Chapter 3: Encryption and Related Technologies Flashcards

Question 1

Q

What is homomorphic encryption?

Answer

A

Allows encrypted information to be manipulated without decrypting it first (data in use)

Question 2

Q

What is multiparty computation?

Answer

A

Allows two or more computers to participate in a computation and compute a mathematical result without otherwise revealing private information

Question 3

Q

What does the term encrypt mean?

Answer

A

To convert information or data into a cypher or code

Question 4

Q

What is a cypher?

Answer

A

Mathematical transformations of data, in which data is scrambled according to some kind of function

Question 5

Q

What is a code?

Answer

A

Transformations that typically involve a one-to-one replacement of a word, letter, figure or symbol with another word, letter, figure or symbol

Question 6

Q

What is the difference between plaintext and cyphertext?

Answer

A

Plaintext - clear and readable text

Cyphertext - the encrypted message

Question 7

Q

What is the work factor?

Answer

A

The amount of effort that an adversary needs to expend to decrypt a message

Question 8

Q

What is threat modeling?

Answer

A

Understanding the adversary the system has been designed to protect against, the capabilities that adversary has, and the likely forms of attack the system may experience

Question 9

Q

What is a cryptographic system?

Answer

A

Collection of cryptographic algorithms, protocols, software and other items that use cryptography to achieve information security goals

Question 10

Q

What factors can cause cryptographic implementation flaws?

Answer

A

Bugs - Implementation errors
Back doors - Flaws that have been deliberately placed in a product for later exploitation
Weaknesses - Mathematical vulnerabilities that are unknown when they are developed and deployed but are later discovered
Obsolescence - Erosion over time

Question 11

Q

Why is entropy important?

Answer

A

Merely encrypting with an algorithm and a key is not sufficient to ensure security. It is also necessary to use randomness, also called entropy, so that an attacker observing the output of an encryption system cannot determine if the same message is encrypted a second time

Question 12

Q

Where must entropy be applied in modern cryptographic systems?

Answer

A

Both in creating keys and encrypting messages

Question 13

Q

List the 2 kinds of encryption algorithms

Answer

A

Secret key algorithms (aka symmetric)

Public key algorithms (aka asymmetric)

Question 14

Q

What is a symmetric or secret key algorithm?

Answer

A

Uses the same key to encrypt and decrypt the plaintext

Question 15

Q

What is an asymmetric or public key algorithm?

Answer

A

Designed so that the plaintext can be encrypted using only public information, but decrypting the cyphertext requires the use of private information

Question 16

Q

Is RSA a symmetric or asymmetric algorithm?

Answer

A

Asymmetric

Question 17

Q

What is the most common symmetric algorithm in use today?

Answer

A

AES - typically used with 128 or 256 bit keys

Question 18

Q

What is a brute force attack?

Answer

A

Try every possible key

Question 19

Q

What is another name for a brute force attack?

Answer

A

Key search attack

Question 20

Q

What technology will theoretically be capable of breaking 128-bit AES with relative ease?

Answer

A

A sufficiently large quantum computer

Though it is believes that it will not have the ability to crack AES-256 in any reasonable amount of time

Question 21

Q

Why is it a bad idea to develop your own encryption algorithm?

Answer

A

Secret algorithms are typically weaker because they have not been as widely tested
It is also difficult to understand the risk of using such an algorithm

Question 22

Q

What are the differences between a cryptographic key and a password?

Answer

A

With a cryptographic key
• Information must be mathematically transformed
• Does not decide whether or not to grant access
• Cannot be reset if the key is lost
• To change the key you have to decrypt then re-encrypt the information

With a password
• Access to the controlled information is mediated by a program
• Because the program is making decisions, it can be manipulated by other factors (ex. the system allows access without a password Thursdays at 5)
• Software accessed confidential parts of the program even when a password is not provided

Question 23

Q

Which private key algorithm was published by the US government in their Federal Information Processing Standard (FIPS) in 1977?

Answer

A

Data Encryption Standard (DES)

Question 24

Q

A public demonstration in 1998 showed that DES could be broken, what was the solution?

Answer

A

Encrypting a message with DES three time over, each time with a different key (a technique called triple DES or 3DES)

Question 25

Q

Why was cryptography not widely used until the rise of e-commerce in the 1990s?

