Book Image

Modern Cryptography for Cybersecurity Professionals

By : Lisa Bock
Book Image

Modern Cryptography for Cybersecurity Professionals

By: Lisa Bock

Overview of this book

In today's world, it is important to have confidence in your data storage and transmission strategy. Cryptography can provide you with this confidentiality, integrity, authentication, and non-repudiation. But are you aware of just what exactly is involved in using cryptographic techniques? Modern Cryptography for Cybersecurity Professionals helps you to gain a better understanding of the cryptographic elements necessary to secure your data. The book begins by helping you to understand why we need to secure data and how encryption can provide protection, whether it be in motion or at rest. You'll then delve into symmetric and asymmetric encryption and discover how a hash is used. As you advance, you'll see how the public key infrastructure (PKI) and certificates build trust between parties, so that we can confidently encrypt and exchange data. Finally, you'll explore the practical applications of cryptographic techniques, including passwords, email, and blockchain technology, along with securely transmitting data using a virtual private network (VPN). By the end of this cryptography book, you'll have gained a solid understanding of cryptographic techniques and terms, learned how symmetric and asymmetric encryption and hashed are used, and recognized the importance of key management and the PKI.
Table of Contents (16 chapters)
1
Section 1: Securing Our Data
5
Section 2: Understanding Cryptographic Techniques
9
Section 3: Applying Cryptography in Today's World

Understanding security services

Today, there are many threats to the security of our data. Therefore, it's imperative that we remain vigilant in protecting our networks and data from attack or unauthorized access. In this section, we'll take a look at some of the security services designed to assure our data is protected. We'll also see how cryptographic techniques can help ensure data is not modified, lost, or accessed in an unauthorized manner.

There are many guidelines that outline how to provide data security. One document that helps list security concepts is the International Telecommunications Union (ITU) Security architecture for Open Systems Interconnection for CCITT applications, also known as X.800. Let's take a look.

Investigating X.800

The Consultative Committee for International Telephony and Telegraphy (CCITT), now known as the International Telecommunications Union - Telecommunication Standardization Sector (ITU-T), recognized the need to provide a secure architecture when dealing with data transmission. More specifically, they wanted to outline the general framework of security services that should be implemented within the Open Systems Interconnection (OSI) model.

Important note

The OSI model is a seven-layer representation of how systems communicate with one another. The OSI model is well recognized among network professionals, as it breaks down the function of each layer.

X.800 outlines recommended security services, along with best-practice logical and physical controls that help protect each service. In addition to logical and physical controls, the document outlines various cryptographic techniques that should be used, such as the following:

  • Encryption: Transforms plaintext into ciphertext by using a cryptographic algorithm and key.
  • Hashing: Functions that take a given input (of any size) and produce a fixed-length output. The output size will depend on the algorithm. This is also called a one-way function, in that you cannot derive the original input from the hash value.
  • Digital signature: A cryptographic technique using asymmetric encryption to ensure message authenticity and non-repudiation.

The document lists the main security services designed to protect data, which include confidentiality, integrity, authentication, and non-repudiation.

Let's take a look at each of these and how they can be achieved, starting with confidentiality.

Ensuring confidentiality

While we may not feel that all data should be rigorously protected, in today's world, it's best to keep most, if not all, data protected from prying eyes. Confidentiality means keeping private data private by protecting against unauthorized disclosure.

An example of a violation of confidentiality would be if a malicious actor were to gain access to a company's proprietary trade secrets or customer database.

A data breach of client information can cause business harm and result in a tarnished reputation and loss of trust. To ensure confidentiality, businesses and individuals should restrict access by using access control methods that allow only authorized people, devices, or processes to have access to the data.

In addition, we can protect data confidentiality by using encryption. That way, if someone were to gain access to the information, it would be meaningless, unless they have a key to decrypt the data.

Another service is to ensure data integrity, as we'll see next.

Safeguarding integrity

Providing integrity ensures that data is not modified, lost, or destroyed in either an accidental or unauthorized manner.

An example of a violation of integrity would be someone gaining access to their payroll file and changing their salary from $30,000 to $40,000.

To protect integrity, use access control methods and employ strong audit policies. In addition, monitor the network for unusual or suspicious activity and use software designed to compare cryptographic hash values for unauthorized changes to the data.

