Domain 05 - Cryptography

Mervin Pearce • 12 views • 50:04

About this video

Cryptography is often considered one of the most complex CISSP domains, but this session breaks it down into its theoretical core, making it more accessible. Cryptography is the study and application of mathematical algorithms and data transformations to secure information by ensuring confidentiality, integrity, and authentication.

This session begins with core definitions. Cryptography protects data, cryptanalysis breaks it, and cryptology is the broader study of both. Concepts like plaintext, ciphertext, encryption, decryption, algorithms, keys, and cryptosystems are clearly defined. You’ll learn about keyspace, how key length affects complexity, and why key management is the critical weakness in symmetric systems.

You’ll be introduced to classic cryptographic methods including substitution and transposition ciphers, polyalphabetic ciphers, the Vigenère cipher, and running key ciphers. Examples such as the Greek scytale, Morse code, Pig Latin, and Enigma highlight the evolution from ancient to modern encryption techniques. One-time pads, although theoretically unbreakable, are explained with their real-world limitations. Claude Shannon’s principles of confusion and diffusion are introduced, as well as transformation techniques such as substitution, permutation, compression, expansion, padding, key mixing, and XOR.

The session then transitions into symmetric key cryptography, exploring stream and block ciphers, Data Encryption Standard (DES), Triple DES, and Advanced Encryption Standard (AES). Modes like ECB, CBC, CFB, OFB, and CTR are explained with use cases, strengths, and limitations.

Public key or asymmetric cryptography is introduced through Diffie-Hellman, RSA, and elliptic curve cryptography. You’ll see how asymmetric systems use key pairs and solve hard mathematical problems like factoring and discrete logarithms. The strengths and weaknesses of asymmetric methods are covered, including their computational intensity and role in key distribution, encryption, and digital signatures.

Hash functions are detailed, with a focus on message integrity, one-way functionality, collision resistance, and common algorithms like MD5, SHA-1, and SHA-2. The video explains their use in message authentication codes (MACs), HMACs, and CBC-MACs. Hash collisions, birthday attacks, and the importance of strong, non-predictable hash functions are emphasised.

Digital signatures are explored for authenticity and non-repudiation using asymmetric keys. The signature process is explained in detail: the sender encrypts a hash with their private key, and the recipient uses the public key to verify the signature and hash.

Key management, the Achilles heel of cryptography, is covered through best practices in key generation, distribution, verification, storage, revocation, and multi-party control. You’ll understand key derivation functions and how trust models influence secure communication, including the role of public key infrastructure (PKI), certificate authorities, and cross-certification. Digital certificate content and X.509 structures are examined to show how authenticity is maintained in electronic communications.

Cryptography’s practical applications in confidentiality, integrity, authentication, and non-repudiation are highlighted. Use cases include data storage, secure email, and protocol protection. Hybrid cryptographic systems like PGP, using both symmetric and asymmetric components, are discussed alongside secure email protocols such as MSP, PEM, MOSS, S/MIME, and OpenPGP. Secure network protocols are also addressed, including HTTPS, SSH, SSL/TLS, IPsec, WPA, and 802.11i.

Legal and regulatory issues around cryptography include export/import controls, domestic policies, and international agreements such as the Wassenaar Arrangement and the Council of Europe Convention on Cybercrime.

Cryptanalysis, the science of breaking encryption, is broken down into methods like brute force, known plaintext, chosen plaintext, ciphertext-only, meet-in-the-middle, and side-channel attacks. Attack techniques include slide attacks, man-in-the-middle, and social engineering. Weak implementations, short key lengths, poor randomness, and key clustering are shown to reduce cryptographic strength. The importance of selecting publicly reviewed and proven algorithms is emphasised. Security by obscurity is discouraged in favour of publicly evaluated, high-work-factor algorithms that have stood the test of time.

The session concludes with a look at information hiding through steganography, its techniques and implications, and examples such as hiding data in image files using least significant bits.

Video Information

Views: 12 (total views since publication)
Duration: 50:04 (video length)
Published: Apr 6, 2025 (release date)
Quality: SD (video definition)