Answer

A

Lack of workable public key cryptography
Export controls - government restricted the export of any computer technology that could perform cryptography
CPU speed

Question 26

Q

Which browser first incorporated transparent cryptography in 1995?

Answer

A

Netscape Navigator

Question 27

Q

What encryption protocol do web browsers use to automatically encrypt information as it travels between browser and web server?

Answer

A

Secure Socket Layer (SSL) - later renamed to Transport Layer Security (TLS)
Often called SSL/TLS today

Question 28

Q

What is a pluggable cryptographic protocol?

Answer

A

The single protocol supports the use of multiple hash functions and ciphers

Question 29

Q

How does TLS determine which algorithm to use?

Answer

A

TLS client connects to a TLS server, the two negotiate the most secure version of each algorithm from the set of algorithms that each implement

Question 30

Q

What does TLS not protect?

Answer

A

Knowing how much data is exchanged and what the endpoints are
Knowing that data is being exchanged at all
TLS provides neither anonymity or stealth

Question 31

Q

To achieve anonymity, it is necessary to hide one’s traffic within a crowd, which systems can do this?

Answer

A

Proxies and mix networks, also called onion routing networks

Question 32

Q

How do systems such as onion routing networks work?

Answer

A

Combine traffic from multiple computers into a single channel that is sent between multiple computers and then separating out the traffic again

Question 33

Q

How does the onion router (Tor) work?

Answer

A

Uses a sophisticated system that relies on multiple layers of encryption and sends every users’ traffic to at least three different computers in sequence, so that not even the nodes of the mix network know with whom the users are communicating

Question 34

Q

To offer stealth, it is necessary to masquerade one’s traffic so that it cannot be observed, how can this be done?

Answer

A

By hiding the traffic using a masking protocol or using steganography

Question 35

Q

TLS works at the transport layer, some internet telephone protocols use encryption at which layer?

Answer

A

Application layer

Question 36

Q

Which wireless network protocols have encryption built in?

Answer

A

802.11 WPA and WPA2

Question 37

Q

Which 2 approaches are commonly used to encrypt data at rest?

Answer

A

Application level encryption

Device level encryption

Question 38

Q

Application level encryption is also known as…

Answer

A

File-level or document-level encryption

Question 39

Q

Where is device-level encryption is applied?

Answer

A

It is built into the computer’s storage subsystem and performs encryption on a block-by-block basis

Question 40

Q

List the 3 approaches for working with encrypted data

Answer

A

Secure enclaves
Homomorphic encryption
Multiparty computation

Question 41

Q

What are secure enclaves?

Answer

A

They rely on modifications to the microprocessor to provide security
Some of these systems rely on curtained memory, which prevents the microprocessor from accessing the memory where the secure application is running
Another approach uses specialized hardware within the microprocessor to automatically encrypt memory as it is written and decrypt it as it is read

Question 42

Q

What is homomorphic encryption?

Answer

A

A collection of mathematical techniques for working with encrypted data

Question 43

Q

What is multiparty computation?

Answer

A

Multiparty computation is a class of algorithms that allows programs running on different computers to participate in computations such that results can be computed without compromising each party’s private data

Question 44

Q

What are digital signatures?

Answer

A

Using encryption to certify that a document has not been modified since some time in the past

Question 45

Q

What 2 kinds of cryptographic quantum technology have already been demonstrated in the laboratory?

Answer

A

Quantum computers

Quantum key distribution (QKD)

Question 46

Q

What is quantum key distribution (QKD)?

Answer

A

Approach for distributing an encryption key to two endpoints so that it is physically impossible (according to our understanding of physics) for a third party to get a copy of the key

Question 47

Q

List the 2 kinds of secret key algorithms

Answer

A

Stream ciphers

Block ciphers

Question 48

Q

What are stream ciphers?

Answer

A

Encryption algorithms that transform one byte of data at a time
The RC4 algorithm was widely used in the 1990s with the Netscape SSL protocol and is still somewhat used today, although its popularity is waning

Question 49

Q

What are block ciphers?

Answer

A

Transform a small block of data at one time, typically 16, 32 or 64 bytes
Both DES and AES are block ciphers

Question 50

Q

Which 2 mathematical functions are ciphers based on?

Answer

A

Substitution

Transposition

Question 51

Q

What is substitution in encryption?

Answer

A

Substitutes one pattern for another according to a code book

Question 52

Q

What is transposition in encryption?

Answer

A

Scrambling the bits within a set of bytes

Question 53

Q

Traditionally, do steam ciphers use substitution or transposition?

Answer

A

Substitution

Question 54

Q

Traditionally, do block ciphers use substitution or transposition?

Question 55

Q

Which is generally considered safer, stream ciphers or block ciphers? Why?

Answer

A

Because stream ciphers typically only use substitution and block ciphers use both substitution and transposition, block ciphers are somewhat more secure

Question 56

Q

What is the drawback of block ciphers versus stream ciphers?

Answer

A

Block ciphers are generally slower because they perform both substitution and transposition
Though today’s computer are fast enough to allow stream ciphers to be used as block ciphers and vice versa in the majority of applications

Question 57

Q

Which algorithm was adopted by the US government in 2001?

Question 58

Q

What weaknesses does AES have?

Answer

A

Currently regarded as containing no significant algorithmic weaknesses

Question 59

Q

How does AES work?

Answer

A

Consists of an inner mathematical operations that is repeated
AES-128 repeats this function 10 times and is said to have 10 rounds
AES-192 has 12 rounds
AES-256 has 14 rounds
Each round makes it harder to decrypt

Question 60

Q

Which encryption algorithm has the US National Security Agency (NSA) for top secret information?

Answer

A

AES-256 (but not AES-128)

Question 61

Q

Why do some organizations use triple DES over AES?

Answer

A

They believe it is more thoroughly understood than AES

Question 62

Q

Which algorithm was developed by the Chinese government?

Question 63

Q

What are lightweight encryption algorithms?

Answer

A

Algorithms designed to encrypt small amounts of data - just a few bytes - or that must run in low-powered environments

Question 64

Q

List 2 examples of lightweight encryption algorithms

Answer

A

SIMON and SPECK, both developed by the NSA

Answer 62

A

The process of trying to decipher an encrypted message without knowing the key

Answer 63

A

Analyzing individual mathematical operations that create the encryption algorithm and correlating many applications of the algorithm over a large set of data

Answer 64

A

Known ciphertext attack
Known plaintext attack
Chosen plaintext attack
Differential cryptanalysis
Related key attack

Answer 65

A

Given a ciphertext C, the attacker can determine the plaintext P

Answer 66

A

Given a plaintext P and a ciphertext C, the attacker can determine the encryption key K

Answer 67

A

Given a plaintext P of the attacker’s choosing and the encrypted ciphertext C of that message, the attacker can determine the encryption key K

Answer 68

A

Given a number of similar plaintext messages P1 through PN and the corresponding ciphertext messages C1 through CN, the attacker can determine encryption key K

Answer 69

A

Given a number of related keys and a collection of ciphertext encrypted with each key, it is possible to learn some or all of the keys, and therefore decrypt some or all of the ciphertext

Answer 70

A

The change to the substitution boxes that NSA had applied to the original 128-bit algorithm submitted by IBM had made the algorithm stronger

Answer 71

A

It could be brute-forced by Deep Crack (a million-dollar special-purpose computer created for the purpose of demonstrating the weakness of the algorithm

Answer 72

A

A microchip with encryption embedded, developed by the US government in the mid-1990s

Answer 73

A

Featured a mandatory key escrow that would have let the U.S. government decode Clipper-encoded messages with a valid court order
Hardware vendors did not want to accept the additional costs and manufacturing complexities of adding a U.S. government chip to their products
Organizations that needed more than 56 bits of security but still wished to follow government standards could simply use triple DES or 3DES

Answer 74

A

DES
3DES (triple DES)
RC4
AES

Answer 75

A

Block cipher

Answer 76

A

Block cipher

Answer 77

A

Stream cipher

Answer 78

A

Block cipher

Answer 79

A

40-2048 bits

Answer 80

A

128, 192 or 256 bits

Answer 81

A

8 bits (1 byte)

