CISSP Domain 3 Security Engineering – Part 2 – Cryptographic Concepts Cheat Sheet

Advanced Encryption Standard (AES)

Current US standard symmetric block cipher using 128bit (10 rounds), 192bit (12 rounds), 256bit (14 rounds) keys and 128bit blocks of data. It is open and free to use.

Choosing AES

NIST sought input from the public for DES replacement in 1997 that would be faster and more secure. The five finalists were; MARS, RC6, Rijndael, Serpent and two fish.
Rijndeal was chosen and became the AES standard due to best combination of security, performance, efficiency, and flexibility.

AES functions

  • ShiftRows – Provides diffusion by shifting rows of the state. It treats each row like a row of blocks, sifhting each a different amount320px-aes-shiftrows-svg
  • MixColumns – Provides diffusion by mixing the columns of the state via finite field mathematics320px-aes-mixcolumns-svg
  • SubBytes – Provides confusion by subsituting the bytes of a state320px-aes-subbytes-svg
  • AddRoundkey – is the final function applied in each round. It XORs the state with the subkey. The subkey is derived from the key and is different for each round of AES320px-aes-addroundkey-svg

Blowfish and Twofish

  • Blowfish – Uses 32 through 448bit (default 128bit) keys and 64bit blocks
  • Twofish – Uses 128 through 256 bit keys and 128bit blocks

Both are free and unpatented and AES finalists

RC5 and RC6

  • RC5 – Key size range from 0 – 2040bit and 32,64, or 128 bit blocks
  • RC6 – Key size 128,192 or 256 bit key, and encrypte 128 bit blocks – based on RC5 and AES finalist

Asymmetric Algorithm

Solves the challenge of pre-shared keys, the asymetric encryption (aka public key encryption) uses two keys; you encrypt with one and decrypt with other. One key is made public. Whoever that wants to communicate with you will download and use the public key to encrypt. The public key cannot decrypt the plaintext. Only the private key can decrypt it and therefore must be kept private and secure. This works the otherway around, communication can be encrypted using the private key and decrypted using the public key used for signature signing.

Asymmetric Methods

  • Factoring Prime Numbers – Basis of the RSA algorithm , An example of one-way function (easy to computer one way but not the other). Factoring large composite number is so difficult that the composite number can be safely publicly posted (public key). The primes that are multiplied (which is easy) to create the public key must be kept private (private key)
  • Discrete logarithm – Computing logorithms to groups is hard to solve, thus forms the basis to Diffie-Helman and ElGamal asymmetric algorithms
  • Diffie-Hellman Key Agreement Protocol – Allows two parties to securely agree on a symmetric key via public channel such as internet with no prior key exchange.
  • Elliptic Curve Cryptography – ECC uses one way function that uses discrete logarithms applied to elliptic curves. This is harder than discrete logorithms and are much more secure and stronger per bit. ECC requires less computational resources due to shorter keys and are used in low power devices due to this reason.

Asymmetric and Symmetric Tradeoffs

Asymmetric algorithms are slower, and weaker per bit length compared to symmetric. Both encryption algorithms are used together, ie Asymmetric such as RSA is used to exchange secret keys and the symmetric key (session key) is used to create a session used to encrypt the subsequent data, leveraging the best of both worlds.

Hash Functions

Hash functions provides encryption using an algorithm with no key (aka one-way hash). There is no way to reverse the encryption. The primary use case is for integrity checks. MD5(128bit) and SHA1(160bit) are older and have weaknesses. Recommendation is use SHA-2


Hashes are not unique and different plaintext can result in the same hash.


Created by Ronald Rivest. MD5 creates a 128bit hash however, has been discovered where collissions can be found in a practical amoutn of time.

Secure Hash Algorithm

SHA1 was announced in 1993 as FIPS 180 standards, however it is now considered weak due to poor collission avoidance. SHA2 was announced in 2001. It includes SHA-224, SHA256, SHA-384 and SHA-512 with the differing hash values. In 2015 SHA-3 has been finalized.


HAVAL (Hash of variable length) is a a hash algorithm that creates message digests of 128, 160,192,224,256 bits in length, using 3,4, or 5 rounds. It’s designed around the MD family and is faster than MD5.

Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT.Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV