6. Cryptography and PDI Flashcards

1
Q

Symmetric encryption

Asymmetric encryption

A

Symmetric encryption- a two-way scheme in which encryption and decryption are both performed by the same key. AKA: Shared-key encryption.

Asymmetric encryption- a 2-way encryption scheme that uses paired private and public keys.

2
Q
Hashing
PRNG 
OTP
Salt
nonce
A

Hashing- Hashing can be used to verify the integrity of an item, but it is not used for securely transferring secret keys or session keys.

PRNG (pseudorandom number generation) is the process by which an algorithm produces numbers that approximate randomness without being truly random.

OTP (one-time pad) is an unbreakable encryption mechanism. It consists of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm.

Salt- cryptographic salt is a security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to each plaintext input.

nonce- an arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.

3
Q

ECC
ECDHE
DH

A

ECC- Elliptic curve cryptography- a public key encryption technique that leverages the algebraic structures of elliptic curves over finite fields. ECC is commonly used with wireless and mobile devices.

ECDHE- a variant of DH that incorporates the use of ECC and ephemeral keys.

DH- Diffie-Hellman- a cryptographic technique that provides for secure key exchange. Described in 1976, it formed the basis for most public key encryption implementations, including RSA, DHE, and ECDHE. The strength of a key used in a DH exchange is determined by groups. The higher the group number, the more secure the key is and the more processing overhead is added to computations.

4
Q

Key exchange

Digital signatures

A

Key exchange- any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

Digital signatures- a message digest that has been encrypted again with a user’s private key.

5
Q
Diffusion
Confusion
Collision
Steganography
Obfuscation
A

Diffusion- a cryptographic technique that makes ciphertext change drastically upon even the slightest change in the plaintext input.

Confusion – a cryptographic technique that makes the relationship between an encryption key and its ciphertext as complex and opaque as possible.

collision- the act of two different plaintext inputs producing the same exact ciphertext output.

Steganography- an alternative encryption technique that hides a secret message by enclosing it in an ordinary file.

Obfuscation- a technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users. Attempts to mitigate reverse engineering of software.

6
Q

Session keys

Ephemeral key

A

Session keys- a single use symmetric key that is used for encrypting all messages in a single series of related communications. There are 2 primary reasons to use session keys

Ephemeral key- keys can be static or ephemeral. Static keys are intended to be used for a relatively long time and for many instances within a key-establishment process. Ephemeral keys are generated for each individual communication segment or session- EXAMPLE: Session keys.

7
Q

Data in transit
Data in use
Data at rest

A

Data in transit- A “data in transit” state is when data is transmitted over a network. The data can be sent over the WAN to its final location through a virtual private network (VPN).

Data in use- The “data in use” state is when data is present in volatile memory, such as system RAM or CPU cache. A file that was stored on encrypted drives can be edited. Storage providers like NetApp have storage encryption modules that handle the backend decryption and encryption processes for reading and writing data to disk.

Data at rest- A “data at rest” state means that the data is in some sort of persistent storage media. Examples of data include archived audiovisual media

8
Q

In-band key exchange

Out-of-band key exchange

A

In-band key exchange (over an unencrypted channel) uses asymmetric encryption. The secret key is encrypted with recipient’s public key and is decrypted by recipient’s private key.

Out-of-band key exchange involves sending the key by courier or transmitting it verbally. However, these methods increase the risk that the key will be compromised.

9
Q

Key stretching

A

Key stretching- a technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks.

Original key is enhanced by running it through a key stretching algorithm.

Enhanced keys are usually larger than 128 bits, which makes them harder to crack via a brute force attack.

Techniques- repeatedly looping cryptographic hash functions, repeatedly looping block ciphers, configuring the cipher key schedule to increase the time it takes for the key to be set up.

10
Q

PFS

A

Perfect forward security- PFS- a characteristic of session encryption that ensures if a key used during a certain session is compromised, it should not affect data previously encrypted by that key.

11
Q

Security through obscurity
Low latency
High resiliency
Non-repudiation

A

Security through obscurity – the practice of attempting to hide the existence of vulnerabilities from others.

Low latency- Cryptographic operations can end up adding significant processing time to data in any state. Therefore, one objective of cryptographic algorithms is to achieve low latency, where latency is generally defined as the time between when an input is added to the algorithm for processing and when the output is obtained.

