn't
05:15
available
05:15
as in it doesn't grow well in a large environment. And there's a little formula you can use to figure out how many symmetric keys you need. Given what number of users you don't need that for this exam. But the idea is you need a lot of keys for a lot of users because I need a key to communicate with every person. But
05:34
they also need keys to communicate with every other person. So you wind up having a lot of keys
05:40
in a purely symmetric environment, so it doesn't grow well.
05:43
Third problem is, you only get privacy with symmetric cryptography.
05:49
If I can get you a key distributed securely, we get a good guarantee of privacy and confidentiality.
05:56
But
05:57
just because the message is encrypted with the key that you and I share doesn't prove it came from me. You've got that key also,
06:05
and I can always say, No, it came from you. You've got the key.
06:10
So cryptographic Lee speaking. We don't get authenticity with a symmetric key because two parties share that keep.
06:15
We also don't get any sort of guarantee that the message hasn't been modified, and that's integrity. Just because I've encrypted a message with the key doesn't guarantee it hasn't been corrupted,
06:27
right? And the non repudiation non repudiation is actually a combination of authenticity and integrity. Authenticity guarantees wth e identity of the sender
06:38
integrity guarantees. The message hasn't been modified, So non repudiation essentially says that a cinder can't dispute having sent the message nor the contents of that message. So if you don't have authenticity and you don't have integrity, there's no way you're gonna get non repudiation.
06:56
So symmetric apostrophe is somewhat limited with what we can use it with,
07:00
but it is fast, fast, fast.
07:03
So when it comes down to actual data exchange, symmetric cryptography, something that we want to do, we want to use symmetric cryptography.
07:11
However,
07:12
we need some way to solve all these other problems, and that's really where asymmetric cryptography comes in. An asymmetric cryptography solves many of these problems just in the very nature of how it works.
07:25
First of all, it deals with the scalability problem right off the bat,
07:29
because every user gets two keys, a key pair,
07:33
and they are a public and a private key.
07:35
So whether I have 10,000 users or two users, I will always have two keys as well every other person in my environment.
07:45
So right now we don't have to worry about containing the environments good for large environment. Um, the other thing that's important here is that we don't have to secretly distribute a key with asymmetric cryptography. I have a public key which I'll make readily available to anyone that want
08:05
Sit.
08:05
I do not need to protect my public key. It is public.
08:09
Okay, now I also have a private key, which is mine and mine alone. It should never be disclosed. It should never be compromised. And if it is, the key pair needs to be revoked. And then I need to be re issued a new key pair.
08:24
Okay, So with this public private key,
08:28
the heart and soul of asymmetric cryptography is that anything encrypted with one can only be decrypted with the other.
08:35
So if you can encrypt something with my public key and think about that for a minute, let's say you've got a message. You want to get to me securely. You want it to be private.
08:43
You can ask me for my public key.
08:46
I'll give that to you because it's public.
08:50
If you encrypt a message for me with my public
08:52
on Lee, my private will be able to decrypt it.
08:56
And only I should have my private key.
08:58
So we didn't have to send anything sensitive across the wire. You asked my public key. I gave it to you. You encrypted the message with my public key came to me on the only one that can decrypt it because I'm the only one who has the private key. Okay, so the relationship between the key pair is essential to how asymmetric cryptography works.
09:18
Now, when I say you asked me for my public, he
09:22
you don't really ask me for my public heat. Your application asks my application. So, for instance, when you're
09:30
going to a website and having a secure transaction when you connect to, say, capital one or any of the other banking servers Wells Fargo, whoever might be out there, you connect using h T T P.
09:43
S right. That s on the end, says I want to secure transaction. So what's happening is your Web browser is asking that Web server for its public key.
09:54
Remember,
09:54
anybody will give you their public key because it's not. There's nothing sensitive on it.
10:00
So when we do https, that's essentially saying, Hey, server, give me your public key.
10:05
And remember, I can use that servers public key to encrypt secret messages
10:09
because only that servers private key would be able to decrypt anybody intercepting the traffic or listening on the wire. Can't do anything with it.
10:18
Okay, so we get a lot of problems that are solved with asymmetric cryptography. We can also use asymmetric cryptography for authenticity as well.
10:30
Because if I decrypt, I'm sorry if I increase
10:33
a portion of my message Now, think this through because this could get a little tricky.
10:37
So I'm the sender. Kelly Hander hand. I'm sending you a message.
10:41
If I encrypt the message for you
10:46
with your public key, I get privacy. Right.
10:48
But what about if I encrypt just a tiny portion off that message with my private key?
10:56
Okay, if I take a portion of that message or let's say I put something on the message like a time stamp.
11:03
If I were to encrypt that with my private key,
11:07
you would decrypt it with my public key.
11:11
Okay, now that seems a little bit weird, right? Let's say I put a time stamp. It's 12 o'clock
11:16
and I encrypted with Kelly Hander Han's private key.
11:20
When you get that message specifically, your application gets that message. You're gonna try to decrypt the time stamp with Kelly Hander hands public.
11:28
If you can decrypt that time stamp
11:31
with Kelly Hander hands Public key.
11:35
It had to have been encrypted with Kelly Hander hands Private Key,
11:39
which only Kelly Hander hand has.
11:41
Okay, so when the sender uses their private key, they're guaranteeing their authenticity. Because when you decrypt whatever have encrypted with my public, you know it was encrypted with my private, So that's authenticity.
11:56
Okay, so asymmetric cryptography can provide more than just privacy.
12:01
That's a big benefit.
12:03
So pros and cons symmetric is fast, and that's enough to drive us to want to use symmetric cryptography. Okay, but we've got to figure out a way to exchange keys. We don't get authenticity, which means we're not going to get non repudiation. We don't get integrity with symmetric cryptography. It doesn't grow well, so we've got all these problems
12:22
now with asymmetric. It's slow,
12:26
fixes all the other problems, but it's slow.
12:30
So what we ultimately would like to do is find a way to use both of these and get a hybrid technology which really is gonna give us the best of both worlds, and that's where we're headed next

### CRISC

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

### Instructed By

Kelly Handerhan
Senior Instructor