Flashcards in Cryptography Deck (101):

1

## Cross-certification

###
used to establish trust between different PKIs and build an overall PKI hierarchy.

Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies.

Cross certification does not check the authenticity of the certificates in the certification path.

2

## certification path validation

### check the authenticity of the certificates in the certification path

3

## What are the three main issues with key management?

### key recovery, key storage, and key change

4

## Which key should you use to ensure confidentiality of an e-mail message?

### the receiver's public key

5

## What are the three purposes of ElGamal?

### digital signatures, encryption of data, and key exchange

6

## What does a digital signature provide?

### non-repudiation for e-mail

7

## Which security standard sets security standards for hardware and software cryptographic modules?

### FIPS-140

8

## To which type of attack is the Diffie-Hellman algorithm susceptible?

### man-in-the-middle attacks

9

## What is contained within an X.509 CRL?

### a list of serial numbers of unexpired or revoked digital certificates that should be considered invalid

10

## AES - MixColumns

### provides diffusion by mixing the columns of the state via finite field mathematics.

11

## AES - SubRows

### provides diffusion by shifting rows (row of blocks) of the state.

12

## AES - SubBytes

### provides confusion by substituting the bytes of the state.

13

## AES - AddRoundKey

### is the final function applied in each round. It XORs the state with the subkey.

14

## Electronic Code Book (ECB)

###
- is the simplest and weakest form of DES.

- Block mode

- It uses no initialization vector or chaining.

- Each block is encrypted independently.

- Two plaintexts with partially identical portions (such as the header of a letter) encrypted with the same key will have partially identical ciphertext portions.

- Used for small amounts of data such as ATM PINs.

15

## Cipher Feedback (CFB)

###
- a stream mode (usually 8-bits). The first 8 bits that come from the algorithm are then XORed with the first 8 bits of the plaintext (the first segment).

- Each 8-bit segment is then transmitted to the receiver and also fed back into the shift register.

- It uses feedback (the name for chaining when used in stream modes) to destroy patterns.

- Like CBC, CFB uses an initialization vector and destroys patterns, and errors propagate.

16

## Cipher Block Chaining (CBC)

###
- a block mode that XORs the previous encrypted block of ciphertext to the next block of plaintext to be encrypted.

- The first encrypted block is an initialization vector.

- In this “chaining”, the result of encrypting one block of data is fed back into the process to encrypt the next block of data.

- This “chaining” destroys patterns, and encryption errors will propagate.

17

## Output Feedback (OFB)

###
- A stream mode of DES that uses portions of the key for feedback.

- errors will not propagate.

- This does pose some storage complications, especially if it were to be used in a high-speed link.

18

## Counter (CTR) mode

###
- a counter—a 64-bit random data block—is used as the first IV for feedback.

- every subsequent block, the counter is incremented by

- The counter is then encrypted just as in OFB, and the result is used as a keystream and XORed with the plaintext.

Because the keystream is independent from the message, it is possible to process several blocks of data at the same time, thus speeding up the throughput of the algorithm.

- used in high-speed applications such as IPSec and ATM.

19

## principal

### any entity that possesses a public key

20

## verifier

### an entity that verifies a public key chain.

21

## subject

### an entity that seeks to have a certificate validated.

22

## Trust anchor

### is a public key that verifies the certificate used in a digital signature.

23

## Symmetric algorithms

### DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent

24

## Asymmetric algorithms

### Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero

25

## Hash collision

### creates an identical hash for two different plaintexts.

26

## Simple Key-management for Internet Protocols (SKIP)

###
a key distribution protocol such as the Diffie-Hellman algorithm, which uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

SKIP is similar to SSL, except that it requires no prior communication in order to establish or exchange keys on a session-by-session basis.

27

## Rijndael

### a symmetric block cipher algorithm that uses variable block lengths and variable key lengths. It supports 128, 192, and 256 bits.

28

## How does PGP provide security?

###
- Confidentiality through the International Data Encryption Algorithm (IDEA) (symmetric).

- Integrity through the MD5 hashing algorithm.

- Authentication through public key certificates.

- Nonrepudiation through encrypted signed messages.

