2.8 Encryption Flashcards
Cryptography concepts: what is cryptography for ?
To provide :
- confidentiality,
- integrity (with tamper-proof),
- non-repudiation
- authentication and access control (we know it’s really you)
Cryptography concepts: what is plaintext?
An unencrypted message (in clear)
Cryptography concepts: what is ciphertext?
An encrypted message
Cryptography concepts: what is cipher?
The algorithm used to encrypt and/or decrypt
Cryptography concepts: what is cryptanalysis?
The art of cracking encryption. Researchers are constantly trying to find weaknesses in ciphers
Cryptography concepts: what is keys?
Cryptographic key is informations that is added to the cypher to encrypt the plaintext. Larger keys are generally more secure.
Some encryption methods use one key and some use multiple key to add another layer of security
Cryptography concepts: how to strenghten a key?
- Use encryption methods that use the larger possible keys
- If you cannot use the 1st option, make a weak encryption key stronger by performing multiple processes: hash a password, hash the hash of the password etc
Cryptography concepts: what are the consequences of strenghten a key?
Brute force attacks would requiring reversing each of the hashes so the attacker has to spend much more time (even though the key is small)
Cryptography concepts: what is key stretching libraries?
Key stretching libraries are libraries that already exist for streching keys.
For ex bcrypt
Cryptography concepts: what is bcrypt and how it works ?
It is a key streching library.
Bcrypt generates hashes from passwords, and is an extension to the UNIX crypt library. Bcrypt uses blowfish cypher to perform multiple rounds of hashing
Cryptography concepts: what is PBKDF2 and how it works ?
Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching library and can be use to make application much secure. It is part of RSA public key cryptography
Cryptography concepts: what is lightweight cryptography?
An encryption method that features a small footprint and/or low computational complexity (use less CPU).
Usually used for IoT devices and was created by NIST
Cryptography concepts: what is homomorphic encryption (HE)?
It is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
Cryptography concepts: what are the advantage of homomorphic encryption (HE)?
- Secyrely store data in the cloud
- Perform research on data without viewing the data
Symmetric & Asymetric cryptography: what is symmetric encryption?
Encryption where you use a single key to encrypt and decrypt the data.
Symmetric & Asymetric cryptography: what is the security issue w/ symmetric encryption?
If the key does become available for others to see, you will have to redo all of the encryption because everyone has copy of the key that can be used to decrypt this data
Symmetric & Asymetric cryptography: what is one of the challenge w/ symmetric encryption?
It doesn’t scale very well: It can be difficult to distribute the key across the network without first encrypting it.
And since the key hasn’t been sent across the network, there is no way to have a known key on both sides that you can use for the encryption process.
Symmetric & Asymetric cryptography: what is asymetric encryption?
The key use to encrypt and decrypt the message are different
Symmetric & Asymetric cryptography: what is public key cryptography?
It is just another name for asymetric encryption because there are multiple keys (2 or more): a public key and a private key.
Symmetric & Asymetric cryptography: what is private key ?
It’s a key that only the user have access. It’s private key because nobody else know what that key is.
Symmetric & Asymetric cryptography: what is public key ?
Public key is mathematically related to the private key and this is the key that you give to everybody. If someone wants to send an encrypted message to you, he needs to have the public key
Symmetric & Asymetric cryptography: how public & private keys are related ?
The 2 keys are mathematically related:
- Once somebody encrypts data with a public key, the only way to decrypt that information is by using the corresponding private key (the key that only the user have access).
- You can also encrypt info with your private key and the only people able to decrypt it would be those w/ the public key. It is used in digital signature
Symmetric & Asymetric cryptography: how key pair (public & private) are generated?
Key generation are:
- Build both the public & private key at the same time using a key generation program
- The generation program use a large range of number and randomization
Symmetric & Asymetric cryptography: what is the process for encrypting and decrypting information in asymetric cryptography?
Bob want to send an encrypted message to Alice. To encrypt the message he needs Alice’s public key to created the ciphertext. Once Alice the ciphertext message, she decrypt it using her private key and can see the message send by Bob.
Symmetric & Asymetric cryptography: how to fix the scale problem of symmetric key ?
By using asymmetric encryption to create a symmetric key on both sides without having to send that symmetric key across the network.
