Chapter 7 Flashcards
in asymmetric cryptography, which key is used to encrypt a message?
receiver’s public key
Which international standard was created by Rivest, Shamir, and Adleman?
RSA public key algorithm
which algorithm relies on a component of set theory known as super-increasing sets, rather than large prime numbers?
Merkle-Hellman
this algorithm is an extension of Diffie-Hellman, but its major disadvantage is that it doubles the size of any message that it encrypts
ElGamal
this algorithm involves the equation Q = xP; and even if Q and P are known, x is incredibly difficult to solve. The major advantage of this algorithm is that you do not need a large key size to obtain the same amount of security as very large keys used in other algorithms
Elliptic Curve
this algorithm relies on the ability of two users to generate a shared secret that they both know without ever actually transmitting it, and is used to set up TLS
Diffie-Hellman Key Exchange
5 requirements of hash functions
- input can be any length
- output is fixed length
- relatively easy to compute
- one-way function
- collision resistant
block size of HAVAL
1024-bit
hash values of HAVAL
128, 160, 192, 224, and 256-bits
SHA-1 block size
512-bits
SHA-1 message digest size
160-bit
SHA-256 message digest size
256-bit
SHA-256 block size
512-bit
SHA-224 block size
512-bits
SHA-224 message digest size
224-bits
SHA-512 message digest size
512
SHA-512 block size
1024
SHA-384 message digest size
384
SHA-384 block size
1024-bits
which algorithm is the SHA-3 standard
Keccak
This standard provides the same security as SHA-2, but is slower so it is not commonly used
SHA-3
This hash algorithm was developed by Ronald Rivest, but collisions are possible
MD2, MD4, MD5
MD5 block size
512
MD5 message digest length
128 bits
what group of hashing functions is used as an alternative to SHA?
RIPEMD
RIPEMD message digest length
128-bit
Which variant of RIPEMD is still secure today?
RIPEMD-160
Which two major concepts do digital signature algorithms rely on?
public key encryption and hashing functions
4 steps of sending a digitally signed message
- hash the message
- encrypt the message digest using private key - this is the signature
- append the signature to the plaintext message
- send the messages
3 steps of validating digital signatures.
- decrypt digital signature using sender’s public key
- hash the plaintext message
- compare the decrypted digest to the new digest to make sure they are the same
Which aspect of the CIA triad do digital signatures alone not address, and how can it be achieved?
they do not provide confidentiality. It can be achieved by encrypting the signed message with the receiver’s public key.
this signature algorithm is a partial digital signature. it guarantees the integrity of a message but not nonrepudiation.
HMAC
what is the FIPS standard for digital signatures?
DSS - Digital Signature Standard
what is the DSS for hashing functions?
SHA-3
what are the 3 acceptable DSS encryption algorithms?
DSA (Digital Signature Algorithm)
RSA
ECDSA
what are endorsed copies of a public key?
digital certificates
what is the international standard for digital certificates?
X.509
what information is included on an X.509 certificate? (7 items)
- version of X.509
- serial number
- signature algorithm
- issuer name (name of CA)
- validity period
- subject name (CN, DN)
- subject’s public key
what entities assist CAs by allowing them to remotely validate user identities?
Registration Authorities (RAs)
how do CAs protect their root certificates?
using an offline CA that is used as needed to create intermediate CAs
3 Certificate Lifecycle steps
- Enrollment
- Verification
- Revocation
which step of the certificate lifecycle involves proving your identity to the CA?
- Enrollment
which step of the certificate lifecycle involves the certificate signing request?
- Enrollment
for which kind of certificate does the CA verify that the certificate subject has control of the domain name?
Domain validation certificate (DV)
for which kind of certificate does the CA take steps to verify that the certificate owner is a legitimate business before issuing the certificate?
Extended Validation (EV) certificate
which step of the certificate lifecycle involves checking the validity of the various components of a certificate?
Verification
which protocol is used to check if certificates have been revoked?
OCSP (Online Certificate Status Protocol)
what do CAs distribute to revoke groups of certificates?
