Domain 3 — Security Architecture and Engineering
Security engineering and security architectural design are, of course, far more complicated and difficult than (ISC)2 material suggests. See the work of Ross Anderson and Matthew Green for the real stories.
Formal Security Models
These are formal and academic. They're listed here in order from most to least likely to appear on the exam. All you need to know about them is:
Bell-LaPadula is the easiest and most obvious, as it's focused on secrecy. Secrets should not flow down in a multi-level security model. Using the usual U.S. Government model, Confidential is the entry-level, the least sensitive controlled-access data; Top Secret is the most sensitive, and Secret is in the middle:
Someone with a Secret clearance should not be able to:
- Read Top Secret data (no read up)
- Write into a Confidential space (no write down)
There's no problem if they see Confidential data (read down) or write their output into a space where Top Secret people can see it (write up).
This concept is too easy, so they put further labels on things:
| Simple Security property | No read up |
| Star property | No write down |
Certification exams are not about how things really work, or how to do things. A large percentage of the questions aren't really about recognizing what is most important. The exam questions are intentionally vague and poorly worded, and function to test your ability to memorize or figure out the certifier's sloppy and inconsistent terminology.
The Biba model, on the other hand, is focused on integrity and therefore trustworthiness. The easiest analogy is to think of a village with a monastery, where the monks copy scriptures. You only trust the integrity, thus the meaning or accuracy, of a document from above: Belief or trust flows down, not up.
- The chief priest, being the most enlightened being in the village, does not read or believe the possibly faulty copies produced by the monks, let alone the villagers' uninspired output.
- Monks read and believe what the chief priest gives them. They do not pay any attention to pamphlets written by the villagers.
- Villagers should read and believe scriptures copied by the monks. They also should believe the less frequent publications from the chief priest.
Compared to Bell-LaPadula, the formal properties are similar but with converse meanings:
| Simple Integrity property | No read down (a subject cannot observe an object of lower integrity) |
| Star property | No write up (a subject cannot modify an object of higher integrity) |
| Invocation property | A subject cannot send logical service requests to an object of higher integrity |
(The monks can't make requests of the chief priests, and the villagers can't ask anyone for help. The more enlightened layers will send new information down when they feel that it's appropriate.)
For both Bell-LaPadula and Biba: Reading is simple, all I have to do is look at the page. Writing is more involved, I must have a pen, and ink, and move the pen. So, "simple" ones have to do with reading, the others, "star", with writing.
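To make the converse relationship concrete, here is an added example (not from the original page) of a tiny reference monitor that enforces the Bell-LaPadula simple and star properties on secrecy labels and the Biba simple, star and invocation properties on integrity labels, using the page's own level names. The numeric rankings are an assumption made for the example.

```python
"""Toy reference monitor for Bell-LaPadula (secrecy) and Biba (integrity).
Added illustration; the level rankings below are constructed for it."""

# Secrecy labels (Bell-LaPadula): a higher number is more sensitive.
SECRECY = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

# Integrity labels (Biba, village analogy): a higher number is more trusted.
INTEGRITY = {"villager": 1, "monk": 2, "chief priest": 3}


def blp_allows(subject_clearance: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula: 'simple' governs reading, 'star' governs writing."""
    s, o = SECRECY[subject_clearance], SECRECY[object_level]
    if op == "read":
        return s >= o   # simple security property: no read up
    if op == "write":
        return s <= o   # star property: no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba: the same shape as BLP with the comparisons reversed."""
    s, o = INTEGRITY[subject_level], INTEGRITY[object_level]
    if op == "read":
        return s <= o   # simple integrity property: no read down
    if op == "write":
        return s >= o   # star integrity property: no write up
    if op == "invoke":
        return s >= o   # invocation property: no service requests upward
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    # The page's examples: a Secret subject, and a monk in the village.
    print("Secret reads Top Secret:", blp_allows("Secret", "Top Secret", "read"))
    print("Secret writes Confidential:", blp_allows("Secret", "Confidential", "write"))
    print("Monk reads villager pamphlet:", biba_allows("monk", "villager", "read"))
    print("Monk asks chief priest:", biba_allows("monk", "chief priest", "invoke"))
```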
Brewer and Nash, or the Chinese Wall model
This focuses on preventing conflicts of interest. A law firm or financial services firm might support clients who compete or conflict with each other. An individual staff member can choose to work with either client, but once they choose, they are limited to dealing with them only.
This is basically the story of the movie Wall Street. The character Bud Fox could have worked for his father's union of aircraft mechanics, or for the Wall Street trader Gordon Gekko, but his penetration of the metaphorical wall leads to trouble for everyone.
The Clark—Wilson model is the Biba model plus integrity at the transaction level, through the abstraction of well-formed transactions. Think of Amazon. They have an enormous and critical inventory database. Of course you aren't allowed to interact with it directly.
However, your interactions with their web pages do access the database through some limited, trusted, secure API. You click "Put this in my cart" and then "Check out", and each click drives a defined sequence of transactions. Everything you do follows their defined rules, and the end result is that you have modified their database, through the process of purchasing an item. Not directly, all through their trusted API.
You can say what you want to do, "Check out", but you can't specify how to do that. The forbidden "How" could have included dangerous extra parameters or modification of the transaction environment.
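The "what, not how" rule can be written down as a small enforcement layer. This is an added example, not Amazon's or anyone's real code: the inventory is the constrained data item, checkout is a certified transformation procedure (TP), an integrity verification procedure (IVP) checks the data before and after, and an access triple says which user may run which TP. All names and data are constructed.

```python
"""Toy Clark-Wilson enforcement: users name a TP, never touch CDIs directly."""
from copy import deepcopy

# Constrained data items (CDIs): the "inventory database". Constructed sample data.
CDI = {"inventory": {"sku-1": 3}, "orders": []}


def ivp(state) -> bool:
    """IVP: stock never negative, and every order refers to a known SKU."""
    return (all(q >= 0 for q in state["inventory"].values())
            and all(o["sku"] in state["inventory"] for o in state["orders"]))


def tp_checkout(state, *, user, sku, qty):
    """Certified TP: the only code that is allowed to move stock."""
    if state["inventory"].get(sku, 0) < qty:
        raise ValueError("insufficient stock")
    state["inventory"][sku] -= qty
    state["orders"].append({"user": user, "sku": sku, "qty": qty})


# Certified TPs, with their parameters fixed at certification time.
TPS = {"checkout": (tp_checkout, {"sku", "qty"})}
# Access triples: (user, TP) -> CDIs that TP may modify on the user's behalf.
TRIPLES = {("alice", "checkout"): {"inventory", "orders"}}


def run(user: str, tp_name: str, **params) -> str:
    """Trusted API: check triple and parameters, run the TP on a copy, commit only
    if the IVP still holds and only the permitted CDIs changed."""
    tp, allowed = TPS.get(tp_name, (None, set()))
    if tp is None or (user, tp_name) not in TRIPLES:
        return "denied: no access triple"
    if set(params) != allowed:
        return "denied: TP parameters are fixed by certification"  # the "how"
    if not ivp(CDI):
        return "denied: CDIs already inconsistent"
    trial = deepcopy(CDI)
    try:
        tp(trial, user=user, **params)
    except ValueError as err:
        return f"denied: {err}"
    if not ivp(trial):
        return "denied: IVP failed after TP"
    changed = {k for k in CDI if trial[k] != CDI[k]}
    if not changed <= TRIPLES[(user, tp_name)]:
        return "denied: TP touched a CDI outside its triple"
    CDI.update(trial)
    return "ok"
```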
The Graham—Denning model defines three categories: objects, subjects, and rights. It then defines a set of eight primitive commands that subjects can execute to have effects on objects or other subjects. It's a small set of basic operations, or verbs. Simple is easier to get right, so it's more secure.
Harrison, Ruzzo, Ullman model
This model is like Graham—Denning, but less restrictive. It's also the least likely of this sequence to appear on the exam, "like Graham—Denning but less restrictive" is all I have ever bothered to know.
I'm surprised that CISSP doesn't go deeper into cryptography than it does, given the exam's reputation as academic and rigorous. Here is a set of terms you need to know.
- Plaintext or Cleartext
- Ciphertext or cryptogram
- Cryptosystem is the entire system — the cipher or algorithm, plus all the details of how the keys are generated, agreed upon or exchanged, and used.
- Cryptovariable is obviously the key, plus maybe an IV or other data.
- Initialization vector or IV means that even if you encrypt the same cleartext with the same key, the ciphertext will be different. Patterns won't leak through.
- Session key means you use a new randomly generated key for each message, or for each encrypted file, or for each web or VPN session. Breaking one message gives your attacker just that, it does not give them anything else. (and see the cryptanalytic attacks below)
- Key space and work factor
- Symmetric versus asymmetric
Asymmetric ciphers include
- Diffie-Hellman (not really, but for the test...)
- ElGamal (Professor ElGamal figured out how to do what Diffie and Hellman were trying to do, when they instead discovered a secure way to agree on a shared secret in an insecure environment)
- Elliptic-curve or ECC
Symmetric ciphers include
- RC4 (we shouldn't use it, but it's entrenched in the test just as it was in the real world)
- Salsa and ChaCha, used in TLS
- DES and 3DES because they have been so entrenched
- AES aka Rijndael
Block cipher modes include
- Electronic Code Book or ECB (terribly insecure outside some obscure situations)
- Cipher Block Chaining or CBC (fine for stored bulk data like files, dangerous for use in TLS)
- Galois/Counter Mode or GCM (makes a block cipher stream-like and provides authenticated encryption, this is the way to use AES within TLS)
- Cipher Feedback Mode or CFM (makes a block cipher stream-like)
- Output Feedback Mode or OFM (makes a block cipher stream-like)
- Counter Mode or CTR (makes a block cipher stream-like)
- Counter Mode with CBC Message Authentication Mode Protocol or CCMP (part of 802.11i or Wi-Fi security, stream-like and authenticated)
- Encoding versus encryption: encoding schemes change format without providing security. For example, the HTML representation of Unicode, &#x0429; for Cyrillic Щ or &#x03C9; for Greek ω, instead of the UTF-8 characters. The exam does not consider the use of code words for security, such as the Japanese Imperial Fleet first replacing the name of a target with the code word AF before encrypting that with the JN25 cipher.
- Hybrid cryptography, combining asymmetric and symmetric ciphers, appears on the exam as: My message to you starts with a header, "Let's use AES with randomly-generated key 01101000101....", encrypted with an asymmetric cipher using your public key. Then the bulk of the message is the result of what the header said: using a symmetric cipher (like AES) and that key. Symmetric is computationally efficient, but we need a shared secret key. Asymmetric lets us share the secret.
- Substitution versus transposition
- Monoalphabetic substitution cipher, big name for a trivially broken cipher, see Poe's story "The Gold Bug" for a tutorial on how to do that. A Polyalphabetic substitution cipher was also broken back in Poe's time, it's a little more work but still easily broken with pencil and paper.
- One-Time Pad is unbreakable if correctly used, but it's impractical for most situations.
- Steganography and covert channel and null cipher, these are different concepts but they're related.
- Confusion versus Diffusion, and, related to diffusion, especially for a stream cipher, functional complexity so each keystream bit depends on most or all of the cryptovariable bits
- Kerckhoffs's Principle — if you think you have to keep the algorithm secret, then you're hiding a weakness. The strongest ciphers are those for which you don't worry about your adversary having a copy of the code. Or, really, having the entire cryptosystem except for the cryptovariable you used to convert your cleartext into ciphertext. See what I did there? Make sure you can use these terms in sentences, because the exam certainly does!
- Avalanche effect
- Perfect Forward Secrecy or PFS
- Collision (issue with hash functions: multiple inputs produce the same output) versus key clustering (issue with ciphers, multiple keys produce the same ciphertext from the same cleartext)
Hash functions include
- MD5 because history
- SHA-1 should be history soon
- SHA-2 is a family including SHA-256 and SHA-512. May be written "SHA-2" to mean one of them, "SHA-256" and "SHA-512", or "SHA-2-256" and "SHA-2-512". Less likely, SHA-224 and SHA-384 could show up.
- SHA-3 — there was a big scare when the weaknesses in MD5 and SHA-1 came out, and US NIST announced a contest to replace the SHA-2 family. Keccak, designed by a team including a member of the Rijndael/AES team (Go, Belgium!) won, but... It turns out we didn't need SHA-3 immediately after all. Some day it will be a drop-in replacement for the SHA-2 suite.
Cryptanalytic attacks include
- Known plaintext
- Chosen plaintext
- Chosen ciphertext
- Linear cryptanalysis
- Differential cryptanalysis
- Side channel attack
- Fault analysis
- Probing attack
The situations:
- Message Integrity Control or MIC (it hasn't been changed, just a hash will do this) versus Message Authentication Code or MAC (it hasn't been changed and it came from a specific sender, so maybe a hash of the payload plus a shared secret key, thus an HMAC)
- Link encryption would be handled for you by the people running the link (satellite, fiber, etc). It encrypts the raw bit stream, headers and all, so the routing data (practically speaking today, the IP header) is also encrypted.
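The MIC versus MAC distinction above is easy to see in code. This is an added example, not from the original page: a bare SHA-256 hash is a MIC that an in-path modifier can simply recompute, while an HMAC over the payload with a shared secret key cannot be forged without that key. The key and messages are constructed for illustration.

```python
"""MIC (plain hash) versus MAC (HMAC with a shared key). Added illustration."""
import hashlib
import hmac


def mic(payload: bytes) -> str:
    """Message Integrity Control: just a hash. Detects accidental change only."""
    return hashlib.sha256(payload).hexdigest()


def mac(key: bytes, payload: bytes) -> str:
    """Message Authentication Code: HMAC-SHA256 over payload with a shared key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_mic(payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(mic(payload), tag)   # constant-time compare


def verify_mac(key: bytes, payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, payload), tag)


def tamper_demo(key: bytes) -> dict:
    """What an in-path modifier who lacks the key can and cannot get accepted."""
    original = b"transfer 100 to account 42"   # constructed sample message
    forged = b"transfer 900 to account 42"
    results = {}
    # MIC: the modifier edits the text and recomputes the hash; receiver accepts.
    results["mic_forged_accepted"] = verify_mic(forged, mic(forged))
    # MAC: without the key the best it can do is reuse the original tag...
    results["mac_old_tag_accepted"] = verify_mac(key, forged, mac(key, original))
    # ...or substitute a plain hash; both are rejected.
    results["mac_plain_hash_accepted"] = verify_mac(key, forged, mic(forged))
    # The genuine message with its genuine tag is still accepted.
    results["mac_genuine_accepted"] = verify_mac(key, original, mac(key, original))
    return results


if __name__ == "__main__":
    for name, accepted in tamper_demo(b"constructed-shared-secret").items():
        print(f"{name}: {accepted}")
```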
PKI or Public Key Infrastructure
- X.509v3, the standard format for a digital certificate
- Certificate Authority versus a Registration Authority
- Certificate Revocation List or CRL, which you might check via OCSP
Quantum Defense and Offense
Quantum cryptography is for defense, to protect secrets. It's used for QKD or quantum key distribution, where you use single-photon signalling to securely exchange a key to be used with a conventional symmetric cipher like AES.
Quantum computing is for offense or cryptanalysis, to attack secrets. A general-purpose quantum computer could quickly solve problems which are otherwise impractically difficult, thus breaking all the asymmetric ciphers we now use to protect key exchange: factoring (RSA), discrete logarithm (ECC, Diffie-Hellman, ElGamal).
Now That You Know Cryptography...
There are some questions where knowing all the technology doesn't give you the correct answer. You must carefully analyze the English prose.
(ISC)2 isn't as bad as CompTIA about doing this, but they still do it on some questions.
I have some examples on my CompTIA Security+ study
Try the first question on each of these quizzes:
- CompTIA Security+ Domain 5 quiz
- CompTIA Security+ Domain 6 quiz