Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP > Chapter 7 > Flashcards

Chapter 7 Flashcards

1
Q

Asymmetric (Public) key cryptosystems

A

RSA
Diffie-Hellman
ElGamal
Eliptic Curve (ECC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

5 Requirements for hash functions

A
  1. Variable length of input
  2. Fixed length of output (hash)
  3. Hash function relatively easy to compute
  4. Must be one-way function
  5. Collision resistant
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Common Hash Algorithms

A

SHA-1 - insecure and deprecated; 128-bit hash

SHA-2:
- SHA-256 (256 bit hash)
- SHA-224 (224 bit hash)
- SHA-512 (512 bit hash)
- SHA-384 (384 bit hash)

SHA-3: same level of security but slower than SHA-2

MD5 - 128 bit hash

RIPEMD:
- RIPEMD-160 - only secure variant; 160 bit hash

HAVAL: similar to MD5 but variable hash lengths (128, 160, 192, 224, 256 bits)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Digital signatures

A

2 goals: non-repudiation and authenticity

HMAC hybrid - use shared key encryption instead of public key; no non-repudiation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Digital Signature Standard (DSS)
Mandated FIPS for gov’t use

A

SHA-3 for hash (message digest)

For encryption:
1. RSA
2. Eliptic curve DSA (ECDSA)
3. Edward curve DSA (EdDSA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Dig Certificates - X.509

  • Endorsed copies of an individual’s public key
A
  • Ver of X.509
  • Serial ID
  • Signature algorithm
  • Issuer name
  • Validity period
  • Subject’s name
  • Subject’s public key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Certificate Authorities (CA)

A
  • Registration Authorities (RA) to help with verification of applicants
  • Root CA often offline (disonnected and powered off)
  • Intermediate CA issue certs on behalf of root CA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Certificate life-cycle

A
  1. Enrollment
    - CSR submission
    - Domain validation (DV) - simple check for domain ownership
    - Extended validation (EV) - verify legitimate business
    - CA issues certificate
  2. Cert Verification
    - verify trust
    - subject name matches
    - check validity via Cert Revocation List (CRL) or via OCSP
  3. Revocation
    - when compromised
    - issued in error
    - contents have changed
    - security association changed (e.g. subject no longer employed by org)

Certificate pinning - cert (public key) associated with site for extended time

Certificate stapling - OCSP server staples OSCP response with cert and sends to website server; reduce repeated requests to OCSP; good for 24 hours usually

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Certificate formats

A

Common:
- DER - binary (.der, .crt, .cer)
- PEM - ascii (.pem, .crt)

Windows:
- PFX - binary (.pfx, .p12)
- P7B - ascii

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

HSM (hardware security module)

A
  • manage keys
  • hardware acceleration of encryption
  • use keys without need to know actual key
  • tamper resistant
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Email security

A

PGP - includes digital signature with email

S/MIME - use RSA and X.509 certs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

TLS operation

(TLS 1.2 or 1.3)

A
  1. Client decrypts server cert for public key
  2. Client creates ephemeral key, encrypts with server public key, sends to server
  3. Server encrypts its ephemeral key with private key, sends to client

Enumerates the following:
1. Key exchange algorithm (not TLS 1.3)
2. Authentication method (public key algorithm)
3. Bulk encryption method (symmetric key algorithm)
4. Hash algorithm for MD’s

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Tor (The Onion Router)

[Dark Web]

A

Network traffic routed through different relay nodes, each with layer of encryption, a.k.a. Perfect Forward Secrecy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Network Encryption

A

Link encryption - lower layers of OSI (all including routing data encrypted)
End-to-end encryption - higher layers of OSI (routing data not encrypted)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

SSH2

A

Better than SSH, includes DH key exchange, multiple sessions in single SSH connection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

IPSEC

A

AH (Authentication Header) - authentication
ESP (Encapsulated Security Payload) - payload encryption with limited authen

Transport mode - end-to-end encryption; only data payload is encrypted
Tunnel mode - entire packet (data + header) encrypted, i.e. link encryption

Uses SA (security associations) channels; simplex

17
Q

Blockchain

A

Distributed across many different systems
Protected from being tampered with

18
Q

Cryptographic attacks

A
  1. Analytic attack - focus on algorithm
  2. Implementation attack - focus on implementation of algorithm
  3. Statistical attack - exploit number related vulnerabilities in OS or hardware
  4. Brute force attack
  5. Fault injection attack
  6. Side Channel attack
  7. Timing attack - based on how long encryption takes
  8. Ciphertext only and frequency analysis - have access to ciphertext only
  9. Known plaintext attack - have access to both plaintext and ciphertext to determine key
  10. Chosen plaintext - access to ciphertext of chosen plaintext
  11. Chosen ciphertext - ability to decipher some ciphertext and use that to discover key
  12. Meet-in-the-middle attack - targets 2DES
  13. Man-in-the-middle (or on-path) attack
  14. Birthday attack - collision or reverse hash attack; take adv of hash collisions
  15. Replay attack

CISSP (22 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions