Domain 3 is massive domain! This page contains only cryptography.
Click here for the rest of Domain 3.
Basic Crypto, now part of Domain 3, is nothing to be afraid of nor nothing complicated. If you do not know crypto at all though, there are plenty of simple concepts AND acronyms you need to know.
Most of my students do VERY well on the crypto questions, despite this being a difficult area for most others.
Cryptography – The art and science of hidden writing, or as Wikipedia says, “The practice and study of techniques for secure communication.” Often shortened to “crypto.” Crypto has been used by humans for thousands of years (Egyptian Hieroglyphics are an example) and today crypto is primary based on mathematics and done by computers.
Cryptanalysis – Attacking crypto. Reasons to attack crypto include to see if it is any good. There are rarely mathematical proofs showing that a specific cryptosystem is “secure” but if cryptanalysts have been attacking a cryptosystem for years without much progress that is a very positive sign!
Cryptology – The overarching field which includes cryptography and cryptanalysis.
Plaintext – Unencrypted data, whether it is text, audio, video, smellovision, or something else.
Ciphertext – Encrypted data.
COCOM – Coordinating Committee for Multilateral Export Controls. An attempt by Western Block countries to prevent the export of advanced technologies including encryption technologies to “dangerous” countries. Formerly dissolved in 1994, it was followed up by Wassenaar Agreement which has similar goals. Of course the definition of dangerous countries depends on who you are.
Both focused on the export of technologies, and allowed symmetric key technology to be exported.
XOR – eXclusive OR. A simple and blazingly fast way to add two binary numbers and used extensively in encryption especially because it is so fast. It is binary addition without carry.
Diffusion – Dispersing (or “diffusing”) the plaintext within the ciphertext.
Confusion – The relationship between the plaintext and the ciphertext. The more confusion, the more randomness, and the better.
SKC – Secret Key Cryptography. The original type of crypto where the same keys are used to encrypt and decrypt. Examples include ROT n, DES, AES, IDEA, SAFER, RC4, RC5, and RC6.
ROT n – A symmetric substitution algorithm where each letter of the alphabet is replaced by the letter which comes “n” characters later in the alphabet.
Caesar Cipher – ROT 3. Yes, Julius Caesar used it. “a” is replaced by “d”, “b” is replaced by “e”, “c” is replaced by “f” etc. This is very easy to break using character frequency analysis.
DES – Data Encryption Standard. A very widespread symmetric encryption algorithm that is very fast. It was first developed in 1975 and not considered secure today because of its small key size, 56 bits. Triple DES is still widely used, for example by Web browsers.
ECB – Electronic Code Book, the default way (or “mode”) that the DES encryption algorithm is used.
CBC – Cipher Block Chaining, a mode of DES that utilizes an initialization vector to introduce randomness. This initialization vector is simply a random number that is combined (via the XOR operation) with the first block of plaintext before it is encrypted. Each subsequent block of plaintext is XORed with the previous ciphertext block before being encrypted.
CFB – Cipher FeedBack, a mode of DES similar to CBC. This is a streaming cipher, as opposed to ECB and CBC which are block ciphers, and suitable for use with streaming data such as streaming audio and streaming video.
OFB – Output FeedBack, a streaming mode of DES like CFB. OFB has the property that flipping a bit in the ciphertext flips the same bit in the plaintext, so many error correcting codes still function even when applied before encryption.
CTR – CounTeR Mode, a streaming mode of DES that uses an initialization vector (also called a “nonce” – which is simply a random number) which is combined with the first block of plaintext as in CBC, however this initialization vector is incremented and reused with each subsequent block. Used by IPSec.
IDEA – International Data Encryption Algorithm. A symmetric encryption algorithm. Used by PGP, Pretty Good Privacy, but not in widespread use otherwise.
SAFER – Secure And Fast Encryption Routine. A family of symmetric key algorithms. Bluetooth optionally uses a variant of SAFER.
AES – Advanced Encryption Standard. A symmetric key encryption algorithm chosen by the US government as a replacement for DES. It was chosen as the result of a contest by The Nation Institute of Standards and Technologies, NIST, in 2000, and was formerly known as Rijndael (pronounced “Rain Doll” unless you are Dutch, in which case you’d probably laugh at this pronunciation). It has variable block length and variable key length.
Rijndael - The algorithm used by AES.
RC4, RC5, RC6 – A family of symmetric key ciphers by Ron Rivest. Sometimes called “Ron’s Cipher” or Rivest’s Cipher.”
PKC – Public Key Cryptography. Also known as Asymmetric Cryptography. In public key cryptography, as opposed to secret key cryptography, keys come in pairs. If one key in the pair is used to encrypt something, only the other key in the key pair will decrypt it. Examples include RSA, El Gamal, and ECC.
In common usage, each party has a key pair, and the keys are referred to as the private key and the public key. The private key is kept private; no one else knows it. For example, it may live on a smart card and be further protected by a PIN. The public key is publicly available, often as part of a data structure called a Digital Certificate.
RSA – Rivest, Shamir, and Adelman, named after the three inventers of this very popular asymmetric key encryption algorithm. It is based on the mathematical fact that large prime integers are easy to multiply together, but the result is difficult to factor into the original factors, meaning the original large prime numbers. Or to put it even more simply: multiplication is easier than division.
ECC – Ecliptic Curve Cryptosystems. ECCs are public key cryptosystems and are ideal for small devices such as smart cards as ECC does NOT use a lot of resources such as power, CPU, and memory. The reason for this is that ECC provides a high level of security with relatively short key lengths, so the underlying mathematics are simpler and hence the resources required are minimal.
MD2, MD4, MD5 – Message Digest. These are hashing algorithms, used primarily for integrity. MD5 is used quite a bit and has a 128 bit hash value. MD5 is considered end of life.
SHA-1, SHA-2 – Secure Hashing Algorithm.
HMAC – Hashed Message Authentication Code, a cryptographic checksum.
PKI – Public Key Infrastructure. An infrastructure to distribute the public key of public-private key pairs (used in asymmetric cryptography). PKIs create Digital Certificates, which are data structures containing a name and associated public key, which are digitally signed by a central authority called a Certificate Authority.
CA – Certificate Authority, the part of a PKI which creates and digitally signs Digital Certificates, data structures containing a name and associated public key.
The best known CA on the Internet is Verisign, and many organizations have their own internal CAs.
Digital Certificate - A data structure that contains, at a minimum, a name and a public key, and that is digitally signed, most commonly by a Certificate Authority.
X.509 - X.509 is the standard for Public Key Infrastructure, which includes a standard format for Digital Certificates.
ORA – Organizational Registration Authority. A registration authority vets an entity before a CA will issue a Digital Certificate for it.
CRL – Certificate Revocation List. A list of Digital Certificates that have not expired (the expiration date in the certificate has not past) but that are not to be trusted. CRLs are typically stored in LDAP databases along with Digital Certificates.
A Digital Certificate may be added to a CRL for a multitude or reasons, such as suspected compromise of the associated private key, a name change perhaps due to marriage or religious conversion, retirement, death, etc.
OCSP – Online Certificate Status Protocol. An alternative and perhaps eventual replacement for CRLs. OCSP involves real time certificate status checks, as opposed to CRLs which are updated periodically.
Certification Practice Statement – A policy document from a Certificate Authority that defines their practices for issuing and managing Digital Certificates.
PGP – Pretty Good Privacy, a program used primarily for email encryption but which also supports file, directory, and partition encryption. Provides confidentiality (data encryption) and authentication (via digital signature). Based on a “Web of Trust” model instead of central authority like PKI (although later versions can work with a PKI).
Escrowed Encryption – A brain dead scheme proposed by the US government which allowed communication encryption but had a back door key that could be used for legitimate purposes by law enforcement. The key was split into two pieces and escrowed by two different government entities, and these key pieces could only be retrieved by court order. Escrowed Encryption was implemented by the Clipper Chip and used the Skipjack algorithm. Stupid idea that never took off due to public outcry.
SSL – Secure Sockets Layer, a cryptographic protocol that allows secure communications over the Internet and other untrusted networks. It supports digital certificates both on both the client and server side, but in practice most commonly only the server has a certificate and the client is authenticated “out of band” (for example by verification of a credit card or other information). TLS (see below) is a standards based replacement of SSL, and considered a later version, for example TLS 1.0 is often referred to as SSL 3.1.
TLS – Transport Layer Security, a standards based version and successor to SSL. Modern browsers and Web servers support TLS 1.0 or greater.
IPSec – IP Security. IPSec is best known as a VPN protocol used in IPv4 and IPv6. It is complex and provides much more than merely traditional VPN functionality.
AH – Authentication Header. An IPSec protocol that provides for integrity, origin authentication, but no confidentiality.
ESP – Encapsulating Security Payload. An IPSec protocol that provides for integrity, origin authentication, and confidentiality.
PFC – Perfect Forward Secrecy. PFS encrypts new session (secret) keys with previous keys.
SSH – Secure Shell. A protocol for making secure connections between machines. Often used for administering Unix and Linux machines remotely.
Steganography – Data hiding. Steganography gives you secrecy but not confidentiality. Cryptography gives you confidentially but not secrecy. For example if someone finds the data, commonly hidden in a file, it is plain text. Steganography and Cryptography are often combined.
Get a PDF of The CISSP Acronym Edge: CISSP Study & Review Guide - signup below & I'll send it to you.