Domain Six: PKI and Cryptography Flashcards
What are the PAIN concepts that ryptography should address ?
Privacy, Authentication, Integrity, Non - Repudiation
What is Data in Use ?
This is data that is actively in use by the computer system. This includes data stored in memory while being processed.
What is the main protection for data in transit ?
Encyption via tls
What is data at rest ?
Data that is stored in storage media - encryption is an obvious protection
What is a cipher ?
The actual algorithm used to carry out cryptography
What are the two categories that ciphers fall into ?
Block and Stream
What is the advantage of block ciphers ?
High diffusion and immune to insertion
What is the disadvantage of block ciphers ?
Slow and error propagation
What is the advantage of stream ciphers ?
Speed and low error propagation
What are the disadvantages of stream ciphers ?
Low diffusion and susceptibiltiy to malicious insertion
What is a block cipher ?
Encrypts data in whole or in chunks and used when we know the size of the data to be encrypted
What is a stream cipher ?
Encrypts each individual bit as part of a stream
What is the concept of confusion in cryptography ?
Makes the relationship between the cipher and data as complex as possible. Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.[3]
The property of confusion hides the relationship between the ciphertext and the key.
This property makes it difficult to find the key from the ciphertext and if a single bit in a key is changed, the calculation of most or all of the bits in the ciphertext will be affected.
What is the concept of diffusion in cryptography ?
Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.[5] This is equivalent to the expectation that encryption schemes exhibit an avalanche effect.
The purpose of diffusion is to hide the statistical relationship between the ciphertext and the plain text
What kind of algorithm is DiffieHelman ?
Asymmetric
What kind of algorithm is DSA ?
Asymmetric - Good for digital signatures but does little for confidentiality
What kind of algorithm is Elliptical Curve ?
Asymmetric - Very fast uses real and rational numbers and requires smaller key sizes to provide same security as other algorithms
What kind of algorithm is RSA ?
Standard for Asymmetric - Key 2048 bits
What kind of agorithm is 3DES ?
Symmetric - Comes in four different types and the key length is 112 to 168 256 and 356. The different flavours use a key multiple times
DES - EEE2 Two key are used in the encryption process three times
DES - EDE2 Two key are used in the encryption process twice and once in the decryption process
DES - EEE3 Three keys are used in the encryption process three times
DES - EDE3 Three key are used in the encryption process twice and once in the decryption process
What kind of algorithm is AES ?
Symmetric - 3DES was only ever a stopgap and AES was the preferred standard and was based on the Rijndael algorithm. The key lengths are 128, 192 or 256 bits
What kind of algorithm is DES ?
Symmetric - DES uses a 64 bit key but 8 bits are used for parity checking so in actuality the key is only 56bits. This is a deprecated mechanism because it was shown that the algorithm could be cracked in less that 24 hours.
What kind of algorithm is RC4 ?
Symmetric - Ron Rivest came up with these ciphers. They are fast steam ciphers which are perfect for WiFi WEP. The key length is 40 bits plus a 24 bit initialisation vector making it 64 in total length.
What is a cipher mode ?
These are the primary ways of using the ciphers that adds additional functionality. So you would never use AES on its own but in conjunction with a cipher mode.
Describe the ECB cipher mode ?
Electronic Block will pad when there is a partial block. It is the easiest mode to break and is the native mode of DES. Its advantage is that it provides the highest throughput.
What is Cipher Block Chaining mode ?
Very similar to ECB has a slightly higher error rate meaning some block could become undecipherable.
What are counter cipher modes ?
Turns block ciphers into stream ciphers by the use of a counter function which is used alongside an IV.
What is Galois Counter Mode ?
Uses the Galois authentication with standard Counter Mode. Used specifically with 128 bit encryption
Describe the HMAC hashing algorithm ?
Designed to avoid collisions that other algorithms are prone to. This is done by the use of a shared private key but it does require that the key is sent out of bounds
What is MD5 ?
Hashing Algorithm - Takes a variable length input and produces a 128 bit output
What is the SHA algorithm ?
Hashing - SHA 1 and 0 are deprecated. SHA 2 is the most commonly used algorithm today
What is key stretching ?
Improving of weak keys for examples multiple rounds of either hashing or encryption
What is perfect forward secrecy ?
Used to change keys ensuring that even though a compromise occurs the blast radius is small.
What does the term east-west traffic mean ?
Lateral movement within a network
What are PEAP and EAP-TLS and what is the difference between the two ?
They are protocols for securing wireless communications with TLS. PEAP uses passwords whereas EAP-TLS uses server side certificates
Why use a site survey for wireless placement ?
Discovery of dead zones and optimal placement.
Give an example of a stream cipher ?
Caesar
What is the minimum key length in todays cryptographic systems ?
128 bit
Does symmetric encryption offer non repudiation ?
No - Only confidentiality
What are the main issues with symmetric encryption ?
Key exchange is a problem
Does not implement non-repudiation as anyone with the key can encrypt and decrypt
Algorithm is not scalable - Difficult to manage large numbers of users
Key Regeneration overhead - Every time someone leaves a key has to be regenerated
What are the main advantages of asymmetric encryption ?
