Security

Question 1

Encryption

Answer 1

Modifying data to make it unreadable to miscreants

Question 2

Nonrepudiation

Answer 2

The process that guarantees that the data is the same as original sent, came from the bona fide source

Question 3

Authentication

Answer 3

Verifying that whoever is accessing the data is who they claim to be. The computer that is trying to connect must present some form of credential to be allowed access to the network.

Question 4

Authorization

Answer 4

Verifying that whoever is accessing the data should be able to do so. Once authenticated, the computer determines what the device can and cannot do on the network.

Question 5

Accounting

Answer 5

The logging of authentications and authorizations. The authenticating server should do some form of accounting fo who is logging in and when, number of unsuccessful logins, etc.

Question 6

Cipher

Answer 6

A series of algorithms (complex and hard to reverse) that is run on data to encrypt it

Question 7

Complete algorithm

Answer 7

A combination of a cipher and an implementation method for it

Question 8

XOR

Answer 8

“eXclusive OR.” A logical operation that compares to inputs and outputs true (i.e. “1”) if both inputs differ, otherwise it outputs false (i.e., “0”).

Question 9

Brute force

Answer 9

The process of testing every possible combination of characters to determine an answer

Question 10

Ciphertext

Answer 10

The result when cleartext/plaintext is run through a cipher algorithm using a key

Question 11

Symmetric encryption

Answer 11

Any encryption implementation that uses the same key for encryption and decryption. Inherently weak since the key must be shared and can be lost. E.g., DES

Question 12

Asymmetric encryption

Answer 12

Any encryption implementation that uses different keys for encryption and decryption (e.g., a public/shared key and a private/secret key)

Question 13

Block cipher

Answer 13

Any cipher that encrypts data in discrete blocks/chunks (e.g., a cipher encrypting discrete IP packets). E.g., AES

Question 14

Stream cipher

Answer 14

Any cipher that encrypts data on the fly. Common on wireless networks and mobile phone data networks. E.g., RC4

Question 15

DES

Answer 15

Data encryption standard. Symmetric key algorithm and block cipher. Encrypts data using a 56-bit key, in 64-bit blocks. Very vulnerable due to the short key length. More modern variants: 3DES, IDEA, Blowfish

Question 16

RC4

Answer 16

Rivest Cipher 4. Symmetric key algorithm and stream cipher. Today it is very vulnerable to attacks

Question 17

AES

Answer 17

Advanced encryption standard. Block cipher. Encrypts data in 128-bit blocks. Can use a 128- 192-, or 256-bit key. Very fast. For now, virtually uncrackable. Very popular today, usually the only cipher that is recommended

Question 18

Safest and most secure encryption algorithm today

Answer 18

AES. The longer the key, the better. 256-bits is the longest.

Question 19

Inventors of asymmetric public key cryptography

Answer 19

Whitfield Diffie, Martin Hellman, Ralph Merkle

Question 20

Common name for public key asymmetric key implementation

Answer 20

Diffie-Hellman Key Exchange

Question 21

Private key

Answer 21

One of the two keys created in asymmetric encryption. Kept strictly secret; never revealed to anyone. Used only to decrypt data encrypted with the matching public key.

Question 22

Public key

Answer 22

One of the two keys created in asymmetric encryption. Can be freely shared with anyone. Used to encrypt data that can only be decrypted with the matching private key.

Question 23

Encryption at OSI Layer 1

Answer 23

None; no common encryption on the physical layer

Question 24

Encryption at OSI Layer 2

Answer 24

Lots of encryption at the Data Link layer using proprietary devices

Question 25

Encryption at OSI Layer 3

Answer 25

Only IPSec encryption occurs (currently) at the network layer

Question 26

Encryption at OSI Layer 4

Answer 26

None; no common encryption at the transport layer

Question 27

Encryption at OSI Layer 5

Answer 27

None; no common encryption at the session layer

Question 28

Encryption at OSI Layer 6

Answer 28

None; no common encryption at the presentation layer

Question 29

Encryption at OSI Layer 7

Answer 29

Common layer for encryption (e.g., SSL/TLS, etc.)

Question 30

Hash

Answer 30

A one-way mathematical function run on data (regardless of its content or length) that creates a fixed length result called a checksum or a digest

Question 31

Checksum

Answer 31

The output of a hash. Also called a digest.

Question 32

MD5

Answer 32

Message-digest algorithm version 5. Common hashing algorithm.

Question 33

SHA

Answer 33

Secure hash algorithm. Another common hashing algorithm. Two versions: SHA-1, SHA-2

Question 34

CRAM-MD5

Answer 34

Challenge-Response Authentication Mechanism MD5. Used as a special form of server authentication, especially for SMTP servers

Question 35

Digital signature

Answer 35

Created by the sender of data (typically email), usually by hashing the message with a private key. Allows the holder of the public key to verify the identity of its sender.

Question 36

Certificate

Answer 36

Standardized digital signature that allows proof of nonrepudiation of data (i.e., that the sender of the data is who they claim to be, and that the data is what it is supposed to be). Also used to verify the exchange of public keys.

Question 37

PKI

Answer 37

Public key infrastructure. The tree of root certificate authorities (VeriSign, DigiCert, etc.), intermediate authorities, etc.

Question 38

Self-signed certificate

Answer 38

An unsigned certificate issued by someone other than a root or intermediate certificate authority.

Question 39

PGP

Answer 39

Pretty good privacy. Web-of-trust peer group verification system for email.

Question 40

NAC

Answer 40

Network access control. Generic term for series of security applications. A common one prevents computers lacking anti-malware from accessing the network, create policies defining what systems can do on the network, etc.

Question 41

ACL

Answer 41

Access control list. A defined list of permissions that specify what an authenticated user can do on a shared resource or network

Question 42

MAC security access model

Answer 42

Mandatory access control. Every resource is assigned a label that defines its security level. If the user lacks that level he does not get access. Old model; no longer common

Question 43

DAC security access model

Answer 43

Discretionary access control. Every resource has an owner who has discretion to assign access to it. More flexible than MAC

Question 44

RBAC security access model

Answer 44

Role based access control. Defines access based on roles of each user. Often organized by group. Very common today.

Question 45

The three security access models for access control

Answer 45

MAC, DAC, and RBAC

Question 46

PPP

Answer 46

Authentication protocol. Stands for “Point-to-Point”. Enables two devices to connect and authenticate to each other. Old.

Question 47

Initiator

Answer 47

The device asking for the connection in a PPP connection

Question 48

Authenticator

Answer 48

The device containing the list of usernames and passwords (or hashes) in a PPP connection

Question 49

PAP

Answer 49

Password authentication protocol. Original method within PPP to authenticate usernames and passwords. Stored and sent in plaintext. Very insecure.

Question 50

CHAP

Answer 50

Challenge handshake authentication protocol. Replacement for PAP. More secure authentication. Relies on hashes based on a shared secret. Actual password never transmitted. Periodically repeats entire process.

Question 51

MS-CHAP

Answer 51

Version of CHAP released by Microsoft. MS-CHAPv2 still the most common authentication protocol for dialup PPP connections

Question 52

AAA

Answer 52

The philosophy that a proper authentication protocol should provide for authentication, authorization, and accounting.

Question 53

RADIUS

Answer 53

Remote Authentication Dial-In User Service. An AAA standard. Users are authenticated and authorized by a central server that tracks logins and attempts. Supports PAP, CHAP, and MS-CHAP.

Question 54

Three components of a RADIUS environment

Answer 54

The RADIUS server, the Network Access Servers that control the modems, and the hosts that connect to the modems

Question 55

NAS [in the context of RADIUS]

Answer 55

Network Access Server. Controls the modems in a RADIUS setting. [Don’t confuse with Network Attached Storage!]

Question 56

IAS

Answer 56

Internet Authentication Service, Microsoft’s implementation of a RADIUS server

Question 57

TACACS+

Answer 57

Terminal Access Controller Access Control System Plus. Cisco (proprietary), supports AAA in a network with lots of routers and switches. Similar to RADIUS, but uses TCP Port 49. Can use Kerberos for authentication as well as PAP, CHAP

Question 58

Kerberos

Answer 58

Authentication protocol for TCP/IP clients connected to a single authenticating server. Unconnected with PPP. Default protocol for Windows domains; also used in TACACS+

Question 59

KDC

Answer 59

Key distribution center. The centerpiece of the Kerberos system. Consists of the Authentication Server and the Ticket Granting Service.

Question 60

Kerberos AS

Answer 60

Authentication Server. Receives login request, compares the hash to its stores and, if they match, sends a time-stamped TGT (Ticket Granting Ticket) to the host, who then sends it to the TGS.

