20 - Cryptography

Question 1

What is cryptography?

Answer 1

The conversion of data into a scrambled code that is encrypted and sent across a private or public network. Used to protect important data.

Question 2

What are the types of cryptography?

Answer 2

• Symmetric: Uses the same key for encryption as it does for decryption
• Asymmetric: Uses different key for encryption and decryption.

Question 3

What is Government Access to Keys (GAK)?

Answer 3

Where the software companies provide copies of all keys to the government so that they can hold onto them in a secure manner. LE agencies will use to monitor suspicious communication.

Question 4

What is MD5?

Answer 4

Takes a message of arbitrary length as the input and then outputs a 128-bit fingerprint or message or message digest of the input. Not collision resistant. Use of latest algos such as SHA-2 and SHA-3 is recommended. Deployed for digital signatures, file integrity checking and storing passwords.

Question 5

What is SHA (Secure Hashing Algorithm)?

Answer 5

An algorithm to generate cryptographically secure one-way hash, published by NIST. Produces a 160-bit digest from a message with a maximum length of (264-1) bits, and it resembles the MD5 algorithm. There are currently 3 generations:

• SHA-0: No longer used.
• SHA-1: Produces 160 bit digest from a message with a maximum length of (264-1) bits and resembles the MD5 algorithm.
• SHA-2: Family of 2 similar hash functions with different block sizes: SHA-256 (32 bits) and SHA-512 (64 bits)
• SHA-3: Uses Sponge Construction in which message blocks are XORed into the bits of the state which is then invertibly permuted.

Question 6

What is RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest)?

Answer 6

A 160 bit hash algo in which the compression function consists of 80 stages made up of 5 blocks that execute 16 times each. Process repeats twice by combining the results at the bottom using modulo 32 addition.

Question 7

What is HMAC (Hash-based Message Authentication Code)?

Answer 7

Type of message authentication code that makes use of cryptographic key with a combination of a cryptographic hash function. Includes embedded hash function such as SHA-1 or MD5. Includes 2 stages for computing the hash:

• Inputs inner key and message to produce an internal hash
• Inputs the output from the first stage and outer key and produces the final HMAC code.

Question 8

What is PKI?

Answer 8

A set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital signatures.

Question 9

What are the components of PKI?

Answer 9

• Certificate Management System: Generates, distributes, stores, and verifies certs
• Digital Signatures: establishes creds of a person for online transactions
• Validation Authority (VA): Stores certs with their public keys
• Certificate Authority (CA): Trusted entities that issue and verify digital certs
• End User: Requests, manages, and uses certs
• Registration Authority (RA): Acts as the verifier for the CA

Question 10

What are ciphers?

Answer 10

Algorithms used to encrypt or decrypt the data. Encipherment is the process of converting plain text into a cipher or code (reverse process is called decipherment).

Question 11

What are different types of ciphers?

Answer 11

• Classical: The most basic type which operate on alphabets.
  
  • Substitution: User replaces units of plaintext with ciphertext.
  • Transposition: Rearranging letters in the plain text according to a system.
• Modern: Provides message secrecy, integrity, and authentication of the sender.Based on type of key used:
  
  • Symmetric
  • Asymmetric
• Based on the type of input data:
  
  • Block ciphers: Algorithm operating on block (group of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers.
  • Stream Ciphers: Symmetric key ciphers are plaintext digits combined with a key stream (pseudorandom cipher digit stream). The user applies the key to each bit, one at a time.

Question 12

What is the Data Encryption Standard (DES)?

Answer 12

Designed to encipher and decipher blocks of data consisting of 64 bits under control of a 56-bit key. Due to inherent weakness of DES some organizations repeat the process 3 times for added strength (3DES).

Question 13

What is Advanced Encryption Standard (AES)?

Answer 13

A symmetric-key algorithm that secures sensitive but unclassified material by US gov agencies. AES is an iterated block cipher which works by repeating the same operation multiple times.

