1.4 Flashcards
Public Key Infrastructure, Encrypting data, Key exchange, Encryption technologies, Obfuscation, Hashing and digital signatures, Blockchain technology, Certificates
PKI stands for
Public Key Infrastructure
Policies, procedures, hardware, software, and people that are responsible for creating, distributing, managing, storing, and revoking digital certificates
Also used to describe the binding of public keys to people or devices
PKI (Public Key Infrastructure)
A type of encryption that uses a single, shared key to encrypt and decrypt data
Symmetric encryption
AKA secret key, shared secret
A type of encryption that does not scale very well and is challenging to distribute
Symmetric encryption
AKA secret key, shared secret
A type of encryption that is very fast and has little overhead
Symmetric encryption
AKA secret key, shared secret
A type of encryption that uses two mathematically-related keys to encrypt and decrypt data
One key is public and one key is private; the private key is used to decrypt data encrypted with the public key
The private key cannot be derived from the public key
Asymmetric encryption
True/False
In asymmetric encryption, the public and private keys are created separately at different times
False. They are created simultaneously and are mathematically related.
A third party that holds and manages decryption keys. This may be within your own organization.
ex. If there is a large number of keys
ex. Necessary if the employee using that key is no longer part of the company, but the organization needs access to past messages
Key escrow
A type of encryption that is slow to use and involves implementing complex mathematics with very large prime numbers (lots of overhead)
Asymmetric encryption
A type of encryption that protects all of the data in an entire storage device
Full-disk encryption
A type of encryption that protects all of the data in a partition
Partition-level encryption
A type of encryption that protects a single file
File encryption
Which types of encryption do BitLocker and FileVault provide? (2 types)
Full-disk and volume-level encryption
Which type of encryption does EFS provide?
File encryption
A type of encryption that protects a volume
Volume-level encryption
Difference between a volume and a partition?
A partition is a logical division of a disk.
A volume is a logical assembly of two or more partitions used as a mass storage container.
Think of a filing cabinet: the cabinet itself is the disk drive. The drawers represent partitions. A volume is like labeling the top two drawers “C” and the bottom two drawers “D”. The C drawers are alphabetized, and the D drawers are organized by date.
A type of encryption that protects all the data stored in a database
Database-level encryption
A type of encryption that encrypts all of the data stored in the database with a symmetric key
Transparent encryption
A type of encryption that protects individual columns within a database.
It uses separate symmetric keys for each column.
Record-level encryption
Why is record-level encryption useful? Why not just encrypt the entire database?
Encrypting the entire database makes querying it very hard without decrypting the whole database, which introduces unnecessary risk.
By keeping some information (names, ID numbers) unencrypted, a typical user can search common info without having access to privileged information. SSNs and other sensitive info can remain encrypted.
What type of encryption do HTTPS and VPNs provide?
Transport/communication encryption
A type of encryption that protects data traversing through a network
Transport/communication encryption
True/False
The people on both sides of the encryption need to agree on which type of encryption to use based on speed, security level, and complexity of implementation. They need to use compatible encryption methods.
True
True/False
Smaller keys provide stronger encryption
False; the opposite is true
A method of making a weak/small key stronger by performing the encryption algorithm multiple times on a single piece of data
Key stretching
The method of sharing an encryption key across an insecure medium without physically transferring the key
Key exchange
A key exchange method in which you send the symmetric key over a medium other than the internet/network (telephone, courier, in-person, etc.)
Out-of-band key exchange
A key exchange method in which you send the symmetric key over the network, protected with additional asymmetric encryption
This is common for keys that are used for only a short period of time (ex. session keys)
In-band key exchange
True/False
Session keys are ephemeral keys, which means they need to be changed often
Session keys also need to be unpredictable
True
An algorithm that combines public and private keys in order to generate the same symmetric key on both sides of the communication, without actually sending the key.
For example, Bob’s laptop combines Bob’s private key and Alice’s public key to make a symmetric key.
Alice’s laptop combines Alice’s private key and Bob’s public key to make a symmetric key.
Because the two key pairs are mathematically related, the same symmetric key is generated on both sides.
Key exchange algorithm
AKA public and private key cryptography
A standardized piece of hardware specifically designed to provide cryptographic functions for the device it is installed on
It is a cryptographic processor. It can generate random numbers or keys.
It also has persistent memory, meaning there are unique keys that are burned in during manufacturing that can help with full disk encryption.
TPM (Trusted Platform Module)
2 types of memory possessed by the TPM
Persistent memory
There are unique keys burned into it during manufacturing that can be used for full disk encryption
Versatile memory
It can store different sets of keys and hardware configuration information
It can securely store BitLocker keys
True/False
The TPM’s password can be thwarted by dictionary and brute force attacks
False
There is no way to use these methods to thwart the password protection on a TPM
A piece of hardware that provides cryptographic functions (similar to the TPM) for large environments (ex. datacenters)
This hardware is able to store thousands of cryptographic keys
They are typically clustered and use redundant power for availability
HSM (Hardware Security Module)
HSM stands for
Hardware Security Module
TPM stands for
Trusted Platform Module
True/False
HSMs typically have plug-in cards or separate hardware devices specifically designed for very fast cryptographic functions, in order to perform these functions directly on the machine
True
What system is used to centralize the management of cryptographic keys from one single management console?
