In section 3.6, Boyle and Panko discuss the Diffie-Hellman key agreement, which is a protocol that allows two parties to exchange a shared secret over a public channel while maintaining confidentiality.
I thought this process was a fascinating method to exchange key information while keeping the key secret per Kerckhoff’s principle. Keeping a symmetric key secret can be a challenge as both parties need this in order to encrypt and decrypt the message. The symmetric key can be intercepted and used by an eavesdropper to view the message if it’s sent over an insecure channel. Diffie-Hellman addresses this by allowing each party to contribute to the creation of a symmetric key without sending the entire key. This mitigates the risk of interception and allows for each party to send and receive encrypted messages using a shared symmetric key.
While aspects of the key are visible to eavesdroppers, it is mathematically taxing to calculate the key using current technology. This may change in the future when quantum computing becomes more accessible.
Hi Matt,
For me, based on the purpose of use, we can choose which algorithm is better. For example, Diffie Hellman can’t be used for signing digital signatures because it’s used shared key.
In section 3.11 of Boyle and Panko they introduce the attractions of IP Security and describe the tradeoffs between IPsec tunnel mode and transport mode in comparison to Secure Sockets Layer and Transport Layer Security. In figure 3-28 it showed 4 areas in which IPsec was a better option than SSL and TSL. It was central management support, transparency and protection through all higher layer traffic, compatible with IPv4/IPv6, and the modes of transportation(transport, tunnel). It offers strong security while requiring authentication when communicating through public keys and digital certificates, and has a strong control policy capability and is centralized making it easier to administer. However regardless of it being the gold standard, it is much more complex to use and more expensive. I really liked learning about this because I never heard of it so it caught my attention about its functionalities and where it stands in comparison to other methods of VPN’s as a IETF.
Agree, and In the section, Advance services require administration privileges it states that “..using SSL and TLS for either remote access or host to host communication to a web browser is dangerous because SSL/TLS leave the information on the client PC’s hard drives after the user finishes SSL and TLS session.” Despite being a very favored SSL/TLS is a huge security risk if used from public computers. SSL/TLS gat gateways allow plug-ins that erase all traces of a user’s sessions to be downloaded, however, this option is not available for public computer users as they do not have the administrative login to make any changes.
Cryptography provides a method of transmitting and storing data in a form that only those it is intended for can read and process. On page 148 of the textbook, you can find an in-the-news article summary about five hard drives that were seized by Brazilian authorities. For five months, the Brazilian National Institute of Criminology (NIC) was unsuccessful in cracking the encryption on the hard drives. The FBI was also unsuccessful after a 12-month effort using a variety of dictionary-based attacks. The reason being, the defendant used a 256-bit AES encryption algorithm to encrypt the drives. Last semester we learned that 100-300 bit encryption is considered more than enough to prevent brute force attacks as per the current computing power. Not to mention, AES 256 is virtually impenetrable using brute-force methods as it would take 2.29*10^32 years. AES-256 would take 2.29*10^32 years. This demonstrates it is not possible for a single PC to brute-force crack AES-256 encryption within the lifetime of a person, let alone the lifetime of the universe.
I thought this was interesting as well. Given the difficulty of cracking current encryption standards it makes sense for attackers to focus on other methods to breach the confidentiality of data. This is why social engineering, such as phishing, is so prevalent as adversaries can compromise confidentiality with less effort and skill. It’s both reassuring and concerning that these methods are so difficult to break through pure cryptanalysis.
Great points, especially the one pertaining to brute force. I am familiar with AES (Advance Encryption Standard) due to my studies of the CompTIA Security+ certifition. It supersedes the DES (Data Encryption Standard), which was published in 1977. Great Post!
Cryptography is a very important main security countermeasure, and its purpose is the confidentiality of security goals. Cryptography uses mathematical operations to protect information transmitted or stored on a computer between parties. In 3.1.11 it is mentioned, “The reality of cryptography is that it is not an authomatic protection. It only workd of companies have and enforce organizational processes that do not compromise the technical strengths of cryptography.” Even if cryptography is an effective However, this method still relies on good organizational discipline and personal habits. The sender and receiver must always maintain the confidentiality of the key before they can play the role of cryptography.
