1.4

Question 1

PKI stands for

Answer 1

Public Key Infrastructure

Question 2

Policies, procedures, hardware, software, and people that are responsible for creating, distributing, managing, storing, and revoking digital certificates

Also used to describe the binding of public keys to people or devices

Answer 2

PKI (Public Key Infrastructure)

Question 3

A type of encryption that uses a single, shared key to encrypt and decrypt data

Answer 3

Symmetric encryption

AKA secret key, shared secret

Question 4

A type of encryption that does not scale very well and is challenging to distribute

Answer 4

Symmetric encryption

AKA secret key, shared secret

Question 5

A type of encryption that is very fast and has little overhead

Answer 5

Symmetric encryption

AKA secret key, shared secret

Question 6

A type of encryption that uses two mathematically-related keys to encrypt and decrypt data

One key is public and one key is private; the private is used to decrypt data encrypted with the public key

The private key cannot be derived from the public key

Answer 6

Asymmetric encryption

Question 7

True/False

In asymmetric encryption, the public and private keys are created separately at different times

Answer 7

False. They are created simultaneously and are mathematically related.

Question 8

A third party that holds and manages decryption keys. This may be within your own organization.

ex. If there are large amounts of keys

ex. Necessary if the employee using that key is no longer part of the company, but the organization needs access to past messages

Answer 8

Key escrow

Question 9

A type of encryption that is slow to use and involves implementing complex mathematics with very large prime numbers (lots of overhead)

Answer 9

Asymmetric encryption

Question 10

A type of encryption that protects all of the data in an entire storage device

Answer 10

Full-disk encryption

Question 11

A type of encryption that protects all of the data in a partition

Answer 11

Partition-level encryption

Question 12

A type of encryption that protects a single file

Answer 12

File encryption

Question 13

Which types of encryption do BitLocker and FileVault provide? (2 types)

Answer 13

Full-disk and volume-level encryption

Question 14

Which type of encryption does EFS provide?

Answer 14

File encryption

Question 15

A type of encryption that protects a volume

Answer 15

Volume-level encryption

Question 16

Difference between a volume and a partition?

Answer 16

A partition is a logical division of a disk.

A volume is a logical assembly of two or more partitions used as a mass storage container.

As a filing cabinet, the filing cabinet itself is the disk drive. The drawers represent partitions. A volume is like labeling the top two drawers for “C” and the bottom two drawers “D”. C drawers are alphabetized, and D drawers are organized by date.

Question 17

A type of encryption that protects all the data stored in a database

Answer 17

Database-level encryption

Question 18

A type of encryption that encrypts all of the data stored in the database with a symmetric key

Answer 18

Transparent encryption

Question 19

A type of encryption that protects individual columns within a database.

It uses separate symmetric keys for each column.

Answer 19

Record-level encryption

Question 20

Why is record-level encryption useful? Why not just encrypt the entire database?

Answer 20

It makes querying the database very hard to do without unencrypting the entire database. This provides unnecessary risk.

By keeping some information (names, ID numbers) unencrypted, a typical user can search common info without having access to privileged information. SSNs and other sensitive info can remain encrypted.

Question 21

What type of encryption does HTTPS and VPNs provide?

Answer 21

Transport/communication encryption

Question 22

A type of encryption that protects data traversing through a network

Answer 22

Transport/communication encryption

Question 23

True/False

The people on both sides of the encryption need to agree on which type of encryption to use based on speed, security level, and complexity of implementation. They need to use compatible encryption methods.

Answer 23

True

Question 24

True/False

Smaller keys provide stronger encryption

Answer 24

False; the opposite is true

Question 25

A method of making a weak/small key stronger by performing the encryption algorithm multiple times on the single piece of data

Answer 25

Key stretching

Question 26

The method of sharing an encryption key across an insecure medium without physically transferring the key

Answer 26

Key exchange

Question 27

A key exchange method in which you send the symmetric key over a medium other than the internet/network (telephone, courier, in-person, etc.)

