Module 4- Applications of Cryptography Flashcards by Kaitlin C

FIPS Standard 140

Cryptographic Modules

How well did you know this?

Not at all

Perfectly

FIPS Standard 186

Digital Signatures

How well did you know this?

Not at all

Perfectly

FIPS Standard 197

AES

How well did you know this?

Not at all

Perfectly

FIPS Standard 201

Identity Verification

How well did you know this?

Not at all

Perfectly

Encryption of a message digest with the sender’s private key. Provides:

Authentication
Integrity
Non-repudation

Digital Signatures

How well did you know this?

Not at all

Perfectly

A digital document that contains a public key and some information to allow your system to verify where that key came from.

Digital Certificate

How well did you know this?

Not at all

Perfectly

Uses asymmetric key pairs and combines software, encryption and services to provide a means of protecting the security of business communication and transactions.

PKI (Public Key Infrastructure)

How well did you know this?

Not at all

Perfectly

Put in place by RSA to ensure uniform certificate management throughout the internet.

PKCS (Public Key Cryptography Standards)

How well did you know this?

Not at all

Perfectly

Certificate, a digital representation of the information that identifies you as a relevant entity.

Trusted Third Party (TTP)

How well did you know this?

Not at all

Perfectly

An entity trusted by one or more users to manage certificates.

CA (Certification Authority)

How well did you know this?

Not at all

Perfectly

Used to take the burden off of a CA by handling verification prior to certificates being issued. Acts as a proxy between user and CA. Receives request, authenticates it and forwards it to the CA.

RA (Registration Authority)

How well did you know this?

Not at all

Perfectly

A set of rules that defines how a certificate may be used.

CP (Certificate Policy)

How well did you know this?

Not at all

Perfectly

The most widely used digital certificate standard. First issued July 3, 1988. It is a digital document that contains a public key signed by the trusted third party, which is known as a Certificate Authority, or CA.

X.509

How well did you know this?

Not at all

Perfectly

Relied on by S/MIME. Contains your name, info about you, and a signature of a person who issued the certificate.

X.509

How well did you know this?

Not at all

Perfectly

X.509 Certificate Content

Version
Certificate holder's public key
Serial number
Certificate's validity period
Unique name of certificate issuer
Digital signature of issuer
Signature algorithm identifier

How well did you know this?

Not at all

Perfectly

X.509 Certificate File Extensions

.pem
.cer, .crt., .der
.p7b, .p7c
.p12
.pfx

How well did you know this?

Not at all

Perfectly

a Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–”

.pem (Privacy Enhanced Mail)

How well did you know this?

Not at all

Perfectly

Usually in binary DER form, but Base64-encoded certificates are common also

.cer, .crt, .der

How well did you know this?

Not at all

Perfectly

PKCS#7 SignedData structure without data, just certificate(s) or CRL(s).

.p7b, .p7c

How well did you know this?

Not at all

Perfectly

PKCS#12, may contain certificate(s) (public) and private keys (password protected).

.p12

How well did you know this?

Not at all

Perfectly

Predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., w/ PFX files generated in IIS).

.pfx

How well did you know this?

Not at all

Perfectly

The primary role of this is to digitally sign and publish the public key bound to a given user. It is an entity trusted by one or more users to manage certificates. Verisign is an example.

Certificate Authority (CA)

How well did you know this?

Not at all

Perfectly

Certificate for individuals, intended for email

Certificate Authority - Verisign - Class 1

How well did you know this?

Not at all

Perfectly

Certificate for organizations for which proof of identity is required

Certificate Authority - Verisign - Class 2

How well did you know this?

Not at all

Perfectly

Certificate for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing CA

Certificate Authority - Verisign - Class 3

Certificate for online business transactions between companies

Certificate Authority - Verisign - Class 4

Certificate for private organizations or governmental security

Certificate Authority - Verisign - Class 5

Used to take the burden off of a CA by handling verification prior to certificates being issued. Acts as a proxy between the user and the CA. Receives request, authenticates it, and forwards it to the CA.

Registration Authority (RA)

Distributes digital certificates that contain public keys. A network of trusted certificate authority servers. An arrangement that binds public keys with user identities by means of a CA.

Public Key Infrastructure (PKI)

A list of certificates that have been revoked.

Certificate Revocation List (CRL)

A real time protocol for verifying certificates (and a newer method than CRL)

Online Certificate Status Protocol (OCSP)

An Internet protocol for determining the path between a X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy.

Server-based Certificate Validation Protocol (SCVP)

Two types of systems: Centralized key-management systems Decentralized key-management systems

Digital Certificate Management

Three phases of key life cycle (Digital Certificate Management)

Setup and initialization Administration Cancellation

Process components: Registration Key pair generation Certificate Generation Certificate Dissemination

Setup and Initialization Phase

``` Expiration Renewal Revocation Suspension Destruction ```

Cancellation and History Phase

Key Storage Certificate retrieval and validation Backup or escrow Recovery

Administration Phase

- Person who can recover keys from the keystore on behalf of a user - Highly trusted person - Issue recovery agent ·EFS recovery agent certificate ·Key recovery agent cert

Update and Patch Vulnerabilities

Certificate Authority is at the top Intermediate CAs are the next level Users are the bottom level

Hierarchical Trust Model

Certificate Authority is at the top | Users are directly below the CA

Single Authority Trust Model

Users all trust each other

Web of Trust - Trust Model

One of the most basic authentication protocols. Passwords are sent over the network in clear text. The basic authentication feature built into HTTP uses this.

Password Authentication Protocol (PAP)

This is a proprietary version of PAP. Encrypts username and password as it is sent across network.

Shiva Password Authentication Protocol (S-PAP)

Authenticator sends a "challenge" message to the peer after link establishment. Peer responds with a value using a "one-way hash" function. Authenticator checks the response against its own calculation of the hash value. Authenticator sends new challenges to the peer at random intervals.

Challenge-Handshake Authentication Protocol (CHAP)

Widely used, particularly with Microsoft operating systems. Created by MIT and derives its name from the mythical three headed dog.

Kerberos

A server or client that Kerberos can assign tickets to.

Principal

Server that authorizes the principal and connects them to the Ticket Granting Server.(Components of Kerberos System)

Authentication Server (AS) -

Provides tickets in Kerberos System

Ticket Granting Server (TGS)

A server that provides the initial ticket and handles TGS requests. Often runs as TGS services. (Components of Kerberos System)

Key Distribution Center (KDC)

A boundary within an organization. Each realm has its own AS and TGS. (Components of Kerberos System)

Realm

A TGS (Ticket Granting Server) in a remote realm. (Components of Kerberos System)

Remote Ticket Granting Server (RTGS)

The ticket that is granted during the authentication process. (Components of Kerberos System)

Ticket Granting Ticket (TGT)

Used to authenticate to the server. Contains identity of client, session key, timestamp, and checksum. Encrypted with servers key. (Components of Kerberos System)

Ticket

Temporary encryption key.(Components of Kerberos System)

Session key

Proves session key was recently created. Often expires within 5 minutes. (Components of Kerberos System)

