Cryptographics Flashcards
True / False
One of the ways of confirming that a software application comes from a trusted source is the verification of its digital signature. A digitally signed software proves the identity of the developer and guarantees that the application code has not been tampered with since it was signed. The authenticity and integrity of the application’s code can be verified by comparing results of a cryptographic hash function (original hash published by the application developer vs. hash obtained from a downloaded app).
True.
The statement accurately describes the role of digital signatures in confirming the authenticity and integrity of software applications. A digitally signed software application provides assurance that it comes from a trusted source and that its code has not been tampered with since it was signed. This is achieved by using cryptographic techniques to generate a unique digital signature for the software, which is then verified using a public key infrastructure (PKI).
Additionally, comparing the cryptographic hash of the downloaded application with the original hash published by the developer helps ensure that the application has not been altered during transmission or after download, further confirming its authenticity and integrity.
Digital signatures provide: (Select 3 answers)
Integrity
Authentication
Confidentiality
Authorization
Non-repudiation
Accounting
Digital signatures provide:
Integrity: Digital signatures ensure that the data or content has not been altered or tampered with since it was signed. Any modifications to the signed data would invalidate the signature.
Authentication: Digital signatures verify the identity of the signer, confirming that the signature was generated by the entity with the corresponding private key. This helps establish trust in the authenticity of the signer.
Non-repudiation: Digital signatures provide non-repudiation, meaning that the signer cannot deny their involvement or the authenticity of the signed document or message. Once signed, the signature serves as evidence of the signer’s intent and cannot be repudiated.
True / False
In cryptography, the number of bits in a key used by a cryptographic algorithm is referred to as a key size or key length. The key length determines the maximum number of combinations required to break the encryption algorithm, therefore typically a longer key means stronger cryptographic security.
True.
In cryptography, the number of bits in a key used by a cryptographic algorithm is indeed referred to as the key size or key length.
A longer key typically means stronger cryptographic security because it increases the number of possible combinations required to break the encryption algorithm through brute force or other cryptographic attacks. This increased complexity makes it exponentially more difficult and time-consuming for attackers to decipher encrypted data without the corresponding key.
Key stretching
Key stretching is a technique used in cryptography to enhance the security of cryptographic keys, especially passwords, by making them more resistant to brute force and dictionary attacks.
The concept behind key stretching involves applying a cryptographic function, such as a hash function or a key derivation function (KDF), multiple times to the original key or password. Each iteration of the function generates a new, derived key, which is then fed back into the function for further processing. This process is repeated a predetermined number of times, effectively “stretching” the original key into a longer and more complex key.
The goal of key stretching is to significantly increase the computational cost of deriving the original key from its hashed or derived form, thereby making it more difficult for attackers to guess or crack the password through exhaustive search methods. By increasing the time and resources required to generate each derived key, key stretching helps mitigate the risk of successful brute force attacks and strengthens the overall security of cryptographic systems.
Bcrypt
Bcrypt is a key stretching algorithm commonly used for securely hashing passwords in cryptographic applications. It employs a computationally intensive process that repeatedly applies the Blowfish encryption algorithm to a password, making it resistant to brute-force attacks. Bcrypt allows for adjustable cost parameters, known as the “work factor,” which determine the number of iterations performed during hashing. This work factor can be increased over time to adapt to advancements in hardware capabilities and maintain the effectiveness of the algorithm against evolving security threats.
DSA
DSA, or Digital Signature Algorithm, is a widely used cryptographic algorithm for generating and verifying digital signatures.
It was developed by the National Institute of Standards and Technology (NIST) as part of the Digital Signature Standard (DSS). DSA relies on modular arithmetic and discrete logarithms for its security.
The algorithm involves generating a pair of asymmetric keys: a private key for signing and a corresponding public key for signature verification.
DSA signatures provide authenticity, integrity, and non-repudiation, meaning that they confirm the identity of the signer, ensure that the signed data has not been altered, and prevent the signer from denying their involvement.
ROT13
ROT13, short for “rotate by 13 places,” is a simple letter substitution cipher that replaces each letter in a message with the letter 13 positions ahead or behind it in the alphabet. It is a symmetric encryption algorithm, meaning that the same algorithm is used for both encryption and decryption.
For example, applying ROT13 to the English alphabet:
A becomes N
B becomes O
C becomes P
ROT13 is often used for simple obfuscation or to hide text in plain sight, as it is a very weak encryption method that offers no real security. It is also sometimes used humorously for spoilers or to hide answers to puzzles.
Twofish
Twofish is a symmetric key block cipher algorithm designed for encryption and decryption of data. Although Twofish was not selected as the AES standard, it remains a respected and widely studied encryption algorithm.
Twofish operates on blocks of data, typically 128 bits in size, and uses a key of variable length, up to a maximum of 256 bits. It employs a Feistel network structure with a complex key schedule and multiple rounds of substitution and permutation operations. Twofish is known for its strong security and resistance to various cryptographic attacks.
One of the notable features of Twofish is its flexibility in key size and block size, allowing it to adapt to different security requirements and performance constraints. It is used in various applications, including file encryption, disk encryption, and network communication protocols, where data confidentiality is crucial. Despite its strengths, Twofish is not as widely deployed as some other encryption algorithms like AES, but it remains an important part of the cryptographic landscape.
PBKDF2
PBKDF2, or Password-Based Key Derivation Function 2, is a cryptographic algorithm used to derive cryptographic keys from passwords or passphrases. It employs a pseudorandom function, typically a cryptographic hash function like SHA-1 or SHA-256, along with a salt value to generate the key. PBKDF2 applies the hash function iteratively a configurable number of times, known as the “work factor,” which increases the computational cost of deriving the key. This makes it more resistant to brute-force and dictionary attacks, as attackers must expend significant computational resources to guess or crack the original password.
One of the main advantages of PBKDF2 is its flexibility and widespread support across various platforms and programming languages. It is commonly used in security-sensitive applications, such as password hashing, disk encryption, and secure communication protocols, to protect sensitive data and credentials from unauthorized access. However, PBKDF2 does have limitations, such as vulnerability to parallelization on hardware with specialized cryptographic accelerators. Additionally, the choice of hash function and the number of iterations used in PBKDF2 implementations can impact its security, and best practices continue to evolve to address emerging threats and vulnerabilities.
Which of the following answers refers to a type of additional input that increases password complexity and provides better protection against brute-force, dictionary, and rainbow table attacks?
Seed
IV
Salt
Shim
Salt is a random value that is added to passwords before hashing to prevent attackers from using precomputed tables (rainbow tables) to crack passwords. Salting increases password complexity and enhances security by ensuring that identical passwords hash to different values.
Seed: A starting point for generating pseudorandom numbers in cryptographic algorithms. It is not directly related to password complexity or protection against brute-force attacks.
IV (Initialization Vector): A random value used in cryptographic algorithms, particularly block ciphers in modes like CBC (Cipher Block Chaining), to ensure that identical plaintext blocks encrypt to different ciphertext blocks. While IVs are important for encryption, they are not specifically used to increase password complexity.
Shim: In the context of software development, a shim is a small piece of code that facilitates compatibility between different software components. It is not related to password complexity or protection against brute-force attacks.
Elliptic Curve Cryptography (ECC)
lliptic Curve Cryptography (ECC) is a public-key cryptographic algorithm based on the mathematical properties of elliptic curves over finite fields. It provides a way to securely encrypt and authenticate data, as well as generate digital signatures, using smaller key sizes compared to other public-key algorithms like RSA.
ECC relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), which involves finding the discrete logarithm of a point on an elliptic curve. This mathematical problem is believed to be computationally hard, making ECC resistant to attacks by brute force or mathematical algorithms.
One of the key advantages of ECC is its efficiency in terms of key size and computational resources. ECC keys are typically much shorter than RSA keys for equivalent security levels, making ECC suitable for environments with constrained resources such as mobile devices or Internet of Things (IoT) devices. Additionally, ECC provides strong security properties, including forward secrecy and resistance to quantum attacks, making it a popular choice for securing modern cryptographic protocols and systems.
ECC is primarily associated with asymmetric encryption, which involves using pairs of public and private keys generated from elliptic curve parameters.
Asymmetric vs symmetric encryption
Symmetric encryption: In symmetric encryption, the same key is used for both encryption and decryption of data. This means that the sender and receiver must share a secret key in advance. Symmetric encryption algorithms are typically fast and efficient, making them well-suited for encrypting large volumes of data. However, the challenge lies in securely sharing the secret key between the communicating parties, especially over insecure channels.
Asymmetric encryption: In asymmetric encryption, also known as public-key encryption, two separate keys are used: a public key for encryption and a private key for decryption. The public key can be freely distributed, while the private key is kept secret. Asymmetric encryption provides a solution to the key distribution problem in symmetric encryption, as the public key can be shared openly. However, asymmetric encryption algorithms are generally slower and less efficient than symmetric algorithms, making them better suited for encrypting small amounts of data or for key exchange purposes.
In summary, symmetric encryption is typically faster and more efficient for bulk data encryption, while asymmetric encryption provides a solution for secure key distribution and offers other cryptographic functionalities like digital signatures and key exchange. Often, a combination of both symmetric and asymmetric encryption techniques is used in cryptographic systems to leverage their respective advantages.
ECB
ECB stands for Electronic Codebook Mode, which is a basic mode of operation for block ciphers in cryptography. In ECB mode, each block of plaintext is encrypted independently using the same encryption key, resulting in a one-to-one mapping between plaintext blocks and ciphertext blocks.
While ECB mode is simple and easy to implement, it has several significant drawbacks. One of the main issues with ECB mode is that identical plaintext blocks will always encrypt to the same ciphertext blocks, regardless of their position in the message. This makes ECB mode vulnerable to certain cryptographic attacks, such as pattern recognition and replay attacks, and it does not provide confidentiality for patterns in the plaintext data.
Due to these vulnerabilities, ECB mode is generally not recommended for secure communication or encryption purposes, especially when encrypting large amounts of data. Instead, more secure modes of operation like CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode) are typically preferred for block cipher encryption.
PFS
PFS stands for Perfect Forward Secrecy, a property of cryptographic systems that ensures that the compromise of long-term secret keys does not compromise the confidentiality of past communications.
In systems with PFS, even if an attacker were to gain access to the long-term secret keys used to establish communication, they would not be able to decrypt past encrypted communications.
PFS is achieved by using ephemeral keys, which are short-lived and randomly generated for each session or communication. These ephemeral keys are used to negotiate session keys for encryption and decryption, and they are not derived from or dependent on the long-term secret keys. As a result, even if the long-term secret keys are compromised, past communications remain confidential because they were encrypted using different session keys.
PFS is considered a critical security feature in modern cryptographic protocols, particularly in secure communication protocols like TLS (Transport Layer Security) used for securing web traffic. It provides an additional layer of protection against sophisticated attacks and ensures that the confidentiality of past communications is preserved, even in the event of key compromise.
EFS
EFS typically refers to Encrypting File System, a feature built into the Microsoft Windows operating system that provides filesystem-level encryption for protecting sensitive data stored on disk. With EFS, individual files or directories can be encrypted using symmetric encryption algorithms, and access to the encrypted data is controlled using public-key cryptography.
When a file or directory is encrypted using EFS, a unique file encryption key (FEK) is generated, and this FEK is then encrypted using the public key of the user who encrypted the file. The encrypted FEK is stored alongside the encrypted file on disk. To decrypt the file, the user’s private key is used to decrypt the FEK, which can then be used to decrypt the file itself.
EFS provides a convenient way to encrypt sensitive files and folders on Windows systems without the need for additional software. It allows for seamless integration with existing file permissions and access controls, ensuring that only authorized users can decrypt and access encrypted data. However, it’s important to note that EFS does not provide protection against attacks that bypass the Windows authentication mechanisms or gain access to the user’s private key. Therefore, it should be used in conjunction with other security measures to provide comprehensive data protection.
PFX
PFX stands for Personal Information Exchange. It is a file format used to store cryptographic objects such as private keys, public keys, and certificates, typically protected by a password. PFX files are commonly used for securely transferring and storing private keys and certificates, especially in scenarios where they need to be moved between systems or shared with other parties.
PFX files are commonly used in environments where secure key management and certificate handling are essential, such as web servers, email servers, and secure network communication protocols like SSL/TLS. They provide a convenient way to bundle cryptographic assets into a single file for easy distribution and deployment while ensuring their confidentiality and integrity through encryption and password protection.
Quantum cryptography
Quantum cryptography is a branch of cryptography that utilizes principles from quantum mechanics to provide secure communication channels between parties. Unlike classical cryptography, which relies on mathematical algorithms, quantum cryptography leverages the inherent properties of quantum mechanics to achieve secure communication.
One of the key principles of quantum cryptography is the use of quantum key distribution (QKD) protocols, which enable two parties to securely generate and exchange cryptographic keys. QKD protocols typically involve the transmission of quantum bits (qubits) over a quantum communication channel, such as optical fibers or free space, between a sender (Alice) and a receiver (Bob).
The security of quantum cryptography is based on the fundamental properties of quantum mechanics, such as the Heisenberg uncertainty principle and the no-cloning theorem. These principles ensure that any attempt by an eavesdropper (Eve) to intercept or measure the qubits will disrupt the quantum state of the particles, thereby alerting Alice and Bob to the presence of an attacker.
Quantum cryptography offers several advantages over classical cryptographic techniques, including unconditional security guarantees based on the laws of physics, resistance to quantum attacks using quantum computers, and the ability to detect eavesdropping attempts in real-time. However, practical implementations of quantum cryptography are still in the early stages of development and face significant challenges, such as the limited range of quantum communication channels and the need for specialized hardware. Nonetheless, quantum cryptography holds promise for the future of secure communication in fields such as finance, government, and data privacy.
ephemeral vs static keys
Ephemeral keys: Also known as temporary keys, ephemeral keys are short-lived cryptographic keys that are generated for each session or communication. These keys are typically randomly generated and used only for a single instance of encryption or authentication.
Ephemeral keys offer the advantage of forward secrecy, meaning that even if an attacker were to compromise the key used for one session, they would not be able to decrypt past or future communications. Ephemeral keys are commonly used in protocols like Diffie-Hellman key exchange and session-based encryption algorithms like TLS (Transport Layer Security).
Static keys: In contrast, static keys are long-term cryptographic keys that remain constant over time and are reused for multiple sessions or communications. These keys are typically generated once and stored securely, often associated with specific entities or devices. While static keys offer simplicity and convenience, they lack forward secrecy, meaning that compromising the key used for one session could potentially compromise the confidentiality of past and future communications. Static keys are commonly used in scenarios where key management overhead is low and forward secrecy is not a strict requirement, such as in symmetric encryption algorithms or for long-term cryptographic identities.
In summary, ephemeral keys provide forward secrecy and are used for short-lived sessions or communications, while static keys offer simplicity and are used for long-term cryptographic operations or identities. The choice between ephemeral and static keys depends on the specific security requirements and constraints of the application or protocol being used.
Session key
A session key is a temporary cryptographic key used to encrypt and decrypt data exchanged during a communication session between two parties. Unlike long-term keys, which remain constant over time, session keys are generated dynamically for each session and are typically short-lived.
Session keys are commonly used in cryptographic protocols to provide confidentiality, integrity, and sometimes authentication for data exchanged during a communication session. They are often generated using key exchange protocols such as Diffie-Hellman key exchange or derived from a master key using a key derivation function.
The use of session keys offers several advantages:
Forward secrecy: Since session keys are short-lived and generated for each session, compromising a session key does not compromise the confidentiality of past or future sessions.
Reduced exposure: Session keys have a shorter lifespan compared to long-term keys, reducing the window of opportunity for attackers to compromise them.
Enhanced security: Session keys can be generated with specific security parameters tailored to the requirements of each session, providing flexibility and adaptability to changing security needs.
Blockchain
The term “blockchain” refers to a decentralized digital ledger system that records transactions across multiple computers in a peer-to-peer (P2P) network. Each transaction is recorded in a “block,” which is then linked to previous blocks in a chain-like structure, hence the name “blockchain.” This distributed ledger is maintained by a network of nodes (computers) that validate and record transactions using a consensus mechanism. The decentralized nature of blockchain ensures transparency, immutability, and security, making it suitable for various applications such as cryptocurrency transactions, supply chain management, and digital identity verification.
stream cipher vs block cipher
Stream ciphers and block ciphers are two essential cryptographic techniques with distinct characteristics and applications.
Stream ciphers encrypt plaintext data continuously, typically one bit or byte at a time, generating a stream of pseudorandom ciphertext bits. This continuous processing makes stream ciphers suitable for encrypting data streams of arbitrary length in real-time applications like communication protocols. Examples of stream ciphers include RC4 and the stream cipher mode of operation in block ciphers like AES in CTR (Counter) mode.
