### Unit 3: Cryptographic Models

One of the earliest ways to encrypt a message was with a substitution cipher developed by Julius Caesar, known as the Caesar cipher. Today, in the information age, cryptology involves the use of computers to create complex algorithms. In this unit, we examine various symmetric and asymmetric key algorithms, as well as hashing algorithms. Encryption is a tool that can be used to support all three tenets of the CIA triad, the goal of information security.

**Completing this unit should take you approximately 8 hours.**

Upon successful completion of this unit, you will be able to:

- describe the history of cryptography and the role of cryptography in information security systems;
- compare symmetric key and asymmetric key algorithms;
- discuss the different types of symmetric and asymmetric key algorithms; and
- evaluate hashing algorithms and their role in creating digital certificates.

### 3.1: Cryptographic History

As you begin this section on cryptography, it is important to review a brief history of the origins of cryptography to understand why cryptography was developed. The timeline of cryptography dates to the times of Julius Caesar and continues through some important times in our history during the first and second world wars. Cryptography is as important, or possibly more important today than it was in previous years due to advancements in technology. This unit describes the mechanism of the Caesar cipher and shows how to encipher your own message. This section also describes the one-time pad (OTP) and why it is secure.

Read this article to learn about the evolution of cryptography; the methods used to secure communication. One of the earliest methods of encryption you will read about is substitution ciphers. The beginning of WWI brought advancements in computational power; advancements that encouraged the development of electromechanical cipher machines used in WWII. One such infamous machine was the German Enigma machine, and the cracking of the enigma code was pivotal for the war. Today's modern cryptography uses computers to devise complex ciphers. As you read, take note of some important names and abbreviations in cryptographic history. Who was Shannon, Diffie, and Hellman? What do the abbreviations DES and AES represent and in what years were they developed? When was symmetric key cryptography used, and when was asymmetric cryptography developed?

Read this section on classical cryptosystems. Pay attention to the substitution cipher, the Vigenere cipher, and the Enigma cipher. As you read, consider these study questions: Who was the Vigenere cipher named after, and who first cracked the Vigenere cipher? Who cracked the Enigma cipher, and what repeated phrase at the end of every message helped to break the cipher? What is perfect secrecy?

### 3.1.1: The Caesar Cipher

After reading, you should be able to explain why this cipher is called the Caesar cipher, and you will be able to encipher a simple message using the Caesar substitution cipher.

Use this source as a tool to assist you to encipher a short message.

### 3.1.2: One-Time Pads

Read this source to understand why a one-time pad (OTP) is considered to be secure. Take note of the conditions that must be met to ensure the OTP cannot be broken.

### 3.2: Goals of Cryptography

Now that you understand why and how cryptography was developed, you will learn about the primary goals of cryptography. Cryptography is used today to protect the confidentiality and integrity of data. You saw that confidentiality and integrity were part of the CIA triad and are protected by cryptography, but additionally cryptography is used to provide for nonrepudiation and authenticity. Nonrepudiation means the sender cannot deny sending the data or message. An example of nonrepudiation is when an email is sent using a digital signature. Authentication is the acceptance of credentials to prove identity. When a user enters the correct username and password, the user is authenticated and is allowed access to the system. These are important concepts to understand as an organization may require the information systems professional to evaluate or to provide cryptographic methods of nonrepudiation and authenticity.

There are four main goals in cryptography: confidentiality, integrity, authentication, and non-repudiation Read the section on the goals of cryptography to understand each concept. Notice how the cryptographic goals segue with the CIA triad discussed in the previous unit with one addition: non-repudiation. Non-repudiation will be discussed in more detail in the next section of this unit.

Cryptology provides for confidentiality and non-repudiation. Confidentiality is protecting from unauthorized view, while non-repudiation is that the sender cannot deny sending the message. What method of encryption ensures confidentiality? What ensures non-repudiation? You should be able to explain how confidentiality and non-repudiation work together.

Cryptographic methods protect for confidentiality, authenticity, and integrity. Authenticity is proving who you are, and integrity is protecting the data from unauthorized changes. By reading this article you should be able to explain the concepts of confidentiality, authenticity, and integrity. What cryptographic methods can be used to provide for all three concepts?

Authentication was discussed in the previous section. This section will discuss different cryptographic methods to provide for authentication to include symmetric and asymmetric authentication. After watching, you should be able to explain authentication, the risks of impersonation, and be able to define certificates and certificate authorities.

