Cryptography & PKI Flashcards
Define Cipher Text
Text that has been encrypted for confidentiallity
Define Plain Text
Readable text for human comprehension
Define Symmetric Encryption
Encryption using a shared secret key, typically used for bulk encryption
Define Asymmetric Encrytpion
Encryption using a key pair consisting of a private and a public key
Goals of Cryptology
Confidentiality
Integrity
Authentication
Non-Repudiation
Define a Code
Substitutes one word or phrase for another
Define a Cipher
A mathematical algorithm for encryption
Types of Ciphers
Stream verses Block
Substitution verses Transposition
Define a Stream Cipher
Encrypts a single character at a time
Define a Block Cipher
Encrypts a chunk of text at a time
Define a Substitution Cipher
Encrypts by changing individual characters
Define a Transposition Cipher
Encrypts by scrambling letters
Define XOR
Exclusive Or;
True when only one input of two or more are true
Explain the Confusion Principle
Hide connection between cipher and key, can be used in stream and block ciphers
Explain the Diffusion Principle
Any change in input creates 50% or greater change in output
Explain the Obfuscation Principle
Action taken to make something unclear, unintelligible, or obscure
One-Time Pad Criteria
2 identical pads
Equal length
Single Use
Explain Security through Obscurity
Security reliant upon secrecy,
Generally disparaged
5 Stages of NIST Crypto Lifecycle
Initiation Develop and Acquire Implement and Assess Operate and Maintain Sunset; stop, destroy, or archive
DES Key Facts
Symmetric
64 bit blocks
56 bit key
Insecure
3DES Key Facts
Symmetric 64 bit blocks 168 bit key (112 effective key length) Secure utilizing 3 separate keys Used in IPsec
AES Key Facts
Symmetric 128 bit blocks 128, 192, or 256 bit key Secure Uses Rijndael block Cipher
Blowfish Key Facts
Symmetric
64 bit blocks
32-448 bit key
Secure (at larger key sizes)
Twofish Key Facts
Symmetric
128 bit block
128, 192, or 256 bit key
Secure (more complex and faster then Blowfish)
RC4 Key Facts
Symmetric Stream cipher 40-2048 bit key Not secure/most common Used in WEP and SSL
Cipher Block Modes
ECB
CBC
CR
GCM
Describe ECB Mode
Electronic Codebook;
Utilize same encryption key for each block
Describe CBC Mode
Cipher Block Chaining;
Use previous cipher block as key for subsequent blocks
Describe CR Mode
Counter Mode;
Uses nonce plus a counter for encryption key.
Counter increases for each block
Describe GCM
Galois Counter Mode;
Adds authentication ability to CR
Define Stegonography
Hiding data in large files
RSA Key Facts
Asymmetric
1024-4096 bit key
Digital certificate with key distribution
Secure
Define PGP/GnuPG
Pretty Good Privacy;
Encrypt with random shared key (symmetric)
Encrypt random key with public key (asymmetric)
GnuPG is open source version
Define Perfect Forward Secrecy
Nodes work independent of one another so that no node knows both final source and destination
Key Exchange Methods
Out-of-band
In-Band
Explain the Diffie-Hellman Process
Select common number and share
Choose secret number and compute results
Share results
Use shared results to create shared secret
Define DH Group 1
768 bit group
Insecure
Define DH Group 2
1024 big group
Insecure
Define DH Group 5
1536 bit group
Insecure
Define DH Group 14
2048 bit group
Secure
Define DH Group 20
384 bit elliptic curve
Secure
Define DH Group 21
521 bit elliptic curve
Secure
Define DH Group 24
2048 bit group
256 bit subgroup
Secure
Purpose of Key Escrow
Government access to keys pending court orders
Key storage backups (debatable)
Define Key Stretching
Increase strength of passwords by increasing length and/or complexity
Key Stretching Methods
Salting
Hashing
Define Password/Key Salting
Add value to a key to increase length
Define Password/Key Hashing
Adds time with additional math
Key Stretching Functions
PBKDF2
Bcrypt
Define PBKDF2
Password Based Key Derivation Function v2;
Uses salt and hash
Minimum of 4000 iterations
Define Bcrypt
Key stretching utilizing Blowfish algorithm
Factors of a Good Hash
One way, not reversible
Collision Resistant
Small input change creates large output change
Define a Collision
Two separate inputs create the same hashed output
MD5 Key Facts
Message Digest 5
128 bit hash
Not secure
SHA1 Key Facts
Secure Hash Algorithm
160 bit hash
Not secure
SHA2 Key Facts
Secure Hash Algorithm 2
224, 256, 384, 512 bit hashes
Secure
SHA3 Key Facts
Secure Hash Algorithm 3
Produce hash at any fixed input length
Secure?