Overhead - New or leaving users only need their key pair generated or removed
Blast Radius - Keys only need to be regenerated when the private key is compromised
Provides Non-Repudiation, Confidentiality, Integrity and Authentication
Key Exchange is simplified - There is no method to derive the private key from the public key
What key lengths does AES support ?
128,192,256
I want to exchange keys in order to use symmetric encryption but the PKI and Offline options are not available to me what should I use ?
Diffie Hellman
In symmetric cryptography what is split knowledge ?
Where two people own half of the key
What is a key escrow service ?
Key is stored with a third party service
Whats a weakness of the MD5 hashing protocol ?
It is prone to collisions
What cryptographic goals are satisfied by digital signatures ?
Authentication, Integrity and Non Repudiation
Whats the process in creating a digital signature ?
Sender creates message digest by hashing original plain text
Sender encrypts the digest with their private key
Sender attaches the message digest to plain text message
Sender transmits message
Receiver decrypts message digest with Senders public key
Receiver uses same hashing function on plain text
Receiver then compares that their result and the received hash are the same
What extra step should you take to ensure privacy after you have created a digital signature ?
Encrypt it with the recipents public key
What key should I use if I want to send an encrypted message to a recipient ?
Recipients public key
What key should I use if I recieve an encrypted message ?
My private key
What key should I use if I want to create a digital signature ?
My private key
What key should I use to verify a digital signature ?
Senders public key
What hashing algorithm uses a shared private key ?
HMAC
What does the common name (CN) of certificates contain ?
Fully Qualified Domain Name (FQDN)
How is the root certificate of the CA stored ?
Offline
What is certificate chaining ?
In the CA trust model, the use of a series of intermediate CA’s is known as certificate chaining and the browser has to verify all the certificates in the chain.
What is the role of the registration authority (RA)
Help with identification but does not issue certificates
What are some of the items mandated by the X509 standard for certificates ?
Version
Serial Number
Signature Algorithm Identifier
Issuer Name - The CA authority name
Validity Period - Start, Expiration date and time
Subjects Common Name (CN) - FQDN of domain owner
Subject Alternative Names (SAN) - Additional optional items such as IP addresses and domain names
Subjects Public Key
What is enrolment in the certificate process ?
The supplying of identity documents to prove to the CA you are genuine
What is a CSR (Certificate Signing Request) ?
The submitting of your public key to the CA after your identity has been verified.
What is a domain validation certificate (DV) ?
The lowest level which just identifies that you own the domain is known as a Domain Validation (DV) certificate
What is the name of the certificate that requires more validation than just the DV ?
Extended validation (EV) certificate
What is a primary use case for Eliptical Curve cryptography ?
Key Exchange and digital signatures
What is XSS ?
XSS is a web-based vulnerability that occurs when an attacker injects malicious code into a web page that is then executed by the browser of a user who visits the page. The code can steal cookies, session tokens, or other sensitive information from the user or the web server.
Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools?
Capability
Do SIEMS maintain a database ?
Yes
What is the difference between recurring and continuous risk assessment ?
Recurring risk assessment involves conducting risk assessments at regular intervals to adapt to changing threats and vulnerabilities over time whereas continuous is all the time to help with operational security
What is the difference between SASE and WAN ?
SASE (Secure access service edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location where as WAN just covers networking capabilities
What is infrastructure monitoring ?
Infrastructure monitoring is focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure
What is systems monitoring?
Systems monitoring evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT.
What is directory traversal ?
A directory traversal attack is a type of application attack that involves manipulating the input parameters to access files or directories that are not intended to be accessible by the user, such as configuration files, source code, or system files.
What is the primary purpose of package monitoring ?
Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks.
Is the file extension normally included in the files metadata ?
No
Which of the following BEST describes a system that allocates permissions and access based on pre-defined organizational guidelines, strategies, codes, roles, or requirements?
Policy Driven
Can a single tool be two types of control ?
Yes Antimalware is a detective control and a corrective one
What is a directive control give an example ?
Sets the standards of behaviour for org normally a policy or document such as AUP
What is a POA&M ?
Plan of action and milestones to rectify gaps found in a gap analysis
What is zero trust ?
Zero Trust demands verification for every device, every user and every transaction regardless of where it came from.
In zero trust architecture what is the control plane ?
Is the overarching set of components responsible for defining, enforcing and managing the policies related to user and system access within the organisation
In zero trust what is the control planes adaptive identity ?
leverages Context based authentication, considers where the user is logging in from, whether the device they are using meets security requirements and will either request additional info or request if standards are not met. The assumption is a users identity is not set in stone we need to take into account context based information such as behaviour and device location.
What is the control planes threat scope reduction ?
Limiting the blast radius determined by least privilege and identity base network segmentation rather than the more traditional network segmentation methods such as VLAN and IP addresses
What is the role of the policy engine in Zero Trust ?
Policy engines make decisions based on rules and external systems such as identity management and SIEM. They use a trust algorithm that makes a decision to grant, deny or revoke access to a given resource. Once the decision has been made it is logged and then the policy administrator takes action.
What is the role of the policy enforcement in Zero Trust ?
To carry out the decisions made by the policy engine such as terminating connections
