Section 3 - Security Engineering & Cryptography Flashcards
What describes the suite of policies and technology tools designed to enable centralized management and control of mobile devices in a corporate setting?
Enterprise Mobility Management (EMM)
What is the difference between Trust and User-Specific Certificates?
Trust certificates are used to globally identify trusted devices within an organization using a single certificate pushed to multiple devices. This differs from user-specific certificates, which are rolled out by an MDM for unique identification and granular control
What is a firmware update delivered on a cellular data connection
Over the Air (OTA)
can be exploited - evil base station
What encryption standard does WPA2 use and what does it replace
Advanced Encryption Standard with 128 bit keys
Replaced WPA, with AES replacing RC4 and Cipher Block Chaining Message Authentication Code Protocol (CCMP) replacing TKIP
What are the main features of WPA 3
Simultaneous Authentication of Equals (SAE) which was introduced to address vulnerabilities in the WPA-PSK method.
Enterprise authentication uses 192-bit AES while personal uses 128-bit
Updated Cryptographic Protocols - replaced AES CCMP with AES Galois Counter Mode Protocol (GCMP) - a high-performance mode of operation for symmetric encryption that provides a special characteristic called Authenticated Encryption with Associated Data (AEAD)
Protection Frames to prevent recovery attacks
What is WPA3 also called and what standard is it
Wi-Fi 6 and 802.11ax
What is a standard for peer-to-peer (2-way) radio communications over a very short distance
Near Field Communication and around 4”
most common application is for contactless payments
Not encrypted so vulnerable
What is a recent attack against Bluetooth
BlueBorne
What is the security control that enforces a virtual boundary based on real world geography
Geofencing
Is DNS communications secure?
No and DNS over HTTPS (DoH) was developed as a response to incidents.
What are the terms for obtaining root privileges in both iOS and Android
Jailbreaking for iOS
Rooting for Android
Is Android or iOS more secure?
iOS. Android allows sideloading to install an app without using an app store
What is the access control that is based on the idea of security clearance
Mandatory Access Control (MAC)
Labels objects and subjects and not changeable by user
What is the process of determining what additional software may need to be installed on a client or server beyond its baseline, and what OS is a good example of this
Execution Control
Using a Linux Security Module (LSM)
SELinux
AppArmor - used by Ubuntu
SUSE Linux
Which version of Android is based on Security Enhanced Linux
SEAndroid
Uses MAC
Describe the differences between BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface)
Both are firmware designed to help a computer/device boot an OS. BIOS uses a Master Boot Record whereas UEFI uses a GUID Partition Table. UEFI is more advanced and has more security features such as Secure Boot or Measured Boot.
What is an appliance for generating and storing cryptographic keys
Hardware Security Module (HSM)
FIPS 140-2 provided accreditation for cryptographically strong products
T or F Key management and key use can be incorporated into the same function and cloud location
False - should use a KMS whose keys are generated separately from the cloud provider
What is serverless computing billed on and does this paradigm have risks?
Execution time rather than hourly charges. This is commonly called Function as a Service (FaaS)
New paradigm; use cases and best practices are not mature
Depends heavily on event-driven orchestration to facilitate operations
AWS Lambda
Google Cloud Functions
Azure Functions
What is the term for provisioning architecture in which deployment of resources is performed by scripted automation and orchestration
Infrastructure as Code (IaC)
Used for Software Defined Networking
What is an enterprise management system software designed to mediate access to cloud services by users across all types of devices
Cloud Access Security Broker (CASB)
Enable SSO
Scan for Malware, rogue and non-compliant devices
Monitor and audit user and resource activity
Mitigate data exfiltration
What are the 3 implementation methods of CASB
Forward Proxy - security appliance/host positioned at the client network edge that forwards traffic to the cloud network. Users can evade it and connect directly
Reverse Proxy - positioned at the network edge and can direct traffic if policy is in compliance. Does not require configuration on the user device but does require cloud application support
API - this is between the cloud service and cloud consumer. Works best for post security incidents where inline interception is not possible/desirable. Not in real time, unlike the above proxy options
What is the name of the practice of splitting encrypted data output into multiple parts which are subsequently stored in disparate locations
Bit or Cryptographic Splitting
What are some examples of Microcontrollers that perform sequential operations from a dedicated instruction set
Application-specific integrated circuits (ASICs) - used for ethernet switching
Field Programmable Gate Array (FPGA) - a processor that can be programmed to perform a specific function by the customer rather than at the time of manufacture
What is the system that practically integrates all components (CPU, RAM, Storage, etc.) into one
System on a Chip (SoC)
Name the components of an Industrial Control System
Human Machine Interfaces (HMI) - input/output controls on a PLC allowing users to configure and monitor
Supervisory Control and Data Acquisition (SCADA) - manages large-scale, multi-site devices and equipment spread over geographically large areas
Programmable Logic Controller (PLC) - a form of digital computer that interacts with a wide range of sensors
HVAC
Name the common protocols used by ICS
Controller Area Network - serial network designed to allow communication between embedded PLCs - cars are susceptible to attack due to this design using wireless or direct connection
Modbus - component of an ICS and is described as an OT and its protocol
It uses Common Industrial Protocol (CIP) and Distributed Network Protocol (DNP3)
Data Distribution Services (DDS) - enables interoperability for connected machines and facilitates scalability, performance, and QoS
Safety Instrumented Systems (SIS) - comprised of sensors, logic solvers and final control elements - horns, flashing lights, and sirens.
What is the function that converts an arbitrary length string to a fixed string output called
Hashing
- Output is of fixed length regardless of input size
- Same input to a hashing algorithm will generate the same output every time it is hashed
- Output of the hashing function cannot be used to recreate the input in any way; this is referred to as a one-way function
Name some common hurdles in Hashing
Being certain that the hash value is properly represented.
Older hash algorithms are susceptible to collisions where two different plaintext inputs produce the same ciphertext output
Name two popular hashing algorithms
Message Digest Algorithm (MD5) - produces a 128 bit output and due to short outputs can be easily brute-forced
Secure Hash Algorithm (SHA) - was created to address weaknesses in MD5
SHA-1 generates a 160-bit output while SHA-256 (widely used for bitcoin)
Per NIST, they developed SHA-3 and SHA-1 should no longer be used.
What is RIPEMD
RACE Integrity Primitives Evaluation Message Digest - developed around the same time as SHA-1 to produce longer outputs than MD5 and is also the bitcoin standard
What is the method used to verify both the integrity and authenticity of a message by combining a cryptographic hash with a secret key
Hash-based message authentication code (HMAC)
When a MAC is constructed through the use of hashing, it is an HMAC
HMAC-SHA
What is the MAC that is used on older iPhone/iPad devices that do not include AES hardware
Poly1305
What is a “key” difference between hashing and encryption
Unlike hashing, an encryption algorithm can be used to regenerate the input, so it is regarded as a two-way function.
Symmetrical algorithms have one key to lock and unlock and do not provide message integrity or authentication
T or F Cypher is another term for an algorithm
True
Name the two types of Symmetric Encryption
Stream Cypher - stream of plaintext bits or bytes with pseudorandom stream initialized by a secret key. Best for encrypting communications where the total length is not known.
Examples: RC4 - old and vulnerable
Salsa20 - well regarded
ChaCha - variant of Salsa, adopted by Google and used in devices lacking AES hardware acceleration
Uses an Initialization Vector - technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption
Block Cypher - encrypts one block at a time, often in 64-bit blocks. More secure than stream but slower. Uses Output Feedback (OFB) for the first round of encryption and combines the output of all previous rounds as input.
3DES - replaced by AES which is based on the Rijndael algorithm.
What are modes of operations that are used with symmetrical block cyphers
These are techniques or methods by which symmetrical encryption can be performed.
Cipher Block Chaining (CBC) - very simple and susceptible to the padding-oracle attack
Electronic Codebook (ECB) simple and also susceptible to attack
Galois/Counter Mode (GCM) widely adopted.
In Asymmetric encryption what is known only to the holder and is linked to, but derivable from, a public key distributed to those with which the holder wants to communicate securely
Private Key
Can be used to prove identity
Does involve more overhead than symmetrical and is not ideal for large amounts of data.
used mainly for authentication and non-repudiation.
What are the differences in key agreement between symmetrical and asymmetrical
Symmetrical derives the key while asymmetrical is transmitted.
Name the two common Key Agreements
Diffie-Hellman (DH) - uses complicated modulus math based on a common secret
Elliptic-Curve Diffie-Hellman (ECDH) - similar to DH but uses math based on elliptical curves instead of discrete logs
What is the process when a user creates a digest of a message, using a pre-agreed hash algorithm such as SHA 256 and then encrypts the digest using a private key
Digital Signature
Rivest, Shamir and Adleman (RSA) - asymmetrical algorithm that is based on factoring large prime numbers
Digital Signature Algorithm (DSA) - similar to RSA but uses logarithmic and modulus math. Faster at generating digital signatures but slower at verifying
Elliptic-Curve Digital Signature Algorithm (ECDSA) - similar but smaller keys
What was the protocol developed by Netscape in the 90’s to protect traffic and what was it replaced by
Secure Sockets Layer (SSL) to protect traffic for HTTPS and version 2.0 and 3.0 should no longer be used
Transport Layer Security (TLS) only version 1.2 or higher should be used
This is applied at the OSI Application Layer
What is the algorithm supported by both the client and server to perform the different encryption and hashing operations by the protocol
Cipher Suites
ECDHE - RSA - AES128 - GCM - SHA256
Key Exchange - Signature - Bulk Encryption - Message Authentication - Elliptic Curve
What type of attack tries to force the use of a weak cipher suite and SSL/TLS Version
Downgrade Attack
recommended to disallow “export cipher suites”
What is the email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications
S/MIME
What two types of key pairs does SSH Use
Host Key Pair - revealed by server
User Key pair for a client to login to an SSH Server.
Sony Hack was based on SSH mismanaged key.
What is the framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves?
Extensible Authentication Protocol
EAP-TLS - one of the strongest and widely supported. requires PKI and more complex and costly to manage
Protected EAP (PEAP) - encrypted tunnel is established between the supplicant and authentication server. Simpler than EAP with only server side certs.
EAP-TTLS - also only server-side certs
EAP-FAST - designed by Cisco; instead of using a certificate to set up the tunnel it uses a Protected Access Credential - requires out-of-band delivery.
What is the network protocol used to secure data through authentication and encryption as it travels through the network
Internet Protocol Security (IPSec)
Layer 3 - networking
What are the two core protocols for IPSec
Authentication Header - form of cryptographic hash on the whole packet including the IP header, plus a shared secret. Does not support NAT gateways so it is not often used. Does not provide confidentiality
Encapsulation Security Payload (ESP) provides confidentiality, authentication, and integrity.
What is the modern successor to RSA
Elliptic Curve Cryptography (ECC)
no known shortcuts for cracking
P256 no longer recommended by NSA
How do you mitigate the risk of RSA Key Exchange
Perfect Forward Secrecy (PFS) - uses Diffie-Hellman to create ephemeral session keys without using the server's private key.
What is the form of encryption that in addition to confidentiality provides integrity and authenticity
Authenticated Encryption with Associated Data (AEAD)
What is the technique that strengthens potentially weak input for cryptographic key generation
Key Stretching
for passwords created by people against brute force attacks
Password-Based Key Derivation Function 2 (PBKDF2) widely used for WPA, iOS, Cisco, LastPass.
Bcrypt - Adds additional variations to the key called a salt
What does Code Signing Provide
Proof of Origin
What mechanisms can be used to encrypt data while in use
Trusted Execution Environments such as Intel Software Guard Extensions
What is a public assertion of identity and who validates that
Digital Certificate, validated by a Certificate Authority (CA)
What is the specialized card containing cryptographic information to achieve authentication
Smart Card Authentication
Has a secure processing chip that stores the user's digital certificate, the private key, and a PIN to activate the card.
What is the purpose of a bridge CA
allows for interoperability and shared trust between multiple, otherwise independent PKIs.
Who is the entity responsible for issuing and guaranteeing certificates
Certificate Authority (CA)
What is the method of validating a certificate by tracing each CA that signs the certificate up through the hierarchy to the root CA
Certificate Chaining or chain of trust
even with a root CA that is offline most CA activities are handled by intermediate CA servers
What is a component of PKI when __________ is generated on the device that needs a certificate and contains information that the CA needs in order to create the certificate
Certificate Signing Request (CSR)
A Base64 ASCII file that is sent to CA
Uses key fields
Common Name (CN) - FQDN
Subject Alternative Name (SAN) - multiple host names on same certificate - feature is called multi-domain certificates
Organization (O) - legal name
OU - division or dept
City/Locality (L)
State/County/Region (S)
Country (C)
Public Key that will be included
Information about key type and length
In the creation of Digital Certificates what are common methods of validation
General Purpose or Domain Validation (DV) - email or modifying a DNS text record.
Extended Validation (EV) - maintained by the CA/Browser Forum. Major drawback is that they cannot be issued for a wildcard domain. Also use the same process as standard ones and are not necessarily better protection
A ___________ is a hash that is then encrypted using a private key
Digital Signature
What describes when a certificate is used to establish a trust relationship between two different CAs
Cross Certification
for two organizations or migrations
What describes the set of root CAs that are trusted to validate identity
Trusted Providers
For organizations that build their own PKI infrastructure, their root CA must be added to the list of trusted providers
What do CAs need to maintain a list of certificates that were revoked before their expiration date?
Certificate Revocation List (CRL)
Coded based on reason such as:
Unspecified, Key Compromise, CA Compromise, Superseded or Cessation of Operation
Revoked Certificates cannot be reinstated
What is another means of providing up to date information on certificate status
Online Certificate Status Protocol (OCSP)
Allows real time status request to check if there is revocation
Describe the differences between Certificate Pinning and Stapling during a transport protocol such as SSL/TLS
Pinning is the technique when a client inspects the certificate presented by a server or a code-signed application bypassing the CA hierarchy. Pinning has many vulnerabilities
Stapling resolves these issues by having the SSL/TLS server periodically obtain time-stamped OCSP response from the CA.
What can be configured as a response header on a web server and notifies a browser to connect to the requested site as HTTPS
HTTP Strict Transport Security (HSTS)
Prevents downgrade attacks
What is another term to describe the requirement for both client and server devices to use certificates to verify identity
Mutual authentication
What would cause a website to display your connection is not private when accessing
The website is configured to use a weak signing algorithm