CCT 108: CISSP Cryptography Crash Course - Essential Algorithms and Concepts (Domain 3.5)

Jan 22, 2024

Unlock the latest CISSP exam insights and elevate your grasp on the cryptographic landscape with your host, Sean Gerber. Wichita's thawing frost mirrors the CISSP exam's refreshing changes, and we've got the scoop you need to stay on track. Sean relays Rob Witcher's breakdown of the domain weight adjustments and the new focal points in risk management and security architecture. With an eye towards the updated exam format, we assure you that these shifts are no cause for alarm but rather an opportunity to fine-tune your study strategy.

Wander with us through the enigmatic realm of cryptography as we clarify its integral role in securing digital communications. Our conversation illuminates the complexities of encryption algorithms, the pivotal distinction between symmetric and asymmetric key cryptography, and the non-negotiable imperative of protecting private keys. We draw relatable analogies to make these intricate concepts resonate, ensuring you're well-equipped to manage the cryptographic challenges you'll face in cyberspace.

Celebrating the transformative journey towards CISSP certification, we spotlight CISSP Cyber Training's contributions to your arsenal of security knowledge. As you gear up for the CISSP exam, remember it's not just about earning a credential—it's about fortifying a knowledge base for a thriving career in cybersecurity. With future episodes on the horizon, check out CISSPCybertraining.com to reinforce your expertise and stay ahead of the curve in this dynamic field.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started, let's go, let's go.

Good morning, this is Sean Gerber with CISSP Cyber Training, and I hope you all are having an awesome day today. Today is a great day. We actually passed the Arctic blast that hit my small little area of the world in Wichita, Kansas, and so it's now starting to warm up and everything is starting to slowly thaw. So thank goodness for that, because all I can tell you is it was cold. It was, yeah, bone-chilling cold. All I can say is I used to live up in South Dakota and North Dakota and that was colder, but it was actually very, very chilly, with negative 30 below wind chill factors. So it is an awesome thing that now we are finally coming out of that, and we'll see. We've got a couple more months to go before spring starts to show up, so hopefully we don't have any more of these nice chilly days coming ahead. But you guys aren't here, obviously, to talk about weather, and therefore we want to move into something that is much more pressing to what you want to know about, and that is the CISSP, right?

Well, before we get started, we want to talk about a couple of areas, or just one specific one, as it relates to the changes that are coming in the CISSP exam. This information is coming from Rob Witcher, who has Destination Certification, his company, and they teach CISSP exams and so forth to various individuals. A nice part about being in the CISSP world, and what I have learned, is that when it comes to learning the CISSP, people learn differently from other people, and so I'd highly recommend that you go check them out; they might be able to help you.

Or if you want to come to CISSP Cyber Training, I'm willing to help you. It doesn't really matter; we're all here to help you pass the CISSP exam. But Rob had a couple of good points that he brought up as it relates to some of the changes that are occurring when it comes to the exam and the April 15th deadline. That's actually when they're going to switch over the exams. It's really not a lot of very substantial, substantive (that's a big $10 word) changes. These changes are going to be relatively small, and so these are just a few of the areas that I'm going to kind of go over, and then from there, if you have any other questions, please feel free to reach out to me anytime.

As it relates to the test, when they're talking about making some adjustments, the domain weights have slightly been adjusted: domain one, that's your security and risk management, is increasing from 15 to 16, and domain eight is decreasing from basically 11 to 10. So they're feeling that there's more content that needs to be added to those domains, and therefore they made a small tweak to it. There has been a little bit of new material, while other topics have been updated and moved between the various domains, and we'll have some of that. All of that will be put on CISSP Cyber Training once it occurs. But these are just some subtle changes. So if you're studying right now and you go, well, you know what, what am I going to do, do I have to restudy everything? No, you don't, not at all. This is a very small change, and if you stick with what you currently have, you stick with the CISSP blueprint, you'll be in a great position to pass the exam. I do not anticipate this is going to be something that would derail any of your studying efforts at all.

It's just that they're making some small modifications to the content, and it's the one nice thing about the CISSP: if you work on it and you study it, the content itself, for the most part (I've seen a few deletions in the past), they keep adding content to it and maybe just tweaking it slightly. So the information you get isn't typically wrong; it's just maybe a little bit changed. Now, the computer-based exam will be three hours with between 100 and 150 questions, so it's just a small, subtle change from what it had before.

Okay, so here are some of the changes. The main domains that have been affected in this April 15 change are domains one, three, five, seven and eight. So domain one, which is your security risk management domain, they've made some changes around FAIR, that's your risk management piece, around FAIR and around TARA. They've also increased emphasis on business continuity, resiliency and the external dependencies that are tied to it, which you hear on those podcasts quite a bit; we get into that. They're also going to focus on evaluating, applying and sustaining security governance principles, and then, along with that, some information around cybersecurity insurance policies. All of those are obviously relevant in today's day and age. Then they brought in this, and this is actually new, I hadn't heard of this before, but it's KISS, it's keep it simple and small. This is in domain three, security architecture and engineering, and I do agree with that completely: the smaller the footprint, obviously, the better. They added trust but verify to zero trust. And then they also had some more information added around OT security. Domain five, identity and access management: they expanded the coverage of access control methods such as ABAC and PBAC, and then there's new material on authentication methods for identity proofing.

Obviously, service account management is another factor that they brought in, which I deal with routinely, and that's in domain five. Domain seven, security operations: they've enhanced the focus on security orchestration, automation and response, that's the SOAR concepts. And then they've enhanced the focus on communication with stakeholders and regulators. Last one, domain eight, is around software development security. They've added the Scaled Agile Framework, which is actually kind of new to me; I've never heard of the Scaled Agile Framework before. And then there's application security, such as SAST, DAST and IAST; there's more content around application security in those domains. And then, finally, there's information related to managed services for various enterprises.

So, as you can see, they made some changes. We've talked about all of this on CISSP Cyber Training, pretty much. I shouldn't say all of it; I didn't talk about the Scaled Agile Framework, but we've talked about pretty much everything else in here. And so what I anticipate is these are just going to be some subtle changes to the overall content that we have, and I'll be making some changes to that content as we see fit. There'll probably be a podcast coming out around how that may change my overall training program on CISSP Cyber Training, and then you'll have all of that as well. But again, if you've already started the process of studying, I would not be worried that if you don't get these updates, you're going to fail the exam. I do not feel that that's going to be the case at all, and we'll get you those updates as soon as I have them.

All right, so let's roll into this lesson. Today we're going to go over 3.5.4.
This is cryptographic systems, and we're going to get into some of the basics that you're going to have to understand and deal with when it comes to studying for the CISSP exam, and then also as a security professional, what you may be talking about with others in your organization. Okay, so we're going to be focusing on cryptographic systems, their functions, vulnerabilities and secure implementation, and how you would do that around the various security architectures that you'd put in place. So we're just going to go over the basics around this. How each of these is deployed within your environment really is a one-off type of situation you're going to have to walk through, but you need to understand the basics to determine whether or not you want to deploy certain types of capabilities, encryptions and so forth. And you'll see, as we get into some of the various algorithms that are being used, what some of the benefits are and some of the cons, basically, of putting them in place.

All right, so let's get into what is cryptograph, cryptography? I keep saying that wrong. I always goof that up, but it's the science of secure communication using encryption and decryption. You hear a lot about this in the news, of having encryption capabilities in various products, and you feel that you have to have a good understanding of it, and it seems like voodoo magic for this to work. But realistically, it is a very basic principle; to make it happen in today's world, though, it can be very complex, and so that's the part where it gets really confusing for individuals.

But you're basically taking a piece of content and you are creating either a secure communication path, you know, a tunnel between point A and point B, or you end up putting a cipher, some level of encryption, on a document, a piece of content, and then that is protecting it so somebody else can't gain access to it. That's the encryption part, and then decrypting it obviously is just reversing that whole process so that you have access to it. This has been going on since the beginning of time, when people have communications that they want to have with others and they don't want individuals to read them, and this can be done in multiple different ways. You name it, but some of the ones you'll see in movies are the invisible inks. There are lots of different ways that this can occur, and it's an art on how this is done in a way that's safe and secure for the overall process.

Now the main thing is, if you want to send a secure message to somebody, we'll say Alice as an example, and she wants to send it to Bob, and she wants to send it through an untrusted environment, obviously the internet, this is where you add the cryptography that will ensure that Bob can read it even if somebody intercepts it. And as you're dealing with this in the security space, especially when you're talking data loss prevention, you want to ensure that you have some level of security built in. Now it can be as simple as you encrypt it and you give it to Bob, or it could even get more complex, where it's encrypted and only Bob can open it on this email address, at this location and at this time, and then Bob can have access to it. But if it's not Bob, if it's not that time and if it's not that location, no one can gain access to it. So that is part of where cryptography is at today, and it's only going to enhance and get better as time goes on.

Now, as we get into algorithms that work with cryptography, these algorithms are mathematical formulas that are used specifically for the encryption and decryption of this overall data. So if you're going to have the tunnels, you're going to have the data; it's going to have to be encrypted and decrypted. Well, the algorithms are the formulas that create this. Now, again, I'm giving you a very basic understanding of this. If you really like cryptography, I would recommend you go check out a guy by the name of Bruce Schneier. He is big into crypto, he's very good at it, and he's been doing it for gobs of years, extremely good at it. So check out Bruce Schneier if you really want to understand more about cryptography. Now you've got to think about each of these as a recipe, and that you're basically going and scrambling and unscrambling these various messages with these recipes themselves.

Now there are the popular ones that are out there. You have symmetric key cryptography and you have asymmetric key cryptography. Those are the key ones that you'll hear a lot about on the CISSP and when you're working in the overall security space. Now, symmetric key cryptography uses a single shared key for both encryption and decryption. So an example would be if you had a padlock that both Alice and Bob have; that would be a shared encryption and decryption capability. So they both know it. Asymmetric key cryptography uses separate public and private keys. So now this is where it gets a little complicated, because I would always get confused. I'm going, what is this? And I still, honestly, I'll start going through this again and I go, wait a minute, how did that work again? But no, when you're dealing with asymmetric key cryptography, you have separate public and private keys. So how this works is Alice would encrypt with Bob's public key, and Bob's public key is available to everybody; everybody can see it.

But Alice will encrypt with Bob's public key, and only Bob can decrypt with his private key. So each person will have a private key, but he's the only one that can decrypt it because he has his private key. If he loses that private key, if it goes away, you know, if somebody else gets it, well, now they can decrypt all of Bob's messages. So it's important that Bob maintains control of his private key. So as an example of this, and this is something that you can consider just as an outside, real-life example: think of a mailbox, and this mailbox has a public slot for anyone to put letters in. Well, only Bob has the key to open that. So anyone can put stuff in it, but only Bob is able to be the one that can actually open it. A mailbox with a public slot and a keyhole represents asymmetric key cryptography. So just think of it that way; kind of break it down into something you can understand a little bit better.

I will tell you that this is probably one of the areas that a lot of my students talk to me about. They get a little confused, because it can be a little bit overwhelming. But when you deal with symmetric and asymmetric, remember: symmetric, they have a single shared key. Asymmetric, you have a shared public key, but you have the private keys. So you hear the term cryptographic systems. Now, what these are is they combine algorithms, protocols and the key management procedures to protect the specific information. Now we're going to talk about key management, and that's a big factor: how do you maintain and manage these keys, especially when you get into the cloud world? When we had all on-prem servers, for key management you had a key management server that was sitting within your data center, and it was relatively easy to, I say easy, but it was easier to maintain that.

Now that you have cloud systems that are dispersed all over the place, it's very important that you have a good, strong key management system that you can use to store all of your various keys. Now the clouds, I know I've dealt with AWS; their key management system works very well. You just have to make sure you architect it to include how you're going to incorporate key management into your overall infrastructure.

Hashing algorithms: these generate a unique fixed-length fingerprint of data. So you have SHA-256, you have MD5 as examples. Now what this really comes down to is, let's say you send an email to Bill. You are going to send it to Bill. You send this email, you then hash it with an MD5 hash, it then creates this fingerprint of it, and, based on the context and the content within your email, it creates this hash. You then send it to Bill. Bill then compares. Now, Bill doesn't do this; it all does this automatically. It compares the MD5 hashes. Well, if the MD5 hashes are the same, then it's good; the email has not been tampered with. However, if someone had added one character to that email, the MD5 hashes would not be equal, they would not be the same. So therefore it would show that someone had actually tampered with that email. So this is the importance of the hashing algorithms: they create a fingerprint to ensure that there's data integrity of this overall email system that's going out. So just kind of think of it that way.

Now, digital signatures: these provide authentication and non-repudiation using asymmetric keys. So remember, as we talked about with asymmetric keys before, you have public and private keys. So Bob would digitally sign this message with his private key. Okay, so it's the same thing as with encryption, but now he's signing this with his private key, proving that he sent it and then preventing him from potentially later denying he did it.
Now you'll see this a lot; the government has been doing this for many years, adding digital signatures. Corporations will do this as well, but it does add overhead. But a digital signature is a good way to prove that, yes, Bill's computer account did send that. Now, typically what will happen is that digital signature will be set to what they call a CAC card, or a common access card, and, like the credit card that you use, it has a chip in it, and that chip has your digital signature associated with it. So you have that second form of identity. You shove it into the CAC reader, into that reader, it then signs your document for you, and it's sent off. It works really well to help ensure that you have non-repudiation as it relates to the overall email that was sent out. So it's just like signing a signature with your hand, but it's using a piece of equipment, a CAC card, to do that for you.

Okay, so symmetric key algorithms: this is a shared key for both encryption and decryption. So let's get into some of the various algorithms that are out there and available. One is AES, and this is called Advanced Encryption Standard. Now, it's considered the gold standard for symmetric encryption, and it does offer really strong security and very good performance. So this is one you'll see a lot of. As you're out in your environment, you'll see AES is the primary one. I don't see a lot of the other ones that we go through; every once in a while I see them, but I don't typically see these various algorithms. But AES is considered the gold standard. Now, it's commonly used in various applications, to include file encryption, secure communication protocols and disk encryption. It was adopted in 2001, so it's going on 23 years old, 24 years old, not 23, 23 years old, and it does support 128, 192 and 256-bit keys. I will say that 256 is what you see.

A lot of that 128 will pop up when you're dealing with older types of equipment that maybe have been around for a little while, but it does support 128, 192 and 256. I don't see a lot of 192 out there; it's either 128 or 256. It's widely used within Wi-Fi security, WPA2, VPNs, file encryption such as your 7-Zip, WinZip and so forth, and then overall disk encryption such as BitLocker and FileVault. You will deal a lot with BitLocker. I deal a lot with BitLocker, and it's a great tool that you can use for disk encryption in your Windows environment. So that's AES. Again, common, gold standard, used highly within the overall ecosystem of the encryption world.

The next one is DES. This is Data Encryption Standard. Now, I'm an old guy, and so I remember when DES was out, but it is not one that is highly used at this point in time. It's an older algorithm that really is now considered pretty much insecure due to its small key size, and it is still relevant for understanding it. But when it comes right down to it, and it is used in some cases, I have seen it, but for the most part it's not something that you'd want to enable. The problem also with enabling DES, and I will just be blunt: if I put DES in, so if I enable it on a system, because it's only using a 56-bit key size, if I use that as part of my encryption strategy, now what ends up happening is, as time goes on, that becomes less and less secure, obviously. But I have to figure out how do I incorporate it with my overall strategy of encryption, and, to be blunt, it's better off just keeping it off. It adds more overhead than the value it would provide to ensure that your encryption is in place. It was developed in the 70s, and it is considered insecure because it is only 56-bit.

The next one is Triple DES. Okay, you'll see 3DES. And this is DES, data, or it's dang, delta echo Sierra. I can't even remember my stinking phonetic alphabet. Yeah, it's delta echo Sierra. So you get DES as Data Encryption Standard, and then you have Triple DES, which is Triple Data Encryption Standard. That's 3DES; you'll see three, delta echo Sierra. Now, this is an extension of DES that applies it three times, basically, to increase the security. However, this has been phased out due to AES's importance growing within the encryption environment. Now, it does just apply it, more or less, three times to help increase it. But yeah, honestly, I've never seen Triple DES being used, but I'm sure it's out there. Obviously, they wouldn't have you learn it on the CISSP if it wasn't out there.

The next one is Blowfish. Now, this is a fast and flexible algorithm with really good security, but it's less widely used than AES. It was created in '93, and it's known for its speed and flexibility. It is not as widely adopted as AES, but supposedly it's used within password managers and file encryption tools. I have not personally seen much of its use, but that's a great concept, because it could very well be used in those situations. I did not know that.

When you're dealing with Riverfest, this is RC4, Rivest Cipher 4, not Riverfest. We have a Riverfest here in Wichita, so hence that's why I glommed onto that. Rivest Cipher 4. Now, this is a stream cipher, once popular for wireless encryption, but it is considered vulnerable and generally not recommended. I have seen this, and it was tied popularly with wireless encryption such as WEP. WEP obviously has been phased out back in the early 2000s. It was pretty vulnerable, and that's when the WPA version came in for maintaining the wireless communications. Again, lots of vulnerabilities with it; it is not used, not recommended. However, since it's something that you may see in the world and in the environment, you need to understand that.

So, in the event you're a security professional and you see RC4 being used within your wireless environment, then you may want to discontinue it and shut it down and figure out how to do that in a different way. What I've done in the past, and this is something to consider from an architecture point of view: if you have a situation where wireless is being used and you don't have a good protocol to ensure wireless communications are encrypted, you then would want to create some level of an IPsec tunnel that would go between point A and point B. So if you had a wireless communication, and maybe it's point to point, and you have, say, for example, WEP as your only option that's built into the overall products of your wireless access point, you would want to turn that off and then potentially put in place an IPsec tunnel that would go from point A to point B. That IPsec tunnel would provide you much more security than leaving WEP on, because WEP would give you one of those situations where you'd have a false sense of security, thinking, well, hey, I've got wireless encryption on, I'm good to go, and you actually would be in a much worse position than if you just created an IPsec tunnel between the two. The downside with all that is, if that tunnel breaks, if it goes down, it now requires a much more hands-on approach to ensure that you turn it back up. That is why you would want to go in and replace that hardware, that wireless access point, and put in new, updated equipment to ensure that it's best protected. So that's the tradeoff you have. So you're going to roll into a situation, I guarantee you, where you'll have outdated equipment. You won't have a budget to fix it. They're going to want you to fix it, and therefore you're going to have to come up with ideas on how to do that. IPsec tunnels are a great option. They will work.
But it's a lot of hands-on manual overhead, and in reality the cost of a wireless access point, a commercial-grade one, isn't that expensive, because the opportunity cost that you would spend just trying to upgrade these systems, or just trying to maintain that IPsec tunnel, you'll more than overcome that with putting in new equipment. So again, that's a little bit of a rabbit hole, but I just wanted to express to you that that's an example of how you will end up running into these older types of equipment, and you're going to have to make a judgment call. They may come back and say you don't have a budget to make a judgment call, so you're going to have to make it work. Then just know that you're going to end up having more of a manual process in place.

Okay, the next one is asymmetric key algorithms, right? So we talked about this. This is where they have the public key that's shared, but then they have their own individual private keys. Okay, so the first one is Rivest, Shamir, Adleman, RSA. Okay, I can't say these; you can tell these are all really smart guys with names not like Smith. I wish they did have names like Smith, it'd be a whole lot easier. But Riverfest, Riverfest, Rivest, Shamir and Adleman, RSA. Okay, this is a widely used algorithm for key exchange, digital signatures and encryption, and it's based on the difficulty of factoring very large prime numbers. It's used widely for key exchange, digital signatures and encryption, obviously, and it's the foundation for HTTPS and email security, which is your S/MIME and your overall digital signatures. So RSA has been around for a long time, and it's kind of the backbone when you're dealing with this type of level of encryption.

ECC is elliptic curve cryptography. Now, I started seeing a lot more of this in IoT-type environments as well, because it has a small key size. Now, it's a newer algorithm, offers similar security to RSA, but with smaller key sizes, making it much more efficient for mobile devices, IoT devices. They typically don't have a lot of computing power. I mean, they do in comparison to what I experienced back in the 80s and 90s, but overall they don't have a lot of computing power, and so therefore the smaller key size is very important and is helpful. So they're gaining popularity in mobile and IoT just because of those efficiencies, and I guess they're using it in Bitcoin and other cryptocurrencies as well, and that would make sense, because if you've got a miner, which I did, then as it's going through and it's chugging away at that Bitcoin, it would be good to have something faster.

Diffie-Hellman. Now, this is a key exchange protocol for securely establishing a shared secret over an insecure channel. It's often used in conjunction with other algorithms for secure communications. It's a key exchange protocol, and it's not specifically used for encryption itself. It's designed specifically to establish shared keys for symmetric encryption. It's the foundation of secure communication protocols such as TLS and SSH.

The next one is ElGamal. This is an asymmetric algorithm used for encryption and digital signatures. It's obviously less common than RSA, because I've only heard of it a few times. It's not nearly as prevalent as RSA, and it is used in some digital signature schemas.

Now we talked a little bit briefly at the beginning about hashing algorithms. So there are two primary ones that are used. There's SHA-2 and then there's MD5. Now, SHA-2 is Secure Hash Algorithm 2, and it's a family of algorithms which includes SHA-256 and SHA-512. Again, they're used for integrity verification, digital signatures and password storage. The family is considered the most secure, and when it comes to integrity verification, that is the primary use of them. They do integrity checks for software downloads, and, obviously, in the blockchain world, SHA-2 is a commonly used hashing algorithm. MD5 is an older hash algorithm that is no longer considered secure due to collision vulnerabilities, which basically means you run into situations where the MD5 hashes can be similar and it will have a collision. It's relevant for understanding overall cryptography and its aspects, but because of those vulnerabilities, those collision vulnerabilities, it is something that they don't recommend using. Now, will you see it? Yes, you will probably see it within your environment.

Okay, that's all we've got for you today, but this was over domain 3.5.4. This is cryptography. The main thing was to cover some of the algorithms and the overall process. Again, just kind of a quick review: we talked about symmetric and asymmetric cryptography. Again, symmetric deals with the single shared key; asymmetric cryptography deals with the separate public and private keys. We talked about the different hashing algorithms, obviously the SHA-2 versions, SHA-256, and then MD5. And then we talked about the various key algorithms: AES, DES, Triple DES, Blowfish and RC4, Riverfest, no, Rivest 4. And then, from an asymmetric key algorithm standpoint, we talked about RSA, ECC, Diffie-Hellman and ElGamal.

Okay, I hope you guys have a wonderful day. Go over to CISSP Cyber Training. Catch what we've got. We've got a lot of great content. Again, we'll have all the updates to the new CISSP exam that will be coming out. We'll have all of that available for you. It is going to be awesome, I guarantee you. We're here to help. Helped another couple of people yesterday pass the CISSP the first time. Awesome. I cannot express how much that is so cool.

I got into this whole thing just to help people pass the CISSP, and I love the feedback that I'm getting when individuals pass the exam, and then the other feedback I get, which is really awesome as well, is that they feel confident that they're not just passing the exam and moving on. They feel much more strongly, knowledge, I'm using really bad words, better knowledge around security and understanding security, and that's a big factor of why CISSP Cyber Training is here. It's to help you have a better understanding of cyber and to be able to take that into the future and into your career. Again, go check out CISSPCyberTraining.com, and we're here to help you. We'll catch you on the flip side. See ya.
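The building blocks the episode walks through (a hash as a tamper-evident fingerprint, encrypting with Bob's public key so only his private key can decrypt, signing with the private key so anyone can verify with the public one, and Diffie-Hellman producing the same shared secret on both sides of an untrusted channel) are shown below in one self-contained Python script. This is an added worked example, not code from the podcast or from CISSP Cyber Training. It uses only the standard library, textbook RSA with the tiny teaching primes 61 and 53 (so the modulus is 3233) and the classic toy Diffie-Hellman group p = 23, g = 5; the message bytes are constructed for the demo. Those parameters and the absence of padding make it a teaching aid only: real deployments use 2048-bit or larger RSA moduli, OAEP and PSS padding, and ECDH, and they never reduce a full hash modulo a tiny number as done here.

```python
"""Added example: hashing, textbook RSA and Diffie-Hellman with stdlib only.

RSA/DH parameters are deliberately tiny teaching values (not secure).
"""
import hashlib
import hmac
from dataclasses import dataclass


# --- Hashing: a fixed-length fingerprint used to detect tampering -----------

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: 64 hex characters regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(received: bytes, expected_fingerprint: str) -> bool:
    """Recompute the fingerprint of what arrived and compare in constant time."""
    return hmac.compare_digest(fingerprint(received), expected_fingerprint)


# --- Asymmetric: textbook RSA (no padding; teaching values only) -----------

@dataclass(frozen=True)
class RSAKeyPair:
    n: int   # public modulus
    e: int   # public exponent
    d: int   # private exponent; must never leave the owner's control


def toy_rsa_keygen(p: int, q: int, e: int = 17) -> RSAKeyPair:
    """Derive a key pair from two primes; security rests on n being hard to factor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return RSAKeyPair(n, e, d)


def rsa_encrypt(n: int, e: int, m: int) -> int:
    """Anyone holding the public key (n, e) can encrypt an integer m < n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(key: RSAKeyPair, c: int) -> int:
    """Only the holder of the private exponent d recovers the plaintext."""
    return pow(c, key.d, key.n)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message, then reduce it so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(key: RSAKeyPair, message: bytes) -> int:
    """Sign with the private key: only its holder can produce this value."""
    return pow(_digest_mod_n(message, key.n), key.d, key.n)


def rsa_verify(n: int, e: int, message: bytes, signature: int) -> bool:
    """Verify with the public key: recovers the digest the signer committed to."""
    return pow(signature, e, n) == _digest_mod_n(message, n)


# --- Diffie-Hellman: agree on a shared secret over an untrusted channel ---

def dh_public(p: int, g: int, private: int) -> int:
    """The value that is safe to send in the clear."""
    return pow(g, private, p)


def dh_shared_secret(p: int, peer_public: int, private: int) -> int:
    """Each side combines the peer's public value with its own private one."""
    return pow(peer_public, private, p)


def demo() -> dict:
    """Run the whole Alice/Bob story and return the results as a dict."""
    original = b"Meet at the data center at 09:00"   # constructed sample message
    tampered = original + b"."                        # one extra character
    tag = fingerprint(original)

    bob = toy_rsa_keygen(61, 53)                      # n = 3233, d = 2753
    ciphertext = rsa_encrypt(bob.n, bob.e, 65)        # Alice uses Bob's public key
    recovered = rsa_decrypt(bob, ciphertext)          # only Bob's private key works

    signature = rsa_sign(bob, original)               # Bob signs with his private key

    alice_pub = dh_public(23, 5, 6)                   # Alice's private value is 6
    bob_pub = dh_public(23, 5, 15)                    # Bob's private value is 15

    return {
        "fingerprint_len": len(tag),
        "original_ok": integrity_ok(original, tag),
        "tampered_ok": integrity_ok(tampered, tag),
        "ciphertext": ciphertext,
        "recovered": recovered,
        "signature_valid": rsa_verify(bob.n, bob.e, original, signature),
        "forged_signature_valid": rsa_verify(bob.n, bob.e, original, (signature + 1) % bob.n),
        "alice_pub": alice_pub,
        "bob_pub": bob_pub,
        "alice_secret": dh_shared_secret(23, bob_pub, 6),
        "bob_secret": dh_shared_secret(23, alice_pub, 15),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the points from the episode in numbers: the tampered message fails the integrity check, 65 encrypts to 2790 under Bob's public key and decrypts back to 65 only with his private exponent, a signature altered by one fails verification, and Alice and Bob both arrive at the shared secret 2 from public values 8 and 19 without that secret ever crossing the channel. The forged-signature check works because RSA is a permutation on the integers modulo n, so no other value can verify against the same digest.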

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!