Errata

The following is the current errata for CISSP All-In-One Study Guide 4th edition …


4 Responses to “Errata”

  1. Alan Nees Says:

    Shon,

    For possible considerations in the AIO 5th edition.

    Reference Chapter 3 (Military Classifications)

    Army Regulation AR25-2
    Information Assurance
    25 October 2007

    1–5. Overview
    a. The AIAP applies to ISs including, but not limited to, computers, processors, devices, or environments (operating in a prototype, test bed, stand-alone, integrated, embedded, or networked configuration) that store, process, access, or transmit data, including unclassified, sensitive (formerly known as sensitive but unclassified (SBU)), and classified data, with or without handling codes and caveats.

    In short, SBU is a Department of State classification, and is not an authorized military (Army at least) classification.

    Regards,
    Alan Nees
    Future CISSP

  2. sharris Says:

    Hi,

    Thanks for writing in.

    I know we used this classification in the Air Force.

    This is an interesting issue and I will research it further and come back to you on this.

    Thanks for pointing it out.

    shon

    After further researching this issue, these are used by government agencies and different military branches. So the statements in the book are true. This is also how (ISC)2 classifies them.

  3. Tom Spencer Says:

    Hi Shon,

    I have discovered an error in the cryptography section of your book. On p. 721 you have a section entitled “How would a Birthday Attack Take Place?”

    In the scenario, Sue and Joe create a contract (call it m) and have it hashed, then save that hash. Sue then creates a different document (n) and continues making slight alterations to n until it matches the hash of m. Sue can only alter n to match the already saved hash of m. This does not represent a birthday attack, in fact it is just a brute-force attack.

    For this to be a birthday attack, Sue would need to create both versions of the contract ahead of time, altering both versions to find any common collision instead of trying to match a specific predetermined hash. She would then present the “fair” contract to Joe, who would accept it and record the hash. Later she could present the “unfair” version which would match that same hash.

    Thanks,
    Tom

  4. sharris Says:

    Hi Tom,

    Thanks for writing in. Sorry it took so long to answer you, the whole site had a face lift. (smile)

    Yes, I believe you are correct. The industry considers a Birthday Attack as being a type of brute force attack. If you are looking for a collision before you send out a ‘fair document’, you have to go through many iterations to find the same hash value. So the brute force is carried out to have a ‘fair’ and an ‘unfair’ document.

    A Birthday Attack does not specifically mean you do this brute force work before you release the document. A Birthday Attack just takes advantage of the possibility of a hash collision. As an attacker you CAN create it in your scenario, but there are times that an attacker would want to create the same hash that is already created. This is done when logs are changed and the attacker does not want anyone to know about his deeds.

    In our industry you can find someone who says the definition of this term is X. Then you can read another resource that says this term is Y. In almost all cases I have seen of these incidents (AND I HAVE SEEN A LOT OF THEM) neither person is wrong, but that person either only knows a portion of the term or does not state the whole definition, thus people think what they see is the full definition.

    I see many people get upset about SSL and ARP. Different resources will say SSL is either at the session layer of the OSI model or transport layer. People think one of the resources has to be incorrect, but they are not. SSL is made up of 2 protocols, one works at the session layer and one works at the transport layer. With ARP I have seen networking people argue intensely if it is at the network layer or the data link layer. It actually spans both layers, so neither resource is actually incorrect - it just does cover the topic at a deeper level.

    For the CISSP exam you just need to know that a Birthday Attack takes place through forcing collisions.

    Thanks,

    shon
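The two search strategies discussed in Tom's comment and Shon's reply above, shown side by side as an added example (this is not code from the book, the commenters, or the site). It assumes a toy hash made of the first few bits of SHA-256 so both searches finish quickly; the contract texts, the `variant` alteration scheme and the function names are constructed for illustration. "Second preimage" is the search the book's scenario describes (the hash of m is already fixed, only n is altered); "birthday" is Tom's version, where both the fair and the unfair contract are varied until any pair collides. Running it shows why the birthday version needs roughly 2^(n/2) hashes while matching a fixed hash needs roughly 2^n, which is the reason hash output length is chosen against the birthday bound.

```python
import hashlib
import itertools

DEFAULT_BITS = 16  # toy output size; real hashes are 160-512 bits


def toy_hash(data: bytes, bits: int = DEFAULT_BITS) -> int:
    """Truncated SHA-256: the top `bits` bits (at most 32) of the digest."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def variant(template: bytes, i: int) -> bytes:
    """The i-th 'slight alteration' of a document. Real attackers vary
    wording or whitespace; a counter suffix is enough for the demo."""
    return template + b" #" + str(i).encode()


def second_preimage_search(fixed_doc: bytes, template: bytes,
                           bits: int = DEFAULT_BITS, limit=None):
    """The book's scenario: the hash of `fixed_doc` (m) is already recorded,
    so only the other document (n) is altered until it matches that one
    value. Expected cost is about 2**bits hashes.
    Returns (hashes_computed, matching_doc) or (hashes_computed, None)."""
    target = toy_hash(fixed_doc, bits)
    for i in itertools.count():
        if limit is not None and i >= limit:
            return i, None
        cand = variant(template, i)
        if toy_hash(cand, bits) == target:
            return i + 1, cand


def birthday_search(fair_template: bytes, unfair_template: bytes,
                    bits: int = DEFAULT_BITS):
    """Tom's correction: vary BOTH documents before anything is signed and
    stop at the first fair/unfair pair with equal hashes. Expected cost is
    about 2 * 2**(bits/2) hashes because every new fair variant is compared
    against every unfair variant seen so far, and vice versa.
    Returns (hashes_computed, fair_doc, unfair_doc)."""
    seen_fair, seen_unfair = {}, {}
    for i in itertools.count():
        f, u = variant(fair_template, i), variant(unfair_template, i)
        hf, hu = toy_hash(f, bits), toy_hash(u, bits)
        seen_fair[hf] = f
        seen_unfair[hu] = u
        if hf in seen_unfair:          # also catches hf == hu in this round
            return 2 * (i + 1), f, seen_unfair[hf]
        if hu in seen_fair:
            return 2 * (i + 1), seen_fair[hu], u


def compare_costs(bits: int = DEFAULT_BITS) -> dict:
    """Run both searches on constructed contract texts and report the work."""
    fair = b"Contract: Sue pays Joe 1000 USD"      # constructed sample
    unfair = b"Contract: Joe pays Sue 1000 USD"    # constructed sample
    pre_tries, _ = second_preimage_search(fair, unfair, bits)
    bday_tries, f, u = birthday_search(fair, unfair, bits)
    assert toy_hash(f, bits) == toy_hash(u, bits)
    return {"bits": bits,
            "second_preimage_hashes": pre_tries,
            "birthday_hashes": bday_tries,
            "expected_second_preimage": 2 ** bits,
            "expected_birthday": 2 * 2 ** (bits / 2)}


if __name__ == "__main__":
    for b in (12, 16, 20):
        print(compare_costs(b))
```

Each run differs because the counter values that happen to collide depend on the truncated SHA-256 output, but the ratio between the two columns stays near 2^(n/2): doubling the output length squares the cost of the birthday search, which is why a hash intended to resist it needs twice the bits one might expect from the fixed-target case alone.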