Chapter 10

Question 1

What is symmetric encryption?

Answer 1

Symmetric encryption uses the same key to encrypt and decrypt data. It can either use a stream cipher or block cipher to encrypt data.

Question 2

What is the difference between block ciphers and stream ciphers?

Answer 2

Block cipher: Encrypts data in blocks. More complex and requires more time. High diffusion. Less susceptible to malicious insertions, a single error in a block can corrupt an entire block. Block ciphers require an initialization vector. Generally efficient to use when the size of the data is known, database files.

Stream cipher: Encrypts data one bit at a time. High performance requires fewer resources. lowe diffusion. A single error in a bit is not likely to corrupt subsequent bits. Generally efficient to use when the size of the data is unknown or if it is sent in streams (like streaming video or audio).

Question 3

What is asymmetric encryption?

Answer 3

Asymmetric encryption used a key pair (private and public key) to encrypt and decrypt data. Asymmetric encryption requires a public key infrastructure (PKI) to issue certificates.

It is also slow and inefficient compared to symmetric encryption.

Question 4

What is steganography?

Answer 4

steganography is the process of hiding or embedding information inside another piece of information ( a picture for example). It can provide a level of confidentiality, but not as well as encryption.

Question 5

What do digital signatures provide?

Answer 5

Authentication, Integrity, Nonrepudiation

Question 6

What is a digital in an email (its composition)?

Answer 6

A user’s digital signature is a hash of the email message encrypted with the sender’s private key.

Question 7

What’s the general difference between a hash and a checksum?

Answer 7

Hash: More cryptographically secure, produces much longer numeric outcomes.

Checksum: Normally used as a fast way to quickly check the integrity of data, not meant to be cryptographically secure.

Question 8

What is MD5 and what is its recommended use?

Answer 8

MD5 is a hashing algorithm that has since been compromised and is not safe for use cryptographically. MD5 however, is still used to get quickly check the integrity of data, as a checksum.
MD5 is highly susceptible to Hash Collision.

Question 9

What is HMAC and does it differ from MD5 and SHA?

Answer 9

Hash-based Message Authentication Code (HMAC) is similar to MD5 and SHA and it provides a fixed-length string of bits (HMAC-MD5, HMAC-SHA256).

Where it differs is it also uses a shared secret key to add additional randomness to the result and only the sender and the receiver know the secret key. It is able to provide both integrity and authenticity of data.

Question 10

Which secure protocols often use a version of HMAC?

Answer 10

IPsec and TLS often use a version of HMAC such as HMAC-MD5 or HMAC-SHA256

Question 11

What is a Hash Collision?

Answer 11

A Hash Collision occurs when a hashing algorithm creates the same hash for two different inputs.

Question 12

What’s the difference between Online and Offline password attacks?

Answer 12

Online password attacks: Attempts to discover passwords from an online system. Systems logs can be used to identify failed login attempts and locked accounts due to multiple failed attempts.

Offline password attacks: Attempts to discover passwords from a captured database or captured packet scan offline. This attack gives attackers more time to discover a password.

Question 13

What do Event ID 4625 and Event ID 4740 mean in Windows system log?

Answer 13

Event ID 4625: Multiple failed login attempts

Event ID 4740: Account locked due to multiple failed login attempts

Question 14

What is a dictionary attack?

Answer 14

A dictionary attack is a password attack. It uses a dictionary of common words/phrases and characters (1234) to guess accounts passwords (attempting every word). A dictionary can be used in a brute-force attack.

Question 15

What is the difference between a brute force attack and a spraying attack?

Answer 15

These are both brute-force password attacks they use different methods to get the same desired outcome.

Brute force attack: Uses a large number of passwords against a single account in an attempt to guess the account password, or force its way in.

Spraying attack: Uses single passwords in rotation on multiple accounts.

Question 16

What is Pass the Hass Attack?

Answer 16

In a pass-the-hash attack, an attacker discovers the hash of a user’s password and uses this hash to log on to systems as the user.

Things to keep in mind: Strong indicator of this attack is the usage of NTLM as the authentication package and or a logon process of NtLmSSP shown in Event ID 4624 in Windows security log.
Event 4672 determines the privilege used to connect

Question 17

What is a birthday attack?

Answer 17

Birthday attacks exploit hash collision and the birthday mathematical paradox which states: In a random group of 23 people there is a 50% chance that 2 of them were born on the same day out of the 366 days in a year.

In a birthday attack, the attacker aims to create a password that produces the same hash as a user’s password.