High resiliency- Some algorithms provide high resiliency against information leakage. Leakage resiliency techniques focus either on eliminating the source of the leakage, in whole or in part, or on decoupling the link between leaked info and material that should be kept secret.

Non-repudiation- the security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

12
Q

AES
DES
3DES

A

AES- Advanced Encryption Standard- a symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

DES- Data Encryption Standard- a symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key with 8 bits used for parity.

3DES- Triple DES- a symmetric encryption algorithm that encrypts data by processing each block of data three times, using a different DES key each time.

13
Q

RC4
Blowfish
Twofish
CBC

A

RC4- The RC4 cipher (also known as Arcfour) is a stream cipher using a variable length key (from 40 to 128 bits).

Blowfish- a freely available 64-bit block cipher algorithm that uses a variable key length. NO LONGER CONSIDERED STRONG, THOUGH IT DOES OFFER GREATER PERFORMANCE THAN DES.

Twofish- a symmetric key block cipher, similar to Blowfish, consisting of a block size of 128 bits and key sizes up to 256 bits.

CBC- Cipher Block Chaining- An encryption mode of operation where an exclusive or XOR is applied to the first plaintext block.

14
Q

RSA
DSA
DHE

A

RSA- named for its designers- Rivest, Shamir, Adleman- the first successful algorithm for public key encryption. It has a variable key length and block size. Still widely used and considered highly secure if it employs sufficiently long keys.

DSA- Digital Signature Algorithm- a public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

DHE- A variant of DH that uses ephemeral keys to provide secure key exchange.

15
Q
PGP/GPG
MD5
SHA
RIPEMD
HMAC
A

PGP/GPG- Pretty Good Privacy and GNU Privacy Guard- PGP is proprietary email security and authentication software that uses a variation of public key cryptography to encrypt emails. GPG is an open source version of PGP that provides equivalent encryption and authentication services.

MD5- Message digest 5- a hash algorithm based on RFC 1321, that produces a 128-bit hash value and is used in IPsec policies for data authentication.

SHA- Secure Hash Algorithm- A hash algorithm modeled after MD5 and considered the stronger of the 2. It has multiple versions that produce different sized hash values.

RIPEMD- Hashing algorithm- RACE Integrity Primitives Evaluation Message Digest- based along the lines of the design principles used in the now obsolete MD4 algorithm. There are 128-, 160-, 256-, and 320-bit versions called RIPEMD-128, RIPEMD-160, RIPEMD-256 and RIPEMD-320, respectively. The 256- and 320-bit versions reduce the chances of generating duplicate output hashes but do little in terms of higher levels of security. RIPEMD-160 was designed by the open academic community and is used less frequently than SHA-1.

HMAC (hash-based message authentication code) is a means of generating a message authentication code (MAC) using the MD5 (HMAC-MD5), SHA-1 (HMAC-SHA1), or SHA-2 (HMAC-SHA2) algorithm. MAC is a means of proving the integrity and authenticity of a message.

16
Q

BCRYPT

PBKDF2

A

Bcrypt- a type of key stretching algorithm- a key-derivation function based on the Blowfish cipher algorithm. Uses cryptographic salt, but also adapts over time by increasing the iteration count.

PBKDF2- type of key stretching algorithm- Password Based Key Derivation Function 2- is part of the public key cryptography standards from RSA Labs. This key derivation function uses five input parameters to create a derived key.

17
Q

XOR

A

XOR- exclusive or- An XOR operation outputs true only if one input is true and the other input is false.

18
Q

ROT13

A

ROT13- rotate by 13- a simple substitution cipher that replaces a letter with the letter that is 13 letters after it in the alphabet.

19
Q
WPA
WPA2
CCMP
TKIP
EAP
A

WPA- Wi-Fi Protected Access- a wireless encryption protocol that generates a 128-bit key for each packet sent. Superseded by WPA2.

WPA2- Wi-Fi Protected Access 2- an improvement to the WPA protocol that implements all mandatory components of the 802.11i standard, including Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption for increased security and a 128-bit encryption key.

CCMP- Counter Mode with Cipher Block Chaining Message Authentication Code Protocol- an AES-cipher-based encryption protocol used in WPA2.

