Cryptographic Solutions Flashcards
Symmetric Encryption
■ Uses a single key for both encryption and decryption
■ Often referred to as private key encryption
■ Requires both sender and receiver to share the same secret key
■ Offers confidentiality but lacks non-repudiation
■ Challenges with key distribution in large-scale usage
Asymmetric Encryption
■ Uses two separate keys
● Public key for encryption
● Private key for decryption
■ Often called “Public Key Cryptography”
■ No need for shared secret keys
■ Commonly used algorithms include Diffie-Hellman, RSA, and Elliptic Curve
Cryptography (ECC)
■ Slower compared to symmetric encryption but solves key distribution challenges
Hybrid Approach
■ Combines both symmetric and asymmetric encryption for optimal benefits
■ Asymmetric encryption used to encrypt and share a secret key
■ Symmetric encryption used for bulk data transfer, leveraging the shared secret
key
■ Offers security and efficiency
Stream Cipher
■ Encrypts data bit-by-bit or byte-by-byte in a continuous stream
■ Uses a keystream generator and exclusive XOR function for encryption
■ Suitable for real-time communication data streams like audio and video
■ Often used in symmetric algorithms
Block Cipher
■ Breaks input data into fixed-size blocks before encryption
● Usually 64, 128, or 256 bits at a time
■ Padding added to smaller data blocks to fit the fixed block size
■ Advantages include ease of implementation and security
■ Can be implemented in software, whereas stream ciphers are often used in
hardware solutions
Symmetric Algorithms
DES
3DES
IDEA
AES
Blowfish
Twofish
RC Cipher Suite
DES
Data Encryption Standard
64-bit key
56-bit strength
Deprecated
3DES
Triple DES
Three 56-bit keys
Provides 112-bit strength
Slower than DES
IDEA
International Data Encryption Algorithm
128-bit key
Faster and more secure than DES
AES
Advanced Encryption Standard
Replaced DES and 3DES as US gvt encryption standard
Supports 128-bit, 192-bit, or 256-bit keys
Widelely adopted. Standard encryption for sensitive unclassified information
Blowfish
DES replacement
32 to 448 bits key size
Not widely adopted
Twofish
Open source and available for use
Supports 128, 192, or 256 bits key size
RC Cipher suite
RC4: stream cipher with keys from 40 to 2048 bits. Used in SSL and WEP
RC5: Block cipher up to 2048 bits
RC6: based on RC5, DES replacement
Asymmetric Algorithms
Diffie-Hellman
RSA
ECC
Diffie-Hellman
● Used for key exchange and secure key distribution
● Vulnerable to man-in-the-middle attacks, requires authentication
● Commonly used in VPN tunnel establishment (IPSec)
RSA
Rivest, Shamir, Adleman
● Used for key exchange, encryption, and digital signatures
● Relies on the mathematical difficulty of factoring large prime numbers
● Supports key sizes from 1024 to 4096 bits
● Widely used in organizations and multi-factor authentication
ECC
Elliptic Curve Cryptography
● Efficient and secure, uses algebraic structure of elliptical curves
● Commonly used in mobile devices and low-power computing
● Six times more efficient than RSA for equivalent security
ECC variants
○ ECDH (Elliptic Curve Diffie-Hellman)
○ ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
○ ECDSA (Elliptic Curve Digital Signature Algorithm)
Hashing
One-way cryptographic function that produces a unique message digest from an input
Hash Digest
■ Like a digital fingerprint for the original data
■ Always of the same length regardless of the input’s length
Common Hashing Algorithms
MD5
SHA
RIPEMD
HMAC
MD5
Message Digest Algorithm 5
● Creates a 128-bit hash value
● Limited unique values, leading to collisions
● Not recommended for security-critical applications due to vulnerabilities
SHA
Secure Hash Algorithm Family
● SHA-1
○ Produces a 160-bit hash digest, less prone to collisions than MD5
● SHA-2
○ Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512)
● SHA-3
○ Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of
computations
RIPEMD
RACE Integrity Primitive Evaluation Message Digest
● Versions available
○ 160-bit (Most common)
○ 256-bit
○ 320-bit
● Open-source competitor to SHA but less popular
HMAC
Hash-based Message Authentication Code
● Checks message integrity and authenticity
● Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1,
HMAC-SHA256)
Digital Signatures
■ Uses a hash digest encrypted with a private key
■ Sender hashes the message and encrypts the hash with their private key
■ Recipient decrypts the digital signature using the sender’s public key
■ Verifies integrity of the message and ensures non-repudiation
Common Digital Signature Algorithms
DSA
RSA
DSA
Digital Security Algorithm
● Utilized for digital signatures
● Uses a 160-bit message digest created by DSS (Digital Security Standard)
Common Hashing Attacks
Pass the Hash Attack
Birthday Attack
Pass the Hash Attack
● A hacking technique that allows the attacker to authenticate to a remote
server or service by using the underlying hash of a user’s password
instead of requiring the associated plaintext password
● Hashes can be obtained by attackers to impersonate users without
cracking the password
● Difficult to defend against due to various Windows vulnerabilities and
applications
● Penetration tools like Mimikatz automate hash harvesting
Birthday Attack
● Occurs when two different messages result in the same hash digest
(collision)
● Named after the Birthday Paradox, where shared birthdays become likely
in a group
● Collisions in hashes can be exploited by attackers to bypass
authentication systems
● Use longer hash output (e.g., SHA-256) to reduce collisions and mitigate
the attack
Key stretching
● Technique that is used to mitigate a weaker key by creating longer, more
secure keys (at least 128 bits)
Salting
● Adds random data (salt) to passwords before hashing
Nonce
Number Used Once
● Adds unique, often random numbers to password-based authentication
processes
● Prevents attackers from reusing stolen authentication data
● Adds an extra layer of security against replay attacks
PKI
Public Key Infrastructure
■ Based on asymmetric encryption
■ Facilitates secure data transfer, authentication, and encrypted communications
■ Used in HTTPS connections on websites
Public Key Cryptography
● Refers to the encryption and decryption process using public and private
keys
● Only a part of the overall PKI architecture
Key Escrow
■ Storage of cryptographic keys in a secure, third-party location (escrow)
■ Enables key retrieval in cases of key loss or for legal investigations
Digital Certificates
■ Digitally signed electronic documents
■ Bind a public key with a user’s identity
■ Used for individuals, servers, workstations, or devices
■ Use the X.509 Standard
Types of digital certificates
■ Wildcard Certificate
■ SAN (Subject Alternate Name) field
■ Single-Sided
■ Dual-Sided Certificates
■ Self-Signed Certificates
■ Third-Party Certificates
Root of trust
● Highest level of trust in certificate validation
● Trusted third-party providers like Verisign, Google, etc.
CA
Certificate Authority
● Trusted third party that issues digital certificates
● Certificates contain CA’s information and digital signature
● Validates and manages certificates
RA
Registration Authority
● Requests identifying information from the user and forwards certificate
request up to the CA to create a digital certificate
● Collects user information for certificates
● Assists in the certificate issuance process
CSR
Certificate Signing Request
● A block of encoded text with information about the entity requesting the certificate
● Includes the public key
● Submitted to CA for certificate issuance
CRL
Certificate Revocation List
● Maintained by CAs
● List of all digital certificates that the certificate authority has already
revoked
● Checked before validating a certificate
OCSP
Online Certificate Status Protocol
● Determines certificate revocation status or any digital certificate using the
certificate’s serial number
● Faster but less secure than CRL
OCSP Stapling
● Alternative to OCSP
● Allows the certificate holder to get the OCSP record from the server at
regular intervals
● Includes OCSP record in the SSL/TLS handshake
● Speeds up the secure tunnel creation
Public Key Pinning
● Allows an HTTPS website to resist impersonation attacks from users who
are trying to present fraudulent certificates
● Presents trusted public keys to browsers
● Alerts users if a fraudulent certificate is detected
Key Recovery Agents
● Specialized type of software that allows the restoration of a lost or or
corrupted key to be performed
● Acts as a backup for certificate authority keys