Security+ Overview

Welcome to the Security+ Certi cation Course

This course will follow the o cial CompTIA book: CompTIA Security+ Study Guide for Exam: SYO-601

The content will follow the recommended topics however, I will provide the information using my own experience
and wording. If any information is quoted, I will provide the page number to reference. While you do not require
the book, you may purchase it if you would like to use it as a reference.

The ISBN is: 978-1-119-73625-7

This course will contain slides for each chapter, which you may use as a reference for review in addition to the
videos where I will explain and illustrate where possible.

COPYRIGHT CAREERUP LLC

ffi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Domain 1: Threats, Attacks, and Vulnerabilities

Domain 2: Architecture and Design

Domain 3: Implementation

In this chapter, we’re going to learn about Cryptography! Now, from this point forward, I am going to focus on
teaching you the IMPORTANT areas and limit some of the de nitions.

What does this mean? Well, from this point forward, we’re going to see more examples and dive into “HOW”
some of the topics work. Of course, there will still be some topics that will require you to learn the de nitions and
meanings however, we are going to learn through examples and I will try to illustrate the concepts to help you gain
an even better understanding.

READY!? Great! Let’s get started!

COPYRIGHT CAREERUP LLC

fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

So, what is Cryptography?

Cryptography aligns with the “C” in the “CIA Triad” and it helps maintain con dentiality. In plain words, it keeps
information from being read by someone who is not intended to read the message. The study of Cryptography
focuses on changing a message into a di erent form, which is unreadable by someone who is NOT the intended
reader.

HOW? Well, there are MANY di erent ways that a message can be “encrypted” or altered into an unreadable
format. The text is SCRAMBLED to keep someone from reading it, then UNSCRAMBLED by the reader.

A CIPHER is the method used to SCRAMBLE the characters and CIPHERING is the process of using the
CIPHER to scramble the letters.

There are TWO primary types of methods used for ciphering that do NOT rely on mathematical methods:

SUBSTITUTION and TRANSPOSITION

COPYRIGHT CAREERUP LLC

ff
ff
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

SUBSTITUTION and TRANSPOSITION

Substitution cipher - This type of cipher changes or “substitutes” one character for another. The process of
transforming the characters into their unreadable format is “ENCRYPTING” and transforming them back into their
original format is known as “DECRYPTING”. Think of “EN” as applying the cipher method and “DE” as undoing
the ciphering.

For example: Let’s say we want to hide the word: TEST, you could develop your own KEY that provides a
substitution for each letter. You could create your own reference table such as:

6=T
%=E
9=S

Since the word “TEST” only uses the three letters above, if we apply a substitution cipher, our output or
“encrypted” word would be: 6%96, which would be di cult for someone to gure out if they did not have our key.

Another famous cipher was the “Caesar Cipher” which shifted the letters of the alphabet to encrypt messages.

COPYRIGHT CAREERUP LLC

ffi
fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

SUBSTITUTION and TRANSPOSITION

The Caesar Cipher takes the standard alphabet however, it shifts it THREE places to the right:

A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z - Original
X - Y - Z - A - B - C - D - E - F -G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - Shifted by 3

So, if we use this cipher for the word: ROMAN, our encrypted word is: PMKXL

While this seems simple, consider back in those times, most people did not know how to read and the concept of
ciphers was not known. If the letters were captured by an enemy, they would not have the knowledge or idea to
try shifting letters. However, today those who study cryptography are often familiar with some of the common
techniques, and some more advanced techniques.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

SUBSTITUTION and TRANSPOSITION

Another simple substitution cipher is “ROT13” except it changes every 13th letter of the alphabet, so A becomes
N, B becomes O, C becomes P such that each letter is the 13th letter as you count FORWARD.

It is similar to the Caesar cipher (3 shift) except, the ROT13 takes advantage of the 26 letters to apply a shift of 13
and uses a “rotation” hence the name “ROT13”.

For example, the word: STUDY becomes: FGHQL

Remember, since you are “rotating” by 13 places, the letters correspond to each other!

A B C D E F G H I J K L M

N O P Q R S T U V W X Y Z

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Polyalphabetic Substitution

Polyalphabetic Substitution provides a method for changing the letters using a repeated key.

For example, suppose you wanted to encrypt a word or phrase, rst you create your KEY and reference the letters
of your KEY against a Vigenere ciper table - Reference Page: 182

Suppose we want to encrypt the word:

CYBERSECURITY

We create a KEY such as: ENCRYPT, and repeat the KEY to align the letters with the corresponding letters within
the Vigenere cipher table:

CYBERSECURITY
ENCRYPTENCRYP <— Notice the KEY letters repeat to use as a reference for each letter in the word.
_________________

You look up the cipher by aligning the two letters, to arrive at the corresponding cipher letter.

This is e ective as the KEY must be known along with the knowledge that the Vegnere cipher table was used.

COPYRIGHT CAREERUP LLC

ff
fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Polyalphabetic Substitution

CYBERSECURITY
ENCRYPTENCRYP <— Notice the KEY letters repeat to use as a reference for each letter in the word.
_________________

You look up the cipher by aligning the two letters, to arrive at the corresponding cipher letter.

This is e ective as the KEY must be known along with the knowledge that the Vegnere cipher table was used.

EXAMPLE is illustrated in the program video.

COPYRIGHT CAREERUP LLC

ff
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Transposition Substitution

Transposition moves or scrambles the letters in a speci c order and method.

First, the words are broken down into blocks of a designated size, the letters within each block are then shifted.

Example:

We need to protect networks :

We need to protect networks

eW eedn ot ectpro rksnetwo

The words within each block are transposed in a speci c manner. In this example, the letters were shifted to the
right 3 places. This can be altered as long as the ciper follows the method to encrypt and decrypt.

COPYRIGHT CAREERUP LLC

fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Cryptography Goals

Cryptography helps support the following FOUR goals:

1. Con dentiality
2. Integrity
3. Authentication
4. Nonrepudiation

Con dentiality - Maintaining the privacy of the data while at rest, in motion, or in use.

Integrity - Avoid unintended changes to the data without authorization.

Authentication - Veri es the claimed identity of the entity accessing the data.

Nonrepudiation - Provides the proof that the sender is authentic.

COPYRIGHT CAREERUP LLC

fi
fi
fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Cryptography Concepts

Plain-text - The data in a human readable format and is the term used for data BEFORE it is encrypted.

Encryption - The process of transforming the data into an unreadable format using a speci c method.

Decryption - The process of returning the data to a human readable format FROM its encrypted state.

Cryptographic Keys - Number used for an encryption algorithm. Algorithms use speci c keys for encryption

Algorithm - Set of steps and rules, that describe the mathematical process of encrypting and decrypting OR
enciphering or deciphering data.

COPYRIGHT CAREERUP LLC

fi
fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Cryptography Concepts

Ciphers - These are the algorithms that are used to encrypt or decrypt data.

There are two common Ciphers used:

Block Cipher - The data is divided into a set size of blocks and the Cipher algorithms encrypt or decrypt the data
for each block.

Stream Cipher - The data is encrypted or decrypted as the data is accessed one bit at a time.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Cryptography Concepts

Modern Cryptography - Highly complex algorithms are used along with long cryptographic keys to encrypt data.
The complexity provides the FOUR goals:

Con dentiality
Integrity
Authentication
Nonrepudiation

The complexity of the algorithm along with the key length provides higher security and o ers more protection
since decryption without knowledge of the algorithm or key requires more time and computing power.

There are THREE common encryption algorithms used today:

Symmetric Key encryption algorithms

Asymmetric Key encryption algorithms

Hashing Algorithms

COPYRIGHT CAREERUP LLC

fi
ff
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Symmetric Key Encryption Algorithms

When you hear the word “Symmetric” you often think “the same on both sides”

In Symmetric Key Encryption Algorithms, a “secret key” is used by all intended parties to encrypt and decrypt
data. Since the same key is used, the secret key MUST be secured to avoid unauthorized access to the data.

The bene t is speed, when asked questions concerning what algorithm is appropriate for operations that require
speed or bulk encryption, Symmetric Key Encryption Algorithms are used.

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Asymmetric Key Encryption Algorithms

Asymmetric Key Encryption is also referred to as “Public Key Algorithms” and they use TWO keys:

Private Key - Private key that is NOT shared

Public Key - Public key that is shared with anyone

Asymmetric Key Encryption uses the OPPOSITE key to decrypt.

What this means is when data is encrypted with a Private Key, the Public Key is used to decrypt.

If a Public Key is used to encrypt, a Private Key is used to decrypt the data.

OPPOSITE Keys are used and the “Private” Key is NEVER shared.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Asymmetric Key Encryption Algorithms

Asymmetric Key Encryption is also referred to as “Public Key Algorithms” and they use TWO keys:

Private Key - Private key that is NOT shared

Public Key - Public key that is shared with anyone

Asymmetric Key Encryption uses the OPPOSITE key to decrypt.

What this means is when data is encrypted with a Private Key, the Public Key is used to decrypt.

If a Public Key is used to encrypt, a Private Key is used to decrypt the data.

OPPOSITE Keys are used and the “Private” Key is NEVER shared.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Asymmetric Key Encryption Algorithms

The number of keys needed for symmetric encryption is: n(n-1) / 2 hence, symmetric encryption algorithms do not
scale well since the number of keys required increases as the number of users increase.

Asymmetric encryption scales since it uses the Private and Public key pairs, this reduces the amount of keys
needed therefore the equation is n * 2 since “2” represents one for the Private Key and one for the Public Key.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Asymmetric Key Encryption Algorithms

The number of keys needed for symmetric encryption is: n(n-1) / 2 hence, symmetric encryption algorithms do not
scale well since the number of keys required increases as the number of users increase.

Asymmetric encryption scales since it uses the Private and Public key pairs, this reduces the amount of keys
needed therefore the equation is n * 2 since “2” represents one for the Private Key and one for the Public Key.

Asymmetric Key Encryption also provides nonrepudiation since the opposite keys are required. If someone tries
to use an invalid Private OR Public Key, the decryption algorithm will not output the correct data. This requires
that the Public Key belong to the actual individual.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Modern Cryptography

Hashing Algorithms

Hashing Algorithms are used to compute a value using a speci c algorithm to output a value. These are used to
prove Integrity since any change will output a value that di ers from the output from the ORIGINAL data.

The output is known as a Message Digest as they “summarize” the data.

Consider a book, if you ran all the words in all the pages through a Hashing Algorithm, it will compute a value
based on all the words as the algorithm is applied.

If even a single character is changed ANYWHERE, the output will be di erent since the algorithm will calculate a
di erent value.

Imagine a book with 1,000 pages of text, what if a single character is changed “somewhere” within those 1,000
pages? How would you know?

This is where a Hashing Algorithm can be useful as it can determine if any changes have been made. Hashing
Algorithms play an important role in validating the Integrity of data.

COPYRIGHT CAREERUP LLC

ff
ff
fi
ff
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Symmetric Cryptography

DES or “Data Encryption Standard” uses 64-bit block ciphers and has FIVE Modes:

ECB or Electronic Codebook Mode encrypts blocks using the same secret key. This was easy to crack due to
the same key being used. If any data was the same, the output was the same hence, the key could be derived
using Cryptanalysis techniques.

CBC or Cipher Block Chaining Mode combines blocks and uses the DES algorithm to encrypt the data by using
an Initialization Vector “IV”. The algorithm then combines the rst block and performs an XOR using the IV.

An XOR operation compares the character and asks “Are they di erent?” If they are then TRUE or “1” If they are
NOT di erent then FALSE or “0”

Examples

XOR(1, 0) = 1

XOR(1,1) = 0

COPYRIGHT CAREERUP LLC

ff
fi
ff
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Symmetric Cryptography

CFB or Cipher Feedback Mode streams data and applies the XOR operation to the stream in the same fashion
as the CBC Mode algorithm.

OFB or Output Feeback Mode uses a seed value derived from an IV, which then uses DES to perform an XOR on
the plain text. The remaining data uses a seed value derived from the PREVIOUS encrypted data using the DES
algorithm. This helps avoid transmission errors.

CTR or Counter Mode uses a stream cipher that uses a counter to increment and create the seed values. This
also allows the encryption or decryption into independent steps.

Triple DES applies THREE di erent keys due to the single 56-bit key not being strong enough to withstand
modern Cryptanalysis. Using three di erent keys provides a key length of 168 bits (56x3=168) which increases
the encryption to an acceptable standard. Additional key operations are not needed as the TRIPLE keys are
deemed to be su cient to protect data.

COPYRIGHT CAREERUP LLC

ffi
ff
ff
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Symmetric Cryptography

AES/Rijndael or Advanced Encryption Standard uses three key lengths: 128, 192, and 256 bit keys which
require multiple rounds of encryption: 10, 12, and 14 per length.

Due to the NIST FIPS 197 requirement in November 2001, AES/Rijndael encryption was mandated.

Adding the Rijndael block cipher allowed for 192 and 256 bit keys instead of only the 128 bit key.

This allowed the additional encryption to meet the FIPS 197 standard for sensitive but unclassi ed data
encryption.

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Symmetric Cryptography

Symmetric encryption algorithms use the same key and this means the key is MUST be exchanged in a secure
manner to avoid unintended audiences decrypting data.

There are THREE methods for exchanging Symmetric Keys:

1. O ine Distribution - Physically exchanging the keys using paper, storage, or other physical methods.
2. Public Key Encryption - An initial encrypted link can be established using Public Key Encryption, which is
then used to exchange the Symmetric Key.
3. Di e-Helman - This is an algorithm used to exchange keys by establishing a private key to establish
encrypted communications, then using the encrypted communication to exchange the Symmetric Key. This
di ers from “Public Key Encryption” since the two parties directly communicate to establish a secure
communication.

COPYRIGHT CAREERUP LLC

ffl
ff
ffi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Storage and Destruction of Symmetric Keys

Symmetric encryption algorithms use the same key which requires the keys to be changed after a member of the
party leaves OR if the key is compromised and it should be removed from the cryptosystem to prevent reuse.

Since the key may be used to decrypt information, the Symmetric Key should never be stored on the system that
contains the encrypted data.

In highly sensitive environments, the key may be split to require two individuals to provide each half in order for
the key to be used.

Key Escrow and Key Recovery

Key Escrow systems may be used to store keys in order to facilitate access to encrypted data by authorized
entities.

Fair Cryptosystem - The keys are divided into pieces and stored within independent third party. When authority is
given, the authorized entity may gain access to the keys.

Escrowed Encryption Standard - This provides the Government with the means to decrypt ciphertext.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography

Asymmetric Cryptography or “Public Key” cryptosystems use Private and Public Key pairs.

The most recognized Public Key cryptosystem is RSA - Named after Ronald Rivest, Adi Shamir, and Leonard
Aldleman who founded RSA Security.

Based on large prime numbers, the algorithm is used to generate Public and Private Key pairs.

(Note: In some of this material, we do not dive into the math, it is not necessary. You only need to be aware of the
algorithms and do not need to know how they work.)

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography

Elliptic Curve uses an equation: y^2 = x^3 + ax + b to derive points on an elliptic curve and a point O, which is
located at in nity. The idea is that locating the points (P and Q) can be added together and is then extended to
form a second equation:

Q = xP

Given the complexity of locating the points AND “x” this can be used for encryption.

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography

Elliptic Curve uses an equation: y^2 = x^3 + ax + b to derive points on an elliptic curve and a point O, which is
located at in nity. The idea is that locating the points (P and Q) can be added together and is then extended to
form a second equation:

Q = xP

Given the complexity of locating the points AND “x” this can be used for encryption.

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Hash Functions

A Hash function outputs a value based on the data processed through an algorithm. These functions are used to
validate the Integrity of data by calculating a value. The value may also be known as: hash value, hash total,
CRC, ngerprint, digital ID, or checksum.

Hash functions have ve requirements:

1. The input may be any length - You may has a le, partition, hard drive, any data that has a beginning and end.
2. The output hash value output must be of a xed length no matter the size of the data (large or small).
3. The e ort to compute the hash value should be low.
4. The hash function is one-way therefore, the calculation should be di cult to derive (predict)
5. The hash values should avoid “collisions” meaning, di erent data should not output

COPYRIGHT CAREERUP LLC

ff
fi
fi
fi
fi
ff
ffi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Hash Functions: SHA

Secure Hash Algorithm (SHA) - SHA is a government standard hash function which is speci ed in the Secure
Hash Standards (SHS) and the Federal Information Processing Standard (FIPS) 180.

SHA-1 can take input of almost any length (the limit is around 2 terabytes) and it outputs a 160-bit message
digest.

The data is processed in 512-bit blocks and will use padding if the input is smaller than the 512-bit block size.

There are 4 variants of SHA since SHA-1 was proven to have weaknesses:

SHA-256 - Outputs a 256-bit message digest and also uses 512-bit blocks. (This is also commonly used)

SHA-224 - Outputs a 224-bit message digest and also uses 512-bit blocks.

SHA-512 - Outputs a 512-bit message digest and uses 1024-bit blocks.

SHA-384 - Outputs a 384-bit message digest and uses 1024-bit blocks.

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Hash Functions: MD5

MD5 was created by Ron Rivest.

This hashing algorithm also uses 512-bit blocks however, it uses 4 rounds of computation to create its message
digest. (Remember: “message digest” and “hash” or “hash value” all mean the same thing!

Typically, MD5 is not used due to collisions. However, if MD5 is an option or the only option, it CAN be used if
necessary.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Digital Signatures

Digital signatures use hashing algorithms to verify the identity of a sender in a Digital Signature System.