Answer 82

A

Not secure; do not use

Answer 83

A

Secure but slow; not widely used

Answer 84

A

Was widely used in SSL and WEP; increasingly deprecated

Answer 85

A

Widely used; generally thought to be secure

Answer 86

A

Techniques for combining repeated invocations of block algorithms so that they can be used on more data

Answer 87

A

Electronic codebook (ECB)
Cipher block chaining (CBC)
Counter mode (CTR)
Authenticated encryption (AE)

Answer 88

A

Simplest
Least secure
Uses the same key for each block of data

Answer 89

A

Encrypting each block as a function of the block’s plaintext and the previous block’s cyphertext
Same block of plaintext will be encrypted differently each time
Because the first block of the message doesn’t have a previous block, it is encrypted by combining the plaintext and a randomly generated block of data called the initialization vector (IV)
Must begin decrypting from the first block in the sequence

Answer 90

A

Similar to CBC, except that the IV is replaced with a counter
Possible to start decrypting at any point in the encrypted data
Popular choice for disk encryption algorithms
Errors in the cipher text do not propagate, and CTR encryption and decryption can be parallelized
Despite these advantages, not widely used

Answer 91

A

Family of modes that provide for both confidentiality and authentication
Rely on additional information that is injected into the ciphertext so that the decrypting program can verify that decryption was performed using the correct key
Authenticated encryption modes have been patented and, as a result, they are not widely used

Answer 92

A

Truly random

Used as infrequently as possible (ideally just to protect a single message)

Answer 93

A

Many microprocessors have a hardware random number generator that acquire entropy from thermal noise

Answer 94

A

Documents with passwords
Block-level disk encryption
Persistent VPNs
TLS
Wireless networks
Encrypted databases
Cryptographic erasure and retention rules
Secret sharing

Answer 95

A

One of the most common uses

Microsoft and Adobe use it

Answer 96

A

At the driver layer, separately encrypting each disk sector

Typically use a variant of counter mode so that any disk block can be decrypted without decrypting the adjacent block

Answer 97

A

System administrator would create a random encryption key and program it into all systems that require access to the VPN

Answer 98

A

After a cryptographic session is established using asymmetric cryptography, symmetric encryption algorithms are used for bulk data encryption

Answer 99

A

WPA2 encryption system requires that all units be programmed with the same passphrase or key
This passphrase or key is then used to derive a specific symmetric encryption key used to secure data sent over the wireless network

Answer 100

A

The entire database file can be encrypted with a single key; individual rows or columns can be encrypted; rows, columns or cells can be encrypted with keys stored in other rows, columns or cells; the database can be encrypted but the index left unencrypted to allow for rapid searching; and so on

Answer 101

A

If the drive is encrypted with a key, the entire contents of the hard drive can be rendered indecipherable by erasing the key

Answer 102

A

A single document can be encrypted with a single key that is then split into multiple shares using a mathematical approach called secret sharing
For example, if an organization has seven auditors, the key could be split so that any three auditors, working together, can recover the encrypted data

Answer 103

A

Fast mathematical functions that take an input of any length and produce a small output (typically 16-64 characters) that looks random

Answer 104

A

The output cannot be predicted from the input without running the algorithm
Changing any bit in the input will change, on average, half of the bits in the output

Answer 105

A

Different hash functions will produce different outputs for the same document, so in addition to knowing a document’s hash, it is important to know the algorithm that was used to produce the hash. Some hash functions can also be keyed, so that the document’s cryptographic hash depends on the algorithm, the document and the key.
Even though no two people have been found to have the same fingerprints, it is possible for many different documents to have the same hash value
People’s fingerprints change over time and each set of fingerprints from the same individual is slightly different. Human fingerprints must be matched with a comparison function that allows for slight variations. Cryptographic hashes, by contrast, are precisely matched bit for bit.
Latent prints left at the scene of a crime are typically partial prints and can sometimes match many different people. Only an expert can determine whether or not two prints actually match. File hashes, on the other hand, are always complete and can be matched by anyone, or any program—no special training is required.

