Domain Six: PKI and Cryptography

Question 1

What are the PAIN concepts that ryptography should address ?

Answer 1

Privacy, Authentication, Integrity, Non - Repudiation

Question 2

What is Data in Use ?

Answer 2

This is data that is actively in use by the computer system. This includes data stored in memory while being processed.

Question 3

What is the main protection for data in transit ?

Answer 3

Encyption via tls

Question 4

What is data at rest ?

Answer 4

Data that is stored in storage media - encryption is an obvious protection

Question 5

What is a cipher ?

Answer 5

The actual algorithm used to carry out cryptography

Question 6

What are the two categories that ciphers fall into ?

Answer 6

Block and Stream

Question 7

What is the advantage of block ciphers ?

Answer 7

High diffusion and immune to insertion

Question 8

What is the disadvantage of block ciphers ?

Answer 8

Slow and error propagation

Question 9

What is the advantage of stream ciphers ?

Answer 9

Speed and low error propagation

Question 10

What are the disadvantages of stream ciphers ?

Answer 10

Low diffusion and susceptibiltiy to malicious insertion

Question 11

What is a block cipher ?

Answer 11

Encrypts data in whole or in chunks and used when we know the size of the data to be encrypted

Question 12

What is a stream cipher ?

Answer 12

Encrypts each individual bit as part of a stream

Question 13

What is the concept of confusion in cryptography ?

Answer 13

Makes the relationship between the cipher and data as complex as possible. Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.[3]

The property of confusion hides the relationship between the ciphertext and the key.

This property makes it difficult to find the key from the ciphertext and if a single bit in a key is changed, the calculation of most or all of the bits in the ciphertext will be affected.

Question 14

What is the concept of diffusion in cryptography ?

Answer 14

Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.[5] This is equivalent to the expectation that encryption schemes exhibit an avalanche effect.

The purpose of diffusion is to hide the statistical relationship between the ciphertext and the plain text

Question 15

What kind of algorithm is DiffieHelman ?

Answer 15

Asymmetric

Question 16

What kind of algorithm is DSA ?

Answer 16

Asymmetric - Good for digital signatures but does little for confidentiality

Question 17

What kind of algorithm is Elliptical Curve ?

Answer 17

Asymmetric - Very fast uses real and rational numbers and requires smaller key sizes to provide same security as other algorithms

Question 18

What kind of algorithm is RSA ?

Answer 18

Standard for Asymmetric - Key 2048 bits

Question 19

What kind of agorithm is 3DES ?

Answer 19

Symmetric - Comes in four different types and the key length is 112 to 168 256 and 356. The different flavours use a key multiple times

DES - EEE2 Two key are used in the encryption process three times
DES - EDE2 Two key are used in the encryption process twice and once in the decryption process
DES - EEE3 Three keys are used in the encryption process three times
DES - EDE3 Three key are used in the encryption process twice and once in the decryption process

Question 20

What kind of algorithm is AES ?

Answer 20

Symmetric - 3DES was only ever a stopgap and AES was the preferred standard and was based on the Rijndael algorithm. The key lengths are 128, 192 or 256 bits

Question 21

What kind of algorithm is DES ?

Answer 21

Symmetric - DES uses a 64 bit key but 8 bits are used for parity checking so in actuality the key is only 56bits. This is a deprecated mechanism because it was shown that the algorithm could be cracked in less that 24 hours.

Question 22

What kind of algorithm is RC4 ?

Answer 22

Symmetric - Ron Rivest came up with these ciphers. They are fast steam ciphers which are perfect for WiFi WEP. The key length is 40 bits plus a 24 bit initialisation vector making it 64 in total length.

Question 23

What is a cipher mode ?

Answer 23

These are the primary ways of using the ciphers that adds additional functionality. So you would never use AES on its own but in conjunction with a cipher mode.

Question 24

Describe the ECB cipher mode ?

Answer 24

Electronic Block will pad when there is a partial block. It is the easiest mode to break and is the native mode of DES. Its advantage is that it provides the highest throughput.

Question 25

What is Cipher Block Chaining mode ?

Answer 25

Very similar to ECB has a slightly higher error rate meaning some block could become undecipherable.

Question 26

What are counter cipher modes ?

Answer 26

Turns block ciphers into stream ciphers by the use of a counter function which is used alongside an IV.

Question 27

What is Galois Counter Mode ?

Answer 27

Uses the Galois authentication with standard Counter Mode. Used specifically with 128 bit encryption

Question 28

Describe the HMAC hashing algorithm ?

Answer 28

Designed to avoid collisions that other algorithms are prone to. This is done by the use of a shared private key but it does require that the key is sent out of bounds

Question 29

What is MD5 ?

Answer 29

Hashing Algorithm - Takes a variable length input and produces a 128 bit output

Question 30

What is the SHA algorithm ?

Answer 30

Hashing - SHA 1 and 0 are deprecated. SHA 2 is the most commonly used algorithm today

Question 31

What is key stretching ?

Answer 31

Improving of weak keys for examples multiple rounds of either hashing or encryption

Question 32

What is perfect forward secrecy ?

Answer 32

Used to change keys ensuring that even though a compromise occurs the blast radius is small.

Question 33

What does the term east-west traffic mean ?

Answer 33

Lateral movement within a network

Question 34

What are PEAP and EAP-TLS and what is the difference between the two ?

Answer 34

They are protocols for securing wireless communications with TLS. PEAP uses passwords whereas EAP-TLS uses server side certificates

Question 35

Why use a site survey for wireless placement ?

Answer 35

Discovery of dead zones and optimal placement.

Question 36

Give an example of a stream cipher ?

Answer 36

Caesar

Question 37

What is the minimum key length in todays cryptographic systems ?

Answer 37

128 bit

Question 38

Does symmetric encryption offer non repudiation ?

Answer 38

No - Only confidentiality

Question 39

What are the main issues with symmetric encryption ?

Answer 39

Key exchange is a problem
Does not implement non-repudiation as anyone with the key can encrypt and decrypt
Algorithm is not scalable - Difficult to manage large numbers of users
Key Regeneration overhead - Every time someone leaves a key has to be regenerated

Question 40

What are the main advantages of asymmetric encryption ?

Answer 40

Overhead - New or leaving users only need their key pair generated or removed
Blast Radius - Keys only need to be regenerated when the private key is compromised
Provides Non-Repudiation, Confidentiality, Integrity and Authentication
Key Exchange is simplified - There is no method to derive the private key from the public key

Question 41

What key lengths does AES support ?

Answer 41

128,192,256

Question 42

I want to exchange keys in order to use symmetric encryption but the PKI and Offline options are not available to me what should I use ?

Answer 42

Diffie Hellman

Question 43

In symmetric cryptography what is split knowledge ?

Answer 43

Where two people own half of the key

Question 44

What is a key escrow service ?

Answer 44

Key is stored with a third party service

Question 45

Whats a weakness of the MD5 hashing protocol ?

Answer 45

It is prone to collisions

Question 46

What cryptographic goals are satisfied by digital signatures ?

Answer 46

Authentication, Integrity and Non Repudiation

Question 47

Whats the process in creating a digital signature ?

Answer 47

Sender creates message digest by hashing original plain text
Sender encrypts the digest with their private key
Sender attaches the message digest to plain text message
Sender transmits message

Receiver decrypts message digest with Senders public key
Receiver uses same hashing function on plain text
Receiver then compares that their result and the received hash are the same

Question 48

What extra step should you take to ensure privacy after you have created a digital signature ?

Answer 48

Encrypt it with the recipents public key

Question 49

What key should I use if I want to send an encrypted message to a recipient ?

Answer 49

Recipients public key

Question 50

What key should I use if I recieve an encrypted message ?

Answer 50

My private key

Question 51

What key should I use if I want to create a digital signature ?

Answer 51

My private key

Question 52

What key should I use to verify a digital signature ?

Answer 52

Senders public key

Question 53

What hashing algorithm uses a shared private key ?

Answer 53

HMAC

Question 54

What does the common name (CN) of certificates contain ?

Answer 54

Fully Qualified Domain Name (FQDN)

Question 55

How is the root certificate of the CA stored ?

Answer 55

Offline

Question 56

What is certificate chaining ?

Answer 56

In the CA trust model, the use of a series of intermediate CA’s is known as certificate chaining and the browser has to verify all the certificates in the chain.

