Chapter 2 Cryptography Definitions

Question 1

block cipher

Answer 1

A block cipher is a symmetric key cipher (meaning the same key is used to encrypt and decrypt) that operates on a group of bits called a block.

Question 2

Name 5 Block Ciphers

Answer 2

1. Advanced Encryption Standard (AES)
2. Triple Digital Encryption Standard (3DES)
3. Blowfish
4. Digital Encryption Standard (DES)
5. International Data Encryption Algorithm (IDEA)

Question 3

Stream Cipher

Answer 3

A stream cipher is a symmetric key cipher (meaning the same key is used to encrypt and decrypt), where the plaintext data to be encrypted is done a bit at a time against the bits of the key stream, also called a cipher digit stream.

Question 4

Symmetric algorithm

Answer 4

Symmetric algorithm An encryption algorithm that uses the same key to encrypt the data and decrypt the data.

Question 5

Asymmetric algorithm

Answer 5

Asymmetric algorithm An encryption algorithm that uses two different keys—a public key and a private key. Together they make a key pair.

Question 6

Hashing

Answer 6

Hashing is a method used to verify data integrity. For example, you can verify the integrity of a downloaded software image file from Cisco, and then verify its integrity using a tool such as the verify md5 command

Question 7

Name 3 different Hash Algorithms

Answer 7

1. Message Digest 5 (MD5): This hash creates a 128-bit digest.
2. Secure Hash Algorithm 1 (SHA-1): This hash creates a 160-bit digest.
3. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.

Question 8

HMAC

Answer 8

Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, but kicks it up a notch. Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.

Question 9

What are three bennifits to digintal signatures?

Answer 9

1. Authentication
2. Data integrity
3. Nonrepudiation

Question 10

Digital certificates

Answer 10

Digital certificates can be used for clients who want to authenticate a web server to verify they are connected to the correct server using HTTP Secure (HTTPS), Transport Layer Security (TLS), or Secure Sockets Layer (SSL).

Question 11

CA

Answer 11

A certificate authority is a computer or entity that creates and issues digital certificates. Inside of a digital certificate is information about the identity of a device, such as its IP address, fully qualified domain name (FQDN), and the public key of that device.

Question 12

Root certificate

Answer 12

Root certificate A root certificate contains the public key of the CA server and the other details about the CA server.

Question 13

Identity certificate

Answer 13

Identity certificate An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).

Question 14

What are the relevant parts of a Certificate?

Answer 14

• Serial number: Issued and tracked by the CA that issued the certificate.
• Issuer: The CA that issued this certificate. (Even root certificates need to have their certificates issued from someone, perhaps even themselves.)
• Validity dates: The time window during which the certificate is considered valid. If a local computer believes the date to be off by a few years, that same PC may consider the certificate invalid due to its own error about the time. Using the Network Time Protocol (NTP) is a good idea to avoid this problem.
• Subject of the certificate: This includes the organizational unit (OU), organization (O), country (C), and other details commonly found in an X.500 structured directory. The subject of the root certificate is the CA itself. The subject for a client’s identity certificate is the client.
• Public key: The contents of the public key and the length of the key are often both shown. After all, the public key is public.
• Thumbprint algorithm and thumbprint: This is the hash for the certificate. On a new root certificate, you could use a phone to call and ask for the hash value and compare it to the hash value you see on the certificate. If it matches, you have just performed out-of-band verification (using the telephone) of the digital certificate.

Question 15

X.500

Answer 15

X.500 is a series of standards focused on directory services and how those directories are organized.

Question 16

X.500v3

Answer 16

X.509 Version 3 is a standard for digital certificates that is widely accepted and incorporates many of the same directory and naming standards. A common protocol used to perform lookups from a directory is the Lightweight Directory Access Protocol (LDAP).

Question 17

PKCS #10:

Answer 17

PKCS #10: This is a format of a certificate request sent to a CA that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate.

Question 18

PKCS #7:

Answer 18

PKCS #7: This is a format that can be used by a CA as a response to a PKCS #10 request. The response itself will very likely be the identity certificate (or certificates) that had been previously requested.

Question 19

PKCS #1

Answer 19

PKCS #1: The RSA cryptography standard.

Question 20

PKCS #12:

Answer 20

PKCS #12: A format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.

Question 21

PKCS #3

Answer 21

PKCS #3: Diffie-Hellman key exchange.

Question 22

CRL

Answer 22

Certificate revocation list (CRL): This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.

Question 23

OCSP

Answer 23

Online Certificate Status Protocol (OCSP): This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

Question 24

AAA

Answer 24

Authentication, authorization, and accounting (AAA): Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.

Question 25

IPsec

Answer 25

IPsec is a suite of protocols used to protect IP packets and has been around for decades. It is in use today for both remote-access VPNs and site-to-site VPNs. SSL is the new kid on the block in its application with remote-access VPNs. Let’s take a closer look at both these options.

Question 26

ESP and AH

Answer 26

ESP and AH: These are the two primary methods for implementing IPsec. ESP stands for Encapsulating Security Payload, which can perform all the features of IPsec, and AH stands for Authentication Header, which can do many parts of the IPsec objectives, except for the important one (the encryption of the data). For that reason, we do not frequently see AH being used.

Question 27

Encryption algorithms for confidentiality

Answer 27

Encryption algorithms for confidentiality: DES, 3DES, and AES.

Question 28

Hashing algorithms for integrity

Answer 28

Hashing algorithms for integrity: MD5 and SHA

Question 29

Authentication algorithms:

Answer 29

Authentication algorithms: Pre-shared keys (PSKs) and RSA digital

Question 30

Key management:

Answer 30

Key management: Examples of key management include Diffie-Hellman (DH), which can be used to dynamically generate symmetric keys to be used by symmetric algorithms; PKI, which supports the function of digital certificates issued by trusted CAs; and Internet Key Exchange (IKE), which does a lot of the negotiating and management needed for IPsec to operate.