Chapter 7: PKI and Cryptographic Applications Flashcards
Explain Merkle Hellman Knapsack
It is based on the difficulty of performing factoring operations. It relies on super-increasing sets rather than prime numbers.
What is the use of key length
It is important to understand the capabilities of encryption algorithms used and choose a key length that provides an appropriate level of protection.
The more critical your data the stronger the key used to protect it should be.
List some Asymmetric Cryptosystems
| Cryptosystem | Key Length |
|---|---|
| Rivest, Shamir, Adleman (RSA) | 1024 bits |
| Digital Signature Algorithm (DSA) | 1024 bits |
| Elliptic Curve | 160 bits |
What is Diffie Hellman? (Recap)
Uses large integers and modular arithmetic to facilitate the secure exchange of secret keys over insecure channels. Uses standard logarithms.
Disadvantage of El Gamal Algorithm
This algorithm doubles the length of any message it encrypts. Uses standard logarithms
Explain mathematical operation used in Elliptic Curve algorithms
ECC uses discrete logarithms.
Explain Message Digest
Hash functions take a potentially long message and generate a unique output from the content of the message. This is known as the message digest.
List some message digest synonyms
Hash, hash value, hash total, Cyclic Redundancy Checks, fingerprint, checksum and Digital ID
List 5 RSA basic requirements
- Input can be of any length
- Output has a fixed length
- Hash function is easy to compute for any input
- Hash Function is one-way
- Hash function is collision free
List 4 common hashing algorithms
- Secure Hash Algorithm (SHA)
- Message Digest (MD2/4/5)
- Hash Message Authentication Code (HMAC)
4.
Explain HAVAL
Hash of Variable Length (HAVAL) is a modification of MD5. It uses 1024 bit blocks and produces hash values of 128, 160, 192, 224, 256 bits.
Explain SHA in terms of the name, Message Digest and Block Size
Secure Hash Algorithm (SHA)
| Algorithm | Message Digest | Block Size |
|---|---|---|
| SHA 1 | 160 | 512 |
| SHA 256 | 256 | 512 |
| SHA 224 | 224 | 512 |
| SHA 512 | 512 | 1024 |
| SHA 384 | 384 | 1024 |
Explain MD2
Message Digest 2 is used to provide a secure hash function for 8 bit processors. Pads the message so that its length is a multiple of 16 bytes.
Explain MD4
MD4 supports 32 bit processors and increases the level of security.
It processes 512 bit blocks of messages.
Explain MD5
MD5 processes 512 bit blocks of messages.
It is subject to collisions, preventing its use for message integrity.
List 2 uses of digital signatures
- Digitally signed messages assure the recipient that the message truly came from the claimed sender.
- Provides assurance that the message was not altered between the sender and the recipient.
Other uses of digital signatures
Digital signatures are used by software vendors to authenticate code distributions that are downloaded from the internet such as applets and software patches.
Explain HMAC
Hashed Message Authentication Code algorithm implements a partial digital signature. It guarantees the integrity of a message during transmission but it does not provide for nonrepudiation.
HMAC can be combined with a message digest generation algorithm like SHA 3 by using a shared secret key. It does not provide nonrepudiation because it relies on secret keys.
List some common rules for encryption, decryption, message signing algorithms etc
- If you want to encrypt a message, use the recipient’s public key.
- If you want to decrypt a message, use your private key.
- If you want to digitally sign a message that you are sending to someone else, use your private key.
- If you want to verify the signature on a message sent by someone else, use the sender’s public key.
Explain Digital Signature Standard
Federal Information Processing Standard (FIPS) 186-4 is also known as Digital Signature Standard (DSS)
List some DSS Approved encryption Algorithms
- Digital Signature Algorithm (DSA) - FIPS 186-4
- Rivest-Shamir-Adleman (RSA) - ANSI X9.31
- Elliptic Curve Digital Signature Algorithm (ECDSA) - ANSI X9.62
Describe PKI
Public Key Infrastructure (PKI) is used to facilitate communications between parties previously known to each other. PKI relies on a hierarchy of trust.
Describe Digital Certificates
Digital Certificates provide communicating parties with the assurance that people are communicating with who they claim to be.
