Encryption & PKI Flashcards
cryptography
The science of encrypting and decrypting information to hide its true meaning
OCSP
Online Certificate Status Protocol
- HTTP-based alternative to a certificate revocation list (CRL) that provides real-time validation of certificates
- Clients query a CA with the serial number of a certificate and the CA replies with good, revoked, or unknown.
- OCSP stapling appends a digitally signed OCSP response to a certificate
DSA
Digital Signature Algorithm
A public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
HMAC
Hash-based Message Authentication Code
- A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions with a secret key.
- Two versions:
- HMAC-MD5: creates 128-bit hashes
- HMAC-SHA1: creates 160-bit hashes
DHE
Diffie-Hellman Ephemeral
- Based on Diffie-Hellman key exchange algorithm
- Used to privately share a symmetric key between 2 parties over unsecured connection.
- Uses ephemeral keys, generating a different key each session.
- Also called EDH - Ephemeral Diffie-Hellman
key exchange
Any method by which cryptographic keys are transferred among users thus enabling the use of a cryptographic algorithm
CSR
Certificate Signing Request
- Method of requesting a certificate from a CA.
- Starts with the creation of an RSA-based private/public key pair
- Next step is to include the public key in the CSR.
cryptographic salt
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (‘salting) each plain text input
DV
Domain Validated Certificate
- A type of digital certificate that proves that some entity has control over a particular domain name.
- Considered to be weaker than EV (Extended Validation)
public key
The component of asymmetric encryption that can be accessed by anyone
symmetric encryption
Two-way encryption scheme in which encryption and decryption use the same key
Also known as shared-key encryption
public root CA
A root CA that is created by a vendor for general access by the public
KEK
Key Encryption Key
A symmetric key that encrypts/decrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage
Provides confidentiality
Also called key-wrapping
ECC
Elliptic Curve Cryptography
Doesn’t take as much processing power as other cryptographic method and is often used on low-power devices such as small wireless devices.
Mathematical equations are used to formulate an elliptic curve.
Keys are created by graphing points on the curve.
key generation
The process of generating keys in cryptography
A key is used to encrypt and decrypt whatever data is being encrypted/decrypted
CRL
Certificate Revocation List
A list of certificates that a CA has revoked before their expiration date.
Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization.
MAC
Message Authentication Code
- Short piece of information used to confirm that the message came from the stated sender and has not been changed
- Similar to a hash
- AKA a tag
PEM
Privacy Enhanced Mail
Common PKI certificate format that can be used for most types of certificates
Can use either format:
- CER (ASCII)
- DER (binary)
Can be used for almost any type of certificates
DES
Data Encryption Standard
A legacy symmetric encryption standard used to provide confidentiality.
It has been compromised and AES or 3DES should be used instead.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
EV
Extended Validation Certificate
- Goes several steps beyond domain validation
- Can only be issued by a subset of CAs and requires verification of requesting entity’s legal identity before issuing certificate
- Domains with EV certificates have company name before URL
- Considered to be stronger than domain validation (DV)
key escrow
Process of placing a copy of a private keys with a third-party
Used when third party is granted access to the process
If key lost, copy can be retrieved
Used in instances where organization determines that data loss is unacceptable
XOR
Exclusive OR
- A logical operation used in some ecryption schemes.
- XOR operators compare 2 inputs:
- 2 inputs the same=true
- 2 inputs different=false
OID
Object Identifier
A series of numbers separated by periods that describe the identity of the owner of a digital certificate
Blowfish
A freely available 64-bit block symmetric key cipher algorithm that uses a variable key length
Faster than AES in some cases like AES-256
key escrow agent
A third party that maintains a backup copy of private keys
MD5
Message Digest 5
- Hashing function used to provide integrity
- Creates 128-bit hashes (aka checksums)
- Considered cracked/deprecated
block cipher
A type of symmetric encryption that encrypts data one block at a time often in 64-bit blocks. It is usually more secure but is also slower than stream ciphers.
steganography
Technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination
Twofish
A symmetric key block cipher similar to Blowfish consisting of a block size of 128 bits and key sizes up to 256 bits
CTM
Counter-Mode
- An encryption mode of operation that combines an IV with a counter.
- The combined result is used to encrypt blocks.
- Effectively turns a block cypher into a stream cipher
- The counter can be any function that produces a sequence guaranteed not to repeat for a long time.
- The increment-by-one counter is the simplest and most popular.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest
Hash function used for integrity
4 versions that create fixed size hashes:
- RIPEMD-128
- RIPEMD-160
- RIPEMD-256
- RIPEMD-320
RIPEMD-160 is the most common but RIPEMD not as widely used as other hash functions like MD5, SHA, and HMAC
hash
The value that results from hashing encryption. Also known as hash value or message digest
CA
Certificate Authority
An entity that manages, issues, and signs digital certificates and the associated public/private key pairs.
It is critical part of PKI.
subordinate CA
Any certificate authority below the root CA in the hierarchy
PKI
Public Key Infrastructure
A group of technologies for digital certificates. It is used perform functions with digital certificates:
- request
- create
- manage
- store
- distribute
- revoke
DH
Diffie-Hellman
A cryptographic protocol that provides for secure key exchange over a public channel.
digital certificate
- Electronic document used to prove ownership of a public key.
- Contains:
- Name of certificate holder
- The holder’s public key
- Digital signature of certificate authority
- Using public key cryptography its authenticity can be verified to ensure that the software or website you are using is legitimate.
CA hierarchy
A single CA or group of CAs that work together to issue digital certificates.
RC4
Rivest Cipher Version 4/Ron’s Code V.4
- Symmetric stream cipher developed by Ronald Rivest
- Can use between 40 - 2048 bits
- Crackable
hashing
A process or function that transforms plaintext into ciphertext that cannot be directly decrypted
AES
Advanced Encryption Standard
- A strong symmetric block cipher that encrypts data in 128-bit blocks.
- Designed to replace DES.
- Fast, efficient, and strong
- Uses key sizes of:
- 128 bits
- 192 bits
- 256 bits (not as fast as Blowfish)
- Approved encryption standard for government agencies including NSA.
RA
Registration Authority
Assist CAs with the verification of users’ identities prior to issuing digital certificates
Doesn’t directly issue certificates but plays important role in the certification process, allowing CAs to remotely validate user identities
