Chapter 10 (Lecture 9) Flashcards
- Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.
- Bob should encrypt the message using Alice’s public key and then transmit the encrypted message to Alice.
- Explain the process Alice would use to decrypt the message Bob sent in question 1.
(1. Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.)
- Alice should decrypt the message using her private key.
- Explain the process Bob should use to digitally sign a message to Alice.
(1. Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.)
- Bob should generate a message digest from the plain-text message using a hash function.
He should then encrypt the message digest using his own private key to create the digital signature.
Finally, he should append the digital signature to the message and transmit it to Alice.
- Explain the process Alice should use to verify the digital signature on the message from Bob in question 3.
[3. Explain the process Bob should use to digitally sign a message to Alice.
(1. Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.)]
- Alice should decrypt the digital signature in Bob’s message using Bob’s public key.
She should then create a message digest from the plain-text message using the same hashing algorithm Bob used to create the digital signature.
Finally, she should compare the two message digests.
If they are identical, the signature is authentic.
- In the RSA public key cryptosystem, which one of the following numbers will always be largest?
A. e
B. n
C. p
D. q
- B. The number n is generated as the product of the two large prime numbers p and q. Therefore, n must always be greater than both p and q. Furthermore, it is an algorithm constraint that e must be chosen such that e is smaller than n. Therefore, in RSA cryptography, n is always the largest of the four variables shown in the options to this question.
- Which cryptographic algorithm forms the basis of the El Gamal cryptosystem?
A. RSA
B. Diffie-Hellman
C. 3DES
D. IDEA
- B. The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.
- If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
- C. Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard’s private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard’s freely available public key. Richard could not encrypt the message using Sue’s private key because he does not have access to it. If he did, any user could decrypt it using Sue’s freely available public key.
- If a 2,048-bit plain-text message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext message be?
A. 1,024 bits
B. 2,048 bits
C. 4,096 bits
D. 8,192 bits
- C. The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plain-text message would yield a 4,096-bit ciphertext message when El Gamal is used for the encryption process.
- Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use?
A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits
- A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024-bit RSA key is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.
- John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be?
A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits
- A. The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.
- Which one of the following technologies is considered flawed and should no longer be used?
A. SHA-2
B. PGP
C. WEP
D. TLS
- C. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.
- What encryption technique does WPA use to protect wireless communications?
A. TKIP
B. DES
C. 3DES
D. AES
- A. WiFi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.
- Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
- B. Sue would have encrypted the message using Richard’s public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.
- Richard wants to digitally sign a message he’s sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
- B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard’s public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.
- Which one of the following algorithms is not supported by the Digital Signature Standard?
A. Digital Signature Algorithm
B. RSA
C. El Gamal DSA
D. Elliptic Curve DSA
- C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.
- Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication?
A. X.500
B. X.509
C. X.900
D. X.905
- B. X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.
- What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmermann’s Pretty Good Privacy secure email system?
A. ROT13
B. IDEA
C. ECC
D. El Gamal
- B. Pretty Good Privacy uses a “web of trust” system of digital signature verification. The encryption technology is based upon the IDEA private key cryptosystem.
- What TCP/IP communications port is utilized by Transport Layer Security traffic?
A. 80
B. 220
C. 443
D. 559
- C. Secure Sockets Layer utilizes TCP port 443 for encrypted client-server communications.
- What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption?
A. Birthday attack
B. Chosen ciphertext attack
C. Meet-in-the-middle attack
D. Man-in-the-middle attack
- C. The meet-in-the-middle attack demonstrated that it took relatively the same amount of computation power to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.
- Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack?
A. Rainbow tables
B. Hierarchical screening
C. TKIP
D. Random enhancement
- A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password cracking attacks.
- Which of the following links would be protected by WPA encryption?
A. Firewall to firewall
B. Router to firewall
C. Client to wireless access point
D. Wireless access point to router
- C. The WiFi Protected Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.
- What is the major disadvantage of using certificate revocation lists?
A. Key management
B. Latency
C. Record keeping
D. Vulnerability to brute force attacks
- B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.
- Which one of the following encryption algorithms is now considered insecure?
A. El Gamal
B. RSA
C. Skipjack
D. Merkle-Hellman Knapsack
- D. The Merkle-Hellman Knapsack algorithm, which relies upon the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.
- What does IPSec define?
