6.0 Cryptography and PKI

Question 1

Any cryptographic algorithm that uses the same key to encrypt and decrypt.
Ex: AES, DES, 3DES, RC4, Blowfish, and Twofish

Answer 1

Symmetric Algorithm

Question 2

Cryptographic algorithms that use two different keys—one key to encrypt and another to decrypt. Also called public key cryptography.
Ex: RSA, DSA, Diffie-Hellman,

Answer 2

Asymmetric Algorithm

Question 3

A number created by executing a hashing algorithm against data, such as a file or a message.
It is commonly used for Integrity.
Ex:MD5, SHA-1, and HMAC

Answer 3

Hash

Question 4

Bits added to a hash to make it resistant to rainbow table attacks.

Answer 4

Salt

Question 5

The Process used to exchange keys between users who receive it. Keys can be exchanged in-band and out-of-band.

Answer 5

Key Exchange

Question 6

An encrypted hash of a message, encrypted with the senders private key. It provides authentication, non-repudiation, and integrity.

Answer 6

Digital Signature

Question 7

A cryptography concept that ensures small changes in plaintext result in significant changes in ciphertext.

Answer 7

Diffusion

Question 8

A cryptography concept that indicates ciphertext is significantly different than plaintext.

Answer 8

Confusion

Question 9

When two different inputs into a cryptographic hash produce the same output, this is known as a collision.

Answer 9

Collision

Question 10

The practice of hiding data within data.

Answer 10

Steganography

Question 11

An attempt to make something unclear or difficult to understand. Steganography methods use this to hide data within data.

Answer 11

Obfuscation

Question 12

An encryption method that encrypts data as a stream of bits or bytes.

Answer 12

Stream Cipher

Question 13

Encryption method that encrypts data in fixed-size blocks.

Answer 13

Block Cipher

Question 14

A key that is generated for one immediate use only, and is never used again.

Answer 14

Ephemeral Key

Question 15

Any data sent over a network. It is common to encrypt this.

Answer 15

Data-in-Transit

Question 16

Any data stored on media. It is common to encrypt this.

Answer 16

Data-at-Rest

Question 17

Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.

Answer 17

Data-in-use

Question 18

A technique used to increase the strength of stored passwords. Its additional bits and can help thwart brute force and rainbow table attacks.

Answer 18

Key Stretching

Question 19

A strong symmetric block cipher that encrypts data in 128-bit blocks. Can also use 128-bits, 192-bits, or 256-bits.

Answer 19

AES

Question 20

A strong symmetric block cipher that encrypts data in 128-bit blocks. Can also use 128-bits, 192-bits, or 256-bits.

Answer 20

AES (Advanced Encryption Standard)

Question 21

A legacy symmetric encryption standard used to provide confidentiality. It has been compromised and AES or 3DES should be used instead.

Answer 21

DES (Data Encryption Standard)

Question 22

A Symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks.

Answer 22

3DES

Question 23

A symmetric stream cipher that can use between 40 and 2048 bits. Experts consider it cracked and recommend using stronger methods.

Answer 23

RC4 (Rivest Cipher 4)

Question 24

A symmetric key block cipher. It encrypts data in 128-bit blocks and supports 128-, 192-, or 256- bit keys.

Answer 24

Twofish

Question 25

A mode of operation used for encryption that effectively converts a block cipher into a stream cipher. It uses an IV for the first block and each subsequent block is combined with this previous block.

Answer 25

CBC (Cipher Block Chaining)

Question 26

A mode of operation used for encryption. It combines the Counter (CTM) Mode with hashing techniques for data authenticity and confidentiality.

Answer 26

GCM

Question 27

A mode of operation used for encryption. It combines the Counter (CTM) Mode with hashing techniques for data authenticity and confidentiality.

Answer 27

GCM (Galois/Counter Mode)

Question 28

A legacy mode of operation used for encryption. It is weak and should not be used.

Answer 28

ECB (Electronic Codebook)

Question 29

A mode of operation for encryption that combines an IV with a counter. The combined result is used to encrypt blocks.

Answer 29

CTM (Counter Mode)

Question 30

An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators.

Answer 30

RSA (Rivest, Shamir, Adleman)

Question 31

An encrypted hash of a message used for authentication, non-repudiation, and integrity. The sender’s private key encrypts the hash of the message.

Answer 31

DSA (Digital Signature Algorithm)

Question 32

Uses Ephemeral Keys, which are re-created for each session.

Answer 32

DHE

Question 33

Uses Elliptic Curve Cryptography to generate encryption keys.

Answer 33

ECDHE

Question 34

Assymetric algorithm based upon mathematical problems involving the algebraic structure of elliptic curves over finite fields; suitable for use in small mobile devices because of the low computing power requirements.

Answer 34

ECC

Question 35

Assymetric algorithm based upon mathematical problems involving the algebraic structure of elliptic curves over finite fields; suitable for use in small mobile devices because of the low computing power requirements.

Answer 35

ECC (Elliptic Curve Cryptography)

Question 36

Cryptography application and protocol suite used in asymmetric cryptography. It is proprietary, but it also has an open source.

Answer 36

PGP (pretty good privacy)

Question 37

Hashing algorithm used to compute fixed-length message digests of variable-length pieces of text, developed by Rin Rivest. It generates a 128-bit hash that is 32 hexadecimal characters long. Although this is still widely used, it has depreciated due to the potential for collisions, and is currently considered unsuitable for modern hashing algorithms.