### 3.3: Comparing Cryptographic Algorithms

This section describes the three different methods of encryption: symmetric, asymmetric, and hashing. As you saw in the history of cryptography, symmetric key cryptography was the primary encryption method until asymmetric encryption was developed in the 1970s. Both encryption methods need a method of encryption and decryption, but hashing is one-way function as it cannot be reversed. The following sections will describe the attributes and the purposes of these three encryption methods, and it will describe how hashing is used in conjunction with asymmetric encryption.

### 3.3.1: Symmetric Key Algorithms

This article describes symmetric key ciphers. As you read the article, take note of the major issue associated with key distribution of symmetric key ciphers and the advantage of symmetric key ciphers over asymmetric key ciphers.

Watch this video where Alice sends a message to Bob that has been encrypted with a symmetric key. If Bob wants to read the message, what key does he use to decrypt the message?

### 3.3.2: Asymmetric Key Algorithms

Asymmetric ciphers have two keys: public and private. While reading, take note of which key encrypts the message and which key decrypts the message. What is a known weakness to this type of encryption?

Watch this video where this time Alice sends a message to Bob that has been encrypted with an asymmetric key. If Bob wants to read the message, what key does he use to decrypt the message?

### 3.3.3: Hashing Algorithms

A cryptographic hash algorithm can provide for integrity. When reading this article, pay attention to the section on applications of hash functions. The scenario with Alice and Bob is a good example of how a cryptographic hash can provide for message integrity. Be sure to understand the concept of a digest and try to comprehend the issue of a collision and the birthday paradox. You will learn more about the birthday paradox in a subsequent section.

This video will provide a more in-depth view of hashing. From this video, you should learn more about hash collisions, the avalanche affect, and make note of the names of hashing algorithms. You will learn more about the hashing algorithms mentioned in the video later in this unit.

### 3.4: Types of Key Algorithms

To secure communication, a set of defined mathematical rules called algorithms are used for encryption. In this section, you will learn some of the different types of encryption algorithms used in symmetric and asymmetric encryption. You will start with symmetric encryption and learn about DES, 3DES, AES, RC4, RC5, RC6, Blowfish, and Twofish algorithms. For asymmetric encryption, you will learn about the RSA, DSA, PGP, GPG, Diffie-Hellman, and Elliptic-curve algorithms.

### 3.4.1: Symmetric Key Algorithms

You already learned about symmetric key ciphers and the major issue with symmetric keys. Read the section in this article on symmetric key encryptions to learn more about the advantages and disadvantages of symmetric keys. There is more information about symmetric key ciphers in this article that will be covered in more detail later in this unit, but this article will give you a preview of 3DES, IDEA, and AES ciphers. View the flashcard tool as well to better understand and to learn the terms used in cryptography such as plaintext, ciphertext, key, encryption, decryption, countermeasure, symmetric key encryption, and block cipher.

### 3.4.1.1: DES

This article explains data encryption standard (DES), an algorithm used in symmetric encryption. To understand the timeline of encryption algorithms in history, pay attention to the year this algorithm was created, the name of company that created it, and the name of the technique that made DES a vulnerable algorithm. Note that DES could also be cracked via brute force. What makes DES vulnerable to a brute force attack?

DES is no longer used but was a very popular algorithm at one time. The principal of DES is important to understand because it is used in other ciphers. If DES encrypts 64 message bits, why is the effective key size only 56 bits? Why is DES no longer used?

### 3.4.1.2: 3DES

The next step up from DES is triple DES, or 3DES. Watch this video to learn why triple DES was used instead of double DES. Explain what 3DES is in relation to DES.

In this video the three key versions of 3DES, the length of each effective key, and the strength of each version is explained. If all three keys were the same, do you understand why 3DES would just be DES?

### 3.4.1.3: AES

- Read this article on advanced encryption standard (AES) to understand the key sizes of AES in relation to the key size of 3DES. What is another name for AES?
In this video, you will learn the process of encryption using AES. Notice what year AES was developed and why there was a need for a new encryption algorithm. How much faster is AES than 3DES?

### 3.4.1.4: Ciphers (RC4, RC5, RC6, Blowfish, Twofish)

RC4, RC5, and RC6 were series of algorithms developed in succession by RSA Security. The name RSA is an abbreviation taken from the names of the three owners: Rivest, Shamir, and Adleman. These three names will appear again in a subsequent section. In the article on the Rivest ciphers there are three sections you should read, one about each type of encryption. Notice the differences in block size, key size, and the number of rounds used in each algorithm. Then read and view the information on two more ciphers: blowfish and twofish. These ciphers also have the same creator and were created in succession. As you review this material, you will see that RC6 and twofish were created for the AES competition. Unfortunately, neither twofish nor RC6 were selected in the competition.

