Chapter 10 Flashcards
Integrity
One of the three main goals of information security known as the CIA security triad
Integrity provides assurance that data or system configurations have not been modified
Audit logs and hashing are two methods used to ensure integrity
Compare with availability and confidentiality
Hash
A number created by executing a hashtag algorithm against data, such as a file or message
Hashing is commonly used for integrity
Common hashing algorithms are MD5, SHA-1, and HMAC
Confidentiality
One of three main goals of information security known as the CIA security triad
Confidentiality ensures that unauthorized entities cannot access data
Encryption and access controls help protect against the loss of confidentiality
Compare with availability and integrity
Encryption
A process that scrambles, or ciphers, data to make it unreadable
Encryption normally includes a public algorithm and a private key
Compare with Asymmetric and Symmetric Encryption
Digital Signature
An encryption hash of a message, encrypted with the sender’s private key
It provides authentication, non-reputation, and integrity
Authentication
The process that occurs when a user proves an identity, such as with a password
Non-Repudiation
The ability to prevent a party from denying an action
Digital Signatures and access logs provide non-repudiation
Patch File
Filler
SHA-1 Checksum
Filler
MD5
Message Digest 5 is a hashing function used to provide integrity
MD5 creates 128-bit hashes, which are also referred to as MD5 checksums
Experts consider MD5 cracked
SHA
Secure Hash Algorithm is a hashing function used to provide integrity
Versions include SHA-1, SHA-2, SHA-3
HMAC
Hash-based Message Authentication Code is a hashing algorithm used to verify integrity and authenticity of a message with the use of a shared secret
It is typically combined with another hashing algorithm such as SHA
RIPEMD
RACE Integrity Primitives Evaluation Message Digest is a hash function used for integrity
It creates fixed-length hashes of 128, 160, 256, or 320 bits
Key Stretching
A technique used to increase the strength of stored passwords
It adds additional bits (called salts) and can help thwart brute force and rainbow table attacks
Salt
A random set of data added to a password when creatig the hash
PBKDF2 and bcrypt are two protocols that use salts
Bcrypt
A key stretching algorithm
It is used to protect passwords
Bcrypt salts passwords with additional bits before encrypting them with Blowfish
This thwarts rainbow table attacks
PBKDF2
Password-Based Key Derivation Function 2 is a key stretching technique that adds additional bits to a password as a salt
It helps prevent brute force and rainbow table attacks
Data-at-rest
Any data stored on media
It’s common to encrypt sensitive data-at-rest
Data-In-Transit
Any data sent over a network
It’s common to encrypt sensitive data-in-transit
Data-In-Use
Any data currently being used y a computer
Because the computer needs to process the data, it is not encrypted while in use
Algorithm
Filler
Key
Filler
Random and Pseudo-Random Numbers
Filler
IV
Initialization Vector attack is a wireless attack that attempts to discover the IV
Legacy wireless security protocols are susceptible to IV attacks
Nonce
A number used once
Cryptography elements frequently use a nonce to add randomness
XOR
A logical operation used in some encryption schemes
XOR operations compare two inputs
If the two inputs are the same, it outputs True
If the two inputs are different, it outputs False
Confusion
A cryptography concept that indicates ciphertext is significantly different than plaintext
Diffusion
A cryptography concept that ensures that small changes in plaintext result in significant changes in ciphertext
Secret Algorithm
Filler
Weak/Deprecated Algorithms
Filler
High Resiliency
Filler
Block Cipher
An encryption method that encrypts data in fixed-sized blocks
Compare with stream cipher
StreamCipher
An encryption method that encrypts data as a stream of bits or bytes
Compare with block cipher
ECB
Electronic Codebook is a legacy mode of operation used for encryption
It is weak and should not be used
CBC
Cipher Block Chaining is a mode of operation used for encryption that effectively converts a block cipher into a stream cipher
It uses an IV for the first block and each subsequent block is combined with the previous block
CTM
Counter mode is a mode of operation used for encryption that combines an IV with a counter
The combined result is used to encrypt blocks
GCM
Galois/Counter Mode is a mode of operation used for incryption
It combines the counter (CTM) mode with hashing techniques for data authenticity and confidentiality
Symmetric Encryption
A type of encryption using a single key to encrypt and decrypt data
Compare with asymmetric encryption
Encryption Algorithm
Filler
Decryption Algorithm
Filler
Substitution Cipher
An encryption method that replaces characters with other characters
Plaintext
Text displayed in a readable format
Encryption converts plaintext to ciphertext
Ciphertext
The result of encrypting plaintext
Ciphertext is not in an easily readable format until it is decrypted
ROT13
A substitution cipher that uses a key of 13
To encrypt a message, you would rotate each letter 13 spaces
To decrypt a message, you would rotate each letter 13 spaces
Obfuscation
