Domain 3: Security Architecture and Engineering - Cryptography

Question 1

Caesar Cipher

Answer 1

Simple substitution
Shift Characters, etc. (Caesar was a 3 character shift)
Subject to pattern analysis to crack the cipher
Current example: Rot-13, move characters 13 spaces

Question 2

Scytale Cipher

Answer 2

Spartans used this cipher to communicate messages to general in the field
Wrapped tape around a rod, then wrote on the tape
Diameter of the rod is the pre-agreed upon secret (key)

Question 3

Symmetric Cryptography

Answer 3

Same secret is used on both ends

Question 4

Vignere Cipher

Answer 4

First polyalphabetic cipher
Key word is agreed upon ahead of time
First letter of the key is matched up against first letter of the message and so on

Question 5

Enigma Machine

Answer 5

Used by Germans in WWII; Japanese had Purple machine

Used a rotor configuration to create a cipher

Question 6

Vernam Cipher

Answer 6

AkA One Time Pad
Mathematically unbreakable
pad must be as long as the message
pad must be securely distributed and only used once

Question 7

Services provided by cryptography

Answer 7

PAIN
Privacy: prevents unauthorized disclosure
Authenticity: verifies claimed identity
Integrity: detects modification or corruption
Non-Repudiation: combines authentication and integrity. Sender can’t dispute having sent a message, or contents

Question 8

Cipher Text Algorithm

Answer 8

Plain Text + Initialization vector + Algorithm (Cipher) + Key = Cipher Text

Question 9

Initialization Vector

Answer 9

Provides randomness by changing the starting point randomly

Similar to Salt for a password

Question 10

Cryptographic Algorithms

Answer 10

For data, it is broken into blocks (S-Blocks) and then complex and strong math to substitute the blocks.
Collection of math functions that should be open

Question 11

Cryptographic Keys

Answer 11

Provide instructions on how to use the math
Should be random
Should be protected
Should be long “enough”

Question 12

Symmetric Process

Answer 12

single key is shared by both parties and is used to encrypt and decrypt. aka Secret, private, shared, or session key

Question 13

Symmetric Pro’s

Answer 13

Provides fast data transfer

Good strong privacy

Question 14

Symmetric Cons

Answer 14

Out of band key distribution
Doesn’t scale well
Doesn’t provide non-repudiation

Question 15

Asymmetric Cryptography

Answer 15

Every user has a key pair which consists of a public and private key
Anything encrypted with one key can only be decrypted by the other

Question 16

Symmetric Cipher types

Answer 16

Stream - one bit at a time, uses transposition, substitution, XOR. fast and efficient, not as secure, RC-4
Block - Chunks data and each chunk goes through a series of math functions called S-boxes

Question 17

Common Symmetric Algorithms

Answer 17

DES
3DES
AES
RC-4 (Stream)
RC-5
Two Fish
Blowfish
IDEA
CAST
MARS
Skipjack

Question 18

Private key

Answer 18

Used to encrypt, can prove authenticity because only the public key pair can decrypt it

Question 19

Public Key

Answer 19

Used to decrypt, shared with other systems

Question 20

Integrity with Cryptography

Answer 20

Hashing/Checksums is a fixed length representation of the contents of the file. hashing performed on both ends of file transfer to ensure no changes have been made
One way math, cannot be reversed, once it is it is considered cracked

Question 21

Hashing Algorithms

Answer 21

MD-5 128 bit
SHA-1 160 bit
Sha-2 256, 384, 512, etc
HAVAL, TIGER, RIPEMD are lesser known algorithms

Question 22

Collision

Answer 22

When two different documents produce the same hash

Question 23

Birthday attack

Answer 23

Attempt to cause collisions. based on the idea that it is easier to find two hashes that happen to match than to produce a specific hash

Question 24

Non-Repudiation with cryptography

Answer 24

Encrypting the hash with private key allows for non repudiation. Hash is created, showing integrity. Encrypted with private key. Decrypted with public key. hash is generated for decrypted file, compared to prove who and what.
Digital signatures are a way to do this.

