2. A Quick Recap
● Converting plaintext into ciphertext through
transpositions or substitutions
● Spartan Scytale – Wrap message (written on a
belt/strap) around a stick to decipher
● Caesar cipher – shift the whole alphabet
● Nazi Enigma machines
● Key – used to encrypt/decrypt the plaintext
4. Playfair Cipher
● Used through WW2
● Pre-shared keyword (Ex: CRYPTO)
● Keyword is fed into a table, followed by the
remaining alphabet
– Merge I&J
C R Y P T
O A B D E
F G H I/J K
L M N Q S
U V W X Z
5. Playfair Cipher
● Break apart plaintext into pairs
– Sprinkle filler characters (Ex: K)
WE AR EK ST AR IK DL AK BS
6. Playfair Cipher
● Draw a box between the 2 letters in the pair
– If the box is larger than 1xn, swap letters with the
other 2 corners (Ex: WE = BZ)
– If the box is only 1 row thick, use the next letter in
line (Ex: AR=RV)
C R Y P T
O A B D E
F G H I/J K
L M N Q S
U V W X Z
7. Transposition Cipher
● Change the order of letters
● Like pig latin!
● Move first letter of a word to the end
● Add an “a” sound at the end
● Et-gay ti-ay?
8. Rail Fence
● Like writing the message on a fence then tilting the posts to
the side
● Draw a box with 2+ columns thick
● Enter the text in a zig-zag fashion
● Read the text across the columns for encrypted version
(Ex: gvecslirmaieahodeael)
● Susceptible to frequency analysis
9. A quick side note
● Frequency analysis
● E, T, A, & O are the most common letters in English
words
● Z, Q, & X are the least used
● If you know a message is in English and you see a lot of
E, T, A & Os or very few Z, Q, or X – you know it's a
transposition cipher and can probably start guessing
some letters correctly
10. Rectangular Substitution Table
● Sender and receiver agree on table dimensions
and the order to read the message (Ex: 4x4
table, read top to bottom, left to right)
W E A R
E S T A
R I D L
A B S
= WERAESIBATDSRAL
● Also susceptible to frequency analysis
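Added example (not from the original slides): the rail fence and the rectangular table are both fixed reorderings of the message, so one pair of helpers covers both, and the letter counts that frequency analysis looks at come through unchanged. The function names are assumptions, and the rail-fence plaintext is the slide's ciphertext read back on 2 rails.

```python
from collections import Counter

def rail_order(length, rails):
    """Reading order for a rail fence: positions sorted by zig-zag row."""
    if rails < 2:
        raise ValueError("a rail fence needs at least 2 rails")
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return sorted(range(length), key=lambda i: cycle[i % len(cycle)])

def table_order(length, width):
    """Reading order for a table filled row by row and read column by column."""
    if width < 1:
        raise ValueError("table width must be positive")
    return [i for col in range(width) for i in range(col, length, width)]

def transpose(text, order):
    """Encrypt: emit the characters in the agreed reading order."""
    return "".join(text[i] for i in order)

def untranspose(text, order):
    """Decrypt: put each character back at the position it came from."""
    out = [""] * len(text)
    for ch, pos in zip(text, order):
        out[pos] = ch
    return "".join(out)

def rail_fence(text, rails=2):
    return transpose(text, rail_order(len(text), rails))

def table_cipher(text, width=4):
    return transpose(text, table_order(len(text), width))

def same_letter_counts(a, b):
    """Transposition only moves letters, so the frequency profile is unchanged."""
    return Counter(a) == Counter(b)

if __name__ == "__main__":
    # Constructed plaintext: the slide's rail-fence ciphertext read back on 2 rails.
    msg = "giveeachsoldierameal"
    ct = rail_fence(msg, 2)
    print(ct, untranspose(ct, rail_order(len(ct), 2)))
    print(table_cipher("WEARESTARIDLABS", 4))
    print(same_letter_counts(msg, ct))
```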
11. Monoalphabetic Cipher
● Like a Caesar cipher except we scramble the
alphabet instead of shifting it
CAESAR
A B C D E F ... ... Y Z
D E F G H I ... ... B C
MONO
A B C D E F ... ... Y Z
M G P U W I ... ... T K
Ex: In the above Caesar, FEED=IHHG
In the above Mono, FEED=IWWU
12. Polyalphabetic Cipher
● Like a monoalphabetic except we add more rows
of scrambled alphabets
POLY
A B C D E F ... ... Y Z
M G P U W I ... ... T K
N B V C X Z ... ... F W
Ex: In the Mono, FEED=IWWU
In the above Poly, FEED=IXWC
14. Blaise de Vigenère
● Sender/receiver have a pre-shared keyword
● Locate the intersection of the keyword with the plaintext for the
cipher equivalent
Example
Keyword: CABBAGE
Plaintext: FEEDBOB
Ciphertext: HEFEBUF
15. Modular Mathematics
● Modulus/Modulo Operation
● The remainder after dividing a number by n
Example
5 mod 2 : 5/2 : 3/2 = 1
4 mod 2 : 4/2 : 4/2 = 0
16. Running Key Cipher
● Since there are 26 letters in the alphabet, we'll use mod
26
Ciphertext = (plaintext + key) mod 26
C = P + K (mod 26)
A B C D E F ... ... Y Z
0 1 2 3 4 5 ... ... 24 25
● Example:
Plaintext: E (or 4)
Key: W (or 22)
C = (4 + 22) mod 26 = 0
Ciphertext: A
17. Running Key Cipher
● To translate CHEEK using the key of FEED:
Ptxt C H E E K
Key F E E D F
n(P) 2 7 4 4 10
n(K) 5 4 4 3 5
n(C) 7 11 8 7 15
Ctxt H L I H P
● The longer the key, the better, since there's less repetition
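Added example (not from the original slides): the Vigenère lookup and the running key table are the same C = P + K (mod 26) operation, so one routine reproduces both worked examples above. It also shows the repetition a short key causes. The function names are assumptions.

```python
A = ord("A")

def to_numbers(text):
    """A=0 ... Z=25, as in the slide's lookup row; non-letters are dropped."""
    return [ord(c) - A for c in text.upper() if "A" <= c <= "Z"]

def to_letters(numbers):
    return "".join(chr(n + A) for n in numbers)

def key_stream(key, length):
    """Repeat the keyword to cover the message (FEED -> F E E D F ...)."""
    k = to_numbers(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return [k[i % len(k)] for i in range(length)]

def encrypt(plaintext, key):
    p = to_numbers(plaintext)
    return to_letters((pi + ki) % 26 for pi, ki in zip(p, key_stream(key, len(p))))

def decrypt(ciphertext, key):
    c = to_numbers(ciphertext)
    return to_letters((ci - ki) % 26 for ci, ki in zip(c, key_stream(key, len(c))))

def worked_rows(plaintext, key):
    """The n(P), n(K), n(C) rows of the slide's table, for checking by hand."""
    p = to_numbers(plaintext)
    k = key_stream(key, len(p))
    return p, k, [(pi + ki) % 26 for pi, ki in zip(p, k)]

def repeats_with_key(plaintext, key):
    """True if both halves of the ciphertext are identical (key period shows)."""
    ct = encrypt(plaintext, key)
    half = len(ct) // 2
    return ct[:half] == ct[half:2 * half]

if __name__ == "__main__":
    print(encrypt("FEEDBOB", "CABBAGE"))                   # Vigenère slide
    print(encrypt("CHEEK", "FEED"), worked_rows("CHEEK", "FEED"))
    # Constructed inputs: a repeated word under a 4-letter and an 8-letter key.
    print(repeats_with_key("FEEDFEED", "CABB"),
          repeats_with_key("FEEDFEED", "CABBAGES"))
```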
18. One-time Pads
● Gilbert Vernam asserted that a cipher key as
long as the plaintext (that doesn't repeat)
should be unbreakable
● Requires a sender and receiver to exchange
the long key beforehand (ex: book ciphers)
● Ideally the key is randomly chosen values like
letters, numbers, Geiger counter readings
19. One-time Pads
● Key of ksosdfshepwlqz
● The key could be longer than the plaintext
Ptxt D O N O T
Key K S O S D
n(P) 3 14 13 14 19
n(K) 10 18 14 18 3
n(C) 13 32 27 6 22
Ctxt N B G W S
20. A step back
● So what have we learned?
● Crypto can provide integrity controls
● If the message was altered by a modification or error, it
won't decrypt
● Some degree of authentication
● Only the people who have the key should be able to use
it. If we only share the key with one person, we can know
it's them
21. Symmetric Cryptography
● The sender and receiver use a single shared
key for encryption/decryption
● Key management is the biggest problem
● We can't send the keys over the same channel we're
trying to encrypt!
● Send the key via out-of-band distribution (ex: fax, mailing
a CD, calling on the phone)
22. Symmetric Cryptography
● Fast, secure, cheap
● Doesn't provide non-repudiation
● Limited message integrity and access control
● We can tell the message changed and it requires the key
in order to be read
● Physical example:
● 10 people have a key to the server room. Who entered at
11pm? We only know it was one of the 10
23. Examples of Symmetric Algorithms
● Caesar Cipher
● Spartan Scytale
● Enigma Machines
24. DES
● Data Encryption Standard
● Horst Feistel
● Take input block, divide it in half, and XOR several times
– Each XOR is called a round
● Became gov't standard in 1977
● Replaced by AES
25. Block Cipher Modes
● ECB – Electronic Codebook Mode
● Essentially a digital representation of a codebook. Feed in
plaintext and it outputs the ciphertext using a table
● Useful for very short messages to reduce repeating (64-bit)
● CBC – Cipher Block Chaining Mode
● Uses an IV and chaining function so that subsequent output
will be different even if the input was identical
● Initial input block is XORed with the randomly chosen IV
● Output is then XORed with next input
26. Block Cipher Modes
● CFB – Cipher Feedback Mode
● Input broken into segments (usually 8 bit)
● Segments are XORed with a random IV
● Previous segment is XORed with the next segment
● Drawback – if a bit is corrupted, everything after will be too
● OFB – Output Feedback Mode
● Like CFB but uses encrypted keystream instead of ciphertext so
that one corruption won't affect future encryption
● Can also generate keystream ahead of time for future use
● CTR – Counter Mode
● Like OFB but increments a counter for keystream
● Allows for out-of-order processing
27. Pros/Cons of DES
● Fast
● Breaking DES was unrealistic back in the day
● Susceptible to brute-forcing since key is only 56
bits long
28. Double DES
● Since brute forcing is our main method of
attack... let's just double the key!
● Done by running DES over DES with diff keys
Yo dawg! I heard
you like DES so I
DESed your DES
so you can DES
while you DES!
29. Double DES
● Meet in the middle attack
● Double DES had hoped that their “key
doubling” would result in an attack taking
exponentially longer
● Can still brute force
● Just takes twice as long
● Step 1: Encrypt plaintext with all
possible keys
● Step 2: Decrypt using all possible
keys
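Added example (not from the original slides): the two steps above, run against a made-up 16-bit cipher with 10-bit keys standing in for DES, to count the work. Two passes over the single-key space find the key pair, which is why doubling the key falls far short of doubling the strength. The cipher, constants and names are all assumptions.

```python
KEY_BITS = 10                      # toy key size (assumption); DES uses 56
MASK = 0xFFFF                      # toy 16-bit block
MUL = 0x9E37                       # odd, so multiplying mod 2**16 can be undone
MUL_INV = pow(MUL, -1, 1 << 16)

def toy_encrypt(block, key):
    """Made-up invertible cipher standing in for DES."""
    for r in range(3):
        block = ((block ^ key ^ r) * MUL) & MASK
        block = ((block << 5) | (block >> 11)) & MASK   # rotate left 5
    return block

def toy_decrypt(block, key):
    for r in reversed(range(3)):
        block = ((block >> 5) | (block << 11)) & MASK   # rotate right 5
        block = ((block * MUL_INV) & MASK) ^ key ^ r
    return block

def double_encrypt(block, k1, k2):
    return toy_encrypt(toy_encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, single-cipher operations in steps 1 and 2)."""
    (plain, cipher), *extra = pairs
    ops, middle = 0, {}
    for k1 in range(1 << KEY_BITS):            # Step 1: encrypt under every k1
        middle.setdefault(toy_encrypt(plain, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):            # Step 2: decrypt under every k2
        ops += 1
        for k1 in middle.get(toy_decrypt(cipher, k2), []):
            # a second known pair weeds out chance matches in the middle
            if all(double_encrypt(p, k1, k2) == c for p, c in extra):
                found.append((k1, k2))
    return found, ops

def work_factors():
    """(meet-in-the-middle cost, naive cost of trying every key pair)."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)
```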
30. Triple DES (3DES)
● Third time's the charm!
● Eliminates meet in the middle attack
I don't know how many more
times I can DES the
DES with a DES...
31. AES
● Beat out 3DES in terms of:
● Security
● Speed
● Larger block size
● Rijndael algorithm
32. CCMP
● Counter mode cipher block chaining message
authentication code protocol
● AES with 128 bit key
● 48 bit IV
– Prevents replay attacks
● CTR counter
– Provides data privacy
● MIC – message integrity check code
● Used in 802.11i standard
33. Algorithms
● Rijndael
● Substitute bytes (s-box substitution)
● shift rows (transposition)
● mix columns (substitution)
● add round key (XOR with this round's key)
● IDEA (1991)
● 8 rounds of transposition and substitution
● CAST (1996)
● 48 rounds
34. Algorithms
● SAFER
● Patent-free, 64 or 128 bit
● Used in bluetooth
● Blowfish
● Extremely fast and memory efficient
● Slow to regenerate keys
● Currently unbreakable
● Twofish
36. Pros/Cons of Symmetric Algorithms
● Very fast, secure
● Can be implemented in hardware and software
● Key management can be difficult
● Can be challenges with distributing the keys
● Manage additional out-of-band channel
● Can't provide non-repudiation