Chapter 7: PKI and Cryptographic Applications Flashcards

1
Q

If Dylan and Alexa are using PKI, and Dylan wants to send Alexa an encrypted message, which key would he use to encrypt the message? Which key decrypts the message?

A

Sender encrypts using receiver’s public key
Receiver decrypts using their private key

2
Q

RSA

A

The most famous public key cryptosystem
Based on the difficulty of factoring operations
Uses two large prime numbers (approx 200 digits each) labeled p and q, which are multiplied together

3
Q

ElGamal

A

Public key cryptosystem that is essentially an extension of Diffie-Hellman key exchange
Major disadvantage: the algorithm doubles the size of any message that it encrypts

4
Q

ECC

A

Elliptic Curve Cryptography
Involves points on a curve. I don’t understand the math, but here’s a good analogy:
“Imagine one person plays our game alone in a room for a random period of time. It is easy for him to hit the ball over and over following the rules described above. If someone walks into the room later and sees where the ball has ended up, even if they know all the rules of the game and where the ball started, they cannot determine the number of times the ball was struck to get there without running through the whole game again until the ball gets to the same point. Easy to do, hard to undo.”

5
Q

Diffie-Hellman

A

Key exchange algorithm that allows two individuals to generate a shared secret key over an insecure communications channel.
Each party agrees on two large numbers, performs calculations on them using random integers, then exchanges the results. When they perform a calculation on the results, they should each get the same result, which can be used as the secret key.

6
Q

Quantum Computing

A

Theory that we can use principles of quantum mechanics to replace binary 1 and 0 bits with multidimensional quantum bits called qubits

7
Q

Quantum Supremacy

A

The potential that quantum computers may be able to solve problems that are not possible for current computers to solve, rendering popular cryptographic algorithms insecure

8
Q

What are the five basic requirements for a cryptographic hash function?

A

The input can be of any length.
The output has a fixed length.
The hash function is relatively easy to compute for any input.
The hash function is one-way.
The hash function is collision resistant.

9
Q

SHA-1

A

Hashing algorithm no longer considered secure
Produces a 160-bit message digest

10
Q

Message digest

A

Another name for the output value derived from a hashing function

11
Q

SHA-256

A

SHA-2 variant
Produces a 256-bit message digest

12
Q

SHA-224

A

SHA-2 variant
Produces a 224-bit message digest

13
Q

SHA-512

A

SHA-2 variant
Produces a 512-bit message digest

14
Q

SHA-384

A

SHA-2 variant
Produces a 384-bit message digest

15
Q

SHA-3

A

Developed to serve as a replacement for SHA-2. Offers the same variants and hash lengths but uses a different algorithm. Provides the same level of security, but is slower than SHA-2, so it is not commonly used.

16
Q

MD5

A

Hash algorithm developed by Ronald Rivest (the R in RSA)
Uses four distinct rounds of computation to produce a 128-bit message digest
Cryptanalytic attacks demonstrated that MD5 is subject to collisions.

17
Q

RIPEMD

A

128-bit message digest, no longer secure

18
Q

RIPEMD-128

A

Replaced RIPEMD, also uses 128-bit message digest, also no longer secure

19
Q

RIPEMD-160

A

Replacement for RIPEMD-128 that remains secure today
160-bit message digest

20
Q

RIPEMD-256

A

256-bit message digest, but with equivalent security to 128

21
Q

RIPEMD-320

A

320-bit message digest, but with equivalent security to 160

22
Q

What are the two distinct goals of digital signature infrastructures?

A

Enforce nonrepudiation
Assure the recipient that the message was not altered in transit (whether intentionally or because of faults in the process)

23
Q

If you want to encrypt a confidential message, use ____

A

The recipient’s public key

24
Q

If you want to decrypt a confidential message sent to you, use ___

A

Your private key

25
Q

If you want to digitally sign a message you are sending to someone else, use ____

A

Your private key

26
Q

If you want to verify the signature on a message sent by someone else, use ___

A

The sender’s public key

27
Q

HMAC

A

Hashed Message Authentication Code
To be combined with any standard hashing algorithm by using a shared secret key. This provides integrity, but does not provide nonrepudiation

28
Q

Digital Signature Standard (DSS)

A

NIST standard that specifies that all federally approved digital signature algorithms must use the SHA-3 hashing functions
Also specifies which encryption algorithms can be used to support digital signature infrastructure

29
Q

Which three encryption algorithms are approved for federal use to support digital signature infrastructure?

A

DSA: the Digital Signature Algorithm
RSA
ECDSA: Elliptic Curve DSA

30
Q

Certificate

A

Essentially an endorsed copy of an individual’s public key, signed by a trusted certificate authority

31
Q

X.509

A

International standard that governs digital certificates

32
Q

What data do certificates that conform to X.509 contain?

A

Version of X.509
Serial number
Signature algorithm identifier
Issuer name
Validity period
Subject’s name
Subject’s public key

33
Q

Wildcard Certificate

A

Certificate indicating that the certificate is good for subdomains as well.
Only good for one level of subdomain.

34
Q

Certificate Authorities (CA)

A

Offer notarization services for digital certificates. To obtain a digital certificate from a reputable CA you must prove your identity to the satisfaction of the CA.

35
Q

Registration Authorities (RA)

A

Assist CAs with verifying users’ identities prior to issuing digital certificates

36
Q

How do certificate authorities usually protect their root certificate?

A

Using an offline CA, which is disconnected from networks and powered down until it is needed

37
Q

Certificate Chaining

A

The root CA uses a series of intermediate CAs to protect the root certificate

38
Q

Certificate Signing Request (CSR)

A

In the enrollment phase, once you’ve asserted your identity, you provide the CA with your public key, which the CA then adds to an X.509 certificate

39
Q

Domain Validation (DV) Certificate

A

CA simply verifies that the certificate subject has control of the domain name

40
Q

Extended Validation (EV) Certificate

A

Provides a higher level of assurance than DV; the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate

41
Q

What steps are taken to verify a digital certificate?