CRL - Certificate Revocation Lists
when browsers attach a certificate to a subject for an extended period of time
certificate pinning
this is an extension to OCSP in which the web server sends clients a timestamped response from an OCSP server to alleviate some of the burden of all the clients individually sending requests
Certificate Stapling
maximum response time within which a CA will perform a requested revocation
revocation request grace period
4 reasons to revoke a certificate
- certificate was compromised
- erroneously issued
- details changed
- security association changed
4 digital certificate formats
Distinguished Encoding Rules (DER)
Privacy Enhanced Mail (PEM)
Personal Information Exchange (PFX)
P7B
Binary digital certificate formats (2)
DER and PFX
Text digital certificate formats (2)
PEM and P7B
.der digital certificate format
DER - Digital Encoding Rules
.crt Digital certificate format
DER - Distinguished Encoding Rules
PEM - Privacy Enhanced Mail
.cer digital certificate format
DER - Distinguished Encoding Rules
.pem digital certificate format
PEM - Privacy Enhanced Mail
.pfx digital certificate format
PFX - Personal Information Exchange
.p12 digital certificate format
PFX - Personal Information Exchange
most common binary digital certificate format
DER - Digital Encoding Rules
ASCII text version of DER format
PEM - Privacy Enhanced Mail
can you tell if a .crt file is binary or text without looking at the contents of the file?
No, this extension is used for both DER (binary) and PEM (text) formats.
digital certificate that is commonly used by windows systems
PFX - Personal Information Exchange
ASCII text Windows digital certificate format
P7B
most well known example of hybrid cryptography
TLS - Transport Layer Security
in hybrid cryptography, what method is used to distribute keys?
asymmetric/public key cryptography
a chip that resides on the motherboard of a device and can store and manage keys used for full disk encryption
TPM - Trusted Platform Module
which secure email system combines the CA hierarchy with the “web of trust”
PGP - Pretty Good Privacy
which secure email system uses the RSA encryption algorithm?
S/MIME
How can you protect your organization from POODLE attacks?
Only allow connections to sites using TLS (via active directory browser configurations or a proxy)
what is the minimum secure version of TLS?
TLS 1.2
hiding messages within another message by altering the least significant bits
steganography
two methods of circuit encryption
- Link encryption
- end-to-end encryption
which type of circuit encryption encrypts the header data?
link encryption
which kind of encryption is SSH?
end-to-end
what are the two big components of an IPsec connection?
AH - Authentication Header
ESP - Encapsulating Security Payload
which part of IPsec provides message integrity and non-repudiation?
AH - Authentication Header
which part of IPsec provides confidentiality with encryption?
Encapsulating Security Payload (ESP)
IPsec modes of operation
transport mode - only the payload is encrypted (end-to-end encryption)
tunnel mode - header is encrypted (link encryption)
a distributed and immutable public ledger
blockchain
cryptography in situations where computing power and energy are limited
lightweight cryptography
purpose of homomorphic encryption
being able to perform calculations on data that may include PII or PHI so that the data is never revealed to the researcher.
attacks that use algebraic manipulation to reduce the complexity of the algorithm
analytic attack
exploits weaknesses in the implementation of a crypto system - exploits the software code used to program the encryption
implementation attack
exploits statistical weaknesses in a cryptosystem
statistical attack
compromising the integrity of a device by causing some kind of external fault (high-voltage, temperature extremes) to induce a malfunction
fault injection attack
using information like power consumption or EM radiation to monitor system activity and retrieve information that is actively being encrypted
Side-Channel Attack
a random value added to the end of a password before the OS hashes the password
salt
counting the number of times each letter appears in the ciphertext and using knowledge of language and frequently used letters to attempt to crack the ciphertext
frequency analysis/ciphertext-only attack
attack cracks an encryption code by having both a ciphertext and plain text version of a message
known plaintext attack
attacker obtains the ciphertexts corresponding to a set of plaintexts of their own choosing in order to derive the key used
chosen plaintext
attacker decrypts chosen portions of the ciphertext message to discover the key
chosen ciphertext
attacker encrypts plaintext message using every possible key (k1) and the ciphertext is decrypted using all possible keys (k2). When a match is found, the key pair is used to defeat the double encryption method in use.
Meet in the Middle
attacker intercepts all communications between two parties, including the setup of a cryptographic session
man in the middle
attacker finds flaws in a hashing function where two inputs can produce the same output
Birthday attack, collision attack, reverse hash matching
attacker intercepts a request for authentication and then replays the captured message to open a new session
replay attack