Chapter 10 Understanding Cryptography and PKI Flashcards
Integrity provides assurances that data has not been modified. Hashing ensures that data has retained integrity.
Confidentiality ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.
Symmetric encryption uses the same key to encrypt and decrypt data.
Asymmetric encryption uses two keys (public and private) created as a matched pair.
A digital signature provides authentication, non-repudiation, and integrity.
Authentication validates an identity.
Non-repudiation prevents a party from denying an action.
Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.
Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.
Hashing verifies the integrity of data, such as downloaded files and email messages.
A hash (sometimes listed as a checksum) is a fixed-size string of numbers or hexadecimal characters.
Hashing algorithms are one-way functions used to create a hash. You cannot reverse the process to re-create the original data.
Passwords are often stored as hashes instead of the actual password. Salting the password thwarts many password attacks.
Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.
Common hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both integrity and authenticity of a message.
Confidentiality ensures that data is only viewable by authorized users.
Encryption provides confidentiality of data, including data-at-rest (any type of data stored on disk) or data-in-transit (any type of transmitted data).
Block ciphers encrypt data in fixed-size blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks.
Stream ciphers encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. RC4 is a commonly used stream cipher.
Cipher modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTM) mode, and Galois/Counter Mode (GCM). ECB should not be used. GCM is widely used because it is efficient and provides data authenticity.
Data Encryption Standard (DES), Triple DES (3DES), and Blowfish are block ciphers that encrypt data in 64-bit blocks. AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key.
Asymmetric encryption uses public and private keys as matched pairs.
• If the public key encrypted information, only the matching private key can decrypt it.
• If the private key encrypted information, only the matching public key can decrypt it.
• Private keys are always kept private and never shared.
• Public keys are freely shared by embedding them in a certificate.
RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.
Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.
Diffie-Hellman provides a method to privately share a symmetric key between two parties. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a version of Diffie-Hellman that uses ECC to re-create keys for each session.
Steganography is the practice of hiding data within a file. You can hide messages in the white space of a file without modifying its size. A more sophisticated method modifies bits within a file. Capturing and comparing hashes of files can discover steganography attempts.
When using digital signatures with email:
• The sender’s private key encrypts (or signs).
• The sender’s public key decrypts.
A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message.
• Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key.
• Recipients decrypt the digital signature with the sender’s matching public key.
When encrypting email:
• The recipient’s public key encrypts.
• The recipient’s private key decrypts.
• Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.
S/MIME and PGP secure email with encryption and digital signatures. They both use RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).