Security Architecture Domain 3 Flashcards
Functions such as MD5, SHA-256, and the new SHA-3 are used for
integrity, to protect against unauthorised modification of data
The four fundamental goals of cryptography
Confidentiality
Integrity
Authentication
Non-repudiation
ISO/IEC 18033-2:2006 specifies
encryption systems
(ciphers) for the purpose of data confidentiality
ISO/IEC 11770-1:2010 defines
a general model of key management that is independent of the use of any particular cryptographic algorithm
ISO 11568 series specifies
the principles for the management of keys used in cryptosystems implemented within the retail-banking environment
ISO/IEC 13888 is applicable when
non-repudiation is required for key management
Messaging security standards include:
Secure Multi-Purpose Internet Mail Extensions (S/MIME)
Privacy-Enhanced Mail (PEM): PEM was never widely used for securing e-mail. Only PEM's definition of header field format (PEM format) has found use as a common means of representing digital certificates in ASCII form.
Pretty Good Privacy (PGP)
Secure Multi-Purpose Internet Mail Extensions (S/MIME):
This extension of the MIME standards that specify e-mail formatting and encapsulation adds encryption of message content. S/MIME also uses a hashing algorithm for message integrity, public key certificates for message authentication, and digital signatures to provide non-repudiation of origin.
PGP provides message authentication
by binding a public key to an e-mail address, where the public key is distributed to a community of users who trust each other, commonly known as a web of trust.
IPSec includes two protocols
Authentication Header (AH) and Encapsulating Security Payload (ESP).
AH: Authentication Header provides data origin authentication and data integrity but does not provide
confidentiality for the IP payload and header that it protects.
ESP: Encapsulating Security Payload provides data origin authentication and data integrity, and it also offers
confidentiality for the payload it protects
Secure TCP/IP communication is not limited to IPSec. What other cryptographic protocols provide communications security for TCP/IP?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL)
VPNs are implemented in the following architectures:
- Remote Access VPN
- Site-to-Site VPN:
- Extranet VPN: when one or more separate organizations are connecting to that organization over IP.
By default, PPP does not provide any security or rely on any cryptographic controls. However, PPP does include
an optional authentication phase and an optional encryption feature, PPP Encryption Control Protocol (ECP)
SSH operates at the _____ layer of the OSI model
application layer
The most commonly used family of standards for Wireless Local Area Networks (WLANs) is Institute of Electrical and Electronics Engineers (IEEE) 802.11. 802.11 originally relied on the ___________1________ security method to provide confidentiality and integrity. _____1_________ is
insecure due to the way it implements its ______2_________ algorithm
1 Wired Equivalent Privacy (WEP)
2 RC4 stream cipher
Prior to the introduction of 802.11i, the Wi-Fi Alliance, a global nonprofit industry association, created a protocol and certification program for wireless network components known as _____1________. WPA is based on ___________
Wi-Fi Protected Access (WPA)
a draft of IEEE 802.11i
The biggest difference between WPA and the 802.11i draft is that
WPA does not require support for the Advanced Encryption Standard (AES)
strong encryption algorithm. WPA allows the use of many existing IEEE 802.11 hardware components that cannot support the computationally intensive AES encryption.
WPA2 certification is based on
the mandatory elements of the IEEE 802.11i standard, but there are some differences. WPA2 extends its certification program to include interoperability with a set of common Extensible Authentication Protocol (EAP) methods.
Bluetooth optionally encrypts, but does not provide
integrity protection for the transmitted data.
True or false: it is easy to modify a transmitted Bluetooth packet without being detected
True, because only a simple CRC is added to each packet
In version 2.0 and earlier of the Bluetooth specification, pairing is performed over a non-encrypted channel, allowing
a passive eavesdropper to compute the link key used for encryption.
Version 2.1 of Bluetooth introduced the use of
Elliptic Curve Diffie-Hellman (ECDH) public key cryptography, which can be utilized by Bluetooth device developers for protection against a passive eavesdropping attack
The Bluetooth specification defines its own stream cipher called
E0
What is the problem with the E0 stream cipher
Several weaknesses have been identified in Bluetooth's E0 stream cipher, which is not a Federal Information Processing Standards (FIPS)-approved algorithm and can be considered nonstandard [SP800-121]
Version 3.0 + High Speed (HS) of the Bluetooth Core Specification was
adopted by the Bluetooth SIG on
21 April 2009.
Bluetooth high speed is based on
Wi-Fi
A service provider hosting multiple clients in a data center may use encryption for privacy of data within a SAN. This can be done using ___________, a security framework that includes protocols to
Fibre Channel Security Protocol (FC-SP)
An early use of cryptographic identification for distinguishing friendly aircraft was developed during WWII with the Identification, Friend or Foe (IFF) system, using coded radar signals to trigger a transponder on the aircraft. Modern military IFF transponders encrypt challenge and response messages
Similar to IFF, RFID relies on
use of a transponder, or an RFID tag
Special-purpose interfaces such as the NSA-developed Crypto Ignition Key (CIK) used in the STU-III family of secure telephones [CIK] are examples of
Hardware-token-based technologies, which also include smart cards and USB tokens
Authentication protocols used by Point-to-Point Protocol (PPP) include
Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol (CHAP).
Extensible Authentication Protocol (EAP)
Of the authentication protocols used by Point-to-Point Protocol (PPP), which is considered a weak authentication method, and why
PAP is a weak authentication method: it transmits a cleartext password and a static identifier, which does not protect against replay attacks.
Which is stronger out of PAP and CHAP, and why
CHAP is stronger because it transmits a hash computed from a random challenge value and a shared secret, providing replay protection and a stronger level of authentication.
