Chapter 7 Cryptography and the Public Key Infrastructure

Question 1

Substitution Cipher

Answer 1

Changes one symbol/character into another. the Identity of the character is changed, but it’s position is unchanged.
Caesar Cipher, ROT13
Polyalphabetic sub cipher uses multiple alphabets for the same message.

Question 2

Transposition Cipher

Answer 2

Character position changes but the value/identity remains the same.
Columnar Transpostion: chosen number of columns IS the key.

Question 3

Stenography

Answer 3

Embedding secret messages within another file like a picture.

Question 4

Four Fundamental Goals of Cryptography

Answer 4

Confidentiality, Integrity, Authentication, Nonrepudiation

Question 5

Confidentiality

Answer 5

Cryptographic systems must ensure data remains private at rest, in use, and in motion.
The preservation of secrecy for stored information and communication.

Question 6

Obfuscation

Answer 6

Intentionally making something difficult for humans to understand.

Question 7

Integrity

Answer 7

Ensures data is not altered without authorization. Digital signatures enforce the concept of integrity, and can be enforced through both public key (asymm) and secret key (symm) cryptosystems.

Question 8

Authentication

Answer 8

verifies the claimed identity of system users and is a major function of cryptosystems. Challenge response authentication ensures that Bob is who he claims to be.

Question 9

Nonrepudiation

Answer 9

provides assurance to the recipient that the message was originated by the sender and not a masquerade. Also prevents sender from claiming they didn’t send the message. Symmetric Key systems do NOT provide for Nonrepudiation!

Question 10

Kerchoff Principle

Answer 10

A cryptosystem should be secure even if everything about the system (except the private key) is public knowledge.

Question 11

Block Cipher vs. Stream Cipher

Answer 11

Block Cipher apply encryption algorithm to each chunk or block of a message at a time.
Stream Ciphers operate on one character or bit of a message/data stream at a time.

Question 12

Symmetric Key Algorithm (shared secret key)

Answer 12

relies on shared secret encryption key that is distributed to all participating members. Difficult to break with large key, however:
- Key distribution is a major problem
- Doesn’t have nonrepudiation
- Algorithm not scalable
- Keys must be regenerated often
+very fast, much faster than asymmetric key encryption

Question 13

Asymmetric Key Algorithm (public key)

Answer 13

Each user has a public key and a private key. Opposite keys must be used in tandem to encrypt or decrypt.
+ additional users only require creating one public/private key pair
+ Users can be removed easily
+ Key regeneration only required when private key is compromised
+ Provides for Integrity, authentication as well as nonrepudiation
+ Key distribution is simple
+ No pre-existing communication link necessary
- slow speed of operation

Question 14

DES/Triple DES (symmetric key)

Answer 14

DES is a 64-bit block cipher with 5 modes, the key is 56-bits long.
- uses exclusive (XOR) operation which produces a unique output each time.
Triple DES uses the same algorithm over again with different keys. DES-EEE3 notes the number of encryption operations. All variations are now considered equally secure.

Question 15

DES mode 1: ECB

Answer 15

Electronic Codebook Mode, simplest and least secure. encrypts block using chosen secret key.
Impractical on all but the shortest transmissions.

Question 16

DES Mode 2: CBC

Answer 16

Cipher Block Chaining uses an initializing vector (IV) randomly selected value to start process. combines IV with first block using XOR.
In CBC, errors propagate.

Question 17

DES Mode 3: CFB

Answer 17

Cipher Feedback Mode is a streaming version of CBC, so it processes data realtime.

Question 18

DES Mode 4: OFB

Answer 18

Output Feedback Mode is similar to CFB, but instead of XORing previous encrypted block, DES XOR’s the plain text with seed. No chaining function, so errors do not propagate.

Question 19

DES Mode 5: CTR

Answer 19

Counter Mode is a stream similar to CFB and OFB, but instead of seed, it uses a counter that increments each operation. Errors do not propagate.

Question 20

AES (symmetric key)

Answer 20

Advanced Encryption Standard is a symmetric block cipher that replaces DES. Allows 3 key strengths: 128, 192, 256. AES only processes 128 bit blocks but encryption rounds can be increased to reach the key size required.

Question 21

Key Exchange - 3 methods

Answer 21

Offline
Public Key Encryption- Many people use public key encryption (asymm) to set up comms link, then use secret key (symm) because of the superior speed.
Diffie-Hellman - algorithm that allows the exchange of secret keys over an unencrypted network.

Question 22

Diffie-Hellman

Answer 22

“Standard Discrete Logarithm” that allows the exchange of secret keys over an unsecured network.

Question 23

Key Escrow

Answer 23

Key escrow allows an authority to obtain a cryptographic key from a central storage facility or 2+ parties holding a split key. This may be a result of a court order or other authoritative motive.

Question 24

RSA (public key/asymm)

Answer 24

RSA public key algorithm remains the worldwide standard. Relies on computational difficulty of factoring large prime numbers.

Question 25

How to determine key length?

Answer 25

Weigh the difficulty of defeating a given key length against the importance of the data.

Question 26

Elliptic Curve Cryptography

Answer 26

Elliptic curve equation, must be solve for X, extremely difficult to do, even with known variables. Believed to be more difficult than the prime factorization in RSA or the standard discrete logarithm by Diffie-Hellman.
*Provides equal strength to RSA but uses a shorter key length.

Question 27

What is the purpose of Hash Functions in relation to cryptography?

Answer 27

Take a potentially long message and generate a unique output value derived from the message content. This value is known as the message digest. Hash functions can be used to implement a digital signature algorithm.

Question 28

What are the Five Requirements of a cryptographic hash function?

Answer 28

1. They accept input of any length.
2. They produce output of fixed length.
3. The hash value is relatively easy to compute.
4. The hash function is one way (extremely hard to determine input solely from output).
5. The hash function is collision free.

Question 29

SHA (secure hash algorithm) Symmetric

Answer 29

SHA is a ONE WAY HASH FUNCTION.
SHA-2 algorithms considered secure but theoretically suffer same weakness as SHA-1.
In 2015 Keccak algorithm became the SHA-3 Standard. 512-bit.

Question 30

MD5
What is it?
How many bit blocks?
Problems?

Answer 30

One way hash function.
Like SHA, MD5 processes 512-bit blocks but uses 4 rounds of computation.
Suffers from collisions and is therefore considered inferior to SHA.

Question 31

Digital Signatures:

What are the two distinct goals of Digital Signatures?

Answer 31

1. Assure the recipient that the message truly came from the claimed sender
2. Assure the recipient that the message was not altered in transit

• Digital signatures do not actually provide any security or privacy on their own.

Question 32

HMAC

Hashed Message Authentication Code

Answer 32

HMAC Algorithm implements partial digital signature- guarantees the integrity of a message but does NOT provide for nonrepudiation.
Can be combined with any standard message digest (hash) generation algorithm (SHA-3) by using a shared secret key (symm). In such instance, only communicating parties can verify the digital sig.

• Think of HMAC like a halfway point between unencrypted message digest algorithm and digital signature algorithms based on public key cryptography.

Question 33

Digital Signature Standard (DSS)

Answer 33

NIST specified 3 digital signature algorithms:

• Digital Signature Algorithm (DSA)
• RSA
• Elliptic Curve DSA

*All must use the SHA-3 hashing functions.

Question 34

Key Selection:
David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?
A. David Public Key
B. David Private Key
C. Mike Public Key
D. Mike Private Key

Answer 34

Mike’s Public Key.

Question 35

Key Selection:
Mike receives a message David encrypted for him using an asymmetric encryption algorithm, what key should he use to decrypt the message?
David's Public Key
David's Private Key
Mike's Public Key
Mike's Private Key

Answer 35

Mike’s Private Key

Question 36

Key Selection:
David wishes to digitally sign a message he is sending to mike using an asymmetric encryption algorithm. What key should David use to create the digital signature?
David's Public Key
David's Private Key
Mike's Public Key
Mike's Private Key

Answer 36

David’s Private Key

Question 37

Key Selection:
Mike receives a digitally signed message from David, what key should Mike use to verify the digital signature?
David's Public Key
David's Private Key
Mike's Public Key
Mike's Private Key

Answer 37

David’s Public Key

Question 38

Digital Certificates

Answer 38

Digital Certificates provide communicating parties with the assurance that the people they are communicating with are who they claim to be. Essentially endorsed copies of an individual’s public key.
- Governed by international standard X.509

Question 39

What is a wildcard (in certificate name)

Answer 39

The wildcard indicates that the certificate is good for subdomains as well, designated by asterisk symbol.

Question 40

Public Key Infrastructure

Answer 40

Manages digital certificates, facilitates communication between parties. Hierarchy of trust relationships. These trusts permit combining asymmetric and symmetric cryptography as well as hashing and digital certificates giving us hybrid cryptography.

