CISSP Domain 3 Security Engineering – Part 2 – Cryptographic Concepts Cheat Sheet


Hebern Machines and Purple

Hebern machines are a class of cryptographic devices known as rotor machines, named after Edward Hebern. They look like manual typewriters with electrified rotors.

Enigma

Used by the German Axis powers during WWII. It had 3 finger wheels, each of which could be set to any number from 1-26; these settings were used as the key.

Sigaba

The Sigaba was a rotor machine used by the US in WWII. Due to its large size, it had limited field use.

Purple

Purple was the Allied name for the encryption device used by the Japanese Axis powers in WWII. It is described as a rotor machine but was actually a stepping-switch device which encrypted plaintext by adding code words.

Cryptography Laws

Intelligence derived from cryptanalysis was arguably as powerful as any bomb. This led to attempts to control cryptography through the same laws used to control bombs: munitions laws.

COCOM

The Coordinating Committee for Multilateral Export Controls was designed to control the export of critical technologies (including cryptography) to “Iron Curtain” countries during the Cold War. The US, Japan, EU, Australia, Turkey and the rest of the non-Soviet countries were members from 1947 to 1994.

Wassenaar Arrangement

Created in 1996 after COCOM ended. Includes former Soviet Union countries and relaxed many of the restrictions on exporting cryptography.

Types of Cryptography

Symmetric Encryption

Also known as secret key encryption; uses one key to encrypt and decrypt. The key must be kept secret and is often shared using an out-of-band method.
Strengths: Speed and Cryptographic strength per bit of key.
Weakness: Key must be kept secure and shared before two parties can communicate.

Stream and Block Ciphers

  • Stream mode: each bit is independently encrypted in a “stream”
  • Block mode: encrypts blocks of data each round: 64 bits for DES, 128 bits for AES. To emulate a stream, the block size can be set to 1 bit

Initialization Vectors and Chaining

  • Initialization Vector – Ensures the first encrypted block of data is random so identical plaintexts encrypt to different ciphertexts
  • Chaining – Uses feedback from previous cipher block to seed next block to be encrypted. This destroys patterns in resulting ciphertext
  • DES – does not use initialization vector or chaining

DES

DES is the Data Encryption Standard, which describes the Data Encryption Algorithm (DEA). Designed in the US in 1976 to address standardization. It is a symmetric cipher that uses a 64-bit block size (encrypts 64 bits each round) and a 56-bit key.

Modes of DES

  • Electronic Code Book (ECB) – earliest mode (hence – code book WWII), simplest and weakest, no vector, no chaining
  • Cipher Block Chaining (CBC) – XORs the previous encrypted block of ciphertext to the next block and uses an initialization vector; encryption errors can propagate, destroying integrity
  • Cipher Feedback (CFB) – Same as CBC but stream mode
  • Output Feedback (OFB) – uses previous cipher text as feedback, uses the subkey before it is XORed to plaintext; not affected by encryption errors, which will not propagate
  • Counter Mode (CTR) – Latest, similar to OFB but uses a counter, can be parallelized
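
The effect of the initialization vector and chaining described above, and the weakness of ECB, shown as an added example that is not part of the original post. It assumes a toy 64-bit Feistel cipher (`encrypt_block`, built on SHA-256) standing in for DES, and a constructed key and plaintext.

```python
import hashlib
import os

BLOCK = 8  # 64-bit block, the DES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(block, key, rounds=4):
    # Toy Feistel cipher (assumption: stands in for DES, which is not
    # in the Python standard library). Not secure; demo only.
    l, r = block[:4], block[4:]
    for i in range(rounds):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, _xor(l, f)
    return l + r

def blocks(data):
    # Input length must be a multiple of BLOCK (no padding in this demo)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    # No IV, no chaining: output block depends only on key and input block
    return b"".join(encrypt_block(b, key) for b in blocks(pt))

def cbc_encrypt(pt, key, iv):
    # Each plaintext block is XORed with the previous ciphertext block;
    # the IV plays that role for the first block
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed sample: three identical 8-byte blocks, then a different one
KEY = b"constructed-demo-key"
PT = b"SAMEBLK1" * 3 + b"OTHERBLK"

if __name__ == "__main__":
    iv = os.urandom(BLOCK)
    print("ECB repeats:", repeated_blocks(ecb_encrypt(PT, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(PT, KEY, iv)))
```

Repeated ciphertext blocks under ECB reveal which plaintext blocks are equal, which is why ECB output is a useful thing to check for when reviewing encrypted data at rest.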

Single DES

Encrypts 64bit blocks using 56bit key. Susceptible to brute force key attack due to advent of faster CPUs.

Triple DES 3DES

Applies single DES three times per block. Formally called Triple Data Encryption Algorithm. Slow and complex compared to newer algorithms.

Triple DES Encryption Order and Keying Options

  • 1TDES EDE – Encrypt, Decrypt, Encrypt with 1 key – results in same cipher text as DES for backwards compatibility
  • 2TDES EDE – Encrypt with key 1, Decrypt with key 2 (same as encrypt), and Encrypt with key 1 – results in 112bit key strength – used with legacy hardware with limited memory
  • 3TDES EDE – Encrypt with key 1, Decrypt with key 2, Encrypt with key 3 – results in 168bit key strength; effective strength is 112bit due to the meet-in-the-middle (MiTM) attack

2TDES and 3TDES EDE are still FIPS approved until 2030.

International Data Encryption Algorithm (IDEA)

International replacement to DES using 128bit key and 64bit block size. Drawbacks are patent encumbrance and slow speed compared to AES.

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV