Saturday, 17 December 2011

Cryptography



Cryptography is an art, as well as a science, that involves the process of transforming plaintext into scrambled text and vice-versa. The purpose of cryptography is to conceal the confidential information from unauthorized eyes and ensure immediate detection of any alteration made to the concealed information.

It is one of the most important domains in the CISSP (Certified Information System Security Professional) examination. This domain includes important concepts which are the fundamental building blocks for information security.


Public key infrastructure

Public Key Infrastructure (PKI) is a framework that enables integration of various services that are related to cryptography.

The aim of PKI is to provide confidentiality, integrity, access control, authentication, and most importantly, non-repudiation.

Non-repudiation is a concept, or a way, to ensure that the sender or receiver of a message cannot deny either sending or receiving such a message in future. One of the important audit checks for non-repudiation is a time stamp. The time stamp is an audit trail that provides information of the time the message is sent by the sender and the time the message is received by the receiver.

Encryption and decryption, digital signature, and key exchange are the three primary functions of a PKI.

RSA and elliptic curve algorithms provide all three primary functions: encryption and decryption, digital signatures, and key exchange. The Diffie-Hellman algorithm supports key exchange, while the Digital Signature Standard (DSS) is used for digital signatures.

Public Key Encryption is the encryption methodology used in PKI and was initially proposed by Diffie and Hellman in 1976. The algorithm is based on mathematical functions and uses asymmetric cryptography, that is, uses a pair of keys.


The image above represents a simple document-signing function. In PKI, every user has two keys, known as a "key pair". One key is known as the private key and the other as the public key. The private key is never revealed and is kept with the owner, while the public key is accessible by everyone and is stored in a key repository.

A key can be used to encrypt as well as to decrypt a message. Most importantly, a message that is encrypted with a private key can only be decrypted with a corresponding public key. Similarly, a message that is encrypted with a public key can only be decrypted with the corresponding private key.

In the example image above, Bob wants to send a confidential document to Alice electronically. Bob has four issues to address before this electronic transmission can occur:
Ensuring the contents of the document are encrypted such that the document is kept confidential.
Ensuring the document is not altered during transmission.
Since Alice does not know Bob, he has to somehow prove that the document is indeed sent by him.
Ensuring Alice receives the document and that she cannot deny receiving it in future.

PKI supports all the above four requirements with methods such as secure messaging, message digests, digital signatures, and non-repudiation services.

Secure messaging

To ensure that the document is protected from eavesdropping and not altered during the transmission, Bob will first encrypt the document using Alice's public key. This ensures two things: one, that the document is encrypted, and two, only Alice can open it as the document requires the private key of Alice to open it. To summarize, encryption is accomplished using the public key of the receiver and the receiver decrypts with his or her private key. In this method, Bob could ensure that the document is encrypted and only the intended receiver (Alice) can open it. However, Bob cannot ensure whether the contents are altered (Integrity) during transmission by document encryption alone.

Message digest

In order to ensure that the document is not altered during transmission, Bob performs a hash function on the document. The hash value is a computational value based on the contents of the document. This hash value is known as the message digest. By performing the same hash function on the decrypted document, Alice can obtain the message digest and compare it with the one sent by Bob to ensure that the contents are not altered.

This process will ensure the integrity requirement.

Digital signature

In order to prove that the document is sent by Bob to Alice, Bob needs to use a digital signature. Using a digital signature means applying the sender's private key to the message, or document, or to the message digest. This process is known as signing. Only by using the sender's public key can the message be decrypted.


Bob will encrypt the message digest with his private key to create a digital signature. In the scenario illustrated in the image above, Bob will encrypt the document using Alice's public key and sign it using his digital signature. This ensures that Alice can verify that the document is sent by Bob, by verifying the digital signature (Bob's private key) using Bob's public key. Remember a private key and the corresponding public key are linked, albeit mathematically. Alice can also verify that the document is not altered by validating the message digest, and also can open the encrypted document using her private key.
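
The steps described above (encrypt for Alice, compute the digest, sign as Bob, then decrypt and verify on Alice's side) as an added Go example that is not part of the original post. It uses the standard library's RSA-OAEP and RSA-PSS; the Envelope type and the NewKeyPair, Seal and Open functions are names assumed for illustration, and the document is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope (hypothetical name) is what Bob transmits: the document encrypted
// for Alice plus Bob's signature over the digest of the plaintext.
type Envelope struct {
	Ciphertext, Signature []byte
}

// NewKeyPair generates a 2048-bit RSA key pair; the public half is key.PublicKey.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is Bob's side: compute the message digest, sign it with Bob's private
// key, and encrypt the document with Alice's public key. RSA-OAEP only fits
// short inputs (at most 190 bytes for a 2048-bit key with SHA-256).
func Seal(doc []byte, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, bobPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, doc, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open is Alice's side: decrypt with her private key, recompute the digest,
// and verify Bob's signature over it with Bob's public key.
func Open(env *Envelope, alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alicePriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: wrong private key or altered ciphertext")
	}
	digest := sha256.Sum256(doc)
	if rsa.VerifyPSS(bobPub, crypto.SHA256, digest[:], env.Signature, nil) != nil {
		return nil, errors.New("signature invalid: altered or not signed by this key")
	}
	return doc, nil
}

func main() {
	bob, _ := NewKeyPair()
	alice, _ := NewKeyPair()
	env, _ := Seal([]byte("constructed sample document"), bob, &alice.PublicKey)

	doc, err := Open(env, alice, &bob.PublicKey)
	fmt.Printf("alice opens: %q, err=%v\n", doc, err)

	env.Signature[0] ^= 0x01 // simulate alteration in transit
	_, err = Open(env, alice, &bob.PublicKey)
	fmt.Println("after tampering:", err)
}
```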

Message authentication is an authenticity verification procedure that facilitates the verification of the integrity of the message as well as the authenticity of the source from which the message is received.

Digital certificate

By digitally signing the document, Bob has assured that the document is sent by him to Alice. However, he has not yet proved that he is Bob. To prove this, Bob needs to use a digital certificate.

A digital certificate is an electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. A digital certificate is a public key that is unique for each entity. A certification authority issues digital certificates.

In PKI, digital certificates are used for authenticity verification of an entity. An entity can be an individual, system, or an organization.

An organization that is involved in issuing, distributing, and revoking digital certificates is known as a Certification Authority (CA). A CA acts as a notary by verifying an entity's identity.

One of the important PKI standards pertaining to digital certificates is X.509. It is a standard published by the International Telecommunication Union (ITU) that specifies the standard format for digital certificates.

PKI also provides key exchange functionality that facilitates the secure exchange of public keys such that the authenticity of the parties can be verified.

Key management procedures

Key management consists of four essential procedures concerning public and private keys. They are as follows:

Secure generation of keys—Ensures that private and public keys are generated in a secure manner.

Secure storage of keys—Ensures that keys are stored securely.

Secure distribution of keys—Ensures that keys are not lost or modified during distribution.

Secure destruction of keys—Ensures that keys are destroyed completely once the useful life of the key is over.

Type of keys


Private signature key—It is a private key of public key pairs and is used to generate digital signatures. It is also used to provide authentication, integrity, and non-repudiation.

Public signature verification key—It is the public key of the asymmetric (public) key pair. It is used to verify the digital signature.

Symmetric authentication key—It is used with symmetric key algorithms to provide assurance of the integrity and source of the messages.

Private authentication key—It is the private key of the asymmetric (public) key pair. It is used to provide assurance of the integrity of information.

Public authentication key—Public key of an asymmetric (public) pair that is used to determine the integrity of information and to authenticate the identity of entities.

Symmetric data encryption key—It is used to apply confidentiality protection to information.

Symmetric key wrapping key—It is a key-encrypting key that is used to encrypt the other symmetric keys.

Symmetric and asymmetric random number generation keys—They are used to generate random numbers.

Symmetric master key—It is a master key that is used to derive other symmetric keys.

Private key transport key—They are the private keys of asymmetric (public) key pairs, which are used to decrypt keys that have been encrypted with the associated public key.

Public key transport key—They are the public keys of asymmetric (public) key pairs that are used to decrypt keys that have been encrypted with the associated public key.

Symmetric agreement key—It is used to establish keys such as key wrapping keys and data encryption keys using a symmetric key agreement algorithm.

Private static key agreement key—It is a private key of asymmetric (public) key pairs that is used to establish keys such as key wrapping keys and data encryption keys.

Public static key agreement key—It is a public key of asymmetric (public) key pairs that is used to establish keys such as key wrapping keys and data encryption keys.

Private ephemeral key agreement key—It is a private key of asymmetric (public) key pairs used only once to establish one or more keys such as key wrapping keys and data encryption keys.

Public ephemeral key agreement key—It is a public key of asymmetric (public) key pairs that is used in a single key establishment transaction to establish one or more keys.

Symmetric authorization key—This key is used to provide privileges to an entity using symmetric cryptographic method.

Private authorization key—It is a private key of an asymmetric (public) key pair that is used to provide privileges to an entity.

Public authorization key—It is a public key of an asymmetric (public) key pair that is used to verify privileges for an entity that knows the associated private authorization key.

Thursday, 15 December 2011

Packet Switching & Circuit Switching



Circuit switching and packet switching both are used in high-capacity networks. In circuit-switched networks, network resources are static, set in “copper” if you will, from the sender to receiver before the start of the transfer, thus creating a “circuit”. The resources remain dedicated to the circuit during the entire transfer and the entire message follows the same path. In packet-switched networks, the message is broken into packets, each of which can take a different route to the destination where the packets are recompiled into the original message.

packet switching. Fact is, there’s at least one other way, circuit switching. While the majority of switched networks today get data across the network through packet switching, the concept of circuit switching should be no mystery to the average tech, let alone the tech wannabe. There are at least two good reasons to learn the difference. First of all, there is plenty of legacy hardware out there to support. Second, and perhaps more or at least very important, it could well turn up on the test. If one question stands between you and passing, don’t make this the one you miss.



In circuit-switching networks, when a call is established a set of resources is allocated for it. These resources are dedicated to this call and cannot be used by any other call. Circuit switching is ideal when data must be transmitted quickly, must arrive in sequence, and at a constant arrival rate. Therefore, when transmitting real-time data such as audio and video, circuit-switching networks are used.

The main difference between packet switching and circuit switching is that the communication lines are not dedicated to passing messages from the source to the destination. In packet switching, different messages can use the same network resources within the same time period. Since network resources are not dedicated to a certain session, the protocol avoids wasting resources when no data is transmitted in the session. Packet switching is more efficient and robust for data that is bursty in nature and can withstand delays in transmission, such as e-mail messages and Web pages.


Consider the two following examples to answer your question:

Example of Circuit Switching:-

 You pick up your land phone and dial your friend. At that point, the TELCO provider creates a dedicated Circuit for that session and connects you to your friend's telephone. No matter how long you keep the line open with your friend, the circuit will remain, and packets flowing between both telephones will always follow the same path. This is an example of a circuit-switched network.

Example of packet-switching:-

 In the second example, you switch on your PC and connect to your favorite site that offers a number of applications you can download, so you begin downloading one application at a time. Each packet has to find its own route to the destination, i.e., your computer. Each packet finds its way using the information it carries, such as the source and destination IP address. If network congestion occurs, the routers responsible for routing packets between networks will automatically select different paths to ensure data is transferred as required. This is an example of a packet-switched network.


WELL KNOWN PROTOCOL



Address Resolution Protocol (ARP) 

For two machines on a given network to communicate, they must know the other machine’s physical (or MAC) addresses. By broadcasting Address Resolution Protocols (ARPs), a host can dynamically discover the MAC-layer address corresponding to a particular IP network-layer address.

After receiving a MAC-layer address, IP devices create an ARP cache to store the recently acquired IP-to-MAC address mapping, thus avoiding having to broadcast ARPs when they want to recontact a device. If the device does not respond within a specified time frame, the cache entry is flushed.

In addition, the Reverse Address Resolution Protocol (RARP) is used to map MAC-layer addresses to IP addresses. RARP, which is the logical inverse of ARP, might be used by diskless workstations that do not know their IP addresses when they boot. RARP relies on the presence of a RARP server with table entries of MAC-layer-to-IP address mappings.



Internet Control Message Protocol (ICMP) 

The Internet Control Message Protocol (ICMP) is a network-layer Internet protocol that provides message packets to report errors and other information regarding IP packet processing back to the source.

ICMP Messages

ICMP generates several kinds of useful messages, including Destination Unreachable, Echo Request and Reply, Redirect, Time Exceeded, and Router Advertisement and Router Solicitation. If an ICMP message cannot be delivered, no second one is generated. This is to avoid an endless flood of ICMP messages.

When an ICMP destination-unreachable message is sent by a router, it means that the router is unable to send the packet to its final destination. The router then discards the original packet. Two reasons exist for why a destination might be unreachable. Most commonly, the source host has specified a nonexistent address. Less frequently, the router does not have a route to the destination.

Destination-unreachable messages include four basic types: network unreachable, host unreachable, protocol unreachable, and port unreachable. Network-unreachable messages usually mean that a failure has occurred in the routing or addressing of a packet. Host-unreachable messages usually indicate delivery failure, such as a wrong subnet mask. Protocol-unreachable messages generally mean that the destination does not support the upper-layer protocol specified in the packet. Port-unreachable messages imply that the TCP socket or port is not available.

An ICMP echo-request message, which is generated by the ping command, is sent by any host to test node reachability across an internetwork. The ICMP echo-reply message indicates that the node can be successfully reached.

An ICMP Redirect message is sent by the router to the source host to stimulate more efficient routing. The router still forwards the original packet to the destination. ICMP redirects allow host routing tables to remain small because it is necessary to know the address of only one router, even if that router does not provide the best path. Even after receiving an ICMP Redirect message, some devices might continue using the less-efficient route.
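
A decoder for the ICMP message kinds listed above, as an added Go example that is not part of the original post. The type and code numbers and the Internet checksum come from the ICMP specifications (RFC 792 and RFC 1256); the function names Checksum, Describe and Build are assumed for illustration, and the sample messages are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Destination Unreachable (type 3) codes for the four basic kinds in the text.
var unreachable = map[byte]string{
	0: "network unreachable", 1: "host unreachable",
	2: "protocol unreachable", 3: "port unreachable",
}

// ICMP type numbers for the message kinds named in the text.
var icmpTypes = map[byte]string{
	0: "echo reply", 3: "destination unreachable", 5: "redirect",
	8: "echo request", 9: "router advertisement",
	10: "router solicitation", 11: "time exceeded",
}

// Checksum computes the Internet checksum: the ones' complement of the
// ones' complement sum of the data taken as 16-bit big-endian words.
func Checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(b[i])<<8 | uint32(b[i+1])
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8 // pad odd length with a zero byte
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// Describe (hypothetical helper) validates an ICMP message whose header
// starts at byte 0 and returns a name for it.
func Describe(msg []byte) (string, error) {
	if len(msg) < 8 {
		return "", errors.New("truncated ICMP header")
	}
	if Checksum(msg) != 0 { // a valid message sums to zero with its checksum
		return "", errors.New("bad ICMP checksum")
	}
	name, ok := icmpTypes[msg[0]]
	if !ok {
		return fmt.Sprintf("type %d (not covered here)", msg[0]), nil
	}
	if why, ok := unreachable[msg[1]]; ok && msg[0] == 3 {
		name += ": " + why
	}
	return name, nil
}

// Build makes a constructed ICMP message with a correct checksum.
func Build(typ, code byte, rest []byte) []byte {
	msg := append([]byte{typ, code, 0, 0}, rest...)
	c := Checksum(msg)
	msg[2], msg[3] = byte(c>>8), byte(c)
	return msg
}

func main() {
	fmt.Println(Describe(Build(8, 0, []byte{0, 1, 0, 1, 'p', 'i', 'n', 'g'})))
	fmt.Println(Describe(Build(3, 3, make([]byte, 32))))
}
```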



ICMP Router-Discovery Protocol (IRDP)

IRDP uses Router-Advertisement and Router-Solicitation messages to discover the addresses of routers on directly attached subnets. Each router periodically multicasts Router-Advertisement messages from each of its interfaces. Hosts then discover addresses of routers on directly attached subnets by listening for these messages. Hosts can use Router-Solicitation messages to request immediate advertisements rather than waiting for unsolicited messages.

IRDP offers several advantages over other methods of discovering addresses of neighboring routers. Primarily, it does not require hosts to recognize routing protocols, nor does it require manual configuration by an administrator.

Router-Advertisement messages enable hosts to discover the existence of neighboring routers, but not which router is best to reach a particular destination. If a host uses a poor first-hop router to reach a particular destination, it receives a Redirect message identifying a better choice.



Transmission Control Protocol (TCP) 

The TCP provides reliable transmission of data in an IP environment. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing.

With stream data transfer, TCP delivers an unstructured stream of bytes identified by sequence numbers. This service benefits applications because they do not have to chop data into blocks before handing it off to TCP. Instead, TCP groups bytes into segments and passes them to IP for delivery.

TCP offers reliability by providing connection-oriented, end-to-end reliable packet delivery through an internetwork. It does this by sequencing bytes with a forwarding acknowledgment number that indicates to the destination the next byte the source expects to receive. Bytes not acknowledged within a specified time period are retransmitted. The reliability mechanism of TCP allows devices to deal with lost, delayed, duplicate, or misread packets. A time-out mechanism allows devices to detect lost packets and request retransmission.



User Datagram Protocol (UDP) 

The User Datagram Protocol (UDP) is a connectionless transport-layer protocol (Layer 4) that belongs to the Internet protocol family. UDP is basically an interface between IP and upper-layer processes. UDP protocol ports distinguish multiple applications running on a single device from one another.

Unlike the TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP. Because of UDP’s simplicity, UDP headers contain fewer bytes and consume less network overhead than TCP.

UDP is useful in situations where the reliability mechanisms of TCP are not necessary, such as in cases where a higher-layer protocol might provide error and flow control.

UDP is the transport protocol for several well-known application-layer protocols, including Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol (TFTP).





Internet Protocols Application-Layer Protocols 

The Internet protocol suite includes many application-layer protocols that represent a wide variety of applications, including the following:

• File Transfer Protocol (FTP)—Moves files between devices

• Simple Network-Management Protocol (SNMP)—Primarily reports anomalous network conditions and sets network threshold values

• Telnet—Serves as a terminal emulation protocol

• X Windows—Serves as a distributed windowing and graphics system used for communication between X terminals and UNIX workstations

• Network File System (NFS), External Data Representation (XDR), and Remote Procedure Call (RPC)—Work together to enable transparent access to remote network resources

• Simple Mail Transfer Protocol (SMTP)—Provides electronic mail services

• Domain Name System (DNS)—Translates the names of network nodes into network addresses

CopyRight @ yogendra singh negi