Introduction to Cryptography

Almost every organisation now has a need to send data across a network - in many cases a network not directly under its own control - such as the Internet. Any organisation doing this is concerned about two main issues:

How can we prevent someone from eavesdropping on our data transmissions?

How can we verify the identity of the other organisation we are communicating with?

Auditors will want to satisfy themselves and their management that suitable controls are in place to allow these two objectives to be met. In this 2-day course you will learn the essentials of cryptography - how it works, how it is deployed and used, and how it should be audited. We will take you through from basic techniques up to the modern cryptographic algorithms used in secure web sites, VPNs and wireless networks. You'll leave the course with a thorough understanding of the benefits and risks of cryptography and the ability to ask the right questions and evaluate the answers when you conduct your own audit of this critical area of IT security.

Suggested duration: 2 days, but can be customised to your requirements

Agenda

Introduction – principles of cryptography
The terminology
Plaintext, cyphertext, algorithms and keys
Encryption attacks and how they are carried out
Costs and benefits of encryption
What should you encrypt and why?

Types of encryption algorithm
Symmetric encryption and how it works
Symmetric encryption problems – key management and distribution
Asymmetric encryption and how it works
Advantages of asymmetric encryption
Creating good quality encryption keys
Key security

Digital signatures to authenticate data and users
Hashes and message digests
Signing documents
Verifying digital signatures

Public key infrastructure
What is a PKI?
How is it established and maintained?
What can go wrong with a PKI – what can and can’t it do?
Digital Certificates
Principles of digital certificate verification
Certification and registration authorities
What’s in a digital certificate?
Certificate revocation

Common Authentication Systems
Microsoft’s NTLM
Kerberos
Two-factor access methods – tokens, smartcards and biometrics
Secure web sites and how they are set up
SSL and TLS
SSH for secure login and application tunnelling

Wireless Network Security
WLAN encryption options – the progression from WEP to the present
Weaknesses of WLAN encryption
Wireless encryption attacks and countermeasures

Virtual Private Networks
What is a VPN?
VPN setup
VPN encryption schemes
L2TP, PPTP and IPSec
Transport Mode and Tunnel Mode

Software demonstrations:
Symmetric and asymmetric encryption software
PGP and its uses
Basic PKI demo using a PGP key server
Demo of securing a web server with a digital certificate
VPN setup demo
Using SSH for secure login

A cryptography audit program