Chapter 7: PKI and Cryptographic Applications Flashcards

1
Q

Explain Merkle Hellman Knapsack

A

It is based on the difficulty of performing factoring operations. It relies on super-increasing sets rather than prime numbers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the use of key length

A

It is important to understand the capabilities of encryption algorithms used and choose a key length that provides an appropriate level of protection.

The more critical your data the stronger the key used to protect it should be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

List some Asymmetric Cryptosystems

A

Cryptosystem Key Length

  1. Rivest, Shamir, Adleman (RSA) 1024 bits
  2. Digital Signature Algorithm (DSA) 1024 bits
  3. Elliptic Curve 160 bits
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is Diffie Hellman? (Recap)

A

Uses large integers and modular arithmetic to facilitate the secure exchange of secret keys over insecure channels. Uses standard logarithms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Disadvantage of El Gamal Algorithm

A

This algorithm doubles the length of any message it encrypts. Uses standard logarithms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Explain mathematical operation used in Elliptic Curve algorithms

A

ECC uses discrete logarithms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Explain Message Digest

A

Hash functions take a potentially long message and generate a unique output from the content of the message. This is known as the message digest.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

List some message digest synonyms

A

Hash, hash value, hash total, Cyclic Redundancy Checks, fingerprint, checksum and Digital ID

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

List 5 RSA basic requirements

A
  1. Input can be of any length
  2. Output has a fixed length
  3. Hash function is easy to compute for any input
  4. Hash Function is one-way
  5. Hash function is collision free
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

List 4 common hashing algorithms

A
  1. Secure Hash Algorithm (SHA)
  2. Message Digest (MD2/4/5)
  3. Hash Message Authentication Code (HMAC)
    4.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Explain HAVAL

A

Hash of Variable Length (HAVAL) is a modification of MD5. It uses 1024 bit blocks and produces hash values of 128, 160, 192, 224, 256 bits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Explain SHA in terms of the name, Message Digest and Block Size

A

Secure Hash Algorithm (SHA)

Algorithm Message Digest Block Size
SHA 1 160 512
SHA 256 256 512
SHA 224 224 512
SHA 512 512 1024
SHA 384 384 1024

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Explain MD2

A

Message Digest 2 is used to provide a secure hash function for 8 bit processors. Pads the message so that its length is a multiple of 16 bytes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Explain MD4

A

MD4 supports 32 bit processors and increases the level of security.

It processes 512 bit blocks of messages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Explain MD5

A

MD5 processes 512 bit blocks of messages.

It is subject to collusions and preventing its use for message integrity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

List 2 uses of digital signatures

A
  1. Digitally signed messages assure the recipient that the message trully came from the claimed sender.
  2. Ptovides assurance that the message was not altered between the sender and the recipient.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Other uses of digital signatures

A

Digital signatures are used by software vendors to authenticate code distributions that are downloaded from the internet such as applets and software patches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Explain HMAC

A

Hashed Message Authentication Code algorithm implements a partial digital signature. It guarantees the integrity of a message during transmission but it does not provide for nonrepudiation.

HMAC can be combined with message digest generated algorithm like SHA 3 by using a shared secret key. It does not provide non repudiation because it relies on secret keys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

List some common rules for encryption, decryption, message signing algorithms etc

A
  1. If yo want to encrypt a message use the recipient’s public key
  2. If you want to decrypt a message use your private key.
  3. If you want to digitally sign a message that you are sending to someone else use your private key.
  4. If you want to verify the signature on a message sent by someone else use the sender’s public key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Explain Digital Signature Standard

A

Federal Information Processing Standard (FIPS) 186-4 is also known as Digital Signature Standard (DSS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

List some DSS Aproved encryption Algorithms

A
  1. Digital Signature Algorithm (DSA)- FIPS 186.4
  2. Rivest-Shamir-Adleman (RSA)- ANSI X9.31
  3. Elliptic Curve Digital Signature Algorithm (ECDSA)- ANSI X9.62
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Describe PKI

A

Public Key Infrastructure (PKI) is used to facilitate communications between parties previously known to each other. PKI relies on heirarchy of trust.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Describe Digital Certificates

A

Digital Certificates provide communicating parties with the assurance that people are communicating with who they claim to be.