They are endorsed public key copies. Their construction is governed by an International standard known as X.509
Describe Registration Authority
Registration Authorities (RAs) assist Certificate Authorities with the burden of verifying users’ identities before issuing digital certificates.
Describe Certificate Path Validation (CPV)
Certificate Path Validation (CPV) means that each certificate in a certificate path from the original start or root of trust down to the server or client in question is legitimate or valid.
What does enrollment mean in terms of generation and destruction of PKI
This involves proving yourself to some CA in some manner. This can involve credit report checking and identity verification.
Explain the verification process for CAs
- You verify the Certificate by checking the CA’s digital signature using the CA’s public key.
- Check that the certificate was not revoked, using a certificate revocation list or the Online Certificate Status Protocol (OCSP).
List some reasons for revocation of certificates
- Certificate was compromised.
- The certificate was erroneously issued
- Details of the certificate changed
- Security Association changed
Describe Control Revocation Lists
It contains the serial number of certificates that have been issued by a CA and have been revoked with the date and time the revocation went into effect
Online Certificate Status Protocol (OCSP)
This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real time certificate verifications.
Describe HSMs
Hardware Security Modules (HSMs) also provide a way to manage encryption keys. They store encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.
Describe Trusted Platform Modules
TPMs provide the operating system with access to the keys, preventing someone from removing the drive from one device and inserting it into another device to access the drive’s data.
For email confidentiality
Encrypt the message
You must hash a message
if it must maintain integrity
When do you use digital signatures for messages?
when your message needs non repudiation, integrity and authentication
When should you encrypt a message
if message requires integrity
Describe PGP
Pretty Good Privacy (PGP) imbibes the web of trust concept, which means that you must be trusted by one or more PGP users to begin using the system. This combines the CA hierarchy.
PGP is available in 2 versions, they are
| | Commercial version | Freeware version |
|---|---|---|
| Key exchange | RSA | Diffie Hellman |
| Msg digest | MD5 | SHA1 |
| Encryption/decryption | IDEA | CAST (128 bit) |
Describe S/MIME
The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol has emerged as a de facto standard for encrypted email. It uses the RSA encryption algorithm and relies on the use of X.509 certificates for exchanging cryptographic keys.
RSA is the only public key algorithm supported by S/MIME. The protocol also supports the AES and 3DES symmetric algorithms.
Discuss the 2 technologies that are responsible for the security of web browsers
- Secure Socket Layer (SSL): relies on the exchange of digital server certificates to negotiate encryption decryption parameters between browser and web servers.
A common attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE)
- Transport Socket Layer (TSL):
What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) uses port 443.
What is Steganography?
Steganography is the art of using cryptographic techniques to embed secret messages within another message.
Explain Digital Rights Movement
Digital Rights Movement (DRM) uses encryption to force copyright restrictions on digital media.
2 common technologies used to protect mass distributed media are
- High Bandwidth Digital Content Protection (HBDCP)
- Advanced Access Content Systems (AACS)
Types of Encryption techniques to protect data traveling over networks are
- Link Encryption: protects entire communications circuits by creating a secure tunnel between 2 ports using either a hardware solution or software solution that encrypts all data entering one end of the tunnel.
- End to End Encryption: protects communication between 2 parties and is performed independently of link communication.
The critical difference between link encryption and end to end encryption is
In link encryption, all the data, including the header, trailer, address and routing data, is also encrypted. Therefore the data has to be decrypted at each hop and then re-encrypted before it can be sent on. This slows things down.
End to end encryption does not encrypt the header, trailer, address and routing data so it moves faster from point to point and is more susceptible to sniffers and eavesdroppers.
Encryption at the higher end of the OSI Layer is
End to end Encryption
Encryption at the lower end of the OSI Layer is
Link Encryption
List some examples of end to end encryption
Secure Shell (SSH), File Transfer Protocol, Telnet and rlogin.
Describe IPsec
Internet Protocol Security (IPsec) can be used to connect two networks. It does not dictate all of the implementation but is open. It uses public key cryptography to provide encryption, access control, nonrepudiation and message authentication using all IP-based protocols.
