WIXLIB

Copyright Taylor & Francis Group. Do Not Distribute.Domain 3: CryptographyCryptography is not limited to uses in access control and telecommunicationssecurity. Business continuity planning lends itself to cryptographic uses forprotecting data transferred to a hot site. A recovery site service provider mayneed to be one of the trusted parties having access to encryption keys for storagedata, for instance.Cryptography can depend on physical security as well. One example is thephysical security of the master key in a media encryption system. Storage ofthe key may leverage physical security by splitting it into key shares (known assplit knowledge; see section titled “Key Management”), with portions of theencryption key stored on separate smart cards in different safes, thereby limitingphysical access to the master encryption key. To expound on this examplefurther, the same key can reside within a hardware component of a cryptographicsystem, requiring specialized physical protection of the computing device itself.The US National Institute of Standards and Technology (NIST) FIPS 140-2defines standards for both hardware and software components of cryptographicmodules. The specialized physical protection of cryptographic modules requiredby FIPS 140-2 may include tamper-proof enclosures and means of destroying orzeroizing keys upon physical opening 4.4See the following for FIPS PUB 140-2 Security Requirements for Cryptographic s140-2/fips1402.pdf3CryptographyIn addition, many ISO standards also provide guidance for the securityarchitect in this area. ISO/IEC 18033-2:2006 specifies encryption systems(ciphers) for the purpose of data confidentiality. ISO/IEC 18033-2:2006specifies the functional interface of such a scheme, and in addition specifies anumber of particular schemes that appear to be secure against chosen ciphertextattack. The different schemes offer different trade-offs between securityproperties and efficiency 5. ISO/IEC 11770-1:2010 defines a general model ofkey management that is independent of the use of any particular cryptographicalgorithm 6. ISO/IEC 11770-1:2010 addresses both the automated and manualaspects of key management, including outlines of data elements and sequencesof operations that are used to obtain key management services 7. Examples ofthe use of key management mechanisms are included in the ISO 11568 series,which specifies the principles for the management of keys used in cryptosystems5See the following for ISO/IEC 18033-2:2006: http://www.iso.org/iso/home/store/catalogue tc/catalogue detail.htm?csnumber 379716See the following for ISO/IEC 11770-1:2010: http://www.iso.org/iso/home/store/catalogue ics/catalogue detail ics.htm?ics1 35&ics2 040&ics3 &csnumber 53456243ISSAP v2.indb 2437/18/2013 10:28:55 AM

Copyright Taylor & Francis Group. Do Not Distribute.Official (ISC)2 Guide to the ISSAP CBK: Second Editionimplemented within the retail-banking environment 8. If non-repudiation isrequired for key management, ISO/IEC 13888 is applicable 9. The fundamentalproblem is to establish keying material whose origin, integrity, timeliness and(in the case of secret keys) confidentiality can be guaranteed to both direct andindirect users. Key management includes functions such as the generation,storage, distribution, deletion and archiving of keying material in accordancewith a security policy (ISO 7498-2) 10.The core areas that benefit from cryptography deal with keeping dataconfidential, maintaining its integrity, guaranteeing authenticity not only of databut of those accessing the data as well as those from whom the data originates,and of ensuring non-repudiation for data originators.Message EncryptionSecure communication of messages is a traditional use of cryptography.Military communications have employed cryptography since at least the timeof the Greco-Persian wars, with techniques such as hiding messages within waxtablets. Commercial messaging systems transmitting across untrusted networksalso require encryption for privacy of messages. Corporate e-mail traffic maycontain various types of sensitive information including financial data, personalinformation, intellectual property, or trade secrets. In addition to needingconfidentiality for messages, e-mail can require authentication of the messagerecipient to the message, integrity of the message content, and non-repudiationof the message being sent or received.7There are several other ISO/IEC 11770 sub standards that the security architect will want tobecome familiar with in this context:ISO/IEC 11770-2:2008 Security Techniques – Key Management – Part 2: Mechanisms usingsymmetric techniquesISO/IEC 11770-3:2008 Security Techniques – Key Management – Part 3: Mechanisms usingasymmetric techniquesISO/IEC 11770-5:2011 Security Techniques – Key Management – Part 5: Group Key Management8See the following for ISO/IEC 11568-1:2005 Banking- Key Management(retail) – Part 1:Principles: http://www.iso.org/iso/home/store/catalogue tc/catalogue detail.htm?csnumber 349379See the following for ISO/IEC 13888-1:2009 Security Techniques – Non-repudiation– Part 1: General: http://www.iso.org/iso/home/store/catalogue ics/catalogue detail ics.htm?ics1 35&ics2 040&ics3 &csnumber 50432There are two other ISO/IEC 13888 sub standards that the security architect will want to becomefamiliar with in this context:A. ISO/IEC 13888-2:2010 Security Techniques – Non-repudiation – Part 2: Mechanisms usingsymmetric techniquesB. ISO/IEC 13888-3:2009 Security Techniques – Non-repudiation – Part 3: Mechanisms usingasymmetric techniques10See the following for ISO/IEC 7498-2:1989 Information processing systems – OpenSystems Interconnection – Basic Reference Model – Part 2: Security Architecture: http://www.iso.org/iso/home/store/catalogue tc/catalogue detail.htm?csnumber 14256244ISSAP v2.indb 2447/18/2013 10:28:55 AM

