Encryption & PKI Flashcards
cryptography
The science of encrypting and decrypting information to hide its true meaning
OCSP
Online Certificate Status Protocol
- HTTP-based alternative to a certificate revocation list (CRL) that provides real-time validation of certificates
- Clients query a CA with the serial number of a certificate and the CA replies with good, revoked, or unknown.
- OCSP stapling appends a digitally signed OCSP response to a certificate
DSA
Digital Signature Algorithm
A public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
HMAC
Hash-based Message Authentication Code
- A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions with a secret key.
- Two versions:
- HMAC-MD5: creates 128-bit hashes
- HMAC-SHA1: creates 160-bit hashes
DHE
Diffie-Hellman Ephemeral
- Based on Diffie-Hellman key exchange algorithm
- Used to privately share a symmetric key between 2 parties over unsecured connection.
- Uses ephemeral keys, generating a different key each session.
- Also called EDH - Ephemeral Diffie-Hellman
key exchange
Any method by which cryptographic keys are transferred among users thus enabling the use of a cryptographic algorithm
CSR
Certificate Signing Request
- Method of requesting a certificate from a CA.
- Starts with the creation of an RSA-based private/public key pair
- Next step is to include the public key in the CSR.
cryptographic salt
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (‘salting) each plain text input
DV
Domain Validated Certificate
- A type of digital certificate that proves that some entity has control over a particular domain name.
- Considered to be weaker than EV (Extended Validation)
public key
The component of asymmetric encryption that can be accessed by anyone
symmetric encryption
Two-way encryption scheme in which encryption and decryption use the same key
Also known as shared-key encryption
public root CA
A root CA that is created by a vendor for general access by the public
KEK
Key Encryption Key
A symmetric key that encrypts/decrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage
Provides confidentiality
Also called key-wrapping
ECC
Elliptic Curve Cryptography
Doesn’t take as much processing power as other cryptographic method and is often used on low-power devices such as small wireless devices.
Mathematical equations are used to formulate an elliptic curve.
Keys are created by graphing points on the curve.
key generation
The process of generating keys in cryptography
A key is used to encrypt and decrypt whatever data is being encrypted/decrypted
CRL
Certificate Revocation List
A list of certificates that a CA has revoked before their expiration date.
Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization.
MAC
Message Authentication Code
- Short piece of information used to confirm that the message came from the stated sender and has not been changed
- Similar to a hash
- AKA a tag
PEM
Privacy Enhanced Mail
Common PKI certificate format that can be used for most types of certificates
Can use either format:
- CER (ASCII)
- DER (binary)
Can be used for almost any type of certificates
DES
Data Encryption Standard
A legacy symmetric encryption standard used to provide confidentiality.
It has been compromised and AES or 3DES should be used instead.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
EV
Extended Validation Certificate
- Goes several steps beyond domain validation
- Can only be issued by a subset of CAs and requires verification of requesting entity’s legal identity before issuing certificate
- Domains with EV certificates have company name before URL
- Considered to be stronger than domain validation (DV)
key escrow
Process of placing a copy of a private keys with a third-party
Used when third party is granted access to the process
If key lost, copy can be retrieved
Used in instances where organization determines that data loss is unacceptable
XOR
Exclusive OR
- A logical operation used in some ecryption schemes.
- XOR operators compare 2 inputs:
- 2 inputs the same=true
- 2 inputs different=false
OID
Object Identifier
A series of numbers separated by periods that describe the identity of the owner of a digital certificate
Blowfish
A freely available 64-bit block symmetric key cipher algorithm that uses a variable key length
Faster than AES in some cases like AES-256
key escrow agent
A third party that maintains a backup copy of private keys
MD5
Message Digest 5
- Hashing function used to provide integrity
- Creates 128-bit hashes (aka checksums)
- Considered cracked/deprecated
block cipher
A type of symmetric encryption that encrypts data one block at a time often in 64-bit blocks. It is usually more secure but is also slower than stream ciphers.
steganography
Technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination
Twofish
A symmetric key block cipher similar to Blowfish consisting of a block size of 128 bits and key sizes up to 256 bits
CTM
Counter-Mode
- An encryption mode of operation that combines an IV with a counter.
- The combined result is used to encrypt blocks.
- Effectively turns a block cypher into a stream cipher
- The counter can be any function that produces a sequence guaranteed not to repeat for a long time.
- The increment-by-one counter is the simplest and most popular.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest
Hash function used for integrity
4 versions that create fixed size hashes:
- RIPEMD-128
- RIPEMD-160
- RIPEMD-256
- RIPEMD-320
RIPEMD-160 is the most common but RIPEMD not as widely used as other hash functions like MD5, SHA, and HMAC
ciphertext
Data that has been encoded and is unreadable
hash
The value that results from hashing encryption. Also known as hash value or message digest
CER
Canonical Encoding Rules
A base format for PKI certificates. They are binary encoded files.
Compare with DER
ECB
Electronic Code Book
- Simplest encryption mode
- Text divided into plain-text blocks
- Each block is encrypted using the same key
- Encryption method has significant weakness and is easy to break
- Deprecated
cipher suite
Combination of cryptographic algorithms that provide several layers of security for TLS connections
When 2 systems connect, they identify cypher suite acceptable to both and then use protocols within suite
Protocols provide 3 primary crypto solns:
- Encryption-data confidentiality
- Authentication via certificates
- Integrity using msg authentication code (MAC)
CA
Certificate Authority
An entity that manages, issues, and signs digital certificates and the associated public/private key pairs.
It is critical part of PKI.
DER
Distinguised Encoding Rules
- A base format for PKI certificates.They are BASE64 ASCII encoded files.
- Compare with CER
key
A specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption
substitution cipher
Method of encryption in which units of plaintext are replaced with the ciphertext, in a defined manner, with the help of a key
“Units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, etc.
nonce
An arbitrary number used only once in a cryptographic communication often to prevent replay attacks
encryption
A security technique that converts data from plain-text form into coded (or cipher-text) form so that only authorized parties with the necessary decryption information can decode and read the data
3DES
Triple Digital Encryption Standard
- Symmetric block cipher
- Originally designed to replace DES
- Encrypts in 64-bit blocks
- Applies the DES cipher algorithm each data block 3 times creating 3 independent
- Deprecated by NIST in 2017 for new apps and disallowed for all apps 2023
- Still used in some applications when legacy hardware doesn’t support AES
obfuscation
A technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users
PRNG
Pseudo Random Number Generator
An algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
chain of trust
A linked path of verification and validation to ensure the validity of a digital certificate’ issuer.
confusion
Cryptography concept that indicates that ciphertext is significantly different than plaintext
PFS
Perfect Forward Secrecy
A feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.
cryptographic module
Any software or hardware solution that implements one or more cryptographic concepts such as different encryption and decryption algorithm
digital signature
An encrypted hash of a message
Encrypted with senders private key and decrypted with sender’s public key
Provides:
- authentication
- non-repudiation
- integrity
cipher
An algorithm used to encrypt or decrypt data.
PGP
Pretty Good Privacy
- Encryption program that provides cryptographic privacy and authentication for data communication.
- PGP is used for signing encrypting and decrypting texts, e-mails, files, directories, and whole disk partitions
- Increases the security of e-mail communications
subordinate CA
Any certificate authority below the root CA in the hierarchy
GCM
Galois/Counter Mode
- A mode of operation used for encryption.
- It combines the counter mode (CTM) with hashing techniques for data authenticity and confidentiality.
bcrypt
Key-stretching algorithm used to protect passwords
Salts passwords with additional bits before encrypting them with Blowfish
Thwarts rainbow table attacks
cleartext
Unencrypted readable data that is not meant to be encrypted
PKI
Public Key Infrastructure
A group of technologies for digital certificates. It is used perform functions with digital certificates:
- request
- create
- manage
- store
- distribute
- revoke
DH
Diffie-Hellman
A cryptographic protocol that provides for secure key exchange over a public channel.
CBC
Cipher Block Chaining
A mode of operation used for encryption that effectively converts a block cipher into a stream cipher.
It uses an initialization vector (IV) for the first block and each subsequent block is combined with the previous block.
Less efficient than other modes due to potential pipeline delay.
key stretching
A technique that strengthens potentially weak cryptographic keys such as passwords or passphrases created by people against brute force attacks
P12 Certificates
- Use PKCS #12 format
- DER-based (binary)
- Commonly used to hold certificates with the private key
root CA
The top-most CA in the hierarchy and consequently the most trusted authority in the hierarchy
SHA
Secure Hash Algorithm
- Hash algorithm modeled after MD5 and considered the stronger of the two.
- Has multiple versions:
- SHA-1: 160-bit hashes
- SHA2: 224-, 256-, 384-, or 512-bit hashes
- SHA3: 224-, 256-, 384-, or 512-bit hashes
digital certificate
- Electronic document used to prove ownership of a public key.
- Contains:
- Name of certificate holder
- The holder’s public key
- Digital signature of certificate authority
- Using public key cryptography its authenticity can be verified to ensure that the software or website you are using is legitimate.
CA hierarchy
A single CA or group of CAs that work together to issue digital certificates.
RC4
Rivest Cipher Version 4/Ron’s Code V.4
- Symmetric stream cipher developed by Ronald Rivest
- Can use between 40 - 2048 bits
- Crackable
diffusion
A cryptographic technique that makes ciphertext change drastically upon even the slightest changes in the plaintext input
RSA
Rivest Shamir & Adleman
- An asymmetric algorithm used to encrypt data and digitally sign transmissions
- Used to protect email and other data transmitted over the internet
- Uses static keys
hashing
A process or function that transforms plaintext into ciphertext that cannot be directly decrypted
RA
Recovery Agent
Someone allowed entry into cryptographic protocol who is authorized to recover a certificate on behalf of an end user.
The role of key recovery agents can involve sensitive data so only highly trusted individuals should be assigned to this role.
SAN
Subject Alternative Name
Certificate type used for multiple domains that have different names but are owned by the same organization
SCEP
Simple Certificate Enrollment Protocol
Protocol designed to make the request and issuing of digital certificates as simple as possible for any standard network user
AES
Advanced Encryption Standard
- A strong symmetric block cipher that encrypts data in 128-bit blocks.
- Designed to replace DES.
- Fast, efficient, and strong
- Uses key sizes of:
- 128 bits
- 192 bits
- 256 bits (not as fast as Blowfish)
- Approved encryption standard for government agencies including NSA.
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral
- Cryptographic protocol that is based on the Diffie Hellman protocol for key exchange
- Provides for secure key exchange over a public network by using ephemeral keys and elliptic curve cryptography.
- Ephemeral cryptographic keys are newly generated for each key exchange session.
PBKDF2
Password-based Key Derivation Function 2
Key stretching technique that adds additional bits to a password as salt. It helps prevent brute force and rainbow table attacks.
RA
Registration Authority
Assist CAs with the verification of users’ identities prior to issuing digital certificates
Doesn’t directly issue certificates but plays important role in the certification process, allowing CAs to remotely validate user identities
certificate chaining
A linked path of verification and validation to ensure the validity of a digital certificate’s issuer
certificate pinning
A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
One-time pad (OTP)
- Only method of encryption has ever been mathematically proven to offer perfect security
- Pad of numbers can only be used once and must then be disposed of afterward
- Also known as Vernam Cipher
