Cryptography

Question 1

Cross-certification

Answer 1

used to establish trust between different PKIs and build an overall PKI hierarchy.

Cross certification allows users to validate each other’s certificate when they are certified under different certification hierarchies.

Cross certification does not check the authenticity of the certificates in the certification path.

Question 2

certification path validation

Answer 2

check the authenticity of the certificates in the certification path

Question 3

What are the three main issues with key management?

Answer 3

key recovery, key storage, and key change

Question 4

Which key should you use to ensure confidentiality of an e-mail message?

Answer 4

the receiver’s public key

Question 5

What are the three purposes of ElGamal?

Answer 5

digital signatures, encryption of data, and key exchange

Question 6

What does a digital signature provide?

Answer 6

non-repudiation for e-mail

Question 7

Which security standard sets security standards for hardware and software cryptographic modules?

Answer 7

FIPS-140

Question 8

To which type of attack is the Diffie-Hellman algorithm susceptible?

Answer 8

man-in-the-middle attacks

Question 9

What is contained within an X.509 CRL?

Answer 9

a list of serial numbers of unexpired or revoked digital certificates that should be considered invalid

Question 10

AES - MixColums

Answer 10

provides diffusion by mixing the columns of the state via finite field mathematics.

Question 11

AES - SubRows

Answer 11

provides diffusion by shifting rows (row of blocks) of the state.

Question 12

AES - SubBytes

Answer 12

provides confusion by substituting the bytes of the state.

Question 13

AES - AddRoundKey

Answer 13

is the final function applied in each round. It XORs the state with the subkey.

Question 14

Electronic Code Book (ECB)

Answer 14

• is the simplest and weakest form of DES.
• Block mode
• It uses no initialization vector or chaining.
• Each block is encrypted independently.
• Two plaintexts with partial identical portions (such as the header of a letter) encrypted with the same key will have partial identical ciphertext portions.
• Used in small amount of data such as ATM PINS.

Question 15

Cipher Feedback (CFB)

Answer 15

• a stream mode (usually 8-bits). The first 8 bits that come from the algorithm are then XORed with the first 8 bits of the plaintext (the first segment).
• Each 8-bit segment is then transmitted to the receiver and also fed back into the shift register.
• It uses feedback (the name for chaining when used in stream modes) to destroy patterns.
• Like CBC, CFB uses an initialization vector and destroys patterns, and errors propagate.

Question 16

Cipher Block Chaining (CBC)

Answer 16

• a block mode that XORs the previous encrypted block of ciphertext to the next block of plaintext to be encrypted.
• The first encrypted block is an initialization vector.
• This “chaining” the result of encrypting one block of data is fed back into the process to encrypt the next block of data.
• This “chaining” destroys patterns and encryption errors will propagate

Question 17

Output Feedback (OFB)

Answer 17

• A stream mode of DES that uses portions of the key for feedback.
• errors will not propagate.
• This does pose some storage complications, especially if it were to be used in a high-speed link.

Question 18

Counter (CTR) mode

Answer 18

• a counter—a 64-bit random data block—is used as the first IV for feedback.
• every subsequent block, the counter is incremented by
• The counter is then encrypted just as in OFB, and the result is used as a keystream and XORed with the plaintext.
  Because the keystream is independent from the message, it is possible to process several blocks of data at the same time, thus speeding up the throughput of the algorithm.
• used in high-speed applications such as IPSec and ATM.

Question 19

principal

Answer 19

any entity that possesses a public key

Question 20

verifier

Answer 20

an entity that verifies a public key chain.

Question 21

subject

Answer 21

an entity that seeks to have a certificate validated.

Question 22

Trust anchor

Answer 22

is a public key that verifies the certificate used in a digital signature.

Question 23

Symmetric algorithms

Answer 23

DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent

Question 24

Asymmetric algorithms

Answer 24

Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero

Question 25

Hash collision

Answer 25

creates an identical hash for two different plaintext.

Question 26

Simple Key-management for Internet Protocols (SKIP)

Answer 26

a key distribution protocol such as the Diffie-Hellman algorithm, which uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

SKIP is similar to SSL, except that it requires no prior communication in order to establish or exchange keys on a session-by-session basis.

Question 27

Rijndael

Answer 27

a symmetric block cipher algorithm that uses variable block lengths and variable key lengths. It supports 128, 192, and 256 bits.

Question 28

How PGP provides secrity ?

Answer 28

o Confidentiality through the International Data Encryption Algorithm (IDEA) (symmetric).
o Integrity through the MD5 hashing algorithm.
o Authentication through public key certificates.
o Nonrepudiation through encrypted signed messages.

Question 29

What is Collision?

Answer 29

Two or more plaintexts that generate the same hash.

Question 30

What is Collusion?

Answer 30

An agreement between two or more individuals to subvert the security of a system.

Question 31

S/MIME

Answer 31

Secure/Multipurpose Internet Mail Extensions—Leverages PKI to encrypt and authenticate MIME-encoded email.

Question 32

SIGABA

Answer 32

Rotor machine used by the United States through World War II into the 1950s.

Question 33

Purple

Answer 33

Allied name for the stepping-switch encryption device used by Japanese Axis powers during World War II.

Question 34

Engima

Answer 34

Rotor machine used by German Axis powers during World War II.

Question 35

Known-plaintext

Answer 35

the attacker has access to both the ciphertext and the plaintext versions of the same message to find the key.

Question 36

Chosen-plaintext attack

Answer 36

the attacker knows the algorithm used or have access to the machine used to determine the key.

Question 37

Adaptive-chosen plaintext

Answer 37

attacker can modify the chosen input files to see what effect that would have on the resulting ciphertext.

Question 38

Chosen-ciphertext attacks

Answer 38

cryptanalyst chooses the ciphertext to be decrypted with the help of a decryption oracle.

Usually launched against asymmetric cryptosystems, where the cryptanalyst may choose public documents to decrypt that are signed (encrypted) with a user’s public key.

Question 39

Adaptive-chosen ciphertext

Answer 39

begins with a chosen ciphertext attack in round 1. The cryptanalyst then “adapts” further rounds of decryption based on the previous round.

Question 40

ciphertext-only attack

Answer 40

to discover the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages

Question 41

A message can be encrypted

Answer 41

provides confidentiality

Question 42

A message can be digitally signed

Answer 42

which provides authentication, nonrepudiation, and integrity.

Question 43

A message can be hashed

Answer 43

which provides integrity.

Question 44

A message can be encrypted and digitally signed

Answer 44

which provides confidentiality, authentication, nonrepudiation, and integrity.

Question 45

What are the root protocols of IKE?

Answer 45

a combination of Internet Security Association and Key Management Protocol (ISAKMP) and Oakley

Question 46

What are the three components of an IPSec security association?

Answer 46

a Security Parameter Index (SPI), the identity of the security protocol (AH or ESP), and the destination IP address

Question 47

What is key clustering?

Answer 47

when two different keys encrypt a plaintext message and produces the same ciphertext

Question 48

Authentication include

Answer 48

include hash functions, digital signatures, and message authentication codes (MACs).

Cryptography supports all of the core principles of information security except authenticity.

Question 49

What is the purpose of embedding a timestamp within cipher text?

Answer 49

It will decrease the chance of the message being replayed.

Question 50

What is used by a payroll application program to ensure integrity while recording transactions for an accounting period?

Answer 50

time and date stamps

Question 51

What cryptology encompasses?

Answer 51

both cryptography and cryptanalysis.

Cryptology is the science of secure communications.

Question 52

what ANSI X9.17 is concerned with?

Answer 52

concerned primarily with protection and secrecy of keys.

Question 53

Confusion

Answer 53

means that the relationship between the plaintext and ciphertext should be as random as possible.

Question 54

Diffusion

Answer 54

means the order of the plaintext should be spread out in the ciphertext.

Question 55

Substitution

Answer 55

replaces one character for another; this provides confusion.

Question 56

Permutation (transposition)

Answer 56

provides diffusion by rearranging the characters of the plaintext.

Question 57

Monoalphabetic

Answer 57

uses one alphabet.A specific letter (e.g., “E”) is substituted for another (e.g., “X”).

Question 58

polyalphabetic ciphers

Answer 58

uses multiple alphabets: “E” may be substituted for “X” one round and then “S” the next round.

Question 59

Modular math

Answer 59

shows you what remains (the remainder) after division. It is sometimes called “clock math” because we use it to tell time.

Question 60

Cryptographic protocol governance

Answer 60

describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization wide scale.

Question 61

Caesar cipher

Answer 61

a monoalphabetic rotation cipher used by Gaius Julius Caesar.

a substitution cipher

Caesar rotated each letter of the plaintext forward three times to encrypt,

Question 62

Book cipher

Answer 62

uses whole words from a well-known text such as a dictionary.

Question 63

Running-key cipher

Answer 63

instead of using whole words, they use modulus math to “add” letters to each other.

Question 64

Codebooks

Answer 64

assign a code word for important people, locations, and terms.

Question 65

Vernam cipher

Answer 65

the first type of one-time page

Question 66

COCOM

Answer 66

Coordinating Committee for Multilateral Export Controls (COCOM) was designed to control the export of critical technologies to non-COCOM.

Replaced by Wassenaar Arrangement

Question 67

The formula for calculating how many symmetric keys are needed:

Answer 67

n (n-1)/2

Question 68

3DES

Answer 68

168 bits of key length uses.
uses 48 rounds of computation
slow and complex compared to newer symmetric algorithms such as AES or Twofish.

Question 69

What is Chaining (called feedback in stream modes)?

Answer 69

seeds the previous encrypted block into the next block to be encrypted. This destroys patterns in the resulting
ciphertext.