Question 25

Common Asymmetric Algorithms

Answer 25

DSA and RSA ECC (Elliptical Curve Cryptography) and El Gamal Diffie Hellman (DH) and Knapsack

Question 26

RSA (Rivest, Shamir, Adleman)

Answer 26

Standard for Digital Signatures, replacing DSA Uses Factorization; Uses the idea that there is no efficient way to factor the product of large prime numbers Trap-door math

Question 27

Diffie-Hellman

Answer 27

First Asymmetric algorithm Secure key-algorithm without pre-shared secrets Based on discrete logarithms in a finite field Asymmetric to agree on key, then symmetric for communication

Question 28

ECC (Elliptical Curve Cryptography)

Answer 28

Based upon plottings points along a curve Very efficient but only for applicable key agreement, digital signatures, pseudo-random generators and small tasks Frequently used for handheld devices due to their limited processing capability

Question 29

Defacto standard for encryption

Answer 29

AES | Exception: PGP for email uses IDEA (Internet Data Exchange Algorithm)

Question 30

Number of keys in Symmetric Algorithms

Answer 30

N*(N-1)/2

Question 31

Number of keys in Asymmetric Algorithms

Answer 31

2N

Question 32

Key sharing for symmetric algorithms

Answer 32

out of band

Question 33

Key sharing for asymmetric algorithms

Answer 33

public key is shared

Question 34

Hybrid Cryptography

Answer 34

Goal is to achieve all of PAIN plus Speed | SSL/TLS a good example. Asymmetric Key exchange with goal of creating a Symmetric Session Key for further communication

Question 35

How SSL/TLS uses Hybrid Cryptography

Answer 35

Message to website Website responds with public key (Asymmetric) Client Browser creates a symmetric session key and sends it to the server (Hybrid/Asymmetric) Server uses its private key to decrypt the symmetric key. Now both parties know the symmetric key and use that to communicate (Symmetric)

Question 36

Public Key Infrastructure (PKI)

Answer 36

System for web servers to obtain Digital Certificates from trusted Certificate Authorities to generate public/private key pairs to ensure server identity

Question 37

Certificates

Answer 37

Provides authenticity of a server's public key Necessary to avoid MITM attacks Digitally signed by Certificate Authority

Question 38

Certificates

Answer 38

Provides authenticity of a server's public key Necessary to avoid MITM attacks Digitally signed by Certificate Authority

Question 39

Certificate Authority (CA)

Answer 39

entity that stores, signs, and issues digital certificates

Question 40

Registration Authority (RA)

Answer 40

responsible for accepting requests for digital certificates and authenticating the entity making the request.

Question 41

Certificate Repository

Answer 41

Where certificate is stored on web server

Question 42

Certificate Revocation List (CRL)

Answer 42

A list published by the CA. Client is responsible for downloading to see if a certificate is revoked

Question 43

Online Certificate Status Protocol (OCSP )

Answer 43

Streamlines the process of verifying whether or not a certificate has been revoked

Question 44

Message Authentication Codes (MAC)

Answer 44

Provides reasonable authenticity and integrity not strong enough to be non-repudiation (because it uses a symmetric key) Between hashing and digital signatures

Question 45

How MAC Works

Answer 45

Message + Symmetric Number + Hashing Algorithm to produce an HMAC

Question 46

How it all Fits together (Web Browsing)

Answer 46

(Application) Web Browser requests web traffic (Protocol) HTTP/HTTPS specifies rules for communication (Cryptosystem) HTTPS mandates a cryptosystem, SSL/TLS is the framework to provide protection for data (Algorithm) Provides the math for the actual encryption

Question 47

How it all fits together (e-Mail)