This system allows you to:
Associate keys with specific users
Regularly rotate the keys
Log key use and important events
It also keeps the keys separate from the data that you are trying to protect
Key management system
A security processor built into devices that is dedicated to maintaining privacy by separating sensitive data from other processes.
It is isolated from the main processor
Secure enclave
Secure enclave features (5)
Has its own boot ROM
True RNG
Real-time memory encryption
Root cryptographic keys
Performs AES encryption in hardware
And more…
The process of making something difficult (but not impossible) to understand
Hiding something in plain sight
Obfuscation
Hiding information within an image
Steganography
Steganography is a type of security through ____.
Obscurity
Steganography is Greek for
“concealed writing”
In steganography, what is the document/file that contains the data you are hiding?
Covertext
5 types of steganography
Network-based
Embed msgs in TCP packets
Image-based
Embed the msg in the image
Invisible watermarks
Yellow dots on printers
Audio
Interlacing a secret msg w/in the audio
Video
Larger scale of image steganography
Manage signal-to-noise ratio
Can transfer A LOT of info
Which type of steganography has the potential to convey the most information?
Video
A type of obfuscation where sensitive data is replaced by a non-sensitive placeholder
When the token is sent, the client on the other side makes the connection to the actual sensitive data
If the data is captured via MITM, that token is useless
ex. SSN 266-12-1112 is now 691-61-8539
Tokenization
Which type of obfuscation is commonly used when paying with an iPhone or smart watch at a grocery store?
Tokenization
Specifically a one-time-use token
True/False
Tokenization is mathematically related to the data it is protecting
False
Unlike encryption or hashing, the token has no relation to the actual data. That way, it is very safe.
A type of obfuscation where you hide parts of the original data
Commonly, this type is used to only visually hide the data; it may be intact in storage
Data masking
4 types of data masking techniques
Substituting
Shuffling
Encrypting
Masking out
A representation of data as a short string of text
Hash
AKA message digest, fingerprint
True/False
Hashing is the same thing as encryption
False
It is possible to recover the original data from encryption if given the key
It is impossible to recover the original data from a hash
This occurs when two different data inputs create the same hash
Collision
Which hashing algorithm has a problem with collisions?
MD5 - don’t use it for anything important
This problem was discovered in 1996
Random data added to a password when hashing
Salt
Which type of attack does salting thwart?
Rainbow tables
True/False
When implementing salting, the same salt gets used for each employee
False
Each user gets their own unique salt
What 3 things are hashes used for in the form of a digital signature?
Integrity
Authentication
Non-repudiation
True/False
Using a digital signature is the opposite of using asymmetric encryption
True
When using asymmetric encryption, the data is encrypted with the public key and decrypted with the private key
When using a digital signature, the data is encrypted with the private key and decrypted with the public key
That way, you know that no one else could have signed it, and anyone is able to verify the sender
The blockchain is commonly known as
A distributed ledger
An open public ledger
4 practical applications for the blockchain
Payment processing
Digital identification
Supply chain monitoring
Digital voting
And more…
What are added to blocks in the blockchain in order to ensure integrity?
Hashes
What 3 things is a public key certificate made up of?
Public key
Digital signature
Other details about the key holder
How do you build trust from something unknown?
Someone/something trustworthy provides their approval
An inherently trusted component is known as…
(this can be an HSM, TPM, secure enclave, CA, etc.)
Root of trust
A trusted entity that digitally signs the certificates on websites. This entity is responsible for vetting requests, verifying the certificate owner, and may collect other information.
A signature from this entity allows your browser to trust the website.
CA
A CA that is owned by you/your own organization
Private CA
A certificate that can be used for any device that shares the FQDN listed in the SAN attribute
The certificate can support many different domains
Wildcard certificate
SAN stands for (in terms of certificates)
Subject Alternative Name
What is the SAN attribute when creating a certificate?
Allows the certificate to support many different domains (a wildcard certificate)
CRL stands for
Certificate Revocation List
A list of revoked digital certificates, managed by a CA
CRL (Certificate Revocation List)
A protocol that allows web browsers to verify the status of digital certificates in real time
The validity of the certificate is then “stapled” into the SSL/TLS handshake at the beginning of the connection
OCSP (Online Certificate Status Protocol)
The method of embedding the status of a digital certificate during the SSL/TLS handshake when connecting to a website
OCSP stapling
What 2 things does a website owner need to send to generate a CSR?
Applicant’s public key
Applicant identifying information
CSR stands for
Certificate signing request
A request given to a CA to sign a certificate
CSR (Certificate Signing Request)
What kind of key exchange is used for keys that are only used for a short period of time? (Ex. Session keys)
In-band key exchange