INFORMATION

ASSURANCE &
SECURITY 2
 MODULE 7
CRYPTOGRAPHY AND THE PUBLIC
KEY INFRASTRUCTURE
OBJECTIVES
Upon completion of this module, the student would be able to:
➢ Use tools to encrypt and decrypt data.
➢ Use cryptography to secure communications.
➢ Explain the role of cryptography in ensuring the integrity and authenticity of
data.
➢ Explain how cryptographic approaches enhance data confidentiality.
OBJECTIVES
Upon completion of this module, the student would be able to:
➢ Explain how the public key infrastructure (PKI) supports network security.
➢ Explain public key cryptography.
➢ Explain how the public key infrastructure functions.
➢ Explain how the use of cryptography affects cybersecurity operations.
CRYPTOGRAPHY
What is Cryptography?
Securing Communications
▪ Information security concerns
protecting network infrastructure
devices and securing data as it
travels on the network.
▪ Cryptography helps realize the four
objectives of information security:
• Data Confidentiality - only authorized
users can read the data.
• Data Integrity - the data has not been
altered by unauthorized parties.
• Origin authentication - the data has
actually originated at the expected
source.
• Non-repudiation – the integrity of the
message is irrefutable by the sender.
What is Cryptography?
Cryptology
▪ Cryptology is the science of making and
breaking secret codes. There are two
disciplines:
• Cryptography –This is the development and
use of codes that are used for communicating
privately. Specifically, it is the practice and study
of techniques to secure communications.
• Cryptanalysis – This is the breaking of those
codes. Specifically, it is the practice and study of
determining and exploiting weaknesses in
cryptographic techniques.
What is Cryptography?
Cryptography – Ciphers
▪ A cipher is an algorithm that consists of a series of well-defined steps that can be
followed as a procedure when encrypting and decrypting messages.
▪ The following are types of ciphers that have
been used over the years:
• Substitution cipher – Substitution ciphers retain the
letter frequency of the original message.
• Transposition cipher - In transposition ciphers, no
letters are replaced; they are simply rearranged.
• Polyalphabetic ciphers - Polyalphabetic ciphers are
based on substitution, using multiple substitution
alphabets.
What is Cryptography?
Cryptanalysis – Code Breaking
▪ A number of code breaking (cryptanalysis) methods exist, such as brute-force,
ciphertext, and known-plaintext, among others.

▪ Several methods are used in cryptanalysis:

• Brute-force - The cryptanalyst tries every possible key knowing that eventually one of them will work.
• Ciphertext - The cryptanalyst has the ciphertext of several encrypted messages but no knowledge of
the underlying plaintext.
• Known-Plaintext - The cryptanalyst has access to the ciphertext of several messages and knows
something about the plaintext underlying that ciphertext.
• Chosen-Plaintext - The cryptanalyst chooses which data the encryption device encrypts and observes
the ciphertext output.
• Chosen-Ciphertext - The cryptanalyst can choose different ciphertext to be decrypted and has access to
the decrypted plaintext.
• Meet-in-the-Middle - The cryptanalyst knows a portion of the plaintext and the corresponding
ciphertext.
What is Cryptography?
Keys
▪ With modern technology, security
of encryption lies in the secrecy of
the keys, not the algorithm.
Two terms that are used to describe
keys are:
• Key length - Also called the key size, this is
measured in bits. In this course, we will use
the term key length.
• Keyspace - This is the number of possibilities
that can be generated by a specific key length.

▪ As key length increases, the keyspace

increases exponentially.
Integrity and Authenticity
Cryptographic Hash Functions
▪ Cryptographic hashes are used to verify and ensure data integrity.
▪ Hashing is based on a one-way mathematical function that is relatively easy
to compute, but significantly harder to reverse.

▪ The cryptographic hashing function can also be used to

verify authentication.
▪ A hash function takes a variable block of binary data, called
the message, and produces a fixed-length, condensed
representation, called the hash.
▪ The resulting hash is also sometimes called the message
digest, digest, or digital fingerprint.
▪ With hash functions, it is computationally infeasible for two
different sets of data to come up with the same hash
output.
▪ Every time the data is changed or altered, the hash value
also changes.
Integrity and Authenticity
Cryptographic Hash Operation
▪ Mathematically, the equation h=
H(x) is used to explain how a hash
algorithm operates.
▪ A cryptographic hash function should
have the following properties:
• The input can be any length.
• The output has a fixed length.
• H(x) is relatively easy to compute for any
given x.
• H(x) is one way and not reversible.
• H(x) is collision free, meaning that two
different input values will result in
different hash values.
Integrity and Authenticity
MD5 and SHA
▪ Hash functions are used to ensure the integrity of a message. They ensure data has not changed accidentally
or intentionally.
▪ Three well-known hashing algorithms are 128-bit MD5, SHA-1, and SHA-2.
• MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy
algorithm. It is recommended that SHA-2 be used instead.
• SHA-1 – Very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160 bit hashed message and is
slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
• SHA-2 –Next-generation algorithm and should be used whenever possible.
▪ While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate
changes. There is no unique identifying information from the sender in the hashing procedure.
Integrity and Authenticity
Hash Message Authentication Code
▪ To add authentication to integrity assurance, a keyed-
hash message authentication code (HMAC) is used.
▪ To add authentication, HMAC uses an additional
secret key as input to the hash function.
▪ Only the sender and the receiver know the secret key,
and the output of the hash function now depends on
the input data and the secret key.
▪ Only parties who have access to that secret key can
compute the digest of an HMAC function.
▪ If the digest that is calculated by the receiving device
is equal to the digest that was sent, the message has
not been altered.
Confidentiality
Encryption
These two classes differ in how they use keys:
▪ Symmetric encryption algorithms - Encryption algorithms use the same key to encrypt and decrypt
data. They are based on the premise that each communicating party knows the pre-shared key.
▪ Asymmetric encryption algorithms - Encryption algorithms use different keys to encrypt and
decrypt data. They are based on the assumption that the two communicating parties have not
previously shared a secret and must establish a secure method to do so. Asymmetric algorithms are
resource intensive and slower to execute.
Confidentiality
Symmetric Encryption
▪ Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.
▪ Today, symmetric encryption algorithms are commonly used with VPN traffic. This is
because symmetric algorithms use less CPU than asymmetric encryption algorithms.
▪ When using symmetric encryption algorithms, like any other type of encryption, the
longer the key, the longer it will take for someone to discover the key.
▪ Most encryption keys are between 112 and 256 bits. Use a longer key for more
secure communications.
Confidentiality
Symmetric Encryption Algorithms
Encryption algorithms are
often classified as either:
▪ Block ciphers - Block ciphers
transform a fixed-length
block of plaintext into a
common block of ciphertext
of 64 or 128 bits.
▪ Stream Ciphers - Stream
ciphers encrypt plaintext one
byte or one bit at a time.