Electronic Code Book mode (see below) does not use an initialization vector or chaining

Question 70

DES

Answer 70

uses 64-bit block size and a 56-bit key

Question 71

International Data Encryption Algorithm

Answer 71

is a symmetric block cipher designed as an international replacement to DES.

Uses a 128-bit key and 64-bit block size.

Drawbacks: slow speed compared to newer symmetric ciphers such as AES.

Question 72

AES

Answer 72

uses 128- (with 10 rounds of encryption), 192- (12 rounds of encryption), or 256-bit (14 rounds of encryption) keys t

Encrypt 128-bit blocks of data

Question 73

What are AES fialists?

Answer 73

MARS, RC6, Rijndael, Serpent, Twofish

Question 74

Blowfish

Answer 74

uses from 32- to 448-bit (the default is 128) keys to encrypt 64 bits block of data

open algorithms, unpatented and freely available.

Question 75

Twofish

Answer 75

was an AES finalist, encrypting 128-bit blocks using 128- to 256-bit keys.

open algorithms, unpatented and freely available.

Question 76

RC5

Answer 76

Key size ranges from zero to 2040 bits.

32, 64, or 128-bit blocks.

Question 77

RC6

Answer 77

encrypting 128-bit blocks using 128-, 192-, or 256-bit keys.

Question 78

Discrete logarithm

Answer 78

is the opposite of exponentiation

Used by Diffie-Hellman, ElGamal and ECC

Question 79

What are the three primary approaches to attack the RSA algorithm?

Answer 79

brute force
mathematical attacks
timing attacks, measuring the running time of the decryption algorithm.

Question 80

El Gamal

Answer 80

based on the work of Diffie–Hellmann,

but it included the ability to provide message confidentiality and digital signature services, not just session key exchange.

Question 81

MD5

Answer 81

creates a 128-bit hash value based on any input length.

Question 82

SHA-1

Answer 82

creates a 160-bit hash value.

SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512

Question 83

Known key attack

Answer 83

means the cryptanalyst knows something about the key, to reduce the efforts used to attack it.

If the cryptanalyst knows that the key is an uppercase letter and a number only, other characters may be omitted in the attack.

Question 84

Differential cryptanalysis

Answer 84

seeks to find the difference between related plaintexts that are encrypted. The plaintexts may differ by a few bits.
It is usually launched as an adaptive-chosen plaintext attack; the attacker chooses the plaintext to be encrypted (but does not know the key) and then encrypts related plaintexts.

Question 85

Linear cryptanalysis

Answer 85

a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key to derive information about the key used to create them.

Question 86

Algebraic attacks

Answer 86

a class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure , which may result in weakness.

Question 87

Implementation attacks

Answer 87

exploits a mistake (vulnerability) made while implementing an application, service, or system.

Question 88

Birthday attack

Answer 88

an attack on hashing functions through brute force. The attacker tries to create two messages with the same hashing value.

used to create hash collisions.

Question 89

Digital signatures

Answer 89

used to cryptographically sign documents, which provides authentication and integrity, which forms non-repudiation.

Question 90

Message Authenticate Code MAC

Answer 90

is a hash function that uses a key. Done by applying a secret key to a message in some form.

A common MAC implementation is Cipher Block Chaining Message Authentication Code (CBC-MAC), which uses the CBC mode of a symmetric block cipher such as DES to create a MAC.

Question 91

HMAC

Answer 91

combines a shared secret key with hashing. IPsec uses HMACs (see below). Two parties must pre-share a secret key.

Question 92

digital certificate

Answer 92

a public key signed with a digital signature.

Question 93

describes five components of PKI

Answer 93

1. Certification authorities (CAs) that issue and revoke certificates
2. Registration Authorities (ORAs) that vouch for the binding between public keys and certificate holder identities.
3. Certificate holders that are issued certificates and can sign digital documents
4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA
5. Repositories that store and make available certificates and certificate revocation lists (CRLs)

Question 94

What is the standard for PKI?

Answer 94

X.509

Question 95

What is IPsec Security Association (SA) ?

Answer 95

a simplex (one-way) connection, which may be used to negotiate ESP or AH parameters.

Question 96

What is Security Parameter Index (SPI) ?

Answer 96

A unique 32-bit number used to identifies each simplex SA connection.

Question 97

Internet Security Association and Key Management Protocol (ISAKMP)

Answer 97

manages the SA creation process.

Defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE.

Question 98

Internet Key Exchange (IKE)

Answer 98

defines the key exchange and negotiates the algorithm selection process.

Two sides of an IPsec tunnel will typically use IKE to negotiate to the highest and fastest level of security

Question 99

OAKLEY

Answer 99

a key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP.

Question 100

Clipper Chip

Answer 100

used the Skipjack algorithm, a symmetric cipher that uses an 80-bit key.

Question 101

What is the purpose of embedding a timestamp within cipher text?

Answer 101

It will decrease the chance of the message being replayed.