
3DES Multi Key Explained

cashew (Member, Posts: 122)
I posted this question on the CCCURE forums and wanted to share an excellent response from a member there detailing the question. This helped me out a lot. It went back and forth for quite a few posts, but I'm going to only include my initial post and the best answer. Also, as I was reminded, do not dig too deep into the concepts.

http://www.cccure.org/ftopicp-32896.html#32896

The 3DES symmetric process works as follows:

Encrypt with the first key
Decrypt with the second key
Encrypt with the first key

I guess the thing that is throwing me off is how you can decrypt the ciphertext using a second key. My understanding is that symmetric (private key) implementations must use the same key to encrypt and decrypt.

So how can you decrypt with a second key when it was initially encrypted with the first (different)?



I agree that you probably do not need this for the test. However, let's go into an analogy, because I sometimes have difficulty understanding the basic process if I am caught up in more abstract issues. In the deciphering/decrypting process you would need to apply all the original keys.

Rather than a backup process, let's think about this encryption process in terms of a letter. Let's do 3DES-EDE3: encrypt, decrypt, and encrypt with three different keys. The first encryption step is writing a letter (plaintext) and putting it into a sealed standard envelope (first key). Now, you decrypt the letter with an incorrect key (second key), or in this example you open the letter by ripping it in half instead of along the top. Then, in the third encryption step, you put the ripped letter into a big shipping box (third key). In order to decrypt you cannot just open the original standard envelope. You have to reverse the packaging process by opening the shipping box, putting the two halves of the letter together, then opening the small envelope.
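The envelope analogy above can be made concrete in code. The following is an added example, not code from the original post or from the CCCURE thread it quotes. Because a full DES implementation would not fit here, it uses a small 16-round Feistel cipher as a stand-in for DES (same 8-byte block and 8-byte key, same "decrypt = run the rounds with the subkeys reversed" property); `toy_encrypt_block`, `toy_decrypt_block`, `tdes_ede_encrypt`, the sample keys and the plaintext are all my own constructions. It shows three things the thread discusses: "decrypting" under a different key is not an error, just another permutation of the block; EDE decryption is the three steps undone in reverse order; and, as the later replies note, choosing EDE rather than EEE is what lets the three-key construction collapse to a single encryption when the keys are made equal.

```python
"""
3DES-EDE structure demonstrated with a toy Feistel cipher.

Added example, not from the original thread. The toy cipher is a stand-in
for DES so the example runs offline without a crypto library; it is NOT DES
and exists only to illustrate how the EDE construction is put together.
"""
import hashlib

BLOCK_BYTES = 8   # DES works on 64-bit blocks; the toy cipher does too
KEY_BYTES = 8     # DES keys are 8 bytes (56 effective bits); toy keys are 8 bytes
ROUNDS = 16       # DES has 16 Feistel rounds


def _round_keys(key: bytes) -> list:
    """Hypothetical key schedule: one subkey per round, derived from the key."""
    if len(key) != KEY_BYTES:
        raise ValueError("toy cipher expects an 8-byte key")
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def _f(half: int, round_key: bytes) -> int:
    """Hypothetical round function. In a Feistel network any keyed function
    works, because the structure itself guarantees invertibility."""
    digest = hashlib.sha256(half.to_bytes(4, "big") + round_key).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(block: bytes, round_keys: list) -> bytes:
    """Run the Feistel rounds. Decryption is the same loop with reversed subkeys."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("toy cipher expects an 8-byte block")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in round_keys:
        left, right = right, left ^ _f(right, rk)
    # Final half-swap, as in DES, so the same routine inverts itself.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _round_keys(key))


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, list(reversed(_round_keys(key))))


def tdes_ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """EDE encryption: C = E_k3(D_k2(E_k1(P)))."""
    step1 = toy_encrypt_block(k1, block)
    # "Decrypting" under k2 does not fail: a block cipher is a permutation for
    # every key, so this just maps the block somewhere else (the ripped letter).
    step2 = toy_decrypt_block(k2, step1)
    return toy_encrypt_block(k3, step2)


def tdes_ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """EDE decryption undoes the steps in reverse: P = D_k1(E_k2(D_k3(C)))."""
    step1 = toy_decrypt_block(k3, block)   # open the shipping box
    step2 = toy_encrypt_block(k2, step1)   # put the two halves back together
    return toy_decrypt_block(k1, step2)    # open the small envelope


def tdes_eee_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """EEE variant, encrypting three times; included only for comparison."""
    return toy_encrypt_block(k3, toy_encrypt_block(k2, toy_encrypt_block(k1, block)))


# Constructed sample keys and plaintext (not taken from the thread).
K1 = b"key-one!"
K2 = b"key-two!"
K3 = b"key-3333"
PLAINTEXT = b"3DESdemo"


def round_trip_ok() -> bool:
    ciphertext = tdes_ede_encrypt(K1, K2, K3, PLAINTEXT)
    return tdes_ede_decrypt(K1, K2, K3, ciphertext) == PLAINTEXT


def wrong_key_decrypt_is_garbage() -> bool:
    """The original question: D_k2(E_k1(P)) raises no error, it just is not P."""
    return toy_decrypt_block(K2, toy_encrypt_block(K1, PLAINTEXT)) != PLAINTEXT


def ede_reduces_to_single_when_keys_equal() -> bool:
    """Backward compatibility: with K1 == K2 (or K2 == K3, or all equal) the
    D step cancels an E step and EDE becomes one single encryption."""
    single_k1 = toy_encrypt_block(K1, PLAINTEXT)
    single_k3 = toy_encrypt_block(K3, PLAINTEXT)
    return (tdes_ede_encrypt(K1, K1, K1, PLAINTEXT) == single_k1   # all keys equal
            and tdes_ede_encrypt(K1, K1, K3, PLAINTEXT) == single_k3  # K1 == K2 -> single under K3
            and tdes_ede_encrypt(K1, K3, K3, PLAINTEXT) == single_k1)  # K2 == K3 -> single under K1


def eee_does_not_reduce_to_single() -> bool:
    """EEE with equal keys is still three encryptions, so it cannot talk to single DES."""
    return tdes_eee_encrypt(K1, K1, K1, PLAINTEXT) != toy_encrypt_block(K1, PLAINTEXT)


if __name__ == "__main__":
    print("EDE ciphertext:", tdes_ede_encrypt(K1, K2, K3, PLAINTEXT).hex())
    print("round trip:", round_trip_ok())
    print("wrong-key decrypt differs from plaintext:", wrong_key_decrypt_is_garbage())
    print("EDE with equal keys == single encryption:", ede_reduces_to_single_when_keys_equal())
    print("EEE with equal keys == single encryption:", not eee_does_not_reduce_to_single())
```

Real 3DES is exactly this structure with the DES block function in place of the toy cipher, which is why the decrypt-in-the-middle step never "fails": the receiver does not need the middle step to produce meaningful data, only to be invertible, and the three-step decryption reverses it. Two practical caveats when you meet this outside the exam: the equal-key collapse that gives backward compatibility also means an accidentally repeated key silently downgrades you to single DES, and 3DES itself has been deprecated by NIST (SP 800-131A) because its 64-bit block limits how much data one key can safely encrypt.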

Comments

  • tiersten (Member, Posts: 4,505)
    The encrypt, decrypt and encrypt sequence is for backwards compatibility. If you set the 2nd key to be the same as the 1st key then you're just doing regular DES.

    The actual names for the processes where you encrypt and decrypt can be swapped around if you want. You just have to make sure whoever is on the receiving end also knows you've swapped it. Decrypting ciphertext with the wrong key or plaintext is basically encrypting it.
  • cashew (Member, Posts: 122)
    Right, so when you unencrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.

    That's what makes EEE3 so powerful, in the sense that 3 different keys are used from the keyspace right?
  • JDMurray (Admin, Posts: 13,028)
    cashew wrote:
    Right, so when you unencrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.
    You're describing EDE2 (encrypt(k1)-decrypt(k2)-encrypt(k1)) which uses 2 keys. The stronger implementation is with 3 keys (encrypt(k1)-decrypt(k2)-encrypt(k3)).
  • cashew (Member, Posts: 122)
    JDMurray wrote:
    cashew wrote:
    Right, so when you unencrypt it with a different key it will decipher garbage, then you encrypt it again with the 1st key to add another layer.
    You're describing EDE2 (encrypt(k1)-decrypt(k2)-encrypt(k1)) which uses 2 keys. The stronger implementation is with 3 keys (encrypt(k1)-decrypt(k2)-encrypt(k3)).

    Isn't there an EEE3 for encryption with 3 different keys with no decryption?
  • JDMurray (Admin, Posts: 13,028)
    cashew wrote:
    Isn't there an EEE3 for encryption with 3 different keys with no decryption?
    Yes.

    Have a look at http://en.wikipedia.org/wiki/Triple_DES
  • cashew (Member, Posts: 122)
    Thanks JD, I think we are the next line of recruits to join the ranks of CISSP! I sit mine in February in Atlanta. By the way, I saw Zack and Miri (Kevin Smith's recent work) and thought it was awesome!
  • dynamik (Banned, Posts: 12,312)
    This is somewhat off-topic, but how do you guys like the cccure.org forums? I'm somewhat of a noob, so I've just been looking at the SSCP forums, but I haven't been impressed. I've seen some links to **** and pirated resources that haven't been removed, and a lot of people have been advocating using nothing but a CBT and the cccure.org practice questions to pass. I'm not saying that those aren't good resources, but I don't feel like that's enough to master the material. Oh well, that just makes me appreciate these forums that much more.

    Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...

    I suppose I'm a bit biased though...
  • cashew (Member, Posts: 122)
    CCCURE is tailored for the CISSP, SSCP, and others (while vendor neutral, it's an ISC2 whore). Whenever I post there, I always get a well-defined answer or at least a topic for debate. There's some pretty sharp people there, but this forum is nice as well. Here I feel my due diligence is needed, and I contribute to MCSE questions and Security+ questions. Once I get my CISSP I will talk more with my chin in the air; until then I rely on resources like JD and others for answers.

    Back to the topic, CCCURE is recognized and an excellent source; however, posting here you will get a fast answer. If I see a question presented on info sec and I cannot answer it, I usually can reference a text or a friend w/ experience. When everything is said and done, CCCURE is awesome, but TechExams can't be beat!
  • Slowhand (Mod, Posts: 5,161)
    dynamik wrote:
    Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...
    Is that in general, or just on the cccure forums?

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • cashew (Member, Posts: 122)
    Slowhand wrote:
    dynamik wrote:
    Seriously, I've only seen one or two other guys besides JD that are even tolerable thus far...
    Is that in general, or just on the cccure forums?

    To tell you the truth, I know my stuff quite well. I have over 5 years of info sec experience as well as an MCSE and Security+. Slowhand and JD are knowledgeable. I know my stuff as well, so if you post here you will definitely get a responsive yet reputable answer.
  • JDMurray (Admin, Posts: 13,028)
    I would start out in the CISSP CBK discussion forum. Most of the activity is there. I'm in the process of reading through all 1700+ posts dating back as far as 2005 and taking study notes. Some very good information on interpreting questions, facts about CBK stuff, and the usual rambling from semi-informed people.

    And yes, they aren't as hard-nosed about **** there as we are here at TE. They warn against them, but they don't take any action against members that mention or use them. And frankly, a CISSP **** is only a false sense of security that you will pass.
  • dynamik (Banned, Posts: 12,312)
    Yea, that's my project for the next few weeks. I was hoping the CISSP forums would be better. The SSCP forums only have 43 posts, so I was able to burn through that like nothing. Shednik turned me on to ethicalhacker.net, and I currently have 148 pages of unread threads, so that one's going to take a bit longer.
  • cashew (Member, Posts: 122)
    dynamik wrote:
    Yea, that's my project for the next few weeks. I was hoping the CISSP forums would be better. The SSCP forums only have 43 posts, so I was able to burn through that like nothing. Shednik turned me on to ethicalhacker.net, and I currently have 148 pages of unread threads, so that one's going to take a bit longer.

    I have not taken the SSCP but have the book. There are only 7 CBKs compared to the CISSP's 10 CBKs. If my employer will pay for my exam and commit to the application of the appropriate 180 cbks a year (120 from CISSP and 60 from SSCP). JD is an SSCP, but I'm about to become a CISSP and will probably transition to CISM and GIAC. That's management, though, which is where I'm destined. You want to stay technical, go the CISSP route with CISA. You'll get paid!
  • JDMurray (Admin, Posts: 13,028)
    cashew wrote:
    You want to stay technical, go the CISSP route with CISA. You'll get paid!
    Except that neither the CISSP nor the CISA are technical certs. The Security+, SSCP, and GSEC are far more technical in content.
  • cashew (Member, Posts: 122)
    Maybe true, but my experience and MCSE enable me to run circles around our admins with issues pertaining to our environment. CISA, CISSP, GIAC, etc. w/ experience will outweigh any technical cert in existence, unless you're a CCIE; then you're a bad ass hands down, no?
  • gwamaka (Member, Posts: 32)
    JDMurray wrote:
    cashew wrote:
    You want to stay technical, go the CISSP route with CISA. You'll get paid!
    Except that neither the CISSP nor the CISA are technical certs. The Security+, SSCP, and GSEC are far more technical in content.

    This question is for JD... how long did it take you to prepare for the SSCP exam? I am planning to take this exam sometime next year. I am looking into allocating 2 weeks of study time per domain, 2 to 3 hours per day on weekdays and 5 hours on both Saturdays and Sundays. This will give me about 3.5 months of prep time, give or take. Does this sound reasonable?

    I have a very strong foundation in the Telecommunications and Network Security domain and I am comfortable with two other domains, even though I haven't been involved in those areas recently. I am also sitting for the Security+ exam this December.

    I read people are using Shon Harris's AIO guide for the SSCP; is this the best study guide for both the SSCP and CISSP? What about the SSCP Official Guide from ISC2? Is it a good read for preparing for this exam?

    Sorry for bombarding you with lots of questions.
  • JDMurray (Admin, Posts: 13,028)
    gwamaka wrote:
    This question is for JD... how long did it take you to prepare for the SSCP exam? ... This will give me about 3.5 months of prep time, give or take. Does this sound reasonable?
    I gave it about three months of study time, the last three weeks of which was a real cram to make sure I had everything memorized that I could. How much time you need depends on how much of the SSCP CBK you already know and how well you study. Only you will know when you feel ready to take the exam.
    gwamaka wrote:
    I have a very strong foundation in Telecommunication and Network Security domain and I am comfortable with two more other domains even though I haven't been involved in those areas recently. I am also sitting for the Security+ exam this December.
    The Security+ is highly recommended as your first security cert. I've also read of people recommending the CISA before the CISSP. There is some overlap in the exam material, with the CISA having a less-broad and more-focused body of knowledge to cover than the "mile-wide" CISSP.
    gwamaka wrote:
    I read people using Shon Harris's AIO guide for SSCP, is this the best study guide for both SSCP and CISSP? What about the SSCP's Official guide from ISC2, is it a good read for preparing for this exam.
    I used primarily the OIG SSCP and Harris' AIO3. Just remember you don't need to study the physical security, application security, and law/ethics stuff in the CISSP material for the SSCP. There's also a lot of good info in the Wikipedia. Additional resources may be necessary depending on what you don't already know. Read my blog article for more tips.
    gwamaka wrote:
    Sorry for bombarding you with lots of questions.
    It's no problem; that's what I'm here for. :)
  • gwamaka (Member, Posts: 32)
    Thanks JD! This is some very helpful information!

    One more question... I see there are a few domains in the SSCP that do not seem to have a one-to-one mapping with those on the CISSP. I am talking about these:
    - Analysis and monitoring
    - Malicious code

    Is this accurate? This means when you clear the SSCP exam, you have actually covered only 5 of the domains that are in the CISSP and not 7 domains per se.

  • JDMurray (Admin, Posts: 13,028)
    gwamaka wrote:
    One more question... I see there are a few domains in the SSCP that do not seem to have a one-to-one mapping with those on the CISSP. I am talking about these:
    - Analysis and monitoring
    - Malicious code

    Is this accurate? This means when you clear the SSCP exam, you have actually covered only 5 of the domains that are in the CISSP and not 7 domains per se.
    The SSCP CBK is not a subset of the CISSP CBK. Some of the domains have about the same name, and some of the information does overlap, but the SSCP CBK is not directly derived from the CISSP CBK. You will find Analysis and Monitoring (Auditing and Monitoring in Operations Security and Access Controls) and Malicious Code (Malware in Application Security) in the CISSP CBK, but in much less detail than presented in the SSCP CBK.
  • JDMurray (Admin, Posts: 13,028)
    Here's a discussion thread that's an example of the opinions of **** over at www.cccure.org. They advise against them for all the right reasons: http://www.cccure.org/ftopic-2782-0-days0-orderasc-code.html