20 - Cryptography Flashcards
What is cryptography?
The conversion of data into a scrambled code that is encrypted and sent across a private or public network. Used to protect important data.
What are the types of cryptography?
- Symmetric: Uses the same key for encryption as it does for decryption
- Asymmetric: Uses different key for encryption and decryption.
What is Government Access to Keys (GAK)?
Where the software companies provide copies of all keys to the government so that they can hold onto them in a secure manner. LE agencies will use to monitor suspicious communication.
What is MD5?
Takes a message of arbitrary length as the input and then outputs a 128-bit fingerprint or message or message digest of the input. Not collision resistant. Use of latest algos such as SHA-2 and SHA-3 is recommended. Deployed for digital signatures, file integrity checking and storing passwords.
What is SHA (Secure Hashing Algorithm)?
An algorithm to generate cryptographically secure one-way hash, published by NIST. Produces a 160-bit digest from a message with a maximum length of (264-1) bits, and it resembles the MD5 algorithm. There are currently 3 generations:
- SHA-0: No longer used.
- SHA-1: Produces 160 bit digest from a message with a maximum length of (264-1) bits and resembles the MD5 algorithm.
- SHA-2: Family of 2 similar hash functions with different block sizes: SHA-256 (32 bits) and SHA-512 (64 bits)
- SHA-3: Uses Sponge Construction in which message blocks are XORed into the bits of the state which is then invertibly permuted.
What is RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest)?
A 160 bit hash algo in which the compression function consists of 80 stages made up of 5 blocks that execute 16 times each. Process repeats twice by combining the results at the bottom using modulo 32 addition.
What is HMAC (Hash-based Message Authentication Code)?
Type of message authentication code that makes use of cryptographic key with a combination of a cryptographic hash function. Includes embedded hash function such as SHA-1 or MD5. Includes 2 stages for computing the hash:
- Inputs inner key and message to produce an internal hash
- Inputs the output from the first stage and outer key and produces the final HMAC code.
What is PKI?
A set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital signatures.
What are the components of PKI?
- Certificate Management System: Generates, distributes, stores, and verifies certs
- Digital Signatures: establishes creds of a person for online transactions
- Validation Authority (VA): Stores certs with their public keys
- Certificate Authority (CA): Trusted entities that issue and verify digital certs
- End User: Requests, manages, and uses certs
- Registration Authority (RA): Acts as the verifier for the CA
What are ciphers?
Algorithms used to encrypt or decrypt the data. Encipherment is the process of converting plain text into a cipher or code (reverse process is called decipherment).
What are different types of ciphers?
-
Classical: The most basic type which operate on alphabets.
- Substitution: User replaces units of plaintext with ciphertext.
- Transposition: Rearranging letters in the plain text according to a system.
-
Modern: Provides message secrecy, integrity, and authentication of the sender.Based on type of key used:
- Symmetric
- Asymmetric
-
Based on the type of input data:
- Block ciphers: Algorithm operating on block (group of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers.
- Stream Ciphers: Symmetric key ciphers are plaintext digits combined with a key stream (pseudorandom cipher digit stream). The user applies the key to each bit, one at a time.
What is the Data Encryption Standard (DES)?
Designed to encipher and decipher blocks of data consisting of 64 bits under control of a 56-bit key. Due to inherent weakness of DES some organizations repeat the process 3 times for added strength (3DES).
What is Advanced Encryption Standard (AES)?
A symmetric-key algorithm that secures sensitive but unclassified material by US gov agencies. AES is an iterated block cipher which works by repeating the same operation multiple times.
What are the RC4, RC5, and RC6 algorithms?
- RC4: A variable key size symmetric stream cipher with byte-oriented operations and is based on the use of a random permutation
- RC5: Parameterized algorithm with a variable block size, variable key size, and a variable number of rounds. 128 bit key
-
RC6: Symmetric key block cipher derived from RC5 with two additional features:
- Uses integer multiplication
- Uses four 4-bit working registers
What is Twofish?
Uses a block size of 128 bits and key sizes up to 256 bits. It is a Feistal cipher that uses a single key for both encrypt and decrypt.
What is DSA (Digital Signature Algorithm)?
Helps in the generation and verification of digital signatures for sensitive and unclassified apps. A digital signature is a mathematical scheme used for the authentication of digital messages. Computation of the digital signature uses a set of rules (i.e., the DSA) and a set of parameters, in that the user can verify the identity of the signatory and integrity of the data. Uses public/private keys.
What is RSA (Rivet Shamir Adleman)?
An internet and authentication system that is one of the de-facto encryption standards. It uses modular arithmetic and elementary number theories to perform computations using two large prime numbers. Based on the assumption that factoring is difficult to carry out, making it safe.
What is Diffie-Hellman?
A cryptographic protocol that allows 2 parties to establish a shared key over an insecure channel.
What is Message Digest (One-Way Hash) Functions?
Hash functions calculate a unique fixed-size bit string representation called a message digest of any arbitrary block of info. If any given bit of the function’s input is changed, then every output bit has a 50% chance of changing. It is computationally infeasible to have two files with the same message digest value.
What is a Digital Signature?
Uses asymmetric cryptography to simulate the security properties of a signature in digital, rather than written form. May be further protected by encrypting the signed email for confidentiality.