Which of the authentication protocols developed for PPP is actually a framework that supports a number of protocols
EAP
How are different authentication mechanisms implemented in EAP
In a variety of ways, called EAP methods, e.g. EAP-MD5 and EAP-TLS
The approved standard IEEE P1619 addresses ______1___
and the approved standard IEEE P1619.1 is for ______2____
data storage and encryption on disk drives,
data encryption on tape drives
One specification for protecting decades-old EDI transmitted over the Internet is
Applicability Statement 2 (AS2)
NSA Suite B is a subset of cryptographic algorithms approved
by NIST including those for
Encryption, hashing, digital signatures, and key exchange.
What does Ek(M) = C represent
A simple way of representing the encryption function: message M encrypted under key k gives ciphertext C
Advanced Encryption Standard (AES)
Blowfish
Data Encryption Standard (DES)
IDEA
RC2, RC4, RC5, and RC6
Triple-DES (3DES)
Are examples of what
Symmetric algorithms
Symmetric algorithms fall into two categories:
block ciphers and stream ciphers.
In stream ciphers, how is plaintext encrypted
One bit, byte or word at a time, using a rotating stream of bits derived from the key
Symmetric key algorithms that operate as block ciphers are used in one or more
modes of operation. Each block cipher mode provides a different level of
security, efficiency, fault tolerance, or in some cases, provides a specific protection benefit such as confidentiality or authentication.
Name some common block cipher modes of operation
Electronic Code Book (ECB) Mode
Cipher Block Chaining (CBC) Mode
Counter (CTR) Mode
Which is the least complex of the common Block Cipher Modes of operation
Electronic Code Book Mode
Block ciphers typically include an __________________, a block of bits added to ensure that identical plaintext messages encrypt to different ciphertext messages.
Initialization vector
Block Cipher Modes Electronic Code Book (ECB) Mode
each block is operated on independently, and an IV is not used.
Because identical plaintext blocks result in identical ciphertext,
this mode is not useful for providing message confidentiality.
Block Cipher Modes Cipher Block Chaining (CBC) Mode
Adds an IV and uses a chaining method such that results of the encryption of previous blocks are fed back into the encryption of the current block. This makes CBC useful for message confidentiality.
Which of the block cipher modes are not useful for confidentiality?
Electronic Code Book (ECB) mode
Block Cipher Modes: Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) Mode
These modes are capable of producing unique ciphertext given identical plaintext blocks, and are useful for message confidentiality.
Because these modes employ a block cipher as a keystream generator, they can operate as a stream cipher:
Cipher Feedback (CFB),
Output Feedback (OFB) and
Counter (CTR) mode
When is the ability to operate as a stream cipher useful
In applications that require low latency between the arrival of plaintext and the output of the corresponding ciphertext
What do the following modes not offer
Electronic Code Book (ECB) Mode
Cipher Block Chaining (CBC) Mode
Cipher Feedback (CFB),
Output Feedback (OFB), and
Counter (CTR) Mode
Integrity protection
Name the block cipher modes that include additional security, e.g. authenticity and integrity
Cipher-Based Message Authentication Code (CMAC) Mode
Counter with Cipher Block Chaining-Message Authentication Code (CCM) Mode: This mode can provide assurance of both
Galois/Counter Mode (GCM)
Who invented the RC algorithms
Ron Rivest
RC2 was found vulnerable to a
related key attack
Invented by NSA, the now-declassified _________ algorithm uses a 64-bit block size with 80-bit key length. It was intended for implementation in tamperproof hardware using the Clipper chip, as part of a now-defunct key escrow program that would allow U.S. government agency decryption of telecommunications.
Skipjack
_______1________ was one of the finalists that were not selected for the AES standard. Cryptanalysis of _____1_____ continues to reveal that it is _______2_______
Twofish
secure
_____________ are generally less complex than block ciphers
stream ciphers
Examples of synchronous stream ciphers are
RC4 and HC-128
Stream ciphers may be viewed as approximating the function of a one-time pad or Vernam cipher, which uses a random keystream of the same length as the plaintext.
What makes a Vernam cipher cumbersome and impractical
The size of the keystream, which must be the same length as the plaintext
Asynchronous stream ciphers are less susceptible to attacks that
attempt to introduce predictable error.
Examples of asynchronous stream ciphers are
ciphertext autokey (CTAK)
and stream ciphers based on block ciphers in cipher feedback mode (CFB).
Asymmetric cryptosystems rely heavily on mathematical functions known as _______1_______
trapdoor functions
Why are trapdoor functions so called
They are easy to apply in one direction but extremely difficult to apply in the reverse.
The idea that separate keys for encryption and decryption could be used was presented in 1976 by
Whitfield Diffie and Martin Hellman [DH].
The Diffie-Hellman (DH) key agreement protocol, also called the ______1_______, which is a ______2_______
- exponential key agreement,
- a method of exchanging secret keys over a nonsecure medium without exposing the keys.
The DH protocol is based on the difficulty of calculating discrete logarithms in a finite field.
While DH provides confidentiality for key distribution, the protocol does not provide (1); this means that (2) is required
- authentication of the communicating parties.
- a means of authentication, such as digital signatures, must be used to protect against a man-in-the-middle attack.
The idea of a public-key cryptosystem and its use in digital signing was presented by
Ron Rivest, Adi Shamir, and Leonard Adleman in 1977 [RSA].
