Module 03 - Cryptography Flashcards
Definition:
Cryptography
The process of writing or solving messages using a secret code
Definition:
Security through obscurity
Protecting by hiding something
Definition:
Encryption
A form of cryptography, it’s a process of converting text into unintelligible text, or a ciphertext.
Definition:
Ciphertext
Encrypted text
What’s Cryptanalysis?
The art of cracking cryptographic systems
What are Encryption Keys?
String used to encrypt and decrypt messages, generated by ciphers
What kinds of encryption keys are there?
Symmetric and Asymmetric
Definition:
Symmetric algorithm
The same key that encrypts also decrypts
Definition:
Asymmetric algorithm
Uses a public key to encrypt and a private key to decrypt
Definition:
Hashing
The process of converting one value into another, no decrypting, no duplicates
Definition:
Salt [Hashing]
It’s the process of affixing a string to the end of a value before hashing it, to generate a completely different hash
What’s a Digital Signature?
Verifies that data is legitimate, non-repudiation.
Private key + Hash of data
What’s non-repudiation?
The concept of not being able to disassociate the ‘cause’ from the ‘consequence’.
Audit trails
Acronym:
ECC
Elliptic Curve Cryptography
Definition:
Elliptic Curve Cryptography - ECC
Cryptography method that generates more complex and smaller encryption keys
Definition:
Perfect Forward Secrecy
Most used in messaging apps, uses a different encryption key for each message in the same conversation
Definition:
Steganography
Technique of hiding files, messages, bytes in other files, messages or bytes
Definition:
Cipher or Encryption Algorithm
Cryptographic process that encodes and decrypts data, using encryption keys
What are the types of ciphers?
- Substitution and Transposition algorithm
- Symmetric Algorithm
- Asymmetric Algorithm
Acronym:
AES
Advanced Encryption Standard
True or false:
The larger the key’s length the more memory and processing power to encrypt/decrypt
True
Definition:
Brute force cryptanalysis
Attempt to decrypt a ciphertext with every possible key
True or false:
A symmetric algorithm consumes more processing power than an asymmetric one
False
List common asymmetric algorithms
- RSA
- ECC
- DSA
- Diffie-Hellman
Acronym:
RSA
Rivest-Shamir-Adleman
Acronym:
DSA
Digital Signature Algorithm
What is RSA used in?
Mostly in creating digital signatures
What is DSA used in?
Only in creating digital signatures
What is Diffie-Hellman used in?
Security protocols such as TLS, SSH, IPSec and others
What is ECC used in?
Securing data transmission, mainly in websites
What are Hybrid Cryptosystems?
Combine the efficiency of symmetric encryption with the convenience of asymmetric encryption.
Describe the process in Hybrid Cryptosystems
Generate a symmetric key.
Encrypt the data with the symmetric key.
Encrypt the symmetric key with the recipient’s public key.
Send the encrypted data and the encrypted key.
Definition:
Ephemeral Keys
Encryption keys generated for each new session or message sent, used in PFS
Acronym:
PFS
Perfect Forward Secrecy
Definition:
Open Public Ledger
Distributed public record of transactions that supports the integrity of blockchains.
Definition:
Blockchain
Expanding list of transactions protected by cryptography.
Definition:
Blocks, [In blockchain]
It’s a record of a transaction.
How are the blocks linked cryptographically? [Blockchain]
The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain.
What is the information stored in a block?
- Time
- Date
- Parties involved
- A unique hash that separates the block from other blocks on the chain
What are the applications of blockchain?
Financial transactions
Legal contracts
Copyright and Intellectual property
Online voting systems
Identity Management System
Definition:
Mining [In blockchain]
It’s the process of adding a block to the chain, by generating the 64-digit hexadecimal-based hash
What are the most common cryptographic attacks?
- Dictionary Attack
- Collision Attack
- Birthday Attack
- Downgrade Attack
Definition:
Dictionary Attack
The use of a list of words and phrases to try to guess the decryption key.
Definition:
Collision Attack
A collision attack tries to find two inputs that produce the same hash value.
Done to fake digital signatures
Definition:
Birthday Attack
This attack combines a collision attack and a brute-force attack. The name is taken from the birthday probability math problem.
Definition:
Downgrade Attack
Forcing systems to use an older, less secure communication protocol.
Definition:
Cryptographic primitive
Single hash function, symmetric or asymmetric ciphers
Definition:
Key Stretching
Salts an encryption key, and converts it to a longer and disordered key
What are the most common hash uses?
- File Integrity
- Digital Signature
- Secure Logon Credential exchange
Definition:
Hash collision
Hashing is a good file verification method, but it is not perfect. Depending on the algorithm used, there is a potential for hash collisions.
Most popular hashing algorithms
SHA
MD5
HMAC
RIPEMD
Acronym:
SHA
Secure Hashing Algorithm
Acronym:
MD5
Message-Digest Algorithm 5
Acronym:
HMAC
Hash-Based Message Authentication Code
What are the 3 states of data?
- Data in transit
- Data at rest
- Data in use [RAM, registers]
What are the types of disk and file encryption?
