🛈 Disclaimer: I must have heard all the stories mentioned below from someone, somewhere, some time ago, and I can no longer recall the exact sources.
Personally, I always feel the cybersecurity industry, in general, demonizes the CISSP and CCSP exams so much that course attendees often feel like they are climbing Mount Everest when it is a 3-hour, family-friendly hiking trail in front of them. That being said, going for a 3-hour hike still calls for:
- A certain fitness level, i.e. the participants need to have some security / cloud knowledge.
- Good preparation (sufficient water / sun protection / good shoes), i.e. the participants need to be familiar with the exam outline, mock questions, and what to expect.
- Helpful guidance (GPS / the trail map / the lookout points), i.e. using good study / exam material and focusing on the right topics.
I have not come across any formal surveys regarding the top-ranked notorious exam topics of CISSP or CCSP, but I bet ‘cryptography’ makes the top 3 at least, likely number 1.
Most of us come across cryptography in real life as users, i.e. turning it on or off, and leave the detailed configuration to the industry default settings, compliance requirements (for example the PCI DSS strong cryptography requirements) or vendor recommendations. Rarely do we need to know how cryptography works in detail. It has been my personal endeavour to make this ‘heavy’ topic ‘approachable’.
Open System Again
First of all, you need to believe in Open System over Security through Obscurity to start with – please see the first part of the previous blog.
Now, you trust the openness and robustness of cryptographic algorithms. Let’s look at the concept of ‘key’.
Algorithm, Key and Key Space
Say the algorithm we choose is to ‘shift’ the letters of the alphabet a to z (the 26 letters used in English, ignoring upper/lower case; we understand it is far too easy to crack and use it here for explanation purposes only). When the message is ‘GO SOUTH’ and we shift by 1, the encrypted message becomes ‘HP TPVUI’. Here 1 is the key value; since there are 26 letters in the English alphabet, the available key values are 1-25.
The more key values there are to choose from, the more candidates an attacker has to try, and the stronger / more secure the scheme is. This is the concept of a large key space.
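The shift cipher above as runnable code, added here as an illustration (not from the original post). It encrypts ‘GO SOUTH’ with key 1 and then enumerates the whole 25-value key space, which is exactly why such a small key space offers no real protection.

```python
import string

# The post's alphabet: 26 English letters, upper/lower case folded together.
ALPHABET = string.ascii_uppercase
KEY_SPACE = range(1, 26)  # the 25 usable shift values; 0 and 26 would change nothing


def shift_encrypt(message, key):
    """Shift every letter by `key` positions, wrapping z back to a.
    Non-letters such as spaces are passed through unchanged."""
    if key not in KEY_SPACE:
        raise ValueError("key must be in the key space 1-25")
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Shifting forward by 26 - key is the same as shifting back by key."""
    return shift_encrypt(ciphertext, 26 - key)


def key_space_size():
    """How many distinct keys a guesser has to try: only 25 here."""
    return len(KEY_SPACE)


def all_candidate_plaintexts(ciphertext):
    """Every possible decryption. With 25 keys a reader can simply scan the list
    for the one that looks like English, which is the weakness of a small key space."""
    return {key: shift_decrypt(ciphertext, key) for key in KEY_SPACE}


if __name__ == "__main__":
    ct = shift_encrypt("GO SOUTH", 1)        # -> 'HP TPVUI', as in the post
    print(ct, "| key space size:", key_space_size())
    for key, candidate in all_candidate_plaintexts(ct).items():
        print(f"key {key:2d}: {candidate}")
```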
Since the algorithm is widely known, protecting the key becomes one of the key missions of cryptography.
Symmetric Encryption
Here is where the tale usually begins – a long, long time ago, there were a king and his general …
The kingdom was under attack; the king ordered his general to defend the territory at the front line. Before the general departed, the two met and agreed how to communicate during the war: which algorithm to use and what the secret key between them would be.
The general left for the battlefield and the war began. The king would issue commands, encrypt the message with the chosen algorithm and secret key to generate the ciphertext (encrypted message), then pass it to the messenger.
When the messenger successfully delivered the ciphertext, the general used the same secret key and algorithm to decrypt it, receiving the commands securely.
Potentially, the enemy could intercept the message by capturing the messenger, but the messenger does not know the secret key, so the message remains safe.
This is symmetric encryption: fast to operate, compact in ciphertext size, and secure. However, we can see quite a few problems here:
- If somehow the general loses the key, it would be difficult to securely pass him a new shared key. It calls for an ‘out of band’ communication channel. Remember the time you visited a physical branch and applied for e-banking: you would be handed a machine-printed secure PIN code.
- If the king would like to communicate securely with every officer, he needs a different key for each person. Imagine it is a big kingdom: potentially, millions of secure communication channels are needed.
Asymmetric Encryption
Back to the king and general: we assign each of them a pair of keys, a public key and a private key. The two keys are mathematically linked: what one key encrypts, only the other can decrypt. Their public keys are distributed to anyone in the kingdom; their private keys are kept by themselves.
When the king wants to send a secret message to the general, he uses the (asymmetric) algorithm with the general’s public key to perform the encryption.
When the general receives the encrypted message, he uses his own private key (securely kept) to perform the decryption. This operation delivers confidentiality.
As the defence effort progresses well, the king would like to reward everyone in the kingdom with $1,000. With the proliferation of misinformation and fake news, the king wants his people to be sure the message is indeed from the king.
Everyone in the kingdom has the king’s public key, so the king encrypts his message with his own private key. Anyone can then open the encrypted message with the king’s public key and know it is from the king (only the king has access to his own private key!). This operation delivers proof of origin.
The final question of the tale: how can the king send a secret command to the general such that the general is sure it is from the king?
Please pause, answer to yourself, then see the answer –
The king first encrypts the message with his own private key (for proof of origin), then encrypts the result with the general’s public key (for confidentiality); the order of the two operations can be negotiated/configured. After receiving the encrypted message, the general first decrypts with his own private key, then with the king’s public key. And voilà!
This is asymmetric encryption. The key management is simpler than with symmetric encryption: each person needs only one key pair, and public keys can be distributed openly.
However, asymmetric algorithms are generally slower to operate, and the ciphertext is generally 10x bigger than the symmetric one.
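The sign-then-encrypt exchange above carried through in code, added here as an illustration (not from the original post). It uses textbook RSA with tiny constructed primes and no padding so that the key algebra is visible; the primes, the numeric command 1234 and the impostor key are all assumed for the demo, and it also shows what the general sees if he checks against the wrong public key.

```python
# Added illustration of the king/general exchange using textbook RSA with tiny,
# constructed primes and no padding. It shows only the key algebra: real systems use
# large keys, padding, and a hash-based signature instead of raw exponentiation.
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) as (n, exponent) pairs built from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def apply_key(value, key):
    """One RSA operation, value^exponent mod n. The same operation is used whether the
    key is public (encrypt / verify origin) or private (decrypt / prove origin)."""
    n, exponent = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exponent, n)


# Constructed keys. The general's modulus is larger than the king's so that the
# intermediate value still fits; with textbook RSA the moduli sizes decide which order works.
KING_PUB, KING_PRIV = make_keypair(61, 53)        # n = 3233, d = 2753
GENERAL_PUB, GENERAL_PRIV = make_keypair(89, 97)  # n = 8633
IMPOSTOR_PUB, _ = make_keypair(71, 83)            # someone else claiming to be the king


def king_sends(command, king_priv=KING_PRIV, general_pub=GENERAL_PUB):
    """Step 1: king's private key (proof of origin). Step 2: general's public key (confidentiality)."""
    proof = apply_key(command, king_priv)
    return apply_key(proof, general_pub)


def general_receives(ciphertext, general_priv=GENERAL_PRIV, sender_pub=KING_PUB):
    """Undo in reverse order: own private key first, then the claimed sender's public key."""
    proof = apply_key(ciphertext, general_priv)
    return apply_key(proof, sender_pub)


if __name__ == "__main__":
    command = 1234                                   # constructed numeric command, must be < 3233
    ct = king_sends(command)
    print("ciphertext:", ct)
    print("general reads:", general_receives(ct))    # 1234: confidential and from the king
    # Checking against an impostor's public key yields garbage, not the command.
    print("checked with impostor key:", general_receives(ct, sender_pub=IMPOSTOR_PUB))
```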
Could we have the best of both worlds?! Yes. Hybrid encryption. We shall leave that tale to next time then 👋
Check out our IBF-approved courses! There is no better time to upskill than now!