Recovering the plaintext from RSA encryption without the key would require
factoring the product of two large primes, forming the basis for the security
In RSA encryption, the keys must be generated in such a way that it is computationally infeasible to
factor them
Cryptosystems employ ________1______, which are the basic mathematical operations on which the encryption procedure is built.
cryptographic primitives
Primitives by themselves do not provide security. A particular security goal is achieved by employing the cryptographic primitives in what is known as
a cryptographic scheme.
Cryptosystems built using RSA schemes may be used for
confidentiality,
signing to provide authenticity, or
key exchange.
Another popular approach to public-key cryptography, which is more computationally efficient than either RSA or DH, is
elliptic curve cryptography (ECC).
The recommendation by the National Institute of Standards and Technology (NIST) for protecting AES 128-bit private keys is to use
RSA and DH key sizes of 3072 bits, or an elliptic curve key size of 256 bits
ECC schemes are based on the mathematical problem of
computing discrete logarithms of elliptic curves.
Because the algorithm is very efficient, ECC can be very useful in applications with limited processing power, such as small wireless devices and mobile phones.
Aside from RSA and ECC, other asymmetric cryptosystems include
El Gamal and Cramer-Shoup
Asymmetric cryptosystems that have been proved insecure and should not
be used are those based on the
knapsack algorithm.
Public key cryptosystems will continue to be necessary when secret key exchange is required. Common software protocols and applications where they are used include
IPSec, SSL/TLS, SSH, and PGP.
Hash functions are cryptographic algorithms that provide message integrity by producing a condensed representation of a message, called a
message digest.
At a minimum, the following properties are present in a hash function:
- Compression
- Ease of computation
- Preimage resistance
- Second preimage resistance
- Collision resistance
Explain the following minimum requirement of hash functions
* Compression
The hash function H transforms a variable-length input M to a fixed-length hash value h.
Explain the following minimum requirement of hash functions
* Ease of computation
Given a hash function H and an input M, the hash value h is easy to compute.
Explain the following minimum requirement of hash functions
* Preimage resistance
Given a hash value h, it is computationally infeasible to compute what the input M was. This is known as the "one-way" property of hash functions.
Explain the following minimum requirement of hash functions
* Second preimage resistance
For a given input M, it is computationally infeasible to find any second input which has the same hash value h.
Explain the following minimum requirement of hash functions
* Collision resistance
For a hash function H, it is computationally infeasible to find any two distinct inputs that produce the same hash value.
One-way functions are limited in their ability to provide collision resistance, however. A popular means of constructing the hash function and strengthening its collision resistance is
the Merkle-Damgård technique, which involves breaking the message input into a series of smaller blocks
_______________________________, designed by Ron Rivest in 1991, is one such hash function based on a one-way algorithm and utilizing the Merkle-Damgård construction.
MD5 (Message Digest algorithm 5)
While MD5 has been widely used, it has been found to be prone to
collision weakness and is thus insecure
A common replacement recommended for MD5, and which is also widely used, is _________________, designed by the United States National Security Agency (NSA).
SHA-1 (Secure Hash Algorithm)
Which of MD5 and SHA-1 uses a one-way function and the Merkle-Damgård technique to avoid collisions
They both do
What is an alternative to SHA-1 that also produces a 160-bit digest
RIPEMD-160, designed by Hans Dobbertin
Aside from a one-way function and the Merkle-Damgård technique to avoid collisions, what is another way of producing a hash
By using a block cipher algorithm
How can a block cipher work as a hash function
Block ciphers operate by encrypting plaintext using a private key to produce ciphertext.
The ciphertext cannot be used by itself to recreate the plaintext.
This resembles the one-way property of a hash function.
Why is a block cipher not a complete hash function
The block cipher's secret key and decryption algorithm would allow reconstruction of the plaintext.
Hashes need to be fixed length.
To make a block cipher into a secure cryptographic hash function,
some additional operations must be added to the block cipher
Examples of block cipher hash functions are
- MDC-2 (Modification Detection Code 2, sometimes called Meyer-Schilling), developed by IBM, which produces a 128-bit hash.
- Whirlpool, which produces a 512-bit hash
Which function was adopted by the International Organization for Standardization (ISO) in
the ISO/IEC 10118-3:2004
The Whirlpool hash
Another use of a block cipher is in a _____, which is a key-dependent hash
function.
MAC (Message Authentication Code)
A MAC adds to the input message the secret key used by the symmetric
block cipher, and the resulting output is a fixed-length string called the MAC.
Adding the secret key to the message produces
origin authentication
A MAC may also be derived using a hash function, where the hash function
is modified to incorporate use of a secret key to provide origin authentication
and integrity. This is known as
an MDx-MAC scheme,
What is an MDx-MAC scheme
where the hash function
is modified to incorporate use of a secret key to provide origin authentication
and integrity.
The most common form of MAC algorithm based on a block cipher employs cipher block chaining, and is known as
a CBC-MAC (Cipher Block Chaining MAC)
Give an example of a MAC derived from a hash function
A Hashed Message Authentication Code (HMAC) is another case of a MAC
derived using a hash function.
MACs can be derived using
Block Ciphers or Hash Functions
How does HMAC work
In an HMAC, the underlying hash function is not modified, but is treated as a "black box." HMAC uses any iterative hash function and adds a secret key to the input message in order to obtain origin authentication and integrity.
A digital signature may be thought of as a MAC that uses asymmetric cryptography, because a digital signature uses
a private signing key and a public verification key.
Why does a digital signature not provide confidentiality
Because it is the digest (the hash) that is signed, not the original record.
