Error detection is the detection of errors caused by noise or other impairments during transmission from the transmitter to the receiver.
Error correction is the detection of errors and reconstruction of the original, error-free data.

~ Wikipedia

A true random number generator produces numeric sequences that are irregular (no recognizable patterns or periods), unpredictable, and irreproducible.

Pseudo-Random Sequences

“It looks random. This means that it passes all the statistical tests of randomness that we can find.” (Schneier)

Cryptographically Secure Pseudo-Random Sequences

“It is unpredictable. It must be computationally infeasible to predict what the next random bit will be, given complete knowledge of the algorithm or hardware generating the sequence and all of the previous bits in the stream.” (Schneier)

Real Random Sequences

It is irreproducible. “It cannot be reliably reproduced. If you run the sequence generator twice with the exact same input (at least as exact as humanly possible), you will get two completely unrelated random sequences.” (Schneier)

References

• Bruce Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C,John Wiley & Sons, Inc.,1996

What is information security? I propose the WISE Model as a cybersecurity conceptual model and explain it in Chinese. Your feedback is welcome!

何謂資訊安全？ 我提出了WISE Model作為學習資安的入門觀念架構. 歡迎大家不吝回饋與指正.

I organized cybersecurity concepts into the mind map along with the following definition:

“Information security is a discipline of protecting assets from threats through security controls to achieve confidentiality, integrity, and availability (CIA), support business, and create value and fulfill organizational mission and vision.”

The definition and the mind map are collectively called the WISE model. I hope it helps in your CISSP journey!

PS. I use “information security” and “cybersecurity” interchangeably, even though the Presidential Cybersecurity Policy, CISM, and many other sources may treat them differently. I use “information security” in a broad sense of asset security.

Ontology concerns claims about the nature of being and existence.

Barbie

• Ken is me.
• Ideas live forever. Humans not so much.
• You don’t need my permission (to become human).

Soundtrack: What was I made for?

RSA Highlights

• The plaintext‘s length must be less than or equal to the modulus’s size minus 88-bit padding, while OAEP padding typically adds 42 bytes. (1960 bits at most, given a 2048-bit modulus)
• The ciphertext’s length equals the modulus’s size (p x q). (A 128-bit plaintext generates a 2048-bit ciphertext, given a 2048-bit modulus)
• Because the size of hash values and symmetric keys is typically less than 512 bits, asymmetric cryptography is suitable for key exchange and digital signatures.
• However, because of the lack of forward secrecy support, RSA nowadays is deemed inappropriate for key exchange.
• “Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.” (Wikipedia)

PKCS #1

         RSAPublicKey ::= SEQUENCE {
             modulus           INTEGER,  -- n
             publicExponent    INTEGER   -- e
         }

         RSAPrivateKey ::= SEQUENCE {
             version           Version,
             modulus           INTEGER,  -- n
             publicExponent    INTEGER,  -- e
             privateExponent   INTEGER,  -- d
             prime1            INTEGER,  -- p
             prime2            INTEGER,  -- q
             exponent1         INTEGER,  -- d mod (p-1)
             exponent2         INTEGER,  -- d mod (q-1)
             coefficient       INTEGER,  -- (inverse of q) mod p
             otherPrimeInfos   OtherPrimeInfos OPTIONAL
         }

Sample Code

The following is a snippet of C# code in LINQPad that demonstrates RSA Cryptography:

System
System.Security.Cryptography

void Main()
{
	string message = 
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"+
	"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234";
	(message.Length * 8).Dump("message.Length"); //1960 bits
	
	RSAParameters key = RsaEncryption.GenerateKey(2048);
	key.Dump("Key per PKCS #1");

	var encryptedData = RsaEncryption.Encrypt(message, key);
	(encryptedData.Length * 8).Dump("encryptedData.Length");
	
	var decryptedData = RsaEncryption.Decrypt(encryptedData, key);
	(decryptedData.Length * 8).Dump("decryptedData.Length");
	