Answer 27

Out-of-band key exchange

Question 28

A key exchange method in which you send the symmetric key over the network, protected with additional asymmetric encryption

This is common for keys that are used for only a short period of time ex. Session keys

Answer 28

In-band key exchange

Question 29

True/False

Session keys are ephemeral keys, which means they need to be changed often

Session keys also need to be unpredictable

Answer 29

True

Question 30

An algorithm that combines public and private keys in order to generate the same symmetric key on both sides of the communication, without actually sending the key.

For example, Bob’s laptop combines Bob’s private key and Alice’s public key to make a symmetric key.

Alice’s laptop combines Alice’s private key and Bob’s public key to make a symmetric key.

Because they are both mathematically related, the same symmetric key is generated.

Answer 30

Key exchange algorithm

AKA public and private key cryptography

Question 31

A standardized piece of hardware specifically designed to provide cryptographic functions for the device it is installed on

It is a cryptographic processor. It can generate random numbers or keys.

It also has persistent memory, meaning there are unique keys that are burned in during manufacturing that can help with full disk encryption.

Answer 31

TPM (Trusted Platform Module)

Question 32

2 types of memory possessed by the TPM

Answer 32

Persistent memory
There are unique keys burned into it during manufacturing that can be used for full disk encryption

Versatile memory
It can store different sets of keys and hardware configuration information
It can securely store BitLocker keys

Question 33

True/False

The TPM’s password can be thwarted by dictionary and brute force attacks

Answer 33

False

There is no way to use these methods to thwart the password protection on a TPM

Question 34

A piece of hardware that provides cryptographic functions (similar to the TPM) for large environments (ex. datacenters)

This hardware is able to store thousands of cryptographic keys

They are typically clustered and use redundant power for availability

Answer 34

HSM (Hardware Security Module)

Question 35

HSM stands for

Answer 35

Hardware Security Module

Question 36

TPM stands for

Answer 36

Trusted Platform Module

Question 37

True/False

HSMs typically have plug-in cards or separate hardware devices specifically designed for very fast cryptographic functions, in order to perform these functions directly on the machine

Answer 37

True

Question 38

What system is used to centralize the management of cryptographic keys from one single management console?

This system allows you to:
Associate keys with specific users
Regularly rotate the keys
Log key use and important events

It also keeps the keys separate from the data that you are trying to protect

Answer 38

Key management system

Question 39

A security processor built into devices that is dedicated to maintaining privacy by separating sensitive data from other processes.

It is isolated from the main processor

Answer 39

Secure enclave

Question 40

Secure enclave features (5)

Answer 40

Has its own boot ROM
True RNG
Real-time memory encryption
Root cryptographic keys
Performs AES encryption in hardware

And more…

Question 41

The process of making something difficult (but not impossible) to understand

Hiding something in plain sight

Answer 41

Obfuscation

Question 42

Hiding information within an image

Answer 42

Steganography

Question 43

Steganography is a type of security through ____.

Answer 43

Obscurity

Question 44

Steganography is Greek for

Answer 44

“concealed writing”

Question 45

In steganography, what is the document/file that contains the data you are hiding?

Answer 45

Covertext

Question 46

5 types of steganography

Answer 46

Network-based
Embed msgs in TCP packets

Image-based
Embed the msg in the image

Invisible watermarks
Yellow dots on printers

Audio
Interlacing a secret msg w/in the audio

Video
Larger scale of image steganography
Manage signal-to-noise ratio
Can transfer A LOT of info

Question 47

Which type of steganography has the potential to convey the most information?

Answer 47

Video

Question 48

A type of obfuscation where sensitive data is replaced by a non-sensitive placeholder

When the token is sent, the client on the other side makes the connection to the actual sensitive data

If the data is captured via MITM, that token is useless

ex. SSN 266-12-1112 is now 691-61-8539

Answer 48

Tokenization

Question 49

Which type of obfuscation is commonly used when paying with an iPhone or smart watch at a grocery store?

