Introduction

Cryptography is used as a security tool everywhere these days, from hashed passwords to encrypted mail, to Internet Protocol Security (IPSec) virtual private networks (VPNs), and encrypted filesystems. This chapter covers most of the cryptography you will use as network security administrators.

This chapter looks closely at a few of the most common algorithms, including Advanced Encryption Standard (AES), the recently announced new cryptography standard for the U.S. government. It covers how key exchanges and public key cryptography come into play and how to use them. You will learn that almost all cryptography is at least theoretically vulnerable to brute force attacks.

Once all of the background is covered, the chapter next looks at how cryptography can be broken, from cracking passwords to man-in-the-middle-type attacks. It looks at how poor implementation of strong cryptography can reduce the security level to zero. Finally, it examines how attempts to hide information using outdated cryptography can easily be broken.

What does the word crypto mean? Its origins are in the Greek word kruptos, which means "hidden." Thus, the objective of cryptography is to hide information so that only the intended recipient(s) can convert it. In crypto terms, the hiding of information is called encryption, and converting the information is called decryption.

  • Cryptography is the science of preventing information from being disclosed to unauthorized persons.

  • Encryption is a subset of cryptography and involves the conversion of information by algorithmic, arithmetic processes into a form that is unreadable without authorization or possession of a secret key. Plaintext is an original, unencrypted message or data set.

  • Ciphertext is the resulting encrypted message, after an algorithm or function and a key have processed the plaintext. The key is also called a cryptovariable.

The function that converts plaintext to ciphertext is called a cipher. A cipher is used to accomplish both encryption and decryption. Merriam-Webster's Collegiate Dictionary defines cipher as "a method of transforming a text in order to conceal its meaning." Ideally changing any bit of either the plaintext or the cryptovariable will result in different ciphertext. Attempting to recover the plaintext message without knowledge of the cryptovariable is called cryptanalysis.

According to Fred Cohen, the history of cryptography has been documented back to over 4,000 years ago, where it was first allegedly used in Egypt. Julius Caesar even used his own cryptography called Caesar's Cipher. Basically, Caesar's Cipher rotated the letters of the alphabet to the right by three. For example, S moves to V and E moves to H. By today's standards, the Caesar Cipher is extremely simplistic, but it served Julius just fine in his day. If you are interested in knowing more about the history of cryptography, the following site is a great place to start: www.all.net/books/ip/Chap2-1.html.

In fact, Rotate 13 (ROT-13), which is similar to Caesar's Cipher, is still used today to avoid offending people when sending jokes, spoiling the answers to puzzles, and things of that nature. If such things do occur when the receiver decodes the message, then the responsibility lies on them and not the sender. For example, Mr. G. might find the following example offensive to him if he decoded it, but as it is shown it offends no one:

V guvax Jvaqbjf fgvaxf…

ROT-13 is simple enough to work out with pencil and paper. Just write the alphabet in two rows; the second row offset by 13 letters:

ABCDEFGHIJKLMNOPQRSTUVWXYZ NOPQRSTUVWXYZABCDEFGHIJKLM

start sidebar
Head of the Class…
Theory versus Reality

At this point you may be wondering, "Why do I have to learn about ROT-13? No one uses that!" Much of what is covered in this chapter is theory. Knowledge of the actual math behind an algorithm is not a prerequisite for successful configuration of a VPN or creation of a digital signature. Realize that the test objectives want you to recognize and understand many possible algorithms and implementations that exist, even if they are no longer used in real-world environments. You may, however, see the options for these "obsolete" encryption methods in legacy hardware or software in the course of your work, but current best practices preclude using them.

Do not let the attention to theory over pragmatic discussion discourage you. It is easier to know where you are going if you know where you came from. Also, should you run across a case where interoperability with a legacy solution is required, you will know the most secure option(s) available.

end sidebar



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
EAN: 2147483647
Year: 2003
Pages: 135

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net