Chapter 10 Understanding cryptography and PKI Flashcards

1
Q

Integrity ensures?

A

That the data has not been modified. Hashing supports integrity.

2
Q

What is a hash? What is a special feature of it? What is a common hashing protocol used today?

A

A calculated value that produces a fixed-length string. It cannot be reversed. SHA-3.

3
Q

Confidentiality ensures? What supports it?

A

That the data is read only by those who should read it. Encryption supports it.

4
Q

Symmetric vs asymmetric encryption?

A

Symmetric: the same key encrypts and decrypts. Asymmetric uses a public and private key pair instead.

5
Q

What is a cipher? What are the two types?

A

An encryption technique. A stream cipher encrypts 1 bit at a time; block ciphers encrypt in blocks.

6
Q

In order to use asymmetric encryption, what is required (not keys, but something else)?

A

A PKI (public key infrastructure) to issue certificates. The certificate identifies whether the key belongs to that person.

7
Q

Aim of steganography?

A

To hide data by embedding it in code, pictures, sound, etc., providing confidentiality.

8
Q

What is a digital signature made of and what does a digital signature provide when assigned to something?

A

It is a hash of an email message, encrypted with the user's private key. Only the receiver's public key can decrypt it. Authentication, non-repudiation, and integrity.

9
Q

Non-repudiation?

A

A party cannot deny that it is authentic.

10
Q

What cryptographic hashing protocol is now less secure/not used often?

A

MD-5.

11
Q

List the SHA versions and their uses.

A

SHA-0: not in use. SHA-1: has weaknesses (not approved). SHA-2 and SHA-3: both in use.

12
Q

Hashing: what is HMAC? Why is it different? What protocols might use it?

A

Hash-based message authentication code; it uses a secret key that only the sender and receiver know. If the hash is recomputed without the key, it fails the authenticity check. IPsec and TLS.

13
Q

What is the best algorithm for encrypting data? MD-5, HMAC, SHA-2 or SHA-3?

A

Hashes don’t encrypt data!

14
Q

How do systems store passwords?

A

They store a hash of the password; when you type it in, the system hashes the input and compares it to the stored hash value.

15
Q

An application creates the same hash from two different inputs, is this an issue?

A

Yes. Two different passwords could be used for one account, doubling the chances of a correct guess. This is a hash collision; MD5 is susceptible to it.

16
Q

Online vs offline password attacks

A

Online: trying passwords against a live system, such as brute forcing a web page login. Offline: obtaining a database of hashes and running tools to find the password matching each hash.

17
Q

Why are spraying attacks so effective?

A

They bypass account lockouts by using a long list of accounts and trying the same password against all of them. By the time the attempt loops back to the first account, the lockout time period will have expired. May use a dictionary and/or brute force.

18
Q

Password attack clues? Where to find them?

A

Logs, authentication failure logs.

19
Q

What is a pass the hash attack?

A

Attackers gain access to a computer (via admin privileges, malware, etc.) and steal the password hash. Hashes should always be stored encrypted and passed over the network encrypted also.

20
Q

What is a rainbow table attack?

A

Using a rainbow table, a large table of already-computed hashes of many words and combinations. It eliminates the lengthy process of guessing -> hashing -> comparing. These attacks are often performed offline.

21
Q

Salting passwords? How?

A

Add a few random characters to the password prior to hashing; this increases the complexity/difficulty of the hash computed afterwards.

22
Q

What is the process of key stretching?

A

Key stretching involves subjecting your passwords to multiple rounds of hashing, effectively turning a weak password into a more secure version. The more rounds you perform, the more secure your password becomes. Salting, on the other hand, provides an extra layer of defense.

23
Q

Define data at rest, in transit and in processing.

A

Data at rest: stored data.
Data in transit: sent over the network.
Data in processing: being used by a computer.

24
Q

Compare symmetric encryption to a house key

A

The wife owns a house key; she makes a copy and gives it to her husband, who can use the same key to open the house as well.

25
Q

What type of key pair do block and stream ciphers use?

A

Symmetric

26
Q

What is AES? List some benefits of using it.

A

AES is the Advanced Encryption Standard, a strong symmetric block cipher that encrypts data in 128-bit blocks. It can use 128- to 256-bit keys; the larger the key, the more difficult it is to crack (better key strength).
- Fast
- Efficient (less resource demanding)
- Strong

27
Q

Blowfish and Twofish? Advantage of Blowfish?

A

Blowfish and Twofish are block ciphers encrypting in 64-bit blocks (Blowfish) or 128-bit blocks (Twofish). Blowfish is faster than AES, which uses 128-bit blocks. Blowfish also supports 32- to 448-bit keys. Very strong.

