Encryption & PKI Flashcards
cryptography
The science of encrypting and decrypting information to hide its true meaning
OCSP
Online Certificate Status Protocol
- HTTP-based alternative to a certificate revocation list (CRL) that provides real-time validation of certificates
- Clients query a CA with the serial number of a certificate and the CA replies with good, revoked, or unknown.
- OCSP stapling appends a digitally signed OCSP response to a certificate
DSA
Digital Signature Algorithm
A public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.
HMAC
Hash-based Message Authentication Code
- A method used to verify both the integrity and authenticity of a message by combining cryptographic hash functions with a secret key.
- Two versions:
- HMAC-MD5: creates 128-bit hashes
- HMAC-SHA1: creates 160-bit hashes
DHE
Diffie-Hellman Ephemeral
- Based on Diffie-Hellman key exchange algorithm
- Used to privately share a symmetric key between 2 parties over unsecured connection.
- Uses ephemeral keys, generating a different key each session.
- Also called EDH - Ephemeral Diffie-Hellman
key exchange
Any method by which cryptographic keys are transferred among users thus enabling the use of a cryptographic algorithm
CSR
Certificate Signing Request
- Method of requesting a certificate from a CA.
- Starts with the creation of an RSA-based private/public key pair
- Next step is to include the public key in the CSR.
cryptographic salt
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (‘salting) each plain text input
DV
Domain Validated Certificate
- A type of digital certificate that proves that some entity has control over a particular domain name.
- Considered to be weaker than EV (Extended Validation)
public key
The component of asymmetric encryption that can be accessed by anyone
symmetric encryption
Two-way encryption scheme in which encryption and decryption use the same key
Also known as shared-key encryption
public root CA
A root CA that is created by a vendor for general access by the public
KEK
Key Encryption Key
A symmetric key that encrypts/decrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage
Provides confidentiality
Also called key-wrapping
ECC
Elliptic Curve Cryptography
Doesn’t take as much processing power as other cryptographic method and is often used on low-power devices such as small wireless devices.
Mathematical equations are used to formulate an elliptic curve.
Keys are created by graphing points on the curve.
key generation
The process of generating keys in cryptography
A key is used to encrypt and decrypt whatever data is being encrypted/decrypted
CRL
Certificate Revocation List
A list of certificates that a CA has revoked before their expiration date.
Certificates are commonly revoked if they are compromised or issued to an employee who has left the organization.
MAC
Message Authentication Code
- Short piece of information used to confirm that the message came from the stated sender and has not been changed
- Similar to a hash
- AKA a tag
PEM
Privacy Enhanced Mail
Common PKI certificate format that can be used for most types of certificates
Can use either format:
- CER (ASCII)
- DER (binary)
Can be used for almost any type of certificates
DES
Data Encryption Standard
A legacy symmetric encryption standard used to provide confidentiality.
It has been compromised and AES or 3DES should be used instead.
asymmetric encryption
A two-way encryption scheme that uses paired private and public keys.
EV
Extended Validation Certificate
- Goes several steps beyond domain validation
- Can only be issued by a subset of CAs and requires verification of requesting entity’s legal identity before issuing certificate
- Domains with EV certificates have company name before URL
- Considered to be stronger than domain validation (DV)
key escrow
Process of placing a copy of a private keys with a third-party
Used when third party is granted access to the process
If key lost, copy can be retrieved
Used in instances where organization determines that data loss is unacceptable
XOR
Exclusive OR
- A logical operation used in some ecryption schemes.
- XOR operators compare 2 inputs:
- 2 inputs the same=true
- 2 inputs different=false
OID
Object Identifier
A series of numbers separated by periods that describe the identity of the owner of a digital certificate
Blowfish
A freely available 64-bit block symmetric key cipher algorithm that uses a variable key length
Faster than AES in some cases like AES-256
key escrow agent
A third party that maintains a backup copy of private keys
MD5
Message Digest 5
- Hashing function used to provide integrity
- Creates 128-bit hashes (aka checksums)
- Considered cracked/deprecated
block cipher
A type of symmetric encryption that encrypts data one block at a time often in 64-bit blocks. It is usually more secure but is also slower than stream ciphers.
steganography
Technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination
Twofish
A symmetric key block cipher similar to Blowfish consisting of a block size of 128 bits and key sizes up to 256 bits
CTM
Counter-Mode
- An encryption mode of operation that combines an IV with a counter.
- The combined result is used to encrypt blocks.
- Effectively turns a block cypher into a stream cipher
- The counter can be any function that produces a sequence guaranteed not to repeat for a long time.
- The increment-by-one counter is the simplest and most popular.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest
Hash function used for integrity
4 versions that create fixed size hashes:
- RIPEMD-128
- RIPEMD-160
- RIPEMD-256
- RIPEMD-320
RIPEMD-160 is the most common but RIPEMD not as widely used as other hash functions like MD5, SHA, and HMAC