Domain 3 - Cryptographic concepts | Crypto Attacks | PKI Infrastructure Flashcards
1
Q
Symmetric Encryption - Strengths
A
Speed, and strength per bit of key
2
Q
Symmetric Encryption - Weakness
A
Key must be shared securely
3
Q
Symmetric Encryption - Stream Cipher
A
Each bit is independently encrypted
4
Q
Symmetric Encryption - Block cipher
A
Blocks of data are encrypted
5
Q
Initialization Vector
A
Symmetric EncryptionEncryption step. Used on Symmetric ciphers to ensure that the first block of data is random
6
Q
DES Encryption type
A
Symmetric
7
Q
DES
A
Data Encryption Standard
8
Q
DES Encryption dates
A
1976 US Fed standard
9
Q
DES Encryption, who designed
A
IBM, based on older lucifer symmetric cipher
10
Q
DES Encryption, block size
A
64 bit
11
Q
DES Encryption, key size
A
56 bit
12
Q
DES Modes
A
5 modes
13
Q
Double DES
A
The DES encryption algorithm with two rounds, with two keys. Rendered unusable due to being susceptible to meet in the middle attacks.
14
Q
Triple DES
A
Expands the size of the key by running the algorithm in succession with three different keys. It makes 48 passes through the algorithm, and the resulting key is 168 bits.
15
Q
IDEA Encryption/Cipher Type
A
International Data Encryption Algorithm.Symmetric Block Cipher
16
Q
IDEA - good or bad?
A
Held up to cryptanalysis
17
Q
IDEA - drawback
A
Patent encumbrance (no longer an issue, not sure if tested as an issue or not) and slow speed
18
Q
AES Acroynym and encryption type
A
Advanced Encryption Standard - Symmetric
19
Q
AES Block and Key Size
A
128 bit block
Key - 128 bit to 256 bit.
128 with 10 rounds of encryption192 bit with 12 rounds of encryption 256 bit with 14 rounds of encryption
20
Q
Blowfish cipher type
A
symmetric
21
Q
RC5 and RC6 designed by
A
RSA Labs
22
Q
Asymmetric Encryption Pros
A
Solves issues around preshared keys
23
Q
Asymmetric key how many
A
two. Public/private key pair
24
Q
hashing/one-way functions
A
easy to compute one way. VERY difficult to reverse
25
Asymmetric, factoring prime numbers. factorization.
Relies on strength of composite number. Example: 6269 x 7883 = 49418527.To crack, you must factor 49418527 to find which two prime numbers are factors.
26
Discrete logarithm
Basis of the Diffie-hellman and El Gamal asymmetric algs
Uses in Asymmetric algorithms. Way to ensure encryption.
More advanced than factorization and considered more secure.
27
Diffie-Hellman Key agreement protocol, and encryption type.
Asymmetric encryption algorithm.
Allows two parties to securely agree on a symmetric key via a public channel
Type of key exchange that is secure. If an attacker sniffs the whole conversation, they still can't obtain the key.
28
Elliptic Curve Cryptography
Type of encryption. Uses discrete logarithms. Asymmetric encryption.
Stronger than factorization based encryption methods. Uses less computational power, and smaller key for equal strength.
29
Asymmetric and Symmetric tradeoffs
Asymmetric - slower, weaker on equal sized keys. Pro no need for preshared key
Both types are often used together Symmetric - faster, weak due to pre-shared keys.
30
Hash Functions
Encryption using algorithm, does not have a key. One Way. Impossible to reverse. Variable length plaintext is hashed into a fixed length hash
31
Collisions
This is what happens if two separate, and non-identical inputs to a hash algorithm result in identical hashes.
32
MD5 Acronym and type
Message Digest 5, hashing algorithm.
33
SHA-1 Acronym and type
Secure Hash Algorithm, hash
34
SHA2-224/SHA3-224SHA2-256/SHA3-256SHA2-384/SHA3-384SHA2-512/SHA3-512 lengths
Length of hash value is in the name.
35
HAVAL acronym and type
Hash of variable length. Hash
36
Brute force
attempts every possible valid combination for a key or password.
37
Known Plaintext
In the known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy).
If I know an input and output. I can potentially guess a key.
38
Chosen Plaintext and adaptive chosen plaintext
In this attack, the attacker obtains the ciphertexts corresponding to a set of plaintexts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key.
analyst chooses plaintext to be encrypted.Analyst then changes further rounds of encryption based on previous round
39
Chosen Ciphertext
In a chosen ciphertext attack, the attacker has the ability to decrypt chosen portions of the ciphertext message and use the decrypted portion of the message to discover the key.