What can a digital signature provide
Origin authentication, non-repudiation and integrity
How does a digital signature provide non-repudiation
If the digest can be decrypted using the public key, then it was signed using the corresponding private key
A digital signature scheme contains the following elements
Cryptographic hash function
Key generation algorithm
Signing algorithm
Verification algorithm
When it comes to the design and implementation of cryptographic systems, the main school of thought is that if the system is going to be designed for commercial use, then it cannot be a
proprietary system, as the inability to test it and probe for weaknesses would be a problem.
What is crypto-tax?
The computational overhead on a system that uses cryptography
Why Was Kerberos v4 Deprecated?
Weaknesses in the Data Encryption Standard (DES)
Lack of forward secrecy
Vulnerability to replay attacks
What were the problems with DES that resulted in the deprecation of Kerberos 4?
- Kerberos v4 relied exclusively on DES (Data Encryption Standard) for encryption.
- NIST (National Institute of Standards and Technology) deprecated DES in 2005 due to its small 56-bit key size, which was easily brute-forced.
- Modern attacks (like rainbow tables and parallelized brute-force attacks) made DES insecure.
What did Kerberos v5 change?
- Removing DES (which NIST deprecated in 2005).
- Adding AES support for modern encryption.
- Improving security against replay attacks, ticket forgery, and session key compromise.
In the real world, what is the biggest problem in cryptography
Key management
One of the principles of modern cryptography requires that keys not appear in
cleartext outside the crypto module
One of the important characteristics of keys is the crypto period. It is defined [NISTSP800-57-1] as the time span during which
a specific key is authorized for use by legitimate entities
A successful brute force attack on a symmetric key algorithm, which in the case of perfect key entropy essentially consists of an exhaustive search of all the keys, would require
on average 2^N / 2 cycles, where N is the size of the key in bits
What are the phases of a key life-cycle that should be considered
Preoperational phase
Operational phase
Postoperational phase
Key destruction
In a key lifecycle, what happens in the pre-operational phase
The key is not generated yet, but preactivation processes are taking place. It may include
- registering a user's attributes with the key management system,
- installing the key policies,
- selecting algorithms and key parameters, and
- initial installation or update of the software or hardware cryptographic module with initial key material
A seed key, in its turn, is defined as
"a secret value used to initialize a cryptographic function or operation."
There are two basic classes of Random Number Generators in cryptography, namely
deterministic and non-deterministic
A deterministic RNG consists of
an algorithm that produces a sequence of bits from an initial value called a seed.
A nondeterministic RNG produces output that is dependent on
an unpredictable physical source that is outside human control.
In encryption and decryption applications, the RSA private key is used to _________ data and the RSA public key is used to ________ the data. As described in [FIPS
decrypt,
encrypt
For symmetric cryptography, the keys may be generated from
a random number generation method or
regenerated from the previous key during a key update procedure.
If symmetric cryptography is used for wrapping the keys, those key-wrapping keys should be distributed via
a separate channel of communication.
One of the main advantages of using public and private key cryptography is
the easier distribution of keys
Distributing static public keys does not require encrypted channels or split knowledge techniques, but it has its own specifics. A relying party, who obtains the keys either for verifying an owner's signature or for encrypting a message for the key owner, should have a high level of assurance that
- The key really belongs to the subject.
- The key is associated with certain attributes belonging to the subject.
- The key is valid.
- The key is allowed by its policy to be used for the intended purpose.
All of this is achieved through
PKI (Public Key Infrastructure)
What does PKI do for public keys
Issues X.509 certificates containing the subject's public key and attributes
The protection of keys in storage should provide
- Integrity
- Confidentiality
- Association with application and objects
- Assurance of domain parameters
- Availability
The protection of keys in storage should provide
association with application and objects: what does this mean
Making sure that the key belongs to a designated object; e.g., encapsulating public keys with the object DN in a signed certificate, or storing private signing keys in the object's protected key store.
The protection of keys in storage should provide
assurance of domain parameters: what does this mean
Making sure that the domain parameters used in the PKI key exchange are correct.
________________ is required when an attempt is made to access the maintenance interface or tamper with a device meeting FIPS 140-2 level 3 requirements [FIPS 140-2].
Automatic zeroization
If it is believed that an encryption key of data at rest was compromised, ________________________________. This whole process is called ________________
this data should be reencrypted with a new key
key rotation
What is a way of changing keys without requiring new key distribution or exchange between parties
Applying a non-reversible function to an existing key
Generally, escrow is defined as
something delivered to a third person (usually called an "escrow agent") to keep, and to be returned to the delivering entity
How does an escrow system operate in cryptography applications
In cryptography applications, a key escrow system operates with two components of one key, and these two components are entrusted to two independent escrow agents.
In order to support escrow capabilities in telecommunication, the U.S. government adopted the symmetric encryption algorithm _____________ and a _________________________ method, which presents one part of a key escrow system enabling decryption of encrypted telecommunications.
SKIPJACK
Law Enforcement Access Field (LEAF)
Decryption of lawfully intercepted telecommunications may be achieved through the acquisition and use of
the LEAF, the decryption algorithm, and the two escrowed key components.
Key backup and recovery is part of the
KMS contingency plan
When should key backup be considered?
Only if there are no other ways (such as rekeying or key derivation) to provide continuity
A full-fledged PKI deployment often involves two distinct key pairs
- Signing Key Pair
  - Private Key (Signing Key): Stored securely on a server or HSM. Used for signing certificates, documents, or authentication challenges.
  - Public Key (Verification Key): Sent to the Certificate Authority (CA) and embedded in an X.509 certificate.
- Encryption Key Pair (optional but common in PKI deployments)
  - Private Key (Decryption Key): Used to decrypt messages encrypted for the entity.
