CISSP Study Booklet on Cryptography
This simple study booklet is based directly on the ISC2 CBK document.
This guide does not replace in any way the outstanding value of the CISSP Seminar and the fact that you must have been involved in the security field for at least a few years if you intend to take the CISSP exam. This booklet simply intends to make your life easier and to provide you with a centralized resource for this particular domain of expertise.
This guide was created by Clement Dupuis on 5th April 1999

WARNING:
As with any security related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send me comments or input to be added to this document. Any comments, typo corrections, etc. are most welcome and can be sent directly to: cdupuis@uniconseil.com

DISTRIBUTION AGREEMENT:
This document may be freely read, stored, reproduced, disseminated, translated or quoted by any means and on any medium provided the following conditions are met:
Every reader or user of this document acknowledges that he is aware that no guarantee is given regarding its contents, on any account, and specifically concerning veracity, accuracy and fitness for any purpose. Do not blame me if some of the exam questions are not covered or the correct answer is different from the content of this document. Remember: look for the most correct answer. This document is based on the seminar content, standards and books, and where and when possible the source of information will be mentioned.
No modification is made other than cosmetic, change of representation format, translation, correction of obvious syntactic errors.
Comments and other additions may be inserted, provided they clearly appear as such. Comments and additions must be dated and their author(s) identifiable. Please forward your comments for insertion into the original document.
Redistributing this document to a third party requires simultaneous redistribution of this license, without modification, and in particular without any further condition or restriction, expressed or implied, related or not to this redistribution. In particular, in case of inclusion in a database or collection, the owner or the manager of the database or the collection renounces any right related to this inclusion and concerning the possible uses of the document after extraction from the database or the collection, whether alone or in relation with other documents.

Cryptography

Description:
The Cryptography domain addresses the principles, means, and methods of securing information to ensure its integrity, confidentiality, and authenticity.

Expected Knowledge:
The professional should fully understand:
Basic concepts within cryptography.
Public and private key algorithms in terms of their applications and uses.
Cryptography algorithm construction, key distribution, key management, and methods of attack
Applications, constructions, and use of digital signatures
Principles of authenticity of electronic transactions and non-repudiation

The CISSP can meet the expectations defined above by understanding such Operations Security key areas of knowledge as:
Authentication
Certificate authority
Digital Signatures/Non-Repudiation
Encryption
Error Detecting/Correcting features
Hash Functions
Kerberos
Key Escrow
Message Digest
MD5
SHA
HMAC
One-Time cipher keys
Private Key Algorithms
Applications and Uses
Algorithm Methodology
Key Distribution and Management
Key Generation/Distribution
Key Recovery
Key Storage and Destruction
Key Strength
Complexity
Secrecy
Weak keys
Method of attack
Public key Algorithms
Application and uses
Algorithm Methodology
Key Distribution and Management
Key Storage and Destruction
Key Recovery
Key Strength
Complexity
Secrecy
Weak Keys
Method of attack
Stream Cipher

Examples of Knowledgeability
Describe the ancient history of Cryptography
CISSP Seminar:
First appearance – Egypt > 4000 years ago
Scytale – Sparta – 400 BC
Paper wrapped on rod
Text written on paper
Paper removed – cipher text
Caesar Cipher – Julius Caesar – Rome – 49 BC
7th Century AD – Arabs
Cipher Alphabets in magic – 855 AD
Leon Battista Alberti’s cipher disk – Italy – 1459 AD
Thomas Jefferson ciphering device – 1790 – Stack of 26 disks
Each disk contained alphabet around face of edge in different order
Positioning bar attached to align letters in row
Created message by moving each disk to proper letter
Bar rotated fixed amount (the key)
Letters around new position (cipher text)
ROT 13 – Many UNIX systems
Shifts letters 13 places
Not secure against frequency analysis
Encrypting twice returns the plain text
From Cryptography FAQ:
The story begins: When Julius Caesar sent messages to his trusted acquaintances, he didn't trust the messengers. So he replaced every A by a D, every B by a E, and so on through the alphabet. Only someone who knew the ``shift by 3'' rule could decipher his messages.
From CME’s Cryptography Timeline: (if you are really interested in knowing it all, or else jump over)

