GCGA Ch. 10 Understanding Cryptography and PKI Flashcards

3
Q

Integrity

A

provides assurances that data has not been modified. Hashing ensures that data has retained integrity. Confidentiality ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.

4
Q

Symmetric encryption

A

uses the same key to encrypt and decrypt data.

5
Q

Asymmetric encryption

A

uses two keys (public and private) created as a matched pair.

6
Q

Digital signature

A

provides authentication, non-repudiation, and integrity. Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key. Only the sender’s public key can decrypt the digital signature, which reveals the hash, providing verification that the hash was encrypted with the sender’s private key.

7
Q

Authentication

A

validates an identity.

8
Q

Non-repudiation

A

prevents a party from denying an action.

9
Q

Hashing & Hashes

A

Hashing verifies the integrity of data, such as downloaded files and email messages. A hash is a fixed-length string of hexadecimal characters, which cannot be reversed to re-create the original data.

10
Q

Checksum

A

is similar to a hash but is typically smaller. It is used to verify the integrity of data but is not intended to be cryptographically secure.

11
Q

Hashing algorithms

A

one-way functions used to create a hash. You cannot reverse the process to re-create the original data.

12
Q

Hash collision

A

occurs when a hashing algorithm creates the same hash from different inputs.

13
Q

Common hashing algorithms

A

Message Digest 5 (MD5), Secure Hash Algorithms (SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both integrity and authenticity of a message.

14
Q

Password attacks

A

attempt to discover passwords. An online password attack attempts to discover a password from an online system. An offline password attack attempts to discover passwords from a captured database or captured packet scan. Passwords are often stored as a hash. Weak hashing algorithms are susceptible to collisions, which allow different passwords to create the same hash.

15
Q

Brute force attack

A

attempts to guess all possible character combinations. Account lockout policies thwart online brute force attacks.

16
Q

Dictionary attack

A

uses all the words and character combinations stored in a file. Complex passwords thwart offline password attacks.

17
Q

Spraying attack

A

attempts to bypass account lockout policies. An automated program starts with a large list of targeted user accounts. It then picks a password and tries it against every account in the list. It then picks another password and loops through the list again.

18
Q

Pass the hash attack

A

In a pass the hash attack, the attacker discovers the hash of the user’s password and then uses it to log on to the system as the user.

19
Q

Birthday attack

A

an attacker attempts to create a password that produces the same hash as the user’s actual password.

20
Q

Password salting

A

adds additional characters to passwords before hashing them and prevents many types of attacks, including dictionary, brute force, and rainbow table attacks.

21
Q

Key stretching techniques

A

Three commonly used key stretching techniques are bcrypt, Password-Based Key Derivation Function 2 (PBKDF2), and Argon2. They protect passwords against brute force and rainbow table attacks.

22
Q

Confidentiality

A

ensures that data is only viewable by authorized users. Encryption provides confidentiality of data, including data at rest (any type of data stored on disk) or data in transit (any type of transmitted data).

23
Q

Block cipher

A

encrypts data in fixed-size blocks. Advanced Encryption Standard (AES) encrypts data in 128-bit blocks and 3DES encrypts data in 64-bit blocks.

24
Q

Stream ciphers

A

encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. Asymmetric encryption uses public and private keys as matched pairs.

25
Public & Private Keys
If the public key encrypts information, only the matching private key can decrypt it. If the private key encrypts information, only the matching public key can decrypt it. Private keys are always kept private and never shared. Public keys are freely shared by embedding them in a certificate.
26
Asymmetric encryption (2)
used to share symmetric keys between two entities. After both parties know the symmetric key, they use it to encrypt data within the session because symmetric encryption is much faster than asymmetric encryption.
27
Certificates
distribute public keys and the same public key is used for months or years.
28
Ephemeral keys
last only a short time, such as a few minutes within a session. Perfect forward secrecy ensures that the compromise of a key does not compromise any keys used in the past. It depends on the use of ephemeral keys.
29
ECC
Elliptic curve cryptography - an encryption technology that doesn’t take as much processing power as other cryptographic methods. It is commonly used with low power devices.
30
Common obfuscation techniques
include steganography, tokenization, and masking.
31
Steganography
the practice of hiding data within a file. Current steganography methods include audio steganography, image steganography, and video steganography.
32
Tokenization
replaces sensitive data with non-sensitive tokens, retaining essential information without revealing sensitive details, commonly used in payment processing and securing personally identifiable information.
33
Masking
partially or fully conceals sensitive data with characters, symbols, or other data, often employed when sharing data with third parties or for development and testing purposes.
34
Encryption/decryption of emails using digital signatures
When using digital signatures with email: The sender’s private key encrypts (or signs). The sender’s public key decrypts. A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message.
35
Sending email & digital signatures
Senders create a digital signature by hashing a message and encrypting the hash with the sender’s private key. Recipients decrypt the digital signature with the sender’s matching public key. When encrypting email: The recipient’s public key encrypts. The recipient’s private key decrypts. Many email applications use the public key to encrypt a symmetric key, and then use the symmetric key to encrypt the email contents.
36
S/MIME
used to secure email with encryption and digital signatures. It uses certificates and depends on a PKI. When deploying, use port 587 for SMTP-over-TLS and port 993 for IMAP-over-TLS.
37
Encrypting traffic & TLS
When encrypting website traffic with TLS: The website’s public key encrypts a symmetric key. The website’s private key decrypts the symmetric key. The symmetric key encrypts data in the session.
38
PKI
A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.
39
Public CAs
Most public CAs use a hierarchical centralized CA trust model, with a root CA and intermediate CAs. A CA issues, manages, validates, and revokes certificates. Certificate chaining combines all the certificates from the root CA to the certificates issued to the end-entities.
40
CSR
You request a certificate with a certificate signing request (CSR). You first create a private/public key pair and include the public key in the CSR.
41
Online/Root CAs
An online CA is accessible over a network, including the Internet. Many root CAs are taken offline to reduce the risk of compromise.
42
Updating/revoking certificates
Two configuration changes related to certificates are updating them and revoking them. Certificates are renewed before their expiration dates to update them. Certificates are revoked if they are compromised.
43
CRL
A certificate revocation list (CRL) identifies revoked certificates with a list of serial numbers. The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a certificate is revoked.
44
OCSP
As an alternative to the CRL, the Online Certificate Status Protocol (OCSP) allows clients to query the CA with the serial number of the certificate to determine if it is valid.
45
Certificate stapling
provides clients with a timestamped, digitally signed OCSP response. The response comes from the CA and is appended to the certificate.
46
Certificate pinning
provides clients with a list of hashes for each public key the server uses.
47
Key escrow
stores a copy of private keys used within a PKI. If the original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.
48
Wildcard certificates
use an asterisk (*) for subdomains to reduce the administrative burden of managing certificates.
49
SAN
Subject alternative name (SAN) certificates can be used for multiple domains with different domain names.
50
CER & DER
CER is an ASCII format and DER is a binary format for certificates.
51
PEM
the most commonly used certificate format and can be used for just about any certificate type.
52
P7B files
commonly used to share public keys.