  - Public Key (Encryption Key): Distributed in a certificate to allow others to encrypt messages for the subscriber.
What is an EE in PKI
End Entity
In PKI what is a CP
Certificate policy
What is the purpose of a CP
- Specifies who can request, issue, and use a certificate.
- Defines trust levels and security controls applied to the certificates.
- Ensures compliance with industry standards (e.g., NIST, WebTrust, ETSI).
- Helps relying parties (e.g., browsers, applications) understand the trustworthiness of a certificate.
What is a CPS
A Certificate Practice Statement
If a CP defines what policies apply to certificates, what does the CPS do?
Defines how the CA enforces those policies
What is the difference in scope between the CP and the CPS
CP - High level policy framework
CPS - Operational details
What is the difference in content between the CP and the CPS
CP - Trust levels, authentication requirements, intended use
CPS - Key management procedures, certificate issuance process
When talking about PKI certificates and keys, we should always remember the guidance provided in
CP and CPS documents
There are many steps between the moment when a subscriber applies for a PKI certificate and the final state, when keys have been generated and certificates have been signed and placed in the appropriate locations in the system. These steps are described either explicitly or implicitly in the
PKI CPS.
In PKI what is a CPF
Certificate Policy Framework, the rules governing CPs in an organisation
The most reliable, but most expensive method to authenticate an EE for PKI registration is
face-to-face authentication.
Technically, the sanctioned and expected usage of the certificate is represented in the X.509 certificate ___________ attribute.
"Key usage"
Name three models that provide chains of trust for PKI applications supporting multiple communities
- Subordinate hierarchy (two or more CAs in a hierarchical trust relationship)
- Cross-certified mesh (CAs cross-certify each other)
- Certificate chains (the validity of an issuing CA's certificate depends on the validity and life span of the whole certificate chain)
Which PKI trust model is good for internal enterprise applications but may be hard to implement between enterprises
The subordinate hierarchy
The _______________________ is probably the most general model of trust between CAs and participating PKIs.
Cross-certified mesh
When a cross-certified mesh is too dynamic and grows too fast to include n CAs, it may not scale well, because it is supposed to include and support n(n - 1) cross-certifications and because of potentially ambiguous verification paths.
What model may be helpful in this case?
Bridge CA
How does the bridge CA model allow participating parties to mutually validate each other's certificate paths?
By creating a mesh of participating root CAs
The most well-known example of a Trusted List model is
a set of publicly trusted root certificates embedded in the Internet browsers.
What is a CRL
Certificate Revocation List
What is the traditional CRL Model
A relying party checks a certificate against the latest published CRL. If the certificate is not in the CRL, it is assumed valid.
Why is the response time variable in the traditional CRL model
The relying party may or may not have the current CRL in cache.
What is the problem with the traditional CRL model
In applications with a large number of subscribers and relying parties and with a high revocation rate, the CRL request rate can be very high, and CRLs themselves can be very long. This may introduce network and CRL-repository performance problems.
When would cached CRL requests peak, and how could this be mitigated?
Requests peak when parties request the CRL for the first time, and when cached CRLs expire.
Mitigation: set different expirations for over-issued CRLs
How does a segmented CRL help with peak times?
By reducing the size of the CRL, or the portion of the CRL that the party needs to download
What are some ways of mitigating peaks in CRL traffic
Expiring CRLs at different rates
Segmenting CRLs for smaller downloads
Delta CRLs
What is an alternative to the CRL model
Online Certificate Status Protocol (OCSP)
What is a limitation of OCSP
It cannot be used offline
______________ is a way of establishing trust between entities that are subscribers to different PKI certificate services and which have been issued certificates by different, unrelated CAs.
Cross-certification
In cross-certification, a complete understanding of the Certificate Policy and Practice of each CA is required, because each party needs to know how much it can trust the certificates issued by the other CA, and what the enrolment, issuing and revocation procedures of the other are
Does cross-certification need to be mutual?
No
In cross-certification, what is issued by company A after going through the process of trusting company B
A cross-certificate, or cross-signed certificate
What is inside a cross-certificate?
Issuer: Company A
Subject: Company B
Public Key: public key of Company B's root CA
Signature: Company A
Validity period: how long the certification is valid for
Attack models - What is required for a ciphertext-only attack
A large volume of ciphertext encrypted with the same algorithm
Attack models - What is required for a known-plaintext attack
Some plaintext and the corresponding ciphertext
Attack models - Chosen-plaintext
Choosing the plaintext with the corresponding ciphertext
Attack models - Chosen-ciphertext
Chosen-ciphertext attack: This attack involves choosing the ciphertext to be decrypted and gaining access to the resulting plaintext.
Variations on the attack models can be used in a controlled environment to reveal weaknesses in a cryptosystem and analyze an algorithm’s strength. Two common attacks applied to the testing of symmetric ciphers are the techniques of
differential cryptanalysis and linear cryptanalysis
AES in ECB mode (Electronic Codebook) is vulnerable to Chosen Plaintext Attack because
it encrypts identical plaintext blocks into identical ciphertext blocks.
What is the mitigation for the weaknesses of AES in ECB mode
Use a stronger encryption mode like AES-CBC or AES-GCM, which add randomness (IV or nonce) to prevent patterns.
What is the differential cryptanalysis method?
It is a chosen-plaintext attack where an attacker encrypts pairs of plaintexts with a known difference (ΔP) and observes how this difference propagates through the encryption process.
______ was successfully broken using differential cryptanalysis, but ______ remains secure because the number of required plaintext pairs is beyond practical limits.
