Sunday, November 30, 2014

Chapter 11: Change Control Process

  1. Request for a change to take place
    • present to individual or group responsible for approving changes and overseeing activities of changes within an environment
  2. Approval of the change
    • justify reason for change and clearly show benefits and possible pitfalls of change
  3. Documentation of the change
    • after approval of change, enter it into a log and update it according to changes
  4. Tested and presented
    • changes have to be fully tested, this uncovers unforeseen results
  5. Implementation
    • schedule that outlines projected phases of changes being implemented
  6. Report change to management
    • full report summarizing changes, and submit it to management


Posted by at No comments:
Chapter 11: After a System Crash

  • Steps to take when a system crashes:
    1. Enter into single user or safe mode:
      • System cold start takes place when the system's is unable to automatically recover itself to a secure state. This is when an administrator gets involved.
      • The systems will have two options:
        1. Automatically boot up to a "single user mode"
        2. Manually boot up to a "recovery console"
      • The administrator must physically be at the console or have deployed external technology such as secured dial-in/dial-back modems attached to serial console ports or remote keyboard video mouse [KVM] switches attacked to graphic consoles.
    2. Fix issues and recover files:
      • Single user mode:
        • Admin salvages file systems from damage that may have occurred as a result of the unclean, sudden shutdown of the system, and attempts to identify cause of the shutdown to prevent it from recurring.
    3. Validate critical files and operations:
      • If the shutdown suggests corruption then the admin must validate the contents of configuration files and ensure system files are consistent with their expected state.
Posted by at No comments:
Chapter 11: Assurance Level

  • Two types of assurance:
    1. Operational Assurance:
      • Concentrates on the product's architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product
      • Examples:
        • Access control mechanisms
        • Separation of privileged and user program code
        • Auditing and monitoring capabilities
        • Covert channel analysis
        • Trusted recovery (when product experiences unexpected circumstances)
    2. Life-Cycle Assurance:
      • How product was developed and maintained because each stage of the product life cycle has standards and expectations it must fulfill before it can be deemed a highly trusted product.
        • Examples:
          • Design specifications
          • Clipping-level configurations
          • Unit and integration testing
          • Configuration management
          • Trusted distribution
Posted by at No comments:

Sunday, November 16, 2014

Chapter 11: Security and Network Personnel

  • The security administrator should not report to the network administrator of their responsibilities have different focuses. Network administrators have a focus on high availability and performance of the network and resources. The focus on performance and user functionality is usually a trade-off for security. 
  • The following tasks are tasks that should be carried out my security administrators:
    • Implements and maintains security devices and software
      • security products require monitoring and maintenance to get their full value, this includes version updates and upgrades.
    • Carry out security assessments
      • security administrator identify vulnerabilities in the system, networks, software, and in-house developed products used by a business
      • assessments enable business to understand risks it faces in order to make sensible business decisions about products and services it considers purchasing, risk mitigation strategies i chooses to fund vs. risks it chooses to accept.
    • Creates and maintains user profiles and implements and maintains access control mechanisms
    • Configures and maintains security labels in mandatory access controls (MAC) environments
      • MAC environments are mostly found in government and military agencies.
      • Access decisions are based on comparing object's classification and subject's clearance.
    • Sets initial passwords for users
      • New accounts must be protected from attackers who might know patterns used for passwords.
    • Reviews audit logs
Posted by at No comments:

Friday, November 14, 2014

Chapter 11: Administrative Management

  • One aspect of administrative management is dealing with personnel issues which include separation of duties and job rotation. 
  • Separation of duties:
    • The objective is to ensure that one person acting alone cannot comprise the company's security in any way.
    • High-risk activities are broken up into different parts and distributed to different individuals or departments this prevents any one person from having too much authority. 
    • This decreases the changes of fraud unless collision is committed. Collision is when more then one person is needed to commit an act against policy. 
    • Separation of duties can help prevent mistakes and minimize conflict of interest that can take place if one person is performing a task from beginning to end. 
      • E.g. a programmer should not be the only one testing her own code. 
  • Job rotation:
    • Over time, more then one person fulfills the tasks of one position within the company. 
    • How job rotation is helpful for the company is that this allows the company to have more then one person who understands the tasks and responsibilities of a specific job title. This allows for backup and redundancy when a person leaves a company or is absent. 
    • Job rotation also helps identify fraudulent activities.
Posted by at No comments:
Chapter 11: Security Operations

