Muhammed Dardir

The method of hiding the meanings of communications from

unintended parties. "Cryptography" is derived from the Greek word
Cryptography kryptos for "hidden" and graphein "to write".

Cryptology The method of deriving the plaintext or the encryption key from a
ciphertext to obtain information. Also to pass altered or fake
Cryptanalysis messages to deceive the original recipient
Block cipher: Obtained by segregating plaintext into blocks of n
characters or bits and applying the identical encryption algorithm
and key to each block
Cipher: A cryptographic transformation that operates on characters
or bits
Ciphertext or cryptogram: An unintelligible message.
Clustering: Situation in which a plaintext message generates
identical ciphertext messages using the same transfonnation
algorithm, but with different crypto variables or keys.
key terms Codes: A cryptographic transformation that operates at the level of
words or phrases
Cryptanalysis: Act of obtaining the plaintext or key from ciphertext
that is used to obtain valuable information and to pass on altered or
fake messages to deceive the original intended recipient.
Cryptographic algorithm: A step-by-step procedure used to
encipher plaintext and decipher ciphertext.
Plaintext: A message in cleartext, readable form.
Cryptography: "Hidden writing"
Encryption: Coding a message so that its meaning is concealed
core components of Cryptography
Plaintext: Message in its original form
Ciphertext: Message in its encrypted form
A cryptosystem is the collection of all possible inputs and all possible
outputs, in addition to the algorithm and keys. But, don't forget about
the humans
cryptosystem
Good cryptography rijndael algorithm,,To break you need 14 trillion years
Keys permit the existence of unrestricted algorithms
Keys might be any one of a large number of values
Keys
The strength of a cryptosystem rests with the strength of its keys
Keyspace matters

managing Keys Using Separate Key Servers

Crypto Fundamentals
TO encrypt a message, we might choose either symmetric
algorithms, such as RC4 or Blowfish, or asymmetric algorithms,
such as RSA or ECC.
digitally sign a message (that is, give some type of "digital proof" as
to the signer's identity), we might choose RSA or ECC with a
hashing algorithm, but not any of the symmetric algorithms
if we need high-speed encryption with the advantage of digital
signatures, we might choose DiffieHellman to exchange a symmetric
Big Picture key, hash our message using SHA, digitally sign the hash using
RSA, and encrypt the message and hash for transmission using
Rijndael

Communications ==> Confidentiality * Integrity* Authentication *

Goals of Cryptography Non-repudiation
The goal is to garble the original message so that its meaning is
concealed
The Boolean Exclusive OR (XOR) function is one of the fundamental
operations used in cryptography
XOR

It uses a one-to-one substitution of characters

It "rotates" the alphabet by X characters, where Xis the key

Rotation Caesar Cipher was ROT-3

Usenet uses ROT-13 (symmetric)

It uses a one-to-one substitution of arbitrary characters

Given one character mapping, you cannot determine the key, as
with rotation substitution
General Symmetric Encryption Techniques
Basic techniques Monolithic ciphers or one-to-one substitution ciphers can often be
broken with frequency analysis
Arbitrary substitution
One-to-one character substitution is weak because it can be
It is easy to break using character frequency analysis frequency analysis defeated with frequency analysis
Long ago, cryptanalysis made tables showing the relative frequency
with which letters