DES
AES
Linear cryptanalysis
Attackers try to find patterns between the plaintext, ciphertext, and secret key. If an attacker can find even a slight pattern, they can use a large amount of data to gradually figure out the secret key.
What type of attack is a birthday attack?
Hash function attack
What is the goal of a hash function attack?
Why is this bad?
Find two different inputs (M1 and M2) that produce the same hash (H).
If two different documents or files have the same hash, an attacker can swap one for another without detection.
What is a network-based cryptanalytic attack?
Attacks that target more than just the cryptographic algorithm by exploiting weaknesses in areas such as communication protocols or transmission methods
Name three network-based cryptanalytic attacks
- Man in the middle attack
- Replay attack
- Traffic analysis attack
How is SSH operating in interactive mode vulnerable to a Traffic Analysis Attack?
Every keystroke is transmitted as a separate packet, so traffic analysis can reveal the password length by counting the packets
Two general countermeasures to protect against traffic analysis
- traffic padding
- anonymising message senders using proxy servers (making the source and destination of communicating parties more difficult to determine)
In a cryptographic system where multiple secret keys are necessary, for example, with a tape encryption appliance device, it is common to encrypt individual working keys with a top-level master key. The storage of the top-level secret key used in such a cryptosystem can be done using key shares, a technique also known as ___________
This involves
split-knowledge.
splitting the key into multiple pieces and granting access to each share to separate individuals.
The following attacks against keys are variations on the cryptanalytic attack models and are also important in validating cryptosystems:
Meet in the middle attacks
Related key attacks
How does the “Meet in the middle” attack against keys work?
It reduces the time needed to break double encryption schemes (e.g., Double DES) by exploiting the independent encryption and decryption steps.
Instead of brute-forcing the full key space, Meet-in-the-Middle splits the attack into two halves
Related key attacks
The attacker exploits predictable relationships between multiple encryption keys to break a cipher more efficiently than brute force.
These attacks mainly deal with obtaining and analyzing information that originates from the cryptosystem hardware rather than weaknesses in the cryptographic algorithm.
Side-channel attacks
Three types of side channel attack
- Timing attack - how long does the cryptographic operation take to execute
- Differential Fault Analysis
- Differential power analysis
Explain the timing attack
A side-channel attack. Cryptographic operations (e.g., RSA, Diffie-Hellman) take slightly different amounts of time depending on key bits and input values; by analyzing these small variations in execution time, the attacker can extract information about the secret key used in the encryption process.
Explain differential fault analysis
A side-channel attack where an attacker injects small faults (errors) into a cryptographic computation and observes how the faulty outputs differ from correct outputs. By analyzing these differences, the attacker can recover secret keys faster than brute force.
Explain differential power analysis
In this method, power consumption measurements in a hardware device such as a smart card are made during encryption operations while ciphertext is recorded.
A digital signature scheme must employ an acceptable cryptographic hashing function, such as those specified in
NIST FIPS 180-4, the Secure Hash Standard
Determining if cryptographic controls meet governmental or corporate standards is a function of
compliance monitoring.
In the PCI standard the essential requirement in protecting card holder data is
not to store it at all if possible
- What cryptographic hash function would be the acceptable replacement for MD4?
A. MD5
B. RIPEMD
C. RIPEMD-160
D. SHA-1
The correct option is C
This strengthened version of RIPEMD was successfully developed as a collision-resistant replacement for other hash functions including MD4, MD5 (Option a), and RIPEMD (Option b) [Collisions]. Because collisions were also announced in SHA-1 (Option d) [SHA-1 Collisions], RIPEMD-160 would be the acceptable replacement [RIPEMD-160].
- An IPSec Security Association (SA) is a relationship between two or more entities that describes how they will use security services to communicate. Which values can be used in an SA to provide greater security through confidentiality protection of the data payload?
A. Use of AES within AH
B. SHA-1 combined with HMAC
C. Using ESP
D. AH and ESP together
The correct option is C
Encapsulating Security Protocol (ESP) also provides data origin authentication and data integrity, and also offers confidentiality for the IP payload it protects.
- Suppose a secure extranet connection is required to allow an application in an external trusted entity’s network to securely access server resources in a corporate DMZ. Assuming IPSec is being configured to use ESP in tunnel mode, which of the following is the most accurate?
A. Encryption of data packets and data origin authentication for the packets sent over the tunnel can both be provided.
B. ESP must be used in transport mode in order to encrypt both the packets sent as well as encrypt source and destination IP addresses of the external entity’s network and of the corporate DMZ network.
C. Use of AH is necessary in order to provide data origin authentication for the packets sent over the tunnel.
D. Source and destination IP addresses of the external entity’s network and of the corporate DMZ network are not encrypted.
The correct option is A
ESP optionally provides a means of data origin authentication, and while it can be nested within AH, ESP does not require AH for this (Option c) [RFC 2406].
With ESP operating in transport mode (Option b), the original IP headers are not encapsulated within the ESP header, and the original IP addresses (source and destination IP addresses of the external entity’s network and of the corporate DMZ network) are in fact not encrypted. With ESP operating in tunnel mode, the original IP addresses are actually encrypted (Option d).
Is it possible to provide both encryption of data packets and data origin authentication for the packets in ESP tunnel mode?
Yes, ESP optionally provides a means of data origin authentication, and while it can be nested within AH, ESP does not require AH for this
In ESP, when are the original IP addresses (source and destination IP addresses of the external entity’s network and of the corporate DMZ network) not encrypted?
In Transport mode
- What is the BEST reason a network device manufacturer might include the RC4 encryption algorithm within an IEEE 802.11 wireless component?
