Howdy folks, welcome to module three of Security Plus. As you can see, this third module of the course is called Explaining Appropriate Cryptographic Solutions. As for the course objectives, there will be three that get covered in this module. The objectives that get covered in this specific module are as follows: compare and contrast cryptographic algorithms; explain the importance of public key infrastructure and digital certificates; and lastly, folks, explain the importance of using appropriate cryptographic solutions for encryption and key exchange.

All right, and then folks, this module of the course contains three subsections which we'll be covering. The first section we'll be diving into is called cryptographic algorithms, the second section we'll be covering is public key infrastructure, and the third and last section we'll be covering is cryptographic solutions. All right, there you have it folks: both the objectives as well as the sections we'll be covering in this module.

Before we jump into the first section, like usual, do your homie here a favor and give this video a like; it actually helps to get this free course out to more people that actually need it out there. And then of course, if you enjoy my content or if you'd like to know when I release more, then, well, consider subscribing. And with that, folks, let's jump into that first section of this module.

All right folks, I'm going to start you guys off in the first section of this module, cryptographic algorithms. The first topic we've got up in this module is cryptographic concepts. So for you guys to, well, go a little bit further with encryption, we first got to understand the concepts, the basic concepts of encryption. So starting you guys with the basics: encryption and decryption is effectively known as encoding and decoding something. This could be a message, this can be a bulk amount of data, it can be a lot of things,
but in a nutshell, this is to go and encrypt something, to encode it, or to go and decrypt something; you know, the person that's receiving it or that wants to view the content, that would be seen as decoding it.

Now, before anything gets done, way in the beginning, before you or somebody has encrypted something, that data is normally known as plaintext. So that's obviously before anything has actually been done here: before any encryption takes place, the information, whether it be an email, whether it be a document, is referred to as plaintext, in other words unencoded. Once you or somebody has encrypted this message or this document, that would then be referred to as ciphertext, or as some folks say, a coded message.

So there could obviously be many kinds of encryption you guys can use. I'm sure by now a lot of you guys over the years would have heard there's many kinds of encryption you can use. Some of them are tools, some of them are not tools, some of them you just have to go and do on your own, but at the end of the day, if you're going to encrypt something, however you go and do it, it is referred to as ciphertext. So that's the coded message.

Then, just in case you guys don't know, the word cipher is the means of change, or the algorithm that's actually being used. So if I ask you, hey, what cipher are you using, I'm basically asking you what means of change are you using. Are you using some sort of program, are you using an algorithm, is it the combination of the two? What cipher are you using to go and do your coding, in other words your encoding, or your encryption as some folks might say.

Another term you folks might hear is cryptanalysis; hoping I'm pronouncing that correctly, I think it's cryptanalysis. That, folks, is the art of cracking cryptographic systems, so I suppose that is where you would say a hacker would go and mess with your stuff. So if any of you folks have ever watched a good episode or a good movie that involves some sort of hacking, or
there's a hacker in there, and you see them breaking into something or cracking something, and they'll mention, hey, it's got this encryption or it's got that encryption, and they're going to break into this encryption or whatever: that, folks, is called cryptanalysis. The person is effectively going to go and try and crack this, and the most common way to do that would probably be some form of brute force.

Now, I'm not sure how familiar some of you guys are with security, but normally when we say brute force we mean cracking someone's password in IT. So if I go and guess your password, especially if I'm using some sort of software, we call that a brute force attack. I'm guessing your password by trying, obviously, all kinds of possible combinations. Now the same concept can effectively be done here in cryptanalysis. I'm going to be trying every possible combination of, let's say, your password key, if there's going to be some sort of key involved, and eventually, if I get the key right, I'm going to be able to see the plaintext version of the information. So if I crack it but the information still looks like jibber jabber, just looks like nonsense, all kinds of weird symbols and blah blah blah, or the letters and the numbers and everything I see just doesn't make any sense, then obviously I know I've gotten the key wrong. If you get the key right, the information should obviously make sense to you. You'll be like, okay, you know what, this actually looks like something that a human being can comprehend and a human being can read; then you know you did it successfully.

Many ways you can go and do it, but at the end of the day it does involve a lot of resources, folks. If you really want to be able to crack a password for encryption, anything like that, even a normal password for that matter, usually the person doing it will need a lot of processing power, a lot of CPU power in other words, a lot of RAM, and obviously a lot of other resources as well. So you'll probably find that these people are going to be using some
form of supercomputer. Very unlikely it's going to be their own computer; it's probably going to be a combination of computers working together to act as one, which we refer to as a supercomputer.

Another term you're going to hear us talking about in this course, folks, is hashing algorithms. So that's just one of many forms of encryption, effectively. It's very common to go and use that, especially during investigations and things like that. So if any of you guys are ever going to be involved in some sort of investigation, especially in IT (just because you're in IT does not mean you can't be some sort of popo, you know, some person that does some sort of investigation), so if you do gather some sort of evidence, you'll find that these folks like to go and use something called hashing. I'm going to go and encrypt it with some sort of value, and the person that wants to view this information has to use the same hash. It's kind of like a password of sorts. So I'm going to use a password of sorts to go and encrypt this content, and when it gets to your end (maybe I'm going to send this information to you via hard, via the mail, via whatever), when it gets to your end, you're going to be using the same hash, and if you use the same hash you'll be able to see the same value as me. Now the person that has to go and decrypt on the other side might not even be a different person; for all we know this might be the very same person. The hashing is just to ensure the integrity of the information, so that someone or something can't go and tamper with it. Pretty much the same concept as any other kind of encryption.

Now, two popular kinds of ciphers when it comes to encryption, folks, are symmetric and asymmetric, something we're going to go into deeper in just a couple of moments. So just to give you guys a very basic overview of symmetric: symmetric means the individuals are going to be using the same key. So if I send you something or you send me something, both of us are going to be using some sort of key to go and
encode and decode, in other words encrypt and decrypt, but the key that I and you will be using is going to be the same key. There's benefits to that, there's drawbacks to that.

If you look at asymmetric, that is also a form of encryption, but me and you will not be using the same key. I'm just going to pretend this is me and you, you know, just for the sake of simplicity. So you are going to be using a key that will probably be the public key. So if you are the one sending me information, you're going to be using a public key, and if I'm the one receiving the information, I'm going to be using a private key. So with asymmetric there's normally a key pair that gets generated, a private key and a public key. The public key is what gets shared with the public, with the people that's going to be involved. So everybody that needs to send me information, they will be using the public key to encrypt that information, and only the person that holds the private key of the key pair, you know, the one that's basically the pair of that public key, only he or she will be able to decrypt that information.

Now just something interesting: if you are going to go encrypt that information using my public key, you cannot use that same public key to go and decrypt the information. Nope. So you can only encrypt it using, let's say, the public key, and you can only go and decrypt it using the private key. Now there are cases people will go and use the private key to go and encrypt and then the public key to go and decrypt. You know, as long as you use the one and then the opposite one to go and decrypt, it'll work. But the public key is the one that's normally known to the public, which is why the sender will use the public key and the receiver will normally go and use the private key. The private key is, well, usually private, hence the name. So whichever key is the one that encrypts, you've got to use the opposite key of the pair to go and decrypt. It's just usually going to be a case of the public key is the one that's
going to go and do the encrypting, because that's the sender, and the public key is normally known to the public. So whoever needs to send you information, you will go and share your public key with those individuals; might be one person, might be multiple people. And then the person receiving it, which will probably be you, you're going to be using your private key of that pair to go and decrypt the information.

As for the symmetric one we mentioned earlier, with that one the keys are the same. Me and you are going to be using the same key to go and encrypt and decrypt information. Symmetric has got benefits in the sense of, if you've got large amounts of data, bulk data, that you need to go encrypt, yes, symmetric is going to work. It's a heck of a lot quicker, folks, to go and do your encryption. It's not as secure as asymmetric, but it is very fast. Asymmetric is generally seen as a little bit more secure, but it doesn't really work with large amounts of data, which is often going to be the case.

So since asymmetric is so resource intensive (I mean, you're going to need a lot of CPU power and stuff to go and do encryption of large amounts of data), it is actually better to go and use symmetric encryption for the large amounts of data. And then those two keys (remember, the keys are going to be the same, so with symmetric, me and you are going to be using the same key), instead I just use asymmetric to encrypt the key I'm going to send you. So it's kind of like a double encryption, if you want to think about it. I'm going to use symmetric to encrypt all the data, so me and you are going to be using the same key to go and open that, and if you don't have the key, or if I need to give you the key for the symmetric, I can use asymmetric encryption to go and encrypt the key for the symmetric, if that makes sense. So I can go and use the word banana as my password for symmetric. You and me are both going to use the word banana to go and encrypt and decrypt that large amount of data, but for me to give you that password, I'm
going to use the word asymmetric to encrypt that key, because it's just one word, one phrase. We're not going to need a lot of processing power to do that, since it's literally just one phrase we're going to be encrypting. So with asymmetric there we'll have a public key and a private key. So if I'm the one that's going to be sending it to you, I'm going to use a public key to encrypt that word banana, and you're going to use a private key to decrypt the word banana, and once you've got the word banana, you're going to use that to go and decrypt the large amount of data which was encrypted using symmetric encryption.

All right folks, I'm going to move you on to the next topic, and that is just to go a little bit deeper into the topic of symmetric encryption, something we have just mentioned. So as you guys know, with symmetric encryption both me and you are going to be using the same key, or whoever is going to be using this encryption. Encryption uses a reversible process, let's just call that an algorithm, based on a key that is only known by authorized users. You'll notice I said a key, based on a key, not multiple keys. One key. So everybody that's going to be using this symmetric encryption, or is going to be part of this little group (this could be two people, can be five people, can be 10 people), if there's 10 people in this group and we're going to be sharing information, all 10 of us can actually use the exact same key. So if I send something to you and I want to encrypt it, I use this key, which is maybe the word banana, and if anybody else in this group of 10 people receives this information, they use the exact same word, once again the word banana, to go and decrypt the information. So there's a key, one key, which is only known by the group of authorized users.

So it's got a benefit in the sense of it's easy, it's got the benefit of I can use this for large amounts of data, but it does have a downside, like I mentioned earlier. So this symmetric encryption, folks, is substitution and transposition. The process here,
folks, it should be complex to unravel without the key. The whole idea here, and quite frankly the idea of all kinds of encryption, is the process should be so freaking complex that they should not be able to do it without the key. They need the key to get the information. The problem is storing that key, getting it to the people that need it, and securing the key. So in general the encryption is pretty good; it's the key that's the problem. Yes, there's only one key, so that makes it actually pretty easy, but keeping that key safe, secure, and getting it to the people that need it, that's the problem here.

So with symmetric algorithms, the same key is used for encryption and decryption, should I say encoding and decoding, if you want to call it that. It's very fast; that's a very good benefit here. It's fast, so in other words it's suitable for bulk encryption of large amounts of data. If you want to go encrypt a very large amount of data, yes, it's great for that. The problem, one of the problems I've been mentioning up until now, is storing and distributing that key, which is why I used the example earlier where I said you can go and use symmetric encryption possibly to go encrypt the bulk of your data, and since we are so concerned about the freaking key here, you can use a more secure encryption, a slower encryption like asymmetric encryption, which uses a key pair, a private key and a public key generally, and is not something you want to go and use with large amounts of data. But if we only want to encrypt a password or a key, like the symmetric key, yes, you can do that.

So think of this as double encryption. You use your symmetric to do the bulk of your work because it's a lot faster. Once you've got the key for that, the key and the key alone is what's going to get encrypted by your asymmetric encryption, with the private key and the public key. The person encrypting it will probably go and use the public key, and the people you're going to send this key to, they will use the
private key. Now with symmetric algorithms, folks, this gives you confidentiality. Only the sender and the recipients, they both know the same key, since it is the same key. It's only with asymmetric that the sender and the recipient will use two different keys; it's a key pair. With symmetric, no, it is the same key that people are going to be using.

All right folks, I'm going to move you on to another quick topic here: key lengths. We're about to get to asymmetric encryption again. I know I did briefly mention to you guys what symmetric was and asymmetric was, and then we specifically went and covered symmetric encryption. Now just a quick topic before I forget about it: key length. So the longer your key length is in any form of encryption, the better, the more secure it is, and the more processing power that perpetrator is going to require to be able to crack it.

So the key ensures ciphertext, that's the stuff that's not encrypted, it ensures that this remains protected even when the operation of the algorithm is known. So if I know what kind of coding you're using, or encoding you're using (we call that the operation), it doesn't matter, as long as this freaking key is very long. At the end of the day you can even tell me what it is you're using, you can write it down on a piece of paper for me, but if that key of yours is so freaking long, yeah, it's not really going to help me much, because I'm going to need a lot of processing power, well, to crack that, and it's not always possible, guys.

Now folks, there is something called a key space. If you don't know what the key space is (because this is something that's going to be mentioned quite a few times when we talk about encryption), a key space is effectively the range of values the key could possibly be. The longer the key space the better, because that means it's harder for me to go and crack it. You'll find that some folks will mention the term: I use 128-bit encryption, or I use 256-bit encryption. So the more bits you've got, the better for you, because that means there's
just so much more possible combinations, to the point where it's not billions, it might be trillions or even more than trillions of possible combinations. You're going to need a really, really, really beefed up supercomputer to be able to crack that.

Now believe it or not (this is not part of the course, by the way), there are certain levels of encryption which are actually illegal in some countries. You're allowed to go and do encryption, but only up to a certain amount of bits, according to the government of certain countries. Not something that's part of this course, not something that will be asked in the exam; this is just food for thought, a little something extra I thought I would mention to you guys. Some governments (I'm not going to say who, but you can ask me privately in the Discord server if you guys want to), there are some governments out there that don't like it when you use encryption that's too tight, too secure, because then they can't crack it, and they don't like that. They feel very uncomfortable about that, you can imagine why, especially during times of, well, unrest. So yeah, believe it or not, you can only use it up to a certain amount of bits in certain countries, because they feel uncomfortable about it, because they feel you might be up to something not so nice. But to me personally, I wouldn't feel very secure if my government can get into my data, because what's the point of using encryption then, wouldn't you say?

Anyway folks, so the range of key values is the key space. Longer key bit length means larger key spaces. This protects you against brute force cryptanalysis. Remember folks, brute force is to go and crack something by guessing it. When I say guessing it, I don't mean we as human beings are going to go and guess it; that's physically impossible. You are going to be using some sort of software, most likely with a supercomputer of some kind, to go and crack all the possible combinations. It's going to check all the possible combinations. The more the possible
combinations are, the longer it's going to take and the more resources you're going to need. You're going to need a heck of a lot more CPU power and a heck of a lot more RAM and so on and so forth. So one computer, even if you've got the latest, the latest on the market, ain't going to cut it. You're going to have to go and combine many computers, possibly many servers together, to be able to crack that thing. So the larger your key space is, the better for you in this encryption.

Now folks, there are a few out there that's got some decent amount of key space; those would be AES 128 and AES 256. Now folks, in case you didn't know, keys for modern symmetric ciphers use a pseudo-randomly generated number of bits. The number of bits is the key length. For example, the most commonly used symmetric cipher, folks, is the Advanced Encryption Standard, which we call AES for short. That's the most commonly used one. Now this can be used with two key lengths, the first of which is AES 128. Now that uses a 128-bit key length. A bit can have one of two values, which can either be zero or one, so the number of possible key values is two multiplied by itself a number of times equivalent to the key length. This, folks, is written as 2 to the power of 128, where two is the base and 128 is the exponent. Now AES 256, that has a key space of two to the power of 256. This key space is not twice as large as AES 128; it is many trillions of times bigger, and consequently significantly more resistant to brute force attacks.

A lot of people are under the impression that if I say AES 256, it's twice as good as AES 128, but that's not the case. It's actually trillions of times more secure. So yeah, don't judge your book by its cover, folks. So with that in mind, folks, a 256-bit key is exponentially stronger than a 128-bit key. It's not just twice as strong, it is trillions of times stronger. So if you can go and use AES 256, I would definitely very much encourage you to do so. Larger keys, they require way more CPU power, way
more memory, and of course just in general way more power, and that is obviously something we know that most users don't have access to. I suppose if you're in the right space and you've got the right contacts and the right resources (maybe a government employee, maybe the government has hired you to be up to something not so good), then you might potentially have access to these resources, because governments, they've got huge budgets, and they sometimes want you to go and use this during times of not so nice unrest. I'm not going to use those words, because the poo on YouTube is not going to like it, but during times of unrest the governments will sometimes hire employees to go and do stuff, well, against other countries, and they will give you the resources you need.

All right folks, and then like I said earlier, let's get back to asymmetric encryption. We did briefly cover this earlier, and I think by now you guys probably know that this uses a key pair, something I've said so many times before in this video. It uses a key pair which consists of a private and a public key. The people encrypting, they would normally use a public key, and the person that receives the information, he or she would normally use a private key to go and decrypt the information. I've also mentioned to you guys this key pair is normally used for small amounts of data, not for large amounts of data. If you've got a large amount of data, it's probably going to be better to go and use symmetric encryption. If it's a small amount of data, maybe you just want to go and encrypt another key possibly, that you would go and use asymmetric encryption for.

So this public/private key pair, folks: if the public key encrypts, only the private key can go and decrypt. And there are cases where people go and use the private key to go and encrypt, and then the public key would be used to go and decrypt, but it's not something we would recommend. Normally the public key is the one that's going to go do the encrypting and the private key is going to
be the one that does the decrypting. Whichever key you use to go and encrypt, that key cannot be used to go and decrypt the information.

Something worth noting, which is very important to know: the private key cannot be derived from the public key. So if someone happens to see or know what the public key is, it's impossible to figure out what the private key is by looking at what the public key is. It's completely and totally randomly generated. The private key, considering that this is used to go decrypt the information, must at all times be kept secret. So very few people would know what this is, possibly just one person, and it's extremely important that you keep this very safe and secure, folks. It should not land in the wrong hands.

The public key, folks, that is very easy to distribute. How you get it to them, it doesn't matter. I mean, the whole name tells you it's public, it's known to the public. So it means nothing to the general public; they can use that to encrypt. It is the private key that you need to ensure is private. Anybody can have the public key, even the general public that's not going to be encrypting information, even V can see another key for the public key. The private one is the only one that you need to keep private, hence the name.

Now this asymmetric encryption, as I've said (and I'm going to keep saying this because this is something they will test you on in the exam, folks), it is used for small amounts of authentication data. This is not something you would normally go and use for very large amounts of data. I suppose it's possible, but it's going to require such a vast amount of resources, in the sense of memory, CPU power, and even power just in general, that it's just not feasible. So if you're going to try it, you're going to see it's not going to end well for you. Your machine is most likely going to crash even if you're going to try and use that. So it's very much better to go and use symmetric encryption for large amounts of data. Once you get that key, which is going to be
the same key that's used to encrypt and decrypt the data, then you can go and look at something like asymmetric encryption to go and encrypt that key.

There's different ciphers (ciphers is what's used to actually go encrypt the technology the EIT); there's different ciphers that have different recommended key lengths. Depending on the cipher you or this person uses, there's a different recommended key length for that. Just to give you guys a ballpark idea here, you get something called Rivest Shamir Adleman, that is called RSA for short, and it's got a cipher of 2,048 bits or better. So I'm not sure if I'm butchering that name, I'm probably butchering it since I'm not English, but RSA is what we call it for short. I just know this is RSA, so you're probably going to forget what it stands for, not that it matters. They will not test you on the name; they will just check if you know what the minimum recommended bits is for this. Then you also get elliptic curve cryptography, which we call ECC for short. I just know it as ECC for short, and this has got a minimum length of 256 bits or better.

All right folks, I'm going to move you on to another topic here, another form of encryption if you will: hashing. So for those of you not familiar with hashing yet, this is actually a very common one. It is a cryptographic hashing algorithm, and this produces a fixed length string of bits from an input plaintext that can be of any length, guys. The output can be referred to as a hash, or in some cases this is called a message digest. So if you hear me say hash, I could possibly also be meaning digest, or if you hear me saying digest, I actually also mean hash. It's one and the same. So this function, folks, is obviously designed so that it is impossible to recover the plaintext data from the digest, which is also called one-way by the way, and so that different inputs are unlikely to produce the same output, which we call a collision.

Now folks, hashing algorithms are obviously used to, well, prove integrity. If I send you a
message, or if I want to send you a file, an EXE file, how do you know this file is actually from me? Yes, there's many kinds of things we can use out there. I mean, you can go use a digital signature if you really want to. Not the topic right now, but it is a topic in this video by the way, so stay tuned for digital signatures; you get many kinds of that as well. But for now let's talk about hashing. If I'm about to send you a file, a message, whatever, how do you know that it's original, that it's authentic, that it's from me and that it's not from someone else, or that someone or something has not intercepted this message or this file and changed it in some sort of way? One of the things we can use for that, folks, is something called hashing.

So what's going to happen is, if I want to go and encrypt a file, a message, or whatever this is, I'm going to provide my password, and that is going to convert this to a hash, which is always a fixed value. It doesn't matter if this is a long message I'm encrypting, a short message, a big file or a small file; the hash will always be a fixed length. So I'm going to type in my password, whatever it is I'm encrypting is going to get converted to a fixed value hash, and then the person receiving it (he or she or it, it's probably going to be he or she), they are going to compare that hash value of mine to theirs, and if it checks out, then they know it's original. If it does not check out, it's not going to work.

So if I send you a file, a message, and somebody intercepts this, they can even go and send the exact same message as me; their hash won't be the same as mine. They're not going to know what the hash is. If they don't know what the hash is and they produce some sort of other random hash, when my friend or my colleague receives this message and they see the hash is different than the one they've got on file, then they know the message or the file is not original. Integrity has been compromised. But if it's the same hash value, then they know they've got
integrity. So it's just, these days, guys, I'm sure you've seen how many weird things you get out there. There's always some weasel out there that's got nothing better to do with their time, probably living in their mom's basement, and he or she, they are going to intercept your message and they're going to change that message or that file in some sort of way, to the point where you no longer know whether it's authentic or not.

So I can give you guys another example. If I go and upload a program, a file, a setup file, an exe file, to our website, I can actually go and encrypt it using hashing, and when you download it from the same website, to ensure that this is original and somebody has not tampered with this, to ensure that it's not malware possibly, you can go and compare that hash value of that file to the one you've got on file, and if it matches, then you know it's original, integrity has not been compromised, and it's safe. If the hash is changed, yeah, I wouldn't launch that, folks.

Anyway folks, so the one-way I spoke of earlier, just in case that term confused you: that would be the plaintext data from the digest. So the plaintext data from the digest, that is the one-way, and it cannot be recovered from the digest. It's impossible to do so. What's also pretty cool about this hashing is it's impossible to get the same output. So due to using hashing, no two values will give you the same output. Every output is referred to as a collision, and since no two values will ever give you the same output, it gives us what we refer to as anticollision. You're not going to have the same collisions, in other words the same output, so we might as well call this anticollision. No two plaintexts are likely to ever produce the same digest, which is referred to as output.

Now hashing, folks, this can be used for many things. I mean, like we spoke about symmetric encryption earlier and asymmetric encryption, each of these are used for their own purposes, but hashing, I suppose, is limited by your imagination.
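The download check described above, as an added example that is not from the original video: it hashes a constructed stand-in for a setup file with SHA-256, shows that the digest has the same length for a two-byte input and a large one, and shows that flipping a single bit makes the comparison against the published digest fail. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024  # hash in chunks so a large installer never sits in memory


def sha256_hex(stream):
    """Return the SHA-256 digest of a binary stream as 64 hex characters."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(stream, published_hex):
    """Return True only if the stream hashes to the published digest.

    Assumption: published_hex came from a source that whoever could
    alter the file cannot also alter.
    """
    expected = published_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA-256 hex digest")
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(sha256_hex(stream), expected)


def differing_bits(hex_a, hex_b):
    """Count the bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_samples():
    """Constructed sample data: a fake setup file and a copy with one bit flipped."""
    original = b"MZ" + bytes(range(256)) * 1000 + b"constructed sample installer"
    tampered = bytearray(original)
    tampered[5000] ^= 0x01  # change a single bit in the middle of the file
    return original, bytes(tampered)


def demo():
    """Run the check on the original and the tampered copy."""
    original, tampered = build_samples()
    published = sha256_hex(io.BytesIO(original))  # what the publisher would post
    tampered_digest = sha256_hex(io.BytesIO(tampered))
    return {
        "published": published,
        "short_len": len(sha256_hex(io.BytesIO(b"hi"))),
        "large_len": len(published),
        "original_ok": verify_download(io.BytesIO(original), published),
        "tampered_ok": verify_download(io.BytesIO(tampered), published),
        "bits_changed": differing_bits(published, tampered_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
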
So this is generally, from my experience, used for password storage and for checksums, and this gives you, of course, integrity.

All right folks, and then before we move on to the next topic here, there are two popular implementations of hash algorithms. We haven't actually talked about any implementations, so just to give you guys two examples, I'm going to start you guys off with Secure Hash Algorithm. So we just call this SHA for short. Not sure if I'm pronouncing that correctly, but I just call this SHA, S-H-A. Now this, folks, is considered the strongest algorithm. There are variants that produce different sized outputs (remember, the outputs are called digests), with longer digests considered more secure. The longer the digest is, the more secure it is. The most popular variant of this SHA would be SHA 256, which produces a 256-bit digest. You remember earlier we spoke about 128 bits and 256 bits, and obviously we said 256-bit is, well, there's trillions of more combinations compared to 128. It's not just double the size of output, it's trillions of more possible combinations it could possibly be.

And then folks, another popular implementation of hash would be Message Digest Algorithm number five. This, folks, is kind of an old one. It produces only a 128-bit digest, and this MD5 is not considered to be quite as safe for use as the SHA 256 we just spoke of, but unfortunately this might actually still be required from time to time for compatibility reasons between products. I mean, sometimes some companies have some old technology in place, and due to that, you know, what platform you're dealing with, what company you're dealing with, sometimes we need to go and use the old technology simply because of compatibility. It's obviously not our first choice, but some encryption is better than no encryption, right?

All right folks, let's move on to the last topic in this specific section; that would be digital signatures. So let's start things off by talking about using public key cryptography with hashing. Now folks, public key
cryptography can authenticate a sender because they can control a private key that produces messages in a way that no one else can hashing however that proves integrity by computing a unique fixed size message digest from any variable length input now these two cryptographic ciphers can be combined to make what you guys know as a digital signature now me just saying digital signature I mean that can probably mean a lot of things I mean heck this can even be a scanned version of a hand signature that I'm just slapping onto a document that could technically classify as a digital signature but that's not exactly what we mean by digital signature in this context here today in this course when we say digital signature we're referring to a variation of encryption I mean this whole module is about encryption in case you guys haven't noticed so to help this make a little bit more sense digital signatures folks is something we'll use that provides us with what we call integrity authentication and non-repudiation so if I send you an email how do you notice emails from me besides using some of the other encryptions we've spoken about one thing you can use is a digital signature so the digital signature will basically authenticate this is actually from me you know you can see okay well this email looks like it really is from Burning Ice Tech the integrity is there but if a digital signature has been compromised or it's not there at all then you know this email is not really from me digital signatures can also be used for authentication like I said just to prove that I am who I claim to be and of course non-repudiation let me give you folks an example all right so step one I'm going to give you guys four steps here the sender let's call this person Shirley she creates a digest of a message using a pre-agreed hash algorithm such as SHA-256 then she performs a signing operation on this digest using her chosen asymmetric cipher and private key so that will be step one step two
Shirley now attaches the digital signature to the message and sends both the signature and the message to someone called Elon now Elon he verifies the signature using Shirley's public key obtaining the original hash and lastly folks step four Elon calculates his own digest for the document using the same algorithm as Shirley and then compares it with Shirley's hash so there's a bit of an example for you guys as to how this whole process would work so for me just to say hey I'm going to go and slap a digital signature onto a mail or something that sounds pretty straightforward but unfortunately you know in life especially when it comes to IT encryption things are unfortunately not always that simple folks all right so I'm going to finally move you guys on to the second main section in this module that would be public key infrastructure all right folks the first topic up we've got in this section is certificate authorities which we generally just refer to as a CA for short now when it comes to certificate authorities the first topic I want to bring to your attention is public key infrastructure the whole infrastructure regarding public keys now if just me and you are communicating I mean that's one thing you know we can go and use you know symmetric encryption asymmetric encryption you know let's say this is asymmetric encryption where we use a key pair a private key and a public key so it's just between me and you or two individuals then it can kind of sort of work it's not end of the world the problem with this scenario is if I need to go and visit the website or you need to go and visit the website so yes we can go and use keys you know the website can also give you a public key that you can go and use to access the website but how do I know this public key was actually published by that website how do I know this public key was not given to me by some threat actor a threat actor in case you guys don't remember from a previous module is
a hacker a perpetrator a bad guy in IT so yes great I've got a public key to go and access this website of sorts let's say this is a shopping website the problem is I don't know if this public key was actually issued by the very site I'm visiting so yeah it's a bit of a problem folks and that is where the certificate authorities come into the picture a certificate authority is an entity that's going to go and issue you with a key a public key and then that's going to be in the form of a certificate now folks what makes this you know trustworthy is the fact that this certificate authority is normally a third party a very well-known third party an example of such a certificate authority will probably be GoDaddy I'm not promoting or demoting any certificate authorities here I'm just giving you guys an example you guys can go relate to so if we go look at a third party like GoDaddy they will go and validate this public key so if you see or you know whatever system you're using sees that this public key was issued by a well-known certificate authority like GoDaddy it's going to know it and it's going to trust it it recognizes the certificate of authority now sometimes we do have our own certificate authorities you know inside our own companies not really the topic here right now but a lot of companies if they've got their own internal websites they would have their own internal certificate authority issue keys for this website the downside of that is since that internal certificate authority is not a very well-known one every time one of your users inside your company tries to visit your own website they're going to get a bit of a warning message of sorts when they try to visit this website it's going to say this is a potentially harmful website the certificate is not recognized this is a certificate great but it's not recognized and that's because it was issued from a certificate authority which is not well known if it's your own certificate of
authority and you know it's safe then obviously you can just tell your users guys you're going to get an error that says there's a certificate it's not recognized please just say continue anyway it's our own certificate authority and the chances are they're not even going to know what a certificate authority is you tell them you know what just ignore that just click on next but only do that on our own website don't do that on any other website so there's going to be cases this is going to happen I see it happen all the time in companies where they'll have their own little certificate of authority inside the company issue a certificate for their own internal website but if you've got a website that's meant for the public you rather want to go and get yourself a very well-known certificate authority something like GoDaddy to go and issue that key or validate that key and then you know when people's browsers go and visit this website you know especially if you go look at browsers like um Chrome or Firefox those browsers they recognize GoDaddy or certificate authorities like GoDaddy so they see this key has been validated by that entity automatically the page is going to load no issues but if the website has a certificate that's been issued by a certificate authority that your browser does not recognize you are going to get a pop-up it says listen bro this looks funky this looks suspicious are you sure you want to proceed like when you try and visit your own internal website and that certificate was maybe issued by your own certificate authority if you guys don't know what a certificate authority is it's usually a server of sorts if it's internal a certificate authority folks is a repository of certificates and public keys issued to verify subjects these subjects include but are not limited to things like websites you get third-party CAs that will be GoDaddy that's going to be a very well-known example these third-party CAs which are normally the more recognized
ones it's an entity that has established a widespread trust in its policies and procedures for issuing certificates that's why I'm telling you guys if you get a certificate that has been issued by an entity like that like GoDaddy that is a very well-known one it's an established one everybody knows it everybody trusts it and this is normally going to happen automatically in your browser but if you get a certificate that's issued from a third party that's maybe not so well known I'm not saying it's suspicious but the chances are you or the users are going to get some sort of funky message that's going to pop up if it's going to be the general public you don't want that popping up because that's going to scare people away from your website even though your website is safe we don't want to scare people so it's usually better you know to just go and get yourself a well-known third-party CA get your certificate signed by them and at least then you're not going to get any weird pop-ups popping up on people's machines potentially scaring these folks away all right and then folks I'm going to move you on to a topic called digital certificates very much the same as the previous topic not exactly the same now this is unfortunately going to be the last topic for this second main section so the second main section is obviously a heck of a lot shorter than the first one so with digital certificates this is essentially a wrapper for a subject's public key the subject I'm referring to could either be a user or it could be something like a computer or a server so let's just call this a subject since it could be either or now folks this public key it contains information about the subject and the certificate's issuer the certificate is digitally signed to prove that it was issued to the subject by a particular certificate of authority like the GoDaddy we spoke of earlier so the subject could for example be a human user so this could be for things like certificates allowing the signing of
messages that's just an example or like I said the subject could be a computer server so this would then be for things like a website server hosting confidential transactions just as an example these digital certificates they obviously contain lots of information they contain information that identifies the subject plus the usage validity and of course lots of other things they come with different standards I'm going to mention two to you folks the first one I've got for you is X.509 public key infrastructure which we just sometimes refer to as PKIX for short and then we've got PKCS which is referred to as public key cryptographic standards in case you guys didn't know all right folks I'm going to move you into the third and the last section in this module cryptographic solutions all right first topic up in this section encryption supporting confidentiality so let's first start talking about the data states you actually get you get data at rest data in transit and data in use now those are the three different kinds of states you'll find your data in and we need to think about encryption when it comes to all three of these data states the whole idea is we don't want people to be able to get a hold of our data so if the data is stored somewhere in a hard drive we don't want people to get a hold of it if the data is in motion somewhere maybe it's moving from one location to another possibly over a network maybe even a VPN connection we don't want people to be able to intercept that and if the data is just in use in some place like your RAM or your CPU we also don't want something or someone to be able to intercept that and if they do the idea is that it should be useless to them so we should always compensate for worst case scenario so what if someone or something were to be able to get a hold of our data will they be able to use it will they be able to understand it no they will not at least as long as you're using encryption that's the idea so if data is encrypted
it does not matter if the disk storing the information is stolen or if it can be intercepted when it's transferred over a network because the threat actor that will be the hacker folks will not be able to understand or change what has been stolen this use of encryption fulfills the goal of confidentiality which means your information remains private it doesn't matter if they get a hold of it it's still going to be confidential that is why you'll find so many companies if they issue their users or employees with something like a laptop that belongs to the company it's normally a requirement from the company that users use some form of encryption something like BitLocker encryption so that if this laptop were to land in the wrong hands maybe they forget it on the bus they forget it in the taxi or it gets stolen out of their car if this were to be the case the information on the laptop is at least safe they can probably go and sell the laptop for spare parts if they really want to but the end of the day at least we can sleep at night knowing the data is going to be safe so when deploying a cryptographic system to protect data assets folks consideration must be given to all the ways the information could potentially be intercepted so that will be the three ones I've just mentioned to you guys data can be described as being in three of these states the first one I mentioned to you guys was data at rest so that means the data is not moving around so this is the state when data is in some sort of persistent storage media in other words it's just being stored somewhere like on your hard drive the second state is data in transit which we sometimes just refer to as data in motion so this is the state when data is transmitted over a network in some sort of way and the third state which we refer to as data in use some people call this data in processing is the state when data is present in volatile memory such as RAM or CPU registers or even your CPU cache now something that we need to
keep in mind is when we talk about bulk encryption unfortunately a lot of people have bulk encryption they need to do this could just be on a normal laptop or desktop this could be on a server or it could be otherwise now believe it or not we have actually somewhat covered this topic earlier in this module when I told you guys which kind of encryption would be better suited for bulk encryption and what kind of encryption would be better for small amounts of data so in case you guys don't remember symmetric encryption is normally better suited for large amounts of data that means me and you are both going to be using the same key so if me and you are exchanging information especially if it's very large amounts of data we are going to be using symmetric encryption very very fast very easy but it's not the most secure if it's a very small amount of data it's better to go and use asymmetric encryption because that's going to be a key pair a private key and a public key unfortunately it's very slow and very efficient in that manner so what we suggest you do is go and use symmetric encryption for the bulk of your information go and encrypt the bulk of it with your symmetric encryption and once you've got the key for that for me to get the key to you or for you to get the key to me we can use asymmetric encryption for just that because it's just a key we're going to be encrypting that's going to be a key pair a private key and a public key so ideally the person that's going to be doing the encrypting they need to ideally use the public key I mean anyone can actually have access to the public key it's public knowledge sometimes and then the person that's going to be doing the decrypting he or she would be using the private key so using a private asymmetric key is inefficient for large amounts of data why because it's slow guys it is super slow it's very secure but it's super slow so for large amounts of data it's just not efficient instead you rather go use symmetric
encryption and just go and encrypt the key for the symmetric encryption using asymmetric the private key key encryption key guys is used to encrypt a symmetric key so that's normally how we would go and do that all right folks moving you on to the topic of disk and file encryption all right so you guys can probably guess what this is going to be about I mean it's to go and encrypt a hard drive or well your files on your computer so data at rest something we did mention earlier encompasses a great many storage mechanisms folks these can be thought of in terms of encryption levels lower levels such as encrypting a whole disk have the advantage of simplicity it's very easy peasy but it can however be complex to manage when you've got multiple users that need to access this data so that's going to be a bit of a pickle of a situation higher levels however such as applying encryption via the file system or via database management system can be combined with granular access controls now folks full disk and partition encryption or let's just say full disk encryption FDE for short refers to a product that encrypts the whole contents of a storage device so in other words the whole freaking hard drive inside your laptop desktop or server we can encrypt the whole hard drive everything or just maybe just a partition but normally we'll just go up the whole hard drive because we're paranoid this includes metadata areas not normally accessible using your ordinary operating system file explorer tools now full disk encryption also encrypts free space areas guys it literally encrypts everything whether there's data on the hard drive or not it encrypts absolutely everything which is what we want full disk encryption primarily protects against physical theft of the hard drive so if someone steals your laptop or your desktop it's probably going to be your laptop then we don't have to be concerned because the whole hard drive has been encrypted they might as well take the hard drive out
of that laptop throw it in the dustbin get a new hard drive and then maybe they can go and use the machine but they're definitely not getting their hands on the data a stolen disk can usually be mounted on any computer and then the threat actor in other words the hacker they can normally go and take ownership of all the data files but if it's encrypted yeah so this is not possible if the disk is encrypted because it must be unlocked by the user credentials to access the decryption key folks many storage devices can perform self encryption using a cryptographic product built into the disk firmware and um I think a very good example for that I can give you guys that's a full hard drive encrypting tool would probably be something like BitLocker you get other ones out there but that's probably one of the most well-known ones out there is something like Windows BitLocker a self-encrypting drive in other words SED could be a hard drive a solid-state drive or even a flash drive the disk firmware implements a cryptoprocessor to store the keys so that they are not directly exposed to your operating system that mounts the disk which is ideally what we want a hard drive or should I say a solid-state drive these days can be divided into separate logical areas called partitions think of this as a pie that you just keep slicing into pieces each partition folks can be formatted with a different file system and mounted as a drive or volume in the operating system this is something you guys would have learned on A+ if any of you guys did an A+ some disk encryption products might be able to encrypt these partitions selectively rather than a whole hard drive so some of them unfortunately just encrypt the whole hard drive and then you get some of them if you've got a fancy fancy one it might actually give you the option to just go encrypt one of these little slices of the pie instead of the whole pie the partitions could be encrypted using different keys for example a disk could contain the
boot system and data partitions the boot and system partitions could be left unencrypted as they contain only well the operating system files let's face it while the data partition is protected by using encryption because that's what's actually sensitive here that's what's unique to you and that's ultimately what we don't want landing in the wrong hands if we look at volume and file encryption a volume is any storage resource with a single file system put another way a volume is the way the operating system sees a storage resource the technology underlying the volume might be a removable disk or partition on a hard drive or solid-state drive it could also be a RAID array consequently a volume encrypting product is likely to refer to one that is implemented as a software application rather than by disk firmware for example while they might loosely be referred to as disk encryption Microsoft's BitLocker and Apple's FileVault products perform volume encryption folks I did mention BitLocker to you guys earlier as well haven't mentioned Apple's one yet I keep forgetting about Apple so Apple's also got something called FileVault now a volume encryption product may or may not encrypt free space and or file metadata folks a file encryption product is software that applies encryption to individual files or perhaps folders and directories this might depend on the file system support that you've got going for yourself for example Microsoft's encryption file system which we just call EFS for short that requires the volume to be formatted with NTFS so if any of you guys are using Microsoft and if you formatted one of your hard drives as NTFS that's the file system one of the many benefits we actually get with the NTFS file system is something called EFS encryption file system this allows you or us in IT to go encrypt a specific file or specific folder I don't really see people using it that much these days I think it's probably got to do a lot with the fact that people
don't really share machines that much so maybe if you go back I don't know 15 20 25 years back in time when a lot of us shared machines so if there's a computer in your home if you were lucky enough to have a computer in your home you'll probably be sharing this with your wife your husband your kids and all that and sometimes there's certain things you don't want your kids to see so then you can go and use encryption file encryption that is and um I suppose the same applied at the office environment some employees would sometimes share a machine many moons ago nowadays you'll find everybody's got their own computer both at home and the office and everybody's got their own cell phone and tablet and stuff like that so we don't really use EFS as much as we used to I'm not saying people don't use it but it's absolutely not as much as we used to go and use it so in the old days if me and you shared a computer I might have something on this computer that I don't want you to see maybe it's my salary payslip so if that's the case I could go and encrypt that file folder and generally how this would work is whichever account was logged in that's the account that will have access to that file or folder that was encrypted and then when you log in with your own account and you try and access my folder you will be able to see it sometimes you'll notice the font is highlighted in green for you to show that this folder has been encrypted but if you try and access it from a different account you're going to get an error message that says access denied but you can also go and encrypt your own files and folders and if I log back in on my account I'm going to see the same stuff green font on the folder or file and if I try and access it it's going to say access denied so it's quite nice if we're sharing machines but since most of us don't share machines exactly anymore it's kind of falling through the M now people don't really use it as much as they used to full disk encryption on the other hand
that is still very much used folks because all companies are concerned about people losing their assets so if it's a laptop that's on the go this laptop leaves the company premises you can imagine why some companies will feel uncomfortable about that the same can be said about flash drives the same can be said about external hard drives if there's something sensitive on there company information the company would normally require for you or the user to go and encrypt these drives so just to summarize folks full disk and partition encryption that could be something like BitLocker if we talk about Windows or that FileVault we spoke about earlier if we're talking about Apple so this encrypts the whole disk or partition on a hard drive and this is often performed by drive firmware self-encrypting in other words then you've got volume and file encryption which is generally you know performed by operating system software like the EFS we spoke about earlier and this usually requires a file system that supports it like the NTFS file system otherwise it ain't going to work all right folks moving on to the topic of salting and key stretching yes folks that's a thing I'm not making it up I kid you not you can go and look this up on Google it's a thing it does exist salting and key stretching okay so the values used for a private key or should I say secret key must be selected at random guys don't just go and choose an actual word like the word banana that's not very secure you need to go and use random characters uppercase lowercase numbers and symbols when choosing a secret or a private key this just makes it so much harder for the perpetrator the threat actor to get a hold of it in the end of the day so if there was something predictable about the way the value of the key was derived it has less entropy low entropy is a particular concern whenever a cryptographic system makes use of user generated data such as a password users folks tend to select low entropy passwords at least
most of them do because they're easier to remember this type of data is too short and too ordered to be a good seed for key generation salting and key stretching help to protect password-derived cryptographic secrets from discovery through cryptanalysis so they help people by making their stuff more secure so at the end of the day if you're just going to go use an easy password it's not going to help you much so the whole idea is to make it harder for people to go use cryptanalysis to figure out what you were using now salting folks with salting cryptographic hash functions are often used for password storage and transmission a hash cannot be decrypted back to the plain text password that generated it hash functions are one way however passwords stored as hashes are vulnerable to brute force and dictionary attacks in other words people can go and guess them a threat actor can generate hashes to try and find a match for a hash captured from network traffic or a password file a brute force attack simply runs through every possible combination of letters numbers and symbols and a dictionary attack creates hashes of common words and phrases you know it's just a calculated guess in other words both of these attacks though can be slowed down by adding a salt value when creating the hash a salted hash is computed as follows I'm going to give you guys an example on the screen so there we go so when I say salt this could be a random character so instead of salt you can go and add 1 2 3 4 or 5 6 7 8 9 or just some random four numbers or whatever plus your password so you're going to just go add a little extra oomph an extra little je ne sais quoi to it and it's going to make it so much harder for someone to be able to figure out what this is so a unique random salt value should be generated for each user account folks this mitigates the risk that if users choose identical plain text passwords there would be identical hash values in the password file the salt is not kept secret because any system
verifying the hash must know the value of the salt it simply means that the attacker cannot use precomputed tables of hashes it's just to slow them down never to stop them there's nothing you can use that will ever stop these people we just want to make it so darn gosh difficult for these people to the point where they hopefully give up so the hash values must be recompiled with the specific salt value for each password folks and then with key stretching this takes a key that's generated from a user's password plus a random salt value and repeatedly converts it to a longer and more disordered key the initial key may be put through thousands of rounds of hashing this might not be difficult for the attacker to replicate so it doesn't actually make the key stronger it does slow the attack down because the attacker has to do all this extra processing for each possible key value it's just to make their life a little difficult it's actually all we're trying to achieve here all right folks so in conclusion we can say a lot of this stuff is not necessarily to stop the threat actor in other words the hacker it's just to make their life darn gosh difficult we want to make it so inconvenient for them to try and crack this stuff and break into this stuff to the point where they'll hopefully move on to the next person end of the day no security will ever stop any perpetrator any threat actor it is just to make it so difficult to the point where they'll be like you know what it's not worth the time or the effort all right I'm going to move you guys on to the topic of blockchain this is something you guys may or may not have heard of especially if you look at things like cryptocurrency I think this all started with something like Bitcoin and nowadays we of course have so many kinds of cryptocurrency it's enough to make you go mad now blockchain is not just used for cryptocurrency folks it's used for many things blockchain is a concept in which an expanding list of transactional records is
secured using cryptography each record is referred to as a block and is run through a hash function the hash value of the previous block in the chain is added to the hash calculation of the next block in the chain this guys ensures that each successive block is cryptographically linked so you cannot go tamper with these blocks add one remove one or change one because they're all cryptographically linked since they follow one another each block essentially validates the hash of the previous block all the way through to the beginning of the chain ensuring each historical transaction has not been tampered with in addition to this each block typically includes a timestamp of one or more transactions as well as the data involved in the transactions themselves now the blockchain folks is recorded in an open public ledger this ledger does not exist as an individual file on a single computer instead rather one of the most important characteristics of a blockchain is that it's decentralized and this is not for obvious reasons if you look at what we use this for the ledger is distributed across a peer-to-peer network in order to mitigate the risks associated with having a single point of failure or compromise blockchain users folks can therefore trust each other equally likewise another defining quality of blockchain is its openness everyone has the same ability to view every transaction on a blockchain so it's very open lots of transparency now folks blockchain technology has a variety of potential applications it can ensure the integrity and transparency of financial transactions legal contracts copyright and intellectual property protection online voting systems identity management systems and data storage and much much more it's also pretty cool to know that with a blockchain transactions cannot be deleted or reversed it's going to stay in place you can go and cover your tracks in that aspect so considering that we've got that in mind it's obviously very widely used
for cryptocurrencies like I said in the beginning they of course originally started this whole concept with something like Bitcoin at least I think that was the first one and now as time went by over the years there's obviously lots of cryptocurrencies where they use the exact same concept so transactions cannot be deleted guys but it's also quite difficult to go and track these transactions but that's a side topic it's got nothing to do with this specific course right now topic for a different day all right and then folks I'm going to move you on to the last topic in this section and for the module which is opas casc I can't even pronounce that so I'm probably butchering the name I'm going to try that again obfuscation so this is the art of making a message or should I say data difficult to find it is security by obscurity which is normally deprecated there are some uses for obfuscation technologies however so to give you guys a couple examples let's start you guys off with steganography so this literally means hidden writing in case you guys didn't know you're hiding information within something else you're embedding something within something else so this embeds information within an unexpected source a message hidden in a picture for instance this could be in a video so if you guys have ever seen a good spy movie or a good spy episode you might have a painting or a picture which looks like a normal painting a normal picture meanwhile there's a hidden message within this picture or painting and we can actually believe it or not achieve the same goal with videos it's actually a little less common series of videos but it is possible so the container document or file is called the cover text the message can be encrypted by some mechanism before embedding it providing confidentiality the technology can also provide integrity or of course non-repudiation for example it could show that something was printed on a particular device at a particular time which could
demonstrate that it was genuine or fake, depending of course on the context.

Then we've got something called data masking. Now data masking, folks, can mean that all or part of the contents of a database field are redacted by substituting all character strings with X, for example. You guys might actually see this with all kinds of random nonsense as well. I mean, if you go to an ATM, for crying out loud, and you try and type in your PIN, you'll find it just looks like weird little asterisk signs. If you go and type in your password onto a website, often you'll find it shows you all kinds of weird symbols instead of the actual password. So similar to that; it's probably not the exact same thing, but it's freaking close. A field might be partially redacted to preserve metadata for analysis purposes. For example, in a telephone number the dialing prefix might be retained but the subscriber number is redacted. Data masking can also use technologies to preserve the original format of the field.

And then lastly, well, second lastly, we've got tokenization. Now this, folks, means that all or part of the value of the database field is replaced with a randomly generated token. This token is stored with the original value on a token server or a token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault if necessary, so tokenization is reversible. Now tokenization is used as a substitute for encryption because, from a regulatory perspective, an encrypted field is the same value as the original data. Folks, data masking and tokenization are used for de-identification. Yep, de-identification obfuscates personal data from databases so that it can be shared without compromising any privacy.

All right folks, that is it for module 3. I hope you've learned something in this module. There was obviously a lot of encryption talk in this specific module, so in the next module we'll talk a little bit about something else, not so much about encryption, so I think you
guys are probably tired of encryption. So if you've learned something in this module, do me a favor: give the video a like, and then, if you really want to, you can actually mention in the comment section down below what you've learned that you might not otherwise have known before. And then of course, if you'd like to know when I release module 4 for the course, then maybe consider subscribing as well.

Guys, before you all disappear, just a thank you and a shout-out to all the supporters and the sponsors of this channel. So for those of you clicking on the Thanks button below the video, if it's available in your country, thank you very much for those donations. For those of you making direct PayPal donations, so just buying me a coffee or a milkshake: by the way guys, you can find all of this information in the video description down below, with the timestamps of this video. And then of course, for those of you making PayPal donations, there is a list of all those names, and then there is a list of the patrons. There's actually hundreds of them, but most of the people prefer to stay anonymous. So if you do become a patron on my Patreon, then I will normally ask you if you'd like to have your name displayed. This is only on the paid tier, not a free tier. And then if you decide to have your name displayed, you can normally choose what name needs to be displayed, but nine out of 10 people prefer to stay anonymous. So these are just the people that have actually allowed me to display their names. So there is a couple of patrons, lots and lots of patrons. Thank you very much for the support, guys.

And then lastly, for the guys that's new on my channel, if you did not know, the channel does have a Discord server. The link is also in the video description down below; it's literally the very last link in the video description. Just go and check that out. If the link doesn't work, just let me know in the comment section, but usually it does work for most people. So it's not supposed to say the link is expired; the link
does not expire, but you never know, I guess. So if the link does not work, guys, if you're in Discord just run a search for free IT training. That's the name of the server; it's called free IT training. So while you're in Discord, click on the bottom left and then you're going to find a search bar at the top right of Discord. Just run a search for free IT training and that will also get you to the Discord server. All right folks, I will see you in module 4 of Security Plus.
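The hash linking described in the blockchain part of this module, as an added example that is not from the video: each block's SHA-256 covers the previous block's hash, and a verifier walks the chain to find the first block that no longer checks out. The block layout, function names and sample ledger are assumptions constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed stand-in for "no previous block"

def block_hash(prev_hash, timestamp, transactions):
    """SHA-256 over the previous block's hash plus this block's own contents."""
    payload = json.dumps({"prev": prev_hash, "ts": timestamp, "tx": transactions},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    """records: list of (timestamp, [transactions]) -> list of linked blocks."""
    chain, prev = [], GENESIS_PREV
    for ts, txs in records:
        digest = block_hash(prev, ts, txs)
        chain.append({"prev": prev, "ts": ts, "tx": list(txs), "hash": digest})
        prev = digest
    return chain

def first_broken_block(chain):
    """Index of the first block whose link or contents fail to verify, else None."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        recomputed = block_hash(blk["prev"], blk["ts"], blk["tx"])
        if blk["prev"] != prev or recomputed != blk["hash"]:
            return i
        prev = blk["hash"]
    return None

def edited_copy(chain, index, new_tx, rehash=False):
    """Copy of the chain with one block's transactions changed (optionally re-hashed)."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"] = new_tx
    if rehash:  # the editor also recomputes that one block's stored hash
        blk = forged[index]
        blk["hash"] = block_hash(blk["prev"], blk["ts"], blk["tx"])
    return forged

# Constructed sample ledger: (timestamp, transactions)
SAMPLE = [
    ("2024-01-01T00:00:00Z", ["alice->bob:5"]),
    ("2024-01-01T00:10:00Z", ["bob->carol:2", "alice->dave:1"]),
    ("2024-01-01T00:20:00Z", ["carol->alice:1"]),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(first_broken_block(chain))
    print(first_broken_block(edited_copy(chain, 1, ["bob->carol:200"])))
    print(first_broken_block(edited_copy(chain, 1, ["bob->carol:200"], rehash=True)))
```

An edit to a block is caught at that block, and an edit with the block's own hash recomputed is caught at the next block, whose stored previous-hash no longer matches. A re-hashed edit to the newest block passes this walk because no later block commits to it, which is where the distributed copies of the ledger matter.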
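Data masking and tokenization as described in this module, side by side, as an added example that is not from the video: the phone number keeps its dialing prefix and format while the subscriber digits are masked, and the name is swapped for a random token that only the vault can reverse. The `TokenVault` class, the `authorized` flag, the token format and the sample rows are hypothetical and constructed for illustration.

```python
import secrets

def mask_phone(number, keep_digits=3, mask_char="X"):
    """Keep the first keep_digits digits (the dialing prefix) and mask the rest.
    Separators are left alone so the field keeps its original format."""
    out, seen = [], 0
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_digits else mask_char)
        else:
            out.append(ch)
    return "".join(out)

class TokenVault:
    """Hypothetical in-memory vault; in practice a separate, access-controlled service."""
    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        if value in self._token_by_value:      # assumption: a repeated value reuses its token
            return self._token_by_value[value]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
        while token in self._value_by_token:   # regenerate on the unlikely collision
            token = "tok_" + secrets.token_hex(8)
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token, authorized=False):
        if not authorized:
            raise PermissionError("caller is not allowed to detokenize")
        return self._value_by_token[token]

def deidentify(rows, vault):
    """Return de-identified copies of the rows; the originals are not modified."""
    return [{"name": vault.tokenize(r["name"]),
             "phone": mask_phone(r["phone"]),
             "plan": r["plan"]} for r in rows]

# Constructed sample records
ROWS = [
    {"name": "Alice Example", "phone": "021-555-0142", "plan": "gold"},
    {"name": "Bob Example", "phone": "031-555-0199", "plan": "basic"},
    {"name": "Alice Example", "phone": "021-555-0177", "plan": "basic"},
]
```

Masking is one-way here: nothing in the output can restore the subscriber digits, whereas the token can be mapped back by an authorized caller of the vault.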