Chapter 7: PKI and Cryptographic Applications

Question 1

Explain Merkle Hellman Knapsack

Answer 1

It is based on the difficulty of performing factoring operations. It relies on super-increasing sets rather than prime numbers.

Question 2

What is the use of key length

Answer 2

It is important to understand the capabilities of encryption algorithms used and choose a key length that provides an appropriate level of protection.

The more critical your data the stronger the key used to protect it should be.

Question 3

List some Asymmetric Cryptosystems

Answer 3

Cryptosystem Key Length

1. Rivest, Shamir, Adleman (RSA) 1024 bits
2. Digital Signature Algorithm (DSA) 1024 bits
3. Elliptic Curve 160 bits

Question 4

What is Diffie Hellman? (Recap)

Answer 4

Uses large integers and modular arithmetic to facilitate the secure exchange of secret keys over insecure channels. Uses standard logarithms

Question 5

Disadvantage of El Gamal Algorithm

Answer 5

This algorithm doubles the length of any message it encrypts. Uses standard logarithms

Question 6

Explain mathematical operation used in Elliptic Curve algorithms

Answer 6

ECC uses discrete logarithms.

Question 7

Explain Message Digest

Answer 7

Hash functions take a potentially long message and generate a unique output from the content of the message. This is known as the message digest.

Question 8

List some message digest synonyms

Answer 8

Hash, hash value, hash total, Cyclic Redundancy Checks, fingerprint, checksum and Digital ID

Question 9

List 5 RSA basic requirements

Answer 9

1. Input can be of any length
2. Output has a fixed length
3. Hash function is easy to compute for any input
4. Hash Function is one-way
5. Hash function is collision free

Question 10

List 4 common hashing algorithms

Answer 10

1. Secure Hash Algorithm (SHA)
2. Message Digest (MD2/4/5)
3. Hash Message Authentication Code (HMAC)
   4.

Question 11

Explain HAVAL

Answer 11

Hash of Variable Length (HAVAL) is a modification of MD5. It uses 1024 bit blocks and produces hash values of 128, 160, 192, 224, 256 bits.

Question 12

Explain SHA in terms of the name, Message Digest and Block Size

Answer 12

Secure Hash Algorithm (SHA)

Algorithm Message Digest Block Size
SHA 1 160 512
SHA 256 256 512
SHA 224 224 512
SHA 512 512 1024
SHA 384 384 1024

Question 13

Explain MD2

Answer 13

Message Digest 2 is used to provide a secure hash function for 8 bit processors. Pads the message so that its length is a multiple of 16 bytes.

Question 14

Explain MD4

Answer 14

MD4 supports 32 bit processors and increases the level of security.

It processes 512 bit blocks of messages.

Question 15

Explain MD5

Answer 15

MD5 processes 512 bit blocks of messages.

It is subject to collusions and preventing its use for message integrity.

Question 16

List 2 uses of digital signatures

Answer 16

1. Digitally signed messages assure the recipient that the message trully came from the claimed sender.
2. Ptovides assurance that the message was not altered between the sender and the recipient.

Question 17

Other uses of digital signatures

Answer 17

Digital signatures are used by software vendors to authenticate code distributions that are downloaded from the internet such as applets and software patches.

Question 18

Explain HMAC

Answer 18

Hashed Message Authentication Code algorithm implements a partial digital signature. It guarantees the integrity of a message during transmission but it does not provide for nonrepudiation.

HMAC can be combined with message digest generated algorithm like SHA 3 by using a shared secret key. It does not provide non repudiation because it relies on secret keys.

Question 19

List some common rules for encryption, decryption, message signing algorithms etc

Answer 19

1. If yo want to encrypt a message use the recipient’s public key
2. If you want to decrypt a message use your private key.
3. If you want to digitally sign a message that you are sending to someone else use your private key.
4. If you want to verify the signature on a message sent by someone else use the sender’s public key

Question 20

Explain Digital Signature Standard

Answer 20

Federal Information Processing Standard (FIPS) 186-4 is also known as Digital Signature Standard (DSS)

Question 21

List some DSS Aproved encryption Algorithms

Answer 21

1. Digital Signature Algorithm (DSA)- FIPS 186.4
2. Rivest-Shamir-Adleman (RSA)- ANSI X9.31
3. Elliptic Curve Digital Signature Algorithm (ECDSA)- ANSI X9.62

Question 22

Describe PKI

Answer 22

Public Key Infrastructure (PKI) is used to facilitate communications between parties previously known to each other. PKI relies on heirarchy of trust.

Question 23

Describe Digital Certificates

Answer 23

Digital Certificates provide communicating parties with the assurance that people are communicating with who they claim to be.

They are endorsed public key copies. Their construction is governed by an International standard known as X.509

Question 24

Describe Registration Authority

Answer 24

Registration Authority (RA) assist certificate Authorities with the burder on verifying users’ identities before issuing digital certificates.

Question 25

Describe Certificate Path Validation (CPV)

Answer 25

Certificate Path Validation (CPV) means that each certificate in a certificate path from the original start or root of trust down to the server or client in question is legitimate or valid.

Question 26

What does enrollment mean in terms of generation and destruction of PKI

Answer 26

This involves proving yourself to some CA in some manner. This can involve credit report checking and identity verification.

Question 27

Explain the verification process for CAs

Answer 27

1. You verify the Certificate by checking the CA’s digital signature using the CA’s public key.
2. Check the certificate was not revoked using certificate revocation list or Online Certificate Status Protocol. (OCSP)

Question 28

List some reasons for revocation of certificates

Answer 28

1. Certificate was compromised.
2. The certificate was erroneously issued
3. Details of the certificate changed
4. Security Association changed

Question 29

Describe Control Revocation Lists

Answer 29

It contains the serial number of certificates that have been issued by a CA and have been revoked with the date and time the revocation went into effect

Question 30

Online Certificate Status Protocol (OCSP)

Answer 30

This protocol eliminates the latency inherent in the use of certicate revocation lists by providing a means for real time certificate verifications.

Question 31

Describe HSMs

Answer 31

Hardware Security Modules (HSMs) also provide a way to manage encryption keys. they store encryption keys in a secure manner that prevent humans from ever needing to work directly with the keys.

Question 32

Describe Trusted Platform Modules

Answer 32

TPMs provides the operating systems with access to the keys preventing someone form removing the drive from one device and inserting it into another device to access the drive’s data.

Question 33

For email confidentiality

Answer 33

Encrypt the message

Question 34

You must hash a message

Answer 34

if it must maintain integrity

Question 35

When do you use digitally signatures for messages?

Answer 35

when your message needs non repudiation, integrity and authentication

Question 36

When should you encrypt a message

Answer 36

if message requires integrity

Question 37

Describe PGP

Answer 37

Pretty Good Privacy (PGP) imbibe the web of trust concept which means that you must be trusted by one or more PGP users to begin using the system. this is combines the CA hierarchy.

Question 38

PGP is available in 2 versions, they are

Answer 38

Commercial version Freeware Version
Key Exchange- RSA Diffie Hellman
Msg Digest- MD5 SHA1
Encryption/Decryption IDEA CAST(128 bit)

Question 39

Describe S/MIME

Answer 39

Secure/Multipurpose Internet Mail Extensions (S/MIME)
protocol has emerged as a defacto standard for encrypted email. It uses RSA encryption algorithm and relies on the use of X.509 certificates for exchanging cryptographic keys.

RSA is the only public keys supported by S/MIME. The protocol also supports AES and 3DES symmetric algorithms.

Question 40

Discuss the 2 technologies that are responsible for the security of web browsers

Answer 40

1. Secure Socket Layer (SSL): relies on the exchange of digital server certificates to negotiate encryption decryption parameters between browser and web servers.

A common attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE)

2. Transport Socket Layer (TSL):

Question 41

What is HTTPS?

Answer 41

Hypertext Transfer Protocol Secure (HTTPS) uses port 443.

Question 42

What is Steganography?

Answer 42

Steganography is the art of using cryptographic techniques to embed secret messages within another message.

Question 43

Explain Digital Rights Movement

Answer 43

Digital Rights Movement (DRM) uses encryption to force copyright restrictions on digital media.

Question 44

2 common technologies used to protect mass distributed media are

Answer 44

1. High Bandwidth Digital Content Protection (HBDCP)

2. Advanced Access Content Systems (AACS)

Question 45

Types of Encryption techniques to protect data traveling over networks are

Answer 45

1. Link Encryption: protects entire communications circuits by creating a secure tunnel between 2 ports using either a hardware solution or software solution that encrypts all data entering one end of the tunnel.
2. End to End Encryption: protects communication between 2 parties and is performed independently of link communication.

Question 46

The critical difference between link data and end to end encryption is

Answer 46

In Link data, all the data, including the header, trailer, address and routing data is also encrypted. Therefore each data has to be decrypted at each hop and the re-encrypted before it can then be sent. This slows things down.

End to end encryption does not encrypt the header, trailer, address and routing data so it moves faster from point to point and is more susceptible to sniffers and eavesdroppers.

Question 47

Encryption at the higher end of the OSI Layer is

Answer 47

End to end Encryption

Question 48

Encryption at the lower end of the OSI Layer is

Answer 48

Link Encryption

Question 49

List some examples of end to end encryption

Answer 49

Secure Shell (SSH), File Transfer Protocol, Telnet and rlogin.

Question 50

Describe IPsec

Answer 50

Internet Protocol Security (IPsec) can be used to connect two networks. It does not dictate all the implementation but is open. It uses public key cryptography to provide encryption, access control, nonrepudiation and message authentication using all IP based protocol.

The primary purpose of IPsec is for virtual private networks (VPNs). IPSec can operate in either transport or tunnel mode. It is commonly paired with Layer 2 Tunneling Protocol L2TP.

