Help with Cryptography: What I Know
Hello,
I've been reading these boards the last few days as I have been studying for the Security+. I'm taking the exam on 7/20. I am studying with Darril's book. It's a great read. I've been scoring mid 80s on the CompTIA Security+ practice exam and 90/100 on Darril's book exams, so I feel I have a good knowledge of most of the objectives. I just want to make sure I have a good foundation for the Cryptography as this is the one area that continues to trip me up (and it seems others as well). I know my scores would be higher if not for issues with Cryptography.
Please bear with me, as I wanted to lay out what I know (or think I know to be correct.) If you could please provide me with some input on my knowledge or correct my misunderstandings that would be great!
1.) Symmetric key encryption: Alice uses AES or some other symmetric key encryption algorithm to create a symmetric key so that she can securely send data to Bob. She will only send this symmetric key over a secure session. I know that one of the challenges with symmetric key encryption is the need to have the secure session to share the key. Once Bob receives the symmetric key, Alice then uses the symmetric key to encrypt her message. Since Bob has the symmetric key, he can use it to decrypt the message.
Questions:
How is this secure session created?
Is AES a hashing algorithm or an encryption algorithm? What is the difference between the two?
2.) Asymmetric encryption: Alice wants to securely send a message to Bob. She uses Bob's public key to encrypt a message using an asymmetric algorithm. Bob can then decrypt the message using his private key.
Questions:
Does an asymmetric algorithm work the same as an encryption algorithm?
3.) Asymmetric encryption using hashing = Digital signature. Essentially, the goal is to encrypt the hash of the message. Alice wants to securely send a message to Bob. She can hash the message using a hashing algorithm (MD5, SHA) to provide integrity for the message. She can then encrypt the hash with her private key. This creates the digital signature. Bob can then unencrypt the hash and compare it to his hash of the message. If the hashes are the same, he can verify integrity.
Questions:
If I hear the term hashing in conjunction with asymmetric encryption, should I assume that a digital signature is in use?
4.) Asymmetric encryption in conjunction with symmetric encryption: Asymmetric encryption is used to create a secure session. Once the secure session has been created, the users can use symmetric keys to encrypt data (perhaps a hash of a message? See question 5). I'm assuming that the users can then place hashes on the data transmitted in the secure session to additionally verify integrity (and use a symmetric key to encrypt the hash).
5.) Symmetric encryption with hashing: I don't recall hearing much about this. I'm assuming it's possible to hash a message, then encrypt the hash with a symmetric key as mentioned in question 4.
Again, thanks for taking the time to read through this and provide assistance!
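The three building blocks in items 1 to 3 above, as an added worked example in Go using only the standard library. This is editorial example code, not part of williarm's post or of any book: AES-256-GCM stands in for "symmetric encryption", RSA-OAEP for "asymmetric encryption", and SHA-256 plus RSA-PSS for "digital signature". The key sizes, the sample message and the tampering checks are constructed for the example. One point the code makes explicit: AES does not create the key in item 1; the key is random bytes that AES is then used with.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewAESKey returns 32 random bytes. AES does not create the key (item 1 above);
// the key is just random bytes that AES is then used with.
func NewAESKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// NewRSAKey generates a key pair; the public half is embedded in the private key.
func NewRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// 1) Symmetric: the same key encrypts and decrypts. AES-GCM also appends an
// authentication tag, so a modified ciphertext fails to open instead of
// yielding garbage. The random nonce is prepended to the output.
func SealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func OpenAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// 2) Asymmetric: Alice encrypts with Bob's public key; only Bob's private key decrypts.
func EncryptToPublicKey(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func DecryptWithPrivateKey(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// 3) Digital signature: hash the message, sign the hash with the sender's private
// key; the receiver rehashes and checks the signature with the sender's public key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	aesKey, _ := NewAESKey()
	bob, _ := NewRSAKey()
	alice, _ := NewRSAKey()
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sealed, _ := SealAESGCM(aesKey, msg)
	pt, err := OpenAESGCM(aesKey, sealed)
	fmt.Printf("symmetric: %q err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 1 // flip one bit: GCM now refuses to open it
	_, err = OpenAESGCM(aesKey, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
	ct, _ := EncryptToPublicKey(&bob.PublicKey, msg)
	pt, _ = DecryptWithPrivateKey(bob, ct)
	fmt.Printf("asymmetric: %q\n", pt)
	sig, _ := Sign(alice, msg)
	fmt.Println("signature verifies:", Verify(&alice.PublicKey, msg, sig))
	fmt.Println("altered message verifies:", Verify(&alice.PublicKey, []byte("transfer 900 to account 42"), sig))
}
```

Two practitioner caveats that the exam-level description glosses over: "AES" alone is not a complete scheme, it needs a mode of operation, and GCM was chosen here because it also authenticates the ciphertext (a wrong key or a flipped bit is an error, not silent garbage); and a GCM nonce must never repeat under the same key, which is why each call draws a fresh random one. The signature check shows the asymmetry directly: the same signature verifies under Alice's public key and fails for a changed message or for anyone else's key.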
Comments

NotHackingYou:
1) The secure session over the internet is usually established using a digital certificate. The end user chooses a private key and encrypts it using the server's public key. Then, only the server can decrypt it with its private key.
AES is an encryption algorithm. The difference is that encryption is meant to hide the data until such a time when the algorithm can be repeated with the correct key (think password) to allow the original data to be read again.
Hashing is intended to be one way and not be decoded. For example, you would hash a password of 'texas123' and it would come out like 'Acvf234jfdfdwwd22223232dsdssdasd'. A user would then enter the password of texas123 and then the software would hash it and compare the hashes. If they are the same, the data is the same. If they are different, the data does not match. The original data is not intended to be revealed in hashing, only to determine if the original and the existing match.
2) Not sure I understand this question. The principle of an asymmetric vs symmetric encryption algorithm is the same: use X key to encrypt this data which is intended to be decrypted by X key (symmetric) or Y key (asymmetric). The inner workings of the algorithms are quite complex and I don't think one needs to know exactly how they work for the Security+. Could you clarify?
3) Usually digital signature related stuff includes terms like non repudiation or 'prove the real sender sent it'. Other situations may encrypt a hash as well though I can't think of any offhand.
4) Asymmetric encryption is more resource intensive than symmetric. Usually, asymmetric encryption is used to establish and share a symmetric key. Symmetric encryption typically then is used during the remainder of the exchange.
5) Yes, this is possible but like in #3 I can't think of anything offhand that uses this.
Edited to add: Make sure you really spend some time on that CompTIA practice exam. The wording of the questions is in line with CompTIA's typical wording choices. The questions can be difficult to understand, so take your time and work through them until you can make sense of them. Understand why each wrong choice is wrong and why each right choice is right. Do as much research on each question as you have to until you can score a minimum of 90% on the practice test.
When you go the extra mile, there's no traffic.
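The "secure session" of answer 1 and the hybrid scheme of answer 4, together with the "hash plus symmetric key" case from question 5, as an added example in Go using only the standard library. This is editorial code, not from NotHackingYou's post. The value wrapped under the server's public key is a fresh random symmetric session key, after which both sides switch to AES-GCM; and the standard way to bind a hash to a symmetric key is a message authentication code, shown here as HMAC-SHA256. The server's key pair is generated inside the example and assumed trusted (in practice the client would take the public half from a certificate it has verified); the key sizes and the sample records are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is the symmetric AES-GCM channel both sides hold once the key is shared.
type Session struct{ aead cipher.AEAD }

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Send encrypts and authenticates one record; the random nonce is prepended.
func (s *Session) Send(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Recv returns an error for any record whose authentication tag fails.
func (s *Session) Recv(record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return s.aead.Open(nil, record[:n], record[n:], nil)
}

// GenerateServerKey stands in for the key pair behind the server's certificate (constructed here).
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientHello: the client picks a fresh random session key and wraps it under the
// server's public key, so only the holder of the server's private key can recover it.
func ClientHello(serverPub *rsa.PublicKey) (wrapped []byte, sess *Session, err error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil); err != nil {
		return nil, nil, err
	}
	sess, err = NewSession(key)
	return wrapped, sess, err
}

// ServerAccept unwraps the session key with the private key and builds the matching session.
func ServerAccept(serverPriv *rsa.PrivateKey, wrapped []byte) (*Session, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return NewSession(key)
}

// Tag is "hash plus a symmetric key" done properly: an HMAC. Without the key the
// tag cannot be recomputed, so a modified message or tag is detected.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag compares in constant time so the comparison does not leak via timing.
func CheckTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	serverKey, _ := GenerateServerKey()
	wrapped, client, _ := ClientHello(&serverKey.PublicKey) // client -> server: wrapped key
	server, err := ServerAccept(serverKey, wrapped)
	if err != nil {
		panic(err)
	}
	rec, _ := client.Send([]byte("GET /account HTTP/1.1")) // constructed sample record
	got, err := server.Recv(rec)
	fmt.Printf("server read %q (err=%v)\n", got, err)
	macKey := []byte("constructed-demo-mac-key")
	tag := Tag(macKey, []byte("balance=100"))
	fmt.Println("original passes:", CheckTag(macKey, []byte("balance=100"), tag))
	fmt.Println("tampered passes:", CheckTag(macKey, []byte("balance=900"), tag))
}
```

The handshake shown is RSA key transport, the mechanism behind the RSA key exchange in older TLS versions; modern TLS uses an ephemeral Diffie-Hellman exchange instead, so that a later compromise of the server's private key does not expose recorded sessions. Note also that AES-GCM already authenticates each record, so the HMAC at the end illustrates question 5 as its own construct rather than something layered on top of the session; encrypting an unkeyed hash with a symmetric key, as question 5 words it, is not how integrity is normally added and is not what this code does.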
williarm:
Hi Carl,
Thanks for your responses. They help clarify some things. For #2, everywhere I've read seems to label the algorithms as either an "asymmetric" or "symmetric" algorithm. This differentiation between the two makes me think there is a specific reason why one is labeled as an "asymmetric" or "symmetric" algorithm, i.e. that there are characteristics of each that make it either "asymmetric" or "symmetric". Does that help clarify?
Additionally, does everything I presented to you as far as my explanations of asymmetric, symmetric, digital signatures, etc. sound correct?
Thanks! 
NotHackingYou:
The difference is the type of algorithm and the keys used. A symmetric algorithm will require the same key to decrypt that was used to encrypt. An asymmetric algorithm will require a different key to decrypt what was encrypted. Your explanations were close and were corrected/clarified in my original response.
I think you would be well served to read the cryptography chapter in Darril's book again. I read the whole book twice before taking my exam; I really feel like on the second run through I absorbed more information.
When you go the extra mile, there's no traffic.
Darril:
Hi Williarm,
Welcome to the forums. You might like to create separate posts with a post focused on a single topic. You have a lot of information here and it's difficult to answer everything, especially when one thing comes across as not quite right.
Cryptography is a challenging topic for many people mostly because it's not something we normally have to deal with.
On symmetric/asymmetric, yes there is a reason why they are labeled differently. Symmetric implies similar or the same and asymmetric implies dissimilar or not the same. A symmetric DSL line has the same upload and download speeds. An asymmetric DSL line has different upload and download speeds. Symmetric encryption uses the same key to encrypt and decrypt a piece of data. Asymmetric encryption uses one key to encrypt and a different key to decrypt the same piece of data.
On 1) AES is not used to create a symmetric key. AES is a symmetric encryption algorithm.
On 2) Yes. An asymmetric algorithm is an asymmetric encryption algorithm.
On 3) Hashing has many uses so I wouldn't say that hashing = digital signature.
I think CarlSaiyed's suggestion of rereading the cryptography chapter is worthwhile. Maybe take some notes on three separate pages as you do so on these topics.
Symmetric encryption
Asymmetric encryption
Hashing
Write out the goal of each
Write out the process of each
List the algorithms used in each topic
Hope this helps.