Keys and Encryption Flashcards
What is Encryption?
Encryption is the process of translating data into another form so that only people with access to a secret key (decryption key) or password can read it.
It involves taking a piece of information (plaintext) and applying an encryption algorithm that produces the output (ciphertext)
What is encrypted data referred to as?
CIPHERTEXT
What is unencrypted data referred to as?
PLAINTEXT
What are the 4 main goals of encryption?
1) Confidentiality - maintain secrecy of data in transit and rest
2) Integrity - only authorised users can change data
3) Authentication - ensure the identity of a user is valid and access allowed
4) Nonrepudiation - Links actions to a verifiable individual
What is Symmetric Encryption?
Uses a single key (or password) that is shared ahead of time and must be kept secret by all involved.
This means there can be many copies of the key in distribution and it becomes less secure the longer the same key is in use
Designed to ensure confidentiality
What is Asymmetric Encryption?
Has 2 keys (1 public and 1 private)
Messages are encrypted using the public key and decrypted using the private key, which is not shared by anyone else.
Slower than symmetric encryption
Designed to ensure confidentiality
What is cryptographic hashing?
Often used for password storage. Based on taking a piece of data and hashing it into a single hash value, which cannot be converted back into a representation of the data
One way function that cannot be undone
Designed to ensure integrity
Give an example scenario of Asymmetric encryption
A wants to send a message to B. First A has to request B’s public key and send a list of algorithms they know how to use to encrypt messages
B sends back his public key with accepted choice of algorithm that A knows
A changes PLAINTEXT to CIPHERTEXT using public key and algorithm (cipher) to encrypt the message and send the CIPHERTEXT to B
B takes CIPHERTEXT and decrypts it with his secret private key that has not been shared with anyone else. B will process it and turn it back to PLAINTEXT
Give an example scenario of Hashing (MD5 Hash)
We take PLAINTEXT and process it with a hashing algorithm and turn it into CIPHERTEXT
CIPHERTEXT gets sent to recipient and they process it through the hashing algorithm function which turns it into PLAINTEXT
Hashing algorithms always treat the input as PLAINTEXT. The algorithm needs to be set up so there is no reverse of that function
List the problems associated with password based authentication systems
1) Passwords can become compromised
2) System allows weak passwords
3) Password Iteration (using related passwords)
4) Not requiring password changes over time
5) Not changing default passwords
6) Replay attacks (obtaining network traffic between user and server application
7) Storing passwords instead of password verifiers
8) Brute-force attacks against password verifiers
9) Revealing whether a failure is due to incorrect username or password
10) Online attacks
11) Returning forgotten passwords rather than resetting
List common cryptography issues
1) Using home grown cryptography that hasn’t been reviewed by global cryptographic community
2) Creating a protocol from low level algorithms
3) Using a weak cryptographic Primitive (MD4, MD5, Two-key 3DES)
4) Using a cryptographic primitive incorrectly
5) Encrypting known PLAINTEXT
6) Validating a hash incorrectly
7) Using the wrong communication protocol
8) Failing to use a salt
Name some high-level tested security protocols
SSL3 and TLS
IPSec
XMLDSig (signatures) XMLEnc (encryption)
What does HTTP and HTTPS stand for?
HyperText Transfer Protocol
HyperText Transfer Protocol Secure
What does SSL stand for?
Secure Socket Layer - Encryption protocol used for securing HTTP
What does TLS stand for?
Transport Layer Security - Encryption protocol designed to secure internet communications and replaced SSL in 1999
Give an example of Symmetric key encryption
Advanced Encryption Standard (AES)
RC4
DES
3DES
What different key sizes can be found with AES
128 bits, 192 bits or 256 bits
Give examples of Asymmetric key encryption
RSA - Rivest-Shamir-Adleman
DSA - Digital Signature Algorithm
ECC - Elliptic Curve Cryptography
What is DES?
It is a symmetric key algorithm. DES – The Data Encryption Standard (DES) is a symmetric key algorithm developed by IBM in the 1970’s. With its short key length of 56 bits, DES is not secure by today’s standards. However, it does provide the foundation for a much more secure encryption algorithm (3DES)
What is 3DES?
It is a symmetric key algorithm. 3DES – Triple DES (or 3DES) is a symmetric key cipher that applies the DES algorithm three times to each block of data. By using three 56-bit keys, the problems associated with using a single short key are mitigated. Although 3DES has been used by many applications including Microsoft Office and Mozilla Firefox, in July 2017 the National Institute of Standards and Technology (NIST) proposed to retire 3DES, suggesting AES as an alternative solution.
What is AES?
It is a symmetric key algorithm. AES – The Advanced Encryption Standard (AES) was established by NIST in 2001. AES refers to three different block ciphers: AES-128, AES-192 and AES-256. The number denotes the size of the key used by each implementation. AES is considered faster and more secure than 3DES and can be used on a wide range of low-power devices
What is RSA?
RSA – Rivest-Shamir-Adleman (RSA) is an asymmetric cryptographic algorithm that works on the basis that it is computationally expensive to find the factor of large prime numbers. The relationship between these prime numbers forms the basis of the public and private keys which are used by RSA.
What is Elliptic-curve Cryptography?
It is a type of cryptographic algorithm that uses an elliptic curve, which is a specific type of curve defined by a mathematical equation. By using the properties of elliptic curves, it is easy to generate secure asymmetric keys but extremely difficult to reverse the process