40
meet in the middle attack
Used to attack algorithms that use only two rounds of encryption.
the attacker uses a known plaintext message. They then encrypt using all possible keys, and decrypt using all possible keys. In this way they can find all possible key pairs, AND all possible cipher texts for the plaintext.
Only takes twice as long as breaking a single round of encryption.
41
Known Key
Analyst knows something about the key, and can use that to reduce efforts used to attack it.
42
Side Channel Attacks
Use physical data to break cryptosystem. Monitoring CPU cycles or power consumption used while encrypting/decrypting.
43
Birthday Attack
Create hash collisions and break the key
44
Key clustering
When two different symmetric keys run on same plaintext and algorithm produce same ciphertext.
Analogous to collisions in hashing, but in relation to symmetric encryption.
45
Digital signatures
Method of authentication and non-repudiation.
Process:
1. Sender hashes their message, and appends hash to email
2. Sender then encrypts entire email using their private key.
3. Receiver decrypts message using public key (they now know the sender is authentic - only the sender could have encrypted).
4. Receiver then hashes the message on their own - if the hash is the same as appended to the email they know that integrity has been preserved.
46
HMAC Acronym and length
Hash Message Authentication Code - Variable length hash value
Used to implement a partial digitial signature. Combines hashing and symmetric encryption (full digital signature uses asymmetric).
47
PKI Public Key Infrastructure Process of key exchange.
leverages all three forms of encryption. Symmetric, asymmetric, and hashing.
1. Certificate requestor opens an asymmetric channel w/server to verify identity, and to share symmetric key.
2. server accept asymmetric channel. Agree on an ephemeral key.
3. Server hashes and encrypt the certificate.
4. Recipient decrpypts cert, and checks hash for integrity.
5. Recipient checks certificate against the CA.
48
Cert Authorities
Digitals certs are signed by CAs. They authenticate identity of orgs before issuing a certsMay be private, or public
49
Cert Revocation lists
Lists revoked certs. Maintained by CAs
50
IPSec
Suite of protocols to provide cryptographic IPV4 and v6. Used to build VPNs
51
IPSec primary components of SA's
Security Associations:
AH - Authentication Header
ESP - Encapsulating Security Payload
52
ISAKMP
Sub component of IKE. Used to organize and manage the encryption keys that have been generated and exchanged by OAKLYEY AND SKEME. Manages SAs.
53
IKE
Mechanism of IPsec that manages cryptography keys. Internet key exchange.
IKE Consists of three elements. OAKLEY, SKEME, AND ISAKMP.
54
AH
Authentication header provides authentication and integrity for each packet of net data. NO CONFIDENTIALITY
55
ESP
provides confidentiality and integrity by encrypting packet data. Does not provide strong authentication.
56
IPSec Security Association (ISAKMP)
Security Associations are managed by ISAKMP.
Each SA is a one way/simplex connection used to negotiate ESP or AH Parameters. Each side of the IPSec session transmits and receives using different keys. So, this results in up to 4 SAs in use for a two way communication. Each side has a SA for outgoing and incoming traffic.
57
SA Identification index
Identifies the SA. 32 bits
58
ESP Tunnel mode
Encrypts everything
59
ESP Transport mode
only encrypts data, not IP headers. May use AH to authenticate the un-encrypted headers.
60
IKE vs ISAKMP
IKE - Encryption algorithm negotiation protocol. Allows both sided to select and agree upon the best encryption that both sides support.ISAKMP - Manages Security Associations.
61
IKE
Another way to manage key exchanges. Both sides will use IKE to negotiate fastest and highest sec level.
62
SSL and TLS
TSL succeeds SSL. Commonly used for HTTPS. Encrypted out of the gate. Uses Asymmetric encryption to exchange a key, for a subsequent symmetrically encrypted data session.
63
PGP
pretty good privacy.
64
PGP year
1991
65
PGP
uses web-of-trust instead of cert authority.
66
S/MIME
Email encryption and authentication
67
Escrowed Encryption
splits private key into two or more parts. Will only release their part of the key on a court order.
68
Clipper Chip
Name of tech used in the Escrowed Encryption Standard. Allows backdoor to govt while encrypting voice.
69
Steganography
Science of hidden communication. Hiding information into other media.