Keeps the same letters, but changes the position within the text

Permutation Very easy to break

Hybrid Substitution and permutation can be combined together

Basic techniques : These techniques are used by symmetric key
systems

Fast! Single key for encryption. and decryption

Requires secure key distribution channel (scalability)
Pre-shared key
Symmetric key cryptography "Secret key" encryption
Requires secure channel Asymmetric encryption
Diffie-Hellman key exchange
No technical non-repudiation
Slow! Public / private key pair
Public keys widely distributed within digital certificates
Used as a secure channel for symmetric key exchange
Technical non-repudiation via digital signatures
Asymmetric key cryptography"Public key" encryption
The mathematics behind asymmetric encryption depends on the
Cryptography
existence of so-called trapdoor functions
Multiplication versus factorization
Two common examples are:
Asymmetric Encryption Exponentiation versus logarithms
Encrypt with recipient's public key
Secure Channel
Decrypt with recipient's private key
Use of.Asymmetric Keys
Encrypt with sender's private key
Authentication
Decrypt with sender's public key
No key used during encryption
Irreversible one-way transfotmation
Key length is the hash length
Plain text (and length ofplaintext:)is riot recoverable from the
types of cryptosystems cipliertext
Byte-oriented, produces a 128-bit hash value from an arbitrary-
MD2 length message, designed for smart cards
MD4 Similar to MD2, designed specifically for fast processing in software
Similar to MD4 but slower because the data is manipulated more.
MD5 Developed after potential weaknesses were reported in MD4
RIPEMD160
Examples:
Modeled after MD4 and proposed by NIST for the Secure Hash
SHA Standard (SHS), produces a I 60-bit hash value.
hash function
SHA-l
SHA-2
SHA-3
Also called "message digests" or"one-way encryption
Primacy use: Message integrity
Secret (Private) Key Cryptography
There are three forms of Cryptographic Algorithms Public Key Cryptography
Hashing Functions (Message Digests or one-way encryptions)
Since hashes produce a fixed length output, the number of possible
Hash collisions: Where two different files are hashed and produce inputs to a hash algorithm are larger than the number of outputs
the same output If every input must map to an output, two different inputs have to
map to the same output
Hash collisions
Similar items will not collide
Collisions are an acceptable risk because with strong hashing There is no way to predict when a collision will occur except via
brute force
Digital signatures use public key cryptography to "sign" documents
The signatures are non-repudiable
Digital signatures They "sign" a document by encrypting a one-way hash with a
private key
To protect the hash from modification during transmission
digitally sign the document for two reasons
To prove to Bob that she sent the message
Data hiding (steganography means "covered writing")
Dates to Ancient Greece; modern awareness relatively new
Images (bmp, png, gif, jpg)
Word documents
Can hide in a variety of formats :
Text files
Machine-generated images (fractals)
Cryptography ( crypto) provides confidentiality but not secrecy
It is fairly easy to detect that someone is sending an encrypted
message; it is just difficult for someone to read it
steganography "Stego" Ceypto versus Stego
With stego, you might not even know someone is sending a
message; the true intent is hidden
NOTE :: Steganography Doesn't Guarantee Safety
Injection

General methods of Stego Substitution Data in a file can be replaced or substituted with hidden text
The hidden data can also be used to generate a new file
File generation
No host file is needed
Stegexpose
Tools to detect Stego
Detecting Stego StegSecret
No universal way to detect steganography
Histograms are graphical representations of the number of
occurrences of data in a given distribution of such data
For example, a histogram of a text document would show the
Histograms number of occurrences of each character that appears in the
document. A normal text document would generate a histogram that
shows that the frequency of characters varies greatly

Confidentiality, integrity of data, authentication, and non-

repudiation
study Computational Complexity deals with time and space
cipher designer requirements for the execution of algorithms.
Crypto concepts
Difficulty of factoring a large integer into its two prime factors "RSA"
Difficulty of solving the discrete logarithm problem - for finite fields "
Example of an Intractable Problem Diffie-Hellman ,DSA"
Difficulty of solving the discrete logarithm problem --as applied to
elliptic curves " ECDSA "
Data Encryption Standard
Rather fast encryption algorithm
Widely used; a de facto standard
Symmetric key, 64-bit block cipher
56-bit key size: Small 256 keyspace
Today, DES is not considered secure
DES used to be one of the more commonly used enc1yption
algorithms in the world, which is based on IBM's Lucifer cipher
,Because of the internal bit-oriented operations in the design of
DES
DES is considered non-secure. It is crackable in a short period of
time
See the book, Cracking DES (O'Reilly)
DES
Multiple encryptions and key size increase the security
DES Weaknesses
Double DES is vulnerable to the meet-in-the-middle attack and only
has an effective key length of 5 7 bits
Triple DES is preferred
This means that multiple DES encryptions are not related, making it
stronger than a single encryption
DES is not group If an algorithm is a group, then • E(K2,E(K,M)) = E(K3,M)
Multiple DES encryptions increase security
Encrypting twice with DES (Double DES) does not significantly
increase the effective key size. !fa cryptanalyst is able to obtain
both a cleartext message (M) and its corresponding ciphertext (C),
they can perform a meet-in-the-middle attack
Symmetric cryptosystems (Private) Key
meet-in-the-middle attack

