CISSP (Domain 5 - Cryptography) Flashcards
1
Q
4 Cryptography Goals
CAIN
A
- Confidentiality: no unauthorized access (encrypt with public decrypt with private)
- Authenticity: Validate source (encrypt with private decrypt with public)
- Integrity: Message not modified
- Non-repudiation: Sender can’t deny
2
Q
Hash
A
Unique digital representation of the “thing”
3
Q
Symmetric Ciphers (Algorithms)
A
- Share Key
- Stream/Block Ciphers (XOR/Substitution)
- Ciphered and decrypted with the same key
- Confidentiality but no non-repudiation
- Faster
*DES, 3DES, AES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, CAST, SAFER, Serpent
4
Q
Asymmetric Ciphers
A
- PKI (Public/Private key pairs)
- No normal reason to share private key
- Confidentiality, Authentication, non-repudiation
5
Q
One-Time Pad Encryption
A
- Key is the same size as the message and only used once
- Impossible to break
- Key exchange is cumbersome
6
Q
Exclusive OR (XOR)
A
- Binary mathematical operation applied to two bits
- Key and text turned into binary, then math is done.
+If both bits are the same, result is 0
+If both bits are different, results is 1
7
Q
Cipher Text
A
Encrypted text
8
Q
Stream Cipher (Symmetric) (FSHR)
A
- Faster than block cipher
- Operates on smaller units of plaintext (bits)
- Good for hardware
- Randomized key string with no repeatable patterns WEP
*Only RC4
9
Q
Block Cipher (Symmetric) (DLSC)
A
- Divided into blocks and put through mathematical functions called Substitution Boxes (S-Boxes)
- Operates on larger units of plaintext (64 bits)
- Good for software
- Most Common
*56 Bit DES
10
Q
Data Encryption Standard (DES)
DType/key/calc/blocks
A
- Used for sensitive and unclassified data
- *56 bit key with 8 for parity (SBOX)
- *16 rounds of calculations
- *64 bit Blocks
11
Q
2 Modes for Block Ciphers
CE
A
- *Cipher Block Chaining: XOR before cipher (Errors)
- Electronic Code Book: Same ciphertext for plaintext
12
Q
3 Modes of Stream Block Ciphers
COC
A
- *Cipher Feedback Mode (CFB): Prev ciphertext used to encrypt next block (Errors)
- Output Feedback Mode (OFB): Output of prev block calc is used as imput for next block
- Counter Mode (CRT): AES encryption, IVs are successive values
13
Q
Triple DES
EC
A
- Encrypts messages three times with multiple keys
- 48 rounds of computation (256 times stronger)
14
Q
Advanced Encryption Standard (AES)
RA/BS/KS
A
- Rijndael Algorithm
- Block Symmetric Encryption Algorithm (Block size 128/192/256)
- Key size of 128/192/256 (Variable)
15
Q
Calculating the Number of Necessary Keys for Symmetric Encryption (Formula)
A
Keys = N(N - 1) / 2
16
Q
3 Symmetric Key Cryptography Issues
DEC
A
- Distinct key needed for each couple communicating
- The more the key is used to encrypt large amounts of data, the more the key is exposed
- Can’t be used for digital signatures
17
Q
3 Symmetric Key Cryptography Weaknesses
KD/S/LS
A
- Key Distribution: secure mechanism needed to deliver keys
- Scalability: Each pair of users needs a unique pair of keys
- Limited Security: No non-repudiation, only confidentiality
18
Q
Diffie-Hellman
etype/ri,sr,ssk/agr/no/based/vuln
A
- Asymmetric PK
- Random input, share result, shared session key
- Allows users to agree on a symmetric key over a non-secure medium
- Does not provide data encryption or digital signatures
- Security based on discrete logarithms in a finite field
- Vulnerable to MITM attacks
19
Q
RSA
type/ds,kd,e/ksize/lpn
A
- Asymmetric PK
- Digital Signatures, Key distribution, encryption
- Min 1024 key size
- Large prime numbers
20
Q
El Gamal (type/ds,e,ke/uses)
A
- Asymmetric PK
- Digital Signatures, encryption, key exchange
- Uses discrete logarithms in a finite field and DH key agreement
21
Q
Elliptic Curve Cryptography (ECC)
type/ds,kd,e/me/minb
A
- Asymmetric PK
- Digital Signatures, Key distribution, encryption
- More efficient, limited processing power products
- Min 112 bites
22
Q
