Cryptography

Question 1

Confidentiality

Answer 1

Only authorized parties can access data.

Question 2

Integrity

Answer 2

Verifying data has not been altered in transit.

Question 3

Authentication

Answer 3

Verifying the sender is who they say they are.

Question 4

Non-Repudiation

Answer 4

Prevents one party from denying actions they carried out.

Question 5

Cryptography

Answer 5

“Science of secret writing”

Question 6

Cryptanalysis

Answer 6

Study and practice of finding weaknesses in ciphers

Question 7

Algorithm

Answer 7

“Formulas to encrypt data”

Question 8

Cipher

Answer 8

Method used to encode characters to hide their value

Question 9

Plain Text/Clear Text

Answer 9

Info which is transferred or stored without crypto protection

Question 10

Cipher text

Answer 10

Result of encryption performed on plaintext using an algorithm.

Question 11

Substitution Cipher

Answer 11

One character or symbol into another

Question 12

Substitution Code

Answer 12

Substitution at the level of words or phrases

Question 13

Transposition

Answer 13

Changing the positions of plaintext letters within a sentence.

eg. meet me at noon = noontaemteem

Question 14

Exclusive-OR (XOR) Operation

Answer 14

Binary mathematical operation

If values are the same = 0
If values are different = 1

Used in One-Time Pad

Question 15

One-Time Pad

Answer 15

Considered Unbreakable

3 Requirements:

1. Made up of truly random values and used only once
2. Must be at least as long as the message
3. Securely distributed to destination and protected at sender’s and receiver’s sights.

Cons: More overhead, needs to be received in a secure fashion, sender/receiver must be perfectly synched.

Question 16

Frequency Analysis

Answer 16

Study of the frequency of letters or groups of letters in a cipher text.

Eg. Wheel of Fortune

Question 17

Initialization Vectors

Answer 17

Random values used with algorithms to ensure patterns are not created during encryption process.

Not encrypted when being sent

Used in WEP

Question 18

Steganography

Answer 18

Electronic Watermarking

Hiding one’s message in another in order to prevent it from being detected.

Graphics/Sound Files

Question 19

ADS

Answer 19

Alternate Data Streams

Adds a program on to another to help it work across multiple platforms.

Can be used for evil.

Eg. Drive in movie with someone in the trunk.

Question 20

Quantum Cryptography

Answer 20

Message is sent in a series of photons. Receiver must know sequence and polarity of photons to decode message.

If someone intercepts, some of the photons will change polarity and message will be altered.

Question 21

Hashing

Answer 21

Used for Integrity

One-way encryption function. Takes variable-length input and makes a fixed-length output.

Hash collision happens when different inputs create the same hash value. Collision detection prevents this.

Question 22

MD5

Answer 22

Message Digest 5
Hash Function (Cisco)
Digest Size: 128 bits

Question 23

SHA-1

Answer 23

Secure Hashing Algorithm
Hash Function
Digest Size: 160 bits

Question 24

SHA-2/SHA-224/256

Answer 24

Secure Hashing Algorithm
Hash Function
Digest Sizes: 224, 256 bits

Question 25

SHA-2/SHA-384/512

Answer 25

Secure Hashing Algorithm
Hash Function
Digest Size: 512 bits

Question 26

RIPEMD-160

Answer 26

Hash Function

Digest Sizes: 128, 160, 256, 320 bits

Question 27

HAVAL

Answer 27

Hash Function

Digest Sizes: 128, 160, 192, 224, 256 bits

Question 28

Whirlpool

Answer 28

Hash Function

Digest Size: 512

Question 29

Brute Force Attacks

Answer 29

Applying every possible combination of characters that could be the key.

Time may be a factor/not fast enough

Question 30

Dictionary Attack

Answer 30

Uses dictionary of common words (to include proper nouns)

Question 31

Rainbow Table/Crack

Answer 31

Uses a lookup table comprised of pre-calculated hash from common words.

Question 32

Birthday Attack

Answer 32

Probability that someone has the same hash that attacker has already figured out.

Question 33

SALT

Answer 33

Randomly generated value that is calculated into the hashing process

eg. Table Salt

Question 34

MAC

Answer 34

Message Authentication Code

Verifies integrity and origin
Symmetric Key

Question 35

HMAC

Answer 35

Hashed Message Authentication Code

Hash function added to MAC

Adds symmetric key to data to be hashed.