They are endorsed public key copies. Their construction is governed by an International standard known as X.509

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Describe Registration Authority

A

Registration Authority (RA) assist certificate Authorities with the burder on verifying users’ identities before issuing digital certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Describe Certificate Path Validation (CPV)

A

Certificate Path Validation (CPV) means that each certificate in a certificate path from the original start or root of trust down to the server or client in question is legitimate or valid.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What does enrollment mean in terms of generation and destruction of PKI

A

This involves proving yourself to some CA in some manner. This can involve credit report checking and identity verification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Explain the verification process for CAs

A
  1. You verify the Certificate by checking the CA’s digital signature using the CA’s public key.
  2. Check the certificate was not revoked using certificate revocation list or Online Certificate Status Protocol. (OCSP)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

List some reasons for revocation of certificates

A
  1. Certificate was compromised.
  2. The certificate was erroneously issued
  3. Details of the certificate changed
  4. Security Association changed
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Describe Control Revocation Lists

A

It contains the serial number of certificates that have been issued by a CA and have been revoked with the date and time the revocation went into effect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Online Certificate Status Protocol (OCSP)

A

This protocol eliminates the latency inherent in the use of certicate revocation lists by providing a means for real time certificate verifications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Describe HSMs

A

Hardware Security Modules (HSMs) also provide a way to manage encryption keys. they store encryption keys in a secure manner that prevent humans from ever needing to work directly with the keys.

32
Q

Describe Trusted Platform Modules

A

TPMs provides the operating systems with access to the keys preventing someone form removing the drive from one device and inserting it into another device to access the drive’s data.

33
Q

For email confidentiality

A

Encrypt the message

34
Q

You must hash a message

A

if it must maintain integrity

35
Q

When do you use digitally signatures for messages?

A

when your message needs non repudiation, integrity and authentication

36
Q

When should you encrypt a message

A

if message requires integrity

37
Q

Describe PGP

A

Pretty Good Privacy (PGP) imbibe the web of trust concept which means that you must be trusted by one or more PGP users to begin using the system. this is combines the CA hierarchy.

38
Q

PGP is available in 2 versions, they are

A

Commercial version Freeware Version
Key Exchange- RSA Diffie Hellman
Msg Digest- MD5 SHA1
Encryption/Decryption IDEA CAST(128 bit)

39
Q

Describe S/MIME

A

Secure/Multipurpose Internet Mail Extensions (S/MIME)
protocol has emerged as a defacto standard for encrypted email. It uses RSA encryption algorithm and relies on the use of X.509 certificates for exchanging cryptographic keys.

RSA is the only public keys supported by S/MIME. The protocol also supports AES and 3DES symmetric algorithms.

40
Q

Discuss the 2 technologies that are responsible for the security of web browsers

A
  1. Secure Socket Layer (SSL): relies on the exchange of digital server certificates to negotiate encryption decryption parameters between browser and web servers.

A common attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE)

  1. Transport Socket Layer (TSL):
41
Q

What is HTTPS?

A

Hypertext Transfer Protocol Secure (HTTPS) uses port 443.

42
Q

What is Steganography?

A

Steganography is the art of using cryptographic techniques to embed secret messages within another message.

43
Q

Explain Digital Rights Movement

A

Digital Rights Movement (DRM) uses encryption to force copyright restrictions on digital media.

44
Q

2 common technologies used to protect mass distributed media are

A
  1. High Bandwidth Digital Content Protection (HBDCP)

2. Advanced Access Content Systems (AACS)

45
Q

Types of Encryption techniques to protect data traveling over networks are

A
  1. Link Encryption: protects entire communications circuits by creating a secure tunnel between 2 ports using either a hardware solution or software solution that encrypts all data entering one end of the tunnel.
  2. End to End Encryption: protects communication between 2 parties and is performed independently of link communication.
46
Q

The critical difference between link data and end to end encryption is

A

In Link data, all the data, including the header, trailer, address and routing data is also encrypted. Therefore each data has to be decrypted at each hop and the re-encrypted before it can then be sent. This slows things down.

End to end encryption does not encrypt the header, trailer, address and routing data so it moves faster from point to point and is more susceptible to sniffers and eavesdroppers.

47
Q

Encryption at the higher end of the OSI Layer is

A

End to end Encryption

48
Q

Encryption at the lower end of the OSI Layer is

A

Link Encryption

49
Q

List some examples of end to end encryption

A

Secure Shell (SSH), File Transfer Protocol, Telnet and rlogin.

50
Q

Describe IPsec

A

Internet Protocol Security (IPsec) can be used to connect two networks. It does not dictate all the implementation but is open. It uses public key cryptography to provide encryption, access control, nonrepudiation and message authentication using all IP based protocol.

The primary purpose of IPsec is for virtual private networks (VPNs). IPSec can operate in either transport or tunnel mode. It is commonly paired with Layer 2 Tunneling Protocol L2TP.

