Chapter 2: Implementing Public Key Infrastructure Flashcards by Dakota Edmunds

This is an asymmetric encryption that has a Certificate Authority and the infrastructure to help with issuing and managing certificates.

Public Key Infrastructure (PKI)

How well did you know this?

Not at all

Perfectly

PKI has two different keys; hence why it is an asymmetric encryption. It also has a certificate hierarchy, called the Certificate Authority, that manages, issues, validates, and revokes certificates.

PKI Concepts

How well did you know this?

Not at all

Perfectly

It is the ultimate authority as it has the master key, or root key, for signing all certificates.

Certificate Authority

How well did you know this?

Not at all

Perfectly

The certificate authority gives signed certificates to the _____ who then turns around and issues the certificate to the requester.

Intermediary

How well did you know this?

Not at all

Perfectly

Always up and running so that people in the company can request a certificate and any time. This would not be allowed in a government or top-security environment.

Online CA

How well did you know this?

Not at all

Perfectly

This tends to be in a military or top-secret environment where the clearance and vetting must be completed first before even requesting a certificate. Turned

Offline CA

How well did you know this?

Not at all

Perfectly

Also known as a third-party CA and is the commercially accepted as an authority for issuing public certificates.
The benefit of using a third-party CA is that all of the management is handled by them; so all you have to do is purchase the service and download it.

Public CA

How well did you know this?

Not at all

Perfectly

This list allows you to check whether or not your certificate is valid. A certificate that is not valid will not work if you were trying to sell goods to other companies; this is known as a B2B transaction and it needs a public certificate.

Certificate Revocation List

How well did you know this?

Not at all

Perfectly

This certificate can only be used internally. Even though it is free; you must maintain the certificate and that can require a skill set from your company.

Private CA

How well did you know this?

Not at all

Perfectly

This authority validates and accepts the incoming requests from certificates from users an then notifies the CA to issue the certificates. These issued certificates are known as X509 certificates.

Registration Authority

How well did you know this?

Not at all

Perfectly

It could be the RA that issues the certificates to users. Subordinate CA could also be called an intermediary.

Subordinate CA

How well did you know this?

Not at all

Perfectly

This prevents the compromising of a CA and the issuing of fraudulent X509 certificates. It also prevents SSL man-in-the-middle attacks.

Certificate Pinning

How well did you know this?

Not at all

Perfectly

This type of certificate trust model in a PKI environment is the root certificate or master key that the whole chain of trust is derived from; this is the root CA.

Trust Anchor

How well did you know this?

Not at all

Perfectly

Comprised of two trust models:
Hierarchical Trust Model
Bridge Trust Model

This proves the authenticity of a certificate.

Trust Model

How well did you know this?

Not at all

Perfectly

This uses the hierarchy of the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model.

Hierarchical Trust Model

How well did you know this?

Not at all

Perfectly

This type of trust is peer-to-peer, where two separate PKI environments trust each other. The CAs communicate with each other, and allow for cross certification.

Bridge Trust Model

How well did you know this?

Not at all

Perfectly

The chain of trust uses the CRL to verify the validity of a certificate. It normally consists of three layers, the certificate vendor, the vendor’s CA, and the computer where the certificate is installed.

Certificate Chaining

How well did you know this?

Not at all

Perfectly

Every time a certificate is used, it must be checked for validity.
It goes through usually three checkpoints:
Certificate Revocation List

Online Certificate Status Protocol(OCSP)

OCSP Stapling/Certificate Stapling

Certificate validity can only be done by the CRL or OCSP. OCSP is used only when the CRL is going slow or had been replaced by the OCSP

Certificate Validity

How well did you know this?

Not at all

Perfectly

This is the process of requesting a new certificate.

Certificate Signing Request(CSR)

How well did you know this?

Not at all

Perfectly

This holds the private keys for third parties and stores them in a Hardware Security Module.

Key Escrow

How well did you know this?

Not at all

Perfectly

Can either be a piece of hardware that is attached to a server or a portable device that holds onto the keys. It stores and manages certificates.

Hardware Security Module (HSM)

How well did you know this?

Not at all

Perfectly

If the user cannot access their data or their private key is corrupted, this helps recover the data. This needs to get the private key from the key escrow.

Data Recovery Agent(DRA)

How well did you know this?

Not at all

Perfectly

Two main types:
public key
private key

Certificates

How well did you know this?

Not at all

Perfectly

This key is sent to third parties to encrypt the data.

public key

How well did you know this?

Not at all

Perfectly

This key will decrypt the data.

private key

The certificate is identified by its OID.

Object Identifier (OID)

``` Self-signed Certificates Wildcard Domain Validation Subject Alternate Name Code Signing Computer/Machine User Extended Validation ```

Types of Certificates

This type of certificate is issued by the same entity that is using it. It doesn't contain a CRL and it cannot be validated or trusted.

Self-Signing Certificate

this type of certificate works for domains and subdomains. For example: securityplus.training has a web server and mail server. Using *.securityplus.training would take the place of a web.securityplus.training, and mail.securityplus.training so that the FQDN works for both.

Wildcard

This type of certificate is equivalent to an X509 certificate that proves the ownership of a domain name.

Domain Validation

This type of certificate can be used on multiple domain names, and you can also insert other information into an SAN certificate like an IP address.

Subject Alternate Name(SAN)

This type of certificate is used to digitally sign software so that is guarantees authenticity.

Code Signing

This type of certificate can be used to identify a computer on the domain.

Computer/Machine

Proves authenticity of a user for the applications that they use.

User

This type of certificate provides a higher level of trust in identifying the entity that is using the certificate. This is normally seen in the financial arena. Companies applying for this certification have to provide more information about their company.

Extended Validation

(TIP)A wildcard certificate can be installed on multiple facing websites as a cheaper option. A self-signed certificate can be installed on internal face websites as a cheaper option.

TIP

It is a type of cypher that has uses a substitution method that switches out messages for other images, letter, etc to maintain cryptography.

Substitution Cypher

Type of rotation that moves the letter 13 places and uses the new letter.

ROT 13

This type of encryption uses one key. It will use a private or shared key. This private key will encrypt or decrypt the data. The main reason for using this type of encryption is that it can encrypt large amounts of data very quickly. This encryption is either DES 56 bit, 3DES 168 bit, AES 256 bit, Twofish 128 bit, and Blowfish 64 bit. The smaller the key, the faster it is, but the bigger the key, the more secure it is. Uses block cypher to transfer data faster.

Symmetric Encryption

This tunnel protects symmetric data when it is in transit. Its main purpose is to create a secure tunnel for symmetric data to pass through. It doesn't encrypt data but creates a more secure tunnel.

Diffie Hellman(DH)

This type of encryption uses two keys-- a public key and a private key-- it is also known as the PKI since it is complete with a CA and intermediary authorities.

Asymmetric Encryption

TIP Your private key, or a key pair, is never installed on another server. You always retain the private key just like your bank card. You give the public key away or install on another server.

Tip

TIP Encryption uses the recipients' public key, where a digital signature used the sender's private key.

TIP

This symmetric algorithm comes in three strengths: 128-,192-, and 256-bits. It is commonly used for L2TP/IPSec VPNs.

Advanced Encryption Standard (AES)

this symmetric algorithm groups data into 64-bit blocks, but for the purpose of the exam, it is seen as a 56-bit key, which makes it the fastest but weakest of the symmetric algorithms. This can be used for L2TP/IPSec VPNs, but it is weaker than AES.

Data Encryption Standard (DES)

This symmetric algorithm applies the DES three times to make it a 168-bit key. It may also be used for L2TP/IPSec VPNs, but is still weaker than AES.

Triple DES (3DES)

This symmetric algorithm is 40-bits long and is used by WEP. It is seen as a stream cipher.

Rivest Cipher 4 (RC4)

This symmetric algorithm is a 64-bit key. It is faster than Twofish and it was originally designed for encryption with embedded systems.

Blowfish

This symmetric algorithm is a 128-bit key. It is slower than Blowfish, but stronger. It was originally used for encryption with embedded systems.

Twofish

This Asymmetric algorithm does not encrypt the data. Its main purpose is to establish a secure session so that symmetric data can travel through it. More like a tunneling protocol in a way. Keys are created in the Internet Key Exchange on UDP port 500 to set up the secure session for the L2TP/IPSec VPNs.

Diffie Hellman (DH)

Used for a Diffie Hellman handshake; DH creates keys inside of this exchange.

Internet Key Exchange

This asymmetric algorithm was named after the three people that designed it. The keys here were the first public and private key pairs and they start at 1,024-bit, 2,046-bit, 3,072-bit, and 4096-bits. They are used for digital signatures and encryption.

Rivest, Shamir, and Adelman (RSA)

This asymmetric algorithm are sued for digital signatures; they start at 512-bits, but their 1,024-bit and 2,026-bit keys are faster than RSA for digital signatures.

Digital Signature Algorithm (DSA)

This asymmetric algorithm is a small, but fast key that is used in small mobile devices. However, AES-256 is used in military-grade mobile cell phones. It uses less processing power than other encryptions listed.

Elliptic Curve Cryptography (ECC)

This asymmetric algorithm is a short-lived key. It is used for a single session. and there are two of them: Diffie Hellman Ephemeral(DHE) Elliptic Curve Diffie Hellman Ephemeral (ECDHE)

Ephemeral Keys

This asymmetric algorithm is used between two users for both asymmetric encryption and digital signatures. For this algorithm to work, you'll need a private key and a public key. The first stage is to exchange the keys. It uses RSA keys.

Pretty Good Privacy (PGP)

This asymmetric algorithm is the free version of OpenPGP; it is also known as PGP. It also uses RSA keys.

GnuPG

(TIP)PGP is used for encryption between two people. S/MIME is used for digital signatures between two people.

TIP

This key stretching algorithm is a password-hashing algorithm based on the blowfish cipher. It is used to salt the passwords. A random string is appended to the password to increase the password length to help increase the compute time for a brute-force attack.

BCRYPT

