SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit III

Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS).
1.1 Compare virtual private network (VPN) solutions for use by remote workers.

2. Examine encryption types used for the physical security protection of an organization.

2.1 Compare encryption types used in VPNs.
2.2 Investigate how organizations protect data.

Required Unit Resources

Chapter 3: Cryptography

In order to access the following resources, click the links below. You can access transcripts for the videos by
clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2018, January 21). Hashing and digital signatures – CompTIA Security+ SY0-501 – 6.1

[Video]. YouTube. https://www.youtube.com/watch?v=OBdEhSPoDaY

Professor Messer. (2020, December 23). Cryptographic attacks – SY0-601 CompTIA Security+ : 1.2 [Video].

YouTube. https://www.youtube.com/watch?v=u_Ta0rVTL_g

Professor Messer. (2021, March 7). Cryptography concepts – SY0-601 CompTIA Security+ : 2.8 [Video].

YouTube. https://www.youtube.com/watch?v=A6HNd1EGfIc

Professor Messer. (2021, March 29). Cryptography limitations – SY0-601 CompTIA Security+ : 2.8 [Video].

YouTube. https://www.youtube.com/watch?v=m9DA0k0Ctz8

Unit Lesson

Cryptography—Complexity by Design

Cryptography is one of the most sophisticated and complex topics we will cover. This is because
cryptography, encryption, and decryption generally involve purposefully complicated mathematical operations
to keep messages secret when they are traveling between a sender and recipient. Cryptography is a
discipline built around maintaining confidentiality, and if it were not complicated, it would easily be cracked
and rendered useless. If you need any convincing, simply Google the RSA (Rivest-Shamir-Adleman)
algorithm used in cryptography. Mercifully, the algorithm will not be discussed in this lesson, but a little
research can go a long way in showing you just how complicated cryptography can get.

Evolutions of Cryptography

Boyle and Panko (2021) tell us that cryptography has been around for thousands of years. Throughout
history, military leaders have had to keep their plans secret, government officials have had to keep their
conversations private, and children have tried to convey “sensitive information” to their friends using secret
language. In other words, when you substituted numbers or symbols for the alphabet to speak in code to your
friends, you were also using a simple form of cryptography. The same can be said for the most sophisticated
and impactful messages conveyed in code by empires past.

UNIT III STUDY GUIDE
Cryptography

SEC 3302, Advanced IS Security 2

UNIT x STUDY GUIDE
Title

Even in antiquity, cryptography was used on cave walls in non-standard hieroglyphs. Arabs would later
develop various cryptanalytic (i.e., code-breaking) techniques, including some for polyalphabetic ciphers,
which is a technique where multiple substitution alphabets are used. During the same period, the first
descriptions of frequency analysis would emerge, which is a form of cryptanalysis in which the frequency of
letters or groups of letters is studied to decipher the ciphertext.

Most notably, during World War II, the Germans used a cryptography machine known as Enigma to send
coded messages. Unfortunately for them, mathematician Marian Rejewski cracked Enigma’s code using
mathematics and some limited documentation acquired from a German clerk. However, Germans were able
to crack some of the codes used by Allied Forces, such as Naval Cipher No. 3, which ultimately allowed them
to sink several Atlantic convoys.

Cryptography has come a long way since the 1940s. Nowadays, complex algorithms must have a key to
encrypt and decrypt information. The keys convert readable text, or “plaintext,” into a seemingly random
stream of bits called ciphertext. This process requires a cipher, which is a mathematical process used in both
encrypting and decrypting. It also requires a key, which can consist of 40 to 40,000 bits. Each key will
generate a different ciphertext. The longer the keys are, the harder it is to crack the code. Characters may be
substituted or transposed multiple times. Also, most of the time, encryption is performed in the bits and not
the actual character.

Cryptography uses strings of characters, called keys, for both encryption and decryption of

information. Processing the information contained in a key through a cryptographic algorithm results
in encoding or decoding of cryptographic data.

(Faithiecannoise, n.d.)

Symmetric Key Encryption Ciphers

There is a symbiotic relationship between the hacking skills of hackers and the encryption skills of information
technology (IT) professionals. As hackers increase their encryption cracking skills, algorithms
simultaneously—and necessarily—evolve and continue to improve. Many encryption ciphers have been
created and used over time. While they all have the same goal of producing an encrypted message, in
comparison, they use differing levels of computing requirements, speed, and strength.

Ciphers that are the fastest and most efficient in computer processing are often the easiest to crack. For
instance, RC4 is fast and efficient but gives minimal protection if not used properly. In contrast, Advanced
Encryption Standard offers key lengths in 128 bits, 192 bits, and 256 bits. Even the 128-bit version would take
100 trillion years to crack using brute force. The computing requirements, however, are more demanding.

A key’s processing requirements must be considered. In IT, you have to think about any system function that
has a “cost” to your resources. You may have all of the random access memory (RAM), central processing
unit (CPU), and storage you need; however, if you work for an organization that does not freely spend money,

SEC 3302, Advanced IS Security 3

UNIT x STUDY GUIDE
Title

you have to consider the cost. The same thing applies to adding a field to a table in a database. If the table
will have a billion rows and your field could have four characters versus eight characters, you should choose
what will save space.

