# CompTIA® Security+ Exam Notes : Explain cryptography algorithms and their basic characteristics

## 6. Cryptography and PKI

#### 6.2 Explain cryptography algorithms and their basic characteristics

Symmetric Algorithms:

Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. The standard is slowly replacing its predecessor DES and 3DES.

1. AES (Advanced Encryption Standard) is more secure than DES or 3DES.

2. AES is a symmetric block cipher that can encrypt (encipher) or decrypt (decipher) information

3. AES is based on Rijndael algorithm

Hashing Algorithms: Hash algorithms produce a hash of a message and encrypt it. They use a mathematical formula for hashing, and it is extremely difficult to tamper with the message and still produce the same hash. Basically, Hashing enable a recipient to check whether a message is received intact without being tampered by a third party.

1. SHA (Secure Hashing Algorithms): There are several Secure Hashing Algorithms and they primarily differ in the hash length. They are SHA-1, SHA-256, SHA-384 and SHA-512. In SHA-1 the bit length is 160 bits, in SHA-256 it is 256 bits, for SHA-384, 384 bits and in SHA-512 it is 512 bits.

2. MD2, MD4, MD5 (Message Digest Series Algorithms): These are another type of hash algorithms. These algorithms were developed by Rivest. All three algorithms take a message of arbitrary length and produce a 128-bit message digest. MD2 is meant for 8 bit machines and MD4, MD5 are suitable for 32 bit machines. These algorithms are primarily used for digital signature applications.

MD5 hash is 128 bits long and displayed as 32 hexadecimal characters. That is MD5 length in bits : 32*4 or 128 bits.

MD5("The quick brown fox jumps over the lazy dog.")

gives hexadecimal: e4d909c290d0fb1ca068ffaddf22cbd0

As can be seen above, it is 32 hex characters long.

SHA (Secure Hash Algorithm) comes in different flavors.

SHA-1 length in hex is 40 i.e. it's length in bits : 40*4 or 160 bits.

Example of SHA-1 Hash:

SHA1("The quick brown fox jumps over the lazy cog")

gives hexadecimal: de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3

As ca be seen above, it is 40 hex characters long in the above example.

SHA-2 includes four versions: SHA-224, SHA-256, SHA-384, and SHA-512. The numbers represent the number of bits in the hash. For example, SHA-256 creates 256-bit hashes.

SHA-3 includes multiple versions with hashes of 224 bits, 256 bits, 384 bits, and 512 bits.

Block cipher: Block cipher derives its name from the fact that a block of data is taken at a time to cipher.

Asymmetric Algorithms:

PGP (Pretty Good Privacy): PGP can use Diffie-Hellman or RSA algorithms, but not AES or DES. PGP is used primarily for securing email communications. PGP uses public-key encryption for sending and receiving email messages. Diffie-Hellman and RSA algorithms are used for encryption/ decryption of PGP messages.

PGP certificates differ from X.509 certificates in two ways:

1. PGP certificates are issued (signed) by normal people while the X.509 certificates must be issued by a professional CA, and

2. PGP implements a security fault tolerance mechanism, called the Web of Trust. Here an individual is allowed to sign and issue certificates to people they know.

Diffie-Hellman:

ECDHE: Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) allows entities to negotiate encryption keys securely over a public network.

Key Stretching Algorithms:

Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) are key stretching algorithms. It is used to make a short key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Usually, passwords are short and we don't remember long passwords. Short passwords are easy to crack by brute force method.

PKI Trust Models:

Hierarchical: A root CA at the top controls all the subordinate CAs. The subordinate CAs are next in the hierarchy, and they only trust information provided by the root CA. In a strict hierarchy, however, a root CA normally issues or revokes certificates only on an occasional basis. Therefore, the root CA usually works offline to protect its key infrastructure.

Bridge: In a bridge trust model, a peer-to-peer relationship exists between the root CAs. The root CAs can communicate with each other, allowing cross certification.

Mesh: The mesh trust model expands the concepts of the bridge model by cross connecting multiple root CAs. Each of the root CAs can also communicate with the intermediate CAs in their respective hierarchies. This structure may be useful in a situation where several organizations must cross-certify certificates. The major disadvantage of a mesh is that each root CA must be trustworthy in order to maintain security. Further, the complexity grows exponentially with each node, and becomes difficult to use and maintain when the numbers become large.

Hybrid: When independent enterprises establish separate subordinated hierarchies, and then develop a need to communicate, some form of cross-certification must be applied to link the hierarchies. The hybrid trust model has the following properties:

1. Multiple root CAs exist

2. All non-root CAs are certified within a root CA's hierarchy, with paths certified both "downward" from the root and "upward" towards it

3. Root CAs establish a cross-certified mesh among themselves, so each hierarchy can reach every other hierarchy via a single cross-certificate at the root level

4. Selective cross-certification between non-root CAs is permitted

Note that wildcard certificate supports only one private/public key pair.

Security+ Cram Notes Contents