Advanced Encryption Standard

A new encryption algorithm(s) that is designed to be effective well
into the 21st century
AddRoundKey: XOR Round Key with State
subBytes: Substitute bytes in, StattJ sto form Statll s' on a byte-for-
byte basis using S-box
AES "Rijndael "
Cryptography Algorithms and Deployment AES algorithm employs four basic transformations ShiftRows: Left circularshiftof rows 1-3 in State sby 1, 2, and3
bytes, respectively
MixColumns: Apply mathematical transformation.to each column
inSta.tes to form States'

The RSA algorithm has been widely implemented all over the world
in all kinds of cryptography-enabled applications
It can be used to support both encryption and digital signature
schemes
RSA
As a central part of the Secure Sockets Layer (SSL)
it is also included in major web clients, such as Microsoft Internet
Explorer
asymmetric cryptosystems " (Public) Key " ECCs are capable of supporting both an encryption/decryption
scheme and a digital signature scheme.
High security even at relatively small key lengths (that is, a higher
strength per bit), high-speed implementations, low processing power
Elliptic Curve Cryptosystems (ECCs) requirements, and low storage requirements
ECC a particularly attractive cryptographic option for use in
resourceconstrained computing environments such as mobile
telephones, information appliances, and smart cards
MDS takes variable-length input Output is 128~bit unique fingerprint
MDS Typically used with digital evidence
sha1 "EOL" Output is l60 bit
hash
SHA-256 Output is256-bit
SHA sha2
SHA-512 Output is 512-bit
SHA3-256 Output is 2S6-bit
sha3
SHA3-512 Outputis 512-bit

Uses algorithms and mathematics to· deduce key or

Analytic reducekeyspaceto be searched
Statistical Uses statistical.characteristics of language or weaknessesin keys
Analyzes resultant differences as related plain texts are encrypted
general types of cryptanalysis
Differential using a cryptographic key
Linear Linear analysis of pairs of plaintext and ciphertext
Differential linear Applies differential analysis· with linear analysis
Crypto attacks "Cryptanalysis"
Cryptanalysts can sometimes use a phenomenon known as the
birthday paradox to attack hash signatures
When 23 people are put together, the odds are greater than 5 0%
birthday attack
that 2 or more people share a birthda
Hash collisions are related to that probability

Pro: Dedicated lines and equipment are not shared by others

Confidentiality in Transit Private network Con: Dedicated lines are expensive, grow more so with distance,
and are underutilized
Data is encrypted at one end of the VPN from cleartext into
ciphertext
Ciphertext is transmitted over the internet
Data is decrypted at the other end of the VPN from ciphertext back
into the original cleartex
VPNs are flexible
A VPN "tunnel" over the internet can be set up rapidly; a frame
VPN advantage - flexibility
circuit can take weeks
All you need is an internet connection

