Chapter 10 Understanding cryptography and RKI

Question 1

Integrity ensures?

Answer 1

That the data has not been modified. Hashing supports integrity.

Question 2

What is a hash? a special feature? Common hashing protocol used today?

Answer 2

A calculated value creating a fixed length string. It cannot be reversed. SHA-3.

Question 3

Confidentiality ensures? what supports it?

Answer 3

That the data is read only by the person that should. Encryption supports it.

Question 4

Symmetric vs asymmetric encryption?

Answer 4

symmetric, same key to decrypt and encrypt. Assymetric uses a public and private key pair instead.

Question 5

What is a cipher? two types?

Answer 5

An encryption technique, a stream cipher encrypts 1 bit at a time. Block ciphers encrypt in blocks.

Question 6

In order to use asymmetric encryption what is required? - not keys but something else.

Answer 6

a PKI, public key infrastructure to issue certificates. This certificate identifies whether the key belongs to that person.

Question 7

Aim of steneography?

Answer 7

to hide data, embed in code, pictures, sound etc. Providing confidentality.

Question 8

What is a digital signature made of and what does a digital signature provide when assigned to something?

Answer 8

It is a hash of an email message, encrypted with the user’s private key. Only the receivers public key can decrypt it. Authentication, non-repudiation, and integrity.

Question 9

Non-repudiation?

Answer 9

A party cannot deny that it is authentic.

Question 10

What cryptographic hashing protocol is now less-secure/not used often?

Answer 10

MD-5.

Question 11

List the SHA and their uses?

Answer 11

SHA-0, not in use. SHA-1 weaknesses (not approved), SHA-2 & SHA-3 both in use.

Question 12

Hashing - what is HMAC? why is it different? What protocols might use it?

Answer 12

Hash-based message authentication code, uses a secret key only the sender and receiver know. If the hash is replicated, without the key, it fails authenticity check. IPsec and TLS.

Question 13

What is the best algo for encrypting data? MD-5, HMAC, SHA-2 or SHA-3?

Answer 13

Hashes don’t encrypt data!

Question 14

How do systems store passwords?

Answer 14

They calculate a hash, then when you type it in, it compares it to the stored hash value

Question 15

An application creates the same hash from two different inputs, is this an issue?

Answer 15

Two passwords could be used for one password. Double the chances. It is a hash collision. MD5 susceptible to this.

Question 16

Online vs offline password attacks

Answer 16

Trying passwords online such as brute forcing a web page or offline by obtaining a database of hashes, running tools to try find the password matching hash.

Question 17

Why are spraying attacks so effective?

Answer 17

They bypass account lockouts by using a long list of accounts, trying the same password for all. By the time it loops back around the time period will have expired. May use dictionary and/or brute force.

Question 18

Password attack clues? where to find?

Answer 18

Logs, authentication failure logs.

Question 19

What is a pass the hash attack?

Answer 19

Attackers gain access to computer, admin priv, malware etc, they steal the password hash. Hashes should always be encrypted and passed over the network encrypted also.

Question 20

What is a rainbow attack?

Answer 20

Using a rainbow table, a large table of already computed hashes of many words and combinations. Eliminates the lengthy process of first guessing -> hashing -> comparing. These are often performed offline.

Question 21

Salting passwords? how?

Answer 21

Add a few random characters prior to hashing, increases complexity/difficulty of hash computed afterwards.

Question 22

What is the process of key stretching?

Answer 22

Key stretching involves subjecting your passwords to multiple rounds of hashing, effectively turning a weak password into a more secure version. The more rounds you perform, the more secure your password becomes. Salting, on the other hand, provides an extra layer of defense.

Question 23

Define data @ rest, in transit and in processing?

Answer 23

data @ rest: data stored
in transit: sent over the network
in processing: being used by a computer

Question 24

Compare symmetric encryption to a house key

Answer 24

Same house key owned by wife, make a copy, give to husband, he can use the same key to open the house as well.

Question 25

What type of key pair do block and stream ciphers use?

Answer 25

Symmetric

Question 26

What is AES? list some benefits of using it

Answer 26

AES is advanced encryption standard, a strong symmetric block cipher that encrypts data in 128 bits. It can use 128-256 bit sized keys. The higher, the more difficult to crack (better key strength)
- Fast
- efficient (less resource demanding)
- strong

Question 27

Blow and twofish? Advantage of blowfish?

Answer 27

Blowfish and twofish are block ciphers encrypting in either 64bit blocks or 128 (twofish), Blowfish is faster than AES which does 128 bit blocks. Blowfish also supports 32-448 bit keys. Very strong.

Question 28

Assymetric encryption.. a file is encrypted using Bob’s public key, it is meant for Bill, what does Bill use to decrypt it?

Answer 28

It is meant for bill, then bill must use his private key to decrypt it, as that is the matching key pair.

Question 29

Public and private keys, what should the owner’s do with them?

Answer 29

Keep private, private, never shared. Public is embedded within a shared certificate, owner shares it with those who need it. Remembering that a PKI and thus certificates are needed for asymmetric encryption.

Question 30

Why might you encrypt it with a private key vs encrypting it with a public key?

Answer 30

Private key encryption with public opening allows the receiver to be assured it was sent by X sender. The message isn’t particularly confidential in this case.
Public key encryption - > private decryption is for confidentiality, only the receiver can open it.

Question 31

What information is available on viewing a certificate?

Answer 31

Serial number (unique cert identifier)
Issuer: certificate authority that issued it
Validity dates: valid from… to:
Subject: Owner of certificate
Public key:
Usage: for encryption, authentication or both

Question 32

Ephemeral key vs static and perfect forward secrecy?

Answer 32

Ephemeral = short, recreated keys, Used for one time sessions. Keeps changing.

Static = used for certificates and doesn’t change.

Perfect forward secrecy - ephemeral keys comply with this which is that a cryptographic system generates random public keys (no algo) each time. No key is reused, past key hacks don’t compromise future keys.

Question 33

Use case of ECC? why??

Answer 33

Elliptical curve cryptography, low power, strong encryption, used for devices with less processing power. Small wireless devices, phones

Question 34

What are the three modes of operation?

Answer 34

Authenticated, counter, unauthenticated.

Question 35

How does a end user and website establish an authenticated mode of operation?

Answer 35

End user and website share symmetric keys in an established session. Only the end user and website know these keys. One key encrypts webpages before sending them (the website). The second key is used with a hash function on ciphertext (encrypted text) to create a MAC (message authentication code). The ciphertext and MAC are sent to the enduser. End user then uses this second key with the hash function to recalculate the MAC. Then the first key is used to decrypt the ciphertext.

Question 36

How does counter mode cipher work?

Answer 36

block cipher converted to stream cipher, combines initialization vector with a counter and encrypts each plaintext block. This results in a different encryption key for each block. Very secure. Provides authenticated encryption.

Question 37

What does unauthenticated mode of operation do?

Answer 37

It provides confidentiality with encryption but no authenticity.

Question 38

What file types are commonly used with steganography? how to tell?

Answer 38

Audio, image and video. Hash comparisons.

Question 39

What keys (and thus encryption time) for
Email signatures?
Email encryption?
Website encryption?

Answer 39

Email sig: Sender’s private key encrypts/signs. Sender’s public key decrypts.
Email encryption: Receivers public key encrypts. Receivers private key decrypts. Receiver’s private key decrypts it.
Website: website’s public key encrypts. Websites private key decrypts. A symmetric key encrypts data in the website session however.

Question 39

How are keys shared for symmetric encryption?

Answer 39

Asymmetric encryption is used to privately share a symmetric key. Symmetric encryption encrypts the data.

Question 39

Why use the private key to encrypt when everyone with the public key can decrypt?

Answer 39

Because in this way you are not hiding the content of the document, you are asserting that you created it. Thus why a private key is used for a digital signature. It is YOURS. Validating integrity.

Question 40

What are the steps on both sides of digitally signing an email?

Answer 40

Sender:
1. Application hashes the message.
2. Application retrieves sender’s private key. Encrypts the hash.
3. Application sends both the encrypted hash and unencrypted message.

Receiver:
1. Retrieves senders public key (from public certificate, previously sent or retrieved via network).
2. Decrypts the encrypted hash with sender’s public key.
3. calculates hash on received message.
4. Compares the decrypted hash with the calculated hash.

Question 41

Encrypting an email (contents of email).. what are the steps?

Answer 41

1. Lisa sends Bart her public key.
2. Bart encrypts it with the public key
3. Only Lisa’s private key decrypts it.
   For confidentiality.

Question 42

Why would symmetric and asymmetric encryption be used in place of each other?

Answer 42

Symmetric is very quick albeit less secure. Assymetric is slow and inefficient. It depends on the context.

Question 43

How might email utilize both symmetric and assymetric? what are the steps

Answer 43

Hybrid encryption is a combination of symmetric and asymmetric encryption. It uses asymmetric encryption to exchange symmetric keys, and then uses symmetric encryption to encrypt and decrypt data.
**remembering symmetric keys are not the same as public keys and can be secret this way.

Sender encrypts email with a symmetric key (fast, efficient), and receives a certificate with receivers public key. The public key is then used (asymmetrically) to encrypt the symmetric key.

