Cryptographic Solutions Flashcards

1
Q

Symmetric vs Asymmetric Encryption

A

Symmetric Encryption
 Uses a single key for both encryption and decryption
 Often referred to as private key encryption
 Requires both sender and receiver to share the same
secret key
 Offers confidentiality but lacks non-repudiation
 Challenges with key distribution in large-scale usage
 More people mean more sharing of the keys

Asymmetric Encryption
 Uses two separate keys
 Public key for encryption
 Private key for decryption
 Often called “Public Key Cryptography”
 No need for shared secret keys
 Commonly used algorithms include Diffie-Hellman, RSA,
and Elliptic Curve Cryptography (ECC)
 Slower compared to symmetric encryption but solves
key distribution challenges

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Define cryptography & encryption

A

Cryptography
 Practice and study of writing and solving codes
 Encryption to hide information’s true meaning

Encryption
 Converts plaintext to ciphertext
 Provides data protection at rest, in transit, and in use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Symmetric Algorithms

A

 DES
 Triple DES
 IDEA
 AES
 Blowfish
 Twofish
 Rivest Cipher

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Asymmetric Algorithms

A

 Diffie-Hellman
 RSA
 Elliptic Curve Cryptography

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Hashing

A

Converts data into fixed-size string (digest) using hash functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Algorithms

A

 MD5
 SHA Family
 RIPEMD
 HMAC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Public Key Infrastructure (PKI)

A

Framework managing digital keys and certificates for secure data transfer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Digital Certificates

A

Electronic credentials verifying entity identity for secure communications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Blockchain

A

Decentralized, immutable ledger ensuring data integrity and transparency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Encryption tools

A

 TPM
 HSM
 Key Management Systems
 Secure Enclave

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Obfuscation

A

 Steganography
 Tokenization
 Data Masking

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Three types of Cryptographic Attacks

A

 Downgrade Attacks
 Collision Attacks
 Quantum Computing Threats

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Hybrid Approach

A

 Combines both symmetric and asymmetric encryption
for optimal benefits

 Asymmetric encryption used to encrypt and share a
secret key

 Symmetric encryption used for bulk data transfer,
leveraging the shared secret key

 Offers security and efficiency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Stream Cipher

A

 Encrypts data bit-by-bit or byte-by-byte in a continuous
stream

 Uses a keystream generator and exclusive XOR function
for encryption

 Suitable for real-time communication data streams like
audio and video

 Often used in symmetric algorithms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Block Cipher and its advantages

A

 Breaks input data into fixed-size blocks before
encryption

 Usually 64, 128, or 256 bits at a time

 Padding added to smaller data blocks to fit the fixed
block size

 Advantages include ease of implementation and
security

 Can be implemented in software, whereas stream
ciphers are often used in hardware solutions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Sysmmetric algorition - DES (Data Encryption Standard)

A

 Uses a 64-bit key (56 effective bits due to parity)

 Encrypts data in 64-bit blocks through 16 rounds of
transposition and substitution

 Widely used from the 1970s to the early 2000s

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Sysmmetric algorition - Triple DES (3DES)

A

 Utilizes three 56-bit keys

 Encrypts data with the first key, decrypts with the
second key, and encrypts again with the third key

 Provides 112-bit key strength but is slower than DES

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Sysmmetric algorition - IDEA (International Data Encryption Algorithm)

A

 A symmetric block cipher with a 64-bit block size

 Uses a 128-bit key, faster and more secure than DES

 Not as widely used as AES

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Sysmmetric algorition - AES (Advanced Encryption Standard)

A

 Replaced DES and 3DES as the US government
encryption standard

 Supports 128-bit, 192-bit, or 256-bit keys and matching
block sizes

 Widely adopted and considered the encryption
standard for sensitive unclassified information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Sysmmetric algorition - Blowfish

A

 A block cipher with key sizes ranging from 32 to 448
bits

 Developed as a DES replacement but not widely
adopted

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Sysmmetric algorition - Twofish

A

 A block cipher supporting 128-bit block size and key
sizes of 128, 192, or 256 bits

 Open source and available for use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Sysmmetric algorition - RC Cipher Suite (RC4, RC5, RC6)

A

 Created by cryptographer, Ron Rivest

 RC4 is a stream cipher with variable key sizes from 40
to 2048 bits, used in SSL and WEP