Data in transit Virtual private networks (VPNs

VPN breakdown

Client-to-site VPN (transport) • Example: Laptop connection to

remote access server at HQ
Types of Remote Access Site-to-site (tunnel) • Example: Sales office connection to HQ
office location
IP Security (IPsec) is an IETF standard for establishing virtual
private networks.
Can enable encrypted communication between users and devices
VPN
Transparently fits into network infrastructure
Can be used on networks on a small or very large scale
IP Security (IPsec) Commonly implemented: Most VPN devices and clients are IPsec-
compliant
Data integrity: No modification ofdatain transit
Authentication Header (AH.) No confidentiality
Origin authentication: Identifies where data originated
Types of IPsec Headers
Data integrity: No Inodification of data intransit
Encapsulating Security Payload·(ESP) Confidentiality: Data can he encrypted
Origin authentication: ·Identifies where data originated
Fastest growing, have less operational problems than IPsec,
cryptographically equivalent, but from an application perspective not
quite as secure
Ideal if you have multiple vendors and all you need is a browser for
client side. Portal VPNs work with almost any browser. SSL Tunnel
SSL VPN
VPNs require modern browsers that can handle active content
Problems include opening firewall ports, application vulnerabilities,
authentication, and the attack surface of thebrowser··
Be careful where encrypted tunnels are set up to avoid bypassing
security devices
Security implications Encryption not only stops an adversary from reading your
information, but-itstopsyoufromreadinganadversary's information
Encrypted files are decrypted to read, and then encrypted back to
the hard drive
If system is turned off and is stolen, data is encrypted on the hard
drive
one-the-fly encryption "Full disk encryption"
If computer is on and person is logged in, someone could potentially
decrypt your encrypted messages
You should know what threat you are protecting against
Protects files on hard drives
Brings privacy to public communication medium via providing
Confidentiality in Storage GPG encryption for personal devices : Protects files transferred via email
Provides file/folder level encryption
401.4_Cryptography

Data at rest
GNU Privacy Guard (GPG)

Applying Cryptography Using GPG To encrypt or sign content, it is as easy as clicking an icon s
Encrypting information
Decrypting information
GPG provides 4 main functions
Signing information
Verifying a signature
GPG also provides an interface for key management, which is
critical for performing these functions
PKI provides a technical mechanism for encrypting an
organization's data
A hierarchy of infrastructure systems is used to create digital
certificates
Digital certificates contain the public key
Creating certificates
A PKI provides a managed infrastructure for Maintaining certificates
Revokingcel'ti
Certificate registration
Certificate creation
Certificate distribution

Public key infrastructure (PKI) The traditional PKI certificate life cycle includes Certificate validation
Certificate key recovery
Certificate expiration
Certificate revocation
Certification occurs when the CA actually issues-the certificate,
which includes the user's DN, public key, and certificate details
such as validity period, protected by a signature generated by the
CA
the cetiificate can be stored in a certificate server, such as an
LDAP
Public keys
Private client-side keys
several facets of a key storage
Private server-side keys
Private CA root and subordinate keys
An essential part of PKI
Digital document attesting the binding of an entity to a public key
Certificates Unique to each entity
Equivalent to a passport or driver's license
Mitigates impersonation
Standard for digital certificates is the x.509 certificate
Demographic data
Digital certificates Validity period
Each certificate contains Supported encryption algorithm
Public/private key
Signature by issuing CA
Public or private keys can be used for multiple forms of encryption
Digital certificates A Certificate Revocation List (CRL) is a list of revoked digital
certificates Often due to private key compromise
Key management
A Certificate Revocation List (CRL) The entire list must be downloaded each time it is updated
CRLs have limitations CRL downloads can be network-intensive
CRLs do not offer real-time notification of a revoked certificate
Request status of an individual serial number
OCSP is designed to replace CRLs Real-time notification of revoked certifications
OCSP - Online Certificate Status Protocol Lower bandwidth and storage requirements
OCSP is recommended by the IETF over CR
is a company or organization that acts to validate the identities of
entities (such as websites, email addresses, companies, or
individual persons) and bind them to cryptographic keys through the
issuance of electronic documents known as digital certificates. A
digital certificate
Authentication, by serving as a credential to validate the identity of
Certificate authorities (CA) the entity that it is issued to.
Encryption, for secure communication over insecure networks such
provides as the Internet
Integrity of documents signed with the certificate so that they cannot
be altered by a third party in transit
One use of PKI is to encrypt messages between a web server and a
web browser
Secure Sockets Layer (SSL)
This is accomplished by the use of either
Transport Layer Security (TLS)
Client and server use a PKI certificate (asymmetric) to negotiate a
session key (symmetric)
PKI certificate is used for secure key exchange
Session key is used to encrypt data between systems
Key Establishment
Confidentiality with symmetric encryption
SSL/TLS is expanding today into more than websites Both SSL and TLS protocols provide for:
Secure Socket Layer (SSL) Signature via asymmetric
Integrity via hash