Date | C or G | Source | Info
about 1900 BC | civ | Kahn p.71 | An Egyptian scribe used non-standard hieroglyphs in an inscription. Kahn lists this as the first documented example of written cryptography.
1500 BC | Civ | Kahn p.75 | A Mesopotamian tablet contains an enciphered formula for the making of glazes for pottery.
500-600 BC | Civ | Kahn p.77 | Hebrew scribes writing down the book of Jeremiah used a reversed-alphabet simple substitution cipher known as ATBASH. (Jeremiah started dictating to Baruch in 605 BC but the chapters containing these bits of cipher are attributed to a source labeled ``C'' (believed not to be Baruch) which could be an editor writing after the Babylonian exile in 587 BC, someone contemporaneous with Baruch or even Jeremiah himself.) ATBASH was one of a few Hebrew ciphers of the time.
487 BC | Govt | Kahn p.82 | The Greeks used a device called the ``skytale'' -- a staff around which a long, thin strip of leather was wrapped and written on. The leather was taken off and worn as a belt. Presumably, the recipient would have a matching staff and the encrypting staff would be left home. [Note: an article in Cryptologia late in 1998 makes the case that the cryptographic use of the skytale may be a myth.]
50-60 BC | Govt | Kahn p.83 | Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communications. This cipher was less strong than ATBASH, by a small amount, but in a day when few people read in the first place, it was good enough. He also used transliteration of Latin into Greek letters and a number of other simple ciphers.
0-400? | Civ | Burton | The Kama Sutra of Vatsayana lists cryptography as the 44th and 45th of 64 arts (yogas) men and women should know and practice. The date of this work is unclear but is believed to be between the first and fourth centuries, AD. [Another expert, John W. Spellman, will commit only to the range between the 4th century BC and the 5th century AD.] Vatsayana says that his Kama Sutra is a compilation of much earlier works, making the dating of the cryptography references even more uncertain. Part I, Chapter III lists the 64 arts and opens with: ``Man should study the Kama Sutra and the arts and sciences subordinate thereto [....] Even young maids should study this Kama Sutra, along with its arts and sciences, before marriage, and after it they should continue to do so with the consent of their husbands.'' These arts are clearly not the province of a government or even of academics, but rather are practices of laymen. In this list of arts, the 44th and 45th read: The art of understanding writing in cipher, and the writing of words in a peculiar way. The art of speaking by changing the forms of words. It is of various kinds. Some speak by changing the beginning and end of words, others by adding unnecessary letters between every syllable of a word, and so on.
200's | Civ | Kahn p.91 | ``The so-called Leiden papyrus [...] employs cipher to conceal the crucial portions of important [magic] recipes''.
725-790? | Govt/(civ) | Kahn p.97 | Abu `Abd al-Rahman al-Khalil ibn Ahmad ibn `Amr ibn Tammam al Farahidi al-Zadi al Yahmadi wrote a (now lost) book on cryptography, inspired by his solution of a cryptogram in Greek for the Byzantine emperor. His solution was based on known (correctly guessed) plaintext at the message start -- a standard cryptanalytic method, used even in WW-II against Enigma messages.
855 | Civ | Kahn p.93 | Abu Bakr Ahmad ben `Ali ben Wahshiyya an-Nabati published several cipher alphabets which were traditionally used for magic.
--- | Govt | Kahn p.94 | ``A few documents with ciphertext survive from the Ghaznavid government of conquered Persia, and one chronicler reports that high officials were supplied with a personal cipher before setting out for new posts. But the general lack of continuity of Islamic states and the consequent failure to develop a permanent civil service and to set up permanent embassies in other countries militated against cryptography's more widespread use.''
1226 | Govt | Kahn p.106 | ``As early as 1226, a faint political cryptography appeared in the archives of Venice, where dots or crosses replaced the vowels in a few scattered words.''
about 1250 | Civ | Kahn p.90 | Roger Bacon not only described several ciphers but wrote: ``A man is crazy who writes a secret in any other way than one which will conceal it from the vulgar.''
