Chapter 2: Public Key Infrastructure Flashcards
is an asymmetric encryption that has a Certificate Authority and the associated infrastructure to support issuing and managing certificates.
Public Key Infrastructure (PKI)
the ultimate authority as it holds the master key, also known as the root key, for signing all the certificates that it gives the Intermediary who issues the certificate to the requester.
Certificate Authority (CA)
internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night.
Online CA
is for a military or secure environment where clearance and vetting must be completed before someone can be issued with a certificate.
Offline CA
is also known as a third party CA and is commercially accepted as an authority for issuing public certificates; examples include Sectigo, Symantec, Go Daddy.
Public CA
can only be used internally. However, you must maintain the CA.
Private CA
validates and accepts the incoming requests for certificates from users on the network and notifies the CA to issue the certificates. The certificates that are used are known as X509 certificates.
Registration Authority (RA)
prevents the compromising of the CA and the issuing of fraudulent X509 certificates. It prevents SSL man in the middle attacks.
Certificate Pinning
in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.
Trust Anchor
proves the authenticity of a certificate
Trust Model
Type of Trust Model that uses hierarchy from the root CA down to the intermediary
Hierarchical Trust Model
peer to peer trust model where two separate PKI environments trust each other
Bridge Trust Model
this chain of trust is used to verify who the CA is. The chain normally has three layers: certificate vendor, the vendor's CA, and the computer where the certificate is installed.
Certificate Chaining
first stage in checking whether a certificate is valid. If the certificate is not valid it will be entered into the ____
Certificate Revocation List (CRL)
If the CRL is going slow, it is much faster than the CRL and can take the load from the CRL in a busy environment
Online Certificate Status Protocol (OCSP)
is used when a web server bypasses the CRL to use the OCSP for faster certificate validation.
OCSP Stapling/Certificate Stapling
This is the process of requesting a new certificate.
Certificate Signing Request (CSR)
holds the private keys for third parties and stores them in a Hardware
Key Escrow
is a device that can store digital keys. It could be as simple as an external hard drive.
Security Module
can be a piece of hardware attached to the server or a portable device that is attached to store the keys.
Hardware Security Module (HSM)
if a user cannot access their data because their private key is corrupted, the ____ will recover the data. The ____ needs to get a copy of the private key from the key escrow.
Data Recovery Agent (DRA)
the OID on a certificate is similar to a serial number on a banknote. Banknotes are identified by their serial number. The certificate is identified by the OID.
Object Identifier (OID)
moving a letter three places one way or another to encrypt
Substitution Cipher
variation of the Caesar cipher, rotating the letters 13 times.
ROT13
only uses one key, which is known as the secret key. The same key encrypts and decrypts the data. The risk is if the key is stolen the attacker gets the key to the kingdom.
Symmetric Encryption
Name all of the Symmetric Encryptions
DES 56 bit; 3DES 168 bit; AES 256 bit; Twofish 128 bit; Blowfish 64 bit
when symmetric data is in transit, it is protected by Diffie Hellman, whose main purpose is to create a secure tunnel for symmetric data to pass through. It does not encrypt the data but creates a secure tunnel.
Diffie Hellman (DH)
uses two keys, a private and public key. (PKI is an example of this)
Asymmetric Encryption
The first stage in digital signatures is to exchange public keys, the same principle as encryption. George wants to send Mary an email and he wants to ensure it has not been altered in transit. A digital signature uses the sender’s private key.
Digital Signature
comes in three key strengths: 128, 192, and 256.
-commonly used for L2TP/IPSec VPNs
(type of symmetric encryption)
Advanced Encryption Standard (AES)
groups data into 64 bit blocks, but for purpose of exam 56 bit.
-fastest but weakest
-could be used for L2TP/IPSec VPNs
(type of symmetric encryption)
Data Encryption Standard (DES)
applies the DES key three times and is said to be 168 bit key.
-could be used for L2TP/IPSec VPNs
(type of symmetric encryption)
Triple DES (3DES)
is 40 bits and is used by WEP
-seen as stream cipher
Rivest Cipher (RC4)
does not encrypt the session. It creates a secure session so that symmetric data can travel down
-creates the keys used in the Internet Key Exchange (IKE)
-uses UDP port 500 to set up secure sessions for L2TP/IPSec VPN
-once the secure tunnel has been created, the symmetrically encrypted data flows down the tunnel
-Type of Asymmetric Algorithm
Diffie Hellman (DH)
is named after the three people who invented the algorithm. The keys were first private and public key pairs.
-start at 1024, 2048, 3072, and 4096 bits.
-used for encryption and digital signatures
Rivest, Shamir, and Adleman (RSA)
keys are used for digital signatures
-start at 512 bits, but 1024 and 2048 bit keys are faster than RSA for digital signatures
Digital Signature Algorithm (DSA)
small, fast key that is used for encryption in small mobile devices.
-AES 256 is used in military mobile cell phones
-uses less processing than other encryptions
-type of asymmetric encryption
Elliptic Curve Cryptography (ECC)
short lived keys–used for a single session
ephemeral keys
used between two users to set up symmetric encryption and digital signature. For ____ to operate you need a private and public key pair.
Pretty Good Privacy (PGP)
uses a block cipher and encrypts large blocks of data much faster than the asymmetric technique
Symmetric Encryption
much more secure as it has two keys and uses DH to create a secure tunnel for the symmetric data.
Asymmetric Encryption
Difference Between Digital Signatures and Encryption
-Digital Signature verifies the identity of the sender. It provides authenticity, integrity, and non-repudiation.
*Used in document signing/email/legal compliance and electronic transactions
-Encryption provides confidentiality.
*used in areas like secure communication/data storage/financial transactions/safeguarding personal information
is a binary operand from Boolean algebra.
-Two bits that are the same: 0
-Two bits that are different: 1
-_____ is commonly used with AES
XOR Exclusive OR
is where you append a random set of characters to a password to increase the size of the password and its hash.
Key Stretching
is a technique where random characters are appended to a password before it is hashed. This makes the password longer; it is similar to key stretching and increases the compute time for brute force attacks
Salting Passwords
method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream one bit at a time. It is normally used by asymmetric encryption.
Stream Cipher
where a block of data is taken and then encrypted; for example 128 bits of data may be encrypted at a time. It is used by symmetric encryption with the exception of RC4.
Block Cipher
this is a random value used as a secret key for data encryption. This number, also called a nonce, is employed only one time in any session.
Initialization Vector (IV)
turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter rather than an IV.
Counter Mode (CTR)
is a one-way function that turns a file or string of text into a unique digest of the message.
-(SHA1), SHA2, SHA3, and MD5
Hashing
is data that is not being used and is stored either on a hard drive or external storage.
Data at Rest
when purchasing items, we use TLS, SSL, or HTTPS to encrypt the session before we enter the credit card details.
Data in Transit/Motion
when we launch an application such as Word, we are not running the data from the disk drive but running the application in the RAM; this is volatile memory, meaning when you power down the computer the contents are erased.
Data in Use/Processing
could use BitLocker to encrypt a whole drive. A desktop or laptop would need a Trusted Platform Module chip built into the motherboard to protect encryption keys
-Tablets and phones will need full disk encryption to encrypt the device
-USB or Removable Drive: we can use FDE
Full Disk Encryption (FDE)
the process where you take the source code and make it look obscure, so that if it is stolen, it would not be understood.
Obfuscation
where a document, image, audio file, or video file can be hidden inside another document image. The document image or file will be larger and images will have lower resolution.
Steganography
technique where you can change one character of the input, which will change multiple bits of the output.
Diffusion