Litnotes CyberOps 4 - Avalonian Memex

- Intro - Bad guys use encryption too. Decrypting it on the network may cause slowness and privacy concerns. - [**4.2** Impact of Cryptography on Security Investigations](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/2) - Two aspects: Algorithm attacks and hiding. - Encrypting/decrypting and netflow data for anomalies in cnc - [**4.3** Cryptography Overview](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/3) - **Confidentiality:** Ensuring that only authorized parties can read a message - **Data integrity:** Ensuring that any changes to data in transit will be detected and rejected - **Origin authentication:** Ensuring that any messages received were actually sent from the perceived origin - **Non-repudiation:** Ensuring that the original source of a secured message cannot deny having produced the message - It is ironic that it is impossible to prove that an algorithm is secure. You can prove only that it is not vulnerable to __known __cryptanalytic attacks. - All crypto can be brute forced. - Substitution, poly alphabetic, transposition, one time pad. - OTP is XOR randomly. Computers can't generated truly random ciphers because they are mathematical. (use of mouse shaking by a human to generate for example) - Key distribution is a problem and can't be reused. - [**4.4** Hash Algorithms](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/4) - MD5/SHA1 have flaws like collisions - Used for message integrity, especially HMAC in IPSEC and routing updates - Has **avalanche effect** where small change makes big difference - [**4.5** Encryption Overview](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/5) - Disguising a message to not show original. - Encrypt application layer data, such as encrypting email messages with PGP. - Encrypt session layer data using a protocol such as SSL or TLS. - Encrypt network layer data using protocols such as those provided in the IPsec protocol suite. - Encrypt data link layer using MACsec (IEEE 802.1AE) or proprietary link-encrypting devices. - Key Size determines strength of crypto. Large diff exponentially between 16-bit and 60-bit for example. - [**4.6** Cryptanalysis](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/6) - All crypto vuln to bruteforce. 50% of key space is avg for break. - If both plaintext and ciphertext known a meet-in-the-middle attack can take place. - Cipher-text only not practical because now pseudorandom resists statistical analysist. - [**4.7** Symmetric Encryption Algorithms](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/7) - Data Encryption Standard (DES) - Triple Data Encryption Standard (3DES) - EDE - encrypt, decrypt, encrypt with 3 56-bit keys. Ranges from 112-160 bits. - Advanced Encryption Standard (AES) - Replacement for 3/DES, faster and more secure. - Rivest Cipher 4 (RC4) (secure but can be implemented insecurely like in WEP, used in TLS) - 40-bit insecure, up to 256, generally 80+ good. - Symmetric uses same key to encrypt/decrypt. Wire speed. - **Electronic Code Book (ECB):** In ECB mode, it serially encrypts each 64-bit plaintext block using the same 56-bit key. If two identical plaintext blocks are encrypted using the same key, their ciphertext blocks are the same. - **Cipher Block Chaining (CBC):** In CBC mode, each 64-bit plaintext block is XORed bitwise with the __previous ciphertext bloc__k and then is encrypted with the DES key. Because of this process, the encryption of each block depends on previous blocks. Encryption of the same 64-bit plaintext block can result in different ciphertext blocks. - [**4.8** Asymmetric Encryption Algorithms](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/8) - The typical key length range for asymmetric algorithms is 1024 to 4096 bits. You cannot directly compare the key length of asymmetric and symmetric algorithms, because the underlying design of the two algorithm families differs greatly. - Examples of asymmetric cryptographic algorithms include RSA, DSA, ElGamal, and elliptic curve algorithms. - Because they lack speed, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. - Digital signature example in PGP: Encrypt the message with your private key, and again with the destination’s public key, so that the recipients can decrypt the message with their private key and your public key. -By Encrypting with your private key anyone can decrypt that part but it ensures origin. Then real message is encrypted with destination's public so only they can decrypt with private. - [**4.9** Diffie-Hellman Key Agreement](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/9) - Relies on mathematical symmetry of mod exponents to exchange value, as well as discrete logarithm problem with larger (2048) bit primes needed. - Logjam was an attack. DH Group 14,15,16, (19,20,24 ECC) needed - The DH key exchanges always use the same DH private key. Each time the same two parties perform a DH key exchange, they will end up with the same shared secret. With ephemeral Diffie-Hellman, a temporary private key is generated for every DH key exchange, and thus the same private key is never used twice. This enables perfect forward secrecy (PFS), which means that if the private key is ever exposed, any past communications are still secured. - Which two parts of the Diffie-Hellman process are arbitrary items that are agreed upon by both parties before any mathematical calculations? (Prime Number and Generator) - The higher the Diffie-Hellman group number indicates a larger key size - [**4.10** Use Case: SSH](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/10) - SSH v1 uses PKI instead of DH, so server sends it's public key first. - [**4.11** Digital Signatures](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/11) - To communicate that a document is using a digital signature, what is the next step in the process after a hash of the document is calculated by the sender? The hash is encrypted using the private key of the sender. - Which three security services are provided by digital signatures? (Choose three.) integrity, non-repudiation, authenticity - [**4.12** PKI Overview](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/12) - Certs are digitally signed by CA. CA is like driver bureau, cert is like license. - [**4.13** PKI Operations](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/13) - Which two are true regarding the CA in a PKI deployment? (Choose two.) - The CA is the trusted third party that signs the public keys of entities in a PKI-based system. - The CA issues either a certificate revocation list (CRL) or uses an OCSP process to determine certificate validity. - Which two options must be included in the CSR that is to be signed by a CA? (Choose two. - subject’s public key information - Subject identity information - [**4.14** Use Case: SSL/TLS](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/14) - The structure and use of the cipher suite concept are defined in the documents that define the protocol (RFC 5246 for TLS version 1.2). This RFC defines mandatory cipher suites that must be implemented by all TLS-compliant applications. The only mandatory cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA, including RSA for authentication and key exchange, AES for confidentiality (encryption), and SHA for integrity (Hashed Message Authentication Code). - [**4.15** Cipher Suite](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/15) - An SSL/TLS cipher suite is used to define a set of cryptographic algorithms including the authentication and key exchange algorithms (such as RSA), encryption algorithm (such as AES), message authentication code algorithm (such as SHA), and the **PRF**. The cipher suites are described in RFC 5288 and RFC 5289. - [**4.16** Key Management](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/16) - Key management deals with the secure generation, verification, exchange, storage, and destruction of keys. It is extremely important to have secure methods of key management. - The larger the key the long it takes to compute. Adding 1 bit doubles key space. Key space is total number of keys generated by algorithm. - [**4.17** NSA Suite B](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/17) - Encryption using the AES with128- or 256-bit keys in the GCM mode. The block cipher modes of operation include CTR mode and GCM mode, in which case, GCM is the most common. GCM is an authenticated encryption algorithm that is designed to provide both data authenticity and confidentiality - Digital signatures using the ECDSA with 256 and 384-bit prime moduli - Key agreement using the ECDH method - Message digest using the SHA-2 method (SHA-256 and SHA-384) - [**4.18** Explore Cryptographic Technologies](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/4/pages/18) - Extensive Questions should be reviewed (20)