Chapter 4 - Advanced Cryptography And PKI

Question 1

Key strength

Answer 1

The resiliency of a key to resist attacks.

Question 2

Three primary characteristics that determine the resiliency of the key to attacks

Answer 2

1) Randomness
2) length of key
3) cryptoperiod

Question 3

Cryptoperiod

Answer 3

The length of time for which a key is authorized for use.

Question 4

Block cipher mode of operation

Answer 4

A process that specifies how block ciphers should handle plaintext.

Question 5

Most common block cipher modes of operation

Answer 5

1) Electronic Code Book (ECB)
2) Cipher Block Chaining (CBC)
3) Counter (CTR)
4) Galois/Counter (GCM)

Question 6

Electronic Code Book (ECB)

Answer 6

A process in which plaintext is divided into blocks and each block is then encrypted separately.

Question 7

Cipher Block Chaining (CBC)

Answer 7

A process in which each block of plaintext is XORed with the previous block of ciphertext before being encrypted.

Question 8

Counter (CTR)

Answer 8

A process in which both the message sender and receiver access a counter, which computes a new value each time a ciphertext block is exchanged.

Question 9

Galois/Counter (GCM)

Answer 9

A process that both encrypts and computes a message authentication code (MAC).

Question 10

Crypto service provider

Answer 10

A service used by an application to implement cryptography.

Question 11

Crypto modules

Answer 11

Cryptography modules that are invoked by crypto service providers.

Question 12

Algorithm input values

Answer 12

1) salt

2) nonce

Question 13

Nonce

Answer 13

A value that must be unique within some specified scope.

Question 14

Initialization vector (IV)

Answer 14

A nonce that is selected in a non-predictable way.

Question 15

Salt

Answer 15

A value that can be used to ensure that plaintext, when hashed, will not consistently result in the same digest.

Question 16

Digital certificate

Answer 16

A technology used to associate a users identity to a public key and that has been digitally signed by a trusted third party.

Question 17

Certificate Signing Request (CSR)

Answer 17

A user request for a digital certificate.

Ex. Car title application

Question 18

Intermediate certificate authority (CA)

Answer 18

An entity that processes the CSR and verifies the authenticity of the user on behalf of a certificate authority (CA).

Ex. Visit county courthouse

Question 19

Certificate Authority (CA)

Answer 19

The entity that is responsible for digital certificates. Also called a root CA.

Ex. Title sent from state DMV

Question 20

Certificate Repository (CR)

Answer 20

A publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate.

Question 21

Certificate revocation list (CRL)

Answer 21

A list of certificate serial numbers that have been revoked.

Question 22

Online certificate status protocol (OCSP)

Answer 22

A process that performs a real-time lookup of a certificate’s status.

Question 23

Stapling

Answer 23

A process for verifying the status of a certificate by sending queries at regular intervals to receive a signed time-stamped response.

Question 24

Certificate chaining

Answer 24

Linking several certificates together to establish trust between all the certificates involved.

Question 25

User digital certificate

Answer 25

The end-point of the certificate chain.

Question 26

Root digital certificate

Answer 26

A certificate that is created and verified by a CA. The beginning point of the certificate chain.

Question 27

Pinning

Answer 27

Hard-coding a digital certificate within a program that is using the certificate.

Question 28

Key exchange

Answer 28

The handshake setup between web browser and web server.

Question 30

Domain validation digital certificate

Answer 30

Certificate that verifies the identity of the entity that has control over the domain name.

Question 31

Extended validation certificate (EV)

Answer 31

Certificate that requires more extensive verification of the legitimacy of the business than does a domain validation digital certificate.

Question 32

Wildcard digital certificate

Answer 32

Certificate used to validate a main domain along with all subdomains.

Question 33

Subject Alternative Name (SAN)

Answer 33

Also known as a Unified Communications Certificate (UCC), certificate primarily used for Microsoft Exchange servers or unified communications.