Well-known symmetric encryption algorithms include: Data Encryption Standard (DES), 3DES
(Triple DES), Advanced Encryption Standard, (AES) Software-Optimized Encryption Algorithm
(SEAL), Rivest ciphers (RC)
Confidentiality
Asymmetric Encryption Algorithms
▪ Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used
for encryption is different from the key that is used for decryption.
▪ The decryption key cannot, in any reasonable amount of time, be calculated from the encryption
key and vice versa.
▪ Asymmetric algorithms use a public key and a private key.
▪ Both keys are capable of the encryption process, but the complementary paired key is required for
decryption.
▪ The process is also reversible in that data encrypted with the public key requires the private key to
decrypt.
▪ This process enables asymmetric algorithms to achieve confidentiality, authentication, and integrity.
Confidentiality
Asymmetric Encryption – Confidentiality
▪ Asymmetric algorithms are used to
provide confidentiality without pre-
sharing a password.
▪ The confidentiality objective of
asymmetric algorithms is initiated when
the encryption process is started with
the public key.
The process can be summarized using the
formula: Public Key (Encrypt) + Private
Key (Decrypt) = Confidentiality
• When the public key is used to encrypt the
data, the private key must be used to
decrypt the data.
• Only one host has the private key.
Confidentiality
Asymmetric Encryption – Authentication
▪ The authentication objective of asymmetric algorithms is
initiated with the private key encryption process.
The process can be summarized using the formula
▪ Private Key (Encrypt) + Public Key (Decrypt) =
Authentication
▪ When the private key is used to encrypt the data, the
corresponding public key must be used to decrypt the
data.
▪ Because only one host has the private key, only that host
could have encrypted the message, providing
authentication of the sender.
▪ When a host successfully decrypts a message using a
public key, it is trusted that the private key encrypted the
message, which verifies the sender.
Confidentiality
Asymmetric Encryption – Integrity
▪ Combining the two asymmetric encryption processes provides message
confidentiality, authentication, and integrity.
Confidentiality
Diffie-Hellman
▪ Diffie-Hellman (DH) is an asymmetric
mathematical algorithm that allows two
computers to generate an identical shared secret
without having communicated before.
▪ The new shared key is never actually exchanged
between the sender and receiver.
▪ However, because both parties know it, the key
can be used by an encryption algorithm to encrypt
traffic between the two systems.
▪ The security of DH is based on the fact that it uses
unbelievably large numbers in its calculations.
▪ Unfortunately, asymmetric key systems are
extremely slow for any sort of bulk encryption.
This is why it is common to encrypt the bulk of the
traffic using a symmetric algorithm.
PUBLIC KEY INFRASTRUCTURE
Public Key Cryptography
Using Digital Signatures
▪ Digital signatures are a mathematical technique used to provide
authenticity, integrity, and nonrepudiation in the form of code
signing and digital certificates.
▪ Digital signatures are commonly used in the following two situations:
• Code signing –Code signing is used to verify the integrity of executable files
downloaded from a vendor website.
• Digital certificates – These are used to authenticate the identity of a system
and exchange confidential data.
▪ There are three Digital Signature Standard (DSS) algorithms used for
generating and verifying digital signatures:
• Digital Signature Algorithm (DSA)
• Rivest-Shamir Adelman Algorithm (RSA)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
Public Key Cryptography
Digital Signatures for Code Signing
▪ Digital signatures are commonly used to provide assurance of
the authenticity and integrity of software code.
▪ Executable files are wrapped in a digitally signed envelope,
which allows the end user to verify the signature before
installing the software.
▪ Digitally signing code provides several assurances about the
code:
• The code is authentic and is actually sourced by the publisher.
• The code has not been modified since it left the software publisher.
• The publisher undeniably published the code. This provides
nonrepudiation of the act of publishing.
Public Key Cryptography
Digital Signatures for Digital Certificates
▪ A digital certificate enables users, hosts,
and organizations to securely exchange
information over the Internet.
▪ Specifically, a digital certificate is used to
authenticate and verify that users
sending a message are who they claim to
be.
▪ Digital certificates can also be used to
provide confidentiality for the receiver
with the means to encrypt a reply.
Authorities and the PKI Trust System
Public Key Management
▪ When establishing an asymmetric connection between two hosts, the hosts will exchange their public key
information.
▪ Trusted third parties on the Internet validate the authenticity of these public keys using digital certificates.
The third party issues credentials that are difficult to forge.
▪ From that point forward, all individuals who trust the third party simply accept the credentials that the third
party issues.

▪ The Public Key Infrastructure (PKI) is an example of a

trusted third-party system referred to as certificate
authority (CA).
▪ The CA issues digital certificates that authenticate the
identity of organizations and users.
▪ These certificates are also used to sign messages to ensure
that the messages have not been tampered with.
Authorities and the PKI Trust System
The Public Key Infrastructure
▪ PKI is needed to support large-scale distribution and identification of public encryption keys.

▪ The PKI framework facilitates a highly scalable trust relationship.

