Chapter 7 PKI and Cryptographic Applications Flashcards

1
Q

Describe RSA.

A

Rivest, Shamir, and Adleman proposed the standard in 1977, and it’s still the worldwide standard. Start with two prime numbers (200 digits long). Multiply them, then find a number that is less than the product of them. This is used to create the public key, with another number used as the private key.

2
Q

Compare different symmetric and asymmetric key lengths.

A

128 bit symmetric, 3072 bit RSA, and 256 bit elliptical curve all have the same strength.

3
Q

Describe ElGamal.

A

Based on same math as Diffie Hellman. Originally had the benefit of being publicly available, although RSA now is as well. Doubles the size of any message. Based on standard discrete logarithm problem.

4
Q

Describe Elliptical Curve Cryptography.

A

Based on elliptical curve discrete logarithmic problem. More efficient than RSA.

5
Q

Describe Diffie Hellman.

A

The idea is that they generate a shared secret without ever transmitting it. They use PKI to generate a shared secret. It is hybrid cryptography. It is not technically an encryption protocol, but a key exchange protocol. Often used in TLS.

6
Q

Describe quantum cryptography.

A

Replaces binary 1 and 0 bits with multidimensional quantum bits called qubits. Quantum supremacy is the idea that quantum computers can solve problems that cannot currently be solved. Quantum key distribution is an approach to develop shared secrets similar to Diffie Hellman.

7
Q

Describe SHA-1.

A

Produces 160 bit message digests.

8
Q

Describe SHA-2.

A

SHA-256 produces 256 bit MDs.

SHA-224 produces 224 bit MDs.

SHA-512 produces 512 bit MDs.

SHA-384 produces 384 bit MDs.

9
Q

Describe MD5.

A

Produces 128 bit MDs.

10
Q

Describe RIPEMD.

A

Produces 128 bit MDs. Not secure. Same for RIPEMD-128.

RIPEMD-160 still secure.

RIPEMD-256 has the same level of security as 128, so 160 is more secure than 256.

11
Q

Describe HAVAL.

A

Hash of Variable length. Can be 128, 160, 192, 224, and 256.

12
Q

What is HMAC?

A

Hashed message authentication mode. Guarantees integrity but not nonrepudiation because it uses a shared secret key. It is more efficient than digital signatures.

Can be combined with standard hashing algorithms.

13
Q

What does NIST say about digital signatures?

A

All federally approved digital signature algorithms must use SHA-3.

Three algorithms may be used: DSA, a variant of ElGamal; RSA; Elliptical Curve DSA.

Being changed to RSA, ECDSA, and the Edwards Curve DSA.

14
Q

What information should a digital certificate have?

A

–Version of X509 used
–Serial number
–Signature algorithm identifier
–Issuer name
–Validity period
–Common name of the cert and the distinguished name of the entity that owns the public key
–Subject’s public key

Certificate can include a wildcard so it’s good for subdomains, but you can only go one level.

15
Q

What is a registration authority?

A

Do not issue certificates but help CAs with authentication.

16
Q

Describe the certificate lifecycle.

A

Enrollment–prove your identity to the CA. Once you have, you provide them with your public key via a certificate signing request (CSR). The CA then generates the X.509 digital certificate. The CA signs the certificate using its private key. Simplest certificates are domain validation certs–verify you control the domain you say you control. Extended Validation certs prove you are a legit business.

Distribution—CA sends the cert to the user.

Validation–when you receive a digital cert, you verify it by using the CA’s public key. You then check the validity period to make sure it has not expired. Then you check either the certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP). Finally, make sure the certificate contains the data you expect.

Revocation–CA revokes a cert because it was compromised, issued in error, the details changed, or the security association changed. Revocation is via the CRL (must download and cross-check), OCSP, or certificate stapling (web server “staples” an OCSP response to its cert. For a period, like 24 hours, the browser will know it is secure).

17
Q

What is certificate stapling?

A

Web server contacts the OCSP server. Attaches (staples) the response to the certificate. Browser does not need to recheck the server until the time stamp expires.

18
Q

What are the certificate formats?

A

Distinguished Encoding Rules (DER) is most common. Uses .der, .crt, or .cer.

Privacy Enhanced Mail is an ASCII text version of DER. Stored as .pem or .crt.