Question 34

Hardware and software digital certificates

Answer 34

1) machine digital certificate
2) code signing digital certificate
3) email digital certificate

Question 35

Machine digital certificate

Answer 35

Certificate used to verify the identity of a device in a network transaction.

Question 36

Code signing digital certificate

Answer 36

Certificate used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and that no unauthorized third party has altered it.

Question 37

Email digital certificate

Answer 37

A certificate that allows a user to digitally sign and encrypt mail messages.

Question 38

All X.509 certificates follow the standard ITU-T X.690, which specifies one of three different encoding formats..

Answer 38

1) Basic Encoding Rules (BER)
2) Canonical Encoding Rules (CER)
3) Distinguished Encoding Rules (DER)

Question 39

Privacy Enhancement Mail (PEM)

Answer 39

An X.509 file format that is designed to provide confidentiality and integrity to emails, it uses DER encoding and can have multiple certificates.

Question 40

Personal Information Exchange (PFX)

Answer 40

An X.509 file format that is the preferred file format for creating certificates to authenticate applications or websites, PFX is password protected because it contains both private and public keys.

Question 41

PKCS#12

Answer 41

An X.509 file format that is one of a numbered set of 15 standards defined by RSA Corporation, it is based on the RSA public key algorithm and like PFX contains both private and public keys.

Question 42

Public key infrastructure (PKI)

Answer 42

The underlying infrastructure for the management of public keys used in digital certificates.

Question 43

Three PKI trust models

Answer 43

1) hierarchical trust model
2) distributed trust model
3) bridge trust model

Question 44

Hierarchical trust model

Answer 44

PKI trust model that assigns a single hierarchy with one master CA who signs all digital certificate authorities with a single key.

Question 45

Distributed Trust model

Answer 45

PKI trust model that assigns multiple CA’s to sign digital certificates.

Question 46

Bridge trust model

Answer 46

PKI trust model where one CA acts as facilitator to interconnect all other CA’s. The facilitator CA does not issue digital certificates; instead, it acts as the hub between hierarchical trust models and distributed trust models.

Question 47

Certificate policy

Answer 47

A published set of rules that govern the operation of a PKI. Provides recommended baseline security requirements for the use and operation of CA, intermediate CA, and other PKI components.

Question 48

Certificate Practice Statement (CPS)

Answer 48

Describes in detail how the CA uses and manages certificates.

Question 49

Object identifier (OID)

Answer 49

A designator made up of a series of numbers separated with a dot which names an object or entity.

Question 50

Key escrow

Answer 50

A process in which keys are managed by a third party, such as a trusted CA.

Question 51

Secure Sockets Layer (SSL)

Answer 51

An early and widespread cryptographic transport algorithm; now considered obsolete.

Question 52

Transport Layer Security (TLS)

Answer 52

A widespread cryptographic transport algorithm. Current versions v1.1 and v1.2 are considered secure.

Question 53

Secure Shell (SSH)

Answer 53

An encrypted alternative to the Telnet protocol that is used to access remote computers.

Question 54

Hypertext Transport Protocol Secure (HTTPS)

Answer 54

HTTP sent over SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

Question 55

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Answer 55

A protocol for securing email messages.

Question 56

Secure Real-time Transport Protocol (SRTP)

Answer 56

A protocol for providing protection for Voice over IP (VoIP) communications.

Question 57

Internet Protocol Security (IPsec)

Answer 57

A protocol suite for securing Internet Protocol (IP) communications.

Question 58

Authentication Header (AH)

Answer 58

An IPSec protocol that authenticates that packets received were sent from the source.

Question 59

Encapsulating Security Payload (ESP)

Answer 59

An IPSec protocol that encrypts packets.

Question 60

Transport mode

Answer 60

An IPSec mode that encrypts only the data portion (pay-load) of each packet yet leaves the header unencrypted.

Question 61

Tunnel mode

Answer 61

An IPSec mode that encrypts both the header and the data portion.

Question 62

Session keys

Answer 62

Symmetric keys used to encrypt and decrypt information exchanged during the session and to verify its integrity.