Lesson 5 Basic Cryptography Concepts Flashcards

1
Q

Cryptographic systems do what?

A

Cryptography encodes data in a way only authorized users can decode

It is NOT security by obscurity, which merely keeps something secret by hiding it

Encryption is not cryptography; it is a type of cryptography

2
Q

Cryptographic algorithms

A

Hashing algorithms
symmetric encryption algorithm
asymmetric encryption algorithm

3
Q

Hashing

A

like a fingerprint, one way, anti-collision

used mainly to store passwords

MD5 (Message Digest) older method of hashing; deprecated
SHA (Secure Hash Algorithm) newer, using more bits

NOT encryption

collision is when different inputs produce the same outputs - this is BAD
CAT and RAT using MD5 causes a collision, which is why MD5 is deprecated

4
Q

hashing algorithm

A

used to prove integrity

comparing passwords after transfer

comparing files after transfer

5
Q

Hashing facts

A

prove integrity by:
identical inputs = identical outputs
Good:
longer outputs = less chance for collisions
longer input = less chance for collisions and more strength against cracking
salt - adding something to make password more secure against crackers, rainbow tables, collisions

Bad:
collisions - two different inputs with same output

Considered one-way encryption

6
Q

Symmetric Encryption

A

Uses the same key to encrypt and decrypt, similar to a house key

flaw: how to share key w/out compromise

can NOT be used for authentication or integrity because both parties know the key, so either one could have created the same secret from it

an attacker only needs to intercept the key to unlock the cypher

useful for ‘bulk’ encrypting because it is much faster than asymmetrical encryption

also called single key or shared key or private key (not asymmetrical)

7
Q

Stream Ciphers

A

symmetrical encryption technique to encrypt streams of data

good for when the message length is unknown

8
Q

Block Cipher

A

symmetrical encryption technique dividing plaintext into equal-sized blocks of data

9
Q

AES

A

Advanced Encryption Standard for block ciphers

10
Q

Asymmetrical Encryption

A

Used to prove identity, authentication, non-repudiation, key agreement and key exchange

Uses key pairs and is aka Public Key exchange

important: Each key is capable of reversing the operation of its pair (private/public)

The keys are linked in such a way as to make it impossible to derive one from the other, allowing users to share the public key; private key is kept secret

  1. Both parties trade their public keys
  2. Sending encrypted messages:
    Sender encrypts message with recipient's public key
    Recipient decrypts message with recipient's private key
  3. Signing:
    Sender encrypts signature with sender's private key
    Recipient decrypts with sender's public key

11
Q

Symmetrical vs Asymmetrical - Pros/cons

A

Symmetrical
Pro: Much more efficient/much faster; key lengths are 128-256 bits
Con: need direct access for keys, impossible to have secure exchange

Asymmetrical
Pro: Good for unsecured connection, good key exchange; provides authentication and non-repudiation
Con: Much, much slower; key lengths are 1024-2048 bits

Do bulk in symmetrical
Do keys in asymmetrical

12
Q

RSA

A

Algorithm for deriving key pairs and performing encrypt/decrypt operations

RSA - Rivest/Shamir/Adleman published in 1977

Also called a trapdoor function as it is easy to perform using the public key but difficult to reverse without knowing the private key

13
Q

ECC

A

Elliptic Curve Cryptography which is also a trapdoor function

no known shortcuts to cracking the cypher as there are with RSA

can use smaller keys to obtain the same security as RSA

14
Q

Digital Signature

A

Using public key crypto with hashing

Provides integrity, authentication and non-repudiation

uses RSA

  1. sender creates hash of message and encrypts hash with private key
  2. sender attaches digital signature to original message
  3. recipient decrypts the signature using sender's public key, resulting in original hash
  4. recipient calculates own checksum for the message, and compares the two hashes

if the hashes match, the message has not been altered
Sender identity is also proven, authenticated

15
Q

DSA

A

Another digital signature algorithm but using ECC instead of RSA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Digital Envelopes and key exchanges

A

Process to overcome the deficiencies of asymmetrical and symmetrical encryption techniques

  1. Sender obtains recipient's (rec) public key
  2. Sender encrypts message using her symmetrical key (private/secret key), also known as a session key
  3. Sender encrypts the session key with recipient's public key (asymmetrical encryption)
  4. Sender attaches encrypted session key to the cipher text message in a digital envelope and sends to the recipient
  5. Recipient uses his private key to decrypt the session key (asymmetrical encryption)
  6. Recipient uses the session key to decrypt the cipher text message (symmetrical encryption)

17
Q

Digital Certificate

A

A method for ensuring identity of the person or server issuing a public key

Uses a CA (certificate authority) as a third party to validate the owner of a public key

The CA issues a certificate signed by the CA

If the recipient trusts the CA, they can trust the public key wrapped in the subject's certificate

This process is known as PKI - public key infrastructure

18
Q

Perfect Forward Secrecy

A

Allows two parties to derive the same secret value that an attacker cannot guess

mitigates the issue of a private key being compromised allowing previously captured transmissions to be deciphered

uses Diffie-Hellman (D-H) key agreement protocols

19
Q

Cipher Suite

A

a signature algorithm to prove messages were created by the server

used to bulk encrypt data

uses session keys to keep data confidential

20
Q

Bulk Encryption

A

uses symmetrical encryption AES

21
Q

Key Exchange

A

uses asymmetrical encryption (RSA/D-H/ECC)

22
Q

Signature

A

uses asymmetrical encryption (DSA)

23
Q

Unauthenticated

A

does not use a hash
cannot prove integrity
vulnerable to insertion and modification attacks

24
Q

Authenticated

A

uses a hash of the combination of the message and a shared secret

Message Authentication Code (MAC)

vulnerable to padding oracle attacks

25
Q

AEAD

A

Authenticated Encryption with Additional Data

associates message with context to prevent replay

26
Q

Hybrid encryption

A

Makes use of asymmetrical and symmetrical encryption

bulk uses symmetrical and protected by the public key (asymmetrical ) cryptography

27
Q

File Encryption

A

private key encrypts the symmetric key

use of key is locked to a user's account credential

28
Q

Transport encryption

A

uses a session key exchange/agreement

29
Q

MitM

A

Man in the Middle aka On Path Attack

interferes with public key presented to the client

30
Q

Downgrade Attack

A

Forces server into using weak protocol versions and ciphers

31
Q

Key stretching

A

Takes a key generated from a user's password and repeatedly converts it to a longer and more random key

Uses hashing to do this

Slows the attacker down

Password-Based Key Derivation Function 2 (PBKDF2) is widely used for this purpose

PBKDF2 is used in Wi-Fi Protected Access (WPA)

32
Q

Salting

A

a method of adding additional information to a password prior to hashing

increases difficulty for an attacker to ‘guess’ the password by comparing to known hash values such as dictionary words

The salt is not kept secret, as the system verifying the hash must know it

33
Q

Birthday attack

A

a brute force attack aimed at exploiting collisions in a hash function

The time it takes to create a message with the same hash as the original message is not as much as one might think, similar to the odds of two people in a room sharing the same birthday

34
Q

Homomorphic encryption

A

Allows a user to decrypt the needed data without decrypting the sensitive data, like PII, allowing for user to perform actions on the data

35
Q

Blockchain

A

uses a public ledger which is encrypted, based on non-repudiation

the ledger is shared to all users

36
Q

Steganography

A

utilizes obfuscation to hide data in plain sight, such as text in an image file