• Tools
• Aescrypt - Individual files
• BitLocker and FileVault - Entire Disks
• Cipher Methods
• Mono-alphabetic
• Uses a single mapping from our alphabet
• Vulnerable to frequency analysis
• Poly-alphabetic
• Uses multiple mappings
• One-time pad
• Only uses cipher code once
• Theoretically unbreakable
• Random Number Generators
• PRNG
• Pseudo-random because the numbers will repeat after enough time.
• Fast and deterministic
• TRNG
• True-random but slow
• Encoding
• Binary representations of characters
• ASCII - 8 bit
• UTF-16 - 16 bits
• HSM
• Seperate physical device for crypto keys and processing
• TPM
• Handles disk encryption on a device and contains the encryption keys

• Combinations
• Not concerned with order
• Permutations
• Consider all options, including sequence
• Probability Theory
• Dependent, Independent, and Mutually Exclusive

• Secret Key encryption
• Uses a single key for both encryption and decryption.
• Sharing or transporting the key securely between entities is a challenge.
• Diffie-Hellman is a popular key exchange algorithm used to exchange secret keys.
• S-boxes are used in secret key ciphers to perform substitution during the encryption process.
• All current cipher codes can be cracked, and the work factor is used to measure the security of a code.
• Salting is the process of adding an initialization vector to the ciphering process to ensure that the ciphertext does not give the original plaintext when played back.
• Symmetric encryption
• There are two types of symmetric encryption: Block and Stream.
• Symmetric block encryption groups data into blocks and encrypts them, while stream encryption encrypts one bit at a time.
• Padding is used in block encryption to fill blocks to operating size when data doesn't fit perfectly.
• Block cipher modes include ECB, CBC, CFB, OFB, and CTR.
• IVs refer random value used to initialize the encryption process, which is combined with the key to generate the keystream.
• Stream encryption is faster and more suitable for real-time applications.

• Definition: a one-way encryption technique used to protect data integrity and authentication
• Process: producing a fixed-length output (message digest) from a variable-length input
• Weakness: same input produces the same output unless salt is applied
• Factors affecting hash signatures:
• Collision: when two different inputs produce the same hash signature
• Similar context attack: when part of the message has some significance to the original
• Full context attack: where an alternative message is created with the same hash signature and has a direct relatio
• APR1 format: addresses brute force attacks on MD5 by iterating the hash value 1,000 times
• SHA weakness: does not have a salted value, making it vulnerable to rainbow table and brute force attacks
• HMAC: a message authentication code that can be used to verify integrity of a message and involves hashing the message with a secret key

• Hashed value passwords: can be cracked with rainbow tables or brute force attacks
• One-time passwords (OTP):
• Definition: a better option than hashed value passwords
• Generated based on an initial seed or time
• Types:
• OTP: unique password to be created for each instance, based on an initial seed
• TOTP: unique passcode to be created for each instance, based on an initial seed and for a given time period
• HOTP: unique passcode to be created each instance, based on a counter value and an initial seed.

• Uses a key pair (public and private) for encryption and decryption.
• Only the public key should be shared or distributed.
• Is secure but often too slow for real-time communications.
• Main applications are identity checking and key protection.

• RSA is based on the difficulty of factorizing products of large prime numbers.
• Homomorphic encryption allows performing mathematical operations on ciphered values.
• Elliptic Curve is an improved solution over RSA with smaller keys and more difficult curves to crack. Bitcoins use Elliptic Curve cryptography with 32-byte private keys and 64-byte public keys.
• El Gamal is a public key method for encryption and digital signing, using discrete logarithms.
• Cramer-Shoup is an extension of El Gamal with a one-way hashing method to protect against attacks.
• The Paillier cryptosystem supports homomorphic encryption.