A. They would like to use AES, but they require compatibility with IEEE 802.11i.
B. Their product must support the encryption algorithm WPA2 uses.
C. RC4 is a stream cipher with an improved key-scheduling algorithm that provides stronger protection than other ciphers.
D. Their release strategy planning includes maintaining some degree of backward compatibility with earlier protocols.
The correct option is D
RC4 is widely used, and the manufacturer wants to make its product compatible with WPA or even WEP, which use RC4. This does not mean they do not include AES; in fact, they would likely do so in the case of a new product, because IEEE 802.11i does in fact use AES for encryption (Option a). Option b is incorrect because WPA2, which is based on IEEE 802.11i, uses AES. Option c is incorrect because while RC4 is a stream cipher, it has a weak key-scheduling algorithm and offers less protection than other ciphers such as AES [WPA].
True or false: RC4 is a stream cipher with an improved key-scheduling algorithm that provides stronger protection than other ciphers.
False. It is a stream cipher, but it has a weak key-scheduling algorithm
- What is true about the Diffie-Hellman (DH) key agreement protocol?
A. The protocol requires initial exchange of a shared secret.
B. The protocol depends on a secure communication channel for key exchange.
C. The protocol needs other mechanisms such as digital signatures to provide authentication of the communicating parties.
D. The protocol is based on a symmetric cryptosystem.
The correct option is C
It is true that the original Diffie-Hellman key exchange protocol does not provide authentication of the sender and receiver. Other protocols such as digital signatures or HMAC must be used for this [RFC4650]. The Diffie-Hellman (DH) protocol involves computing a shared secret based on exchange of a public key (Option a), and is intended to be performed over insecure channels (Option b). DH is based on public-key cryptography because it involves deriving a shared secret based on the sender and receiver each having private keys and sharing public keys, and the property of the discrete logarithm problem, which makes it computationally infeasible to derive the private key from the public key [SCHNEIER].
True or false: The Diffie-Hellman protocol depends on a secure communication channel for key exchange.
False, it is performed over insecure channels to set up the secure channel
- What is the main security service a cryptographic hash function provides, and what is the main security property a cryptographic hash function must exhibit?
Integrity and collision resistance
Message authentication codes and digital signatures provide
message authenticity
- What is necessary on the receiving side in order to verify a digital signature?
A. The message, message digest, and the sender’s private key
B. The message, message digest, and the sender’s public key
C. The message, the MAC, and the sender’s public key
D. The message, the MAC, and the sender’s private key
The correct option is B
Verifying a digital signature is performed by decrypting the message digest using the sender’s public key. Exposing the private key would mean that anyone with the private key could now forge the signature (Option a). Message authentication codes (MACs) do not use public key encryption, but produce a hash of the combined message input and a secret key (Options c and d).
- What is a known plaintext attack used against DES to show that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single DES key?
A. Meet-in-the-middle attack
B. Man-in-the-middle attack
C. Replay attack
D. Related-key attack
The correct option is A
This attack applies to double encryption schemes such as 2DES by encrypting known plaintext using each possible key and comparing results obtained “in the middle” from decrypting the corresponding ciphertext using each possible key. Option b is a network-based cryptanalytic attack involving intercepting and forwarding a modified version of a transmission between two parties. Option c is also a network-based attack involving capturing and retransmitting
- What is among the most important factors in validating the cryptographic key design in a public key cryptosystem?
A. Ability of a random number generator to introduce entropy during key generation
B. Preimage resistance
C. Confidentiality of key exchange protocol
D. Crypto period
The correct option is A
The purpose of randomness in the key or keystream is to make it less likely that cryptanalysts will be able to guess or deduce the key. A random number generator that does not exhibit the property of randomness or entropy in its output will produce weak keys. Option b applies to cryptographic hash functions and is known as the “one-way” property of hash functions. Because the question asks about public-key cryptosystems, Option c is less valid because public keys can be exchanged without loss of the private key. Option d applies more to the operation and management of keys, because the crypto period is the time span during which an actual key can remain valid for use.
A random number generator that does not exhibit the property of randomness or entropy in its output will produce
weak keys
- What factor would be most important in the design of a solution that is required to provide at-rest encryption in order to protect financial data in a restricted-access file sharing server?
A. Encryption algorithm used
B. Cryptographic key length
C. Ability to encrypt the entire storage array or file system versus ability to encrypt individual files
D. Individual user access and file-level authorization controls
The correct option is D
The encryption algorithm, key length, and scope of encryption are all chosen in order to ensure confidentiality, and confidentiality is tied to an access control mechanism because those individuals or entities who must be able to decrypt the data will need authorised access to do so.
- A large bank with a more than one million customer base implements PKI to support authentication and encryption for online Internet transactions.
What is the best method to validate certificates in a timely manner?
A. CRL over LDAP
B. CRLDP over LDAP
C. OCSP over HTTP
D. CRLDP over ODBC
The correct option is C
Options a, b, and d are CRL-based methods that require significant network traffic between the verifying party and the LDAP or DB server where the CRL is published. It is most significant with a large base of subscribers whose certificates may point to different CRLDP and require pulling many different CRL fragments from the points of publication.
- A car rental company is planning to implement wireless communication between the cars and rental support centers. Customers will be able to use these centers as concierge services, and rental centers will be able to check the car’s status if necessary. PKI certificates will be used to support authentication, non-repudiation, and confidentiality of transactions. Which asymmetric cryptography is a better fit?