Copyright Taylor & Francis Group. Do Not Distribute.Domain 3: CryptographyMessaging security standards include: Secure Multi-Purpose Internet Mail Extensions (S/MIME): Thisextension of the MIME standards that specify e-mail formattingand encapsulation adds encryption of message content. S/MIMEalso uses a hashing algorithm for message integrity, public keycertificates for message authentication, and digital signatures toprovide non-repudiation of origin11. Privacy-Enhanced Mail (PEM): An early Internet EngineeringTask Force (IETF)-proposed standard for securing e-mail usingpublic-key cryptography with trusted distribution of public keysvia PKI, PEM was never widely used for securing e-mail12. Only PEM’s definition of header field format (PEM format) hasfound use as a common means of representing digital certificatesin ASCII form. Pretty Good Privacy (PGP): Originally developed by PhilZimmermann in 1991, PGP is a cryptosystem utilizing symmetrickey, asymmetric key, and message digest algorithms. Whenapplied to securing e-mail, PGP provides message authenticationby binding a public key to an e-mail address where the publickey is distributed to a community of users who trust eachother, commonly known as a web of trust. PGP with e-mailalso provides message encryption, uses a hashing algorithm formessage integrity, and digital signatures for non-repudiation13.Secure IP CommunicationTCP/IP is a standard communication protocol for information systemstoday. Various cryptographic protections are provided for data traveling overIP networks by the IPSec suite of open standards developed by the InternetEngineering Task Force (IETF)14. The IPSec set of standard protocols providescryptographic security services at Layer 3, the Network layer of the OSI model.11See the following for information on S/MIME and the current state of the S/MIMEworking group: http://datatracker.ietf.org/wg/smime/charter/12See the following for historical information on PEM:edu/ c.13See the following for an overview of PGP and how it works:pgpintro/14See the following for information on IPSEC:CryptographyIPSec includes two protocols: Authentication Header (AH) and EncapsulatingSecurity Protocol (ESP). The cryptographic benefits provided by them tf.org/wg/ipsec/charter/See the following for a good overview and detailed descriptions of how IPSEC works and all of theparts that make up IPSEC: 45ISSAP v2.indb 2457/18/2013 10:28:55 AM

Copyright Taylor & Francis Group. Do Not Distribute.Official (ISC)2 Guide to the ISSAP CBK: Second Edition AH: Authentication Header provides data origin authenticationand data integrity but does not provide confidentiality for the IPpayload and header that it protects. ESP: Encapsulating Security Protocol also provides data originauthentication and data integrity, and also offers confidentialityfor the IP payload it protects.IPSec operates in one of two modes: Transport mode: In transport mode, only the IP payload isprotected by the AH or ESP protections. Transport mode is usedfor end-to-end security between two systems, such as between aclient and a server. Tunnel mode: In tunnel mode, both the IP payload and the headerare protected, and a combination of AH and ESP protections canbe used. Tunnel mode sets up a virtual tunnel where multipleintermediaries may exist and is used for protecting traffic betweenhosts and network devices such as gateways or firewalls, routers,and VPN appliances.Secure TCP/IP communication is not limited to IPSec. Transport LayerSecurity (TLS) and its predecessor, Secure Sockets Layer (SSL), are additionalcryptographic protocols that provide communications security for TCP/IP15.TLS/SSL provides confidentiality, integrity, and authentication for securing datatraveling over IP networks. Authentication in TLS/SSL is commonly providedwhen an HTTP server proves to a client such as a browser that the server isauthentic, and may also be used for mutual or server-to-server authentication.TLS/SSL is often used to provide secure HTTP (HTTPS), and is also used forsecuring data communicating over other application level protocols, such as FileTransfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), andSimple Mail Transfer Protocol (SMTP).Remote AccessCryptographic controls are used when remote access is necessary. Examplesinclude the need for integrity protection to prevent man-in-the-middle spoofingand hijacking attacks and vendor remote network access to a customer’s datacenter, where the authentication and confidentiality of the network access areimportant. Likewise, remote access by telecommuting employees commonlyuses virtual private networks (VPNs), which provide encryption and userauthentication. Often, remote access means crossing boundaries where untrustednetworks are present. In such cases, the need for confidentiality increases.15See the following for the TLS v1.2 RFC:http://tools.ietf.org/html/rfc5246246ISSAP v2.indb 2467/18/2013 10:28:55 AM

