Chapter 2: Implementing Public Key Infrastructure

Question 1

This is an asymmetric encryption that has a Certificate Authority and the infrastructure to help with issuing and managing certificates.

Answer 1

Public Key Infrastructure (PKI)

Question 2

PKI has two different keys; hence why it is an asymmetric encryption. It also has a certificate hierarchy, called the Certificate Authority, that manages, issues, validates, and revokes certificates.

Answer 2

PKI Concepts

Question 3

It is the ultimate authority as it has the master key, or root key, for signing all certificates.

Answer 3

Certificate Authority

Question 4

The certificate authority gives signed certificates to the _____ who then turns around and issues the certificate to the requester.

Answer 4

Intermediary

Question 5

Always up and running so that people in the company can request a certificate and any time. This would not be allowed in a government or top-security environment.

Answer 5

Online CA

Question 6

This tends to be in a military or top-secret environment where the clearance and vetting must be completed first before even requesting a certificate. Turned

Answer 6

Offline CA

Question 7

Also known as a third-party CA and is the commercially accepted as an authority for issuing public certificates.
The benefit of using a third-party CA is that all of the management is handled by them; so all you have to do is purchase the service and download it.

Answer 7

Public CA

Question 8

This list allows you to check whether or not your certificate is valid. A certificate that is not valid will not work if you were trying to sell goods to other companies; this is known as a B2B transaction and it needs a public certificate.

Answer 8

Certificate Revocation List

Question 9

This certificate can only be used internally. Even though it is free; you must maintain the certificate and that can require a skill set from your company.

Answer 9

Private CA

Question 10

This authority validates and accepts the incoming requests from certificates from users an then notifies the CA to issue the certificates. These issued certificates are known as X509 certificates.

Answer 10

Registration Authority

Question 11

It could be the RA that issues the certificates to users. Subordinate CA could also be called an intermediary.

Answer 11

Subordinate CA

Question 12

This prevents the compromising of a CA and the issuing of fraudulent X509 certificates. It also prevents SSL man-in-the-middle attacks.

Answer 12

Certificate Pinning

Question 13

This type of certificate trust model in a PKI environment is the root certificate or master key that the whole chain of trust is derived from; this is the root CA.

Answer 13

Trust Anchor

Question 14

Comprised of two trust models:
Hierarchical Trust Model
Bridge Trust Model

This proves the authenticity of a certificate.

Answer 14

Trust Model

Question 15

This uses the hierarchy of the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model.

Answer 15

Hierarchical Trust Model

Question 16

This type of trust is peer-to-peer, where two separate PKI environments trust each other. The CAs communicate with each other, and allow for cross certification.

Answer 16

Bridge Trust Model

Question 17

The chain of trust uses the CRL to verify the validity of a certificate. It normally consists of three layers, the certificate vendor, the vendor’s CA, and the computer where the certificate is installed.

Answer 17

Certificate Chaining

Question 18

Every time a certificate is used, it must be checked for validity.
It goes through usually three checkpoints:
Certificate Revocation List

Online Certificate Status Protocol(OCSP)

OCSP Stapling/Certificate Stapling

Certificate validity can only be done by the CRL or OCSP. OCSP is used only when the CRL is going slow or had been replaced by the OCSP

Answer 18

Certificate Validity

Question 19

This is the process of requesting a new certificate.

Answer 19

Certificate Signing Request(CSR)

Question 20

This holds the private keys for third parties and stores them in a Hardware Security Module.

Answer 20

Key Escrow

Question 21

Can either be a piece of hardware that is attached to a server or a portable device that holds onto the keys. It stores and manages certificates.

Answer 21

Hardware Security Module (HSM)

Question 22

If the user cannot access their data or their private key is corrupted, this helps recover the data. This needs to get the private key from the key escrow.

Answer 22

Data Recovery Agent(DRA)

Question 23

Two main types:
public key
private key

Answer 23

Certificates

Question 24

This key is sent to third parties to encrypt the data.

Answer 24

public key

Question 25

This key will decrypt the data.

Answer 25

private key

Question 26

The certificate is identified by its OID.

