CSS 111 - Introduction to Information System Security
Chapter 8, Cryptography
This lesson discusses several topics associated with
encryption of data. Objectives
important to this lesson:
- Identify different technologies in relation to network,
and application security
- Access control, access control models
- Authentication models
- Identify types of firewall, intrusion detection, dial-up,
and networking analysis tools
- Identify types of encryption, cryptography, and
The text begins this chapter with a lot of history which will
be interesting to people who love cryptography, but it is all
background. You may want to know some of the famous concepts, and some
- plaintext, cleartext - a message that has not
been encrypted or has been decrypted
- encrypt, encipher - to change an ordinary
message with a code or cipher system so that the message is unreadable
- decrypt, decipher - to change and encrypted
message to plaintext
- cipher or code - the difference between a
cipher and a code is that a cipher uses one symbol to stand for
another, while a code can use a symbol to stand for several symbols or
- Caesar cipher - Julius Caesar is famous
for several things, one of which is the creation of a substitution cipher that is
incredibly easy to crack: he wrote down the Latin alphabet on one line,
then wrote it again on a second line, offset by three characters, which
was used as an encrypting/decrypting tool. The two lines below show
what this would look like in English:
The text surveys several cipher methods. You should know some
concepts in this section:
- Substitution Cipher - like the Caesar
cipher above, it may use one letter to represent another, or it may use
a series of such ciphers like
Square shown on page 357. To use that cipher, you need to
know the pattern
to follow, which could be changed from one message to another. The
cryptogram example on page 355 uses one simple cipher, that is not an
offset. It is a tad harder to crack because it contains an error. If you want to crack it, in
the first line, third word, change the second ciphertext character to Y
instead of X. The X in the book must be a typo.
- Transposition Cipher
- the text shows us several words whose letters have been rearranged, which
is the basic concept. A more advanced concept is described: instead of
mixing up the letters, we can follow a pattern that mixes up the bits in each character.
- Hashing - A hash function takes a
plaintext block of any size
and converts it to an encrypted block of a specific
size. This is often done with passwords and PINs. The idea is to use
hash function each time a user enters a password, and to compare the
hash to a stored version of the hashed password, which is the only
version of the password that is saved on the system. This method makes
sure that anyone reading the file that holds the hash versions cannot
know what the actual passwords are. Hash
algorithms work only one way:
you can't use the hash algorithm to
decrypt the hash output. You can only compare to see if the hash of the
user's input matches the saved hash. The text explains that an
experienced hacker could use rainbow tables
to compare to a captured hash. A rainbow table holds the hash values of
known words and numbers. If the hacker finds a match, the password is
no longer secret.
The text moves on to discuss symmetric and asymmetric
Symmetric Cryptographic Algorithms
Unlike hashes, cryptographic algorithms are typically meant to
be used for encryption and decryption.
The methods in this group use the same key to encrypt
and to decrypt, which is why they are called symmetric.
They are also called private key
algorithms because the key must remain private to the users of the
system or there is no security. Consider the Enigma machine from
chapter 1. Once the encryption and decryption methods are available to
your enemy, the code is worthless. (This seems like an obvious point,
we will consider another system where it is not true.)
Stream ciphers encrypt one character
at a time (from the flowing stream of data). Block
ciphers divide the message into blocks of a specific
size, then encrypt each block as a unit. Many
variations exist on the methods discussed. The text lists three
symmetric algorithms to be aware of:
Asymmetric Cryptographic Algorithms
- DES - Data Encryption Standard
- 3DES - Triple Data Encryption Standard
- AES - Advanced Encryption Standard
It should be obvious that asymmetric (not symmetric)
algorithms will use different keys. This method
is also called public key cryptography. This name
does not describe the method well. A person must have two keys in this
system, a public key and a private
key. They are created as a pair, so that whatever is encrypted
must be decrypted with the other. The owner of the
keys gives the public key to anyone
who wants it, but keeps the private key safe
from anyone else.
This is how SSL encryption
on a web site works. I connect to a vendor's web site. I obtain the
vendor's public key when I make the secure connection. My browser
encrypts my credit card data with the vendor's public key and sends the
ciphertext to the vendor. If the vendor's private key is secure, the
vendor is the only one who can decrypt the data sent through the public
key. In this way, a key is made available to anyone who wants it, but
using it makes the data unintelligible to everyone who does not have
the private key.
Of course, this falls apart if I did not get the vendor's key,
or if I got a key from someone who hijacked my connection to the
vendor's web site.
The text only discusses one asymmetric algorithm.
You should be aware of these three for most certification tests:
- RSA - named for its creators, so there is no acronym
- also named for its creators; does not seem to belong in this group,
since it is only used to allow two users to share a key, enabling them
to use symmetric cryptography
Curve Cryptography - the link takes you to an Ars Technica article
that reviews all three methods, and may hurt to look at; just know that
Encryption algorithms are mathematical.