Answer 49

Tokenization

Specifically a one-time-use token

Question 50

True/False

Tokenization is mathematically related to the data it is protecting

Answer 50

False

Unlike encryption or hashing, the token has no relation to the actual data. That way, it is very safe.

Question 51

A type of obfuscation where you hide parts of the original data

Commonly, this type is used to only visually hide the data; it may be intact in storage

Answer 51

Data masking

Question 52

4 types of data masking techniques

Answer 52

Substituting
Shuffling
Encrypting
Masking out

Question 53

A representation of data as a short string of text

Answer 53

Hash

AKA message digest, fingerprint

Question 54

True/False

Hashing is the same thing as encryption

Answer 54

False

It is possible to recover the original data from encryption if given the key

It is impossible to recover the original data from a hash

Question 55

This occurs when two different data inputs create the same hash

Answer 55

Collision

Question 56

Which encryption algorithm has a problem with collision?

Answer 56

MD5 - don’t use it for anything important

This problem was discovered in 1996

Question 57

Random data added to a password when hashing

Answer 57

Salt

Question 58

Which type of attack does salting thwart?

Answer 58

Rainbow tables

Question 59

True/False

When implementing salting, the same salt gets used for each employee

Answer 59

False

Each user gets their own unique salt

Question 60

What 3 things are hashes used for in the form of a digital signature?

Answer 60

Integrity
Authentication
Non-repudiation

Question 61

True/False

Using a digital signature is the opposite of using asymmetric encryption

Answer 61

True

When using asymmetric encryption, the data is encrypted with the public key and decrypted with the private key

When using a digital signature, the data is encrypted with the private key and decrypted with the public key
That way, you know that no one else could have signed it, and anyone is able to verify the sender

Question 62

The block chain is commonly known as

Answer 62

A distributed ledger

An open public ledger

Question 63

4 practical applications for the block chain

Answer 63

Payment processing
Digital identification
Supply chain monitoring
Digital voting

And more…

Question 64

What are added to blocks in the block chain in order to ensure integrity?

Answer 64

Hashes

Question 65

What 3 things is a public key certificate made up of?

Answer 65

Public key
Digital signature
Other details about the key holder

Question 66

How do you build trust from something unknown?

Answer 66

Someone/something trustworthy provides their approval

Question 67

An inherently trusted component is known as…

(this can be an HSM, TPM, secure enclave, CA, etc.)

Answer 67

Root of trust

Question 68

A trusted entity that digitally signs the certificates on websites. This entity is responsible for vetting requests, verifying the certificate owner, and may collect other information.

A signature from this entity allows your browser to trust the website.

Answer 68

CA

Question 69

A CA that is owned by you/your own organization

Answer 69

Private CA

Question 70

A certificate that can be used for any device that shares the FQDN listed in the SAN attribute

The certificate can support many different domains

Answer 70

Wildcard certificate

Question 71

SAN stands for (in terms of certificates)

Answer 71

Subject Alternative Name

Question 72

What is the SAN attribute when creating a certificate?

Answer 72

Allows the certificate to support many different domains (a wildcard certificate)

Question 73

CRL stands for

Answer 73

Certificate Revocation List

Question 74

A list of revoked digital certificates, managed by a CA

Answer 74

CRL (Certificate Revocation List)

Question 75

A protocol that allows web browsers to verify the status of digital certificates in real time

The validity of the certificate is then “stapled” into the SSL/TLS handshake at the beginning of the connection

Answer 75

OCSP (Online Certificate Status Protocol)

Question 76

The method of embedding the status of a digital certificate during the SSL/TLS handshake when connecting to a website

Answer 76

OCSP stapling

Question 77

What 2 things does a website owner need to send to generate a CSR?

Answer 77

Applicant’s public key
Applicant identifying information

Question 78

CSR stands for

Answer 78

Certificate signing request

Question 79

A request given to a CA to sign a certificate

Answer 79

CSR (Certificate Signing Request)

Question 80

What kind of key exchange is used for keys that are only used for a short period of time? (Ex. Session keys)

Answer 80

In-band key exchange