Cryptography Flashcards Preview

Flashcards in Cryptography Deck (101):
1

Cross-certification

used to establish trust between different PKIs and build an overall PKI hierarchy.

Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies.

Cross certification does not check the authenticity of the certificates in the certification path.

2

certification path validation

check the authenticity of the certificates in the certification path

3

What are the three main issues with key management?

key recovery, key storage, and key change

4

Which key should you use to ensure confidentiality of an e-mail message?

the receiver's public key

5

What are the three purposes of ElGamal?

digital signatures, encryption of data, and key exchange

6

What does a digital signature provide?

non-repudiation for e-mail

7

Which security standard sets security standards for hardware and software cryptographic modules?

FIPS-140

8

To which type of attack is the Diffie-Hellman algorithm susceptible?

man-in-the-middle attacks

9

What is contained within an X.509 CRL?

a list of serial numbers of unexpired or revoked digital certificates that should be considered invalid

10

AES - MixColumns

provides diffusion by mixing the columns of the state via finite field mathematics.

11

AES - SubRows

provides diffusion by shifting rows (row of blocks) of the state.

12

AES - SubBytes

provides confusion by substituting the bytes of the state.

13

AES - AddRoundKey

is the final function applied in each round. It XORs the state with the subkey.

14

Electronic Code Book (ECB)

- is the simplest and weakest form of DES.
- Block mode
- It uses no initialization vector or chaining.
- Each block is encrypted independently.
- Two plaintexts with partial identical portions (such as the header of a letter) encrypted with the same key will have partial identical ciphertext portions.
- Used for small amounts of data such as ATM PINs.

15

Cipher Feedback (CFB)

- a stream mode (usually 8 bits). The first 8 bits that come from the algorithm are then XORed with the first 8 bits of the plaintext (the first segment).
- Each 8-bit segment is then transmitted to the receiver and also fed back into the shift register.
- It uses feedback (the name for chaining when used in stream modes) to destroy patterns.
- Like CBC, CFB uses an initialization vector and destroys patterns, and errors propagate.

16

Cipher Block Chaining (CBC)

- a block mode that XORs the previous encrypted block of ciphertext to the next block of plaintext to be encrypted.
- The first encrypted block is an initialization vector.
- In this “chaining”, the result of encrypting one block of data is fed back into the process to encrypt the next block of data.
- This “chaining” destroys patterns, and encryption errors will propagate.

17

Output Feedback (OFB)

- A stream mode of DES that uses portions of the key for feedback.
- errors will not propagate.
- This does pose some storage complications, especially if it were to be used in a high-speed link.

18

Counter (CTR) mode

- a counter—a 64-bit random data block—is used as the first IV for feedback.
- every subsequent block, the counter is incremented by
- The counter is then encrypted just as in OFB, and the result is used as a keystream and XORed with the plaintext. Because the keystream is independent from the message, it is possible to process several blocks of data at the same time, thus speeding up the throughput of the algorithm.
- used in high-speed applications such as IPSec and ATM.

19

principal

any entity that possesses a public key

20

verifier

an entity that verifies a public key chain.

21

subject

an entity that seeks to have a certificate validated.

22

Trust anchor

is a public key that verifies the certificate used in a digital signature.

23

Symmetric algorithms

DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent

24

Asymmetric algorithms

Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero

25

Hash collision

creates an identical hash for two different plaintexts.

26

Simple Key-management for Internet Protocols (SKIP)

a key distribution protocol such as the Diffie-Hellman algorithm, which uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

SKIP is similar to SSL, except that it requires no prior communication in order to establish or exchange keys on a session-by-session basis.

27

Rijndael

a symmetric block cipher algorithm that uses variable block lengths and variable key lengths. It supports 128, 192, and 256 bits.

28

How does PGP provide security?

o Confidentiality through the International Data Encryption Algorithm (IDEA) (symmetric).
o Integrity through the MD5 hashing algorithm.
o Authentication through public key certificates.
o Nonrepudiation through encrypted signed messages.

29

What is Collision?

Two or more plaintexts that generate the same hash.

30

What is Collusion?

An agreement between two or more individuals to subvert the security of a system.