Question 61

Kerberos TGT

Answer 61

Ticket Granting Ticket. What the authentication server gives a host who has presented a valid hash. The host takes the TGT to the TGS for access to the network.

Question 62

Kerberos TGS

Answer 62

Ticket Granting Service. Receives a TGT from the host and (if valid) issues a timestamped service ticket (aka token, access token).

Question 63

Kerberos Service Ticket (aka token, access token)

Answer 63

Used by a host on a Kerberos system to access network resources. When a host tries to access a folder, printer, etc., it must present the token.

Question 64

SID

Answer 64

Security Identifier. The name for a Kerberos token in Windows.

Question 65

Duration of a Kerberos service ticket

Answer 65

8 hours.

Question 66

EAP

Answer 66

Extensible Authentication Protocol. Essentially a PPP wrapper that allows EAP-compliant applications to accept one of many types of authentication. Primarily used in wireless networks.

Question 67

EAP-PSK

Answer 67

EAP-Personal Shared Key. Shared secret key stored on a WAP and a wireless client, usually encrypted with AES.

Question 68

EAP-TLS

Answer 68

EAP-Transport Layer Security. Wireless authentication protocol that requires a RADIUS server, and that both the client and server have valid certificates. Very robust but difficult to set up.

Question 69

EAP-TTLS

Answer 69

EAP-Tunneled Transport Layer Security. Wireless authentication protocol that requires a RADIUS server, and that the server have a valid certificate. No client certificate needed.

Question 70

EAP-MS-CHAPv2

Answer 70

EAP with MS-CHAPv2 authentication through an encrypted TLS tunnel. Also called Protected Extensible Authentication Protocol.

Question 71

EAP-MD5

Answer 71

EAP that uses only an MD5 has for transferring login credentials. Very weak security, rarely used

Question 72

LEAP

Answer 72

Lightweight EAP. Cisco (proprietary) authentication protocol for wireless. A combination of MS-CHAP authentication and RADIUS server methods

Question 73

IEEE 802.1x

Answer 73

Formal protocol that combines RADIUS-style AAA with EAP versions to make a complete solution. Only really used in wireless.

Question 74

Encryption used by SSH

Answer 74

PKI, with public/private keys

Question 75

Tunnel

Answer 75

An encrypted link between to programs on two separate computers

Question 76

SSL/TLS

Answer 76

Secure Sockets Layer. Superseded by Transport Layer Security. Requires a server with a certificate. Current version of TLS is 1.2

Question 77

IPSec

Answer 77

Internet Protocol Security. Combined authentication and encryption that works at the network layer. Works in either transport or tunnel mode.

Question 78

Two modes of IPSec

Answer 78

Transport mode (headers sent in plaintext but data is encrypted); Tunnel mode (headers and data both encrypted). In IPv6, transport mode is enabled by default.

Question 79

IPSec authentication header (AH)

Answer 79

Used in IPSec for authentication

Question 80

IPSec encapsulating security payload (ESP)

Answer 80

Used in IPSec for implementing authentication and encryption

Question 81

IPSec ISAKMP

Answer 81

Internet security association and key management protocol. Used for establishing security associations, defining things like the protocol used for exchanging keys.

Question 82

IPSec Internet Key Exchange

Answer 82

key exchanging protocol

Question 83

IPSec KINK

Answer 83

Kerberized Internet Negotiatino of Keys. IPSec key exchanging protocols

Question 84

SCP

Answer 84

Secure copy protocol. Transfers data securely between two hosts. No ability to see files on the other computer. Predecessor to SFTP

Question 85

SFTP

Answer 85

Secure FTP. Also known as SSH FTP. A way to run FTP through an SSH tunnel.

Question 86

SNMP

Answer 86

Simple network management protocol. Queries the state of SNMP capable network devices, reporting things like CPU usage, network utilization, firewall hits, etc. Uses agents to collect data from a Management Information Base (MIB)

Question 87

SNMP Port

Answer 87

UDP Port 161

Question 88

LDAP

Answer 88

Lightweight directory access protocol. A tool used by programs to query and change information in network databases.

Question 89

LDAP Port

Answer 89

TCP port 389.

Question 90

NTP

Answer 90

Network time protocol. Gives the current time. Important for Kerberos.

Question 91

NTP port

Answer 91

UDP port 123.