Chapter 7 - Cryptography and the PKI Flashcards

1
Q

Cryptography

A

Cryptography is the practice of encoding information in such a manner that it cannot be decoded without access to the required decryption key.

2
Q

Cipher

A

A Cipher is a method used to scramble or obfuscate characters to hide their value.

3
Q

Substitution Cipher

A

A Substitution Cipher is a type of coding or ciphering system that changes one character or symbol into another.

4
Q

Transposition Cipher

A

A Transposition Cipher involves transposing or scrambling the letters in a certain manner. Typically, the message is broken into blocks of equal size, and each block is then scrambled.

5
Q

Steganography

A

Steganography is the art of using cryptographic techniques to embed secret messages within another file. These algorithms work by making alterations to the least significant bits of the many bits that make up image/video/audio/text files.

6
Q

What are the four fundamental goals of cryptography?

A
  1. Confidentiality
  2. Integrity
  3. Authentication
  4. Non-repudiation
7
Q

Confidentiality

A

Confidentiality ensures that data remains private when it is at rest, when it is in transit, and when it is in use.

8
Q

Obfuscation

A

Obfuscation is the practice of making it intentionally difficult for humans to understand how code works.
Obfuscation is a concept closely related to confidentiality.

9
Q

Full-Disk Encryption (FDE)

A

Full-Disk Encryption (FDE) is a form of encryption where all the data on a hard drive is automatically encrypted, including the operating system and system files. With this method, data is still vulnerable if the system is compromised while running.

10
Q

Symmetric Cryptosystems

A

Symmetric Cryptosystems use a shared secret key available to all users of the cryptosystem. Symmetric Key Cryptography is also called Secret Key Cryptography and Private Key Cryptography.

11
Q

Asymmetric Cryptosystems

A

Asymmetric Cryptosystems use individual combinations of public and private keys for each user of the system.

11
Q

Key Space

A

For a cryptographic algorithm, the Key Space is the range of values that are valid for use as a key for a specific algorithm.

12
Q

Block Ciphers

A

Block Ciphers operate on ‘chunks’ of a message and apply the encryption algorithm to an entire chunk at the same time. Most modern encryption algorithms implement some type of block cipher.

13
Q

Stream Ciphers

A

Stream Ciphers operate on one character or bit of a message at a time.

14
Q

What are some of the weaknesses associated with symmetric key cryptography?

A
  1. Key exchange must be secure
  2. Does not implement non-repudiation
  3. The algorithm does not scale well
  4. Keys must be regenerated often
15
Q

Hash Collisions

A

A Collision is where a hash function produces the same value for two different methods. This typically leads to the deprecation of said hashing algorithm.

16
Q

3DES

A

3DES is an adapted version of DES (Data Encryption Standard) that simply uses the DES algorithm three different times with three different encryption keys. Both of these algorithms are considered insecure.

17
Q

AES

A

The Advanced Encryption Standard cipher allows the use of three key strengths: 128 bits, 192 bits, and 256 bits. Today, AES plays an essential role in wireless network security, the Transport Layer Security (TLS) protocol and file/disk encryption.

18
Q

Key Management Practices

A

Key Management Practices, the extraordinary measures taken to protect the security of encryption keys, include safeguards surrounding the creation, distribution, storage, destruction, recovery and escrow of keys.

19
Q

What are the three main methods used to exchange secret symmetric keys securely?

A
  1. Offline distribution
  2. Public key encryption
  3. Diffie-Hellman key exchange algorithm
20
Q

Split Knowledge

A

Split Knowledge refers to providing two different individuals with half of the symmetric key. They must collaborate to re-create the entire key.

21
Q

Key Escrow

A

Key Escrow systems have a third party store a protected copy of the key for use in an emergency.

22
Q

RSA

A

The RSA Public Key Algorithm remains a worldwide standard for asymmetric cryptography today. The RSA algorithm depends on the computational difficulty inherent in factoring large prime numbers.

23
Q

Hash Function

A

Hash Functions take a potentially long message and generate a unique output value derived from the content of the message. A good Hash Function will accept an input of any length and produce an output of a fixed length, regardless of the length of the input.

24
Q

Message Digest

A

A Message Digest is the unique output generated by a hash function. Some synonyms for this term include hash, hash value, hash total, checksum and CRC.

25
Q

Secure Hash Algorithm (SHA)

A

The Secure Hash Algorithm and its successors, SHA-1, SHA-2, and SHA-3, are government standard hash functions promoted by NIST. While the cryptographic community generally considers the SHA-2 algorithms secure, they are not as secure as the SHA-3 standard, which was announced in 2015.

26
Q

MD5

A

MD5 is a now-deprecated hash function developed by Ron Rivest in 1991. This hash function is no longer considered secure due to collisions.

27
Q

What are the two distinct goals of digital signatures?

A
  1. Digitally signed messages assure the recipient that the message truly came from the claimed sender.
  2. Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient.
28
Q

Suppose Alice wants to digitally sign a message she’s sending to Bob. What are the steps to this process?

