Encryption & PKI Flashcards
cryptography
The science of encrypting and decrypting information to hide its true meaning
OCSP
Online Certificate Status Protocol
- HTTP-based alternative to a certificate revocation list (CRL) that provides real-time validation of certificates
- Clients query a CA with the serial number of a certificate and the CA replies with good, revoked, or unknown.
- OCSP stapling appends a digitally signed OCSP response to a certificate
DSA
Digital Signature Algorithm
A public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
HMAC
Hash-based Message Authentication Code
- A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions with a secret key.
- Two versions:
- HMAC-MD5: creates 128-bit hashes
- HMAC-SHA1: creates 160-bit hashes

DHE
Diffie-Hellman Ephemeral
- Based on Diffie-Hellman key exchange algorithm
- Used to privately share a symmetric key between 2 parties over unsecured connection.
- Uses ephemeral keys, generating a different key each session.
- Also called EDH - Ephemeral Diffie-Hellman
key exchange
Any method by which cryptographic keys are transferred among users thus enabling the use of a cryptographic algorithm
CSR
Certificate Signing Request
- Method of requesting a certificate from a CA.
- Starts with the creation of an RSA-based private/public key pair
- Next step is to include the public key in the CSR.
cryptographic salt
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (‘salting) each plain text input
DV
Domain Validated Certificate
- A type of digital certificate that proves that some entity has control over a particular domain name.
- Considered to be weaker than EV (Extended Validation)
public key
The component of asymmetric encryption that can be accessed by anyone
symmetric encryption
Two-way encryption scheme in which encryption and decryption use the same key
Also known as shared-key encryption

public root CA
A root CA that is created by a vendor for general access by the public
KEK
Key Encryption Key
A symmetric key that encrypts/decrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage
Provides confidentiality
Also called key-wrapping
ECC
Elliptic Curve Cryptography
Doesn’t take as much processing power as other cryptographic method and is often used on low-power devices such as small wireless devices.
Mathematical equations are used to formulate an elliptic curve.
Keys are created by graphing points on the curve.
key generation
The process of generating keys in cryptography
A key is used to encrypt and decrypt whatever data is being encrypted/decrypted
CRL
Certificate Revocation List
A list of certificates that a CA has revoked before their expiration date.
Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization.
MAC
Message Authentication Code
- Short piece of information used to confirm that the message came from the stated sender and has not been changed
- Similar to a hash
- AKA a tag
PEM
Privacy Enhanced Mail
Common PKI certificate format that can be used for most types of certificates
Can use either format:
- CER (ASCII)
- DER (binary)
Can be used for almost any type of certificates
DES
Data Encryption Standard
A legacy symmetric encryption standard used to provide confidentiality.
It has been compromised and AES or 3DES should be used instead.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
EV
Extended Validation Certificate
- Goes several steps beyond domain validation
- Can only be issued by a subset of CAs and requires verification of requesting entity’s legal identity before issuing certificate
- Domains with EV certificates have company name before URL
- Considered to be stronger than domain validation (DV)
key escrow
Process of placing a copy of a private keys with a third-party
Used when third party is granted access to the process
If key lost, copy can be retrieved
Used in instances where organization determines that data loss is unacceptable
XOR
Exclusive OR
- A logical operation used in some ecryption schemes.
- XOR operators compare 2 inputs:
- 2 inputs the same=true
- 2 inputs different=false
OID
Object Identifier
A series of numbers separated by periods that describe the identity of the owner of a digital certificate