70
Digital watermaks
encode data in a file. Watermark is probably hidden
71
Mantrap
Two doors requireing separate authentication to open
72
Bollard
Post designed to stop a car
73
Smart card
physical access card containing integrated circuit
74
tailgating
following an auth person into building w/o providing creds
75
Perimeter defenses
fence doors, walls, locks
76
Class 1 gate
residential
77
class 2 gate
Commercial, general access
78
Class 3 gate
industrial limited access - loading dock for 18 wheeler
79
Class 4 gate
restricted access. Prison or airport
80
Lights
detective and/or deterrant
81
vigenere cipher
- Vigenère ciphero Polyalphabetico Repeated 26 times to form a matrix
82
Jefferson disks
o Tommy Jo 36 wooden disks
83
Caesar cipher
- Caesar ciphero Monoalphabetico Simple substitutiono Rotated 3 times
84
book cipher and running key cipher
- Book cipher and running key ciphero Use well known texts as the basis for keys
85
Codebooks
assign codeword for important people/locations/terms
86
one time pad
o one time pad uses identical paird pads one page is used to encrypte same page to decrypt pages are then discarded, never reused only one mathematically proven to be secure
87
project VERONA
o Broke KGB encryption in 1940s o KGB used one time padso KGB violated one of the three rules thougho Reused pads.
88
Hebern Machines and PURPLE
o Class of cryptographic deviceso Large manual typewriter looking devices electrified with rotorso Used through WWII
89
ENIGMA
doi
90
SIGABA
o Rotor machine used by US through 1950so More complex and covered weaknesses of the Enigmao Large complex and heavyo Never known to be broken
91
PURPLE
japanese version of enigma
92
COCOM
o Coordinating comeittee for multilateral export controls Designed to control export of critical technologies to iron curtain countries
93
Wassenaar arrangement
o After COCOM endedo Created in 1996o Many iron curtain countries includedo Relaxed restriction on exporting cryptography.
94
DEA
Data Encryption Algorithm described by DES (Data Encryption Standard)
95
PKI standard
X.509
96
CAs and ORAs
Certificate Authority (Issues Certs)Organizational Registration Authority (authenticates client certs)
97
OCSP
Online Certificate Status Protocol - Replacement for CRL (Cert Revocation Lists). Scales beeter than CRL
98
CRL
Certificate Revocation Lists
99
PGP encryption type
Symmetric
100
RC4, RC5, RC6 encryption type
Symmetric
101
Rijndael Encryption type
Symmetric
102
Skipjack Encryption Type
Symmetric
103
CAST-128 Encryption type
Symmetric
104
CAST-256 Encryption type
Symmetric
105
```
RIPEMD-128
RIPEMD-160
RIPEMD-256
RIPEMD-320
Type and key length
```
Hashing algorithms. Key length is in the name.
106
RSA Type
Asymmetric. Used for encrypting and signing data.
107
ElGamal type
Asymmetrc. Used for transmitting digital signatures, and key exchanges.
108
IDEA and PGP relationship
PGP (pretty good privacy) uses IDEA (international data encryption algorithm) for symmetric encryption.
109
Work function/work factor
Way to measure the strength of a cryptography system. Measures the effort in terms of time and/or cost of brute forcing a crypto system.
110
one-time pad/Vernam cipher
Uses a different substitution alphabet for each letter of the plaintext message.
111
Implementation Attack
exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system
112
Statistical Attack
A statistical attack exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
113
Fault Injection Attack
the attacker attempts to compromise the integrity of a cryptographic device by causing some type of external fault. For example, they might use high-voltage electricity, high or low temperature, or other factors to cause a malfunction that undermines the security of the device.
114
Side-Channel Attack
Computer systems generate characteristic footprints of activity, such as changes in processor utilization, power consumption, or electromagnetic radiation. Side-channel attacks seek to use this information to monitor system activity and retrieve information that is actively being encrypted.
115
Timing Attack
Timing attacks are an example of a side-channel attack where the attacker measures precisely how long cryptographic operations take to complete, gaining information about the cryptographic process that may be used to undermine its security.
116
Man in the middle
a malicious individual sits between two communicating parties and intercepts all communications. They set up two separate encrypted sessions, posing as the legitimate endpoints. Can then see all communications.
117
Birthday Attack
a malicious individual sits between two communicating parties and intercepts all communications
118
Replay attack
The replay attack is used against cryptographic algorithms that don't incorporate temporal protections. In this attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later “replays” the captured message to open a new session
