The problem of the CISSP Exam in Simplified Chinese

Many CISSP exam candidates in Taiwan received an email from ISC2 today that the linear CISSP exam is not available in simplified Chinese until further notice due to irregularities in candidates’ results. Their exam appointments are either canceled or rescheduled. I’m unsure if it is a system malfunction or an exam irregularity problem. Suppose it’s an exam irregularity in the simplified Chinese exam. In that case, I’m glad to see the mitigation actions, as ISC2 has been doing a great job maintaining the integrity of the CISSP exam.

However, I hope ISC2 can make simplified Chinese available in Taiwan soon after the investigation. People in Taiwan use traditional Chinese daily and feel more comfortable with simplified Chinese than English. Taking English exams is more challenging for most Taiwanese than doing Simplified Chinese ones.

Taiwan and China are two independent countries. If something goes wrong in China, I hope treatments applied to Taiwan can be considered separately.

All is well!

Positive thinking is not a gift but a skill one must learn. Given an expression X – Y, one may see the minus symbol only or ignore that the varialble Y can be negative. If we can treat it as X + (-Y), consider everything is a “plus” operation, and focus on the truth, life would be much better.

All Cloud Models Support Multitenancy

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

~ NIST SP 800-145

The three service models are SaaS, PaaS, and IaaS. The four deployment models are private cloud, community cloud, public cloud, and hybrid cloud. The five essential characteristics are 1) on-demand self-service, 2) broad network access, 3) resource pooling, 4) rapid elasticity, and 5) measured service. However, NIST SP 800-145 doesn’t mention the characteristic of multitenancy, which is specified in ISO/IEC 17788.

tenant: One or more cloud service users sharing access to a set of physical and virtual resources.

multi-tenancy: Allocation of physical or virtual resources such that multiple tenants and their computations and data are isolated from and inaccessible to one another.

Multi-tenancy: A feature where physical or virtual resources are allocated in such a way that multiple tenants and their computations and data are isolated from and inaccessible to one another. Typically, and within the context of multi-tenancy, the group of cloud service users that form a tenant will all belong to the same cloud service customer organization. There might be cases where the group of cloud service users involves users from multiple different cloud service customers, particularly in the case of public cloud and community cloud deployments. However, a given cloud service customer organization might have many different tenancies with a single cloud service provider representing different groups within the organization;

~ ISO/IEC 17788

I came across the following practice question from the CCSP OPT 3rd edition, which reads: “In a private cloud deployment, only Matthew’s company would have access to any resources hosted on the same physical hardware. This is not multitenancy.” Its explanation implies a private cloud has a single tenant, and multitenancy leads to a public cloud.

I disagree with the explanation. According to the above definitions in ISO/IEC 17788, all cloud services and deployment models should support multitenancy, regardless of whether it is a private or public cloud. A tenant refers to one or more cloud service users instead of a cloud service customer organization. A single cloud service customer can have multiple tenants.

Since NIST SP 800-145, NIST SP 500-292, and the CSA Cloud Security Glossary don’t define “multitenancy,” while ISO/IEC 17788 does so precisely, I suggest we align the concept of multitenancy with ISO/IEC 17788.


Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew's company. What cloud deployment model is being used?
A. Hybrid cloud
B. Public cloud
C. Private cloud
D. Community cloud
B. The key to answering this question is recognizing that the multitenancy model
involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthew's company. In a private cloud deployment, only Matthew's company would have access to any resources hosted on the same physical hardware. This is not multitenancy. There is no indication that Matthew's organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group, which would be a community cloud.
Source: CCSP Official Practice Tests, 3rd edition

Randomness

A true random number generator produces numeric sequences that are irregular (no recognizable patterns or periods), unpredictable, and irreproducible.

Pseudo-Random Sequences

“It looks random. This means that it passes all the statistical tests of randomness that we can find.” (Schneier)

Cryptographically Secure Pseudo-Random Sequences

“It is unpredictable. It must be computationally infeasible to predict what the next random bit will be, given complete knowledge of the algorithm or hardware generating the sequence and all of the previous bits in the stream.” (Schneier)

Real Random Sequences

It is irreproducible. “It cannot be reliably reproduced. If you run the sequence generator twice with the exact same input (at least as exact as humanly possible), you will get two completely unrelated random sequences.” (Schneier)

References

  • Bruce Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C,John Wiley & Sons, Inc.,1996

WISE Model: Mind Map v2.7.2

WISE Model: Mind Map v2.7.2
WISE Model: Mind Map v2.7.2

I organized cybersecurity concepts into the mind map along with the following definition:

“Information security is a discipline of protecting assets from threats through security controls to achieve confidentiality, integrity, and availability (CIA), support business, and create value and fulfill organizational mission and vision.”

The definition and the mind map are collectively called the WISE model. I hope it helps in your CISSP journey!