• Secret-key encryption's major problem is passing the key between entities.
• Two methods for key exchange in symmetric cryptography are key exchange algorithms and public key encryption.
• Forward secrecy is important in key exchange, preventing compromise of long-term keys from compromising previous session keys.
• Ephemeral key methods use a different key for each connection, preventing all associated session keys from being breached if a long-term key is leaked.
• Diffie-Hellman is a widely used key exchange algorithm, but a weakness was discovered in its use of two popular parameters.
• DHE_EXPORT Downgrade attack involves forcing key negotiation to default to 512-bit prime numbers, but it can be combated by disabling export cipher suites, using ECDHE, or using a strong group.
• Diffie-Hellman has three groups with varying sizes of prime numbers.
• Diffie-Hellman suffers from man-in-the-middle attacks, but public key encryption is an improved method.
• The strength of Diffie-Hellman depends on the size of the prime number bases used.
• Select None if you do not want to use perfect forward secrecy.
• Select a group below:
• Group 1: 768-bit modulus (do not use in FIPS 140 mode)
• Group 2: 1024-bit modulus (do not use in FIPS 140 mode)
• Group 5: 1536-bit modulus (do not use in FIPS 140 mode)
• Group 14: 2048-bit modulus
• Elliptic curve groups:
• Group 19: 256-bit random curve
• Group 20: 384-bit random curve
• Group 21: 521-bit random curve
• Group 24: 2048-bit modulus with 256-bit prime order subgroup

• Common certificate applications:
• Server authentication
• Client authentication
• Code signing
• Email signing
• Time stamping
• IP security
• Windows hardware driver verification
• Smart card logon
• Document signing
• Public key transport
• Common certificate types:
• IKE
• PKCS #7
• PKCS #10
• RSA signatures
• X.509v3
• Public key transport in PKI:
• A digital certificate can be used for public key transport in PKI by securely sharing a certificate that contains the public key of the certificate owner, which can be validated by a trusted source.
• Obtaining a digital certificate signed by a trusted CA:
1. Generating a key-pair
2. Creating and submitting a Certificate Signing Request (CSR)
3. CA generating the digital certificate
4. CA signing the requester's digital certificate with its own private key and issuing the certificate to the requester.
• X.509 certificates:
• Can be in PEM (Base64 ASCII text) or DER (binary) format
• Common file types include .cer, .crt, .pem, .key, and .der.
• Authentication:
• End-to-end authentication requires user authentication to the end service
• Intermediate authentication only authenticates part of the conversation between entities.
• Key/certificate management:
1. Initialization (registration, key pair generation, certificate creation and distribution, certificate dissemination, and key backup)
2. Issued (certificate retrieval, validation, recovery, and update)
3. Cancellation (expiration, revocation, history, and archiving)
• Validity and revocation:
• Certificates have a validity period designated by a start and end date or expiration date.
• Certificates may be revoked prior to the original expiration date due to reasons such as issuing CA or cert compromise, affiliation change, or update/superseding.
• RFC 5280 defines "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," with two main revocation states: revoked and hold.
• CRLs must be published by the CA who originally generated the targeted certificates, signed by the CA's private key, and checked against its public key.
• An alternative to CRL is the Online Certificate Status Protocol (OCSP), which is an online service used to check the validity of a certificate.

• VPNs
• IPSec
• Mechanisms
• ESP
• AH
• Connection Setup
• Phase 1
• Hash, encryption and key exchange methods are defined.
• Phase 2
• Policies are defined. Lifetime and AH/ESP
• Transport Modes
• End-to-End Tunneling
• Tunneled Connection over a Public Network with Unprotected Traffic
• Handshake
• UDP Port 500
• Protocol Number 50 for ESP and 51 for AH
• SSL/TLS
• Symmetric Key and Hashing Methods
• Tunnel Creation
• Flaws
• Export-Grade Ciphersuites
• DROWN
• POODLE
• FREAK
• Onion Routing
• Subscriber Computers
• Tor Network
• Volunteer Computers
• Reduced Traceability

Other VPNs

• Backdoor methods:
• Key escrow: a copy of the encryption key is kept in escrow for government use.
• NOBUS backdoor: only government agents can mathematically crack the encryption.
• Methods for intruders to crack a cipher:
• Exhaustive search: tries every possible key through brute force.
• Known plaintext attack: uses known ciphertext and plaintext to decrypt the rest of the message.
• Man-in-the-middle: intruder impersonates two parties to each other.
• Chosen-ciphertext: intruder sends a message to target and analyzes encrypted message.
• Active attack: intruder inserts or modifies messages.
• Replay system: intruder sends a legitimate message into the network at a future time.
• Cut-and-paste: intruder mixes parts of two encrypted messages to create a new message.
• Time resetting: resetting computer time or determining message creation time gives useful information.
• Time attack: determines user decryption time to find key.
• AES is generally secure, but poor implementation leaves it vulnerable to attacks such as brute force and copy-and-paste.
• RSA is susceptible to numerous attacks and cracking methods.

