1.4 : Cryptographic Solutions Flashcards

Question

Digital Signatures

Answer 1

A cryptographic mechanism used to verify the integrity and authenticity of a message, software, or digital document. It uses asymmetric encryption with two keys: * Private Key: The sender signs the data with their private key. * Public Key: The recipient uses the sender’s public key to verify the signature. * Note that this is reversed from how ssymmetric crpytography normally works! **Key Concepts:** * Ensures **Integrity**: Verifies that the message or document has not been altered. * Ensures **Authenticity**: Confirms the identity of the sender. * **Non-Repudiation**: The sender cannot deny sending the message since only their private key could have created the signature. * Commonly used with **digital certificates** in **Public Key Infrastructure (PKI)**. * Add **confidentiality** by also encyrpying the *message* portion of the signature with the recipients public key (the way these things are normally used outside of signatures!)

Answer 2

A technique used to make a weak password stronger by applying a salt and one or more rounds of hashing, making it more resistant to brute-force attacks.

Answer 3

A distributed ledger technology used to track transactions. Every participant in the blockchain network maintains an identical copy of the ledger. It ensures immutability, decentralization, and transparency. Blockchain is used in a variety of applications such as: * Payment processing (e.g., cryptocurrencies) * Digital identification * Supply chain monitoring * Digital voting * Property ownership records * Vital records

Answer 4

A ledger that is accessible to the public and contains a record of all transactions, typically associated with blockchain technology.

Answer 5

Trusted organizations that verify the identity of individuals, systems, or organizations and issue digital certificates. These certificates include the subject's public key, and the CA uses its private key to digitally sign the certificate, ensuring authenticity and establishing trust in secure communications.

Answer 6

Certificate Revocation Lists ( * Lists published by Certificate Authorities that identify certificates that are no longer valid, helping to maintain trust in the PKI system. * Inefficient and no longer used as it requires everyone on the internet to download these lists which themselves got longer and longer

Answer 7

Online Certificate Status Protocol * A protocol used to check the revocation status of a digital certificate in real-time with the CA, providing up-to-date information on certificate validity. * Faster and more efficient than CRLs

Answer 8

Digital certificates signed by the entity that created them, often used for internal purposes but less trusted than certificates issued by a Certificate Authority.

Answer 9

Digital certificates issued by a trusted Certificate Authority, used to establish trust between parties over the internet.

Answer 10

A secure, trusted source within a system that provides the foundation for verifying the authenticity and integrity of other components.

Answer 11

A request to a Certificate Authority (CA) to sign a digital certificate. It includes a public key and entity information, used to bind a public key to an identity in Public Key Infrastructure (PKI)

Answer 12

Digital certificates that can be used to secure multiple subdomains under a single domain, simplifying certificate management. * Only goes one level deep * commonly used for load balancers

Answer 13

Public Key Infrastructure. A framework of policies, procedures, and technologies used to create, manage, distribute, and revoke digital certificates, ensuring secure communication and authentication.

Answer 14

The process of converting information into a secure cipher to protect confidentiality, prevent unauthorized access.

Answer 15

Hardware and software solutions used to manage and protect cryptographic keys and secure operations. * Trusted Platform Module (TPM) * Hardware security module (HSM) * Key management system * Secure enclave

Answer 16

The process of making data obscure or unclear to prevent unauthorized access or understanding. * Steganography * Tokenization * Data Masking

Answer 17

Digital documents used to certify the ownership of a public key, ensuring secure communication and authentication.

Answer 18

* Data Encryption Standard * Symmetric encryption algorithm * 64 bit block cipher * Key length of 56 bits * one of the first, no longer secure -- would need a key length of 2048 bits

Answer 19

* Triple DES: Applies DES 3 times with 3 separate keys * 64 bit block, 56 bit keys, max effective key length of 112 bits * Bought some time for DES by getting around the vulnerabilities that were there for a short time * **Why TRIPLE?**: Double DES is no more secure than standard DES due to Meet-in-the-Middle attack * no longer secure! :) -- being phased out

Answer 20

* Advanced Encryption Standard * Symmetric encryption algorithm * 128 bit block cipher * Key lengths of 128, 192, or 256 bits * Secure!