A. All possible security classifications for a specific configuration
B. A framework for setting up a secure communication channel
C. The valid transition states in the Biba model
D. TCSEC security categories
- B. IPSec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.
How does RSA work?
Each user of the cryptosystem generates a pair of public and private keys.
An RSA user creates and publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers are kept secret. Messages can be encrypted by anyone, via the public key, but can only be decoded by someone who knows the prime numbers (Private Key).
Merkle-Hellman Knapsack
Encryption based on super-increasing sets.
It is ineffective, as it has already been broken by cryptanalysts.
What is the security of Elliptic Curve Cryptography based on?
The security of ECC depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original point and the product
It is widely believed that the elliptic curve discrete logarithm problem is harder to solve than RSA and Diffie-Hellman
Purpose of Hash Functions
Hash functions take a potentially long message and generate a unique output value derived from the content of the message
Some of the more common hashing algorithms in use today are
Message Digest 2 and 5 (MD2 and MD5)
Secure Hash Algorithm (SHA-0, SHA-1, and SHA-2)
Hashed Message Authentication Code (HMAC)
Basic Requirements for Hash Functions
- The input can be of any length
- The output has a fixed length
- The hash function is relatively easy to compute for any input
- The hash function is one-way
It is extremely hard (ideally, impossible) to determine the input when provided with the output
- The hash function is collision free
It is extremely hard to find two messages that produce the same hash value
What are some common hashing algorithms?
SHA,
MD2,
MD4,
MD5
Describe Secure Hash Algorithm (SHA-1)
- Takes an input of virtually any length
- Produces a 160-bit message digest
- processes a message in 512-bit blocks
- there are weaknesses in the SHA-1 algorithm
What are the differences between SHA-1 and SHA-2?
SHA-1 and SHA-2 differ in several ways;
mainly, SHA-2 produces 224- or 256-bit digests, whereas SHA-1 produces a 160-bit digest;
SHA-2 can also have block sizes that contain 1024 bits, or 512 bits, like SHA-1.
Brute force attacks on SHA-2 are not as effective as they are against SHA-1.
SHA-2 is generally considered secure.
Goals of Digital Signatures
- Digitally signed messages assure the recipient that the message truly came from the claimed sender, and they enforce nonrepudiation
- Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient
How does a digital signature work?
When Alice wants to digitally sign a message she’s sending to Bob, she
- Generates a message digest.
- Encrypts only the message digest using her private key
- Appends the signed message digest to the plain-text message
- Transmits the appended message to Bob
When Bob receives the digitally signed message, he
- Decrypts the digital signature using Alice’s public key
- Uses the same hashing function to create a digest of the full plain-text message
- Compares the decrypted message digest he received from Alice with the message digest he computed
What is the Digital Signature Standard for federal government use?
NIST specifies the digital signature algorithms acceptable for federal government use
Signatures must use the SHA-1 or SHA-2 hashing functions
DSA, RSA and ECDSA can be used for Infrastructure
What are digital certificates used for?
Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be
Normally using X.509
What data is inside an X.509 certificate?
X.509 certificates contain the following data:
- Version of X.509
- Serial number
- Signature algorithm identifier
Specifies the technique used by the certificate authority to digitally sign the contents of the certificate
- Issuer name
Identification of the certificate authority that issued the certificate
- Validity period
- Subject’s name
The distinguished name (DN) of the entity that owns the public key contained in the certificate
- Subject’s public key
What are Certificate Authorities?
Certificate authorities (CAs) are neutral organizations offering notarization services for digital certificates
PKI relies upon a hierarchy of trust relationships
What are Certificate Registration Authorities?
Registration authorities (RAs) assist CAs with the burden of verifying users’ identities prior to issuing digital certificates
What is Certificate Path Validation (CPV)?
It means that each certificate in a certificate path from the root of the trust hierarchy down to the server or client in question is valid and legitimate
- When certificates expire or are replaced
This can break the chain of trust or the verification path
By forcing a re-verification of all stages of trust, you can reestablish all trust links and prove that the assumed trust remains assured
What are the Techniques to identify Revoked Certificates?
- Certificate Revocation Lists (CRLs)
Maintained by the CAs as a batch process
- Online Certificate Status Protocol (OCSP)
Real-time request to CAs
Applied Cryptography on Portable Devices
Portable devices bring new risks to the world of computing, sometimes exposing sensitive information.
