Security Fundamentals Flashcards
What does AAA stand for?
Authentication, Authorization, Accounting
What does CIA stand for?
Confidentiality, Integrity, Availability
Explain Confidentiality
Information NOT available or disclosed to unauthorized parties
Explain integrity
Information NOT modified by unauthorized parties or in an unauthorized manner
Explain Availability
Information available when needed
Explain Authentication
Assurance of an identity claim.
Examples: login, digital certificates, location, token/phone, ID cards
Something you know, something you have, something you are, somewhere you are
Explain Authorization
Granting or denying access to operations on resources (once authenticated)
Explain Accounting
Keeping track of information, users or data. (Building & storing log data)
Important for auditing
Explain "Cryptography" and "Encryption"
Cryptography is the science of concealing messages with a secret code
Encryption (method) is the way to encrypt and decrypt data
Explain Symmetric encryption
Uses the same key for encryption and decryption
Number of keys formula (for n parties):
(n^2 - n)/2
Explain Asymmetric encryption
Uses a public key for encryption and a private key for decryption
Number of keys formula (for n parties):
2n
Explain Symmetric authenticated encryption
The same as symmetric encryption, but each party also has an extra private key to sign
Number of keys formula (for n parties):
(n^2-n)/2 + n
What are digital certificates?
A file or electronic password that proves the authenticity of a device, server or user through the use of cryptography and public key infrastructure
What does authenticated encryption provide?
Confidentiality & integrity
(and authentication, of course)
Types of digital certificates
Domain validation -> least secure
Organization validation
Extended validation -> most secure, most requirements
What is the problem with digital certificates?
Anyone can get a certificate, but people think it provides authentication. It only secures the connection; it does not act as authentication. People will think a sketchy site is a good site because of the lock icon.
Explain Pretty Good Privacy
When a user wants to send a message, PGP generates a random symmetric key, often referred to as a session key. This symmetric key is used to encrypt the actual message using a symmetric encryption algorithm. Next, PGP uses the recipient’s public key to encrypt the symmetric key. Both the encrypted message and the encrypted symmetric key are then sent to the recipient.
Upon receiving the message, the recipient uses their private key to decrypt the symmetric key. Once the symmetric key is decrypted, it is used to decrypt the actual message. This combination of symmetric and asymmetric encryption in PGP provides a secure and efficient way to transmit private messages.
Explain Authenticated symmetric encryption
Bob and Alice agree upon two shared keys. The first one is used to encrypt, and the second one is used to provide authentication (a keyed hash over the encrypted message).
When Bob receives the encrypted message and digest from Alice, he also uses the second key to hash the encrypted message and compares his digest with the digest received from Alice. If they match, Bob knows the message is from Alice.