6.0 Cryptography

6.2 Given a scenario, use appropriate cryptographic methods.

Encryption is the process of translating data into code, making it unreadable to anyone who is not an intended recipient. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text, while encrypted data is referred to as cipher text. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

  • WEP vs. WPA/WPA2 and preshared key

    Wired Equivalent Privacy (WEP) encryption is an outdated technology that was used to protect wireless networks. WEP is based on encrypting data transmitted between two wireless devices. It has become a somewhat insecure technology and should only be used in cases where it is the only technology supported.

    Wi-Fi Protected Access (WPA) is an improved standard of encryption for wireless protection, which eliminates some of the weaknesses associated with WEP and was designed to be the replacement for WEP. Most WEP devices can be upgraded to WPA. It is available in two versions, WPA-Enterprise for large networks, and WPA-Personal for small business and home networks. WPA typically uses the TKIP encryption protocol with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet.

    WPA2 is an updated version of WPA. Like WPA, WPA2 is available in both Enterprise and Personal versions. WPA2 uses the Advanced Encryption Standard (AES) rather than the TKIP protocol used by WPA and, when supported, is recommended as a stronger, more secure form of wireless protection.

  • MD5

    MD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity. MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as a 32-character hexadecimal number.

  • SHA

    SHA is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS).


  • RIPEMD

    RIPEMD is a family of cryptographic hash functions based upon the design principles used in MD4, and is similar in performance to the more popular SHA-1.

  • AES

    AES is a specification for the encryption of electronic data that supersedes the Data Encryption Standard or DES. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES currently supports 128, 192 and 256-bit keys and encryption blocks.

  • DES

    DES is a previously predominant algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. DES is now considered to be insecure for many applications.

  • 3DES

    3DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

  • HMAC

    HMAC is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message.
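
    The difference between an unkeyed hash and an HMAC, as an added example that is not part of the original study guide. It assumes HMAC-SHA256 from Python's standard library; the key and messages are constructed sample values.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key shared by sender and receiver


def sign(key: bytes, message: bytes) -> bytes:
    """Return the HMAC-SHA256 tag of message under key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(sign(key, message), tag)


def bare_hash_ok(message: bytes, digest: bytes) -> bool:
    """Unkeyed check, for comparison: anyone can recompute this digest."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def demo() -> dict:
    original = b"pay 100 to account 12345"  # constructed message
    altered = b"pay 900 to account 12345"   # same message changed in transit
    tag = sign(KEY, original)
    # Whoever alters the message can recompute an unkeyed digest for it ...
    recomputed_digest = hashlib.sha256(altered).digest()
    # ... but without KEY cannot produce a tag the receiver will accept.
    tag_from_wrong_key = sign(b"not-the-shared-key", altered)
    return {
        "genuine_accepted": verify(KEY, original, tag),
        "altered_with_old_tag": verify(KEY, altered, tag),
        "altered_with_wrong_key_tag": verify(KEY, altered, tag_from_wrong_key),
        "bare_hash_accepts_altered": bare_hash_ok(altered, recomputed_digest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The unkeyed digest detects accidental corruption only; the keyed tag is what ties the message to a holder of the shared key.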

  • RSA

    RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978. A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.

  • RC4

    RC4 is a stream cipher. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.

  • One-time-pads

    The one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. However, practical problems have prevented one-time pads from being widely used.
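
    The pad requirements listed above, as an added example that is not part of the original study guide. The `OneTimePad` class and `reuse_leak` function are hypothetical helpers, XOR stands in for modular addition (it is addition modulo 2 on each bit), and the messages are constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length byte strings bit by bit (addition modulo 2)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Hypothetical helper: hands out every pad byte exactly once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0

    def take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted: key must be as long as the data")
        chunk = self._pad[self._used:self._used + n]
        self._used += n  # consumed bytes are never handed out again
        return chunk

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt: the same XOR operation in both directions."""
        return xor_bytes(data, self.take(len(data)))


def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Show what two ciphertexts reveal when one pad is used twice."""
    key = secrets.token_bytes(len(p1))
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    return xor_bytes(c1, c2)  # the key cancels out, leaving p1 XOR p2


if __name__ == "__main__":
    material = secrets.token_bytes(32)  # pre-shared, truly random pad
    sender, receiver = OneTimePad(material), OneTimePad(material)
    ciphertext = sender.apply(b"meet at noon")  # constructed message
    print(receiver.apply(ciphertext))
    p1, p2 = b"first message", b"other message"  # constructed messages
    print(reuse_leak(p1, p2) == xor_bytes(p1, p2))
```

    The result of `reuse_leak` does not depend on the key at all, which is why a pad must never be reused in whole or in part.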

  • NTLM

    NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product, and attempts to provide backwards compatibility with LANMAN. NTLM version two (NTLMv2), which was introduced in Windows NT 4.0 SP4, enhances NTLM security by hardening the protocol against many spoofing attacks, and adding the ability for a server to authenticate to the client. Microsoft no longer recommends NTLM in applications.

  • NTLMv2

    NTLM version 2 was introduced in Windows NT 4.0 SP4 to enhance NTLM security by hardening the protocol against many spoofing attacks, and adding the ability for a server to authenticate to the client.

  • Blowfish

    Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention.


  • PGP/GPG

    PGP is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications.

    GPG, also known as GNU Privacy Guard, is a hybrid-encryption software program because it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.

  • TwoFish

    Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

  • DHE

    DHE (Diffie–Hellman key exchange) is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DHE is one of the earliest practical examples of public key exchange implemented within the field of cryptography.


  • ECDHE

    ECDHE is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key which can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie–Hellman protocol using elliptic curve cryptography.
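
    The key agreement described in the two entries above, as an added example that is not part of the original study guide. It uses finite-field Diffie–Hellman rather than elliptic curves, and the group parameters `P` and `G` are toy values assumed for readability, far too small for real use.

```python
import hashlib
import secrets

# Toy parameters (assumption of this example): P is the Mersenne prime 2**127 - 1.
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    """Generate a fresh private value and the public value sent to the peer."""
    private = secrets.randbelow(P - 3) + 2  # uniform in [2, P - 2]
    return private, pow(G, private, P)


def shared_key(own_private: int, peer_public: int) -> bytes:
    """Derive a 32-byte symmetric key from the Diffie-Hellman shared secret."""
    # Reject degenerate public values (0, 1, P - 1) that force a known secret.
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, P)
    # The raw secret is hashed to derive the key used by the symmetric cipher.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def run_session() -> tuple[bytes, bytes]:
    """One exchange: only the two public values cross the public channel."""
    a_private, a_public = keypair()
    b_private, b_public = keypair()
    key_at_a = shared_key(a_private, b_public)
    key_at_b = shared_key(b_private, a_public)
    return key_at_a, key_at_b


if __name__ == "__main__":
    key_a, key_b = run_session()
    print("both sides derived the same key:", key_a == key_b)
    # Fresh key pairs per session give an unrelated key each time.
    print("next session differs:", run_session()[0] != key_a)
```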

  • CHAP

    CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients.

  • PAP

    PAP is an authentication protocol that uses a password. PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. Almost all network operating system remote servers support PAP. PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.

  • Comparative strengths and performance of algorithms

  • Use of algorithms with transport encryption

    • SSL

      SSL is a cryptographic protocol that provides communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

    • TLS

      TLS is a cryptographic protocol that provides communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

    • IPSec

      IPSec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

    • SSH

      Secure Shell (SSH) is a cryptographic remote login protocol for secure data communication over an unsecured network. Designed as a replacement for telnet and rlogin, which send information in plaintext, SSH provides strong host-to-host and user authentication as well as secure encrypted communications to provide confidentiality and integrity of data.

      • Two major versions of the SSH protocol are in widespread use, SSH-1 and SSH-2. SSH-2 is more secure, and includes SFTP, which is similar to FTP, but is SSH-2 encrypted.
      • SSH client and server programs can use a number of encryption methods.
      • SSH supports data stream compression between the client and the server.

    • HTTPS

      Hypertext Transfer Protocol Secure (HTTPS) is a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS is a lower level Application Layer protocol that typically uses TCP port 443 by default.

  • Cipher suites

    • Strong vs. weak ciphers

  • Key stretching

    • PBKDF2
    • Bcrypt