Management of Cryptography Flashcards

1
Q

Key Management

A

The protection factors are the strength of the encryption algorithm and key management, the activities related to the management of encryption keys.
The level of effort taken to protect an encryption key should correspond to the value of the information that is encrypted with the key.

The life cycle of encryption keys includes these activities:
- Key creation
- Key protection and custody
- Key rotation
- Key destruction
- Key escrow

2
Q

Key Creation

A

The creation of random encryption keys should be performed on a secure server, so that an intruder is not able to observe or re-create the key generation process or intercept generated encryption keys.

A key must be truly random and non-predictable.

3
Q

Key Protection and Custody

A

Access to private keys and symmetric encryption keys must be tightly controlled. Confidentiality of encrypted information is only as good as the protection of encryption keys.

4
Q

Key rotation

A

Regulation or prudence necessitates the occasional rotation of encryption keys.

An organization that encrypts sensitive information should have formal procedures to be followed in the event that an encryption key is compromised.

5
Q

Key destruction

A

When an encryption key is no longer needed, it should be destroyed securely. This means that the key must be destroyed in all locations where it was stored.

6
Q

Key Escrow

A

A business arrangement can be established where a trusted third party will hold encryption keys in escrow. The typical purpose for key escrow is the greater certainty that data can be recovered.

7
Q

Message Digest and Hashing

A

A message digest, or hash, is the result of a cryptographic operation on a message or file.
A cryptographic hashing algorithm will read the entire contents of a message or file and produce a fixed-length digest. A message digest is used to confirm that a message or file has not been altered.

8
Q

The Principles of a message digest

A

The principles of message digests are:
- It should not be possible to recreate the original message from the digest.
- It should be impossible (well, computationally infeasible) to create messages that will result in a given message digest.
- No two messages should result in the same message digest (although collisions are possible).
- A message digest should be the result of the entire message, not a portion of it.

9
Q

Message Digest Algorithms

A

- MD5
- SHA-1
- SHA-2
- SHA-3
- Whirlpool
- HMAC

10
Q

Digital Signature

A

A digital signature is a method used to verify the authenticity and integrity of a message or document.

Some of the algorithms used for digital signatures are:
- Digital Signature Algorithm (DSA)
- El Gamal
- Elliptic Curve DSA (ECDSA)

11
Q

Digital Certificates

A

A digital certificate is an electronic document that contains an individual’s public encryption key together with identifying information such as the person’s name and contact information.

12
Q

Non-Repudiation

A

The use of digital signatures and other factors such as strong authentication give rise to situations where it can become difficult for an individual to reasonably deny that they performed a transaction.

13
Q

PKI

A

A public key infrastructure (PKI) is an online facility where parties’ public keys can be easily retrieved.

A PKI can store other information in addition to public encryption keys, and serve multiple purposes in an identity management service.