PKI can be used for more than secure web traffic. It can also be
Other Uses of PKI used for:

Competing/incomplete standards
Certification of CAs Important issue, but easy to overlook
problems with PKI Do-it-yourself or outsource?
Extensive planning requirement
User education and/or perception

Incident handling is an action planfor dealing with intrusions, cyber-

theft, denial of service, malicious code, fire, floods, and other
securityrelated events
Incidents can be intentional or unintentional
incident response plans help to know what to do when an incident
occurs
Incident-handling fundamentals why it is important? sooner or later, an incident is going to occur
An "incident" is an adverse event in an information system, and/or ·
What Is an Incident? network, or the threat of the occurrenceofsuchan event
An ''event" is any observable occurrence in a system and/ or
What ls an Event? network
Preparation
Identification
Containment
Six-step process for handling an incident
Eradication
Recovery
Lessons Learned
Failure to report or ask for help
Incomplete/non-existent notes
Mishandling/ destroying evidence
Key Mistakes in Incident Handling Failure to create working backups
Failure to contain or eradicate
Failure to prevent reinfection
Failure to apply lessons learned
Assess: Identify and triage all threats. This assessment is the
beginning of the business impact analysis (BIA). We must
understand what the threats are and assess the impact the threat
would have on the business if the threat were to become reality.

Planning Evaluate: Assess the likelihood and impact of each threat.

Realistically, what is the chance that the threat will happen? Perform
the cost-benefit analysis to ensure any investments are justified.
Prepare: Plan for contingent operations to occur within the
Incident-Handling and Contingency Planning necessmy time frame. This step includes not only the preparation of
the BCP, but also the ongoing management of the plan. Ensure
employees are properly trained and that all documentation is in
order. Perform periodic testing of the plan in accordance with your
policy.
The key components of a business continuity plan (BCP) are :
Business continuity planning Mitigate: Identify actions that might eliminate risks in advance. Are
there things we can do that will decrease the likelihood of the threat
becoming a reality? Are they cosHustified?
Respond: Take actions necessary to minimize the impact of risks
that materialize. When disaster strikes, a quick response can
minimize the impact to the business. Organizations that are well-
prepared are in a better position to respond quickly than those that
have not thoroughly planned for disasters
Disaster recovery planning
Recover: Return to normal as quickly as possible.
Business continuity planning (BCP) focuses on the availability of
critical business processes
Performs a strategic look across the entire business and asks what
could happen
what is business continuity plan (BCP)? It includes disaster recovery and business resumption planning
It considers long-term impact to the business
It focuses on identifying problems and proactively fixing them before
they occur
Disaster recovery plan
End-user recovery plan
Contingency plan
other plans including Emergency response plan
Crisis management pla
Contingency planning Other plans as required (for example, a server recovery plan or a
phone system recovery plan)
Insurance model: Plan for the worst; hope for the best
BCP covers high-level strategic planning
BCP/DRP
DRP covers tactical infrastructure items
DRP is a part of BCP
Management Awareness
Planning committee
Risk Assessment
DR Planning Process
Process Priority establishment
Recovery Strategies
Testing Criteria

DR Planning Mistakes

The Cloud offers a new DR option for businesses

Cloud Service Providers can enable DR of critical IT systems
without the business having to incur the infrastructure expense of a
Cloud Disaster Recovery second physical site
Many large CSP's already provide a set of cloud-based disaster
recovery services that enable rapid recovery of IT infrastructure and
data

