Cryptographic methods I.

PACE-IT, Security+ 6.2: Cryptographic Methods (part 1)



Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: Industry Certifications, PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required—with a focus on technology.


Cryptographic methods I.

– Cipher suites.

– Cryptographic implementations.


Cipher suites.

In most cases, a single cryptographic method will not provide the required level of security that most organizations seek.

The solution is to use a cipher suite to provide the necessary security. A cipher suite is a group of cryptographic solutions combined into a single set to provide user authentication, encryption, and message authentication.

One measure of the strength of a cipher suite is the number of bits that make up the keys. The longer the key (the more bits), the stronger the cipher, which leads to a stronger cipher suite. One thing to remember: the stronger the cipher suite, the more computing power and time it takes to use.
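As an added illustration (not part of the original slides), the Python below takes TLS 1.2 style cipher suite names as one concrete instance of a cipher suite, splits each into the roles described above, and orders them by key length. The suite names are constructed sample input; `parse_suite`, `findings` and `rank` are hypothetical helper names.

```python
import re

# Constructed sample input: IANA-style TLS 1.2 cipher suite names.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_NULL_MD5",
]

AEAD_MODES = ("GCM", "CCM", "POLY1305")


def parse_suite(name):
    """Split a suite name into the roles a cipher suite combines."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_([A-Z0-9]+)", name)
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx_auth, cipher, digest = m.groups()
    parts = kx_auth.split("_")
    bits = re.search(r"(?:^|_)(\d+)(?:_|$)", cipher)
    aead = cipher.endswith(AEAD_MODES)
    return {
        "name": name,
        # A single token such as "RSA" covers key exchange and authentication.
        "key_exchange": parts[0],
        "authentication": parts[-1],
        "encryption": cipher,
        "key_bits": 0 if cipher == "NULL" else int(bits.group(1)) if bits else None,
        # AEAD modes authenticate messages themselves; the trailing hash is
        # then used for key derivation only, not as an HMAC.
        "message_auth": "AEAD" if aead else "HMAC-" + digest,
    }


def findings(suite):
    """Flag missing encryption and MD5, which the slides call broken."""
    out = []
    if suite["key_bits"] == 0:
        out.append("no encryption")
    if suite["message_auth"] == "HMAC-MD5":
        out.append("MD5 message authentication")
    return out


def rank(names):
    """Parse all names and order them strongest key first."""
    return sorted((parse_suite(n) for n in names),
                  key=lambda s: s["key_bits"] or 0, reverse=True)


if __name__ == "__main__":
    for s in rank(SAMPLE_SUITES):
        print(s["key_bits"], s["name"], findings(s))
```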


Cryptographic implementations.

– PAP (password authentication protocol).

» An authentication protocol that does not use any cryptographic methods to ensure the integrity of the message.

• The username and password are sent in clear text; this is not a secure solution.

– CHAP (Challenge-Handshake Authentication Protocol).

» A cryptographic authentication protocol used to authenticate remote clients based on hashed values.

• The client combines its password with a key supplied by the server to generate a hashed value (MD5 is the algorithm used to generate that message digest).

• The client sends the hashed value (message digest) back to the server, which then compares what was received against a stored value.

• If the values match, the client is authenticated and then given access to authorized resources.

» CHAP is considered to be a type of HMAC (Hash-based Message Authentication Code).
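The CHAP exchange described above, as an added Python example that is not part of the original slides. It follows the RFC 1994 response calculation (MD5 over the identifier, the shared secret and the server's challenge), so the password never crosses the wire as it does with PAP. The user name, secret and the `Authenticator` class are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994: MD5 over the identifier byte, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh challenge, then checks the response."""

    def __init__(self, secrets):
        self.secrets = secrets      # username -> shared secret (constructed)
        self.pending = {}           # username -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, user):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)       # unpredictable value, new for every login
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user, response):
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against a later login.
        ident, chal = self.pending.pop(user, (None, None))
        secret = self.secrets.get(user)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def demo():
    server = Authenticator({"alice": b"constructed-shared-secret"})
    ident, chal = server.challenge("alice")
    resp = chap_response(ident, b"constructed-shared-secret", chal)
    ok = server.verify("alice", resp)        # correct secret, live challenge
    replay = server.verify("alice", resp)    # challenge already consumed
    server.challenge("alice")
    stale = server.verify("alice", resp)     # old response, new challenge
    return ok, replay, stale, len(resp)


if __name__ == "__main__":
    print(demo())
```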


– RIPEMD (RACE Integrity Primitives Evaluation Message Digest).

» A cryptographic hashing algorithm developed as an open source solution.

» When implemented, the most common version is RIPEMD-160 (uses a 160-bit hashing function).

• There are also 128, 256, and 320-bit versions.

– NTLMv2 (NT LAN Manager version 2).

» A cryptographic hashing process used in Windows operating systems for storing passwords in the registry as hashed values.

• Uses HMAC-MD5 (HMAC using Message Digest 5) as the method of creating and storing the message digest.

» Replaced NTLM, which used MD4 as the hashing algorithm for the HMAC.


– MD (Message Digest).

» A cryptographic hashing algorithm developed by Ron Rivest as a method of using hashed values for authentication purposes, particularly to ensure that the data that is received is the data that was sent.

» MD5 is the most popular version and always generates a 128-bit hashed value.

• While still in use, MD5 has been proven to be a broken cryptographic solution and should not be used for mission-critical security needs.

– SHA (Secure Hash Algorithm).

» A cryptographic hashing algorithm developed by the NSA (National Security Agency) as a method of using hashed values for authenticating data—to ensure the data’s integrity.

» SHA-1 is the most popular version and always generates a 160-bit hashed value.

• In theory, SHA-1 has been broken (the theoretical weaknesses have yet to be proven) and most U.S. government agencies now require the use of SHA-2—an improved version of the original SHA family of hashing algorithms.


What was covered.

– Cipher suites.

» In most cases, a single cryptographic implementation will not provide adequate security. The solution is to use a cipher suite, which is a combination of different cryptographic products to provide data integrity services, user authentication, and encryption. The strength of the cipher suite is dependent on the bit strength of the security keys that are used.

– Cryptographic implementations.

» PAP doesn’t employ any cryptographic methods and should not be used. Some common implementations of cryptography that rely upon hashing to provide integrity checks include: CHAP, RIPEMD, NTLMv2, MD, and SHA.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.