Cryptographic Basics
Before you start to sweat the thought of learning cryptography for the CISSP exam, it's good to know that you won't need to learn the inner workings of these systems; no advanced math degree is required. The exam expects only a basic understanding of the systems and their strengths and weaknesses. Following are some common terms used in this chapter:
- **Algorithm:** A set of rules or ordered steps used to encrypt and decrypt data.
- **Cryptographic key:** A key is a piece of information that controls how the cryptographic algorithm functions. It can be used to control the transformation of plain text to cipher text, or cipher text to plain text. As an example, the Caesar cipher uses a key that shifts each character forward three positions to encrypt and back three positions to decrypt.
- **Encryption:** Transforming data into an unreadable format. As an example, using the Caesar cipher to encrypt the word cat would result in fdw. Encryption here has moved each character forward by three letters.
- **Cryptanalysis:** The act of obtaining plain text from cipher text without the cryptographic key. It is used by governments, the military, enterprises, and malicious hackers to find weaknesses and crack cryptographic systems.
- **Digital signature:** A hash value that has been encrypted with the private key of the sender. It is used for authentication and integrity.
- **Plain text:** Clear text that is readable.
- **Cipher text:** Data that is scrambled and unreadable.
When plain text is converted into cipher text, the transformation can be accomplished in basically two ways:
- **Block ciphers:** Function by dividing the message into blocks for processing.
- **Stream ciphers:** Function by dividing the message into bits for processing.
Symmetric and asymmetric cryptography are the two basic types. Symmetric cryptography uses a single shared key. Asymmetric cryptography uses two keys, one public and one private. Both of these concepts are discussed in more detail later in the chapter. At this point, it is important to understand that, for both symmetric and asymmetric cryptography, data is encrypted by using a key. The key is fed into the encryption algorithm to tell the algorithm which mathematical functions, permutations, substitutions, or binary operations to perform.
The key size goes a long way in determining the strength of the cryptosystem. As an example, imagine that you're contemplating buying a combination lock for your prized baseball card collection. One lock has three digits, while the other has four, as shown in Figure 11.1.
Figure 11.1. Key size and strength.
Maybe you don't think that just a one-digit increase can make much of a difference. Well, the three-digit lock has a total of 1,000 possible combinations, but the four-digit lock has a total of 10,000 possible combinations. As you can see, the more possible keys or combinations there are, the longer it will take an attacker to guess the right key or combination needed to gain access to your most prized collection. Although key size is important, it's also important that the key remain secret. You could buy a seven-digit combination lock, but it would do you little good if everyone knew the combination was your phone number.
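The Caesar cipher from the terminology list and the key-space arithmetic behind the combination-lock analogy, worked through as an added example (this code is not from the book): `caesar` shifts letters by a numeric key, `key_space` computes the number of possible combinations, and `brute_force` shows why a key space of only 26 shifts offers no real protection against cryptanalysis.

```python
"""Caesar cipher with a numeric key, plus the key-space arithmetic from the
combination-lock analogy. Added illustration; the function names are the
author's own choices, not from the book."""
import string

ALPHABET = string.ascii_lowercase  # 26 letters, so only 26 distinct keys


def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Shift each letter forward by `key` positions (backward to decrypt).
    Non-letters pass through unchanged and case is preserved."""
    shift = -key if decrypt else key
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % len(ALPHABET)))
        else:
            out.append(ch)
    return "".join(out)


def key_space(symbols: int, positions: int) -> int:
    """Number of possible keys: symbols ** positions.
    A 3-digit lock is 10 ** 3 = 1,000; a 4-digit lock is 10 ** 4 = 10,000."""
    return symbols ** positions


def brute_force(cipher_text: str, crib: str) -> list[int]:
    """Cryptanalysis without the key: try every possible shift and keep the
    ones whose plain text contains an expected word (the 'crib').
    With only 26 keys this finishes instantly, which is the weakness."""
    return [k for k in range(len(ALPHABET))
            if crib in caesar(cipher_text, k, decrypt=True)]


if __name__ == "__main__":
    ct = caesar("cat", 3)                       # "fdw", as in the text
    print(ct, caesar(ct, 3, decrypt=True))      # fdw cat
    print(key_space(10, 3), key_space(10, 4))   # 1000 10000
    print(brute_force("fdw", "cat"))            # [3]
```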
Depending on how cryptography is used, it can provide three main services that help ensure security:
- Confidentiality
- Integrity
- Nonrepudiation