RIPEMD Key Facts
RACE Integrity Primitive Message Digest
128, 160, 256, and 320 bit hashes
Secure greater then 128 bit
Define HMAC
Hash-Based Message Authentication Code;
Compares hashes to verify integrity
NIST Approved DSSs
DSA
RSA
ECDSA
X.509 Digital Certification Process
Create key pair
CSR
CA validates ID
CA encrypts Certificate with CA’s private key
Certificate Revocation Methods
CRL
OCSP
Define Certificate Stapling
Time stamped certificates with expiration
Define Certificate Chaining
Transitive trust between CAs, internal CA trusted by 3rd party CA leading to chain of trust
Purpose of OIDs
Object Identifiers, can be used to trace certificate origins
Define Certificate Pinning
Ties cert to subject for a period of time
Certificate Types
Root Wildcard Code Signing Machine/Computer SAN DV OV EV
Explain a Root Certificate
Protected highest level of CA with private keys, often taken offline except when needed
Define a Wildcard Certificate
Match entire domains up to one layer deep
Define a DV
Domain Validation;
lowest level of validation
Define a OV
Organizational Validation;
Verify business name
Define an EV
Extended Validation;
Extensive investigation
Sometimes portrayed as a green locked icon to the left of a browser’s search bar
DER File Usage and Extensions
Distinguished Encoding Rules (binary format, largely used by Java Platform);
.der
.crt
.cer
PEM File Usage and Extensions
Privacy Enhanced Mail (ASCII format, largely Linux/Unix systems); .pem .crt .key .cer
PFX File Usage and Extensions
Personal Information Exchange; (binary format, used by Microsoft systems) .pfx .p12 (ASCII format, provide Cert chain) .p7b .p7c
Knowledge Based Attack Types
Frequency/pattern
Known plain text
Chosen plain text
Define DRM
Digital Rights Management;
Watermarking protected content/protecting with encryption
Explain Low Power Effect on Encryption
May limit key space
Explain Encryption Effect on Latency
May bottleneck network traffic
Explain Cryptographic Resiliance
A cipher/algorithm’s resistance to attacks
Define Kerckhoff’s Principle
Security of algorithm depends on secrecy of the key
Define Access Recertification
Auditing of account access privileges and permissions for alignment with security policies
Define a Nonce
A random or pseudo random number used one time to prevent replay attacks
DSA Key Facts
Digital Signature Algorithm
Similar to RSA but used for authentication only
Define ECDSA
Elliptic Curve Digital Signature Algorithm
Out-of-Band Key Exchange Methods
In person
Over the phone
Via courier
DH
In-Band Key Exchange Methods
Over the network using encryption with recipients public key
Common SSL Certificate Errors
SSL Certificate Not Trusted
Name Mismatch
Mixed Content
Expired SSL Certificate
Describe SSL Certificate Not Trusted Error and Remediation
Browser does not recognize CA. Remediate by purchasing and installing certificate from trusted CA.
Describe Name Mismatch Certificate Error and Remediation
Domain name does not match URL. Double check URL for accuracy and possibly upgrade to dedicated IP address.
Describe Mixed Content Error and Remediation
Website displays mixed HTTP and HTTPS content. Identify mixed content and adjust source code (if possible).
Describe Expired SSL Certificate and Remediation
Certificate no longer valid with CA. Renew the certificate.
Define SAN Certificate
Subject Alternate Name; allows multiple host names to be protected by a single certificate (also called Unified Communications Certificate, UCC)
Define a Atbash Cipher
Cipher text is alphabetically inverted plain text
Define a Caesar Cipher
Cipher text is rotated X places from plain text
Define ROT13
Cipher text is rotated 13 places from plain text
Define S/MIME and purpose
Secure Multipurpose Internet Mail Extensions, encrypt emails
Define DH Group 16
4096 bit MODP
Define DH Group 17
6144 bit MODP
Define DH Group 18
8192 bit MODP
Define DH Group 19
256 bit Elliptic Curve
Define DH Group 15
3072 bit MODP
Non-Variable Block Ciphers
DES RC2 Blowfish Twofish SkipJack IDEA
RC5 Key Facts
Symmetric block cipher
0-2048 bits
DH alternative
El Gamal
Define a CSP
Cryptographic Service Provider, generates key pairs for the client
Benefit of Centralized Key Management Solutions
Key escrow
Define a Registration Authority
Validates information contained within certificate requests
Define a CPS
Certificate Practice Statement; an organizations certificate issuing policy