Cryptography Flashcards
True / False
One way of confirming that a software application comes from a trusted source is verifying its digital signature. Digitally signed software identifies the developer who signed it and shows that the application code has not been tampered with since it was signed. The authenticity and integrity of the application’s code can also be checked by comparing the output of a cryptographic hash function (the hash published by the application developer vs. the hash computed over the downloaded file).
True.
The statement accurately describes what code signing provides. The developer hashes the release and signs the hash with a private key; a verifier recomputes the hash, checks the signature with the matching public key, and relies on a certificate issued through a public key infrastructure (PKI) to bind that public key to the developer’s identity. A valid signature shows two things: the holder of the private key signed exactly this code, and nothing in it has changed since. It does not show that the code is safe. A stolen signing key or a compromised build pipeline produces correctly signed malware, so the revocation status of the signing certificate and the reputation of the signer still matter.
Comparing the hash of the downloaded file with the hash published by the developer catches corruption or alteration in transit, but only if the published value itself arrives over a trusted channel (a signed checksum file, or a vendor page served over TLS that is separate from the download mirror). An attacker who can replace a download on a mirror can usually replace an unsigned checksum posted next to it, so the hash comparison complements the signature rather than replacing it.
Digital signatures provide: (Select 3 answers)
Integrity
Authentication
Confidentiality
Authorization
Non-repudiation
Accounting
Digital signatures provide:
Integrity: Digital signatures ensure that the data or content has not been altered since it was signed. Any modification to the signed data, even a single bit, invalidates the signature.
Authentication: Digital signatures verify the origin of the data, confirming that the signature was generated by whoever holds the private key corresponding to the public key used for verification. A certificate binds that public key to a named entity, which is what turns “this key signed it” into “this person or organization signed it”.
Non-repudiation: Because only the holder of the private key could have produced the signature, the signer cannot credibly deny having signed the document or message. The signature serves as evidence of the signer’s intent, provided the private key was kept under the signer’s sole control.
Confidentiality is not on the list: a signature does not encrypt anything, and a signed message is readable by anyone. Authorization and accounting are access-control and audit functions that a signature may feed into but does not itself provide.
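The sign / verify / hash-check flow from the two cards above, as an added worked example (this code is not part of the original flashcards and is not any vendor’s signing tool). It uses textbook RSA over a SHA-256 digest, built only from the Python standard library so that every step is visible and it runs offline. Raw RSA without padding is not safe for production; real code should use RSA-PSS or Ed25519 from a vetted library. The “release” bytes and the published hash are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Added teaching example: textbook RSA signatures over a SHA-256 digest, standard
# library only. NOT production-safe (no padding scheme); it exists to make the
# sign / verify / published-hash steps concrete.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # witness proves n composite
    return True

def generate_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=2048):
    """Return ((n, e), (n, d)); the modulus n has roughly `bits` bits."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sha256_hex(data: bytes) -> str:
    """The 'published hash' step: what a developer posts next to a download."""
    return hashlib.sha256(data).hexdigest()

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)                       # only the holder of d can do this

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == expected       # anyone with (n, e) can check

def hash_matches(published_hex: str, downloaded: bytes) -> bool:
    # Constant-time comparison. The published value must come from a trusted
    # channel (signed, or a separate TLS page), or whoever swaps the download
    # can swap the checksum beside it too.
    return hmac.compare_digest(published_hex, sha256_hex(downloaded))

if __name__ == "__main__":
    release = b"installer v1.2.3 -- constructed sample bytes"   # stands in for a file
    pub, priv = generate_keypair(1024)      # small for speed; use 2048+ in practice
    sig = sign(priv, release)
    published = sha256_hex(release)
    print("signature valid:", verify(pub, release, sig))            # True
    print("hash matches:   ", hash_matches(published, release))     # True
    tampered = release + b"\x00"            # one appended byte
    print("tampered sig:   ", verify(pub, tampered, sig))           # False
    print("tampered hash:  ", hash_matches(published, tampered))    # False
```

Note that the signature is computed over the digest, not the file, which is why the hash function must be collision-resistant: if two different files hashed to the same value, a signature over one would verify over the other.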
True / False
In cryptography, the number of bits in a key used by a cryptographic algorithm is referred to as the key size or key length. The key length fixes the size of the key space (2^n possible keys for an n-bit key) and therefore the maximum work of a brute-force attack, so a longer key typically means stronger cryptographic security.
True.
In cryptography, the number of bits in a key used by a cryptographic algorithm is indeed referred to as the key size or key length.
Each additional bit doubles the number of candidate keys an exhaustive search must try, so a 128-bit key is 2^64 times harder to brute-force than a 64-bit key. Two caveats apply. Key length is only an upper bound: a design flaw or an implementation bug (a biased random number generator, a side channel, a reused nonce) can give an attacker a shortcut that makes the nominal key length irrelevant. And lengths are comparable only within one algorithm family: a 128-bit AES key, a 256-bit elliptic-curve key and a 3072-bit RSA key all offer roughly 128-bit security, because the best attacks on RSA and ECC are far better than brute force.
Key stretching
Key stretching is a technique used in cryptography to enhance the security of cryptographic keys, especially passwords, by making them more resistant to brute force and dictionary attacks.
Key stretching applies a deliberately slow function, typically a hash or a purpose-built key derivation function (KDF), to the password together with a random salt, feeding each output back into the next iteration for a configurable number of rounds. The result is a key of whatever length the caller needs; the word “stretching” refers to stretching the cost of computing it, not the length of the output.
The goal of key stretching is to raise the cost of each password guess by a large, tunable factor. A legitimate login pays that cost once; an attacker running a dictionary or brute-force search pays it for every candidate, so a function that takes 100 ms per guess reduces an attacker’s throughput by orders of magnitude compared with a plain hash. The work factor should be raised over time as hardware gets faster.
Bcrypt
Bcrypt is a password hashing function built on the Blowfish cipher. Its expensive step is the key schedule: the EksBlowfish setup mixes the salt and password into the cipher state 2^cost times, after which a fixed string is encrypted repeatedly to produce the hash. The cost parameter (often called the work factor) is therefore an exponent, so incrementing it by one doubles the time per hash; values around 10 to 12 are common today and can be raised as hardware improves. Bcrypt uses a 128-bit salt stored in its output string and only processes the first 72 bytes of the password, which matters for long passphrases. Its 4 KB working state makes it noticeably less GPU-friendly than PBKDF2, though less so than the memory-hard functions scrypt and Argon2.
DSA
DSA, or Digital Signature Algorithm, is a public-key algorithm for generating and verifying digital signatures.
It was standardized by the National Institute of Standards and Technology (NIST) in the Digital Signature Standard (DSS, FIPS 186). Its security rests on the difficulty of the discrete logarithm problem in a prime-order subgroup of a finite field.
The algorithm uses a pair of asymmetric keys: a private key for signing and a corresponding public key for signature verification. Each signature also needs a fresh, unpredictable per-message value k. If k is reused or biased, the private key can be recovered from the signatures, which is why deterministic nonce generation (RFC 6979) is recommended for DSA and its elliptic-curve variant ECDSA.
DSA signatures provide authenticity, integrity and non-repudiation: they confirm the identity of the signer, show that the signed data has not been altered, and prevent the signer from denying their involvement. The algorithm is now legacy. FIPS 186-5 (2023) no longer approves DSA for generating new signatures, only for verifying existing ones, and new systems use ECDSA, EdDSA or RSA instead.
ROT13
ROT13, short for “rotate by 13 places,” is a simple letter substitution (Caesar) cipher that replaces each letter with the letter 13 positions further along the alphabet, wrapping around after Z. Because the 26-letter alphabet is split exactly in half, shifting 13 forward and 13 backward are the same operation, so one function both encodes and decodes: applying ROT13 twice returns the original text. There is no key, which is why it is an encoding rather than encryption.
For example, applying ROT13 to the English alphabet:
A becomes N
B becomes O
C becomes P
ROT13 is often used for simple obfuscation or to hide text in plain sight, as it is a very weak encryption method that offers no real security. It is also sometimes used humorously for spoilers or to hide answers to puzzles.
Twofish
Twofish is a symmetric-key block cipher designed by Bruce Schneier and collaborators and submitted to the AES competition, where it was one of the five finalists. Although Rijndael was selected as the AES standard, Twofish remains unbroken and widely studied.
Twofish has a fixed 128-bit block size and accepts keys of 128, 192 or 256 bits. It is a 16-round Feistel network with key-dependent S-boxes, an MDS matrix for diffusion, and pre- and post-whitening of the data with key material. No practical attack on the full cipher is known.
The variable key size lets it be tuned to different security requirements, and the design lets implementations trade key-setup time against per-block speed. Twofish appears in disk and file encryption tools (TrueCrypt and VeraCrypt) and is one of the ciphers listed in the OpenPGP standard, but it lacks the hardware acceleration that AES enjoys on modern CPUs and is far less deployed than AES.
PBKDF2
PBKDF2, or Password-Based Key Derivation Function 2 (RFC 8018), derives cryptographic keys from passwords or passphrases. It applies a pseudorandom function, HMAC with a hash such as SHA-1 or SHA-256, to the password and a salt, and iterates it a configurable number of times (the iteration count, which is the function’s work factor); the output length is chosen by the caller. Each iteration raises the cost of testing one password guess, which slows brute-force and dictionary attacks.
PBKDF2 is widely supported across platforms and languages and accepted under FIPS 140, so it appears in password hashing, disk encryption (wrapping a volume key derived from a passphrase) and protocols such as WPA2-PSK. Its weakness is that it needs almost no memory, so attackers can run enormous numbers of guesses in parallel on GPUs or ASICs; memory-hard functions such as scrypt and Argon2id were designed to remove that advantage and are preferred where available. When PBKDF2 is used, choose HMAC-SHA256, a unique random salt per password, and an iteration count in the hundreds of thousands (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256), and raise the count over time.
Which of the following answers refers to a type of additional input that increases password complexity and provides better protection against brute-force, dictionary, and rainbow table attacks?
Seed
IV
Salt
Shim
Salt. A salt is a random value, generated per password and stored in the clear next to the hash, that is combined with the password before hashing. It does not make the password itself any stronger; what it does is make every stored hash unique, so precomputed rainbow tables are useless, identical passwords in the same database hash to different values, and an attacker has to attack each hash separately instead of testing one guess against all of them at once. A salt of 16 random bytes is typical, and it belongs together with a slow key derivation function (bcrypt, PBKDF2, scrypt, Argon2) that makes each guess expensive.
Seed: A starting point for generating pseudorandom numbers in cryptographic algorithms. It is not directly related to password complexity or protection against brute-force attacks.
IV (Initialization Vector): A random value used in cryptographic algorithms, particularly block ciphers in modes like CBC (Cipher Block Chaining), to ensure that identical plaintext blocks encrypt to different ciphertext blocks. While IVs are important for encryption, they are not specifically used to increase password complexity.
Shim: In the context of software development, a shim is a small piece of code that facilitates compatibility between different software components. It is not related to password complexity or protection against brute-force attacks.
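The key stretching, PBKDF2 and salt cards above in working code, as an added example (not from the original flashcards and not any framework’s built-in password hasher). It uses the standard library’s PBKDF2-HMAC-SHA256 with a fresh random salt per password and stores the parameters in the record so the iteration count can be raised later. The 600,000 iteration default follows the current OWASP recommendation for PBKDF2-HMAC-SHA256; the record format `pbkdf2-sha256$iterations$salt$hash` is this example’s own convention, not a standard.

```python
import hashlib
import hmac
import os
import time

# Added example: salted, stretched password storage with PBKDF2-HMAC-SHA256.
# Standard library only. Prefer Argon2id or scrypt where available.

ITERATIONS = 600_000      # OWASP figure for PBKDF2-HMAC-SHA256; raise over time
SALT_BYTES = 16
DK_LEN = 32

def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, DK_LEN)

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(SALT_BYTES)                 # fresh random salt per password
    dk = derive_key(password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported record format")
    dk = derive_key(password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare

def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """Stored records keep their own work factor; upgrade on the next good login."""
    return int(record.split("$")[1]) < target_iterations

def cost_seconds(iterations: int) -> float:
    """Wall-clock cost of one derivation, i.e. the price of one attacker guess."""
    start = time.perf_counter()
    derive_key(b"benchmark", bytes(SALT_BYTES), iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("same password, different records:", rec1 != rec2)     # True: salts differ
    print("verify correct:", verify_password(pw, rec1))           # True
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec1))  # False
    legacy = hash_password("old-account", iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))    # True
    for it in (1_000, 100_000, ITERATIONS):
        print(f"{it:>8} iterations: {cost_seconds(it):.3f}s")      # cost grows linearly
```

The salt is stored in plaintext in the record on purpose: its job is uniqueness, not secrecy. The timing loop at the end shows what the work factor buys: the per-guess cost scales linearly with the iteration count, and that is the only lever PBKDF2 has, since it uses almost no memory.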
Elliptic Curve Cryptography (ECC)
Elliptic Curve Cryptography (ECC) is a family of public-key algorithms based on the arithmetic of elliptic curves over finite fields. It provides key agreement, digital signatures and (less commonly) encryption with much smaller keys than RSA for the same security level.
ECC relies on the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a base point P and a point Q = kP on the curve, recover the scalar k. The best known generic attacks (Pollard’s rho) take about sqrt(n) operations for a subgroup of order n, so a 256-bit curve such as P-256 or Curve25519 gives roughly 128 bits of security, comparable to a 3072-bit RSA key.
ECC’s main advantage is efficiency: shorter keys, smaller signatures and faster operations for the same security, which suits constrained environments such as mobile and IoT devices, and ephemeral ECDH (ECDHE) makes forward secrecy cheap enough that TLS 1.3 requires it. ECC is not resistant to quantum attacks: Shor’s algorithm solves the ECDLP on a sufficiently large quantum computer, and because the underlying numbers are smaller than RSA’s, ECC keys would fall first. The answer to that threat is migration to post-quantum algorithms (ML-KEM and ML-DSA, standardized in FIPS 203 and 204), not larger curves.
ECC is an asymmetric (public-key) system: the private key is a scalar and the public key is a point on the curve. In practice it is used mostly for key agreement (ECDH, X25519) and signatures (ECDSA, Ed25519) rather than for encrypting data directly; bulk data is encrypted with a symmetric cipher under a key agreed via ECDH.
Asymmetric vs symmetric encryption
Symmetric encryption: In symmetric encryption, the same key is used for both encryption and decryption of data. This means that the sender and receiver must share a secret key in advance. Symmetric encryption algorithms are typically fast and efficient, making them well-suited for encrypting large volumes of data. However, the challenge lies in securely sharing the secret key between the communicating parties, especially over insecure channels.
Asymmetric encryption: In asymmetric encryption, also known as public-key encryption, two mathematically related keys are used: a public key for encryption and a private key for decryption (for signatures the roles are reversed: the private key signs and the public key verifies). The public key can be freely distributed, while the private key is kept secret. This solves the key distribution problem of symmetric encryption, since nothing secret has to be shared in advance, but it creates a new one: the recipient must be sure the public key really belongs to the intended party, which is what certificates and PKI address. Asymmetric algorithms are far slower than symmetric ones and can only encrypt small inputs, so they are used to exchange or wrap keys and to sign, not to encrypt bulk data.
In practice the two are combined. In TLS, for example, an asymmetric key exchange (ECDHE) establishes a shared secret, an asymmetric signature authenticates the server, and the bulk traffic is encrypted with a symmetric AEAD cipher such as AES-GCM under session keys derived from that secret.
ECB
ECB stands for Electronic Codebook Mode, which is a basic mode of operation for block ciphers in cryptography. In ECB mode, each block of plaintext is encrypted independently using the same encryption key, resulting in a one-to-one mapping between plaintext blocks and ciphertext blocks.
While ECB mode is simple and easy to implement, it has a fundamental flaw: identical plaintext blocks always encrypt to identical ciphertext blocks, wherever they appear, so the structure of the plaintext shows through the ciphertext (the “ECB penguin” image, where the outline of the picture survives encryption, is the classic demonstration). An attacker can also cut, reorder or duplicate ciphertext blocks, and because no block cipher mode provides integrity on its own, such edits go unnoticed unless a MAC is added.
ECB should not be used for anything beyond a single block of uniformly random data (for instance a raw key), and most code-review and static-analysis rules flag it. Use an authenticated mode such as AES-GCM or ChaCha20-Poly1305 instead; if CBC is used, pair it with a MAC and an unpredictable IV.
PFS
PFS stands for Perfect Forward Secrecy, a property of cryptographic systems that ensures that the compromise of long-term secret keys does not compromise the confidentiality of past communications.
In systems with PFS, even if an attacker were to gain access to the long-term secret keys used to establish communication, they would not be able to decrypt past encrypted communications.
PFS is achieved with ephemeral key exchange: each session runs a fresh (EC)DH exchange with randomly generated, single-use private values, and the long-term keys are used only to sign or otherwise authenticate those ephemeral values. The session keys derived from the exchange are neither encrypted under nor derived from the long-term keys, and the ephemeral private values are discarded as soon as the session keys exist. An attacker who later obtains the long-term key can impersonate the party going forward, but cannot reconstruct the discarded values and so cannot decrypt recorded sessions.
PFS is considered an essential property in modern protocols; TLS 1.3 removed the static RSA key exchange and mandates ephemeral (EC)DHE for exactly this reason, and Signal’s ratcheting extends the idea to every message. Forward secrecy does not protect a session whose own ephemeral or session keys are captured while it is live, and it is undone by logging session keys or by long-lived resumption tickets encrypted under a static key.
EFS
EFS typically refers to Encrypting File System, a feature built into the Microsoft Windows operating system that provides filesystem-level encryption for protecting sensitive data stored on disk. With EFS, individual files or directories can be encrypted using symmetric encryption algorithms, and access to the encrypted data is controlled using public-key cryptography.
When a file or directory is encrypted using EFS, a unique file encryption key (FEK) is generated, and this FEK is then encrypted using the public key of the user who encrypted the file. The encrypted FEK is stored alongside the encrypted file on disk. To decrypt the file, the user’s private key is used to decrypt the FEK, which can then be used to decrypt the file itself.
EFS provides a convenient way to encrypt sensitive files and folders on Windows systems without additional software, and it works alongside existing NTFS permissions so that only the users whose certificates were used to wrap the FEK (plus any designated recovery agent, which holds a second copy of the FEK) can decrypt the data. Its limits follow from its key management: the user’s EFS private key is protected by DPAPI under the user’s logon credentials, so anyone who knows the user’s password and can log on as that user, or any malware running in the user’s session, reads the files transparently. EFS also leaves file names and metadata in the clear and does not encrypt the whole volume, so it is usually combined with full-disk encryption such as BitLocker and with the usual access controls rather than relied on alone.
PFX
PFX stands for Personal Information Exchange; the format is standardized as PKCS #12 (RFC 7292), and .pfx and .p12 files are the same thing. A PFX file bundles a private key with its certificate (and usually the issuing chain) into a single password-protected archive, which is why it is the usual way to move a key and certificate between systems, for example from the machine where a CSR was generated to the web server or load balancer that will use it.
PFX files appear wherever keys and certificates have to be deployed together: web and mail servers, client certificates for mutual TLS, and code-signing setups. Because a PFX contains the private key, it must be handled as a secret: keep it out of source repositories and shared drives, use a strong export password, and prefer modern protection when exporting (older tools default to weak RC2-40/3DES encryption of the contents, while OpenSSL 3 defaults to AES-256-CBC with PBKDF2). Where only the certificate needs to be shared, export a .cer or .pem without the key instead.
Quantum cryptography
Quantum cryptography is a branch of cryptography that utilizes principles from quantum mechanics to provide secure communication channels between parties. Unlike classical cryptography, which relies on mathematical algorithms, quantum cryptography leverages the inherent properties of quantum mechanics to achieve secure communication.
One of the key principles of quantum cryptography is the use of quantum key distribution (QKD) protocols, which enable two parties to securely generate and exchange cryptographic keys. QKD protocols typically involve the transmission of quantum bits (qubits) over a quantum communication channel, such as optical fibers or free space, between a sender (Alice) and a receiver (Bob).
The security of quantum cryptography is based on the fundamental properties of quantum mechanics, such as the Heisenberg uncertainty principle and the no-cloning theorem. These principles ensure that any attempt by an eavesdropper (Eve) to intercept or measure the qubits will disrupt the quantum state of the particles, thereby alerting Alice and Bob to the presence of an attacker.
Quantum key distribution offers something classical cryptography cannot: a security argument for the key exchange that rests on physics rather than on computational assumptions, and detection of eavesdropping as it happens, which also makes it immune to a future quantum computer. Its limits matter in practice. QKD only distributes keys; the data is still encrypted with a classical cipher, and the classical channel used for basis reconciliation must be authenticated, which requires a pre-shared key or ordinary cryptography. The security proofs assume ideal devices, and real implementations have been attacked through their hardware (photon-number splitting, detector blinding). Range is limited by loss in fibre or free space, and the equipment is specialized and costly. QKD is also distinct from post-quantum cryptography, which uses ordinary algorithms chosen to resist quantum computers and is what most organizations are deploying against the quantum threat.
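The BB84 protocol described above (Alice, Bob, an eavesdropper Eve, and the disturbance that exposes her), as an added classical simulation that is not part of the original flashcards and does not model any real QKD product. Each qubit is represented as a (bit, basis) pair, and the only quantum rule simulated is that measuring in the wrong basis yields a uniformly random bit. The abort threshold of about 11% is the commonly cited limit above which BB84 cannot distill a secure key; the number of qubits and the seed are arbitrary choices for the demo.

```python
import random

# Added example: classical simulation of BB84 quantum key distribution.
# A qubit is (bit, basis). Measuring in the preparing basis returns the bit;
# measuring in the other basis returns a random bit. That rule is all BB84 needs.

RECT, DIAG = 0, 1          # rectilinear (+) and diagonal (x) bases
QBER_ABORT = 0.11          # above roughly 11% no secure key can be distilled

def measure(qubit, basis, rng):
    bit, prepared_in = qubit
    return bit if basis == prepared_in else rng.randrange(2)

def bb84(n, eve_present, seed=1):
    """Run one BB84 session; return (qber, alice_key, bob_key, aborted)."""
    rng = random.Random(seed)                   # seeded so the demo is repeatable
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    qubits = list(zip(alice_bits, alice_bases))  # what travels on the quantum channel
    if eve_present:
        # Intercept-resend: Eve guesses a basis, measures, and re-sends what she saw.
        # Half her guesses are wrong, and each wrong guess randomizes the state
        # Bob receives; that disturbance is what the protocol detects.
        eve_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
        qubits = [(measure(q, b, rng), b) for q, b in zip(qubits, eve_bases)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]
    # Sifting over the (authenticated) classical channel: keep the positions
    # where Alice's and Bob's bases agree; about half the qubits survive.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Sacrifice a random quarter of the sifted bits to estimate the error rate.
    check = set(rng.sample(sifted, len(sifted) // 4))
    errors = sum(alice_bits[i] != bob_bits[i] for i in check)
    qber = errors / len(check) if check else 0.0
    alice_key = [alice_bits[i] for i in sifted if i not in check]
    bob_key = [bob_bits[i] for i in sifted if i not in check]
    return qber, alice_key, bob_key, qber > QBER_ABORT

if __name__ == "__main__":
    for eve in (False, True):
        qber, ka, kb, aborted = bb84(4000, eve)
        print(f"eve={eve}: QBER={qber:.3f} keys match={ka == kb} aborted={aborted}")
```

Without Eve the measured error rate is zero and the two keys agree. With intercept-resend, Eve guesses the wrong basis half the time and each wrong guess gives Bob a random bit half the time, so the error rate on the check bits lands near 25%, far above the abort threshold. The simulation also makes the caveat above visible: the sifting step is a public conversation, and if an attacker could impersonate Alice on that classical channel the physics would not help.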
ephemeral vs static keys
Ephemeral keys: Also known as temporary keys, ephemeral keys are short-lived cryptographic keys that are generated for each session or communication. These keys are typically randomly generated and used only for a single instance of encryption or authentication.
Ephemeral keys offer the advantage of forward secrecy, meaning that even if an attacker were to compromise the key used for one session, they would not be able to decrypt past or future communications. Ephemeral keys are commonly used in protocols like Diffie-Hellman key exchange and session-based encryption algorithms like TLS (Transport Layer Security).
Static keys: In contrast, static keys are long-term cryptographic keys that stay the same over time and are reused across many sessions: a server’s TLS certificate key, an SSH host key, a code-signing key. They are generated once, stored securely (ideally in an HSM or TPM), and serve as the identity of an entity. Used directly for key exchange or encryption they lack forward secrecy, since compromising the key exposes every session ever protected under it. The standard design therefore uses the static key only to authenticate, by signing the ephemeral values, and the ephemeral keys to protect the data; static symmetric keys are acceptable where data is encrypted at rest under a key that can be rotated and re-wrapped.
In summary, ephemeral keys provide forward secrecy and are used for short-lived sessions or communications, while static keys offer simplicity and are used for long-term cryptographic operations or identities. The choice between ephemeral and static keys depends on the specific security requirements and constraints of the application or protocol being used.
Session key
A session key is a temporary cryptographic key used to encrypt and decrypt data exchanged during a communication session between two parties. Unlike long-term keys, which remain constant over time, session keys are generated dynamically for each session and are typically short-lived.
Session keys are commonly used in cryptographic protocols to provide confidentiality, integrity, and sometimes authentication for data exchanged during a communication session. They are often generated using key exchange protocols such as Diffie-Hellman key exchange or derived from a master key using a key derivation function.
The use of session keys offers several advantages:
Forward secrecy: Because each session key is independent and discarded afterwards, compromising one session key exposes only that session, not past or future ones.
Reduced exposure: Session keys live for minutes or hours rather than years, which shrinks the window in which a captured key is useful.
Bounded key use: Every cipher and mode has a limit on how much data may be processed under one key and nonce space (the birthday bound, and for AES-GCM the nonce-reuse risk). Per-session keys, and rekeying within long sessions, keep usage well inside those limits.
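The PFS, ephemeral-vs-static and session-key cards above, as one added worked example (this is not code from the original flashcards or from any protocol implementation). It runs finite-field Diffie-Hellman twice, once with reused long-term exponents and once with per-session ephemeral ones, derives session keys with HKDF (RFC 5869), and then plays the attacker who steals the long-term exponent afterwards. The group parameters are an assumption made for the demo: p = 2^521 - 1 (a Mersenne prime) and g = 5 are used only so the script runs offline without pasting a standard group; real protocols use an RFC 7919 ffdhe group or X25519 and sign the ephemeral values with the long-term key, a step not modelled here.

```python
import hashlib
import hmac
import secrets

# Added example: static vs ephemeral Diffie-Hellman and what a later key
# compromise yields. Toy group (Mersenne prime, g = 5) chosen only to run offline.

P = (1 << 521) - 1
G = 5
P_BYTES = (P.bit_length() + 7) // 8

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256: extract a PRK from the shared secret, then expand to `length` bytes."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + t, counter + 1
    return okm[:length]

def keypair():
    priv = secrets.randbelow(P - 2) + 1           # private exponent in [1, p-2]
    return priv, pow(G, priv, P)

def transcript(a_pub: int, b_pub: int) -> bytes:
    return a_pub.to_bytes(P_BYTES, "big") + b_pub.to_bytes(P_BYTES, "big")

def session_key(my_priv: int, peer_pub: int, tr: bytes) -> bytes:
    shared = pow(peer_pub, my_priv, P).to_bytes(P_BYTES, "big")   # g^(ab) mod p
    return hkdf(b"", shared, b"toy-dh session key" + tr)          # bind to transcript

def static_dh_sessions(a_priv: int, a_pub: int, n: int):
    """Alice reuses her long-term exponent for key exchange; so does Bob."""
    b_priv, b_pub = keypair()
    recorded, keys = [], []
    for _ in range(n):
        recorded.append((a_pub, b_pub))           # what a passive attacker captures
        keys.append(session_key(a_priv, b_pub, transcript(a_pub, b_pub)))
    return recorded, keys

def ephemeral_dh_sessions(n: int):
    """Fresh exponents per session, dropped as soon as the session key exists."""
    recorded, keys = [], []
    for _ in range(n):
        a_priv, a_pub = keypair()
        b_priv, b_pub = keypair()
        tr = transcript(a_pub, b_pub)
        k = session_key(a_priv, b_pub, tr)
        assert k == session_key(b_priv, a_pub, tr)   # both sides agree on the key
        recorded.append((a_pub, b_pub))
        keys.append(k)
        del a_priv, b_priv                            # ephemeral secrets not retained
    return recorded, keys

def attacker_recovers(stolen_priv: int, recorded) -> list:
    """Later compromise of a long-term exponent, replayed against captured transcripts."""
    return [session_key(stolen_priv, b_pub, transcript(a_pub, b_pub))
            for a_pub, b_pub in recorded]

if __name__ == "__main__":
    a_long_priv, a_long_pub = keypair()               # Alice's long-term key
    rec, keys = static_dh_sessions(a_long_priv, a_long_pub, 3)
    print("static:    distinct keys =", len(set(keys)))                                  # 1
    print("static:    attacker recovers all =", attacker_recovers(a_long_priv, rec) == keys)  # True
    rec, keys = ephemeral_dh_sessions(3)
    guesses = attacker_recovers(a_long_priv, rec)
    print("ephemeral: distinct keys =", len(set(keys)))                                  # 3
    print("ephemeral: attacker recovers any =", any(g == k for g, k in zip(guesses, keys)))  # False
```

Two design points are worth noticing. The transcript (both public values) is mixed into the HKDF info so that the derived key is bound to this particular exchange, which is what real protocols do to stop a captured value being replayed in another session. And the ephemeral exponents are deleted right after derivation: forward secrecy is a property of what the parties retain, not just of what they compute.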
Blockchain
The term “blockchain” refers to a decentralized digital ledger system that records transactions across multiple computers in a peer-to-peer (P2P) network. Each transaction is recorded in a “block,” which is then linked to previous blocks in a chain-like structure, hence the name “blockchain.” This distributed ledger is maintained by a network of nodes (computers) that validate and record transactions using a consensus mechanism. The decentralized nature of blockchain ensures transparency, immutability, and security, making it suitable for various applications such as cryptocurrency transactions, supply chain management, and digital identity verification.
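The hash-linked structure described above, as an added minimal ledger (this is constructed teaching code, not part of the original flashcards and not any cryptocurrency’s implementation). It models blocks and links only, with no consensus or networking, so it shows exactly what hashing alone does and does not guarantee: an edit to an old block is detected, but an attacker who can recompute every later block can hide it. The transaction strings are constructed sample data.

```python
import hashlib
import json

# Added example: a minimal hash-linked chain. Each block stores the hash of its
# predecessor, so changing any block invalidates every block after it.

def block_hash(block: dict) -> str:
    # Hash every field except the stored hash itself, with a canonical encoding.
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_block(index: int, prev_hash: str, transactions: list) -> dict:
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    return block

def build_chain(batches: list) -> list:
    chain = [make_block(0, "0" * 64, [])]                 # genesis block
    for txs in batches:
        chain.append(make_block(len(chain), chain[-1]["hash"], txs))
    return chain

def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad block)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i                                # contents changed
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, i                                # link to predecessor broken
    return True, None

def rewrite_from(chain: list, start: int) -> None:
    """What an attacker must do to hide an edit: recompute every later block."""
    for i in range(start, len(chain)):
        if i > 0:
            chain[i]["prev_hash"] = chain[i - 1]["hash"]
        chain[i]["hash"] = block_hash(chain[i])

if __name__ == "__main__":
    chain = build_chain([["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]])
    print("intact:", verify_chain(chain))                   # (True, None)
    chain[1]["transactions"][0] = "alice->bob 500"          # tamper with history
    print("after edit:", verify_chain(chain))               # (False, 1)
    chain[1]["hash"] = block_hash(chain[1])                 # fix only that block
    print("after rehash of block 1:", verify_chain(chain))  # (False, 2): link broken
    rewrite_from(chain, 1)                                  # recompute the whole tail
    print("after full rewrite:", verify_chain(chain))       # (True, None)
```

The last step is the point: hashing makes tampering evident, not impossible. In a real blockchain the full rewrite is what proof-of-work or another consensus mechanism makes prohibitively expensive, and what the other nodes, holding their own copies, refuse to accept. Immutability comes from that combination, not from the hash links alone.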
stream cipher vs block cipher
Stream ciphers and block ciphers are two essential cryptographic techniques with distinct characteristics and applications.
Stream ciphers generate a pseudorandom keystream from a key and a nonce and XOR it with the plaintext one bit or byte at a time, so they handle data of any length with no padding and suit real-time traffic. Examples include RC4 (now broken and removed from TLS), ChaCha20, and any block cipher run in CTR mode, which turns it into a keystream generator. The one inviolable rule for a stream cipher is that a key and nonce pair must never be reused: XORing two ciphertexts produced under the same keystream cancels the keystream and leaks the XOR of the two plaintexts.
Block ciphers encrypt fixed-size blocks of plaintext, typically 64 or 128 bits, one block at a time under a secret key, producing a ciphertext block of the same size. Messages of arbitrary length are handled by a mode of operation (ECB, CBC, CTR, GCM) that defines how the blocks are chained and, where necessary, padded. Examples include DES (64-bit block, obsolete), AES (128-bit block), Blowfish and Twofish.
Overall, stream ciphers excel at encrypting data streams in real-time, while block ciphers offer flexibility and versatility in encrypting fixed-size blocks of data and are widely used in cryptographic protocols and applications. The choice between stream ciphers and block ciphers depends on the specific security requirements and constraints of the application at hand.
Block cipher modes: CBC, ECB, CTR, GCM
CBC (Cipher Block Chaining) mode XORs each plaintext block with the previous ciphertext block before encryption (the first block is XORed with an unpredictable IV), so each ciphertext block depends on all preceding plaintext blocks and identical plaintext blocks no longer produce identical ciphertext. Encryption is inherently sequential; decryption can be parallelized, since each plaintext block needs only two ciphertext blocks. CBC requires padding, and a receiver that reveals whether padding was valid turns into a padding oracle that recovers plaintext. It provides no integrity on its own and must be paired with a MAC.
ECB (Electronic Codebook) mode encrypts each plaintext block independently with the same key, which is simple and parallel but leaks plaintext patterns, since equal blocks give equal ciphertext, and lets an attacker reorder or substitute blocks undetected. ECB is not recommended for anything beyond a single random block.
CTR (Counter) mode turns a block cipher into a stream cipher: it encrypts a nonce concatenated with an incrementing counter and XORs the resulting keystream with the data. Encryption and decryption are the same operation, need no padding and parallelize freely. CTR provides confidentiality only: flipping a ciphertext bit flips the corresponding plaintext bit without detection, so it must be combined with a MAC, and a nonce must never be reused under the same key, because two messages encrypted with the same keystream leak their XOR. CTR is the core of GCM and appears in TLS and VPN protocols; full-disk encryption typically uses a dedicated mode such as XTS instead.
GCM (Galois/Counter Mode) combines CTR encryption with GHASH, a universal hash computed by polynomial multiplication in GF(2^128) over the ciphertext and any additional authenticated data, to produce a single authentication tag. It delivers confidentiality and integrity in one pass, parallelizes like CTR, and is the dominant AEAD mode in TLS. Its main operational hazard is nonce reuse: encrypting two messages under the same key and 96-bit nonce leaks the keystream XOR and the GHASH key, after which an attacker can forge tags.
Which of the block cipher modes listed below provides both data integrity and confidentiality?
CBC
GCM
ECB
CTR
GCM (Galois/Counter Mode) provides both data integrity and confidentiality through its combination of counter mode (CTR) encryption with a polynomial authentication tag.
Confidentiality: GCM encrypts plaintext data using counter mode (CTR), which allows for parallel encryption and decryption of multiple blocks. This ensures efficient and secure encryption of data while maintaining confidentiality.
Data integrity: GCM computes one authentication tag over the entire ciphertext (and over any additional authenticated data, such as a header that is sent in the clear) using GHASH, a polynomial hash over GF(2^128). The receiver recomputes the tag and rejects the message before releasing any plaintext if it does not match, so modification, truncation or reordering of the ciphertext is detected. The other three modes listed provide confidentiality only and need a separate MAC for integrity.
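The ECB, block-mode and GCM cards above in one added worked example (not code from the original flashcards and not a real cipher implementation). The block cipher is a toy 4-round Feistel network whose round function is HMAC-SHA256; it is invertible and has a 16-byte block, which is all the modes need, but it is not a vetted primitive and exists only so the behaviour of the modes can be observed offline. ECB, CBC and CTR are built on it, the ECB leak and CTR malleability are shown directly, and an encrypt-then-MAC wrapper stands in for the confidentiality-plus-integrity split that GCM gets from CTR plus GHASH. The plaintext, keys and nonce are constructed sample values; use AES-GCM or ChaCha20-Poly1305 from a library in practice.

```python
import hashlib
import hmac
import os

# Added example: block cipher modes over a toy Feistel cipher. NOT a real cipher;
# it only makes the mode behaviour (ECB leak, CTR malleability, MAC) observable.

BLOCK = 16
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:   # keyed PRF, half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:      # 4-round Feistel network
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:      # same rounds in reverse
    l, r = block[HALF:], block[:HALF]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def _pad(data: bytes) -> bytes:                            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(pt)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(_pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))           # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return _unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = E(8-byte nonce || 8-byte counter); no padding, decrypts itself."""
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        out += _xor(chunk, block_encrypt(key, nonce + i.to_bytes(8, "big")))
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: the ECB leak, counted."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))

def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: CTR plus one HMAC tag over nonce||ciphertext."""
    ct = ctr_crypt(enc_key, nonce, pt)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def etm_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")          # reject before decrypting
    return ctr_crypt(enc_key, nonce, ct)

if __name__ == "__main__":
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    pt = b"ATTACK AT DAWN!!" * 4                 # four identical 16-byte blocks (constructed)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))                 # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, os.urandom(16), pt))) # 0
    ct = ctr_crypt(key, nonce, pt)
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]     # attacker flips one ciphertext bit
    print("CTR first byte after flip:", ctr_crypt(key, nonce, flipped)[:1])  # b'@', undetected
    blob = etm_encrypt(key, mac_key, nonce, pt)
    try:
        etm_decrypt(key, mac_key, nonce, bytes([blob[0] ^ 0x01]) + blob[1:])
    except ValueError as e:
        print("with MAC:", e)                    # authentication failed
```

Three things to take from the run: ECB’s duplicate-block count is the pattern leak the card describes, CBC under a random IV shows none, and the CTR bit flip turns an ‘A’ into ‘@’ with nothing to alert the receiver until a MAC is checked first. Checking the tag before decrypting, with a constant-time comparison, is the same discipline GCM enforces.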
A type of encryption scheme where the same key is used to encrypt and decrypt data is referred to as: (Select 3 answers)
Session-key encryption
Public-key encryption
Symmetric encryption
Asymmetric encryption
Secret-key encryption
The correct answers are:
Symmetric encryption
Secret-key encryption
Session-key encryption
Symmetric encryption, secret-key encryption, and session-key encryption all refer to the same type of encryption scheme where the same key is used for both encryption and decryption of data. In this scheme, a single secret key is shared between the communicating parties, and this key is used to both encrypt plaintext data into ciphertext and decrypt ciphertext back into plaintext.
Symmetric encryption is the most commonly used encryption technique for securing data transmission and storage due to its efficiency and simplicity. Because the same key is used for both encryption and decryption, symmetric encryption algorithms typically offer faster processing speeds and lower computational overhead compared to asymmetric encryption algorithms, which require separate keys for encryption and decryption.
Secret-key encryption emphasizes the concept that the encryption key must remain secret and known only to the communicating parties. This ensures that only authorized parties with access to the secret key can decrypt the ciphertext and access the original plaintext data.
Session-key encryption refers to the practice of using a unique symmetric key for each communication session. While the underlying encryption algorithm may remain the same, a different session key is generated for each session, providing forward secrecy and enhancing security by limiting the impact of key compromise to a single session.