If the password could only be one of 366 possibilities, the attacker has a 50% chance of guessing it after 23 attempts. This attack is stopped by increasing the number of bits in a hash to increase the number of possible hashes. MD5 is susceptible to birthday attacks (128 bits hash), whereas SHA-3 is not (512 bits hash).

Question 18

What is a Rainbow Table Attack?

Answer 18

A Rainbow Table Attack attempts to guess a user’s password from the hash.

Rainbow tables are huge databases of password and their hash. If an attacker gets a hash of a user password they can use a Rainbow table to see if the user’s hash matches any hash in the table. If there is a match, then the attacker knows the password or at least a password that produces the same hash as the user’s password.

Rainbow Tables are normally used in offline attacks.

Question 19

What is salting a password?

Answer 19

Password salting adds additional characters to a password before it is hashed, this adds complexity to the password and produces a hash that is different than the hash of just the password itself.

Salting is a great way to stop rainbow table attacks, dictionary attacks, brute force attacks, and other password attacks.

Question 20

What is Key Stretching?

Answer 20

Key Stretching is used to increase the strength of the stored password by adding a cryptographic stretching algorithm to a salted password.

Three common key stretching algorithms are bcrypt, PBKDF2, Argon2.

Question 21

What is bcrypt?

Answer 21

Bcrypt is used in many Unix/Linux environments to safeguard passwords. It does this by salting a password and using blowfish to encrypt the salted password. It goes through this process of salting and encrypting many times.

Question 22

What is PBKDF2?

Answer 22

Password-based Key Derivation Function 2 protects a user password by adding salt of at least 64 bits to a password before adding additional randomness to the password using HMAC or a similar function. This process can be repeated as many times as desired to increase the

Question 23

What is Argon2?

Answer 23

Argon2 works the same as PBKDF2 and Bcrypt, by adding salts and running the slats output through an algorithm several times to increase the security of a password.

There are several versions of Argon2.

Question 24

What are the 3 common symmetric algorithms outlined in the book?

Answer 24

AES: Advance encryption standard

3DES: 3DEs or Trippes DES (Data Encryption Standard) is an improvement of the legacy DES algorithm, 64-bit Block cipher.

Blowfish & Twofish

Question 25

What is AES and what are its benefits?

Answer 25

AES: Advance encryption standard, is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES can use various key sizes to encrypt data (128bits, 192bits, 256bits), the larger the key the stronger the encryption (that is universal for mostly all encryption algorithms).

Benefits of AES:
Fast - encrypts/decrypts data on one pass
Efficient - AES uses fewer resources as compared to other encryption symmetric algorithms
Strong - provides strong encryption, which provides a strong level of confidentiality

Question 26

What is 3DES?

Answer 26

3DES: 3DEs or Trippes DES (Data Encryption Standard) is an improvement of the legacy DES algorithm. 64-bit Block cipher. 3DES uses 3 separate passes and multiple keys to encrypt and decrypt, use more resources, and is slower than AES. Can be used as an alternative when AES is not supported. Provides strong encryption, key sizes (56 bits, 112 bits, and 168 bits).

Question 27

What are blowfish and twofish?

Answer 27

Blowfish: A block cipher that encrypts in 64 bits blocks, and supports key sizes between 32 bits and 448 bits.

Twofish: related to blowfish, but encrypts data in 128-bit blocks and it supports 128-192- or 256-bit keys.

Question 28

What are certificates?

Answer 28

A certificate is a digital document that typically includes the public key and information on the owner of the certificate. Certificate Authorities (CA) issue and manage certificates.

Certificates are used for a variety of purposes, including asymmetric encryption, authentication, and digital signatures.

Question 29

What are ephemeral keys and what is its benefit?

Answer 29

Ephemeral keys are temporary key pairs typically used for a single session and discarded. in contrast, certificates are based on static keys, which are embedded and can be used for the life cycle of the certificate.

Perfect forward secrecy: simply put, ephemeral keys are randomly generated even given the same input. This ensures that systems are not resuing session keys and that the compromisation of a key has no bearing on other keys.

Question 30

What is elliptic curve cryptography?

Answer 30

Elliptic curve cryptography is a method of cryptography that uses few resources as compared with other cryptographic methods. It produces key sizes that are much smaller than but it’s able to achieve the same level of security as larger keys.

a 256-bit elliptic curve public key can provide the same security benefit as a 3072-bit key used with digital signature algorithm (DSA).

Question 31

What are the 3 aspects of quantum computing that are used for security?

Answer 31

Quantum computing utilizes superpositioning, qubit entanglement, and no-cloning theorem.

