OfficialGuide_C06
Chapter 6
Cryptography

Introduction

Cryptography addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. The CISSP candidate should be able to understand:

- The business and security requirements for cryptography and how to apply the appropriate use of cryptography to achieve the desired business effect.
  - Confidentiality. Understand the strength of various cryptographic applications, impacts on system performance, and when to apply; the concepts of synchronization of parameters between end systems; and how to recognize the use of confidentiality functions.
  - Integrity. Understand how the integrity function works and how it differs from the authentication and confidentiality functions, when to apply, and how to recognize its use.
  - Authentication. Understand how the authentication function works, how it differs from integrity and non-repudiation, what a digital signature is, and how to apply this function to messaging, web, and commerce applications.
  - Non-repudiation. Understand how non-repudiation works, how it differs from authentication, what to apply, and how to recognize its use.
- Cryptographic concepts, methodologies, and practices:
  - Understand the difference between symmetric and asymmetric cryptography, public and private keys.
  - Understand public and private key algorithms in terms of their applications and uses.
  - Understand construction and use of digital signatures.
  - Understand the basic functionality of hash/crypto algorithms (DES, RSA, SHA, MD5, HMAC, DSA), and effects of key length.
  - Understand the basic functions involved in key management, including creation, distribution, verification, revocation, destruction, storage, recovery and life span, and how these functions affect cryptographic integrity.
  - Understand major key distribution methods and algorithms (e.g., manual, Kerberos, ISAKMP).

AU1707_C06.fm Page 377 Tuesday, November 4, 2003 2:27 PM
OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM

- Vulnerabilities to cryptographic functions:
  - Understand the strengths and weaknesses of algorithms and key strengths.
  - Understand cryptographic key administration and storage in terms of vulnerability increases (compromise).
  - Understand attack methods (COA, KPA, CTA including CPA, ACPA, and CCA, brute force, CRACK, replay, MIM, and birthday) and how to recognize attacks against cryptographic functions.
  - Understand which attacks work against which types of algorithms.
- Use and function of CAs and PKI:
  - Understand how certificates are issued, verified, distributed, and revoked (hierarchy chain).
  - Understand types and classes of certificates (standards).
  - Understand and recognize the components of a CA and the hierarchical structure of PKI.
- System architecture requirements for implementing cryptographic functions:
  - Understand cryptography algorithm construction.
  - Understand the use of application and network-based protocols, such as PEM, S/MIME, SSL, HTTPS (also SHTTP), SET, IPSec.
  - Understand the application of hardware components, such as smart cards, tokens, etc.
  - Understand the application of cryptographic components, such as IPSec nodes and ISAKMP.

6.1 Information Protection Requirements

The A-I-C Triad

In this chapter we will learn how cryptography and encryption techniques will help us address the issues associated with Confidentiality and Integrity as they relate to our A-I-C triad (Exhibit 1). The goal is to protect the information that is stored and transmitted using cryptographic techniques, which is related to the Confidentiality goal. Cryptography also allows us to address the issue of Integrity, by providing techniques that will allow us to identify the unauthorized modification of information.

Exhibit 1. A-I-C Triad (Availability, Integrity, Confidentiality)

6.2 Information Protection Environment

Introduction

Oddly enough, some of the earliest cryptographers were not really trying to hide anything. Rather, they were trying to draw attention to their subject and show off their language skills by playing with words. When knowledge of the written language was not widespread, for example, during Julius Caesar's time (see Exhibit 2), ciphers did not need to be very complex. Because few people knew how to read, Caesar's cipher, simple as it was, was very effective.

As history unfolded and more people were able to read and write, something had to be done to better deal with the growing number of potential adversaries. Throughout history, cryptography has been used mainly to secure communications belonging to the powerful and the influential, usually governments, the military, and royalty. The powerful people of this world have always used ciphers. They have exchanged coded messages among one another and decoded the messages of others for their own advantage. But with the advent of the computer, the widespread use of computer technology has expanded the need for secure communications around the world and the need for secure storage of sensitive information. The advent of computers has changed many things, but not the fundamentals of cryptography. The fundamentals of cryptography are the same today as they were hundreds and even thousands of years ago. They have just been applied to today's technology, in order to provide some very good methods of ensuring the confidentiality, integrity, and availability of information.

