3.0 Cryptographic Solutions

Question 1

The science and practice of altering data to make it unintelligible to unauthorized parties.

Answer 1

Cryptography

Question 2

Unencrypted data that is meant to be encrypted before it is transmitted, or the result of the decryption of encrypted data.

Answer 2

Plaintext

Question 3

Data that has been enciphered and cannot be read without the cipher key.

Answer 3

Ciphertext

Question 4

Operations that transform a plaintext into a ciphertext with cryptographic properties; also called a cipher.

Answer 4

Algorithm

Question 5

Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered. Encryption provides for a secure means of transmitting data and authenticating users. It is also used to store data securely. Encryption uses different types of cipher and one or more keys. The size of the key is one factor in determining the strength of the encryption product.

Answer 5

Encryption

Question 6

In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.

Answer 6

Key

Question 7

Two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

Answer 7

Symmetric encryption

Question 8

Size of a cryptographic key in bits. Longer keys generally offer better security, but key lengths for different ciphers are not directly comparable.

Answer 8

Key length

Question 9

Cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) alogrithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.

Answer 9

Asymmetric algorithm

Question 10

During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

Answer 10

Public key

Question 11

In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with whom the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

Answer 11

Private key

Question 11

A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.

Answer 11

Blockchain

Question 12

Distributed public record of transactions that underpins the integrity of blockchains.

Answer 12

Open public ledger

Question 13

The practice of concealing a file, message, image, or video within another file, message, image, or video.

Answer 13

Steganography

Question 14

A technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users.

Answer 14

Obfuscation

Question 15

A technique for obscuring the presence of a message, often by embedding information within a file or other entity.

Answer 15

Steganography

Question 16

A de-identification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

Answer 16

Data masking

Question 17

A de-identification method where a unique token is substituted for real data.

Answer 17

Tokenization

Question 18

In public key infrastructure (PKI), procedures and tools that centralizes generation and storage of cryptographic keys.

Answer 18

Key management system

Question 19

Specification for secure hardware-based storage of encryption keys, hashed passwords, and other user- and platform-identification information.

Answer 19

Trusted Platform Module (TPM)

Question 20

Methods exposed by a script or program that allow other scripts or programs to use it. For example, an _______ enables software developers to access functions of the TCP/IP network stack under a particular operating system.

Answer 20

Application programming interface (API)

Question 21

CPU extensions that protect data stored in system memory so that an untrusted process cannot read it.

Answer 21

Secure enclave

Question 22

A function that converts an arbitrary-length string input to a fixed-length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.

Answer 22

Hashing algorithm

Question 23

A single hash function, symmetric cipher, or asymmetric cipher.

Answer 23

Cryptographic primitive

Question 24

A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.

Answer 24

Digital signature

Question 25

A security countermeasure that mitigates the impact of precomputed hash table attacks by adding a random value to each plaintext input.

Answer 25

Salt

Question 26

A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks.

Answer 26

Key stretching

Question 27

A cryptographic hashing algorithm created to address possible weaknesses in multi-domain authentication (MDA).

Answer 27

Secure Hash Algorithm (SHA)

Question 28

A cryptographic hash function producing a 128-bit output.

Answer 28

Message-Digest Algorithm 5 (MD5)

Question 29

Information that is primarily stored on specific media, rather than moving from one medium to another.

Answer 29

Data at rest

Question 30

Information that is being transmitted between two hosts, such as over a private network or the internet.

Answer 30

Data in transit (or data in motion)

Question 31

Information that is present in the volatile memory of a host, such as system memory or cache.

Answer 31

Data in use (or data in processing)

Question 32

Encryption scheme applied to data-in-motion, such as WPA, IPsec, or TLS.

Answer 32

Transport/communication encryption

Question 33

Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

Answer 33

Key exchange

Question 34

A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.

Answer 34

Hash-based Message Authentication Code (HMAC)

Question 35

Encryption of all data on a disk (including system files, temporary files, and the page file) that can be accomplished via a supported OS, third party software, or at the controller level by the disk device itself.

Answer 35

Full disk encryption (FDE)

Question 36

A disk drive where the controller can automatically encrypt data that is written to it.

Answer 36

Self-encrypting drives (SED)

Question 37

In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.

Answer 37

Key Encryption Key (KEK)

Question 38

Standards for implementing device encryption on storage devices.

Answer 38

Opal Storage Specification

Question 39

What is the Public Key Infrastructure Hierarchy?

Answer 39

From the top:
Certificate Authority (CA)
Root CA (self signed and validates other CAs)
Intermediate CA
Issuing CA

Question 40

What is PGP and GPG

Answer 40

Pretty Good Privacy and GNU Privacy guard are both methods of encrypting data, messages, and email. However, GPG is open sourced for linux while PGP is not.

Question 41

Public key infrastructure (PKI)

Answer 41

A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

Question 42

Third party CAs

Answer 42

In PKI, a public CA that issues certificates for multiple domains and is widely trusted as a root trust by operating systems and browsers.

Question 43

Digital certificate

Answer 43

Identification and authentication information presented in the X.509 format and issued by a certificate authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).

Question 44

Public Key Cryptography Standards (PKCS)

Answer 44

A series of standards defining the use of certificate authorities and digital certificates.

Question 45

Certificate signing request (CSR)

Answer 45

A Base64 ASCII file that a subject sends to a CA to get a certificate.

Question 46

Common name (CN)

Answer 46

An X500 attribute expressing a host or username, also used as the subject identifier for a digital certificate.

