Cryptographic Systems

Question 1

Cryptology

Answer 1

Is the science of making and breaking secret codes. The development and use of codes is called cryptography, and breaking codes is called crypt-analysis

Question 2

Data Encryption Standard (DES)

Answer 2

• is a cipher/ a method of encrypting information
• DES is now considered to be insecure for many applications: chiefly due to the 56-bit key size being too small. Can be broken in as few as 24 hours.
• is believed to be practically secure in the form of triple DES

Question 3

Advanced Encryption Standard (AES)

Answer 3

• successor of DES
• Is a symmetric cipher defined in federal information processing (FIPS) standard number 197 in 2001
• NSA approves 128-bit for SECRET and 192-bit AES for TOP SECRET
• AES has a fixed block size of 128, 192, or 256 bits (those are the 3 approved key lengths)

Question 4

3 Approved AES key lengths

Answer 4

128 bit
192 bit
256 bit

Question 5

Triple DES / 3DES

Answer 5

• 3des is 256 times stronger than DES
• It takes a 64-bit block of data and then performs 3 DES operations in sequence, encrypt, decrypt, encrypt
• requires additional processing time
• can use 1,2, or 3 different keys (1 key = DES)

Question 6

Software-optimized Encryption Algorithm (SEAL)

Answer 6

Is an alternative algorithm to software based DES, 3DES, and AES

• Is a stream cipher that uses a 160-bit encryption key
• Because it is a stream cipher, data to be encrypted is continuously encrypted and therefore much faster than block ciphers
• longer initialization phase during which a large set of tables is created using SHA
• SEAL has a lower impact on CPU compared to other software-based algorithms
• SEAL support was added to cisco IOS release 12.3(7)T

Question 7

RC Algorithms

Answer 7

Rc algorithms are widely deployed in many networking applications because of their favorable speed and variable key-length capabilities
Several Variations of RC algorithms:
-RC2
-RC4
-RC5
-RC6

Question 8

RC2

Answer 8

Variable key-size block cipher that was designed as a “drop-in” replacement for DES

Question 9

RC4

Answer 9

• Worlds most widely used stream cipher.
• Variable key-size stream cipher that is often used in file encryption products and for secure communications, such as within SSL
• It is not considered a one-time pad, because the key is not random
• The cipher can be expected to run very quickly in software and is considered secure, although it can be implemented insecurely, as in Wired Equivalent Privacy (WEP)

Question 10

RC5

Answer 10

a fast block cipher that has a variable block size and key size. RC5 can be used as a drop-in replacement for DES if the block size is set to 64-bit

Question 11

RC6

Answer 11

RC6 was an AES finalist. a 128-bit to 256-bit block cipher that was designed by rivest, sidney, and yin and is based on RC5.

Question 12

Bulk Data Encryption - symmentric keys

Answer 12

• The best encryption method for bulk encryption is AES
• AES provides good security and speed and versatility across a variety of computer platforms.
• RSA keys are large numbers that are only suitable for short messages
• DES can be brute forced
• 3DES can take a long time (3 times as long as DES)

Question 13

Symmetric Encryption Algorithm examples (3)

Answer 13

1. DES
2. 3DES
3. AES
   Symmetric encryption requires a much larger key size to achieve the same level of protection as asymmetric encryption.

Question 14

Stream Cipher

Answer 14

A stream cipher converts one symbol of plaintext directly to a symbol of ciphertext

• Stream ciphers encrypt plaintext one byte or one bit at a time
• Can be much faster than block ciphers, and generally do not increase the message size

Question 15

Block Ciphers

Answer 15

Encrypt a group of plaintext symbols as one block
- most modern symmetric encryption algorithms are block ciphers
-block sizes vary, 64=des 128=aes
-Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits
-

Question 16

Stream Encryption Advantages

Answer 16

• Speed of transformation: algorithms are linear in time and constant in space
• low error propagation: an error in encrypting one symbol likely will not affect subsequent symbols

Question 17

Stream Encryption Disadvantages

Answer 17

Low Diffusion: All information of plaintext symbols is contained in a single ciphertext symbol
Susceptibility to insertions/modifications: and active interceptor who breaks the algorithm might insert spurious text that looks authentic

Question 18

Block Encryption Advantages

Answer 18

High diffusion: information from one plaintext symbol is diffused into several ciphertext symbols.

Immunity to tampering: difficult to insert symbols without detection

Question 19

Block Encryption Disadvantages

Answer 19

Slowness of encryption: an entire block must be accumulated before encryption / decryption can begin

Error propagation: An error in one symbol may corrupt the entire block.

