CompTIA Security+

Cryptography Algorithms

- The act of making something difficult to understand.
- Substitution Cipher - Substitutes one symbol for another.
- Example: ROT13 (rotate 13 places)

Could not load image

**XOR (eXclusive OR)**- a logical operation that outputs true only when inputs differ (one is true, the other is false).

The Exclusive-OR function in terms of OR and AND.

*Data Encryption Standard (DES)*- Adopted by NIST in 1977.
- Block cipher using 64-bit blocks (56-bit key + 8 bits of parity).
- Short key length subject to brute-force attacks.

*3DES (Triple DES)*- DES algorithm computed three times.
- Using a 'key bundle' three different DES keys, each of 56 bits = total bit strength of 168 bits (known as 3TDEA).
- Also options to reuse keys.
- Uses 48 rounds of computation.
- Offers high resistance to differential cryptana

*Advanced Encryption Standard (AES)*- Original name 'Rijndael"
- Free for any use public or private, commercial or non-commercial.
- Adopted by NIST in 2001.
- Block cipher with 128 block size.
- Three key lengths: 128, 192, and 256.
- It uses multiple encryption rounds to reach these key lengths:
- 10 rounds for 128-bit
- 12 rounds for 192-bit
- 14 rounds for 256-bit

*RC4 / RC5 / RC6 - Rivest Cipher*- RC4 - Stream Cipher
- RC5/6 - Block Ciphers
- Works with key sizes between 40 and 2048 bits.

*Blowfish / Twofish*- A symmetric block cipher that can use variable-length keys from 32 bits to 447 bits.
- Twofish uses 128-bit blocks.

*International Data Encryption Algorithm (IDEA)*- 128-bit key
- Similar to DES, but more secure due to having a longer key.
- Used in PGP.

*One-Time Pad (OTP)*- Most secure crypto implementation.
- Use of a key as long as the plain-text message.
- Only used once, then destroyed.

*Skipjack*- NSA developed block cipher used in clipper chip.
- Uses an 80-bit key to encrypt 64-bit blocks of data.

*GOST*- A Soviet and Russian government standard symmetric key block cipher.
- Block size of 64 bits.
- Developed to counter Data Encryption Standard (DES).

*Psuedo Random Number Generator (PRNG)*- A type of algorithm that generates a number that is "random enough" for cryptographic purposes.
- Used in AES, DES, and Blowfish.

*Counter Mode (CTR)*- Turns a block cipher into a stream cipher.
- Used to generate a keystream.
- Each block combines a nonce or IV with a sequentially assigned number to produce a unique counter block that is then encrypted.

*Cipher-Block Chaining (CBC)*- Uses an IV with the first block.
- Thereafter, each block of plain text is obfuscated with the cipher text from the previous block before it is encrypted.
- Introduces more diffusion & reduces effects of plain-text attacks.

*Electronic Code Book (ECB)*- The easiest method.
- Direct encryption of each block of input plaintext.
- Output is in form of blocks of encrypted ciphertext.

*Cipher Feedback Mode (CFB)*- Uses an initial chaining vector (ICV) in its processing.
- Performs cipher feedback encryption.
- Operates on segments instead of blocks.

*Galois/Counter Mode*- Used with symmetric-key key block ciphers.
- An authentication encryption designed to give both integrity and confidentiality.
- Used with 128 bit block ciphers.

- Uses two keys.
- One for encryption.
- One for decryption.

- Keys are mathematically related.
- Public / Private key encryption.
- Only the private key needs to be kept secret.
- Only the private key can decrypt the message.

- Extra computational overhead.
- Used primarily for:
- Secure exchange of shared keys for symmetric encryption.
- Digital signatures.

- Solves the issue of key exchange with symmetric encryption.
*Rivest, Shamir, and Adleman (RSA)*- Used for key exchange and digital signatures.
- Key can be any length.
- Algorithm works by multiplying two large prime numbers.
- Derives two different numbers: one public key and one private key.