Used in IPSec, SSL/TLS, SSH

Question 36

Symmetric Cryptography

Answer 36

• Uses one key to encrypt/decrypt info
• Both parties share same key
• Best for bulk encryption; faster (smaller key) than asymmetric
• AKA: secret key, private key, shared key, same key, single key, session key

Question 37

Stream Cipher

Answer 37

Symmetric Encryption Method

• Bit by bit
• Keystream
• Hardware
• No memory
• On-the-fly
• Very fast

Question 38

Block Cipher

Answer 38

Symmetric Encryption Method

• Software
• Fixed-length blocks
• Block-by-block
• Uses substitution/transposition ciphers
• Stronger than stream-based
• Slow/resource intensive

Question 39

Symmetric Encryption Methods

Answer 39

Stream Cipher and Block Cipher

Pros:

• Less computationally intensive
• Produces smaller file size
• Faster transmissions

Cons:

• Key distribution security
• Needs to be trust between parties
• Key management (n(n-1)/2=# keys needed
• No “non-repudiation”

Question 40

Symmetric Key Algorithms

Answer 40

C - CAST
3 - 3DES
2 - Twofish
B - Blowfish
R - RC4, 5, 6
A - AES
I - IDEA
D - DES
S - SAFER (+, ++)

Question 41

DES

Answer 41

Data Encryption Standard/Symmetric

Based on IBM’s Lucifer algorithm
64-bit Block (56-bit key + 8 bits for parity)
Algorithm: DEA (Data Encryption Algorithm)
Easily Broken

Question 42

3DES

Answer 42

Triple DES/Symmetric

Upgrade of DES (still in use)
Applies DES three times
168-bit key (+24 bits for parity)

Question 43

AES

Answer 43

Advanced Encryption Standard/Symmetric

Current standard replaced DES
128 bit block
Algorithm: Rijndael
Key Sizes: 128, 192, 256 bits

Question 44

Blowfish

Answer 44

Symmetric

Fastest of the symmetric
64 bit block cipher
Variable-length keys (32-448 bits)

Question 45

Twofish

Answer 45

Symmetric

128 bit block cipher
Variable length keys (128, 192, 256 bits)
Finalist for AES

Question 46

CAST

Answer 46

Carlisle Adams and Stafford Tavares/Symmetric

Used by PGP

CAST-128:

• 64 bit block size
• Variable key lengths (40-128 bits)

CAST-256:

• 128 bit block size
• Variable key lengths (128, 160, 192, 224, 256 bits)

Question 47

RC

Answer 47

Rivest Cipher/Symmetric

RC4 (stream): Variable key length (0-2048 bits)

RC5 (block): Variable block (32, 64, 128 bits)
* Variable key length (0-2048)

RC6 (block): Variable block (128)
* Variable key length (0-2048)

Question 48

IDEA

Answer 48

International Data Encryption Algorithm/Symmetric

64 bit block
128 bit key length
Developed by the Swiss
Used in PGP and other encryption software

Question 49

Skipjack

Answer 49

Symmetric

Block cipher
NSA
Clipper chip

Question 50

SAFER

Answer 50

Secure And Fast Encryption Routine/Symmetric

Used in Bluetooth
For key derivation NOT for encryption

SAFER+:
* 128 bit block cipher

SAFER++:
* 64, 128 bit block cipher

Question 51

Asymmetric Cryptography

Answer 51

Public Key Encryption

Each user has two keys: Private/Public
Keys are mathematically related

Pros:

• Key Management (n*2)
• Public key can be freely distributed
• Offers: digital signatures, integrity, key exchange, non-repudiation

Cons:

• Slower than symmetric
• Larger encryption file

Question 52

Asymmetric Key Algorithms

Answer 52

D- Diffie-Hellman
E- ElGamal
E- ECC
R- RSA

Question 53

Diffie-Hellman

Answer 53

Asymmetric

Based on difficulty of computing discrete logarithms
Key exchange
Variable key length: 512, 1024-2048 (secure)

Same strength as 3072 bit RSA key

Question 54

El Gamal

Answer 54

Asymmetric

Encryption, Digital Signatures, Key Exchange
Based on Diffie Hellman
Slow

Open standard/Legacy

Question 55

RSA

Answer 55

Rivest, Shamir, Adleman/Asymmetric

Encryption, Digital Signatures, Key Exchange
De facto standard
Based on difficulty of factoring N (prod of 2 large prime #)
Variable block and key length
* 512 bit to arbitrarily long
* 1024-2048 considered secure

