6.0 Cryptography & PKI

Question 1

Symmetric algorithm

Answer 1

Uses the same key to encrypt and decrypt data. Also known as secret key encryption.

Question 2

DES

Answer 2

Data Encryption Standard. Symmetric block cipher. Encrypts data in 64-bit blocks with key of only 56 bits. Should not be used.

Question 3

3DES (TDES)

Answer 3

Triple Data Encryption Standard. Symmetric block cipher. It encrypts data using the DES algorithm in three separate passes and uses multiple keys. Goes through 48 rounds when encrypting plaintext. Still used when legacy hardware doesn’t support AES.

Question 4

AES

Answer 4

Advanced Encryption Standard. Strong symmetric block cipher that encrypts data in 128-bit blocks. The National Institute of Standards and Technology (NIST) adopted AES from the Rijndael encryption algorithm

Question 5

Blowfish

Answer 5

Strong symmetric block cipher that is still widely used today. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits

Question 6

Twofish

Answer 6

Related to Blowfish, but encrypts data in 128-bit blocks and it supports 128-, 192-, or 256-bit keys

Question 7

RC4 (or ARC4)

Answer 7

Symmetric stream cipher and it can use between 40 and 2048 bit keys

Question 8

IDEA

Answer 8

International Data Encryption Algorithm. Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into Ciphertext with a 128-bit key. IDEA is used in PGP. Developed in Switzerland

Question 9

GOST

Answer 9

Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES). 64-bit block size. Symmetric block cipher

Question 10

CAST-128 (or CAST5)

Answer 10

Symmetric key block cipher used in PGP and GPG

Question 11

RC5

Answer 11

Private key encryption standard developed at MIT. Symmetric block cipher

Question 12

Asymmetric algorithms

Answer 12

Also known as public key algorithms. The public key can be shared with anyone, whereas the private key is possessed only by the owner. The public key is used to encrypt the data while the private key is used to decrypt the data. Asymmetric ciphers use random number generation

Question 13

Diffie-Hellman

Answer 13

A key exchange algorithm used to privately share a symmetric key between two parties

Question 14

Diffie-Hellman Ephemeral

Answer 14

Uses ephemeral keys, generating different keys for each session

Question 15

Elliptic Curve Diffie-Hellman Exchange

Answer 15

Uses ephemeral keys generated using ECC, another version ECDH, uses static keys

Question 16

Elliptic Curve Diffie-Hellman (ECDH)

Answer 16

A key exchange protocol used in Public Key Infrastructure (PKI). It allows for establishing shared secrets between two parties

Question 17

DSA

Answer 17

Digital Signature Algorithm. Used as the digital signature for the US government, and was developed by NIST and the NSA. Uses an encrypted hash of a message. The hash is encrypted with the sender’s private key

Question 18

ECC

Answer 18

Elliptic curve cryptography. Doesn’t take as much processing power as the other cryptographic methods

Question 19

PGP

Answer 19

Pretty Good Privacy. A method used to secure email communication. It can encrypt, decrypt, and digitally sign email

Question 20

GPG

Answer 20

GNU Privacy Guard. Free software that is based on the OpenPGP standard

Question 21

RSA

Answer 21

Rivest–Shamir–Adleman. Asymmetric encryption method using both a public key and a private key in a matched pair

Question 22

Pseudo-random number generation

Answer 22

Used in symmetric ciphers

Question 23

Random random number generation

Answer 23

Used in asymmetric ciphers

Question 24

WEP

Answer 24

Wired Equivalent Privacy. Introduced as part of the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network

Question 25

WPA

Answer 25

Wi-Fi Protected Access. An interim replacement for Wired Equivalent Privacy. WPA is designed to work with older wireless clients while implementing the 802.11i standard. WPA is susceptible to password-cracking attacks. WPA uses TKIP

Question 26

WPA2

Answer 26

Wi-Fi Protected Access II. Permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol and CCMP should be used instead of TKIP

Question 27

OCSP

Answer 27

Online Certificate Status Protocol. OCSP allows the client to query the CA with the serial number of the certificate. OCSP is replacing CRL as OCSP is real-time

Question 28

CRL

Answer 28

Certificate Revocation List. A method of validating a certificate. Can take up to 48 hours

Question 29

CSR

Answer 29

Certificate Signing Request. A CSR is an encrypted message that validates the information required by the CA for issuing a certificate. Once it is verified by the CA, CSR inserts the generated public key into the certificate, which is then digitally signed with the private key of the CA

Question 30

OID

Answer 30

Object Identifiers. An OID is a string of decimal numbers used to uniquely identify the objects (e.g., syntaxes, data elements, and other parts of distributed applications). OIDs are usually found in SNMP, X.500 directories, and OSI applications where uniqueness is crucial

Question 31

MD5

Answer 31

Message Digest 5. A common hashing algorithm that produces a 128-bit hash

Question 32

HMAC

Answer 32

Hash-based Message Authentication Code. – Fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-1. However, HMAC also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key. HMAC verifies both the integrity and authenticity of a message

Question 33

KHMAC

Answer 33

Keyed Hashing for Message Authenticate Code. Used to digitally sign packets that are transmitted on IPSec connections

Question 34

RIPEMD

Answer 34

RACE Integrity Primitives Evaluation Message Digest. Hash function used for integrity, though it isn’t as widely used as MD5, SHA, and HMAC

Question 35

SHA

Answer 35

Secure Hash Algorithm. Another hashing algorithm. There are several variations of SHA grouped into four families – SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 produces 160-bit checksum

Question 36

EAP

Answer 36

Extensible Authentication Protocol. Provides a method for two systems to create a secure encryption key, also known as a Pairwise Master Key (PMK). Systems then use this key to encrypt all data transmitted between the devices. Both TKIP and AES-based CCMP use this key, though CCMP is much more secure

Question 37

PEAP

Answer 37

Protected EAP. Provides an extra layer of protection for EAP. PEAP encapsulates and encrypts the EAP conversation in a Transport Layer Security (TLS) tunnel. PEAP requires a certificate on the server, but not the clients. A common implementation is with MS-CHAPv2

Question 38

EAP-FAST

Answer 38

EAP-Flexible Authentication via Secure Tunneling. Cisco designed as a secure replacement for Lightweight EAP (LEAP). It supports certificates, but they are optional

Question 39

EAP-TLS

Answer 39

One of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that it requires certificates on the 802.1x server and on each of the wireless clients

Question 40

EAP-TTLS

Answer 40

An extension of PEAP, allowing systems to use some older authentication methods such as Password Authentication Protocol (PAP) within a TLS tunnel. EAP-TTLS requires a certificate on the 802.1x server but not the clients

Question 41

RADIUS Federation

Answer 41

RADIUS Federation is a group of RADIUS servers that assist with network roaming. The servers will validate the login credentials of a user belonging to another RADIUS server’s network