Fatskills
Practice. Master. Repeat.
Study Guide: SSCP: 14. Cryptography
Source: https://www.fatskills.com/systems-security-certified-practitioner-sscp/chapter/sscp-14-cryptography

SSCP: 14. Cryptography

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~5 min read

Cryptography provides several important security benefits. You can encrypt data to prevent the loss of confidentiality, and you can use hashing algorithms to help ensure integrity. Many encryption and hashing protocols also provide authenticity, providing assurances that data is coming from a known source and is valid or reliable.
Organizations use cryptographic methods to secure sensitive data. In general, all nonpublic data should be encrypted to help ensure its protection. Additionally, regulations require organizations to protect certain data, such as personally identifiable information (PII) and protected health information (PHI). Encryption is a primary method of doing so.
Hashing provides one-way encryption to create a fixed-length hash (a number) from a file or message of any size. The created hash will always be the same as long as the file or message has not been modified. By comparing hashes at different times (such as before and after downloading a file), you can tell whether the original data has been modified or has lost integrity. If the hashes are the same, the data has not lost integrity. Message Digest 5 (MD5) and Secure Hashing Algorithm 1 (SHA-1) have been popular hashing algorithms, but both have been cracked and should not be used. NIST recommends the use of SHA-3, which can create hashes of 224, 256, 384, or 512 bits.
Encryption converts plaintext data into ciphertext data. The two primary categories of encryption are symmetric encryption and asymmetric encryption.
Symmetric encryption uses a single key to encrypt and decrypt data. Keys used with symmetric encryption need to be protected and changed often. If the key is not protected, an attacker can use it to decrypt the data.
Advanced Encryption Standard (AES) is a strong, efficient symmetric encryption algorithm. NIST identified it in 2002 as a standard to be used by the U.S. government agencies, and it has been adopted in many different commercial applications. AES can use key sizes of 128 bits (AES or AES-128), 192 bits (AES-192), or 256 bits (AES-256). AES is the designated replacement for Data Encryption Standard (DES). DES has been cracked and is not recommended for use today. Other symmetric encryption algorithms include 3DES, Blowfish, International Data Encryption Algorithm (IDEA), and RC4 (though RC4 is not recommended for use today).
Asymmetric encryption uses two keys (a public key and a private key) created as matched pairs. Information encrypted by one of the keys can only be decrypted with the matching key. The public key is embedded in a certificate and freely shared, but the private key always remains private. RSA is used for asymmetric encryption and employs large prime numbers to create matching public and private keys. Transport Layer Security (TLS) uses asymmetric encryption to share a symmetric key privately, and then it uses symmetric encryption to encrypt session data.
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a popular standard used to protect e-mail. It supports encryption and digital signatures. Digital signatures are created by hashing an e-mail message and then encrypting the hash with the sender’s private key. The recipient uses the sender’s public key to decrypt the hash, and if the decryption succeeds, the digital signature provides authentication, integrity, and nonrepudiation. DomainKeys Identified Mail (DKIM) helps detect e-mail spoofing by verifying the e-mail was sent by an authorized mail server.
Two other encryption schemes include steganography and Internet Protocol security (IPsec). Steganography is the practice of hiding data within data. IPsec is used to secure data going over a network and uses Authentication Header (AH) and Encapsulating Security Protocol (ESP). AH provides authentication and integrity, and ESP provides authentication, integrity, and confidentiality.
A public key infrastructure (PKI) includes all the components needed to issue and manage certificates, which follow the X.509 standard. The certificate authority (CA) issues the certificates. Certificates have expiration dates, but the CA can revoke the certificate earlier if necessary, such as if the matching private key is compromised. The CA publishes a list of revoked certificates by serial number in a certificate revocation list (CRL). Clients can request a copy of the CRL to validate a certificate. The Online Certificate Status Protocol (OCSP) is an alternative method used to validate certificates. The first CA in a certificate trust chain is called the root CA. If the root CA is trusted, all certificates issued by any CAs in the trust path are also trusted.
S/MIME depends on a centralized PKI for certificates. Pretty Good Privacy (PGP), GNU Privacy Guard (GPG), and OpenPGP are alternatives to S/MIME and can use a decentralized web of trust (WOT). A WOT allows individuals to create their own self-signed certificates and share them. When enough people endorse a certificate, it indicates a high level of trust that it is valid.
Cryptanalysis is the process of deciphering codes through analysis. Two common cryptanalysis attacks are a known-plaintext attack and a ciphertext-only attack. A known-plaintext (or known-text) attack is possible when the attacker has samples of both plaintext and ciphertext data. A ciphertext-only attack is one where the attacker has only ciphertext for analysis.
A hash collision occurs when two different inputs to a hashing function produce the same hash. When collisions are possible, it indicates the hashing function is not secure and should not be used.
Common countermeasures against cryptanalysis attacks start with using known strong algorithms. When flaws are found, organizations should replace older algorithms with recommended replacements. Additionally, organizations should ensure that they are implementing common key management concepts. This includes using strong keys, rotating them as recommended, exchanging them securely, and revoking them when they are compromised.



ADVERTISEMENT