In contrast, block ciphers encrypt fixed-size blocks of plaintext data, typically 64 or 128 bits in length, processing one block at a time. Block ciphers operate using fixed-length encryption algorithms and a secret key, producing corresponding blocks of ciphertext. They offer versatility in encrypting data of arbitrary length through various modes of operation like Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Counter (CTR) mode. Examples of block ciphers include DES, AES, and Blowfish.
Overall, stream ciphers excel at encrypting data streams in real-time, while block ciphers offer flexibility and versatility in encrypting fixed-size blocks of data and are widely used in cryptographic protocols and applications. The choice between stream ciphers and block ciphers depends on the specific security requirements and constraints of the application at hand.
Block cipher modes: CBC, ECB, CTR, GCM
CBC (Cipher Block Chaining) mode links each plaintext block with the previous ciphertext block before encryption, ensuring each ciphertext block is dependent on all preceding plaintext blocks. This chaining mechanism enhances security by preventing identical plaintext blocks from encrypting to the same ciphertext, but CBC mode lacks parallel encryption and decryption, making it slower for certain applications.
ECB (Electronic Codebook) mode encrypts each plaintext block independently with the same key, making it simple and efficient but vulnerable to plaintext pattern exposure and replay attacks. As a result, ECB mode is generally not recommended for secure communication or encryption purposes.
CTR (Counter) mode turns a block cipher into a stream cipher by using a counter as input, enabling parallel encryption and decryption. CTR mode does not require padding and is resilient to ciphertext manipulation attacks, making it efficient and versatile for various cryptographic applications like disk encryption and VPNs.
GCM (Galois/Counter Mode) combines counter mode (CTR) encryption with polynomial authentication tags, providing both confidentiality and integrity. GCM mode supports parallel encryption and decryption, making it efficient for secure communication protocols like TLS, and computes authentication tags using polynomial multiplication in Galois fields.
Which of the block cipher modes listed below provides both data integrity and confidentiality?
CBC
GCM
ECB
CTR
GCM (Galois/Counter Mode) provides both data integrity and confidentiality through its combination of counter mode (CTR) encryption with a polynomial authentication tag.
Confidentiality: GCM encrypts plaintext data using counter mode (CTR), which allows for parallel encryption and decryption of multiple blocks. This ensures efficient and secure encryption of data while maintaining confidentiality.
Data Integrity: GCM computes an authentication tag for each ciphertext block using polynomial multiplication in Galois fields. This authentication tag serves as a cryptographic checksum that provides data integrity, ensuring that the ciphertext has not been tampered with or modified during transmission.
A type of encryption scheme where the same key is used to encrypt and decrypt data is referred to as: (Select 3 answers)
Session-key encryption
Public-key encryption
Symmetric encryption
Asymmetric encryption
Secret-key encryption
The correct answers are:
Symmetric encryption
Secret-key encryption
Session-key encryption
Symmetric encryption, secret-key encryption, and session-key encryption all refer to the same type of encryption scheme where the same key is used for both encryption and decryption of data. In this scheme, a single secret key is shared between the communicating parties, and this key is used to both encrypt plaintext data into ciphertext and decrypt ciphertext back into plaintext.
Symmetric encryption is the most commonly used encryption technique for securing data transmission and storage due to its efficiency and simplicity. Because the same key is used for both encryption and decryption, symmetric encryption algorithms typically offer faster processing speeds and lower computational overhead compared to asymmetric encryption algorithms, which require separate keys for encryption and decryption.
Secret-key encryption emphasizes the concept that the encryption key must remain secret and known only to the communicating parties. This ensures that only authorized parties with access to the secret key can decrypt the ciphertext and access the original plaintext data.
Session-key encryption refers to the practice of using a unique symmetric key for each communication session. While the underlying encryption algorithm may remain the same, a different session key is generated for each session, providing forward secrecy and enhancing security by limiting the impact of key compromise to a single session.
T/F:
Symmetric encryption algorithms require large amounts of processing power for both encryption and decryption of data which makes them much slower in comparison to asymmetric encryption ciphers.
False. Symmetric encryption algorithms typically require less processing power for both encryption and decryption compared to asymmetric encryption algorithms. This is because symmetric encryption uses the same key for both encryption and decryption, resulting in simpler and more efficient mathematical operations. As a result, symmetric encryption algorithms are generally faster and more computationally efficient than asymmetric encryption algorithms.
T/F:
In asymmetric encryption, any message encrypted with the use of a public key can only be decrypted by applying the same algorithm and a matching private key (and vice versa).