- Full-disk Encryption and partition encryption
- Volume and file encryption
- Database encryption
- Database-level encryption
- Record-level encryption
What are the most common data transport encryption? And where are they used?
- WPA (Wi-fi)
- IPSec (VPN)
- TLS (Internet)
Acronym:
WPA
Wi-Fi Protected Access
Acronym:
IPSec
Internet Protocol Security
Acronym:
TLS
Transport Layer Security
Acronym:
EFS
Encrypting File System
Definition:
Encrypting File System - EFS
EFS combines the speed of symmetric encryption with the convenience of asymmetric encryption using a process called key encapsulation.
Definition:
Pretty Good Privacy (PGP)
PGP is a product by Symantec that encrypts devices
Definition:
GNU Privacy Guard (GPG)
GNU Privacy Guard (GPG) is an encryption tool that encrypts emails, digitally signs emails, and encrypts documents
Acronym:
GPG
GNU Privacy Guard
Acronym:
PGP [Encryption Software]
Pretty Good Privacy
Acronym:
PKI
Public Key Infrastructure
Definition:
Public Key Infrastructure
Framework that establishes trust in the use of public key cryptography to sign and encrypt messages via digital certificates.
Aims to prove that the owners of public keys are who they say they are
Definition:
Digital certificate
Public assertion of identity validated by a certificate authority (CA)
Acronym:
CA
Certificate Authority
Definition:
Certificate Authority
Entity that guarantees a digital certificate’s validity
Comodo, DigiCert, GeoTrust, IdenTrust, and Let’s Encrypt.
What standard is used on Digital Certificates?
X.509 standard
Approved by the International Telecommunications Union
Standardized by the Internet Engineering Task Force
What are the digital certificate’s attributes? What information does it hold?
- Version
- Serial Number
- Signature algorithm [Cryptographic Algorithm]
- Issuer - CA
- Valid From and Valid To
- Subject
- Public Key [Encryption algorithm]
Aside from expiration, for what other reasons might a certificate be invalidated?
- The organization no longer exists.
- The private key has been compromised.
- The issued certificate is discovered to be fake.
Acronym:
CRL
Certificate Revocation List
Definition:
Certificate Revocation List - CRL
Blacklist of expired or untrustworthy certificates maintained by CAs
Acronym:
OCSP
Online Certificate Status Protocol
Definition:
Online Certificate Status Protocol - OCSP
Internet protocol used to determine the validity or state of a certificate.
Why use OCSP rather than CRL?
- Faster validation
- No need to download the entire CRL.
- A grace period for expired certificates.
List the certificate types
- Root certificate
- Subject Alternative Name (SAN) certificate
- Wildcard certificate
- Code-signing certificate
- Self-signed certificate
- Email certificate
- User and computer certificate
Definition:
Root certificate
Emitted by a CA, basically a self-signed certificate
Definition:
Subject Alternative Name (SAN) certificate
Allows organizations to use the same certificate for different domain names
Definition:
Wildcard certificate
Similar to SAN certificate, instead of multiple domain names allows the use for different subdomains
Definition:
Code-signing certificate
Used by app developers to prove their application is legitimate.
Definition:
Self-signed certificate
Self-signed certificates are certificates that have not been validated or signed by a CA.
Definition:
Email certificate
Used to secure email communication.
Definition:
User and computer certificate
User and computer certificates are used in a network environment to identify and validate specific users or computers.
Acronym:
CSR
Certificate Signing Request
Definition:
Certificate Signing Request - CSR
The CSR is a file containing the information the subject wants to use in the certificate, including its public key, sent to the CA to sign.
Acronym:
FQDN
Fully Qualified Domain Name
What is the field SAN used for?
Structured to represent different types of identifiers, including FQDNs and IP addresses.
What is the field CN - Common Name?
Previously used to identify the FQDN, it’s now deprecated
What are the attributes of a CRL - Certificate Revocation List?
- Publish Period
- Distribution Point(s)
- Validity Period
- Signature - the CRL is signed by the CA
Definition:
Root of Trust Model
Defines how users and different CAs can trust one another. It’s the root certificate
Definition:
Single CA Model
In this simple model, a single root CA issues certificates directly to users and computers.
Definition:
Hierarchical model - Third Party CAs
The root CA issues certificates to one or more intermediate CAs.
The intermediate CAs issue certificates to subjects (leaf or end entities).
Definition:
Certificate chaining/Chain of trust
Each leaf certificate can be traced to the root CA along the certification path, in the hierarchical model.
What are the main methods of keeping a private key safe?
- Key archival
- Key escrow
Definition:
Key archival Method
The private key is sent securely and backed up by the CA.
Definition:
Key escrow
Refers to archiving a key (or keys) with a third party. A key can be split into more parts.
Each part can be held by separate escrow providers, reducing the risk of compromise.
Acronym:
KRA
Key Recovery Agent
Definition:
Key Recovery Agent - KRA
Account with permission to access a key held in escrow; usually two or more KRAs are required to authorize the operation.