Domain 3 Flash Cards

1
Q

Algorithm

A

A mathematical function, or more generally a defined set of instructions, used in the encryption and decryption processes; it can be simple or very complex.

2
Q

Asymmetric / Public key
Cryptography

A

A cryptographic system that uses pairs of keys: a public key, which may be shared freely, and a private key, which must be known only to its owner.

3
Q

Availability

A

Ensuring timely and reliable access to and use of information by authorized users.

4
Q

Advanced Encryption Standard (AES)

A

Uses the Rijndael algorithm and is the US government standard (FIPS 197) for protecting sensitive but unclassified data; it uses key lengths of 128, 192, or 256 bits and a fixed block size of 128 bits, and is far stronger than the older DES algorithm.

5
Q

Argon2

A

A memory-hard key derivation and password hashing algorithm designed to resist brute-force (including GPU/ASIC) and side-channel attacks; winner of the Password Hashing Competition in 2015 and widely recommended (the Argon2id variant) for systems that need robust password storage.

6
Q

Address space layout randomization (ASLR)

A

A memory-protection technique in operating systems that makes memory-corruption exploits (such as buffer overflows) harder to carry out by randomizing the base addresses at which executables, shared libraries, the stack, and the heap are placed in memory, so an attacker cannot rely on known addresses.

7
Q

Block Mode Encryption

A

using fixed-length sequences of input plaintext symbols as the unit of encryption

8
Q

Block ciphers

A

take a number of bits and encrypt them in a single unit, padding the plaintext to achieve a multiple of the block size; the Advanced Encryption Standard (AES) algorithm uses 128-bit blocks
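Worked example, added to this deck (not one of the original cards): PKCS#7 padding, the scheme most block-cipher libraries use to bring plaintext up to a multiple of the block size. The function names and sample messages are this example's own.

```python
# Added example, not from the original deck: PKCS#7 padding, the scheme most
# block-cipher libraries use to make plaintext a whole number of blocks.
BLOCK_SIZE = 16  # AES block size in bytes (128 bits)


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes each of value n, where 1 <= n <= block_size.

    Already-aligned input still gets a full block of padding; otherwise the
    unpadder could not tell a trailing data byte from a padding byte.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block_size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip padding, rejecting anything that is not well formed."""
    if not data or len(data) % block_size:
        raise ValueError("input is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def demo() -> dict:
    """Pad constructed sample messages and report the padded length of each."""
    samples = [b"", b"attack at dawn", b"YELLOW SUBMARINE", b"A" * 17]
    padded_lengths = {}
    for msg in samples:
        padded = pkcs7_pad(msg)
        assert len(padded) % BLOCK_SIZE == 0 and pkcs7_unpad(padded) == msg
        padded_lengths[msg] = len(padded)
    return padded_lengths


if __name__ == "__main__":
    for msg, length in demo().items():
        print(f"{msg!r}: {len(msg)} -> {length} bytes")
```

Caveat: if a decryptor reports "bad padding" differently from "bad MAC" (a different error, or a different response time), an attacker can use that as a padding oracle to decrypt ciphertext block by block. Always verify a MAC, or use an authenticated mode, before unpadding.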

9
Q

Certificate authority
(CA)

A

An entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.

10
Q

CIA/AIC Triad

A

Security model built on the three core security concepts of confidentiality, integrity, and availability.

11
Q

Ciphertext

A

The encrypted form of a plaintext message, unreadable to anyone except the intended recipients; the message after it has been turned into a secret.

12
Q

Confidentiality

A

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

13
Q

Confusion

A

Making the relationship between the key and the ciphertext as complex as possible, typically through substitution (S-boxes) and by mixing key material into every round of encryption; because the key's influence is spread and changed from round to round, an attacker cannot deduce the key from the ciphertext.

14
Q

Cryptanalysis

A

The study of techniques for defeating cryptographic protections and, more generally, the information security services provided through cryptography; in practice, recovering the plaintext (or the key) from ciphertext without access to the real key.

15
Q

Cryptology

A

The science that deals with hidden, disguised, or encrypted communications.

16
Q

Cryptography

A

Literally "secret writing": the study and application of methods that protect the meaning and content of messages, files, etc. by disguise, obscuring, or other transformations. Today it provides confidentiality, integrity, authenticity, non-repudiation, and access control.

17
Q

Ciphers

A

always meant to hide the true meaning of a message; types include transposition, substitution, stream, and block

18
Q

Cleartext

A

any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding)

19
Q

Codes

A

cryptographic systems of symbols that operate on words or phrases and are sometimes secret, but don’t always provide confidentiality

20
Q

Collision

A

occurs when a hash function generates the same output for different inputs

21
Q

Cryptographic Hash function

A

A function that transforms an input of any length into a fixed-length value called a hash (or hash value); it is a one-way function, so it is infeasible to recover the input from the hash, and unlike encryption it uses no key and is not meant to be reversed. Message digests are an example of a cryptographic hash.
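Worked example, added to this deck (not one of the original cards), covering both the Collision and Cryptographic Hash function cards: a birthday search that finds two different messages with the same hash. The hash is SHA-256 truncated to 32 bits so the search finishes in a fraction of a second; the full 256-bit digest cannot be attacked this way. Function names and the constructed "msg-N" inputs are this example's own.

```python
# Added example, not from the original deck: a birthday-bound collision search
# against a deliberately truncated SHA-256 digest.
import hashlib
import math

TRUNC_BITS = 32  # toy digest length; full SHA-256 is 256 bits and is not attackable this way


def short_hash(msg: bytes, bits: int = TRUNC_BITS) -> int:
    """Return the first `bits` bits of SHA-256(msg) as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def same_full_digest(a: bytes, b: bytes) -> bool:
    """True only if the untruncated SHA-256 digests match."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def find_collision(bits: int = TRUNC_BITS, limit: int = 1 << 24):
    """Hash distinct messages until two share a short hash (birthday search).

    Returns (msg_a, msg_b, attempts) or None if `limit` is exhausted.
    """
    seen = {}
    for i in range(limit):
        msg = b"msg-%d" % i  # constructed inputs; any distinct messages will do
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) hashes on average."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"collision after {n} hashes (expected ~{expected_attempts(TRUNC_BITS):.0f})")
    print(a, b, hex(short_hash(a)), hex(short_hash(b)))
    print("full digests differ:", not same_full_digest(a, b))
```

The point for a practitioner: a collision costs roughly 2^(n/2) work for an n-bit hash, not 2^n, so an application that truncates a digest (short fingerprints, short HMAC tags, short IDs derived from hashes) has halved its collision resistance in the exponent.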

22
Q

Cryptosystem

A

The complete set of hardware, software, communications elements, and procedures that allow parties to communicate, store, or use information protected by cryptographic means; includes the algorithm, the key, and key management functions.

23
Q

Cryptovariable(s)

A

Parameters associated with a particular cryptographic algorithm, e.g. block size, key length, and number of iterations (rounds).

24
Q

Cyber-physical systems

A

systems that use ‘computational means’ to control physical devices

25
Q

Decryption

A

The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.

26
Q

Diffusion

A

Spreading the influence of each plaintext bit across many ciphertext bits, by moving (permuting) the plaintext throughout the ciphertext, so that changing a single plaintext bit changes roughly half of the ciphertext bits. The strongest algorithms exhibit a high degree of both confusion and diffusion.

27
Q

Digital certificate

A

An electronic document that binds an identity to a public key; it contains the name (and, where present, address details) of the organization or individual, the certificate holder's public key, a serial number, the validity period (expiration date), the name of the issuing certificate authority, and that CA's digital signature over the certificate.

28
Q

Decoding

A

The reverse process from encoding - converting the encoded message back into its plaintext format.

30
Q

Digital rights management
(DRM)

A

A broad range of technologies that grant control and protection to content providers over their own digital media.

31
Q

Digital Signatures

A

Provide authentication of the sender, integrity of the sender's message, and non-repudiation; produced by signing a hash of the message with the sender's private key and verified by anyone holding the matching public key.

32
Q

Encoding

A

Transforming a message or data into another format using a publicly known scheme (ASCII, UTF-8, Base64, etc.) so it can be stored or transmitted; unlike encryption, encoding uses no key, so anyone who knows the scheme can read the encoded information.

33
Q

Encryption

A

The process of converting the message from its plaintext to ciphertext.

34
Q

Elliptic-curve cryptography (ECC)

A

A newer mainstream asymmetric algorithm whose keys are typically 256 bits long; a 256-bit ECC key offers security comparable to a 3072-bit RSA key, so ECC delivers equivalent strength with much smaller keys and faster operations.

35
Q

Fog computing

A

An advanced computational architecture often used as an element of IIoT; it relies on sensors, IoT devices, or edge computing devices to collect data and then transfers it to a central processing point near the data source (typically on the local network) rather than sending everything to a distant cloud, centralizing processing and intelligence at that local point.

36
Q

Frequency analysis

A

A form of cryptanalysis that uses the frequency of occurrence of letters, words, or symbols in the ciphertext, compared against their known frequency in the underlying language, as a way of reducing the search space; it is the classic attack on substitution ciphers.

37
Q

Hash function

A

Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.

38
Q

Hybrid encryption system

A

A system that uses both symmetric and asymmetric encryption: asymmetric encryption exchanges (or encapsulates) a symmetric session key, and the faster symmetric cipher encrypts the bulk data.

39
Q

Initialization vector (IV)

A

A non-secret binary value used as the initial input (a random starting point) for encrypting a sequence of plaintext blocks, so that the same plaintext encrypted under the same key produces different ciphertext and to synchronize cryptographic equipment; sometimes called a nonce or seed value. An IV must never be reused with the same key, and for some modes (such as CBC) it must also be unpredictable.

40
Q

Integrity

A

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

41
Q

International Data Encryption Algorithm (IDEA)

A

A symmetric-key block cipher that uses a 128-bit key and operates on 64-bit blocks; it encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext, and the input plaintext block is divided into four 16-bit sub-blocks.

42
Q

Key or crypto variable

A

The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.

43
Q

Key clustering

A

When different encryption keys generate the same ciphertext from the same plaintext message.

44
Q

Key length

A

The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

45
Q

Key pair

A

matching set of one public and one private key

46
Q

Key escrow

A

process by which keys (asymmetric or symmetric) are placed in a trusted storage agent’s custody, for later retrieval

47
Q

Key generation

A

the process of creating a new encryption/decryption key

48
Q

Key recovery

A

In cryptanalysis, the process of reconstructing an encryption key from the ciphertext alone; if a workable key-recovery attack exists, the algorithm is not secure. (In key management the term also refers to retrieving a lost key, e.g. from escrow.)

49
Q

Key space

A

The total number of possible keys for a cryptographic algorithm (or possible values of a password); keyspace = 2^n for an n-bit key, so 4 bits gives 16 possible keys and 8 bits gives 256.

50
Q

Message authentication
code (MAC)

A

A small block of data computed over the message with a secret key and appended to it; used to verify integrity, and also provides authenticity (only a holder of the key could have produced it), but not non-repudiation, since sender and receiver share the same key.
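Worked example, added to this deck (not one of the original cards): an HMAC-SHA256 tag appended to a message, verified with a constant-time comparison, and the rejection that follows when the message is modified. The wire format (message followed by a 32-byte tag), the function names and the constructed key and message are this example's own.

```python
# Added example, not from the original deck: an HMAC-SHA256 message
# authentication code appended to a message, and what happens on tampering.
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size in bytes


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Compute the MAC tag over `message` under the shared secret `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Append the tag to the message (the wire format used by this example)."""
    return message + mac_tag(key, message)


def verify_and_strip(key: bytes, packet: bytes) -> bytes:
    """Check the appended tag and return the message; raise on any mismatch.

    compare_digest runs in constant time so an attacker cannot learn how many
    leading tag bytes were right from the response time.
    """
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short to carry a tag")
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac_tag(key, message), tag):
        raise ValueError("MAC verification failed")
    return message


def demo() -> dict:
    """Constructed key and message: a valid packet passes, a modified one fails."""
    key = bytes(range(32))  # constructed; use secrets.token_bytes(32) in practice
    packet = protect(key, b"transfer 100 to alice")
    outcome = {"valid_accepted": verify_and_strip(key, packet) == b"transfer 100 to alice"}
    tampered = bytearray(packet)
    tampered[9:12] = b"900"  # change the amount without touching the tag
    try:
        verify_and_strip(key, bytes(tampered))
        outcome["tampered_rejected"] = False
    except ValueError:
        outcome["tampered_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

Note what the MAC does not give you: because both ends hold the same key, either of them could have produced the tag, so a MAC cannot prove to a third party who sent the message. That is the gap digital signatures fill.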

51
Q

Message digest

A

A small, fixed-length representation of a larger message; message digests are used to ensure the authentication and integrity of information, not its confidentiality.

52
Q

Meet-in-the-middle

A

An attack that uses a known plaintext/ciphertext pair and works from both ends at once: it encrypts the plaintext under every possible first key and decrypts the ciphertext under every possible second key, then matches the intermediate results to identify the key pair. Double DES (2DES) is vulnerable to this attack, which is why it offers little more security than single DES.
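Worked example, added to this deck (not one of the original cards): a meet-in-the-middle attack on double encryption. Real DES cannot be brute-forced in a flash-card example, so the block uses a toy 16-bit Feistel cipher with 12-bit keys, constructed here solely for the demonstration; the attack logic is exactly what is applied to 2DES. The cipher, the function names and the secret keys are all this example's own.

```python
# Added example, not from the original deck: a meet-in-the-middle attack on
# double encryption, using a toy 16-bit Feistel cipher with 12-bit keys so the
# whole attack runs in well under a second.  The idea is identical for 2DES,
# which is why 2DES gives only about 57 bits of security instead of 112.
KEY_BITS = 12
ROUNDS = 4


def _f(x: int, rk: int) -> int:
    """Round function; any deterministic function works in a Feistel network."""
    y = (x ^ rk) & 0xFF
    y = (y * 0x3B + 0x6D) & 0xFF
    return ((y << 3) | (y >> 5)) & 0xFF  # rotate left by 3


def _round_keys(key: int) -> list:
    """Toy key schedule: every key bit influences at least one round key."""
    return [((key >> (3 * i)) ^ (key * (i + 1)) ^ (0x5A * i)) & 0xFF for i in range(ROUNDS)]


def encrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def decrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Cost is about 2 * 2**KEY_BITS cipher operations plus a lookup table,
    versus 2**(2 * KEY_BITS) for naive brute force of the key pair.
    """
    p0, c0 = pairs[0]
    # Forward half: every possible first key applied to the plaintext.
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(k1, p0), []).append(k1)
    # Backward half: every possible second key peeled off the ciphertext.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(decrypt(k2, c0), ()):
            # Discard chance matches using the remaining known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    K1, K2 = 0x3A5, 0x9C1  # constructed secret keys
    pairs = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

With 12-bit keys the naive search space is 2^24 key pairs but the attack does about 2^13 cipher operations; the price is the table of 2^12 intermediate values. Triple DES with three keys survives because the same trick only reduces its 168-bit key to roughly 112 bits of effective security.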

53
Q

Microcontroller

A

Similar to a system on a chip (SoC): a single chip containing a CPU, memory, I/O, and non-volatile storage (e.g. flash or ROM/PROM/EEPROM); an Arduino is a microcontroller board, whereas a Raspberry Pi is an SoC-based single-board computer.

54
Q

Mobile device deployment models

A

Cover the ways of allowing or providing mobile devices for employees: BYOD (bring your own device), COPE (corporate-owned, personally enabled), CYOD (choose your own device), and COMS/COBO (corporate-owned, mobile/business only); also consider VDI and VMI options.

55
Q

Mobile device deployment policies

A

should address things like data ownership, support ownership, patch and update management, security product management, forensics, privacy, on/offboarding, adherence to corporate policies, user acceptance, legal concerns, acceptable use policies, camera/video, microphone, Wi-Fi Direct, tethering and hotspots, contactless payment methods, and infrastructure considerations

56
Q

Multistate systems

A

certified to handle data from different security classifications simultaneously

57
Q

Nonrepudiation

A

Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message.

58
Q

Null cipher

A

Hiding plaintext within other plaintext. A form of steganography.

59
Q

One-time pad

A

A series of randomly generated symmetric encryption keys (pads), each used only once by the sender and recipient. To be secure, the key must be generated truly randomly with no discernible pattern, must be at least as long as the message, must be protected against physical disclosure, and each pad must be used exactly once and then discarded.
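Worked example, added to this deck (not one of the original cards): a one-time pad implemented as XOR against a random pad, followed by the failure mode the card warns about. When one pad protects two messages, XORing the two ciphertexts cancels the pad and leaves m1 XOR m2, from which a guessed fragment of one message ("crib dragging") reveals the other. The fixed pad and both messages are constructed for repeatability; function names are this example's own.

```python
# Added example, not from the original deck: a one-time pad as XOR with a
# random pad, and the leak that appears as soon as a pad is used twice.
import secrets


def new_pad(length: int) -> bytes:
    """Fresh, uniformly random pad; must be at least as long as the message."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(message, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same pad, c1 XOR c2 == m1 XOR m2: the pad cancels out."""
    return xor_bytes(c1, c2)


def crib_drag(leak: bytes, crib: bytes, position: int) -> bytes:
    """If the attacker guesses `crib` sits at `position` in one message, the
    corresponding bytes of the other message fall out of the leak."""
    return xor_bytes(leak[position:position + len(crib)], crib)


# Constructed demonstration values (a real pad comes from new_pad()).
PAD = bytes.fromhex("9f3c21a7d4e0556b18c3f2a90e7b6d41")
MSG1 = b"attack at dawn!!"
MSG2 = b"hold position!!!"


def demo() -> dict:
    c1 = otp_encrypt(MSG1, PAD)
    c2 = otp_encrypt(MSG2, PAD)  # the mistake: same pad used twice
    leak = pad_reuse_leak(c1, c2)
    return {
        "round_trip_ok": otp_decrypt(c1, PAD) == MSG1,
        "leak_is_m1_xor_m2": leak == xor_bytes(MSG1, MSG2),
        "recovered_from_crib": crib_drag(leak, b"attack", 0),
    }


if __name__ == "__main__":
    print(demo())
```

The same two-time-pad weakness applies to any stream cipher whose keystream is reused (same key and nonce), which is why nonce reuse in modes such as CTR or GCM is treated as a catastrophic failure rather than a minor bug.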

60
Q

Out-of-band

A

transmitting or sharing control information (e.g. encryption keys and crypto variables) by means of a separate and distinct communications path, channel, or system

61
Q

Plaintext

A

The message or data in its natural, readable format; it has not been turned into a secret.

62
Q

Password-Based Key Derivation Function 2 (PBKDF2)

A

Securely derives cryptographic keys from passwords by applying a salt and key stretching (many iterations of an HMAC-based hash); the result can be used as an encryption key or stored as a password verifier. Because each guess costs the attacker the full iteration count, brute-force and dictionary attacks become far more expensive.

63
Q

Pepper

A

A secret value added to every password before hashing, in addition to the per-user salt, to further increase the security of stored hashes; unlike the salt, it is kept outside the database that holds the hashes (e.g. in application configuration, a secrets manager, or an HSM), so a database dump alone is not enough to attack the hashes.

64
Q

Personal electronic device (PED)

A

Security features can usually be managed using mobile device management (MDM) or unified endpoint management (UEM) solutions, including device authentication, full-device encryption, communication protection, remote wiping, device lockout, screen locks, GPS and location services, content management, app control, push notification management, third-party app store control, rooting/jailbreaking detection, credential management, and more.

65
Q

Registration authority (RA)

A

This performs certificate registration services on behalf of a Certificate Authority (CA).

66
Q

Remote attestation

A

A feature of the TPM (Trusted Platform Module) in which hashes of the boot components and system configuration are recorded in the TPM and reported in a signed quote, so that a remote verifier can confirm the integrity of the system's configuration.

67
Q

real-time operating system (RTOS)

A

An operating system specifically designed to manage hardware resources and run applications with precise timing and high reliability; it processes data with minimum latency and is often stored in ROM. An RTOS uses deterministic timing, meaning tasks complete within a defined time frame, and operates under either hard real-time constraints (missing a deadline can cause system failure) or soft real-time constraints (missing a deadline degrades performance but is not catastrophic).

68
Q

Steganography

A

Hiding something within something else, or data hidden within other data.

69
Q

Stream cipher

A

A cryptosystem that performs its encryption on a bit-by-bit (or byte-by-byte) basis, encrypting the digits of a message one at a time, or, in classical substitution ciphers, one letter at a time.

70
Q

Substitution

A

The process of exchanging one letter or bit for another; an encryption/decryption process based on substitution.

71
Q

Symmetric algorithm

A

Operate with a single cryptographic key that is used for both encryption and decryption of the message.

72
Q

Salting

A

Adds random bits (the salt) to a password before hashing it, so identical passwords produce different hashes and precomputed rainbow tables are useless; algorithms like Argon2, bcrypt, and PBKDF2 add a salt and repeat the hashing function many times. Salts are not secret and are stored in the same database as the hashed password.

73
Q

Salting vs key stretching

A

salting adds randomness and uniqueness to each password before hashing, which reduces the effectiveness of rainbow table attacks; key stretching makes the hashing process deliberately slow, making it much more challenging for attackers to crack passwords using brute-force or precomputed tables; common password hashing algorithms that use key stretching include PBKDF2, bcrypt, and scrypt
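Worked example, added to this deck (not one of the original cards), covering the PBKDF2, Pepper, Salting, and Salting vs key stretching cards: password storage with PBKDF2-HMAC-SHA256, a per-user random salt stored beside the hash, and a pepper kept outside the database. The record format, the function names, and the constructed pepper are this example's own; the 600,000 iteration count is the OWASP Password Storage Cheat Sheet's 2023 minimum for PBKDF2-HMAC-SHA256.

```python
# Added example, not from the original deck: password storage with PBKDF2-HMAC-
# SHA256, a per-user random salt stored beside the hash, and a pepper kept
# outside the database.  Names and the storage format are this example's own.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256
# Constructed pepper.  In production it lives in a secrets manager, HSM or
# environment variable, never in the table that holds the hashes.
PEPPER = bytes.fromhex("4d7a9e1c2b8f0a6e5d3c1b9a7f8e6d5c4b3a29181706f5e4d3c2b1a0f9e8d7c6")


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC rather than concatenation."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh per user
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Storing the iteration count in the record lets you raise it later and rehash users transparently at their next login. Two records for the same password differ (different salts), so an attacker must attack each hash separately, and without the pepper a stolen table cannot be attacked at all. Where available, Argon2id is the preferred choice over PBKDF2 because its memory-hardness also blunts GPU and ASIC attacks.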

74
Q

SDx

A

Software-defined everything: replacing hardware functions with software using virtualization; includes virtualization and virtualized software, virtual networking, containerization, serverless architecture, IaC, SDN, VSAN, software-defined storage (SDS), VDI, VMI, SDV, and the software-defined data center (SDDC).

75
Q

Session key

A

a symmetric encryption key generated for one-time use; usually requires a key encapsulation approach to eliminate key management issues

76
Q

Static Environments

A

Apps, OSs, hardware, or networks that are created or configured to meet a particular need or function and are intended to remain unaltered; static environments, embedded systems, network-enabled devices, edge, fog, and mobile devices need security management that may include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, and control redundancy/diversity.

77
Q

Stream mode encryption

A

A system that treats the input plaintext as a continuous flow of symbols, encrypting one symbol at a time; it usually generates a keystream from the key and uses each successive portion of the keystream as a one-time key for the corresponding symbol.

78
Q

Symmetric encryption

A

process that uses the same key (or a simple transformation of it) for both encryption/decryption

79
Q

Transposition

A

The process of reordering the plaintext to hide the message while keeping the same letters or bits; an encryption/decryption process based on transposition.

80
Q

Trusted platform module
(TPM)

A

A secure cryptoprocessor and key-storage module (typically on the motherboard) that protects keys and records boot measurements, allowing the system to boot securely.

81
Q

Trust and Assurance

A

trust is the presence of a security mechanism or capability; assurance is how reliable the security mechanism(s) are at providing security

82
Q

Work factor

A

The time and effort required to break a cryptographic system; a way of measuring the system's strength as the cost or elapsed time needed to decrypt messages, usually expressed as the effort a brute-force attack would take.

83
Q

VESDA

A

Very Early Smoke Detection Apparatus: a brand name for an aspirating (air-sampling) smoke detector that senses smoke particles long before a conventional detector would.

84
Q

Zero-knowledge proof

A

one person demonstrates to another that they can achieve a result that requires sensitive info without actually disclosing the sensitive info