Question 57

What is the role of the registration authority (RA)

Answer 57

Help with identification but does not issue certificates

Question 58

What are some of the items mandated by the X509 standard for certificates ?

Answer 58

Version
Serial Number
Signature Algorithm Identifier
Issuer Name - The CA authority name
Validity Period - Start, Expiration date and time
Subjects Common Name (CN) - FQDN of domain owner
Subject Alternative Names (SAN) - Additional optional items such as IP addresses and domain names
Subjects Public Key

Question 59

What is enrolment in the certificate process ?

Answer 59

The supplying of identity documents to prove to the CA you are genuine

Question 60

What is a CSR (Certificate Signing Request) ?

Answer 60

The submitting of your public key to the CA after your identity has been verified.

Question 61

What is a domain validation certificate (DV) ?

Answer 61

The lowest level which just identifies that you own the domain is known as a Domain Validation (DV) certificate

Question 62

What is the name of the certificate that requires more validation than just the DV ?

Answer 62

Extended validation (EV) certificate

Question 63

What is a primary use case for Eliptical Curve cryptography ?

Answer 63

Key Exchange and digital signatures

Question 64

What is XSS ?

Answer 64

XSS is a web-based vulnerability that occurs when an attacker injects malicious code into a web page that is then executed by the browser of a user who visits the page. The code can steal cookies, session tokens, or other sensitive information from the user or the web server.

Question 65

Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools?

Answer 65

Capability

Question 66

Do SIEMS maintain a database ?

Answer 66

Yes

Question 67

What is the difference between recurring and continuous risk assessment ?

Answer 67

Recurring risk assessment involves conducting risk assessments at regular intervals to adapt to changing threats and vulnerabilities over time whereas continuous is all the time to help with operational security

Question 68

What is the difference between SASE and WAN ?

Answer 68

SASE (Secure access service edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location where as WAN just covers networking capabilities

Question 69

What is infrastructure monitoring ?

Answer 69

Infrastructure monitoring is focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure

Question 70

What is systems monitoring?

Answer 70

Systems monitoring evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT.

Question 71

What is directory traversal ?

Answer 71

A directory traversal attack is a type of application attack that involves manipulating the input parameters to access files or directories that are not intended to be accessible by the user, such as configuration files, source code, or system files.

Question 72

What is the primary purpose of package monitoring ?

Answer 72

Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks.

Question 73

Is the file extension normally included in the files metadata ?

Answer 73

No

Question 74

Which of the following BEST describes a system that allocates permissions and access based on pre-defined organizational guidelines, strategies, codes, roles, or requirements?

Answer 74

Policy Driven

Question 75

Can a single tool be two types of control ?

Answer 75

Yes Antimalware is a detective control and a corrective one

Question 76

What is a directive control give an example ?

Answer 76

Sets the standards of behaviour for org normally a policy or document such as AUP

Question 77

What is a POA&M ?

Answer 77

Plan of action and milestones to rectify gaps found in a gap analysis

Question 78

What is zero trust ?

Answer 78

Zero Trust demands verification for every device, every user and every transaction regardless of where it came from.

Question 79

In zero trust architecture what is the control plane ?

Answer 79

Is the overarching set of components responsible for defining, enforcing and managing the policies related to user and system access within the organisation

Question 80

In zero trust what is the control planes adaptive identity ?

Answer 80

leverages Context based authentication, considers where the user is logging in from, whether the device they are using meets security requirements and will either request additional info or request if standards are not met. The assumption is a users identity is not set in stone we need to take into account context based information such as behaviour and device location.

Question 81

What is the control planes threat scope reduction ?

Answer 81

Limiting the blast radius determined by least privilege and identity base network segmentation rather than the more traditional network segmentation methods such as VLAN and IP addresses

Question 82

What is the role of the policy engine in Zero Trust ?

Answer 82

Policy engines make decisions based on rules and external systems such as identity management and SIEM. They use a trust algorithm that makes a decision to grant, deny or revoke access to a given resource. Once the decision has been made it is logged and then the policy administrator takes action.

Question 83

What is the role of the policy enforcement in Zero Trust ?

Answer 83

To carry out the decisions made by the policy engine such as terminating connections