Chapter 10: PKI and Cryptographic Applications

Question 1

Describe public key cryptosystems.

Answer 1

Every user has a public and private key. Public keys are freely shared, and disclosing one does not introduce any weaknesses into the cryptosystem. The private key must remain confidential.

Question 2

Does setting up communications between users of public key cryptography require sharing private keys?

Answer 2

No

Question 3

How does a public key user create a ciphertext to send securely?

Answer 3

Encrypt it using the recipient’s public key. Only the holder of the corresponding private key can decrypt it.

Question 4

What is RSA?

Answer 4

A public key cryptosystem invented to Ron Rivest, Adi Shamir, and Leonard ADleman. Patented. It depends on the computational difficulty inherent in factoring large prime numbers.

Question 5

How should you select key length?

Answer 5

Based on the sensitivity of the data. More sensitive data requires longer keys.

Question 6

What is the disadvantage of El Gamal?

Answer 6

It doubles the size of any message it encrypts.

Question 7

Elliptic curve?

Answer 7

No notes

Question 8

What is a hash function?

Answer 8

A hash function is a one way function that takes a message of arbitrary length and generates a unique, generally shorter, value called a message digest.

Question 9

What is a message digest?

Answer 9

The output of a hash function

Question 10

What are the five requirements of a hash function according to RSA Security?

Answer 10

1. The input can be any length
2. The output has a fixed length
3. The hash function is relatively easy to compute for any input
4. The hash function is one-way
5. The hash function is collision-free

Question 11

What is the collision-free property?

Answer 11

It’s extremely hard to find two messages that produce the same hash value.

Question 12

What is SHA?

Answer 12

The Secure Hash Algorithm

Question 13

What is FIPS-180?

Answer 13

It defines the Secure Hash Algorithm

Question 14

What defines SHA?

Answer 14

FIPS-180

Question 15

What is the input range for SHA?

Answer 15

0-2,097,152 terabytes

Question 16

What is the output size for SHA?

Answer 16

160 bits

Question 17

How does SHA process input?

Answer 17

In 512-bit blocks. Blocks are padded if the message is too short to fill the block.

Question 18

Describe SHA-2?

Answer 18

It has four variants of SHA:

SHA-256 produces a 256-bit output from 512-bit blocks
SHA-224 produces a 224-bit output from 512-bit blocks
SHA-512 produces a 512-bit output from 1,024-bit blocks
SHA-384 uses a truncated output from SHA-512 using 1,024 bit blocks

Question 19

Why should MD2 not be used?

Answer 19

It was proven not to be a one-way function, and collisions can occur.

Question 20

Why should MD4 not be used?

Answer 20

Collisions can be found in under a minute.

Question 21

Add the hash value memorization chart

Answer 21

.

Question 22

What are the goals of a digital signature infrastruture system?

Answer 22

Assure the recipient that the message truly came from the claimed sender
Assure the recipient that the message was not altered

Question 23

What is HMAC and what does it do?

Answer 23

Hashed Message Authentication Code. It guarantees message integrity, but does not provide nonrepudiation.

Question 24

Why doesn’t HMAC provide nonrepudiation?

Answer 24

It uses a shared secret key, so either user could create a ciphertext and claim it came from the other.

Question 25

What is the Digital Signature Standard?

Answer 25

A NIST standard in FIPS 186-3 that specifies that federally approved digital signature algorithms must use SHA-1 or SHA-2. Also, the encryption algorithms that may be used are DSA (from FIPS 186-3), RSA, or the Elliptic Curve DSA

Question 26

What is the major strength of Public Key Infrastructure?

Answer 26

Facilitating encrypted communcations between parties previously unknown to each other.

Question 27

What is a digital certificate?

Answer 27

An endorsed copy of a public key, providing assurance that the owner is who they are claiming to be.

Question 28

What is a certificate authority?

Answer 28

Also called a CA. A neutral organization that offers notarization services for digital certificates. You prove who you are and they sign your certificate.

Question 29

What are the requirements to determine that a certificate is valid?

Answer 29

The digital signature of the CA is authentic
You trust the CA
The certificate is not listed on a certificate revocation list
The certificate actually contains the data you are trusting

Question 30

What is certificate revocation?

Answer 30

The process of asserting that a certificate is no longer valid.

Question 31

Why might a certificate be revoked?

Answer 31

It’s compromised (private key disclosed)
It was issued in error
The certificate details (names, etc) changed
The security association changed (employees leave, etc)

Question 32

What is the major disadvantage of CRLs?

Answer 32

They have to be periodically downloaded and checked, introducing latency.

