Week 2-Summarize the Basics of Cryptographic Concepts Flashcards

1
Q

Is the set of all possible keys that can be used in an encryption algorithm. (i.e. 56-bits=2^56, 256-bits=2^256 and 512-bits=2^512).

A

Keyspace

2
Q

Is the process of changing the values. Complex substitution functions are used to create___

A

Confusion

3
Q

The process of transforming plaintext (i.e. unencrypted data) into cipher text (i.e. encrypted data) using an algorithm and a secret key.
*The goal of ___ is confidentiality

A

Encryption

4
Q

Is a measure of ensuring the:
*Authenticity
*Integrity
*Non-repudiation
of a digital document or message

A

Digital Signature

5
Q

___means that the use of the algorithm & key length is allowed, but the user must accept some risk (weakness)

A

Deprecated

6
Q

Is a process converting input data of arbitrary length into a fixed-sized output.
Known as a __value, digest or fingerprint

A

Hashing

7
Q

Term used in cryptography to refer to a secret value used as a key, seed or initialization vector in an encryption or decryption algorithm.
Is a critical component of a cryptographic system, as it is used to transform plaintext & data into ciphertext or to decrypt ciphertext back to plaintext. The strength and security of the system depends on its length, randomness and secrecy.

A

Cryptovariable

8
Q

The process of changing the order. Sending bits through multiple rounds of transposition is used to create ___

A

Diffusion

9
Q

Malicious code embedded in advertising

A

Malvertising

10
Q

Hiding method:
modifying color space of a PNG image
Purpose:
hiding malicious code within a banner ad

A

Hiding method:
Malicious steganography

Purpose:
Stegano

11
Q

Hiding method:
Data hiding in HTML comment tags of the HTTP 404 error page
Purpose:
Embedding command and control commands

A

Hiding method:
Malicious steganography

Purpose:
Teslacrypt

12
Q

Common symmetric encryption algorithms

A

3DES
AES

13
Q

Common Asymmetric encryption algorithms

A

RSA, ECC, Diffie-Hellman

14
Q

__uses the same cryptographic key to encrypt and decrypt data.
*it is computationally efficient and can process large blocks of data.
*The disadvantages are key distribution and scalability

A

Symmetric encryption

15
Q

__uses a pair of mathematically related keys.
*a private key and a public key.
*requires a lot of processing power and is slower.
*More suited for small blocks of data.
*advantage is scalability

A

Asymmetric encryption

16
Q

_used to prove integrity
_produces a unique one-way fixed length
_representation of a data set known as a __, digest, checksum or fingerprint
_digests are compared and if they are the same then there is assurance that the data has not been modified

A

hash

17
Q

Hash common algorithms are:

A

MDx
SHAx

18
Q

__is used to prove authenticity of the message and verify the sender’s identity.
*A _ is a message digest encrypted with the sender’s private key.

A

Digital Signature

19
Q

_are the mechanism used to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner.
*The certificate is issued by a trusted certification authority, a web of trust, or self-generated and self-signed.
*is a unique ID for users, devices, applications and services.

A

Digital certificate

20
Q

The cryptographic component used to ensure confidentiality.

A

Encryption

21
Q

The cryptographic component used to prove integrity.

A

Hashing

22
Q

The cryptographic component used to prove authenticity.

A

Digital signature

23
Q

The number of keys used in asymmetric encryption

A

Two (public and private)

24
Q

The key that is used to create a digital signature

A

The sender’s private key.

25
Q

Security-In-Action
1) Your organization plans to begin digitally signing messages to prove authenticity.
2) You have been asked to explain to the user community what the purpose of a digital signature is and how it works.
3) What do you tell them?

A

A digital signature is used to verify (prove) that the message actually came from the sender and that it has not been modified in transmission.
*On behalf of the user, their messaging program will sign the message with a private key that is specific to the user.
*Technical details
The original message is hashed and a message digest is created. The message digest is encrypted with the sender’s private key. The recipient decrypts the message digest with the sender’s public key to validate the sender. The recipient also hashes the original message and compares the two message digests to validate that the message was not modified in transmission.

26
Q

Common Certificate properties

A

Thumbprint-Hash of the certificate (unique identifier)
Subject-name of the certificate. (DN, CN, O, OU)
Issuer-the entity that issued the certificate.
SAN-Additional information about the subject.
Key Usage-What the certificate can be used for.
Version-X.509 certificate version
Valid From/To-Date range in which the certificate is valid.
CRL distribution-Location of the certificate revocation list
Public key-Public key
Algorithm-Algorithm used to sign the certificate.

27
Q

Certificate Formats

A

PEM-most common certificate format. Can include both the certificate and private key in one file or can be a separate file. Extensions include .pem, .crt, .cer, .key.
DER-Binary form of a PEM. Extensions include .cer, .der.
P7B/PKCS#7-Contains certificate but not the private key (Base64 encoded ASCII). Extensions include .p7b, .p7c.
PFX/PKCS#12-contains certificate, intermediate certificate and private key (binary). Extensions include .pfx, .12

28
Q

Types of Digital Certificates

A

Personal-Verifies a user identity (generally used for email).
Machine-Verifies a device identity.
Domain-Verifies a domain (wildcards for subdomains)
Organization-Verifies a domain and an organization.
Extended Validation-Verifies a domain and an organization subject to additional standardized global verification processes.
Code/Object signing-Verifies origination/ownership as well as object integrity.
Trusted/Intermediate-Identifies root and intermediate Certificate Authorities.

29
Q

Certificate Pinning

A

Forces a client application to validate the server’s certificate against a known copy.
*Pinning can be preloaded into the application, or it can automatically pin whatever certificate the server sends during the first client-to-server call.
Preloading protects the application, as an attacker might otherwise be able to pin their own certificate upon the first call.
*Use case

Pinning is intended to add a layer of security against a Man-in-the-Middle attack.

30
Q

Security-In-Action Certificate Assurance

Your organization is planning on launching a customer-facing website. It is very important that customers feel confident about the trustworthiness of the site.
You have been asked which certificate is better-Domain validation, Organizational validation, or Extended validation-and why?
What is your response?

A

Response:
Domain validation only requires that the website owner demonstrate control over the domain.
Organizational validation documents information about the site operator but the user needs to open the certificate to see the details.
Extended validation requires that an organization demonstrate exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove that the entity has authorized the issuance of the certificate. Clicking on the padlock will reveal that the certificate is EV. Unfortunately the “green bar” is no longer in use.

Answer is Extended validation

31
Q

Trusted Certificate Phases

A

Enrollment-Enrollment initiated by a user’s request to a Certificate Authority.
Validation-When a certificate is used, its status is checked to verify that it is still operationally valid.
Suspension-Temporary revocation of a certificate until a certificate problem can be resolved.
Revocation-Permanent withdrawal of trust by issuing authority before scheduled expiration date.
Renewal-Prior to a certificate reaching its expiration date, it must be renewed.
Destruction-When a certificate is no longer in use (expired or revoked), the certificate and backup copies should be destroyed along with the associated private key.

32
Q

Enrollment-Certificate Authority (CA)

A

Digital certificates are issued by commercial trusted parties, called Certificate Authorities (CA).
* Browsers and devices trust a CA by accepting the Root Certificate into its root store-essentially a database of approved CAs that come pre-installed with the browser or device.
* CAs use these pre-installed Root Certificates to issue Intermediate Root Certificates and entity Digital Certificates.
*the CA receives certificate requests, validates the applications, issues the certificates, and publishes the ongoing validity status of issued certificates.

33
Q

Registration Authority

A

A Registration Authority (RA) offloads some of the work from the CA.
* The RA can accept and process registration requests and distribute certificates.
* A Local Registration Authority (LRA) requires physical identification. (rare occasion, must go to office to prove validity).

34
Q

Certificate Request Process

A

1). Applicant generates a public/private key.
2). Applicant submits certificate request (Identifying info + public key)
3). The CA (or RA) validates identity of the applicant.
4). The CA generates a certificate and signs it with their private key.
5). The CA (or RA) sends the certificate to the applicant.

35
Q

Enrollment Self-generated certificate

A

Digital certificates can be self-generated and self-signed.
*Problems with self-generated/signed
1. A self-signed certificate can be easily impersonated.
2. Presents warning message when used.
3. Cannot be revoked.

Use Case:
Internal development

NOTE:
Self-generated certificates can be signed and validated by other users-referred to as web of trust.

36
Q

Certificate Validity

A

Certificate Revocation List (CRL)-CA maintained list of certificates that have been revoked.
* Pull model-CRL is downloaded by the user or organization.
* Push model-CRL is automatically sent out by the CA at regular intervals.
Online Certificate Status Protocol (OCSP)- Process designed to query the status of certificate in real-time.
* OCSP stapling is a time-stamped (cached) OCSP response.

37
Q

Key Management

A

Describes the activities involving the handling of cryptographic keys and other related security parameters (e.g., passwords) during their lifecycle.
* This includes generation, exchange, storage, use, strength, crypto-shredding (destruction) and replacement.
* A Key Management Practices Statement (KMPS) is a document that describes in detail the organizational structure, responsible roles and rules for key management.

38
Q

Key Management Best Practices

A

1). Usage- A key should only be used for one purpose (e.g. encryption).
* The use of the same key for different cryptographic purposes may weaken the security provided by one or both.
2). Strength-The strength of the key should be commensurate with the data/process protection requirements.
3). Storage-Private keys must be securely stored. The measures taken to protect a private key must be at least equal to the required security of the use of the key.
* A hardware security module (HSM) can be used to store cryptographic keys in tamper resistant hardware providing both logical and physical protection (plug-in card or external device).

39
Q

Key Escrow

A

Is a proactive arrangement in which keys needed to decrypt data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

40
Q

What type of certificate does a CA have?

A

A CA has a root certificate, which it uses to sign certificates.

41
Q

If you are going to use a CA internally what type of CA should you choose?

A

You would use a private CA for internal use only; these certificates will not be accepted outside of your organization.

42
Q

If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should you use?

B2B=Business to Business

A

You would use a public CA for B2B.

43
Q

Why should you take your CA offline when not in use?

A

If you were a military, security, or banking organization, you would keep the CA offline when it is not being used to prevent it from being compromised.

44
Q

What type of encryption does PKI use?

PKI=Public Key infrastructure

A

PKI uses asymmetric encryption.

45
Q

Who signs X509 certificates

A

The CA signs the X509 certificate.

46
Q

What can you use to prevent your CA from being compromised and fraudulent certificates from being issued?

A

Certificate pinning can be used to prevent a CA from being compromised and fraudulent certificates from being issued.

47
Q

If two entities want to set up a cross-certification, what must they set up first?

A

If two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves, known as a bridge trust model.

48
Q

What type of trust model does the PGP use?

PGP=Pretty Good Privacy

A

PGP uses a trust model known as a web of trust.

49
Q

How can you tell whether your certificate is valid?

A

A Certificate Revocation List (CRL) is used to determine whether a certificate is valid.

50
Q

If the CRL is going slowly, what should you implement?

A

If the CRL is going slow, you should use OCSP as it provides faster validation.
* Use OCSP instead of CRLs: Online Certificate Status Protocol (OCSP) provides real-time revocation status information without the need for downloading and parsing a large CRL. OCSP can be faster and more efficient than CRLs, especially in high-traffic environments.

OCSP=Online Certificate Status Protocol

51
Q

Explain certificate stapling/OCSP stapling

A

Certificate stapling/OCSP stapling is where a web server uses an OCSP for faster certificate authentication, bypassing CRL.

52
Q

What is the process of obtaining a new certificate?

A

You would submit a Certificate Signing Request (CSR) to request a new certificate.

53
Q

What is the purpose of the key escrow?

A

The key escrow stores and manages private keys for third parties.

54
Q

What is the purpose of the HSM?

HSM=Hardware Security Module

A

A hardware security module (HSM) is used by the key escrow to securely store and manage certificates.

55
Q

What is the purpose of the DRA, and what does it need to complete its role effectively?

DRA=Disaster Recovery Agent

A

The purpose of the Disaster Recovery Agent (DRA) is to recover data when a user’s private key becomes corrupt. To do this, it must first obtain a copy of the private key from the key escrow.

56
Q

How can you identify each certificate?

A

Each certificate can be identified by its OID, which is similar to a serial number.