Conduct a rapid assessment of risks so you know what your

security policy needs to cover. This forms the basis for your
security policy, with input from various business departments
Fully analyze risks or identify industry practice for due care;
analyze vulnerabilities
Set up a security infrastructure
Design controls; write standards for each technology
Cybersecurity Risk Management Process
Decide which resources are available, prioritize
countermeasures, and implement the top priority countenneasures
you can afford
Conduct periodic reviews and possibly tests
Implement intrusion prevention and incident response
Risk management overview
Determine overall threats and vulnerabilities
Risk analysis Matrix Create risk matrixfor each business unit focµsing inon likelihood
and consequenc (impact)
What could happen?
When evaluating risk, it is helpful to ask yourself some key How bad would it be?
questions
How frequently could it occur?
How reliable is our evaluation?

Single Loss Expectancy (SLE): The lossf.rorn a single event

SLE & ALE

Annualized Loss Expectancy (ALE): Annual expected loss based on

a threat

Approach to risk management

Assigns an exact numeric value

Quantitative Risk Assessment Far more valuable as a business~decisiontool because it works in
metrics, usually dollars
Quantitative Versus Qualitative
Easier to calculate, but results are more subjective
Qualitative Risk Assessment Results typically categorized as low-, medium-, or high-risk events
Succeeds atidentifying high~riskareas
Use qualitative, quantitative, or best practice/checklist risk
Risk Management measurement to define the gap between our current risk status and
where we want to be
Host-based solutions
Business Case for Risk Management Network-based solutions
Preventive measures
After the gap analysis, we select safeguards, such as
Detective measures
Logging
Data-focused controls
Organization has rudimentary capability, and you want to upgrade
Business case should always map back to risk Organization has central monitoring, and you are presenting the
case for a departmental capability
Business Case Applications
If you cannot provide proof that systems are at risk, it becomes
more difficult to get additional funds for the countermeasures that
you recommend
Identify the types of threats
External attack from network
Step 1 - Threat Assessment and Analysis
External attack from a business partner
Look for evidence that these threats are actually in use and
remember the threat vectors Insider attack from local network
Insider attack from local system
Attack from malicious code
If you work incybersecurit:y,youmustu.ndetstand and know how to
read financial statements
If you do·not know how much an asset is worth, how do you know
Step 2 - Asset Identification and Valuation how much to spend protectingit?
If you know what your assets areworth, it is easier to justify
theincreased cost of the. security controls
Threat assessment, analysis, and report to management
Doorways for the use of exploit code or techniques
Increase frequency of threat event
Step 3 - Vulnerability Analysis Vulnerabilities are the gateways by which threats are manifested
Increase impact of threat event
Vulnerabilities are the primary focus for reducing an overall risk
Match threats and known vulnerabilities, calculate ALE
Step 4 - : Risk Evaluation Estimate risk from unknown (not yet discovered) vulnerabilities
Risk might be expressed monetarily (preferred) or qualitatively
Project summary: Clearly list the top risks, the likelihood if the risk
occurs, the cost if it occurs and the cost to fix it
Asset identification and valuation report: Present the critical
assets that were found and their value. It is critical to tie the threats
with the vulnerabilities that will have the biggest impact
Step 5 - Interim Report
Plan to make things better: NEVER brief senior management
without a plan
Remember that it is critical to understand the critical data and.the
servers that it resides .on

Comparison of the cost of implementing countermeasures with the Make sure to show cost-benefit analysis
value of the reduced risk Allows look at multiple options to reduce a risk, including
compensating controls
Cost-Benefit Analysis
Importantto show that this Is high priority risk and the solution is the
most cost effective for reducing it
Includes the interim report results
Safeguard selection Including easy-to-do tasks that have already been implemented
final report Risk mitigation analysis
Cost-benefit analysis
Recommendations