Summarize the basics of cryptographic concepts Flashcards
Digital signatures
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. … Digital signatures can provide evidence of origin, identity and status of electronic documents, transactions or digital messages.
Key length
In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
Key stretching
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks.
Salting
A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (“salting”) each plaintext input.
Hashing
A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
Key exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Elliptic-curve cryptography
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
Perfect forward secrecy
A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.
Quantum
Communications
Computing
Quantum refers to computers that use properties of quantum mechanics to significantly outperform classical computers at certain tasks.
Communications
While quantum computing could put the strength of current cryptographic ciphers at risk, it also has the promise of underpinning more secure cryptosystems. The properties of entanglement, superposition, and collapse suit the design of a tamper-evident communication system that would allow secure key agreement.
Computing
A quantum computer performs processing on units called qubits (quantum bits). A qubit can be set to 0 or 1 or an indeterminate state called a superposition, where there is a probability of it being either 1 or 0. The likelihood can be balanced 50/50 or can be weighted either way. The power of quantum computing comes from the fact that qubits can be entangled. When the value of a qubit is read, it collapses to either 1 or 0, and all other entangled qubits collapse at the same time. The strength of this architecture is that a single operation can utilize huge numbers of state variables represented as qubits, while a classical computer’s CPU must go through a read, execute, write cycle for each bit of memory. This makes quantum very well-suited to solving certain tasks, two of which are the factoring problem that underpins RSA encryption and the discrete logarithm problem that underpins ECC.
Post-quantum
Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.
Ephemeral
In cryptography, a key that is used within the context of a single session only.
Modes of operation
Authenticated
Unauthenticated
Counter
Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.
Authenticated
A message authentication code (MAC) provides an authentication and integrity mechanism by hashing a combination of the message output and a shared secret key. The recipient can perform the same process using his or her copy of the secret key to verify the data. This type of authenticated encryption scheme is specified in a cipher suite as separate functions, such as “AES CBC with HMAC-SHA.” Unfortunately, the implementation of this type of authenticated mode in AES CBC is vulnerable to a type of cryptographic attack called a padding oracle attack (docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode).
Unauthenticated
Symmetric algorithms do not provide message integrity or authentication. The basic CBC and counter modes of operation are unauthenticated. While a man-in-the-middle cannot decrypt them directly without the secret key, the ciphertexts are vulnerable to arbitrary data being inserted or modified to break the encryption scheme, referred to as a chosen ciphertext attack.
Counter
An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM (counter mode) and CM (counter mode).
Blockchain
Public ledgers
Blockchain is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. An asset can be tangible (a house, car, cash, land) or intangible (intellectual property, patents, copyrights, branding).
Public ledgers
The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally. Likewise, another defining quality of a blockchain is its openness—everyone has the same ability to view every transaction on a blockchain.
Cipher suites
Stream
Block
A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS)
Stream
A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.
Block
A type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.
Symmetric vs. asymmetric
A symmetric cipher is one in which encryption and decryption are both performed by the same secret key.
With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair.
Lightweight cryptography
Another problem affecting current cryptographic ciphers is use on low-power devices. NIST is hoping that a compact cipher suite will be developed that is both quantum resistant and that can run on battery-powered devices with minimal CPU and memory resources.
Steganography
Audio
Video
Image
Steganography is the practice of hiding a secret message in something that is not secret.
Audio Steganography
Video Steganography
Image Steganography
Homomorphic encryption
Method that allows computation of certain fields in a dataset without decrypting it.
Is principally used to share privacy-sensitive data sets. When a company collects private data, it is responsible for keeping the data secure and respecting the privacy rights of individual data subjects. Companies often want to use third parties to perform analysis, however. Sharing unencrypted data in this scenario is a significant risk.
Common use cases
Low power devices; Low latency; High resiliency; Supporting confidentiality; Supporting integrity; Supporting obfuscation; Supporting authentication; Supporting non-repudiation
Low power devices
Low power devices—some technologies or ciphers configured with longer keys require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which affects the maximum key size supported.
Low latency
Low latency uses—this can impact protocol handshake setup times. A longer handshake will manifest as delay for the user, and could cause timeout issues with some applications. Also, if cryptography is deployed with a real time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal.
High resiliency
As well as providing integrity at the level of individual messages, cryptography can be used to design highly resilient control systems. A control system is one with multiple parts, such as sensors, workstations, and servers, and complex operating logic. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.
Supporting confidentiality
Supporting integrity
Supporting obfuscation
Integrity and resiliency are also an issue for computer code. If a threat actor has administrator privileges, they can change the operation of legitimate code to make it work as malware. A developer can make tampering more difficult using obfuscation. Obfuscation is the art of making a message difficult to understand. Obfuscated source code is rewritten in a way that does not affect the way the computer compiles or executes the code, but makes it difficult for a person reading the code to understand how it works.
Supporting authentication
Supporting non-repudiation
Non-repudiation is linked to identification and authentication. It is the concept that the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, it follows that the sender must have composed it.
Limitations
Speed; Size; Weak keys; Time; Longevity; Predictability; Reuse; Entropy; Computational overheads; Resource vs. security constraints
Speed
Speed—for symmetric ciphers and hash functions, speed is the amount of data per second that can be processed. Asymmetric ciphers are measured by operations per second. Speed has the most impact when large amounts of data are processed.
Size
Size—the security of a cipher is strongly related to the size of the key, with longer keys providing better security. Note that the key size cannot be used to make comparisons between algorithms. For example, a 256-bit ECC key is stronger than a 2048-bit RSA key. Larger keys will increase the computational overhead for each operation, reducing speed and increasing latency.
Weak keys
A weak key is one that produces ciphertext that is lower entropy than it should be. If a key space contains weak keys, the technology using the cipher should prevent use of these keys.
Time
Time/latency—for some use cases, the time required to obtain a result is more important than a data rate. For example, when a secure protocol depends on ciphers in the handshake phase, no data transport can take place until the handshake is complete. This latency, measured in milliseconds, can be critical to performance.
Longevity
Longevity is the consideration of how long data must be kept secure. If you assume that a ciphertext will be exposed at some point, how long must that ciphertext resist cryptanalysis?
Predictability
Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext lower entropy and vulnerable to cryptanalysis.
Reuse
Entropy
A measure of disorder. Cryptographic systems should exhibit high entropy to better resist brute force attacks.
Computational overheads
Computational overheads—in addition to key size selection, different ciphers have unique performance characteristics. Some ciphers require more CPU and memory resources than others, and are less suited to use in a resource-constrained environment.
Resource vs. security constraints
Resource constraints may require you to make a tradeoff between security and performance, but you cannot trade too far.