Answer 26

Object Identifier (OID)

Question 27

Self-signed Certificates
Wildcard
Domain Validation
Subject Alternate Name
Code Signing
Computer/Machine
User
Extended Validation

Answer 27

Types of Certificates

Question 28

This type of certificate is issued by the same entity that is using it. It doesn’t contain a CRL and it cannot be validated or trusted.

Answer 28

Self-Signing Certificate

Question 29

this type of certificate works for domains and subdomains. For example: securityplus.training has a web server and mail server. Using *.securityplus.training would take the place of a web.securityplus.training, and mail.securityplus.training so that the FQDN works for both.

Answer 29

Wildcard

Question 30

This type of certificate is equivalent to an X509 certificate that proves the ownership of a domain name.

Answer 30

Domain Validation

Question 31

This type of certificate can be used on multiple domain names, and you can also insert other information into an SAN certificate like an IP address.

Answer 31

Subject Alternate Name(SAN)

Question 32

This type of certificate is used to digitally sign software so that is guarantees authenticity.

Answer 32

Code Signing

Question 33

This type of certificate can be used to identify a computer on the domain.

Answer 33

Computer/Machine

Question 34

Proves authenticity of a user for the applications that they use.

Answer 34

User

Question 35

This type of certificate provides a higher level of trust in identifying the entity that is using the certificate. This is normally seen in the financial arena. Companies applying for this certification have to provide more information about their company.

Answer 35

Extended Validation

Question 36

(TIP)A wildcard certificate can be installed on multiple facing websites as a cheaper option. A self-signed certificate can be installed on internal face websites as a cheaper option.

Answer 36

TIP

Question 37

It is a type of cypher that has uses a substitution method that switches out messages for other images, letter, etc to maintain cryptography.

Answer 37

Substitution Cypher

Question 38

Type of rotation that moves the letter 13 places and uses the new letter.

Answer 38

ROT 13

Question 39

This type of encryption uses one key. It will use a private or shared key. This private key will encrypt or decrypt the data. The main reason for using this type of encryption is that it can encrypt large amounts of data very quickly. This encryption is either DES 56 bit, 3DES 168 bit, AES 256 bit, Twofish 128 bit, and Blowfish 64 bit. The smaller the key, the faster it is, but the bigger the key, the more secure it is. Uses block cypher to transfer data faster.

Answer 39

Symmetric Encryption

Question 40

This tunnel protects symmetric data when it is in transit. Its main purpose is to create a secure tunnel for symmetric data to pass through. It doesn’t encrypt data but creates a more secure tunnel.

Answer 40

Diffie Hellman(DH)

Question 41

This type of encryption uses two keys– a public key and a private key– it is also known as the PKI since it is complete with a CA and intermediary authorities.

Answer 41

Asymmetric Encryption

Question 42

TIP

Your private key, or a key pair, is never installed on another server. You always retain the private key just like your bank card. You give the public key away or install on another server.

Answer 42

Tip

Question 43

TIP

Encryption uses the recipients’ public key, where a digital signature used the sender’s private key.

Answer 43

TIP

Question 44

This symmetric algorithm comes in three strengths: 128-,192-, and 256-bits. It is commonly used for L2TP/IPSec VPNs.

Answer 44

Advanced Encryption Standard (AES)

Question 45

this symmetric algorithm groups data into 64-bit blocks, but for the purpose of the exam, it is seen as a 56-bit key, which makes it the fastest but weakest of the symmetric algorithms. This can be used for L2TP/IPSec VPNs, but it is weaker than AES.

Answer 45

Data Encryption Standard (DES)

Question 46

This symmetric algorithm applies the DES three times to make it a 168-bit key. It may also be used for L2TP/IPSec VPNs, but is still weaker than AES.

Answer 46

Triple DES (3DES)

Question 47

This symmetric algorithm is 40-bits long and is used by WEP. It is seen as a stream cipher.

Answer 47

Rivest Cipher 4 (RC4)

Question 48

This symmetric algorithm is a 64-bit key. It is faster than Twofish and it was originally designed for encryption with embedded systems.

Answer 48

Blowfish

Question 49

This symmetric algorithm is a 128-bit key. It is slower than Blowfish, but stronger. It was originally used for encryption with embedded systems.

