Domain 3: Cryptography Attacks and Implementing Flashcards
Algebraic manipulation that attempts to reduce the complexity of the algorithm
Analytic Attack
Attack that focuses on exploiting the software code of a cryptography system
Implementation Attack
Attack that attempts to find a vulnerability in the hardware or OS hosting the cryptography application
Statistical Attack
Attack that involves massive processing power to methodically guess the key used to secure cryptographic communications
Brute-Force Attack
Attacker has a copy of the message in both encrypted and plaintext format; from this, the attacker can derive the key that was used
Known Plaintext Attack
Attacker has the ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm
Chosen Plaintext Attack
- Cryptanalyst has the ability to decrypt chosen portions of the ciphertext message and uses the decrypted portion of the message to discover the key
- Mirrors plaintext attacks
- Usually used against asymmetric cryptosystems
Chosen Ciphertext Attacks
Attacker seeks to substitute, in a digitally signed communication, a different message that produces the same message digest, thereby maintaining the validity of the original digital signature
Birthday attack
Cryptanalyst knows something about the key and uses this knowledge to attack
Known Key Attack
Seeks to find the difference between related plaintexts that are encrypted
Differential Cryptanalysis
- Cryptanalyst finds a large number of plaintext/ciphertext pairs created with the same key
- The pairs are studied to derive information about the key used to create them
Linear Cryptanalysis
- Uses physical data to break a cryptosystem
- e.g., monitoring CPU cycles or power consumption used while encrypting and decrypting
Side-Channel Attacks
- Authenticates the identity of the signer and provides proof of the document’s integrity
- Provides nonrepudiation
Digital Signatures
Public key signed with a digital signature
Digital Certificate
Organization registration authority that authenticates the identity of a certificate holder before issuing a certificate to them
Certificate Authorities (CAs)
When obtaining a digital certificate you must first prove your identity to the CA. This process is called…
Enrollment
List of revoked certificates
Certificate Revocation Lists (CRL)
Replacement for Certificate Revocation Lists (CRLs) that uses a client-server design that scales better
Online Certificate Status Protocol (OCSP)
- Software that uses encryption to enforce copyright restrictions on digital media
- e.g., music, movies, e-books, video games, and documents
Digital Rights Management (DRM)
- IPSec protocol
- Acts as a digital signature for data
- Protects against replay attacks
- Provides no confidentiality
Authentication Header (AH)
- IPSec protocol
- Encrypts packet data
Encapsulating Security Payload (ESP)
- IPSec protocol
- One-way connection used to negotiate ESP or AH parameters
Security Association (SA)
- IPSec protocol
- Manages the SA creation process
Internet Security Association and Key Management Protocol (ISAKMP)
- IPSec protocol
- Encrypts the entire packet, including original packet headers
ESP Tunnel Mode
- IPSec protocol
- Only encrypts the data, not the original headers
ESP Transport Mode
- IPSec protocol
- Negotiates the algorithm selection process
- Both sides of the IPSec tunnel will typically use IKE to negotiate the highest and fastest level of security (e.g., selecting AES over single DES)
IKE
- Asymmetric encryption
- Used to encrypt emails, documents, or disk drives
- Uses a web of trust model to authenticate digital certificates instead of a central CA
Pretty Good Privacy (PGP)
- Asymmetric encryption
- Leverages PKI to encrypt and authenticate MIME-encoded email
S/MIME (Secure MIME)
- Third-party organization holds a copy of the public/private key pair
- Failsafe that allows access to sensitive data when the need arises
Escrowed Encryption
- The examination of repetition of characters in a given encrypted message
- Repeating patterns may indicate the type of cipher being used, i.e. substitution or transposition
Frequency analysis
Exploits cryptographic protocols that use two rounds of encryption
Meet-in-the-middle attack
Procedure to digitally sign a message
- Use a hash function to generate a message digest
- Then encrypt the digest with your private key
Procedure to verify the digital signature on a message
- Decrypt the signature with the sender’s public key and then compare the message digest to the one you generate yourself
- If they match, the message is authentic
- NIST standard created to specify the digital signature algorithms acceptable for federal government use
- Requires that the SHA-3 hashing function be used for all digital signatures
- Allowed encryption algorithms include:
  - Digital Signature Algorithm (DSA)
  - Rivest, Shamir, Adleman (RSA)
  - Elliptic Curve DSA (ECDSA)
Digital Signature Standard (DSS)