6. Cryptography and PDI Flashcards
Symmetric encryption
Asymmetric encryption
Symmetric encryption- a two-way scheme in which encryption and decryption are both performed by the same key. AKA: Shared-key encryption.
Asymmetric encryption- a 2-way encryption scheme that uses paired private and public keys.
Hashing PRNG OTP Salt nonce
Hashing- Hashing can be used to verify the integrity of an item, but it is not used for securely transferring secret keys or session keys.
PRNG (pseudorandom number generation) is the process by which an algorithm produces numbers that approximate randomness without being truly random.
OTP (one-time pad) is an unbreakable encryption mechanism. It consists of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm.
Salt- cryptographic salt is a security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to each plaintext input.
Nonce- an arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.
ECC
ECDHE
DH
ECC- a public key encryption technique that leverages the algebraic structures of elliptic curves over finite fields. ECC is commonly used with wireless and mobile devices.
Elliptic curve- ECC- a public key encryption technique that leverages the algebraic structures of elliptic curves over finite fields. ECC is commonly used with wireless and mobile devices.
ECDHE- a variant of DH that incorporates the use of ECC and ephemeral keys
DH- Diffie Hellman- a cryptographic technique that provides for secure key exchange.
Diffie-Hellman- DH- a cryptographic technique that provides for secure key exchange. Described in 1976, it formed the basis for most public key encryption implementations, including RSA, DHE, and ECDHE. The strength of a key used in a DH exchange is determined by groups. The higher the number of the group, the more secure the key is and the more processing overhead is added to computations.
Key exchange
Digital signatures
Key exchange-any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Digital signatures- a message digest that has been encrypted again with a user’s private key.
Diffusion Confusion Collision Steganography Obfuscation
Diffusion- a cryptographic technique that makes ciphertext change drastically upon even the slightest change in the plaintext input.
Confusion – a cryptographic technique that makes the relationship between an encryption key and its ciphertext as complex and opaque as possible.
Collision- the act of two different plaintext inputs producing the same exact ciphertext output.
Steganography- an alternative encryption technique that hides a secret message by enclosing it in an ordinary file.
Obfuscation- a technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users. Attempts to mitigate reverse engineering of software.
Session keys
Ephemeral key
Session keys- a single use symmetric key that is used for encrypting all messages in a single series of related communications. There are 2 primary reasons to use session keys
Ephemeral key- keys can be static or ephemeral. Static keys are intended to be used for a relatively long time and for many instances within a key-establishment process. Ephemeral keys are generated for each individual communication segment or session- EXAMPLE: Session keys.
Data in transit
Data in use
Data at rest
Data in transit- A “data in transit” state is when data is transmitted over a network. The data can be sent over the WAN to its final location through a virtual private network (VPN).
Data in use- The “data in use” state is when data is present in volatile memory, such as system RAM or CPU cache. A file that was stored on encrypted drives can be edited. Storage providers like NetApp have storage encryption modules that handle the backend decryption and encryption processes for reading and writing data to disk.
Data at rest- A “data at rest” state means that the data is in some sort of persistent storage media. Examples of data include archived audiovisual media
In-band key exchange
Out-of-band key exchange
In-band key exchange (over an unencrypted channel) uses asymmetric encryption. The secret key is encrypted with the recipient’s public key and is decrypted with the recipient’s private key.
Out-of-band key exchange involves sending the key by courier or transmitting it verbally. However, these methods increase the risk that the key will be compromised.
Key stretching
Key stretching- a technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks.
Original key is enhanced by running it through a key stretching algorithm.
Enhanced keys are usually larger than 128 bits, which makes them harder to crack via a brute force attack.
Techniques- repeatedly looping cryptographic hash functions, repeatedly looping block ciphers, configuring the cipher key schedule to increase the time it takes for the key to be set up.
PFS
Perfect forward security-PFS- a characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key.
Security through obscurity
Low latency
High resiliency
Non-repudiation
Security through obscurity – the practice of attempting to hide the existence of vulnerabilities from others.
Low latency- Cryptographic operations can end up adding significant processing time to data in any state. Therefore, one objective of cryptographic algorithms is to achieve low latency, where latency is generally defined as the time between when an input is added to the algorithm for processing and when the output is obtained.
High resiliency- Some algorithms provide high resiliency against information leakage. Leakage resiliency techniques focus either on eliminating the source of the leakage, in whole or in part, or on decoupling the link between leaked information and material that should be kept secret.
Non-repudiation- the security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
AES
DES
3DES
AES- Advanced Encryption Standard- a symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.
DES- Data Encryption Standard- a symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key with 8 bits used for parity.
3DES- Triple DES- a symmetric encryption algorithm that encrypts data by processing each block of data three times, using a different DES key each time.
RC4
Blowfish
Twofish
CBC
RC4- The RC4 cipher (also known as Arcfour) is a stream cipher using a variable length key (from 40 to 128 bits).
Blowfish- a freely available 64-bit block cipher algorithm that uses a variable key length. NO LONGER CONSIDERED STRONG, THOUGH IT DOES OFFER GREATER PERFORMANCE THAN DES.
Twofish- a symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.
CBC- Cipher Block Chaining- an encryption mode of operation where an exclusive OR (XOR) is applied to the first plaintext block.
RSA
DSA
DHE
RSA- named for its designers, Rivest, Shamir, and Adleman- the first successful algorithm for public key encryption. It has a variable key length and block size. Still widely used and considered highly secure if it employs sufficiently long keys.
DSA- Digital Signature Algorithm- a public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
DHE- A variant of DH that uses ephemeral keys to provide secure key exchange.
PGP/GPG MD5 SHA RIPEMD HMAC
PGP/GPG- PGP (Pretty Good Privacy) is proprietary email security and authentication software that uses a variation of public key cryptography to encrypt emails. GPG (GNU Privacy Guard) is an open source version of PGP that provides equivalent encryption and authentication services.
MD5- Message digest 5- a hash algorithm based on RFC 1321, that produces a 128-bit hash value and is used in IPsec policies for data authentication.
SHA- Secure Hash Algorithm- A hash algorithm modeled after MD5 and considered the stronger of the 2. It has multiple versions that produce different sized hash values.
RIPEMD- Hashing Algorithm- RACE Integrity Primitives Evaluation Message Digest- based along the lines of the design principles used in the now obsolete MD4 algorithm. There are 128-, 160-, 256-, and 320-bit versions called RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320, respectively. The 256- and 320-bit versions reduce the chances of generating duplicate output hashes but do little in terms of higher levels of security. RIPEMD-160 was designed by the open academic community and is used less frequently than SHA-1.
HMAC (hash-based message authentication code) is a means of generating a message authentication code (MAC) using the MD5 (HMAC-MD5), SHA-1 (HMAC-SHA1), or SHA-2 (HMAC-SHA2) algorithm. MAC is a means of proving the integrity and authenticity of a message.