7 - PKI and Cryptographic Applications Flashcards

1
Q

What is the difference between private and public-key cryptosystems?

A
  • Public Key Cryptosystem: Relies on pairs of keys assigned to each user of the cryptosystem, one public key and one private key. The public key can be used by anyone who is interested in communicating with the private key holder.
  • Private Key Cryptosystem: Both parties to the communication share a single private key, which is used to encrypt and decrypt messages.
2
Q

What is RSA?

A

Named after Ronald Rivest, Adi Shamir, and Leonard Adleman. They patented the algorithm and formed RSA Security. Depends on the computational difficulty inherent in factoring large prime numbers.

  1. Choose two large prime numbers (~200 digits each), labeled p and q.
  2. Compute the product of those 2 numbers: n = p * q
  3. Select a number, e, that satisfies the following two requirements:
    1. e is less than n
    2. e and (p-1)(q-1) are relatively prime - that is, the two numbers have no common factors other than 1.
  4. Find a number, d, such that (ed-1) mod (p-1)(q-1)=1
  5. Distribute e and n as the public key to all cryptosystem users. Keep d secret as the private key.
3
Q

What is El Gamal?

A

The algorithm developed by Dr. T. El Gamal in 1985 is based on the premise that the Diffie-Hellman algorithm could be extended to support an entire public-key cryptosystem. It was released straight into the public domain; it was not patented or proprietary.

One of the major disadvantages of this system is that it doubles the length of any message it encrypts, which presents a major hardship when encrypting long messages that will be transmitted over a narrow-bandwidth comms circuit.

4
Q

What is the Elliptic Curve algorithm?

A

Independently proposed by two mathematicians, Neal Koblitz at the University of Washington and Victor Miller at IBM; it utilizes the mathematics of elliptic curves, known as elliptic curve cryptography (ECC).

Based on the elliptic curve algorithm, where an elliptic curve group is made up of points on the elliptic curve along with the point O located at infinity. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve algo: P + Q

The problem can be extended to involve multiplication by assuming that Q is a multiple of P, meaning the following:

Q = xP

Scientists believe it is extremely hard to find x, even if P and Q are already known. The RSA key of 1,024 bits is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.

5
Q

What are the 5 requirements of a hash function?

A
  1. The input can be of any length
  2. The output has a fixed length
  3. The hash function is relatively easy to compute for any input
  4. The hash function is one-way (extremely hard to determine the input from the given output)
  5. The hash function is collision-free (it is hard to find 2 messages that produce the same hash value)
6
Q

What are hash functions?

A

They take a potentially long message and generate a unique output value derived from the content of the message. This value is called a message digest. Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message in order for the recipient to recompute the digest and use it to verify the authenticity of the message. Message digests can also be used to implement a digital signature.

7
Q

What are some common types of Hash Functions?

A
  • SHA (Secure Hash Algorithm): Government standard hash functions promoted by NIST.
    • SHA-1: Produces a 160-bit message digest. Processes a message in 512-bit blocks (it will pad the message if it doesn’t meet this size).
    • SHA-2: Has 4 variants:
      • SHA-256 produces a 256-bit message digest using a 512-bit block size.
      • SHA-224 uses a truncated version of SHA-256 to produce a 224-bit message digest using the same block size.
      • SHA-512 produces a 512-bit message digest using 1,024-bit block size.
      • SHA-384 uses a truncated version of SHA-512 to produce a 384-bit digest using a 1,024-bit block size.
  • MD2 (Message Digest 2): Developed by Ronald Rivest of RSA fame in 1989. It pads the message so that its length is a multiple of 16 bytes. A 16-byte checksum is then computed and appended to the message. A 128-bit digest is then generated from this unit. It was later discovered that, without the checksum, collisions were occurring.
  • MD4 (Message Digest 4): Enhanced version of MD2. It pads the message to ensure it is 64 bits less than a multiple of 512. The algorithm then processes 512-bit blocks of the message in 3 rounds of computation, resulting in a 128-bit digest.
  • MD5 (Message Digest 5): Processes 512-bit blocks of the message in 4 rounds of computation that produce a 128-bit digest. The padded message also must be 64 bits less than a multiple of 512 bits. This was found to have collisions.
8
Q

What are Collisions?

A

Collisions are when message digests are the same for 2 (or more) different messages.

9
Q

What is a Digital Signature?

A

It is when a sender generates a message digest of a plaintext message and then encrypts it with their private key. The recipient will then decrypt the message digest with the sender’s public key and confirm the message digest matches the sender’s (both parties need to be using the same hashing algo).

10
Q

What are the goals of a Digital Signature?

A

Digital signatures have 2 distinct goals:

  1. Non-Repudiation: Assures the recipient that the message truly came from the claimed sender.
  2. Integrity: Assures the recipient the message was not altered while in transit between the sender and recipient. Protects against malicious and accidental modification of messages.

Digital Signatures rely on public key cryptography and hashing functions. Digital Signatures ensure that integrity, authentication, and nonrepudiation are met.

11
Q

What is HMAC?

A

The Hashed Message Authentication Code (HMAC) implements a partial digital signature and uses a shared secret key.

