Chapter 10 Understanding Cryptography and PKI Flashcards
Integrity provides assurances that data has not been modified. Hashing ensures that data has retained integrity.
Confidentiality ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.
Symmetric encryption uses the same key to encrypt and decrypt data.
Asymmetric encryption uses two keys (public and private) created as a matched pair.
A digital signature provides authentication, non-repudiation, and integrity.
Authentication validates an identity.
Non-repudiation prevents a party from denying an action.
Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.
Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.
Hashing verifies the integrity of data, such as downloaded files and email messages.
A hash (sometimes listed as a checksum) is a fixed-size string of numbers or hexadecimal characters.
Hashing algorithms are one-way functions used to create a hash. You cannot reverse the process to re-create the original data.
Passwords are often stored as hashes instead of the actual password. Salting the password thwarts many password attacks.
Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.
Common hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both integrity and authenticity of a message.
Encryption provides confidentiality of data, including data-at-rest (any type of data stored on disk) or data-in-transit (any type of transmitted data).
Block ciphers encrypt data in fixed-size blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks.
Stream ciphers encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. RC4 is a commonly used stream cipher.
Cipher modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTM) mode, and Galois/Counter Mode (GCM). ECB should not be used. GCM is widely used because it is efficient and provides data authenticity.
Data Encryption Standard (DES), Triple DES (3DES), and Blowfish are block ciphers that encrypt data in 64-bit blocks. AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key.
Asymmetric encryption uses public and private keys as matched pairs. • If the public key encrypted information, only the matching private key can decrypt it. • If the private key encrypted information, only the matching public key can decrypt it. • Private keys are always kept private and never shared. • Public keys are freely shared by embedding them in a certificate.
RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.
Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.
Diffie-Hellman provides a method to privately share a symmetric key between two parties. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a version of Diffie-Hellman that uses ECC to re-create keys for each session.
Steganography is the practice of hiding data within a file. You can hide messages in the white space of a file without modifying its size. A more sophisticated method modifies bits within a file. Capturing and comparing hashes of files can discover steganography attempts.
When using digital signatures with email: • The sender’s private key encrypts (or signs). • The sender’s public key decrypts.
A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message. • Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key. Recipients decrypt the digital signature with the sender’s matching public key.
When encrypting email: • The recipient’s public key encrypts. • The recipient’s private key decrypts. • Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.
S/MIME and PGP secure email with encryption and digital signatures. They both use RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).
TLS is the replacement for SSL. SSL is deprecated and should not be used. • The web site’s public key encrypts a symmetric key. • The web site’s private key decrypts the symmetric key. • The symmetric key encrypts data in the session.
Weak cipher suites (such as those supporting SSL) should be disabled to prevent downgrade attacks.
A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.
Most public CAs use a hierarchical centralized CA trust model, with a root CA and intermediate CAs. A CA issues, manages, validates, and revokes certificates.
Root certificates of trusted CAs are stored on computers. If a CA’s root certificate is not in the trusted store, web users will see errors indicating the certificate is not trusted or the CA is not recognized.
You request a certificate with a certificate signing request (CSR). You first create a private/public key pair and include the public key in the CSR.
CAs revoke certificates when an employee leaves, the private key is compromised, or the CA is compromised. A CRL identifies revoked certificates as a list of serial numbers.
The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a received certificate is revoked.
Public key pinning provides clients with a list of hashes for each public key the web site uses.
Certificate stapling provides clients with a timestamped, digitally signed OCSP response. The response comes from the CA and is appended to the certificate.
User systems return errors when a system tries to use an expired certificate.
A key escrow stores a copy of private keys used within a PKI. If the original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.
Wildcard certificates use a * for child domains to reduce the administrative burden of managing certificates. Subject Alternative Name (SAN) certificates can be used for multiple domains with different domain names.
A domain validated certificate indicates that the certificate requestor has some control over a DNS domain. Extended validation certificates use additional steps beyond domain validation to give users a visual indication that they are accessing the site.
CER is an ASCII format and DER is a binary format.
PEM is the most commonly used certificate format and can be used for just about any certificate type.
P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.