Question 14

What are the RC4, RC5, and RC6 algorithms?

Answer 14

• RC4: A variable key size symmetric stream cipher with byte-oriented operations and is based on the use of a random permutation
• RC5: Parameterized algorithm with a variable block size, variable key size, and a variable number of rounds. 128 bit key
• RC6: Symmetric key block cipher derived from RC5 with two additional features:
  
  • Uses integer multiplication
  • Uses four 4-bit working registers

Question 15

What is Twofish?

Answer 15

Uses a block size of 128 bits and key sizes up to 256 bits. It is a Feistal cipher that uses a single key for both encrypt and decrypt.

Question 16

What is DSA (Digital Signature Algorithm)?

Answer 16

Helps in the generation and verification of digital signatures for sensitive and unclassified apps. A digital signature is a mathematical scheme used for the authentication of digital messages. Computation of the digital signature uses a set of rules (i.e., the DSA) and a set of parameters, in that the user can verify the identity of the signatory and integrity of the data. Uses public/private keys.

Question 17

What is RSA (Rivet Shamir Adleman)?

Answer 17

An internet and authentication system that is one of the de-facto encryption standards. It uses modular arithmetic and elementary number theories to perform computations using two large prime numbers. Based on the assumption that factoring is difficult to carry out, making it safe.

Question 18

What is Diffie-Hellman?

Answer 18

A cryptographic protocol that allows 2 parties to establish a shared key over an insecure channel.

Question 19

What is Message Digest (One-Way Hash) Functions?

Answer 19

Hash functions calculate a unique fixed-size bit string representation called a message digest of any arbitrary block of info. If any given bit of the function’s input is changed, then every output bit has a 50% chance of changing. It is computationally infeasible to have two files with the same message digest value.

Question 20

What is a Digital Signature?

Answer 20

Uses asymmetric cryptography to simulate the security properties of a signature in digital, rather than written form. May be further protected by encrypting the signed email for confidentiality.

Question 21

What is SSL?

Answer 21

An app layer protocol developed by Netscape for managing the security of a message transmission on the Internet. Uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections. Offers Channelsecurity with 3 basic properties:

• Private Channel: All the messages are encrypted after a simple handshake is used to define a secret key.
• Authenticated Channel: The server endpoint of the conversation is always encrypted, whereas the client endpoint is optionally authenticated.
• Reliable Channel: Message transfer has an integrity check.

Question 22

What is Transport Layer Security (TLS)?

Answer 22

A protocol to establish a secure connection between a client and a server and ensure privacy and integrity of info during transmission. Uses RSA also with 1024 and 2048 bit strengths. Consists of 2 layers:

• TLS Handshake Protocol: It allows the client and server to authenticate each other, select encryption algo, and exchange symmetric key prior to data exchange.
• TLS Record Protocol: It provides secured connections with an encryption method such as DES.

Question 23

What is Pretty Good Privacy (PGP)?

Answer 23

A protocol used to encrypt and decrypt data that provides authentication and cryptographic privacy. PGP uses RSA for computing digital signatures and MD5 for computing message digests. PGP combines the best features of both conventional and public-key cryptography and is known as hybrid cryptosystem. Compresses data –> creates random key –> uses random key to encrypt compressed message –> random key is encrypted with recipient’s public key –> message and encrypted key are sent to receiver.

Question 24

What is Disk Encryption?

Answer 24

A technology which protects the confidentiality of the data stored on disk by converting it into an unreadable code using encryption software or hardware, preventing unauthorized users from accessing it.

Question 25

What is a rainbow table attack?

Answer 25

Where an attacker uses a precomputed table which contain word lists along with their hash values to attempt to reverse cryptographic hash functions.

Question 26

What are some countermeasures for cryptography attacks?