What interests me is the VPN mentioned in chapter 3.9. Because we have to use a VPN to connect Google and Tuportal in China. There are different security protection standards between SSL/TLS, the standard encryption method for VPNs, and IPsec. IPsec is the gold standard, and there are two modes of operation to provide a higher level of protection.
Cryptography explains how electronic signatures including digital signatures, digital certificates, and key-hashed message authentication codes work. It further explains the mathematical operations (i.e encryption and ciphertext for confidentiality and privacy) used to protect messages traveling between parties or store on a computer which makes it difficult for eavesdropper to intercept messages. Symmetric key encryption provides confidentiality because the sender and receiver must encrypt and decrypt with the shared key. We have seen that only the key needs to be kept secret for successful confidentiality and securing information systems. One method of thwarting an attackers exhaustive search in trying to learn the key is to simply make the key length so long that the time needed to crack the key is too long for practicality and this was explained in the reading and it which caught my attention is to increase a key’s length from the regular 8bits to 9bit would require a cryptanalyst to try half of 512 keys instead of half of 256. Cryptography remains a very important security countermeasures used to confidentiality and security of information systems and digital assets.
You are right, cryptography is one of the powerful ways to protect information. Public key encryption is a simple and good way to protect communications. Public keys can encrypt information and verify the identity of the recipient. The recipient can use the private key to authenticate the identity, ensuring the confidentiality of the information.
This chapter is interesting yet a little complex as there is so many ways to use to encrypt and decrypt a message. Encryption is a process used to convert the information into a code (cipher text) while being transmitted to the sender. Symmetric key is the encryption used for confidentiality as it gives more protection and it’s only one key used to encrypt and decrypt the message. It is stronger than asymmetric key as it gives more speed and faster to run. I can also add that because only one key is used to encrypt and decrypt the message, the key is much shorter than it is in asymmetric cryptography. Symmetric keys encryption ciphers contain AES, DES, RC4 and 3DES and RC4 is known as the weakest cipher in common use today. From what I read, AES is the strongest and has 128 bits longer and considered powerful enough to protect military top secret data.
I would say that encryption is very important in our daily lives especially that now all data or information are moving into the cloud. We really want our information to be delivered without any interception so cryptography remains a very strong security countermeasure for attacks.
I agree that strong encryption is critical in our lives and protects us individually and as a society. This is especially important as we share more of our lives online. There is a tradeoff with strong encryption as it secures both good and bad communications. The same encryption algorithm protects criminal and non-criminal communications. Ultimately I think having near unbreakable encryption serves the greater good despite the ability to be used by some for illicit activities. Encryption supports privacy which is an important right that must be protected. This is why strong open source encryption standards should be used.
The chapter talks about the concept of Cryptography. Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer. Cryptography is a branch of mathematics that is based on the transformation of data and can be used to provide several security services: confidentiality, identity authentication, data integrity authentication, source authentication, and support for non-repudiation. The use of cryptography relies heavily upon two basic components: an algorithm and a key. The algorithm is a mathematical function, and the key is a parameter used during the cryptographic process. SSL/TLS has a secure socket layer and transport layer of security protocols for communication which are authenticated and encrypted links between network computers. SSL certificate is a digital document that binds the identity of a website to cryptographic key pair consisting of a public and private key that are included in the certificate when a web browser is introduced to an encrypted communication session with a web server via the transport layer and HTTPS protocols.
Chapter three explains the essential information for IT security professionals. The takeaway concepts for the chapter explained how cryptographic systems provide secure communication. For confidentiality, the chapter explains that original plain text can be encrypted with the cipher and a key. As symmetric encryption, the same key is shared with sender and receiver, and recommended key length is 112 bits and longer. Another protection method is authentication, where the system requires the user to prove identity to get access. Also, the standards for cryptographic security are mentioned in the chapter, such as SSL/TLS and IPsec for VPN.
I agree with you and from the reading, Symmetric key is stronger than Asymmetric key and gives more speed. Symmetric key is used for confidentiality since it’s the same key to encrypt and decrypt the message, it will make it easier to know who stole the key in case an incident happens.
I found Chapter 3, cryptography to be a really interesting read.
It explains that cryptography is basically the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. It explains Ciphers, they are for encrypting and decrypting data. A cipher converts the original message, called plaintext, into ciphertext using a key to determine how it is done.