An attempt to make something unclear or difficult to understand
Steganography methods use obfuscation to hide data within data
AES
Advanced Encryption Standard is a strong symmetric block cipher that encrypts data in 128-bit blocks
AES can use key sizes of 128 bits, 192 bits, 256 bits
Fast
Filler
Efficient
Filler
Strong
Filler
DES
Data Encryption Standard is a legacy symmetric encryption standard used to provide confidentiality
It has been compromised and AES or 3DES should be used instead
3DES
Triple Digital Encryption Standard is a symmetric algorithm used to encrypt data and provide confidentiality
It is a block cipher that encrypts data in 64-bit blocks
RC4
A symmetric stream cipher that can use between 40 and 2,048 bits
Experts consider it cracked and recommend using stronger alternatives
Blowfish
A strong symmetric block cipher
It encrypts data in 64-bit blocks and supports key sized between 32 and 448 bits
Compare with Twofish
Twofish
A symmetric key block cipher
It encrypts data in 128-bit blocks and supports 128-, 192-, or 256-bit keys
Compare with Blowfish
Asymmetric Encryption
A type of encryption using two keys to encrypt and decrypt data
It uses a public key and a private key
Compare with symmetric encryption
Public Key
Part of a matched key pair used in asymmetric encryption
The public key is publicly available
Compare with private key
Private Key
Part of a matched key pair used
Certificate
A digital file used for encryption, authentication, digital signatures, and more
Public certificates include a public key used for asymmetric encryption
Serial Number
Filler
Issuer
Filler
Validity Dates
Filler
Subject
Filler
Usage
Filler
RSA
Rivest, Shamir, and Adleman is an asymmetric algorithm used to encrypt data and digitally sign transmissions
It is named after its creators, Rivest, Shamir, and Adleman
Ephemeral
An ephemeral key is a type of key used in cryptography
Ephemeral keys have very short lifetimes and are re-created for each session
Perfect Forward Secrecy
A characteristic of encryption keys ensuring that keys are random
Perfect forward secrecy methods do not use deterministic algorithms
DHE
Filler
ECDHE
Filler
Steganography
The practice of hiding data within data
For example, it’s possible to embed text files within an image, hiding them from casual users
It is one way to obscure data to hide it
DSA
Digital Signature Algorithm is an encrypted hash of a message used for authentication, non-repudiation, and integrity
The sender’s private key encrypts the hash of the message
Hashing
Filler
S/MIME
Secure/Multipurpose Internet Mail Extensions is a popular standard used to secure email
S/MIMI provides confidentiality, integrity, authentication, and non-repudiation
Cipher Suites
Filler
Crypto Module
A set of hardware, software, and/or firmware that implements cryptographic functions
Compare with crypto service provider
Crypto Service Providers
A software library of cryptographic standards and algorithms
These libraries are typically distributed within crypto modules
Downgrade Attack
A type of attack that forces a system to downgrade its security
The attacker then exploits the lesser security control
PKI
Filler
Root Certificate
A PKI certificate identifying a root CA
Certificate Chaining
A process that combines all certificates within a trust model
It includes all the certificates in the trust chain from the root CCA down to the certificate issued to the end user
CSR
Certificate signing request is a method of requesting a certificate from a CA
It starts by creating an RSA-based private/public key pair and then including the public key in the CSR
Expired
Filler
Certificate Not trusted
Filler
Improper Certificate and Key management
Filler
OCSP
Online Certificate Status Protocol is an alternative to using a CRL
It allows entities to query a CA with the serial number of a certificate
The CA answers with good, revoked, or unknown
Stapling
The process of appending a digitally signed OCSP response to a certificate
It reduces the overall OCSP traffic sent to CA
Pinning
A security mechanism used by some web sites to prevent web site impersonation
Web sites provide clients with a list of public key hashes
Clients store the list and use it to validate the web site
Key Escrow
The process of placing a copy of a private key in a safe environment
Machine/Computer
Filler
User
Filler
Filler
Code Signing
The process of assigning a certificate to code
The certificate includes a digital signature and validates the code
Self-Signed
Filler
Wildcard
Filler
SAN
Filler
Domain Validation
Filler
Extended Validation
Filler
CER
Canonical Encoding Rules are a base format for PKI certificates
They are binary encoded files
Compare with DER
DER
Distinguished Encoding Rules are a base format for PKI certificates
They are BASE64 ASCII encoded files
Compare with CER
PEM
Privacy Enhanced Mail is a common format for PKI certificates
It can use either CER (ASCII) or DER (Binary) formats and can be used for almost any type of certificates
P7B
PKCS#7 is a common format for PKI certificates
They are DER-based (ASCII) and commonly used to share public keys
P12
PKCS#12 is a common format for PKI certificates
They are CER-based (Binary) and often hold certificates with the private key
They are commonly encrypted
PFX
Personal information Exchange is a common format for PKI certificates
It is the predecessor to P12 certificates