51
Q

Describe the 2 major components of IPSec

A
  1. Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
  2. • Encapsulating Security Payload (ESP): confidentiality and integrity of packet content. It provides encryption and limited authentication prevents replay attacks.
52
Q

Describe the 2 major components of IPSec

A
  1. Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
  2. Encapsulation Payload: provides integrity and confidentiality of its content. It also provides encryption and authentication and prevents relay attacks.
53
Q

Describe Digital Rights Movement

A

DRM software uses encryption to enforce copyright restrictions on media.

E-book DRM this involves the most successful deployment of DRM technology. e.g. Adobe uses (ADEPT) Adobe Digital Experience Protection Technology.

54
Q

Describe High Bandwidth Digital Content Protection (HBDCP)

A

Provides DRM protection for content sent over digital connections including HDMI, Display port and DVI interfaces

55
Q

Describe Advanced Access Content System (AACS)

A

Protect the content on bluray and HD DVD media.

56
Q

Explain ISAKMP

A

Internet Security Association Key Management Protocol (ISAKMP), this involves the security support services for IPsec by negotiating, establishing modifying and deleting security associations.

4 Steps as set forth in internet RFC 2408:

  1. Authenticate Communicating Peers
  2. Create and manage security associations
  3. Provide key generation mechanisms
  4. Protect against threat
57
Q

Link Encryption and End to End Encryption

A

It includes link encryption i.e. encryption of all data and end to end encryption i.e. protection of communication between 2 parties. e.g. SSH, FTP, Telnet and r login.

58
Q

Explain WEP

A

Wired Equivalent Privacy (WEP) provides 64 and 128 bit encryption options to protect communications within the wireless LAN. This is not safe and should not be used.

59
Q

Explain WPA

A

Wifi Protected Access (WPA) improves on WEP encryption by implementing the Temporal Key Integrity Protocol (TKIP). WPA2 adds AES cryptography.

WPA encrypts traffic between a mobile computer and the nearest wireless access point. Once the traffic hits the wired network it becomes clear again.

60
Q

Describe cryptographic attacks

A
  1. Analytic Attacks: this is an algebraic manipulation that attempts to reduce the complexity of algorithm.
  2. Implementation Attack: exploits weaknesses in the implementation of a cryptographic system.
  3. Statistical Attack: exploits statistical weaknesses in a cryptosystem. eg. floating errors,
  4. Brute Force Attack: attempts every valid combination for a key or password.
61
Q

Two modifications that attackers make to enhance the effectiveness of brute force attacks are

A
  1. Rainbow Tables: this provide precomputed values for cryptographic hashes. These are common for cracking passwords stored in hash form.
  2. Specialized scalable computing hardware designed to conduct brute force attacks.
62
Q

Explain Salting

A

Cryptographic salts are random values added to the end of passwords before the operating system hashes the password. The salt is stored in the password file along with the hash.

Examples of hashing functions are: PBKDF2, bcrypt, scrypt. They allow for creation of hashes using salt and also incorporate a technique known as key stretching that makes it computationally difficult to perform single password guess.

63
Q

Explain ciphertext only attacks

A

Cipher text only attacks: This involves having ciphertext message as the only information at your disposal.

64
Q

Explain Known Plaintext

A

The attacker has the encrypted message along with the plain message used to generate the ciphertext

65
Q

Explain chosen ciphertext attack

A

The attacker has the ability to decrypt chosen portions of the ciphertext message and then uses the decrypted portion of the message to discover the key.

66
Q

Explain chosen plaintext attack

A

The attacker can encrypt plaintext messages of their choosing and analyze the ciphertext output of the chosen algorithm

67
Q

Explain meet in the middle attack

A

Meet in the middle attack is used to defeat encryption algorithms that involve 2 rounds of encryptions. This is the reason why 2DES was discarded and replaced with 3DES

68
Q

Explain man in the middle attack

A

this is a malicious individual that sits between 2 communicating parties and intercepts all communications. The attacker responds to the originator’s initialization requests and sets up a secure session with the originator. The attacker then sets up a second secure session with the intended recipient using a different key and posing as the originator.

69
Q

Explain Birthday Attack

A

Birthday Attack is also known as collision attack or reverse hashing attack. In this attack, malicious individuals seek to substitute a digitally signed communication with a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.

70
Q

Explain Replay Attack

A

Replay Attack occurs when an a malicious individual intercepts an encrypted message between 2 parties and the replay the captured message in a different session.

71
Q

a

A

a

72
Q

b

A

b

73
Q

c

A

c

74
Q

d

A

d

75
Q

e

A

e