A very important topic was Symmetric encryption. Which is a type of encryption where only one key is used to both encrypt and decrypt electronic information. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process. This encryption method differs from asymmetric encryption where a pair of keys, one public and one private, is used to encrypt and decrypt messages.
A section that stood out to me was 3.1.10, where it was talking about increasing the key length and how each additional bit doubles the time it takes to crack the key. What I found very interesting was it explained some countries put a cap on key lengths for exporting products and its a 40 bit cap to ensure that the government will be able to crack the keys if they need to do so. I found this very interesting and truly wondered which countries have this policy, as it is basically saying you can secure your information to everyone but us the government.
I found cryptography chapter to be long and complex, but yet useful. I particularly liked section 3.9 which is about cryptographic systems. Cryptographic systems combine all of the cryptographic protections, including confidentiality, authentication, and integrity into a single system. Cryptographic systems protect user dialogues from attackers and eliminate the need for users to understand the specific cryptographic details. It was interesting to learn the working of a VPN – A VPN is a cryptographic system that provides secure communication over an untrusted network (the Internet, a wireless LAN, etc.)
I agree in the assessment that cryptography is very complex. I also had the same takeaway that encryption can cover confidentiality, authentication, and integrity into a single system. Having a technology like VPN available to protect communication can be useful in a variety of settings. It is useful for corporations and individuals alike. However, in regards to the VPN communication, it is only as secure as the service provider allows it to be. In other words, if you have a VPN service that keeps logs and sells data of your communication then it would defeat the purpose of the VPN in the first place. In this case it is likely the end user would not even be aware of these shady activities. Whoever is hosting the VPN server controls all of the communication and has the power to peer into any of the communications that they would like to. This really comes into play at the consumer level and is what makes it so important to find a trustworthy VPN service.
Great comment! I liked how you explained in a simple way what cryptography is. It’s an interesting and complex chapter for someone who are new in IT. There is a lot of terms that came out of the reading but the key terms were confidentiality, authentication, and integrity. It’s also very important in our daily lives as you do not want unauthorized people to hack your cell phone for example since it’s the one object we use the most and must be well protected.
In this chapter, the author introduced readers the core cryptographic concepts. Cryptography has a long history. The chapter explained how cryptographic systems provide secure communication. Moreover, these systems begin with three initial handshaking stages: the negotiation of sets of security methods and options, the initial authentication, and keying. After these stages, these systems move into an ongoing communication stage. This chapter mentioned about VPN that are also cryptographic systems and provide secure communication over untrusted network. This part of the chapter introduced me about different security protection standards and IPsec is the gold one.
Great post! Yes I also noticed that there is different stages for cryptography/encryption which I was not really aware. I found this chapter interesting because communication is key in our daily lives and we can see in depth how messages are being coded and transmitted to the sender and vice versa.
This chapter briefly discusses quantum cryptography which I find to be a large future problem because its quantum computing is realized it will break all traditional cryptography overnight. Fortunately, in its current stages it is years away from actually breaking anything more than a few bits. Why quantum cryptography is such a lethal threat is because of its ability to solve problems simultaneously instead of through a normal binary routine of solving one by one. This is mainly because quantum computers use “Q-bits” which aren’t normal binary (0 or 1). Instead, quantum computers can use any number between 0 & 1. Meaning a q-bit can be .4 or .7 which from a data perspective can change how a computer processes information completely. Instead of traditional cryptographic methods, quantum cryptography will not have to keep processing power in mind since the encryption keys are as long as the message. What I would want to know is if there are draw-backs to this – or if quantum computing just simply doesn’t care for the processing power required for ensured confidentiality.
Hi Mike,
Q-bits is a new term to me, so I do not know how Q-bits involve in quantum cryptography. However, I wonder that whether quantum cryptography will still unbreakable for a couple of decades later.
Chapter 3 discusses many cryptographic concepts that are necessary for security professionals to know. One of the main concepts I learned about was using encryption for confidentiality. This is when your original plaintext message is encrypted with a cipher and key. By doing this, you form a cipher text which is unable to be read by anybody attempting to intercept this message. In order to receive the original message, the receiver would have to apply the cipher in reverse. I found the discussion about encryption interesting because it taught me about a form of protecting private data as well as enhancing the security of communication.
Yes it is also interesting to see how scammers use plain text message to bypass phishing filters that are set by programs in order to get by into the inbox folder of the targeted user.
There was a lot of information in the Cryptography chapter that I found to be insightful. The section on Quantum Security specifically stood out to me while I was reading. The complexity that goes into any sort of quantum computing is fascinating. Quantum key cracking is a topic that I found myself thinking about long after the reading. The potential to crack thousands of keys at once is a very powerful tool. It also raises an interesting question of how safe our current encryption methods are. Our encrypted data can be harvested and saved for a much later time in the future when quantum computing is even more powerful. When it reaches that point, these once extremely secure keys and ciphers become easily cracked with quantum computing. This means that data we think of as secure today can be viewed as easily and something completely unencrypted in the future. How can any corporations even protect against something like that?
Thanks for sharing Ryan you brought up a great point about whether data that’s considered secure today perhaps won’t be tomorrow. I’m sure security departments within corporations must struggle with this question since it seems to fall into the “how do we protect against what we don’t know about” bucket. While sure they may have considered the data could be harvested for later but ultimately the difficult part is identifying ways to overcome potential attacks. I believe strong security awareness training for employees is crucial with an emphasis on educating users to deploy strong password practices. This way, non-technical users will understand why reusing previously used passwords is a bad practice. Ideally in the long term this will limit the number of active passwords that have been harvested.
Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer. Encryption is the process of changing plaintext into cipher-text for the purpose of security or privacy. These words can sometimes be used interchangeably. A common security goal is confidentiality, which means that people who intercept messages cannot read them. Confidentiality requires a type of cryptography called encryption for confidentiality; which was the original purpose of cryptography.
I found section 3.8 of this week’s reading to be interesting. Quantum physics can be used to transmit a key the length of an entire message between two parties. Key cracking a key that is this long is incredibly difficult and cryptanalysis can’t crack this type of encryption. Additionally, if a MITM attack is used to try to access key information, the attack is immediately noticed and the key is not used. Many organizations don’t use this type of key because it requires significant resources and isn’t necessary for most purposes.
Quantum computing is both fascinating and horrifying since if they are developed, they will likely break the entire cybersecurity world over night. Mainly because world governments would utilize this new technology to break encryption and could spy on foreign agencies at ease – what was once a secure connection could now be compromised. Luckily at the current moment this is not possible (at least to our knowledge). However, I think that as we make advances, we will see a “space race” type style between different powerful world organizations and governments to see who can build the first functional quantum computer.
In this week’s reading, I found that section 3.1.10, “Symmetric Key Encryption”, had some pretty interesting information. Exhaustive searching & key length were the parts in particular that I found pretty cool. For example, If a key is 8 bits long, it will take the cryptanalyst an average of only 128 tries to find the correct key. With each additional bit added to the key, this length doubles (9 bits=256 tries). By the time the key length is at 112 bits, the exhaustive search time has increased so exponentially that it will now take a cryptanalyst 72 quadrillion attempts, which doesn’t seem very realistic. What I found most interesting about this section, though, is that in the 70’s a key that was 56 bits long was considered “strong”, IE prohibitively time-consuming to crack. Today, a a key of that length can be cracked very easily. NIST currently recommends that keys be at least 112 bits to be considered strong, and they predict that by the 2030s keys will need to be up to 128 bits long. All in all, I just found it very intriguing that a key that may have been impossible to decrypt not too long ago can now be done so with much less effort.
I found the use of virtual private networks (VPN) as a cryptographic system to secure communication over untrusted networks very interesting from the chapter 3 reading. We learned that VPN’s are better option than wide area networks since they are cheaper to operate and provide greater security. The chapter touches on three specific kinds of VPN’s including:
– Host-to-host: Connects a single client over an untrusted network to a single server;
– Remote access: Connects a single remote PC over an untrusted network to a site. Remote access VPN’s can provide remote employees secure access to their internal corporate networks as well as authentication into a VPN gateway in order to access other resources on the site; and
Site-to-site: Protect all traffic flowing over an untrusted network between a pair of sites. Site-to-site VPN’s are useful when securing traffic between two corporate sites or a corporate site and a customer site.
In section 3.6, Boyle and Panko discuss the Diffie-Hellman key agreement, which is a protocol that allows two parties to exchange a shared secret over a public channel while maintaining confidentiality.
