ITPro.TV: CompTIA Security+ (SY0-601)

author: Nathan Acks
date: 2022-03-03

CompTIA Security+ Exam Cram

Cryptosystems

Cryptosystems are concerned with data confidentiality (encrypting) and integrity (hashing/signing).

Vocabulary:

Block cyphers are generally high diffusion algorithms, while stream ciphers are (necessarily) low diffusion.

Note that really, both the public and private keys in asymmetric encryption schemes and encrypt and decrypt messages - it’s just that you don’t use the public key to decrypt the actual message because everyone potentially has access to it. But the symmetry (heh) in asymmetric keys becomes apparent when you think about what a signature actually is - an encrypted hash of the plaintext.

Finally, the public key in asymmetric cryptography is generally derived from the private key (but the reverse is not possible). This means that it’s often (always?) possible to use the private half of an asymmetric keypair as a symmetric key (not that you’d actually want to do this…).

In a fully asymmetric cryptosystem, each user has a public/private keypair, and uses the recipients public key to encrypt messages to them. This is expensive though, so in general asymmetric cryptography is used in one of two ways:

Note that while forward secrecy protects against both the (future) disclosure of the private key and harvesting of all on-the-wire messages, it still fails if the attacker has continuous access to the memory of one party and/or the ability to influence the generation of per-message ephemeral secrets.

Other terms for symmetric keys: Secret keys, private keys, shared secrets.

Asymmetric key algorithms are also called public key algorithms.

Use of Proven Technologies and Implementations

Exam Cram emphasizes several times the efficiency of elliptic curve cryptography (ECC) and its application for mobile devices with more constrained computational or energetic profiles. Which I suspect means that a question like this is likely to be on the Security+ exam.

Steganography

Exam Cram indicates that the Security+ test is likely to have some kind of question about the difference between steganography and cryptography.

Cryptography Use Cases

To reiterate, a list of the roles of cryptography in security:

ITPro.TV: CompTIA Security+ (SY0-601)

Cryptography

Cryptography Concepts

[Cryptography] is trying to make us live in a world that’s “need to know”.

  • Dan Lowrie

The three states of data:

Important cyphers for low-power devices (SCADA, etc.)

Encryption And Steganography

Encryption is about ensuring confidentiality; steganography is about hiding information (which may - and probably should be! - itself cyphertext).

Interesting… ITPro.TV is defining a streaming cipher as operating byte-by-byte, whereas Exam Cram defined them as operating bit-by-bit. So either one of these is wrong, or the difference between stream and block cyphers are more a matter of degree than kind (I kind of suspect it’s the latter).

Stream cipher bullet points:

Block cipher bullet points:

Block cipher modes:

Hashing

Hashes are always fixed length (for a given hash type). Also, “message digest” == “fingerprint” == “hash”!

HMACs are “hashed message authentication codes” used to verify message integrity and authenticity. HMACs are not hash functions themselves, but are rather encrypted hashes that are appended to messages (so, a signature).

Checksums are not hashing algorithms, but serve a similar purpose.

A note about salts: You don’t want your salt(s) to become public, but it also doesn’t completely negate their value if they are leaked. The reason for this is that, so long as you are using unique salts in every instance, you are still preventing the use of mass password/data cracking. So even a leaked salt buys you time… But that’s the only thing it buys you at that point, so it’s still important to re-encrypt / re-hash / invalidate passwords, etc. if this happens!

Symmetric vs. Asymmetric Encryption

Symmetric cyphers:

Of these, only AES is considered strong these days.

Asymmetric cyphers:

Two applications/machines that try to communicate cryptographically need to first agree on a “cipher suite” - a set of cryptographic algorithms - to use. These are represented in a standard(ish) fashion as “standard name + key exchange + asymmetric cipher (with) symmetric cipher + symmetric cipher mode + HMAC”. For example:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Has the following parts: