Chapter 7 - PKI And Cryptographic Applications

Question 1

Hash Algorithm memorization Chart

Answer 1

Name Hash value length
HAVAL 128, 160, 192, 224, and 256 bits
HMAC Variable
MD2/4/5 128
Secure Hash Algorithm (SHA-1) 160
SHA-224. 224
SHA-256. 256
SHA-384. 384
SHA-512. 512

Question 2

4 simple rules of public key cryptography and digital signatures

Answer 2

• If you want to encrypt a message, use the recipient’s public key.
• If you want to decrypt a message sent to you, use your private key.
• If you want to digitally sign a message you are sending to someone else, use your private key.
• If you want to verify the signature on a message sent by someone else, use sender’s public key.

Question 3

Link encryption vs End-to-end encryption

Answer 3

The critical differences between link and end-to -end encryption is that in link encryption, all the data, including the header, trailer, address, and routing data is also encrypted. Therefore, each packet has to be decrypted at each hop so it can be properly routed to next hop and then re-encrypted before it can be sent sling its way.

When encryption happens at higher OSI layers, it is usually end-to-end encryption,and if encryption is done at the lower layers of OSI model, it usually link encryption.

Question 4

AH vs ESP

Answer 4

AH: provides assurances of message integrity and non repudiation. AH also provides authentication and access control and prevents replay attacks.

ESP: provides confidentiality and integrity of packet contents. It provides encryption and limited authentication and prevents replay attack.

Question 5

4 basic requirement for ISAKMP

Answer 5

• Authenticate communicating peers
• Create and manage security associations
• Provide key generation mechanism
• Protect against threats (for example, replay and denial-of-service attacks)

Question 6

Disadvantage of WPA

Answer 6

WPA does not provide an end-to-end security solution. It encrypts traffic only between a mobile computer and the nearest wireless access point. Once traffic hits the wired network, it’s in the clear again.

Question 7

Link encryption vs End-to-end encryption

Answer 7

The critical differences between link and end-to -end encryption is that in link encryption, all the data, including the header, trailer, address, and routing data is also encrypted. Therefore, each packet has to be decrypted at each hop so it can be properly routed to next hop and then re-encrypted before it can be sent sling its way.

When encryption happens at higher OSI layers, it is usually end-to-end encryption,and if encryption is done at the lower layers of OSI model, it usually link encryption.

Question 8

AH vs ESP

Answer 8

AH: provides assurances of message integrity and non repudiation. AH also provides authentication and access control and prevents replay attacks.

ESP: provides confidentiality and integrity of packet contents. It provides encryption and limited authentication and prevents replay attack.

Question 9

4 basic requirement for ISAKMP

Answer 9

• Authenticate communicating peers
• Create and manage security associations
• Provide key generation mechanism
• Protect against threats (for example, replay and denial-of-service attacks)

Question 10

Disadvantage of WPA

Answer 10

WPA does not provide an end-to-end security solution. It encrypts traffic only between a mobile computer and the nearest wireless access point. Once traffic hits the wired network, it’s in the clear again.

Question 11

Which cryptographic algorithm forms the basis of the EI Gamal cryptosystems?

Answer 11

The EI Gamal cryptosystems extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.

Question 12

The disadvantage of EI Gamal

Answer 12

It doubles the length of any messages it encrypts. Therefore, a 2048 bit plain text message would yield a 4096 bit cipher text message when EI Gamal is used for the encryption process.

Question 13

Benefit of elliptic curve cryptosystems

Answer 13

It requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024 bit RSA key is cryptographically equivalent to a 160- bit elliptic curve cryptosystems key.

Question 14

Approved standard encryption algorithms

Answer 14

DSA
RSA
ELliptic Curve DSA

Question 15

meet in the middle attack

Answer 15

Meet in the middle defects encryption algorithms that use two rounds of encryption. This attack is the reason that double DES was quickly discarded as a viable enhancement to the DES encryption.

Question 16

What does The “Infrastructure “ of PKI methodology ensures?

Answer 16

The recipient’s identity can be positively verified by the sender because only the recipient with the proper matching key will be able to decrypt the message and get access.

Through the use of Public Key Infrastructure (PKI) the recipient’s identity can be positively verified by the sender.

The sender of the message knows he’s using a Public Key that belongs to a specific user. He can validate through the Certification Authority (CA) that a public key is in fact the valid public key of the receiver and the receiver is really who he claims to be. By using the public key of the recipient, only the recipient using the matching private key will be able to decrypt the message. When you wish to achieve confidentiality, you encrypt the message with the recipient public key.

If the sender would wish to prove to the recipient that he is really who he claims to be then the sender would apply a digital signature on the message before encrypting it with the public key of the receiver. This would provide Confidentiality and Authenticity of the message.

A PKI (Public Key Infrastructure) enables users of an insecure public network, such as the Internet, to securely and privately exchange data through the use of public key-pairs that are obtained and shared through a trusted authority, usually referred to as a Certificate Authority.

The PKI provides for digital certificates that can vouch for the identity of individuals or organizations, and for directory services that can store, and when necessary, revoke those digital certificates. A PKI is the underlying technology that addresses the issue of trust in a normally untrusted environment.

Question 17

A Ticket Granting Service is a part of kerberos and not PKI.

Answer 17

A Ticket Granting Service is a part of kerberos and not PKI.

Question 18

Explains how digital signature works?

Answer 18

The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender’s private key is used to encrypt the message digest of the message. Encrypting the message digest is the act of Signing the message. The receiver will use the matching public key of the sender to decrypt the Digital Signature using the sender’s public key.

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures cannot be forged by someone else who does not possess the private key, it can also be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real and has not been modified since the day it was issued.

Question 19

Which of the following services is NOT provided by the digital signature standard (DSS)?

Answer 19

DSS provides Integrity, digital signature and Authentication, but does not provide Encryption.

Question 20

What edoes NOT concern itself with key management?

Answer 20

Cryptology is the science that includes both cryptography and cryptanalysis and is not directly concerned with key management. Cryptology is the mathematics, such as number theory, and the application of formulas and algorithms, that underpin cryptography and cryptanalysis.

Question 21

Differences between ciphertext-only attack, known-plaintext attack, and chosen-cipher text attack

Answer 21

In a ciphertext-only attack, the attacker has the ciphertext of several messages encrypted with the same encryption algorithm. Its goal is to discover the plaintext of the messages by figuring out the key used in the encryption process. In a known-plaintext attack, the attacker has the plaintext and the ciphertext of one or more messages. In a chosen-ciphertext attack, the attacker can chose the ciphertext to be decrypted and has access to the resulting plaintext.

Question 22

message can be encrypted and digitally signed, which provides _______________

Answer 22

The correct answer is: Confidentiality, Authentication, Non-repudiation, and Integrity.

For the purpose of the exam, one needs to be very clear on all the available choices within cryptography, because different steps and algorithms provide different types of security services:

A message can be encrypted, which provides confidentiality.
A message can be digitally signed, which provides authentication, nonrepudiation, and integrity.
A message can be hashed, which provides integrity.
A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity.

Question 23

Digital Envelope

Answer 23

A Digital Envelope is used to send encrypted information using symmetric keys, and the relevant session key along with it. It is a secure method to send electronic document without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of symmetric keys.

Question 24

PKI components

Answer 24

A public key infrastructure consists of:
A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requester
A Subscriber is the end user who wish to get digital certificate from certificate authority.

Question 25

Digital signature

Answer 25

Digital signatures provide authentication and integrity, which forms nonrepudiation. They do not provide confidentiality: the plaintext remains unencrypted.

Question 26

most secure form of triple-DES encryption

Answer 26

Triple DES with three distinct keys is the most secure form of triple-DES encryption. It can either be DES-EEE3 (encrypt-encrypt-encrypt) or DES-EDE3 (encrypt-decrypt-encrypt). DES-EDE1 is not defined and would mean using a single key to encrypt, decrypt and encrypt again, equivalent to single DES. DES-EEE4 is not defined and DES-EDE2 uses only 2 keys (encrypt with first key, decrypt with second key, encrypt with first key again).

Question 27

What can use RC4 for encryption?

Answer 27

SSL can use a wide variety of key algorithms including RC4, RC2, DES, 3DES, Idea, Fortezza, AES and others.

WEP uses the RC4 encryption algorithm

Question 28

What is the size of the key that was used in the Clipper Chip?

Answer 28

80 bits