Chapter 10 Understanding Cryptography and PKI

Question 1

Integrity provides assurances that data has not been modified. Hashing ensures that data has retained integrity.

Answer 1

Confidentiality ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.

Question 2

Symmetric encryption uses the same key to encrypt and decrypt data.

Answer 2

Asymmetric encryption uses two keys (public and private) created as a matched pair.

Question 3

A digital signature provides authentication, non-repudiation, and integrity.

Answer 3

Authentication validates an identity.

Question 4

Non-repudiation prevents a party from denying an action.

Answer 4

Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.

Question 5

Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.

Answer 5

Hashing verifies the integrity of data, such as downloaded files and email messages.

Question 6

A hash (sometimes listed as a checksum) is a fixed-size string of numbers or hexadecimal characters.

Answer 6

Hashing algorithms are one-way functions used to create a hash. You cannot reverse the process to re-create the original data.

Question 7

Passwords are often stored as hashes instead of the actual password. Salting the password thwarts many password attacks.

Answer 7

Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.

Question 8

Common hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both integrity and authenticity of a message.

Answer 8

Confidentiality ensures that data is only viewable by authorized users.

Question 9

Encryption provides confidentiality of data, including data-at-rest (any type of data stored on disk) or data-in-transit (any type of transmitted data).

Answer 9

Block ciphers encrypt data in fixed-size blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks.

Question 10

Stream ciphers encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. RC4 is a commonly used stream cipher.

Answer 10

Cipher modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTM) mode, and Galois/ Counter Mode (GCM). ECB should not be used. GCM is widely used because it is efficient and provides data authenticity.

Question 11

Data Encryption Standard (DES), Triple DES (3DES), and Blowfish are block ciphers that encrypt data in 64-bit blocks. AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key.

Answer 11

Asymmetric encryption uses public and private keys as matched pairs. • If the public key encrypted information, only the matching private key can decrypt it. • If the private key encrypted information, only the matching public key can decrypt it. • Private keys are always kept private and never shared. • Public keys are freely shared by embedding them in a certificate.

Question 12

RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.

Answer 12

Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.

Question 13

Diffie-Hellman provides a method to privately share a asymmetric key between two parties. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a version of Diffie-Hellman that uses ECC to re-create keys for each session.

Answer 13

Steganography is the practice of hiding data within a file. You can hide messages in the white space of a file without modifying its size. A more sophisticated method is by modifying bits within a file. Capturing and comparing hashes of files can discover steganography attempts.

Question 14

When using digital signatures with email: • The sender’s private key encrypts (or signs). • The sender’s public key decrypts.

Answer 14

A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message. • Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key. Recipients decrypt the digital signature with the sender’s matching public key.

Question 15

When encrypting email: • The recipient’s public key encrypts. • The recipient’s private key decrypts. • Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.

Answer 15

S/ MIME and PGP secure email with encryption and digital signatures. They both use RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).

Question 16

TLS is the replacement for SSL. SSL is deprecated and should not be used.

Answer 16

TLS is the replacement for SSL. SSL is deprecated and should not be used. The web site’s public key encrypts a symmetric key. • The web site’s private key decrypts the symmetric key. • The symmetric key encrypts data in the session.

Question 17

Weak cipher suites (such as those supporting SSL) should be disabled to prevent downgrade attacks.

Answer 17

A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.

Question 18

Most public CAs use a hierarchical centralized CA trust model, with a root CA and intermediate CAs. A CA issues, manages, validates, and revokes certificates.

Answer 18

Root certificates of trusted CAs are stored on computers. If a CA’s root certificate is not in the trusted store, web users will see errors indicating the certificate is not trusted or the CA is not recognized.

Question 19

You request a certificate with a certificate signing request (CSR). You first create a private/ public key pair and include the public key in the CSR.

Answer 19

CAs revoke certificates when an employee leaves, the private key is compromised, or the CA is compromised. A CRL identifies revoked certificates as a list of serial numbers.

Question 20

The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a received certificate is revoked.

Answer 20

Public key pinning provides clients with a list of hashes for each public key it uses.

Question 21

Certificate stapling provides clients with a timestamped, digitally signed OCSP response. This is from the CA and appended to the certificate.