Answer 106

A

Multiple documents having the same hash value

They are the mark of a hash that is no longer secure

Answer 107

A

Digital signatures combine hash functions with public key cryptography in a way that makes it possible to certify that a document has not been changed since it was digitally signed

Answer 108

A

MD5
SHA-1
SHA-256
SHA-384
SHA-512
SHA3-224
SHA3-256
SHA3-384
SHA3-512

Answer 109

A

Deprecated; should not be used in applications that require confidentiality or integrity

Answer 110

A

Being phased out; should not be used for new applications

Answer 111

A

Widely used

Answer 112

A

Chosen by NIST through an open competition in 2013; significantly slower than SHA-256 without hardware support

Answer 113

A

Converting pass phrases to cryptographic keys
Identifying versions of documents
Digitally signing documents

Answer 114

A

Attackers have compiled lists of billions of hashes of popular passwords and passphrases

Answer 115

A

Combine the provided passphrase and a random number, called a nonce, and to hash the two together many thousands of times

Answer 116

A

Asymmetric

Answer 117

A

Asymmetric - symmetric keys are simply random collections of bits, while asymmetric keys are numbers with specific mathematical properties
Public keys (asymmetric) are public, so an attacker who is targeting a public key system can create any number of chosen plaintext/ciphertext pairs

Answer 118

A

RSA
The Digital Signature Algorithm (FIPS-186)
Elliptic Curve Cryptography

Answer 119

A

Relies on the fact that it is easy to multiply two prime numbers together to create a composite, but it is relatively difficult to take a composite number and decompose it into its prime factors
Private and public keys are interchangeable; that is, messages encrypted with the RSA public key can be decrypted with the private key, and messages encrypted with the private key can be decrypted with the public key
Can be used both for message secrecy and for digital signatures

Answer 120

A

Public key algorithm created by the U.S. government in the 1990s as an alternative to RSA
Was not covered by the RSA patent
Could be used for digital signature but not for encryption
Required significantly more computational effort to verify signatures than does RSA

Answer 121

A

Both the RSA and DSA algorithms make use of mathematical properties that arise from performing mathematics
It is possible to perform the same kinds of operations in a different kind of mathematical range called an elliptic curve
Has the advantage of making it dramatically harder to factor numbers and, thus, crack a public key
Public key cryptography performed in elliptic curves can achieve the same security with much smaller keys, making the resulting cryptography faster and more energy efficient

Answer 122

A

Even though they work, they do not provide compelling advantages compared to existing standards, and their lack of widespread adoption means that any implementations are more likely to have significant security vulnerabilities

Answer 123

A

Certify that a document has not been modified
Physical signatures can be forged
You can’t lift a digital signature and put it on another document
Digital signatures can be stores separately from the document

Answer 124

A

Integrity - they certify that a document has not been modified

Answer 125

A

Non-repudiation is the assurance that someone cannot deny the validity of something

Answer 126

A

The only way to dispute the authenticity of a digital signature is by making a claim that the private key was compromised or by asserting the digital signature scheme it itself mathematically broken

Answer 127

A

The document is stored separate from the signature
Commitments can be used to implement closed-bid auctions in a manner that not even the auctioneer knows the identities of the bidders

Answer 128

A

By combining 2 mathematical techniques:
• A program first computes a hash value
• It then encrypts the hash value with an asymmetric signing key

Answer 129

A

The signature is decrypted with the verification key (the public key)
The document is hashed and that value is compared to the decrypted hash to confirm they are identical

Answer 130

A

Relying party (RP)

Answer 131

A

Certificate authorities

Answer 132

A

Public Key Infrastructure

Answer 133

A

A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption

Answer 134

A

Today’s public keys are mostly used to certify the identity of organizations—and in particular, their web servers—not individuals

Answer 135

A

They are digitally signed by an organization trusted to certify that the public key belongs to the organization

Answer 136

A

PKI operates mostly behind the scenes, securing web servers, mobile phones, secure chat and even chip-based credit cards

Answer 137

A

Today’s PKI implementations have proven to be too complicated for most computer users to comprehend and too technical for them to care much about it

Answer 138

A

An entity that a particular public key belongs to

For example, Equifax Security CA

Answer 139

A

On a web server, it’s a promise made by a third party, the certificate authority, that the public key on the certificate really does belong to the organization that operates a web server

Answer 140

A

Server’s public key
Server’s domain name system (DNS) name
Name of the company

Answer 141

A

The organization fills in a document called a certificate signing request (CSR)

