Cryptographic Solutions Flashcards
DES (Data Encryption Standard)
Symmetric, Block cipher
Widely used from the 1970s to the early 2000s
Triple DES (3DES)
Symmetric, Block cipher
Provides 112-bit key strength but is slower than DES
IDEA (International Data Encryption Algorithm)
Symmetric, Block cipher
Not as widely used as AES
AES (Advanced Encryption Standard)
Symmetric, Block cipher
■ Replaced DES and 3DES as the US government encryption standard
■ Widely adopted and considered the encryption standard for sensitive
unclassified information
Blowfish
Symmetric, Block cipher
Developed as a DES replacement but not widely adopted
Twofish
Symmetric, Block cipher
Open source and available for use
RC Cipher Suite (RC4, RC5, RC6)
Symmetric, Block cipher
■ RC4 is a stream cipher with variable key sizes from 40 to 2048 bits, used in SSL
and WEP
■ RC5 is a block cipher with key sizes up to 2048 bits
■ RC6, based on RC5, was considered as a DES replacement
Diffie-Hellman
Asymmetric
● Used for key exchange and secure key distribution
● Vulnerable to man-in-the-middle attacks, requires authentication
● Commonly used in VPN tunnel establishment (IPSec)
RSA (Ron Rivest, Adi Shamir, Leonard Adleman)
Asymmetric
● Used for key exchange, encryption, and digital signatures
● Relies on the mathematical difficulty of factoring large prime numbers
● Supports key sizes from 1024 to 4096 bits
● Widely used in organizations and multi-factor authentication
Elliptic Curve Cryptography (ECC)
Asymmetric
● Efficient and secure, uses algebraic structure of elliptical curves
● Commonly used in mobile devices and low-power computing
● Six times more efficient than RSA for equivalent security
MD5 (Message Digest Algorithm 5)
Hashing
● Limited unique values, leading to collisions
● Not recommended for security-critical applications due to vulnerabilities
SHA (Secure Hash Algorithm) Family
Hashing
● SHA-1
○ Produces a 160-bit hash digest, less prone to collisions than MD5
● SHA-2
○ Offers longer hash digests (SHA-224, SHA-256, SHA-384, SHA-512)
● SHA-3
○ Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of
computations
RIPEMD (RACE Integrity Primitive Evaluation Message Digest)
Hashing
Open-source competitor to SHA but less popular
HMAC (Hash-based Message Authentication Code)
Hashing
Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1,
HMAC-SHA256)
Digital Signatures
■ Uses a hash digest encrypted with a private key
■ Sender hashes the message and encrypts the hash with their private key
■ Recipient decrypts the digital signature using the sender’s public key
■ Verifies integrity of the message and ensures non-repudiation
Common Digital Signature Algorithms
■ DSA (Digital Security Algorithm)
■ RSA (Rivest-Shamir-Adleman)
● Supports digital signatures, encryption, and key distribution
● Widely used in various applications, including code signing
Common Hashing Attack
Pass the Hash
A hacking technique that allows the attacker to authenticate to a remote
server or service by using the underlying hash of a user’s password
instead of requiring the associated plaintext password
Common Hashing Attack
Birthday Attack
Occurs when two different messages result in the same hash digest
(collision)
Increasing Hash Security
Key Stretching
● Technique that is used to mitigate a weaker key by creating longer, more
secure keys (at least 128 bits)
● Used in systems like Wi-Fi Protected Access, Wi-Fi Protected Access
version 2, and Pretty Good Privacy
Increasing Hash Security
Salting
● Adds random data (salt) to passwords before hashing
● Ensures distinct hash outputs for the same password due to different
salts
● Thwarts dictionary attacks, brute-force attacks, and rainbow tables
Increasing Hash Security
Nonces (Number Used Once)
● Adds unique, often random numbers to password-based authentication
processes
● Prevents attackers from reusing stolen authentication data
● Adds an extra layer of security against replay attacks
Key Escrow
■ Storage of cryptographic keys in a secure, third-party location (escrow)
■ Enables key retrieval in cases of key loss or for legal investigations
Digital Certificates
■ Digitally signed electronic documents
■ Bind a public key with a user’s identity
■ Used for individuals, servers, workstations, or devices
■ Use the X.509 Standard
Wildcard Certificate
● Allows multiple subdomains to use the same certificate
● Easier management, cost-effective for subdomains
● Compromise affects all subdomains
SAN (Subject Alternate Name) field
● Certificate that specifies what additional domains and IP addresses are
going to be supported
● Used when domain names don’t have the same root domain
Single-sided certificate
Only requires the server to be validated
Dual-sided certificate
○ Both server and user validate each other
○ Dual-sided for higher security, requires more processing power
Self-Signed Certificates
● Digital certificate that is signed by the same entity whose identity it
certifies
● Provides encryption but lacks third-party trust
● Used in testing or closed systems
Third-Party Certificates
● Digital certificate issued and signed by trusted certificate authorities (CAs)
● Trusted by browsers and systems
● Preferred for public-facing websites
Root of Trust
● Highest level of trust in certificate validation
● Trusted third-party providers like Verisign, Google, etc.
● Forms a certification path for trust
Certificate Authority (CA)
● Trusted third party that issues digital certificates
● Certificates contain CA’s information and digital signature
● Validates and manages certificates
Registration Authority (RA)
● Requests identifying information from the user and forwards certificate
request up to the CA to create a digital certificate
● Collects user information for certificates
● Assists in the certificate issuance process
Certificate Signing Request (CSR)
● A block of encoded text with information about the entity requesting the
certificate
● Includes the public key
● Submitted to CA for certificate issuance
● Private key remains secure with the requester
Certificate Revocation List (CRL)
● Maintained by CAs
● List of all digital certificates that the certificate authority has already revoked
● Checked before validating a certificate
Online Certificate Status Protocol (OCSP)
● Determines certificate revocation status of any digital certificate using the
certificate’s serial number
● Faster but less secure than CRL
OCSP Stapling
● Alternative to OCSP
● Allows the certificate holder to get the OCSP record from the server at
regular intervals
● Includes OCSP record in the SSL/TLS handshake
● Speeds up the secure tunnel creation
Public Key Pinning
● Allows an HTTPS website to resist impersonation attacks from users who
are trying to present fraudulent certificates
● Presents trusted public keys to browsers
● Alerts users if a fraudulent certificate is detected
Key Escrow Agents
● Securely store copies of private keys
● Ensures key recovery in case of loss
● Requires strong access controls
Key Recovery Agents
● Specialized type of software that allows the restoration of a lost or
corrupted key to be performed
● Acts as a backup for certificate authority keys
Blockchain
■ Shared immutable ledger for transactions and asset tracking
■ Builds trust and transparency
■ Widely associated with cryptocurrencies like Bitcoin
■ Is essentially a really long series of information with each block containing
information in it
Block Structure
● Chain of blocks, each containing
○ Previous block’s hash
○ Timestamp
○ Root transactions (hashes of individual transactions)
● Blocks are linked together in a chronological order
Public Ledger
● Secure and anonymous record-keeping system
● Maintains participants’ identities
● Tracks cryptocurrency balances
● Records all genuine transactions in a network
Smart Contracts
● Self-executing contracts with code-defined terms
● Execute actions automatically when conditions are met
● Transparent, tamper-proof, and trust-enhancing
TPM (Trusted Platform Module)
Encryption Tools
● Dedicated microcontroller for hardware-level security
● Protects digital secrets through integrated cryptographic keys
● Used in BitLocker drive encryption for Windows devices
● Adds an extra layer of security against software attacks
HSM (Hardware Security Module)
Encryption Tools
● Physical device for safeguarding and managing digital keys
● Ideal for mission-critical scenarios like financial transactions
● Performs encryption operations in a tamper-proof environment
● Ensures key security and regulatory compliance
Key Management System
Encryption Tools
● Manages, stores, distributes, and retires cryptographic keys
● Centralized mechanism for key lifecycle management
● Crucial for securing data and preventing unauthorized access
● Automates key management tasks in complex environments
Secure Enclaves
Encryption Tools
● Coprocessor integrated into the main processor of some devices
● Isolated from the main processor for secure data processing and storage
● Safeguards sensitive data like biometric information
● Enhances device security by preventing unauthorized access
Steganography
● Conceals a message within another to hide its very existence
● Used alongside encryption for added security
Tokenization
● Substitutes sensitive data with non-sensitive tokens
● Reduces exposure of sensitive data during transactions
● Commonly used for payment systems to comply with security standards
Data Masking (Data Obfuscation)
● Disguises original data to protect sensitive information
● Common in industries handling personal data
Downgrade Attacks
■ Force systems to use weaker or older cryptographic standards or protocols
■ Exploit known vulnerabilities or weaknesses in outdated versions
Collision Attacks
■ Find two different inputs producing the same hash output
■ Vulnerabilities in hashing algorithms, e.g., MD5, can lead to collisions
Post-quantum cryptography
A new kind of cryptographic algorithm that can be implemented using
today’s classic computers but is also impervious to attacks from future
quantum computers
NIST selected four post-quantum cryptography standards
● CRYSTALS-Kyber - general encryption needs
● Digital signatures
○ CRYSTALS-Dilithium
○ FALCON
○ SPHINCS+