Answer 47

(Application) Mail Client and Server (Protocol) Specifies rules for communication - SMTP POP3 or IMAP (Cryptosystem) Framework to protect data - S/MIME or PGP (Algorithm) Provides the math for encryption - AES is most popular, IDEA for PGP

Question 48

IPSec

Answer 48

Integrated with IPv6, backwards compatible with IPv4 Provides framework for services such as encryption, authentication, integrity Provides encapsulation, not encryption What is encapsulated can be protected through the protocols within IPSec

Question 49

Encapsulation

Answer 49

Data is not encrypted, but is wrapped in such a way that the data is protected in transit

Question 50

Tunnel Mode

Answer 50

Whole packet is encapsulated (IP Header, IP Payload, IP Trailer)

Question 51

Transport Mode

Answer 51

Only the payload is encapsulated (IP Payload)

Question 52

IPv4 IPSec packet

Answer 52

IPSec Header -> IP Header -> IP Payload -> IP Trailer -> IPSec Trailer

Question 53

Authentication Header (AH)

Answer 53

IPSec Sub Protocol Provides integrity, authenticity, and non-repudiation through the use of an Integrity check Value (ICV) Not compatible with NAT (Network Access Tunnels)

Question 54

Encapsulating Security Payload (ESP)

Answer 54

Provides authenticity and integrity through a MAC Provides Encryption, ICV is run on payload only Compatible with NAT

Question 55

Internet Key Exchange (IKE)

Answer 55

No security services | Management for a secure connection

Question 56

Integrity Check Value (ICV)

Answer 56

Part of Authentication Header (AH) Hash run on the entire packet (Header, data, trailer) except for particular fields in the header that are dynamic (TTL, Etc). No Confidentiality

Question 57

Oakley

Answer 57

IKE service, Uses Diffie Helman to agree upon a key

Question 58

Internet Security Association and Key Management Protocol (ISAKMP)

Answer 58

Manages Keys and Security Associations

Question 59

Security Association

Answer 59

Unique identifier for each secure session | Contains Dest Address, Security Parameter Index (SPI), IPSec Transform, Key, Additional SA Attributes (lifetime, etc)

Question 60

Security parameter Index (SPI)

Answer 60

Way to identify difference of multiple sessions with same destination

Question 61

Pretty Good Privacy (PGP)

Answer 61

Proprietary protocol for email cryptosystems Uses web of trust Passphrases instead of passwords Learned keys are stored in a key ring

Question 62

Secure/Multipurpose internet Mail Extensions (S/MIME)

Answer 62

Provides PAIN for email systems, Asymmetric key exchange for Symmetric Message key Privacy - Receiver's Public Key Authenticity - Senders Private Key Integrity - Hash/Checksum - neither symmetric or asymmetric Non-Repudiation - Hash encrypted by sender's private key

Question 63

S/MIME Process (Digital Envelope)

Answer 63

Message encrypted with Symmetric Key Symmetric Key added to Message Symmetric Key encrypted with Receiver's Public Key Document gets hashed Hash gets encrypted with Sender's Private Key

Question 64

Ciphertext Only Attack

Answer 64

Attacker has captured encrypted text on the network. Usually means all the attacker can do is brute force the encrypted text

Question 65

Known Plain Text Attack

Answer 65

Attacker has captured cipher text, but also knows what a portion of the message is in plain text (like automatic signature) How Allies cracked Enigma machine

Question 66

Chosen Plaintext Attack

Answer 66

Attacker can see the full text encrypted and decrypted. Attacker has initiated the message (usually)

Question 67

Chosen Ciphertext Attack

Answer 67

Attacker can see whatever they want in plain or ciphertext. They have compromised a workstation. Sometimes called a lunchtime or midnight attack

Question 68

Meet in the Middle Attack

Answer 68

Attacks are targeted towards algorithms like 3DES where there are multiple keys. An attacker tries to learn what each key does individually

Question 69

Highest level of AES

Answer 69

256