Question 20

Message Digest 5 (MD5)

Answer 20

• is a widely used cryptographic hash function with a 128-bit hash value
• As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files
• An MD5 hash is typically expressed as a 32-character hexadecimal number.
• In 1996, a flaw was found with the design of MD5; while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found vulnerable itself)

Question 21

Secure Hash Algorithm (SHA1, SHA2)

Answer 21

The Sha hash functions are five cryptographic hash functions designed by the NSA and published by the NIST
-The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512
the latter 4 variants are somtimes collectivly called SHA-2
-SHA-1 produces a message digest that is 160 bits long, the number in the other 4 variants denote the bit length of the digest they produce.
-SHA-1 is employed in several widely used security applications and protocols: TLS, SSL, PGP, SSH, S/MIME, and IPsec
-considered to be the successor to MD5

Question 22

SHA-3

Answer 22

winner of a contest IN 2007 afteR SHA-2 has vulnerability worries
- known as keccak

Question 23

MD5 vs. SHA

Answer 23

• Longer hash values = more secure
• MD5 and SHA-1 are based on previous version of the message digest algorithm
• sha-1 involves 80 steps, and MD5 involves 64 steps
• when choosing a hashing algorithm, use SHA-256 or higher

Question 24

HMAC

Answer 24

is a message authentication code (MAC) that is calculated using a hash function and a secret key

• hash functions are the basis of the protection mechanism of HMACs
• the output of the hash function now depends on the input data and the secret key
• authenticity is guarenteed because only the sender and the reciever know the secret key
• The above characteristic defeats man-in-the-middle attacks and provides authentication of the data origin

Question 25

Asymmetric Key Algorithms

Answer 25

- also called public-key algorithms are designed so that the key that is used for encryption is different from the key that is used for decryption - the decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa

Question 26

4 asymmetric key algorithms

Answer 26

1. Internet key exchange (IKE) 2. Secure Socket Layer (SSL) 3. Secure Shell (SSH) 4. Pretty good privacy (PGP)

Question 27

well known asymmetric key algorithms

Answer 27

- Diffie-hellman - Digital signature standard (dss) - Rsa encryption algorithms - Elgamal - Elliptical curve techniques

Question 28

Two main criteria to be considered when selecting an encryption algorithm:

Answer 28

1. the algorithm is trusted by the cryptographic community 2. The algorithm adequately protects against brute-force attacks other: the algorithm supports variable and long key lengths and scalability

Question 29

Diffie-Hellman Key Exchange

Answer 29

Both sides Create a public and private key, send public key to other side. use both public and private keys to generate a value (both sides will have same value) public key decrypts, private key encrypts. Not good for large amounts of data so after confirming each other with these public keys one side creates a symmetrical key that is shared and then data is transmitted while being symmetrically encrypted.

Question 30

Digital Signature security Services

Answer 30

Authenticity of digitally signed data: digital signatures authenticate a source, proving that a certain party has seen and signed the data in question. Integrity of digitally signed data: Digital signatures guarantee that the data has not changed from the time it was signed Nonrepudiation of the transaction: the recipient can take the data to a third party and the third party accepts the digital signature as a proof that this data exchange did take place. the signing party cannot repudiate that it has signed the data.

Question 31

Digital Signature Situations

Answer 31

- to provide a unique proof of data source, which can only be generated by a single party, such as contract signing in e-commerce environments - to authenticate a user by using the private key of the user and the signature it generates - to prove the authenticity and integrity of PKI certificates - to provide nonrepudiation using a secure timestamp and a trusted time source

Question 32

Asymmetrical Encryption Algorithms and key lengths

Answer 32

``` Diffie-Hellman - 512,1024, 2048 Digital signature standard (DSS) and Digital Signature Algorith (DSA) - 512 to 1024 RSA encryption algorithms - 512 to 2048 ElGamal - 512 to 1024 Elliptical curve techniques - 160 ```

Question 33

PKI

Answer 33

is a set of technical, organizational, and legal components that are needed to establish a system that enables large-scale use of public key cryptography to provide authenticity, confidentiality, integrity, and nonrepudiation services. The PKI framework consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.

Question 34

PKI Certificates

Answer 34

Used for various purposes in a network. Certificates are public information. They contain the binding between the names and public keys of entities and are usually published in a centralized directory so that other PKI users can easily access them.

Question 35

PKI Certificate Authority (CA)

Answer 35

A trusted third-party entity that issues certificates. The certificate of a user is always signed by a CA. Every CA also has a certificate containing its public key, signed by itself. This is called a CA certificate or, more properly, a self-signed CA certificate.