True. In asymmetric encryption, any message encrypted with a public key can only be decrypted by applying the corresponding private key, and vice versa. This property ensures that messages encrypted with a public key can only be decrypted by the corresponding private key holder, providing confidentiality and secure communication between parties.
RC4
RC4, or Rivest Cipher 4, is a symmetric stream cipher algorithm designed by Ron Rivest in 1987. It is widely used in various cryptographic protocols and applications due to its simplicity and efficiency.
RC4 operates by generating a pseudorandom stream of bytes based on a secret key, which is then XORed with the plaintext to produce ciphertext. The key scheduling algorithm (KSA) initializes the internal state of the cipher based on the secret key, while the pseudorandom generation algorithm (PRGA) generates the keystream used for encryption and decryption.
Despite its widespread use, RC4 has been found to have several vulnerabilities over the years, including biases in the initial bytes of the keystream and weaknesses in the key scheduling algorithm. As a result, its usage has been deprecated in many cryptographic protocols and standards, and it is generally considered insecure for use in new systems.
DES / 3DES / AES
DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), and AES (Advanced Encryption Standard) are all symmetric block cipher algorithms used for encrypting data. Here’s a brief overview of each:
DES (Data Encryption Standard): DES is a symmetric key algorithm that was developed in the 1970s and became a widely used encryption standard. It operates on 64-bit blocks of plaintext and uses a 56-bit key for encryption and decryption. Despite its widespread adoption, DES has become vulnerable to brute-force attacks due to its relatively short key length.
3DES (Triple Data Encryption Standard): 3DES is a variant of DES that applies the DES algorithm three times to each block of data. It provides increased security compared to DES by using multiple keys and encrypting each block three times in different modes (e.g., EDE or ECB). However, 3DES is slower and less efficient than DES due to its triple encryption process, and it has largely been replaced by more modern encryption algorithms.
AES (Advanced Encryption Standard): AES is a symmetric block cipher algorithm that was established as a federal government standard by the U.S. National Institute of Standards and Technology (NIST) in 2001. It operates on 128-bit blocks of plaintext and supports key lengths of 128, 192, or 256 bits. AES is widely considered to be secure, efficient, and suitable for a wide range of applications. It has become the de facto standard for symmetric encryption and is used in various cryptographic protocols and systems worldwide.
In summary, DES is an older encryption standard that has largely been replaced by more secure algorithms like 3DES and AES. 3DES provides increased security through multiple encryption rounds but is slower and less efficient. AES is the current industry-standard symmetric encryption algorithm, offering high security and performance for encrypting sensitive data.
Blowfish / Twofish
Blowfish and Twofish are both symmetric block cipher algorithms designed by Bruce Schneier.
While Blowfish offers customizable key lengths and was once popular for its simplicity and security, it has been largely replaced by newer algorithms like AES.
Twofish, on the other hand, is a more modern algorithm that offers strong security and is still used in various cryptographic applications.
Asymmetric Encryption:
RSA, GPG, DSA, DHE, ECDHE, PGP
RSA, GPG, DSA, DHE, ECDHE, and PGP are all cryptographic algorithms or protocols used for encryption, authentication, and secure communication. Here’s a brief overview of each:
RSA (Rivest-Shamir-Adleman): RSA is a widely used asymmetric encryption algorithm named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman. It is commonly used for secure key exchange, digital signatures, and encryption of sensitive data. RSA relies on the mathematical difficulty of factoring large prime numbers to provide security.
GPG (GNU Privacy Guard): GPG is an open-source implementation of the OpenPGP (Pretty Good Privacy) standard for encrypting and decrypting data, as well as for creating and verifying digital signatures. It uses symmetric-key cryptography for data encryption and asymmetric-key cryptography for key management.
DSA (Digital Signature Algorithm): DSA is an asymmetric encryption algorithm commonly used for digital signatures. It was proposed by the U.S. National Institute of Standards and Technology (NIST) and is based on the difficulty of solving the discrete logarithm problem.
DHE (Diffie-Hellman Ephemeral): DHE is a key exchange protocol based on the Diffie-Hellman algorithm. It allows two parties to securely negotiate a shared secret key over an insecure communication channel, which can then be used for symmetric encryption.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): ECDHE is a variant of the Diffie-Hellman key exchange protocol that uses elliptic curve cryptography (ECC). It offers the same functionality as DHE but with improved performance and security due to the use of elliptic curves.
PGP (Pretty Good Privacy): PGP is a data encryption and decryption program that provides cryptographic privacy and authentication for electronic communication. It uses a combination of symmetric and asymmetric encryption, as well as digital signatures, to secure email messages and files.
Which of the following terms illustrate the security through obscurity concept? (Select all that apply)
Code obfuscation
Steganography
SSID broadcast suppression
Encryption
The terms that illustrate the security through obscurity concept are:
Code obfuscation: Code obfuscation involves intentionally complicating code to make it harder to understand or reverse-engineer. It relies on the assumption that attackers will be deterred by the complexity of the code rather than its inherent security.
Steganography: Steganography is the practice of concealing information within other non-secret data (such as images, audio files, or text) to hide its existence. It relies on the secrecy of the method used to embed the information rather than the strength of encryption.
SSID broadcast suppression: SSID broadcast suppression involves disabling the broadcasting of the Service Set Identifier (SSID) of a wireless network to prevent unauthorized users from discovering its existence. It relies on the assumption that hiding the network name will enhance security, but it can still be discovered through other means.
Encryption, on the other hand, does not rely on obscurity for security. Instead, it relies on the use of mathematical algorithms and keys to transform data into an unreadable format that can only be decrypted by authorized parties with the appropriate key.
Diffusion
Diffusion is a concept in cryptography that refers to spreading the influence of individual plaintext symbols over many ciphertext symbols in order to prevent patterns from being discerned in the encrypted data. In other words, diffusion ensures that a small change in the plaintext results in significant changes throughout the ciphertext.
This property is crucial for achieving strong encryption because it makes it more difficult for attackers to identify regularities or predictability in the encrypted data, thereby enhancing security. Encryption algorithms achieve diffusion through various techniques, such as permutation and substitution, which thoroughly mix and distribute the information across the ciphertext. Overall, diffusion is an essential aspect of cryptographic algorithms to ensure robustness against attacks and maintain the confidentiality of encrypted data.
Which of the following enables processing data in an encrypted form?
Diffusion
Homomorphic encryption
Obfuscation
Hashing
Homomorphic encryption is a type of encryption scheme that allows mathematical operations to be performed on encrypted data without decrypting it first. This means that computations can be carried out on ciphertexts, and the results will be the same as if the operations had been performed on the plaintexts before encryption. This property enables secure processing of sensitive data while maintaining confidentiality, as the data remains encrypted throughout the computation process.
Which of the following terms applies to the concept of confidentiality?
Hashing
Encryption
Security through obscurity
MFA
Digital certificate
Encryption: Encryption is the process of transforming plaintext data into ciphertext using an encryption algorithm and a secret key. Encrypted data can only be decrypted back to its original form by someone with the corresponding decryption key, ensuring confidentiality.
Why not hashing?
Hashing is a cryptographic technique used to transform data into a fixed-size string of characters, called a hash value. While hashing ensures data integrity and can be used for verification, it does not provide confidentiality as hash values are not reversible.
Which cryptographic solution would be best suited for low-power devices?
ECC
EFS
SED
FDE
Among the options provided, ECC (Elliptic Curve Cryptography) would be best suited for low-power devices.
ECC (Elliptic Curve Cryptography): ECC is a type of public-key cryptography that offers strong security with shorter key lengths compared to other encryption algorithms like RSA. It is well-suited for low-power devices due to its efficiency in terms of computational resources and memory requirements.
EFS (Encrypting File System): EFS is a built-in encryption feature in Windows operating systems that allows individual files or directories to be encrypted. While it provides encryption, it may not be optimized for low-power devices and may not offer the same level of efficiency as ECC.
SED (Self-Encrypting Drive): SED refers to a hardware-based encryption solution where the drive itself encrypts and decrypts data on-the-fly without requiring the CPU to perform encryption operations. While SEDs offer security, they may not necessarily be optimized for low-power devices as they still rely on hardware resources.
FDE (Full Disk Encryption): FDE refers to encrypting the entire storage device, such as a hard drive or SSD, rather than individual files or directories. While FDE provides comprehensive encryption, it may not be the most efficient solution for low-power devices, especially if the encryption process requires significant computational resources.
In summary, ECC is the best-suited cryptographic solution for low-power devices due to its efficiency and strong security properties.
T/F
The lack of entropy in the process of generating cryptographic keys improves the security of cryptographic algorithms.