Superposition: Bits (1&0) are superposition onto each other to create a quantum bit or qubit for short. Simplistic speaking it’s a bit that is both a 1 and 0 at the same time.

Qubit entanglement: In regular computing bits are not dependent on each other’s value. A 1 is not dependent on a 0 and vice versa. In quantum computing, the qubits are dependent on each other’s values.

No-cloning: When data is stored in a quantum state it is nearly impossible to copy or read it because any attempt to do so causes a change in the data itself. This can also serve as an indication of an attack.

Question 32

What is lightweight cryptography and how is it typically used?

Answer 32

Lightweight cryptography generally refers to cryptography deployed on smaller devices (RFID tags, sensor nodes, smart cards, and IoT devices).

Lightweight cryptography uses fewer resources to provide the desired security for these devices, without diminishing the device’s performance.

Question 33

What is homomorphic encryption?

Answer 33

Homomorphic encryption allows data to stay encrypted while it is being used or processed. Homomorphic encryption method works best when data is stored and manipulated as integers.

Question 34

What are the 3 common encryption modes of operation used with encryption?

Answer 34

Authenticated: This mode ensures confidentiality through encryption and authenticity of data by using a Message Authentication Code (MAC) with a symmetric key.

Counter Mode Cipher (CTR): Allows block cipher to function as stream ciphers. CTR uses an IV combined with a counter to produce varying keys. It provides authentication and authenticity as well.

Unauthenticated: This mode just provides authentication through encryption but that’s it. It does not ensure the integrity of data.

Question 35

What keys are used to encrypt and decrypt an email’s digital signature?

Answer 35

The sender’s private key encrypts the hash of the message (digital signature).

The receiver of the email will use the sender’s public key to decrypt the hash of the message (digital signature).

The sender’s public key is sent along with the email in a certificate. The public key is a S/MIME.p7s format file.

Question 36

Digital signatures provide what 3 key benefits?

Answer 36

Authentication: The sender of the email is authenticated by using a digital signature because their private key is unique to them.

Non-repudiation: When a sender signs an email with a digital signature they cannot later deny it was them that sent it.

Integrity: The matching hash of the message will ensure the receiver of the email that the message has not been corrupted or modified along the way.

Question 37

What keys are used to encrypt and decrypt an email?

Answer 37

The sender of the email will use the recipient’s public key (they key this key from their certificate) to encrypt the email message.

The receiver of the email then uses his private key to decrypt the email.

For added step for authenticity, integrity, and non-repudiation, the sender could also digitally sign that encrypted email message.

Question 38

What is the process of encrypting an email message only using asymmetric encryption?

Answer 38

1 - The sender retrieves the recipient’s public key from their certificate.
2 - The sender then encrypts the email message with the recipient’s public key and sends the message to the desired recipient.
3 - The recipient gets the messages and uses their private key to decrypt the email message.

This method is a few email applications.

Question 39

What is the process of encrypting an email message using asymmetric and symmetric encryption?

Answer 39

1) Sender encrytps the email message with the symmetric encrytpion they would like to use (AES, 3Ds, Blowfish/Twofish, etc.,)
2) The sender retreive the reciptient’s public Key from thier cetrificate and encrypts the symmetric key used to encrypt the emial message, and sends the messages to the precepitent.
3) The recpitent receive the encrypted email and uses thier paired private key to decrypt the the symmetric key.
4) once the symmertic key is decrypted, the recipient that uses the symmetric key to decrypt the emial message.

Question 40

What is S/MIME?

Answer 40

Secure Multipurpose Internet Mail Extension (S/MIME) is one of the most frequently used methods to digitally sign and encrypt an email. S/MIME uses both asymmetric and symmetric encryption. It is able to encrypt emails at rest and in transit.

Question 41

What ports are used to implement S/MIME on POP3-over-TLS, SMTP-over-TLS, and IMAP-over-TLS?

Answer 41

Port 995 for POP3-over-TLS
Port 587 for SMTP-over-TLS
Port 993 for IMAP-over-TLS

Question 42

What is the process of encrypting an HTTPS session using asymmetric and symmetric encryption?

Answer 42

1) The client first requests an HTTPS session from a website server by clicking on an HTTPS link or by typing an HTTPS URL into a web browser
2) The web server responds to the client’s request by sending its certificate to the client which holds its public key
3) The client identifies a symmetric key it would like to use for the session (also called a session key) and encrypts it with the web server’s public key
4) The key is then sent to the web server where it uses its private key to decrypt the symmetric key
5) Now that both the client and the web server know the session key a service session is now established and data can be securely shared between the client and the website.

Question 43

What is a plain text attack a.k.a know plain text attack?

Answer 43

This is a cryptographic attack in which the attacker has both a portion or the whole plain text and the encrypted version of that text. Using both data, they are able to discover the encryption and decryption methods and use it to decrypt other text or the rest of the cipher text.

Question 44

What is a chosen plain text attack?

Answer 44

This is a cryptographic attack in which the attacker has chosen a portion of the cipher that may be common (like warnings at the end of emails indicating proprietary use) and attempt various method to decrypt the chosen text. if successful, they can decrypt the rest of the message.

Question 45

What is a ciphertext-only attack?

Answer 45

This a cryptographic attack in which the attacker has no knowledge of the plain text and is attempting to decrypt the ciphertext.

Question 46

What is high resiliency in cryptography?

Answer 46

High resiliency refers to the security of an encryption key even if an attacker discovers part of the key. A strong encryption algorithm ensures that if leakage occurs (a portion of the key is discovered) it does not compromise the encryption key.

Question 47

Hows is obfuscation best supported?

Answer 47

Obfuscation is best supported through the use of steganography. Security through obscurity.

Question 48

How do cryptographic concepts support low-power devices?

Answer 48

The use of elliptic curve cryptography and other lightweight cryptography algorithms support deploying cryptography on low-power devices. This includes wireless devices, and any IoT devices.

Question 49

What is OCSP and how does it support low latency?

Answer 49

Online Certificate Status Protocol (OCSP) provides real-time verification of a certificate revocation status.

Normally certificate revocation lists (CRL) are cached, however, this doesn’t always provide the client with the most up-to-date information regarding a certificate status. To decrease the latency of the client waiting until the CRL is refreshed in the cache, using OCSP the client can request the status of a certificate with the CA or the certificate revocation list issuer, who runs the certificated serial number against its data base and respond to the client in real-time.

Question 50

What are CAs and what do they do?

Answer 50

Certificate authority issues, manages, validates, and revokes certificates. They can be large public orgs or small internal.

Question 51

What is a root certificate?

Answer 51

A root certificate identifies and verifies the CA as a trusted CA. The root certificate is placed into a trusted root CA store. This is the equivalent of the DVM providing a document (certificate) that they are trusted to issue identification cards (general ID, permits, driver’s licenses, etc.,)

Question 52

What is the hierarchical (aka centralized) trust model?

Answer 52

This model established a chain of authority, identifying the root CA (the first in the chain) down to the child CA (the last in the chain).

The public CA creates the first CA within its org, known as the root CA.
If desired, the root CA can create intermediate CAs and issues them certificates.
The intermediate CAs can create child CAs and issue them certificates.
The child CAs can issue certificates to devices and end users.

When attempting to establish an HHTPS session with a web browser, the client verifies the certificate, as well as the chain of authority. Also, any one of the CAs mentioned above can issue certificates to devices and end users, not just the child CA.

Question 53

What is it called when certificates starting at the root CA down to the end user are linked together?

Answer 53

Certificate Chaining

Question 54

What is the process for requesting a certificate from a CA?

Answer 54

If a website would like to provide HTTPS sessions it would have to fill out a CA’s certificate signing request (CSR).

The owner of the website would create their public and private key pair.

Then they would identify a CA they would like to use and fill out the CSR form. Within this form, the owner would provide information like what the certificate would be used for, info on the website, the public key, the org, and the owner.

After the form is filled out, the CA will conduct their due diligence and verify the requester’s identity. Depending on the purpose of the certificate, this can be an extensive process or as simple as using the credit card used for payment.

Question 55

What is an RA?

Answer 55

In a large organization, the registration authority (RA) can assist the CA with collecting registration information. The RA DOES NOT ISSUE certificate.

Question 56

What is an alternative to the CRL, and what use case does it support?

Answer 56

An alternate to the Certificate Revocation List (CRL), is the Online Certificate Status Protocol (OCSP) which verifies a certificate in real time by using the serial number of the certificate in question.

CAs respond to the client with a response of good, revoked, or unknown (possible forgery if unknown).

OCSP supports the use case of low latency, as clients can get a response from the CA in real-time, and not have to wait for a new CRL to be downloaded before verification can occur.

Question 57

What was a good way to decrease real-time traffic to the CA for the verification of certificates?

Answer 57

OCSP stapling.

OCSP stapling gives a certificate presenter (web browsers, etc) a signed (digital signature) time stamp response from the CA which the presenter can provide to the client along with their certificate and public key. This way the client has no need to send traffic to the CA requesting verification.

Question 58

What is key pinning?