▪ It consists of the hardware, software, people, policies, and procedures needed to create, manage, store,
distribute, and revoke digital certificates.
▪ Not all PKI certificates are directly received from a CA. A registration authority (RA) is a subordinate CA and is
certified by a root CA to issue certificates for specific uses.
Authorities and the PKI Trust System
The PKI Authorities System
▪ Many vendors provide CA servers as a managed service or as an end-user product.
▪ Organizations may also implement private PKIs using Microsoft Server or Open SSL.
▪ CAs issue certificates based on classes which determine how trusted a certificate is.
▪ The class number is determined by how rigorous the procedure was that verified the identity of the holder when
the certificate was issued.
▪ The higher the class number, the more trusted the certificate.
▪ Some CA public keys are preloaded, such as those listed in web browsers.
▪ An enterprise can also implement PKI for internal use.
Authorities and the PKI Trust System
The PKI Trust System
▪ PKIs can form different topologies of
Single-Root PKI
trust. The simplest is the single-root
PKI topology.
On larger networks, PKI CAs may be
linked using two basic architectures:
• Cross-certified CA topologies - This a
peer-to-peer model in which individual
CAs establish trust relationships with Cross-certified CA
other CAs by cross-certifying CA
certificates.
• Hierarchical CA topologies - The
highest level CA is called the root CA. It
can issue certificates to end users and
to a subordinate CA.
Hierarchical CA
Authorities and the PKI Trust System
Interoperability of Different PKI Vendors
▪ Interoperability between a PKI and its
supporting services is a concern because
many CA vendors have proposed and
implemented proprietary solutions
instead of waiting for standards to
develop.
▪ To address this interoperability concern,
the IETF published the Internet X.509
Public Key Infrastructure Certificate Policy
and Certification Practices Framework
(RFC 2527).
▪ The X.509 version 3 (X.509v3) standard
defines the format of a digital certificate.
Authorities and the PKI Trust System
Certificate Enrollment, Authentication, and Revocation
▪ All systems that leverage the PKI must have the CA’s public key, called the
self-signed certificate.
▪ The CA public key verifies all the certificates issued by the CA and is vital for
the proper operation of the PKI.
▪ The certificate enrollment process begins when CA certificates are retrieved
in-band over a network, and the authentication is done out-of-band (OOB)
using the telephone.
▪ The system enrolling with the PKI contacts a CA to request and obtain a
digital identity certificate for itself and to get the CA’s self-signed certificate.
▪ The final stage verifies that the CA certificate was authentic and is
performed using an OOB method such as the Plain Old Telephone System
(POTS) to obtain the fingerprint of the valid CA identity certificate.
▪ A digital certificate can be revoked if key is compromised or if it is no longer
needed.
Applications and Impacts of Cryptography
PKI Applications
▪ Some of the many applications of PKIs are:
• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x
authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encryption File System
(EFS)
• Implement two-factor authentication with smart
cards
• Securing USB storage devices
Applications and the Impacts of Cryptography
Encrypting Network Transactions
▪ Threat actors can use SSL/TLS to introduce regulatory
compliance violations, viruses, malware, data loss,
and intrusion attempts in a network.
▪ Other SSL/TLS-related issues may be associated with
validating the certificate of a web server. When this
occurs, web browsers will display a security warning.
PKI-related issues that are associated with security
warnings include:
• Validity date range - The X.509v3 certificates specify “not
before” and “not after” dates. If the current date is outside
the range, the web browser displays a message.
• Signature validation error - If a browser cannot validate the
signature on the certificate, there is no assurance that the
public key in the certificate is authentic.
Applications and Impacts of Cryptography
Encryption and Security Monitoring
▪ Network monitoring becomes more challenging when packets are encrypted.
▪ Because HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not
as easy to peek into user traffic.
▪ Here is a list of some of the things that a security analyst could do:
• Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL
traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system
(IPS) appliances to identify risks normally hidden by SSL.
• Diane Barrett/ Martin M. Weiss (2018).CompTIA Security+ SY0-501 Exam Cram (5th Edition)

• Emmett Dulaney and Chuck Easttom. CompTIA Security+ Study Guide: Exam SY0-501 7th Edition

• David L. Prowse (2018) Pearson. CompTIA Security+ SY0-501 Cert Guide (4th Edition)

• Cisco Networking Academy (Author).(June 25, 2018)CCNA Cybersecurity Operations Companion

Guide 1st Edition

• Omar Santos/ Joseph Muniz /Stefano De Crescenzo(June 17, 2017)CCNA Cyber Ops (SECFND #210-
250 and SECOPS #210-255)Official Cert Guide Library 1st Edition