Answer 21

* Public domain algorithm * Intended as a replacement of DES * Symmetric * 64 bit block chain * Pick any key length from 32 to 448 bits * Not secure

Answer 22

* a competitor in the AES competition that lost out, now public domain * Symmetric * 128 bit block cipher * Key lengths of 128, 192, or 256 bits * Still considered secure

Answer 23

* Early asymmetric algorithm (1977), still used today * Variable key length from 1024 to 4096 bits * US authorities recommend key lengths of 2048 or more * **Users create RSA key pairs using two very large prime numbers** * It is slow and not used for long messages; often used to create initial secure channel over which symmetric key is exchanged * RSA patent is expired * Rivest, Shamir, Adleman

Answer 24

* Pretty Good Privacy * Not an encryption algorithm itself, it's a framework for using other encryption algorithms * Combines symmetric and assymmetric cryptography * Sender generates random symmetric key to encrypt message, and uses recipient's asymmetric public key to encrypt the random symmetric key, which is sent along with the message to the recipient. The recipient uses their asymmetric private key to decrypt the random symmetric key, and is then able to use that key to decrypt the message

Answer 25

* Gnu Privacy Guard * An open source package based on PGP

Answer 26

* Elliptic curve cryptography * Unlike other asymmetric cryptographic algorithms, does not use prime factorization * Uses the EC discrete log problem * Ironically, would be easier for a quantum computer to crack than PF

Answer 27

* Perfect Forward Secrecy * a property of secure communication protocols where compromise of long-term keys does not compromise past session keys * Generates a unique and ephemeral session key for each session, ensuring that if one session key is compromised, it does not affect the security of other sessions * Provides additional protection for past and future encrypted communications by isolating each session cryptographically * Commonly used in protocols like TLS/SSL to enhance the security of web communications * Implemented using methods like Diffie-Hellman key exchange

Answer 28

* A method for securely exchanging shared cryptographic keys over a public channel. * Invented in 1976 * Allows two parties to generate a shared secret key used for symmetric encryption, without transmitting the key itself. * Security is based on the discrete logarithm problem, involving prime numbers and modular arithmetic. * Commonly used in secure communications to establish a shared symmetric encryption key.

Answer 29

* Diffie-Hellman Ephemeral * Creates unique session keys for each connection * Ensures forward secrecy: compromising one session doesn't affect others * Commonly used in TLS/SSL protocols Protects against retrospective decryption if long-term keys are compromised * Slightly higher computational cost than static DH

Answer 30

* Elliptic Curve Diffie-Hellman * Math is based on Eliptic Curve rather than prime numbers and modulos

Answer 31

* Allow internal access to lost keys * Possesses master key that allows access to any encrypted data in the organization * Could be a highly privileged account or a special certificate * e.g. EFS (Encrypting File System) for Windows has a special recovery agent account

Answer 32

* Password-Based Key Derivation Function v2 * A key derivation function used to implement salted password hashing. It applies a pseudorandom function (like HMAC) to the input password along with a salt value and repeats the process many times to produce a derived key. This technique increases the computational cost of cracking passwords, enhancing security against brute-force attacks. Key points: * Purpose: Convert passwords into cryptographic keys * Features: Uses salt and iteration count * Security benefit: Slows down brute-force and rainbow table attacks * Common use: Password storage and verification in many systems

Answer 33

* being reversible * producing a collision (same output from different inputs)

Answer 34

* Message Digest 5 * 128 bit hash * Can produce collisions and should not be used

Answer 35

* Secure Hash Algorithm * A family of 3 algorithms * -1 is unsecure * -2 is most common today * -3 uses a completely different technique, and a hash output of any length can be chosen, ready to replace SHA-2 someday * Some don't trust SHA because of its roots in US gov't, NSA

Answer 36

Secure Hashing Algorithm v. 1 * 160 bit * unsecure, prone to collision attacks

Answer 37

Secure Hashing Algorithm v. 2 Consists of: * SHA-224 * SHA-256 (most common) * SHA-384 * SHA-512, -512/224, -512/256 (truncated versions with same security but smaller output) * 224 and 256 are 512 bit block, 32 bit word, making them more efficient for 32 bit environment / applications * 384, 512, and 512-truncated are 1024 bit block, 64 bit word, more efficient for 64 bit environment / applications * generally considered secure, including by NIST, but follows the same principals as MD5 and SHA-1 and is therefore susceptible to the same attacks; flaws in certain configs of SHA-2 have been found

Answer 38

* actually secure * allows use of any fixed-length output * completely different mathematical basis than MD5, SHA-1 or SHA-2

Answer 39

* Race Integrity Primitives Evaluation Message Digest * 128, 160, 256, and 320 bit hash lengths * 128 no longer secure * created free of involvment with the US government and NSA

Answer 40

Hash-based Message Authentication Code Definition: A cryptographic method that uses a **hash function** and a **secret key** to ensure **authentication** and **integrity**. How it works: * The secret key and the message are combined inside the HMAC function to produce a hashed **Message Authentication Code (MAC)** * This **MAC** is what gets sent along with the message, but the secret key is kept secret by both the sender and the receiver. * When the receiver gets the message and MAC, they use their copy of the same secret key (which they already know) to recreate the MAC and verify the message.

Answer 41

Message Authentication Code The output of the MAC-generating method (hash-based or otherwise!) that combines a message with a secret key. Provides assurance of message **integrity** and sender **authenticity**.

Answer 42

Elliptic Curve Digital Signature Algorithm * a cryptographic algorithm used for creating and verifying digital signatures, based on elliptic curve cryptography (ECC) * Security: ECDSA is considered a secure and acceptable algorithm for creating and verifying digital signatures. * Usage: It is one of the three digital signature algorithms supported for use in the U.S. government, alongside RSA and EdDSA.

Answer 43

Digital Signature Standard * a federal standard for digital signatures, established by the U.S. government. It specifies the use of the Digital Signature Algorithm (DSA) to ensure the authenticity and integrity of digital messages or documents * Approved DSA's: RSA, ECDSA, EdDSA

Answer 44

Edwards-curve Digital Signature Algorithm * offers faster signature generation and verification compared to traditional algorithms like ECDSA, while maintaining strong security * uses twisted Edwards curves to provide high performance, even in constrained environments * used for secure authentication and integrity * one of the DSS-recommended digital signature algorithms alongside RSA and ECDSA, especially for environments requiring high efficiency.

Answer 45

Registration Authority * An entity in Public Key Infrastructure (PKI) that verifies an applicant’s identity before passing the request to the Certificate Authority (CA) for certificate issuance. It ensures that only authenticated and authorized users receive certificates.

Answer 46

Certificate Authority * A trusted entity in Public Key Infrastructure (PKI) that issues and digitally signs certificates, verifying the identity of certificate holders. The CA ensures the authenticity of the certificate and its associated public key.

Answer 47

Subject Alternative Name * An extension to an X.509 certificate that allows multiple domain names or IP addresses to be associated with a single certificate. * Commonly used for securing multiple domains or subdomains with a single SSL/TLS certificate.

Answer 48

An extension of OCSP in which *the certificate subjects*, rather than the end users, reach out to the OCSP server of the CA to verify the web server's certificate. This verification is "stapled" to the server's certificate and will be accepted by all of the many web browsers contacting the server throughout the day. This validation is usually valid for 24 hours and saves the CA's OCSP server from having to verify the same certificate for millions of different users millions of times a day.

Answer 49

A process whereby you can have your internal CA trusted by a 3rd party CA and the outside world; multiple certificates are linked together to establish trust between a root certificate (trusted by all) and an end certificate. Each certificate in the chain is signed by the next higher certificate, creating a chain of trust from the root CA to the user's certificate. Additional Explanation: * **Root CA**: The starting point of trust, whose certificate is self-signed. * **Intermediate CA**: Links between the root CA and end-user certificates, often signed by the root CA or another intermediate CA. This would be your "internal" CA * **End Certificate**: The final certificate, issued to the end user or device, used for secure communication.

Answer 50

Protect sensitive root keys by not being on a network. Used to sign certificates of intermediate (online) CA's belonging to the same org. Any "top-level" / "global root" CA you see is most likely an offline CA that signed a lower CA's cert in the chain of trust.

Answer 51

Domain Validation * Verifies domain ownership * lowest level

Answer 52

Organizational Validation * Verifies business/orginazation name against business records * state business registrations, or reputable business databases

Answer 53

Extended Validation * extensive investigation to verify the physical existence and legitimacy of the organization

Answer 54

* Binary certificate format * .der, .cer, .crt file extensions * most common

Answer 55

* An ASCII equivalent of the binary DER certificat format * .pem, .cer, .crt, .key file extensions * Can easily convert between text-based PEM and and binary DER formats using OpenSSL * **note** that in the case of .crt or .cer files, you can't tell if it is DER or PEM without looking at it! * Name comes from deprecated Privacy Enhanced Mail secure email standard * The certificate format is still used even though the mail standard is not

Answer 56

Personal Information Exchange * binary format commonly used by windows systems * .pfx or .p12 file extensions

Answer 57

* ASCII text equivalent format to PFX * also commonly used in Windows * .p7b file extension

Answer 58

* Rivest-Shamir-Adleman (RSA) * Elliptic Curve Digital Signature Algorithm (ECDSA) * Edwards Curve Digital Signature Algorithm (EdDSA) All consider secure and acceptable for use in creating and verifying digital signatures

1.4 : Cryptographic Solutions Flashcards

Explain the importance of using appropriate cryptographic solutions (84 cards)