I thought this process was a fascinating method to exchange key information while keeping the key secret per Kerckhoff’s principle. Keeping a symmetric key secret can be a challenge as both parties need this in order to encrypt and decrypt the message. The symmetric key can be intercepted and used by an eavesdropper to view the message if it’s sent over an insecure channel. Diffie-Hellman addresses this by allowing each party to contribute to the creation of a symmetric key without sending the entire key. This mitigates the risk of interception and allows for each party to send and receive encrypted messages using a shared symmetric key.
While aspects of the key are visible to eavesdroppers, it is mathematically taxing to calculate the key using current technology. This may change in the future when quantum computing becomes more accessible.
Hi Matt,
For me, based on the purpose of use, we can choose which algorithm is better. For example, Diffie Hellman can’t be used for signing digital signatures because it’s used shared key.
In section 3.11 of Boyle and Panko they introduce the attractions of IP Security and describe the tradeoffs between IPsec tunnel mode and transport mode in comparison to Secure Sockets Layer and Transport Layer Security. In figure 3-28 it showed 4 areas in which IPsec was a better option than SSL and TSL. It was central management support, transparency and protection through all higher layer traffic, compatible with IPv4/IPv6, and the modes of transportation(transport, tunnel). It offers strong security while requiring authentication when communicating through public keys and digital certificates, and has a strong control policy capability and is centralized making it easier to administer. However regardless of it being the gold standard, it is much more complex to use and more expensive. I really liked learning about this because I never heard of it so it caught my attention about its functionalities and where it stands in comparison to other methods of VPN’s as a IETF.
Agree, and In the section, Advance services require administration privileges it states that “..using SSL and TLS for either remote access or host to host communication to a web browser is dangerous because SSL/TLS leave the information on the client PC’s hard drives after the user finishes SSL and TLS session.” Despite being a very favored SSL/TLS is a huge security risk if used from public computers. SSL/TLS gat gateways allow plug-ins that erase all traces of a user’s sessions to be downloaded, however, this option is not available for public computer users as they do not have the administrative login to make any changes.
Hi Wilmer,
I would love to know more about IETF. For you, what are the benefit to use IETF instead of IPsec?
Cryptography provides a method of transmitting and storing data in a form that only those it is intended for can read and process. On page 148 of the textbook, you can find an in-the-news article summary about five hard drives that were seized by Brazilian authorities. For five months, the Brazilian National Institute of Criminology (NIC) was unsuccessful in cracking the encryption on the hard drives. The FBI was also unsuccessful after a 12-month effort using a variety of dictionary-based attacks. The reason being, the defendant used a 256-bit AES encryption algorithm to encrypt the drives. Last semester we learned that 100-300 bit encryption is considered more than enough to prevent brute force attacks as per the current computing power. Not to mention, AES 256 is virtually impenetrable using brute-force methods as it would take 2.29*10^32 years. AES-256 would take 2.29*10^32 years. This demonstrates it is not possible for a single PC to brute-force crack AES-256 encryption within the lifetime of a person, let alone the lifetime of the universe.
I thought this was interesting as well. Given the difficulty of cracking current encryption standards it makes sense for attackers to focus on other methods to breach the confidentiality of data. This is why social engineering, such as phishing, is so prevalent as adversaries can compromise confidentiality with less effort and skill. It’s both reassuring and concerning that these methods are so difficult to break through pure cryptanalysis.
Hey Elizabeth,
Great points, especially the one pertaining to brute force. I am familiar with AES (Advance Encryption Standard) due to my studies of the CompTIA Security+ certifition. It supersedes the DES (Data Encryption Standard), which was published in 1977. Great Post!
Cryptography is a very important main security countermeasure, and its purpose is the confidentiality of security goals. Cryptography uses mathematical operations to protect information transmitted or stored on a computer between parties. In 3.1.11 it is mentioned, “The reality of cryptography is that it is not an authomatic protection. It only workd of companies have and enforce organizational processes that do not compromise the technical strengths of cryptography.” Even if cryptography is an effective However, this method still relies on good organizational discipline and personal habits. The sender and receiver must always maintain the confidentiality of the key before they can play the role of cryptography.