Why use a Digital Signature System?

• Sender validation
• Con rm Integrity (proof that the message was not altered)
• Enable public key cryptography, which may use a Third Party to verify identity
Public Key Cryptography Steps:

1. Sender generates a message digest (hash value) using the original message.
2. Sender encrypts the message digest using the Sender’s PRIVATE KEY - which creates the Digital Signature
3. Sender appends the message digest to the plaintext message
4. Sender then transmits the message to the Receiver
5. Receiver decrypts the Digital Signature with the Sender’s PUBLIC KEY
6. Receiver uses the same hash function to create a message digest of the message
7. Receiver then validates the decrypted message digest to the message digest computed using the Sender’s
PUBLIC KEY
8. If they match, the message is valid and integrity is also validated

COPYRIGHT CAREERUP LLC

fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Hashed Message Authentication Code: HMAC

HMAC only guarantees integrity, it does not provide nonrepudiation —or— Proof of sender’s identity and receipt

A shared secret key is required to verify the digital signature. Since the shared secret key could potentially be
obtained by anyone, nonrepudiation is not provided.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Digital Signature Standard (DSS)

The National Institute of Standards and Technology (NIST) provides information on what digital signatures are
acceptable for federal government use in Federal Information Processing Standards (FIPS) 186-4.

It states that all approved digital signature standards must use SHA-3 hashing functions.

The following are approved:

1. Digital Signature Algorithm (DSA) - FIPS 186-4

2. RSA - ANSI X9.31
3. Elliptic Curve DSA - ANSI X9.62

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Public Key Infrastructure (PKI) / Reference CompTIA Study Guide: Page 210

PKI plays an important role in allowing unknown parties to communicate and validate identify.

Certi cate Authorities (CA) are Trusted Third-Party entities that validate certi cate information.
(When you see the “green lock” in your browser, that indicates that the certi cate used is validated by a CA)
This prevents someone from creating a website and claiming an identity.

HOW? Since the CA is a Trusted Third-Party, the browser will validate the certi cate information with the CA to
determine whether the certi cate is valid or invalid otherwise known as self-signed. A self-signed certi cate is
not validated by a CA, therefore ANYONE could create one with any name.

Certi cates use X.509 standards and contain speci c information:

• X.509 Version
• Serial Number
• Signature Algorithm Identi er (what algorithm was used)
• Issuer Name (Name of the CA)
• Valid period (Date of certi cate expiration)
• Subject - Common Name (CN) - The owner’s name
• Subject Alternative Name (SAN) - Optional and may contain other information about the certi cate owner
• Subject’s PUBLIC KEY
COPYRIGHT CAREERUP LLC
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Certi cate Authorities (CA)

Certi cate Authorities are Third-Party entities that validate certi cates. There are many di erent companies that
provide these services. A validated certi cate will have an associated cost, time period, and process. Browsers
and other programs have lists of certi cate authorities to validate certi cates. This is a commonly used process
found in most web browsers. Validation is used to provide a status commonly found using a “green lock” or “red
lock”.

Green means validated and Red means the certi cate is NOT validated. An invalidated site should NOT be
trusted.

Here is a list of some common Certi cate Authorities:

• Symantec
• IdenTrust
• Amazon Web Services
• Comodo
• DigiCert
• GoDaddy
• Entrust
• Google
• Microsoft
• There are MANY others!
COPYRIGHT CAREERUP LLC
fi
fi
fi
fi
fi
fi
fi
fi
ff
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Certi cate Authorities (CA)

Enrollment:
The process of obtaining a validated certi cate follows proof of identity. In order to purchase and use a
certi cate, you must provide proof to the CA of who you are. This process is known as “enrollment” and requires
proof using the steps de ned by the certi cate authority (CA).

Veri cation:
When a certi cate is received, the certi cate must be validated by a CA to con rm whether is it valid or invalid.
This action is performed by rst con rming whether the certi cate is on the certi cate revocation list (CRL).
In some cases, the Online Certi cate Status Protocol (OCSP) is used to verify the certi cate’s status.

The following requirements must be met to con rm validation of a certi cate:

• Authentic Digital Signature
• CA must be trusted
• Certi cate must not be listed in the CA’s CRL
• The certi cate data must contain the appropriate data.