  • Operation security is about configuration, performance, fault tolerance, security, and accounting and verification management to ensure that proper standards of operations and compliance requirements are met (Harris, 1234).
  • Operations security is also about ensuring people, applications, equipment, and overall environment are properly and adequately secured. 
  • Another large part of operations security includes ensuring the physical and environmental concerns are adequately addressed. This includes things such as temperature and humidity controls, media reuse, disposal, and destruction of media containing sensitive information. 
Posted by at No comments:

Tuesday, November 11, 2014

Chapter 10: Software Development Models Overview

  1. Break and Fix:
    1. No real planning up front
    2. Flaws are reactively dealt with after release with the creation of patches and updates
  2. Waterfall:
    1. Sequential approach that requires each phase to complete before the next one can begin.
    2. Difficult to integrate changes
    3. Inflexible model
  3. V-model:
    1. verification and validation is emphasized at each phase
    2. Testing takes place throughout the project, not just at the end
  4. Prototyping:
    1. A model or sample is created from the code for proof-of-concept purposes
  5. Incremental:
    1. Multiple development cycles carried out on a pice of software throughout its development stages
    2. Each stage provides a usable version of software
  6. Spiral:
    1. Interactive approach
    2. Emphasizes risk analysis per iteration
    3. Allows for customer feedback to be integrated through a flexible evolutionary approach
  7. Rapid Application Development:
    1. combines prototyping an d iterative development procedures with goal of accelerating software development process
  8. Agile:
    1. Iterative and incremental development processes that encourages team-base collaboration
    2. Flexible and adaptive


Posted by at No comments:
Chapter 10: Software Development Life Cycle

  • Software development deals with putting repeatable and predictable processes in place which helps to ensure functionality, cost, quality, and delivery schedule requirements are met. 
  • Software Development Life Cycle (SDLC) in general covers the following areas:
    • Requirements gathering:
      • Answers the "why, what, and for whom" in why do we create this software, what will the software do, and for whom the software will be created?
      • In this phase, everyone attempts to understand why the project is needed and what the scope of the project will be. 
      • The team examines software's requirements and proposed functionality, brainstorming sessions take place, and obvious restrictions are reviewed. 
      • This is where you can evaluate products currently on the market and identify demands that aren't met by current vendors.
      • From a security aspect, the following items should be accomplished in this phase:
        • Security requirements
        • Security risk assessment
        • Privacy risk assessment
        • Risk-level acceptance
    • Design:
      • Design in SDLC covers "how" the software will accomplish the goals that are identified.
      • The design phase maps theory and reality
      • Theory encompasses all the requirements that were identified in previous phases and outlines how the product is actually going to accomplish these requirements.
      • Software requirements commonly come in three models:
        • Information model (dictates type of information to be processed and how it will be processed)
        • Functional model (outlines tasks and functions application needs to carry out)
        • Behavioral model (Explains states the application will be in during and after specific transitions take place)
      • From a security standpoint, the following items should be accomplished:
        • Attack surface analysis:
          • Attack surface - what is available to be used by attackers against the product itself.
          • Attack surface analysis - identifies and reduces amount of code and functionality accessible to untrusted users. 
        • Threat modeling:
          • Systematic approach used to understand how different threats could be realized and how a successful compromise could take place.
    • Development:
      • Development is when the actual programming of the software and the code has to meet specifications laid out in the design phase.
      • The software design created in the previous phase (design) is broken down into defined deliverables, and programmers develop code to meet the deliverable requirements. 
      • Computer-aided software engineering (CASE):
        • Any type of software tool 
        • Allows for automated development of software (i.e. program editors, debuggers, code analyzers, version-control mechanisms etc.)
    • Testing/Validation:
      • We have to validate software to ensure the goals are met and the software works as planned.
      • Formal/informal testing should be done as soon as possible.
      • Unit testing:
        • Start very early in development
        • After programmer develops a component (unit of code) it is tested with several different input values in many different situations
        • It isolates each part of the software and show that the individual parts are correct 
        • Continues throughout development phase
      • Different types of testing:
        • Unit testings:
          • Individual components in a controlled environment where programmers validate structure, logic, and boundary conditions.
        • Integration testing:
          • Verifying components work together as outlined in design specifications.
        • Acceptance testing:
          • Ensures code meets customer requirements 
        • Regression testing:
          • When changes are made to the system, you have to retest it to ensure functionality, performance, and protection.
    • Release/maintenance:
      • After the software is developed and deployed, you have to ensure that it is properly configured, patched, and monitored. 
  • The difference in the software development life cycle and the system development life cycle is how each goal is accomplished. System development life cycle has a focus on operations which the IT department usually follows. Software development life cycle focuses more on design and programming and software engineers and coders usually follow this model. 
Posted by at No comments:

Chapter 10: System Development Life Cycle
  • A life cycle is a representation of development changes and a project has the following life cycle: initiation, planning, execution and controlling, and closure.
  • A system's life cycle consist of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. 
  • The basic components of the system development life cycle:
    • Initiation is needed for a new system to be defined
      • When the company establishes a need for a specific system
      • Answer the questions "What do we need and why do we need it?"
      • Primary risk assessment is carried out to develop an initial description of the confidentiality, integrity, and availability requirements of the system.
        • the assessment defines the environment in which the system will operate within any identified vulnerabilities.
    • Acquisition/development is when a new system is either created or purchased
      • "buy" or "build" decision - the organization needs to evaluate ithe need for the system and see if it can be developed in-house or if it needs to be purchased from a vendor.
      • Activities that need to take place:
        • Requirements analysis
        • Formal risk assessment
        • Security functional requirements analysis
        • Security assurance requirements analysis
        • Third-party evaluations
        • Security plan
        • Security test and evaluation plan
    • Implementation is when a new system is installed into production environment
      • Before a system can be formally installed within the production environment a certification and accreditation (C&A) processes has to be performed.
      • Certification: the technical testing of a system.
      • Accreditation: formal authorization given by management to allow a system to operate in a specific environment.
    • Operation/maintenance is when the system is used and cared for
      • Within the implementation phase, baselines were set pertaining to the system's hardware, software, and firmware configuration.
      • In the operation/maintenance phase, continuous monitoring needs to take place to ensure that the baselines are always met. 
    • Disposal is when the system is removed from the production environment
      • Disposal activities need to ensure that orderly termination of systems that no longer provide a needed function can take place and all the necessary data are preserved.
Posted by at No comments:

Friday, November 7, 2014

Chapter 10: Different Environments Demand Different Security 

 Environment vs. Application
  • Software controls can be implemented by the operating system or by the application, but usually its a combination of both.
  • Application controls and database management controls are specific to their needs and security compromises they understand.
  • Application:
    • Application protects data by allowing only certain types of inputs and not permitting certain users to view data kept in sensitive database fields.
    • It does not protect against users inserting bogus data into Address Resolution Protocol (ARP) table.
  • The downsides to relying mainly on operating system controls:
    • Although they can control a subject's access to different objects and restrict the actions of that subject within the system, they do not necessarily restrict the subject's actions within an application.  
      •  In other words, if an application has a security vulnerability within its own programming code, it is hard for the operating system to predict and control this vulnerability. 
Functionality vs. Security
  • Trying to account for all the "what-ifs" and programming with caution can reduce the overall functionality of the application.
  • You have to balance functionality and security but in the development world functionality is more important. 
  • Each module of the system should be capable of being tested individually and in concert with other modules so the product can be more secure because flaws could be exploited early on.
Implementation and Default Issues
  • Most security has to be configured and turned on after installation.
  • Settings have to be configured to properly integrate it into different environments.
  • When a security application or device is installed, it should default to "No Access" because when a user installs a packet-filter firewall, it should not allow any packets to pass into the network that were not specifically granted access.
  • A fine balance exists between security, functionality, and user-friendliness.
  • A user-friendly application requires a lot of extra coding for potential user errors, dialog boxes, wizards, and step-by-step instructions, this could result in bloated codes that can create unforeseeable compromises because of extra coding. 
  • Various servers are enabled when a system is installed.
  • Implementation errors and misconfigurations are common items that cause a majority of security issues in network environments. 
Posted by at No comments:
Chapter 10: Software Development Security
  • To help implement security into a software you have to understand the security needs of a piece of software, implement the right controls and mechanisms, thoroughly test the mechanisms and how they integrate into the application, follow structured development methodologies, and provide secure and reliable distribution methods. 
  • Today, network and security administrations are having to integrate different applications and computer systems to keep up with their company's demand for expandable functionality.
  • The usual trend of dealing with security, figure 10-1 from CISSIP All-in-One Exam Guide:
Posted by at No comments:

Wednesday, November 5, 2014

Chapter 9: Complexities in Cybercrime- International Issues

  • Council of Europe (CoE) Convention on Cybercrime:
    • Is an example to create a standard international response to cybercrime.
    • It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation.
    • Objectives include:
      • Creating a framework for establishing jurisdiction and extradition of the accused
  • Organization for Economic Co-operation and Development (OECD):
    • Global organization that move data across other country boundaries must be aware and follow the Organization for Economic Co-operation and Development (OECD).
    • The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. 
    • The OECD came up with guidelines for various countries to follow so that data are properly protected and everyone follows the same types of rules.
    • The core principles defined by the OECD are as follows:
      • Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
      • Personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
      • Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
      • Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other then those previously stated.
      • Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
      • Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
      • Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied request to do so.
      • Organizations should be accountable for complying with measures that support the previous principles.
Posted by at No comments:
Chapter 9: Complexities in Cybercrime - The Evolution of Attack

  • Advanced Persistent Threat (APT)
    • APT differs from regular attackers in that it is a common group of attackers, not just one hacker, which combine knowledge and abilities to carry out whatever exploit that will get them into the environment they seek.
    • APT are focused and motivated to aggressively and successfully penetrate a network with variously different attack methods.
    • This type of attack is coordinated by human involvement, rather then various types of threats that goes through automated steps to inject its payload.
    • The APT has specific goals and is commonly highly organized and well funded, this makes it the biggest threat of all. 
    • An APT is commonly custom-developed malicious code that is build specifically for its target, it has multiple ways of hiding itself once it infiltrates the environment, may be able to polymorph itself in replication capabilities, and has several different "anchors" so eradicating it is difficult if it is discovered. 
    • The attacker put the code through barrage of tests against the most up-to-date detection applications on the market so APT infiltrations are usually very hard to detect with host-based solutions. 

Posted by at No comments:

Thursday, October 30, 2014

Chapter 9: Complexities in Cybercrime

  • Most hackers never get caught because there aren't enough investigators to investigate the attack and the individuals who actually investigate the crime are behind in their abilities and expertise compare to the hacker. 
    • Within the United States, local law enforcement departments, the FBI, and the Secret Service investigate computer crimes.
  • Also, hackers hide their identity by using innocent people's computers to cary out the brimes for them. The attacker install malicious software on a computer that stays dormant until the attacker tells it what system to attack and when.
  • Zombies are the compromised systems.
  • Bots are the software installed on the zombies.
  • Botnet is a term to describe several compromised systems.
  • You can visit www.cybercrime.gov to find all the current and pass prosecuted cyber crimes that have taken place int he United States. 

Posted by at No comments:
Chapter 9: Legal, Regulations, Investigations, and Compliance
  • The Crux of Computer Crime Laws:
    • Also referred to as cyberlaw
    • Deals with core issues of unauthorized modification or destruction, disclosure of sensitive information, unauthorized modification or destruction, disclosure of sensitive information, unauthorized access, and the user of malware (malicious software).
    • Laws were created to combat three categories of crime:
      • Computer-Assisted Crime
      • Computer-Targeted Crime
      • Computer is incidental
    • Computer-assisted crime:
      • This is where the computers are used as a tool to help in carrying out a crime.
      • Examples:
        • Attacking financial systems to carry out theft of funds and/or sensitive information
        • Obtaining military and intelligence material by attacking military systems
        • Carrying out industrial spying by attacking competitors and gathering confidential business data
        • Carrying out information warfare activities by attacking critical national infrastructure systems
        • Carrying out hactivism, which is protesting a government or company’s activities by attacking their systems and/or defacing their web sites
    • Computer-targeted crime:
      • Computer-targeted crimes are where a computer was the victim of an attack that was meant to harm it (and its owners) specifically.
      • Example:
        • Distributed Denial-of-Service (DDoS) attacks
        • Capturing passwords or other sensitive data
        • Installing malware with the intent to cause destruction
        • Installing rootkits and sniffers for malicious purposes
        • Carrying out a buffer overflow to take control of a system 
    • Computer-targeted crime:
      • A computer is not necessarily the attacher or the attackee, but a computer was involved when the crime was carried out. 
Posted by at No comments:

Tuesday, October 28, 2014

Chapter 8: Risk Assessment
  • The assessment takes into account the organization's tolerance for continuity risks.
  • The assessment should identify, evaluate, and record all relevant items, which include the following:
    • Vulnerabilities for all of the organization's most time-sensitive resources and activities
    • Threats and hazards to the organization's most urgent resources and actives
    • Measures that cut the possiblity, length, or effect of a disruption or critical services and products
    • Single points of failure, that is, concentrations of risk that threaten business continuity
    • Continuity risks from concentrations of critical skills or critical shortages of skills
    • Continuity risks due to outsourced vendors and suppliers
    • Continuity risks that the BCP program has accepted, that are handled elsewhere, or the the BCP program does not address
  • The end results of a risk assessment include:
    • Identifying and documenting single points of failure
    • Making a prioritized list of threats to the particular business processes of the organization
    • Putting together information for developing a management strategy for risk control, and for developing action plans for addressing risk
    • Documenting acceptance of identified risks, or documenting acknowledgement of risks that will not be addressed
  • Risk assessment equation:
    • Risk = Threat x Impact xProbability
Posted by at No comments:

Saturday, October 25, 2014

Chapter 8: BCP Policy
  • The BCP policy is the framework for and governance of designing and building the BCP effort. 
  • The policy outlines the BCP purpose and provides an overview of principles of the organization and those behind BCP. 
  • The policy includes its scope, mission statement, principles, guidelines, and standards. 
  • Steps to drawing up a policy:
    • Identify and document the components of the policy.
    • Identify and define policies of the organization that the BCP might effect.
    • Identify pertinent legislation, laws, regulations, and standards.
    • Identify "good industry practice" guidelines by consulting with industry experts.
    • Perform a gap analysis. Find out where the company is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process.
    • Compose a draft of the new policy.
    • Have different departments within the organization review the draft.
    • Put the feedback from the department into a revised draft.
    • Get the approval of top management on the new policy.
    • Publish a final draft, and distribute the publicized it throughout the organization. 
  • Business Impact Analysis (BIA):
    • BIA is a functional analysis
    • A team collects data through interviews and documentary sources
    • BIA is used to document business functions, activities, and transactions
    • BIA develops a hierarchy of business functions
    • BIA steps:
      • Select individuals to interview for data gathering
      • Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches)
      • Identify the company's critical business functions
      • Identify the resources these functions depend upon
      • Calculate how long these functions can survive without these resources
      • Identify vulnerabilities and threats to these functions
      • Calculate the risk for each different business function
      • Document findings and report them to management
Posted by at No comments:
Chapter 8: BCP Project Components

  • Initiation Phase:
    • The initiation phase is where the company has to figure out what it is doing and why. 
    • A business continuity coordinator must be identified. 
      • A business continuity coordinator will be the leader for the Business Continuity Plan (BCP).
      • They will oversee the development, implementation, and testing of the continuity and disaster recovery plan. 
      • They will need to coordinate with a lot of different departments.
      • A business continuity coordinator will have to have direct access to management and have the credibility and authority to carry out leadership tasks. 
    • A BCP committee has to be put together.
      • The committee should be made up of representatives from at least the following departments:
        • Business units
        • Senior management
        • IT department
        • Security department
        • Communications department
        • Legal department
Posted by at No comments:
Chapter 8: Business Continuity and Disaster Recovery

Disaster Recovery Plan (DRP):
  • The DRP is in effect when everything is still in emergency mode and critical systems need to be back online.
  • Goal of disaster recovery is to minimize the effects of a disaster or disruption.
  • Taking necessary steps to ensure resources, personnel, and business processes are able to resume operations in a timely manner.

Business Continuity Plan (BCP):
  • BRP involves getting critical systems to another environment while repair of the original families is under day.
  • Getting the right people to the right place during the disaster times.
  • Performing business in a different mode until regular conditions are back in place.
  • Dealing with customers, partners, and shareholders through different channels until everything returns to normal.

Business Continuity Management (BCM):
  • BCM is a general management process that should cover both BRP and DRP.
  • Main objective is to allow the organization to continue to perform business operations under various conditions.  

Standards and Best Practices:
Special Publication 800-34, Continuity Planning Guide for Information Technology System is what the US government organizations must have and “good to have” for other nongovernment entities.
  • Develop the continuity planning policy statement
  • Conduct the business impact analysis (BIA)
  •  Identify preventive controls
  • Develop recovery strategies
  • Develop the contingency plan
  • Test the plan and conduct training and exercise
  • Maintain the plan


Posted by at No comments:

Wednesday, October 22, 2014

Chapter 7: Key Management         

  • Keys must be distributed securely to the right entities and updated continuously.
  • Keys must be protected as they are transmitted and while they are being stored on each workstation and server.
  • Keys must be generated, destroyed, and recovered properly.
  • Key management can be handled through manual or automatic processes.
  • Keys are stored before and after distribution.
  • The key, algorithm that will use the key, configurations, and parameters are stored in a module that also needs to be protected.

Chapter 7: Key Management Principles
  • Keys should not be available in cleartext.
  • All key distribution and maintenance should be automated and hidden from the user and these processes should be integrated into software or the operating system.
  • Backup copies of the key should be available and easily accessible when required.
  • The key recovery process could require two or more other individuals to present their private keys or authentication information and these individuals should not all be members of the IT department.
  • Rules for Keys and Key Management
    • The key length should be long enough to provide the necessary level of protection.
    • Keys should be stored and transmitted by secure means.
    • Keys should be extremely random, and the algorithms should use the full spectrum of the keyspace.
    • The Key’s lifetime should correspond with the sensitivity of the data it is protecting. (Less secure data may allow for a longer key lifetime, whereas more sensitive data might require a shorter key lifetime.)
    • The more the key is used, the shorter its lifetime should be
    • Keys should be backed up or escrowed in case of emergencies.
    • Keys should be properly destroyed when their lifetime comes to an end. 

Posted by at No comments:
Chapter 7: Types of Symmetric Systems
  •  Data Encryption Standard (DES)
  • 3DES (Triple DES)
  • Blowfish
  • Twofish
  •  International Data Encryption Algorithm (IDEA)
  •  RC4, RC5, and RC6
  • Advanced Encryption Standard (AES)
  •  Secure and Fast Encryption Routine (SAFER)
  •  Serpent

Data Encryption Standard:
History:
  • 1974, IBM’s 128-bit algorithm (Lucifer) that was modified by the NSA (National Institute of Standards and Technology) to 64-bits which became a national cryptographic standard in 1977 and an American National Standards Institute (ANSI) standard in 1978.
  • NSA announced that it would no longer endorse DES and DES-based products would no longer fall under compliance with Federal standard 1027 starting January 1988. This was not accepted well and eventually NSA extended the life of DES another 5 years.
  • DES was eventually broken by Electronic Frontier Foundation who built a computer system that broke DES in 3 days and lead to the creation of 3DES and DES was later replaced by Rijndael algorithm as the Advanced Encryption Standard (AES) by NIST. 

How does DES work?
DES is a symmetric block encryption algorithm. This means that when 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext comes out. Since it’s symmetric, the same key is used for encryption and decryption. When DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are then put into 16 rounds of transposition and substitution functions.

What does it mean to be “broken”?

Algorithms are considered to be broken if someone uncovers a key that is used during an encryption process. You can break an algorithm by brute force attack of by identifying weaknesses in the algorithm itself.
Posted by at No comments:

Tuesday, October 14, 2014


Chapter 7: Running and Concealment Ciphers:
  • Running Key Cipher:
    • Can use a key that does not require an electronic algorithm and bit alternation.
    • Uses components in the physical world.
    • Example:
      •  An algorithm that is a set of books agreed upon by the sender and receiver. The key in this cipher could be a book page, line number, and column count.
  • Concealment Cipher:
    • This type of cipher is a message within a message.
    • Example:
      • Suppose it was agreed upon to have a key with every third word within a message. If a secret message was sent that read, “The saying, ‘The time is right’ is now cow language, so is not a dead subject.” Because the key is every third word, the secret message within the message would be “The right cow is dead.”

Posted by at No comments:
Subscribe to: Comments (Atom)