31

S/MIME

Secure/Multipurpose Internet Mail Extensions—Leverages PKI to encrypt and authenticate MIME-encoded email.

32

SIGABA

Rotor machine used by the United States through World War II into the 1950s.

33

Purple

Allied name for the stepping-switch encryption device used by Japanese Axis powers during World War II.

34

Enigma

Rotor machine used by German Axis powers during World War II.

35

Known-plaintext

the attacker has access to both the ciphertext and the plaintext versions of the same message to find the key.

36

Chosen-plaintext attack

the attacker knows the algorithm used or has access to the machine used to determine the key.

37

Adaptive-chosen plaintext

attacker can modify the chosen input files to see what effect that would have on the resulting ciphertext.

38

Chosen-ciphertext attacks

cryptanalyst chooses the ciphertext to be decrypted with the help of a decryption oracle.

Usually launched against asymmetric cryptosystems, where the cryptanalyst may choose public documents to decrypt that are signed (encrypted) with a user’s public key.

39

Adaptive-chosen ciphertext

begins with a chosen ciphertext attack in round 1. The cryptanalyst then “adapts” further rounds of decryption based on the previous round.

40

ciphertext-only attack

to discover the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages

41

A message can be encrypted

provides confidentiality

42

A message can be digitally signed

which provides authentication, nonrepudiation, and integrity.

43

A message can be hashed

which provides integrity.

44

A message can be encrypted and digitally signed

which provides confidentiality, authentication, nonrepudiation, and integrity.

45

What are the root protocols of IKE?

a combination of Internet Security Association and Key Management Protocol (ISAKMP) and Oakley

46

What are the three components of an IPSec security association?

a Security Parameter Index (SPI), the identity of the security protocol (AH or ESP), and the destination IP address

47

What is key clustering?

when two different keys encrypt a plaintext message and produce the same ciphertext

48

Authentication includes

hash functions, digital signatures, and message authentication codes (MACs).

Cryptography supports all of the core principles of information security except authenticity.

49

What is the purpose of embedding a timestamp within cipher text?

It will decrease the chance of the message being replayed.

50

What is used by a payroll application program to ensure integrity while recording transactions for an accounting period?

time and date stamps

51

What does cryptology encompass?

both cryptography and cryptanalysis.

Cryptology is the science of secure communications.

52

What is ANSI X9.17 concerned with?

concerned primarily with protection and secrecy of keys.

53

Confusion

means that the relationship between the plaintext and ciphertext should be as random as possible.

54

Diffusion

means the order of the plaintext should be spread out in the ciphertext.

55

Substitution

replaces one character for another; this provides confusion.

56

Permutation (transposition)

provides diffusion by rearranging the characters of the plaintext.

57

Monoalphabetic

uses one alphabet. A specific letter (e.g., “E”) is substituted for another (e.g., “X”).

58

polyalphabetic ciphers

uses multiple alphabets: “E” may be substituted for “X” one round and then “S” the next round.

59

Modular math

shows you what remains (the remainder) after division. It is sometimes called “clock math” because we use it to tell time.

60

Cryptographic protocol governance

describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization wide scale.

61

Caesar cipher

a monoalphabetic rotation cipher used by Gaius Julius Caesar.

a substitution cipher

Caesar rotated each letter of the plaintext forward three times to encrypt,

62

Book cipher

uses whole words from a well-known text such as a dictionary.

63

Running-key cipher

instead of using whole words, they use modulus math to “add” letters to each other.

64

Codebooks

assign a code word for important people, locations, and terms.

65

Vernam cipher

the first type of one-time pad

66

COCOM

Coordinating Committee for Multilateral Export Controls (COCOM) was designed to control the export of critical technologies to non-COCOM.

Replaced by Wassenaar Arrangement

67

The formula for calculating how many symmetric keys are needed:

n (n-1)/2

68

3DES

uses 168 bits of key length.
uses 48 rounds of computation
slow and complex compared to newer symmetric algorithms such as AES or Twofish.

69

What is Chaining (called feedback in stream modes)?

seeds the previous encrypted block into the next block to be encrypted. This destroys patterns in the resulting ciphertext.

Electronic Code Book mode (see below) does not use an initialization vector or chaining.