False.
Entropy, in the context of cryptography and information theory, refers to the measure of randomness or unpredictability in a system. In simpler terms, it represents the amount of uncertainty or disorder in a set of data.
The lack of entropy in the process of generating cryptographic keys actually decreases the security of cryptographic algorithms. Entropy is essential for ensuring that cryptographic keys are sufficiently random and unpredictable, which is crucial for resisting attacks such as brute-force and dictionary attacks. Without adequate entropy, cryptographic keys may become predictable or susceptible to cryptographic attacks, compromising the security of the encryption system. Therefore, a lack of entropy in key generation processes undermines the security of cryptographic algorithms rather than improving it.
Examples of key stretching algorithms include: (Select 2 answers)
ROT13
Twofish
Bcryp
DSA
PBKDF2
Bcrypt: Bcrypt is a key stretching algorithm commonly used for password hashing. It applies a computationally intensive hashing function multiple times to slow down brute-force attacks on hashed passwords.
PBKDF2 (Password-Based Key Derivation Function 2): PBKDF2 is another key stretching algorithm commonly used for password hashing. It iteratively applies a cryptographic hash function to the input password along with a salt, making it more resistant to brute-force attacks.
ROT13 and DSA are not key stretching algorithms. ROT13 is a simple substitution cipher that provides minimal security and is not suitable for key stretching.
DSA (Digital Signature Algorithm) is a cryptographic algorithm used for digital signatures and does not involve key stretching.
Twofish is a symmetric encryption algorithm and is not typically used for key stretching purposes.
Which of the following answers refers to a solution designed to strengthen the security of session keys?
ECB
PFS
EFS
PFX
Perfect Forward Secrecy (PFS) is a property of cryptographic systems where session keys are ephemeral and are not derived from the long-term keys used for authentication. This means that even if the long-term keys are compromised in the future, past session keys remain secure because they are not derivable from the compromised keys. PFS enhances security by minimizing the potential impact of key compromise and ensuring that past communications remain confidential. It is commonly used in secure communication protocols such as Transport Layer Security (TLS) to protect the confidentiality of data exchanged during sessions.
ECB: Electronic Codebook mode is a basic encryption mode where each block of plaintext is encrypted independently. It does not provide any additional security for session keys.
EFS: Encrypting File System is a feature in Windows operating systems that allows individual files or directories to be encrypted. It is not specifically designed to strengthen the security of session keys.
PFX: Personal Information Exchange Format is a file format used for storing cryptographic keys and certificates. While it may be used to manage cryptographic materials, it is not specifically designed to strengthen the security of session keys.
According to predictions, the most future-proof cryptographic solution should be:
Quantum cryptography
Symmetric-key cryptography
Post-quantum cryptograph
Asymmetric-key cryptography
Public-key cryptography
Post-quantum cryptography refers to cryptographic algorithms that are believed to be secure against attacks by quantum computers. With the development of quantum computing technologies, traditional cryptographic algorithms, especially those based on integer factorization and discrete logarithm problems (such as RSA and ECC), may become vulnerable to quantum attacks. Post-quantum cryptographic algorithms aim to provide security even in the presence of quantum computers.
Quantum cryptography is also a strong candidate for future-proofing cryptographic solutions, as it leverages the principles of quantum mechanics to provide unconditional security for key distribution. However, it is primarily used for key distribution rather than general-purpose encryption and authentication.
Symmetric-key cryptography, asymmetric-key cryptography, and public-key cryptography are all essential components of modern cryptographic systems but may require updates or replacements in the face of quantum computing threats. Therefore, post-quantum cryptography is considered the most future-proof option for ensuring long-term security in cryptographic systems.
Which of the following terms applies to the concept of data integrity?
MFA
Digital certificate ( Your answer)
Hashing ( Missed)
Security through obscurity
Encryption
Hashing is a cryptographic technique used to generate a fixed-size string of characters, called a hash value or digest, from input data of arbitrary size. It is designed to be a one-way function, meaning that it is computationally infeasible to reverse the process and derive the original input data from the hash value. Hash functions are used to ensure data integrity by detecting any changes or modifications to the original data. Even a minor change to the input data will produce a significantly different hash value, making it possible to detect tampering or corruption. Therefore, hashing is a critical component of ensuring data integrity in various applications, such as file verification, password storage, and digital signatures.