While you watch, consider these questions: What type of cipher is RC4? Who designed RC4 and in what year? In what applications is RC4 used? What are the limitations and the benefits of using RC4?

Read the section on RC4 in this article. Try to mentally follow the steps for encryption with the algorithm. What are some of the strengths and weaknesses of RC4 as noted in this article?

The RC5 algorithm was derived from the RC4 algorithm. While you read take note of the year RC5 was published. How much time was there between the development of RC4 and RC5? What type of symmetric cipher is RC5? Compare the three components of RC5 with the components of AES, do you see any similarities?

RC6 was developed for an advanced encryption standard (AES) competition but was not selected by the National Institute of Standards and Technology (NIST). In what year was it published, and who developed it? How is RC6 different from RC5?

The Blowfish cipher has been studied in information security for more than 20 years. As you learn about this cipher, pay attention to the creator and the year it was created. Is Blowfish still in use? Why is it in use, or why is it not in use? What type of cipher is Blowfish? What is the key length of Blowfish? Why would the Twofish cipher be chosen over Blowfish? Why would Blowfish be chosen over DES or IDEA?

Twofish succeeded blowfish and was also designed by Schneier. Read the section on the twofish cipher to learn about the length of the algorithm, and the types of environments where twofish can be used.

### 3.4.2: Asymmetric Key Algorithms

We discussed symmetric key algorithms first since they are easier to understand. Asymmetric key algorithms have an advantage in that no key distribution is required, but asymmetric keys are more complex in that they require more management oversight. This section will explain asymmetric key distribution, public-key cryptography, RSA, digital signature algorithm (DSA), pretty good privacy (PGP), GNU privacy guard, Diffie-Hellman cryptography, and elliptic-curve cryptography (ECC).

Previously you learned about asymmetric key algorithms and you should understand that asymmetric encryption requires two keys: public and private. As a review, using the flashcards define asymmetric key encryption, public key, private key, and digital certificate. Then read the section on asymmetric encryption.

### 3.4.2.1: RSA

Do you find asymmetric encryption and the use of a public and private key difficult to comprehend or explain? This video will explain asymmetric encryption, or non-secret encryption, and leads into RSA the first symmetric algorithm. Watch this video for a visual explanation of asymmetric encryption and RSA. On what principle is RSA based? Make note of the year RSA was developed and why it is called RSA.

RSA is an asymmetric algorithm and is attributed to three people but reading this article will explain who developed the algorithm years earlier. When reading this article, try to understand the section on key generation, encrypting messages, decrypting messages, and signing messages. Most importantly, note the speed of RSA in comparison to DES that was discussed in the section on symmetric key encryption. Also note how attacks such as man-in-the-middle and RSA blinding attacks can be avoided.

### 3.4.2.2: DSA

Digital signature algorithm (DSA) is used for authentication and is considered a signature algorithm. When reading section three of this article, pay the most attention to the steps in the scenario with Alice and Bob on how to obtain a digital signature using a private and public key, and how a digital signature verification is produced. To keep a basic idea on a timeline, also pay attention to the year that DSA was proposed. Attempt to follow through the reading on DSA key generation, signature generation, and signature verification although you are not expected to be able to explain these steps.

### 3.4.2.3: Pretty Good Privacy (PGP)

Pretty good privacy, known as PGP, is an open-source program that provides data encryption and is often used for email. This program uses a public and a private key for encryption and decryption, as you might expect. Read this article to understand how you can use PGP to encrypt email sent from your personal computer.

Now that you understand how PGP can be used, read this article to learn who developed PGP while taking note of the year it was developed. Be sure to read the sections on how PGP works as well as the encryption-decryption process using the public and private keys. As you will notice, the public keys versions are RSA that was previously discussed, and Diffie-Hellman that will be discussed in a later section.

To learn more in-depth information about PGP such as downloading and installing and learning how to create a key using, you may choose to watch this video.

### 3.4.2.4: GPG

GPG, also known as GNU privacy guard, is the successor to PGP discussed in the previous section. While watching, determine is GPG uses symmetric or asymmetric cryptography. What is a key pair, and what is the purpose of the passphrase in GPG? You can continue to watch this video to learn how to use GPG in MS Windows.