Authenticator

Type cryptography Kerberos uses and the port number

Uses symmetric cryptography and UDP port 88.

Created by Phillip Zimmerman in early 1990's. Not itself an algorithm but uses other symmetric and asymmetric algorithms. Open source software for making encryption and decryption readily usable by end users. Most often associated with email encryption. Uses certificates that contain multiple signatures but they are self-signed so they can't be validated with a CA.

Pretty Good Privacy (PGP)

Defines it own format. A single certificate can contain multiple signatures. Includes: Version Number Certificate holder's public key Certificate holder's information Digital signature of certificate owner Certificates validity period Preferred symmetric encryption algorithm for the key

PGP Certificates

Uses the RC4 stream cipher to secure the data and a CRC-32 checksum for error checking. Standard version uses a 40bit key with a 24bit initialization vector to form 64bit encryption. 128bit version uses 104bit key with 24bit IV. Because RC4 is a stream cipher, the same traffic key must never be used twice. 24bit IV is not enough prevent repetition on a busy network. Vulnerable to related key attack.

Wired Equivalent Privacy (WEP)

Uses Temporal Key Integrity Protocol (TKIP). Dynamically generates a new key for each packet.

WPA - WiFi Protected Access

Uses pre-shared key mode. Designed for home and small networks. Doesn't require authentication server. Each wireless device authenticates using the same 256bit key.

WPA-Personal (can be known as WPA-PSK mode)

Designed for enterprise networks. Requires a RADIUS server for authentication. Extensible Authentication Protocol (EAP) is used for authentication. (EAP-TLS and EAP-TTLS)

WPA-Enterprise (can be called WPA-802.1x mode)

Based on IEEE 802.11i and provides: - Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP) that provides data confidentiality, data origin authentication, and data integrity for wireless frames. - Optional use of Pairwise Master Key (PMK) caching and opportunistic PMK caching. (caches results of 802.1x authentications to improve access time) - Optional use of pre-authentication that allows WPA2 wireless client to authenticate with other wireless access points in range.

WPA2

Developed by Netscape and has been replaced by TLS. It was the preferred method used with secure websites (i.e. https)

SSL

SSL Steps

1. The browser asks the web server to prove its identity. 2. The server sends back a copy of its SSL certificate. 3. The browser checks to see if the certificate is from a CA it trusts. 4. The server sends back a digitally signed acknowledgement and a session is started.

A protocol for encrypting transmissions. A client and server negotiate a connection by using a handshaking procedure. The server sends back its identification as a X.509 certificate. The client contacts the CA to confirm the validity of the certificate before proceeding. This protocol also supports secure bilateral connection mode.

TLS (Transport Layer Security)

A way to use the internet to create a virtual connection between a remote user or site and a central location. Packets are encrypted making the network private. Emulates a direct network connection.

VPN

Oldest of the three protocols used in VPNs. Designed as a secure extension to the Point-to-Point Protocol (PPP). Adds the feature of encrypting packets and authenticating users to PPP. Works at the data link layer of the OSI model.

Point-to-Point Tunneling Protocol (PPTP)

Can use two different methods of of authenticating the user: | EAP and CHAP

PPTP VPN