*Diffie-Hellman Key Exchange (D-H)*- Two parties, without prior arrangement, can agree on a secret key that is known only to them.
- Only used to generate a shared key (not encryption).
- Key can be safely & secretly shared on a public network.

*Diffie-Hellman Ephemeral (DHE)*- Uses a different key for every conversation.
- Supports perfect forward secrecy.

*Elliptical Curve Cryptography (ECC)*- Technique using elliptical curves to calculate simple but difficult-to-break encryption keys.
- Uses smaller key sizes to obtain the same level of security (160-bit ECC = 1024-bit RSA).
- Requires fewer resources than RSA.

*Elliptical Curve Diffie-Hellman Ephemeral (ECDHE)*- Variant of DHE using ECC for perfect forward secrecy.

*El Gamal*- An extension to the Diffie-Hellman using an ephemeral key.

*Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)*- Developed by Phillip R. Zimmerman in 1991.
- Used to encrypt and sign email messages.
- Establishes a web of trust between the users.
- A web of trust implies that the users generate and distribute their public keys.
- These keys are signed by users for each other, establishing a community of users who trust each other for communication.
- Every user has a collection of signed public keys stored in a file known as a web ring.

- PGP provides the following functionalities:
- Confidentiality through the International Data Encryption Algorithm (IDEA).
- Integrity through the Message Digest 5 (MD5) hashing algorithm.
- Authentication through public key certificates.
- Non-repudiation through encrypted signed messages.

- AKA Merkle-Hellman Knapsack Crypotosystem
- One of the earliest public key cryptosystems.

- 'Digital fingerprint'
- Work by taking a string of any length and producing a fixed-length string for output.
- Changing the original changes the hash value.
- Originator takes a hash of the file and provides hash to receiver.
- Receiver takes hash of file and compares with original to ensure file integrity.

*Secure Hash Algorithm (SHA, SHA-1, SHA-2, SHA-3)*- Developed by the US NSA
- SHA-1 can generate a 160-bit hash from any variable-length string of data.
- SHA-2 = SHA-22, SHA-256, SHA-348, and SHA-512 (based on their digest lengths)
- SHA-3, published in 2012, not widely used yet.

*Message Digest Algorithm (MD2, MD4, MD5)*- The most widely known hashing function.
- Produces a 16-byte hash value, usually expressed as a 32 digit hexadecimal number.
- Considered compromised. Rainbow tables have been published which allow people to reverse MD5 hashes made without good salts.

*Message Authentication Code (MAC)*- Authentication of messages using a secret key.
- Used in electronic fund transfers to protect against fraud.

*Hash-Based Message Authentication Code (HMAC)*- HMAC combines a cryptographic hash function and a secret crypto key.
- HMAC does not encrypt the message, only the key.

*Keyed Hashing for Message Authentication Code (KHMAC)*- Used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections.

*RACE Integrity Primitives Evaluation Message Digest (RIPEMD)*- Design based on MD4.
- 160-bit version of the algorithm (RIPEMD-160) performs comparably to SHA-1.

*HAVAL*- Processes 1024-bit block sizes of information.
- Creates message digests of variable sizes rather than a fixed output value.
- Produces hashes in lengths of 128, 160, 192, 224, and 256.

*Rainbow Table*- A pre-computed table for reversing cryptographic hash functions.
- All of the possible hashes are computed in advance.

*Salt*- Random data that is used as an additional input to hash

- Processes used to take a weak key and make it stronger, usually by making it longer.
*Bcrypt*- Based on the blowfish algorithm.
- Provides an adaptive hash function based on a key factor.

*Password-Based Key Derivation Function 2 (PBKDF2)*- Algorithm applies a pseudo-random function to the password combined with a salt of at least 64 bits, and then repeats the process at least 1000 times.

â€‹

â€‹

Last modified 1yr ago

Copy link

On this page

Obfuscation

Symmetric Algorithms

Cipher Modes

Asymmetric Encryption

Asymmetric Algorithms

Hashing

Hashing Algorithms

Rainbow Tables and Salts

Key Stretching