This is faster than digital signatures based on PKI.

12
Q

What is the Digital Signature Standard?

A

The Digital Signature Standard (DSS) specifies that all federally approved digital signature algos must use the SHA-3 hashing functions. It also specifies the encryption algos that can be used to support a digital signature infrastructure:

  1. Digital Signature Algorithm (DSA)
  2. Rivest-Shamir-Adleman (RSA)
  3. Elliptic Curve DSA (ECDSA)
13
Q

What are Digital Certificates?

A

Certificates are endorsed copies of an individual’s public key. They are usually signed by a trusted Certificate Authority (CA) to prove that the public key is legitimate. Certificates are usually governed by an international standard, X.509. This means they contain the following data:

  • The version of X.509 (current version is 3)
  • Serial number
  • Signature Algorithm (the technique used by the CA to digitally sign the contents of the cert)
  • Issuer name
  • Validity period
  • Subject’s name (contains the Distinguished Name, DN)
  • Subject’s public key
14
Q

What is a Certificate Authority?

A

Neutral organizations that offer notarization services for digital certificates. In order to obtain a digital cert from a reputable CA, you must prove your identity to the satisfaction of the CA. Browser developers preconfigure browsers to trust the major CAs to avoid placing the burden of setting up trusted CAs on the users.

15
Q

What is a Registration Authority?

A

They assist CAs with the burden of verifying users’ identities prior to issuing digital certificates.

16
Q

What is the Certificate Path Validation (Chain of Trust)?

A

It is where each certificate in a certificate path, from the original start or root of trust down to the server/client, is trusted. If an intermediary is broken, then the whole chain has to be set up again.

17
Q

What is the Certificate Lifecycle?

A
  • Enrollment: You must first prove your identity in some manner. This sometimes requires supplying documentation and being vouched for. You will then provide them with a copy of your public key. The CA then digitally signs the certificate with their private key and provides the requestor with a copy of the certificate.
  • Verification:
    • Checking the CA’s digital signature using the CA’s public key.
    • You trust the CA.
    • You must also check if the certificate has been revoked by using a Certificate Revocation List (CRL) / Online Certificate Status Protocol (OCSP).
    • The certificate actually contains the data you are trusting.
  • Revocation: This happens for a variety of reasons:
    • The certificate was compromised (cert owner accidentally gave away the private key)
    • The certificate was erroneously issued
    • The details of the cert had been changed (ex. subject’s name)
    • The security association changed (the subject is no longer employed by the org sponsoring the certificate)
18
Q

What are Certificate Revocation Lists and the Online Certificate Status Protocol?

A
  • Certificate Revocation List (CRL): Maintained by the CAs and contains the serial numbers of certs that have been revoked. The downside is that they have to be downloaded and/or referenced.
  • Online Certificate Status Protocol (OCSP): This provides real-time certificate verification.
19
Q

What are some best practices for Asymmetric Key Management?

A
  • Choose your encryption system wisely: pick one that has been properly vetted by industry experts.
  • Select your keys in an appropriate manner, with a proper balance of key length and performance, and generate them in a truly random way.
  • Keep your private key secure.
  • Retire keys when they have served their useful purpose.
  • Back up your key.
  • Hardware Security Modules (HSMs): Provide an effective way to manage encryption keys (ex. Yubikey).
20
Q

What is a Trusted Platform Module (TPM)?

A

A TPM is a chip that resides on the motherboard of a device and is used for Full Disk Encryption (FDE) solutions and for the storage and management of keys. TPMs also prevent someone from removing the drive from one device and plugging it into another.

21
Q

How is email encrypted?

A
  • Best practices:
    • If you need confidentiality, encrypt
    • If you need integrity, hash
    • If you need authentication and/or nonrepudiation, digitally sign.
  • Pretty Good Privacy (PGP): Developed by Phil Zimmermann in 1991.
    • Commercial: Uses RSA for key exchange, IDEA for encryption, and MD5 for hashing.
    • Freeware: Diffie-Hellman key exchange, Carlisle Adams /Stafford Tavares (CAST) 128-bit encryption algo, and the SHA-1 hashing function.
  • S/MIME (Secure/Multipurpose Internet Mail Extensions): Uses RSA for encryption. Relies on X.509 certs for exchanging keys and digital signatures.
22
Q

How can web applications be encrypted?

A
  • Secure Sockets Layer (SSL): Developed by Netscape to provide client/server encryption for web traffic. Hypertext Transfer Protocol Secure (HTTPS) uses port 443 to negotiate encrypted communications sessions between web servers and browser clients.
    • User accesses a website, the browser retrieves the web server’s certificates and extracts the server’s public key from it.
    • The browser creates a random symmetric key, uses the server’s public key to encrypt it, and then sends the encrypted symmetric key to the server.
    • The server then decrypts the symmetric key using its own private key, and then the 2 systems exchange all future messages using the symmetric key.
  • Transport Layer Security (TLS): Proposed as a replacement for SSL in 1999. Uses HTTPS over 443. Early versions of TLS could revert communications to SSL v3.0 when both parties did not support TLS, but in 2011 TLS v1.2 dropped this backward compatibility.
23
Q

What is Steganography?