A

Check the CA’s digital signature using the CA’s public key
Check the validity period of the certificate
Check that the certificate was not revoked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP)

42
Q

Certificate Pinning

A

Instructs browsers to attach a certificate to a subject for an extended period of time. The browser associates the site with its public key.
This allows users or administrators to take notice and intervene if a certificate unexpectedly changes

43
Q

Certificate Revocation Lists (CRLs)

A

Maintained by the various CAs; they contain the serial numbers of certificates that have been issued by a CA and have since been revoked, along with the date the revocation went into effect

Major disadvantage: must be downloaded and cross-referenced periodically, so could miss notification of a revoked certificate

44
Q

OCSP

A

Online Certificate Status Protocol
Provides a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA’s OCSP server.

45
Q

Certificate Stapling

A

An extension of OCSP that removes some of the overhead of making OCSP requests every single time a certificate is received. Instead, the web server attaches a signed and timestamped response from the CA to the certificate after one user request, then reuses that stapled certificate for the next user, etc.
Stapled certificates typically have a validity period of 24 hours and can reduce millions of requests per day to just one.

46
Q

Distinguished Encoding Rules (DER) format and extensions

A

The most common binary format for certificates
Normally stored with .der, .crt, or .cer extensions

47
Q

Privacy Enhanced Mail (PEM) format and extensions

A

ASCII text version of DER format.
Normally stored with .pem or .crt extensions

48
Q

Personal Information Exchange (PFX)

A

Binary certificate format typically used by Windows systems
Uses .pfx and .p12 file extensions

49
Q

P7B

A

ASCII text format certificates used by Windows
Uses .p7b extension

50
Q

Ephemeral Key

A

Shared private key that is used once between parties as part of a hybrid cryptography setup. Asymmetric cryptography is used to set up initial communication and conduct a secure key exchange; the parties then switch to using the ephemeral key for faster communication.

51
Q

TPM

A

Trusted Platform Module
Chip that resides on the motherboard of devices and handles the storage and management of keys used for full-disk encryption

52
Q

PGP

A

Pretty Good Privacy
Encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

53
Q

S/MIME

A

Secure/Multipurpose Internet Mail Extensions protocol
De facto standard for encrypted email
Uses the RSA encryption algorithm

54
Q

TLS

A

Transport Layer Security
Creates secure communications channels that remain open for an entire web browsing session.
Important: not an encryption algorithm itself; it’s a framework within which other encryption algorithms may function

55
Q

Summarize how TLS works

A

When a user accesses a website, the browser retrieves the web server’s certificate and extracts the server’s public key
The browser creates a random symmetric key (ephemeral key), uses the server’s public key to encrypt it, then sends it to the server
The server decrypts the ephemeral key using its private key, then the two systems exchange all future messages using the symmetric encryption key

56
Q

How does Tor anonymously route traffic across the internet?

A

Perfect forward secrecy. Layers of encryption prevent nodes in the relay chain from reading anything other than the specific information they need to accept and forward the traffic.

57
Q

How does steganography work?

A

Modifies the least significant bit of a pixel value. This allows messages to be hidden within files without altering the image

58
Q

Link Encryption

A

All data, including header, trailer, address, and routing data, is encrypted. Each packet has to be decrypted at each hop so it can be properly routed and then reencrypted. Slows routing.

59
Q

End-to-end Encryption

A

Protects communications between two parties but does not encrypt the header, trailer, address or routing data. Moves faster from point to point but is more susceptible to sniffers and eavesdroppers.

60
Q

IPSec

A

A standard architecture for setting up a secure channel to exchange information between two entities. Two main components:
Authentication Header
Encapsulating Security Payload

61
Q

Authentication Header

A

Provides assurances of message integrity and nonrepudiation
Also provides authentication and access control and prevents replay attacks

62
Q

Encapsulating Security Payload

A

Provides confidentiality and integrity of packet contents
Provides encryption and limited authentication and prevents replay attacks

63
Q

What are IPSec’s two modes of operation?

A

Transport mode: end-to-end encryption (only packet payload encrypted)
Tunnel mode: entire packet, including header, is encrypted

64
Q

Security Association

A

Used in IPSec, represents the communication session and records any configuration and status information about the session
You will need two SAs for bidirectional communication
IPSec can be managed on a per-SA basis.

65
Q

Homomorphic Encryption

A

Encrypts data in a way that preserves the ability to perform computation on that data

66
Q

Analytic Attack

A

Cryptographic attack. Algebraic manipulation that attempts to reduce the complexity of the algorithm. Focuses on the logic of the algorithm itself.

67
Q

Implementation Attack

A

Exploits weaknesses in the implementation of a cryptography system. Focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.

68
Q

Statistical Attack

A

Exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers
Attempt to find a vulnerability in the hardware or operating system hosting the cryptography application

69
Q

Brute-Force Attack

A

Attempts every possible valid combination for a key or password. Uses massive amounts of processing power to methodically guess the key used to secure communications

70
Q

Fault Injection Attack

A

Attacker attempts to compromise the integrity of a cryptographic device by causing some type of external fault. Might use high-voltage electricity, high or low temperatures, etc., to cause a malfunction

71
Q

Side-Channel Attack

A

Uses information such as changes in processor utilization, power consumption, electromagnetic radiation, etc., to monitor system activity and retrieve information that is actively being encrypted

72
Q

Timing Attack

A

Attacker measures precisely how long cryptographic operations take to complete, gaining information about the cryptographic process that may be used to undermine its security