Cryptography is one of the more difficult concepts to master when studying for a certification like CISSP. I know from my own experience it’s really easy to let the details overwhelm you. After seeing an acquaintance’s LinkedIn post, I thought I’d write about cyber security and cryptography and what you really need to know.
Let me start with one thing. I have never, ever had to encode or decode anything by hand. I’m very confident I can stay employed another 20 years in the cyber security field and never have to do the math myself.
If you like the math, fantastic. Go become a cryptographer. We need more Bruce Schneiers in the world. If you don’t like the math, that’s OK. You can be like me instead. I’m not famous but I’ve been a useful employee everywhere I’ve been. Just as importantly, I’ve been able to make a good living. You can too.
Know the current encryption schemes
Just being able to recognize current encryption schemes is incredibly useful. Know what things like AES, TLS, and RSA are. Know what you use them for. I encrypt a laptop hard drive with AES. I encrypt web traffic with TLS, which in turn relies on other underlying technologies, including AES.
Know some common obsolete encryption schemes
I never realized how much of my time as a security analyst I would spend finding and pointing out obsolete encryption on old computers. One extreme case was when a former client had an important Excel worksheet full of sensitive data encrypted with RC2 and a five-character dictionary password.
“We’ve been doing it that way for 20 years and nothing bad has happened, so why is this a problem?”
Get used to that reaction. And get used to saying that encryption schemes and passwords that were OK to use 20 years ago are easy for new computers to break in a matter of minutes today. Remember to be diplomatic.
It helps to know that DES gave way to AES and SSL gave way to TLS. Going obsolete is a fact of life in cryptography.
Also make sure you know what the Enigma machine was and what the consequences were of its encryption being broken. It doesn’t hurt to know that poor operating procedures created a de facto backdoor. You may see the Enigma on your test. Being able to explain the lessons of Enigma helps from time to time in the real world.
A tip for taking the test and surviving in the field
Whichever book you’re using to study will talk about dozens of encryption schemes. What’s more important than knowing how they work is how they relate to each other. A good exercise (I’ll leave it to you) is to write down each scheme the book mentions and map out how they relate. For example, knowing that good TLS 1.2 relies on Diffie-Hellman, RSA, AES, and SHA is useful information. As a security analyst, I regularly came across systems that didn’t use good TLS 1.2. You’ll find RSA and AES in use in other places too.
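One way to do that mapping exercise with real input, as an added example that is not part of the original post: the script below decomposes OpenSSL-style TLS 1.2 cipher-suite names (the kind a scanner reports for a server) into the key exchange, authentication, cipher and hash they rely on, groups them under the same asymmetric, symmetric and hash categories the DEER MRS CARBIDS list uses later in this post, and flags the obsolete pieces together with what replaced them. The sample suite names are constructed, and the obsolete/replacement table is this example's own judgement, not the post's; TLS 1.3 suite names are deliberately out of scope.

```python
"""Decompose OpenSSL-style TLS cipher-suite names into the primitives they
rely on, grouped under the mnemonic's asymmetric / symmetric / hash
categories, and flag the obsolete ones.

Added example for this post (not the post's own code). SAMPLE_SUITES is a
constructed list, and the obsolete/replacement table below is this example's
own judgement. Only the legacy OpenSSL naming used for TLS 1.2 and earlier
is handled; TLS 1.3 names such as TLS_AES_128_GCM_SHA256 are not.
"""

# Tokens that name a key-exchange method; a suite with none of them uses
# the server's RSA key directly (static RSA key exchange).
KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}

# token -> human-readable name of the symmetric cipher
CIPHERS = {
    "AES128": "AES-128",
    "AES256": "AES-256",
    "CHACHA20": "ChaCha20",
    "CBC3": "3DES",      # OpenSSL spells triple DES as DES-CBC3
    "DES": "DES",
    "RC4": "RC4",
    "RC2": "RC2",
}
# token -> human-readable name of the MAC / PRF hash
HASHES = {
    "MD5": "MD5",
    "SHA": "SHA-1",      # a bare "SHA" in a suite name means HMAC-SHA1
    "SHA256": "SHA-256",
    "SHA384": "SHA-384",
    "POLY1305": "Poly1305",
}
# Obsolete primitive -> what replaced it (this example's table, following the
# post's "DES gave way to AES" theme).
REPLACEMENT = {
    "DES": "AES", "3DES": "AES", "RC2": "AES", "RC4": "AES",
    "MD5": "SHA-2", "SHA-1": "SHA-2",
}


def decompose(suite):
    """Split an OpenSSL suite name into the primitives it relies on."""
    tokens = suite.upper().split("-")
    kex = tokens[0] if tokens[0] in KEY_EXCHANGE else "RSA"
    auth = next((t for t in tokens if t in AUTHENTICATION), "RSA")
    if "CBC3" in tokens:            # DES-CBC3-SHA: CBC3 wins over the DES token
        cipher = "CBC3"
    else:
        cipher = next((t for t in tokens if t in CIPHERS), None)
    mac = next((t for t in reversed(tokens) if t in HASHES), None)
    if cipher is None or mac is None:
        raise ValueError("unrecognised cipher suite name: %s" % suite)
    return {
        "asymmetric": {"key_exchange": kex, "authentication": auth},
        "symmetric": CIPHERS[cipher],
        "hash": HASHES[mac],
    }


def audit(suite):
    """Return the findings an analyst would raise for one suite: obsolete
    primitives with their replacement, and static RSA key exchange, which
    offers no forward secrecy."""
    parts = decompose(suite)
    findings = []
    for name in (parts["symmetric"], parts["hash"]):
        if name in REPLACEMENT:
            findings.append("%s is obsolete; use %s" % (name, REPLACEMENT[name]))
    if parts["asymmetric"]["key_exchange"] == "RSA":
        findings.append("static RSA key exchange gives no forward secrecy; prefer ECDHE or DHE")
    return findings


def weak_suites(suites):
    """Map each suite that has at least one finding to its findings."""
    report = {}
    for suite in suites:
        findings = audit(suite)
        if findings:
            report[suite] = findings
    return report


# Constructed sample, the sort of list a TLS scanner reports for an old server.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, decompose(suite))
        for finding in audit(suite):
            print("   !", finding)
```

Run as-is it prints the decomposition and findings for each constructed suite; pointed at a scanner's real output, `weak_suites` gives the short list of suites worth raising with the system owner, with the replacement already named so the conversation in the next section can start from "here is what to move to" rather than "this is old".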
While it would be fair game to have you encode or decode a two-word phrase on the test, I would be surprised if such a question showed up on your test. There are many other things you’re more likely to encounter in the real world, and I’ll argue those are more important to test you on.
Treat crypto like ports
One of the things I did years ago to pass Security+ was memorize a bunch of ports. I still remember that SSH is port 22, SMB is ports 137-139 and 445, HTTP is port 80 and HTTPS is port 443. At one time I probably knew a few dozen of them, but there are probably only 10-15 I regularly have to deal with so those are the ones I remember now.
If you’re trying to pass CISSP or something similar, memorize the acronym DEER MRS CARBIDS, which groups common encryption schemes into asymmetric, hash, and symmetric.
For each scheme in the acronym, it helps if you can tell me a few more things about it. What key lengths can it take? Is it obsolete? If it is, what replaced it?
Memorizing all of that is harder than memorizing a list of ports. But it’s a lot easier than memorizing a bunch of math you’re never going to use.
DEER MRS CARBIDS
Asymmetric: encrypt with one key, decrypt with the other key
D – Diffie-Hellman
E – ElGamal: Diffie-Hellman plus non-repudiation
E – ECC
R – RSA
Hash: one-way algorithm, no key
M – MD5
R – RIPEMD (160)
S – SHA (3)
Symmetric: encryption with one key
C – CAST
A – AES: 128-bit key, 10 rounds; 192-bit key, 12 rounds; 256-bit key, 14 rounds
R – RC4, RC5, RC6
B – Blowfish: 23-448-bit key, 64-bit block
I – IDEA: 128-bit key, 64-bit block
D – DES: 64-bit block, 16 rounds
S – Serpent
Remember this, and that ought to give you enough background in cyber security and cryptography to get you through that part of the test.