Answer 49

Twofish

Question 50

This Asymmetric algorithm does not encrypt the data. Its main purpose is to establish a secure session so that symmetric data can travel through it. More like a tunneling protocol in a way. Keys are created in the Internet Key Exchange on UDP port 500 to set up the secure session for the L2TP/IPSec VPNs.

Answer 50

Diffie Hellman (DH)

Question 51

Used for a Diffie Hellman handshake; DH creates keys inside of this exchange.

Answer 51

Internet Key Exchange

Question 52

This asymmetric algorithm was named after the three people that designed it. The keys here were the first public and private key pairs and they start at 1,024-bit, 2,046-bit, 3,072-bit, and 4096-bits. They are used for digital signatures and encryption.

Answer 52

Rivest, Shamir, and Adelman (RSA)

Question 53

This asymmetric algorithm are sued for digital signatures; they start at 512-bits, but their 1,024-bit and 2,026-bit keys are faster than RSA for digital signatures.

Answer 53

Digital Signature Algorithm (DSA)

Question 54

This asymmetric algorithm is a small, but fast key that is used in small mobile devices. However, AES-256 is used in military-grade mobile cell phones. It uses less processing power than other encryptions listed.

Answer 54

Elliptic Curve Cryptography (ECC)

Question 55

This asymmetric algorithm is a short-lived key. It is used for a single session. and there are two of them:

Diffie Hellman Ephemeral(DHE)

Elliptic Curve Diffie Hellman Ephemeral (ECDHE)

Answer 55

Ephemeral Keys

Question 56

This asymmetric algorithm is used between two users for both asymmetric encryption and digital signatures. For this algorithm to work, you’ll need a private key and a public key. The first stage is to exchange the keys. It uses RSA keys.

Answer 56

Pretty Good Privacy (PGP)

Question 57

This asymmetric algorithm is the free version of OpenPGP; it is also known as PGP. It also uses RSA keys.

Answer 57

GnuPG

Question 58

(TIP)PGP is used for encryption between two people. S/MIME is used for digital signatures between two people.

Answer 58

TIP

Question 59

This key stretching algorithm is a password-hashing algorithm based on the blowfish cipher. It is used to salt the passwords. A random string is appended to the password to increase the password length to help increase the compute time for a brute-force attack.

Answer 59

BCRYPT

Question 60

This key stretching algorithm stores passwords with a random salt and with the password hash using HMAC. It then iterates, which forces the regeneration of every password and prevents any rainbow table attack.

Answer 60

PBKDF2

Question 61

(TIP)Symmetric encryption is used to encrypt large amounts of data as they have small, fast keys and use block ciphers.

Answer 61

TIP

Question 62

This cipher mode is a method of encrypting text (this produces ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. It is normally used by an asymmetric encryption.

Answer 62

Stream Cipher

Question 63

This cipher method is where blocks of data is taken and then encrypted; for example, 128 bits of data may be ciphered at a time. This is the more popular method today and it is much faster than a stream cipher. It is used with a symmetric encryption with the exception of RC4.

Answer 63

Block Cipher

Question 64

This mode of operation uses a random value as a secret key for data encryption. This secret number, also called a nonce, is used only time in any session. It is usually about the same size as the length of an encryption key or the block of the cipher in use. This mode of operation, it is known as a starter variable.

Answer 64

Initialization Vector (IV)

Question 65

Used as a secret key for the encryption and is used only one time in any session.

Answer 65

nonce

Question 66

This mode of operation adds XOR to each of the plaintext block from the ciphertext block that was previously produced. The first plaintext block has an IV that you XOR, and you then encrypt that block of plaintext. The next block of plaintext before you encrypt this block. When decrypting a ciphertext block, you need the XOR from the previous ciphertext block. If you are missing any blocks, then the decryption cannot be done.

Answer 66

Cipher Block Chaining (CBC)

Question 67

This mode of operation replaces each block of the clear text with the block of ciphertext. The same plaintext will result in the same ciphertext. The blocks are independent from the other blocks. CBC is much more secure.

Answer 67

Electronic Code Book(ECB)

Question 68

This mode of operation is a block cipher mode of operation that uses universal hashing over binary Galois field to provide authenticated encryption. It can be implemented in hardware and software to achieve high speeds with low cost and low latency.