Confidentiality, Data Integrity, and Authentication

Now that we have talked about the basics of cryptography, what makes up a cryptographic system? Boyle
and Panko (2021) describe a cryptographic system as a packaged set of cryptographic countermeasures
necessary for protecting dialogues. It is also referred to as a cryptosystem. Parties using the system have to
agree on which standard they are going to use to communicate.

There are steps that two parties will take when they agree to communicate through a cryptographic system
standard. These steps include the handshaking stages, initial authentication, keying, and ongoing
communication. We will not explain these steps here because the textbook gives you a good explanation and
a visual depiction of each work. However, they work very well with our next topic.

Cryptography and encryption techniques can provide essential things: confidentiality, data integrity, and
authentication. Confidentiality and authentication refer to limiting information to authorized users. This
involves using authentication methods that are also part of encryption. Authentication is a process in which a
user’s identity is verified. During the authentication process, someone known as a supplicant is trying to prove
their identity and someone else, called a verifier, will verify the information. Credentials are sent, and if all is
well, the two will shake hands, meaning that they will be able to establish a connection.

Data integrity refers to the process of ensuring that the data being passed has not been changed along the
journey. Hashing is also used in cryptography. One example of how hashing can be used is this: If you take
a sentence and apply a hash algorithm to it, you will get a short number. For example, 21 divided by 5 is 4
with a remainder of 1, so 1 is your hash. If you change the 21 to 22, then your hash is 2. The same applies to
text. If you apply a hash algorithm to a sentence, you will get a hash number. If you change the sentence, you
will get a different number. This can be used to make sure that the message you have received did not
change in transit.

Did you ever see the 2014 movie The Imitation Game, starring Benedict Cumberbatch?

Cumberbatch played British mathematician Alan Turing, who designed a device that used hashing
to crack the German Enigma code and decrypt German intelligence messages during World War II.
Common hashing functions include MD5, SHA1, and SHA 256. In the photo above, a man turns a

cryptography switch to change the hash algorithm to SHA-256.
(Le Moal, n.d.)

Deep Dive on Hashing and Evidentiary Implications

SEC 3302, Advanced IS Security 4

UNIT x STUDY GUIDE
Title

Before we move on, what is a very important, practical way that a hash can be used? How about in computer
forensics? Suppose you are an IT forensics technician, and you have been given a hard drive to inspect and
pull information from for evidence. Because digital evidence must be preserved, just like physical evidence, it
must be duplicated—or imaged—in a way that ensures no changes will be made to the original files. After
imaging, the digital forensics technician must ensure that the original and duplicated copies are exactly the
same. But how?

As you may have guessed, the answer lies in hashing. Hash algorithm values are used for verification—they
take any amount of data (input) and create a fixed-length value (output) known as a hash, which acts as a
unique reference number for the original data. Because hash values are fixed in length and made up of a
combination of digits unique to the original data they reference, the values are extremely sensitive to changes
in original data, down to the bit. If hash values between the original image and the copy match, the
investigator has verified that the original and duplicate are the same. Courts can then accept this information
as evidence.

VPNs

Many people are unaware that virtual private networks (VPNs) are created using a cryptographic system. The
use of the cryptographic system allows secure communication over an untrusted network, like a wireless local
area network (LAN). Many organizations enjoy the use of remote access VPNs so their workers can connect
offsite. VPNs are attractive because they are so inexpensive compared to other options like (wide area
networks (WANs). The textbook discusses several types of VPNs, such as host-to-host, remote access, and
site-to-site. Be sure to familiarize yourself with these options.

Some of these manifestations of VPNs appear in our everyday lives, even as consumers. For instance, when
you purchase something online, you are first connected to an e-commerce server. The server, in turn, will
create a host-to-host VPN between itself and your browser. This technique allows for confidential, and
therefore safe, communication between yourself and the server so you can create a secure transaction. In
remote access VPNs, users connect to a VPN gateway. Before the user is given access, he or she must first
be authenticated. Another iteration of VPNs allow site-to-site communication. Each of these VPN types is
considered a cryptographic system. There are standards for VPNs, such as Secure Sockets Layer (SSL) and
Transport Layer Security (TLS), which are discussed in more detail in your textbook.

Internet Protocol Security (IPsec)

The strongest VPN system is the most important standard to learn. It is a family of Internet Engineering
Task Force (IETF) cryptographic standards that is known as IPsec. IPsec operates at the internet rather than
the transport layer, protecting everything in the IP packet data field. It is also completely transparent at the
higher levels. Please review the discussion on this standard in the textbook, as it involves important concepts
in IT security.

References

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson.

https://online.vitalsource.com/#/books/9780135823354

Faithiecannoise. (n.d.). Matching keys made of circuits & led lights, encryption & cryptography (ID 79973735)

[Photograph]. Dreamstime. https://www.dreamstime.com/stock-photo-matching-keys-made-circuits-
led-lights-encryption-crypto-algorithms-cryptography-concepts-public-private-electronic-
image79973735

Le Moal, O. (n.d.). Cryptography concept, cryptographic hash algorithm, SHA-2 (ID 111330522) [Photograph].

Dreamstime. https://www.dreamstime.com/cryptography-concept-cryptographic-hash-algorithm-sha-
man-turning-cryptography-switch-to-change-cryptographic-hash-algorithm-image111330522