U17 Security Flashcards
encryption
- alters data into a form that is unreadable by anybody that is not the intended recipient
- process of turning plain text into cipher text
plain-text
the original data
cipher text
the encrypted data
public key
widely available key that can be used to encrypt messages that only the owner of the private key can decrypt
private key
key needed to decrypt data that has been encrypted by a public key and is used in asymmetric encryption which is not shared
similarities between priv and pub key
- both used in asymmetric encryption
- a pair of keys is required
- one is used to encrypt data and the other is used to decrypt data
- both are hashing algorithms
differences between priv and pub key
- private key is only known to the owner of the key pair, public key can be distributed to anyone
- when messages are sent to the owner of the public key they are encrypted with the owner’s public key so they can only be decrypted by the owner’s private key
symmetric key encryption
when only one key is used to encrypt and decrypt (sender and receiver share the secret key)
asymmetric encryption
when two different keys are used (one for encryption and one for decryption)
how does asymmetric encryption ensure that the message remains private
- sender will encrypt the message with the receiver’s public key
- receiver will decrypt the message with their private key
secure socket layer protocol (SSL)
when a user logs onto a website, SSL encrypts the data and only the client’s computer and the webserver are able to make sense of what is being transmitted
process of setting up secure connection using SSL
- browser requests that the server identifies itself
- server sends a copy of its SSL certificate and its public key
- browser checks the certificate against a list of trusted certificate authorities
- if browser trusts certificate, it creates and sends the server a symmetric session key using the server’s public key
- server decrypts the symmetric session key using its private key
- server sends browser an acknowledgement encrypted with session key
symmetric session key
- when the client gains trust of the server after confirming the SSL certificate of it from a CA (certificate authority), the client creates a symmetric session key by using the public key of the server for that particular session
- after this all messages are encrypted by that session key which is only known to the client and server
transport layer security protocol (TLS)
- recent security protocol
- more secure than SSL
- only some browsers have the capability to support TLS so SSL is widely used
- provides encryption, authentication and data integrity in more effective way
record protocol
(main layer #1 of TLS) can be used with or without encryption, contains the data being transmitted over the network
handshake protocol
(main layer #2 of TLS) permits the web server and client to authenticate each other and to make use of encryption algorithm
differences between SSL and TLS
- it’s possible to extend TLS by adding new authentication methods unlike SSL
- TLS can make use of session caching which improves overall performance of the communication when compared to SSL
- TLS separates the handshaking process from the record protocol layer where all data is held
session caching
- when opening a TLS session a lot of time is required due to the complex cryptographic process
- so the existing session can be used again
what is the purpose of TLS
- to provide secure communication over a network
- to maintain data integrity
- additional layer of security
applications of TLS
- online banking
- private email
- online shopping
- online messaging
security parameters agreed on b/w server and client during handshake
- which protocol will be used => there are different versions of the 2 protocols
- session ID => uniquely identifies a related series of messages b/w server and client
- session type => reusable or not
- encryption method => asymmetric or symmetric
- authentication method => use of digital certificate or use of digital signature
differences between a digital certificate and signature
- certificate is obtained from an issuing authority while signature is created from a message
- certificate provides authentication of owner while signature is used to authenticate a message sent by the owner
- certificate remains unchanged while valid while signature is created for every message
- signature makes use of private key and does not provide info while certificate provides info and does not use private key
purpose of a digital signature
- to ensure a document is authentic
- to ensure a document has not been altered during transmission
- the validity of contents cannot be denied
how is a digital signature produced
- a message is put thru agreed hashing algorithm
- to produce a hash total also known as a message digest
- the message digest is then encrypted using the sender’s private key
how is a digital certificate obtained
- an application is filed to an issuing certificate authority (CA) with proof of identity e.g: name of organization/address
- so their identity can be checked by organizational registration authority
- so that a digital certificate will only be issued to a trusted organization
items in a digital certificate
- public key
- agreed hashing algorithm
- serial number
- name of organisation
- date valid from/to
- signature
- name of issuer
- CA digital signature
how is asymmetric encryption used to ensured that the message is verified
- sender creates the message digest
- receiver recreates the message digest
- if both copied of message digest match then message has not been altered
quantum computing
due to advancement in tech, the concept of quantum computers have been introduced which will easily be able to crack all encryption keys
benefits of quantum cryptography
- any eavesdropping can be identified
- integrity of the key once transferred can be guaranteed
- more secure keys can be exchanged
drawbacks of quantum cryptography
- requires a dedicated line and specialist hardware which can be expensive to implement
- has a limited range
- possible for polarisation of light to be altered due to various contions while travelling down fibre optic cable
- terrorists and criminals can use the technology to hide their activities from government