Answer 58

The purpose of Key Pinning is to inhibit attackers from impersonating a website by using fraudulent certificates.

When an HTTP request is made by the client, the certificate presenter responds with an extra header. The extra header includes a list of hashes derived from valid public keys used by the website. When the client visits the website again, it recalculates the hash to verify that it is the same website.

Question 59

What are key Escrows?

Answer 59

Key escrows are used to safeguard backups of a private key. If the key is lost, a designated individual in an org can retrieve the key (Recovery Agent).

Question 60

Certificates issued primarly to machine/computers (devices) are called what?

Answer 60

Machine certificate or computer certificate

Question 61

Certificate issued to users for encryption. authentication, smart cards, and more are called?

Answer 61

User certificate

Microsoft systems can create certificates allowing the user to encrypt data using Encrypting File Systems (EFS).

Question 62

What are code signing certificates used for?

Answer 62

Code signing certificates are often used to validate the authentication of executable applications or files. This is done by verifying that a code has not been modified before it is run.

Question 63

What are the pros and cons of a self-signed certificate?

Answer 63

Self-signed certificates are issued by a CA with a private org.

Pros:
no cost to the org to produce these certificates as they are not buying them from a publicly trusted CA.
They are used internally.

Cons:
They are not issued by a trusted CA, hence they are not trusted to be used externally

Question 64

Who issues a root certificate?

Answer 64

Root certificates are issued by the root CAs

Question 65

What is a wildcard certificate?

Answer 65

Wildcard certificates start with an asterisk(*). They can be used with multiple domains if each domain name contains the same root domain.

Google.com is the root domain, so a wildcard certificate can be used for account.google.com or support.google.com

Question 66

What is a subject alternative name certificate (SAN)?

Answer 66

Subject alternative name certificates (SAN) are used for multiple domains that have different names but are owned by the same organization.
Ex: Google uses SANs of *google.com, *android.com, *.cloud.google.com

It is also used for systems with the same base domain names, but different top-level domains.
Ex: Google uses a single SAN for google.com, and google.net

Question 67

What is the purpose of a Domain Validated (DV) certificate?

Answer 67

A domain-validated certificate provides additional evidence to clients that visit a particular website with a DV that the site or organization is trustworthy

Question 68

What is the purpose of an Extended Validated (EV) certificate?

Answer 68

Extended validated certificate foes beyond that of a DV certificate. Sites using EV certificates have the organization appear in the browser before the URL. An EV certificate like a DV certificate simply aims to provide more assurance to the client that the site and organization are trustworthy.

EVs are on the decline because most users do not bother to check for them.

Question 69

What are the two file types that certificates are stored in?

Answer 69

Binary files or BASE64 American Standard Code for Information Interchange (ASCII) encoded files.

Binary files are stored as 1s and 0s

BASE64 encoding converts binary data to American Standard Code for Information Interchange (ASCII) string format.

Question 70

What are the two base formats for certificates, their extension, and their common purpose?

Answer 70

Canonical Encoding Rules (CER) - the common extension for this base format is .cer: used for ASCII certificates

Distinguished Encoding Rules (DER) - the common extension for this base format is .der: uses for binary certificates

Question 71

What file types are Distinguished Encoding Rules (DER) and Canonical Encoding Rules (CER) stored in?

Answer 71

Distinguished Encoding Rules (DER) are stored as binary files - files types to do include headers and footers compared to ASCII

Canonical Encoding Rules (CER) are stored as American Standard Coding for Information Interchange files

Question 72

What are the extensions for the Privacy Enhanced Mail (PEM) base certificate format, its file type, and its use?

Answer 72

Privacy Enhanced Mail (PEM) base certificate uses the following extensions:
.pem, .cer. crt, .key

File storage type: can be Binary or ASCII

PEM purpose: this base type can be used for almost any certificate purpose, including share public keys within a certificate, request a certificate from a CA as a CSR, install a private key on a server, publish a CRL, or share the full certificate chain.

Question 73

What are the extensions for the P7B base certificate format, its file type, and its use?

Answer 73

P7B base certificate uses the following extensions:
.p7b, .p7c

File storage type: ASCII (CER)

P7B: this base type can be used to share public keys. P7B certificates can also contain a public key, certificate chain, or CRL, but NEVER a private key.

Question 74

What are the extensions for the P12/PFX base certificate format, its file type, and its use?

Answer 74

P12/PFX base certificate uses the following extensions:
.p12, .pfx

File storage type: Binary (DER)

P7B: this base type can be used to share private keys. P12/PFX certificates can also contain a public key, certificate chain, or private keys.