Sec+ preparation #8 (standards, hashes, keys, certs)

Jonas SatkauskasJonas Satkauskas
6 min read

Table of contents

Intro

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes data of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Kerchoff’s Principle (1883)

  • It must not be required to be secret.

    • Effective cryptographys algorithm must not be secret.

  • Algorithm has to be publicly known

  • Too many secrets can lead to easier compromise

  • Only the key should be secret and protected

In OWASP TOP3 many cases are cryptographic misconfiguration

Unknown cryptography algorithm is not more secure.

Hashing algorithms (will be in exam)

  • SHA

  • SHA1 (160-bit, developed by NSA)

    • 160-bits (could be in exam)

  • SHA2 (256, 384 and 512)

  • MD2 (MD algorithms were developed by Ron Rivest)

    • 128-bit

  • MD4 (128-bit)

  • MD5 (128-bit)

    • 128 bits

  • HAVAL (Variation of MD5)

  • LANMAN

    • Developed in 1980

    • Was not used very much

    • It is easy to hack it

  • NTLM

    • Sends an 8-byte challenge to the client

    • Client returns the challenge in encrypted form

    • If response is correct, client is authenticated

    • Optional on Windows 2000

  • NTLM V2

    • Offer Session Security

    • Encrypted with 128 bit key

    • You must configure servers to accept only NTLM V2

    • Use passwords longer than 14 characters

There are lots of old systems in the world

Corporations does not update systems

SCADA uses really old systems.

Registry Editor is important part in Windows. It controls software behavior in the system.

  • Collision

    • Happens with hashing algorithms

    • Two different inputs creates same output (hash)

    • MD5 today has multiple collision

      • Less collisions means more integrity

    • Use SHA-1 for forensics

  • The Birthday paradox (sometimes appears in exam)

    • Based on probability

    • How many people do I need in a room to have a 50% chance that two of them have the same birthday?

      • Answer is: 23

    • It is easier to generate random messages to attempt to get a collision instead of trying all possible values.

    • Guessing is often better

Hashes or message digest is:

  • A one way function comparable to a CRC check

  • Usually 128-bit or 160-bit.

    • 160-bit looks strange.

      • It is 128bits + 32bits

  • You can’t reverse hash. It is one-way.

  • Encrypted text can be as short as 3 characters or as long as 1000 characters. The hash length will be the same.

  • 1 bit changed means hash changes. 50% of hash changes when changing 1 bit!

  • If two inputs generate same hash it’s called Collision

    • Here’s where integrity comes.

    • It’s a sign of weakness of the algorithm

  • You can find hashes on you Kali system in /etc/shadow

OFFTOPIC:

Check about Stuxnet attack (2010)

Symmetric Cipher Authentication

  • A message authentication Code (MAC) is used

  • Also called a keyed Hash

Data Encryption Standard (DES) (WILL BE IN EXAM)

  • Originally from IBM, Block Cipher

  • 16 rounds of encryption

  • Lucifer Algorithm accepted as DES standard 1974

  • DES and AES are standards. These are not the algorithms.

  • Original used 48 to 128-bit key

  • NIST - National Institute of Standards and Technologies

  • The key is 64 bits in it’s total lenght

Triple DES or 3DES

  • 3 X DES applied to plaintext

Rivest Shamir Adleman (RSA)

  • Developed by Rivest, Shamir and Adleman

  • Patented in 1977

    • Was free to use by anyone

    • Became the de facto standard

  • Digital signatures, key distribution, encryption

  • Based on Difficulty of factoring large numbers

  • Key sizes: 512, 1024, 2048, 4096, 8192

Pretty Good Privacy (PGP)

  • Developed by Phil Zimmerman

  • Was initially a 1024 bits cipher

  • Offers Email and File Encryption

  • Offers Drive Encryption

  • The Web Of Trust was initially used with PGP

NSA always asks that there would be a Backdoor open for them in an algorithm. PGP refused.

Eliptic Curve Cryptosystem (ECC)

  • Short Key size with same strength as large key size

  • Very efficient for small portable devices

    • it is used in every portable device now.

Advanced Encryption Standard (AES) - (MUST KNOW for the exam)

  • Created by Vincent Rijmen and Joan Daemen (Dutch engineers)

  • Effective as of May 26, 2002

  • Block Symmetric Encryption Algorithm

    • There’s stream and block symmetric

    • Block sizes of 128, 192, 256

  • Rounds (10, 12, 14) - how many times it will go through encryption algorithm

  • This is World STANDARD.

  • IT IS NOT AN ALGORITHM, IT’S A STANDARD

NIST picks the best algorithm. Secure and fast.

One Time Pad (One Time Password)

  • Known as the unbreakable cipher

    • If the pad is truly random or protected it is unbreakable

  • No longer used today

SSL/TLS

In the beginning nothing was encrypted,

  • Secure Sockets Layer (SSL)

    • Developed in Netscape

    • Protects the communication channel (Session)

    • Server authenticates to client

    • Optionally client can authenticate to server

    • Used for secure WWW connections

  • Transport Layer Security (TLS)

    • Was supposed to replaced SSL

    • More features than SSL

S/MIME

  • Application-layer protocol (Layer 7 of OSI model)

  • Provides data integrity, confidentiality and authentication

Public Key Infrastructure (PKI)

Concepts that you need to be aware of:

  • Recovery Agent

    • A recovery agent can save you data if you loose it

    • No longer used,

  • Public Key

  • Private Key

  • Certificate Authority (CA)

    • These are the companies that issue certificates

    • Top level of trust

    • Commercial Companies:

      • VeriSign

      • Baltimore

      • Thawte

    • Can have sub-CA of their own

    • Can also be private, like:

      • DoD

      • Microsoft

      • Cisco

    • Must be protected at all cost

  • Registration authority

    • User fills a form, get certificate and gets approval or not

    • Identity will be attached to digital certificate

  • Key escrow

    • A copy of a Private key kept by the issuer

    • Could be clear text copies kept in a safe

  • Certificate Revocation List (CRL)

    • Answers the question if certificate is still valid today?

    • Contains list of compromised certificates and checks if upcoming certificate is not in that list.

    • Mostly replaced today by OCSP (Online Certificate Status Protocol)

  • Trust models

    • How do we know if the certificate we see is real?

      • There’s a PKI model

        • Nice Hierarchy

      • There’s a Web of trust

        • If I’m friend with you, then I’m gonna trust anybody who you trust

Key Management

  • The need for key management

  • CA and RA

  • Keys are:

    • Public

    • Private

    • No trust on keys by default

  • We need automated way of distributing keys

  • We need creation and distribution

  • Key length long enough for usage

  • Keys need to be backup or escrowed

  • Keys should be properly destroyed

OFF TOPIC

Mark Shuttleworth is a founder of UBUNTU. He spent lots of money on it and made it free to people. He made his billion while selling digital certificates in the beginning. He also went to the space.

0
Subscribe to my newsletter

Read articles from Jonas Satkauskas directly inside your inbox. Subscribe to the newsletter, and don't miss out.

learningLearning Journeycybr#cybersecuritycybersecurityCyberSeccyberLinuxcomptia security+comptiacomptia security+ certification

Written by

Jonas Satkauskas
Jonas Satkauskas