CBROPS 200-201: Chapter 7 - Fundamentals of Cryptography & Public Key Infrastructure (PKI)

This mind map goes over key topics and definitions from Chapter 5 - Fundamentals of Cryptography


1. Multifactor Authentication

1.1. The process of authentication requires a subject to supply verifiable credentials; these credentials are referred to as factors.

1.2. In multifactor authentication, two or more factors are presented.

1.3. Multilayer Authentication

1.3.1. In multilayer authentication, more than one factor of the same type is used.

1.4. Identification

1.4.1. Identification is establishing identity.

1.5. Authentication

1.5.1. Authentication is about proving identity.

2. Single Sign-On System

2.1. 1. A user is accessing resources on Server B; for example, the user sends an HTTP GET request for a web page (step 1)

2.2. 2,3. SSO is used to provide authentication service for Server B. When Server A receives the request for a web page, it redirects the user to the SSO server of the organization for authentication (steps 2 and 3)

2.3. 4, 5. The user authenticates to the SSO server, which redirects the user back to Server B with proof of authentication—for example, a token (steps 4 and 5).

2.4. 6. Server B will validate the proof of authentication and grant access to resources.

3. Security Events & Log Management

3.1. Event (NIST SP 800-61r2)

3.1.1. An event is any observable occurrence in a network.

3.2. Security Incident

3.2.1. An event that violates the security policy of an organization.

3.3. Event Management

3.3.1. Includes administrative, physical, & technical controls that allow the proper collection, storage, and analysis of events.

3.3.2. Many compliance frameworks such as ISO & PCI DSS mandate log management controls & practices.

4. Symmetric & Asymmetric Algorithms

4.1. Symmetric Encryption Algorithm / Symmetric Cipher

4.1.1. uses the same key to encrypt and decrypt the data

4.1.2. Examples

4.1.2.1. DES

4.1.2.2. 3DES

4.1.2.3. AES

4.1.2.4. IDEA

4.1.2.5. Blowfish

4.1.2.6. RC2

4.1.2.7. RC4

4.1.2.8. RC5

4.1.2.9. RC6

4.2. Asymmetric Algorithm

4.2.1. Uses a public key pair: two keys, private and public, that work in tandem as a pair.

4.2.2. Public Key

4.2.2.1. The public key is available to anyone who wants to use it

4.2.3. Private Key

4.2.3.1. The private key is known only to the device that owns the key pair.

4.2.4. Examples

4.2.4.1. RSA (PKCS #1)

4.2.4.1.1. Key length ranges from 512 to 2048; the minimum for security is at least 1024. Slower than symmetric algorithms but can be used for signing and encryption. Uses integer factorization cryptography.

4.2.4.2. Diffie-Hellman (DH)

4.2.4.2.1. Allows the negotiation of a shared secret keying material (keys). The algorithm is asymmetric but the keys generated by the exchange are symmetric.

4.2.4.3. ElGamal

4.2.4.3.1. Is based on the DH exchange.

4.2.4.4. DSA

4.2.4.4.1. The Digital Signature Algorithm was developed by the US National Security Agency.

4.2.4.5. ECC

4.2.4.5.1. Elliptic curve cryptography is public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

5. Hashes

5.1. Used to verify data integrity. The output is also called a digest, message digest, or hash. A cryptographic hash function takes a block of data and creates a small-sized hash value.

6. The three most popular types of hashes

6.1. Message Digest 5 (MD5)

6.1.1. Creates a 128-bit digest

6.2. Secure Hash Algorithm 1 (SHA-1)

6.2.1. Creates a 160-bit hash digest.

6.3. Secure Hash Algorithm 2 (SHA-2)

6.3.1. Options of 224-bit digest & 512-bit digest.

7. Digital Signatures

7.1. Proves that you are who you say you are.

7.2. Core Benefits

7.2.1. Authentication, Data Integrity, Nonrepudiation

8. Description of next-generation encryption protocols

8.1. Suite B

8.1.1. Algorithms designed to meet future security needs, approved for protecting classified info at secret & top-secret levels.

8.1.2. Examples

8.1.2.1. Elliptic curve cryptography replaces RSA signatures with the ECDSA (EC variant of DSA)

8.1.2.2. DH → ECDH

8.1.2.3. AES in Galois/Counter Mode (GCM)

8.1.2.4. ECC digital signature algorithm

8.1.2.5. SHA-256

8.1.2.6. SHA-384

8.1.2.7. SHA-512

9. Public & Private Key pairs

9.1. A key pair is a set of two keys that work in combination as a team.

9.2. A public key may be shared with everyone, a private key is known only to the owner.

9.3. The private key can encrypt, the public key can decrypt and the inverse is also true. This process is also called public-key cryptography or asymmetric key cryptography.

10. Description of Certificate Authorities

10.1. A certificate authority is a computer or entity that issues digital certificates.

10.2. Digital certificates contain information about the device.

11. Identity Certificates

11.1. An identity certificate describes the client and contains the public key of an individual host (the client). Identity certificates are used by web servers, APIs, VPN clients, and web browsers (in some cases).

11.2. X.500 & X.509v3

11.2.1. X.500 is a series of standards focused on directory services and how those directories are organized. For example: CN=Batman (CN stands for common name), OU=engineering (OU stands for organizational unit), O=cisco.com (O stands for organization).

11.3. Enrollment with a CA

11.3.1. 1. Authenticate with the root CA, then request your own identity certificate with a public-private key pair.

11.3.2. 2. The CA signs your certificate; you can verify the digital certificate of the CA with the signature provided in the authentication step.

12. Methods to check if certificates have been revoked

12.1. Certificate Revocation List (CRL)

12.1.1. This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.

12.2. Online Certificate Status Protocol (OCSP)

12.2.1. This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

12.3. Authentication, Authorization, & Accounting

12.3.1. Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.

13. Identity & account life cycle management phases

13.1. Registration & Identity Validation

13.1.1. A user provides information and registers for digital identity. The issuer will verify the information and securely issue a unique and non-descriptive identity.

13.2. Privileges provisioning

13.2.1. The resource owner authorizes the access rights to a specific account, & privileges are associated with it.

13.3. Access Review

13.3.1. Access rights are constantly reviewed to avoid privilege creep.

13.4. Access Revocation

13.4.1. Access to a given resource may be revoked due, for example, to account termination.

14. Password Management

14.1. Password Creation

14.1.1. Organizations should have policies and standards for password creation: strength, age, reusability.

14.2. User-generated passwords

14.2.1. Users generate their own passwords, which are simple to remember but easy to guess and often reused across multiple systems.

14.3. System-generated passwords

14.3.1. Generated by the system; these are strong and compliant with security policy, but they can be difficult to remember and users tend to write them down.

14.4. OTP & token

14.4.1. Passwords are generated by an external entity & synced with an internal resource.

14.4.2. Users don't need to remember complex passwords. This method requires more infrastructure, and the software & hardware required generate deployment & maintenance costs.

15. Log Collection, Analysis, & Disposal

15.1. Log storage is critical for maintaining log confidentiality & integrity.

15.2. Information Collected via Logs

15.2.1. User ID, system activities, timestamps, successful or unsuccessful access attempts, configuration changes, network addresses & protocols, file access activities.

15.3. NIST SP 800-92

15.3.1. Defines three categories of logs of interest for security professionals.

15.4. Logs generated by security software

15.4.1. Antivirus/antimalware, IPS/IDS, web proxies, remote access software, authentication servers, vulnerability management software, infrastructure devices (firewalls, routers, switches, wireless access points)

15.5. Logs generated by the operating system

15.5.1. System events, audit logs

15.6. Logs generated by the applications

15.6.1. Connection & session info, usage info, significant operational action

15.7. Syslog (RFC 5424)

15.7.1. Event notification protocol with three main entities

15.7.1.1. Originator

15.7.1.1.1. The entity that generates a Syslog message

15.7.1.2. Collector

15.7.1.2.1. The entity that receives info about an event in Syslog format

15.7.1.3. Relay

15.7.1.3.1. An entity that can receive messages from originators and forward them to other relays or collectors.

15.7.2. Syslog Facility

15.7.2.1. Kernel Messages (0)

15.7.2.2. User-level messages (1)

15.7.2.3. Mail system (2)

15.7.2.4. System daemons (3)

15.7.2.5. Security/Authorization messages (4)

15.7.2.6. Messages generated by Syslogd (5)

15.7.2.7. Line printer subsystem (6)

15.7.2.8. Network news subsystem (7)

15.7.2.9. UUCP subsystem (8)

15.7.2.10. Clock daemon (9)

15.7.2.11. Security/authorization messages (10)

15.7.2.12. FTP daemon (11)

15.7.2.13. NTP subsystem (12)

15.7.2.14. Log Audit (13)

15.7.2.15. Log alert (14)

15.7.2.16. Clock daemon (15)

15.7.2.17. Local use 0-7 (16-23)
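
The facility codes above travel in the PRI field that opens every Syslog message. The following is an added example, not part of the original mind map: it decodes PRI and keeps only messages from the security/authorization facilities (4 and 10). The PRI formula (facility × 8 + severity) and the severity names are taken from RFC 5424 rather than from this outline, and the sample messages are constructed.

```python
import re

# Facility codes as listed in the outline above.
FACILITY = {
    0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "security/auth",
    5: "syslogd", 6: "line printer", 7: "network news", 8: "UUCP",
    9: "clock", 10: "security/auth", 11: "FTP", 12: "NTP",
    13: "log audit", 14: "log alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},
}
# Severity names come from RFC 5424, not from the outline.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]
# PRI is 1-3 digits in angle brackets, with no leading zero except "<0>".
PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")


def decode_pri(line):
    """Return (facility_code, facility_name, severity_name), or None if malformed."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the highest valid PRI
        return None
    code, sev = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    return code, FACILITY[code], SEVERITY[sev]


def auth_events(lines):
    """Keep (severity, line) for the security/authorization facilities (4 and 10)."""
    hits = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded and decoded[0] in (4, 10):
            hits.append((decoded[2], line))
    return hits


# Constructed sample messages (hosts and contents are made up).
SAMPLE = [
    "<34>1 2024-05-01T10:00:00Z host1 su - - - 'su root' failed for user1",
    "<86>1 2024-05-01T10:00:05Z host1 sshd 411 - - session opened for user1",
    "<165>1 2024-05-01T10:00:09Z host2 app - - - cache refreshed",
    "<999>1 2024-05-01T10:00:11Z host3 app - - - PRI out of range",
]

if __name__ == "__main__":
    for severity, line in auth_events(SAMPLE):
        print(severity, "|", line)
```
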

16. Ciphers & Keys

16.1. Cipher

16.1.1. Also called an algorithm: the rules for how to perform encryption & decryption

16.1.2. Common Cipher Methods

16.1.2.1. Substitution

16.1.2.1.1. Character substitution

16.1.2.2. Polyalphabetic

16.1.2.2.1. Similar to substitution but with more alphabets

16.1.2.3. Transposition

16.1.2.3.1. Any option that involves rearranging letters

16.2. Key

16.2.1. Instructions on how to reassemble characters. For example, a one-time pad (OTP) could encrypt a 32-bit message with a 32-bit key called a pad.

16.2.2. Key Management

16.2.2.1. Deals with the relationship between users & keys.

16.2.2.2. Specifically deals with generating keys, verifying keys, exchanging keys, storing keys, and, at the end of their lifetime, destroying keys.

17. Block & Stream Ciphers

17.1. Block Cipher

17.1.1. Is a symmetric key cipher (same key used to encrypt & decrypt) that operates on a group of bits called a block.

17.1.2. May add padding for a full block if necessary.

17.1.3. Examples

17.1.3.1. Advanced Encryption Standard (AES)

17.1.3.2. Triple Digital Encryption Standard (3DES)

17.1.3.3. Blowfish

17.1.3.4. Digital Encryption Standard (DES)

17.1.3.5. International Data Encryption Algorithm (IDEA)

17.2. Stream Cipher

17.2.1. Is a symmetric key cipher (same key used to encrypt & decrypt) that operates on a bit at a time against the keystream, called a cipher digit stream.

17.2.2. May have slightly less overhead than a block cipher since it does not require a block.

18. Hashed Message Authentication Code (HMAC)

18.1. Uses the mechanism of hashing with a secret key. Thus, only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. Interception and modification are unrealistic since the attacker does not have the secret key.

18.2. MD5

18.2.1. Is an insecure hash function.

18.3. SHA-256

18.3.1. Provides adequate protection for sensitive information.

18.4. SHA-384

18.4.1. Used to protect classified information.

19. Digital Signatures in Action

19.1. Digital Signature

19.1.1. 1. For example, Batman takes a packet, generates a hash, and then encrypts it with his private key.

19.1.2. 2. Batman attaches this encrypted hash (digital signature) to the packet and sends it to Robin.

19.1.3. 3. Robin decrypts the packet with Batman's public key and runs the hash function; if the hashes match, we know Batman is who he says he is. This is authentication using digital signatures.

19.1.4. The keys are exchanged with the certificate exchange; these certificates are trusted if they are signed by a CA they both trust.

19.1.5. Certificate Authority (CA)

19.1.5.1. A trusted entity that hands out digital certificates.

20. Description of IPsec & SSL

20.1. IPsec

20.1.1. A suite of protocols to protect IP packets. Typically used in remote-access VPNs & site-to-site VPNs.

20.2. SSL/TLS

20.2.1. Is typically used for remote-access VPNs & secure communications with web services.

21. RSA Algorithm, the Keys, & Digital Signatures

21.1. Keys

21.1.1. Secrets that allow cryptography to provide confidentiality.

21.1.2. With RSA digital signatures, each party has a public-private key pair because both parties intend on authenticating the other side.

21.1.3. A CA takes each of their public keys as well as their names and IP addresses and creates individual digital certificates, and the CA issues these certificates back to each party respectively. The CA also digitally signs each certificate.

21.2. Digital Signature

21.2.1. 1. Batman takes some data, generates a hash, and then encrypts the hash with Batman’s private key.

21.2.2. 2. This encrypted hash is inserted into the packet and sent to Robin. This encrypted hash is Batman’s digital signature.

21.2.3. 3. Having received the packet with the digital signature attached, Robin first decodes or decrypts the encrypted hash using Batman’s public key.

21.2.4. 4. Robin then sets the decrypted hash to the side for a moment and runs a hash against the same data that Batman did previously. If the hash that Robin generates matches the decrypted hash, which was sent as a digital signature from Batman, then Robin has just authenticated Batman—because only Batman has the private key used for the creation of Batman’s digital signature.
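
The four steps above (and the shorter version under "Digital Signatures in Action"), as an added example that is not part of the original mind map. It is textbook RSA over a SHA-256 hash using only the standard library; the key is a constructed toy built from two publicly known primes, and real RSA signatures also apply a padding scheme (PKCS #1) that is left out here.

```python
import hashlib

# Constructed toy key: two publicly known Mersenne primes. Never use such a
# key in practice; it only lets the example run without extra libraries.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (in Batman's certificate)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (known only to Batman)


def digest(data: bytes) -> int:
    """Hash the data with SHA-256 and return the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Steps 1-2: hash the data, then transform the hash with the private key."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Steps 3-4: recover the hash with the public key, re-hash, and compare."""
    if not 0 <= signature < n:       # reject values outside the key's range
        return False
    return pow(signature, e, n) == digest(data)


if __name__ == "__main__":
    packet = b"meet at the signal at 21:00"       # constructed sample data
    sig = sign(packet)
    print("genuine packet verifies:", verify(packet, sig))
    print("modified packet verifies:", verify(b"meet at the signal at 22:00", sig))
    print("altered signature verifies:", verify(packet, sig ^ 1))
```

The modified packet fails because its hash no longer equals the one recovered from the signature, which is the data-integrity benefit listed under "Digital Signatures".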

22. Root Certificates

22.1. A root certificate contains the public key of the CA server and other details about the CA server.

22.2. Certificate Parts

22.2.1. Serial Number

22.2.1.1. This is the number issued and tracked by the CA that issued the certificate.

22.2.2. Issuer

22.2.2.1. This is the CA that issued this certificate. (Need to have their certificates issued from someone, could be themselves.)

22.2.3. Validity Dates

22.2.3.1. These dates indicate the time window during which the certificate is considered valid.

22.2.4. The subject of the certificate

22.2.4.1. Includes organizational unit (OU), organization (O), country (C), other details commonly found in an X.500 structured directory.

22.2.5. Public Key

22.2.5.1. Contents of the public key and the length of the key.

22.2.6. Thumbprint algorithm and thumbprint

22.2.6.1. Hash of certificate.

23. Simple Certificate Enrollment Protocol (SCEP)

23.1. Cisco, in association with a few other vendors, developed the Simple Certificate Enrollment Protocol (SCEP), which can automate most of the process for requesting and installing an identity certificate.

24. Key Terms

24.1. Block Ciphers

24.1.1. A symmetric key cipher that operates on a group of bits called a block. The same key is used to encrypt and decrypt.

24.2. Symmetric Algorithms

24.2.1. An encryption algorithm that uses the same key to encrypt and decrypt.

24.3. Asymmetric Algorithms

24.3.1. An encryption algorithm that uses two different keys, private & public; together these make a key pair.

24.4. Hashing Algorithms

24.4.1. An algorithm used to verify data integrity.

24.5. Digital Certificates

24.5.1. A digital entity used to verify that the user is who he or she claims to be and provide the receiver a means to encode a reply. Can apply to systems as well.

24.6. Certificate Authority

24.6.1. A system that generates and issues digital certificates to users and systems.

24.7. Advanced Encryption Standard (AES)

24.7.1. A symmetric-key encryption algorithm used by most modern crypto implementations. Defined in FIPS PUB 197: "Advanced Encryption Standard (AES)" and ISO/IEC 18033-3: "Block Ciphers".

24.8. Online Certificate Status Protocol (OCSP)

24.8.1. A protocol used to perform certificate validation.