COPYRIGHT CAREERUP LLC

fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Revocation

A certi cate will be revoked and listed on the CRL for the following reasons:

• Certi cate compromise

• Issuing error/mistake (unintentional or accidental issuing of a certi cate)
• Certi cate information mismatch
• Security Association change

The CRL is maintained by the CA and must be updated. Updates may use the Online certi cate Status Protocol
(OCSP) to ensure that the CRL lists are updated real-time.

Certi cate stapling - The web server uses the OCSP protocol to send its certi cate to the OCSP server instead of
the user contacting the CA.

Certi cate stapling saves resources by updating the certi cate between the web server and OCSP server to avoid
user independent queries from a CA.

COPYRIGHT CAREERUP LLC

fi
fi
fi
fi
fi
fi
fi
fi
fi
 Security+ Chapter 7

Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Certi cate Formats

There are di erent formats for Digital Certi cates:

• Distinguished Encoding Rules (DER) - Format: Binary - Extensions: .DER, .CRT, .CER
• Privacy Enhanced Mail (PEM) - Format: Text - Extensions: .PEM, .CRT
• Personal Information Exchange (PFX) - Format: Binary - Extensions: .PFX, .P12
• P7B - Format: Text - Extension: .P7B

Reference Page: CompTIA Security+ Study Guide: Page - 215

COPYRIGHT CAREERUP LLC

ff
fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Asymmetric Key Management

Managing the Private Key Infrastructure is important and should follow these steps:

1. Identify and choose the best encryption algorithm/system for the intended use.
2. The key length should be set the appropriate length and randomness (Typically: The longer the key, the more
secure)
3. Do not share secret keys, they should always be secured
4. Remove keys at de ned intervals or upon expiration
5. Key rotation period should be de ned
6. Keys should be backed up and encrypted. Also, the backups should be secured (physically and/or encrypted
at rest)
7. Hardware Security Modules (HSM) may be used to manage keys.

COPYRIGHT CAREERUP LLC

fi
fi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Cryptographic Attacks

Brute Force: This method uses combinations of possible characters to guess the key. This is the most ine cient
method however, a weak key or “known” passphrase may enable Brute Force to succeed.

Frequency Analysis: Analyzing encrypted blocks for any patterns or consistency may allow determination of the
encryption algorithm used to attempt to identify the key.

Known Plain Text: Comparing text that is known to the cipher text allows captured characters to be decrypted.

Chosen Plain Text: If the text is unknown, the attacker may use their own text to encrypt in order to identify
matching patterns or cipher text. Upon matching, this may allow an attacker to identify the encryption algorithm
used OR identify the key itself with enough data.

Related Key Attack: An attacker may use two di erent keys to compare outputs in order to match plain text if
known.

Birthday Attack: This method uses “collisions” to determine the algorithm by identifying matching outputs from
a given input. Commonly, the theory is in a set of people, two people may have the same birthday that matches.
this attack uses a similar concept where outputs may match and provide information on the encryption algorithm.

COPYRIGHT CAREERUP LLC

ff
ffi
 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Cryptographic Attacks

Downgrade Attack: The attacker will try to downgrade the level of encryption in order to identify the key.

Rainbow Tables: This attack uses computed hash outputs to match cipher text.

Salting: To help prevent Rainbow Table attacks, salting adds randomized characters to the plain text BEFORE
hashing.

Key Stretching: This method extends keys by using salting and hashing to create more complex encryption keys.

Exploiting Weak Keys: Attacks on poor implementations of encryption algorithms to derive the key.

Human Error: In correct use of encryption algorithms may cause data that that was intended to be encrypted to
be sent as plain text. If the encryption process is not followed, a user may unintentionally send plain text.

COPYRIGHT CAREERUP LLC

 Security+ Chapter 7
Chapter 7 - Cryptography and the Public Key Infrastructure

Asymmetric Cryptography - Cryptography Issues

Tor (formerly “The Onion Router”): may use encryption for hiding illegal activities.

Blockchain: This technology provides a ledger for transactions as each transaction is stored and is required to
create the next chain.

Lightweight Cryptography: In the case where a device may have limitations, cryptography may utilize speci c
hardware to perform encryption to save energy. Often, these devices are dedicated for encryption and allow
function in low or limited environments.

Homomorphic Encryption: This method allows encryption while protecting the identity of the individual. For
instance, you may want to encrypt data however, NOT provide YOUR information as the owner.

Quantum Computing: Based on Physics, Quantum computing uses enhanced computing methods for both
stronger encryption AND attacking encryption algorithms. Due to the high speeds used for processing, the time
for identifying keys may be reduced as calculations are able to be performed at faster than normal speeds.

COPYRIGHT CAREERUP LLC

fi