1379 | Govt/civ | Kahn p.107 | Gabrieli di Lavinde at the request of Clement VII, compiled a combination substitution alphabet and small code -- the first example of the nomenclator Kahn has found. This class of code/cipher was to remain in general use among diplomats and some civilians for the next 450 years, in spite of the fact that there were stronger ciphers being invented in the meantime, possibly because of its relative convenience.
1300's | Govt | Kahn p.94 | `Abd al-Rahman Ibn Khaldun wrote "The Muqaddimah", a substantial survey of history which cites the use of ``names of perfumes, fruits, birds, or flowers to indicate the letters, or [...] of forms different from the accepted forms of the letters'' as a cipher among tax and army bureaus. He also includes a reference to cryptanalysis, noting ``Well-known writings on the subject are in the possession of the people.'' [p.97]
1392 | Civ | Price p.182-7 | "The Equatorie of the Planetis", possibly written by Geoffrey Chaucer, contains passages in cipher. The cipher is a simple substitution with a cipher alphabet consisting of letters, digits and symbols.
1412 | Civ | Kahn p.95-6 | Shihab al-Din abu `l-`Abbas Ahmad ben `Ali ben Ahmad `Abd Allah al-Qalqashandi wrote "Subh al-a `sha", a 14-volume Arabic encyclopedia which included a section on cryptology. This information was attributed to Taj ad-Din `Ali ibn ad-Duraihim ben Muhammad ath-Tha`alibi al-Mausili who lived from 1312 to 1361 but whose writings on cryptology have been lost. The list of ciphers in this work included both substitution and transposition and, for the first time, a cipher with multiple substitutions for each plaintext letter. Also traced to Ibn al-Duraihim is an exposition on and worked example of cryptanalysis, including the use of tables of letter frequencies and sets of letters which can not occur together in one word.
1466-7 | Civ | Kahn p.127 | Leon Battista Alberti (a friend of Leonardo Dato, a pontifical secretary who might have instructed Alberti in the state of the art in cryptology) invented and published the first polyalphabetic cipher, designing a cipher disk (known to us as the Captain Midnight Decoder Badge) to simplify the process. This class of cipher was apparently not broken until the 1800's. Alberti also wrote extensively on the state of the art in ciphers, besides his own invention. Alberti also used his disk for enciphered code. These systems were much stronger than the nomenclator in use by the diplomats of the day and for centuries to come.
1473-1490 | Civ | Kahn p.91 | ``A manuscript [...] by Arnaldus de Bruxella uses five lines of cipher to conceal the crucial part of the operation of making a philosopher's stone.''
1518 | Civ | Kahn p.130-6 | Johannes Trithemius wrote the first printed book on cryptology. He invented a steganographic cipher in which each letter was represented as a word taken from a succession of columns. The resulting series of words would be a legitimate prayer. He also described polyalphabetic ciphers in the now-standard form of rectangular substitution tables. He introduced the notion of changing alphabets with each letter.
1553 | Civ | Kahn p.137 | Giovan Batista Belaso introduced the notion of using a passphrase as the key for a repeated polyalphabetic cipher. (This is the standard polyalphabetic cipher operation mis-named ``Vigenere'' by most writers to this day.)
1563 | Civ | Kahn p.138 | Giovanni Battista Porta wrote a text on ciphers, introducing the digraphic cipher. He classified ciphers as transposition, substitution and symbol substitution (use of a strange alphabet). He suggested use of synonyms and misspellings to confuse the cryptanalyst. He apparently introduced the notion of a mixed alphabet in a polyalphabetic tableau.
1564 | Civ | Kahn p.144 (footnote) | Bellaso published an autokey cipher improving on the work of Cardano who appears to have invented the idea.
1623 | Civ | Bacon | Sir Francis Bacon described a cipher which now bears his name -- a biliteral cipher, known today as a 5-bit binary encoding. He advanced it as a steganographic device -- by using variation in type face to carry each bit of the encoding. [See Bacon's writings on-line.]
1585 | Civ | Kahn p.146 | Blaise de Vigenere wrote a book on ciphers, including the first authentic plaintext and ciphertext autokey systems (in which previous plaintext or ciphertext letters are used for the current letter's key). [Kahn p.147: both of these were forgotten and re-invented late in the 19th century.] [The autokey idea survives today in the DES CBC and CFB modes.]
1790's | civ/govt | Kahn p.192, Cryptologia v.5 No.4 pp.193-208 | Thomas Jefferson, possibly aided by Dr. Robert Patterson (a mathematician at U. Penn.), invented his wheel cipher. This was re-invented in several forms later and used in WW-II by the US Navy as the Strip Cipher, M-138-A.