What interests me is the VPN mentioned in chapter 3.9. Because we have to use a VPN to connect Google and Tuportal in China. There are different security protection standards between SSL/TLS, the standard encryption method for VPNs, and IPsec. IPsec is the gold standard, and there are two modes of operation to provide a higher level of protection.
Cryptography explains how electronic signatures including digital signatures, digital certificates, and key-hashed message authentication codes work. It further explains the mathematical operations (i.e encryption and ciphertext for confidentiality and privacy) used to protect messages traveling between parties or store on a computer which makes it difficult for eavesdropper to intercept messages. Symmetric key encryption provides confidentiality because the sender and receiver must encrypt and decrypt with the shared key. We have seen that only the key needs to be kept secret for successful confidentiality and securing information systems. One method of thwarting an attackers exhaustive search in trying to learn the key is to simply make the key length so long that the time needed to crack the key is too long for practicality and this was explained in the reading and it which caught my attention is to increase a key’s length from the regular 8bits to 9bit would require a cryptanalyst to try half of 512 keys instead of half of 256. Cryptography remains a very important security countermeasures used to confidentiality and security of information systems and digital assets.
Hi Oluwaseun,
You are right, cryptography is one of the powerful ways to protect information. Public key encryption is a simple and good way to protect communications. Public keys can encrypt information and verify the identity of the recipient. The recipient can use the private key to authenticate the identity, ensuring the confidentiality of the information.
This chapter is interesting yet a little complex as there is so many ways to use to encrypt and decrypt a message. Encryption is a process used to convert the information into a code (cipher text) while being transmitted to the sender. Symmetric key is the encryption used for confidentiality as it gives more protection and it’s only one key used to encrypt and decrypt the message. It is stronger than asymmetric key as it gives more speed and faster to run. I can also add that because only one key is used to encrypt and decrypt the message, the key is much shorter than it is in asymmetric cryptography. Symmetric keys encryption ciphers contain AES, DES, RC4 and 3DES and RC4 is known as the weakest cipher in common use today. From what I read, AES is the strongest and has 128 bits longer and considered powerful enough to protect military top secret data.
I would say that encryption is very important in our daily lives especially that now all data or information are moving into the cloud. We really want our information to be delivered without any interception so cryptography remains a very strong security countermeasure for attacks.
I agree that strong encryption is critical in our lives and protects us individually and as a society. This is especially important as we share more of our lives online. There is a tradeoff with strong encryption as it secures both good and bad communications. The same encryption algorithm protects criminal and non-criminal communications. Ultimately I think having near unbreakable encryption serves the greater good despite the ability to be used by some for illicit activities. Encryption supports privacy which is an important right that must be protected. This is why strong open source encryption standards should be used.
The chapter talks about the concept of Cryptography. Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer. Cryptography is a branch of mathematics that is based on the transformation of data and can be used to provide several security services: confidentiality, identity authentication, data integrity authentication, source authentication, and support for non-repudiation. The use of cryptography relies heavily upon two basic components: an algorithm and a key. The algorithm is a mathematical function, and the key is a parameter used during the cryptographic process. SSL/TLS has a secure socket layer and transport layer of security protocols for communication which are authenticated and encrypted links between network computers. SSL certificate is a digital document that binds the identity of a website to cryptographic key pair consisting of a public and private key that are included in the certificate when a web browser is introduced to an encrypted communication session with a web server via the transport layer and HTTPS protocols.
Chapter three explains the essential information for IT security professionals. The takeaway concepts for the chapter explained how cryptographic systems provide secure communication. For confidentiality, the chapter explains that original plain text can be encrypted with the cipher and a key. As symmetric encryption, the same key is shared with sender and receiver, and recommended key length is 112 bits and longer. Another protection method is authentication, where the system requires the user to prove identity to get access. Also, the standards for cryptographic security are mentioned in the chapter, such as SSL/TLS and IPsec for VPN.
Hi Miray,
I agree with you and from the reading, Symmetric key is stronger than Asymmetric key and gives more speed. Symmetric key is used for confidentiality since it’s the same key to encrypt and decrypt the message, it will make it easier to know who stole the key in case an incident happens.
I found Chapter 3, cryptography to be a really interesting read.
It explains that cryptography is basically the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. It explains Ciphers, they are for encrypting and decrypting data. A cipher converts the original message, called plaintext, into ciphertext using a key to determine how it is done.
