In today's world, it is important to have confidence in your data storage and transmission strategy. Cryptography can provide you with this confidentiality, integrity, authentication, and non-repudiation. But are you aware of just what exactly is involved in using cryptographic techniques? Modern Cryptography for Cybersecurity Professionals helps you to gain a better understanding of the cryptographic elements necessary to secure your data.
The book begins by helping you to understand why we need to secure data and how encryption can provide protection, whether it be in motion or at rest. You'll then delve into symmetric and asymmetric encryption and discover how a hash is used. As you advance, you'll see how the public key infrastructure (PKI) and certificates build trust between parties, so that we can confidently encrypt and exchange data. Finally, you'll explore the practical applications of cryptographic techniques, including passwords, email, and blockchain technology, along with securely transmitting data using a virtual private network (VPN).
By the end of this cryptography book, you'll have gained a solid understanding of cryptographic techniques and terms, learned how symmetric and asymmetric encryption and hashes are used, and recognized the importance of key management and the PKI.
The e-book can be read in Legimi apps or in any app that supports the following format:
Page count: 312
Publication year: 2021
Learn how you can leverage encryption to better secure your organization's data
Lisa Bock
BIRMINGHAM—MUMBAI
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson D'souza
Publishing Product Manager: Rahul Nair
Senior Editor: Arun Nadar
Content Development Editor: Romy Dias
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Prashant Ghare
First published: May 2021
Production reference: 2140621
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-83864-435-2
www.packt.com
No one really knows how planes stay in the air. They do, however, know that lift, an aerodynamic force, allows them to take flight. I dedicate this book to all those that believed in me, had faith in my abilities, and gave me the lift to take off and excel in my field.
Lisa Bock is an experienced author with a demonstrated history of working in the e-learning industry. She is a security ambassador with a broad range of IT skills and knowledge, including on Cisco Security, CyberOps, Wireshark, biometrics, ethical hacking, and IoT. Lisa is an author for LinkedIn Learning and an award-winning speaker who has presented at several national conferences. She holds an MS in computer information systems/information assurance from UMGC. Lisa was an associate professor in the IT department at Pennsylvania College of Technology (Williamsport, PA) from 2003 until her retirement in 2020. She is involved with various volunteer activities, and she and her husband Mike enjoy bike riding, watching movies, and traveling.
I'd like to thank Dr. Jacob Miller, long-time colleague at Pennsylvania College of Technology, who had the foresight to create an Information Assurance degree in 2003. His early effort exposed me to a field I genuinely love. In addition, I'd like to thank Anita Wood for her continued wisdom, advice, and ability to solve problems. Finally, I'd like to acknowledge the entire Packt editing team, who have helped me to become a better author, along with Product Manager Rahul Nair, with whom I have enjoyed collaborating over the years.
Vipin Singh Sehrawat received his Ph.D. degree in computer science from The University of Texas at Dallas, USA, in 2019. He is currently working as Lead Cryptographer in the Data Security team of Seagate Research Group at Seagate Technology, Singapore. His research interests include cryptography, combinatorics, extremal set theory, information theory, number theory, software security, and network security.
In today's world, it's important to have confidence while either transmitting or storing data. Cryptography can provide confidentiality, integrity, authentication, and non-repudiation. But just what exactly is involved when we use cryptographic techniques? Modern Cryptography for Cybersecurity Professionals will help you gain a better understanding of the cryptographic protocols and processes that are necessary to secure data.
We'll learn how encryption can protect data, whether in motion or at rest. You'll get a better understanding of symmetric and asymmetric encryption and learn how a hash is used. You'll also see how a public key infrastructure and certificates enable trust between parties, so we can confidently encrypt and exchange data. You'll then see the practical applications of cryptographic techniques, including passwords, email, and securely transmitting data using a Virtual Private Network (VPN).
This book is appropriate for IT managers, security professionals, students, teachers, or anyone who would like to learn more about cryptography and reasons it is important in an organization as part of an overall security framework. Participants should have a basic understanding of encryption, knowledge of general networking terms and concepts, and an interest in the subject.
Chapter 1, Protecting Data in Motion or at Rest, provides an overview of the current threat landscape. You'll learn how encryption provides many security services, such as confidentiality, integrity, and authentication. We'll then review some common terms, along with two basic cryptographic concepts: substitution and transposition.
Chapter 2, The Evolution of Ciphers, takes us through some early uses of cryptography. We'll review monoalphabetic and polyalphabetic ciphers and compare different methods used to encode transmissions during wartime. We'll then learn about the development of the Lucifer and Feistel ciphers, as scientists recognized the need to secure digital data.
Chapter 3, Evaluating Network Attacks, compares passive and active attacks and outlines why it's essential to protect data so that it remains in its original, unaltered form. You'll then learn how using encryption can ensure data integrity and prevent it from being changed, destroyed, or lost in an unauthorized or accidental manner.
Chapter 4, Introducing Symmetric Encryption, steps through the evolution of symmetric (or secret key) encryption. We'll examine common algorithms, such as the Advanced Encryption Standard. We'll then dissect block and stream ciphers and compare the different operating modes. Finally, we'll take a look at some methods of securing wireless communications.
Chapter 5, Dissecting Asymmetric Encryption, outlines how asymmetric (or public key) encryption can be used in many ways, such as exchanging the shared secret key, securing email, and creating a digital signature. We'll compare algorithms such as Rivest, Shamir, Adleman (RSA) and Diffie-Hellman, along with a discussion on key management.
Chapter 6, Examining Hash Algorithms, explains that a hash algorithm is a one-way function that produces a fixed-length output called a message digest. We'll identify some of the optimal hash properties along with some common hash algorithms in use today. Finally, you'll learn how a message digest provides message authentication.
Chapter 7, Adhering to Standards, explains that security laws and standards exist to provide guidelines and best practices to prevent data loss. In addition, we'll compare ways that we can use encryption to protect data, but also how cybercriminals use encryption to conceal malicious activity.
Chapter 8, Using a Public Key Infrastructure, outlines how the Public Key Infrastructure (PKI) framework provides trust between two entities communicating on the internet by using a trusted third party that enables secure interactions between entities. We'll discuss key management and examine what happens when both parties exchange a certificate.
Chapter 9, Exploring IPsec and TLS, combines all of your knowledge of cryptography as we examine the concepts of a VPN. We'll begin by outlining several types of VPNs in use today and explain the concept of an Internet Protocol Security (IPsec) VPN, along with a Transport Layer Security (TLS) communication stream.
Chapter 10, Protecting Cryptographic Techniques, reviews common attacks designed to alter the integrity of our data or systems. We'll recognize how the PKI can be attacked, which can negate trust. Finally, we'll see how advances in technology will require quantum-resistant algorithms to encrypt and secure our data.
When reading Modern Cryptography for Cybersecurity Professionals, you will learn the basics of how we secure data using encryption. In order to fully understand the concepts, I have provided several links in each chapter for additional research, which I encourage you to visit.
In addition, I have provided links that take you to sites to see some applications available online. For example, we'll visit sites that show us how letter frequency analysis works, how a hash algorithm transforms text, and what Morse code sounds like.
So that you can follow along, it's best to have an up-to-date browser such as Chrome, Firefox, or Safari on a Windows, macOS, or Linux machine.
Important note
Any web pages or email addresses are fictional. Any correlation with any real entities is purely coincidental.
Most of the resources will be found online; however, there are a few chapters in which I will use specialized software, such as the following:
In Chapter 6, Examining Hash Algorithms, we'll cover how you can easily run a checksum on any file by using 7-Zip. To obtain a copy of 7-Zip, go to https://www.7-zip.org/.
In Chapter 9, Exploring IPsec and TLS, we'll take a look at PuTTY, a free SSH client you can use on a Windows system to access a single other host via Telnet and remote login (rlogin). To obtain a copy of PuTTY, go to https://www.putty.org/.
I encourage you to go to the sites I have provided to supplement your knowledge.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838644352_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The Nmap scan shows the open and listening ports on host 10.0.0.167."
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In this section, we'll take a look at the current threat landscape so that you can better understand the reasons why we need to secure our data. First we'll outline how encryption can protect the data, whether in motion or at rest, by providing security services, such as confidentiality, integrity, and authentication. We'll then take a brief look at the evolution of ciphers over time, along with the development of Lucifer and Feistel ciphers, as scientists recognized the need to secure digital data. Finally, we'll compare some of the various network attacks that can alter the integrity of our data.
This section comprises the following chapters:
Chapter 1, Protecting Data in Motion or at Rest
Chapter 2, The Evolution of Ciphers
Chapter 3, Evaluating Network Attacks

We live in an exciting yet challenging time. Every second of the day there are zettabytes of data traveling over networks and the internet. Data is constantly being sent and received from our homes, cars, businesses, and billions of Internet of Things (IoT) devices. In this chapter, you'll gain an appreciation for the need to secure our data in a dynamic digital world. We'll begin with a brief look at how, over the past few decades, we have seen advances in technology that have resulted in more of our data being exchanged. Concurrent to the advances in technology, we have seen an increase in the type and amount of threats to our data.
So that you understand the many resources available on guidelines for ensuring our data is not compromised, we'll take a look at the Security architecture for Open Systems Interconnection for CCITT applications, also known as X.800. You'll learn how encryption provides many security services, which include ensuring confidentiality, integrity, authentication, forward secrecy, non-repudiation, and enhanced privacy guarantees. In addition, we'll outline some common cryptographic concepts, such as Trusted Third Party (TTP) and the Public Key Infrastructure (PKI). We'll also cover how we use the story of Bob, Alice, and other personalities to help us understand complex technical concepts.
We'll then cover some basic encryption techniques. You'll see how using substitution or transposition can scramble data into an unreadable form that won't make sense unless you have the key to decrypt the message. In order to better understand substitution and transposition, we will discuss some illustrative examples that employ two basic ciphers, namely pigpen and rail fence. Finally, we'll outline some basic techniques, such as letter frequency analysis, which can be used to break some codes.
This chapter covers the following main topics:
Outlining the current threat landscape
Understanding security services
Introducing common cryptographic concepts
Outlining substitution and transposition

Over the past three decades, there has been substantial growth in the amount of digital data, both at rest and in transit. The digital wave has become an ocean of all types of data, such as email, movies, images, and tweets. With this growth comes the threat of attacks on our data, which we face on a daily basis.
In this section, we'll take a look at how our world has transformed with the adoption of digital technology, along with an overview of the current threat landscape.
Let's start with a look at the growth in digital information over the years.
In 1946, the world got a glimpse of the future. That was the year that the Moore School of Electrical Engineering of the University of Pennsylvania introduced the Electronic Numerical Integrator and Computer (ENIAC) system. The ENIAC was enormous, as it filled a room and was capable of performing calculations faster than any other computer at the time.
When computers first appeared, the cost to own and operate a system was extremely high. Ordinary citizens knew very little about computers. Due to their prohibitively large costs, computer systems were owned mainly by governments, industry, and universities. In 1980, the cost of a gigabyte (GB) hard drive was approximately $1.2 million. By 1990, the price was down to $8,000, and costs continued to decrease. As shown in the following graphic, from 1995 to 2000, the price of drives per GB went down substantially:
Figure 1.1 – The cost of hard drives per gigabyte
By 2010, the cost of drives per GB was approximately $0.10. Along with the cost of hard drives, the price of computers in general went down as well. With more affordable pricing, more and more businesses and consumers were embracing technology, as we'll see next.
The industry continued to develop desktops, laptops, games, mobile devices, and IoT devices that began to collect and exchange more and more data. Concurrently, businesses, universities, governments, and consumers began to invest heavily in information technology, spending billions on hardware and software designed to improve the quality of life.
Today, a large percentage of the world is using digital technology and the internet, for a wide variety of purposes. Applications include e-commerce, social media, mobile banking, and email, all generating data.
Data includes anything you can see or hear and can be digitized in a multitude of different types and formats, including the following:
Voice over Internet Protocol (VoIP), also known as IP telephony, is a group of technologies primarily used to transmit phone calls over the internet
Documents such as spreadsheets, word processor documents, presentation files, and Portable Document Format (PDF) files
Images that include Joint Photographic Experts Group (JPEG), Tagged Image File Format (TIFF), and Bitmap Image File (BMP)
Video that includes a wide range of formats, such as Moving Picture Experts Group (MPEG) and Advanced Video Coding (AVC), originating from a variety of sources

Some may argue that not all data needs to be protected. However, much of the data that is in storage on a server or in motion while traveling across the network should be encrypted, mainly because this flood of data represents an opportunity for cybercriminals to obtain and exploit the data.
Every minute of every day, companies face a variety of threats to the security of their data. Let's explore this concept next.
Early systems, such as the ENIAC, were standalone systems and not networked. The biggest threat to these systems was a physical attack, such as someone destroying the components. As time passed, and businesses began to adopt computer technology, there still remained little threat to the security of data.
From the 1960s through to the 1990s, scientists developed protocols for the Advanced Research Projects Agency Network (ARPANET), which was the precursor to what we know now as the internet. Some significant events during this time period include the following:
1972 – Ray Tomlinson creates electronic mail (email).
1973 – Scientists begin to use the term internet.
1974 – The first Internet Service Provider (ISP) begins offering its service.
1982 – Formalization of Transmission Control Protocol (TCP) and Internet Protocol (IP), or TCP/IP, the standard protocol suite for the internet.
1983 – Scientists create top-level domains for the Domain Name System (DNS), such as .edu, .com, and .gov.

While there were a few reports of viruses making their way through computer systems, most anyone who worked with or knew about the internet never thought anything malicious could happen. That was until 1988, when Robert Morris, a Cornell University student, wrote and released a worm.
Important note
A worm is a self-propagating virus that can spread on its own.
The worm, later dubbed the Morris worm, created a crippling effect on the fledgling internet. As a result, Robert Morris was tried and convicted under the 1986 Computer Fraud and Abuse Act. Soon afterward, the idea of cybersecurity began to take hold. More specifically, it became apparent that our data could be at risk.
Over the next three decades, many more threats emerged, such as social engineering, malware, and denial of service attacks:
Social engineering: This is a combination of methods designed to fraudulently obtain information about an organization or computer system. Effective social engineering techniques rely on the malicious actor's ability to con someone into providing information, by using social skills and powers of influence.
Malware: This is malicious software that includes viruses, rootkits, spyware, and trojans. Most malware is designed to infiltrate a computer system or network to gain unauthorized access to critical information. Other forms of malware, such as ransomware, are designed to lock a system and its resources until someone pays a ransom.
Denial of Service (DoS): These attacks will send numerous requests to a system in an effort to interrupt or suspend services to legitimate users. In most cases, the malicious actor(s) will use a Distributed Denial of Service (DDoS) attack, which is more effective as it uses armies or botnets to launch an attack.

As outlined, there are many different types of data, such as images, documents, and video. Data can be a part of an organization, such as a business or government entity, or belong to an individual. Let's compare the two next.
Data can represent either an individual's information or details that relate to a business or organization.
An individual's private data is generally referred to as Personally Identifiable Information (PII), which is information that can be used to identify someone. PII can include bank account records, social security numbers, or credit card information.
Proprietary business data includes information that if exposed can result in harm to the organization. Protected business data includes financial data, earnings reports, employee records, and trade secrets.
On any network, there are several goals or services we strive to provide, such as confidentiality, integrity, and availability. Let's explore this concept in the next section.
Today, there are many threats to the security of our data. Therefore, it's imperative that we remain vigilant in protecting our networks and data from attack or unauthorized access. In this section, we'll take a look at some of the security services designed to assure our data is protected. We'll also see how cryptographic techniques can help ensure data is not modified, lost, or accessed in an unauthorized manner.
There are many guidelines that outline how to provide data security. One document that helps list security concepts is the International Telecommunications Union (ITU) Security architecture for Open Systems Interconnection for CCITT applications, also known as X.800. Let's take a look.
The Consultative Committee for International Telephony and Telegraphy (CCITT), now known as the International Telecommunications Union - Telecommunication Standardization Sector (ITU-T), recognized the need to provide a secure architecture when dealing with data transmission. More specifically, they wanted to outline the general framework of security services that should be implemented within the Open Systems Interconnection (OSI) model.
Important note
The OSI model is a seven-layer representation of how systems communicate with one another. The OSI model is well recognized among network professionals, as it breaks down the function of each layer.
X.800 outlines recommended security services, along with best-practice logical and physical controls that help protect each service. In addition to logical and physical controls, the document outlines various cryptographic techniques that should be used, such as the following:
Encryption: Transforms plaintext into ciphertext by using a cryptographic algorithm and key.
Hashing: Functions that take a given input (of any size) and produce a fixed-length output. The output size will depend on the algorithm. This is also called a one-way function, in that you cannot derive the original input from the hash value.
Digital signature: A cryptographic technique using asymmetric encryption to ensure message authenticity and non-repudiation.

The document lists the main security services designed to protect data, which include confidentiality, integrity, authentication, and non-repudiation.
Let's take a look at each of these and how they can be achieved, starting with confidentiality.
While we may not feel that all data should be rigorously protected, in today's world, it's best to keep most, if not all, data protected from prying eyes. Confidentiality means keeping private data private by protecting against unauthorized disclosure.
An example of a violation of confidentiality would be if a malicious actor were to gain access to a company's proprietary trade secrets or customer database.
A data breach of client information can cause business harm and result in a tarnished reputation and loss of trust. To ensure confidentiality, businesses and individuals should restrict access by using access control methods that allow only authorized people, devices, or processes to have access to the data.
In addition, we can protect data confidentiality by using encryption. That way, if someone were to gain access to the information, it would be meaningless, unless they have a key to decrypt the data.
Another service is to ensure data integrity, as we'll see next.
Providing integrity ensures that data is not modified, lost, or destroyed in either an accidental or unauthorized manner.
An example of a violation of integrity would be someone gaining access to their payroll file and changing their salary from $30,000 to $40,000.
To protect integrity, use access control methods and employ strong audit policies. In addition, monitor the network for unusual or suspicious activity and use software designed to compare cryptographic hash values for unauthorized changes to the data.
One example of software that monitors for unauthorized changes in the filesystem is called Tripwire, which acts as a software intrusion detection system.
Tripwire works in the following manner:
Prior to activating the monitoring feature, you must first flag the files that need to be checked on all filesystems and devices. Once the appropriate files are identified, the software will baseline the existing filesystem and generate a hash value for all files.
After baselining, the software will scan the filesystem and generate another hash value for all flagged files.
The software then compares each file's hash value against the baseline.
If the hash value does not match the baseline, the system will send an alert, which will indicate that the file has been modified in an unauthorized manner.

In the following figure, the hash value of the baseline file is not the same as the hash value of the checked file:
Figure 1.2 – A hash value that does not match the baseline
If the hash value does not match, this will send an alert that there is a violation of the integrity of the file.
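The baseline-then-compare procedure described above can be shown in a few dozen lines. The following is an added example written for this page, not Tripwire's own code: it hashes a set of flagged files to build a baseline, re-hashes them later, and reports every file that was modified or removed. The file names, contents, and the "unauthorized" edits are constructed inside a temporary directory so the script runs offline.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, flagged: list[str]) -> dict[str, str]:
    """Hash every flagged file under root. This snapshot is the trusted reference."""
    return {rel: hash_file(root / rel) for rel in flagged}


def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash each flagged file and classify it as unchanged, modified, or missing."""
    report: dict[str, list[str]] = {"unchanged": [], "modified": [], "missing": []}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            report["missing"].append(rel)
        elif hash_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then alter one and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for flagged system files
        (root / "passwd").write_text("bob:x:1001:1001::/home/bob:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("Welcome\n")
        baseline = build_baseline(root, ["passwd", "hosts", "motd"])

        # Change made after baselining: an extra account appended to passwd
        with open(root / "passwd", "a") as f:
            f.write("mallory:x:1002:1002::/home/mallory:/bin/bash\n")
        # Deletion made after baselining
        (root / "motd").unlink()

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Two practical points carry over to a real deployment: the baseline must be stored somewhere the monitored host cannot silently rewrite (otherwise an intruder who changes a file can also update its hash), and the comparison should use a current algorithm such as SHA-256 rather than MD5 or SHA-1, for which collisions can be constructed.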
Another service that is paramount on a network is authentication, as we'll see next.
When something or someone is authentic, we are assured that it is true or genuine. For example, when you go to a bank to cash a check, the bank will require you to produce identification to prove who you are.
A violation of authentication occurs when spoofing techniques are used. For example, malicious actors often use an email address that spoofs the name to look like someone you know. This is a social engineering technique that is used to get you to open a file or complete some action.
When dealing with an entity on a network, it's especially important to guarantee authenticity, as this assures both parties that the message has originated from an authorized source. One way to prove authentication is by using a message authentication code, which is a small block of code used to authenticate the origin of the message.
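As an added example (not from the book), the following shows a message authentication code in practice using Python's standard-library HMAC: the sender computes a tag over the message with a key both parties share, and the receiver recomputes it. A tampered message or a different key produces a different tag, so the message is rejected. The key and messages are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> str:
    """Compute an HMAC-SHA256 tag over the message using the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time, so the time taken by the
    comparison does not reveal how many leading characters of a guess were right."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    """Constructed exchange: a sender tags a message and the receiver checks it
    under three conditions (genuine, tampered message, wrong key)."""
    # Constructed key so the demo is repeatable; a real deployment would generate
    # one with secrets.token_bytes(32) and distribute it over a secure channel.
    shared_key = b"constructed-demo-key-do-not-reuse"
    message = b"Please order a birthday cake for Friday."
    tag = make_tag(shared_key, message)

    tampered_message = b"Please order a birthday cake for Monday."
    wrong_key = secrets.token_bytes(32)

    return {
        "genuine": verify_tag(shared_key, message, tag),
        "tampered_message": verify_tag(shared_key, tampered_message, tag),
        "wrong_key": verify_tag(wrong_key, message, tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Note what a MAC does and does not give you: the receiver learns that the message came from someone holding the shared key and was not altered in transit (authentication and integrity), but because both parties hold the same key, either of them could have produced the tag, so a MAC cannot prove to a third party which of the two sent it. That stronger property, non-repudiation, needs a digital signature.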
Another security service is non-repudiation, which prevents an entity from denying that they either sent or received a communication.
Non-repudiation prevents a party from denying participation in a communication and can be applied on both sides of a conversation, so that neither party can deny their involvement. By using a digital signature, non-repudiation can be achieved in the following manner:
Proof of origin: Assurance that the message was sent by a specific entity
Proof of receipt: Assurance that the message was received by a specific entity

To understand the importance of providing non-repudiation, let's outline the concept using a scenario in the following section.
Every day, busy professionals send and receive emails. So that you can better understand how this works, I'll outline the concept in a story where using a digital signature when sending an email could help provide non-repudiation.
Bob is an office manager for a large payroll department. The supervisor is Jessica, who oversees the day-to-day operations of the department. Jessica is generally busy, with many tasks and meetings throughout the day.
Jessica's administrative assistant, Paul, notices that Jessica's birthday is in 2 days. Paul emails Bob to purchase a birthday cake and plan a surprise party and invite the whole office. Bob completes all the necessary arrangements and lets Paul and the department know that everything is ready for Friday.
On Friday, Jessica returns from her morning meeting, where she is greeted by the entire department wishing her a happy birthday. Jessica looks around the room and is visibly upset, and states, "you shouldn't have done this." She then retreats to her office and closes the door.
Later that morning, Jessica calls Bob and Paul into her office and tells them that she knows they meant well, but she didn't appreciate the attention. Paul states that he has no idea how this happened. Bob replies to Paul, "you sent me an email telling me to plan the event!" Paul answers, "no I didn't."
At that point, Bob has no recourse but to take the blame, as Paul has repudiated the fact that he had requested the party.
While Bob could have printed the email from Paul to attempt to prove that Paul requested the party, this may not be sufficient, as it is possible to spoof (or recreate) an email. However, if Paul had sent the email using a digital signature, this would prove that he had sent the email. At that point, Bob could have defended himself and let Jessica know what really happened.
Using a digital signature to provide non-repudiation is not always required; however, in a high-stakes situation, such as a financial transaction, it can be especially important.
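To make the story concrete, here is an added teaching example (not from the book) of why a signature settles the dispute: Paul signs his request with a key only he holds, and anyone with his public key, Bob at the time and Jessica afterwards, can verify it, while a changed message or a signature made with someone else's key fails. It uses textbook RSA with constructed toy parameters (two Mersenne primes, a truncated SHA-256 digest, no padding), which is enough to show the asymmetry but is not how a real signature scheme is built; real systems use keys of 2048 bits or more and a padding scheme such as RSA-PSS.

```python
import hashlib

# Toy key parameters, constructed for this illustration only. Two Mersenne primes
# give a modulus of about 150 bits, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    """Hash the message and truncate to 128 bits so the value stays below the toy modulus."""
    truncated = hashlib.sha256(message).digest()[:16]
    value = int.from_bytes(truncated, "big")
    assert value < n
    return value


def sign(private_key, message: bytes) -> int:
    """Only the holder of the private exponent d can produce this value."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key (n, e) can check the signature, not just the recipient."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def demo() -> dict[str, bool]:
    """Constructed version of the party story with Paul's and Bob's own key pairs."""
    paul_public, paul_private = generate_keypair()
    # Bob gets a different toy key pair (also Mersenne primes) so we can show a forgery failing
    _bob_public, bob_private = generate_keypair(2**107 - 1, 2**127 - 1)

    request = b"Bob, please order a cake and plan a surprise party for Friday."
    signature = sign(paul_private, request)

    return {
        # Bob checks the request when it arrives
        "bob_accepts": verify(paul_public, request, signature),
        # Jessica checks the same signature later with Paul's public key: Paul cannot deny it
        "jessica_accepts": verify(paul_public, request, signature),
        # An altered message no longer matches the signature
        "altered_request": verify(paul_public, request + b" Invite everyone.", signature),
        # Bob cannot produce a signature that verifies under Paul's public key
        "bob_forgery": verify(paul_public, request, sign(bob_private, request)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'valid' if accepted else 'invalid'}")
```

The contrast with a message authentication code is the point of the example: a MAC key is shared, so the recipient could have made the tag himself, whereas here the signing exponent never leaves Paul, which is what lets a third party such as Jessica attribute the message to him.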
On any network, it's also important to ensure availability, as we'll see next.
Availability is the assurance that resources are available to authorized devices, users, and/or processes on the network.
A violation of availability would be a DoS attack designed to interrupt or suspend services to legitimate users.
Although ensuring availability is an important concept, we cannot use a cryptographic method to ensure this service. However, there are other ways to protect availability, such as using intrusion detection and prevention. In addition, the network administrator should also keep systems up to date with all security patches, and upgrade systems and devices when necessary.
As outlined, encryption and cryptographic techniques are some of the ways through which we can protect against the constant threats to the security of our data. In the next section, let's take a look at a few of the cryptographic concepts that you might encounter.
In order to securely exchange data, we use more than just encryption algorithms. We also use several cryptographic tools and techniques. When discussing these concepts, you will hear terms such as symmetric and asymmetric encryption, along with cryptographic hashes.
Important note
You will get a better understanding of these terms as we progress through the chapters. If you need a quick review, visit https://www.makeuseof.com/tag/encryption-terms/ for an explanation of 11 of the most common encryption terms.
In this section, we'll provide the broad strokes of the concepts of a TTP and the PKI to help your understanding. In addition, since you'll often see an explanation of a complex topic using the names of fictional characters, we'll talk about the story of Bob and Alice.
We'll go into the details of the aforementioned terms and others as the book progresses. For now, let's start with the importance of a TTP.
Think about doing a transaction on the internet. When you go to an online shopping site, you will want to encrypt your transactions to provide confidentiality as you exchange data with the website. Let's consider the following scenario.
Alice wants to purchase some pet supplies for her two cats. She heads out to the pet supply store, Kiddikatz. If the communication is not encrypted, the transaction could be intercepted and read by Mallory, a malicious active attacker, as part of a Man-in-The-Middle (MiTM) attack, as shown in the following graphic:
Figure 1.3 – A MiTM attack
To prevent a MiTM attack, Alice will use Transport Layer Security (TLS) to encrypt and secure the transaction. Prior to the transaction, both parties will need to exchange keys. That is where the TTP becomes important.
A TTP is necessary in a hybrid cryptosystem. In a faceless, nameless environment such as the internet, TTPs help us to communicate securely on the web.
The idea of a TTP works by using transitive trust. As shown in the following graphic, we see that if Alice trusts the TTP, and Kiddikatz trusts the TTP, then Alice automatically trusts Kiddikatz:
Figure 1.4 – A transaction using a TTP
We know that TTPs are important in a digital transaction. Next, let's see how you can determine whether or not a site can be trusted.
When you go to your browser and see a lock next to the web address, that means the browser has verified the site's certificate and you can trust the site. As shown in the following screenshot, we can see that the site for Packt Publishing is a secure connection:
Figure 1.5 – Secure website for Packt Publishing
Some companies that provide this trust include Verisign, Cloudflare, Google Trust Services, and Thawte. All of this is made possible because of the PKI, as outlined next.
As we have seen, a TTP provides the trust required when completing transactions on the internet. During a transaction, all entities are able to securely communicate with one another by using the PKI.
Although the term Public Key Infrastructure implies that the PKI generates keys, that is not the case. Instead, the PKI generates a digital certificate to securely distribute keys between a server (such as a web server) and a client. PKI uses a TTP to generate a certificate, which provides the authentication for each entity.
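As an added example that is not from the book, the following Go code models the transitive trust of Figure 1.4 and the certificate issuance described above with the standard crypto/x509 package: a self-signed TTP root vouches for the shop by signing its certificate, and Alice accepts the certificate only if it chains to a TTP in her root store. The names Example TTP and kiddikatz.example and the one-day validity period are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Template is a minimal certificate template valid for one day (constructed values).
func Template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { // a TTP's certificate is allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // a server certificate names the host the TTP vouches for
		t.DNSNames = []string{name}
	}
	return t
}

// Issue generates a key pair for tmpl and returns the certificate signed by signer.
// With a nil signer the certificate is self-signed, which is how a TTP's own root is made.
func Issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// AliceTrusts is Alice's side of transitive trust: she trusts only the roots in her store,
// so a server certificate is accepted only if a trusted TTP signed it for that host name.
func AliceTrusts(roots []*x509.Certificate, server *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

With `ttp, ttpKey := Issue(Template("Example TTP", 1, true), nil, nil)` and `shop, _ := Issue(Template("kiddikatz.example", 2, false), ttp, ttpKey)`, `AliceTrusts([]*x509.Certificate{ttp}, shop, "kiddikatz.example")` is true, while a certificate for the same host issued by a root Alice does not hold is rejected; a real browser additionally checks revocation and intermediate certificates, which this example omits.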
Let's step through the process of distributing public keys by using a certificate.
Encryption algorithms use keys. There are two main types of encryption. The type of encryption will determine whether one or two keys are used. The difference is as follows:
Symmetric encryption: Uses a single shared key (or secret)
Asymmetric encryption: Uses a pair of keys – a public key and a private key