CISSP: Domain 3, Module 4
The course is part of this learning path
This course is the 4th of 6 modules of within Domain 3 of the CISSP, covering security architecture and engineering
The objectives of this course are to provide you with and understanding of:
- The history of cryptography across the era's
- The principles and life-cycles of cryptography
- Public Key Infrastructure, known as PKI and the components involved
- Digital signatures and how they are used
- Digital rights management (DRM) and associated solutions
This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.
Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
About the Author
Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. leo is an ISC2 Certified Instructor.
Welcome back, and we're going to continue our discussion of Domain Three: Security Engineering. So, here you see the module topics we're going to cover during these next several slides. We're going to cover a little bit of history of cryptography, some of the emerging technologies, and then we're going to dig into some key concepts about cryptography, the lifecycle, PKI, key management practices, distribution of keys, digital signatures, digital rights management, and we're going to conclude with methods of cryptographic cryptanalytic attacks.
So, the cryptographic process, to put it very simply, we take a plain text, anything human-readable, we run it through some form of cryptographic system, and that produces our ciphertext. The human readable input has been transformed into a non human-readable output. Now, just for the sake of history, cryptography comes from the word in Greek, . Now, , means hidden, or secret, and , also from the Greek, means writing. Putting these two words together, we come up with our cryptographic systems. Now, in the process of doing cryptography, one of the key elements is heightening the amount of randomness because one of the things that we use as humans to recognize what we're reading is patterns, word patterns, word length, vowel presence, and so on.
In cryptography, what we're trying to defeat is pattern recognition, to put it at its simplest. And running it through a cryptographic system, what we attempt to do through the application of the mathematical processes and randomness is to destroy those patterns. Now, cryptography, as a practice goes back many, many centuries, there is evidence that the cryptographic type operations that we're using today had their origins back several thousand years. For example, Egyptian hieroglyphics. Though they were not intentionally cryptographic the pictographic type of writing that it was, was indecipherable to anyone not trained to read it. Therefore, it was functionally cryptographic. The Spartan scytale, which came sometime later, around 400 BC, was more of a mechanical method that used a rod of a certain size, a papyrus strip, the paper of the day. And the sender would create the message, write it on the papyrus as it was wrapped around the rod. And then, it would be taken and stuffed into a messengers bag, who would then by foot, run it out to whoever the recipient was going to be, who would then take a rod of equivalent size and rewrap the papyrus surrounded, thus aligning the letters and making the message readable. This method required, just like you had to learn how to read hieroglyphics. This method required that someone know how to wrap it, what the diameter of the rod was, and of course, they had to be able to read and write the language of the day, predominantly Greek.
We move forward several hundred years into the mechanical era. And here we have two examples. A cipher wheel, a set of drums that can align letters in a certain way that can create the code or overlapping discs, which in its own way, would show a coding-decoding process by realigning the letters, by aligning, as in this case, A and T. And then, you would simply take the letters from one and transpose them using letters from the other with that alignment as the key to how you would decipher the message. We move forward a bit to the electromechanical era. Now, this was based on the performance of the algorithm on a numeric value of a letter rather than on the letter itself. So, we have the first steps towards what we use today, in that, now we're using numeric values of letters rather than the actual language. And this provided a natural transition into our current day, the electronic era.
And of course, in the electronic era, this is all based on computer performance of these algorithms to operate on plain text, or cipher text inputs and produce the corresponding reverse output. These fall into categories of symmetric and asymmetric, and a comparable complementary technology, which is not encryption, but one that is used frequently with it, hashing. Further advances have been made to the point that we are now on the brink of developing true quantum cryptography. Now, unlike the systems that we've used before, which made use of a binary mathematical encoding system, this one uses protocol systems and procedures, which enable the creation and distribution of secret keys, but it is based on the principles of light and quantum physics to produce that secure data. To put it shortly, it is a base-36 system, reflecting the fact that quantum can occupy as many as 36 distinct discrete states, some of them as in superposition, more than two at a time, instead of the base-2 binary system we currently use with electrically based systems. This is a very radically different premise, in that, the security of this system is based on known physical laws, with its virtually infinite variation, rather than the mathematical difficulties of calculating various elements, various values such as key length, rounds of encryption, and so forth.