Cryptography Misc

Question 1

Trusted Platform Module (TPM)

Answer 1

security chip installed on motherboards that manages symmetric and asymmetric keys, hashes and digital certificates

Helps protect passwords, encrypt drives, manage digital rights, making it harder to access computers with TPM enabled

Question 2

TPM Uses

Answer 2

Binding - binds hard drive to computer through encryption. Hard drive contents only available on that computer

Sealing - seals system state to particular HW, SW configuration, preventing changes to the system. System can only boot after TPM verifies integrity by comparing original hash value of system configuration to hash value at boot time

Question 3

TPM Details

Answer 3

Uses static and dynamic memory to retain information when PC is powered off

Memory used in TPM chip:

Endorsement Key (EK) - persistent memory installed by mfr that contains public / private key pair

Storage Root Key (SRK) - persistent memory that secures keys stored in the TPM

Attestation Identity Key (AIK) - Dynamic memory that ensures integrity of EK

Platform Configuration Registration (PCR) Hashes - dynamic memory that stores data hashes for the sealing function

Storage Keys - Dynamic memory that contains the keys used to encrypt storage

Question 4

Encryption Communication Levels

Link Encryption

Answer 4

Encrypts all data transmitted over a link

Data Link Control information needed to transmit data correctly, is only part not encrypted

Header Information is decrypted so routing can occur, then re-encrypted before sending to next device

Used over public communication links to ensure security and privacy

Protects against packet sniffers, other eavesdropping

All data encrypted, no user interaction required

Each device data transmitted through must receive the key, key changes must be transmitted to each device on the route and packets are decrypted at each device

Question 5

Encryption Communication Levels

End-to-End Encryption

Answer 5

Encrypts less of the packet than Link Encryption

Packet routing information, packet headers and addresses are not encrypted, exposing more information

Advantages
Every device in path doesn’t have to encrypt / decrypt to determine routing

user selects exactly what gets encrypted and how

Question 6

Email Security

PGP

Answer 6

Provides email encryption use different technologies

Provides confidentiality, integrity, authenticity based on the encryption methods used

Provides key management using RSA and web of trust

Public key rings of all users stored on each users’s computer in a key ring file. In that, each user assigned level of trust. Users in web vouch for each other

Users can choose level of trust and change it if needed

Compromise of user’s public key requires that key is removed from key ring of all users

Provides data encryption using IDEA

Provides data integrity if using MD5

Provides authentication with public certificates

Question 7

Email Security

Secure MIME (S/MIME)

Answer 7

Adheres to PKCS, Public Key Cryptography Standards

Encryption provides confidentiality
Hashing provides integrity
Public Key certificates provide authentication
Message digests provide nonrepudiation

Question 8

Quantum Cryptography

Answer 8

combines quantum physics and cryptography

offers possibility of factoring products of large prime numbers

provides strong encryption, eavesdropping detection

excellent choice for organizations transmitting top secret data

Question 9

Internet Security

Answer 9

Remote Access allows direct dial-in or access over the internet

Organization ensures data protection with encryption

RA servers can require encrypted connections

Question 10

Internet Security

SSL

Answer 10

Secure Sockets Layer provides encryption, server and client authentication and message integrity

Allows application to have encrypted, authenticated communication over network

Question 11

Internet Security

TLS

Answer 11

Transport Layer Security - open community standard that provides many of the same services as SSL

TLS 1.0 based on SSL 3.0 but is more extensible

Goal of TLS is privacy and data integrity between two communicating applications

Question 12

Internet Security

HTTPS

Answer 12

HTTP Secure - http over SSL / TLS protocol

not same as Secure HTTP which encrypts a single message, not entire session

Question 13

Internet Security

SET

Answer 13

Secure Electronic Transaction (SET)

Never fully adopted. Secures credit card transactions based on X.509 certificates and asymmetric keys. Would have required full cooperation of financial institutions, credit card users, wholesale, retail firms, payment gateways

Question 14

Internet Security

Secure Shell

Answer 14

SSH - application and protocol used to remotely log into other computer using secure tunnel

Question 15

Internet Security

Internet Protocol Security

Answer 15

IPSEC

Suite of protocols that establish secure channel between two devices

AH - Authenticating Headers provide authentication and integrity

ESP - Encapsulating Security Payload provides authentication, integrity and encryption

SA - Secure Association is a record of a device’s configuration that needs to participate in IPSEC

SPI - Security Parameter Index is a table that tracks different SA’s used and ensures device uses appropriate SA to communicate with other device

Question 16

IPSEC’s Two Modes

Answer 16

Transport or Tunnel Mode
Both can be used for gateway-gateway or host-gateway IPSEC communication

Transport Mode protects only message payload
Tunnel Mode protects payload, routing, header

Internet Key Exchange (IKE) is common key exchange method used with IPSEC. combines OAKLEY and Internet Security Association and Key Mgmt Protocol (ISAKMP)

Authentication methods include pre-shared keys, certificates, PKI

Most secure implementations of pre-shared keys require PKI but not necessary if preshared key based on simple passwords