OID=Object identifier

57
Q

What format (PKCS) is a private certificate, and what file extension does it have?

PKCS =Public-Key Cryptography Standards

A

A private certificate is in P12 format with a .pfx extension.

58
Q

What format (PKCS) is a public certificate, and what file extension does it have?

PKCS =Public-Key Cryptography Standards

A

A public certificate is in P7B format with a .cer extension.

59
Q

What format is a PEM certificate?

A

A PEM certificate is Base64 format.

60
Q

What type of certificate can be used on multiple servers in the same domain?

A

A wildcard certificate can be used on multiple servers in the same domain.

61
Q

What type of certificate can be used on multiple domains?

A

A Subject Alternative Name (SAN) certificate can be used on multiple domains.

62
Q

What should you do with your software to verify that it is original and not a fake copy?

A

You would code-sign the software in order to verify that it is the original, and not a copy. This is similar to a digital signature in that it ensures the integrity of the software.

63
Q

What is the purpose of extended validation of an X509?

A

Extended validation is normally used by financial institutions to provide a higher level of trust for the X509.

64
Q

What type of cipher is the Caesar cipher, and how does it work if it uses ROT 4?

A

The Caesar cipher is a substitution cipher; an example would be ROT 4, where each letter would be substituted by a letter four characters along in the alphabet.

65
Q

What is encryption, and what are the inputs and outputs called?

A

Encryption is when plain text (input) is taken and turned into cipher text (output).

66
Q

What type of encryption will be used to encrypt large amounts of data?

A

Symmetric encryption is used to encrypt large amounts of data as it uses one key.

67
Q

What is the purpose of Diffie-Hellman?

A

Diffie-Hellman (DH) is an asymmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel.

IKE=Internet Key Exchange

68
Q

IKE (Internet Key Exchange)

A

is a protocol used in IPsec VPNs (Virtual Private Networks) to establish secure communication channels between two endpoints. IKE uses a series of phases to negotiate and establish a secure connection. One of these phases, called IKE Phase 1, uses the Diffie-Hellman key exchange algorithm to establish a shared secret key between the endpoints.

69
Q

What is the first stage in asymmetric encryption?

A

The first stage in encryption is key exchange. During asymmetric encryption, each entity will give the other entity its public key. The private key is secure and never given away.

70
Q

If Carol is encrypting data to send to Bob, what key will each of them use?

A

  1. Carol uses Bob’s public key to encrypt the data.
  2. Bob will then use his private key to decrypt the data.
  3. Encryption and decryption are always done by the same key pair.

71
Q

If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?

A

No. George must obtain the old private key to decrypt the data, as the encryption was done with a different key pair.

72
Q

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

A

Janet will digitally sign the email with her private key and John will check its validity with Janet’s public key, which he should have received in advance.

73
Q

What two things does a digital email signature provide?

A

A digital signature provides both integrity and non-repudiation.

74
Q

What asymmetric encryption algorithm should you use to encrypt data on a smartphone?

A

ECC will be used to encrypt data on a smartphone as it is small and fast and uses the DH handshake.

ECC =Elliptic Curve Cryptography

75
Q

What should you use to encrypt a military mobile telephone?

A

You would use AES-256 to encrypt a military mobile phone.

76
Q

Name two key-stretching algorithms.

A

Two key stretching algorithms are bcrypt and PBKDF2.

77
Q

Explain how key stretching works.

A

Key stretching salts the password being stored to prevent duplicate passwords. It also increases the length of the keys to make things harder for a brute-force attack.

78
Q

What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

A

Stream ciphers encrypt one bit at a time and block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.

79
Q

What happens with cipher block chaining if you don’t have all of the blocks?

A

CBC needs all of the blocks of data to decrypt the data; otherwise it will not work.

CBC=Cipher Block Chaining

80
Q

If you want to ensure the integrity of data, what should you use? Name two algorithms.

A

Hashing ensures the integrity of data; two examples include SHA-1 (160-bit) and MD5 (128-bit)

81
Q

If you want to ensure the protection of data, what should you use?

A

Encryption is used to protect data so that it cannot be reviewed or accessed.

82
Q

Is a hash a one-way or two-way function, and is it reversible?

A

A hash is one-way and cannot be reversed.