What is SSL?
An app layer protocol developed by Netscape for managing the security of a message transmission on the Internet. Uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections. Offers Channelsecurity with 3 basic properties:
- Private Channel: All the messages are encrypted after a simple handshake is used to define a secret key.
- Authenticated Channel: The server endpoint of the conversation is always encrypted, whereas the client endpoint is optionally authenticated.
- Reliable Channel: Message transfer has an integrity check.
What is Transport Layer Security (TLS)?
A protocol to establish a secure connection between a client and a server and ensure privacy and integrity of info during transmission. Uses RSA also with 1024 and 2048 bit strengths. Consists of 2 layers:
- TLS Handshake Protocol: It allows the client and server to authenticate each other, select encryption algo, and exchange symmetric key prior to data exchange.
- TLS Record Protocol: It provides secured connections with an encryption method such as DES.
What is Pretty Good Privacy (PGP)?
A protocol used to encrypt and decrypt data that provides authentication and cryptographic privacy. PGP uses RSA for computing digital signatures and MD5 for computing message digests. PGP combines the best features of both conventional and public-key cryptography and is known as hybrid cryptosystem. Compresses data –> creates random key –> uses random key to encrypt compressed message –> random key is encrypted with recipient’s public key –> message and encrypted key are sent to receiver.
What is Disk Encryption?
A technology which protects the confidentiality of the data stored on disk by converting it into an unreadable code using encryption software or hardware, preventing unauthorized users from accessing it.
What is a rainbow table attack?
Where an attacker uses a precomputed table which contain word lists along with their hash values to attempt to reverse cryptographic hash functions.
What are some countermeasures for cryptography attacks?
- Give crypto keys to application or user directly.
- Deploy IDS
- Passphrases or passwords must be used to encrypt keys if stored on disk
- Keys should not be present in the source code or binaries
- For certificate signing, transfer of private keys should not be allowed
- Use 168 or 256 bit key sizes for symmetric and hash algorithms.
- Use 1536 and 2048 bit key sizes for asymmetric algorithms.
- Put a limit on number of operations per key
- Output of hash function should have larger bit length which makes it hard to decrypt.
What is Threefish?
A large tweakable symmetric-key block cipher in which the block and key sizes are equal (256, 512, 1024 –> 72,72,80 rounds of computations)
What are Serpent and TEA ciphers?
- Serpent: Uses a 128-bit symmetric block with 128, 192, or 256 bit key sizes. Involves 32 operating rounds on four 32-bit word blocks using 8 variable S-boxes with 4-bit entry and 4-bit exit.
- TEA (Tiny Encryption Algorithm): A Feistel cipher that uses 64 rounds. Uses 128 bit key on 64-bit blocks. Uses a constant that defined as 232/the golden ratio.
What is CAST-128?
A symmetric-key block cipher. Has a 12 or 16 round Feistel network with 64 bit block size. Uses key size varying 40 to 128 bits in 8 bit increments. Used as a default cipher in GPG and PGP.
What is GOST Block Cipher and Camelia?
- GOST Block Cipher: called Magma, a symmetric key block cipher. A 32 round Feistel network working on 64-bit blocks with 256 bit key length. Consists of an S-box that be kept secret and it contains approx 354 bits of secret info.
- Camellia: A symmetric key block cipher with either 18 rounds (128 bit keys) or 24 rounds (256 bit keys). Feistel cipher working with 128 bit blocks and has key sizes of 128, 192, and 256 bits
What is YAK?
A public key based authenticated key exchange protocol. A variant of two pass HMQV protocol using ZKP for proving knowledge of secrets.
What is Elliptic Curve, Quantum, and Homomorphic Encryption cryptography?
- Elliptic Curve: A modern public key cryptography developed to avoid larger cryptographic key usage. Depends on number theory and mathematical elliptic curves.
- Quantum: Based on quantum mechanics such as quantum key distribution (QKD)
- Homomorphic Encryption: Allows users to secure and leave their data in an encrypted format even while it is being processed or manipulated. Encryption and decryption are done by the same key holder.
What is GNU Privacy Guard (GPG)?
A software replacement of PGP and free implementation of the OpenPGP standard. Also called hybrid encryption software as it uses both symmetric key cryptography and asymmetric key cryptography.
What is Web of Trust (WOT)?
A trust model of PGP, OpenPGP, and GnuPG systems. A chain of a network in which individuals intermediately validate each other’s certificates using their signatures.
what is the Related Key attack?
Exploits the mathematical relationship between keys in a cipher to gain access over encryption and decryption functions. Goal of the attacker is to find the related private/secret keys.
what is the Padding Oracle attack?
(Vaudenay attack) where attackers exploit the padding validation of an encrypted message to decipher the ciphertext. Block ciphers are generally padded with additional random bits to make the length of the last block of the required size.
What is the DROWN attack?
A cross protocol weakness that can communicate and initiate an attack on servers that support recent SSLv3/TLS protocol suites. Affects HTTPS and SSL and TLS
What is Key Stretching?
Refers to the process of strengthening a key that might be slightly too weak, usually by making it longer.
- PBKDF2: Applies some function to the password/passphrase along with Salt to produce a derived key
- BCRYPT: Uses a derivation of the Blowfish algorithm.