Personal Information Exchange (PFX) commonly used in Windows. Uses either .pfx or .p12.

P7B also used in Windows and stored in ASCII.

19
Q

What is a Trusted Platform Module?

A

A chip on the motherboard. Stores and manages the keys used for FDE.

20
Q

What does a digital signature provide an email?

A

Authentication, integrity, and nonrepudiation.

21
Q

Describe PGP.

A

Uses a web of trust. One or more PGP users must vouch for you. Often a plug-in to web-based email. Used in ProtonMail, StartMail, Mailvelope, SafeGmail, and Hushmail.

22
Q

Describe S/MIME.

A

Uses the RSA algorithm. Used in Outlook, Apple Mail, and G Suite Enterprise. Relies on X509 certs. Most Web-based email requires browser plug-ins.

23
Q

Describe the TLS cipher suite.

A

Will provide the key exchange algorithm, authentication algorithm, bulk encryption algorithm, and hash algorithm.

24
Q

What is Link Encryption?

A

Protects the entire communications circuit by creating a secure tunnel between two points. Usually done at lower levels of the OSI model.

25
Q

What is end-to-end encryption?

A

Protects communications between two parties but does not encrypt the header, trailer, address, and routing data. Usually done at higher levels of the OSI model.

26
Q

What is IPsec?

A

The authentication header (AH) provides assurance of integrity and nonrepudiation. The Encapsulating Security Payload (ESP) provides confidentiality and integrity of payload contents. Both prevent replay attacks.

Transport mode only encrypts the packet payload. This is for peer-to-peer communication. Tunnel mode encrypts the whole header, and is designed for link encryption.

You set up a session by creating a security association (SA). Two-way requires two SAs, and if needed for AH and ESP, you need four SAs.

27
Q

Describe cryptographic attacks.

A

Analytic attack–algebraic manipulation of the algorithm so it is less complex.

Implementation attack–exploits weaknesses in the implementation of the cryptographic system. Focuses on exploiting the code, not just errors and flaws, but the methodology used to program the encryption system.

Statistical attack–exploits statistical weaknesses in a cryptosystem, such as floating point errors.

Brute force attack–Trying every possible valid combination for a key or password.

Fault injection attack–attempting to compromise the integrity of a cryptographic device by causing some sort of external fault.

Side-channel attack–Taking advantage of the footprints of activity that computer systems create, such as power consumption, to actively monitor activity and retrieve information being encrypted.

Timing attack–Example of a side channel attack where the attacker measures how long cryptographic operations take, gaining information about the cryptographic process.

Frequency Analysis and the Ciphertext-Only Attack—Count the number of times each letter appears in the ciphertext. If common letters like E, T, and A are also the most common in the ciphertext, probably dealing with a transposition cipher. If other letters are most common, probably a substitution cipher.

Known Plaintext—If you have the encrypted message and the plaintext message used to generate the ciphertext, you may be able to break weaker codes.

Chosen Plaintext—Attacker obtains ciphertexts corresponding to a set of plaintexts it has chosen. Allows the attacker to attempt to derive the key. Differential cryptanalysis uses this.

Chosen Ciphertext—attacker has the ability to decrypt chosen portions of the ciphertext message and uses the decrypted portion to derive the key.

Meet in the Middle—Used to defeat encryption algorithms that use two rounds of encryption. This is why 2DES didn’t work. Attacker uses a known plaintext message. It is then encrypted using every possible key, and the equivalent ciphertext decrypted using every possible key. When a match is found, you have both portions of encryption.

Man in the Middle—a malicious actor sits between two parties and intercepts the initial setup of the session. The attacker responds to the originator’s initialization requests and sets up a secure session. Then establishes a second session with the intended recipient. AKA on-path attack.

Birthday—AKA collision or reverse hash matching. Seeks to substitute in a digitally signed communication a different message producing the same hash.

Replay—Attacker intercepts an encrypted message between the parties, often a request for authentication, and then replays the message to open a new session. This is why you should include a timestamp and expiration period in each message, use a challenge-response mechanism, and encrypt authentication sessions with ephemeral keys.

28
Q

What is certificate pinning?

A

Certificate pinning–Browsers attach a cert to a subject for an extended time, so they notice when a cert changes. Security mechanism.