Answer 21

User systems return errors when a system tries to use an expired certificate.

Question 22

A key escrow stores a copy of private keys used within a PKI. If the original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.

Answer 22

Wildcard certificates use a * for child domains to reduce the administrative burden of managing certificates. Subject Alternative Name (SAN) certificates can be used for multiple domains with different domain names.

Question 23

A domain validated certificate indicates that the certificate requestor has some control over a DNS domain. Extended validation certificates use additional steps beyond domain validation to give users a visual indication that they are accessing the site.

Answer 23

CER is an ASCII format and DER is a binary format.

Question 24

PEM is the most commonly used certificate format and can be used for just about any certificate type.

Answer 24

P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.

Question 25

• TLS uses asymmetric encryption to securely share the symmetric key. • TLS uses symmetric encryption to encrypt the session data.

Answer 25

Symmetric key cryptography excels in speed, efficiency, and the ability to handle large amounts of data easily. The disadvantages primarily involve scalability and key exchange.

Question 26

Asymmetric key cryptography does great key exchange, but features slower speed compared to symmetric key cryptography and doesn’t handle large amounts of data very efficiently.

Answer 26

Hashing provides integrity in the CIA of security by creating unique numbers for data and originators of information.

Question 27

Hybrid cryptography leverages the advantages of both symmetric and asymmetric key cryptography together and eliminates their disadvantages.

Answer 27

• DES • 3DES • AES • Blowfish • Twofish • RC4

Question 28

DES uses five different cipher modes: • ECB • CBC • CFB • OFB • CTR

Answer 28

You need to know the different characteristics of DES for the exam—16 rounds of encryption, 64-bit blocks, 56-bit keys, and five cipher modes of operation.

Question 29

Although AES is the official U.S. standard, both Blowfish and Twofish are exceptionally good encryption algorithms. Both use 64-bit blocks and both perform 16 rounds of encryption. Blowfish can use key sizes from 32 to 448 bits, and Twofish uses key sizes of 128 bits, 192 bits, and 256 bits. Longer keys provide better key strength.

Answer 29

RC4 is likely the only example of a streaming cipher you will see on the exam. All the other symmetric algorithms discussed throughout this book are block ciphers.

Question 30

RSA uses one round of encryption, and its typical key sizes range from 1024 to 4096 bits.

Answer 30

Let’s look, in order, at these cryptosystems:

• RSA
• Diffie-Hellman
• PGP/ GPG
• ECC
• ElGamal

Question 31

Let’s look at these cryptosystems: • DES 
• 3DES 
• AES 
• Blowfish 
• Twofish 
• RC4

Answer 31

we’ll explore the four most common hashing algorithms:

• MD5
• SHA
• RIPEMD
• HMAC

Question 32

HMAC can use hashing functions and symmetric keys to produce a message authentication code (MAC), used to ensure both integrity and authenticity of a message.

Answer 32

Symmetric Encryption 
AES 
DES 
3DES 
RC4 
Blowfish and Twofish 
————————————-
Asymmetric Encryption
RSA
Elliptic Curve Cryptography
Diffie-Hellman
The Rayburn Box

Question 33

Web page and does the following: 1. Encrypts the page with the client’s public key. 2. Hashes the page. 3. Encrypts the hash with the server’s private key. 4. Sends the page, the public key, and the hash to the client.

Answer 33

Now it’s the client’s turn: 1. The client decrypts the hash using the server’s public key to verify it really came from the server. (Only the server’s public key can decrypt something encrypted with the server’s private key.) 2. The client decrypts the message with the client’s private key.

Question 34

PKI uses not only asymmetric algorithms and keys, but also symmetric algorithms and keys and hashing algorithms, all working together to perform different functions and provide services.

Answer 34

The primary standard used in PKI is the X. 509 standard, which describes the certificate format and how it is used.

Question 35

Ephemeral key has a very short lifetime and is re-created for each session.

Answer 35

PFS or Perfect forward secrecy is an important characteristic that ephemeral keys comply with in asymmetric encryption. Perfect forward secrecy indicates that a cryptographic system generates random public keys for each session and it doesn’t use a deterministic algorithm to do so.