Question 51

Describe the 2 major components of IPSec

Answer 51

1. Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
2. • Encapsulating Security Payload (ESP): confidentiality and integrity of packet content. It provides encryption and limited authentication prevents replay attacks.

Question 52

Describe the 2 major components of IPSec

Answer 52

1. Authentication Header: integrity and nonrepudiation. AH also provides authentication and access control and prevents relay attacks.
2. Encapsulation Payload: provides integrity and confidentiality of its content. It also provides encryption and authentication and prevents relay attacks.

Question 53

Describe Digital Rights Movement

Answer 53

DRM software uses encryption to enforce copyright restrictions on media.

E-book DRM this involves the most successful deployment of DRM technology. e.g. Adobe uses (ADEPT) Adobe Digital Experience Protection Technology.

Question 54

Describe High Bandwidth Digital Content Protection (HBDCP)

Answer 54

Provides DRM protection for content sent over digital connections including HDMI, Display port and DVI interfaces

Question 55

Describe Advanced Access Content System (AACS)

Answer 55

Protect the content on bluray and HD DVD media.

Question 56

Explain ISAKMP

Answer 56

Internet Security Association Key Management Protocol (ISAKMP), this involves the security support services for IPsec by negotiating, establishing modifying and deleting security associations.

4 Steps as set forth in internet RFC 2408:

1. Authenticate Communicating Peers
2. Create and manage security associations
3. Provide key generation mechanisms
4. Protect against threat

Question 57

Link Encryption and End to End Encryption

Answer 57

It includes link encryption i.e. encryption of all data and end to end encryption i.e. protection of communication between 2 parties. e.g. SSH, FTP, Telnet and r login.

Question 58

Explain WEP

Answer 58

Wired Equivalent Privacy (WEP) provides 64 and 128 bit encryption options to protect communications within the wireless LAN. This is not safe and should not be used.

Question 59

Explain WPA

Answer 59

Wifi Protected Access (WPA) improves on WEP encryption by implementing the Temporal Key Integrity Protocol (TKIP). WPA2 adds AES cryptography.

WPA encrypts traffic between a mobile computer and the nearest wireless access point. Once the traffic hits the wired network it becomes clear again.

Question 60

Describe cryptographic attacks

Answer 60

1. Analytic Attacks: this is an algebraic manipulation that attempts to reduce the complexity of algorithm.
2. Implementation Attack: exploits weaknesses in the implementation of a cryptographic system.
3. Statistical Attack: exploits statistical weaknesses in a cryptosystem. eg. floating errors,
4. Brute Force Attack: attempts every valid combination for a key or password.

Question 61

Two modifications that attackers make to enhance the effectiveness of brute force attacks are

Answer 61

1. Rainbow Tables: this provide precomputed values for cryptographic hashes. These are common for cracking passwords stored in hash form.
2. Specialized scalable computing hardware designed to conduct brute force attacks.

Question 62

Explain Salting

Answer 62

Cryptographic salts are random values added to the end of passwords before the operating system hashes the password. The salt is stored in the password file along with the hash.

Examples of hashing functions are: PBKDF2, bcrypt, scrypt. They allow for creation of hashes using salt and also incorporate a technique known as key stretching that makes it computationally difficult to perform single password guess.

Question 63

Explain ciphertext only attacks

Answer 63

Cipher text only attacks: This involves having ciphertext message as the only information at your disposal.

Question 64

Explain Known Plaintext

Answer 64

The attacker has the encrypted message along with the plain message used to generate the ciphertext

Question 65

Explain chosen ciphertext attack

Answer 65

The attacker has the ability to decrypt chosen portions of the ciphertext message and then uses the decrypted portion of the message to discover the key.

Question 66

Explain chosen plaintext attack

Answer 66

The attacker can encrypt plaintext messages of their choosing and analyze the ciphertext output of the chosen algorithm

Question 67

Explain meet in the middle attack

Answer 67

Meet in the middle attack is used to defeat encryption algorithms that involve 2 rounds of encryptions. This is the reason why 2DES was discarded and replaced with 3DES

Question 68

Explain man in the middle attack

Answer 68

this is a malicious individual that sits between 2 communicating parties and intercepts all communications. The attacker responds to the originator’s initialization requests and sets up a secure session with the originator. The attacker then sets up a second secure session with the intended recipient using a different key and posing as the originator.

Question 69

Explain Birthday Attack

Answer 69

Birthday Attack is also known as collision attack or reverse hashing attack. In this attack, malicious individuals seek to substitute a digitally signed communication with a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.

Question 70

Explain Replay Attack

Answer 70

Replay Attack occurs when an a malicious individual intercepts an encrypted message between 2 parties and the replay the captured message in a different session.

Question 71

a

Answer 71

a

Question 72

b

Answer 72

b

Question 73

c

Answer 73

c

Question 74

d

Answer 74

d

Question 75

e

Answer 75

e