A very important topic was Symmetric encryption. Which is a type of encryption where only one key is used to both encrypt and decrypt electronic information. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process. This encryption method differs from asymmetric encryption where a pair of keys, one public and one private, is used to encrypt and decrypt messages.
A section that stood out to me was 3.1.10, where it was talking about increasing the key length and how each additional bit doubles the time it takes to crack the key. What I found very interesting was it explained some countries put a cap on key lengths for exporting products and its a 40 bit cap to ensure that the government will be able to crack the keys if they need to do so. I found this very interesting and truly wondered which countries have this policy, as it is basically saying you can secure your information to everyone but us the government.
I found cryptography chapter to be long and complex, but yet useful. I particularly liked section 3.9 which is about cryptographic systems. Cryptographic systems combine all of the cryptographic protections, including confidentiality, authentication, and integrity into a single system. Cryptographic systems protect user dialogues from attackers and eliminate the need for users to understand the specific cryptographic details. It was interesting to learn the working of a VPN – A VPN is a cryptographic system that provides secure communication over an untrusted network (the Internet, a wireless LAN, etc.)
Hi Shubham,
I agree in the assessment that cryptography is very complex. I also had the same takeaway that encryption can cover confidentiality, authentication, and integrity into a single system. Having a technology like VPN available to protect communication can be useful in a variety of settings. It is useful for corporations and individuals alike. However, in regards to the VPN communication, it is only as secure as the service provider allows it to be. In other words, if you have a VPN service that keeps logs and sells data of your communication then it would defeat the purpose of the VPN in the first place. In this case it is likely the end user would not even be aware of these shady activities. Whoever is hosting the VPN server controls all of the communication and has the power to peer into any of the communications that they would like to. This really comes into play at the consumer level and is what makes it so important to find a trustworthy VPN service.
Hi Shubham,
Great comment! I liked how you explained in a simple way what cryptography is. It’s an interesting and complex chapter for someone who are new in IT. There is a lot of terms that came out of the reading but the key terms were confidentiality, authentication, and integrity. It’s also very important in our daily lives as you do not want unauthorized people to hack your cell phone for example since it’s the one object we use the most and must be well protected.
In this chapter, the author introduced readers the core cryptographic concepts. Cryptography has a long history. The chapter explained how cryptographic systems provide secure communication. Moreover, these systems begin with three initial handshaking stages: the negotiation of sets of security methods and options, the initial authentication, and keying. After these stages, these systems move into an ongoing communication stage. This chapter mentioned about VPN that are also cryptographic systems and provide secure communication over untrusted network. This part of the chapter introduced me about different security protection standards and IPsec is the gold one.
Hi Hang,
Great post! Yes I also noticed that there is different stages for cryptography/encryption which I was not really aware. I found this chapter interesting because communication is key in our daily lives and we can see in depth how messages are being coded and transmitted to the sender and vice versa.
This chapter briefly discusses quantum cryptography which I find to be a large future problem because its quantum computing is realized it will break all traditional cryptography overnight. Fortunately, in its current stages it is years away from actually breaking anything more than a few bits. Why quantum cryptography is such a lethal threat is because of its ability to solve problems simultaneously instead of through a normal binary routine of solving one by one. This is mainly because quantum computers use “Q-bits” which aren’t normal binary (0 or 1). Instead, quantum computers can use any number between 0 & 1. Meaning a q-bit can be .4 or .7 which from a data perspective can change how a computer processes information completely. Instead of traditional cryptographic methods, quantum cryptography will not have to keep processing power in mind since the encryption keys are as long as the message. What I would want to know is if there are draw-backs to this – or if quantum computing just simply doesn’t care for the processing power required for ensured confidentiality.
Hi Mike,
Q-bits is a new term to me, so I do not know how Q-bits involve in quantum cryptography. However, I wonder that whether quantum cryptography will still unbreakable for a couple of decades later.
Chapter 3 discusses many cryptographic concepts that are necessary for security professionals to know. One of the main concepts I learned about was using encryption for confidentiality. This is when your original plaintext message is encrypted with a cipher and key. By doing this, you form a cipher text which is unable to be read by anybody attempting to intercept this message. In order to receive the original message, the receiver would have to apply the cipher in reverse. I found the discussion about encryption interesting because it taught me about a form of protecting private data as well as enhancing the security of communication.