83
Q

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

A

POODLE is a man-in-the-middle attack on a downgraded SSL 3.0 (CBC)

POODLE attack (Padding Oracle On Downgraded Legacy Encryption).

84
Q

Define Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).

A

Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral are both ephemeral keys that are short-lived, one-time keys.

85
Q

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel?

A

The strongest encryption for an L2TP/IPSec VPN tunnel is AES, and the weakest is DES.

86
Q

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

A

A session key ensures the security of communications between a computer and a server or a computer and another computer.

87
Q

What should you do to protect data-at-rest on a laptop?

A

You would use an FDE to protect data-at-rest on a laptop

FDE=Full Disk Encryption

88
Q

What should you do to protect data-at-rest on a tablet or smartphone?

A

You would use an FDE to protect data-at-rest on a tablet or smartphone.

89
Q

What should you do to protect data-at-rest on a backend server?

A

Data-at-rest on a backend server is stored on a database. Therefore, to protect it you would encrypt the database.

90
Q

What should you do to protect data-at-rest on a removable device, such as a USB flash drive or an external hard drive?

A

You would protect data-at-rest on a USB flash drive or external hard drive via full disk encryption.

91
Q

What protocols could you use to protect data in-transit?

A

You can secure data in-transit using TLS, SSL, HTTPS, or an L2TP/IPSec tunnel.

92
Q

How can you protect data-in-use?

A

You can protect data-in-use with full memory encryption.

93
Q

What is the purpose of obfuscation?

A

Obfuscation is used to make the source code look obscure so that if it is stolen, it cannot be understood. It masks the data and could use either XOR or ROT13.

94
Q

What is the purpose of perfect forward secrecy?

A

Perfect forward secrecy ensures that there is no link between the server’s private key and the session key. If the VPN server’s key was compromised, it could not decrypt the session. It would be great for use on voting machines.

95
Q

What type of attack tries to find two hash values that match?

A

A collision attack is where two hash values match.

96
Q

What is the purpose of rainbow tables?

A

Rainbow tables are a list of precomputed words showing their hash value, used to crack the hash value of passwords. You will get rainbow tables for MD5 and different rainbow tables for SHA-1.

97
Q

Explain the concept of steganography.

A

Steganography is used to conceal data inside another form of data. You can hide a file, image, video or audio inside another image, video, or audio file.

98
Q

What are the two purposes of Data Loss Protection (DLP)?

A

DLP prevents sensitive or PII information from being emailed out of a company or being stolen from a file server using a USB device.

99
Q

What is the purpose of salting a password?

A

Salting a password ensures that duplicate passwords are never stored and makes things more difficult for brute-force attacks by the key side (key-stretching). It appends the salt to the password making it longer than before hashing.

100
Q

Temporary key generated for a connection and never used again?

A

Ephemeral key

101
Q

Technique to strengthen a weak key to protect against brute-force attacks

A

Keystretching

Two types:
PBKDF2
bcrypt

102
Q

is a key derivation function used to derive cryptographic keys from passwords or passphrases.

A

PBKDF2 (Password-Based Key Derivation Function 2)

*The “PBKDF2 with HMAC-SHA-256” (PBKDF2-HMAC-SHA256) is a specific variant of the PBKDF2 algorithm that uses the HMAC-SHA-256 (Hashed Message Authentication Code using Secure Hash Algorithm 256

103
Q

is a password hashing function that is widely used for secure password storage. It was designed to be slow and computationally intensive, making it more difficult for attackers to crack passwords through brute-force attacks or other methods.

A

bcrypt
*bcrypt uses the Blowfish encryption algorithm to encrypt passwords, and also incorporates a salt value to make each password hash unique. The number of iterations used in the encryption process can also be adjusted, making it possible to increase the computational cost of generating password hashes.

104
Q

Is a symmetric-key block cipher encryption algorithm designed by Bruce Schneier in 1993. It is widely used for a variety of applications, including secure file transfer protocols, password storage, and virtual private network (VPN) technologies.

A

Blowfish
*Blowfish uses a variable-length key, from 32 bits to 448 bits, and operates on 64-bit blocks of data. It uses a Feistel network structure, which involves splitting the input block into two halves and performing multiple rounds of encryption and permutation on each half.

