Cryptography

In this course, we'll explore the field of cryptography, including public key infrastructures, certificates and digital signing. Here, we take a deep dive into the realm of confidentiality, integrity and availability. Since we aren't only using cryptography to protect data from unauthorized disclosure and improper modification, but also using encryption to regulate the ability of users to log into systems and applications. Course 3 Learning ObjectivesAfter completing this course, the participant will be able to: L3.1 - Identify the fundamental concepts of cryptography driving requirements and benefits.L3.2 - Recognize symmetric encryption methods.L3.3 - Use asymmetric encryption methods.L3.4 - Examine public-key infrastructure (PKI) systems and certificates.L3.5 - Summarize fundamental key management terms and concepts.L3.6 - Recognize how to implement secure protocols.L3.7 - Review methods of cryptanalytic attack.Course AgendaModule 1: Benefits and Driving Requirements for Cryptography (Domain 5 - Cryptography, Domain 7 - Systems and Application Security)Module 2: Support the Use of Symmetric Encryption Methods (Domain 5 - Cryptography)Module 3: Support the Use of Asymmetric Encryption Methods (Domain 5 - Cryptography)Module 4: Support the Use of Public Key Infrastructure (PKI) Systems (Domain 5 - Cryptography)Module 5: Support Key Management Processes (Domain 5 - Cryptography)Module 6: Support the use of Secure Protocols (Domain 5 - Cryptography)Module 7: Cryptanalysis (Domain 5 - Cryptography)Who Should Take This Course: BeginnersExperience Required: No prior experience required

In contrast to symmetric encryption, asymmetric encryption is relatively new, having been invented, published and thereby made publicly available only in the late 1970s.  Asymmetric algorithms became commonly known when Drs. Whitfield Diffie and Martin Hellman released a paper in 1976 called “New Directions in Cryptography.” The Diffie-Hellman paper described the concept of using two different keys (a key pair) to perform the cryptographic operations — the essence of asymmetric cryptography. The pair of keys used in asymmetric cryptography are mathematically related and must always be used as a pair. One key will not work without the other key also being used. The key pair consists of a private key, which the owner of the key pair MUST keep private; and a public key, which is computed from the private key and can be shared with anyone the owner wishes to share it with.  Asymmetric cryptography uses what is known as a trapdoor function, meaning that while it may be easy to compute a value in one direction, reversing the process is extremely difficult if not mathematically impossible to do. The mathematics used in creating the key pair makes it simple to calculate the value of the public key if a person knows the value of the private key, but the reverse (i.e., to determine the value of the private key based on the value of the public key) is something we call computationally infeasible — it would take more processing time, on more CPUs and GPUs (graphics processor units) running in parallel, to be confident of making that “lucky guess” at going backward through the trapdoor, so to speak, and cracking the private key based only on the public key.  Even Kerckhoffs’s Principle (covered in module 5) doesn’t make these cryptographic attacks any easier! Modern attacks have been done using botnet systems in which CPUs and GPUs become part of a massively parallel attack on such cryptosystems. Trapdoor functions were one of the “new directions” in the Diffie-Hellman paper; the other was using these functions to compute a symmetric session key on demand, without requiring the sender and recipient to first exchange a secret value such as a symmetric encryption key. Suddenly, the key distribution and management problem became much, much simpler. Let’s take a closer look at these ideas and see how they gave rise to public key cryptography as an infrastructure (which we call PKI for short), the widespread use of digital signatures, and a host of other ideas vital to the safe and reliable use of e-business of all forms. 

The compromise of most cryptographic systems does not happen because of weaknesses in the algorithms; instead, it is most frequently due to problems with key management. This is often a human problem when people share keys, distribute keys improperly, choose weak keys, do not destroy old keys or store keys insecurely. History is littered with the defeats of nations and the failures of business ventures because of this. A major part of breaking the code for Nazi Germany’s Enigma machine during the Second World War was the work of the Polish mathematician Marian Rejewski. Working in the Polish General Staff’s Cipher Bureau with allied French military intelligence, he was able to determine the order of the letters on the cipher disks used in the Enigma by gaining access to two months’ worth of old encryption (setting) keys the Germans had discarded. As security professionals, we ought to be able to reach up to our bookshelves and pull down a handbook for cryptographic key and certificate management for business and private organizational use; that handbook doesn’t seem to exist yet.  NIST SP 1800-16, issued in June 2020, is a great start on this effort, but it does not address the small- and medium-sized enterprise needs, nor does the NIST Cybersecurity Framework do this either. Let’s see what we can put together, drawing from the lessons in modules 1 through 4, and a few other lessons from history.