1817 | Govt | Kahn p.195 | Colonel Decius Wadsworth produced a geared cipher disk with a different number of letters in the plain and cipher alphabets -- resulting in a progressive cipher in which alphabets are used irregularly, depending on the plaintext used.
1854 | Civ | Kahn p.198 | Charles Wheatstone invented what has become known as the Playfair cipher, having been publicized by his friend Lyon Playfair. This cipher uses a keyed array of letters to make a digraphic cipher which is easy to use in the field. He also re-invented the Wadsworth device and is known for that one.
1857 | Civ | Kahn p.202 | Admiral Sir Francis Beaufort's cipher (a variant of what's called ``Vigenere'') was published by his brother, after the admiral's death in the form of a 4x5 inch card.
1859 | Civ | Kahn p.203 | Pliny Earle Chase published the first description of a fractionating (tomographic) cipher.
1854 | Civ | Cryptologia v.5 No.4 pp.193-208 | Charles Babbage seems to have re-invented the wheel cipher.
1861-1980 | Civ | Deavours | ``A study of United States patents from the issuance of the first cryptographic patent in 1861 through 1980 identified 1,769 patents which are primarily related to cryptography.'' [p.1]
1861 | civ/(govt) | Kahn p.207 | Friedrich W. Kasiski published a book giving the first general solution of a polyalphabetic cipher with repeating passphrase, thus marking the end of several hundred years of strength for the polyalphabetic cipher.
1861-5 | Govt | Kahn p.215 | During the Civil War, possibly among other ciphers, the Union used substitution of select words followed by word columnar-transposition while the Confederacy used Vigenere (the solution of which had just been published by Kasiski).
1891 | Govt/(civ) | Cryptologia v.5 No.4 pp.193-208 | Major Etienne Bazeries did his version of the wheel cipher and published the design in 1901 after the French Army rejected it. [Even though he was a military cryptologist, the fact that he published it leads me to rate this as (civ) as well as govt.]
1913 | Govt | Cryptologia v.5 No.4 pp.193-208 | Captain Parker Hitt reinvented the wheel cipher, in strip form, leading to the M-138-A of WW-II.
1916 | Govt | Cryptologia v.5 No.4 pp.193-208 | Major Joseph O. Mauborgne put Hitt's strip cipher back in wheel form, strengthened the alphabet construction and produced what led to the M-94 cipher device.
1917 | Civ | Kahn p.371 | William Frederick Friedman, later to be honored as the father of US cryptanalysis (and the man who coined that term), was employed as a civilian cryptanalyst (along with his wife Elizebeth) at Riverbank Laboratories and performed cryptanalysis for the US Government, which had no cryptanalytic expertise of its own. WFF went on to start a school for military cryptanalysts at Riverbank -- later taking that work to Washington and leaving Riverbank.
1917 | Civ | Kahn p.401 | Gilbert S. Vernam, working for AT&T, invented a practical polyalphabetic cipher machine capable of using a key which is totally random and never repeats -- a one-time-tape. This is the only provably secure cipher, as far as we know. This machine was offered to the Government for use in WW-I but it was rejected. It was put on the commercial market in 1920.
1918 | Govt | Kahn p.340-5 | The ADFGVX system was put into service by the Germans near the end of WW-I. This was a cipher which performed a substitution (through a keyed array), fractionation and then transposition of the letter fractions. It was broken by the French cryptanalyst, Lieutenant Georges Painvin.
1919 | Civ | Kahn p.420 | Hugo Alexander Koch filed a patent in the Netherlands on a rotor based cipher machine. He assigned these patent rights in 1927 to Arthur Scherbius who invented and had been marketing the Enigma machine since about 1923.
1919 | Civ | Kahn p.422 | Arvid Gerhard Damm applied for a patent in Sweden for a mechanical rotor cipher machine. This machine grew into a family of cipher machines under the direction of Boris Caesar Wilhelm Hagelin who took over the business and was the only one of the commercial cryptographers of this period to make a thriving business. After the war, a Swedish law which enabled the government to appropriate inventions it felt important to defense caused Hagelin to move the company to Zug, Switzerland where it was incorporated as Crypto AG. The company is still in operation, although facing controversy for having allegedly weakened a cipher product for sale to Iran.
1921
