Lesson 3: Explain Cryptographic Solutions Flashcards

Question 1

Q

Define ‘Cryptography’

Answer

A

The science and practice of encoding or decoding data to make it unintelligible to unauthorized parties.

Question 2

Q

Define ‘security through obscurity’

Answer

A

Keeping something a secret by hiding it.

Question 3

Q

Define ‘Plaintext/Cleartext’

Answer

A

Unencrypted data.

Question 4

Q

Define ‘Ciphertext’

Answer

A

Encrypted data that can’t be read without the cipher key.

Question 5

Q

Define an ‘Algorithm’

Answer

A

Process that encrypts and decrypts data.

Question 6

Q

Define ‘Cryptanalysis’

Answer

A

The science/practice of breaking ciphers and cryptographic systems.

Question 7

Q

Define an ‘Encryption’ algorithm/cipher

Answer

A

Process that encodes data so that it can be stored or transmitted securely and then decrypted only by its owner or its intended recipient.

Question 8

Q

Define a ‘key’ in cryptography

Answer

A

Specific piece of data that is used in an algorithm to perform encryption and decryption.

Question 9

Q

What are the two types of encryption algorithms?

Answer

A

Symmetric
Asymmetric

Question 10

Q

Define a ‘substitution’ cipher/algorithm

Answer

A

Replacing characters or blocks in the plaintext with different text or ciphertext.

Question 11

Q

Define a ‘Transposition’ cihper/algorithm

Answer

A

The units of data stay the same, but their order is changed depending on the mechanism.

Question 12

Q

Define ‘Symmetric Encryption’

Answer

A

Shared-key encryption; Two-way encryption process in which encryption and decryption are both performed by the same key.

Question 13

Q

What is the benefit of symmetric encryption?

Answer

A

Used for bulk encryption of large amounts of data due to its speed; Very fast

Question 14

Q

What is the security risk in symmetric encryption?

Answer

A

The transmission/receipt of the shared-key; Security is broken if the key is intercepted along with the cipher text.

Question 15

Q

Define ‘key length’

Answer

A

Size of a cryptographic key in bits; Longer keys generally offer better security and are harder to crack with brute force.

Question 16

Q

What is the downside to using larger encryption keys?

Answer

A

The computer must use more resoruces to perform encryption and decryption.

Question 17

Q

Define ‘Asymmetric Encryption’

Answer

A

One-way encryption; Cipher that uses public and private keys mathematically linked by RSA or ECC algorithms;

Question 18

Q

What is the difference between asymmetric encryption and symmetric encryption?

Answer

A

An asymmetric key cannot reverse the operation it performs; The public key cannot decrypt what it has encrypted and vise versa.

Question 19

Q

What is the function of the public key in asymmetric encryption?

Answer

A

Key is freely distributed and can be used to perform reverse encryption or decryption operation of the linked private key in the pair.

Question 20

Q

What is the function of the private key in asymmetric encryption?

Answer

A

Uniquely associated with the owner and is not made public; Used to encrypt data that can be decrypted by the linked public key or vice versa.

Question 21

Q

What is a downfall of asymmetric encryption?

Answer

A

Involves substantial computing overhead compared to symmetric encryption and is inefficient for large amounts of data.

Question 22

Q

How can the overhead from asymmetric encryption be mitigated with large amounts of data?

Answer

A

Asymmetric encryption can be used to encrypt a symmetric key that was used to encrypt data before transmitting the data.

Question 23

Q

Define ‘cryptographic hashing’ algorithms

Answer

A

One-way encryption that produces a fixed-length string of bits from a plaintext input.

Question 24

Q

What does a hashing algorithm produce?

Answer

A

The output is a ‘hash’ or ‘message digest’

Question 25

Q

What is the typical function/purpose of hashing algorithms?

Answer

A

To prove integrity; Ensure that data has not been manipulated in transmission/receipt/storage and for authentication.

Question 26

Q

What are the two popular hashing algorithms?

Answer

A

Secure Hash Algorithm (SHA)
Message Digest Algorithm #5 (MD5)

Question 27

Q

Define ‘Secure Hash Algorithm (SHA)’

Answer

A

Replacement for message digest algorithm (MDA); Considered strongest - most popular is SHA256 producing a 256-bit digest.

Question 28

Q

Define ‘Message Digest Algorithm #5 (MD5)’

Answer

A

Considered not as safe as SHA256; Produces a 128-bit digest.

Question 29

Q

Define a ‘cryptographic primitive’

Answer

A

A single hash function, symmetric cipher, or asymmetric cipher.

Question 30

Q

Define a ‘complete cryptographic system/product’

Answer

A

The use of multiple cryptographic primitives within a cipher suite.

Question 31

Q

What two forms of cryptography combine to create a digital signature?

Answer

A

Combines Asymmetric encryption for confidentiality to authenticating the sender with hashing to provide integrity.

Question 32

Q

What is ‘Public Key Infrastructure (PKI)’

Answer

A

Framework that establishes trust in the use of public key cryptography to sign and encrypt messages via digital certificates.

Question 33

Q

What is the purpose of Public Key Infrastructure (PKI)?

Answer

A

To prove the owners of public keys are who they say they are.

Question 34

Q

Define a ‘Digital Certificate’

Answer

A

A public assertion of identity, authenticated by a certificate authority (CA) that contains a subjects public key.

Question 35

Q

Define a ‘certificate authority (CA)’

Answer

A

A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.

Question 36

Q

What is a 3rd party certificate authority (CA)?

Answer

A

A public CA that issues certificates for multiple domains; Widely trusted as a root trust by operating systems and browsers.

Question 37

Q

What purpose of a 3rd party public CA?

Answer

A

Provide a range of cert services.
Ensure the validity of certs and the identity of those applying for them.
Manage the repositories that store and administer certs.
Key and cert lifecycle management (revoking invalid certs).

Question 38

Q

How does a subject generate a certificate from a public 3rd party root CA?

Answer

A

Register to the CA to prove identity
Generate a cert signing request (CSR) from a webserver containing the public key and submit the CSR to CA for validation
CA generates a signed cert with the public key and sends to subject.
Publishing of cert in webservice manager (IIS/Apache/other)

Question 39

Q

Define a ‘digitally signed certificate’

Answer

A

Proof that a cert was validly issued to a subject (user/host) by a public 3rd party root CA.

Question 40

Q

When going to a URL, how does the client verify identity?

Answer

A

Client checks web server’s certificate and validates that it is signed by a trusted CA.

Question 41

Q

What is packaged in a digitally signed cert?

Answer

A

Information identifying the subject and the public key authenticating the connection presented in X.509 format, and digital signature from the issuing CA.

Question 42

Q

Define a ‘root certificate/trusted root’

Answer

A

Pre-installed self-signed cert and public key from a CA.

Question 43

Q

What is the purpose/function of a root certificate?

Answer

A

Issues signed certificates to intermediate CAs; Sign other certificates issued by the CA;

Question 44

Q

How do clients trust a public 3rd party root CA?

Answer

A

CA generates a root certificate, signs it with private key, and publishes it with the public key.
Client obtains CA’s certificate and adds it to a store of trusted root certificates.

Question 45

Q

What is the outcome of installing a CA’s root certificate?

Answer

A

Host will automatically trust any certificates signed by that CA.

Question 46

Q

Define a ‘Single CA’ model

Answer

A

Single root CA issues certificates directly to users and computers; Often used on private networks.

Question 47

Q

What is the shortcoming of the single CA model?

Answer

A

Single CA server is exposed; If it is compromised the whole PKI collapses.

Question 48

Q

Define the ‘3rd party CA model’

Answer

A

Hierarchical model where the root CA issues certs to one or more intermediate CAs; The intermediate CAs issue certs to subjects (end entities).

Question 49

Q

Define ‘certificate chaining’ or ‘chain of trust’

Answer

A

Method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA.

Question 50

Q

Define a ‘Self-signed Certificate’

Answer

A

A digital certificate that has been signed by the entity that issued it (any machine, webserver or code), rather than by a CA.

Question 51

Q

What is the process to register with a CA?

Answer

A

End users create an account with the CA and become authorized to request certificates.

Question 52

Q

What is the contents of a ‘certificate signing request (CSR)’?

Answer

A

A Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.

Question 53

Q

Define a ‘common name (CN)’

Answer

A

X.500 certificate identifier expressing a host or username; The subject identifier for a digital certificate.

Question 54

Q

Define a ‘subject alternative name (SAN)’

Answer

A

X.500 certificate identifier allowing a host to be represented by multiple host names/subdomains.

Question 55

Q

What takes precedence in a certificate, a subject alternative name (SAN) or common name (CN)?

Answer

A

If a certificate is configured with a SAN, the browser should validate that and ignore the CN value.

Question 56

Q

Define a ‘wildcard certificate’

Answer

A

A digital certificate that will match multiple subdomains of a parent domain using a ‘’ as the subdomain before the parent domain (.comptia.org)

Question 57

Q

What are the two types of invalid certificates?

Answer

A

Revoked - no longer valid and can’t be unrevoked
Suspended and can be reenabled

Question 58

Q

Define a ‘certificate revocation list (CRL)’

Answer

A

A list maintained by a CA of all revoked and suspended certificates.

Question 59

Q

What is the purpose of a certificate revocation list (CRL)?

Answer

A

To inform users whether a certificate is valid, revoked, or suspended.

Question 60

Q

Where can a certificate revocation list (CRL) be found for browsers to check validity of certs?

Answer

A

Each certificate should contain information for the browser on how to check the CRL.

Question 61

Q

What are the 4 attributes of a certificate revocation list (CRL)?

Answer

A

Publish Period
Distribution Points
Validity Period
Signature

Question 62

Q

Define the ‘Publish Period’ attribute of a certificate revocation list (CRL)

Answer

A

Date and time at which the CRL is published. Most CAs are set up to publish the CRL automatically.

Question 63

Q

Define the ‘Distribution Point(s)’ attribute of a certificate revocation list (CRL)

Answer

A

Location(s) to which the CRL is published.

Question 64

Q

Define the ‘Validity Period’ attribute of a certificate revocation list (CRL)

Answer

A

Period during which the CRL is considered authoritative. This is usually a bit longer than the publish period

Answer 65

A

CRL is signed by the CA to verify its authenticity.

Answer 66

A

Allows clients to request the status of a digital certificate by querying the certificate database directly instead of relying on a CRL.

Answer 67

A

Operational considerations for the various stages in a key’s lifecycle.

Answer 68

A

Key Generation
Storage
Revocation
Expiration/Renewal

Answer 69

A

Creating an asymmetric key pair or symmetric secret key

Answer 70

A

Prevents unauthorized access to a private/secret key and protecting against loss or damage.

Answer 71

A

Prevents use of the key if it is compromised.

Answer 72

A

Re-encrypt any data encrypted by the revoked key with a new key.

Answer 73

A

Every certificate expires after a certain period; Certificates can be renewed with the same key pair or with a new key pair.

Answer 74

A

Keys are generated and managed directly on the computer or user account that will use the certificate.

Answer 75

A

Centralizes generation and storage of cryptographic keys.

Answer 76

A

Client/server communication protocol for the storage and maintenance of key, certificate, and secret objects.

Answer 77

A

Generated using a random process with a high degree of disorder.

Answer 78

A

A measure of disorder; Cryptographic systems should exhibit high entropy to better resist brute force attacks.

Answer 79

A

Computer hardware and software is extremely low entropy.

Answer 80

A

pseudo RNG (PRNG) software and true random number generator (TRNG) hardware.