Computers have made adding complexity to cryptography very easy. They have also made solving complexity easier. Because of rapidly advancing technology, secure systems must constantly be assessed for the possibility of new attacks if security is to be maintained. Secret sharing, a necessity in today's world, is still a tug-of-war between clever cryptographers and ingenious cryptanalysts with new tools in their belts.

Definitions

Cryptography is about writing secrets. The first secret messages were exchanged thousands of years ago. Cryptography involves scrambling some kind of useful information, in its original form called plaintext, into a

Exhibit 2. History of Cryptography

1900 BC
An Egyptian scribe used non-standard hieroglyphics in an inscription. Kahn lists this as the first documented example of written cryptography. [1]

1500 BC
A Mesopotamian tablet contains an enciphered formula for the making of glazes for pottery. [1]

500-600 BC
Hebrew scribes writing down the book of Jeremiah used a reversed-alphabet simple substitution cipher known as ATBASH. (Jeremiah started dictating to Baruch in 605 BC but the chapters containing these bits of cipher are attributed to a source labeled “C” believed not to be Baruch, which could be an editor writing after the Babylonian exile in 587 BC, someone contemporaneous with Baruch or even Jeremiah himself.) ATBASH was one of a few Hebrew ciphers of the time. [1]

487 BC
The Greeks used a device called the “skytale”, a staff around which a long, thin strip of leather was wrapped and written on. The leather was taken off and worn as a belt. Presumably, the recipient would have a matching staff and the encrypting staff would be left home. Note: an article in Cryptologia late in 1998 makes the case that the cryptographic use of the skytale may be a myth. [1]

50-60 BC
Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communications. This cipher was weaker than ATBASH, by a small amount; but in a day when few people read in the first place, it was good enough. He also used transliteration of Latin into Greek letters and a number of other simple ciphers. [1]

0-400?
The Kama Sutra of Vatsayana lists cryptography as the 44th and 45th of 64 arts (yogas) men and women should know and practice. The date of this work is unclear but is believed to be between the 1st and 4th centuries, AD. Another expert, John W. Spellman, will commit only to the range between the 4th century BC and the 5th century AD. Vatsayana says that his Kama Sutra is a compilation of much earlier works, making the dating of the cryptography references even more uncertain. Part I, Chapter III lists the 64 arts and opens with: “Man should study the Kama Sutra and the arts and sciences subordinate thereto. Even young maids should study this Kama Sutra, along with its arts and sciences, before marriage, and after it they should continue to do so with the consent of their husbands.” These arts are clearly not the province of a government or even of academics, but rather are practices of laymen. In this list of arts, the 44th and 45th read:
- The art of understanding writing in cipher, and the writing of words in a peculiar way.
- The art of speaking by changing the forms of words. It is of various kinds. Some speak by changing the beginning and end of words, others by adding unnecessary letters between every syllable of a word, and so on. [2]

200s
“The so-called Leiden papyrus employs ciphers to conceal the crucial portions of important magic recipes.” [1]

725-790?
Abu Abd al-Rahman al-Khalil ibn Ahmad ibn Amr ibn Tammam al Farahidi al-Zadi al Yahmadi wrote a (now lost) book on cryptography, inspired by his solution of a cryptogram in Greek for the Byzantine emperor. His solution was based on known (correctly guessed) plaintext at the message start, a standard cryptanalytic method, used even in World War II against Enigma messages. [1]

855
Abu Bakr Ahmad ben Ali ben Wahshiyya an-Nabati published several cipher alphabets that were traditionally used for magic. [1]

“A few documents with ciphertext survive from the Ghaznavid government of conquered Persia, and one chronicler reports that high officials were supplied with a personal cipher before setting out for new posts. But the general lack of continuity of Islamic states and the consequent failure to develop a permanent civil service and to set up permanent embassies in other countries militated against cryptography's more widespread use.” [1]

1226
“As early as 1226, a faint political cryptography appeared in the archives of Venice, where dots or crosses replaced the vowels in a few scattered words.” [1]

1250
Roger Bacon not only described several ciphers but wrote: “A man is crazy who writes a secret in any other way than one which will conceal it from the vulgar.” [1]