The Certificate Authority:
•	verifies the information
•	puts it on the certificate
•	signs the certificate with their private key
•	Gives it back to the organization

The organization puts the certificate on their web server

Answer 142

A

The browser:
• computes the cryptographic hash of all the information on the certificate other than the signature
• takes the signature that’s on the certificate and decrypts the signature with the CA’s public key
• checks that the 2 values match

Answer 143

A

The browser must have a copy of the CAs public key

The CA must have behaved in a trustworthy manner

Answer 144

A

PKI applied to individuals rather than organizations

Answer 145

A

A means for the individual to securely maintain their private key and to use it to prove their identity

Answer 146

A

Stored inside a smart card or another kind of physical token - this is the most secure means and may be combined with a PIN to further secure it
Stored in an encrypted file on the user’s computer - typically requires a password

Answer 147

A

Key does not leave the card

* Card is normally removed when not in use

Answer 148

A

Alternative to usernames and passwords for website authentication
Add signed name to a document
Certify the contents of a digital document
Digitally sign software

Answer 149

A

They are valuable and can be stolen
They can be destroyed
Allows the CA a means to identify keys that should no longer be used or trusted

Answer 150

A

When a certificate is issued, the certificate’s owner can also obtain a revocation certificate.to be published if the private key is compromised
Most CAs operate a certificate revocation list (CRL)
Most CAs operate an online certificate revocation service

Answer 151

A

Online Certificate Status Protocol (OCSP)

Answer 152

A

No - companies (such as Microsoft, Google and Apple) need to publish patches for their browser software to remove a CA

Answer 153

A

Because digital certificates have validity periods

Answer 154

A

Using the internet Network Time Protocol (NTP)
Using a global positioning system (GPS) receiver
Learning the time from a cellular network
Using the Windows Time Service

Answer 155

A

No, none of the current protocols use cryptography to assure that the time provided is correct

Answer 156

A

Modern web browsers have more than 100 CAs built-in (some with suspicious names like AAA Certificate Services)
No practical way for users to distinguish between high-quality CAs and bargain basement ones
All CAs are equally trusted
Different CAs use different security standards

Answer 157

A

Publish Certification Authority Authorization (CAA) records with their DNS to inform web browsers to only trust certificates from a specific authority

Answer 158

A

An attempt to create a high-quality certificate
CAs are supposed to demand higher levels of assurance
They provide more information about the provider
More expensive

Answer 159

A

They argued against the very premise of EV certificates, saying that the rigorous checking of identity and liability protection were supposed to be part of the original certificates

Answer 160

A

The provide additional branding, but they do not appear to provide the additional security hoped for by their creator

Answer 161

A

One that combined symmetric cryptography, cryptographic hash functions and asymmetric cryptography
Most systems nowadays are hybrid

Answer 162

A

S/MIME

Pretty Good Privacy (PGP)

Answer 163

A

Email messages are digitally signed to verify the sender and encrypted so that they can only be deciphered by their intended recipient

Answer 164

A

Using S/MIME requires that email correspondents first obtain digital certificates

Answer 165

A

They generally provide digital certificates to their users

Example, US government provides digital certificates stored on cards to their employees

Answer 166

A

Uses an alternative model for PKI called the Web of Trust
Instead of relying on CAs to certify an individual’s public key, individuals create their own PGP pubic keys and then publish those keys either on a web page or by uploading the key to the PGP key server

Answer 167

A

Small groups of technologists

Answer 168

A

Encrypting movies and other kinds of digital media

Offers a cryptographic erasure function to block access to a document after a time period has expired

Answer 169

A

Access patterns of reads and writes can still reveal privacy-sensitive information

Answer 170

A

A system that has the property that monitoring reads or writes between the user, and the database reveals no side channel information
ORAM systems typically perform additional read-and-write operations to different parts of memory whenever any information is read or written

Answer 171

A

A range of protocols in which data can be retrieved from a database without revealing to the database or another observer the information that is retrieved

Answer 172

A

PIR systems are a subset of ORAM systems, in that they provide for data access but not necessarily for data modification

Brainscape's Knowledge GenomeTM

Chapter 3: Encryption and Related Technologies Flashcards

Brainscape's Knowledge Genome^TM