This key stretching algorithm stores passwords with a random salt and with the password hash using HMAC. It then iterates, which forces the regeneration of every password and prevents any rainbow table attack.

PBKDF2

(TIP)Symmetric encryption is used to encrypt large amounts of data as they have small, fast keys and use block ciphers.

TIP

This cipher mode is a method of encrypting text (this produces ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. It is normally used by an asymmetric encryption.

Stream Cipher

This cipher method is where blocks of data is taken and then encrypted; for example, 128 bits of data may be ciphered at a time. This is the more popular method today and it is much faster than a stream cipher. It is used with a symmetric encryption with the exception of RC4.

Block Cipher

This mode of operation uses a random value as a secret key for data encryption. This secret number, also called a nonce, is used only time in any session. It is usually about the same size as the length of an encryption key or the block of the cipher in use. This mode of operation, it is known as a starter variable.

Initialization Vector (IV)

Used as a secret key for the encryption and is used only one time in any session.

nonce

This mode of operation adds XOR to each of the plaintext block from the ciphertext block that was previously produced. The first plaintext block has an IV that you XOR, and you then encrypt that block of plaintext. The next block of plaintext before you encrypt this block. When decrypting a ciphertext block, you need the XOR from the previous ciphertext block. If you are missing any blocks, then the decryption cannot be done.

Cipher Block Chaining (CBC)

This mode of operation replaces each block of the clear text with the block of ciphertext. The same plaintext will result in the same ciphertext. The blocks are independent from the other blocks. CBC is much more secure.

Electronic Code Book(ECB)

This mode of operation is a block cipher mode of operation that uses universal hashing over binary Galois field to provide authenticated encryption. It can be implemented in hardware and software to achieve high speeds with low cost and low latency.

Galois/Counter Mode (GCM)

This mode of operation turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a counter rather than an IV.

Counter Mode (CTR)

Quantum computing uses qubits, which can be switched on or off at the same time for somewhere in between.

superposition

For the purpose of the security plus exam, hashing is a one-way function cannot be reversed.

One-Way Function (Hashing)

This is a 128-bit hashing function. It has since been replaced by a 160-256-and 320 version. For the purpose of the exam, just know that it hashes data.

RIPEMD

This service provider provides support for the AES algorithm.

Microsoft AES Cryptographic Provider

This supports hashing and data signing with DSS and key exchanging for DH.

Microsoft DDS and DH/Channel Cryptographic

This type of data is data not being used and is stored either on a hard drive or external storage. Desktops and laptops: Can use bitlocker, with is known by the exam as Full disk encryption. These devices would need a TPM chip built into the MoBo. Data Loss Prevention is used to guard against data being stolen via USB. Tablets/Phones/USB or removable Drive: Will need Full Device Encryption to stop data being stolen.

Data-at-Rest

DLP works on a regular expression or a pattern match. Once that value has been matched, the data is blocked.

Data Loss Prevention

This type of data is used when purchasing items, TLS, SSL, HTTPS to encrypt the session before we enter the credit card information. If we are remote users, we would use we would use a VPN to tunnel into the workplace to access the data. TLS is normally used to encrypt emails as they travel between mail servers.

Data-in-Transit

When we use memory on a device, it is in random access memory or a faster block of memory called the CPU cache. We can protect this data by using full memory encryption.

Data-in-Use

The process where you take source code and make it look obscure, so that if it is stolen, it would not be understood. It is used to mask data.

Obfuscation

It is an algorithm that uses mathematical formulas to produce sequences of random numbers. These random numbers can be used when generating data encryption keys.

Pseudo-Random Number Generator (PRNG)

It doesn't link the session key to the server's private key. Therefore, even if a VPN server is compromised, the attacker cannot use the Servers private key to decrypt the session.

Perfect Forward Secrecy

This Attack happens when an attacker tries to match the hash; if the hash is matched, it is known as a collision, and this could compromise systems.

Collision

This is where a document, image, audio file, or video file can be hidden in another document, image, audio file, or video file.

Steganography

allows an accountant to run calculations against data while it is still encrypted and could be used with data in the cloud.

Homomorphic Encryption

This is a technique where you change one character of the input, which will ultimately change multiple bits of the output.

Diffusion

(TIP)We should not be using a key of fewer than 2046 bits as this is too insecure.

TIP

(TIP)When people access a company's network from a remote location, they should use a L2TP/IPSec VPN tunnel, using AES as the encryption method to create a secure tunnel across the network and to prevent a man-in-the-middle attack. Encryption should be coupled with mandatory access control to ensure the data is secure and kept confidential.

TIP

(TIP) Two reasons for integrity: Hashing to ensure the beginning hash and the ending hash is not tampered with and can be used as admissible data. Another is digitally signing your emails to ensure that they have not been tampered with during the transit stage.

TIP

When you digitally sign an email, you cannot deny that it is from you. This causes it to be legally binding.

Non-Repudiation

These devices will need to use an ECC for encryption because they do not have the processing power for conventional encryption.

Internet of Things (IOT) Devices

(TIP) We should be using at least a two factor authentication. Installing a RADIUS server adds an additional layer to authentication to ensure that authentication from the endpoints is more secure.

TIP