CISSP Study Booklet on Cryptography

This simple study booklet is based directly on the ISC2 CBK document.

This guide does not replace in any way the outstanding value of the CISSP Seminar, nor the fact that you must have been involved in the security field for at least a few years if you intend to take the CISSP exam. This booklet simply intends to make your life easier and to provide you with a centralized resource for this particular domain of expertise.

This guide was created by Clement Dupuis on 5th April 1999

 

WARNING:

As with any security-related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send me comments or input to be added to this document. Any comments, typo corrections, etc. are most welcome and can be sent directly to: cdupuis@uniconseil.com

 

DISTRIBUTION AGREEMENT:

This document may be freely read, stored, reproduced, disseminated, translated or quoted by any means and on any medium provided the following conditions are met:

·         Every reader or user of this document acknowledges that he is aware that no guarantee is given regarding its contents, on any account, and specifically concerning veracity, accuracy and fitness for any purpose. Do not blame me if some of the exam questions are not covered or the correct answer is different from the content of this document. Remember: look for the most correct answer; this document is based on the seminar content, standards, books, and where and when possible the source of information will be mentioned.

·         No modification is made other than cosmetic, change of representation format, translation, correction of obvious syntactic errors.

·         Comments and other additions may be inserted, provided they clearly appear as such. Comments and additions must be dated and their author(s) identifiable. Please forward your comments for insertion into the original document.

·         Redistributing this document to a third party requires simultaneous redistribution of this licence, without modification, and in particular without any further condition or restriction, expressed or implied, related or not to this redistribution. In particular, in case of inclusion in a database or collection, the owner or the manager of the database or the collection renounces any right related to this inclusion and concerning the possible uses of the document after extraction from the database or the collection, whether alone or in relation with other documents.

 

Cryptography

 

Description:

The Cryptography domain addresses the principles, means, and methods of securing information to ensure its integrity, confidentiality, and authenticity.

 

Expected Knowledge:

The professional should fully understand:

·         Basic concepts within cryptography.

·         Public and private key algorithms in terms of their applications and uses.

·         Cryptography algorithm construction, key distribution, key management, and methods of attack

·         Applications, constructions, and use of digital signatures

·         Principles of authenticity of electronic transactions and non-repudiation

 

The CISSP can meet the expectations defined above by understanding such Operations Security key areas of knowledge as:

·         Authentication

·         Certificate authority

·         Digital Signatures/Non-Repudiation

·         Encryption

·         Error Detecting/Correcting features

·         Hash Functions

·         Kerberos

·         Key Escrow

·         Message Digest

·         MD5

·         SHA

·         HMAC

·         One-Time cipher keys

·         Private Key Algorithms

·         Applications and Uses

·         Algorithm Methodology

·         Key Distribution and Management

·         Key Generation/Distribution

·         Key Recovery

·         Key Storage and Destruction

·         Key Strength

o        Complexity

o        Secrecy

o        Weak keys

·         Method of attack

·         Public key Algorithms

·         Application and uses

·         Algorithm Methodology

·         Key Distribution and Management

·         Key Storage and Destruction

·         Key Recovery

·         Key Strength

o        Complexity

o        Secrecy

o        Weak Keys

·         Methods of attack

·         Stream Cipher

 

Examples of Knowledgeability

Describe the ancient history of Cryptography

CISSP Seminar:

·         First appearance – Egypt, more than 4000 years ago

·         Scytale – Sparta – 400 BC

o        Paper wrapped around a rod

o        Text written on the paper

o        Paper removed – cipher text

·         Caesar Cipher – Julius Caesar – Rome – 49 BC

·         7th Century AD – Arabs

·         Cipher alphabets in magic – 855 AD

·         Leon Battista Alberti’s cipher disk – Italy – 1459 AD

·         Thomas Jefferson ciphering device – 1790 – stack of 26 disks

o        Each disk contained the alphabet around the face of its edge, in a different order

o        Positioning bar attached to align letters in a row

o        Message created by moving each disk to the proper letter

o        Bar rotated a fixed amount (the key)

o        Letters read around the new position (cipher text)

·         ROT 13 – many UNIX systems

o        Shifts letters 13 places

o        Not secure against frequency analysis

o        Encrypting twice yields the plain text

From Cryptography FAQ:

The story begins: When Julius Caesar sent messages to his trusted acquaintances, he didn't trust the messengers. So he replaced every A by a D, every B by an E, and so on through the alphabet. Only someone who knew the "shift by 3" rule could decipher his messages.

From CME’s Cryptography Timeline: (if you are really interested in knowing it all; otherwise skip ahead)


Date | C or G | Source | Info

about 1900 BC | Civ | Kahn p.71 | An Egyptian scribe used non-standard hieroglyphs in an inscription. Kahn lists this as the first documented example of written cryptography.

1500 BC | Civ | Kahn p.75 | A Mesopotamian tablet contains an enciphered formula for the making of glazes for pottery.

500-600 BC | Civ | Kahn p.77 | Hebrew scribes writing down the book of Jeremiah used a reversed-alphabet simple substitution cipher known as ATBASH. (Jeremiah started dictating to Baruch in 605 BC, but the chapters containing these bits of cipher are attributed to a source labeled "C" (believed not to be Baruch), which could be an editor writing after the Babylonian exile in 587 BC, someone contemporaneous with Baruch, or even Jeremiah himself.) ATBASH was one of a few Hebrew ciphers of the time.

487 BC | Govt | Kahn p.82 | The Greeks used a device called the "skytale": a staff around which a long, thin strip of leather was wrapped and written on. The leather was taken off and worn as a belt. Presumably, the recipient would have a matching staff and the encrypting staff would be left home.

[Note: an article in Cryptologia late in 1998 makes the case that the cryptographic use of the skytale may be a myth.]

50-60 BC | Govt | Kahn p.83 | Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communications. This cipher was less strong than ATBASH, by a small amount, but in a day when few people read in the first place, it was good enough. He also used transliteration of Latin into Greek letters and a number of other simple ciphers.

0-400? | Civ | Burton | The Kama Sutra of Vatsayana lists cryptography as the 44th and 45th of 64 arts (yogas) men and women should know and practice. The date of this work is unclear but is believed to be between the first and fourth centuries AD. [Another expert, John W. Spellman, will commit only to the range between the 4th century BC and the 5th century AD.] Vatsayana says that his Kama Sutra is a compilation of much earlier works, making the dating of the cryptography references even more uncertain.

Part I, Chapter III lists the 64 arts and opens with: "Man should study the Kama Sutra and the arts and sciences subordinate thereto [....] Even young maids should study this Kama Sutra, along with its arts and sciences, before marriage, and after it they should continue to do so with the consent of their husbands." These arts are clearly not the province of a government or even of academics, but rather are practices of laymen.

In this list of arts, the 44th and 45th read:

·         The art of understanding writing in cipher, and the writing of words in a peculiar way.

·         The art of speaking by changing the forms of words. It is of various kinds. Some speak by changing the beginning and end of words, others by adding unnecessary letters between every syllable of a word, and so on.

200's | Civ | Kahn p.91 | "The so-called Leiden papyrus [...] employs cipher to conceal the crucial portions of important [magic] recipes".

725-790? | Govt/(civ) | Kahn p.97 |

...