Used in PGP

Question 56

ECC

Answer 56

Elliptic Curve Cryptography/Asymmetric

Encryption, Digital Signatures, Key Exchange
Based on using points on a curve to define public/private key
Key of 160 bis is equal to 1024 RSA key
Hardware such as wireless devices and smart cards

Question 57

Three Things Needed to Create a Digital Signature

Answer 57

• Email message
• Hashing Algorithm
• Sender’s Private Key

Question 58

Digital Signature Process

Answer 58

Sender:

• Creates email message
• Creates message hash
• Uses private key to encrypt hash
• Hash becomes digital signature and is sent with message

Receiver:

• Hashes received message
• Uses sender’s public key to decrypt
• If hashes match message is valid and sender is verified

Question 59

DSA

Answer 59

Digital Signature Algorithm

Used only for digital signatures
Does not provide confidentiality
Public key algorithm with var key size from 512-4096 bits
Follows NIST/FIPS DSS and goes up to 1024 bits
Uses SHA-1 for integrity
Faster than RSA at verifying signatures

Question 60

Two Goals of DSA

Answer 60

Provide authentication and integrity

Question 61

Hybrid Cryptosystem

Answer 61

Symmetric for data encapsulation
Asymmetric for key encapsulation
Cryptographic hash can be used to provide data integrity

Eg. PGP, S/MIME, TLS, SSH, IPSec

Question 62

SSL

Answer 62

Secure Socket Layer

Secure connection between two TCP-based machines
Uses X.509v3
TCP Port 443

Question 63

SSL Vulnerabilities

Answer 63

Small key size
Expired digital certificates
Compromised keys

Question 64

SSL Provides:

Answer 64

• Confidentiality: AES, IDEA, 3DES, DES, RC4, RC2
• Message Integrity: SSLv3 MAC w/ shared key (similar to HMAC) with MD5 or SHA1
• Key Exchange: RSA, Diffie Hellman

Ability to implement Mutual Authentication

Question 65

SSL Can Be Used to Secure:

Answer 65

Telnet, NNTP, FTP, HTTP, SMTP, IMAP

Question 66

TLS

Answer 66

Transport Layer Security

Secure connection between two TCP-based machines
Operates like SSSL
More secure hashing than SSL
TCP Port 443

Question 67

TLS Provides:

Answer 67

Confidentiality: AES, IDEA, 3DES, DES, RC4, RC2
Message Integrity: HMAC
Key Exchange: RSA and Diffie-Hellman
More alert codes that SSL

Question 68

HTTPS vs S-HTTP

Answer 68

HTTPS:

• HTTP over SSL
• TCP Port 443
• Encrypts communication channel

S-HTTP:

• Dev by Netscape
• Provides security over standard page requests
• TCP Port 80
• Encrypts INDIVIDUAL MESSAGES
• Does not require client-side public key certs (symmetric key only)

Question 69

SSH

Answer 69

Secure Shell

Secures remote terminal communications
Secure replacement for Telnet and FTP
TCP Port 22
Encrypts data w/ symmetric algorithm
Est connection and authentication using public key crypto

Eg. PuTTY and OpenSSH

Question 70

SMTP

Answer 70

Transmits mail from e-mail clients to e-mail servers and between e-mail servers
TCP port 25

Question 71

POP3

Answer 71

Downloads e-mail from an inbox on an e-mail server to an e-mail client
TCP port 110

Question 72

IMAP4

Answer 72

Downloads e-mail from an inbox on an e-mail server to an e-mail client
TCP port 143

Question 73

MIME

Answer 73

Multipurpose Internet Mail Extensions

Defines how e-mail clients handle non-plaintext content.

Question 74

S/MIME

Answer 74

Secure Multipurpose Internet Mail Extensions

Uses X.509 Standard
Protection for email and attachments
Provides: Authentication, Integrity, Confidentiality, non-repudiation
Uses: AES, 3DES, DES, RC2
Key Exchange: Diffie-Hellman with DSS or RSA
SHA-1 and MD5

Question 75

x.509 Standard

Answer 75

ITU standard for defining digital certificates
Defines the formats and fields for public keys
Defines procedures for distributing public keys

Question 76

PGP

Answer 76

Pretty Good Privacy

E-mail encryption system
Web of Trust NOT X.509
GPG = open source version
Asymmetric: RSA, DSS, Diffie-Hellman
Symmetric: AES, IDEA, CAST-128, IDEA, Twofish, 3DES
Hash Coding: SHA-2, SHA-1, MD5 RIPEMD-160

