Lesson 3: Cryptographic Solutions

Encryption Standards

Symmetric Encryption

Same key for encryption/decryption, fast but insecure key distribution

Algorithms:

• AES (256-bit): Gold standard for bulk encryption
• 3DES (168-bit): Legacy, being phased out
• Blowfish/Twofish: Older alternatives

Modes: CBC, GCM (with authentication)

Asymmetric Encryption

Key pairs (public/private), slow, used for small data like key exchange

Algorithms:

• RSA (2048-bit+): Key exchange/digital signatures
• ECC (256-bit+): Efficient for mobile devices
• Diffie-Hellman: Key exchange only (IKE)

Hashing

One-way function (no decryption), used for password storage and integrity checks

Algorithms:

• SHA-256/512: Current standard
• MD5 (128-bit): Broken, checksums only

Key Concepts

• Weak Keys: Easy to guess, short, not random
• Strong Keys: Long and random, resist brute-force
• Key Stretching: Make weak keys stronger (PBKDF2, bcrypt, scrypt)
• Key Exchange: Secure sharing of keys (Diffie-Hellman)
• Ephemeral Keys: Temporary keys for one session (ECDHE)
• Perfect Forward Secrecy (PFS): Uses ephemeral keys to protect past sessions

Encryption vs Digital Signatures

Encryption (Confidentiality):

• Alice encrypts with Bob's public key
• Bob decrypts with his private key

Digital Signature (Integrity + Authenticity):

• Alice signs hash with her private key
• Bob verifies with Alice's public key

PKI & Certificates

PKI (Public Key Infrastructure): Framework of CAs, certificates, software, services

X.509 Certificate Components:

• Subject (CN, SAN)
• Issuer (CA)
• Validity dates
• Key Usage (Digital Signature, Key Encipherment)

Formats: .pem (Base64), .der (Binary), .pfx/.p12 (with private key)

Certificate Authorities:

Hierarchy: Root CA → Intermediate CA → Leaf certificates

Trust Models:

• Public CA (DigiCert, Let's Encrypt)
• Private CA (Enterprise PKI)
• Self-signed (no chain of trust)

Revocation Methods:

• OCSP (Online Certificate Status Protocol): Real-time validation with CA
• CRL (Certificate Revocation List): List of revoked certificates
• CSR (Certificate Signing Request): Request sent to CA for certificate
• CA: Entity that issues and manages certificates

Key Management

Key Lifecycle:

Generation → Distribution → Storage → Rotation → Destruction

Secure Storage:

• HSM (Hardware Security Module): Tamper-proof hardware, supports key escrow
• TPM (Trusted Platform Module): On-board crypto processor for device keys
• Secure Enclave: Isolated CPU area (Apple Secure Enclave)

Key escrow: Storing encryption keys securely for recovery (FDE)

Key Exchange Protocols:

• KMIP: Standard for centralized key management
• PKCS#7/#12: Formats for key/cert transfer

Advanced Concepts

Perfect Forward Secrecy (PFS):

• Ephemeral keys for each session
• Prevents mass decryption if long-term key compromised
• Used in TLS 1.3

Blockchain:

Decentralized ledger with cryptographic hashing, immutable records

Obfuscation Techniques:

• Steganography: Hiding data in images (LSB method)
• Tokenization: Replacing sensitive data with tokens (PCI DSS)
• Data Masking: Redacting PII in databases