One example of software that monitors for unauthorized changes in the filesystem is called Tripwire, which acts as a software intrusion detection system.

Tripwire works in the following manner:

  1. Prior to activating the monitoring feature, you must first flag the files that need to be checked on all filesystems and devices.
  2. Once the appropriate files are identified, the software will baseline the existing filesystem and generate a hash value for all files.
  3. After baselining, the software will scan the filesystem and generate another hash value for all flagged files.
  4. The software then compares each file's hash value against the baseline.
  5. If the hash value does not match the baseline, the system will send an alert, which will indicate that the file has been modified in an unauthorized manner.

In the following figure, the hash value of the baseline file is not the same as the hash value of the checked file:

Figure 1.2 – A hash value that does not match the baseline

Figure 1.2 – A hash value that does not match the baseline

If the hash value does not match, this will send an alert that there is a violation of the integrity of the file.

Another service that is paramount on a network is authentication, as we'll see next.

Providing authentication

When something or someone is authentic, we are assured that it is true or genuine. For example, when you go to a bank to cash a check, the bank will require you to produce identification to prove who you are.

A violation of authentication occurs when spoofing techniques are used. For example, malicious actors often use an email address that spoofs the name to look like someone you know. This is a social engineering technique that is used to get you to open a file or complete some action.

When dealing with an entity on a network, it's especially important to guarantee authenticity, as this assures both parties that the message has originated from an authorized source. One way to prove authentication is by using a message authentication code, which is a small block of code used to authenticate the origin of the message.

Another security service is non-repudiation, which prevents an entity from denying that they either sent or received a communication.

Certifying non-repudiation

Non-repudiation is preventing a party from denying participation in a communication and can be used in both sides of a conversation to prevent either party from denying their involvement. By using a digital signature, non-repudiation can be achieved in the following manner:

  • Proof of origin: Assurance that the message was sent by a specific entity
  • Proof of receipt: Assurance that the message was received by a specific entity

To understand the importance of providing non-repudiation, let's outline the concept using a scenario in the following section.

Denying involvement

Every day, busy professionals send and receive emails. So that you can better understand how this works, I'll outline the concept in a story where using a digital signature when sending an email could help provide non-repudiation.

Bob is an office manager for a large payroll department. The supervisor is Jessica, who oversees the day-to-day operations of the department. Jessica is generally busy, with many tasks and meetings throughout the day.

Jessica's administrative assistant, Paul, notices that Jessica's birthday is in 2 days. Paul emails Bob to purchase a birthday cake and plan a surprise party and invite the whole office. Bob completes all the necessary arrangements and lets Paul and the department know that everything is ready for Friday.

On Friday, Jessica returns from her morning meeting, where she is greeted by the entire department wishing her a happy birthday. Jessica looks around the room and is visibly upset, and states, "you shouldn't have done this." She then retreats to her office and closes the door.

Later that morning, Jessica calls Bob and Paul into her office and tells them that she knows they meant well, but she didn't appreciate the attention. Paul states that he has no idea how this happened. Bob replies to Paul, "you sent me an email telling me to plan the event!" Paul answers, "no I didn't."

At that point, Bob has no recourse but to take the blame, as Paul has repudiated the fact that he had requested the party.

While Bob could have printed the email from Paul to attempt to prove that Paul requested the party, this may not be sufficient, as it is possible to spoof (or recreate) an email. However, if Paul had sent the email using a digital signature, this would prove that he had sent the email. At that point, Bob could have defended himself and let Jessica know what really happened.

Using a digital signature to prevent non-repudiation is not always required; however, in a high-stakes situation, such as a financial transaction, this can be especially important.

On any network, it's also important to ensure availability, as we'll see next.

Assuring availability

Availability is the assurance that resources are available to authorized devices, users, and/or processes on the network.

A violation of availability would be a DoS attack designed to interrupt or suspend services to legitimate users.

Although ensuring availability is an important concept, we cannot use a cryptographic method to ensure this service. However, there are other ways to protect availability, such as using intrusion detection and prevention. In addition, the network administrator should also keep systems up to date with all security patches, and upgrade systems and devices when necessary.

As outlined, encryption and cryptographic techniques are some of the ways through which we can protect against the constant threats to the security of our data. In the next section, let's take a look at a few of the cryptographic concepts that you might encounter.