A

Steganography is the art of using cryptographic techniques to embed secret messages within another message. These algorithms work by making alterations to the least significant bits of the many bits that make up image files. The changes are so minor that there is no noticeable effect on the image.

This technology can be used to watermark intellectual property.

24
Q

What are some forms of Digital Rights Management (DRM)? (And what is it?)

A

DRM uses encryption to enforce copyright restrictions on digital media. All DRM schemes in use today share a fatal flaw in that each device accessing the content must have access to the decryption key. Users can manipulate the device to gain access to the key and distribute it.

  • Music DRM
  • Movie DRM
    • High-Bandwidth Digital Content Protection (HDCP): Hackers released the key, which rendered this obsolete.
    • Advanced Access Content System (AACS): Protects content on Blu-ray and HD DVD, but it was also rendered obsolete.
  • E-Book DRM
  • Video Game DRM
  • Document DRM
25
Q

What are some Cryptographic Networking applications?

A
  • Circuit Encryption: Admins use 2 different techniques to secure data traveling over networks.
    • Link Encryption: Creates a secure tunnel between 2 points using either hardware or software that encrypts all traffic entering and exiting the tunnel.
    • End-to-End Encryption: Protects communications between 2 parties such as using TLS.
    • The difference between these 2 is that Link Encryption encrypts the whole packet, including header, trailer, etc., whereas End-to-End only encrypts the data. End-to-End is faster but more susceptible to sniffing.
    • SSH is End-to-End
  • IPsec (Internet Protocol Security): Can connect 2 networks or 2 individual machines. Uses public key cryptography to provide encryption, access control, nonrepudiation, etc. The primary use of IPsec is VPNs, and it is commonly paired with Layer 2 Tunneling Protocol (L2TP).
    • The 2 main components of IPsec are:
      • Authentication Header (AH): Provides assurance of message integrity and nonrepudiation.
      • Encapsulating Security Payload (ESP): Provides confidentiality and integrity of packet contents.
    • The 2 modes are:
      • Transport Mode: Only the packet payload is encrypted
      • Tunneling Mode: The entire packet, including the header, is encrypted.
    • Security Association: Represents the communication session and records any configuration and status information about the connection. It is a simplex connection, which is one way (if you want 2-way then set up 2 associations).
  • ISAKMP (Internet Security Association and Key Management Protocol): Provides background security support services for IPsec by negotiating, establishing, modifying, and deleting security associations. In other words, it manages SAs. The four basic requirements:
    • Authenticate communicating peers
    • Create and manage security associations
    • Provide key generation mechanisms
    • Protect against threats
  • Wireless Networking: There are 2 types of wireless security:
    • Wired Equivalent Privacy (WEP): WEP provides 64 and 128-bit encryption options to protect communications within the wireless LAN.
    • WiFi Protected Access (WPA): Improves on WEP encryption by implementing the Temporal Key Integrity Protocol (TKIP). WPA2 adds AES cryptography. It is not end-to-end encryption, only from device to nearest wireless access point (WAP).
    • 802.1x: Provides a flexible framework for authentication and key management in wired and wireless networks. The client runs a piece of software called the supplicant which communicates with the authentication server and after authentication the WAP allows the client to access the network.
26
Q

What are some known Cryptographic Attacks?

A
  • Analytic Attack: An algebraic manipulation that attempts to reduce the complexity of the algorithm. Focuses on the logic itself.
  • Implementation Attack: Focuses on exploiting the software code, not just errors and flaws but the methodology itself.
  • Statistical Attack: Exploits statistical weaknesses in a cryptosystem such as floating-point errors and the inability to produce truly random numbers. Attempts to find vulnerabilities in the OS or hardware the cryptography is hosted in.
  • Brute Force: Attempts every possible valid combination for a key or password. Involves using massive amounts of processing power to methodically guess the key. **Brute force attacks can be successful given enough time, but every additional bit of key length doubles the time to perform a brute-force attack because the number of potential keys doubles.** 2 things that can enhance the effectiveness:
    • Rainbow Tables
    • Scalable hardware
  • Frequency Analysis and the Ciphertext Only Attack: Counting the number of times each letter appears in the ciphertext in order to determine what the word is.
  • Known Plaintext: When the attacker has a copy of the plaintext and ciphertext message and uses it to break the code.
  • Chosen Ciphertext: Attacker has the ability to decrypt chosen portions of ciphertext and use that portion to discover the key.
  • Chosen Plaintext: Attacker has the ability to encrypt plaintext messages of their choosing.
  • Meet in the Middle: The attacker uses a known-plaintext message, encrypts with every known possible key (k1), and the equivalent ciphertext is decrypted using all possible keys (k2). When a match is found, this represents both portions of the double encryption.
  • Man in the Middle: A malicious individual sits between two communicating parties and intercepts all communications.
  • Birthday: aka a Collision Attack or Reverse Hash Matching, seeks to find flaws in the one-to-one nature of hashing functions.
  • Replay: Where a malicious individual intercepts an encrypted message between two parties and then later “replays” the captured message to open a new session.