70

DES

uses 64-bit block size and a 56-bit key

71

International Data Encryption Algorithm

is a symmetric block cipher designed as an international replacement to DES.

Uses a 128-bit key and 64-bit block size.

Drawbacks: slow speed compared to newer symmetric ciphers such as AES.

72

AES

uses 128- (with 10 rounds of encryption), 192- (12 rounds of encryption), or 256-bit (14 rounds of encryption) keys to encrypt 128-bit blocks of data

73

What are the AES finalists?

MARS, RC6, Rijndael, Serpent, Twofish

74

Blowfish

uses from 32- to 448-bit (the default is 128) keys to encrypt 64-bit blocks of data

open algorithms, unpatented and freely available.

75

Twofish

was an AES finalist, encrypting 128-bit blocks using 128- to 256-bit keys.

open algorithms, unpatented and freely available.

76

RC5

Key size ranges from zero to 2040 bits.

32, 64, or 128-bit blocks.

77

RC6

encrypting 128-bit blocks using 128-, 192-, or 256-bit keys.

78

Discrete logarithm

is the opposite of exponentiation

Used by Diffie-Hellman, ElGamal and ECC

79

What are the three primary approaches to attack the RSA algorithm?

brute force
mathematical attacks
timing attacks, measuring the running time of the decryption algorithm.

80

El Gamal

based on the work of Diffie–Hellman,

but it included the ability to provide message confidentiality and digital signature services, not just session key exchange.

81

MD5

creates a 128-bit hash value based on any input length.

82

SHA-1

creates a 160-bit hash value.

SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512

83

Known key attack

means the cryptanalyst knows something about the key, to reduce the efforts used to attack it.

If the cryptanalyst knows that the key is an uppercase letter and a number only, other characters may be omitted in the attack.

84

Differential cryptanalysis

seeks to find the difference between related plaintexts that are encrypted. The plaintexts may differ by a few bits.
It is usually launched as an adaptive-chosen plaintext attack; the attacker chooses the plaintext to be encrypted (but does not know the key) and then encrypts related plaintexts.

85

Linear cryptanalysis

a known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key to derive information about the key used to create them.

86

Algebraic attacks

a class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure, which may result in weakness.

87

Implementation attacks

exploits a mistake (vulnerability) made while implementing an application, service, or system.

88

Birthday attack

an attack on hashing functions through brute force. The attacker tries to create two messages with the same hashing value.

used to create hash collisions.

89

Digital signatures

used to cryptographically sign documents, which provides authentication and integrity, which forms non-repudiation.

90

Message Authentication Code (MAC)

is a hash function that uses a key. Done by applying a secret key to a message in some form.

A common MAC implementation is Cipher Block Chaining Message Authentication Code (CBC-MAC), which uses the CBC mode of a symmetric block cipher such as DES to create a MAC.

91

HMAC

combines a shared secret key with hashing. IPsec uses HMACs (see below). Two parties must pre-share a secret key.

92

digital certificate

a public key signed with a digital signature.

93

describes five components of PKI

1. Certification authorities (CAs) that issue and revoke certificates
2. Registration Authorities (ORAs) that vouch for the binding between public keys and certificate holder identities.
3. Certificate holders that are issued certificates and can sign digital documents
4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA
5. Repositories that store and make available certificates and certificate revocation lists (CRLs)

94

What is the standard for PKI?

X.509

95

What is an IPsec Security Association (SA)?

a simplex (one-way) connection, which may be used to negotiate ESP or AH parameters.

96

What is a Security Parameter Index (SPI)?

A unique 32-bit number used to identify each simplex SA connection.

97

Internet Security Association and Key Management Protocol (ISAKMP)

manages the SA creation process.

Defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE.

98

Internet Key Exchange (IKE)

defines the key exchange and negotiates the algorithm selection process.

Two sides of an IPsec tunnel will typically use IKE to negotiate to the highest and fastest level of security.

99

OAKLEY

a key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP.

100

Clipper Chip

used the Skipjack algorithm, a symmetric cipher that uses an 80-bit key.

101

What is the purpose of embedding a timestamp within cipher text?

It will decrease the chance of the message being replayed.