Identical symmetric keys are generated on both Bob and Alice side using:
- For Bob: Bob private key + Alice public key = symmetric key
- For Alice: Alice private key + Bob public key = symmetric key
So those 2 symmetrics key are the same but have never been send across the network. This process is used for Diffie-Hellman key exchange
Symmetric & Asymetric cryptography: how asymmetric encryption work from a system pov ?
Asymmetric encryption need large integers of very large prime factors nb and that calculation requires CPU overhead and resources on the machine to be able to encrypt and decrypt the information.
Symmetric & Asymetric cryptography: what Elliptic Curve Cryptography (ECC) ?
ECC uses curves (des courbes) instead of very large number (consumming CPU etc) to be able to create the asymetric keys that is use for public & private key encryption & decryption.
ECC can use smaller key to maintain the same security as non-ECC algorithms and require smaller amount of storage & data that would need to be transmitted across the network.
This allow to have access to the powerful features available with asymmetric encryption, while using mobile devices and IoT devices.
Hashing & Digital Signatures: what is hashes and what is it used for?
- It represent data as short string of text (refer to message digest or a fingerprint)
- One way trip: impossible to recover the original message from the digest so perfect solution for password storage
- Use to verify integrity
- Can be a digital signature that provide authentication, non repudiation and integrity
- Each hash should be unique
Hashing & Digital Signatures: give the most common hash example?
- SHA256: 256 bits which is 64 hexadecimal characters
- MD5
Hashing & Digital Signatures: what is collision?
When hashes algorithms create the same hash for different types of inputs. This occurs with MD5 so don’t use it
Hashing & Digital Signatures: are password stored ?
Yes, they are stored as salted hash. The hash is compared during the authentication process.
Hashing & Digital Signatures: what “adding some salt” means ?
“Salt” are random data added to a password when hashing.
Each user gets their own random salt and the salt is commonly stored with the password. Hence rainbow tables won’t work with salted hashes but if an attacker find the salt he can bruteforce the process.
Hashing & Digital Signatures: what is digital signatures ?
- It allow a user to send information to another party and have that person confirm that what they received is exactly the information that the user originally sent (integrity)
- It prove the source of the message (authentication)
- Also verufy that the signature is not fake (non-repudiation)
- Digital signatures is made with the private key from the original user and verify with the public key
Hashing & Digital Signatures: how to create a digital signatures ?
1/ Alice wants to send a message to Bob but she wants to make sure that Bob is able to verify that this message is legitimate and that it really came from Alice. Alice is going to hash the message. Then Alice will encrypt that hash using her private key wich will create the digital signature. The DS is then attached to the plaintext message.
2/ Once Bob receive the message, he’ll use Alice public key to decrypt the digital signature that she sent (which is en encrypted version of the hash). Then he will use the same hashing function as Alice on the plaintext message and then compre those hashes to ensure they the same. If the hashes match, the message is legitimate.
Cryptographic keys: what is cryptoraphic keys for?
Cryptographic keys make encryption and decryption possible.
Cryptographic keys: is it better if the key is smaller or larger ?
- Larger keys tend to be more secure (prevent bruteforce attack)
Cryptographic keys: what are the min key lenght for symmetric & asymmetric encryption?
- Symmetric encryption: 128 bit or larger
- Asymmetric encryption: larger than symmetric keys and use a complex calculation of prime nb, common to see key lenghts of 3072 bits or larger
Cryptographic keys: how key exchange can be done securely ?
Using an in-band key exchange which protect the key with additonal encryption: use asymmetric encryption to deliver a symmetric key
Cryptographic keys: what is a key session?
An ephemeral key that is used in only 1 session
Cryptographic keys: what is Diffie-Hellman key exchange?
It use public and private key cryptography to create an identical symmetric key on both side.
Cryptographic keys: what is the traditional web server encryption ?
SSL/TLS uses encryption keys to protect web server (that has a public & private key) communication.
Cryptographic keys: how to hack web server encryption ?
If you find the server’s private key, you can decrypt all of the data.
Cryptographic keys: why SSL/TLS is not enough for web server encryption ?
Because it is single point for all of the encryption so there needs to be other way to provide encryption to the server to prevent someone to decrypt it.
Cryptographic keys: how to prevent SSL/TLS lack of security for web server encryption ?
We can use a Perfect Forward Secrecy (PFS) which change the encryption process so the same private key is not used every time to be able to transfer the symmetric key across the network.
