Keys and Encryption Flashcards
What is Encryption?
Encryption is the process of translating data into another form so that only people with access to a secret key (decryption key) or password can read it.
It involves taking a piece of information (plaintext) and applying an encryption algorithm that produces the output (ciphertext)
What is encrypted data referred to as?
CIPHERTEXT
What is unencrypted data referred to as?
PLAINTEXT
What are the 4 main goals of encryption?
1) Confidentiality - maintain secrecy of data in transit and rest
2) Integrity - only authorised users can change data
3) Authentication - ensure the identity of a user is valid and access allowed
4) Nonrepudiation - Links actions to a verifiable individual
What is Symmetric Encryption?
Uses a single key (or password) that is shared ahead of time and must be kept secret by all involved.
This means there can be many copies of the key in distribution and it becomes less secure the longer the same key is in use
Designed to ensure confidentiality
What is Asymmetric Encryption?
Has 2 keys (1 public and 1 private)
Messages are encrypted using the public key and decrypted using the private key, which is not shared by anyone else.
Slower than symmetric encryption
Designed to ensure confidentiality
What is cryptographic hashing?
Often used for password storage. Based on taking a piece of data and hashing it into a single hash value, which cannot be converted back into a representation of the data
One way function that cannot be undone
Designed to ensure integrity
Give an example scenario of Asymmetric encryption
A wants to send a message to B. First A has to request B’s public key and send a list of algorithms they know how to use to encrypt messages
B sends back his public key with accepted choice of algorithm that A knows
A changes PLAINTEXT to CIPHERTEXT using public key and algorithm (cipher) to encrypt the message and send the CIPHERTEXT to B
B takes CIPHERTEXT and decrypts it with his secret private key that has not been shared with anyone else. B will process it and turn it back to PLAINTEXT
Give an example scenario of Hashing (MD5 Hash)
We take PLAINTEXT and process it with a hashing algorithm and turn it into CIPHERTEXT
CIPHERTEXT gets sent to recipient and they process it through the hashing algorithm function which turns it into PLAINTEXT
Hashing algorithms always treat the input as PLAINTEXT. The algorithm needs to be set up so there is no reverse of that function
List the problems associated with password based authentication systems
1) Passwords can become compromised
2) System allows weak passwords
3) Password Iteration (using related passwords)
4) Not requiring password changes over time
5) Not changing default passwords
6) Replay attacks (obtaining network traffic between user and server application
7) Storing passwords instead of password verifiers
8) Brute-force attacks against password verifiers
9) Revealing whether a failure is due to incorrect username or password
10) Online attacks
11) Returning forgotten passwords rather than resetting
List common cryptography issues
1) Using home grown cryptography that hasn’t been reviewed by global cryptographic community
2) Creating a protocol from low level algorithms
3) Using a weak cryptographic Primitive (MD4, MD5, Two-key 3DES)
4) Using a cryptographic primitive incorrectly
5) Encrypting known PLAINTEXT
6) Validating a hash incorrectly
7) Using the wrong communication protocol
8) Failing to use a salt
Name some high-level tested security protocols
SSL3 and TLS
IPSec
XMLDSig (signatures) XMLEnc (encryption)
What does HTTP and HTTPS stand for?
HyperText Transfer Protocol
HyperText Transfer Protocol Secure
What does SSL stand for?
Secure Socket Layer - Encryption protocol used for securing HTTP
What does TLS stand for?
Transport Layer Security - Encryption protocol designed to secure internet communications and replaced SSL in 1999