Question 33

What is OCSP

Answer 33

Online Certificate Status Protocol

Question 34

What does OCSP do?

Answer 34

It provides for realtime certificate revocation checking.

Question 35

What are the rules for asymmetric key management?

Answer 35

Choose key lengths appropriately for security requirements
Keep private keys private
Retire keys appropriately
Back up your keys

Question 36

What are the rules about encrypting mail?

Answer 36

If you need confidentiality, encrypt.
If you need integrity, hash
If you need authentication, integrity, and/or non-repudiation, digitally sign.
If your message requires confidentiality, integrity, authentication, and nonrepudiation, encrypt and digitally sign.

Question 37

What is PGP?

Answer 37

A secure email system developed in 1991 that combines a CA hierarchy with a web-of-trust concept.

Question 38

What is S/MIME?

Answer 38

Secure Multipurpose Internet Mail Extensions protocol. De facto standard for encrypted email. Uses RSA, relies on X.509 certificates.

Question 39

What port should secure web applications be found on?

Answer 39

443/tcp

Question 40

What are the merits of SSL/TLS?

Answer 40

You can tunnel anything, and it secures the entire path.

Question 41

What is steganography?

Answer 41

Using cryptographic techniques to embed secret messages within another message.

Question 42

What is a steganography tool worth knowing about?

Answer 42

The X1A0 Stego tool

Question 43

What is steganography generally used for?

Answer 43

Hiding text in images.

Question 44

What are the two types of encryption techniques used to protect data traveling over a network?

Answer 44

Link encryption and end-to-end encryption

Question 45

Describe link encryption

Answer 45

Protects entire communcation circuits by creating a secure tunnel between two points using a hardware or software solution.

Question 46

Describe end-to-end encryption

Answer 46

Protects communication between two parties and is performed independently of link encryption. TLS, for example.

Question 47

What is IPsec?

Answer 47

A protocol that uses public key crypto to provide encryption, access control, nonrepudiation, and message authentication using IP protocols.

Question 48

What is the primary use of IPsec?

Answer 48

VPNs.

Question 49

What protocol is IPsec commonly paired with?

Answer 49

L2TP (Layer 2 Tunnelling Protocol)

Question 50

What is WEP?

Answer 50

Wired Equivalency Protocol, 64 and 128 bit encryption for wiresless LANs. IEEE 802.11. Significantly flawed and insecure.

Question 51

What is WPA?

Answer 51

WiFi Protected Access. Implements the Temporal Key Integrity Protocol (TKIP) to eliminate the insecurities of WEP.

Question 52

What is WPA2?

Answer 52

Improved version of WPA. Commonly considered the best option today.

Question 53

What is IEEE 802.1X?

Answer 53

A wireless security standard that provides a flexible framework for authentication and key management in wired and wireless networks.

Question 54

What is an analytic attack?

Answer 54

Algebraic manipulation that attempts to reduce the complexity of an algorithm. Focuses on the logic of the algorithm itself.

Question 55

What is an implementation attack?

Answer 55

An attack that exploits weaknesses in the implementation of a cryptography system. Focuses on exploiting the software code, not the methodology.

Question 56

What is a statistical attack?

Answer 56

Exploits statistical weaknesses like floating point errors and inability to produce truly random numbers. Looks for vulnerabilities in the hardware or OS hosting the application.

Question 57

What is a brute force attack?

Answer 57

One that attempts every possible valid combination for a key or password.

Question 58

What is frequency analysis or ciphertext-only attacks?

Answer 58

.

Question 59

What is a known plaintext attack?

Answer 59

Having a copy of a plaintext and the corresponding ciphertext greatly assists in breaking weaker codes.

Question 60

What is a chosen ciphertext attack?

Answer 60

The attacker has the ability to decrypt chosen portions of the ciphertext and used the decrypted portion to discover the key.

Question 61

What is a chosen plaintext attack?

Answer 61

The attacker has the ability to encrypt plaintext messages of their choosing and can analyze the resulting ciphertext.

Question 62

What is a meet in the middle attack?

Answer 62

Used to defeat encryptions that use two rounds of encryption. This is why 2DES isn’t used. Only generally twice as hard as one round, not n**2 as hard.

Question 63

What is a man in the middle attack?

Answer 63

A malicous individual between two communicating parties intercepts all communications and masquerades as each party to the other.

Question 64

What is a birthday attack?

Answer 64

Also called a collision attack or reverse hash matching, seeks to find flaws in the one-to-one nature of hash functions.

Question 65

What is a reply attack?

Answer 65

Useful against cryptosystems that don’t use temporal protection. Intercept encrypted message and send it later to open a new session.