Copyright Taylor & Francis Group. Do Not Distribute.Domain 3: CryptographyA VPN provides confidentiality by encrypting IP traffic and offeringauthentication between VPN endpoints. Because VPNs are often based onIPSec or SSL, the security benefits of the underlying protocols are provided.VPNs are implemented in the following architectures: Remote Access VPN: A remote access VPN provides security forremote users connecting to a central location via IP. Site-to-Site VPN: A site-to-site VPN provides communicationssecurity for separate locations in an organization that can connectover IP. Extranet VPN: An extranet or trading partner VPN provides anorganization with communications security when one or moreseparate organizations are connecting to that organization over IP.Point-to-Point Protocol (PPP) is another means of establishing remoteconnectivity. PPP, operating at the data link layer of the OSI model, was designedto be used with network layer protocols such as IP or IPX. By default, PPPdoes not provide any security or rely on any cryptographic controls. However,PPP does include an optional authentication phase and an optional encryptionfeature, PPP Encryption Control Protocol (ECP) 16.A common protocol for remote access that involves cryptographic controls isSecure Shell (SSH), which operates at the application layer of the OSI model.SSH can be used in a client-server model for remote administration of servers,and in combination with other protocols such as Secure File Transfer Protocol(SFTP) or Secure Copy (SCP). SSH encrypts the data it transfers, and providesauthentication using password- or public-key based methods. SSH also uses akeyed hash for integrity protection.Secure Wireless CommunicationThe most commonly used family of standards for Wireless Local AreaNetworks (WLANs) is Institute of Electrical and Electronics Engineers (IEEE)802.1117. 802.11 originally relied on the Wired Equivalent Privacy (WEP)16See the following for the PPP Encryption Control Protocol RFC 1968:org/html/rfc1968CryptographyWireless networks are commonly used for enhancing user mobility and extendingor even replacing wired IP networks. Their transmission is easily intercepted,so confidentiality is a must. Wireless transmissions can be more susceptible toman-in-the-middle attack than wired communication, so authentication is veryimportant.3http://tools.ietf.17See the following to download the IEEE 802.11-2012 copy of the 02.11-2012.pdfhttp://247ISSAP v2.indb 2477/18/2013 10:28:55 AM