PS. I use “information security” and “cybersecurity” interchangeably, even though the Presidential Cybersecurity Policy, CISM, and many other sources may treat them differently. I use “information security” in a broad sense of asset security.

RSA Cryptography

Left-side: the output of C# code in LINQPad

RSA Highlights

  • The plaintext‘s length must be less than or equal to the modulus’s size minus 88-bit padding, while OAEP padding typically adds 42 bytes. (1960 bits at most, given a 2048-bit modulus)
  • The ciphertext’s length equals the modulus’s size (p x q). (A 128-bit plaintext generates a 2048-bit ciphertext, given a 2048-bit modulus)
  • Because the size of hash values and symmetric keys is typically less than 512 bits, asymmetric cryptography is suitable for key exchange and digital signatures.
  • However, because of the lack of forward secrecy support, RSA nowadays is deemed inappropriate for key exchange.
  • “Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.” (Wikipedia)

PKCS #1

         RSAPublicKey ::= SEQUENCE {
             modulus           INTEGER,  -- n
             publicExponent    INTEGER   -- e
         }

         RSAPrivateKey ::= SEQUENCE {
             version           Version,
             modulus           INTEGER,  -- n
             publicExponent    INTEGER,  -- e
             privateExponent   INTEGER,  -- d
             prime1            INTEGER,  -- p
             prime2            INTEGER,  -- q
             exponent1         INTEGER,  -- d mod (p-1)
             exponent2         INTEGER,  -- d mod (q-1)
             coefficient       INTEGER,  -- (inverse of q) mod p
             otherPrimeInfos   OtherPrimeInfos OPTIONAL
         }

Sample Code

The following is a snippet of C# code in LINQPad that demonstrates RSA Cryptography:

System
System.Security.Cryptography

void Main()
{
	string message = 
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234";
	(message.Length * 8).Dump("message.Length"); //1960 bits
	
	RSAParameters key = RsaEncryption.GenerateKey(2048);
	key.Dump("Key per PKCS #1");

	var encryptedData = RsaEncryption.Encrypt(message, key);
	(encryptedData.Length * 8).Dump("encryptedData.Length");
	
	var decryptedData = RsaEncryption.Decrypt(encryptedData, key);
	(decryptedData.Length * 8).Dump("decryptedData.Length");
	
	/*
	string encryptedMessage = Convert.ToBase64String(encryptedData);
	string decryptedMessage = Encoding.UTF8.GetString(RsaEncryption.Decrypt(encryptedData, key));
	Console.WriteLine("Encrypted message: " + encryptedMessage);
	Console.WriteLine("Decrypted message: " + decryptedMessage);
	*/

	//Digital Signature
	var hash = Sha256Hash.ComputeHash(message);
	BitConverter.ToString(hash).Dump("hash");
	(hash.Length * 8).Dump("hash.Length");
	
	var signature = DigitalSignature.Sign(hash, key);
	bool verified = DigitalSignature.Verify(hash, signature, key);

	(signature.Length * 8).Dump("signature.Length");
	verified.Dump("verified");
	//Console.WriteLine("Signature: " + signature);
	//Console.WriteLine("Verified: " + verified);
}

// Define other methods and classes here
public class Sha256Hash
{
	public static byte[] ComputeHash(string message)
	{
		byte[] hashValue;
		using (SHA256 sha256 = SHA256.Create())
		{
			hashValue = sha256.ComputeHash(Encoding.UTF8.GetBytes(message));
		}

		return hashValue;
	}
}

public class RsaEncryption
{
	public static byte[] Encrypt(string message, RSAParameters key)
	{
		byte[] encryptedData;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			encryptedData = rsa.Encrypt(Encoding.UTF8.GetBytes(message), false);
		}

		return encryptedData;
	}

	public static byte[] Decrypt(byte[] ciphertext, RSAParameters key)
	{
		byte[] decryptedData;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			decryptedData = rsa.Decrypt(ciphertext, false);
		}

		return decryptedData;
	}

	public static RSAParameters GenerateKey(int keySzie)
	{
		RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(keySzie);
		return rsa.ExportParameters(true);
	}
}

public class DigitalSignature
{
	public static byte[] Sign(byte[] hash, RSAParameters key)
	{
		byte[] signature;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			signature = rsa.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
		}

		return signature;
	}

	public static bool Verify(byte[] hash, byte[] signature, RSAParameters key)
	{
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), signature);
		}
	}
}

References

Weight and Sufficiency of Evidence

Evidence is presented to prove facts. Evidence can be materials or witnesses. Facts can be represented in natural language sentences, statements, assertions, or logical propositions. The proof is evidence accepted to believe facts are true or probably true. Investigation is the process of evidence identification, collection, preservation, analysis, review, processing, production, and presentation; investigation involving forensics or scientific knowledge is known as forensic investigation.

Continue reading