Chapter 10: Understanding Crptography and PKI Flashcards
What is Integrity?
Ensures data has not been altered or tampered with intentionally or accidentally.
What is a Hash?
A fixed-length output (digest) created from data using a one-way algorithm.
What is Confidentiality?
Ensures that only authorized users can access sensitive data.
What is Encryption?
The process of converting readable data into an unreadable format to protect it.
What is Symmetric Encryption?
An encryption method where the same key encrypts and decrypts data.
What is a Stream Cipher?
Encrypts data one bit or byte at a time.
What is a Block Cipher?
Encrypts data in fixed-size chunks (blocks), usually 64 or 128 bits.
What is Asymmetric Encryption?
Uses a public key to encrypt and a private key to decrypts.
What is Steganography ?
Hides data within other data so it’s not noticeable.
What is Non-repudiation?
Ensures a sender cannot deny having sent a message.
What is Authentication?
Verifies the identity of a user, device, or process.
What is Hashing?
One-way function that coverts data into a fixed-sized string (hash).
What is a Checksum?
A value calculated from a data set to detect errors or changes.
What is Message Digest 5 (MD5)?
A widely used hash function producing a 128-bit hash value.
What is the Secure Hash Algorithm (SHA)?
A family of cryptographic hash functions designed by the NSA.
What is SHA-0?
The original version of SHA, published in 1993 but withdrawn due to flaws.
What is SHA-1?
Produces a 160-bit hash; used in SSL/TLS, but now considered weak.
What is SHA-2?
Includes SHA-224, SHA-256, SHA-384, and SHA-512. Widely used today.
What is SHA-3?
A different structure from SHA-2 and designed for future-proofing in case SHA-2 is broken.
What is the Hash-based Authentication Code (HMAC)?
A hash function combined with a secret key to verify message integrity and authenticity.
What is HMAC-MD5?
HMAC that uses MD5 as the underlying hash function.
What is HMAC-SHA-256?
Combines a message, a secret key, and SHA-256 to ensure data integrity and authenticity.
The hash of a file will always be the same no matter how many times you calculate it using the same hashing algorithm?
This is true.
What if an attacker changes both the message and sends a modified hash?
HMAC protects against this, because the secret key is unknown to the attacker.
What are Hash Collisions?
When two different inputs product the same hash output.
What is an Online Password Attack?
When an attacker tries to log in repeatedly through a live system.
What is an Offline Password Attack?
Attacker has access to stolen password hashes and brute-forces them locally.
What is a Dictionary Attack?
Attempts passwords from a pre-compiled list of common words and phrases.
What is a Brute Force Attack?
Tries every possible combination until the correct one is found.
What is a Password Spraying Attack?
Tries a few common passwords against many accounts.
What is a Pass the Hash Attack?
Attacker uses a stolen hashed password to authenticate without cracking it.
What is a Birthday Attack?
An attack that exploits the probability of hash collisions based on the birthday paradox.
What is the Birthday Paradox?
In cryptography, shows that hash collisions are more likely than expected. For an n-bit hash, a collision can occur in about 2^(n/2) attempts, not 2^n. This highlights the need for stronger hash functions to resist collision attacks.
What is a Rainbow Table Attack?
Uses a pre-computed table of hashes for common passwords to reverse hashes quickly.
What is Salting?
Adding a random string (salt) to each password before hashing.
What is Key Stretching?
Strengthens weak passwords by increasing the time it takes to hash them.
What is Bcrypt?
A key stretching and salting algorithm for securely hashing passwords.
What is PBKDF2?
A key stretching algorithm that strengthens passwords against brute-force attacks by using a password, salt, and multiple iterations to derive a cryptographic key.
What is Argon2?
Designed to resist GPU/ASIC attacks by using memory-hard functions.
What is the Blowfish block cipher?
A symmetric-key block cipher with a 64-bit block size and a key length up to 448 bits.
What is Data at rest?
Data that is stored on a device or backup.
What is Data in use?
Data that is actively being processed or accessed.
What are the two primary encryption methods?
Symmetric and Asymmetric?
What are the two elements in an encryption method?
A key and the algorithm.
What is Asymmetric Encryption?
Uses a pair of keys for encryption and decryption: a private key and a public key.
What is Symmetric encryption? AKA secret-key encryption and session-key encryption.
Uses one secret key for both encryption and decryption.
In regards to encryption algorithms, what is the key?
A secret value used to encrypt and decrypt data.
In regards to encryption algorithms, what is the algorithm itself?
The algorithm is the set of rules or procedures that defines how the encryption or decryption happens.
What is ROT13?
A simple cipher that rotates each letter by 13 positions in the alphabet.
What is Obfuscation?
Makes code or data harder to read or understand. Not true encryption.
What are Block Ciphers?
Encrypts data in fixed-sized blocks (e.g. 128 bits at a time).
What is the Advanced Encryption Standard (AES)?
Widely used in block ciphers —fast, secure, and standard.
What are Stream Ciphers?
Encrypts data bit-by-bit or byte-by-byte –like a flowing stream. Ideal for real-time use.
What are some of the strengths of AES?
It’s fast, efficient, and strong.
What is the Triple Data Encryption Standard (3DES)?
Applies DES three times for extra security. Nonetheless, considered deprecated. Use AES.
What is Blowfish?
A symmetric block cipher with a 64-bit block size and flexible key length.
What is Twofish?
