Section 1.4

Question 1

What does PKI stand for?

Answer 1

Public Key Infrastructure

Question 2

What’s the purpose of the PKI?

Answer 2

Public Key Infrastructure (PKI) is a framework of policies, procedures, hardware, software, and people that enables the secure exchange of information over networks. It uses a system of digital certificates and public-private key pairs to authenticate the identity of users, devices, and services, ensuring secure communication and data integrity.

Question 3

What is Symmetric encryption?

Answer 3

Symmetric encryption means that anytime you are performing a decryption of some information, you’re using the same key that you used to encrypt that information.

Question 4

What is Asymmetric encryption?

Answer 4

Asymmetric encryption means that two (or more) keys are used, one for encryption and one key for decryption.

One becomes the private key and the other becomes the public key.

How does it work?
Anyone that has the public key, can encrypt data with that key and then send the encrypted data to you, and only the holder of the private key can decrypt the data.

Question 5

What is transport encryption and provide examples of it.

Answer 5

Transport encryption is encrypting data on the move.
For example browsers use https for encrypted data in transit.
VPNs encrypts all data transmitted over the network.
- Client based VPN use SSL/TLS
- Site to Site VPN use IPsec

Question 6

Explain encryption algorithms

Answer 6

Encryption algorithm provides the formula to be used during the encryption and decryption process. Both sides, the encrypting side and decrypting side must use the same encryption algorithm.

Question 7

Why are cryptographic key lengths important?

Answer 7

Brute force attacks are commonly used by attackers to find the key. This means that brute force attacks try every possible key combination. The longer the key, the more combination would be available, therefore more secure.

Question 8

What’s a typical key length for symmetric encryption?

Answer 8

128-bit or larger symmetric keys are common

Question 9

What’s a typical key length for asymmetric encryption?

Answer 9

3072 bits or even larger

Question 10

What is meant by key stretching /strengthening?

Answer 10

This means that in order to make a key more secure, you would hash a password, and then hash the hash of the password, and hash the hash … and continue

Question 11

What is Out-of-band key exchange?

Answer 11

This means that the key is shared through means that are not in the internet. This would be through in person, over a telephone and so on.

Question 12

What is In-band key exchange?

Answer 12

This means that the key is shared through the network. This would use additional security such as:
- If the goal is to share a symmetric key, then this key can be encrypted with a asymmetric key, and then send the key along with the asymmetric public key.

Question 13

Explain session keys

Answer 13

Session keys are used for temporary basis for a specific session.

Question 14

Explain the key exchange algorithms.

Answer 14

Key exchange algorithms means the following:
System A has its own private key.
System B has its own private key.
If system A wants to send information to system B, then it can combine its private key with System B public key.
Then when the information is received in system B, system B can combine its private key with System A public key.
Now the two systems can securely communicate with each other.

Question 15

What is a TPM?

Answer 15

Its a Trusted Platform Module (TPM) to provide cryptographic functions for a specific computer.

It can create keys.
It can store keys such as bitlocker keys.

Question 16

What is a HSM?

Answer 16

Hardware Security Module (HSM) is used for large environments such as thousands of servers. HSM is used to store all the encryption keys for all of those servers.

Question 17

What is a secure enclave?

Answer 17

A secure enclave is a hardware processor, which is isolated from the main processor and provides extensive security features such as:
- Has its own boot ROM
- Monitors the system boot process
- Random number generator
- Real time memory encryption
- Root cryptographic keys
- Performs AES encryption in hardware and more

Question 18

What is obfuscation?

Answer 18

It’s the process of making something unclear, but not impossible to understand.
A type of obfuscation is Steganography, which means hiding information inside of an image.

Question 19

What is Steganography?

Answer 19

Steganography is security through obscurity.

It can be in an image data, or the actual image itself.
It can be on network bits, or audios.

Question 20

What is tokenization?

Answer 20

Tokenization refers to replacing sensitive data with a non sensitive placeholder.
For example it can be taking a SSN number and providing a new number that the system understands how to revert it back to the original number.

Question 21

What is data masking?

Answer 21

Data masking means that we hide part of the information and only display part of the information. An example is showing only the last 4 digits of a credit card number and hiding the rest of them using *.

Question 22

What is SHA256 Hash?

Answer 22

It’s a popular hashing algorithm

Question 23

What is hashing used for?

Answer 23

1. Verify downloaded file.
2. Password storage

Question 24

What does salt means in hashing process?

Answer 24

It’s random data added to a password when hashing. Makes the hash stronger especially against attacks such as rainbow tables or brute force.

Question 25

What is blockchain technology?

Answer 25

It’s a distributed ledger to keep track of transaction. Everyone’s transactions are public.
Makes it perfect for:
- Payment processing
- Digital identification
- supply chain monitoring
- digital voting

Question 26

What is a digital certificate?

Answer 26

A digital certificate is a file that contains a public key and a digital signature.

Question 27

What is the purpose of X.509?

Answer 27

This is the standardized format for a digital certificate.

Question 28

What information is stored in the digital certificates?

Answer 28

Serial number
version
signature algorithm
issuer
name of the cert holder
public key
extensions
and more

Question 29

What is meant by the root of trust?

Answer 29

The root of trust is an inherently trusted component meaning that if a third party trusts a specific website the we can also trust this website.

These third party component can be hardware, software, firmware or other component such as Certificate Authority (CA).

Question 30

What is a CSR?

Answer 30

A CSR is a certificate signing request.

Question 31

What is a CRL?

Answer 31

Certificate Revocation List. This is a list of all of the certificates that have been revoked.

Question 32

What is OCSP Stapling?

Answer 32

OCSP Stapling (Online Certificate Status Protocol Stapling) is a method used to improve the efficiency and performance of checking the revocation status of SSL/TLS certificates.