Cryptographic Solutions Flashcards

1
Q

Symmetric vs Asymmetric Encryption

A

Symmetric Encryption
 Uses a single key for both encryption and decryption
 Often referred to as private key encryption
 Requires both sender and receiver to share the same
secret key
 Offers confidentiality but lacks non-repudiation
 Challenges with key distribution in large-scale usage
 More people mean more sharing of the keys

Asymmetric Encryption
 Uses two separate keys
 Public key for encryption
 Private key for decryption
 Often called “Public Key Cryptography”
 No need for shared secret keys
 Commonly used algorithms include Diffie-Hellman, RSA,
and Elliptic Curve Cryptography (ECC)
 Slower compared to symmetric encryption but solves
key distribution challenges

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Define cryptography & encryption

A

Cryptography
 Practice and study of writing and solving codes
 Encryption to hide information’s true meaning

Encryption
 Converts plaintext to ciphertext
 Provides data protection at rest, in transit, and in use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Symmetric Algorithms

A

 DES
 Triple DES
 IDEA
 AES
 Blowfish
 Twofish
 Rivest Cipher

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Asymmetric Algorithms

A

 Diffie-Hellman
 RSA
 Elliptic Curve Cryptography

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Hashing

A

Converts data into fixed-size string (digest) using hash functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Algorithms

A

 MD5
 SHA Family
 RIPEMD
 HMAC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Public Key Infrastructure (PKI)

A

Framework managing digital keys and certificates for secure data transfer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Digital Certificates

A

Electronic credentials verifying entity identity for secure communications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Blockchain

A

Decentralized, immutable ledger ensuring data integrity and transparency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Encryption tools

A

 TPM
 HSM
 Key Management Systems
 Secure Enclave

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Obfuscation

A

 Steganography
 Tokenization
 Data Masking

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Three types of Cryptographic Attacks

A

 Downgrade Attacks
 Collision Attacks
 Quantum Computing Threats

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Hybrid Approach

A

 Combines both symmetric and asymmetric encryption
for optimal benefits

 Asymmetric encryption used to encrypt and share a
secret key

 Symmetric encryption used for bulk data transfer,
leveraging the shared secret key

 Offers security and efficiency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Stream Cipher

A

 Encrypts data bit-by-bit or byte-by-byte in a continuous
stream

 Uses a keystream generator and exclusive XOR function
for encryption

 Suitable for real-time communication data streams like
audio and video

 Often used in symmetric algorithms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Block Cipher and its advantages

A

 Breaks input data into fixed-size blocks before
encryption

 Usually 64, 128, or 256 bits at a time

 Padding added to smaller data blocks to fit the fixed
block size

 Advantages include ease of implementation and
security

 Can be implemented in software, whereas stream
ciphers are often used in hardware solutions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Sysmmetric algorition - DES (Data Encryption Standard)

A

 Uses a 64-bit key (56 effective bits due to parity)

 Encrypts data in 64-bit blocks through 16 rounds of
transposition and substitution

 Widely used from the 1970s to the early 2000s

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Sysmmetric algorition - Triple DES (3DES)

A

 Utilizes three 56-bit keys

 Encrypts data with the first key, decrypts with the
second key, and encrypts again with the third key

 Provides 112-bit key strength but is slower than DES

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Sysmmetric algorition - IDEA (International Data Encryption Algorithm)

A

 A symmetric block cipher with a 64-bit block size

 Uses a 128-bit key, faster and more secure than DES

 Not as widely used as AES

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Sysmmetric algorition - AES (Advanced Encryption Standard)

A

 Replaced DES and 3DES as the US government
encryption standard

 Supports 128-bit, 192-bit, or 256-bit keys and matching
block sizes

 Widely adopted and considered the encryption
standard for sensitive unclassified information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Sysmmetric algorition - Blowfish

A

 A block cipher with key sizes ranging from 32 to 448
bits

 Developed as a DES replacement but not widely
adopted

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Sysmmetric algorition - Twofish

A

 A block cipher supporting 128-bit block size and key
sizes of 128, 192, or 256 bits

 Open source and available for use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Sysmmetric algorition - RC Cipher Suite (RC4, RC5, RC6)

A

 Created by cryptographer, Ron Rivest

 RC4 is a stream cipher with variable key sizes from 40
to 2048 bits, used in SSL and WEP

 RC5 is a block cipher with key sizes up to 2048 bits

 RC6, based on RC5, was considered as a DES
replacement

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Note: When working with encryption, identify if it’s symmetric or asymmetric and whether it’s a block or stream cipher

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Asymmetric Algorithms - key

A

Public Key Cryptography
 No shared secret key required
 Uses a key pair

Public key for encryption
 Private key for decryption
 Provides confidentiality, integrity, authentication, and
non-repudiation

Confidentiality with Public Key
 Encrypt data using the receiver’s public key
 Only the recipient with the corresponding private key
can decrypt it

Non-Repudiation with Private Key
 Encrypt data using the sender’s private key
 Anyone with access to the sender’s public key can verify
the sender’s identity

Integrity and Authentication with Digital Signature
 Create a hash digest of the message
 Encrypt the hash digest with the sender’s private key

Digital Signature
 A hash digest of a message encrypted with the sender’s
private key to let the recipient know the document was
created and sent by the person claiming to have sent it
 Encrypt the message with the receiver’s public key
 Ensures message integrity, non-repudiation, and confidentiality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Asymmetric Algorithms - Diffie-Hellman
 Used for key exchange and secure key distribution  Vulnerable to man-in-the-middle attacks, requires authentication  Commonly used in VPN tunnel establishment (IPSec)
26
Asymmetric Algorithms - RSA (Ron Rivest, Adi Shamir, Leonard Adleman)
 Used for key exchange, encryption, and digital signatures  Relies on the mathematical difficulty of factoring large prime numbers  Supports key sizes from 1024 to 4096 bits  Widely used in organizations and multi-factor authentication
27
Asymmetric Algorithms - Elliptic Curve Cryptography (ECC)
 Efficient and secure, uses algebraic structure of elliptical curves  Commonly used in mobile devices and low-power computing  Six times more efficient than RSA for equivalent security  Variants include  ECDH (Elliptic Curve Diffie-Hellman)  ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)  ECDSA (Elliptic Curve Digital Signature Algorithm)
28
Three types of Asymmetric Algorithims
1: Diffie-Hellman 2: RSA (Ron Rivest, Adi Shamir, Leonard Adleman) 3: Elliptic Curve Cryptography (ECC)
29
Hashing
One-way cryptographic function that produces a unique message digest from an input
30
Hash Digest
 Like a digital fingerprint for the original data  Always of the same length regardless of the input's length
31
Common Hashing Algorithms
1: MD5 (Message Digest Algorithm 5)  Creates a 128-bit hash value  Limited unique values, leading to collisions  Not recommended for security-critical applications due to vulnerabilities 2: SHA (Secure Hash Algorithm) Family SHA-1  Produces a 160-bit hash digest, less prone to collisions than MD5 SHA-2  Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512) SHA-3  Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations 3: RIPEMD (RACE Integrity Primitive Evaluation Message Digest) Versions available  160-bit (Most common)  256-bit  320-bit  Open-source competitor to SHA but less popular 4: HMAC (Hash-based Message Authentication Code)  Checks message integrity and authenticity  Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1, HMAC-SHA256) 5: Digital Signatures  Uses a hash digest encrypted with a private key  Sender hashes the message and encrypts the hash with their private key  Recipient decrypts the digital signature using the sender's public key  Verifies integrity of the message and ensures non-repudiation
32
5 types of hashes
1: MD5 (Message Digest Algorithm 5) 2: SHA (Secure Hash Algorithm) Family 3: RIPEMD (RACE Integrity Primitive Evaluation Message Digest) 4: HMAC (Hash-based Message Authentication Code) 5: Digital Signatures
33
Common Digital Signature Algorithms
DSA (Digital Security Algorithm)  Utilized for digital signatures  Uses a 160-bit message digest created by DSS (Digital Security Standard) RSA (Rivest-Shamir-Adleman)  Supports digital signatures, encryption, and key distribution  Widely used in various applications, including code signing
34
What are hashes used for
Hashes change drastically even with minor changes in input Hashing is used to verify data integrity and detect any changes
35
Common Hash Attacks and prevention methods 1: Pass the Hash attack 2: Birthday attack
1: Pass the Hash Attack  A hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user's password instead of requiring the associated plaintext password  Hashes can be obtained by attackers to impersonate users without cracking the password  Difficult to defend against due to various Windows vulnerabilities and applications  Penetration tools like Mimikatz automate hash harvesting Prevention  Ensure trusted OS  Proper Windows domain trusts  Patching  Multi-factor authentication  Least privilege Birthday Attack  Occurs when two different messages result in the same hash digest (collision)  Named after the Birthday Paradox, where shared birthdays become likely in a group  Collisions in hashes can be exploited by attackers to bypass authentication systems  Use longer hash output (e.g., SHA-256) to reduce collisions and mitigate the attack
36
Four methos for increasing hash security
1: Key Stretching  Technique that is used to mitigate a weaker key by creating longer, more secure keys (at least 128 bits)  increases the time needed to crack the key  Used in systems like Wi-Fi Protected Access, Wi-Fi Protected Access version 2, and Pretty Good Privacy 2: Salting  Adds random data (salt) to passwords before hashing  Ensures distinct hash outputs for the same password due to different salts  Thwarts dictionary attacks, brute-force attacks, and rainbow tables 3: Nonces (Number Used Once)  Adds unique, often random numbers to password- based authentication processes  Prevents attackers from reusing stolen authentication data  Adds an extra layer of security against replay attacks 4: Limiting Failed Login Attempts  Restricts the number of incorrect login attempts a user can make  Increases security by deterring attackers attempting to guess passwords  Typically, lock the account after three incorrect attempts
37
Public Key Infrastructure (PKI) components
 An entire system involving hardware, software, policies, procedures, and people  Based on asymmetric encryption  Facilitates secure data transfer, authentication, and encrypted communications  Used in HTTPS connections on websites
38
Public Key Infrastructure (PKI) - establishing a secure connection
 User connects to a website via HTTPS  Web browser contacts a trusted certificate authority for the web server's public key  A random shared secret key is generated for symmetric encryption  The shared secret is securely transmitted using public key encryption  The web server decrypts the shared secret with its private key  Both parties use the shared secret for symmetric encryption (e.g., AES) to create a secure tunnel
39
Public Key Infratructure (PKI) - benefits
 Confidentiality  Data is encrypted using a shared secret  Authentication  The web server's identity is verified using its private key  Visual indicators like a padlock show secure communication
40
Public Key Infrastructure vs. Public Key Cryptography
Public Key Infrastructure (PKI)  Encompasses the entire system for managing key pairs, policies, and trust  Involves generating, validating, and managing public and private key pairs that are used in the encryption and decryption process  Ensures the security and trustworthiness of keys Public Key Cryptography  Refers to the encryption and decryption process using public and private keys  Only a part of the overall PKI architecture
41
Key Escrow - what is it, its relevance in PKI and its security concerns.
 Storage of cryptographic keys in a secure, third-party location (escrow)  Enables key retrieval in cases of key loss or for legal investigations Relevance in PKI  In PKI, key escrow ensures that encrypted data is not permanently inaccessible  Useful when individuals or organizations lose access to their encryption keys Security Concerns  Malicious access to escrowed keys could lead to data decryption  Requires stringent security measures and access controls
42
Define digital certificate
 Digitally signed electronic documents  Bind a public key with a user's identity  Used for individuals, servers, workstations, or devices  Use the X.509 Standard  Commonly used standard for digital certificates within PKI  Contains owner's/user's information and certificate authority details
43
Five types of Digital Certificates
1: Wildcard Certificate  Allows multiple subdomains to use the same certificate  Easier management, cost-effective for subdomains  Compromise affects all subdomains 2: SAN (Subject Alternate Name) field  Certificate that specifies what additional domains and IP addresses are going to be supported  Used when domain names don’t have the same root domain 3: Single-Sided and Dual-Sided Certificates Single-sided  Only requires the server to be validated Dual-sided  Both server and user validate each other  Dual-sided for higher security, requires more processing power 4: Self-Signed Certificates  Digital certificate that is signed by the same entity whose identity it certifies  Provides encryption but lacks third-party trust  Used in testing or closed systems 5: Third-Party Certificates  Digital certificate issued and signed by trusted certificate authorities (CAs)  Trusted by browsers and systems  Preferred for public-facing websites
44
Key concepts (digital certificate) - root trust
 Highest level of trust in certificate validation  Trusted third-party providers like Verisign, Google, etc.  Forms a certification path for trust
45
Key concepts (digital certificate) - Certificate Authority (CA)
 Trusted third party that issues digital certificates  Certificates contain CA's information and digital signature  Validates and manages certificates
46
Key concepts (digital certificate) - Registration Authority (RA)
 Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate  Collects user information for certificates  Assists in the certificate issuance process
47
Key concepts (digital certificate) - Certificate Signing Request (CSR)
 A block of encoded text with information about the entity requesting the certificate  Includes the public key  Submitted to Certificate Authority (CA) for certificate issuance  Private key remains secure with the requester
48
Key concepts (digital certificate) - Certificate Revocation List (CRL)
 Maintained by Certificate Authority's (CAs)  List of all digital certificates that the certificate authority has already revoked  Checked before validating a certificate
49
Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP)
 Determines certificate revocation status or any digital certificate using the certificate's serial number  Faster but less secure than Certificate Revocation List (CRL)
50
Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP) Stapling
 Alternative to OCSP  Allows the certificate holder to get the OCSP record from the server at regular intervals  Includes OCSP record in the SSL/TLS handshake  Speeds up the secure tunnel creation
51
Key concepts (digital certificate) - Public Key Pinning
 Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates  Presents trusted public keys to browsers  Alerts users if a fraudulent certificate is detected
52
Key concepts (digital certificate) - Key Escrow Agents
 Securely store copies of private keys  Ensures key recovery in case of loss  Requires strong access controls
53
Key concepts (digital certificate) - Key Recovery Agents
 Specialized type of software that allows the restoration of a lost or corrupted key to be performed  Acts as a backup for certificate authority keys
54
Trust in Digital Certificates
 Trust is essential in digital certificates  Compromised root CAs can impact all issued certificates  Commercially trusted CAs are more secure  Self-managed CAs must be vigilant against compromises
55
Define blockchain
 Shared immutable ledger for transactions and asset tracking  Builds trust and transparency  Widely associated with cryptocurrencies like Bitcoin  Is essentially a really long series of information with each block containing information in it  Each block has the hash for the block before it
56
Block Structure
 Chain of blocks, each containing  Previous block's hash  Timestamp  Root transactions (hashes of individual transactions)  Blocks are linked together in a chronological order
57
Public Ledger
 Secure and anonymous record-keeping system  Maintains participants' identities  Tracks cryptocurrency balances  Records all genuine transactions in a network
58
Blockchain Applications
Smart Contracts  Self-executing contracts with code-defined terms  Execute actions automatically when conditions are met  Transparent, tamper-proof, and trust-enhancing
59
Blockchain - commercial uses
 Companies like IBM promote blockchain for commercial purposes  Permissioned blockchain used for business transactions  Enhances trust and transparency with immutable public ledger
60
Broad Implications of Blockchain
Versatility  Beyond finance and cryptocurrencies  Applications across various industries  Promises transparency, efficiency, and trust Decentralization  Key feature of blockchain  Eliminates need for central authorities  Empowers peer-to-peer networks Immutable Ledger  Ensures data integrity  Records cannot be altered or deleted  Reinforces trust in transactions and information Digital Evolution  Blockchain's impact on technology and industries  Potential to reshape traditional systems  Offers transparency, efficiency, and trust in the digital era