29

## What is Collision?

### Two or more plaintexts that generate the same hash.

30

## What is Collusion?

### An agreement between two or more individuals to subvert the security of a system.

31

## S/MIME

### Secure/Multipurpose Internet Mail Extensions—Leverages PKI to encrypt and authenticate MIME-encoded email.

32

## SIGABA

### Rotor machine used by the United States through World War II into the 1950s.

33

## Purple

### Allied name for the stepping-switch encryption device used by Japanese Axis powers during World War II.

34

## Enigma

### Rotor machine used by German Axis powers during World War II.

35

## Known-plaintext

### the attacker has access to both the ciphertext and the plaintext versions of the same message to find the key.

36

## Chosen-plaintext attack

### the attacker knows the algorithm used or has access to the machine used to determine the key.

37

## Adaptive-chosen plaintext

### attacker can modify the chosen input files to see what effect that would have on the resulting ciphertext.

38

## Chosen-ciphertext attacks

###
cryptanalyst chooses the ciphertext to be decrypted with the help of a decryption oracle.

Usually launched against asymmetric cryptosystems, where the cryptanalyst may choose public documents to decrypt that are signed (encrypted) with a user’s public key.

39

## Adaptive-chosen ciphertext

### begins with a chosen ciphertext attack in round 1. The cryptanalyst then “adapts” further rounds of decryption based on the previous round.

40

## ciphertext-only attack

### to discover the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages

41

## A message can be encrypted

### provides confidentiality

42

## A message can be digitally signed

### which provides authentication, nonrepudiation, and integrity.

43

## A message can be hashed

### which provides integrity.

44

## A message can be encrypted and digitally signed

### which provides confidentiality, authentication, nonrepudiation, and integrity.

45

## What are the root protocols of IKE?

### a combination of Internet Security Association and Key Management Protocol (ISAKMP) and Oakley

46

## What are the three components of an IPSec security association?

### a Security Parameter Index (SPI), the identity of the security protocol (AH or ESP), and the destination IP address

47

## What is key clustering?

### when two different keys encrypt a plaintext message and produce the same ciphertext

48

## Authentication includes

###
hash functions, digital signatures, and message authentication codes (MACs).

Cryptography supports all of the core principles of information security except authenticity.

49

## What is the purpose of embedding a timestamp within cipher text?

### It will decrease the chance of the message being replayed.

50

## What is used by a payroll application program to ensure integrity while recording transactions for an accounting period?

### time and date stamps

51

## What does cryptology encompass?

###
both cryptography and cryptanalysis.

Cryptology is the science of secure communications.

52

## What is ANSI X9.17 concerned with?

### concerned primarily with protection and secrecy of keys.

53

## Confusion

### means that the relationship between the plaintext and ciphertext should be as random as possible.

54

## Diffusion

### means the order of the plaintext should be spread out in the ciphertext.

55

## Substitution

### replaces one character for another; this provides confusion.

56

## Permutation (transposition)

### provides diffusion by rearranging the characters of the plaintext.

57

## Monoalphabetic

### uses one alphabet. A specific letter (e.g., “E”) is substituted for another (e.g., “X”).

58

## polyalphabetic ciphers

### uses multiple alphabets: “E” may be substituted for “X” one round and then “S” the next round.

59

## Modular math

### shows you what remains (the remainder) after division. It is sometimes called “clock math” because we use it to tell time.

60

## Cryptographic protocol governance

### describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization wide scale.

61

## Caesar cipher

###
a monoalphabetic rotation cipher used by Gaius Julius Caesar.

a substitution cipher

Caesar rotated each letter of the plaintext forward three times to encrypt,

62

## Book cipher

### uses whole words from a well-known text such as a dictionary.

63

## Running-key cipher

### instead of using whole words, they use modulus math to “add” letters to each other.

64

## Codebooks

### assign a code word for important people, locations, and terms.

65

## Vernam cipher

### the first type of one-time pad

66

## COCOM

###
Coordinating Committee for Multilateral Export Controls (COCOM) was designed to control the export of critical technologies to non-COCOM.

Replaced by Wassenaar Arrangement

67

## The formula for calculating how many symmetric keys are needed:

### n(n-1)/2

68

## 3DES

###
uses 168 bits of key length.

uses 48 rounds of computation

slow and complex compared to newer symmetric algorithms such as AES or Twofish.

69

## What is Chaining (called feedback in stream modes)?

###
seeds the previous encrypted block into the next block to be encrypted. This destroys patterns in the resulting ciphertext.

