Cryptography and cryptographic systems are critical tools in the cybersecurity world. They help enable strong authentication, allow for integrity checks on data, and are utilized to keep data confidential. While there are many cryptography uses, there are equal amounts of ways and attempts to bypass it. Vulnerabilities in cryptographic systems can be some of the most impactful security flaws in an organization. The following topics are brief overviews of various types of cryptopgraphy and cryptographic systems.
The following subsections are the key areas we focused on during the Cryptography course. Each subsection will dive deeper into the professional and ethical responsibilities for their application.
When encrypting data, two common options are block ciphers and stream ciphers. Stream ciphers encrypt data one bit at a time while block ciphers break data into fixed-sized blocks. Breaking data down into fixed-size blocks allows for less complex but more secure data encryption. Common ciphers in symmetric block ciphers are Data Encryption Standard (DES) and Advanced Encryption Standard (AES). As a cybersecurity professional, it's essential to understand block ciphers and their use of encrypting data within the environment. This allows for the creation of strong encryption policies to help secure an organization's data. NIST provides guidance on block cipher modes in NIST SP 800-38A (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf)
When transferring data, it's important to ensure the integrity and confidentiality of the data as it's in transit and once it's received. The cryptographic topics of hash functions, message authentication codes, and secure channels apply in this use case. Many are aware that the most common of these topics is secure channels. When viewing this website, you see a lock icon near the URL; this shows that the connection to this website is secure and encrypted. Hash functions provide the ability to quickly look at the integrity of a file and ensure it hasn't been manipulated or corrupted from the original form. You'll often see an SHA or MD5 hash provided for files on download sites to help you verify the file's integrity after it's been downloaded. Finally, message authentication codes are a way to identify that the message you're receiving is from the intended sender. NIST identifies three general-purpose MAC algorithms: HMAC, KMAC, and CMAC (https://csrc.nist.gov/Projects/Message-Authentication-Codes).
To maintain secure communications between systems, there needs to be the ability to create, share, and manage public and private keys within cryptographic systems. The topics of key distribution, key management, and public key infrastructure are the ways to manage keys in cryptographic systems. Symmetric cryptography requires the sharing of keys between both parties. Key sharing must be done before using encryption of the transmitted data. Key servers are one way to share public key information between parties. Many organizations such as OpenPGP (keys.openpgp.org), MIT (pgp.mit.edu), and Ubuntu (keyserver.ubuntu.com) run their own key servers as a way of sharing these keys. These key servers provide methods of signing/authenticating the keys to ensure authenticity, also known as key management. Key management is crucial in ensuring that expired or compromised keys are no longer trusted. Finally, Public Key Infrastructure is a method of distributing and managing keys on a larger, more structured scale. A common PKI we may be familiar with are those used by web browsers to track certificates utilized by the websites you use every day.
As a security professional, it's essential to understand the role of cryptography in your environment, where it should be used, and the strength of the various cryptographic systems being used. Since cryptography is a crucial component to ensuring the integrity and confidentiality of a system, creating a PKI and utilizing strong cipher suites and key sizes allows for better security of data in transit and at rest. However, it's also essential to understand the impact, especially on the performance, of encrypting and decrypting traffic and how that may affect your customers or end-users.
Since cryptography and cryptographic systems are utilized so widely in an organization, security professionals have an ethical requirement to ensure that the best solution is used. Whether it be implementing robust authentication methods, providing data integrity, or protecting data in transit/at rest, utilizing robust and proven cryptographic techniques helps ensure the organization's security. Also, robust cryptographic systems will grow with the organization allowing for adaption as use cases modernize.
While this was one of the more technical topics in the program, it's essential to understand the uses, and it was relatively easy to map each sub-topic above back to real life. To help ensure data privacy, cryptography has become such a big part of our daily lives that it's hard to use an electronic device without some form of cryptography being present. As I work with organizations to help them build strong cryptography practices, I know that the information I learned in this course will be valuable.
NIST. (n.d.). NIST SP 800-63 Digital Identity Guidelines. NIST Pages. Retrieved April 12, 2022, from https://pages.nist.gov/800-63-3/
NIST. (2017, January 4). Block Cipher Techniques | CSRC. NIST Computer Security Resource Center. Retrieved April 12, 2022, from https://csrc.nist.gov/Projects/block-cipher-techniques
NIST. (2020, June 22). CSRC Topics - cryptography | CSRC. NIST Computer Security Resource Center. Retrieved April 12, 2022, from https://csrc.nist.gov/Topics/Security-and-Privacy/cryptography