Cryptographic Solutions

Question 1

Symmetric Encryption

Answer 1

■ Uses a single key for both encryption and decryption
■ Often referred to as private key encryption
■ Requires both sender and receiver to share the same secret key
■ Offers confidentiality but lacks non-repudiation
■ Challenges with key distribution in large-scale usage

Question 2

Asymmetric Encryption

Answer 2

■ Uses two separate keys
● Public key for encryption
● Private key for decryption

■ Often called “Public Key Cryptography”
■ No need for shared secret keys
■ Commonly used algorithms include Diffie-Hellman, RSA, and Elliptic Curve
Cryptography (ECC)
■ Slower compared to symmetric encryption but solves key distribution challenges

Question 3

Hybrid Approach

Answer 3

■ Combines both symmetric and asymmetric encryption for optimal benefits
■ Asymmetric encryption used to encrypt and share a secret key
■ Symmetric encryption used for bulk data transfer, leveraging the shared secret
key
■ Offers security and efficiency

Question 4

Stream Cipher

Answer 4

■ Encrypts data bit-by-bit or byte-by-byte in a continuous stream
■ Uses a keystream generator and exclusive XOR function for encryption
■ Suitable for real-time communication data streams like audio and video
■ Often used in symmetric algorithms

Question 5

Block Cipher

Answer 5

■ Breaks input data into fixed-size blocks before encryption
● Usually 64, 128, or 256 bits at a time
■ Padding added to smaller data blocks to fit the fixed block size
■ Advantages include ease of implementation and security
■ Can be implemented in software, whereas stream ciphers are often used in
hardware solutions

Question 6

Symmetric Algorithms

Answer 6

DES
3DES
IDEA
AES
Blowfish
Twofish
RC Cipher Suite

Question 7

DES

Answer 7

Data Encryption Standard

64-bit key
56-bit strength
Deprecated

Question 8

3DES

Answer 8

Triple DES

Three 56-bit keys
Provides 112-bit strength
Slower than DES

Question 9

IDEA

Answer 9

International Data Encryption Algorithm

128-bit key
Faster and more secure than DES

Question 10

AES

Answer 10

Advanced Encryption Standard

Replaced DES and 3DES as US gvt encryption standard

Supports 128-bit, 192-bit, or 256-bit keys

Widelely adopted. Standard encryption for sensitive unclassified information

Question 11

Blowfish

Answer 11

DES replacement
32 to 448 bits key size
Not widely adopted

Question 12

Twofish

Answer 12

Open source and available for use

Supports 128, 192, or 256 bits key size

Question 13

RC Cipher suite

Answer 13

RC4: stream cipher with keys from 40 to 2048 bits. Used in SSL and WEP

RC5: Block cipher up to 2048 bits

RC6: based on RC5, DES replacement

Question 14

Asymmetric Algorithms

Answer 14

Diffie-Hellman
RSA
ECC

Question 15

Diffie-Hellman

Answer 15

● Used for key exchange and secure key distribution
● Vulnerable to man-in-the-middle attacks, requires authentication
● Commonly used in VPN tunnel establishment (IPSec)

Question 16

RSA

Answer 16

Rivest, Shamir, Adleman

● Used for key exchange, encryption, and digital signatures
● Relies on the mathematical difficulty of factoring large prime numbers
● Supports key sizes from 1024 to 4096 bits
● Widely used in organizations and multi-factor authentication

Question 17

ECC

Answer 17

Elliptic Curve Cryptography

● Efficient and secure, uses algebraic structure of elliptical curves
● Commonly used in mobile devices and low-power computing
● Six times more efficient than RSA for equivalent security

Question 18

ECC variants

Answer 18

○ ECDH (Elliptic Curve Diffie-Hellman)
○ ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
○ ECDSA (Elliptic Curve Digital Signature Algorithm)

Question 19

Hashing

Answer 19

One-way cryptographic function that produces a unique message digest from an input

Question 20

Hash Digest

Answer 20

■ Like a digital fingerprint for the original data
■ Always of the same length regardless of the input’s length

Question 21

Common Hashing Algorithms

Answer 21

MD5
SHA
RIPEMD
HMAC

Question 22

MD5

Answer 22

Message Digest Algorithm 5

● Creates a 128-bit hash value
● Limited unique values, leading to collisions
● Not recommended for security-critical applications due to vulnerabilities

Question 23

SHA

Answer 23

Secure Hash Algorithm Family
● SHA-1
○ Produces a 160-bit hash digest, less prone to collisions than MD5
● SHA-2
○ Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512)
● SHA-3
○ Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of
computations

