Chapter 2 Cryptography Definitions Flashcards

1
Q

block cipher

A

A block cipher is a symmetric key cipher (meaning the same key is used to encrypt and decrypt) that operates on a group of bits called a block.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Name 5 Block Ciphers

A
  1. Advanced Encryption Standard (AES)
  2. Triple Digital Encryption Standard (3DES)
  3. Blowfish
  4. Digital Encryption Standard (DES)
  5. International Data Encryption Algorithm (IDEA)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Stream Cipher

A

A stream cipher is a symmetric key cipher (meaning the same key is used to encrypt and decrypt), where the plaintext data to be encrypted is done a bit at a time against the bits of the key stream, also called a cipher digit stream.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Symmetric algorithm

A

Symmetric algorithm An encryption algorithm that uses the same key to encrypt the data and decrypt the data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Asymmetric algorithm

A

Asymmetric algorithm An encryption algorithm that uses two different keys—a public key and a private key. Together they make a key pair.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Hashing

A

Hashing is a method used to verify data integrity. For example, you can verify the integrity of a downloaded software image file from Cisco, and then verify its integrity using a tool such as the verify md5 command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Name 3 different Hash Algorithms

A
  1. Message Digest 5 (MD5): This hash creates a 128-bit digest.
  2. Secure Hash Algorithm 1 (SHA-1): This hash creates a 160-bit digest.
  3. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

HMAC

A

Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, but kicks it up a notch. Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are three bennifits to digintal signatures?

A
  1. Authentication
  2. Data integrity
  3. Nonrepudiation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Digital certificates

A

Digital certificates can be used for clients who want to authenticate a web server to verify they are connected to the correct server using HTTP Secure (HTTPS), Transport Layer Security (TLS), or Secure Sockets Layer (SSL).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

CA

A

A certificate authority is a computer or entity that creates and issues digital certificates. Inside of a digital certificate is information about the identity of a device, such as its IP address, fully qualified domain name (FQDN), and the public key of that device.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Root certificate

A

Root certificate A root certificate contains the public key of the CA server and the other details about the CA server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Identity certificate

A

Identity certificate An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the relevant parts of a Certificate?

A
  • Serial number: Issued and tracked by the CA that issued the certificate.
  • Issuer: The CA that issued this certificate. (Even root certificates need to have their certificates issued from someone, perhaps even themselves.)
  • Validity dates: The time window during which the certificate is considered valid. If a local computer believes the date to be off by a few years, that same PC may consider the certificate invalid due to its own error about the time. Using the Network Time Protocol (NTP) is a good idea to avoid this problem.
  • Subject of the certificate: This includes the organizational unit (OU), organization (O), country (C), and other details commonly found in an X.500 structured directory. The subject of the root certificate is the CA itself. The subject for a client’s identity certificate is the client.
  • Public key: The contents of the public key and the length of the key are often both shown. After all, the public key is public.
  • Thumbprint algorithm and thumbprint: This is the hash for the certificate. On a new root certificate, you could use a phone to call and ask for the hash value and compare it to the hash value you see on the certificate. If it matches, you have just performed out-of-band verification (using the telephone) of the digital certificate.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

X.500

A

X.500 is a series of standards focused on directory services and how those directories are organized.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

X.500v3

A

X.509 Version 3 is a standard for digital certificates that is widely accepted and incorporates many of the same directory and naming standards. A common protocol used to perform lookups from a directory is the Lightweight Directory Access Protocol (LDAP).

17
Q

PKCS #10:

A

PKCS #10: This is a format of a certificate request sent to a CA that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate.

18
Q

PKCS #7:

A

PKCS #7: This is a format that can be used by a CA as a response to a PKCS #10 request. The response itself will very likely be the identity certificate (or certificates) that had been previously requested.

19
Q

PKCS #1

A

PKCS #1: The RSA cryptography standard.

20
Q

PKCS #12:

A

PKCS #12: A format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.

21
Q

PKCS #3

A

PKCS #3: Diffie-Hellman key exchange.

22
Q

CRL

A

Certificate revocation list (CRL): This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.

23
Q

OCSP

A

Online Certificate Status Protocol (OCSP): This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

24
Q

AAA

A

Authentication, authorization, and accounting (AAA): Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.

25
Q

IPsec

A

IPsec is a suite of protocols used to protect IP packets and has been around for decades. It is in use today for both remote-access VPNs and site-to-site VPNs. SSL is the new kid on the block in its application with remote-access VPNs. Let’s take a closer look at both these options.

26
Q

ESP and AH

A

ESP and AH: These are the two primary methods for implementing IPsec. ESP stands for Encapsulating Security Payload, which can perform all the features of IPsec, and AH stands for Authentication Header, which can do many parts of the IPsec objectives, except for the important one (the encryption of the data). For that reason, we do not frequently see AH being used.

27
Q

Encryption algorithms for confidentiality

A

Encryption algorithms for confidentiality: DES, 3DES, and AES.

28
Q

Hashing algorithms for integrity

A

Hashing algorithms for integrity: MD5 and SHA

29
Q

Authentication algorithms:

A

Authentication algorithms: Pre-shared keys (PSKs) and RSA digital

30
Q

Key management:

A

Key management: Examples of key management include Diffie-Hellman (DH), which can be used to dynamically generate symmetric keys to be used by symmetric algorithms; PKI, which supports the function of digital certificates issued by trusted CAs; and Internet Key Exchange (IKE), which does a lot of the negotiating and management needed for IPsec to operate.