28
Q

Asymmetric encryption: a file is encrypted using Bob's public key, but it is meant for Bill. What does Bill use to decrypt it?

A

Since it is meant for Bill, Bill must use his private key to decrypt it, as that is the matching key of the pair.

29
Q

Public and private keys: what should the owner do with them?

A

Keep the private key private; it is never shared. The public key is embedded within a shared certificate, and the owner shares it with those who need it. Remember that a PKI, and thus certificates, are needed for asymmetric encryption.

30
Q

Why might you encrypt something with a private key vs. encrypting it with a public key?

A

Private key encryption with public key decryption allows the receiver to be assured the message was sent by a particular sender. The message isn't particularly confidential in this case.
Public key encryption -> private key decryption is for confidentiality: only the receiver can open it.

31
Q

What information is available on viewing a certificate?

A

Serial number (unique cert identifier)
Issuer: certificate authority that issued it
Validity dates: valid from… to:
Subject: Owner of certificate
Public key:
Usage: for encryption, authentication or both

32
Q

Ephemeral vs. static keys, and perfect forward secrecy?

A

Ephemeral = short-lived, re-created keys, used for one-time sessions. They keep changing.

Static = used for certificates; does not change.

Perfect forward secrecy: ephemeral keys comply with this. The cryptographic system generates random public keys (no algorithm) each time. No key is reused, so a past key compromise does not compromise future keys.

33
Q

Use case of ECC? Why?

A

Elliptic curve cryptography: low power, strong encryption, used for devices with less processing power, such as small wireless devices and phones.

34
Q

What are the three modes of operation?

A

Authenticated, counter, unauthenticated.

35
Q

How do an end user and a website establish an authenticated mode of operation?

A

The end user and website share symmetric keys in an established session; only the end user and website know these keys. One key encrypts web pages before the website sends them. The second key is used with a hash function on the ciphertext (encrypted text) to create a MAC (message authentication code). The ciphertext and MAC are sent to the end user. The end user then uses the second key with the hash function to recalculate the MAC, and then the first key to decrypt the ciphertext.

36
Q

How does counter mode work?

A

A block cipher is converted to a stream cipher: it combines an initialization vector with a counter and encrypts each plaintext block. This results in a different encryption key for each block. Very secure. Provides authenticated encryption.

37
Q

What does unauthenticated mode of operation do?

A

It provides confidentiality with encryption but no authenticity.

38
Q

What file types are commonly used with steganography? How to tell?

A

Audio, image and video. Hash comparisons.

39
Q

What keys are used (and thus when encryption happens) for:
Email signatures?
Email encryption?
Website encryption?

A

Email signature: the sender's private key encrypts/signs; the sender's public key decrypts.
Email encryption: the receiver's public key encrypts; the receiver's private key decrypts.
Website: the website's public key encrypts; the website's private key decrypts. However, a symmetric key encrypts the data in the website session.

39
Q

How are keys shared for symmetric encryption?

A

Asymmetric encryption is used to privately share a symmetric key. Symmetric encryption encrypts the data.

39
Q

Why use the private key to encrypt when everyone with the public key can decrypt?

A

Because in this way you are not hiding the content of the document; you are asserting that you created it. That is why a private key is used for a digital signature: it is YOURS. This validates integrity.

40
Q

What are the steps on both sides of digitally signing an email?

A

Sender:
1. The application hashes the message.
2. The application retrieves the sender's private key and encrypts the hash.
3. The application sends both the encrypted hash and the unencrypted message.

Receiver:
1. Retrieves the sender's public key (from the public certificate, previously sent or retrieved via the network).
2. Decrypts the encrypted hash with the sender's public key.
3. Calculates the hash of the received message.
4. Compares the decrypted hash with the calculated hash.

41
Q

Encrypting an email (the contents of the email): what are the steps?

A

1. Lisa sends Bart her public key.
2. Bart encrypts the email with the public key.
3. Only Lisa's private key decrypts it.
This provides confidentiality.

42
Q

Why would symmetric and asymmetric encryption be used in place of each other?

A

Symmetric is very quick, albeit less secure. Asymmetric is slow and inefficient. It depends on the context.

43
Q

How might email utilize both symmetric and asymmetric encryption? What are the steps?

A

Hybrid encryption is a combination of symmetric and asymmetric encryption. It uses asymmetric encryption to exchange symmetric keys, and then uses symmetric encryption to encrypt and decrypt data.
**Remember that symmetric keys are not the same as public keys and can be kept secret this way.