Electronic Code Book mode (see below) does not use an initialization vector or chaining

70

## DES

### uses 64-bit block size and a 56-bit key

71

## International Data Encryption Algorithm

###
is a symmetric block cipher designed as an international replacement to DES.

Uses a 128-bit key and 64-bit block size.

Drawbacks: slow speed compared to newer symmetric ciphers such as AES.

72

## AES

###
uses 128- (with 10 rounds of encryption), 192- (12 rounds of encryption), or 256-bit (14 rounds of encryption) keys to encrypt 128-bit blocks of data.

73

## What are the AES finalists?

### MARS, RC6, Rijndael, Serpent, Twofish

74

## Blowfish

###
uses from 32- to 448-bit (the default is 128) keys to encrypt 64-bit blocks of data

open algorithms, unpatented and freely available.

75

## Twofish

###
was an AES finalist, encrypting 128-bit blocks using 128- to 256-bit keys.

open algorithms, unpatented and freely available.

76

## RC5

###
Key size ranges from zero to 2040 bits.

32, 64, or 128-bit blocks.

77

## RC6

### encrypting 128-bit blocks using 128-, 192-, or 256-bit keys.

78

## Discrete logarithm

###
is the opposite of exponentiation

Used by Diffie-Hellman, ElGamal and ECC

79

## What are the three primary approaches to attack the RSA algorithm?

###
brute force

mathematical attacks

timing attacks, measuring the running time of the decryption algorithm.

80

## El Gamal

###
based on the work of Diffie–Hellman, but it included the ability to provide message confidentiality and digital signature services, not just session key exchange.

81

## MD5

### creates a 128-bit hash value based on any input length.

82

## SHA-1

###
creates a 160-bit hash value.

SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512

83

## Known key attack

###
means the cryptanalyst knows something about the key, to reduce the efforts used to attack it.

If the cryptanalyst knows that the key is an uppercase letter and a number only, other characters may be omitted in the attack.

84

## Differential cryptanalysis

###
seeks to find the difference between related plaintexts that are encrypted. The plaintexts may differ by a few bits.

It is usually launched as an adaptive-chosen plaintext attack; the attacker chooses the plaintext to be encrypted (but does not know the key) and then encrypts related plaintexts.

85

## Linear cryptanalysis

### a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key to derive information about the key used to create them.

86

## Algebraic attacks

### a class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure, which may result in weakness.

87

## Implementation attacks

### exploits a mistake (vulnerability) made while implementing an application, service, or system.

88

## Birthday attack

###
an attack on hashing functions through brute force. The attacker tries to create two messages with the same hashing value.

used to create hash collisions.

89

## Digital signatures

### used to cryptographically sign documents, which provides authentication and integrity, which forms non-repudiation.

90

## Message Authentication Code (MAC)

###
is a hash function that uses a key. Done by applying a secret key to a message in some form.

A common MAC implementation is Cipher Block Chaining Message Authentication Code (CBC-MAC), which uses the CBC mode of a symmetric block cipher such as DES to create a MAC.

91

## HMAC

### combines a shared secret key with hashing. IPsec uses HMACs (see below). Two parties must pre-share a secret key.

92

## digital certificate

### a public key signed with a digital signature.

93

## describes five components of PKI

###
1. Certification authorities (CAs) that issue and revoke certificates

2. Registration Authorities (ORAs) that vouch for the binding between public keys and certificate holder identities.

3. Certificate holders that are issued certificates and can sign digital documents

4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA

5. Repositories that store and make available certificates and certificate revocation lists (CRLs)

94

## What is the standard for PKI?

### X.509

95

## What is IPsec Security Association (SA) ?

### a simplex (one-way) connection, which may be used to negotiate ESP or AH parameters.

96

## What is Security Parameter Index (SPI) ?

###
A unique 32-bit number used to identify each simplex SA connection.

97

## Internet Security Association and Key Management Protocol (ISAKMP)

###
manages the SA creation process.

Defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE.

98

## Internet Key Exchange (IKE)

###
defines the key exchange and negotiates the algorithm selection process.

Two sides of an IPsec tunnel will typically use IKE to negotiate to the highest and fastest level of security

99

## OAKLEY

### a key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP.

100

## Clipper Chip

### used the Skipjack algorithm, a symmetric cipher that uses an 80-bit key.

101