# Module 18: Cryptography
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::
### **18.1 Confidentiality**
---
#### **18.1.1 Data Confidentiality**
- Two encryption types:
- **Symmetric Encryption**: Uses the same key for both encryption and decryption. Faster and suitable for large data volumes.
- **Asymmetric Encryption**: Uses a public-private key pair. Slower but enables secure data exchange and authentication.

---
#### **18.1.2 Symmetric Encryption**
- **Key Features**:
- Pre-shared key is required.
- Shorter key lengths (40–256 bits), faster processing.
- Often used for VPN traffic due to efficiency.

- **Encryption Modes**:
- **Block Cipher**:
- Encrypts fixed-length data blocks (e.g., 64-bit, 128-bit).
- Examples: DES (64-bit blocks), AES (128-bit blocks).

- **Stream Cipher**:
- Encrypts data bit-by-bit or byte-by-byte.
- Faster than block ciphers; commonly used for real-time communication.
- Examples: RC4, A5.

- **Common Algorithms**:
- **AES**: Secure, widely recommended, 128–256-bit keys.
- **DES**: Legacy, insecure.
- **3DES**: Deprecated, slow.
- **RC4**: Stream cipher, insecure.
- **SEAL**: Efficient stream cipher.
---
#### **18.1.3 Asymmetric Encryption**
- **Key Features**:
- Public key for encryption, private key for decryption.
- Long key lengths (512–4096 bits).
- Ensures confidentiality, authentication, and integrity.

- **Key Lengths**:
- 512–4096 bits; keys of 2048+ bits are considered secure.
- Longer key lengths provide higher security but are slower.
- **Common Algorithms**:
- **RSA**: Digital signatures, secure communication.
- **Diffie-Hellman (DH)**: Key exchange.
- **ECC**: Efficient, smaller keys.
- **ElGamal**: Secure but inefficient for large data.
---
#### **18.1.4 Asymmetric Encryption - Confidentiality**
- Public key encrypts the message; private key decrypts it.


- Only the holder of the private key can read the message.

- Common usage: Secure data transmission without pre-shared keys.
---
#### **18.1.5 Asymmetric Encryption - Authentication**
- Private key encrypts; public key decrypts.
- Proves the sender's identity as only the sender's private key could encrypt the message.
- Common usage: Verifying message authenticity.



---
#### **18.1.6 Asymmetric Encryption - Integrity**
- Combines confidentiality, authentication, and integrity:
1. Sender encrypts the message with the recipient's public key.

2. Hash is created and encrypted with the sender's private key.

3. Recipient decrypts the hash with the sender's public key to verify authenticity.

4. Recipient decrypts the message with their private key for confidentiality.

---
#### **18.1.7 Diffie-Hellman**
- **Purpose**:
- Securely exchange a shared secret between two parties over an untrusted network.
- No prior key sharing required.

- **Steps**:
1. Agree on a common base (e.g., a prime number or generator).
2. Both parties select private keys.
3. Exchange computed public keys.
4. Compute the shared secret using their private key and the other party's public key.
- **Security**:
- Based on the computational difficulty of discrete logarithms with large numbers.
- Larger DH groups provide greater security.
- **Groups Supported**:
- DH Group 1: 768 bits.
- DH Group 2: 1024 bits.
- DH Group 14: 2048 bits (recommended).
- DH Group 16: 4096 bits (high security).
- Elliptic Curve DH Groups (e.g., Group 19): Provide similar security with smaller key sizes.
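
The four steps above as an added worked example (not part of the course material). The prime `2**127 - 1` and base `3` are toy parameters chosen to keep the numbers readable; they are far smaller than DH Group 14 and are not one of the groups listed. The range check on the peer's public value and the SHA-256 key derivation are assumptions of this example that go beyond the listed steps.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example (assumption): p is the
# Mersenne prime 2**127 - 1 and g = 3. Real deployments use the groups listed
# above (for example Group 14, 2048 bits).
P = 2**127 - 1
G = 3


def generate_private_key(p=P):
    """Step 2: each party picks a secret exponent in [2, p-2] from a CSPRNG."""
    return secrets.randbelow(p - 3) + 2


def public_value(private, p=P, g=G):
    """Step 3: compute g^private mod p; this is what crosses the network."""
    return pow(g, private, p)


def check_peer_value(peer_public, p=P):
    """Reject 0, 1 and p-1 (and anything else out of range).

    Those values force the shared secret to 0, 1 or +/-1 whatever the local
    private key is, so a party that injected them already knows the result.
    """
    if not isinstance(peer_public, int) or not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")


def shared_secret(private, peer_public, p=P):
    """Step 4: peer_public^private mod p gives the same number on both sides."""
    check_peer_value(peer_public, p)
    return pow(peer_public, private, p)


def derive_key(secret, p=P):
    """Hash the shared secret into 32 bytes usable as a symmetric key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def run_exchange():
    """Simulate both parties; only the two public values are ever 'sent'."""
    a_priv, b_priv = generate_private_key(), generate_private_key()
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    key_a = derive_key(shared_secret(a_priv, b_pub))
    key_b = derive_key(shared_secret(b_priv, a_pub))
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("keys match:", key_a == key_b)
    print("derived key:", key_a.hex())
```
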
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/16-3-9-check-your-understanding-classify-the-encryption-algorithms-answers.html).
:::
>[!Warning]Recap
>There are two classes of encryption that are used to provide data confidentiality: asymmetric and symmetric. These two classes differ in how they use keys. Symmetric encryption algorithms, such as DES, 3DES, and AES, are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and PKI. Symmetric algorithms are commonly used with VPN traffic because they use fewer CPU resources than asymmetric encryption algorithms. Symmetric encryption algorithms are sometimes classified as either block ciphers or stream ciphers. Asymmetric algorithms (public key algorithms) are designed so that the key that is used for encryption is different from the key used for decryption. Asymmetric algorithms use a public and private key. Examples of protocols that use asymmetric key algorithms include IKE, SSL, SSH, and PGP. Common examples of asymmetric encryption algorithms include DSS, DSA, RSA, ElGamal, and elliptic curve techniques. Asymmetric algorithms are used to provide confidentiality without pre-sharing a password. The process is summarized using this formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality. The authentication objective of an asymmetric algorithm is initiated when the encryption process is started with the private key. The process can be summarized with this formula: Private Key (Encrypt) + Public Key (Decrypt) = Authentication. Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity. Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret key without having communicated before. Two examples of instances when DH is used are when data is exchanged using an IPsec VPN, and when SSH data is exchanged.
### **18.2 Obscuring Data**
---
#### **18.2.1 Introduction**
- **Overview**:
- Techniques like data masking and steganography obscure or conceal sensitive information.
- Aim: Ensure secure handling of data and conceal messages or sensitive content from unauthorized parties.
---
#### **18.2.2 Data Masking Techniques**
- **Purpose**:
- Replaces sensitive data with non-sensitive substitutes that look and behave like the original.
- Used in non-production environments for testing and analysis without compromising sensitive data.
- **Key Methods**:
- **Substitution**:
- Replaces sensitive values with authentic-looking values.
- Example: Masking personal data for anonymization.
- **Shuffling**:
- Substitutes sensitive data by deriving values from the same data column.
- Example: Shuffling financial data within a test database.
- **Nulling Out**:
- Applies null values to prevent visibility of sensitive data fields.
- Example: Blocking specific fields in testing environments.
---
#### **18.2.3 Steganography**
- **Purpose**:
- Conceals secret data (embedded data) within a cover medium (e.g., images, audio, video).
- **Advantage**:
- Unlike cryptography, it does not attract attention since the medium appears unaltered.
- **Components**:
- **Embedded Data**: The secret message.
- **Cover-Text/Image/Audio**: The medium hiding the message.
- **Stego Text/Image/Audio**: The resulting file after embedding the message.
- **Stego Key**: Controls the hiding process.
---
##### **Steganography Techniques**
1. **Least Significant Bits (LSB)**:
- Uses the least significant bits of pixels in an image to embed data.
- Example:
- Pixels in a 24-bit color system are encoded using three bytes (one for each color: Red, Green, Blue).
- Each pixel can store three bits of hidden data.
- Changes in LSB are imperceptible to the human eye.
- On average, fewer than half of the bits in an image need to change to effectively hide the message.
2. **Social Steganography**:
- Conceals information in plain sight using agreed-upon rules or context.
- Examples:
- Teens use phrases with hidden meanings, such as "going to the movies" implying "going to the beach."
- Individuals in censored regions might use deliberate misspellings or obscure references to convey hidden meanings.
3. **Detection (Steganalysis)**:
- Identifies the existence of hidden data.
- Common methods:
- **Disk Analysis**:
- Detects unused or reserved areas on storage devices that might contain hidden information.
- **Data Packet Filtering**:
- Captures and analyzes packet headers for steganographic signatures.
- **Visual Comparison**:
- Identifies repetitive patterns by comparing an original image to the altered stego image.
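
An added example (not part of the course material) of the LSB technique and of the comparison check listed under detection, reduced to raw pixel bytes. The 64-pixel cover buffer and the message are constructed sample data, and the function names are this example's own.

```python
def to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def capacity_bytes(pixel_bytes):
    """One hidden bit per colour byte, so three bits per 24-bit RGB pixel."""
    return len(pixel_bytes) // 8


def embed_lsb(cover, secret):
    """Overwrite the least significant bit of each colour byte with one bit."""
    bits = to_bits(secret)
    if len(bits) > len(cover):
        raise ValueError("message larger than cover capacity")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego, n_bytes):
    """Read n_bytes back out of the least significant bits."""
    out = bytearray()
    for start in range(0, n_bytes * 8, 8):
        value = 0
        for byte in stego[start:start + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


def compare_with_original(original, suspect):
    """Comparison check: report how the suspect buffer differs from the original.

    Differences confined to the lowest bit (delta of exactly 1 on every changed
    byte) are the footprint of LSB embedding; they are invisible on screen.
    """
    if len(original) != len(suspect):
        raise ValueError("buffers differ in size")
    diffs = [(o, s) for o, s in zip(original, suspect) if o != s]
    return {
        "changed_bytes": len(diffs),
        "max_delta": max((abs(o - s) for o, s in diffs), default=0),
        "lsb_only": all((o ^ s) == 1 for o, s in diffs),
    }


# Constructed sample data: 64 RGB pixels (192 colour bytes) and a short message.
COVER = bytes((i * 37 + 11) % 256 for i in range(64 * 3))
MESSAGE = b"meet at noon"

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    print("capacity (bytes):", capacity_bytes(COVER))
    print("recovered:", extract_lsb(stego, len(MESSAGE)))
    print("comparison:", compare_with_original(COVER, stego))
```
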
---
**Note**: Data masking and steganography are complementary techniques. Data masking primarily protects data in use for organizational processes, while steganography focuses on concealing communication or content. Both methods ensure the integrity and confidentiality of sensitive data.
>[!Warning]Recap
>Data masking can replace sensitive data in non-production environments to protect the underlying information. Methods include substitution, shuffling, and nulling out. Steganography conceals data in another file such as a graphic, audio, or video file. The advantage of steganography over cryptography is that the secret message does not attract any special attention.
### **18.3 Integrity and Authenticity**
---
#### **18.3.1 Securing Communications**
Organizations need to secure data traveling across networks, especially external traffic. Four key elements ensure secure communication:
- **Data Integrity**: Guarantees that the data has not been altered. Integrity is ensured using cryptographic hash algorithms such as SHA-2 and SHA-3. MD5 is a legacy algorithm and should be avoided due to its vulnerabilities.
- **Origin Authentication**: Confirms the sender's identity and ensures that the message is not a forgery. This is often achieved using hash-based message authentication codes (HMAC).
- **Data Confidentiality**: Ensures that only authorized users can access the message. Implemented using symmetric and asymmetric encryption algorithms.
- **Data Non-Repudiation**: Prevents the sender from denying the validity of a message. Non-repudiation relies on the unique characteristics of the sender, such as a digital signature.
---
#### **18.3.2 Cryptographic Hash Functions**
- **Purpose**: Used to verify and ensure data integrity.
- **Mechanism**:
- A hash function processes binary data to produce a fixed-length hash value (e.g., a "digital fingerprint").
- Any change to the data results in a different hash, making it infeasible to generate the same hash from two different data sets.
- Uses: Detect duplicate files, identify version changes, and validate data authenticity.

- **Example**: Grinding coffee beans is analogous to a hash function; it’s easy to grind beans but nearly impossible to reconstruct them.
---
#### **18.3.3 Cryptographic Hash Operation**
- **Formula**: $h = H(x)$
- $x$: Input data of arbitrary length.
- $H(x)$: Hash function applied to $x$.
- $h$: Fixed-length hash value.

- **Properties**:
- Input length can vary, but the output is always fixed.
- Easy to compute $H(x)$ for any $x$.
- Irreversible (one-way function).
- Collision-resistant: Two different inputs will almost never produce the same output.
---
#### **18.3.4 MD5 and SHA**
- **Hash Algorithms**:
- **MD5**:
- Produces a 128-bit hash.
- Considered insecure and should be avoided.
- **SHA-1**:
- Produces a 160-bit hash.
- Known flaws; a legacy algorithm.
- **SHA-2**:
- Includes SHA-224, SHA-256, SHA-384, and SHA-512.
- Recommended over SHA-1 and MD5.
- **SHA-3**:
- Next-generation algorithm introduced by NIST.
- Includes SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
- Preferred for new systems.

**Limitation**: Hashing only detects accidental changes, not intentional modifications. Man-in-the-middle attacks can compromise hashed data during transit.

---
#### **18.3.5 Origin Authentication**
- **HMAC (Keyed-Hash Message Authentication Code)**:
- Combines a hash function with a secret key to provide authentication and integrity.
- Prevents man-in-the-middle attacks by ensuring that only parties with the secret key can generate or verify the hash.
- Used in systems like SSL, IPsec, and SSH.
**HMAC Steps**:
1. **HMAC Hashing Algorithm**:
- Combines the plaintext message, secret key, and hash function to produce a fixed-length authenticated hash value.

2. **Creating the HMAC Value**:
- The sender inputs the message and secret key into the hash function to generate the HMAC digest, which is sent with the message.

3. **Verifying the HMAC Value**:
- The receiver calculates the hash using the received message and the shared secret key.
- If the calculated hash matches the sent hash, the message is authenticated and unaltered. Otherwise, the message is discarded.

**Cisco Router HMAC Example**:
1. **Sender**: Router $R1$ calculates the hash value using the secret key and message.
2. **Transmission**: The hash and message are sent to router $R2$.
3. **Receiver**: Router $R2$ recalculates the hash using its secret key. If the hash values match, the message is accepted; otherwise, it is discarded.
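
An added example (not part of the course material) of the R1/R2 exchange above, set beside the unkeyed-hash case from the limitation noted in 18.3.4. The key, the message contents and the function names are constructed for illustration.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-R1-R2"        # sample value, not a real key
UPDATE = b"route 10.1.0.0/16 via 192.0.2.1"       # constructed message
ALTERED = b"route 10.1.0.0/16 via 198.51.100.66"  # same message changed in transit


def r1_send_hmac(key, message):
    """Sender: R1 computes HMAC-SHA256 over the message and sends both."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def r2_check_hmac(key, message, tag):
    """Receiver: R2 recomputes the tag with its own copy of the key.

    compare_digest runs in constant time, so the comparison does not reveal
    how many leading bytes of a wrong tag happened to be correct.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def r2_check_hash_only(message, digest):
    """Receiver for the unkeyed scheme: a plain SHA-256 comparison."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def substitute_without_key(new_message):
    """What a party on the path can produce without the secret key: a
    replacement message plus a freshly computed unkeyed SHA-256 digest."""
    return new_message, hashlib.sha256(new_message).digest()


def run_scenarios():
    """Return the receiver's verdict for each case."""
    results = {}

    message, tag = r1_send_hmac(SHARED_KEY, UPDATE)
    results["hmac_untouched"] = r2_check_hmac(SHARED_KEY, message, tag)

    # Message replaced, original tag left in place.
    results["hmac_message_swapped"] = r2_check_hmac(SHARED_KEY, ALTERED, tag)

    # Message replaced and the tag replaced by a digest made without the key.
    alt_message, alt_digest = substitute_without_key(ALTERED)
    results["hmac_tag_recomputed_without_key"] = r2_check_hmac(
        SHARED_KEY, alt_message, alt_digest
    )

    # The same substitution against the hash-only scheme is accepted.
    results["hash_only_substituted"] = r2_check_hash_only(alt_message, alt_digest)
    return results


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case}: {'accepted' if accepted else 'discarded'}")
```
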

>[!Warning]Recap
>Organizations must provide support to secure data as it travels across links. There are four elements of secure communications: data integrity, origin authentication, data confidentiality, and data non-repudiation. Cryptography can be used almost anywhere that there is data communication. Hashes are used to verify and ensure data integrity. Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse. The cryptographic hashing function can also be used to verify integrity. A hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash. There are four well-known hash functions: MD5 with 128-bit digest, SHA-1, SHA-2, and SHA-3. While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor. Hashing is vulnerable to man-in-the-middle attacks. To provide integrity and origin authentication, something more is required. To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function.
### **18.4 Using Hashes**
---
#### **18.4.1 Hashing Files and Digital Media**
Hashing ensures the integrity of data by verifying that files or digital media remain unaltered. Common use cases include:
- **Software Verification**: Cisco provides MD5 and SHA checksums for IOS images, allowing users to compare the provided hash with their local file’s hash to confirm it has not been tampered with.
- **Digital Forensics**:
- Examiners create a hash of the original digital media and compare it with a bit-for-bit copy (digital clone) to confirm both are identical.
- Questions addressed by hashing in forensic analysis:
- Are the expected files present?
- Has the data been corrupted?
- Can the examiner prove that the files are intact and unaltered?
---
#### **18.4.2 File Integrity Scenario**
If the hash of a received file does not match the hash generated for the original file, this indicates:
- **The data file has been tampered with and should not be used.**
---
#### **18.4.3 Hashing Passwords**
Hashing algorithms convert passwords into fixed-length hashes that:
- Are irreversible, meaning the original password cannot be derived from the hash.
- Produce unique hashes for even the slightest input changes.
**Workflow for Password Hashing**:
1. During registration, the system stores the hashed password without saving the plaintext password.
2. During authentication, the system hashes the input password and compares it to the stored hash.

---
#### **18.4.4 Cracking Hashes**
Two main attacks used to guess hashed passwords:
1. **Dictionary Attacks**:
- Use precomputed hashes of common words and passwords.
- Compare these hashes to the target hash to find potential matches.
2. **Brute-Force Attacks**:
- Tries every possible combination of characters.
- Requires significant computational power and time.
- Long passwords make brute-force attacks impractical.
---
#### **18.4.5 Identifying Hashing Terminology**
Key hashing terminology includes:
- **Input**: Can be any length.
- **Output**: Always has a fixed length.
- **Hash Function**: Irreversible, meaning it cannot be reversed to retrieve the original input.
- **Fixity**: Ensures that one set of bits matches the original set, verifying data integrity.
---
#### **18.4.6 Salting**
Salting adds an extra layer of security to hashed passwords by:
- Adding a random string (salt) to the password before hashing.
- Ensuring identical passwords produce different hashes due to unique salts.
- Storing both the salt and the hash in the user’s database record.
---
#### **18.4.7 Implementing Salting**
**Best Practices**:
1. Generate a unique salt for every user using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
2. Never reuse salts.
3. Match the salt length to the hash function’s output length.
4. Always hash on the server in web applications.
5. Use **key stretching** to slow down brute-force attempts.
**Steps for Salting**:
1. Generate a random salt using a CSPRNG.
2. Append the salt to the password and hash it with a cryptographic hash function (e.g., SHA-256).
3. Store both the salt and the hash in the database.
4. During authentication, retrieve the stored salt and hash.
5. Recreate the hash with the user’s input and compare it with the stored hash.
---
#### **18.4.8 Preventing Attacks**
Salting mitigates various attack types:
1. **Lookup Tables**:
- Pre-compute password hashes for a dictionary of common passwords to compare with stored hashes.
- Salting invalidates precomputed lookup tables by introducing randomness.
2. **Reverse Lookup Tables**:
- Associate users to hashed passwords, enabling targeted dictionary or brute-force attacks.
- Unique salts ensure that identical passwords for different users produce different hashes, thwarting such attacks.
3. **Rainbow Tables**:
- Optimize storage by trading speed for smaller tables.
- Salting ensures rainbow tables cannot be effectively used to crack hashes.
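
An added example (not part of the course material) covering the salting steps in 18.4.7 and the lookup-table case in 18.4.8. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the key-stretching step instead of a single SHA-256 pass; the iteration count, the sample passwords and the record layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 32        # same length as the SHA-256 output (best practice 3)
ITERATIONS = 100_000   # key-stretching work factor; assumed value for this demo


def create_record(password, iterations=ITERATIONS):
    """Registration: fresh CSPRNG salt per user, store salt + stretched hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password, record):
    """Authentication: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_hash(password):
    """The weak baseline: one SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(common_passwords):
    """Precomputed hash -> password table, as described under Lookup Tables."""
    return {unsalted_hash(p): p for p in common_passwords}


def audit_store(stored_hashes, table):
    """Return {user: password} for every stored hash that the table exposes."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def demo():
    common = ["123456", "password", "Summer2024!"]            # constructed list
    table = build_lookup_table(common)
    users = {"alice": "Summer2024!", "bob": "Summer2024!"}    # same password

    unsalted = {user: unsalted_hash(pw) for user, pw in users.items()}
    records = {user: create_record(pw) for user, pw in users.items()}
    salted = {user: rec["hash"] for user, rec in records.items()}

    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_exposed": audit_store(unsalted, table),
        "salted_identical": salted["alice"] == salted["bob"],
        "salted_exposed": audit_store(salted, table),
        "login_ok": verify("Summer2024!", records["alice"]),
        "login_wrong": verify("summer2024!", records["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
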
>[!Warning]Recap
>Hash functions are one-way functions used to verify and ensure data integrity. A hash tool can also verify authentication. Every time the data changes, the hash value also changes. A cryptographic hash function has the following properties: the input can be any length, the output has a fixed length, the hash function is one-way and not reversible, and two different input values will almost never result in the same hash. The two most common hash algorithms are MD5 and SHA. To crack a hash, an attacker must guess the password. The two top attacks used are dictionary and brute-force attacks. A salt is an additional input added to the password. This creates a different hash result even when the two passwords are identical. A cryptographically secure pseudo-random number generator (CSPRNG) is the best way to generate the salt. Salting prevents an attacker from using a dictionary attack to guess passwords. Using a secret key in the hash using an algorithm called HMAC or KHMAC helps protect against dictionary or brute force attacks.
### **18.5 Public Key Cryptography**
---
#### **18.5.1 Using Digital Signatures**
Digital signatures use asymmetric cryptography to ensure authenticity, integrity, and nonrepudiation of data. Their key properties include:
- **Authentic**: Cannot be forged; proof that the signer signed the document.
- **Unalterable**: Prevents any alteration after the document is signed.
- **Not Reusable**: Signature cannot be transferred to another document.
- **Non-Repudiated**: Provides legal proof that the signer authorized the transaction.
**Common Uses**:
1. **Code Signing**: Verifies integrity and authenticity of software downloads.
2. **Digital Certificates**: Act as a virtual ID card for authentication and encryption.
**Digital Signature Algorithms**:
1. **Digital Signature Algorithm (DSA)**: Standard for generating key pairs and verifying signatures.
2. **Rivest-Shamir-Adleman (RSA)**: Widely used for creating and verifying signatures.
3. **Elliptic Curve Digital Signature Algorithm (ECDSA)**: Provides computational efficiency and minimal bandwidth usage.
---
#### **18.5.2 Digital Signatures for Code Signing**
Digital signatures verify the authenticity and integrity of software code:
- Confirm the publisher is the source of the code.
- Ensure the code remains unmodified after publishing.
- Provide nonrepudiation, proving the publisher’s identity.
**Key Details**:
- US Government FIPS 140-3 mandates that downloadable software must be digitally signed to prevent tampering.
- Certificates are included with files to validate their source and confirm they are unaltered.
**Example Process**:
1. **File Properties**: Show basic details such as publisher information.
2. **Digital Signature Tab**: Displays the algorithm (e.g., SHA-256) and the date of signature.
3. **Details**: Verifies the timestamp and signature authenticity.
4. **Certificate Information**: Specifies validity dates, the certificate issuer, and its purpose.
5. **Certificate Path**: Tracks the verification chain (e.g., Cisco > DigiCert).
---
#### **18.5.3 Digital Signatures for Digital Certificates**
Digital certificates authenticate identities and enable secure exchanges over the Internet. They:
- Verify the sender’s claimed identity.
- Encrypt replies to ensure confidentiality.
**How Digital Certificates Work**:
1. Certificates identify the subject (e.g., Bob) and include:
- Issuer details.
- Expiration date.
- Public key of the subject.
2. Example Scenario:
- Bob sends an order confirmation to Alice using his private key to encrypt the hash (digital signature).

- Alice verifies the signature by:
- Using Bob’s public key to decrypt the signature.
- Hashing the document and comparing it to the decrypted hash.
- If the hashes match, the document is authentic and unaltered.

This process ensures:
- **Authenticity**: The signature confirms Bob sent the document.
- **Integrity**: The document has not been modified since it was signed.
- **Nonrepudiation**: Bob cannot deny sending the document.
>[!Warning]Recap
>Digital signatures are a mathematical technique used to provide three basic security services: authenticity, integrity, and nonrepudiation. The properties of digital signatures are that they are authentic, unalterable, not reusable, and non-repudiated. Digital signatures are commonly used in the following two situations: code signing and digital certificates. There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures: Digital Signature Algorithm (DSA), Rivest-Shamir-Adleman Algorithm (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). Digitally signing code provides assurances about the software code: the code is authentic and is actually sourced by the publisher, the code has not been modified since it left the software publisher, and the publisher undeniably published the code. A digital certificate is equivalent to an electronic passport. It enables users, hosts, and organizations to securely exchange information over the internet. Specifically, a digital certificate is used to authenticate and verify that a user who is sending a message is who they claim to be.
### **18.6 Authorities and the PKI Trust System**
---
#### **18.6.1 Public Key Management**
Public Key Management facilitates secure communication by enabling the exchange of public key information between hosts. An SSL certificate confirms the identity of a website domain and ensures trust. Trusted Certificate Authorities (CAs) conduct rigorous investigations before issuing these certificates.
**Steps for SSL Certificate Management**:
1. A website owner purchases a certificate from a trusted CA.
2. The CA verifies the website's identity.
3. The certificate is issued and locally stored by web browsers for future transactions.
4. The public key within the certificate is used to verify communications between the website and clients.
**Analogy**:
- A digital certificate is akin to a driver’s license, where the CA acts like a licensing bureau that verifies identity.
**Public Key Infrastructure (PKI)**:
- PKI consists of specifications, systems, and tools for managing digital certificates.
- Certificates are issued by CAs and linked to confirmed identities.
- Examples of CAs include: IdenTrust, DigiCert, Sectigo, GlobalSign, and GoDaddy.
---
#### **18.6.2 The Public Key Infrastructure**
PKI supports large-scale public key distribution and identification, establishing a scalable trust relationship.
**PKI Components**:
1. **PKI Certificates**: Contain the public key, purpose, issuing CA, validity, and signature algorithm.
2. **Certificate Store**: Stores issued certificates and private keys on local machines.
3. **Certificate Authority (CA)**: A trusted entity that verifies identity and issues certificates.
4. **Certificate Database**: Maintains records of all approved certificates.

**Example Process**:
1. Bob obtains a certificate from a CA.
2. Bob exchanges the certificate with Alice.
3. Alice verifies Bob’s certificate with the CA.

**Note**: Registration Authorities (RAs) can issue certificates under root CAs for specific purposes.

---
#### **18.6.3 The PKI Authorities System**
Vendors such as Symantec, Comodo, and DigiCert offer CA services. Organizations can also establish private PKIs. Certificates are categorized into classes based on trust level.
**Certificate Classes**:
| **Class** | **Description** |
|-----------|----------------------------------------------------------------------------------------------------------|
| **0** | Testing purposes, no verification performed. |
| **1** | Used by individuals requiring email verification. |
| **2** | Used by organizations requiring proof of identity. |
| **3** | For servers and software signing; requires independent identity verification. |
| **4** | Used for online business transactions between companies. |
| **5** | Reserved for private organizations or government security. |

**Example**:
- Class 1 requires email confirmation, whereas Class 3 requires in-person identity verification with official documents.
---
#### **18.6.4 The PKI Trust System**
PKI trust models establish relationships between certificate authorities (CAs). There are three main topologies:
1. **Single-Root PKI Topology**:
- A single CA issues all certificates.
- Simple to manage but prone to single points of failure.

2. **Cross-Certified CA Topology**:
- Peer-to-peer trust relationships between CAs.
- Redundant and eliminates single points of failure.

3. **Hierarchical CA Topology**:
- Root CA delegates to subordinate CAs.
- Suitable for large organizations with diverse trust needs.

**Hybrid Model**:
- Combines hierarchical and cross-certified models to allow trust between different organizations.
---
#### **18.6.5 Interoperability of Different PKI Vendors**
PKI interoperability is essential for consistency between systems. X.509 v3 certificates provide a standardized format for digital certificates.
**Applications of X.509 v3**:
1. **SSL**: Website authentication and HTTPS implementation.
2. **IPsec**: Used in RSA-based VPN authentication.
3. **S/MIME**: Email protection using Secure/Multipurpose Internet Mail Extensions.
4. **EAP-TLS**: Authentication of devices in LANs using certificates.

**Note**: LDAP and X.500 protocols facilitate directory service queries for user authentication.

---
#### **18.6.6 Certificate Enrollment, Authentication, and Revocation**
PKI authentication starts by securely obtaining the CA's public key (self-signed certificate). Certificates can be distributed automatically by browsers or manually obtained through out-of-band methods for verification.
**Enrollment Process**:
1. Retrieve CA certificates via network.
2. Authenticate out-of-band using methods like phone verification.
3. Obtain digital identity certificates for users or devices.
**Certificate Revocation Methods**:
1. **Certificate Revocation List (CRL)**:
- Lists revoked certificate serial numbers.
- Entities poll CRL repositories regularly for updates.
2. **Online Certificate Status Protocol (OCSP)**:
- Provides immediate revocation status by querying OCSP servers.
- Updates are pushed to an online database.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/8-6-7-check-your-understanding-pki-assessment.html).
:::
>[!Warning]Recap
>When establishing a secure connection between two hosts, the hosts will exchange their public key information. There are trusted third parties on the internet that validate the authenticity of these public keys using digital certificates. The Public Key Infrastructure (PKI) consists of specifications, systems, and tools that are used to create, manage, distribute, use, store, and revoke digital certificates. PKI is needed to support large-scale distribution of public encryption keys. The PKI framework facilitates a highly scalable trust relationship. Many vendors provide CA servers as a managed service or as an end-user product. Some of these vendors include Symantec Group (VeriSign), Comodo, Go Daddy Group, GlobalSign, and DigiCert among others. The class number (0 through 5) is determined by how rigorous the procedure was that verified the identity of the holder when the certificate was issued, with five being the highest. PKIs can form different topologies of trust. The simplest is the single-root PKI topology. Interoperability between PKI and its supporting services is a concern because many CA vendors have proposed and implemented proprietary solutions instead of waiting for standards to develop. To address the interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Framework (RFC 2527).
### **18.7 Applications and Impacts of Cryptography**
---
#### **18.7.1 PKI Applications**
Public Key Infrastructure (PKI) provides essential support for various enterprise security implementations. Below are common uses of PKI:
- **SSL/TLS Certificate-Based Peer Authentication**: Establishes secure connections between parties.
- **Secure Network Traffic Using IPsec VPNs**: Ensures the confidentiality and integrity of traffic.
- **HTTPS Web Traffic**: Encrypts communication between web clients and servers.
- **802.1x Authentication**: Controls network access.
- **Secure Email with S/MIME**: Protects email confidentiality and authenticity.
- **Secure Instant Messaging**: Prevents eavesdropping in communication.
- **Code Signing**: Verifies the authenticity and integrity of application code.
- **Encryption File System (EFS)**: Safeguards user data through encryption.
- **Two-Factor Authentication with Smart Cards**: Adds an additional layer of authentication.
- **Securing USB Storage Devices**: Protects data stored on removable media.
---
#### **18.7.2 Encrypted Network Transactions**
Encrypted traffic, such as SSL/TLS, poses both advantages and risks in enterprise environments. While encryption protects data, it can hinder network monitoring and introduce security challenges.
**Risks of SSL/TLS Traffic**:
- **Malware Introduction**: Encrypted traffic can bypass network monitoring tools.
- **Data Leaks**: Confidential information can be exfiltrated through encrypted channels.
- **Regulatory Compliance Violations**: Failure to monitor encrypted traffic could lead to compliance issues.
**PKI-Related Issues**:
1. **Validity Date Range**:
- Certificates specify “not before” and “not after” dates.
- Browsers display security warnings if certificates are expired or invalid.
2. **Signature Validation Errors**:
- Occur when a certificate signature cannot be validated.
- Possible causes include missing CA root certificates in the browser's certificate store.
**Cipher Suites**:
- A modular set of cryptographic algorithms used in SSL/TLS.
- Includes components such as the Message Authentication Code Algorithm (MAC), encryption algorithm, key exchange algorithm, and authentication algorithm.
- Cipher suites can evolve to patch vulnerabilities without replacing the entire protocol.
---
#### **18.7.3 Encryption and Security Monitoring**
Encryption challenges security monitoring by making traffic opaque to traditional tools. Analysts must address these challenges to maintain network visibility and security.
**Monitoring Strategies**:
- **Differentiate Traffic Types**:
- Configure rules to distinguish between SSL and non-SSL traffic.
- Identify HTTPS versus non-HTTPS SSL traffic.
- **Server Certificate Validation**:
- Use CRLs and OCSP to verify certificate validity.
- **HTTPS Content Security**:
- Implement antimalware and URL filtering for HTTPS traffic.
- **Decrypt Traffic for Inspection**:
- Use solutions like Cisco SSL Appliances to decrypt SSL traffic and send it to IPS appliances for analysis.
**Cryptography and Security Investigations**:
1. **Targeted Attacks on Algorithms**:
- Attackers crack encryption algorithms to obtain keys, decrypting captured data.
2. **Hidden Malicious Traffic**:
- Encrypted command and control traffic can evade detection.
- Decryption and analysis are required to identify attack signatures or anomalous traffic.
**Challenges**:
- Decrypting traffic for analysis is time-consuming and may not always be feasible.
- TLS/SSL traffic detection is often a hit-or-miss process.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/8-7-4-check-your-understanding-recommend-encryption.html).
:::
>[!Warning]Recap
>There are many common uses of PKIs including a few listed here: SSL/TLS certificate-based peer authentication, HTTPS Web traffic, secure instant messaging, and securing USB storage devices. A security analyst must be able to recognize and solve potential problems related to permitting PKI-related solutions on the enterprise network. For example, threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in the network. Other SSL/TLS related issues may be associated with validating the certificate of the web server. PKI-related issues that are associated with security warnings include validity date range and signature validation. Some of these issues can be avoided due to the fact that the SSL/TLS protocols are extensible and modular. This is known as the cipher suite. The key components of the cipher suite are the Message Authentication Code Algorithm (MAC), the encryption algorithm, the key exchange algorithm, and the authentication algorithm. Cryptography is dynamic and always changing. You must maintain a good understanding of algorithms and operations to be able to investigate cryptography-related security incidents. Encrypted communications can make network security data payloads unreadable by cybersecurity analysts. Encryption can be used to hide malware command and control traffic between infected hosts and the command and control servers. In addition, malware can be hidden by encryption and data can be encrypted during exfiltration, making it hard to detect.