Question 77

Typical Certificate Contains (6):

Answer 77

Issuer's name
Valid date / to date
Owner (subject)
Subject's public key
Time stamp
Certificate issuer's digital signature

Question 78

PKI

Answer 78

Public Key Infrastructure

• Framework for managing private keys and certificates
• Follows X.509 standard
• Standard for key generation, authentication, distribution and storage
• Est who is responsible for authenticating the ID of the owners of the digital certificate

Question 79

CA

Answer 79

Certificate Authority

Organization responsible for issuing, storing, revoking and distributing certificates

Authenticates the certificates by signing them with their private key

Question 80

RA

Answer 80

Registration Authority

• Middleman between CA and subscribers
• Can distribute keys, accept registrations for CA and validate identities
• Does not issue certs on their own

Question 81

Digital Certificate Enrollment Process

Answer 81

• Subject must prove ID to CA before cert is created
• Give info physically appearing w/ and agent ID, credit report data, etc.
• Once satisfied, cert is made containing ID info, public key, etc.
• CA then digitally signs the cert with their private key

Question 82

CPS

Answer 82

Certificate Practice Statement

How CA is structured
How certs will be managed
How subscriber's ID is validated
How to request revocation
Which standards and protocols are used

Question 83

OCSP

Answer 83

Online Certificate Status Protocol

• Checks for revoked certs
• Queries a CA or RA that maintains a list of expired certs
• Server sends a response with status of valid, suspended or revoked

Question 84

CRL

Answer 84

Certificate Revocation List

IDs revoked certs
Expired certs not on on the CRL

Question 85

Certificate Suspension

Answer 85

Certs can be suspended
Ensures key is unusable for a period of time
Suspend rather than expire to make them TEMPORARILY invalid

Question 86

Certificate Expiration

Answer 86

If a cert expires, a new cert must be issued

NOT added to the CRL

Question 87

Certificate Renewal

Answer 87

Unexpired certs can be renewed close to the end of the expiring cert’s lifetime

Allows same cert to be used past the original expiry time

Not a good practice

Question 88

Certificate Destruction

Answer 88

Establish policies for destroying old keys
When key/cert no longer useful, destroy and remove from system
When destroyed, notify CA so CRL and OCSP can be updated
Deregistration should occur when a key is destroyed

Question 89

Trust Models (4):

Answer 89

Single-Authority (AKA third-party trust)
Hierarchical Trust
Bridge Trust
Web of Trust (AKA peer-to-peer)

Question 90

Single Authority

Answer 90

Third party signs key/cert
User trusts authority and all keys issued by them
Trust verified by digital sig attached to public key

Question 91

Hierarchical Trust

Answer 91

Root CA>Intermediate CA>Leaf CA

Question 92

Bridge Trust

Answer 92

Trust between Root CAs

Question 93

Web of Trust

Answer 93

All parties involved trust each other

CA does not exist to certify owners

Question 94

Centralized Key Management

Answer 94

Central entity in charge or issuing keys

CA keeps a copy of the key

Question 95

Decentralized Key Management

Answer 95

End user generates their own key

Does not provide key escrow (no key recovery)

Question 96

Two Methods for Key Storage

Answer 96

Software-based:

• Access violations/intrusions
• Easily destroyed
• Subject to security of access control system

Hardware-based:

• Most secure
• More expensive
• Relies on physical security
• Smart cards/flash drives

Question 97

Key Escrow

Answer 97

Third party may gain access to key storage
Allows for key recovery
Key’s must be secured on escrow network/systems

Question 98

Recovery Agent

Answer 98

Someone with authority to remove keys from escrow

Question 99

M of N Control

Answer 99

Requires two or more recovery agents
Must but multiple key escrow recovery agents
Minimum number of agents must work to recover key

Question 100

Revoking Keys

Answer 100

Conducted when:

• Keys compromised
• Authentication process malfunction
• People transferred/fired
• Other security risks occur

Keeps key from being misused

Question 101

Suspending Keys

Answer 101

Temporary

Unusable for a period of time

Question 102

Renewing Keys

Answer 102

Enable key for use after scheduled expiry
Reissued for certain time
Bad practice

Question 103

TPM

Answer 103

Trusted Platform Module

Hardware
Stream Cipher Encryption
Symmetric