Answer 37

MD5 (message digest 5)

Question 38

A series of hashing algorithms developed by NIST and the NSA which include ___-1, ____-2, and most recently ____-3 based on the Keccak hash function.

Answer 38

SHA (secure hashing algorithm)

Question 39

System used in conjunction with a hashing algorithm and symmetric key in order to both authenticate and verify the integrity of a message.

Answer 39

HMAC (High-Based Message Authentication Mode)

Question 40

A hash function used for integrity. It creates a fixed length hashe of 128, 160, 258, or 320 bits.

Answer 40

RIPEMD (RACE Integrity Primitives Evaluation Message Digest)

Question 41

A substitution cipher that uses a key of 13. to encrypt a message you would rotate each letter 13 spaces. To decrypt the message you would rotate each letter 13 spaces.

Answer 41

ROT13

Question 42

A wireless security protocol. It has been superseded by WPA2

Answer 42

WPA

Question 43

A wireless security protocol. It supports CCMP for encryption which is based on AES. It can use open mode, a pre-shared key, or enterprise mode.

Answer 43

WPA2

Question 44

A wireless security protocol. It has been superseded by WPA2

Answer 44

WPA (Wi-fi Protected Access)

Question 45

A wireless security protocol. It supports CCMP for encryption which is based on AES. It can use open mode, a pre-shared key, or enterprise mode.

Answer 45

WPA2 Wi-Fi protected access 2)

Question 46

An authentication framework that provides general guidance for authentication methods.

Answer 46

EAP

Question 47

A Cisco designed replacement for lightweight EAP. It supports certificates, but they are optional.

Answer 47

EAP-FAST

Question 48

An authentication framework that provides general guidance for authentication methods.

Answer 48

EAP (Extensible Authentication Protocol)

Question 49

A Cisco designed replacement for lightweight EAP. It supports certificates, but they are optional.

Answer 49

EAP-FAST (Extensible Authentication Protocol via secure Tunneling)

Question 50

An extension of EAP sometimes used with 802.1x. This is one of the most secure EAP standards and is widely implemented. It requires certificates on the 802.1x server on clients.

Answer 50

EAP-TLS (Extensible Authentication Protocol- Transport Layer Security)

Question 51

AN extension of EAP sometimes used with 802.1x It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1x server but not on the clients.

Answer 51

EAP-TTLS (Extensible Authentication Protocol- Tunneled Transport Layer Security)

Question 52

A wireless mode that uses pre-shared keys for security.

Answer 52

PSK

Question 53

A wireless mode that uses an 802.1x server for security. It forces users to authenticate with a username and a password.

Answer 53

Enterprise Mode

Question 54

An authentication process that requires the user to do something in order to complete the enrollment process. Examples include pressing a button on the router within a short time period, entering a PIN, or bringing the new device close.

Answer 54

WPS (Wi-Fi Protected Setup)

Question 55

An organization that manages , issues and signs certificates. They are a main element of PKI.

Answer 55

CA

Question 56

A list of certificates that a CA has revoked. Certificates are commonly revokes if they are compromised, or issued to an employee who has left the organization.

Answer 56

CRL

Question 57

An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with Good, revoked, or unknown.

Answer 57

OCSP

Question 58

An organization that manages , issues and signs certificates. They are a main element of PKI.

Answer 58

CA (Certificate Authority)

Question 59

A list of certificates that a CA has revoked. Certificates are commonly revokes if they are compromised, or issued to an employee who has left the organization.

Answer 59

CRL Certificate Revocation List

Question 60

An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with Good, revoked, or unknown.

Answer 60

OCSP Online Certificate Status Protocol

Question 61

A method of requesting a certificate from a CA. It starts by creating an RSA-based public/private key pair then includes the public key in this.

Answer 61

CSR

Question 62

A security mechanism used by some web sites to prevent web site impersonation. Websites provide clients with a list of public key hashes. Clients store the list and use it to validate the website.

Answer 62

Pinning

Question 63

The process of appending a digitally signed OCSP response to a certificate. It reduces the overall OCSP traffic sent to a CA.

Answer 63

Stapling

Question 64

The process of placing a copy of a private key in a safe environment.

Answer 64

Key Escrow

Question 65

A certificate that combines all certificates within the trust model. It includes all of the certificates in the trust chain from the root CA down to the certificate issued to the end user.

Answer 65

Certificate Chaining

Question 66

A certificate that can be used for multiple domains with the same root domain. It starts with an asterisk.

Answer 66

Wildcard

Question 67

A server that can take a pool of hard disks and present them over the network as any number of logical disks.

Answer 67

SAN

Question 68

The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.

Answer 68

Code signing

Question 69

A popular standard used to secure emails. This provides confidentiality, integrity, authentication, and non-repudiation.

Answer 69

S/MIME

Question 70

A server that can take a pool of hard disks and present them over the network as any number of logical disks.

Answer 70

SAN (Storage Area Network)

Question 71

A base format for PKI certificates. They are BASE64 ASCII encoded files.

Answer 71

DER

Question 72

Binary encoded files that is a base format for PKI certificates.

Answer 72

CER

Question 73

A common format for PKI certificates. It can either be CER (SDCII) or DER (binary) formats and can be used for almost any type of certificate.

Answer 73

PEM

Question 74

A common format for PKI certificates. It is the predecessor to P12 Certificates.

Answer 74

PFX

Question 75

A common format for PKI certificates. They are CER based (binary) and often hold certificates with the private key. They are commonly encrypted.

Answer 75

P12

Question 76

A common format for PKI certificates. They are DER-based (ASCII) and commonly used to share public keys.

Answer 76

P7B