6.0 Cryptography & PKI Flashcards
Symmetric algorithm
Uses the same key to encrypt and decrypt data. Also known as secret key encryption.
DES
Data Encryption Standard. Symmetric block cipher. Encrypts data in 64-bit blocks with key of only 56 bits. Should not be used.
3DES (TDES)
Triple Data Encryption Standard. Symmetric block cipher. It encrypts data using the DES algorithm in three separate passes and uses multiple keys. Goes through 48 rounds when encrypting plaintext. Still used when legacy hardware doesn’t support AES.
AES
Advanced Encryption Standard. Strong symmetric block cipher that encrypts data in 128-bit blocks. The National Institute of Standards and Technology (NIST) adopted AES from the Rijndael encryption algorithm
Blowfish
Strong symmetric block cipher that is still widely used today. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits
Twofish
Related to Blowfish, but encrypts data in 128-bit blocks and it supports 128-, 192-, or 256-bit keys
RC4 (or ARC4)
Symmetric stream cipher and it can use between 40 and 2048 bit keys
IDEA
International Data Encryption Algorithm. Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into Ciphertext with a 128-bit key. IDEA is used in PGP. Developed in Switzerland
GOST
Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES). 64-bit block size. Symmetric block cipher
CAST-128 (or CAST5)
Symmetric key block cipher used in PGP and GPG
RC5
Private key encryption standard developed at MIT. Symmetric block cipher
Asymmetric algorithms
Also known as public key algorithms. The public key can be shared with anyone, whereas the private key is possessed only by the owner. The public key is used to encrypt the data while the private key is used to decrypt the data. Asymmetric ciphers use random number generation
Diffie-Hellman
A key exchange algorithm used to privately share a symmetric key between two parties
Diffie-Hellman Ephemeral
Uses ephemeral keys, generating different keys for each session
Elliptic Curve Diffie-Hellman Exchange
Uses ephemeral keys generated using ECC, another version ECDH, uses static keys
Elliptic Curve Diffie-Hellman (ECDH)
A key exchange protocol used in Public Key Infrastructure (PKI). It allows for establishing shared secrets between two parties
DSA
Digital Signature Algorithm. Used as the digital signature for the US government, and was developed by NIST and the NSA. Uses an encrypted hash of a message. The hash is encrypted with the sender’s private key
ECC
Elliptic curve cryptography. Doesn’t take as much processing power as the other cryptographic methods
PGP
Pretty Good Privacy. A method used to secure email communication. It can encrypt, decrypt, and digitally sign email
GPG
GNU Privacy Guard. Free software that is based on the OpenPGP standard
RSA
Rivest–Shamir–Adleman. Asymmetric encryption method using both a public key and a private key in a matched pair
Pseudo-random number generation
Used in symmetric ciphers
Random random number generation
Used in asymmetric ciphers
WEP
Wired Equivalent Privacy. Introduced as part of the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network
WPA
Wi-Fi Protected Access. An interim replacement for Wired Equivalent Privacy. WPA is designed to work with older wireless clients while implementing the 802.11i standard. WPA is susceptible to password-cracking attacks. WPA uses TKIP
WPA2
Wi-Fi Protected Access II. Permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol and CCMP should be used instead of TKIP
OCSP
Online Certificate Status Protocol. OCSP allows the client to query the CA with the serial number of the certificate. OCSP is replacing CRL as OCSP is real-time
CRL
Certificate Revocation List. A method of validating a certificate. Can take up to 48 hours
CSR
Certificate Signing Request. A CSR is an encrypted message that validates the information required by the CA for issuing a certificate. Once it is verified by the CA, CSR inserts the generated public key into the certificate, which is then digitally signed with the private key of the CA
OID
Object Identifiers. An OID is a string of decimal numbers used to uniquely identify the objects (e.g., syntaxes, data elements, and other parts of distributed applications). OIDs are usually found in SNMP, X.500 directories, and OSI applications where uniqueness is crucial
MD5
Message Digest 5. A common hashing algorithm that produces a 128-bit hash
HMAC
Hash-based Message Authentication Code. – Fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-1. However, HMAC also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key. HMAC verifies both the integrity and authenticity of a message
KHMAC
Keyed Hashing for Message Authenticate Code. Used to digitally sign packets that are transmitted on IPSec connections
RIPEMD
RACE Integrity Primitives Evaluation Message Digest. Hash function used for integrity, though it isn’t as widely used as MD5, SHA, and HMAC
SHA
Secure Hash Algorithm. Another hashing algorithm. There are several variations of SHA grouped into four families – SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 produces 160-bit checksum
EAP
Extensible Authentication Protocol. Provides a method for two systems to create a secure encryption key, also known as a Pairwise Master Key (PMK). Systems then use this key to encrypt all data transmitted between the devices. Both TKIP and AES-based CCMP use this key, though CCMP is much more secure
PEAP
Protected EAP. Provides an extra layer of protection for EAP. PEAP encapsulates and encrypts the EAP conversation in a Transport Layer Security (TLS) tunnel. PEAP requires a certificate on the server, but not the clients. A common implementation is with MS-CHAPv2
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling. Cisco designed as a secure replacement for Lightweight EAP (LEAP). It supports certificates, but they are optional
EAP-TLS
One of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that it requires certificates on the 802.1x server and on each of the wireless clients
EAP-TTLS
An extension of PEAP, allowing systems to use some older authentication methods such as Password Authentication Protocol (PAP) within a TLS tunnel. EAP-TTLS requires a certificate on the 802.1x server but not the clients
RADIUS Federation
RADIUS Federation is a group of RADIUS servers that assist with network roaming. The servers will validate the login credentials of a user belonging to another RADIUS server’s network