Domain 3 Flashcards
Code
Cryptographic systems of symbols that
operate on words or phrases and are
sometimes secret but don’t always
provide confidentiality.
Cipher
Ciphers, are always meant to hide
the true meaning of a message.
Stream Cipher
is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream
Block Cipher
is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time.
Substitution Cipher
uses the encryption algorithm to replace each character or bit of the plaintext message with a different character. The Caesar cipher is a good example.
Transposition Cipher
uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message.
Initialization Vector (IV)
is a random bit string (a nonce) that is the same length as the block size that is XORed with the message. IVs are used to create a unique cipher text every time the same message is encrypted with the same key.
Caesar Cipher
substitution cipher that shifts characters, uses a key of length one
Vigenère Cipher
cipher uses a longer key (usually a word or sentence),
One time Pad Cipher
- For a one time pad to be successful, the key must be
- Generated randomly without any known pattern.
- Key at least as long as the message to be encrypted.
- The pads must be protected against physical disclosure
- Each pad must be used only one time and then discarded
Zero-knowledge proof
is a communication concept.
A specific type of information is exchanged, but no real data is transferred, as with digital signatures and digital
certificates.
More simply: It enables one to prove knowledge of a fact to another
individual without revealing the fact itself .
Split knowledge
means that the information or privilege
required to perform an operation is divided among multiple users.
This ensures that no single person has sufficient privileges to compromise the security of the environment.
Work function or work factor
a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages.
The time and effort required to break a protective measure.
Symmetric Key
Relies on the use of a shared secret key. Lacks support for scalability, easy key distribution, and nonrepudiation
Faster and for bulk encryption
Asymmetric
Public private key pairs for communication
between parties. Supports scalability, easy
key distribution, and nonrepudiation.
Stronger
3DES Modes
- Electronic Codebook Mode (ECB).
- Cipher Block Chaining (CBC).
- Cipher Feedback (CFB).
- Output Feedback (OFB).
- Counter (CTR).
3DES Mode - Electronic Codebook Mode (ECB).
Simplest & least secure mode. Processes 64 bit blocks, encrypts block with the chosen key. If same block encountered
multiple times, same encrypted block is produced, making it easy to break.
3DES Mode - Cipher Block Chaining (CBC).
Each block of unencrypted text is XORed with the block of ciphertext immediately preceding. Decryption process simply decrypts ciphertext and reverses the XOR operation.
3DES Mode - Cipher Feedback (CFB).
Is the streaming version of CBC. Works on data in real time, using memory buffers of same block size. When buffer is full, data is encrypted and transmitted. Uses chaining, so errors propagate.
3DES Mode - Output Feedback (OFB).
Operates similar to CFB, but XORs the plain text with a seed value. No chaining function, so errors do not propagate.
3DES Mode - Counter (CTR).
Uses an incrementing counter instead of a seed. Errors do not propagate.
Key Clustering
A Weakness in cryptography where a plain text message generates identical ciphertext messages using the same algorithm but using different keys.
Public Keys/Private Keys (asymmetric)
- Public keys are shared among communicating parties
- Private keys are kept secret.
DATA
- To encrypt a message: use the recipient’s public key.
- To decrypt a message: use your own private key.
DIGITAL SIGNATURE
- To sign a message: use your own private key.
- To validate a signature: use the sender’s public key.
HASH FUNCTION REQUIREMENTS
Good hash functions have five requirements:
- They must allow input of any length.
- Provide fixed length output
- Make it relatively easy to compute the hash function for any input
- Provide one way functionality.
- Must be collision free.
Cryptographic Salts
A salt is random data that is used as an additional
input to a one way function that hashes data, a password or passphrase
Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.
DSS
Digital Signature Standard
The Digital Signature Standard uses the SHA-1, SHA-2, and SHA-3 message digest functions…
Works in conjunction with one of three encryption algorithms: -Digital Signature Algorithm (DSA) -Rivest, Shamir, Adleman (RSA) algorithm -Elliptic Curve DSA (ECDSA) algorithm.
Certificate Authorities (CA)
generate digital certificates containing the public keys of system users.
Users then distribute certificates to people with whom they want to communicate.
Certificate recipients verify a certificate using the CA’s public key.
Email Traffic Encryption
- S/MIME
- Pretty Good Privacy (PGP).
Web Traffic Encryption
Transport Layer Security (TLS)
largely replacing the older SSL
Network Traffic Encryption
IPsec
protocol standard provides a common
framework for encrypting network traffic and is built into many common operating systems.
IPsec
A security architecture framework that supports secure communication over IP.
Establishes a secure channel in 2 modes
transport mode or tunnel mode.
Can be used to establish direct communication between computers or over a VPN connection
Uses two protocols:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Meet in the middle attack
exploits protocols that use two rounds of encryption.
Birthday attack
an attempt to find collisions in hash functions.
Replay attack
an attempt to reuse authentication requests.
DRM
Digital Rights Management
Commonly protect entertainment content, such as music, movies, and e-books
Symmetric Algorithms
AES Blowfish Twofish 3DES RC5
AES
Advanced Encryption Standard
Symmetric
Block Size: 128 bits
Key Size: 128, 192, 256
Blowfish
Symmetric
Block Size: 64 bits
Key Size: 32 - 448 bit
3DES
Symmetric
Block Size: 64 bits
Key Size: 112 - 168 bit
Twofish
Symmetric
Block Size: 128 bits
Key Size: 1 - 256 bit
RC5
Symmetric
Block Size: 32, 64, 128 bits
Key Size: 0-2,040 bit
Hash Algorithms
-HAVAL
-MD4, 5 - no longer in use due to collisions
SHA-224
SHA-256
SHA-384
SHA-512
HAVAL
Hash algorithm
Value length: 128, 160, 192, 224, 256
SHA-2 (variants)
Secure Hash Algorithm
Hash algorithm
Used with digital signature standard (DSS)
Value length: 160, 224, 256, 384, 512
MD4, 5
Message Digest
Hash algorithm
No longer in use
Value length: 128
Public Key Cryptosystems (asymmetric)
RSA
is the most famous public key cryptosystem; it was developed by
Rivest, Shamir, and Adleman in 1977. It depends on the difficulty of factoring the
product of prime numbers.
El Gamal
is an extension of the Diffie
Hellman key exchange algorithm that depends on modular arithmetic.
(ECC) Elliptic curve
Algorithm depends on the elliptic curve discrete logarithm problem and
provides more security than other algorithms when both are used with keys of the same length.
Digital Signatures
Rely on public key cryptography and hashing functions DS algorithms suitable for use in FIPS 186 4 (the Digital Signature Standard) must use SHA 2 hashing functions.
Three currently approved encryption algorithms:
Digital Signature Algorithm (DSA), as specified in FIPS 186 4
Rivest, Shamir, Adleman (RSA), specified in ANSI X9.31
Elliptic Curve DSA (ECDSA), specified in ANSI X9.62
RSA
Asymmetric Key
Most common
Size: 512
El Gamal
Asymmetric Key
Replaced Diffie-Hellman
ECC
Asymmetric Key
Elliptic Curve
Size: Variable (smaller key size due to EC, 160 bit EC key = 1025 RSA)
Integrity Security Models
- Biba: State machine model (SMM)
- Clark-Wilson: Access control triple
- Goguen-Meseguer: THE noninterference model
- Sutherland: preventing interference (information flow and SMM)