MD5 Hashing Algorithm (bit digest)
A
128-Bit digest
23
Q
SHA-1 512 (bit digest)
A
160-Bit digest
24
Q
Diffie-Hellman Key Agreement (4 steps)
geck
A
- generate value from random string
- exchange value with other party
- complete calculation using the local value and the received value
- Unique, mathematically identical key is created
25
Trusted Platform Module (TPM)
| gah
- Offers facilities for the generation of cryptographic keys
- Software can use to authenticate hardware devices
- *Hardware Based Encryption
+Real-time protection of data
+AuthN HD to PC
26
Digital Signature Services
| Provides/Enc/Hash/Both
- Provide Integrity, Authentication, Non-repudiation
- If message is encrypted it provides confidentiality
- Hashed message provides integrity
- Message can be digitally signed and encrypted to provide Integrity, Authentication, Non-repudiation, and confidentiality
27
Hashing Collision
2 messages with the same digest
28
Ciphertext-Only Attack (Cryptosystems)
- Captured ciphertext only
| - Most Common
29
Known-Plaintext Attack (Cryptosystems)
- Captured ciphertext and plaintext
30
Link Encryption Advantage/Disadvantage
(a-en/low)
(d-key/dec)
Advantages:
- Encrypts all data in packet (Headers, addresses, routing info)
- Works at lower level of OSI
Disadvantage:
- Key distribution
- Message decrypted at each hop, more points of vulnerability
31
End-to-End Encryption Advantage/Disadvantage
(a-each/prot/enc)
(d-enc/dec)
Advantages:
- Each hop does not need key to decrypt packet (Mac Header)
- Protects info from start to finish
- Only payload encrypted
Disadvantages:
- Headers, addresses, routing information not encrypted
- Destination system needs to have same encryption mechanism to decrypt
32
Domain Name Service Security (DNSSEC)
- DNS Server distributes keys
| - Secure DNS
33
Secure Remote Procedure Call (S-RPC)
| sec/enc/key
- Secure computer to computer connections
- Uses DES to encrypt message
- Uses Diffie-Hellman to create key pair
34
Generic Security Services API (GSSAPI)
Key exchange, generic authentication, provides encryption interface for different AuthN methods and systems
35
Secure Shell (SSH)
- Provides multiplexed encrypted tunnel into several logical channels.
- Server authN to client
- User authentication protocol
36
Secure Electronic Transaction (SET)
| key/con/ds/enc
- PKI
- Confidentiality through DES
- Digital signatures using RSA
- Encrypts payment cards and cardholders' data
37
Internet Protocol Security (IPSec)
| framew/layer/sec/3con
- Framework to ensure secure communication over IP networks
- Layer 3 (Network)
- Secure between two nodes instead of two applications
- Host to host, Host to subnet, subnet to subnet
38
IPSec Transfer Mode
- Payload encrypted
| - MAC/IP header open
39
IPSec Tunnel Mode
- Payload and IP header encrypted
| - MAC header open
40
Secure Multipurpose Internet Mail Extensions (S/MIME)
| stand/layer/against/prov/need
- Standard for encrypting and digitally signing electronic mail that contains attachments and for providing secure data transmissions.
- Application Layer
- Countermeasure against message interception and forgery
- Provides Data integrity, confidentiality (users enc algorithm), and authentication (X.509 public key)
- Needs key management system
41
Secure Email Security Services (4 Things)
| CIAN
- Confidentiality, Integrity, Authentication, Non-repudiation
42
Online Certificate Status Protocol (OCSP)
Used to validate authenticity of certificates
43
X.509
Digital Certificates
44
X.500
Directory Services
45
X.400
Electronic Messaging
46
X.25
Data Communication Protocol
47
PKI Security Services (5 Things)
| CIANA
- Confidentiality, Integrity, Authentication, Non-repudiation, Access Control
48
Components of PKI
| cert/sn/ds
- X.509 v3 Certificates
- Serial number in certificate unique
- All data digitally signed by trusted anchor
49
Steganography
- Modifies least significant bits
| - Hiding a message in an image