Yes it is also interesting to see how scammers use plain text message to bypass phishing filters that are set by programs in order to get by into the inbox folder of the targeted user.
There was a lot of information in the Cryptography chapter that I found to be insightful. The section on Quantum Security specifically stood out to me while I was reading. The complexity that goes into any sort of quantum computing is fascinating. Quantum key cracking is a topic that I found myself thinking about long after the reading. The potential to crack thousands of keys at once is a very powerful tool. It also raises an interesting question of how safe our current encryption methods are. Our encrypted data can be harvested and saved for a much later time in the future when quantum computing is even more powerful. When it reaches that point, these once extremely secure keys and ciphers become easily cracked with quantum computing. This means that data we think of as secure today can be viewed as easily and something completely unencrypted in the future. How can any corporations even protect against something like that?
Thanks for sharing Ryan you brought up a great point about whether data that’s considered secure today perhaps won’t be tomorrow. I’m sure security departments within corporations must struggle with this question since it seems to fall into the “how do we protect against what we don’t know about” bucket. While sure they may have considered the data could be harvested for later but ultimately the difficult part is identifying ways to overcome potential attacks. I believe strong security awareness training for employees is crucial with an emphasis on educating users to deploy strong password practices. This way, non-technical users will understand why reusing previously used passwords is a bad practice. Ideally in the long term this will limit the number of active passwords that have been harvested.
Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer. Encryption is the process of changing plaintext into cipher-text for the purpose of security or privacy. These words can sometimes be used interchangeably. A common security goal is confidentiality, which means that people who intercept messages cannot read them. Confidentiality requires a type of cryptography called encryption for confidentiality; which was the original purpose of cryptography.
I found section 3.8 of this week’s reading to be interesting. Quantum physics can be used to transmit a key the length of an entire message between two parties. Key cracking a key that is this long is incredibly difficult and cryptanalysis can’t crack this type of encryption. Additionally, if a MITM attack is used to try to access key information, the attack is immediately noticed and the key is not used. Many organizations don’t use this type of key because it requires significant resources and isn’t necessary for most purposes.
Hi Amelia,
Quantum computing is both fascinating and horrifying since if they are developed, they will likely break the entire cybersecurity world over night. Mainly because world governments would utilize this new technology to break encryption and could spy on foreign agencies at ease – what was once a secure connection could now be compromised. Luckily at the current moment this is not possible (at least to our knowledge). However, I think that as we make advances, we will see a “space race” type style between different powerful world organizations and governments to see who can build the first functional quantum computer.
In this week’s reading, I found that section 3.1.10, “Symmetric Key Encryption”, had some pretty interesting information. Exhaustive searching & key length were the parts in particular that I found pretty cool. For example, If a key is 8 bits long, it will take the cryptanalyst an average of only 128 tries to find the correct key. With each additional bit added to the key, this length doubles (9 bits=256 tries). By the time the key length is at 112 bits, the exhaustive search time has increased so exponentially that it will now take a cryptanalyst 72 quadrillion attempts, which doesn’t seem very realistic. What I found most interesting about this section, though, is that in the 70’s a key that was 56 bits long was considered “strong”, IE prohibitively time-consuming to crack. Today, a a key of that length can be cracked very easily. NIST currently recommends that keys be at least 112 bits to be considered strong, and they predict that by the 2030s keys will need to be up to 128 bits long. All in all, I just found it very intriguing that a key that may have been impossible to decrypt not too long ago can now be done so with much less effort.
I found the use of virtual private networks (VPN) as a cryptographic system to secure communication over untrusted networks very interesting from the chapter 3 reading. We learned that VPN’s are better option than wide area networks since they are cheaper to operate and provide greater security. The chapter touches on three specific kinds of VPN’s including:
– Host-to-host: Connects a single client over an untrusted network to a single server;
– Remote access: Connects a single remote PC over an untrusted network to a site. Remote access VPN’s can provide remote employees secure access to their internal corporate networks as well as authentication into a VPN gateway in order to access other resources on the site; and
Site-to-site: Protect all traffic flowing over an untrusted network between a pair of sites. Site-to-site VPN’s are useful when securing traffic between two corporate sites or a corporate site and a customer site.