### Security Engineering

MicroCourse
Time
2 hours 59 minutes
Difficulty
Beginner
CEU/CPE
3

### Video Description

This lesson covers crypto definitions and shows participants the formula and algorithms behind these definitions. Also covered are the elements of cryptography and what makes an algorithm as well as a key desirable.

### Video Transcription

00:04
now, as I mentioned before, I try to teach cryptography like you have absolutely no experience with it. And I know many if you do, but I also know that there are a lot of you that have experience in other of the domains of C I s S P. And don't consider yourself cryptography experts by any stretch of the imagination. So I want to kind of, um,
00:23
take a few moments and just start from the bottom floor. And let's talk about just basic ideas
00:29
and make sure we're all on the same page when we use these terms. So I've got a very conceptual formula here. And the formula is that plain text plus something called an initialization vector plus an algorithm and an algorithm can also be called a cipher.
00:46
Cipher is the same thing as an algorithm and algorithm is the same thing is a cipher. There's never a reason I would say algorithm instead of cipher or vice versa
00:55
other than just to mix it up a little.
00:58
Okay. Ah, So an algorithm or cipher and then we also take a key, and all that together is going to give us a cipher text so I want to go through and I want to define these terms and make sure they make sense. Okay, So plain text
01:11
right off the bat, we understand what playing text is. It's unencrypted. Text could also be called clear text, but it's it's the message that we want to send its the text that were wanting to protect. Now the next thing is an initialization vector. And to give you an idea about an initialization vector,
01:30
what it does and what it is and why it's important. Um,
01:34
for those of you that have in p three players,
01:38
okay, and I'm actually gonna come to the next slide, you don't need to worry about the next slide just yet. So before the initialization vector to make sense of what this is and the kind of help understand if you take, um, for example, an MP three player and I know many of you do have MP three players and one of the things that we do
01:57
is we put the MP three player on shuffle or we randomize.
02:00
You know, I've got, like, 800 songs on my iPod, and every time I played, if I started the first track, I'd get bored. Not only ever hear the 1st 10 songs, so we shuffled. We ran the mines. But even if I have all these songs and I shuffle
02:15
for some reason, that same annoying song I don't even know why it's on my iPod in the first place seems to pop up more than others. And I'm not kidding about this. I actually down loaned my iPod to a friend of mine who was driving to Canada.
02:31
02:36
Uni
02:37
onto my iPod.
02:38
Now I'm driving down the road. I'm feeling kind of hip for somebody who's over 40 and let the stoplight at the Black Eyed Peas go out and kind of feeling it. And then all of a sudden the sun will come out. Tomorrow comes blasting through my radio speakers.
02:54
So
02:55
you know the question, then being I've got all of these songs, it's all random. Why would some songs come up more than others? Why does it seem like I don't have good, true random annexation? Well, I gotta tell you the truth, this isn't actually the algorithm or the mechanism that that MP three players use but this will just kind of give you an example.
03:14
So let's take some random numbers, okay? And I promise you these air random, they just
03:19
popped into my head and I jotted them down. So 7523494 truly random numbers just occurred to me.
03:29
Now, let's say with our iPod that we always started zero track and we add seven. Okay, so now we're on the seventh track, Then we add five. All right, We're on the 12th track. Minus two were at the 10th track. Plus three were on the 13th track plus 4 17
03:46
plus 9 26 track minus 4 22nd track. So we've got these random numbers and on performing random math. I just kind of threw those in there as well.
03:54
But the problem is, if we always started track zero, then we don't get randomness. But what if we started track 27 thence track 33 the next time and track 800 to the next and tracked 47? And if we modify our if we randomize the starting point,
04:14
04:16
and randomness is good when it comes to cryptography. So our golden hair let's randomize where we start. That makes our random process even more random,
04:27
randomly speaking.
04:29
So that's a good thing. If you've ever heard people talk about passwords and talk about salting passwords or using a seat, it's exactly the same idea is let's take this password
04:41
and combined some other random information with it to increase its complexity. Okay, we can talk about that more when we get to talking about hashing and passwords and what we do there. But ultimately,
04:51
the initialization vectors job is to add randomness at the start, and one other point there a, um, and a system computer can't just come up with a random number, you know, whereas you and I could go 17,433 a computer can't do that.
05:12
05:14
what the initialization vector comes from is it's actually something called a pseudo random number,
05:21
and you will never guess what generates a pseudo random number.
05:26
Wait for it,
05:27
wait for it.
05:29
It's called a pseudo random number generator. Yes, yes, it is. And basically that idea of being a pseudo random number, it looks like it's random it quacks like it's random. It walks like it's random, but it's not random. So maybe it could be based on CPU clock cycles, internal temperature,
05:48
various variables coming from all sorts of different directions.
05:53
So essentially it feels very random. But it has to be based on something ultimately, and it's usually something very complex that wouldn't be able to be imitated or predicted.
06:02
Okay, so that's your initialization vector.
06:05
Next, let's talk about the algorithm.
06:11
Uh, and I mentioned to you all that I am from North Carolina.
06:15
I am the proud product of the North Carolina public's assistance 49th and Nation baby, who
06:24
in our state motto,
06:27
at least we're not South Carolina.
06:30
So
06:31
I spent 12 years in the North Carolina public school system, and what you see in front of you, these air, all the math functions I've worked. That's all the math I know in this entire world. I can take any number and add to I can take any number of subtract two.
06:49
I can multiply by to divide by two,
06:53
take the square root of a race to the power of two. But that's all the math. I know that's my algorithm.
07:00