	/*
	string encryptedMessage = Convert.ToBase64String(encryptedData);
	string decryptedMessage = Encoding.UTF8.GetString(RsaEncryption.Decrypt(encryptedData, key));
	Console.WriteLine("Encrypted message: " + encryptedMessage);
	Console.WriteLine("Decrypted message: " + decryptedMessage);
	*/

	//Digital Signature
	var hash = Sha256Hash.ComputeHash(message);
	BitConverter.ToString(hash).Dump("hash");
	(hash.Length * 8).Dump("hash.Length");
	
	var signature = DigitalSignature.Sign(hash, key);
	bool verified = DigitalSignature.Verify(hash, signature, key);

	(signature.Length * 8).Dump("signature.Length");
	verified.Dump("verified");
	//Console.WriteLine("Signature: " + signature);
	//Console.WriteLine("Verified: " + verified);
}

// Define other methods and classes here
public class Sha256Hash
{
	public static byte[] ComputeHash(string message)
	{
		byte[] hashValue;
		using (SHA256 sha256 = SHA256.Create())
		{
			hashValue = sha256.ComputeHash(Encoding.UTF8.GetBytes(message));
		}

		return hashValue;
	}
}

public class RsaEncryption
{
	public static byte[] Encrypt(string message, RSAParameters key)
	{
		byte[] encryptedData;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			encryptedData = rsa.Encrypt(Encoding.UTF8.GetBytes(message), false);
		}

		return encryptedData;
	}

	public static byte[] Decrypt(byte[] ciphertext, RSAParameters key)
	{
		byte[] decryptedData;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			decryptedData = rsa.Decrypt(ciphertext, false);
		}

		return decryptedData;
	}

	public static RSAParameters GenerateKey(int keySzie)
	{
		RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(keySzie);
		return rsa.ExportParameters(true);
	}
}

public class DigitalSignature
{
	public static byte[] Sign(byte[] hash, RSAParameters key)
	{
		byte[] signature;
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			signature = rsa.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
		}

		return signature;
	}

	public static bool Verify(byte[] hash, byte[] signature, RSAParameters key)
	{
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
		{
			rsa.ImportParameters(key);
			return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), signature);
		}
	}
}

References

• PKCS #1: RSA Cryptography Specifications Version 2.2 (RFC 8017)
• RSAParameters Struct
• Forward secrecy

Evidence is presented to prove facts. Evidence can be materials or witnesses. Facts can be represented in natural language sentences, statements, assertions, or logical propositions. The proof is evidence accepted to believe facts are true or probably true. Investigation is the process of evidence identification, collection, preservation, analysis, review, processing, production, and presentation; investigation involving forensics or scientific knowledge is known as forensic investigation.

Software delivery is not deployment. Delivery hands over the software to the customer, while deployment installs and provisions the software to the production environment. We have to be cautious about the term CD. Does it mean continuous delivery or continuous deployment? Both share the same acronym but convey different ideas. Software or application is only one part of the information system that shall be certified and accredited (C&A) to get the authorization to operate (ATO). In other words, the information system is authorized instead of the software alone. Continuous deployment may not comply with the C&A process. It’s a security concern that the software development or IT operations team often ignores when implementing continuous deployment.

Quality refers to the “degree to which a set of inherent characteristics of an object fulfills requirements.” (ISO/TS 82304-2)

Software refers to “all or part of the programs, procedures, rules and associated documentation of an information-processing system.” (ISO 17894)

“In software development, a build is the process of converting source code files into standalone software artifact(s) that can be run on a computer, or the result of doing so.” (Wikipedia)

ISO Standards

• ISO/IEC/IEEE 15288:2023
  Systems and software engineering — System life cycle processes
• ISO/IEC/IEEE 12207:2017
  Systems and software engineering — Software life cycle processes
• ISO 9001:2015
  Quality management systems — Requirements
• ISO/IEC 20000-1:2018
  Information technology — Service management — Part 1: Service management system requirements
• ISO/IEC 19770-1:2017
  Information technology — IT asset management — Part 1: IT asset management systems — Requirements
• ISO/IEC 27000:2018
  Information technology — Security techniques — Information security management systems — Overview and vocabulary

References

• Software build