 RC5 is a block cipher with key sizes up to 2048 bits

 RC6, based on RC5, was considered as a DES
replacement

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Note: When working with encryption, identify if it’s symmetric or asymmetric and whether it’s a block or stream cipher

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Asymmetric Algorithms - key

A

Public Key Cryptography
 No shared secret key required
 Uses a key pair

Public key for encryption
 Private key for decryption
 Provides confidentiality, integrity, authentication, and
non-repudiation

Confidentiality with Public Key
 Encrypt data using the receiver’s public key
 Only the recipient with the corresponding private key
can decrypt it

Non-Repudiation with Private Key
 Encrypt data using the sender’s private key
 Anyone with access to the sender’s public key can verify
the sender’s identity

Integrity and Authentication with Digital Signature
 Create a hash digest of the message
 Encrypt the hash digest with the sender’s private key

Digital Signature
 A hash digest of a message encrypted with the sender’s
private key to let the recipient know the document was
created and sent by the person claiming to have sent it
 Encrypt the message with the receiver’s public key
 Ensures message integrity, non-repudiation, and confidentiality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Asymmetric Algorithms - Diffie-Hellman

A

 Used for key exchange and secure key distribution
 Vulnerable to man-in-the-middle attacks, requires
authentication
 Commonly used in VPN tunnel establishment (IPSec)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Asymmetric Algorithms - RSA (Ron Rivest, Adi Shamir, Leonard Adleman)

A

 Used for key exchange, encryption, and digital
signatures
 Relies on the mathematical difficulty of factoring large
prime numbers
 Supports key sizes from 1024 to 4096 bits
 Widely used in organizations and multi-factor
authentication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Asymmetric Algorithms - Elliptic Curve Cryptography (ECC)

A

 Efficient and secure, uses algebraic structure of
elliptical curves
 Commonly used in mobile devices and low-power
computing
 Six times more efficient than RSA for equivalent
security
 Variants include
 ECDH (Elliptic Curve Diffie-Hellman)
 ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
 ECDSA (Elliptic Curve Digital Signature Algorithm)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Three types of Asymmetric Algorithims

A

1: Diffie-Hellman
2: RSA (Ron Rivest, Adi Shamir, Leonard Adleman)
3: Elliptic Curve Cryptography (ECC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Hashing

A

One-way cryptographic function that produces a unique message digest from an input

30
Q

Hash Digest

A

 Like a digital fingerprint for the original data
 Always of the same length regardless of the input’s
length

31
Q

Common Hashing Algorithms

A

1: MD5 (Message Digest Algorithm 5)
 Creates a 128-bit hash value
 Limited unique values, leading to collisions
 Not recommended for security-critical applications due
to vulnerabilities

2: SHA (Secure Hash Algorithm) Family
SHA-1
 Produces a 160-bit hash digest, less prone to collisions than MD5

SHA-2
 Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512)

SHA-3
 Uses 224-bit to 512-bit hash digests, more secure, 120
rounds of computations

3: RIPEMD (RACE Integrity Primitive Evaluation Message
Digest)
Versions available
 160-bit (Most common)
 256-bit
 320-bit
 Open-source competitor to SHA but less popular

4: HMAC (Hash-based Message Authentication Code)
 Checks message integrity and authenticity
 Utilizes other hashing algorithms (e.g., HMAC-MD5,
HMAC-SHA1, HMAC-SHA256)

5: Digital Signatures
 Uses a hash digest encrypted with a private key
 Sender hashes the message and encrypts the hash with
their private key
 Recipient decrypts the digital signature using the sender’s public key
 Verifies integrity of the message and ensures non-repudiation

32
Q

5 types of hashes

A

1: MD5 (Message Digest Algorithm 5)

2: SHA (Secure Hash Algorithm) Family

3: RIPEMD (RACE Integrity Primitive Evaluation Message
Digest)

4: HMAC (Hash-based Message Authentication Code)

5: Digital Signatures

33
Q

Common Digital Signature Algorithms

A

DSA (Digital Security Algorithm)
 Utilized for digital signatures
 Uses a 160-bit message digest created by DSS (Digital
Security Standard)

RSA (Rivest-Shamir-Adleman)
 Supports digital signatures, encryption, and key
distribution
 Widely used in various applications, including code
signing

34
Q

What are hashes used for

A

Hashes change drastically even with minor changes in input

Hashing is used to verify data integrity and detect any changes

35
Q

Common Hash Attacks and prevention methods
1: Pass the Hash attack
2: Birthday attack

A

1: Pass the Hash Attack
 A hacking technique that allows the attacker to
authenticate to a remote server or service by using the
underlying hash of a user’s password instead of
requiring the associated plaintext password
 Hashes can be obtained by attackers to impersonate
users without cracking the password
 Difficult to defend against due to various Windows
vulnerabilities and applications
 Penetration tools like Mimikatz automate hash
harvesting
Prevention
 Ensure trusted OS
 Proper Windows domain trusts
 Patching
 Multi-factor authentication
 Least privilege

Birthday Attack
 Occurs when two different messages result in the same
hash digest (collision)
 Named after the Birthday Paradox, where shared
birthdays become likely in a group
 Collisions in hashes can be exploited by attackers to
bypass authentication systems
 Use longer hash output (e.g., SHA-256) to reduce
collisions and mitigate the attack

36
Q

Four methos for increasing hash security

A

1: Key Stretching
 Technique that is used to mitigate a weaker key by
creating longer, more secure keys (at least 128 bits)
 increases the time needed to crack the key
 Used in systems like Wi-Fi Protected Access, Wi-Fi
Protected Access version 2, and Pretty Good Privacy

2: Salting
 Adds random data (salt) to passwords before hashing
 Ensures distinct hash outputs for the same password
due to different salts
 Thwarts dictionary attacks, brute-force attacks, and
rainbow tables

3: Nonces (Number Used Once)
 Adds unique, often random numbers to password-
based authentication processes
 Prevents attackers from reusing stolen authentication
data
 Adds an extra layer of security against replay attacks

4: Limiting Failed Login Attempts
 Restricts the number of incorrect login attempts a user
can make
 Increases security by deterring attackers attempting to
guess passwords
 Typically, lock the account after three incorrect attempts

37
Q

Public Key Infrastructure (PKI) components

A

 An entire system involving hardware, software, policies,
procedures, and people
 Based on asymmetric encryption
 Facilitates secure data transfer, authentication, and
encrypted communications
 Used in HTTPS connections on websites

38
Q

Public Key Infrastructure (PKI) - establishing a secure connection

A

 User connects to a website via HTTPS
 Web browser contacts a trusted certificate authority for
the web server’s public key
 A random shared secret key is generated for symmetric
encryption
 The shared secret is securely transmitted using public
key encryption
 The web server decrypts the shared secret with its
private key
 Both parties use the shared secret for symmetric
encryption (e.g., AES) to create a secure tunnel

39
Q

Public Key Infratructure (PKI) - benefits

A

 Confidentiality
 Data is encrypted using a shared secret
 Authentication
 The web server’s identity is verified using its private key
 Visual indicators like a padlock show secure
communication

40
Q

Public Key Infrastructure vs. Public Key Cryptography

A

Public Key Infrastructure (PKI)
 Encompasses the entire system for managing key pairs,
policies, and trust
 Involves generating, validating, and managing public
and private key pairs that are used in the encryption
and decryption process
 Ensures the security and trustworthiness of keys

Public Key Cryptography
 Refers to the encryption and decryption process using
public and private keys
 Only a part of the overall PKI architecture

41
Q

Key Escrow - what is it, its relevance in PKI and its security concerns.

A

 Storage of cryptographic keys in a secure, third-party
location (escrow)
 Enables key retrieval in cases of key loss or for legal
investigations

Relevance in PKI
 In PKI, key escrow ensures that encrypted data is not
permanently inaccessible
 Useful when individuals or organizations lose access to
their encryption keys

Security Concerns
 Malicious access to escrowed keys could lead to data
decryption
 Requires stringent security measures and access
controls

42
Q

Define digital certificate

A

 Digitally signed electronic documents
 Bind a public key with a user’s identity
 Used for individuals, servers, workstations, or devices
 Use the X.509 Standard
 Commonly used standard for digital certificates within
PKI
 Contains owner’s/user’s information and certificate
authority details

43
Q

Five types of Digital Certificates

A

1: Wildcard Certificate
 Allows multiple subdomains to use the same certificate
 Easier management, cost-effective for subdomains
 Compromise affects all subdomains

2: SAN (Subject Alternate Name) field
 Certificate that specifies what additional domains and
IP addresses are going to be supported
 Used when domain names don’t have the same root
domain

3: Single-Sided and Dual-Sided Certificates

Single-sided
 Only requires the server to be validated

Dual-sided
 Both server and user validate each other
 Dual-sided for higher security, requires more
processing power

4: Self-Signed Certificates
 Digital certificate that is signed by the same entity
whose identity it certifies
 Provides encryption but lacks third-party trust
 Used in testing or closed systems

5: Third-Party Certificates
 Digital certificate issued and signed by trusted
certificate authorities (CAs)
 Trusted by browsers and systems
 Preferred for public-facing websites

44
Q

Key concepts (digital certificate) - root trust

A

 Highest level of trust in certificate validation
 Trusted third-party providers like Verisign, Google, etc.
 Forms a certification path for trust

45
Q

Key concepts (digital certificate) - Certificate Authority (CA)

A

 Trusted third party that issues digital certificates
 Certificates contain CA’s information and digital
signature
 Validates and manages certificates

46
Q

Key concepts (digital certificate) - Registration Authority (RA)

A

 Requests identifying information from the user and
forwards certificate request up to the CA to create a
digital certificate
 Collects user information for certificates
 Assists in the certificate issuance process

47
Q

Key concepts (digital certificate) - Certificate Signing Request (CSR)

A

 A block of encoded text with information about the
entity requesting the certificate
 Includes the public key
 Submitted to Certificate Authority (CA) for certificate
issuance
 Private key remains secure with the requester

48
Q

Key concepts (digital certificate) - Certificate Revocation List (CRL)

A

 Maintained by Certificate Authority’s (CAs)
 List of all digital certificates that the certificate authority
has already revoked
 Checked before validating a certificate

49
Q

Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP)

A

 Determines certificate revocation status or any digital
certificate using the certificate’s serial number
 Faster but less secure than Certificate Revocation List
(CRL)

50
Q

Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP) Stapling

A

 Alternative to OCSP
 Allows the certificate holder to get the OCSP record
from the server at regular intervals
 Includes OCSP record in the SSL/TLS handshake
 Speeds up the secure tunnel creation

51
Q

Key concepts (digital certificate) - Public Key Pinning

A

 Allows an HTTPS website to resist impersonation
attacks from users who are trying to present fraudulent
certificates
 Presents trusted public keys to browsers
 Alerts users if a fraudulent certificate is detected

52
Q

Key concepts (digital certificate) - Key Escrow Agents

A

 Securely store copies of private keys
 Ensures key recovery in case of loss
 Requires strong access controls

53
Q

Key concepts (digital certificate) - Key Recovery Agents

A

 Specialized type of software that allows the restoration
of a lost or corrupted key to be performed
 Acts as a backup for certificate authority keys

54
Q

Trust in Digital Certificates

A

 Trust is essential in digital certificates
 Compromised root CAs can impact all issued
certificates
 Commercially trusted CAs are more secure
 Self-managed CAs must be vigilant against
compromises

55
Q

Define blockchain

A

 Shared immutable ledger for transactions and asset
tracking
 Builds trust and transparency
 Widely associated with cryptocurrencies like Bitcoin
 Is essentially a really long series of information with
each block containing information in it
 Each block has the hash for the block before it

56
Q

Block Structure

A

 Chain of blocks, each containing
 Previous block’s hash
 Timestamp
 Root transactions (hashes of individual transactions)
 Blocks are linked together in a chronological order

57
Q

Public Ledger

A

 Secure and anonymous record-keeping system
 Maintains participants’ identities
 Tracks cryptocurrency balances
 Records all genuine transactions in a network

58
Q

Blockchain Applications

A

Smart Contracts
 Self-executing contracts with code-defined terms
 Execute actions automatically when conditions are met
 Transparent, tamper-proof, and trust-enhancing

59
Q

Blockchain - commercial uses

A

 Companies like IBM promote blockchain for
commercial purposes
 Permissioned blockchain used for business
transactions
 Enhances trust and transparency with immutable
public ledger

60
Q

Broad Implications of Blockchain

A

Versatility
 Beyond finance and cryptocurrencies
 Applications across various industries
 Promises transparency, efficiency, and trust

Decentralization
 Key feature of blockchain
 Eliminates need for central authorities
 Empowers peer-to-peer networks

Immutable Ledger
 Ensures data integrity
 Records cannot be altered or deleted
 Reinforces trust in transactions and information

Digital Evolution
 Blockchain’s impact on technology and industries
 Potential to reshape traditional systems
 Offers transparency, efficiency, and trust in the digital
era

61
Q

4 Encryption Tools for Data Security

A

1: TPM (Trusted Platform Module)
 Dedicated microcontroller for hardware-level security
 Protects digital secrets through integrated
cryptographic keys
 Used in BitLocker drive encryption for Windows devices
 Adds an extra layer of security against software attacks

2: HSM (Hardware Security Module)
 Physical device for safeguarding and managing digital
keys
 Ideal for mission-critical scenarios like financial
transactions
 Performs encryption operations in a tamper-proof
environment
 Ensures key security and regulatory compliance

3: Key Management System
 Manages, stores, distributes, and retires cryptographic
keys
 Centralized mechanism for key lifecycle management
 Crucial for securing data and preventing unauthorized
access
 Automates key management tasks in complex
environments

4: Secure Enclaves
 Coprocessor integrated into the main processor of
some devices
 Isolated from the main processor for secure data
processing and storage
 Safeguards sensitive data like biometric information
 Enhances device security by preventing unauthorized
access

62
Q

3 Obfuscation Techniques in Data Security

A

1: Steganography
 Conceals a message within another to hide its very
existence
 Involves altering image or data elements to embed
hidden information
 Primary goal is to prevent the suspicion that there’s any
hidden data at all
 Used alongside encryption for added security
 Detection is challenging due to hiding data in plain sight

2: Tokenization
 Substitutes sensitive data with non-sensitive tokens
 Original data securely stored elsewhere
 Tokens have no intrinsic value
 Reduces exposure of sensitive data during transactions
 Commonly used for payment systems to comply with
security standards

3: Data Masking (Data Obfuscation)
 Disguises original data to protect sensitive information
 Maintains data authenticity and usability
 Used in testing environments, especially for software
development
 Reduces the risk of data breaches in non-production
settings
 Common in industries handling personal data
 Masks portions of sensitive data for privacy, e.g., credit
card digits, social security numbers

63
Q

Define Cryptographic Attacks

A

Techniques and strategies that adversaries employ to exploit vulnerabilities in cryptographic systems with the intent to compromise the confidentiality, integrity, or authenticity of data

64
Q

Cryptographic attack - Define Downgrade Attacks and countermeasure

A

 Force systems to use weaker or older cryptographic
standards or protocols
 Exploit known vulnerabilities or weaknesses in
outdated versions
 Example: POODLE attack on SSL 3.0
 Countermeasures include phasing out support for
insecure protocols and version-intolerant checks

65
Q

Cryptographic attack - Collision Attacks

A

 Find two different inputs producing the same hash
output
 Undermine data integrity verification relying on hash
functions
 Vulnerabilities in hashing algorithms, e.g., MD5, can
lead to collisions

Birthday Paradox or Birthday Attack
 The probability that two distinct inputs, when
processed through a hashing function, will produce the
same output, or a collision

66
Q

Cryptographic attack - Quantum Computing Threat

A

 A computer that uses quantum mechanics to generate
and manipulate quantum bits in order to access
enormous processing powers.
 Uses quantum bits (qubits) instead of using ones and
zeros

67
Q

Cryptographic attack - Quantum Communication

A

A communications network that relies on qubits made of photons (light) to send multiple combinations of ones and zeros simultaneously which results in tamper resistant and extremely fast communications

68
Q

Define Qubit

A

A quantum bit composed of electrons or photons that can represent numerous combinations of ones and zeros at the same time through superposition

69
Q

Post-quantum cryptography

A

 A new kind of cryptographic algorithm that can be
implemented using today’s classic computers but is also
impervious to attacks from future quantum computers
 Aims to create algorithms resistant to quantum attacks
 First method is to create post-quantum cryptography is
to increase the key size
 Increases the number of permutations that are needed
to be brute-forced
 Second method is to create something like lattice-based
cryptography and super singular isogeny key exchange

70
Q

What are NISTs 4 selected post-quantum cryptography standards

A

 CRYSTALS-Kyber - general encryption needs

&

Digital signatures:
 CRYSTALS-Dilithium
 FLACON
 SPHINCS+

71
Q
A