So the algorithm, when we talk about an algorithm, it's the collection of all the math functions that can be performed.
07:06
Okay, so in this case, I only have six very basic Mac out math algorithms or math functions. Rather, that's not very desirable. So when we talk about an algorithm there several things that we want from it, Um and we'll talk about theres a 2nd 1 thing I want to mention.
07:24
So ultimately everything comes down into ones and zeroes, right? Ultimately, whatever it is, whatever images,
07:31
ah, a series of numbers. So
07:35
in certain algorithms, the series of ones and zeros air chunked into what we call blocks. This is a block algorithm, and the block might be 64 bits, and each block goes through Siri's of thes math functions. So
07:53
this block of data meant good function. One where this number is
07:56
eyes taken into is at two. In the function six, the square root is taken up, but ultimately, the block of data goes through series of math functions. How many math functions and in what order is determined by the cute.
08:11
Okay, so the algorithm is the collection of math. The KIIS the instruction on how to use the map.
08:18
So when we do talk about our algorithm there several things that are desirable. First of all, we want good, complex math.
08:24
Nothing about Kelly's algorithm is complex. It all. It doesn't matter how longer complex the key is. If my math is this week, it'll be broken like that. There are a lot of things that are significant in cryptography more than just the length of the key. So from our algorithm,
08:43
we want what's called confusion
08:46
and confusion means good strong math
08:50
for substitution because at each function there's a substitution made for what waas and then what is after the function has been applied, so confusion means complex substitution.
09:03
Okay, confusion. We often hear about diffusion as well. Confusion and diffusion diffusion means
09:13
plain text is interspersed with the cipher text, and that just adds to the complexity.
09:18
There's also something called an avalanche. I doubt that that would be testable, but the idea there is a change in one piece of plain text would result in multiple changes in cipher text, and that makes it more difficult if somebody's trying to break the algorithm and they're changing one letter at a time.
09:37
It's not clear where the change is effective in the cipher text because many places erupt.
09:41
That's called Avalanche. There's also something called permutations in another word for permutation rounds of boxing. Match has 12 rounds,
09:52
so there's a cipher called Dez that encryption standard. We don't use it much today, but it was huge in the eighties and early nineties. And what desde if wasn't chunk its status into 64 bit blocks, and it would put each block of data through a series of math functions than it would do it again
10:13
and again and again.
10:15
So essentially, what would happen is Dez would encrypt each block of data 16 times. There were 16 permutations now does got broken, and we went from desk to triple this. What triple does does is it triples deaths. So each 64 bit block now goes through
10:33
48 permutations, and you can just think about what effect that would have on the processing
10:39
triple. Dez is a dog when it comes to processor utilization,
10:43
all right, and then the last desirable quality quality of an algorithm. We would like the algorithm to be open and that comes to us from a gentleman named Kirk off. This is Kirk offs principle.
10:58
And Kirk office felt very close to the way I have it on screen.
11:03
Very close. Um, Kirk off said they're two pieces that are used for secrecy.
11:09
The algorithm in the keep
11:11
Kharkov says if you keep the key secret, the algorithm can be open. And not just can the algorithm be open. But the algorithm should be
11:20
What?
11:22
Well, how many of you did not go to North Carolina public school systems?
11:28
Worse now, hairline.
11:31
I am. Imagine that's quite a few of you out there.
11:33
Okay, so maybe you know some better math than I do.
11:37
All right? Help me out. Help me make this more complex. The more people that can contribute to the algorithm, the more people that can help me build on it, help me break it down. But then put it back together. Stronger the better. And that's really the theory behind
11:54
the entire community that pushes for openness. Open algorithms, open source code open operating systems.
12:00
You know, the idea is, the more people looking at it, the better.
12:03
I'm gonna pause there just for a second, because um,
12:11
the I S C square
12:13
organization stands on the side of openness very firmly. As a matter of fact, you know, I've seen things that they put out that essentially say that proprietary, um, venders rely on what's called security through obscurity, meaning, If you can't see it, you can't break. You can't see my
12:33
house key
12:33
even though it's under the mat so you can't get in.
12:37
So they take a stance that open is betterthan closed.
12:41
I will tell you.
12:43
In my opinion,
12:46
well written code is well written code, whether it's open or closed.
12:50
So, you know, I kind of take a little bit of exception with that argument. There is some very good code out there that is close source. They don't rely on security through obscurity. They rely on good, well written code.
13:03
And, you know, if you followed the breach with open SSL, the fact that something is open does not guarantee peer reviews happening. Okay, so I'm not trying to go off on a tangent. But the point I want to make here is for the C. I S S P exam. We believe in Kirk offs principle. We support the principle of openness.
13:20
But there are many organizations and entities that don't. The government doesn't follow Kirk offs principle. They keep their algorithms
13:26
hidden and protected, so I don't think it's as clear as cut it. Clear cut is open is good closed as bad. But that's just something to chew on. Food for thought there all right. But ultimately, as we go back and just pop back here, we have the plain text.
13:43
We start with that initialization vector to add randomness. We have a Siri's of math functions and the instructions on how to use those math functions.
13:50
All of those together give us a cipher text. Okay, so hopefully that's a good introduction to some of the terms will pick up and get into some more concepts as we move forward.

### Security Engineering

Domain 3 covers engineering and management of security. Why do I need this certification? Security engineering is a field which requires cross-disciplinary knowledge in areas such as cryptography and site design security

### Instructed By

Kelly Handerhan
Senior Instructor