Tools for disk encryption are offered, such as:
BitLocker (Windows)
FileVault (Mac)
TrueCrypt (open source; Linux, Mac, Windows)
Applied Cryptography on Electronic Mail
Mostly based on Encrypt and Sign
It is the sender’s responsibility to ensure that proper mechanisms are in place to guarantee the security and privacy of a message or transmission
One of the most demanded applications of cryptography is encrypting and signing electronic mail messages
Applied Cryptography on S/MIME
The Secure Multipurpose Internet Mail Extensions (S/MIME) protocol has emerged as a likely standard for encrypted electronic mail
S/MIME utilizes the RSA encryption algorithm and has received the backing of major industry players, including RSA Security
S/MIME relies upon the use of X.509 certificates for exchanging cryptographic keys
Applied Cryptography on Web
Secure web browsing has achieved widespread acceptance in recent years
This is mainly because of the strong movement toward electronic commerce
S-HTTP (HTTPS today) and SSL
Applied Cryptography on Secure Sockets Layer (SSL)
SSL’s goal is to create secure communications channels that remain open for an entire web browsing session
SSL relies upon a combination of symmetric and asymmetric cryptography
When a user accesses a website,
- The browser retrieves the web server’s certificate and extracts its public key
- The browser creates a random symmetric key, encrypts it with the server’s public key, and then sends the encrypted key to the server
- The server decrypts the symmetric key using its own private key
- The two systems exchange all future messages using the symmetric key
This allows SSL to leverage the asymmetric cryptography while encrypting and decrypting the vast majority of the data using the faster symmetric algorithm.
Applied Cryptography on Secure HTTP (S-HTTP)
S-HTTP is the second major protocol used to provide security on the World Wide Web
- S-HTTP is not nearly as popular as SSL
It has two major differences with respect to SSL
- S-HTTP secures individual messages between a client and server rather than creating a secure communications channel
- S-HTTP supports two-way authentication between a client and a server rather than the server-only authentication supported by SSL
(Obsolete; replaced by HTTPS)
Applied Cryptography on Steganography
Steganography is the art of using cryptographic techniques to hide messages in plain sight, such as embedding a secret message within a picture or a web page
It is normally used for illegal purposes but can also be used for digital watermarks.
Applied Cryptography on E-commerce - SET
The Secure Electronic Transaction (SET) standard was developed jointly by Visa and MasterCard as a means for securing e-commerce transactions
SET utilizes a combination of RSA public key cryptography, DES private key cryptography, and digital certificates to secure electronic transactions
Applied Cryptography on Circuit Encryption
Link encryption
Protects entire communications circuits by creating a secure tunnel between two points using hardware/software solutions that encrypt all traffic entering one end of the tunnel and decrypts all traffic exiting the other end of the tunnel
End-to-end encryption
Protects communications between two parties (for example, a client and a server) and is performed independently of link encryption
Applied Cryptography on IPSec
The Internet Protocol Security (IPSec) standard is a standard architecture set forth by the Internet Engineering Task Force (IETF) for setting up a secure channel between two entities
IPSec does not dictate all implementation details but is an open, modular framework
IPSec uses public key cryptography to provide encryption, access control, nonrepudiation, and authentication, all using IP protocols
The primary use of IPSec is for virtual private networks (VPNs)
It provides transport and tunnel modes
Applied Cryptography on Wireless Networking
Wired Equivalent Privacy (WEP)
and
WiFi Protected Access (WPA) (better)
Applied Cryptography on Attacks
Analytic attack
An algebraic manipulation that attempts to focus on the logic of the algorithm itself
Implementation attack
Exploits weaknesses in the implementation of a cryptography system
Statistical attack
Exploits statistical weaknesses in a cryptosystem, such as inability to produce random numbers and floating-point errors
Brute force
Attempts every possible valid combination for a key or password
Frequency analysis
Counting the number of times each letter appears in the cipher text, and using knowledge about letter frequency in English
Known plain text
The attacker has a copy of the encrypted message along with the plain-text message
Chosen cipher text
The attacker has the ability to decrypt chosen portions of the cipher-text and use them to discover the key
Chosen plain text
The attacker has the ability to encrypt plain-text messages of their choosing and can then analyze the output of the encryption algorithm
Meet in the middle
Used to defeat encryption algorithms that use two rounds of encryption
Birthday
Exploits flaws in the nature of hashing functions
Man in the middle & Replay