If you use Linux and are interested, watch this video to learn how to install and use GPG in a Linux system. You will learn to generate a key pair and to encrypt files using GPG.

### 3.4.2.5: Diffie-Hellman

In the history of cryptography section, you read about two important people: Diffie and Hellman. This article will discuss the Diffie-Hellman algorithm and how it is used to encrypt and decrypt. What year was the Diffie-Hellman algorithm published? What algorithm that have you already learned about works similar to Diffie-Hellman?

Watch this video that works through a scenario to communicate a secret over the Internet using a Diffie-Hellman algorithm. Pay attention to the actions of Alice and Bob, what they can see or cannot see, and notice the size of the prime numbers used to calculate the Diffie-Hellman algorithm.

### 3.4.2.6: Elliptic-Curve Cryptography

Elliptic curve cryptography is based elliptic curve theory that uses smaller key sizes thereby increasing speed. The mathematics used is that of elliptic curves and finite fields. In this article, note that the mathematical equations are based on algebra and calculus, but the finite fields are based on modular mathematics. While you are not expected to memorize formulas or calculate the algorithm, viewing this page should help you to understand why elliptic curve cryptography is difficult to break.

In this video, you will see why elliptic curve cryptography is an important algorithm. The video will also show the mathematics behind the algorithm. While you are not expected to understand the mathematics behind the algorithm, be sure to make note of how elliptic curve cryptography compares to RSA, which was discussed in a previous section.

### 3.5: Hashing Algorithms

Hashing algorithms are used to provide data integrity, proving that the data has not been altered. Hashing can be important to review when downloading a patch for a system. If the hash does not match the published hash, then the patch may not be authentic and should not be downloaded or uploaded to the system. We will discuss several types of hashing algorithms: message digest 5 (MD5), secure hash algorithm (SHA-0, SHA-1, SHA-2, and SHA-3), and hashed message authentication code (HMAC). Notice the differences and the similarities between symmetric and asymmetric cryptography and hashing algorithms and how the tenets of the CIA triad are protected.

A hash is a cryptographic algorithm, but it differs from symmetric and asymmetric cryptography in that it does not use a public or private key. The input to a hash cannot be reverse calculated from the hash. Watch this video and note the computational and inversion requirements of a hash. Does hashing provide for confidentiality or integrity?

### 3.5.1: Digital Certificates

Your typed name at the bottom of an email is not proof that you are the sender of an email. Public keys are used to create digital certificates to provide proof of the identity of a sender. Read this article to understand the need for digital certificates. Pay attention to certificate chains and the importance of the element of trust.

The history of message digests and algorithms is discussed in this video. According to this narrator, which tenet of the CIA triad is the most important, and which tenet does a message digest protect? Pay attention to the fact that a message digest does not involve the use of a key. What inspires the development of new ciphers? How do you get more security when adding crypto algorithms? What ciphers are considered the industry standards and are in use today?

### 3.5.2: Message Digest 5 (MD5)

Read this article about MD5, a hash function. You should learn who developed MD5 and note the approximate year. Pay attention to the purposes of MD5, the size of the output, and why it is no longer used for digital certificates.

### 3.5.3: Secure Hash Algorithm (SHA-0, SHA-1, SHA-2, and SHA-3)

Another hash or one-way algorithm is the secure hash algorithm (SHA). What hash is SHA based on, who created it, and what are the names of the three SHA algorithms? Which SHA is no longer in use?

The Federal Information Processing Standards Publication 202 (FIPS PUB 202) discusses the secure hash algorithm-3, known as SHA-3. When reading the introductory section on pages 1 and 2, pay attention to the origin of the algorithm, and the terms hash function, message digest, and extendable-output function (XOF). What special properties was SHA-3 designed to provide? What are the digest lengths in the FIPS-approved hash functions?

### 3.5.4: Hashed Message Authentication Code (HMAC)

To understand a hashed message authentication code (HMAC) you must understand a message authentication code (MAC). First, view the diagram with the subtitle "computing a MAC versus computing an HMAC". Then read the text below the diagram. How does a MAC become an HMAC? What is the purpose of an HMAC?

### Unit 3 Assessment

- Receive a grade
Take this assessment to see how well you understood this unit.

- This assessment
**does not count towards your grade**. It is just for practice! - You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.

- This assessment