***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/asp-cryptography-and-pki/blob/main/README.md) >

## CompTIA CASP+
###### Topic: ``Cryptography and PKI``
***

Course material for the ``CompTIA CASP+`` certification.

<a id="top"></a>
***
## Table of Contents
***

### [Cryptography Concepts](#A) <br/><br/> 

<hr width=50%;>

### [Symmetric and Asymmetric Encryption](#B) <br/><br/> 

<hr width=50%;>

### [Cryptography and Storage](#D) <br/><br/> 

<hr width=50%;>

### [Protecting Files with Encrypting File System](#E) <br/><br/> 

<hr width=50%;>

### [Protecting Disk Volumes with BitLocker](#F) <br/><br/> 

<hr width=50%;>

### [Cryptography and Network Communications](#G) <br/><br/> 

<hr width=50%;>

### [Enabling IPsec to Secure IP Traffic](#H) <br/><br/> 

<hr width=50%;>

### [The PKI Hierarchy](#I) <br/><br/> 

<hr width=50%;>

### [PKI Certificates](#J) <br/><br/> 

<hr width=50%;>

### [Deploying a Private Certificate Authority](#K) <br/><br/> 

<hr width=50%;>

### [Configuring Custom Certificate Templates](#L) <br/><br/> 

<hr width=50%;>

### [Issuing PKI Certificates](#M) <br/><br/> 

<hr width=50%;>

### [Generating Certificates in the Cloud](#N) <br/><br/> 

<hr width=50%;>

### [Generating File Hashes](#O) <br/><br/> 

<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="A"></a>
***
### Cryptography Concepts
***


``Cryptography`` has been around in one form or another for thousands of years. The overall idea with cryptography is to protect sensitive data - make sure that it can only be accessed by authorized parties. 

``Cryptanalysis``, on the other hand, is the study of cryptosystems looking for weaknesses with the overall goal of improving things like crypto ecosystems and algorithms to make sure that they are harder to break into.


Cryptography can be used in many different ways, such as:

- Encrypting and digitally signing email messages with S/MIME.


- Securing web transactions over HTTPS.


- Securing remote Linux management via Secure Shell or SSH (encrypted remote management session).


- Encrypting files that are stored on a disk. 


- Authenticating a device such as a smartphone to a VPN, which might use a cryptographic digital certificate.


- Verifying that collected digital evidence, such as a forensic copy or image of a hard disk, has not been tampered with (hashing).

Crypto is used everywhere and it's been around for a very long time.


The CIA Security Triad comes from Confidentiality, Integrity and Availability. 

- ``Confidentiality`` really deals with things like encryption, so making sure sensitive data is kept confidential. 


- ``Integrity`` is used to ensure the accuracy of data to make sure it's not been tampered with.


- ``Availability`` ensures that IT systems and data are available when needed and that they perform at expected levels.

With encryption we might have plaintext such as ``The quick brown fox jumps over the lazy dog`` that has not yet been encrypted.

What we can do is feed that plaintext, along with an encryption key, into an algorithm. A cryptographic algorithm is a mathematical function that takes input, in this case the encryption key and the plaintext, and the resultant output is the encrypted data, otherwise called ciphertext. Cryptographic keys should be rotated or changed periodically for security, so that a compromised key is no longer usable for new transactions.


The other thing to think about is the role that hardware can play in a cryptographic ecosystem.

Trusted Platform Module or ``TPM`` is a chip that might be embedded on your motherboard, or that you might be able to add to a motherboard. It provides cryptographic functions such as enabling secure boot, which means checking the integrity or hashes of known operating system files to make sure they haven't been compromised. TPM can also be used with software like Microsoft BitLocker to store decryption keys for BitLocker-encrypted disk volumes.

Hardware Security Module or ``HSM`` is a tamper resistant device that connects to the network that's designed to do cryptographic operations. It might be involved in PKI, certificate generation or management, or cryptographic key generation or management. It can even be used to offload cryptographic functions from servers to allow them to use their processing power for other purposes. 


``Availability`` is an important part of security, for example, we need to make sure that IT systems and data that are considered mission critical are available at all times and that they perform well.

We can enable redundancy at the server level by having multiple servers serving up an app, perhaps in a load-balanced environment. We can also use alternate sites like the cloud, so that if we have a problem with our primary location, such as an on-premises power outage, fire, or flood, we have our data and systems available in another location. We might enable disk mirroring so that the failure of one disk doesn't mean we cannot get to the contents of the disk. Disk mirroring uses at least two disks: whatever is written to one disk is also written to a secondary disk, so if one disk fails, you still have another disk up and running without missing a beat.

Data backups are important for availability in case data is deleted, corrupted, or heaven forbid encrypted by ransomware. 

Availability also includes service level agreements or SLA documents which guarantee uptime for services from a service provider, such as in cloud computing. 


Cryptographic keys can be used in a number of ways.

When we talk about ``Key Escrow``, what we're really talking about is having cryptographic keys in the hands of a third party, so that if we need to decrypt, the key has to be acquired from that third party. Ideally, that third-party arrangement is made in a legal context.

We also have ``Key Stretching``, available through ``PBKDF2`` - **Password-Based Key Derivation Function version 2** - which uses a secure hashing algorithm together with salting to make a key or an initial password much more complex, so that it's less vulnerable to brute force attacks.
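Key stretching as described above, shown as an added example that is not part of the course material. It uses Python's standard-library ``hashlib.pbkdf2_hmac``; the record format, the function names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def stretch(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: run the salted password through the hash `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build a storable record; the random salt makes every record unique."""
    salt = os.urandom(SALT_BYTES)
    key = stretch(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    return hmac.compare_digest(stretch(password, salt, rounds), expected)


def needs_upgrade(record: str, minimum: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was stretched with fewer iterations than policy now requires."""
    return int(record.split("$")[1]) < minimum


if __name__ == "__main__":
    first = make_record("The quick brown fox")
    second = make_record("The quick brown fox")
    print(first != second)                       # same password, different salts
    print(verify("The quick brown fox", first))  # correct password verifies
    print(verify("The quick brown dog", first))  # wrong password does not
```

Storing the iteration count next to the salt lets the work factor be raised later: records flagged by ``needs_upgrade`` can be re-stretched the next time the user logs in successfully.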


The next consideration in crypto is whether we're working with a stream or a block cipher. 

Remember, a cipher is nothing more than a cryptographic function or cryptographic algorithm whichever term you would prefer to use.

Now when we talk about ``Stream Ciphers`` we're talking about a cryptographic function that's designed to process individual data items one at a time, such as one bit at a time. It uses a symmetric key. A symmetric key means the same key that's used to encrypt is also used to decrypt. It's the same symmetry, so symmetric key. This is considered to be faster than a block cipher, which we'll talk about in just a moment. Examples of stream ciphers include Salsa20 and ChaCha.

``Block Ciphers`` are a little bit different because they're designed not to process individual data items one at a time at the bit level, for example, but instead they are designed to process blocks of data. They too use a symmetric key. However, smaller chunks of data that are not consistent in size with larger chunks of data might need to be padded as they call it, to ensure that we always have a consistent block size for processing.


When we talk about block ciphers, they each have a number of modes of operation they can be configured to run in:

- Electronic code book or ``ECB`` - means that large messages get broken down into smaller blocks, each block is encrypted separately. 


- Cipher block chaining or ``CBC`` uses what's called an initialization vector or an IV - randomized value, and that means that encrypting the exact same plaintext would still result in different ciphertext because we're using a different IV. 


- Galois counter mode otherwise referred to as ``GCM``, is used for parallel pipeline computing, so for optimized computing, the idea is that there's a numeric counter value that changes for each encrypted block of data. 


- Output feedback mode, ``OFB`` - means that the block cipher runs in a stream cipher mode - there's no padding required for consistent block sizes because it's running as a stream cipher, and the initialization vector or IV is encrypted.

< [Table of Contents](#top) | [References](#references) >
<a id="B"></a>
***
### Symmetric and Asymmetric Encryption
***

< [Table of Contents](#top) | [References](#references) >
<a id="C"></a>
***
### Hashing and Digital Signatures
***

< [Table of Contents](#top) | [References](#references) >
<a id="D"></a>
***
### Cryptography and Storage
***

< [Table of Contents](#top) | [References](#references) >
<a id="E"></a>
***
### Protecting Files with Encrypting File System
***

< [Table of Contents](#top) | [References](#references) >
<a id="F"></a>
***
### Protecting Disk Volumes with BitLocker
***

< [Table of Contents](#top) | [References](#references) >
<a id="G"></a>
***
### Cryptography and Network Communications
***

< [Table of Contents](#top) | [References](#references) >
<a id="H"></a>
***
### Enabling IPsec to Secure IP Traffic
***

< [Table of Contents](#top) | [References](#references) >
<a id="I"></a>
***
### The PKI Hierarchy
***

< [Table of Contents](#top) | [References](#references) >
<a id="J"></a>
***
### PKI Certificates
***

< [Table of Contents](#top) | [References](#references) >
<a id="K"></a>
***
### Deploying a Private Certificate Authority
***

< [Table of Contents](#top) | [References](#references) >
<a id="L"></a>
***
### Configuring Custom Certificate Templates
***

< [Table of Contents](#top) | [References](#references) >
<a id="M"></a>
***
### Issuing PKI Certificates
***

< [Table of Contents](#top) | [References](#references) >
<a id="N"></a>
***
### Generating Certificates in the Cloud
***

< [Table of Contents](#top) | [References](#references) >
<a id="O"></a>
***
### Generating File Hashes
***

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

skillsoft, "Cryptography and PKI," [skillsoft.com](https://web.archive.org/web/20221102151824/https://www.skillsoft.com/get-free-trial), n.d.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