Answer 68

Galois/Counter Mode (GCM)

Question 69

This mode of operation turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a counter rather than an IV.

Answer 69

Counter Mode (CTR)

Question 70

Quantum computing uses qubits, which can be switched on or off at the same time for somewhere in between.

Answer 70

superposition

Question 71

For the purpose of the security plus exam, hashing is a one-way function cannot be reversed.

Answer 71

One-Way Function (Hashing)

Question 72

This is a 128-bit hashing function. It has since been replaced by a 160-256-and 320 version. For the purpose of the exam, just know that it hashes data.

Answer 72

RIPEMD

Question 73

This service provider provides support for the AES algorithm.

Answer 73

Microsoft AES Cryptographic Provider

Question 74

This supports hashing and data signing with DSS and key exchanging for DH.

Answer 74

Microsoft DDS and DH/Channel Cryptographic

Question 75

This type of data is data not being used and is stored either on a hard drive or external storage.

Desktops and laptops: Can use bitlocker, with is known by the exam as Full disk encryption. These devices would need a TPM chip built into the MoBo. Data Loss Prevention is used to guard against data being stolen via USB.

Tablets/Phones/USB or removable Drive: Will need Full Device Encryption to stop data being stolen.

Answer 75

Data-at-Rest

Question 76

DLP works on a regular expression or a pattern match. Once that value has been matched, the data is blocked.

Answer 76

Data Loss Prevention

Question 77

This type of data is used when purchasing items, TLS, SSL, HTTPS to encrypt the session before we enter the credit card information. If we are remote users, we would use we would use a
VPN to tunnel into the workplace to access the data. TLS is normally used to encrypt emails as they travel between mail servers.

Answer 77

Data-in-Transit

Question 78

When we use memory on a device, it is in random access memory or a faster block of memory called the CPU cache. We can protect this data by using full memory encryption.

Answer 78

Data-in-Use

Question 79

The process where you take source code and make it look obscure, so that if it is stolen, it would not be understood. It is used to mask data.

Answer 79

Obfuscation

Question 80

It is an algorithm that uses mathematical formulas to produce sequences of random numbers. These random numbers can be used when generating data encryption keys.

Answer 80

Pseudo-Random Number Generator (PRNG)

Question 81

It doesn’t link the session key to the server’s private key. Therefore, even if a VPN server is compromised, the attacker cannot use the Servers private key to decrypt the session.

Answer 81

Perfect Forward Secrecy

Question 82

This Attack happens when an attacker tries to match the hash; if the hash is matched, it is known as a collision, and this could compromise systems.

Answer 82

Collision

Question 83

This is where a document, image, audio file, or video file can be hidden in another document, image, audio file, or video file.

Answer 83

Steganography

Question 84

allows an accountant to run calculations against data while it is still encrypted and could be used with data in the cloud.

Answer 84

Homomorphic Encryption

Question 85

This is a technique where you change one character of the input, which will ultimately change multiple bits of the output.

Answer 85

Diffusion

Question 86

(TIP)We should not be using a key of fewer than 2046 bits as this is too insecure.

Answer 86

TIP

Question 87

(TIP)When people access a company’s network from a remote location, they should use a L2TP/IPSec VPN tunnel, using AES as the encryption method to create a secure tunnel across the network and to prevent a man-in-the-middle attack. Encryption should be coupled with mandatory access control to ensure the data is secure and kept confidential.

Answer 87

TIP

Question 88

(TIP)

Two reasons for integrity:
Hashing to ensure the beginning hash and the ending hash is not tampered with and can be used as admissible data.

Another is digitally signing your emails to ensure that they have not been tampered with during the transit stage.

Answer 88

TIP

Question 89

When you digitally sign an email, you cannot deny that it is from you. This causes it to be legally binding.

Answer 89

Non-Repudiation

Question 90

These devices will need to use an ECC for encryption because they do not have the processing power for conventional encryption.

Answer 90

Internet of Things (IOT) Devices

Question 91

(TIP)

We should be using at least a two factor authentication. Installing a RADIUS server adds an additional layer to authentication to ensure that authentication from the endpoints is more secure.

Answer 91

TIP