61
4 Encryption Tools for Data Security
1: TPM (Trusted Platform Module)  Dedicated microcontroller for hardware-level security  Protects digital secrets through integrated cryptographic keys  Used in BitLocker drive encryption for Windows devices  Adds an extra layer of security against software attacks 2: HSM (Hardware Security Module)  Physical device for safeguarding and managing digital keys  Ideal for mission-critical scenarios like financial transactions  Performs encryption operations in a tamper-proof environment  Ensures key security and regulatory compliance 3: Key Management System  Manages, stores, distributes, and retires cryptographic keys  Centralized mechanism for key lifecycle management  Crucial for securing data and preventing unauthorized access  Automates key management tasks in complex environments 4: Secure Enclaves  Coprocessor integrated into the main processor of some devices  Isolated from the main processor for secure data processing and storage  Safeguards sensitive data like biometric information  Enhances device security by preventing unauthorized access
62
3 Obfuscation Techniques in Data Security
1: Steganography  Conceals a message within another to hide its very existence  Involves altering image or data elements to embed hidden information  Primary goal is to prevent the suspicion that there’s any hidden data at all  Used alongside encryption for added security  Detection is challenging due to hiding data in plain sight 2: Tokenization  Substitutes sensitive data with non-sensitive tokens  Original data securely stored elsewhere  Tokens have no intrinsic value  Reduces exposure of sensitive data during transactions  Commonly used for payment systems to comply with security standards 3: Data Masking (Data Obfuscation)  Disguises original data to protect sensitive information  Maintains data authenticity and usability  Used in testing environments, especially for software development  Reduces the risk of data breaches in non-production settings  Common in industries handling personal data  Masks portions of sensitive data for privacy, e.g., credit card digits, social security numbers
63
Define Cryptographic Attacks
Techniques and strategies that adversaries employ to exploit vulnerabilities in cryptographic systems with the intent to compromise the confidentiality, integrity, or authenticity of data
64
Cryptographic attack - Define Downgrade Attacks and countermeasure
 Force systems to use weaker or older cryptographic standards or protocols  Exploit known vulnerabilities or weaknesses in outdated versions  Example: POODLE attack on SSL 3.0  Countermeasures include phasing out support for insecure protocols and version-intolerant checks
65
Cryptographic attack - Collision Attacks
 Find two different inputs producing the same hash output  Undermine data integrity verification relying on hash functions  Vulnerabilities in hashing algorithms, e.g., MD5, can lead to collisions Birthday Paradox or Birthday Attack  The probability that two distinct inputs, when processed through a hashing function, will produce the same output, or a collision
66
Cryptographic attack - Quantum Computing Threat
 A computer that uses quantum mechanics to generate and manipulate quantum bits in order to access enormous processing powers.  Uses quantum bits (qubits) instead of using ones and zeros
67
Cryptographic attack - Quantum Communication
A communications network that relies on qubits made of photons (light) to send multiple combinations of ones and zeros simultaneously which results in tamper resistant and extremely fast communications
68
Define Qubit
A quantum bit composed of electrons or photons that can represent numerous combinations of ones and zeros at the same time through superposition
69
Post-quantum cryptography
 A new kind of cryptographic algorithm that can be implemented using today’s classic computers but is also impervious to attacks from future quantum computers  Aims to create algorithms resistant to quantum attacks  First method is to create post-quantum cryptography is to increase the key size  Increases the number of permutations that are needed to be brute-forced  Second method is to create something like lattice-based cryptography and super singular isogeny key exchange
70
What are NISTs 4 selected post-quantum cryptography standards
 CRYSTALS-Kyber - general encryption needs & Digital signatures:  CRYSTALS-Dilithium  FLACON  SPHINCS+
71