The receiver decrypts the symmetric key with his private key, then decrypts the email with the decrypted symmetric key.

Question 44

What is one of the most popular standards used for signing digital signatures? What ports?

Answer 44

Secure/multipurpose internet mail extensions. S/MIME
POP3 - 995 - over TLS
SMTP (587P) - over TLS
IMAP 993 - over TLS

Question 45

What type of key exchange does HTTPS use?

Answer 45

Both symmetric (encrypted via assymetric first) then symmetric is used to encrypt and decrypt the session data

Question 46

A server has both SSL and TLS installed. The client for some reason can’t use TLS? it used to be able to but now it must resort to using SSL. If this is an attack, what is it trying to achieve?

Answer 46

It is a downgrade/TLS/SSL stripping attack. Trying to take advantage of lesser security.

Question 47

What is Entropy in cryptography?

Answer 47

Refers to the randomness of cryptographic algorithm. Higher random = better security.

Question 48

What are some limitations/factors involved in selecting the right tools?

Answer 48

1. Resources (security vs cost)
2. Speed & time (quick or slow?)
3. Size/memory and CPU usage
4. Entropy
5. Predictability
6. Key size (weak, short vs long, secure)
7. Longevity (how long you can use an algo)
8. Reusability (keys shouldn’t be reused)

Question 49

What does it mean to “Support high resilience” in cryptography

Answer 49

This refers to security of an encryption key, even if the attacker discovers part of the key.

Question 50

What is PKI exactly?

Answer 50

It is a group of technologies used to request, create, manage, store, distribute and revoke digital certificates. It allows two strangers (for example) to communicate without knowing each other previously, in a secure way through an insecure public medium(internet)

Question 51

What does a CA do?

Answer 51

cert authority, issues, manages, validates and revokes certificates. Can be large businesses/groups or on a single server within a private company.

Question 52

What is the structure and purpose of a hierarchal CA?

Answer 52

Root CA issues cert to intermediate CAs. Intermediate CAs issue certs to child CAs. Child CAs issue to devices/end users. It is the most common trust model. When an organization gets big enough this is the best method. Small organizations won’t do this.

Question 53

Just started a business with a website, it needs a certificate, what needs to be done?

Answer 53

Need to create a certificate signing request, purpose, website info, public key. The CA validates the identity and creates the certificate with the public key (the process may be more complex depending on its nature).

Question 54

What is the role of an RA?

Answer 54

Registration authority helps the CA by collecting registration information. It doesn’t issue certificates, only assists.Verifies user requests, authenticates users, collects information. Checks if the user is allowed to request a certificate from a website or an application. If successful, it forwards the request to the CA.

Question 55

Why do CAs have a root certificate? where could these be stored? benefits?

Answer 55

Usually a trusted root CA storage (this may be offline) which communicates its functions with the imtermediate and child CAs that are online. This way the root CA isn’t compromised if the intermediate/child is, and can issue a new cert.

Question 56

When do you need to update or revoke a certificate? what does this?

Answer 56

When it expires (valid from-to is set), and when it is compromised, a CA revokes it.

Question 57

Common certificate issues? web browser doesn’t think it’s valid to use..

Answer 57

Expired, not trusted (not issued by trusted CA), revoked.

Question 58

How are certificates validated?

Answer 58

Usually through a certificate revocation list (CRL) which can be given to an enduser by the CA. Then stored in the cache for future use. Otherwise an online certificate status protocol (OCSP) which allows user to query the CA with a serial number.

Question 59

A website has an extra header, this includes a list of hashes derived from valid public keys the website uses. What is this called?

Answer 59

Public key pinning.

Question 60

A website wants to prevent attackers from impersonating it with fraudulent certificates. How does it do this?

Answer 60

Sends a list of public key hashes that clients can use to validate certificates (Public key pinning).

Question 61

Placing a private key in a safe environment is called? what is an example of some safe environments?

Answer 61

Possibly a third party, internal, such as a security agent/recovery agent.

Question 62

What are some common certificate uses?

Answer 62

Machine/computer - issued to a device, identifies a computer.

User - used for encryption/authentication, smart cards.

Email - encryption and digital signatures

Code signing - validate authentication of .exe or scripts. Maintains it’s integrity.

Self-signed - not issued by trusted CA, usually private. Eliminates the cost of purchasing certs from public CAs.

Root = root cert issues by root CA

Wildcard - wild certs start with * can be used for multiple domains, if they have the same root domain, i.e random.google.com and random1.google.com = *.google.com

Subject alternative name = same as above but google owns android.com etc.

Domain validation =