Copyright Taylor & Francis Group. Do Not Distribute.Official (ISC)2 Guide to the ISSAP CBK: Second Editionsecurity method to provide confidentiality and integrity. WEP has been provedinsecure due to the way it implements its RC4 stream cipher algorithm; thus,WLANs using WEP are often vulnerable to eavesdropping and unauthorizedaccess.As a result, IEEE introduced a range of new security features designed toovercome the shortcomings of WEP in the IEEE 802.11i amendment. 802.11iintroduces the concept of a Robust Security Network (RSN), an element of theprotocol that allows a variety of encryption algorithms and techniques to be usedfor providing confidentiality and authentication18. Prior to the introduction of802.11i, the Wi-Fi Alliance, a global nonprofit industry association, createda protocol and certification program for wireless network components knownas Wi-Fi Protected Access (WPA). WPA, based on a draft of IEEE 802.11i,securely implements the RC4 stream cipher for more effective confidentialityand authentication. The biggest difference between WPA and the draft is thatWPA does not require support for the Advanced Encryption Standard (AES)strong encryption algorithm. WPA allows many existing IEEE 802.11 hardwarecomponents that cannot support the computationally intensive AES encryption.At the same time the IEEE 802.11i amendment was ratified, the Wi-FiAlliance introduced WPA2, its term for interoperable equipment that is capableof supporting IEEE 802.11i requirements. WPA2 certification is based onthe mandatory elements of the IEEE 802.11i standard, but there are somedifferences. WPA2 extends its certification program to include interoperabilitywith a set of common Extensible Authentication Protocol (EAP) methods.For example, WPA2 adds EAP-TLS, which is not a component of the 802.11istandard. WPA2 also excludes support for ad hoc networks, an 802.11i featurethat allows peer-to-peer network device communication.A short-range wireless protocol commonly used by many types of businessand consumer devices such as mobile phones, smart phones, personal computerperipherals, cameras, and video game consoles is Bluetooth. The Bluetoothspecification was developed, and is managed, by the Bluetooth Special InterestGroup, a privately held trade association19. By creating wireless Personal AreaNetworks (PANs), Bluetooth enables ad hoc communication between multiplewireless devices. Bluetooth optionally encrypts, but does not provide integrityprotection for the transmitted data. It is possible to easily modify a transmitted18See the following for NIST Special Publication 800-97 Establishing Wireless RobustSecurity Networks: A Guide to IEEE 802.11i: SP800-97.pdf19See the following for the Bluetooth Special Interest Group’s web site:bluetooth.org/About/bluetooth sig.htmhttps://www.248ISSAP v2.indb 2487/18/2013 10:28:56 AM

Copyright Taylor & Francis Group. Do Not Distribute.Domain 3: CryptographyBluetooth packet without being detected because only a simple cyclic redundancycheck (CRC) is appended to each packet, and no message authentication codeis used. Another security weakness with Bluetooth involves device pairing, theinitial exchange of keying material that occurs when two Bluetooth-enableddevices agree to communicate with one another. In version 2.0 and earlier ofthe Bluetooth specification, pairing is performed over a nonencrypted channel,allowing a passive eavesdropper to compute the link key used for encryption.Version 2.1 introduced the use of Elliptic Curve Diffie–Hellman (ECDH) publickey cryptography, which can be utilized by Bluetooth device developers forprotection against a passive eavesdropping attack. The Bluetooth specificationdefines its own stream cipher called E0. Several weaknesses have been identifiedin Bluetooth’s E0 stream cipher, which is not a Federal Information ProcessingStandards (FIPS)-approved algorithm and can be considered nonstandard[SP800-121]20 21.Version 3.0 High Speed (HS) of the Bluetooth Core Specification wasadopted by the Bluetooth SIG on 21 April 2009. The Bluetooth SIG completedthe Bluetooth Core Specification version 4.0 and it has been adopted as of 30June 2010. It includes Classic Bluetooth, Bluetooth high speed and Bluetoothlow energy protocols. Bluetooth high speed is based on Wi-Fi, and ClassicBluetooth consists of legacy Bluetooth protocols. General improvements inversion 4.0 include the changes necessary to facilitate BLE modes, as well theGeneric Attribute Profile (GATT) and Security Manager (SM) services withAES Encryption.Other Types of Secure CommunicationSecure communication is not limited to IP networks. Plain Old TelephoneService (POTS), including voice as well as data, needs encryption for ensuringconfidentiality. Encrypted telephones are no longer the domain of militarycommunications. Portable/wireless telephone headsets that include encrypted3CryptographyThe Security Manager (SM) is responsible for device pairing and keydistribution. The Security Manager Protocol (SMP) is defined as how the device’sSM communicates with its counterpart on the other device. The SM providesadditional cryptographic functions that may be used by other components ofthe stack.20See the following for an overview of security weaknesses with Bluetooth: http://www.yuuhaw.com/bluesec.pdfSee the following for a detailed explanation of the Correlation Attack on Bluetooth KeystreamGenerator E0: ee the following for the NIST Special Publication 800-121 Revision 1: Guide to BluetoothSecurity: -rev1/sp800-121 rev1.pdf249ISSAP v2.indb 2497/18/2013 10:28:56 AM

Copyright Taylor & Francis Group. Do Not Distribute.Official (ISC)2 Guide to the ISSAP CBK: Second Editiontransmission and reception are available in office supply stores f

237 Domain 3 Cryptography THE CRYPTOGRAPHY DOMAIN requires security architects to understand cryptographic methodologies and the use of cryptography to protect an organization's data storage and