6.0 Cryptography and PKI Flashcards
Any cryptographic algorithm that uses the same key to encrypt and decrypt.
Ex: AES, DES, 3DES, RC4, Blowfish, and Twofish
Symmetric Algorithm
Cryptographic algorithms that use two different keys—one key to encrypt and another to decrypt. Also called public key cryptography.
Ex: RSA, DSA, Diffie-Hellman
Asymmetric Algorithm
A number created by executing a hashing algorithm against data, such as a file or a message.
It is commonly used for Integrity.
Ex: MD5, SHA-1, and HMAC
Hash
Bits added to a hash to make it resistant to rainbow table attacks.
Salt
The process used to exchange keys between users who receive it. Keys can be exchanged in-band and out-of-band.
Key Exchange
An encrypted hash of a message, encrypted with the sender's private key. It provides authentication, non-repudiation, and integrity.
Digital Signature
A cryptography concept that ensures small changes in plaintext result in significant changes in ciphertext.
Diffusion
A cryptography concept that indicates ciphertext is significantly different than plaintext.
Confusion
When two different inputs into a cryptographic hash produce the same output, this is known as a collision.
Collision
The practice of hiding data within data.
Steganography
An attempt to make something unclear or difficult to understand. Steganography methods use this to hide data within data.
Obfuscation
An encryption method that encrypts data as a stream of bits or bytes.
Stream Cipher
Encryption method that encrypts data in fixed-size blocks.
Block Cipher
A key that is generated for one immediate use only, and is never used again.
Ephemeral Key
Any data sent over a network. It is common to encrypt this.
Data-in-Transit
Any data stored on media. It is common to encrypt this.
Data-at-Rest
Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.
Data-in-use
A technique used to increase the strength of stored passwords. It adds additional bits and can help thwart brute force and rainbow table attacks.
Key Stretching
A strong symmetric block cipher that encrypts data in 128-bit blocks. It can also use 128-bit, 192-bit, or 256-bit keys.
AES
A strong symmetric block cipher that encrypts data in 128-bit blocks. It can also use 128-bit, 192-bit, or 256-bit keys.
AES (Advanced Encryption Standard)
A legacy symmetric encryption standard used to provide confidentiality. It has been compromised and AES or 3DES should be used instead.
DES (Data Encryption Standard)
A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks.
3DES
A symmetric stream cipher that can use between 40 and 2048 bits. Experts consider it cracked and recommend using stronger methods.
RC4 (Rivest Cipher 4)
A symmetric key block cipher. It encrypts data in 128-bit blocks and supports 128-, 192-, or 256-bit keys.
Twofish
A mode of operation used for encryption that effectively converts a block cipher into a stream cipher. It uses an IV for the first block, and each subsequent block is combined with the previous block.
CBC (Cipher Block Chaining)
A mode of operation used for encryption. It combines the Counter (CTM) Mode with hashing techniques for data authenticity and confidentiality.
GCM
A mode of operation used for encryption. It combines the Counter (CTM) Mode with hashing techniques for data authenticity and confidentiality.
GCM (Galois/Counter Mode)
A legacy mode of operation used for encryption. It is weak and should not be used.
ECB (Electronic Codebook)
A mode of operation for encryption that combines an IV with a counter. The combined result is used to encrypt blocks.
CTM (Counter Mode)
An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators.
RSA (Rivest, Shamir, Adleman)
An encrypted hash of a message used for authentication, non-repudiation, and integrity. The sender’s private key encrypts the hash of the message.
DSA (Digital Signature Algorithm)
Uses Ephemeral Keys, which are re-created for each session.
DHE
Uses Elliptic Curve Cryptography to generate encryption keys.
ECDHE
Asymmetric algorithm based upon mathematical problems involving the algebraic structure of elliptic curves over finite fields; suitable for use in small mobile devices because of the low computing power requirements.
ECC
Asymmetric algorithm based upon mathematical problems involving the algebraic structure of elliptic curves over finite fields; suitable for use in small mobile devices because of the low computing power requirements.
ECC (Elliptic Curve Cryptography)
Cryptography application and protocol suite used in asymmetric cryptography. It is proprietary, but it also has an open source version.
