Chapter 10 Understanding Cryptography and PKI Flashcards

1
Q

Integrity provides assurances that data has not been modified. Hashing ensures that data has retained integrity.

A

Confidentiality ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.

2
Q

Symmetric encryption uses the same key to encrypt and decrypt data.

A

Asymmetric encryption uses two keys (public and private) created as a matched pair.

3
Q

A digital signature provides authentication, non-repudiation, and integrity.

A

Authentication validates an identity.

4
Q

Non-repudiation prevents a party from denying an action.

A

Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.

5
Q

Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.

A

Hashing verifies the integrity of data, such as downloaded files and email messages.

6
Q

A hash (sometimes listed as a checksum) is a fixed-size string of numbers or hexadecimal characters.

A

Hashing algorithms are one-way functions used to create a hash. You cannot reverse the process to re-create the original data.

7
Q

Passwords are often stored as hashes instead of the actual password. Salting the password thwarts many password attacks.

A

Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.

8
Q

Common hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both integrity and authenticity of a message.

A

Confidentiality ensures that data is only viewable by authorized users.

9
Q

Encryption provides confidentiality of data, including data-at-rest (any type of data stored on disk) or data-in-transit (any type of transmitted data).

A

Block ciphers encrypt data in fixed-size blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks.

10
Q

Stream ciphers encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. RC4 is a commonly used stream cipher.

A

Cipher modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTM) mode, and Galois/Counter Mode (GCM). ECB should not be used. GCM is widely used because it is efficient and provides data authenticity.

11
Q

Data Encryption Standard (DES), Triple DES (3DES), and Blowfish are block ciphers that encrypt data in 64-bit blocks. AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key.

A

Asymmetric encryption uses public and private keys as matched pairs.

  • If the public key encrypted information, only the matching private key can decrypt it.
  • If the private key encrypted information, only the matching public key can decrypt it.
  • Private keys are always kept private and never shared.
  • Public keys are freely shared by embedding them in a certificate.

12
Q

RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.

A

Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.

13
Q

Diffie-Hellman provides a method to privately share a symmetric key between two parties. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a version of Diffie-Hellman that uses ECC to re-create keys for each session.

A

Steganography is the practice of hiding data within a file. You can hide messages in the white space of a file without modifying its size. A more sophisticated method is by modifying bits within a file. Capturing and comparing hashes of files can discover steganography attempts.

14
Q

When using digital signatures with email:

  • The sender’s private key encrypts (or signs).
  • The sender’s public key decrypts.

A

A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message.

  • Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key.
  • Recipients decrypt the digital signature with the sender’s matching public key.

15
Q

When encrypting email:

  • The recipient’s public key encrypts.
  • The recipient’s private key decrypts.
  • Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.

A

S/MIME and PGP secure email with encryption and digital signatures. They both use RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).

16
Q

TLS is the replacement for SSL. SSL is deprecated and should not be used.

A

When TLS establishes a session:

  • The web site’s public key encrypts a symmetric key.
  • The web site’s private key decrypts the symmetric key.
  • The symmetric key encrypts data in the session.

17
Q

Weak cipher suites (such as those supporting SSL) should be disabled to prevent downgrade attacks.

A

A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.

18
Q

Most public CAs use a hierarchical centralized CA trust model, with a root CA and intermediate CAs. A CA issues, manages, validates, and revokes certificates.

A

Root certificates of trusted CAs are stored on computers. If a CA’s root certificate is not in the trusted store, web users will see errors indicating the certificate is not trusted or the CA is not recognized.

19
Q

You request a certificate with a certificate signing request (CSR). You first create a private/public key pair and include the public key in the CSR.

A

CAs revoke certificates when an employee leaves, the private key is compromised, or the CA is compromised. A CRL identifies revoked certificates as a list of serial numbers.

20
Q

The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a received certificate is revoked.

A

Public key pinning provides clients with a list of hashes of the public keys a site uses, so the client can reject a certificate whose key does not match.

21
Q

Certificate stapling provides clients with a timestamped, digitally signed OCSP response. This is from the CA and appended to the certificate.

