Ch10: Understanding Cryptography and PKI

Question 1

Hashing verifies…

Answer 1

integrity for data such as email, downloaded files, and files stored on a disk

Question 2

Two popular hashing algorithms are

Answer 2

MD5 and SHA

Question 3

HMAC verifies…

Answer 3

both integrity and authenticity of a message with the use of a shared secret

Question 4

Protocols such as IPsec and TLS use

Answer 4

HMAC-MD5 and HMAC-SHA1

Question 5

Hashing is a…

Answer 5

one-way function that creates a string of characters

Question 6

Passwords are often stored as…

Answer 6

hashes, often salted

Question 7

Bcrypt and PBKDF2 are…

Answer 7

key stretching techniques that help prevent brute force attacks and rainbow table attacks. Both salt the password

Question 8

MD5, SHA, and HMAC are

Answer 8

hashing algorithms (not for encrypting data)

Question 9

Encryption provides

Answer 9

confidentiality and helps ensure that data is viewable only by authorized users (data-at-rest or data-in-transit)

Question 10

Random numbers are…

Answer 10

picked by chance

Question 11

Pseudo-random numbers

Answer 11

appear to be random but are created by deterministic algorithms

Question 12

In cryptology, confusion indicates…

Answer 12

that the ciphertext is significantly different than the plaintext

Question 13

Diffusion cryptographic techniques ensure

Answer 13

small changes in the plaintext result in significant changes in the ciphertext

Question 14

Stream ciphers

Answer 14

encrypt data a single bit or byte at a time in a stream

Question 15

Block ciphers

Answer 15

encrypt data in a specific-sized block

Question 16

Stream ciphers are more _ than block ciphers when encrypting data in a continuous stream

Answer 16

more efficient when encrypting data in a continuous stream

Question 17

ECB mode is…

Answer 17

Electronic Codebook mode is deprecated and should not be used

Question 18

CBC mode

Answer 18

Cipher Block Chaining mode combines each block with the previous block when encrypting data and sometimes suffers from pipeline delays

Question 19

CTM mode

Answer 19

Counter mode combines an IV with a counter to encrypt each block

Question 20

GCM

Answer 20

Galois/Counter mode combines counter mode with hashing techniques for integrity

Question 21

RADIUS uses what type of encryption?

Answer 21

symmetric encryption

Question 22

AES

Answer 22

AES is a strong symmetric block cipher

blocks: 128-bit
keys: 128, 192, 256-bit

Question 23

DES/3DES

Answer 23

block ciphers that encrypt data in 64-bit blocks

Question 24

3DES was designed as

Answer 24

a replacement for DES, but NIST selected AES as the current standard

Question 25

Is 3DES still used?

Answer 25

Yes, in some applications where legacy hardware doesn’t support AES

Question 26

RC4

Answer 26

symmetric stream cipher (most experts recommend using AES instead)
keys: 40 to 2048-bit

Question 27

Blowfish

Answer 27

symmetric block cipher

blocks: 64-bit
keys: 32 to 448-bit

Question 28

Twofish

Answer 28

symmetric block cipher

blocks: 128-bit
keys: 128, 192, 256-bit

Question 29

NIST standard

Answer 29

AES

Question 30

Which is faster - blowfish or AES-256?

Answer 30

Blowfish is faster

Question 31

DES

Answer 31

symmetric block cipher
block size: 64-bit
key size: 56-bit

Question 32

3DES

Answer 32

symmetric block cipher

blocks: 64-bit
keys: 56, 112, 168-bit

Question 33

Symmetric encryption algorithms

Answer 33

AES, DES, 3DES, Blowfish, Twofish, RC4

Question 34

Key element of several asymmetric encryption methods is…

Answer 34

they require a certificate and a PKI

Question 35

Certificates are an important part of…

Answer 35

asymmetric encryption

Question 36

Certificates include

Answer 36

public keys along with details on the owner of the certificate and the CA that issued the certificate

Question 37

Certificate owners share their public key by…

Answer 37

sharing a copy of their certificate

Question 38

RSA is widely used to…

Answer 38

protect data such as email and other data transmitted over the Internet (asymmetric encryption)

Question 39

Diffie-Hellman is a…

Answer 39

secure method of sharing symmetric encryption keys over a public network

Question 40

Elliptic Curve Cryptography is commonly used with…

Answer 40

small wireless devices

Question 41

ECDHE

Answer 41

Elliptic Curve Diffie-Hellman Ephemeral is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys

Question 42

Steganography

Answer 42

hides messages or other data within a file

Question 43

To detect changes in files that may indicate the use of steganography, use…

Answer 43

hashing

Question 44

For email digital signatures, sign/encrypt with…

Answer 44

sender’s private key

Question 45

For email encryption, encrypt with…

Answer 45

recipient’s public key

Question 46

For web site encryption, encrypt with…

Answer 46

web site’s public key. Symmetric key encrypts data in the web site session

Question 47

A digital signature is

Answer 47

an encrypted hash of a message

Question 48

Digital signatures provide

Answer 48

authentication, non-repudiation, and integrity

Question 49

Both TLS and SSL require…

Answer 49

certificates issued by Certificate Authorities (CAs)

Question 50

Admins should disable….

Answer 50

weak cipher suites and weak protocols on servers

Question 51

When a server has both strong and weak cipher suites, attackers can…

Answer 51

launch downgrade attacks bypassing the strong cipher suite and exploiting the weak cipher suite

Question 52

PKI

Answer 52

A public key infrastructure is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates

Question 53

You typically request certificates using..

Answer 53

a CSR (certificate signing request)

Question 54

Process of requesting a certificate

Answer 54

Create RSA-based key pair (private first). Include public key in CSR. CA will embed the public key in the certificate (private key is not sent to CA).

Question 55

CAs revoke certificates for several reasons including

Answer 55

when the private key is compromised or the CA is compromised

Question 56

CRL

Answer 56

The certificate revocation list includes a list of revoked certificates and is publicly available

Question 57

Alternative to using a CRL

Answer 57

OCSP (online certificate status protocol) returns answers such as good, revoked, or unknown

Question 58

OCSP stapling

Answer 58

appends a digitally signed OCSP response to a certificate

Question 59

Alternative to OCSP

Answer 59

Certificate stapling, where the certificate presenter appends the certificate with a timestamped digitally signed OCSP response from the CA

Question 60

Public key pinning

Answer 60

web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions

Question 61

Public key pinning helps…

Answer 61

prevent attackers from impersonating a web site with a fraudulent certificate

Question 62

CER

Answer 62

Binary certificate format

Question 63

DER

Answer 63

ASCII certificate format

Question 64

PEM

Answer 64

Most commonly used certificate format
Binary or ASCII certificate format
Can be used for almost any purpose
Can contain server certs, cert chains, keys, CRL

Question 65

P7B

Answer 65

ASCII certificate format used to share the public key

Can contain certs, cert chains, CRL, never the private key

Question 66

P12/PFX

Answer 66

Binary certificate format commonly used to store the private key with a certificate
Can contain certs, cert chains, and private keys