Cryptograhy

Question 1

Cryptography

Answer 1

Encrypting data

Question 2

Cryptanalysis

Answer 2

Breaking encryption

Question 3

Cryptography Algorithm

Answer 3

A set of rules performing the locking/encryption and unlocking/decryption of data/information

Question 4

Cryptography Key

Answer 4

A value used with the algorithm to lock and unlock information

Question 5

Key Space

Answer 5

The maximum number of keys possible

e.g. key space of particular character set (e.g. 0-9)

Question 6

Entropy

Is high or low entropy desired for crypto key?

Answer 6

A measure of how random or unpredictable something is

e.g. using only lowercase letters a key would result in low entropy
using mix of upper, lower, numbers and special chars would result in high entropy

High entropy is desired, it would make it harder for an attacker to guess your keu

Question 7

Cryptoperiod

Answer 7

Length of time a particular crypto key may be used

Question 8

Work Factor

Answer 8

Estimated time or effort needed to break the encryption, usually measured by timing of brute force approach

The larger the key size, the greater the key space, the more secure your key becomes

Question 9

Avalanche Effect?

What methods does it apply to? Why?

Answer 9

Minor changes to the either the key or plaintext will result in a large change to the ciphertext

Important for both encryption and hashing

Prevents reversing ciphertext

Question 10

Kerckhoff’s Principle

Answer 10

The strength of your encryption should not rely on keeping your algorithm secret

It should rely instead on keeping the encryption keys a secret, as long as you can change them when needed

If keys compromised, just make a new one - cheap and easy
If algorithm is compromised - this is costly and complicated, all HW and SW that rely on encryption algorithm would need to be updated

Question 11

Symmetric Encryption

Advantage/Disadvantage

AKA

Answer 11

One key is used with the algorithm to encrypt and decrypt data

Only benefits confidentiality

Advantages: very fast and cheep
Disadvantages: key management is difficult because you have to distribute the key to decrypt; usually done using asymmetric encryption or out of band

AKA - Secret key, Single Key, Shared Key, Session Key

Question 12

List types of Ciphers

Answer 12

Steam
Block
Block Mode
Stream Mode

Question 13

Stream Ciphers

Answer 13

Generates ciphertext bit by bit or byte by byte

Used for encrypted data in transit

Popular Algorithms:
RC4 - old and not used anymore
Salsa and ChaCha commonly used in TLS

Question 14

Block Ciphers

Examples

Answer 14

Block ciphers can work in two modes: Stream or Block Mode

Block Mode - encrypts data at rest
Stream Mode - encrypts data in transit

Examples - AES, DES, 2DES, 3DES
Twofish, Blowfish
IDEA
RC2, RC5, RC6, RC7

Question 15

Asymmetric Encryption

Answer 15

Using a key pair (Public key and Private key)

The public key can be used by anyone

The private key is held by the subject that created the key pair and is kept PRIVATE. It should not be given to anyone.

Question 16

List Asymmetric Algorithm

Answer 16

RSA
ElGamal
ECC (Elliptic-Curve Cryptography)
Diffie-Hellman
Digital Sigital Algorithm

Question 17

RSA (Rivest-Shamir-Adleman)?

Use?

Answer 17

Asymmetric Algorithm

Encrypts tiny quantities of data

Question 18

ElGamal

Use

Answer 18

Asymmetric Algorithm

Exchanging a symmetric key

Question 19

ECC (Elliptic-Curve Cryptography)

Use

Answer 19

Asymmetric Algorithm

Creating digital signatures

Question 20

Diffie-Hellman

Use

Answer 20

Asymmetric Algorithm

A key agreement algorithm

DH is ued to negotiate symmetric keys between

Question 21

Digital Signature Algorithm

Use

Answer 21

Asymmetric Encryption

Designed by NIST to create digital signatures

NOT capable of exchanging symmetric keys

Question 22

Hashing

Answer 22

irreversible, one way function

We utilize hashes for integrity through the ability to detect any changes in a data set through the change in a hash

Question 23

Salt

Answer 23

something that should be added to passwords/passphrases before being hashed

makes password resistant to rainbow table and other attacks on hashes

Question 24

Which OS CANNOT salt passwords/passphrases

Answer 24

Microsoft Windows

SYSKEY in prior versions could encrypt hashes in the SAM file

Microsoft recommends mitigation: use Bitlocker to encrypt drive and protect SAM file from attackers

Question 25

Describe how Hash Algorithms work?

Answer 25

Take input file/data

Split the file/data into blocks, take first block and XOR with next and continue until the end block

The result is a hash or digest

Question 26

Common Hashing Algorithms?

Answer 26

MD2, 4, 5 - 128 bit

MD6 - 512 bit

SHA 1 - 160 bit

SHA2/3 - 224, 256, 384, 512

Question 27

Public Key Infrastructure

Answer 27

CA’s generate certificates containing the public keys of the users (or servers).

Users then distribute these certs to the people they want to communicate with.

Certificate recipients validate a certificate using the CA’s public key, which is pre-installed in their device from the operating system vendor, browser vendor or organization.

Question 28

Registration Authority (RA)

Answer 28

An authority in a network that verifies user request for a digital certificate and tells the CA to issue it.

The RA VERIFIES user credentials (verifies username/password conducts a background check, etc.)

Question 29

Certificate Authority

Answer 29

Signs, issues and manages certificates.

The CA users the subject’s Certificate Signing Request (CSR) to sign the subject’s certificate.

The CA also maintains the Certificate Revocation List (CRL)

Question 30

Certificate Revocation List

Answer 30

Contains serial numbers of the public certificates that have been revoked and should no longer be trusted

Question 31

Certificate revocation reason codes

Answer 31

KeyCompromise
CAcomprimise
affiliationChanged
Superseded
CessationOfOperation
CertificateHold

Question 32

Online Certificate Status Protocol (OCSP)

Answer 32

Check revoked certificates online in real time

Question 33

X.509 Certificate

Answer 33

Standard format or layout of a digital certificate, which includes:

• CA’s unique name
• Subject’s public key
• Subject’s X.500 name
• Unique certificate serial number given by the CA
• Beginning and ending dates (validity dates)
• CRL location
• CA’s digital signature

Question 34

Certificate Practices Statement

Answer 34

This outlines the CA’s rule of issuance of a certificate

Question 35

Certificate Signing Request

Answer 35

Used to request a digital certificate from RA

Question 36

Certificate Signing Request Process

Answer 36

1. The subject creates their public/private key pair
2. The subject generates a CSR and digitally signs it with their private key This contains a description of the subject as well as their public key and is sent to the RA
3. RA verifies the subjects identity. Once verified the RA sends the subjects key to the CA
4. The CA issues the subjects public key and a unique serial number, that validity date and the CRL/OCSP
5. The CA creates a digital signature on the subject’s public key
6. The subject’s public key is sent back to the subject

Question 37

Encryption Implementation - Data At Rest

Answer 37

For data lifecycle phases: store and archive (retention of data), use symmetric encryption

Question 38

Encryption Implementation - Data in Motion/Transit

Answer 38

For data lifecycle phases: share, can use IPSec, VPN and TLS

Question 39

Encryption Implementation - Data in Use

Answer 39

For data lifecycle phases: use, focuses on DRM

Typically the most difficult phase of data to protect

Question 40

Quantum Crytography

Answer 40

Use quantum physics for encryption purposes. Very new technology, with limited applications and expensive to implement.

Question 41

Homomorphic encryption

Answer 41

Homomorphic encryption is a theoretical phenomenon that would allow processing of encrypted material without needing to first decrypt it.

Question 42

What data encryption is available with possibly IaaS?

What data/access is protected and what is not?

Answer 42

basic storage level encryption - encryption is performed on the cloud storage solution with keys maintained by the CSP

only protects from media theft or loss but not CSP insider

volume storage encryption - encrypted data resides on volume storage via an encrypted container and will protect against physical loss or theft, external admins (CSP, MSP, CSB) accessing data, snapshot being taken or removed

will not protect against access attempts made through the instance

Question 43

How can volume level storage encryption be implemented

What cloud service model is it applicable to?

Answer 43

1. Instance based encryption - encryption engine on image and keys are managed externally
2. Proxy based image - encryption engine runs on proxy instance and handles cryptographic processing along with key management and storage
3. Oject-storage encryption - offers server-side encryption but less effective so encrypt data before it arrives to the cloud

Applicable to IaaS

Question 44

What data encryption is available with possibly PaaS and SaaS?

Answer 44

File level encryption

Application level encryption

Database encryption which offers

• File level encryption
• Transparent encryption
• Application level encryption
• Proxy Level encryption

Question 45

Describe File level encryption?

What cloud service model is it applicable to?

Answer 45

encryption engine implemented at client level using IRM and/or DRM

PaaS and SaaS

Question 46

Describe Application level encryption?

What cloud service model is it applicable to?

Answer 46

encryption engine resides in the application that utilizes object storage and encrypts the data before the data reaches the cloud

PaaS and SaaS

Question 47

Describe Database File level encryption?

What cloud service model is it applicable to?

Answer 47

The volume or folder of the database gets encrypted and the key resides on the instance

PaaS and SaaS

Question 48

Describe Database Transparent encryption?

What cloud service model is it applicable to?

Answer 48

The DBMS can encrypt specific portions of the DB like tables, rows/tuples, columns/attributes or the entire DB

The encryption engine and Keys reside within the DB and is encryption is transparent to the application

PaaS and SaaS

Question 49

Describe Database Application level encryption?

What cloud service model is it applicable to?

Answer 49

Encryption engine and keys reside within the application that is using the DB

PaaS and SaaS

Question 50

Describe Database Proxy level encryption?

What cloud service model is it applicable to?

Answer 50

Encryption engine is separate from the application or DB or using a 3rd party vendor tor MSSP

PaaS and SaaS

Question 51

Best practices particular to cloud with Key Management

Answer 51

Keys should be separate from CSP

Question 52

What are the challenges with Encryption Management in the Cloud

Answer 52

Access to keys; should not be accessible by CSP
Key storage; It is difficult to securely store keys in the cloud
Backup and replication: data can be backed up and replicated across different formats, affects the ability of short and long term keys to maintained and managed effectively

Question 53

Key Management Options in the Cloud

Answer 53

1. XML Key Management Specification (XKMS 2.0)
2. Key Management Interoperability Protocol (KMIP)
3. Trusted Platform Module (TPM)
4. Hardware Security Module (HSM)
5. Key Escrow

Question 54

Describe XML Key Management Specification (XKMS 2.0)

Answer 54

defines protocols for distributing and registering public keys (used for XML encryption and digital signature) and key management

Question 55

Describe Key Management Interoperability Protocol (KMIP)

Answer 55

An open source communication protocol that defines message formats for the manipulation of keys on a key management server

Question 56

Describe Trusted Platform Module (TPM)

Answer 56

A crypto chip on the main board of a device that can GENERATE and STORE encryption keys, as well as perform hardware based encryption/decryption

It can also allow cloud based applications to authenticate hardware devices

(Think Tiny Platform Module)

Question 57

How does TPM interact with the host device

Answer 57

3 Roots of Trust (which can be externally authenticated by means of a Certificate Authority)

1. Root of Trust for Measurement - first set of instructions executed when a chain of trust is established
2. Root of Trust for Storage - The TPM memory is shielded from access by any entity other than the TPM
3. Root of Trust for Reporting - Typically, a digitally signed digest of the contents of selected values within a TPM

Question 58

Describe Hardware Security Module (HSM)

Answer 58

A physical device that can be added to a computer or attached to the network

can provide crypto processing, manage keys for encryption and authentication and can securely store keys

Think Humongous Security Module

Question 59

Describe Key Escrow

Answer 59

3rd party maintains a copy of keys

Key escrow implements M of N - requires some number (M) of the total number of (N) agents to perform the task, e.g. retrieve or copy key; e.g. 2 of 8 recovery agents are required to restore a user’s private key from key escrow

M of N AKA - Dual Control or TPI (Two Person Integrity)

Question 60

List cloud common key management approaches

Answer 60

Remote KMS

Client-side Key Management

Question 61

Remote Key Management System (KMS)

Answer 61

The cloud customer owns, operates and maintains the KMS on premise

A remote key management service is one that is owned, operated, and maintained on premises by the customer. This configuration gives the customer complete control over who can generate or access cryptographic keys.

Question 62

What is required to maintain CIA?

Answer 62

Remote KMS requires constant network connectivity between the cloud customer and CSP; disruptions in connectivity may prevent encryption and decryption functions from operating.

Question 63

Client-side Key Management

Answer 63

KMS is provided by CSP and is shipped to the customer to reside on premise

The keys are generated, held, and retained by the cloud customer

Assures better integration with the cloud environment.

Mainly used for SaaS

Question 64

Options for Key Storage in the Cloud

Answer 64

Internally Managed
Externally Managed
Managed by 3rd party

Question 65

Internally Managed Key Storage

Answer 65

keys are stored on the VM or application component that is acting as the encryption engine

used for storage level, internal database or backup application encryption

Question 66

Externally Managed Key Storage

Answer 66

keys are maintained SEPARATELY from the encryption engine

Question 67

3rd Party Managed Keys

Answer 67

a trusted 3rd party provides key escrow service

Question 68

Quantum Computing

Answer 68

uses PHYSICS and quantum science, and instead of bits, it uses qubits (0,1, or both), to allow quantum computers to compute multiple data states at the same time

Question 69

Neural Networks

Answer 69

computing systems inspired by how human and/or animal brains work

Question 70

Bit Spliting

Types of Bit Splitting

Answer 70

Splitting up the encrypted data into bits and storing this information across several cloud storage services

An erasure coding encryption implementation

2 Types of Bit Splitting

1. Secret Sharing Made Short (SSMS) - better availability
2. All-Or-Nothing-Transform-with-Reed-Solomon (AONT-RS) - more confidential

Question 71

Benefits of Bit Splitting

Answer 71

-Better confidentiality
-Harder to acquire the data for legal process as the data is distributed between different geographies or jurisdictions
Scalable and reduce the risk of vendor lock-in

Question 72

Challenges of Bit Splitting

Answer 72

• Increase processing overhead
• Data in transit needs to be available and uphold confidentiality
• Availability risks
• Cost increase
• Storage requirements

Question 73

Bit Splitting Methods

Answer 73

Secret Sharing Made Short

All-or-Nothing-Transform with Reed-Solomon (AONT-RS)

Question 74

Secret Sharing Made Short (SSMS)

Answer 74

3 Phases:

1. Encrypt information
2. Use Information Disperse Algorithm (IDA) - splits the data using erasure coding into fragments
3. Splits the crypto key using the secret sharing algorithm

Question 75

What is the advantage of using you own key management system vs a public CSP’s?

Answer 75

When using public cloud, customers often want to use their own key management system as an added layer of privacy and control over their data. In doing so, customers remove dependency on the cloud provider to manage their keys and also avoid potential vendor lock-in due to using a CSP’s proprietary key management platform.

Increase portability

Question 76

cryptographic module

Answer 76

module is simply any hardware, software, and/or firmware combination that performs encryption, decryption, or other cryptographic functions.

Question 77

Encryption Challenges?

Answer 77

1. Data Analysis requires unencrypted data
2. Encryption keys are cached in memory when in use - CSPs must protect keys in multi-tenant env
3. Cloud data is often replicated making encryption and key management challenging - most CSPs mitigate by replicating encrypted data if it is encrypted at rest
4. Throughout data lifecycle data is changing which requires encryption along the way - mitigate by designing end to end encryption solution
5. Encryption addresses confidentiality but not integrity
6. Encryption is only as secure as the key management - if key is compromised all data is potentially compromised

Question 78

How do you implement a secure key management strategy?

Answer 78

1. Ensure keys are generated within a trusted secure cryptographic module (e.g. FIPS 140-2 compliant)
2. Secure key distribution - common practice to encrypt keys with a separate key when distributing
3. Secure key storage - both in volatile and persistent memory; keys should be stored internally on VM or other integrated app, externally and separate from data itself or managed by trusted 3rd party (key escrow service)
4. Key destruction or deletion when key is no longer needed

Question 79

Key destruction

Key deletion

Answer 79

Key destruction is the removal of an encryption key from its operational location.

Key deletion takes it a step further and also removes any information that could be used to reconstruct that key.