Encryption & PKI Flashcards

1
Q

cryptography

A

The science of encrypting and decrypting information to hide its true meaning

2
Q

OCSP

A

Online Certificate Status Protocol

  • HTTP-based alternative to a certificate revocation list (CRL) that provides real-time validation of certificates
  • Clients query a CA with the serial number of a certificate and the CA replies with good, revoked, or unknown.
  • OCSP stapling appends a digitally signed OCSP response to a certificate
3
Q

DSA

A

Digital Signature Algorithm

A public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

4
Q

HMAC

A

Hash-based Message Authentication Code

  • A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions with a secret key.
  • Two versions:
    • HMAC-MD5: creates 128-bit hashes
    • HMAC-SHA1: creates 160-bit hashes
5
Q

DHE

A

Diffie-Hellman Ephemeral

  • Based on Diffie-Hellman key exchange algorithm
  • Used to privately share a symmetric key between 2 parties over an unsecured connection.
  • Uses ephemeral keys, generating a different key each session.
  • Also called EDH - Ephemeral Diffie-Hellman
6
Q

key exchange

A

Any method by which cryptographic keys are transferred among users thus enabling the use of a cryptographic algorithm

7
Q

CSR

A

Certificate Signing Request

  • Method of requesting a certificate from a CA.
  • Starts with the creation of an RSA-based private/public key pair
  • Next step is to include the public key in the CSR.
8
Q

cryptographic salt

A

A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ('salting') each plain text input

9
Q

DV

A

Domain Validated Certificate

  • A type of digital certificate that proves that some entity has control over a particular domain name.
  • Considered to be weaker than EV (Extended Validation)
10
Q

public key

A

The component of asymmetric encryption that can be accessed by anyone

11
Q

symmetric encryption

A

Two-way encryption scheme in which encryption and decryption use the same key

Also known as shared-key encryption

12
Q

public root CA

A

A root CA that is created by a vendor for general access by the public

13
Q

KEK

A

Key Encryption Key

A symmetric key that encrypts/decrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage

Provides confidentiality

Also called key-wrapping

14
Q

ECC

A

Elliptic Curve Cryptography

Doesn’t take as much processing power as other cryptographic methods and is often used on low-power devices such as small wireless devices.

Mathematical equations are used to formulate an elliptic curve.

Keys are created by graphing points on the curve.

15
Q

key generation

A

The process of generating keys in cryptography

A key is used to encrypt and decrypt whatever data is being encrypted/decrypted

16
Q

CRL

A

Certificate Revocation List

A list of certificates that a CA has revoked before their expiration date.

Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization.

17
Q

MAC

A

Message Authentication Code

  • Short piece of information used to confirm that the message came from the stated sender and has not been changed
  • Similar to a hash
  • AKA a tag
18
Q

PEM

A

Privacy Enhanced Mail

Common PKI certificate format that can be used for most types of certificates

Can use either format:

  • CER (ASCII)
  • DER (binary)

Can be used for almost any type of certificates

19
Q

DES

A

Data Encryption Standard

A legacy symmetric encryption standard used to provide confidentiality.

It has been compromised and AES or 3DES should be used instead.

20
Q

asymmetric encryption

A

A two-way encryption scheme that uses paired private and public keys.

21
Q

EV

A

Extended Validation Certificate

  • Goes several steps beyond domain validation
  • Can only be issued by a subset of CAs and requires verification of requesting entity’s legal identity before issuing certificate
  • Domains with EV certificates have company name before URL
  • Considered to be stronger than domain validation (DV)
22
Q

key escrow

A

Process of placing a copy of private keys with a third party

Used when third party is granted access to the process

If key lost, copy can be retrieved

Used in instances where organization determines that data loss is unacceptable

23
Q

XOR

A

Exclusive OR

  • A logical operation used in some encryption schemes.
  • XOR operators compare 2 inputs:
    • 2 inputs the same=true
    • 2 inputs different=false
24
Q

OID

A

Object Identifier

A series of numbers separated by periods that describe the identity of the owner of a digital certificate

25
Q

Blowfish

A

A freely available 64-bit block symmetric key cipher algorithm that uses a variable key length

Faster than AES in some cases like AES-256

26
Q

key escrow agent

A

A third party that maintains a backup copy of private keys

27
Q

MD5

A

Message Digest 5

  • Hashing function used to provide integrity
  • Creates 128-bit hashes (aka checksums)
  • Considered cracked/deprecated
28
Q

block cipher

A

A type of symmetric encryption that encrypts data one block at a time often in 64-bit blocks. It is usually more secure but is also slower than stream ciphers.

29
Q

steganography

A

Technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination

30
Q

Twofish

A

A symmetric key block cipher similar to Blowfish consisting of a block size of 128 bits and key sizes up to 256 bits

31
Q

CTM

A

Counter-Mode

  • An encryption mode of operation that combines an IV with a counter.
  • The combined result is used to encrypt blocks.
  • Effectively turns a block cipher into a stream cipher
  • The counter can be any function that produces a sequence guaranteed not to repeat for a long time.
  • The increment-by-one counter is the simplest and most popular.
32
Q

RIPEMD

A

RACE Integrity Primitives Evaluation Message Digest

Hash function used for integrity

4 versions that create fixed size hashes:

  • RIPEMD-128
  • RIPEMD-160
  • RIPEMD-256
  • RIPEMD-320

RIPEMD-160 is the most common, but RIPEMD is not as widely used as other hash functions like MD5, SHA, and HMAC

33
Q

ciphertext

A

Data that has been encoded and is unreadable

34
Q

hash

A

The value that results from hashing encryption. Also known as hash value or message digest

35
Q

CER

A

Canonical Encoding Rules

A base format for PKI certificates. They are binary encoded files.

Compare with DER

36
Q

ECB

A

Electronic Code Book

  • Simplest encryption mode
  • Text divided into plain-text blocks
  • Each block is encrypted using the same key
  • Encryption method has significant weakness and is easy to break
  • Deprecated
37
Q

cipher suite

A

Combination of cryptographic algorithms that provide several layers of security for TLS connections

When 2 systems connect, they identify a cipher suite acceptable to both and then use the protocols within that suite

Protocols provide 3 primary crypto solutions:

  1. Encryption: data confidentiality
  2. Authentication via certificates
  3. Integrity using message authentication code (MAC)
38
Q

CA

A

Certificate Authority

An entity that manages, issues, and signs digital certificates and the associated public/private key pairs.

It is a critical part of PKI.

39
Q

DER

A

Distinguished Encoding Rules

  • A base format for PKI certificates. They are BASE64 ASCII encoded files.
  • Compare with CER
40
Q

key

A

A specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption

41
Q

substitution cipher

A

Method of encryption in which units of plaintext are replaced with the ciphertext, in a defined manner, with the help of a key

“Units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, etc.

42
Q

nonce

A

An arbitrary number used only once in a cryptographic communication often to prevent replay attacks

43
Q

encryption

A

A security technique that converts data from plain-text form into coded (or cipher-text) form so that only authorized parties with the necessary decryption information can decode and read the data

44
Q

3DES

A

Triple Digital Encryption Standard

  • Symmetric block cipher
  • Originally designed to replace DES
  • Encrypts in 64-bit blocks
  • Applies the DES cipher algorithm to each data block 3 times creating 3 independent
  • Deprecated by NIST in 2017 for new apps and disallowed for all apps 2023
  • Still used in some applications when legacy hardware doesn’t support AES
45
Q

obfuscation

A

A technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users

46
Q

PRNG

A

Pseudo Random Number Generator

An algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers.

47
Q

asymmetric encryption

A

A two-way encryption scheme that uses paired private and public keys.

48
Q

chain of trust

A

A linked path of verification and validation to ensure the validity of a digital certificate’s issuer.

49
Q

confusion

A

Cryptography concept that indicates that ciphertext is significantly different than plaintext

50
Q

PFS

A

Perfect Forward Secrecy

A feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.

51
Q

cryptographic module

A

Any software or hardware solution that implements one or more cryptographic concepts such as different encryption and decryption algorithms

52
Q

digital signature

A

An encrypted hash of a message

Encrypted with sender’s private key and decrypted with sender’s public key

Provides:

  • authentication
  • non-repudiation
  • integrity
53
Q

cipher

A

An algorithm used to encrypt or decrypt data.

54
Q

PGP

A

Pretty Good Privacy

  • Encryption program that provides cryptographic privacy and authentication for data communication.
  • PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions
  • Increases the security of e-mail communications
55
Q

subordinate CA

A

Any certificate authority below the root CA in the hierarchy

56
Q

GCM

A

Galois/Counter Mode

  • A mode of operation used for encryption.
  • It combines the counter mode (CTM) with hashing techniques for data authenticity and confidentiality.
57
Q

bcrypt

A

Key-stretching algorithm used to protect passwords

Salts passwords with additional bits before encrypting them with Blowfish

Thwarts rainbow table attacks

58
Q

cleartext

A

Unencrypted readable data that is not meant to be encrypted

59
Q

PKI

A

Public Key Infrastructure

A group of technologies for digital certificates. It is used to perform functions with digital certificates:

  • request
  • create
  • manage
  • store
  • distribute
  • revoke
60
Q

DH

A

Diffie-Hellman

A cryptographic protocol that provides for secure key exchange over a public channel.