Successor to Blowfish, designed to be faster and more secure.
What is Key Exchange?
The secure sharing of a key between two parties.
What are Certificate Authorities (CA)?
A trusted organization that issues digital certificates to verify identities online.
What are Digital Certificates?
A file issued by a CA that confirms the ownership of a public key.
What are some common Digital Certificate elements?
Serial number, issuer, validity date, subject, public key, key usage, and certification attributes (CN, O, L, S, C).
What does Ephemeral mean?
Short-lived or temporary, used once and then discarded.
What is Perfect Forward Secrecy?
A property of secure systems where ephemeral keys are used so that even if one key is compromised, past communications remain secure.
What is an Ephemeral Key?
A key for one session only, then discarded.
What is Elliptic Curve Cryptographic (ECC)?
Uses elliptic curves to create small but strong encryption keys.
Since encryption algorithms do not change, how are they strengthened?
You increase the length of a key.
What is Rivest-Shamir-Adleman (RSA)?
A widely-used asymmetric encryption algorithm; often used in digital signatures and secure data transmission.
What is Audio Steganography?
Hides data inside audio files by slightly altering sound data.
What is Image Steganography?
Hides data in image files, often by changing the least significant bits of pixels.
What is Video Steganography?
Embeds data in video files using techniques like altering frames or audio.
What is Tokenization?
Replaces sensitive data with random tokens.
What is Masking?
Hides parts of sensitive data (e.g. --2315).
What is the Digital Signature Algorithm (DSA)?
An algorithm used to create digital signature; confirms a message’s integrity and authenticity.
What security benefits are achieved if a recipient can decrypt a digital signature?
Authentication, Non-repudiation, and Integrity.
What is the Secure/Multipurpose Internet Mail Extensions (S/MIME)?
A standard for email encryption and digital signing.
Are CAs required to support TLS?
Yes.
What is a Downgrade Attack?
A cyberattack where a secure connection is forced to use a weaker/older protocol or cipher.
What is the Blockchain?
A decentralized, immutable ledger of data (blocks) linked using cryptography.
What are Open Public Ledgers?
A blockchain that anyone can read, write to, or audit.
In the context of Cybersecurity, what is Entropy?
Randomness or unpredictability in data.
In the context of Cybersecurity, what is Predictability?
When an attacker can guess or calculate a value.
What are Weak Keys?
A short/small key (low entropy).
In the context of Cybersecurity, what is Longevity?
Refers to how long an encryption algorithm or key remains secure.
With symmetric encryption, should the same key be reused?
No, it makes the algorithm vulnerable to attack.
What is a Plaintext Attack?
An attacker that has access to unencrypted data that tries to find patterns or infer the encryption method to compromise the system.
What is a Chosen-Plaintext Attack?
The attacker chooses plaintexts and sees their encrypted outputs, which can help reverse-engineer the encryption algorithm/key.
What is a Cipher-only Attack?
The attacker only has access to the ciphertext to analyze for patterns to infer the encryption method to compromise the system.
What is Public Key Infrastructure (PKI)?
A framework of people, policies, and technology to manage digital certificates.
What are Intermediate CAs?
CAs that site between the root CA and the end-user certificate.
What is Certificate Chaining?
A chain of trust from the root CA to the end-user certificate via intermediates.
What is OpenSSL?
An open-source toolkit for implementing SSL/TLS encryption.
What are Certificate Singing Requests (CSR)?
A request sent to a Certificate Authority (CA) to obtain a digital certificate.
What is a Registration Authority (RA)?
A trusted entity that verifies user identities before a certificate is issued.
What reasons can a CA revoke a certificate?
Private key compromise, Change of affiliation, Superseded by another certificate, Cease of operation, Certificate hold, or Certificate holder’s request.
What are common issues with Invalid Certificates?
They’re expired, Certificate no longer trusted, Certificate Revoked.
What is a Certificate Revocation List (CRL)?
A list of revoked certificates that are no longer trusted.
What is the Online Certificate Status Protocol (OCSP)?
A real-time protocol for checking if a certificate is valid or revoked.
What is OCSP Stapling?
The server “staples” (includes) the OCSP response from the CA with its certificate during the TLS handshake.
What is Certificate Pinning?
A security technique where a client remembers (pins) a server’s public key or certificate.
What is Key Escrow?
A trusted third-party that holds a copy of encryption keys for legal or recovery purposes.
What is a Key Management System (KMS)?
A system used to generate, store, rotate, and destroy encryption keys securely.
What are some tasks handled by a KMS?
Key generation, Key storage, Key distribution, Key rotation, and Key retirement/revocation/destruction.
What are some Certificate Types?
Machine/computer, User,Email, Code signing, Self-signed, Root, Wildcard, Subject alternative name (SAN), Domain Validation, and Extended Validation.
What are the Certificate formats?
Canonical Encoding Rules (CER), Distinguished Encoding Rules (DER), P7B, P12, and Personal Information Exchange (PFX).
What is Canonical Encoding Rules (CER)?
A set of strict rules for encoding data in Abstract Syntax Notation One (ASN.1).
What is Distinguished Encoding Rules (DER)?
A binary format for data structures described by ASN.1.
What is P7B?
Certificate format used to store certificates and certificate chains (but no private keys).
What is P12?
A binary format for storing the full package: certificate(s) + private key(s).
What is Personal Information Exchange?
Same as P12 – used interchangeably.