Answer 81

A

Software that is still deterministic, but able to approximate a high level of disorder

Answer 82

A

Generates random key values by sampling physical phenomena (noise/air movement) that has a high rate of entropy.

Answer 83

A

Could easily be compromised via user credential or physical theft of the device; Difficult to ensure that key access is fully audited.

Answer 84

A

Tamper evident; Immediately known when a private/secret key has been compromised.

Answer 85

A

Dedicated hardware for key generation and storage and can decrypt and sign on behalf of applications.

Answer 86

A

Creates smaller attack surface for key management because key material never leaves the cryptoprocessor.

Answer 87

A

Trusted Platform Module (TPM)
Hardware security module (HSM)

Answer 88

A

Implemented as a module within the CPU on a computer or mobile device.

Answer 89

A

Implemented in a removable or dedicated form factor, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected security keys; Can be provisioned as a virtual appliance.

Answer 90

A

Keys are not directly accessible via the file system.

Answer 91

A

Via an application programming interface (API)

Answer 92

A

Mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.

Answer 93

A

A trusted execution environment (TEE) secure enclave

Answer 94

A

CPU extensions that protects data stored in system memory so that an untrusted process cannot read it.

Answer 95

A

Decrypted data needs to be loaded into the computer’s system memory (RAM) for applications to access it raising the potential for a malicious process to gain access to the data via some type of exploit.

Answer 96

A

Only authorized processes can have access, regardless if it has system/root privilege.

Answer 97

A

Ciphertexts cannot be recovered unless a backup of the key has been made.

Answer 98

A

Problematic as it becomes more likely that a copy will be compromised and more difficult to detect that a compromise has occurred.

Answer 99

A

Escrow
M of N controls

Answer 100

A

The storage of a backup key with a third party.

Answer 101

A

An operation cannot be performed by a single individual; A quorum (M) of available persons (N) must agree to authorize the operation.

Answer 102

A

Splitting the key in to parts, and each part being held by sperate escrow providers.

Answer 103

A

An account authorized to access a key held in escrow.

Answer 104

A

Require two or more KRAs to authorize an operation.

Answer 105

A

Threat actor will not be able to understand or change what has been stolen.

Answer 106

A

Data at rest
Data in transit
Data in use

Answer 107

A

When the data is in some sort of persistent storage media.

Answer 108

A

Data transmitted between two hosts, such as over a private network or the Internet.

Answer 109

A

Data present in volatile memory, such as system RAM or CPU registers and cache.

Answer 110

A

Encrypting megabytes or gigabytes of data.

Answer 111

A

Symmetric encryption due to overhead of asymmetric.

Answer 112

A

Depth of encryption; Ranging from more granular (file/folder or row/record) to less granular (volume/partition/disk or database).

Answer 113

A

Disk/Drive firmware that encrypts the full contents of a storage device, including metadata, free space.

Answer 114

A

Protects against physical theft of the disk.

Answer 115

A

A self-encrypting drive (SED).

Answer 116

A

Storage device (SSD/HDD/USB) with cryptoprocessor firmware that can perform self-encryption and storage of keys.

Answer 117

A

Any storage resource with a single file system; The way the OS “sees” a storage resource.

Answer 118

A

A removable disk; Partition on an HDD or SSD; RAID array.

Answer 119

A

Typically only encrypts volumes, implemented as a software application rather than disk firmware.

Answer 120

A

Self-encrypting drive (SDE) software
may or may not encrypt free space and/or metadata.

Answer 121

A

Software that applies encryption to individual files (or perhaps to folders/directories).

Answer 122

A

Microsoft’s BitLocker and Apple’s FileVault products perform volume encryption.

Answer 123

A

Database-level encryption
Record-level encryption

Answer 124

A

All records and logs are encrypted while they are stored on disk.

Answer 125

A

Encryption and decryption occurs when any data is transferred between disk and memory.

Answer 126

A

DBA determines which fields need encryption with asymmetric encryption.