61
Q

CBC

A

Cipher Block Chaining

A mode of operation used for encryption that effectively converts a block cipher into a stream cipher.

It uses an initialization vector (IV) for the first block and each subsequent block is combined with the previous block.

Less efficient than other modes due to potential pipeline delay.

62
Q

key stretching

A

A technique that strengthens potentially weak cryptographic keys such as passwords or passphrases created by people against brute force attacks

63
Q

P12 Certificates

A
  • Use PKCS #12 format
  • DER-based (binary)
  • Commonly used to hold certificates with the private key
64
Q

root CA

A

The top-most CA in the hierarchy and consequently the most trusted authority in the hierarchy

65
Q

SHA

A

Secure Hash Algorithm

  • Hash algorithm modeled after MD5 and considered the stronger of the two.
  • Has multiple versions:
    • SHA-1: 160-bit hashes
    • SHA2: 224-, 256-, 384-, or 512-bit hashes
    • SHA3: 224-, 256-, 384-, or 512-bit hashes
66
Q

digital certificate

A
  • Electronic document used to prove ownership of a public key.
  • Contains:
    • Name of certificate holder
    • The holder’s public key
    • Digital signature of certificate authority
  • Using public key cryptography its authenticity can be verified to ensure that the software or website you are using is legitimate.
67
Q

CA hierarchy

A

A single CA or group of CAs that work together to issue digital certificates.

68
Q

RC4

A

Rivest Cipher Version 4/Ron’s Code V.4

  • Symmetric stream cipher developed by Ronald Rivest
  • Can use between 40 - 2048 bits
  • Crackable
69
Q

diffusion

A

A cryptographic technique that makes ciphertext change drastically upon even the slightest changes in the plaintext input

70
Q

RSA

A

Rivest Shamir & Adleman

  • An asymmetric algorithm used to encrypt data and digitally sign transmissions
  • Used to protect email and other data transmitted over the internet
  • Uses static keys
71
Q

hashing

A

A process or function that transforms plaintext into ciphertext that cannot be directly decrypted

72
Q

RA

A

Recovery Agent

Someone allowed entry into cryptographic protocol who is authorized to recover a certificate on behalf of an end user.

The role of key recovery agents can involve sensitive data so only highly trusted individuals should be assigned to this role.

73
Q

SAN

A

Subject Alternative Name

Certificate type used for multiple domains that have different names but are owned by the same organization

74
Q

SCEP

A

Simple Certificate Enrollment Protocol

Protocol designed to make the request and issuing of digital certificates as simple as possible for any standard network user

75
Q

AES

A

Advanced Encryption Standard

  • A strong symmetric block cipher that encrypts data in 128-bit blocks.
  • Designed to replace DES.
  • Fast, efficient, and strong
  • Uses key sizes of:
    • 128 bits
    • 192 bits
    • 256 bits (not as fast as Blowfish)
  • Approved encryption standard for government agencies including NSA.
76
Q

ECDHE

A

Elliptic Curve Diffie-Hellman Ephemeral

  • Cryptographic protocol that is based on the Diffie-Hellman protocol for key exchange
  • Provides for secure key exchange over a public network by using ephemeral keys and elliptic curve cryptography.
  • Ephemeral cryptographic keys are newly generated for each key exchange session.
77
Q

PBKDF2

A

Password-based Key Derivation Function 2

Key stretching technique that adds additional bits to a password as salt. It helps prevent brute force and rainbow table attacks.

78
Q

RA

A

Registration Authority

Assists CAs with the verification of users’ identities prior to issuing digital certificates

Doesn’t directly issue certificates but plays important role in the certification process, allowing CAs to remotely validate user identities

79
Q

certificate chaining

A

A linked path of verification and validation to ensure the validity of a digital certificate’s issuer

80
Q

certificate pinning

A

A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

81
Q

One-time pad (OTP)

A
  • Only method of encryption that has ever been mathematically proven to offer perfect security
  • Pad of numbers can only be used once and must then be disposed of afterward
  • Also known as Vernam Cipher