PGP (Pretty Good Privacy)
Hashing algorithm used to compute fixed-length message digests of variable-length pieces of text, developed by Ron Rivest. It generates a 128-bit hash that is 32 hexadecimal characters long. Although this is still widely used, it has been deprecated due to the potential for collisions, and is currently considered unsuitable for modern hashing algorithms.
MD5 (Message Digest 5)
A series of hashing algorithms developed by NIST and the NSA which include ___-1, ____-2, and most recently ____-3 based on the Keccak hash function.
SHA (Secure Hashing Algorithm)
System used in conjunction with a hashing algorithm and symmetric key in order to both authenticate and verify the integrity of a message.
HMAC (High-Based Message Authentication Mode)
A hash function used for integrity. It creates fixed-length hashes of 128, 160, 258, or 320 bits.
RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each letter 13 spaces. To decrypt the message, you would rotate each letter 13 spaces.
ROT13
A wireless security protocol. It has been superseded by WPA2.
WPA
A wireless security protocol. It supports CCMP for encryption which is based on AES. It can use open mode, a pre-shared key, or enterprise mode.
WPA2
A wireless security protocol. It has been superseded by WPA2.
WPA (Wi-Fi Protected Access)
A wireless security protocol. It supports CCMP for encryption which is based on AES. It can use open mode, a pre-shared key, or enterprise mode.
WPA2 (Wi-Fi Protected Access 2)
An authentication framework that provides general guidance for authentication methods.
EAP
A Cisco-designed replacement for lightweight EAP. It supports certificates, but they are optional.
EAP-FAST
An authentication framework that provides general guidance for authentication methods.
EAP (Extensible Authentication Protocol)
A Cisco-designed replacement for lightweight EAP. It supports certificates, but they are optional.
EAP-FAST (Extensible Authentication Protocol via secure Tunneling)
An extension of EAP sometimes used with 802.1x. This is one of the most secure EAP standards and is widely implemented. It requires certificates on the 802.1x server and on clients.
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)
An extension of EAP sometimes used with 802.1x. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1x server but not on the clients.
EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security)
A wireless mode that uses pre-shared keys for security.
PSK
A wireless mode that uses an 802.1x server for security. It forces users to authenticate with a username and a password.
Enterprise Mode
An authentication process that requires the user to do something in order to complete the enrollment process. Examples include pressing a button on the router within a short time period, entering a PIN, or bringing the new device close.
WPS (Wi-Fi Protected Setup)
An organization that manages, issues and signs certificates. They are a main element of PKI.
CA
A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, or issued to an employee who has left the organization.
CRL
An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.
OCSP
An organization that manages, issues and signs certificates. They are a main element of PKI.
CA (Certificate Authority)
A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, or issued to an employee who has left the organization.
CRL (Certificate Revocation List)
An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.
OCSP (Online Certificate Status Protocol)
A method of requesting a certificate from a CA. It starts by creating an RSA-based public/private key pair then includes the public key in this.
CSR
A security mechanism used by some web sites to prevent web site impersonation. Websites provide clients with a list of public key hashes. Clients store the list and use it to validate the website.
Pinning
The process of appending a digitally signed OCSP response to a certificate. It reduces the overall OCSP traffic sent to a CA.
Stapling
The process of placing a copy of a private key in a safe environment.
Key Escrow
A certificate that combines all certificates within the trust model. It includes all of the certificates in the trust chain from the root CA down to the certificate issued to the end user.
Certificate Chaining
A certificate that can be used for multiple domains with the same root domain. It starts with an asterisk.
Wildcard
A server that can take a pool of hard disks and present them over the network as any number of logical disks.
SAN
The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
Code signing
A popular standard used to secure emails. This provides confidentiality, integrity, authentication, and non-repudiation.
S/MIME
A server that can take a pool of hard disks and present them over the network as any number of logical disks.
SAN (Storage Area Network)
A base format for PKI certificates. They are BASE64 ASCII encoded files.
DER
Binary encoded files that are a base format for PKI certificates.
CER
A common format for PKI certificates. It can be in either CER (ASCII) or DER (binary) format and can be used for almost any type of certificate.
PEM
A common format for PKI certificates. It is the predecessor to P12 Certificates.
PFX
A common format for PKI certificates. They are CER based (binary) and often hold certificates with the private key. They are commonly encrypted.
P12
A common format for PKI certificates. They are DER-based (ASCII) and commonly used to share public keys.
P7B