Answer 127

A

Storing the private key used to unlock the value of a cell outside of the database.

Answer 128

A

Data remains encrypted when loaded into memory; It is only decrypted when the client application supplies the key in the DBMS.

Answer 129

A

Protects data-in-motion using key exchange.

Answer 130

A

Any method by which cryptographic keys are transferred between users, enabling the use of a cryptographic algorithm.

Answer 131

A

Wi-Fi Protected Access (WPA), Internet Protocol Security (IPsec), Transport Layer Security (TLS).

Answer 132

A

Securing traffic sent over a wireless network.

Answer 133

A

Secured traffic sent between two endpoints over a public or untrusted transport network - refereed to as a VPN.

Answer 134

A

Securing application data, such as web or email data, sent over a public or untrusted network.

Answer 135

A

Cryptographic protocol ‘Hash-based Message Authentication Code (HMAC)’.

Answer 136

A

Provides confidentiality/integrity for a message by combining a cryptographic hash of the data with a symmetric secret key.

Answer 137

A

Periodically creates a new key value based on data supplied by both parties in the exchange.

Answer 138

A

Ensures if a key is compromised, the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.

Answer 139

A

Diffie-Hellman (D-H) key agreement to create ephemeral session keys.

Answer 140

A

Created by Diffie-Hellman (D-H), a key that is used within the context of a single session only.

Answer 141

A

Help to protect password-derived cryptographic secrets from discovery through cryptanalysis.

Answer 142

A

Adds a random value to each plaintext input.

Answer 143

A

The combination of a password and salt, input into a hashing algorithm outputs a salted hash.

Answer 144

A

Mitigates the risk that if users choose identical plaintext passwords, there won’t be identical hash values in the password file.

Answer 145

A

A salted hash repeatedly inserted into a hashing algorithm to multiply length and disorder.

Answer 146

A

A decentralized/public ledger containing a growing list of records secured using cryptographic hashing.

Answer 147

A

A record (block) is has a hash value, the hash value of the previous record is added to the hash calculation of the next record in the chain.

Answer 148

A

Ensures integrity of all historical records (blocks); Each block validates the hash of the previous block.

Answer 149

A

Recorded in an open public ledger.

Answer 150

A

Distributed public record of transactions.

Answer 151

A

Decentralized peer-to-peer (P2P) network.

Answer 152

A

Mitigate the risks a of a single point of failure/compromise ensuring equal trust between users.

Answer 153

A

Ensure the integrity and transparency of financial transactions, legal contracts, copyright and intellectual property (IP) protection, online voting systems, identity management systems, and data storage.

Answer 154

A

Security through obscurity; Technique that “hides” or “camouflages” code or data so that it is difficult to find.

Answer 155

A

Steganography
Data masking
Tokenization

Answer 156

A

Hiding the presence of data, often by embedding information within a file or other entity called ‘covertext’

Answer 157

A

Obfuscates personal data from databases so that it can be shared without compromising privacy.

Answer 158

A

De-identification method; Generic/placeholder labels are substituted for real data while preserving the structure or format of the original data.

Answer 159

A

De-identification method where a unique token is substituted for real data.

Answer 160

A

Token is stored with the original value on a dedicated token server/vault; An authorized query or app can retrieve the original value from the vault.

Answer 161

A

An asymmetric cipher (RSA or ECC) private key.

Answer 162

A

A secret symmetric key to perform bulk encryption of a disk.

Answer 163

A

Propensity for collisions.

Answer 164

A

RSA 2,048-bit or ECC 256-bit.

Answer 165

A

RSA 2,048-bit or ECDHE 256-bit.

Answer 166

A

AES-128 or AES-256

Answer 167

A

SHA256 or SHA512; MD5 allowed for documented compatibility requirements.

Brainscape's Knowledge GenomeTM

Lesson 3: Explain Cryptographic Solutions Flashcards

Brainscape's Knowledge Genome^TM