Cryptographic Solutions

Question 1

Symmetric vs Asymmetric Encryption

Answer 1

Symmetric Encryption
 Uses a single key for both encryption and decryption
 Often referred to as private key encryption
 Requires both sender and receiver to share the same
secret key
 Offers confidentiality but lacks non-repudiation
 Challenges with key distribution in large-scale usage
 More people mean more sharing of the keys

Asymmetric Encryption
 Uses two separate keys
 Public key for encryption
 Private key for decryption
 Often called “Public Key Cryptography”
 No need for shared secret keys
 Commonly used algorithms include Diffie-Hellman, RSA,
and Elliptic Curve Cryptography (ECC)
 Slower compared to symmetric encryption but solves
key distribution challenges

Question 2

Define cryptography & encryption

Answer 2

Cryptography
 Practice and study of writing and solving codes
 Encryption to hide information’s true meaning

Encryption
 Converts plaintext to ciphertext
 Provides data protection at rest, in transit, and in use

Question 3

Symmetric Algorithms

Answer 3

 DES
 Triple DES
 IDEA
 AES
 Blowfish
 Twofish
 Rivest Cipher

Question 4

Asymmetric Algorithms

Answer 4

 Diffie-Hellman
 RSA
 Elliptic Curve Cryptography

Question 5

Hashing

Answer 5

Converts data into fixed-size string (digest) using hash functions

Question 6

Algorithms

Answer 6

 MD5
 SHA Family
 RIPEMD
 HMAC

Question 7

Public Key Infrastructure (PKI)

Answer 7

Framework managing digital keys and certificates for secure data transfer

Question 8

Digital Certificates

Answer 8

Electronic credentials verifying entity identity for secure communications

Question 9

Blockchain

Answer 9

Decentralized, immutable ledger ensuring data integrity and transparency

Question 10

Encryption tools

Answer 10

 TPM
 HSM
 Key Management Systems
 Secure Enclave

Question 11

Obfuscation

Answer 11

 Steganography
 Tokenization
 Data Masking

Question 12

Three types of Cryptographic Attacks

Answer 12

 Downgrade Attacks
 Collision Attacks
 Quantum Computing Threats

Question 13

Hybrid Approach

Answer 13

 Combines both symmetric and asymmetric encryption
for optimal benefits

 Asymmetric encryption used to encrypt and share a
secret key

 Symmetric encryption used for bulk data transfer,
leveraging the shared secret key

 Offers security and efficiency

Question 14

Stream Cipher

Answer 14

 Encrypts data bit-by-bit or byte-by-byte in a continuous
stream

 Uses a keystream generator and exclusive XOR function
for encryption

 Suitable for real-time communication data streams like
audio and video

 Often used in symmetric algorithms

Question 15

Block Cipher and its advantages

Answer 15

 Breaks input data into fixed-size blocks before
encryption

 Usually 64, 128, or 256 bits at a time

 Padding added to smaller data blocks to fit the fixed
block size

 Advantages include ease of implementation and
security

 Can be implemented in software, whereas stream
ciphers are often used in hardware solutions

Question 16

Sysmmetric algorition - DES (Data Encryption Standard)

Answer 16

 Uses a 64-bit key (56 effective bits due to parity)

 Encrypts data in 64-bit blocks through 16 rounds of
transposition and substitution

 Widely used from the 1970s to the early 2000s

Question 17

Sysmmetric algorition - Triple DES (3DES)

Answer 17

 Utilizes three 56-bit keys

 Encrypts data with the first key, decrypts with the
second key, and encrypts again with the third key

 Provides 112-bit key strength but is slower than DES

Question 18

Sysmmetric algorition - IDEA (International Data Encryption Algorithm)

Answer 18

 A symmetric block cipher with a 64-bit block size

 Uses a 128-bit key, faster and more secure than DES

 Not as widely used as AES

Question 19

Sysmmetric algorition - AES (Advanced Encryption Standard)

Answer 19

 Replaced DES and 3DES as the US government
encryption standard

 Supports 128-bit, 192-bit, or 256-bit keys and matching
block sizes

 Widely adopted and considered the encryption
standard for sensitive unclassified information

Question 20

Sysmmetric algorition - Blowfish

Answer 20

 A block cipher with key sizes ranging from 32 to 448
bits

 Developed as a DES replacement but not widely
adopted

Question 21

Sysmmetric algorition - Twofish

Answer 21

 A block cipher supporting 128-bit block size and key
sizes of 128, 192, or 256 bits

 Open source and available for use

Question 22

Sysmmetric algorition - RC Cipher Suite (RC4, RC5, RC6)

Answer 22

 Created by cryptographer, Ron Rivest

 RC4 is a stream cipher with variable key sizes from 40
to 2048 bits, used in SSL and WEP

 RC5 is a block cipher with key sizes up to 2048 bits

 RC6, based on RC5, was considered as a DES
replacement

Question 23

Note: When working with encryption, identify if it’s symmetric or asymmetric and whether it’s a block or stream cipher

Question 24

Asymmetric Algorithms - key

Answer 24

Public Key Cryptography
 No shared secret key required
 Uses a key pair

Public key for encryption
 Private key for decryption
 Provides confidentiality, integrity, authentication, and
non-repudiation

Confidentiality with Public Key
 Encrypt data using the receiver’s public key
 Only the recipient with the corresponding private key
can decrypt it

Non-Repudiation with Private Key
 Encrypt data using the sender’s private key
 Anyone with access to the sender’s public key can verify
the sender’s identity

Integrity and Authentication with Digital Signature
 Create a hash digest of the message
 Encrypt the hash digest with the sender’s private key

Digital Signature
 A hash digest of a message encrypted with the sender’s
private key to let the recipient know the document was
created and sent by the person claiming to have sent it
 Encrypt the message with the receiver’s public key
 Ensures message integrity, non-repudiation, and confidentiality

Question 25

Asymmetric Algorithms - Diffie-Hellman

Answer 25

 Used for key exchange and secure key distribution  Vulnerable to man-in-the-middle attacks, requires authentication  Commonly used in VPN tunnel establishment (IPSec)

Question 26

Asymmetric Algorithms - RSA (Ron Rivest, Adi Shamir, Leonard Adleman)

Answer 26

 Used for key exchange, encryption, and digital signatures  Relies on the mathematical difficulty of factoring large prime numbers  Supports key sizes from 1024 to 4096 bits  Widely used in organizations and multi-factor authentication

Question 27

Asymmetric Algorithms - Elliptic Curve Cryptography (ECC)

Answer 27

 Efficient and secure, uses algebraic structure of elliptical curves  Commonly used in mobile devices and low-power computing  Six times more efficient than RSA for equivalent security  Variants include  ECDH (Elliptic Curve Diffie-Hellman)  ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)  ECDSA (Elliptic Curve Digital Signature Algorithm)

Question 28

Three types of Asymmetric Algorithims

Answer 28

1: Diffie-Hellman 2: RSA (Ron Rivest, Adi Shamir, Leonard Adleman) 3: Elliptic Curve Cryptography (ECC)

Question 29

Hashing

Answer 29

One-way cryptographic function that produces a unique message digest from an input

Question 30

Hash Digest

Answer 30

 Like a digital fingerprint for the original data  Always of the same length regardless of the input's length

Question 31

Common Hashing Algorithms

Answer 31

1: MD5 (Message Digest Algorithm 5)  Creates a 128-bit hash value  Limited unique values, leading to collisions  Not recommended for security-critical applications due to vulnerabilities 2: SHA (Secure Hash Algorithm) Family SHA-1  Produces a 160-bit hash digest, less prone to collisions than MD5 SHA-2  Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512) SHA-3  Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations 3: RIPEMD (RACE Integrity Primitive Evaluation Message Digest) Versions available  160-bit (Most common)  256-bit  320-bit  Open-source competitor to SHA but less popular 4: HMAC (Hash-based Message Authentication Code)  Checks message integrity and authenticity  Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1, HMAC-SHA256) 5: Digital Signatures  Uses a hash digest encrypted with a private key  Sender hashes the message and encrypts the hash with their private key  Recipient decrypts the digital signature using the sender's public key  Verifies integrity of the message and ensures non-repudiation

Question 32

5 types of hashes

Answer 32

1: MD5 (Message Digest Algorithm 5) 2: SHA (Secure Hash Algorithm) Family 3: RIPEMD (RACE Integrity Primitive Evaluation Message Digest) 4: HMAC (Hash-based Message Authentication Code) 5: Digital Signatures

Question 33

Common Digital Signature Algorithms

Answer 33

DSA (Digital Security Algorithm)  Utilized for digital signatures  Uses a 160-bit message digest created by DSS (Digital Security Standard) RSA (Rivest-Shamir-Adleman)  Supports digital signatures, encryption, and key distribution  Widely used in various applications, including code signing

Question 34

What are hashes used for

Answer 34

Hashes change drastically even with minor changes in input Hashing is used to verify data integrity and detect any changes

Question 35

Common Hash Attacks and prevention methods 1: Pass the Hash attack 2: Birthday attack

Answer 35

1: Pass the Hash Attack  A hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user's password instead of requiring the associated plaintext password  Hashes can be obtained by attackers to impersonate users without cracking the password  Difficult to defend against due to various Windows vulnerabilities and applications  Penetration tools like Mimikatz automate hash harvesting Prevention  Ensure trusted OS  Proper Windows domain trusts  Patching  Multi-factor authentication  Least privilege Birthday Attack  Occurs when two different messages result in the same hash digest (collision)  Named after the Birthday Paradox, where shared birthdays become likely in a group  Collisions in hashes can be exploited by attackers to bypass authentication systems  Use longer hash output (e.g., SHA-256) to reduce collisions and mitigate the attack

Question 36

Four methos for increasing hash security

Answer 36

1: Key Stretching  Technique that is used to mitigate a weaker key by creating longer, more secure keys (at least 128 bits)  increases the time needed to crack the key  Used in systems like Wi-Fi Protected Access, Wi-Fi Protected Access version 2, and Pretty Good Privacy 2: Salting  Adds random data (salt) to passwords before hashing  Ensures distinct hash outputs for the same password due to different salts  Thwarts dictionary attacks, brute-force attacks, and rainbow tables 3: Nonces (Number Used Once)  Adds unique, often random numbers to password- based authentication processes  Prevents attackers from reusing stolen authentication data  Adds an extra layer of security against replay attacks 4: Limiting Failed Login Attempts  Restricts the number of incorrect login attempts a user can make  Increases security by deterring attackers attempting to guess passwords  Typically, lock the account after three incorrect attempts

Question 37

Public Key Infrastructure (PKI) components

Answer 37

 An entire system involving hardware, software, policies, procedures, and people  Based on asymmetric encryption  Facilitates secure data transfer, authentication, and encrypted communications  Used in HTTPS connections on websites

Question 38

Public Key Infrastructure (PKI) - establishing a secure connection

Answer 38

 User connects to a website via HTTPS  Web browser contacts a trusted certificate authority for the web server's public key  A random shared secret key is generated for symmetric encryption  The shared secret is securely transmitted using public key encryption  The web server decrypts the shared secret with its private key  Both parties use the shared secret for symmetric encryption (e.g., AES) to create a secure tunnel

Question 39

Public Key Infratructure (PKI) - benefits

Answer 39

 Confidentiality  Data is encrypted using a shared secret  Authentication  The web server's identity is verified using its private key  Visual indicators like a padlock show secure communication

Question 40

Public Key Infrastructure vs. Public Key Cryptography

Answer 40

Public Key Infrastructure (PKI)  Encompasses the entire system for managing key pairs, policies, and trust  Involves generating, validating, and managing public and private key pairs that are used in the encryption and decryption process  Ensures the security and trustworthiness of keys Public Key Cryptography  Refers to the encryption and decryption process using public and private keys  Only a part of the overall PKI architecture

Question 41

Key Escrow - what is it, its relevance in PKI and its security concerns.

Answer 41

 Storage of cryptographic keys in a secure, third-party location (escrow)  Enables key retrieval in cases of key loss or for legal investigations Relevance in PKI  In PKI, key escrow ensures that encrypted data is not permanently inaccessible  Useful when individuals or organizations lose access to their encryption keys Security Concerns  Malicious access to escrowed keys could lead to data decryption  Requires stringent security measures and access controls

Question 42

Define digital certificate

Answer 42

 Digitally signed electronic documents  Bind a public key with a user's identity  Used for individuals, servers, workstations, or devices  Use the X.509 Standard  Commonly used standard for digital certificates within PKI  Contains owner's/user's information and certificate authority details

Question 43

Five types of Digital Certificates

Answer 43

1: Wildcard Certificate  Allows multiple subdomains to use the same certificate  Easier management, cost-effective for subdomains  Compromise affects all subdomains 2: SAN (Subject Alternate Name) field  Certificate that specifies what additional domains and IP addresses are going to be supported  Used when domain names don’t have the same root domain 3: Single-Sided and Dual-Sided Certificates Single-sided  Only requires the server to be validated Dual-sided  Both server and user validate each other  Dual-sided for higher security, requires more processing power 4: Self-Signed Certificates  Digital certificate that is signed by the same entity whose identity it certifies  Provides encryption but lacks third-party trust  Used in testing or closed systems 5: Third-Party Certificates  Digital certificate issued and signed by trusted certificate authorities (CAs)  Trusted by browsers and systems  Preferred for public-facing websites

Question 44

Key concepts (digital certificate) - root trust

Answer 44

 Highest level of trust in certificate validation  Trusted third-party providers like Verisign, Google, etc.  Forms a certification path for trust

Question 45

Key concepts (digital certificate) - Certificate Authority (CA)

Answer 45

 Trusted third party that issues digital certificates  Certificates contain CA's information and digital signature  Validates and manages certificates

Question 46

Key concepts (digital certificate) - Registration Authority (RA)

Answer 46

 Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate  Collects user information for certificates  Assists in the certificate issuance process

Question 47

Key concepts (digital certificate) - Certificate Signing Request (CSR)

Answer 47

 A block of encoded text with information about the entity requesting the certificate  Includes the public key  Submitted to Certificate Authority (CA) for certificate issuance  Private key remains secure with the requester

Question 48

Key concepts (digital certificate) - Certificate Revocation List (CRL)

Answer 48

 Maintained by Certificate Authority's (CAs)  List of all digital certificates that the certificate authority has already revoked  Checked before validating a certificate

Question 49

Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP)

Answer 49

 Determines certificate revocation status or any digital certificate using the certificate's serial number  Faster but less secure than Certificate Revocation List (CRL)

Question 50

Key concepts (digital certificate) - Online Certificate Status Protocol (OCSP) Stapling

Answer 50

 Alternative to OCSP  Allows the certificate holder to get the OCSP record from the server at regular intervals  Includes OCSP record in the SSL/TLS handshake  Speeds up the secure tunnel creation

Question 51

Key concepts (digital certificate) - Public Key Pinning

Answer 51

 Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates  Presents trusted public keys to browsers  Alerts users if a fraudulent certificate is detected

Question 52

Key concepts (digital certificate) - Key Escrow Agents

Answer 52

 Securely store copies of private keys  Ensures key recovery in case of loss  Requires strong access controls

Question 53

Key concepts (digital certificate) - Key Recovery Agents

Answer 53

 Specialized type of software that allows the restoration of a lost or corrupted key to be performed  Acts as a backup for certificate authority keys

Question 54

Trust in Digital Certificates

Answer 54

 Trust is essential in digital certificates  Compromised root CAs can impact all issued certificates  Commercially trusted CAs are more secure  Self-managed CAs must be vigilant against compromises

Question 55

Define blockchain

Answer 55

 Shared immutable ledger for transactions and asset tracking  Builds trust and transparency  Widely associated with cryptocurrencies like Bitcoin  Is essentially a really long series of information with each block containing information in it  Each block has the hash for the block before it

Question 56

Block Structure

Answer 56

 Chain of blocks, each containing  Previous block's hash  Timestamp  Root transactions (hashes of individual transactions)  Blocks are linked together in a chronological order

Question 57

Public Ledger

Answer 57

 Secure and anonymous record-keeping system  Maintains participants' identities  Tracks cryptocurrency balances  Records all genuine transactions in a network

Question 58

Blockchain Applications

Answer 58

Smart Contracts  Self-executing contracts with code-defined terms  Execute actions automatically when conditions are met  Transparent, tamper-proof, and trust-enhancing

Question 59

Blockchain - commercial uses

Answer 59

 Companies like IBM promote blockchain for commercial purposes  Permissioned blockchain used for business transactions  Enhances trust and transparency with immutable public ledger

Question 60

Broad Implications of Blockchain

Answer 60

Versatility  Beyond finance and cryptocurrencies  Applications across various industries  Promises transparency, efficiency, and trust Decentralization  Key feature of blockchain  Eliminates need for central authorities  Empowers peer-to-peer networks Immutable Ledger  Ensures data integrity  Records cannot be altered or deleted  Reinforces trust in transactions and information Digital Evolution  Blockchain's impact on technology and industries  Potential to reshape traditional systems  Offers transparency, efficiency, and trust in the digital era

Question 61

4 Encryption Tools for Data Security

Answer 61

1: TPM (Trusted Platform Module)  Dedicated microcontroller for hardware-level security  Protects digital secrets through integrated cryptographic keys  Used in BitLocker drive encryption for Windows devices  Adds an extra layer of security against software attacks 2: HSM (Hardware Security Module)  Physical device for safeguarding and managing digital keys  Ideal for mission-critical scenarios like financial transactions  Performs encryption operations in a tamper-proof environment  Ensures key security and regulatory compliance 3: Key Management System  Manages, stores, distributes, and retires cryptographic keys  Centralized mechanism for key lifecycle management  Crucial for securing data and preventing unauthorized access  Automates key management tasks in complex environments 4: Secure Enclaves  Coprocessor integrated into the main processor of some devices  Isolated from the main processor for secure data processing and storage  Safeguards sensitive data like biometric information  Enhances device security by preventing unauthorized access

Question 62

3 Obfuscation Techniques in Data Security

Answer 62

1: Steganography  Conceals a message within another to hide its very existence  Involves altering image or data elements to embed hidden information  Primary goal is to prevent the suspicion that there’s any hidden data at all  Used alongside encryption for added security  Detection is challenging due to hiding data in plain sight 2: Tokenization  Substitutes sensitive data with non-sensitive tokens  Original data securely stored elsewhere  Tokens have no intrinsic value  Reduces exposure of sensitive data during transactions  Commonly used for payment systems to comply with security standards 3: Data Masking (Data Obfuscation)  Disguises original data to protect sensitive information  Maintains data authenticity and usability  Used in testing environments, especially for software development  Reduces the risk of data breaches in non-production settings  Common in industries handling personal data  Masks portions of sensitive data for privacy, e.g., credit card digits, social security numbers

Question 63

Define Cryptographic Attacks

Answer 63

Techniques and strategies that adversaries employ to exploit vulnerabilities in cryptographic systems with the intent to compromise the confidentiality, integrity, or authenticity of data

Question 64

Cryptographic attack - Define Downgrade Attacks and countermeasure

Answer 64

 Force systems to use weaker or older cryptographic standards or protocols  Exploit known vulnerabilities or weaknesses in outdated versions  Example: POODLE attack on SSL 3.0  Countermeasures include phasing out support for insecure protocols and version-intolerant checks

Question 65

Cryptographic attack - Collision Attacks

Answer 65

 Find two different inputs producing the same hash output  Undermine data integrity verification relying on hash functions  Vulnerabilities in hashing algorithms, e.g., MD5, can lead to collisions Birthday Paradox or Birthday Attack  The probability that two distinct inputs, when processed through a hashing function, will produce the same output, or a collision

Question 66

Cryptographic attack - Quantum Computing Threat

Answer 66

 A computer that uses quantum mechanics to generate and manipulate quantum bits in order to access enormous processing powers.  Uses quantum bits (qubits) instead of using ones and zeros

Question 67

Cryptographic attack - Quantum Communication

Answer 67

A communications network that relies on qubits made of photons (light) to send multiple combinations of ones and zeros simultaneously which results in tamper resistant and extremely fast communications

Question 68

Define Qubit

Answer 68

A quantum bit composed of electrons or photons that can represent numerous combinations of ones and zeros at the same time through superposition

Question 69

Post-quantum cryptography

Answer 69

 A new kind of cryptographic algorithm that can be implemented using today’s classic computers but is also impervious to attacks from future quantum computers  Aims to create algorithms resistant to quantum attacks  First method is to create post-quantum cryptography is to increase the key size  Increases the number of permutations that are needed to be brute-forced  Second method is to create something like lattice-based cryptography and super singular isogeny key exchange

Question 70

What are NISTs 4 selected post-quantum cryptography standards

Answer 70

 CRYSTALS-Kyber - general encryption needs & Digital signatures:  CRYSTALS-Dilithium  FLACON  SPHINCS+