Solved

CISSP Examination: Can someone give me a breakdown of different encryption methods I would need to know?

Posted on 2016-08-22
24 Views
Last Modified: 2016-09-12
I'm interested in learning about encryption methods that are relevant to industry today. AES-256 vs. 3DES vs. DES vs. SSL/TLS vs PPTP vs. IPSec vs. OTHERS.

What is the difference, what are obvious ways to identify each, and what are the main uses of each? Please break down into quick notes on each, which can assist myself and others to absorb the material quickly. I have been reading wiki pages and I would like this information condensed and ELI5'd.

Thanks,
Tanner
Question by: Tanner Briggs
4 Comments
 
LVL 61

Accepted Solution

by:
btan earned 300 total points (awarded by participants)
In short, the difference is the strength of each algorithm and the application use case for them. For example:
  • 3DES and DES are symmetric; 3DES is stronger and DES is no longer recommended. In fact, the stronger one is AES.
  • SSL/TLS covers key exchange, authentication and encryption; see the OpenSSL link for the list of applicable ciphers.
  • PPTP vs. IPSec: these are for VPN purposes, and the link has a comparison to help in understanding. IPsec can support higher key lengths for greater security. (http://www.giganews.com/vyprvpn/compare-vpn-protocols.html)

Some useful websites to help beef up the understanding are:
- Learn Cryptography (https://learncryptography.com/) has flash and basic coverage of the topic
- Key Length (https://www.keylength.com/en/4/) shows the strength of ciphers (how long they can withstand brute forcing)
- OWASP guide to crypto (https://www.owasp.org/index.php/Guide_to_Cryptography)

A large part for you to focus on is the use case: which cipher (symmetric and asymmetric, hashes) is applicable for key exchange, encryption, authentication etc. in a cipher suite. For example, if you see a string such as "TLS_RSA_WITH_RC4_128_SHA", what does each part mean? A good reference is the OpenSSL list: https://www.openssl.org/docs/manmaster/apps/ciphers.html

Common applications of those ciphers include:
  • Remote access such as IPsec VPN
  • Certificate-based authentication
  • Securing confidential or sensitive information
  • Obtaining non-repudiation using digital certificates
  • Online orders and payments
  • Email and messaging security such as S/MIME
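As an added example (not code from any poster in this thread), the following Python script breaks a suite name such as TLS_RSA_WITH_RC4_128_SHA into the parts listed above (key exchange, authentication, bulk cipher and key length, MAC or PRF hash) and flags the properties the next answer mentions: forward secrecy, server authentication, and weak or deprecated algorithms. The prefix and cipher tables are constructed for this example and cover common suites only, not the full IANA registry; an unknown prefix raises an error rather than guessing.

```python
"""Break a TLS cipher-suite name into its parts and grade each part.

Added example for this thread; the lookup tables are constructed for illustration
and cover common suites only, not the complete registry of cipher suite names.
"""
import re
from dataclasses import dataclass, field

# Key exchange / authentication prefixes used in TLS <= 1.2 suite names:
# prefix -> (key exchange, authentication, provides forward secrecy)
KEX_TABLE = {
    "ECDHE_ECDSA": ("ECDHE", "ECDSA", True),
    "ECDHE_RSA":   ("ECDHE", "RSA",   True),
    "DHE_RSA":     ("DHE",   "RSA",   True),
    "DHE_DSS":     ("DHE",   "DSS",   True),
    "DH_anon":     ("DH",    "none",  True),   # ephemeral but unauthenticated
    "ECDH_anon":   ("ECDH",  "none",  True),
    "RSA":         ("RSA",   "RSA",   False),  # static RSA: no forward secrecy
}
# Bulk ciphers whose suite names carry no key length: name -> (cipher, bits, mode)
FIXED_CIPHERS = {
    "NULL":              ("NULL",     0,   ""),
    "DES_CBC":           ("DES",      56,  "CBC"),
    "3DES_EDE_CBC":      ("3DES",     168, "CBC"),
    "CHACHA20_POLY1305": ("CHACHA20", 256, "POLY1305"),
}
WEAK_CIPHERS = {"NULL", "DES", "3DES", "RC4", "RC2"}
WEAK_MACS = {"NULL", "MD5"}


@dataclass
class CipherSuite:
    name: str
    kex: str
    auth: str
    cipher: str
    key_bits: int
    mode: str
    mac: str            # HMAC hash for CBC suites; PRF hash for AEAD (GCM/CCM/POLY1305) suites
    forward_secrecy: bool
    findings: list = field(default_factory=list)

    @property
    def verdict(self):
        return "weak" if self.findings else "ok"


def _parse_bulk(spec):
    """'AES_128_GCM' -> ('AES', 128, 'GCM'); table lookup for names without a bit count."""
    if spec in FIXED_CIPHERS:
        return FIXED_CIPHERS[spec]
    m = re.fullmatch(r"([A-Z0-9]+)_(\d+)(?:_([A-Z0-9_]+))?", spec)
    if not m:
        raise ValueError(f"unrecognised bulk cipher: {spec}")
    return m.group(1), int(m.group(2)), m.group(3) or "STREAM"


def parse_suite(name):
    """Split a standard suite name into its components and record any weak properties."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        prefix, rest = body.split("_WITH_", 1)
        if prefix not in KEX_TABLE:
            raise ValueError(f"unknown key exchange prefix: {prefix}")
        kex, auth, pfs = KEX_TABLE[prefix]
    else:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry only the AEAD and hash;
        # key exchange is always ephemeral (EC)DHE, so forward secrecy is built in.
        kex, auth, pfs, rest = "(EC)DHE", "certificate or PSK", True, body
    bulk_spec, mac = rest.rsplit("_", 1)
    cipher, bits, mode = _parse_bulk(bulk_spec)
    suite = CipherSuite(name, kex, auth, cipher, bits, mode, mac, pfs)
    if auth == "none":
        suite.findings.append("anonymous key exchange: server is not authenticated")
    if not pfs:
        suite.findings.append("static key exchange: no forward secrecy")
    if cipher in WEAK_CIPHERS or bits < 128:
        suite.findings.append(f"weak or deprecated bulk cipher: {cipher} ({bits}-bit)")
    if mac in WEAK_MACS:
        suite.findings.append(f"weak MAC: {mac}")
    return suite


def describe(s):
    """One-line human-readable summary of a parsed suite."""
    line = (f"{s.name}: kex={s.kex} auth={s.auth} cipher={s.cipher}-{s.key_bits}/{s.mode} "
            f"mac/prf={s.mac} pfs={'yes' if s.forward_secrecy else 'no'} -> {s.verdict}")
    return line if not s.findings else line + "; " + "; ".join(s.findings)


if __name__ == "__main__":
    # Constructed sample list: the suite from the thread plus a few common ones.
    for n in ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_AES_128_GCM_SHA256"]:
        print(describe(parse_suite(n)))
```

The script expects the standard (IANA-style) names; OpenSSL's own listing uses different names such as ECDHE-RSA-AES256-GCM-SHA384, and in OpenSSL 1.1.1 and later `openssl ciphers -stdname` prints the standard name alongside each one, so that output can be fed through `parse_suite` to review a local cipher list.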
 
LVL 38

Assisted Solution

by: Rich Rumble
Rich Rumble earned 200 total points (awarded by participants)
You don't need to know that much about the ciphers and algorithms themselves, but you do need to know about their features and concepts: key exchange, perfect forward secrecy, integrity, authentication, non-repudiation, message authentication, digital signatures etc. You will also need to learn about hash and algorithm limitations, but I don't remember much about that on the test.
A good start is my two articles here:
https://www.experts-exchange.com/articles/12134/Choosing-the-right-encryption-for-your-needs.html
https://www.experts-exchange.com/articles/12386/How-secure-are-passwords.html
-rich
 
LVL 61

Assisted Solution

by: btan
btan earned 300 total points (awarded by participants)
Agree with RichRumble. We are not cryptographers, but we need to know the best practices, as it is likely more a matter of compliance to make sure a strong cipher is adopted and not leave a "hole" open to attacks. The best practice, as shared in my previous post, is to share the application of that crypto as part of the security posture. For example, for a website's adoption of SSL, the free online service (https://www.ssllabs.com/ssltest/) can examine the ciphers in use for key exchange, PFS, encryption and the certificate used, for a health check and compliance requirements.
 
LVL 61

Expert Comment

by: btan
Concept and information explained.
