Cryptography and Authentication Cheat Sheet

Cryptography Cheat Sheet

General Concepts

  • Cryptography: The study of encryption principles and methods.
  • Cryptanalysis: The process of deciphering ciphertext without knowing the key.
  • Cryptosystem: A system that combines algorithms, keys, and key management to perform cryptographic operations.
  • CIA Triad:
    • Confidentiality: Protects against unauthorized disclosure.
    • Integrity: Protects against unauthorized modification.
    • Availability: Ensures reliable access to information.

Key Terminology

  • Plaintext: The original message to be encrypted.
  • Ciphertext: The encrypted message.
  • Encryption: The process of converting plaintext into ciphertext.
  • Decryption: The process of converting ciphertext back into plaintext.
  • Key: A secret value used in both encryption and decryption.
  • Kerckhoffs's Principle: The security of a cryptosystem should depend only on the secrecy of the key, not the algorithm.

Symmetric Encryption (Secret Key)

  • One-Time Pad (OTP): A cipher that uses a random key as long as the message. It provides perfect secrecy but is impractical because of key distribution.
  • Stream Cipher: Uses a pseudorandom generator (PRG) to generate a keystream XORed with the plaintext.
  • Block Cipher: Encrypts fixed-size blocks of data (e.g., AES, DES). Requires modes of operation for longer messages.
  • Common Block Cipher Modes:
    • ECB (Electronic Codebook): Insecure because identical plaintext blocks produce identical ciphertext blocks, exposing patterns; avoid it.
    • CBC (Cipher Block Chaining): Chains each block with the previous ciphertext block; requires a random IV.
    • CTR (Counter Mode): Transforms a block cipher into a stream cipher.

Modern Block Ciphers

  • DES (Data Encryption Standard): A Feistel cipher with a 56-bit key, now considered insecure.
  • AES (Advanced Encryption Standard): A secure and efficient substitution-permutation network (SPN) with 128-, 192-, or 256-bit keys.

Public-Key Cryptography (PKC)

  • Diffie-Hellman Key Exchange: Establishes a shared secret over an insecure channel.
  • RSA:
    • Security is based on the difficulty of factoring large numbers.
    • Public key encrypts; private key decrypts.
    • Requires proper padding schemes for security.

Message Authentication Codes (MAC)

  • MAC: Provides message integrity and authentication using a shared secret key.
  • HMAC (Hash-Based MAC): Combines a hash function (e.g., SHA-256) with a secret key.

Hash Functions

  • Collision Resistance: Infeasible to find two inputs with the same hash output.
  • Examples: SHA-256 (256-bit output).
  • Merkle-Damgård Construction: Builds hash functions from compression functions.

Authenticated Encryption (AE)

  • Encrypt-then-MAC: Encryption followed by MAC for confidentiality and integrity.
  • AE Security: Protects against passive and active attacks (CPA and CCA security).

Security Models

  • CPA (Chosen-Plaintext Attack): Attacker can obtain encryptions of chosen plaintexts.
  • CCA (Chosen-Ciphertext Attack): Attacker can obtain decryptions of chosen ciphertexts.

Attacks on Ciphers

  • Linear/Differential Cryptanalysis: Exploits statistical patterns.
  • Birthday Attack: Finds hash collisions with complexity 2^(n/2) for an n-bit hash output.

Digital Signatures

  • Ensure authenticity and non-repudiation: the private key signs, the public key verifies.

Best Practices

  • Use established standards (AES, RSA, HMAC).
  • Use randomized encryption (random IVs).
  • Combine encryption with MAC.

Authentication: Types & Techniques

  1. Password-Based Authentication

    • Something You Know: Secret PIN or password.
    • Vulnerabilities: Phishing, eavesdropping, offline attacks.
    • Mitigations: Salting, slow hashing, OTPs.
  2. Token-Based Authentication

    • Something You Have: Smartcards, OTP tokens.
    • Used in 2FA.
    • Vulnerabilities: Phishing, replay attacks, theft.
    • Mitigations: Challenge-response, physical security.
  3. Biometric Authentication

    • Something You Are: Fingerprints, iris scans, etc.
    • Challenges: False acceptance rate (FAR), false rejection rate (FRR), spoofing.

Password Attacks & Defenses

  • Attacks: Dictionary attacks, guessing, phishing, replay.
  • Defenses:
    • Salting: Adds random data to passwords before hashing.
    • Slow Hashing: PBKDF2, scrypt.
    • OTPs: Time-based (TOTP) or event-based (HOTP).

Challenge-Response Protocols

  • Avoids revealing passwords.
  • Verifier sends a challenge; the prover responds using a secret.
  • Digital signatures enhance security.
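
A challenge-response exchange from both sides, as an added example (not part of the original cheat sheet). It uses an HMAC over a random single-use challenge with a shared secret, which is one possible construction; the class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def prover_respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Prover side: prove knowledge of the secret without sending it."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Verifier side: issues fresh challenges and accepts each at most once."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)  # unpredictable, never reused
        self.outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already consumed: a replay
        self.outstanding.discard(challenge)  # single use, even if the check fails
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    verifier = Verifier(secret)
    c1 = verifier.issue_challenge()
    r1 = prover_respond(secret, c1)
    first = verifier.check(c1, r1)       # legitimate response
    replay = verifier.check(c1, r1)      # same pair sent again
    c2 = verifier.issue_challenge()
    stale = verifier.check(c2, r1)       # old response against a new challenge
    return {"first": first, "replay": replay, "stale": stale}
```

A captured response is useless to an eavesdropper because it is bound to a challenge the verifier will not accept again.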

Authorization: Models & Types

  1. Access Control Matrix

    • Represents subject permissions over objects.
    • Inefficient for large systems.
  2. Access Control Lists (ACLs)

    • Permissions stored by object.
    • Common in file systems.
    • Easy to modify object permissions.
  3. Capabilities (C-Lists)

    • Permissions stored by subject.
    • Focuses on user delegation.
    • User-oriented.

Access Control Models

  1. Discretionary Access Control (DAC)

    • Users control access to their objects.
    • Vulnerable to malware, which runs with the user's permissions.
  2. Mandatory Access Control (MAC)

    • System-wide policy defines access.
    • Used for confidentiality (e.g., Bell-LaPadula).
  3. Role-Based Access Control (RBAC)

    • Access based on roles.
    • Easier to manage permissions.
    • Role hierarchies (RBAC1).
  4. Attribute-Based Access Control (ABAC)

    • Access based on attributes.
    • Flexible but computationally expensive.

File Permissions (POSIX)

  1. Owner/Group/Others

    • Read, write, execute permissions.
  2. Permission Types

    • Read (r), Write (w), Execute (x).
    • Example: rwxr-xr--
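
How a permission string such as rwxr-xr-- turns into an access decision, as an added example (not part of the original cheat sheet). It models only the nine basic bits: the superuser bypass, setuid/setgid/sticky bits and extended ACLs are left out, and the function names are assumptions made for this example.

```python
def parse_symbolic(perm: str) -> int:
    """Convert a 9-character string such as 'rwxr-xr--' into mode bits (0o754)."""
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def allowed(mode: int, file_uid: int, file_gid: int,
            uid: int, gids: set, want: str) -> bool:
    """Decide access for a subject; 'want' is any combination of 'r', 'w', 'x'.

    Exactly one class applies: owner if the uid matches, otherwise group if
    the file's group is among the subject's groups, otherwise others.
    """
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (mode >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(want))
    return (granted & needed) == needed


def owner_locked_out() -> bool:
    """Edge case: with ---r--r-- the owner is denied read although others may read."""
    mode = parse_symbolic("---r--r--")
    owner_reads = allowed(mode, 1000, 100, uid=1000, gids={100}, want="r")
    other_reads = allowed(mode, 1000, 100, uid=2000, gids={200}, want="r")
    return (not owner_reads) and other_reads
```

The classes are not cumulative: a subject matching the owner class never falls through to the group or others bits, which is why the last function returns True.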

Unix DAC Features

  • chmod/chown: Modify permissions (chmod) and ownership (chown).
  • Extended ACLs: Additional permissions.

Combining Access Control Models

  • DAC and MAC can be combined.