One of the key advantages of Blowfish is its speed and efficiency.

105
Q

Hashing algorithm that has been shown to be subject to collision attacks and is deprecated.

A

MD5
Message Digest (MDX)
*MD5 is a one-way hash function that generates a fixed-length 128-bit hash value from an input message.

106
Q

Hashing algorithm created by NSA

A

Secure Hash Algorithm (SHA)
SHA-1 has been shown to be subject to collision attacks
SHA-2 family is widely used and includes SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
*SHA-2 takes an input message of any length and produces a fixed-length hash value.
*The SHA-2 hash functions are resistant to a wide range of attacks, including collision attacks, preimage attacks, and second-preimage attacks.
*SHA-2 is widely used for a variety of security applications, including digital signatures, password storage, and SSL/TLS encryption. I

107
Q

Hashing algorithm based on MD4

A

RIPEMD
*has been replaced by RIPE-160

108
Q

Is the operation performed to encrypt (encode) or decrypt (decode) data.
An algorithm used to encrypt or decrypt data.
The process (or algorithm) used to encrypt and decrypt a message.

A

Cipher

109
Q

The science and practice of altering data to make it unintelligible to unauthorized parties

A

Cryptography

110
Q

Security through ___ means keeping something a secret by hiding it.

A

obscurity

111
Q

Unencrypted data that is meant to be encrypted before it is transmitted, or the result of decryption of encrypted data. An unencrypted message.

AKA cleartext

A

Plaintext

112
Q

Data that has been enciphered and cannot be read without the cipher key. An encrypted message

A

Ciphertext

113
Q

The science, art, and practice of breaking codes and ciphers.
The art of cracking cryptographic systems.

A

Cryptanalysis

114
Q

A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
The output can be referred to as a checksum, message digest, or ___

A

Hashing

A hashing algorithm is used to prove integrity

115
Q

A cryptographic hashing algorithm created to address possible weaknesses in MDA.
Considered the strongest algorithm. There are variants that produce different-sized outputs, with longer digests considered more secure. The most popular variant is ___-256, which produces a 256-bit digest.

A

Secure Hash Algorithm (SHA)

116
Q

A cryptographic hash function producing a 128-bit output.
produces a 128-bit digest.
___is not considered to be quite as safe for use as SHA-256, but it might be required for compatibility between security products.

A

Message Digest Algorithm #5 (MD5)

117
Q

In cryptography, a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
The use of a ___ with the encryption cipher ensures that decryption can only be performed by authorized persons.

A

Key

118
Q

A cryptographic ___ is a mathematically complex modern cipher

A

Algorithm

119
Q

Moves characters or bits to another place within the message block.

A

Transposition cipher

The units in a transposition cipher stay the same in plaintext and ciphertext, but their order is changed, according to some mechanism. Consider how the ciphertext “HLOOLELWRD” has been produced:

H L O O L

E L W R D

diffusion

120
Q

A ___ cipher involves replacing units (a letter or blocks of letters) in the plaintext with different ciphertext. Simple ___ ciphers rotate or scramble letters of the alphabet. For example, ROT13 (an example of a Caesar cipher) rotates each letter 13 places (so A becomes N for instance). The ciphertext “Uryyb Jbeyq” means “Hello World”.

A

substitution cipher

confusion

121
Q

A ___ cipher is one in which encryption and decryption are both performed by the same secret key. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached.

A

symmetric cipher

122
Q

A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

A

Symmetric encryption

Symmetric encryption is very fast. It is used for bulk encryption of large amounts of data. The main problem is secure distribution and storage of the key, or the exact means by which Alice and Bob “meet” to agree the key. If Mallory intercepts the key and obtains the ciphertext, the security is broken.

Note that symmetric encryption **CANNOT** be used for AUTHENTICATION or INTEGRITY, because Alice and Bob are able to create exactly the same secrets, because they both know the same key.

!!!!NOTE!!!! Symmetric encryption is also referred to as single key or private key or shared secret.
!!!!NOTE!!!! “Private key” is also used to refer to part of the public key cryptography process, so take care not to confuse the two uses.

Is used for CONFIDENTIALITY

123
Q

Two types of symmetric encryption

A

Stream ciphers and Block ciphers.

