Cryptography Misc Flashcards
Trusted Platform Module (TPM)
security chip installed on motherboards that manages symmetric and asymmetric keys, hashes and digital certificates
Helps protect passwords, encrypt drives, manage digital rights, making it harder to access computers with TPM enabled
TPM Uses
Binding - binds hard drive to computer through encryption. Hard drive contents only available on that computer
Sealing - seals system state to particular HW, SW configuration, preventing changes to the system. System can only boot after TPM verifies integrity by comparing original hash value of system configuration to hash value at boot time
TPM Details
Uses static and dynamic memory to retain information when PC is powered off
Memory used in TPM chip:
Endorsement Key (EK) - persistent memory installed by mfr that contains public / private key pair
Storage Root Key (SRK) - persistent memory that secures keys stored in the TPM
Attestation Identity Key (AIK) - Dynamic memory that ensures integrity of EK
Platform Configuration Registration (PCR) Hashes - dynamic memory that stores data hashes for the sealing function
Storage Keys - Dynamic memory that contains the keys used to encrypt storage
Encryption Communication Levels
Link Encryption
Encrypts all data transmitted over a link
Data Link Control information needed to transmit data correctly, is only part not encrypted
Header Information is decrypted so routing can occur, then re-encrypted before sending to next device
Used over public communication links to ensure security and privacy
Protects against packet sniffers, other eavesdropping
All data encrypted, no user interaction required
Each device data transmitted through must receive the key, key changes must be transmitted to each device on the route and packets are decrypted at each device
Encryption Communication Levels
End-to-End Encryption
Encrypts less of the packet than Link Encryption
Packet routing information, packet headers and addresses are not encrypted, exposing more information
Advantages
Every device in path doesn’t have to encrypt / decrypt to determine routing
user selects exactly what gets encrypted and how
Email Security
PGP
Provides email encryption use different technologies
Provides confidentiality, integrity, authenticity based on the encryption methods used
Provides key management using RSA and web of trust
Public key rings of all users stored on each users’s computer in a key ring file. In that, each user assigned level of trust. Users in web vouch for each other
Users can choose level of trust and change it if needed
Compromise of user’s public key requires that key is removed from key ring of all users
Provides data encryption using IDEA
Provides data integrity if using MD5
Provides authentication with public certificates
Email Security
Secure MIME (S/MIME)
Adheres to PKCS, Public Key Cryptography Standards
Encryption provides confidentiality
Hashing provides integrity
Public Key certificates provide authentication
Message digests provide nonrepudiation
Quantum Cryptography
combines quantum physics and cryptography
offers possibility of factoring products of large prime numbers
provides strong encryption, eavesdropping detection
excellent choice for organizations transmitting top secret data
Internet Security
Remote Access allows direct dial-in or access over the internet
Organization ensures data protection with encryption
RA servers can require encrypted connections
Internet Security
SSL
Secure Sockets Layer provides encryption, server and client authentication and message integrity
Allows application to have encrypted, authenticated communication over network
Internet Security
TLS
Transport Layer Security - open community standard that provides many of the same services as SSL
TLS 1.0 based on SSL 3.0 but is more extensible
Goal of TLS is privacy and data integrity between two communicating applications
Internet Security
HTTPS
HTTP Secure - http over SSL / TLS protocol
not same as Secure HTTP which encrypts a single message, not entire session
Internet Security
SET
Secure Electronic Transaction (SET)
Never fully adopted. Secures credit card transactions based on X.509 certificates and asymmetric keys. Would have required full cooperation of financial institutions, credit card users, wholesale, retail firms, payment gateways
Internet Security
Secure Shell
SSH - application and protocol used to remotely log into other computer using secure tunnel
Internet Security
Internet Protocol Security
IPSEC
Suite of protocols that establish secure channel between two devices
AH - Authenticating Headers provide authentication and integrity
ESP - Encapsulating Security Payload provides authentication, integrity and encryption
SA - Secure Association is a record of a device’s configuration that needs to participate in IPSEC
SPI - Security Parameter Index is a table that tracks different SA’s used and ensures device uses appropriate SA to communicate with other device