Keys may be the numbers
used to start the calculations in the algorithms. The larger the keys
are, the better the protection your message will have. Think of the
algorithm as the series of steps in the encryption, and the keys as
tools that are used in particular steps.
Public Key Infrastructure
The Public Key Infrastructure is a system that includes
several parts that have evolved to make the system work. It addresses
concern above about actually getting the right key from the selected
In the introduction to this section, the text lists five
security that cryptography might provide, and notes that not
all kinds of cryptography provide all five features. PKI typically
addresses all of them.
- authentication -
each party in a transaction provides an assurance of their identity
- integrity - the
certificates used in the transactions are protected from changes
- privacy - encrypted transactions are remain private
- authorization - a secure
algorithm keeps the session encrypted and removes
the need to authenticate each message
- nonrepudiation -
the encryption may prove who
something and when it was done
This leads us to an industry that supports verified identities
by the use of digital certificates.
There are companies whose business is to create key pairs and to
provide the appropriate keys to vendors and their customers. Verisign
and Entrust are examples.
Some terms associated with PKI:
- certificate authority (CA) - an agency
that issues digital certificates; the CA may create key pairs for users
or accept them from users who create them; the CA is responsible for
verifying the identity of the key owner; organizations with the proper
software can act as their own internal CA
- registration authority (RA) - an entity
that takes on some of the tasks of a CA and operates on their behalf;
think of them like a subcontractor
- certificate revocation list (CRL) - a list
of certificates that are no longer valid for various reasons
- certificate repository (CR), certificate directory (CD) - a
directory of valid certificates; may contain invalid certificates as
well or may link to a CRL
- S/MIME - may be
used by mail applications or applications that use secure forms; it
stands for Secure Multipurpose Internet Mail Extension
- SSL - Secure
Sockets Layer certificates are used for transactions on the world wide
The text moves on to discuss another type
of digital certificates, a digital signature. It mentions that this
kind of certificate supports nonrepudiation.
On page 378, the text mentions Pretty Good Privacy (PGP) as a
popular certificate creation tool. This is a tool you have to purchase.
An Open Source version is called GPG, Gnu Privacy Guard.
Everyone who uses PGP will have a public
key that is freely available, a private key that
remains secure, and everyone can generate new keys as
- When I want to send a message to you,
I generate a new symmetric key for that message.
- I encrypt the message
with the symmetric key.
- I encrypt the symmetric
key with your public key. (Which I got from your CA).
- I send the encrypted message and the
encrypted key to you.
- You are the only person who can decrypt
the encrypted key, by using your private
- You then use the decrypted symmetric key
to decrypt the message.
In this way, PGP (and GPG) can use both symmetric and
On page 380, the text has a pretty good explanation of steganography, hiding a message in
an image. The short form is that an image typically has three bytes (RGB) of color
in it. It is unlikely that anyone just looking at an image could tell
the difference between pixels that are true to color and those that
have had each of their least
significant color bits changed as needed to hide/provide data.
If you change one bit per color, you can hide one byte every three
Imagine that the table below represents a series of pixels. I
have used cells in a table to make the idea more visual. I have put a
reference color in the first cell: hex code 58C314 stands for 111,
because I chose that color as the key. I have modified the color in
each of the other cells in the second row to indicate three bits. The
bits are indicated by the color's deviation from the key color.
The binary code for that sequence, which would have taken 15
- first three ones are reference
- 010 100 11
- 0 111 010 0
- 01 100 101
- 011 101 10
- 0 110 010 1
- last two ones are padding
This example used seven variations on one color. The sender
could send an image in which every pixel was modified if the receiver
already had a reference copy to the image for comparison. I have done
this by hand: an application that encrypts a message in an image or
audio file would be much faster.
The text considers some methods that make the things we do
- We have already seen that Secure
Sockets Layer (SSL)
should be used to conduct encrypted transactions over the web. When you
are using SSL, you are using HTTPS instead of HTTP
- S-HTTP is not
the same as HTTPS. S-HTTP is another version of HTTP that supports
transferring files with encryption, digital certificates, or both. This
article on Wikipedia discusses the differences between HTTPS and
- We have discussed using S/MIME
to encrypt email. The text also mentions using Privacy Enhanced Mail (PEM) and PGP (discussed above).
The text turns to wireless networks for a moment, and mentions
two widely used standards, WEP
and WPA. You should know that WEP is no longer considered secure
and should not be used.
Note the comparison of WEP and WPA on page 385. When you set up a
wireless access point, WEP is still offered as an encryption choice.
Don't use it. Use WPA2 instead, unless you have to provide access to
devices that do not speak it.
Bluetooth is discussed
on page 386. It is for short range communications. The text says 30
feet or less. 10 feet may be a more probable limit. The problem with
Bluetooth is that it is not
secure, so eavesdropping and worse are possible for any device that has
Bluetooth enabled and accepts pairing requests.