Ch10: Understanding Cryptography and PKI Flashcards

1
Q

Hashing verifies…

A

integrity of data such as email, downloaded files, and files stored on disk (it shows that data changed, not who changed it)

2
Q

Two popular hashing algorithms are

A

MD5 and the SHA family (SHA-1, SHA-2 such as SHA-256, SHA-3). MD5 and SHA-1 have practical collision attacks, so use SHA-256 or stronger wherever collision resistance matters

3
Q

HMAC verifies…

A

both integrity and authenticity of a message by mixing a shared secret key into the hash; without the key an attacker cannot compute a valid tag for a modified message

4
Q

Protocols such as IPsec and TLS use

A

HMAC variants for message authentication: HMAC-MD5 and HMAC-SHA1 in older cipher suites, HMAC-SHA256 in current TLS 1.2 suites. Modern suites prefer AEAD modes such as AES-GCM, and TLS 1.3 allows AEAD suites only
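An added example (not part of the original flashcards) showing the distinction cards 1 to 4 draw between a plain hash and an HMAC, using Python's standard hashlib and hmac modules. The message, key and account numbers are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message for this example, not from any real system.
MESSAGE = b"Pay 100 EUR to account 1234"


def sha256_hex(data: bytes) -> str:
    """Plain hash: a fixed 256-bit digest that anyone holding the data can recompute."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a downloaded file in chunks so it never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            h.update(chunk)
    return h.hexdigest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag: only a holder of the shared secret can produce or check it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """compare_digest runs in constant time, so the check does not leak how many
    leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def attacker_beats_plain_hash() -> bool:
    """Hash only: an attacker who alters the message in transit simply recomputes
    the digest and the receiver's check still passes (integrity, no authenticity)."""
    altered = MESSAGE.replace(b"1234", b"9999")
    received_message, received_digest = altered, sha256_hex(altered)
    return sha256_hex(received_message) == received_digest


def attacker_beats_hmac(key: bytes) -> bool:
    """HMAC: the attacker can alter the message but, lacking the key, can only
    replay the original tag, so the receiver's check fails."""
    tag = hmac_tag(key, MESSAGE)
    altered = MESSAGE.replace(b"1234", b"9999")
    return verify_tag(key, altered, tag)
```

Run `attacker_beats_plain_hash()` and `attacker_beats_hmac(key)` side by side: the first returns True (the forgery is accepted), the second False. The same functions verify a download against a published SHA-256 (`sha256_file`) and authenticate an API message with a shared secret (`verify_tag`).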

5
Q

Hashing is a…

A

one-way function that turns input of any length into a fixed-length digest (a string of characters) from which the input cannot be recovered

6
Q

Passwords are often stored as…

A

salted hashes produced by a slow, purpose-built password hashing function, never as plaintext or as reversible encryption

7
Q

Bcrypt and PBKDF2 are…

A

key stretching techniques: both salt the password and iterate a slow function many times, so each guess costs an attacker far more (slowing brute force) and precomputed rainbow tables are useless because every salt makes the hash unique. scrypt and Argon2 are newer alternatives

8
Q

MD5, SHA, and HMAC are

A

hashing algorithms (MD5, SHA) and a keyed message authentication code built on a hash (HMAC). None of them encrypts data, and none can be reversed to recover the input

9
Q

Encryption provides

A

confidentiality and helps ensure that data is viewable only by authorized users (data-at-rest or data-in-transit)

10
Q

Random numbers are…

A

drawn from an unpredictable physical source (a true random number generator), so no one can predict the next value from the previous ones

11
Q

Pseudo-random numbers

A

appear to be random but are created by deterministic algorithms from a seed; the same seed reproduces the same sequence, so keys and IVs must come from a cryptographically secure PRNG seeded with real entropy, not from a general-purpose PRNG

12
Q

In cryptology, confusion indicates…

A

that the relationship between the key and the ciphertext is obscured, so the ciphertext looks nothing like the plaintext and reveals nothing about the key

13
Q

Diffusion cryptographic techniques ensure

A

a small change in the plaintext (even a single bit) changes about half of the ciphertext bits (the avalanche effect), so statistical patterns of the plaintext do not show through

14
Q

Stream ciphers

A

encrypt data one bit or byte at a time by XORing it with a keystream; a keystream (key plus nonce) must never be reused for two messages

15
Q

Block ciphers

A

encrypt data in fixed-size blocks (64 bits for DES, 3DES and Blowfish; 128 bits for AES); the last block must be padded unless the mode of operation (e.g., CTR) turns the cipher into a stream

16
Q

Stream ciphers are more _ than block ciphers when encrypting data in a continuous stream

A

efficient (no padding, no waiting for a full block) when encrypting data in a continuous stream

17
Q

ECB mode is…

A

Electronic Codebook mode encrypts every block independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and the structure of the data leaks. It is deprecated and should not be used

18
Q

CBC mode

A

Cipher Block Chaining mode XORs each plaintext block with the previous ciphertext block (the first with an IV) before encrypting it. Encryption is therefore sequential and can suffer from pipeline delays; CBC is also exposed to padding-oracle attacks when the padding check is not protected by a MAC

19
Q

CTR mode (written CTM in some exam guides)

A

Counter mode encrypts a nonce (IV) combined with an incrementing counter and XORs the output with the plaintext, turning the block cipher into a stream cipher: blocks are independent (parallelisable), no padding is needed, but the nonce must never repeat under the same key

20
Q

GCM

A

Galois/Counter Mode combines counter mode encryption with a Galois-field hash (GHASH) that produces an authentication tag over the ciphertext and any associated data (e.g., headers). The result is authenticated encryption (AEAD): confidentiality plus integrity and authenticity in one pass
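Added example for cards 12 to 20 (diffusion and the ECB, CBC, CTR and GCM modes), not from the original flashcards. Python's standard library has no AES, so the per-block encryption here is a stand-in built from HMAC-SHA256 (an assumption labelled in the code, not a real cipher); that is enough to show how each mode arranges blocks, what ECB leaks, how CBC diffuses a one-bit change forward, why a CTR nonce must never repeat, and why CTR without an authentication tag (the gap GCM fills) is malleable.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the AES block size

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's single-block encryption (an assumption of this
    example, not a real cipher): HMAC-SHA256 truncated to one block. As a keyed
    pseudorandom function it shows how each mode arranges blocks and what it leaks,
    but it cannot be inverted and must never be used to protect data."""
    if len(block) != BLOCK:
        raise ValueError("block_encrypt needs exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("block modes need padded input (a multiple of the block size)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: blocks are encrypted independently, so equal plaintext blocks give
    equal ciphertext blocks and the structure of the data leaks."""
    return b"".join(block_encrypt(key, b) for b in split_blocks(plaintext))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the
    first with the IV) before encryption. The chain hides repeats and carries a
    change forward through every later block, but it also forces the blocks to
    be encrypted one after another (the card's "pipeline delay")."""
    out, prev = [], iv
    for b in split_blocks(plaintext):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """CTR: encrypt nonce || counter for counter = 0, 1, 2, ...; the blocks are
    independent, so the keystream can be produced in parallel or ahead of time."""
    if len(nonce) != BLOCK - 4:
        raise ValueError("nonce must leave 4 bytes for the counter")
    return b"".join(block_encrypt(key, nonce + i.to_bytes(4, "big")) for i in range(nblocks))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream turns the block cipher into a stream cipher: no
    padding is needed and decryption is exactly the same call."""
    nblocks = -(-len(data) // BLOCK)
    return xor(data, ctr_keystream(key, nonce, nblocks)[:len(data)])

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (ECB's tell-tale)."""
    bs = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(bs) - len(set(bs))

def changed_blocks(a: bytes, b: bytes) -> int:
    """How many blocks differ between two equal-length ciphertexts: measures how
    far a one-bit plaintext change diffuses under each mode."""
    return sum(1 for x, y in zip(split_blocks(a), split_blocks(b)) if x != y)

def flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def ctr_nonce_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Same key and nonce twice gives the same keystream, so C1 XOR C2 == P1 XOR P2
    and an eavesdropper learns the XOR of the two plaintexts."""
    return xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)) == xor(p1, p2)

def ctr_is_malleable(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """Without an authentication tag, flipping a ciphertext bit flips the same
    plaintext bit undetected; GCM's tag over the ciphertext is what stops this."""
    tampered = flip_bit(ctr_encrypt(key, nonce, plaintext), 3)
    return ctr_encrypt(key, nonce, tampered) == flip_bit(plaintext, 3)

if __name__ == "__main__":
    key, iv, nonce = b"k" * 32, b"\x00" * BLOCK, b"\x00" * 12  # constructed sample values
    pt = b"ATTACK AT DAWN!!" * 3                                 # three identical blocks
    print("repeated blocks ECB/CBC/CTR:", repeated_blocks(ecb_encrypt(key, pt)),
          repeated_blocks(cbc_encrypt(key, iv, pt)), repeated_blocks(ctr_encrypt(key, nonce, pt)))
    pt2 = flip_bit(pt, 0)
    print("blocks changed by a 1-bit flip ECB/CBC/CTR:",
          changed_blocks(ecb_encrypt(key, pt), ecb_encrypt(key, pt2)),
          changed_blocks(cbc_encrypt(key, iv, pt), cbc_encrypt(key, iv, pt2)),
          changed_blocks(ctr_encrypt(key, nonce, pt), ctr_encrypt(key, nonce, pt2)))
```

With three identical plaintext blocks, ECB produces two repeated ciphertext blocks while CBC and CTR produce none; flipping one plaintext bit changes one ECB block, every CBC block from that point on, and exactly one bit of CTR output. The last two functions show the two CTR failure modes that GCM's nonce discipline and authentication tag exist to address.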

21
Q

RADIUS uses what type of encryption?

A

symmetric encryption: client and server hold a shared secret, and the User-Password attribute is obfuscated with an MD5-based keystream derived from that secret. This is weak, which is why RADIUS traffic should be protected by IPsec or RadSec (RADIUS over TLS)

22
Q

AES

A

AES is a strong symmetric block cipher

blocks: 128-bit
keys: 128, 192, 256-bit

23
Q

DES/3DES

A

block ciphers that encrypt data in 64-bit blocks. The small block size allows birthday attacks (SWEET32) once roughly 2^32 blocks have been encrypted under one key, so they are unsuitable for long-lived sessions

24
Q

3DES was designed as

A

an interim replacement for DES (whose 56-bit key is brute-forceable), but NIST selected AES as the current standard

25
Q

Is 3DES still used?

A

Yes, in some legacy applications and hardware that do not support AES, but NIST has deprecated 3DES and disallows it for encrypting new data after 2023; plan migration to AES

26
Q

RC4

A

symmetric stream cipher, now considered broken because of keystream biases; it is prohibited in TLS (RFC 7465) and AES should be used instead
keys: 40 to 2048-bit

27
Q

Blowfish

A

symmetric block cipher

blocks: 64-bit
keys: 32 to 448-bit

28
Q

Twofish

A

symmetric block cipher

blocks: 128-bit
keys: 128, 192, 256-bit

29
Q

NIST standard

A

AES

30
Q

Which is faster - blowfish or AES-256?

A

Blowfish is faster in pure software on many platforms (the exam answer), but on CPUs with AES hardware instructions (AES-NI) AES is much faster, and Blowfish's 64-bit block limits how much data one key should protect

31
Q

DES

A

symmetric block cipher
block size: 64-bit
key size: 56-bit (64 bits including parity), brute-forceable in hours with modern hardware

32
Q

3DES

A

symmetric block cipher

blocks: 64-bit
keys: 56, 112, 168-bit (keying options 3, 2 and 1); the effective strength of 168-bit 3DES is about 112 bits because of meet-in-the-middle attacks

33
Q

Symmetric encryption algorithms

A

AES, DES, 3DES, Blowfish, Twofish, RC4

34
Q

Key element of several asymmetric encryption methods is…

A

they distribute public keys in certificates issued through a PKI, which binds each public key to a verified identity

35
Q

Certificates are an important part of…

A

asymmetric encryption

36
Q

Certificates include

A

public keys along with details on the owner of the certificate (the subject), the CA that issued the certificate, the validity period, and the CA's signature over all of it

37
Q

Certificate owners share their public key by…

A

sharing a copy of their certificate

38
Q

RSA is widely used to…

A

protect data such as email and other data transmitted over the Internet, normally by encrypting a symmetric session key rather than the data itself (asymmetric encryption), and to create digital signatures

39
Q

Diffie-Hellman is a…

A

method for two parties to derive the same shared secret over a public network without ever transmitting it: each side keeps a private exponent x and publishes g^x mod p. The resulting secret is used as a symmetric encryption key

40
Q

Elliptic Curve Cryptography is commonly used with…

A

small wireless and mobile devices, because it gives comparable strength with much smaller keys and less computation (a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key)

41
Q

ECDHE

A

Elliptic Curve Diffie-Hellman Ephemeral is a version of Diffie-Hellman that uses elliptic curve cryptography to generate session keys with a fresh key pair for every session (ephemeral), so a later compromise of a long-term key does not expose past sessions (forward secrecy)

42
Q

Steganography

A

hides messages or other data within a file

43
Q

To detect changes in files that may indicate the use of steganography, use…

A

hashing: compare the file's current hash with a known-good hash of the original. A different digest proves the file was modified, though not how

44
Q

For email digital signatures, sign/encrypt with…

A

sender’s private key: the sender hashes the message and signs (encrypts) the hash with their private key; the recipient verifies it with the sender’s public key

45
Q

For email encryption, encrypt with…

A

recipient’s public key, so only the recipient’s private key can decrypt it. In practice a random symmetric key encrypts the message body and the recipient’s public key encrypts that symmetric key

46
Q

For web site encryption, encrypt with…

A

web site’s public key (RSA key exchange: the client encrypts a pre-master secret with it), after which a symmetric session key encrypts the data in the web site session. With ECDHE key exchange (the norm today and the only option in TLS 1.3) the site’s key only signs the handshake and the session key comes from the ephemeral exchange

47
Q

A digital signature is

A

a hash of the message encrypted (signed) with the sender’s private key; the recipient decrypts it with the sender’s public key and compares it with a fresh hash of the received message

48
Q

Digital signatures provide

A

authentication, non-repudiation, and integrity

49
Q

Both TLS and SSL require…

A

certificates issued by Certificate Authorities (CAs) to authenticate the server. SSL 2.0 and 3.0 are prohibited (RFC 6176, RFC 7568); use TLS 1.2 or 1.3

50
Q

Admins should disable….

A

weak cipher suites and weak protocols on servers (e.g., SSL 3.0, TLS 1.0 and 1.1, RC4, 3DES, export-grade and NULL suites)

51
Q

When a server has both strong and weak cipher suites, attackers can…

A

launch downgrade attacks that force the negotiation onto the weak cipher suite or protocol, bypassing the strong one and exploiting the weak one (e.g., POODLE against SSL 3.0)

52
Q

PKI

A

A public key infrastructure is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates

53
Q

You typically request certificates using..

A

a CSR (certificate signing request)

54
Q

Process of requesting a certificate

A

Create an RSA- or ECC-based key pair on the requesting system (private key first). Put the public key and subject details in the CSR and sign the CSR with the private key to prove possession. The CA embeds the public key in the certificate and signs it; the private key is never sent to the CA.

55
Q

CAs revoke certificates for several reasons including

A

when the private key is compromised, the CA is compromised, the subject's affiliation changes, or the certificate is superseded or no longer needed

56
Q

CRL

A

The certificate revocation list is a CA-signed, publicly available list of revoked certificate serial numbers. Clients must download the whole list, which can be large and is only as current as its last publication

57
Q

Alternative to using a CRL

A

OCSP (Online Certificate Status Protocol) lets a client ask the CA's responder about one certificate and returns good, revoked, or unknown; the lookup adds latency and tells the responder which sites the client visits

58
Q

OCSP stapling

A

has the web server append a time-stamped, CA-signed OCSP response to the certificate it presents in the TLS handshake, so the client does not have to contact the OCSP responder itself

59
Q

Alternative to OCSP

A

OCSP stapling (also called certificate stapling), where the certificate presenter (the web server) appends a time-stamped, digitally signed OCSP response from the CA to its certificate, replacing the client's own OCSP lookup

60
Q

Public key pinning

A

the web server sends a list of public key hashes (the HTTP Public Key Pinning header) that clients store and use to validate certificates sent in subsequent sessions; only certificates chaining to a pinned key are accepted

61
Q

Public key pinning helps…

A

prevent attackers from impersonating a web site with a fraudulent certificate issued by a compromised or rogue CA. HPKP has since been removed from major browsers because a bad pin locks out a site's own users; Certificate Transparency took its place on the web, while pinning remains common inside mobile apps

62
Q

CER

A

File extension (.cer, also .crt) for a single certificate. The contents are usually DER binary but may also be Base64 PEM text, so check the first bytes (0x30 for DER, "-----BEGIN" for PEM) rather than trusting the extension

63
Q

DER

A

Distinguished Encoding Rules: the binary ASN.1 encoding of a certificate. A DER file starts with the byte 0x30 (SEQUENCE) and is not human-readable

64
Q

PEM

A

Most commonly used certificate format
ASCII: Base64-encoded DER wrapped in -----BEGIN ...----- and -----END ...----- lines
Can be used for almost any purpose
Can contain server certs, cert chains, keys, CSRs and CRLs, one after another in a single file

65
Q

P7B

A

PKCS#7: ASCII (Base64) certificate format used to share the public key and its chain

Can contain certs, cert chains, CRL, never the private key

66
Q

P12/PFX

A

PKCS#12: password-protected binary format commonly used to store the private key with its certificate, e.g., to move a server identity between hosts
Can contain certs, cert chains, and private keys
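Added example for cards 62 to 66, not from the original flashcards: a minimal DER (tag-length-value) reader and a PEM encoder/decoder that make the relationship between the formats concrete. The DER blob is a constructed two-field SEQUENCE, not a real certificate; a certificate is the same kind of structure with many more nested fields.

```python
import base64
import textwrap

# Constructed DER for this example, not a real certificate:
# SEQUENCE { INTEGER 2, UTF8String "example" }
# Tags: 0x30 SEQUENCE (constructed), 0x02 INTEGER, 0x0C UTF8String.
DER_SAMPLE = bytes.fromhex("300c" "020102" "0c07" "6578616d706c65")

CONSTRUCTED = 0x20  # tag bit meaning "the value holds further TLV elements"


def read_length(data: bytes, pos: int) -> tuple[int, int]:
    """DER length octets: one byte if < 128, else 0x80|N followed by N big-endian
    bytes. DER demands the shortest possible encoding, so anything else is rejected."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    length = int.from_bytes(data[pos:pos + n], "big")
    if length < 0x80 or data[pos] == 0:
        raise ValueError("non-minimal length encoding is not valid DER")
    return length, pos + n


def read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position just after this element)."""
    tag = data[pos]
    length, pos = read_length(data, pos + 1)
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode(tag: int, value: bytes):
    """Constructed tags recurse; INTEGER and UTF8String are decoded, others stay raw."""
    if tag & CONSTRUCTED:
        items, pos = [], 0
        while pos < len(value):
            t, v, pos = read_tlv(value, pos)
            items.append(decode(t, v))
        return tag, items
    if tag == 0x02:
        return "INTEGER", int.from_bytes(value, "big", signed=True)
    if tag == 0x0C:
        return "UTF8String", value.decode("utf-8")
    return tag, value


def parse_der(data: bytes):
    tag, value, end = read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the outer SEQUENCE")
    return decode(tag, value)


def der_to_pem(der: bytes, label: str) -> str:
    """PEM is simply Base64 of the DER bytes between BEGIN/END lines, 64 chars per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(text: str) -> list[tuple[str, bytes]]:
    """A PEM file may hold several objects back to back (a chain, or cert plus key);
    return every (label, DER) pair in file order."""
    out, label, lines = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, lines = line[11:-5], []
        elif line.startswith("-----END ") and label is not None:
            out.append((label, base64.b64decode("".join(lines), validate=True)))
            label = None
        elif label is not None and line:
            lines.append(line)
    return out


def detect_format(data: bytes) -> str:
    """.cer/.crt files carry either encoding; sniff the bytes instead of trusting the name."""
    if data[:1] == b"\x30":
        return "DER"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    return "unknown"
```

`parse_der(DER_SAMPLE)` returns `(0x30, [("INTEGER", 2), ("UTF8String", "example")])`, and `pem_to_der(der_to_pem(DER_SAMPLE, "EXAMPLE"))` gives the original bytes back, which is the whole difference between the DER and PEM cards: same ASN.1 content, binary versus Base64 text. Feeding a real certificate file to `detect_format` shows why the .cer extension alone does not tell you which one you have.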