A. RSA 1024
B. AES 256
C. RSA 4096
D. ECC 160
The correct option is D
Option b refers to a symmetric algorithm that does not support non-repudiation. The algorithms in Options a and c have significantly longer keys than the algorithm in Option d, which has equivalent strength. For wireless communication, a smaller key length is an important factor.
When would one choose ECC over RSA 1024 or RSA 4096?
When key length is a factor, such as with wireless communication
Should one back up signing keys?
No
- A key management system of a government agency’s PKI includes a backup and recovery (BR) module. PKI issues and manages separate certificates for encryption and verification. What is the right BR strategy?
A. Back up all certificates and private keys
B. Back up all private keys and verification certificates
C. Back up decryption keys and all certificates
D. Back up signing keys and all certificates
The correct option is C
Options a and b assume backing up signing keys, which is wrong. Option d assumes signing keys, which is wrong, and does not include decryption keys, which is wrong, too.
- A company needs to comply with FIPS 140-2 level 3, and decided to use split knowledge for managing storage encryption keys. What is the right method for storing and using the key?
A. Store the key components on the encrypted media.
B. Create a master key and store it on external media owned by the first security officer.
C. Store key components on separate external media owned by a different security officer.
D. Publish key components on an LDAP server and protect them by officers’ asymmetric keys encryption.
The correct option is C
Storing key components on the same media (Option a) will expose them to one administrator or officer. One officer is in possession of all components (Option b) and can recreate the whole key. Storing secret keys on intermediate storage (Option d) is not acceptable.
- An agency is using symmetric AES 128 cryptography for distributing confidential data. Because of its growth and key distribution problems, the agency decided to move to asymmetric cryptography and X.509 certificates. Which of the following is the BEST strength asymmetric cryptography to match the strength of the current symmetric cryptography?
A. RSA 2048
B. ECC 160
C. ECC 256
D. RSA 7680
The correct option is C
According to NIST SP 800-57, ECC 256 cryptographic strength is equivalent to AES 128. Options a and b are wrong because they are weaker than AES 128; Option d is stronger than required and comes with impractically long keys.
- One very large company created a business partnership with another, much smaller company. Both companies have their own PKI in-house. Employees need to use secure messaging and secure file transfer for their business transactions. What is the BEST strategy to implement this?
A. The larger company creates a PKI hierarchical branch for the smaller company, so all parties have a common root of trust.
B. The larger company enrolls all employees of the smaller company and issues their certificates, so all parties have a common root of trust.
C. Companies should review each other’s CP and CPS, cross-certify each other, and let each other access each other’s search database.
D. Employ an external third-party CA and have both company’s employees register and use their new certificates for secure transactions.
The correct option is C
Options a, b, and d either partially or completely disregard existing PKI infrastructure and require significant expenses for restructuring PKI or hiring an outside service.
Is the asymmetric cryptography of ECC 256 stronger or weaker than the symmetric cryptography of AES 128?
They are considered equivalent
- When applications of cross-certified PKI subscribers validate each other’s digitally signed messages, they have to perform the following steps:
A. The signature is cryptographically correct, and sender’s validation certificate and sender’s CA cross-certificate are valid.
B. Validate CRL and ARL.
C. Validate sender’s encryption certificate, ARL, and CRL.
D. The signature is cryptographically correct, and sender’s CA certificate is valid
The correct option is A
Option b is incorrect because CRL and ARL just verify revocation status without crypto and validity period validation; Option c is incorrect because signature verification requires verification certificate validation rather than encryption; Option d is incorrect because verification of signature verification certificate is missing.
Why might RSA 7680 be a bad choice for asymmetric cryptography?
The key size is huge; ECC may be better
- A company implements three-tier PKI, which will include a root CA, several sub-CAs, and a number of regional issuing CAs under each sub-CA. How should the life span of the CA’s certificates be related?
A. Root CA = 10 years; sub-CA = 5 years; issuing CA = 1 year
B. Root CA = sub-CA = issuing CAs = 5 years
C. Root CA = 1 year; sub-CA = 5 years; issuing CA = 10 years
D. Root CA = 5 years; sub-CA = 10 years; issuing CA = 1 year
The correct option is A
In a hierarchical PKI, the upper CA should issue certificates to the subordinate CAs with a longer life span than those subordinates issue certificates to their subordinates. Otherwise, the chain will be expiring before the intermediate CA and entity certificates expire.
- Management and storage of symmetric data encryption keys most importantly must provide
A. Integrity, confidentiality, and archiving for the time period from key generation through the life span of the data they protect or the duration of the crypto period, whichever is longer.
B. Confidentiality for the time period from key generation through the life span of the data they protect or duration of crypto period, whichever is longer.
C. Integrity, confidentiality, and archiving for the duration of the key’s crypto period.
D. Integrity, confidentiality, non-repudiation and archiving for the time period from key generation through the life span of the data they protect or duration of crypto period, whichever is longer.
The correct option is A
Option b is incorrect because without an integrity requirement a key may be tampered with. Option c is incorrect because if an encryption key crypto period expires before the encrypted data life span, the key destruction may leave data that is never possible to decrypt. Option d is incorrect because non-repudiation is not relevant to symmetric cryptography.
- Management and storage of public signature verification keys most importantly must provide
A. Integrity, confidentiality, and archiving for the time period from key generation until no protected data needs to be verified.
B. Integrity and archiving for the time period from key generation until no protected data needs to be verified.
C. Integrity, confidentiality and archiving for the time period from key generation through the life span of the data they protect or the duration of crypto period, whichever is longer.
D. Integrity and confidentiality for the time period from key generation until no protected data needs to be verified.
The correct option is B
Options a, c, and d are incorrect because confidentiality is not required for public keys.