Question 41

Hybrid Cryptography

Answer 41

The combination of symmetric (shared secret key) and asymmetric (public key) encryption algorithms as well as hashing and digital certificates.

Question 42

Certificate Authorities (CA)

Answer 42

CAs are the glue that binds the PKI together. These neutral organizations offer notarization of digital certificates. Trust in these organizations is paramount.

Question 43

Registration Authorities (RA)

Answer 43

Assist CAs with the burden of verifying users’ identity prior to issuing digital certificates.

Question 44

CA infrastructure

What are the 3 levels of CAs?

Answer 44

Root is top level of a CA and should be kept offline unless needed to protect its integrity and confidentiality.
intermediate CAs serve online and issue certificates on a routine basis
Leaf CAs are below intermediate CAs and further isolate issues should they occur.

• this concept is known as certificate chaining.

Question 45

Self Signed Certificate/Internal CA

Answer 45

These can be used inside an organization. While the certificates won’t be trusted by the browsers of external users, internal systems can be configured to trust the internal CA.
- Saves cost

Question 46

Enrollment of Digital Certificate

Answer 46

Provide your public key in the form of a CSR (certificate signing request). The CA creates a X.509 digital certificate then digitally signs it.

Question 47

Domain Validation vs. Extended Validation

Answer 47

Domain Validation is the simplest and most common certificate; it verifies the subject has control of the domain name.
Extended Validation certificates provide assurance that the certificate owner is a legitimate business owner before issuing a certificate.

Question 48

Certificate Verification

Answer 48

When you receive a digital signature from someone you want to communicate with, you verify the certificate by checking the CA’s digital signature using the CAs public key. Next you ccheck that the certificate was not revoked using a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP)

Question 49

Certificate Stapling

Answer 49

the process of appending a digitally signed OCSP response to a certificate. This reduces overall OCSP traffic sent to the CA.

Question 50

Certificate Pinning

Answer 50

Instruct browsers to attach a certificate to a subject for an extended period of time. When sites use pinning, the browser associates that site with their public key.

Question 51

Certificate Formats - DER, PEM, PFX, P7B
Which are binary/ACSII?
Which are used by Windows?

Answer 51

DER- most common, binary format .DER, .CRT, .CER
PEM ACSII version of DER .PEM or .CRT

PFX used by windows, binary .PFX .P12
P7B used by windows, ASCII .P7B

Question 52

Asymmetric Key Management

Answer 52

1. Chose Encryption System Wisely
2. Select Keys appropriately
3. Keep Private Key Secret!
4. Retire old keys
5. change key pair regularly
6. back up your key
7. HSM provide effective way to manage keys

Question 53

Attacks: Brute Force

Answer 53

Trying every possible key/PW until one works

Question 54

Attacks: Frequency Analysis

Answer 54

looking at the blocks of an encrypted message for common patterns - doesn’t fucking work on modern algorithms

Question 55

Attacks: Known Plain Text

Answer 55

This attack relies on the attacker having pairs of known plain text along with the corresponding ciphertext. This gives the attacker a place to start attempting to derive the key.

Question 56

Chosen Plain Text Attack

Answer 56

The attacker can specify his own plaintext then encrypt it. He can carefully craft the plain text to learn characteristics about the algorithm. For example, if the Vigenere cipher is used, it is very easy to extract the key length and recover the key by repeating a letter “aa”.
Chosen plain text attacks are much more powerful than known plain text attacks.

Question 57

Related Key Attack

Answer 57

any attack where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. For example, the attacker might know that the last 80 bits of the keys are always the same.

Question 58

Attacks: Birthday Attack

Answer 58

Probability based attack; how many people would you need to have in a room to have a strong likelihood that two would have the same birthday?

Question 59

Attacks: Downgrade Attack

Answer 59

Attempts to get the user to switch to a less secure cryptographic mode.

Question 60

Attacks:: Rainbow Tables

Answer 60

Attempt to reverse hashed password value by precomputing the hashes of common password.

Question 61

How to prevent rainbow tables attack?

Answer 61

Salting, which is adding random characters to passwords before hashing.

Question 62

Blockchain

Answer 62

a distributed, immutable public ledger that no one can tamper with. Foundational technology for bitcoin and is primarily used for cryptocurrency.

Question 63

Homomorphic Encryption

Answer 63

Sometimes you need to protect the privacy of individuals but still need to perform calculations on data.