124
Q

A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.

Each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext.

A

Stream cipher

125
Q

A type of symmetric encryption that encrypts data one block at a time, often in 64-bit and 128-bit, but 128-bit is most common. It is usually more secure, but is also slower, than stream ciphers.

The plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used.

A

Block ciphers

126
Q

A symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

Is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.

A

Advanced Encryption Standard (AES)

127
Q

Is the range of key values available to use with a particular cipher.

The keyspace is roughly equivalent to two to the power of the size of the key. Using a longer key (256 bits rather than 128 bits, for instance) makes the encryption scheme stronger. You should realize that key lengths are not equivalent when comparing different algorithms, however. Recommendations on minimum key length for any given algorithm are made by identifying whether the algorithm is vulnerable to cryptanalysis techniques and by the length of time it would take to “brute force” the key, given current processing resources.

A

Keyspace

i.e. 56-bits = 2^56
256-bits = 2^256
512-bits = 2^512

128
Q

In an ___ cipher, operations are performed by two different but related public and private keys in a key pair.

Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the ciphertext produced. The public key cannot be used to decrypt the ciphertext, even though it was used to encrypt it.

A

Asymmetric cipher

Asymmetric encryption is mostly used for authentication and non-repudiation and for key agreement and exchange.

Can be used to prove identity

129
Q

Widely implemented.
De facto commercial standard.
Works with both encryption and digital signatures.

Named for its designers, Ronald Rivest, Adi Shamir, and Len Adleman, the first successful algorithm for public key encryption with a variable key length and block size. Published in 1977.

A

RSA algorithm

Asymmetric algorithm

130
Q

An asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.
Similar function to RSA but with smaller key sizes (requires less computing power).
Current US Government standard.

A

Elliptic Curve Cryptosystem (ECC)

***well-suited for use in environments with limited computational resources, such as mobile devices and IoT devices.

Asymmetric algorithm

131
Q

Mathematical ciphers that use an operation which is simple to perform one way when all of the values are known, but is difficult to reverse.

A

Trapdoor function

132
Q

A message digest encrypted using the sender’s private key that is appended to a message to authenticate the sender and prove message integrity.

A __ is a message digest that has been encrypted using the sender’s private key.

The goal of a ___ is integrity and non-repudiation.

A

Digital Signature

133
Q

___ is the assurance that the data has not been modified

A

Integrity

134
Q

___ means the signer cannot deny sending the message. Conversely, the receiver can trust that the message came from the named signer

A

Non-repudiation.

135
Q

Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

Published by NIST in cooperation with the NSA.

US government standard

A

Digital Signature Algorithm (DSA)

*uses elliptic curve cryptography (ECC) rather than the RSA cipher.

136
Q

Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

A

Key exchange

137
Q

A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.

A

Perfect forward secrecy (PFS)

uses Diffie-Hellman to create ephemeral session keys

138
Q

Primarily used for key agreement (key exchange)

Allows two parties (in the same DH group) that have no prior knowledge of each other to jointly establish a shared secret key

A

Diffie-Hellman (DH)

Asymmetric Algorithm

139
Q

In cryptography, a key that is used within the context of a single session only.

Temporary key generated for a connection and never used again.

A

Ephemeral

140
Q

PFS can be implemented using either __ or __ algorithms

A

The Diffie-Hellman Ephemeral mode (DHE or EDH)
or
Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE)

141
Q

In 2014, a ___ was discovered in the way some versions of OpenSSL work that allows remote users to grab 64K chunks of server memory contents (heartbleed.com). This could include the private key, meaning that any communications with the server could be compromised. The bug had been present for around two years. This illustrates the value of PFS, but ironically many servers would have been updated to the buggy version of OpenSSL to enable support for PFS.

A

Heartbleed bug

142
Q

Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.

A

Mode of operation

143
Q

An encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block

A

Cipher Block Chaining (CBC)

XOR is a logical operation that outputs 1 only when the inputs are 1 & 0

144
Q

An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM (counter mode) and CM (counter mode).

A

Counter Mode (CTM)

145
Q

Proving the integrity and authenticity of a message by combining its hash with a shared secret.

A

Message Authentication Code (MAC)