3DES Multi Key Explained
I posted this question on the CCCURE forums and wanted to share an excellent response from a member there detailing the question. This helped me out a lot. It went back and forth for quite a few posts, but I'm only going to include my initial post and the best answer. Also, as I was reminded, do not dig too deep into the concepts.
http://www.cccure.org/ftopicp-32896.html#32896
The 3DES symmetric process works as follows:
Encrypt with the first key
Decrypt with the second key
Encrypt with the first key
I guess the thing that is throwing me off is how you can decrypt the ciphertext using a second key. My understanding is that symmetric private-key implementations must use the same key to encrypt and decrypt.
So how can you decrypt with a second key when it was initially encrypted with the first (different) key?
I agree that you probably do not need this for the test. However, let's go with an analogy, because I sometimes have difficulty understanding the basic process if I am caught up in more abstract issues. In the deciphering/decrypting process you would need to apply all the original keys.
Rather than a backup process, let's think about this encryption process in terms of a letter. Let's do 3DES-EDE3: encrypt, decrypt, and encrypt with three different keys. The first encryption step is writing a letter (plaintext) and putting it into a sealed standard envelope (first key). Now, you decrypt the letter with an incorrect key (second key), or in this example you open the letter by ripping it in half instead of along the top. Then, in the third encryption step you put the ripped letter into a big shipping box (third key). In order to decrypt you cannot just open the original standard envelope. You have to reverse the packaging process by opening the shipping box, putting the two halves of the letter together, then opening the small envelope.
Comments
tiersten: The encrypt, decrypt and encrypt sequence is for backwards compatibility. If you set the 2nd key to be the same as the 1st key then you're just doing regular DES.
The actual names for the processes where you encrypt and decrypt can be swapped around if you want. You just have to make sure whoever is on the receiving end also knows you've swapped it. Decrypting ciphertext with the wrong key or plaintext is basically encrypting it.
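The mechanics behind the envelope analogy in the original answer and behind tiersten's two points above (decrypting with a key that was never used to encrypt is still a well-defined operation, and making the keys equal collapses 3DES to plain DES) can be shown in code. The block below is an added example, not code from the original post or from the CCCURE thread. A full DES implementation would not fit here, so a deliberately tiny Feistel cipher (16-bit block, 16-bit key, 4 rounds, not secure) stands in for DES; this substitution is an assumption of the example. DES is the same kind of object, a keyed permutation of the block space built from Feistel rounds, so the structural facts demonstrated (decryption under any key is a bijection that loses no information, E-D-E is undone by D-E-D with the key order reversed, and K1 = K2 = K3 reduces EDE to a single encryption) carry over to real 3DES unchanged. All names (`toy_encrypt`, `ede_encrypt`, `demo`, ...) and the S-box table are this example's own.

```python
"""Why "decrypt with the second key" is a legitimate step in 3DES-EDE.

Added illustration, not from the original post.  A toy 16-bit Feistel cipher
stands in for DES (an assumption); it is NOT secure and exists only to show
structure.  Like DES, it is a keyed permutation of the block space, so
"decrypt" under any key, even one never used for encryption, is simply the
inverse permutation for that key and loses no information.
"""
from functools import lru_cache

BLOCK_BITS = 16
ROUNDS = 4
# Toy 4-bit S-box: a bijection on 0..15 (the specific table is an assumption).
SBOX = (0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7)


@lru_cache(maxsize=None)
def _round_keys(key: int) -> tuple:
    """Derive one 8-bit round key per round by rotating the 16-bit key."""
    if not 0 <= key < 1 << BLOCK_BITS:
        raise ValueError("toy key must be a 16-bit integer")
    keys = []
    for i in range(ROUNDS):
        shift = (3 * i) % BLOCK_BITS
        rotated = ((key << shift) | (key >> (BLOCK_BITS - shift))) & 0xFFFF
        keys.append(rotated & 0xFF)
    return tuple(keys)


def _f(half: int, rk: int) -> int:
    """Round function: key mix, S-box on both nibbles, then a rotate for diffusion."""
    x = half ^ rk
    y = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((y << 3) | (y >> 5)) & 0xFF


def _feistel(block: int, round_keys) -> int:
    """Run the Feistel rounds in the given key order.  The halves are swapped
    once more at the end, as DES does, so the same routine with the round keys
    reversed is the exact inverse."""
    if not 0 <= block < 1 << BLOCK_BITS:
        raise ValueError("toy block must be a 16-bit integer")
    left, right = block >> 8, block & 0xFF
    for rk in round_keys:
        left, right = right, left ^ _f(right, rk)
    return (right << 8) | left


def toy_encrypt(block: int, key: int) -> int:
    """Stand-in for DES encryption (E_key)."""
    return _feistel(block, _round_keys(key))


def toy_decrypt(block: int, key: int) -> int:
    """Stand-in for DES decryption (D_key): same rounds, subkeys reversed."""
    return _feistel(block, tuple(reversed(_round_keys(key))))


def ede_encrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """3DES-style EDE: E_k3(D_k2(E_k1(block))).  With k3 == k1 this is 2-key 3DES."""
    return toy_encrypt(toy_decrypt(toy_encrypt(block, k1), k2), k3)


def ede_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """Undo EDE by reversing both the operations and the key order: D_k1(E_k2(D_k3(c)))."""
    return toy_decrypt(toy_encrypt(toy_decrypt(block, k3), k2), k1)


def is_permutation(fn) -> bool:
    """True if fn maps the whole 16-bit block space onto itself with no collisions."""
    seen = {fn(b) for b in range(1 << BLOCK_BITS)}
    return len(seen) == 1 << BLOCK_BITS


def demo(plaintext: int = 0x1234, k1: int = 0x0123, k2: int = 0xBEEF, k3: int = 0xC0DE) -> dict:
    """Check the facts the forum answer describes; every value should be True."""
    c1 = toy_encrypt(plaintext, k1)
    middle = toy_decrypt(c1, k2)   # "decrypt with the wrong key": looks like garbage...
    c = ede_encrypt(plaintext, k1, k2, k3)
    return {
        # ...but nothing is lost, because D_k2 is just a permutation with inverse E_k2:
        "wrong_key_decrypt_is_reversible": toy_encrypt(middle, k2) == c1,
        # decryption under any key is a bijection of the whole block space:
        "decrypt_with_any_key_is_bijective": is_permutation(lambda b: toy_decrypt(b, k2)),
        # the full E-D-E chain is undone by D-E-D with the keys in reverse order:
        "ede_roundtrips": ede_decrypt(c, k1, k2, k3) == plaintext,
        # backwards compatibility: equal keys collapse EDE to a single encryption:
        "equal_keys_collapse_to_single": ede_encrypt(plaintext, k1, k1, k1) == toy_encrypt(plaintext, k1),
        # the 2-key form (k3 == k1) described in the question also round-trips:
        "two_key_roundtrips": ede_decrypt(ede_encrypt(plaintext, k1, k2, k1), k1, k2, k1) == plaintext,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {ok}")
```

The point of `is_permutation` is the one the original question trips over: "decrypt" is not a check that the key is right, it is the inverse of that key's permutation, and applying it to any block is as meaningful as applying the forward permutation. That is also why tiersten can say the E and D labels could be swapped, and why the middle step of EDE does not throw anything away. To try this against real DES, replace `toy_encrypt`/`toy_decrypt` with a DES primitive from a crypto library; the `ede_*` functions and the checks need no other change.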
cashew: Right, so when you decrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.
That's what makes EEE3 so powerful, in the sense that 3 different keys are used from the keyspace, right?
JDMurray:
cashew wrote: Right, so when you decrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.
cashew:
JDMurray wrote: cashew wrote: Right, so when you decrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.
Isn't there an EEE3 for encryption with 3 different keys with no decryption?
JDMurray:
cashew wrote: Isn't there an EEE3 for encryption with 3 different keys with no decryption?
Have a look at http://en.wikipedia.org/wiki/Triple_DES
cashew: Thanks JD, I think we are the next line of recruits to join the ranks of CISSP! I sit mine in February in Atlanta. By the way, I saw Zack and Miri (Kevin Smith's recent work) and thought it was awesome!
dynamik: This is somewhat off-topic, but how do you guys like the cccure.org forums? I'm somewhat of a noob, so I've just been looking at the SSCP forums, but I haven't been impressed. I've seen some links to **** and pirated resources that haven't been removed, and a lot of people have been advocating using nothing but a CBT and the cccure.org practice questions to pass. I'm not saying that those aren't good resources, but I don't feel like that's enough to master the material. Oh well, that just makes me appreciate these forums that much more.
Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...
I suppose I'm a bit biased though...
cashew: CCCURE is tailored for the CISSP, SSCP, and others (while vendor neutral, it's an ISC2 whore). Whenever I post there, I always get a well-defined answer or at least a topic for debate. There are some pretty sharp people there, but this forum is nice as well. Here I feel my due diligence is needed, and I contribute to MCSE questions and Security+ questions. Once I get my CISSP I will talk more with my chin in the air; until then I rely on resources like JD and others for answers.
Back to the topic: CCCURE is recognized and an excellent source; however, posting here you will get a fast answer. If I see a question presented on info sec and I cannot answer it, I usually can reference a text or a friend with experience. When everything is said and done, CCCURE is awesome, but TechExams can't be beat!
Slowhand:
dynamik wrote: Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...
cashew:
Slowhand wrote: dynamik wrote: Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...
To tell you the truth, I know my stuff quite well. I have over 5 years' info sec experience as well as an MCSE and Security+. Slowhand and JD are knowledgeable. I know my stuff as well, so if you post here you will definitely get a responsive yet reputable answer.
JDMurray: I would start out in the CISSP CBK discussion forum. Most of the activity is there. I'm in the process of reading through all 1700+ posts dating back as far as 2005 and taking study notes. Some very good information on interpreting questions, facts about CBK stuff, and the usual rambling from semi-informed people.
And yes, they aren't as hard-nosed about **** there as we are here at TE. They warn against them, but they don't take any action against members that mention or use them. And frankly, a CISSP **** is only a false sense of security that you will pass.
dynamik: Yeah, that's my project for the next few weeks. I was hoping the CISSP forums would be better. The SSCP forums only have 43 posts, so I was able to burn through that like nothing. Shednik turned me on to ethicalhacker.net, and I currently have 148 pages of unread threads, so that one's going to take a bit longer.
cashew:
dynamik wrote: Yeah, that's my project for the next few weeks. I was hoping the CISSP forums would be better. The SSCP forums only have 43 posts, so I was able to burn through that like nothing. Shednik turned me on to ethicalhacker.net, and I currently have 148 pages of unread threads, so that one's going to take a bit longer.
I have not taken the SSCP but have the book. There are only 7 CBKs compared to the CISSP's 10 CBKs. If my employer will pay for my exam and commit to the application of the appropriate 180 CBKs a year (120 from CISSP and 60 from SSCP). JD is an SSCP, but I'm about to become a CISSP and will probably transition to CISM and GIAC. That's management, though, which is where I'm destined. You want to stay technical, go the CISSP route with CISA. You'll get paid!
cashew: Maybe true, but my experience and MCSE enable me to run circles around our admins with issues pertaining to our environment. CISA, CISSP, GIAC, etc. with experience will outweigh any technical cert in existence, unless you're a CCIE, then you're a bad ass hands down, no?
gwamaka:
JDMurray wrote: cashew wrote: You want to stay technical, go the CISSP route with CISA. You'll get paid!
This question is for JD... how long did it take you to prepare for the SSCP exam? I am planning to take this exam sometime next year. I am looking into allocating 2 weeks of study time per domain, 2 to 3 hours per day on weekdays and 5 hours on both Saturdays and Sundays. This will give me about 3.5 months of prep time, give or take. Does this sound reasonable?
I have a very strong foundation in the Telecommunication and Network Security domain and I am comfortable with two other domains even though I haven't been involved in those areas recently. I am also sitting for the Security+ exam this December.
I read about people using Shon Harris's AIO guide for SSCP; is this the best study guide for both SSCP and CISSP? What about the SSCP Official Guide from ISC2, is it a good read for preparing for this exam?
Sorry for bombarding you with lots of questions.
JDMurray:
gwamaka wrote: This question is for JD... how long did it take you to prepare for the SSCP exam? ... This will give me about 3.5 months of prep time, give or take. Does this sound reasonable?
gwamaka wrote: I have a very strong foundation in the Telecommunication and Network Security domain and I am comfortable with two other domains even though I haven't been involved in those areas recently. I am also sitting for the Security+ exam this December.
gwamaka wrote: I read about people using Shon Harris's AIO guide for SSCP; is this the best study guide for both SSCP and CISSP? What about the SSCP Official Guide from ISC2, is it a good read for preparing for this exam?
gwamaka wrote: Sorry for bombarding you with lots of questions.
gwamaka: Thanks JD! This is some very helpful information!
One more question... I see there are a few domains in SSCP that do not seem to have a one-to-one mapping with those on CISSP. I am talking about these:
- Analysis and monitoring
- Malicious code
Is this accurate? This means when you clear the SSCP exam, you have actually covered only 5 of the domains that are in CISSP and not 7 domains per se.
JDMurray:
gwamaka wrote: One more question... I see there are a few domains in SSCP that do not seem to have a one-to-one mapping with those on CISSP. I am talking about these:
- Analysis and monitoring
- Malicious code
Is this accurate? This means when you clear the SSCP exam, you have actually covered only 5 of the domains that are in CISSP and not 7 domains per se.
JDMurray: Here's a discussion thread that's an example of the opinions of **** over at www.cccure.org. They advise against them for all the right reasons: http://www.cccure.org/ftopic-2782-0-days0-orderasc-code.html