Question 24

RIPEMD

Answer 24

RACE Integrity Primitive Evaluation Message Digest

● Versions available
○ 160-bit (Most common)
○ 256-bit
○ 320-bit
● Open-source competitor to SHA but less popular

Question 25

HMAC

Answer 25

Hash-based Message Authentication Code ● Checks message integrity and authenticity ● Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1, HMAC-SHA256)

Question 26

Digital Signatures

Answer 26

■ Uses a hash digest encrypted with a private key ■ Sender hashes the message and encrypts the hash with their private key ■ Recipient decrypts the digital signature using the sender's public key ■ Verifies integrity of the message and ensures non-repudiation

Question 27

Common Digital Signature Algorithms

Answer 27

DSA RSA

Question 28

DSA

Answer 28

Digital Security Algorithm ● Utilized for digital signatures ● Uses a 160-bit message digest created by DSS (Digital Security Standard)

Question 29

Common Hashing Attacks

Answer 29

Pass the Hash Attack Birthday Attack

Question 30

Pass the Hash Attack

Answer 30

● A hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user's password instead of requiring the associated plaintext password ● Hashes can be obtained by attackers to impersonate users without cracking the password ● Difficult to defend against due to various Windows vulnerabilities and applications ● Penetration tools like Mimikatz automate hash harvesting

Question 31

Birthday Attack

Answer 31

● Occurs when two different messages result in the same hash digest (collision) ● Named after the Birthday Paradox, where shared birthdays become likely in a group ● Collisions in hashes can be exploited by attackers to bypass authentication systems ● Use longer hash output (e.g., SHA-256) to reduce collisions and mitigate the attack

Question 32

Key stretching

Answer 32

● Technique that is used to mitigate a weaker key by creating longer, more secure keys (at least 128 bits)

Question 33

Salting

Answer 33

● Adds random data (salt) to passwords before hashing

Question 34

Nonce

Answer 34

Number Used Once ● Adds unique, often random numbers to password-based authentication processes ● Prevents attackers from reusing stolen authentication data ● Adds an extra layer of security against replay attacks

Question 35

PKI

Answer 35

Public Key Infrastructure ■ Based on asymmetric encryption ■ Facilitates secure data transfer, authentication, and encrypted communications ■ Used in HTTPS connections on websites

Question 36

Public Key Cryptography

Answer 36

● Refers to the encryption and decryption process using public and private keys ● Only a part of the overall PKI architecture

Question 37

Key Escrow

Answer 37

■ Storage of cryptographic keys in a secure, third-party location (escrow) ■ Enables key retrieval in cases of key loss or for legal investigations

Question 38

Digital Certificates

Answer 38

■ Digitally signed electronic documents ■ Bind a public key with a user's identity ■ Used for individuals, servers, workstations, or devices ■ Use the X.509 Standard

Question 39

Types of digital certificates

Answer 39

■ Wildcard Certificate ■ SAN (Subject Alternate Name) field ■ Single-Sided ■ Dual-Sided Certificates ■ Self-Signed Certificates ■ Third-Party Certificates

Question 40

Root of trust

Answer 40

● Highest level of trust in certificate validation ● Trusted third-party providers like Verisign, Google, etc.

Question 41

CA

Answer 41

Certificate Authority ● Trusted third party that issues digital certificates ● Certificates contain CA's information and digital signature ● Validates and manages certificates

Question 42

RA

Answer 42

Registration Authority ● Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate ● Collects user information for certificates ● Assists in the certificate issuance process

Question 43

CSR

Answer 43

Certificate Signing Request ● A block of encoded text with information about the entity requesting the certificate ● Includes the public key ● Submitted to CA for certificate issuance

Question 44

CRL

Answer 44

Certificate Revocation List ● Maintained by CAs ● List of all digital certificates that the certificate authority has already revoked ● Checked before validating a certificate

Question 45

OCSP

Answer 45

Online Certificate Status Protocol ● Determines certificate revocation status or any digital certificate using the certificate's serial number ● Faster but less secure than CRL

Question 46

OCSP Stapling

Answer 46

● Alternative to OCSP ● Allows the certificate holder to get the OCSP record from the server at regular intervals ● Includes OCSP record in the SSL/TLS handshake ● Speeds up the secure tunnel creation

Question 47

Public Key Pinning

Answer 47

● Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates ● Presents trusted public keys to browsers ● Alerts users if a fraudulent certificate is detected

Question 48

Key Recovery Agents

Answer 48

● Specialized type of software that allows the restoration of a lost or or corrupted key to be performed ● Acts as a backup for certificate authority keys