A

User systems return errors when a system tries to use an expired certificate.

22
Q

A key escrow stores a copy of private keys used within a PKI. If the original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.

A

Wildcard certificates use a * for child domains to reduce the administrative burden of managing certificates. Subject Alternative Name (SAN) certificates can be used for multiple domains with different domain names.

23
Q

A domain validated certificate indicates that the certificate requestor has some control over a DNS domain. Extended validation certificates use additional steps beyond domain validation to give users a visual indication that they are accessing the site.

A

CER is an ASCII format and DER is a binary format.

24
Q

PEM is the most commonly used certificate format and can be used for just about any certificate type.

A

P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.

25
Q

  • TLS uses asymmetric encryption to securely share the symmetric key.
  • TLS uses symmetric encryption to encrypt the session data.

A

Symmetric key cryptography excels in speed, efficiency, and the ability to handle large amounts of data easily. The disadvantages primarily involve scalability and key exchange.

26
Q

Asymmetric key cryptography does great key exchange, but features slower speed compared to symmetric key cryptography and doesn’t handle large amounts of data very efficiently.

A

Hashing provides integrity (the I in the CIA triad) by creating unique values for data and for the originators of information.

27
Q

Hybrid cryptography leverages the advantages of both symmetric and asymmetric key cryptography together and eliminates their disadvantages.

A

  • DES
  • 3DES
  • AES
  • Blowfish
  • Twofish
  • RC4

28
Q

DES uses five different cipher modes:

  • ECB
  • CBC
  • CFB
  • OFB
  • CTR

A

You need to know the different characteristics of DES for the exam—16 rounds of encryption, 64-bit blocks, 56-bit keys, and five cipher modes of operation.

29
Q

Although AES is the official U.S. standard, both Blowfish and Twofish are exceptionally good encryption algorithms. Both use 64-bit blocks and both perform 16 rounds of encryption. Blowfish can use key sizes from 32 to 448 bits, and Twofish uses key sizes of 128 bits, 192 bits, and 256 bits. Longer keys provide better key strength.

A

RC4 is likely the only example of a streaming cipher you will see on the exam. All the other symmetric algorithms discussed throughout this book are block ciphers.

30
Q

RSA uses one round of encryption, and its typical key sizes range from 1024 to 4096 bits.

A

Let’s look, in order, at these cryptosystems:

  • RSA
  • Diffie-Hellman
  • PGP/GPG
  • ECC
  • ElGamal
31
Q

Let’s look at these cryptosystems:

  • DES
  • 3DES
  • AES
  • Blowfish
  • Twofish
  • RC4

A

We’ll explore the four most common hashing algorithms:

  • MD5
  • SHA
  • RIPEMD
  • HMAC
32
Q

HMAC can use hashing functions and symmetric keys to produce a message authentication code (MAC), used to ensure both integrity and authenticity of a message.

A

Symmetric Encryption

  • AES
  • DES
  • 3DES
  • RC4
  • Blowfish and Twofish

Asymmetric Encryption

  • RSA
  • Elliptic Curve Cryptography
  • Diffie-Hellman
  • The Rayburn Box
33
Q

The server takes the web page and does the following:

  1. Encrypts the page with the client’s public key.
  2. Hashes the page.
  3. Encrypts the hash with the server’s private key.
  4. Sends the page, the public key, and the hash to the client.

A

Now it’s the client’s turn:

  1. The client decrypts the hash using the server’s public key to verify it really came from the server. (Only the server’s public key can decrypt something encrypted with the server’s private key.)
  2. The client decrypts the message with the client’s private key.

34
Q

PKI uses not only asymmetric algorithms and keys, but also symmetric algorithms and keys and hashing algorithms, all working together to perform different functions and provide services.

A

The primary standard used in PKI is the X.509 standard, which describes the certificate format and how it is used.

35
Q

An ephemeral key has a very short lifetime and is re-created for each session.

A

Perfect forward secrecy (PFS) is an important characteristic that ephemeral keys provide in asymmetric encryption. Perfect forward secrecy indicates that a cryptographic system generates random public keys for each session and does not use a deterministic algorithm to do so.