The sender encrypts the email with a symmetric key (fast, efficient) and receives a certificate containing the receiver's public key. The public key is then used (asymmetrically) to encrypt the symmetric key.

The receiver decrypts the symmetric key with his private key, then decrypts the email with the decrypted symmetric key.

44
Q

What is one of the most popular standards used for digital signatures? What ports?

A

S/MIME (Secure/Multipurpose Internet Mail Extensions).
POP3: port 995 over TLS
SMTP: port 587 over TLS
IMAP: port 993 over TLS

45
Q

What type of key exchange does HTTPS use?

A

Both: the symmetric key is first exchanged via asymmetric encryption, then symmetric encryption is used to encrypt and decrypt the session data.

46
Q

A server has both SSL and TLS installed. For some reason the client can't use TLS; it used to be able to, but now it must resort to using SSL. If this is an attack, what is it trying to achieve?

A

It is a downgrade (TLS/SSL stripping) attack, trying to take advantage of the weaker security.

47
Q

What is entropy in cryptography?

A

Refers to the randomness of a cryptographic algorithm. Higher randomness = better security.

48
Q

What are some limitations/factors involved in selecting the right tools?

A

1. Resources (security vs. cost)
2. Speed and time (quick or slow?)
3. Size/memory and CPU usage
4. Entropy
5. Predictability
6. Key size (weak, short vs. long, secure)
7. Longevity (how long you can use an algorithm)
8. Reusability (keys shouldn't be reused)

49
Q

What does it mean to "support high resilience" in cryptography?

A

This refers to security of an encryption key, even if the attacker discovers part of the key.

50
Q

What is PKI exactly?

A

It is a group of technologies used to request, create, manage, store, distribute and revoke digital certificates. It allows two strangers (for example) to communicate securely without knowing each other previously, through an insecure public medium (the internet).

51
Q

What does a CA do?

A

Certificate authority: issues, manages, validates and revokes certificates. Can be a large business/group or a single server within a private company.

52
Q

What is the structure and purpose of a hierarchical CA?

A

Root CA issues cert to intermediate CAs. Intermediate CAs issue certs to child CAs. Child CAs issue to devices/end users. It is the most common trust model. When an organization gets big enough this is the best method. Small organizations won’t do this.

53
Q

Just started a business with a website, it needs a certificate, what needs to be done?

A

Need to create a certificate signing request containing the purpose, website info and public key. The CA validates the identity and creates the certificate with the public key (the process may be more complex depending on its nature).

54
Q

What is the role of an RA?

A

The registration authority helps the CA by collecting registration information. It doesn't issue certificates, only assists: it verifies user requests, authenticates users and collects information. It checks whether the user is allowed to request a certificate from a website or an application. If successful, it forwards the request to the CA.

55
Q

Why do CAs have a root certificate? Where could these be stored? Benefits?

A

Usually in trusted root CA storage (this may be offline), which delegates its functions to the intermediate and child CAs that are online. This way the root CA isn't compromised if an intermediate/child CA is, and it can issue a new certificate.

56
Q

When do you need to update or revoke a certificate? Who does this?

A

When it expires (the valid from/to dates are set) and when it is compromised; a CA revokes it.

57
Q

Common certificate issues? The web browser doesn't think it is valid to use.

A

Expired, not trusted (not issued by trusted CA), revoked.

58
Q

How are certificates validated?

A

Usually through a certificate revocation list (CRL), which the CA can give to an end user and which is then cached for future use. Otherwise through the Online Certificate Status Protocol (OCSP), which allows the user to query the CA with a certificate's serial number.

59
Q

A website has an extra header, this includes a list of hashes derived from valid public keys the website uses. What is this called?

A

Public key pinning.

60
Q

A website wants to prevent attackers from impersonating it with fraudulent certificates. How does it do this?

A

Sends a list of public key hashes that clients can use to validate certificates (Public key pinning).

61
Q

Placing a private key in a safe environment is called? What are some examples of safe environments?

A

Possibly a third party or an internal one, such as a security agent/recovery agent.

62
Q

What are some common certificate uses?

A

Machine/computer - issued to a device, identifies a computer.

User - used for encryption/authentication, smart cards.

Email - encryption and digital signatures

Code signing - validates the authenticity of .exe files or scripts. Maintains their integrity.

Self-signed - not issued by trusted CA, usually private. Eliminates the cost of purchasing certs from public CAs.

Root = root certificate issued by the root CA.

Wildcard - wildcard certificates start with * and can be used for multiple domains if they have the same root domain, e.g. random.google.com and random1.google.com = *.google.com

Subject alternative name = same as above, but for different domains owned by the same organization, e.g. Google owns android.com etc.

Domain validation =