• Most conventional cryptosystems are unsuitable for implementation in IoT, embedded systems, and RFID due to their high processing power, physical space, and battery power requirements.
• Light-weight cryptography refers to cryptosystems that can provide cryptographic functions while requiring less processing power, physical space, and battery power than conventional cryptosystems.
• NIST categorizes devices into two spectra:
• Conventional cryptography for servers, desktops, tablets, and smartphones.
• Light-weight cryptography for embedded systems, RFID, and sensor networks.
• Quantum computers can break most existing RSA implementations due to their fast multiplication circuits.
• A Merkle tree is a hash tree that provides verification of large-scale data structures.
• Lattice-based cryptography is being investigated because of its quantum robustness, unlike existing public key methods such as RSA and Diffie-Hellman cryptosystems which can be broken with quantum computers.

• Bitcoin
• Uses blockchain technology to protect against overspending.
• Created through mining, which involves using computers to perform complex calculations.
• New blocks of transactions are added to the blockchain every 10 minutes through a mining process.
• The blockchain is a publicly available ledger that records transactions and allows the Bitcoin network to know the number of bitcoins a user has.
• Ethereum
• Built on the Bitcoin/Blockchain concept and includes the concept of smart contracts.
• Smart contracts are programs stored on a blockchain that run when predetermined conditions are met.
• Gas is the unit used to measure the amount of work required to perform a single Keccak-256 hash in Ethereum applications.
• Enables users to create their own contracts that will be strictly abided by.
• Hyperledger
• Common option for implementing blockchain.
• Offers the smart contract feature.

• Encryption schemes used with Wi-Fi:
  • 40-bit RC4 (WEP)
  • TKIP with 128-bit RC4 (WPA)
  • 128-bit AES-CCMP (WPA-2)
• RC4 key limitations and increase:
  • RC4 key was initially limited to 40 bits due to export restrictions
  • It was later increased to 128 bits
• Weaknesses of WEP:
  • Small IV
  • Susceptibility to weak key attacks
  • Lack of protection against message replay and tampering
  • No key updates
• WPA addressing WEP weaknesses:
  • Supporting TKIP
  • Increasing IV value to 48 bits
  • Focusing on WPA-PSK and WPA Enterprise
• Advancements in WPA-2:
  • Adding AES-CCMP
  • Supporting Personal and Enterprise modes
• WPA Enterprise:
  • Includes MIC to guard against bit flipping attacks identified within WEP
• Mobile phone networks/GSM encryption:
  • A5/1 or A5/2 encryption has been targeted by crackers
  • A5/3 is the upgrade to A5/1 and uses a block cipher
• Alternative to AES for TLS connections:
  • Google proposed ChaCha20 as an alternative to AES
  • Stream ciphers can be faster than block ciphers.

• AES: Symmetric Encryption
• AES w/ GCM: Authenticated Symmetric Encryption
• ECDSA: Digital Signatures
• ECDH: Key Agreement
• SHA2 (SHA256-SHA-384): Message Digest

• AES w/ 256 bit keys: Symmetric
• ECDH and ECDSA with curve P-384: Key Agreement and Digital Sigs
• SHA-2 with 384: Message Digests
• DH with 3072 bit modulus: Key Agreement
• RSA with 3072 modulus: Digital Sigs and Key Exchange

• Lattice-Based
• Based on the hardness of certain problems in lattice theory, such as the shortest vector problem or the closest vector problem.
• Multivariate
• Based on the difficulty of solving systems of multivariate equations over finite fields
• Hash-Based
• Based on the use of one-way hash functions
• One of the most well-known hash-based schemes is the Merkle signature scheme, which uses a hash tree structure to sign messages.
• Code-Based
• Code-based cryptography is based on the hardness of certain coding theory problems, such as the decoding problem or the syndrome decoding problem because they require solving a large system of linear equations.
• Supersingular Elliptic Curve Isogeny Cryptography
• Based on the use of isogenies, which are maps between elliptic curves that preserve certain algebraic properties
• Symmetric Key Quantum Resistance
• One example of a quantum-resistant symmetric key scheme is the AES-256 algorithm, which uses a 256-bit key and is believed to be secure against attacks by quantum computers

Cryptographic

Non-Cryptographic