1379
Gabrieli di Lavinde, at the request of Clement VII, compiled a combination substitution alphabet and small code, the first example of the nomenclator Kahn has found. This class of code/cipher was to remain in general use among diplomats and some civilians for the next 450 years, despite the fact that there were stronger ciphers being invented in the meantime, possibly because of its relative convenience. [1]

1300s
Abd al-Rahman Ibn Khaldun wrote “The Muqaddimah,” a substantial survey of history that cites the use of “names of perfumes, fruits, birds, or flowers to indicate the letters, or of forms different from the accepted forms of the letters” as a cipher among tax and army bureaus. He also includes a reference to cryptanalysis, noting that “Well-known writings on the subject are in the possession of the people” (p. 97). [1]

1392
“The Equatorie of the Planetis,” possibly written by Geoffrey Chaucer, contains passages in cipher. The cipher is a simple substitution with a cipher alphabet consisting of letters, digits, and symbols. [3]

1412
Shihab al-Din abu l-Abbas Ahmad ben Ali ben Ahmad Abd Allah al-Qalqashandi wrote Subh al-a sha, a 14-volume Arabic encyclopedia that included a section on cryptology. This information was attributed to Taj ad-Din Ali ibn al-Duraihim ben Muhammad ath-Thaalibi al-Mausili, who lived from 1312 to 1361 but whose writings on cryptology have been lost. The list of ciphers in this work included both substitution and transposition and, for the first time, a cipher with multiple substitutions for each plaintext letter. Also traced to Ibn al-Duraihim is an exposition on and worked example of cryptanalysis, including the use of tables of letter frequencies, and sets of letters that cannot occur together in one word. [1]

1466-1467
Leon Battista Alberti (a friend of Leonardo Dato, a political secretary who might have instructed Alberti in the state-of-the-art of cryptology) invented and published the first polyalphabetic cipher, designing a cipher disk (known to us as the Captain Midnight Decoder Badge) to simplify the process. This class of cipher was apparently not broken until the 1800s. Alberti also wrote extensively on the state-of-the-art in ciphers, in addition to his own invention. Alberti also used his disk for enciphered code. These systems were much stronger than the nomenclator in use by the diplomats of the day and for centuries to come. [1]

1473-1490
“A manuscript by Arnaldus de Bruxella uses five lines of cipher to conceal the crucial part of the operation of making a philosopher's stone.” [1]

1518
Johannes Trithemius wrote the first printed book on cryptology. He invented a steganographic cipher in which each letter was represented as a word taken from a succession of columns. The resulting series of words would be a legitimate prayer. He also described polyalphabetic ciphers in the now-standard form of rectangular substitution tables. He introduced the notion of changing alphabets with each letter. [1]

1553
Giovan Batista Belaso introduced the notion of using a passphrase as the key for a repeated polyalphabetic cipher. (This is the standard polyalphabetic cipher operation mis-named “Vigenère” by most writers to this day.) [1]

1563
Giovanni Battista Porta wrote a text on ciphers, introducing the digraphic cipher. He classified ciphers as transposition, substitution, and symbol substitution (use of a strange alphabet). He suggested use of synonyms and misspellings to confuse the cryptanalyst. He apparently introduced the notion of a mixed alphabet in a polyalphabetic tableau. [1]

1564
Bellaso published an autokey cipher improving on the work of Cardano, who appears to have invented the idea. [1]

1623
Sir Francis Bacon described a cipher that now bears his name, a biliteral cipher, known today as a 5-bit binary encoding. He advanced it as a steganographic device by using variation in type face to carry each bit of the encoding. [4]

1585
Blaise de Vigenère wrote a book on ciphers, including the first authentic plaintext and ciphertext autokey systems (in which previous plaintext or ciphertext letters are used for the current letter's key). Both of these were forgotten and reinvented in the late 19th century. [1] The autokey idea survives today in the DES, CBC, and CFB modes. [1]

1790s
Thomas Jefferson, possibly aided by Dr. Robert Patterson (a mathematician at U. Penn), invented his wheel cipher. This was reinvented in several forms later and used in World War II by the U.S. Navy as the Strip Cipher, M-138-A. [1,5]

1817
Colonel Decius Wadsworth produced a geared cipher disk with a different number of letters in t