Question 47

Subject alternative name (SAN)

Answer 47

A field in a digital certificate allowing a host to be identified by multiple host names/subdomains.

Question 48

Wildcard

Answer 48

In PKI, a digital certificate that will match multiple subdomains of a parent domain.

Question 49

Certificate revocation list (CRL)

Answer 49

A list of certificates that were revoked before their expiration date.

Question 50

Online Certificate Status Protocol (OCSP)

Answer 50

Allows clients to request the status of a digital certificate, to check whether it is revoked.

Question 51

Root certificate

Answer 51

In PKI, a certificate authority that issues certificates to intermediate certificate authorities in a hierarchical structure.

Question 52

Certificate chaining/Chain of trust

Answer 52

A method of validating a certificate by tracing each CA that signs the certificate up through the hierarchy to the root CA.

Question 53

Escrow

Answer 53

In key management, the storage of a backup key with a third party.

Question 53

Self-signed certificate

Answer 53

A digital certificate that has been signed by the entity that issued it, rather than by a certificate authority.

Question 54

Elliptic Curve Cryptography is one of the newer methods being implemented. ECC can generate smaller keys that are more secure than most other methods. Many websites today use ECC to secure connections and data transmissions.

Answer 54

Elliptic Curve Cryptography (ECC)

Question 55

This cryptography method is used quite often in messaging apps. Instead of the same key being used for an entire conversation or session on a website, each transmission is encrypted with a different unique key.

Answer 55

Perfect Forward Secrecy

Question 56

RSA was developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA was released shortly after Diffie-Hellman in 1977.
RSA is still one of the most commonly used algorithms and helped define the process of using a public key to encrypt data and a private key to decrypt the data.
RSA is used extensively for creating digital signatures.

Answer 56

Rivest-Shamir-Adleman (RSA)

Question 57

Its purpose was to allow two users who have never met to safely create a shared key over a public channel such as the internet.

The two users agree on two numbers: a prime number (P) and a generator (g). These numbers can be shared publicly.
Each user then randomly generates a private number, or key, unique to themselves.
Using the prime number, generator, and private key, each user generates a public key using the following formula:
(G^ private number) MOD P
The users exchange their public keys, which are then used to create a shared secret key using the following formula:
(Shared Public Key^ private number) MOD P
Because each public key was generated using the same prime number and generator, each user will come up with the same number for the shared secret key.
If a hacker intercepted any of the exchanges, they could not reverse the process without knowing each user’s secret number.
is frequently implemented in security protocols such as TLS, IPSec, SSH, and others.

Answer 57

Diffie-Hellman

Question 58

___ is only used for creating digital signatures.
It uses a different algorithm than RSA but provides the same level of security.

Answer 58

Digital Signature Algorithm (DSA)

Question 59

is the simplest mode of operation.
Each block of plaintext data is encrypted separately.
Blocks of data can be encrypted simultaneously, allowing for faster encryption.
The biggest disadvantage is that blocks with identical data will generate the same ciphertext.

Answer 59

Electronic Code Book (ECB)

Question 60

is similar to ECB, except this mode uses an initialization vector (IV).
The IV is a starting variable that is XORed with the plaintext of the current block to encrypt the data.
The IV for the starting block is a randomly generated value. Each subsequent IV is the ciphertext from the previous block. ___ is more secure than ECB due to the IV, but it is slower because blocks cannot be encrypted simultaneously.

Answer 60

Cipher Block Chaining (CBC)

Question 61

also uses an IV, but instead of using it on the plaintext, the IV is encrypted first. That output is then XORed with the plaintext to create the block of ciphertext.
This is the equivalent of using a one-time pad to encrypt the data.
The IV for the starting block is a randomly generated value. Each subsequent IV is the ciphertext from the previous block.

Answer 61

Cipher Feedback mode (CFB)

Question 62

This mode is identical to CFB except for the IV used after the first round.
The output of the IV encryption is used as the next block’s ciphertext.

Answer 62

Output Feedback mode (OFB)

Question 63

Instead of using an initialization vector, uses a nonce combined with a counter that is encrypted.
A nonce is a random string used for all blocks during the encryption process.
The encrypted output of the nonce and counter is then XORed with the plaintext to create the ciphertext.
The counter increments for each block. This ensures that each block uses a different value so that even if blocks have the same data, the ciphertext will be different.

Answer 63

Counter mode (CTR)

Question 64

All other modes of operation are unauthenticated forms of encryption. provides both encryption and authentication.
It works like Counter mode, except the ciphertext is combined with a special hash.
The output of the ciphertext and hash contains the encrypted data and a Message Authentication Code (MAC) that gives assurance that the message has not been tampered with.
Because this mode is extremely efficient and provides authentication, it is often used with network communications such as 802.11 and when sending encrypted data to a web server using TLS or SSH.
There are other encryption methods that also provide authentication, but this is the most widely used method.

Answer 64

Galois Counter mode (GCM)

Question 65

allows only select simple math functions (such as addition) to be performed. This means that only one math function can be performed an unlimited number of times on the encrypted values.

Answer 65

Partially homomorphic encryption (PHE)

Question 66

___ allows more complex math (such as multiplication) to occur. However, it can only be performed a limited number of times.

Answer 66

Somewhat homomorphic encryption (SHE)

Question 67

This method can handle both simple and advanced math functions (such as addition and multiplication) being performed an unlimited number of times on the encrypted values. This is still in the developmental stage.

Answer 67

Fully homomorphic encryption (FHE)