Answer 26

• Give crypto keys to application or user directly.
• Deploy IDS
• Passphrases or passwords must be used to encrypt keys if stored on disk
• Keys should not be present in the source code or binaries
• For certificate signing, transfer of private keys should not be allowed
• Use 168 or 256 bit key sizes for symmetric and hash algorithms.
• Use 1536 and 2048 bit key sizes for asymmetric algorithms.
• Put a limit on number of operations per key
• Output of hash function should have larger bit length which makes it hard to decrypt.

Question 27

What is Threefish?

Answer 27

A large tweakable symmetric-key block cipher in which the block and key sizes are equal (256, 512, 1024 –> 72,72,80 rounds of computations)

Question 28

What are Serpent and TEA ciphers?

Answer 28

• Serpent: Uses a 128-bit symmetric block with 128, 192, or 256 bit key sizes. Involves 32 operating rounds on four 32-bit word blocks using 8 variable S-boxes with 4-bit entry and 4-bit exit.
• TEA (Tiny Encryption Algorithm): A Feistel cipher that uses 64 rounds. Uses 128 bit key on 64-bit blocks. Uses a constant that defined as 232/the golden ratio.

Question 29

What is CAST-128?

Answer 29

A symmetric-key block cipher. Has a 12 or 16 round Feistel network with 64 bit block size. Uses key size varying 40 to 128 bits in 8 bit increments. Used as a default cipher in GPG and PGP.

Question 30

What is GOST Block Cipher and Camelia?

Answer 30

• GOST Block Cipher: called Magma, a symmetric key block cipher. A 32 round Feistel network working on 64-bit blocks with 256 bit key length. Consists of an S-box that be kept secret and it contains approx 354 bits of secret info.
• Camellia: A symmetric key block cipher with either 18 rounds (128 bit keys) or 24 rounds (256 bit keys). Feistel cipher working with 128 bit blocks and has key sizes of 128, 192, and 256 bits

Question 31

What is YAK?

Answer 31

A public key based authenticated key exchange protocol. A variant of two pass HMQV protocol using ZKP for proving knowledge of secrets.

Question 32

What is Elliptic Curve, Quantum, and Homomorphic Encryption cryptography?

Answer 32

• Elliptic Curve: A modern public key cryptography developed to avoid larger cryptographic key usage. Depends on number theory and mathematical elliptic curves.
• Quantum: Based on quantum mechanics such as quantum key distribution (QKD)
• Homomorphic Encryption: Allows users to secure and leave their data in an encrypted format even while it is being processed or manipulated. Encryption and decryption are done by the same key holder.

Question 33

What is GNU Privacy Guard (GPG)?

Answer 33

A software replacement of PGP and free implementation of the OpenPGP standard. Also called hybrid encryption software as it uses both symmetric key cryptography and asymmetric key cryptography.

Question 34

What is Web of Trust (WOT)?

Answer 34

A trust model of PGP, OpenPGP, and GnuPG systems. A chain of a network in which individuals intermediately validate each other’s certificates using their signatures.

Question 35

what is the Related Key attack?

Answer 35

Exploits the mathematical relationship between keys in a cipher to gain access over encryption and decryption functions. Goal of the attacker is to find the related private/secret keys.

Question 36

what is the Padding Oracle attack?

Answer 36

(Vaudenay attack) where attackers exploit the padding validation of an encrypted message to decipher the ciphertext. Block ciphers are generally padded with additional random bits to make the length of the last block of the required size.

Question 37

What is the DROWN attack?

Answer 37

A cross protocol weakness that can communicate and initiate an attack on servers that support recent SSLv3/TLS protocol suites. Affects HTTPS and SSL and TLS

Question 38

What is Key Stretching?

Answer 38

Refers to the process of strengthening a key that might be slightly too weak, usually by making it longer.

• PBKDF2: Applies some function to the password/passphrase along with Salt to produce a derived key
• BCRYPT: Uses a derivation of the Blowfish algorithm.