A
  1. Alice generates a message digest of the original plain-text message using one of the cryptographically secure hashing algorithms.
  2. Alice then encrypts only the message digest using her private key. This encrypted message digest is the digital signature.
  3. Alice appends the signed message digest to the plain-text message.

Bob would then decrypt this message digest with Alice’s public key and then perform the same hash function on the plain-text message received from Alice. If the two message digests are identical, he knows the message was sent by Alice and that it was not modified in transit.

29
Q

Hash-Based Message Authentication Code (HMAC)

A

The HMAC algorithm implements a partial digital signature. It guarantees the integrity of a message during transmission, but it does not provide for non-repudiation. It represents a halfway point between unencrypted use of a message digest algorithm and computationally expensive digital signature algorithms based on public key cryptography.

30
Q

Public Key Infrastructure (PKI)

A

The Public Key Infrastructure is a hierarchy of trust relationships that permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates, resulting in hybrid cryptography.

31
Q

Digital Certificate

A

Digital Certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. Digital Certificates are essentially endorsed copies of an individual’s public key.

32
Q

X.509

A

X.509 is the international standard that describes the construction of digital certificates.

33
Q

Certificate Authority (CA)

A

Certificate Authorities are neutral organizations that offer notarization (verification) services for digital certificates.

34
Q

Registration Authority (RA)

A

Registration Authorities assist CAs with the burden of verifying users’ identities prior to issuing digital certificates.

35
Q

Enrollment (CA)

A

The process of proving one’s identity to a CA is called Enrollment.

36
Q

Certificate Signing Request (CSR)

A

Once you’ve satisfied the certificate authority regarding your identity, you provide them with your public key in the form of a Certificate Signing Request. The CA will then create an X.509 digital certificate containing your identifying information and a copy of your public key.

37
Q

Certificate Revocation List (CRL)

A

Before accepting a digital certificate as valid, you should first check with Certificate Revocation Lists to ensure that the certificate was not recently revoked.

The Online Certificate Status Protocol (OCSP) is another way of checking the status of a certificate.

38
Q

Certificate Pinning

A

Certificate Pinning approaches instruct the browser to attach a certificate to a subject for an extended period of time. This allows users or administrators to notice and intervene if a certificate changes unexpectedly.

39
Q

How does the Online Certificate Status Protocol (OCSP) work?

A

The Online Certificate Status Protocol works by having the client send an OCSP request to the CA’s OCSP server. The server will respond with a status of good, revoked, or unknown.

40
Q

Certificate Stapling

A

Certificate Stapling is an extension to the Online Certificate Status Protocol that relieves some of the burden placed upon certificate authorities by the original protocol.

40
Q

What are some of the common file formats for digital certificates?

A

Distinguished Encoding Rules (DER)
- The most common format
- Common file extensions include .der, .crt, and .cer

Privacy Enhanced Mail (PEM)
- ASCII text version of DER format
- Common file extensions include .pem and .crt

Personal Information Exchange (PFX)
- Commonly used by Windows systems
- Common extensions include .pfx and .p12

P7B
- Also used in Windows systems
- Uses the .p7b file extension (for text format)

41
Q

Hardware Security Module (HSM)

A

Hardware Security Modules store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys. HSMs can be a simple device such as a USB drive or a complex enterprise product that resides in a datacenter.

42
Q

Frequency Analysis

A

Frequency Analysis involves looking at the blocks of an encrypted message to determine if any common patterns exist. This does not work on modern algorithms.

43
Q

Downgrade Attack

A

A Downgrade Attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes.

44
Q

Birthday Attack

A

A Birthday Attack is a brute-force collision attack that exploits the mathematics behind the birthday problem in probability theory.

45
Q

Rainbow Table Attacks

A

Rainbow Table Attacks attempt to reverse hashed password values by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table.

46
Q

Key Stretching

A

Key Stretching is used to create encryption keys from passwords in a strong manner. The Password-Based Key Derivation Function v2 (PBKDF2) uses thousands of iterations of salting and hashing to generate encryption keys that are resilient against attack.

47
Q

Perfect Forward Secrecy

A

Perfect Forward Secrecy, a technology used by Dark Web browsers such as Tor, involves layers of encryption to prevent nodes in the relay chain from reading anything other than the specific information they need to accept and forward the traffic.

48
Q

Blockchain

A

The Blockchain is a distributed and immutable open public ledger. This means that it can store records in a way that distributes those records among many different systems located around the world and do so in a manner that prevents anyone from tampering with those records.

49
Q

Homomorphic Encryption

A

Homomorphic Encryption encrypts data in a way that preserves the ability to perform computation on that data. When you encrypt data with a Homomorphic algorithm and then perform computation on that data, you get a result that, when decrypted, matches the result you would have received if you had performed the computation on the plain-text data in the first place.

50
Q

Quantum Computing

A

Quantum Computing is an emerging field that attempts to use quantum mechanics to perform computing and communication tasks.