The key is changed at each session using ECDHE hence requiring more computing power. The browser should also support PFS
Cryptographic keys: what is Elliptic curve or Diffie-Hellman ephemeral (ECDHE) ?
Same as PFS: a way to prevent the lack of security for SSL/TLS encryption by changing the private key for each session (1 key = 1 session).
Steganography: what is steganography?
Type of obfuscation which hide data into an image, video or audio file.
Steganography: what are the different way to hide information using steganography?
- Network base: embed messages in TCP packets
- Use an image
- Invisible watermark
Quantum computing: what is quantum computing?
Computing based on quantum physics rqther than being based on classical physics that uses bits (1 and 0).
In Quantum computing they use qubits instead of bits
Quantum computing: what is qubits ?
Qubits (quantum bits) are smaller form or information meaning it can store more information than binary system due to its bits.
Qubits are 0, 1 and any combinaison between 0 & 1 simutanously makint the piece of info smaller
Quantum computing: what is the advantage of quantum computing?
- Search quickly through large DB in a short period of time
- Help in simulation: weather prediction, medical advances, astrophysics
Quantum computing: is quantum computing be an issue to cryptography and why?
Yes, it breaks our existing encryption mechanisms because today’s encryption use very large prime nb to be able to create the complexity required to keep all of our data encrypted. But quantum computer are able to perform these very large calculation in a very short period of time. So it make our encryption useless because quantum computers would be able to brute force all the encrypted data quickly
Quantum computing: what is NTRU?
A new way of performing encryption with quantum computing that use closet vector problem instead of very large prime nb
Stream & block ciphers: what is a stream cipher ?
It is used in symmetric encryption and is an encryption technique that works byte by byte to transform plain text into code that’s unreadable to anyone without the proper key.
Stream & block ciphers: what is the advantage of stream cipher ?
High speed, low hardware compexity
Stream & block ciphers: what is a block cipher ?
It is used in symmetric encryption and take a block of bytes and encrypt that entire block (often 64-bit or 128-bit blocks) . There are different block cipher operation
Stream & block ciphers:
what are the different block cipher operation?
- ECB: each block is encrypted with the same encryption key
- CBC: different set of input and output is perfmor to the data to add some randomization (XORed)
- CTR: encrypt succesive values of a “counter”
- GCM: encyrption with authentication, commonly used in packetized data (network security, SSH, TLS)
Blockchain: what is a blockchain?
A distributed ledger distributed across multiple devices and a way to keep track of transactions
Blockchain: what is the blockchain process?
1/ A transaction is requested (transferring bitcoins, medical records, data backup)
2/ The transaction is sent to every computer (or node) in a decentralized network to be verified
3/ Once the transaction is verified, it is added to a new block of data containing other recently verified transactions
4/ The hash is added to the new block of verified transactions
5/ Once the hash is completed, the block is added to the end of the blockchain which then pdated to all nodes in the network for security maintening the distributed ledger
Blockchain: what is the constrainst with maintaining a distributed ledger in blockchain process ?
If any blocks are altered, its hash and all following hashes in the chain are automatically recalculated.
The altered chain will not longer match the chains stored by the rest of the network and will be rejected.
Cryptography limitations: what is the consequences of bad cryptography implementation?
- Bad implementation (platform, cryptographic options etc) can lead to security issues. Ex: use hashing to store password without a salt
Cryptography limitations: what are the cryptography limitations?
- Speed
- Size
- Weak keys
- Time
- Longevity
- Key reuse
- Resources vs security constrainst
Cryptography limitations: what is key reuse?
Reusing the same key reduces the complexity (less cost, administrative overhead and effort to recertify). However if the key is compromised everything using that key is at risk
Cryptography limitations: what is resources vs security constrainst?
Some devices (like IoT) have limited CPU, memory and power which is a security constrainst because it’s difficult to maintain and update security components.
Cryptography limitations: what is speed limitation ?
cryptography needs CPU, CPU needs power
Cryptography limitations: what is size limitation ?
block cipher encrypt 16 bytes/128 bits, if we decide to encrypt 8 bytes it will double the storage size
Cryptography limitations: what is weak key limitation ?
large key are more difficult to bruteforce
Cryptography limitations: what is time limitation ?
encryption take time, asymmetric is slower than symmetric
Cryptography limitations: what is longevity limitation ?
some cryptographic technology can becomes less secure
