Ch10: Understanding Cryptography and PKI Flashcards
Hashing verifies…
integrity for data such as email, downloaded files, and files stored on a disk
Two popular hashing algorithms are
MD5 and SHA
HMAC verifies…
both integrity and authenticity of a message with the use of a shared secret
Protocols such as IPsec and TLS use
HMAC-MD5 and HMAC-SHA1
Hashing is a…
one-way function that creates a string of characters
Passwords are often stored as…
hashes, often salted
Bcrypt and PBKDF2 are…
key stretching techniques that help prevent brute force attacks and rainbow table attacks. Both salt the password
MD5, SHA, and HMAC are
hashing algorithms (not for encrypting data)
Encryption provides
confidentiality and helps ensure that data is viewable only by authorized users (data-at-rest or data-in-transit)
Random numbers are…
picked by chance
Pseudo-random numbers
appear to be random but are created by deterministic algorithms
In cryptology, confusion indicates…
that the ciphertext is significantly different than the plaintext
Diffusion cryptographic techniques ensure
small changes in the plaintext result in significant changes in the ciphertext
Stream ciphers
encrypt data a single bit or byte at a time in a stream
Block ciphers
encrypt data in a specific-sized block
Stream ciphers are more _ than block ciphers when encrypting data in a continuous stream
more efficient when encrypting data in a continuous stream
ECB mode is…
Electronic Codebook mode is deprecated and should not be used
CBC mode
Cipher Block Chaining mode combines each block with the previous block when encrypting data and sometimes suffers from pipeline delays
CTM mode
Counter mode combines an IV with a counter to encrypt each block
GCM
Galois/Counter mode combines counter mode with hashing techniques for integrity
RADIUS uses what type of encryption?
symmetric encryption
AES
AES is a strong symmetric block cipher
blocks: 128-bit
keys: 128, 192, 256-bit
DES/3DES
block ciphers that encrypt data in 64-bit blocks
3DES was designed as
a replacement for DES, but NIST selected AES as the current standard
Is 3DES still used?
Yes, in some applications where legacy hardware doesn’t support AES
RC4
symmetric stream cipher (most experts recommend using AES instead)
keys: 40 to 2048-bit
Blowfish
symmetric block cipher
blocks: 64-bit
keys: 32 to 448-bit
Twofish
symmetric block cipher
blocks: 128-bit
keys: 128, 192, 256-bit
NIST standard
AES
Which is faster - blowfish or AES-256?
Blowfish is faster
DES
symmetric block cipher
block size: 64-bit
key size: 56-bit
3DES
symmetric block cipher
blocks: 64-bit
keys: 56, 112, 168-bit
Symmetric encryption algorithms
AES, DES, 3DES, Blowfish, Twofish, RC4
Key element of several asymmetric encryption methods is…
they require a certificate and a PKI
Certificates are an important part of…
asymmetric encryption
Certificates include
public keys along with details on the owner of the certificate and the CA that issued the certificate
Certificate owners share their public key by…
sharing a copy of their certificate
RSA is widely used to…
protect data such as email and other data transmitted over the Internet (asymmetric encryption)
Diffie-Hellman is a…
secure method of sharing symmetric encryption keys over a public network
Elliptic Curve Cryptography is commonly used with…
small wireless devices
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys
Steganography
hides messages or other data within a file
To detect changes in files that may indicate the use of steganography, use…
hashing
For email digital signatures, sign/encrypt with…
sender’s private key
For email encryption, encrypt with…
recipient’s public key
For web site encryption, encrypt with…
web site’s public key. Symmetric key encrypts data in the web site session
A digital signature is
an encrypted hash of a message
Digital signatures provide
authentication, non-repudiation, and integrity
Both TLS and SSL require…
certificates issued by Certificate Authorities (CAs)
Admins should disable….
weak cipher suites and weak protocols on servers
When a server has both strong and weak cipher suites, attackers can…
launch downgrade attacks bypassing the strong cipher suite and exploiting the weak cipher suite
PKI
A public key infrastructure is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates
You typically request certificates using..
a CSR (certificate signing request)
Process of requesting a certificate
Create RSA-based key pair (private first). Include public key in CSR. CA will embed the public key in the certificate (private key is not sent to CA).
CAs revoke certificates for several reasons including
when the private key is compromised or the CA is compromised
CRL
The certificate revocation list includes a list of revoked certificates and is publicly available
Alternative to using a CRL
OCSP (online certificate status protocol) returns answers such as good, revoked, or unknown
OCSP stapling
appends a digitally signed OCSP response to a certificate
Alternative to OCSP
Certificate stapling, where the certificate presenter appends the certificate with a timestamped digitally signed OCSP response from the CA
Public key pinning
web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions
Public key pinning helps…
prevent attackers from impersonating a web site with a fraudulent certificate
CER
Binary certificate format
DER
ASCII certificate format
PEM
Most commonly used certificate format
Binary or ASCII certificate format
Can be used for almost any purpose
Can contain server certs, cert chains, keys, CRL
P7B
ASCII certificate format used to share the public key
Can contain certs, cert chains, CRL, never the private key
P12/PFX
Binary certificate format commonly used to store the private key with a certificate
Can contain certs, cert chains, and private keys