``` Designed as an enhancement to PPTP Like PPTP, works at the data link layer Offers many modes of authentication: CHAP, EAP, PAP, SPAP, and MS-CHAP Can work on X.25 networks (phone) Uses IPSec for its encryption ```

Layer 2 Tunneling Protocol (L2TP) VPN

Latest of the three VPN protocols Encrypts not only the packet data, but also the header information Has protection against unauthorized re-transmission of packets

Internet Protocol Security (IPSec) VPN

VPN setup through a web browser, portal that uses secure traffic. Gives user access to the target network.

SSL/TLS VPN

Since Windows 2000, this has been used along with NTFS. Allows a simple way to encrypt and decrypt files/folders. Simply right-click, choose properties, then advanced. Encrypted files will appear in green and are tied to the user who encrypted them.

Encrypting File System (EFS)

Introduced with Windows 7. Can encrypt partitions or entire drives. Startup key only. Key information is stored on a flash drive or TPM. Uses AES with 128bit key.

BitLocker

Software for maintaining an on-the-fly-encrypted volume. Data is automatically encrypted right before it is saved, then decrypted right after it is loaded, all w/o user intervention.

VeraCrypt

Common Cryptography Mistakes

- Using a standard modulus in RSA (modulus e=216+1=65537) - Using seeds for symmetric algorithms that are not random enough - Hard coded cryptographic secrets/elements - Using too short of a key - Re-using keys - Unsecure Key Escrow - Unsecure cryptographic mode (ECB mode) - Proprietary cryptographic algorithms

The art and science of writing hidden messages so that no one suspects the existence of the message, a type of security through obscurity. Message can be hidden in picture or audio file for example. Uses least significant bits in a file to store data.

Steganography

The data to be covertly communicated, the message you wish to hide. (Steganography Terms)

Payload

The signal, stream, or data file into which the payload is hidden.

Carrier

The type of medium used. This may be still photos, video, or sound files.(Steganography Terms)

Channel

In every file, there are a certain number of bits per unit of the file. For example, an image file in Windows is 24bits per pixel. With Least Certificate Bit (LSB) replacement, some bits can be replaced without altering the file much.

Steganography Details

Hiding messages in sound files. Can be done via LSB and Echo Hiding

Steganophony

Hiding messages in video files. Can be done via Discrete Cosine Transform

Video Steganography

Stores data in seemingly random files.

Steganographic File Systems

QuickStego - easy to use but limited Invisible Secrets - robust, has free and commercial versions MP3Stego - MP3 files Stealth File 4 - Sound files, video files, and image files Snow - Hides data in whitespace StegVideo - Hides data in a video sequence

Steganography Implementations

Detecting steganography and extracting the hidden information. Done with software. By analyzing changes in an images close color pairs, the steganalyst can determine if LSB was used. Close color pairs consist of two colors whose binary values differ only in the LSB.

Steganalysis

A method to analyze an image to detect hidden messages. Based on statistics of the number of unique colors and close-color pairs in a 24bit image. Analyzes the pairs of colors created by LSB embedding. Countermeasure- Maintaining the color palette w/o creating new colors.

Steganalysis - Raw Quick Pair

Calculates the average LSB and builds a table of frequencies and Pair of Values. Performs a test on the two tables. It measures the theoretical vs. calculated population difference.

Steganalysis - Chi-Square Analysis

Examines noise distortion in the carrier file. Noise distortion could indicate the presence of a hidden signal.

StegSpy Stegdetect StegSecret

Steganography Detection Tools

(How the NSA classifies cryptography) This classification of algorithms are not published. Algorithms are classified.

Suite A

(How the NSA classifies cryptography) This classification of algorithms are published.

Suite B

NSA Suite A Cryptography Algorithms

That's CLASSIFIED!

- AES w/ key sizes of 128 and 256bits - For traffic, AES should be used w/ the Galois/Counter Mode (GCM) mode of operation - symmetric encryption - Elliptic-Curve Digital Signature Algorithm (ECDSA) - digital signatures - Elliptic-Curve Diffie-Hellman (ECDH) - key agreement - Secure Hash Algorithm 2 (SHA-256 and SHA-384) - message digest

NSA Suite B Cryptography Algorithms

``` Highest level of encryption algorithms. Used for classified or sensitive U.S. government information. Includes: JUNIPER - Block Cipher MAYFLY - Asymmetric FASTHASH - Hashing WALBURN - High bandwidth link encryption PEGASUS - Satellite telemetry ```

NSA Type 1 Algorithms

Used for unclassified cryptographic equipment, assemblies, or components. Endorsed by the NSA for use in telecommunications and automated information systems for the protection of national security information. These include: Skipjack (a block cipher) KEA (Key Exchange Algorithm - Asymmetric)

NSA Type 2 Algorithms

product is a device for use with Sensitive But Unclassified (SBU) information on non-national security systems. Algorithms include: DES 3DES SHA AES (some implementations of AES are type 1)

NSA Type 3 Algorithms

Algorithms that are registered by NIST but not FIPS published. Also, unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage.

NSA Type 4 Algorithms

The only unbreakable encryption. Has a separate substitution for each character making the key as long as the text. No substitution is used more than once. Key is used one time then destroyed. Impractical for most situations.

One Time Pad (OTP)