The primary purpose of IPsec is for virtual private networks (VPNs). IPsec can operate in either transport or tunnel mode. It is commonly paired with the Layer 2 Tunneling Protocol (L2TP).
Describe the 2 major components of IPSec
- Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
- Encapsulating Security Payload (ESP): confidentiality and integrity of packet content. It provides encryption and limited authentication and prevents replay attacks.
Describe the 2 major components of IPSec
- Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
- Encapsulation Payload: provides integrity and confidentiality of its content. It also provides encryption and authentication and prevents relay attacks.
Describe Digital Rights Movement
DRM software uses encryption to enforce copyright restrictions on media.
E-book DRM involves the most successful deployment of DRM technology, e.g. Adobe uses Adobe Digital Experience Protection Technology (ADEPT).
Describe High Bandwidth Digital Content Protection (HBDCP)
Provides DRM protection for content sent over digital connections including HDMI, DisplayPort and DVI interfaces.
Describe Advanced Access Content System (AACS)
Protects the content on Blu-ray and HD DVD media.
Explain ISAKMP
Internet Security Association Key Management Protocol (ISAKMP) provides the security support services for IPsec by negotiating, establishing, modifying and deleting security associations.
4 Steps as set forth in internet RFC 2408:
- Authenticate Communicating Peers
- Create and manage security associations
- Provide key generation mechanisms
- Protect against threat
Link Encryption and End to End Encryption
It includes link encryption, i.e. encryption of all data, and end to end encryption, i.e. protection of communication between 2 parties, e.g. SSH, FTP, Telnet and rlogin.
Explain WEP
Wired Equivalent Privacy (WEP) provides 64 and 128 bit encryption options to protect communications within the wireless LAN. This is not safe and should not be used.
Explain WPA
Wi-Fi Protected Access (WPA) improves on WEP encryption by implementing the Temporal Key Integrity Protocol (TKIP). WPA2 adds AES cryptography.
WPA encrypts traffic between a mobile computer and the nearest wireless access point. Once the traffic hits the wired network it becomes clear again.
Describe cryptographic attacks
- Analytic Attacks: this is an algebraic manipulation that attempts to reduce the complexity of the algorithm.
- Implementation Attack: exploits weaknesses in the implementation of a cryptographic system.
- Statistical Attack: exploits statistical weaknesses in a cryptosystem, e.g. floating errors.
- Brute Force Attack: attempts every valid combination for a key or password.
Two modifications that attackers make to enhance the effectiveness of brute force attacks are
- Rainbow Tables: these provide precomputed values for cryptographic hashes. These are common for cracking passwords stored in hash form.
- Specialized scalable computing hardware designed to conduct brute force attacks.
Explain Salting
Cryptographic salts are random values added to the end of passwords before the operating system hashes the password. The salt is stored in the password file along with the hash.
Examples of hashing functions are: PBKDF2, bcrypt, scrypt. They allow for creation of hashes using salt and also incorporate a technique known as key stretching that makes it computationally difficult to perform a single password guess.
Explain ciphertext only attacks
Ciphertext only attacks: This involves having the ciphertext message as the only information at your disposal.
Explain Known Plaintext
The attacker has the encrypted message along with the plain message used to generate the ciphertext
Explain chosen ciphertext attack
The attacker has the ability to decrypt chosen portions of the ciphertext message and then uses the decrypted portion of the message to discover the key.
Explain chosen plaintext attack
The attacker can encrypt plaintext messages of their choosing and analyze the ciphertext output of the chosen algorithm
Explain meet in the middle attack
Meet in the middle attack is used to defeat encryption algorithms that involve 2 rounds of encryption. This is the reason why 2DES was discarded and replaced with 3DES.
Explain man in the middle attack
This is a malicious individual that sits between 2 communicating parties and intercepts all communications. The attacker responds to the originator’s initialization requests and sets up a secure session with the originator. The attacker then sets up a second secure session with the intended recipient using a different key and posing as the originator.
Explain Birthday Attack
Birthday Attack is also known as collision attack or reverse hashing attack. In this attack, malicious individuals seek to substitute a digitally signed communication with a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.
Explain Replay Attack
Replay Attack occurs when a malicious individual intercepts an encrypted message between 2 parties and then replays the captured message in a different session.