Sec Flashcards
Symmetric encryption
- Same key to encrypt and decrypt.
- Faster than asymmetric.
- AES, DES, Blowfish, RC4, RC5, RC6
Protocols / OSI model
1) Physical - cables etc. (10BASE-T, 100BASE-T, full duplex)
2) Data Link - IEEE standards such as Ethernet and Wi-Fi, PPP, ARP, MAC, TAP
3) Network - IP, IPSec, ICMP, TUN, Wireguard
4) Transport - TCP, UDP, TLS/SSL
5) Session - sockets, connections
6) Presentation -
7) Application
Block ciphers vs stream ciphers
- Block ciphers encrypt data using blocks (usually 128 bits, such as in AES).
- Stream ciphers encrypt data bit by bit or byte by byte (mostly).
Asymmetric encryption
- Uses two keys to do encrypted data transfer
- One key to encrypt (public key)
- One key to decrypt (private key)
- DH, ECC, RSA
HMAC
- hash-based message authentication code
- used to ensure data integrity and authenticity (which some ciphers, such as plain AES, lack)
- without a MAC, ciphertext can be modified in transit, which mostly results in corrupted decrypted data rather than a detected error
- uses any hash, but mostly SHA-2 or SHA-3
Symmetric encryption modes
- ECB - electronic codebook (outdated)
- CBC - Cipher Block Chaining
- ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality but do not protect against modification/tampering (need to use HMAC)
- this led to new encryption algorithms, "authenticated encryption", which provide data integrity as well
- GCM - Galois/Counter Mode: counter-mode encryption combined with GMAC (Galois message authentication code)
- GCM acts as a stream cipher (the block cipher only produces a keystream)
- GCM - uses a nonce to initialize the counter -> counter gets encrypted -> output XORed with plaintext -> result is sent as ciphertext
- CBC - uses a nonce (IV) XORed with the first plaintext block -> output is encrypted and sent -> next plaintext block is XORed with the previous ciphertext block, etc.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
Initialization Vector / Cryptographic nonce
- used to randomize the encryption, so that the same data encrypted with the same key does not produce the same ciphertext.
- should be random/pseudorandom in CBC/GCM modes
- Cryptographic nonce is used only once to initiate the
RSA
- public key cryptosystem
- part of PKI used for SSL certificates, digital signatures etc
- used in TLS/SSL, OpenVPN
- public/private keys
- quite slow as it is asymmetric
- does not provide Perfect Forward Secrecy by itself, but can be combined with ECDHE
DH
- Diffie-Hellman
- one of the first public key protocols
- derives a secret key for further use in symmetric ciphers
  Alice                          Bob
  Orange (public)                Orange (public)
+ Blue (secret)                + Green (secret)
= Mix1  ---- exchanged ---->   = Mix2
  Mix2 (received)               Mix1 (received)
+ Blue                         + Green
= Mix3                         = Mix3   (same shared secret)
- best way to deploy PFS: ECDHE and DHE
AEAD
- authenticated encryption with additional data
- uses counters for authentication
- older encryption standards don't authenticate the data, and need an additional MAC (message authentication code)
- GCM
Perfect Forward Secrecy
- feature that session keys won’t be compromised even if long term secrets are revealed
- new key for each session
- keys are not kept on server
On which port goes ping?
It's ICMP, so none of them; in some rare cases it may go over UDP 7 or TCP 7.
Encoding, Encryption and Hashing?
Encoding may be reversed with the same algorithm used to encode it. It is used to represent the data in a suitable way.
Encryption is used to protect data's confidentiality and in some cases (GCM) also its authenticity and integrity.
Hashing is not reversible in theory (hello rainbow tables) and is used to map data of arbitrary size to fixed-size values.
Hash use cases:
- data authenticity and integrity in ciphers
- checksum
- hash tables in programming
- check digits (like in credit card)
CIA triangle
Confidentiality
Integrity
Availability
PKI
Public Key Infrastructure
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.[6][7][8]
A PKI consists of:[7][9][10]
A certificate authority (CA) that stores, issues and signs the digital certificates;
A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA;
A central directory—i.e., a secure location in which keys are stored and indexed;
A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued;
A certificate policy stating the PKI’s requirements concerning its procedures. Its purpose is to allow outsiders to analyze the PKI’s trustworthiness.
cpb
Cycles per byte. Number of clock cycles a microprocessor will perform per byte of data processed
Wireguard
- ChaCha20 for symmetric encryption, authenticated with Poly1305
- Curve25519 for ECDH (one of the fastest, provides 128 bit security)
- BLAKE2s for hashing and keyed hashing (hashing algorithm)
- SipHash24 for hashtable keys
- HKDF for key derivation
Security level (cryptography)
Measure of the strength that a cryptographic primitive achieves: n-bit security means that the attacker would have to perform 2^n operations to break it. For symmetric ciphers it equals the key size (AES with a 128-bit key gives 128-bit security). For asymmetric ciphers it depends on the best known attack algorithm: for 128-bit security you need RSA 3072 or ECDH with a curve of around 256 bits (Curve25519, for example).
Hash functions
Most used: SHA-1, SHA-2, SHA-3, BLAKE2, MD5
(H)KDF
Key derivation function - a cryptographic hash-based function that derives one or more secret keys from a secret value such as a main key
HMAC-based key derivation function (HKDF) - a simple KDF built on HMAC
SLA (allowed downtime per year)
5 nines - 99.999% - 5 minutes
4 nines - 99.99% - 50 minutes
3.5 nines - 99.95% - 250 minutes
3 nines - 99.9% - 9 hours
PGP
Pretty Good Privacy
is an encryption program that provides cryptographic privacy and authentication for data communication.
Public-key (asymmetric) encryption is used to share the symmetric key.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.
PGP fingerprint - a short text string that identifies a public key, so the full key can be looked up and verified from it
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
Digital Signature
- provide authenticity and integrity
- have legal significance
- asymmetric cryptography
- uses RSA, DSA, SHA, etc.
- hashes the data and signs the hash with the private key; the signature can be verified (decrypted) only with the corresponding public key
non-repudiation
a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.
EFAIL
A security hole in email systems that transmit content in encrypted form. It allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.
Heartbleed
- present since 2012
- discovered in 2014
- It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension.
- Buffer over-read (program, while reading data from a buffer, overruns the buffer’s boundary and reads (or tries to read) adjacent memory.)
- A Heartbeat Request message consists of a payload, typically a text string, along with the payload's length as a 16-bit integer. The receiving computer then must send exactly the same payload back to the sender.
- OpenSSL allocated a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the actual size of that message's payload. Because of this failure to do proper bounds checking, the message returned consists of the payload, possibly followed by whatever else happened to be in the allocated memory buffer.
POODLE
2014 TLS/SSL downgrade MITM attack
- downgrades the connection to SSL 3.0, which can be cracked as it uses RC4 (insecure)
- the attacker interferes in the TLS version negotiation and downgrades the version to SSL 3.0
Shellshock/Bashdoor
2014. Bash passes environment variables and exported functions to the scripts it calls. Exported functions are encoded in a certain way (they start with "()") so that they are decoded on the fly. A function can be encoded as a variable so that it is decoded as a function, and in vulnerable Bash versions the trailing commands after the function body are executed too. Test string:
env x='() { :;}; echo Vuln' bash -c "echo Test run"