Chapter 4 - Advanced Cryptography And PKI Flashcards
Key strength
The resiliency of a key to resist attacks.
Three primary characteristics that determine the resiliency of the key to attacks
1) Randomness
2) length of key
3) cryptoperiod
Cryptoperiod
The length of time for which a key is authorized for use.
Block cipher mode of operation
A process that specifies how block ciphers should handle plaintext.
Most common block cipher modes of operation
1) Electronic Code Book (ECB)
2) Cipher Block Chaining (CBC)
3) Counter (CTR)
4) Galois/Counter (GCM)
Electronic Code Book (ECB)
A process in which plaintext is divided into blocks and each block is then encrypted separately.
Cipher Block Chaining (CBC)
A process in which each block of plaintext is XORed with the previous block of ciphertext before being encrypted.
Counter (CTR)
A process in which both the message sender and receiver access a counter, which computes a new value each time a ciphertext block is exchanged.
Galois/Counter (GCM)
A process that both encrypts and computes a message authentication code (MAC).
Crypto service provider
A service used by an application to implement cryptography.
Crypto modules
Cryptography modules that are invoked by crypto service providers.
Algorithm input values
1) salt
2) nonce
Nonce
A value that must be unique within some specified scope.
Initialization vector (IV)
A nonce that is selected in a non-predictable way.
Salt
A value that can be used to ensure that plaintext, when hashed, will not consistently result in the same digest.
Digital certificate
A technology used to associate a user's identity to a public key and that has been digitally signed by a trusted third party.
Certificate Signing Request (CSR)
A user request for a digital certificate.
Ex. Car title application
Intermediate certificate authority (CA)
An entity that processes the CSR and verifies the authenticity of the user on behalf of a certificate authority (CA).
Ex. Visit county courthouse
Certificate Authority (CA)
The entity that is responsible for digital certificates. Also called a root CA.
Ex. Title sent from state DMV
Certificate Repository (CR)
A publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate.
Certificate revocation list (CRL)
A list of certificate serial numbers that have been revoked.
Online certificate status protocol (OCSP)
A process that performs a real-time lookup of a certificate’s status.
Stapling
A process for verifying the status of a certificate by sending queries at regular intervals to receive a signed time-stamped response.
Certificate chaining
Linking several certificates together to establish trust between all the certificates involved.
User digital certificate
The end-point of the certificate chain.
Root digital certificate
A certificate that is created and verified by a CA. The beginning point of the certificate chain.
Pinning
Hard-coding a digital certificate within a program that is using the certificate.
Key exchange
The handshake setup between web browser and web server.
Domain validation digital certificate
Certificate that verifies the identity of the entity that has control over the domain name.
Extended validation certificate (EV)
Certificate that requires more extensive verification of the legitimacy of the business than does a domain validation digital certificate.
Wildcard digital certificate
Certificate used to validate a main domain along with all subdomains.
Subject Alternative Name (SAN)
Also known as a Unified Communications Certificate (UCC); a certificate primarily used for Microsoft Exchange servers or unified communications.
Hardware and software digital certificates
1) machine digital certificate
2) code signing digital certificate
3) email digital certificate
Machine digital certificate
Certificate used to verify the identity of a device in a network transaction.
Code signing digital certificate
Certificate used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and that no unauthorized third party has altered it.
Email digital certificate
A certificate that allows a user to digitally sign and encrypt mail messages.
All X.509 certificates follow the standard ITU-T X.690, which specifies one of three different encoding formats:
1) Basic Encoding Rules (BER)
2) Canonical Encoding Rules (CER)
3) Distinguished Encoding Rules (DER)
Privacy Enhancement Mail (PEM)
An X.509 file format that is designed to provide confidentiality and integrity to emails; it uses DER encoding and can have multiple certificates.
Personal Information Exchange (PFX)
An X.509 file format that is the preferred file format for creating certificates to authenticate applications or websites; PFX is password protected because it contains both private and public keys.
PKCS#12
An X.509 file format that is one of a numbered set of 15 standards defined by RSA Corporation; it is based on the RSA public key algorithm and, like PFX, contains both private and public keys.
Public key infrastructure (PKI)
The underlying infrastructure for the management of public keys used in digital certificates.
Three PKI trust models
1) hierarchical trust model
2) distributed trust model
3) bridge trust model
Hierarchical trust model
PKI trust model that assigns a single hierarchy with one master CA who signs all digital certificate authorities with a single key.
Distributed trust model
PKI trust model that assigns multiple CAs to sign digital certificates.
Bridge trust model
PKI trust model where one CA acts as facilitator to interconnect all other CAs. The facilitator CA does not issue digital certificates; instead, it acts as the hub between hierarchical trust models and distributed trust models.
Certificate policy
A published set of rules that govern the operation of a PKI. Provides recommended baseline security requirements for the use and operation of CA, intermediate CA, and other PKI components.
Certificate Practice Statement (CPS)
Describes in detail how the CA uses and manages certificates.
Object identifier (OID)
A designator made up of a series of numbers separated with a dot which names an object or entity.
Key escrow
A process in which keys are managed by a third party, such as a trusted CA.
Secure Sockets Layer (SSL)
An early and widespread cryptographic transport algorithm; now considered obsolete.
Transport Layer Security (TLS)
A widespread cryptographic transport algorithm. Current versions v1.1 and v1.2 are considered secure.
Secure Shell (SSH)
An encrypted alternative to the Telnet protocol that is used to access remote computers.
Hypertext Transport Protocol Secure (HTTPS)
HTTP sent over SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Secure/Multipurpose Internet Mail Extensions (S/MIME)
A protocol for securing email messages.
Secure Real-time Transport Protocol (SRTP)
A protocol for providing protection for Voice over IP (VoIP) communications.
Internet Protocol Security (IPsec)
A protocol suite for securing Internet Protocol (IP) communications.
Authentication Header (AH)
An IPsec protocol that authenticates that packets received were sent from the source.
Encapsulating Security Payload (ESP)
An IPsec protocol that encrypts packets.
Transport mode
An IPsec mode that encrypts only the data portion (payload) of each packet yet leaves the header unencrypted.
Tunnel mode
An IPsec mode that encrypts both the header and the data portion.
Session keys
Symmetric keys used to encrypt and decrypt information exchanged during the session and to verify its integrity.