TKIP- a wireless cryptographic protocol- Temporal Key Integrity Protocol- a security protocol created by the IEEE 802.11i task group to replace WEP.

EAP- a wireless authentication protocol-Extensible Authentication Protocol- a framework that enables clients and servers to authenticate with each other using one of a variety of plug-ins. Does not specify which authentication method should be used, therefore enables the choice of a wide range of current authentication methods and allows for the implementation of future authentication methods.

20
Q
EAP-FAST
EAP-TLS
EAP-TTLS
LEAP
PEAP
IEEE 802.1X
A

EAP-FAST- EAP Flexible Authentication via Secure Tunneling- meant to be a replacement for LEAP that addresses its shortcomings.

EAP-TLS- EAP Transport Layer Security- requires a client-side certificate for authentication using SSL/TLS.

EAP-TTLS- EAP Tunneled Transport Layer Security- enables a client and server to establish a secure connection without mandating a client-side certificate.

LEAP- Lightweight Extensible Authentication Protocol- Cisco Systems’ proprietary EAP implementation.

PEAP- a wireless authentication protocol- Protected Extensible Authentication Protocol- an open standard developed by a coalition made up of Cisco Systems, Microsoft and RSA Security. Like 802.1X, PEAP is not technically an EAP method but a way of encapsulating EAP communications using an SSL/TLS tunnel. Similar in function to EAP-TTLS. EAP-TTLS supports more authentication protocols than PEAP.

IEEE 802.1X- a wireless authentication protocol- a standard for encapsulating EAP communications over a LAN. Adapted later to work with WLAN tech. Provides port-based authentication.

21
Q

RADIUS Federation
PSK
WPS

A

RADIUS Federation- RADIUS is a network authentication protocol and federation implies a shared level of trust among disparate networks. The 802.1X standard is often used with RADIUS to carry out port-based authentication.

PSK- pre-shared key- a string of text that a VPN or other network service expects to receive prior to any other credentials. In the context of WPA/2-Personal, the key is generated from the wireless password.

WPS- Wi-Fi Protected Setup- an insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

22
Q
CA
Registration Authority
CRL
OCSP
CSR
Digital Certificate 
PKI
Private Key 
Object Identifiers
A

CA- Certificate authority- a server that can issue digital certificates and maintains the associated public/private key pairs.

Registration Authority- RA- An RA server is responsible for certifying user and device identities and approving or denying requests for digital signatures.

CRL- Certificate revocation list- A list of certificates that were revoked before their expiration date.

OCSP- Online Certificate Status Protocol- an HTTP-based alternative to a CRL for dynamically checking the status of revoked certificates.

CSR- Certificate signing request- A message sent to a certificate authority in which a resource applies for a certificate.

Digital Certificate – Digital certificates are the most fundamental component of a PKI, and the overarching task of a PKI is to manage digital certificates in a variety of ways. A digital certificate is an electronic document that associates credentials with a public key. Both users and devices can hold certificates. The certificate validates the certificate holder’s ID through a digital signature and is also a way to distribute the holder’s public key. In addition, a certificate contains info about the holder’s ID.

PKI- public key infrastructure- a system that is composed of certificate authorities, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and entities.

Private Key- the component of asymmetric encryption that is kept secret by one party during two-way encryption.

Object Identifiers- OID- PKI component- the identity information included in a certificate is provided through OIDs. There are multiple OIDs associated with common certificate types and each OID defines a certain dimension of the certificate owner’s identity. OIDs are formatted as a series of numbers divided by periods.

23
Q
Stapling
Pinning
Trust Model
Key escrow
Certificate chaining
A

Stapling – a method of checking the status of digital certificates where a web-based server queries the OCSP server at specific intervals and the OCSP server responds by providing a time-stamped digital signature. The web server appends this signed response to the SSL/TLS handshake with the client so that the client can verify the certificate’s status.

Pinning- a method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

Trust Model- CA hierarchy- a single CA or group of CAs that work together to issue digital certificates. Each CA in the hierarchy has a parent-child relationship with the CA directly above it.

Key escrow – an alternative to key backups, can be used to store private keys securely, while allowing one or more trusted third parties access to the keys under predefined conditions.

Certificate chaining – a linked path of verification and validation to ensure the validity of a digital certificate’s issuer.