MODULE 21 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

Question

Symmetric Encryption Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.

Answer 1

To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system. In this example, Alice wants to send a secret message to Bob.

Answer 2

In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob. The message is safely locked inside the box as the box makes its way through the post office system. When Bob receives the box, he uses his key to unlock the padlock and retrieve the message. Bob can use the same box and padlock to send a secret reply back to Alice. https://snipboard.io/XpOlrK.jpg

Answer 3

Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use less CPU resources than asymmetric encryption algorithms. This allows the encryption and decryption of data to be fast when using a VPN. When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key. Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a minimum key length of 128 bits should be used. Use a longer key for more secure communications.

Answer 4

Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher. Click the buttons to learn about these two cipher modes.

Answer 5

BLOCK CIPHERS : Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits. Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size. https://snipboard.io/wNjKdT.jpg

Answer 6

STREAM CIPHERS : Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are basically a block cipher with a block size of one byte or bit. Stream ciphers are typically faster than block ciphers because data is continuously encrypted. Examples of stream ciphers include RC4 and A5 which is used to encrypt GSM cell phone communications. https://snipboard.io/UHZFBO.jpg

Answer 7

Well-known symmetric encryption algorithms are described below: Symmetric Encryption Algorithms: -- Data Encryption Standard (DES) -- 3DES (Triple DES) -- Advanced Encryption Standard (AES) -- Software-Optimized Encryption Algorithm (SEAL) -- Rivest ciphers (RC) series algorithms

Answer 8

Data Encryption Standard (DES) : This is a legacy symmetric encryption algorithm. It uses a short key length that makes it insecure for most current uses.

Answer 9

3DES (Triple DES) : The is the replacement for DES and repeats the DES algorithm process three times. It should be avoided if possible as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes.

Answer 10

Advanced Encryption Standard (AES) AES is a popular and recommended symmetric encryption algorithm. It offers combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data blocks.

Answer 11

Software-Optimized Encryption Algorithm (SEAL) SEAL is a faster alternative symmetric encryption algorithm to AES. SEAL is a stream cypher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.

Answer 12

Rivest ciphers (RC) series algorithms This algorithm was developed by Ron Rivest. Several variations have been developed, but RC4 was the most prevalent in use. RC4 is a stream cipher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used.

Answer 13

Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa. Asymmetric Encryption Example https://snipboard.io/6HFTSI.jpg

Answer 14

Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.

Answer 15

Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient. Examples of protocols that use asymmetric key algorithms include: -- Internet Key Exchange (IKE) -- Secure Socket Layer (SSL) -- Secure Shell (SSH) -- Pretty Good Privacy (PGP)

Answer 16

Internet Key Exchange (IKE) : This is a fundamental component of IPsec VPNs.

Answer 17

Secure Socket Layer (SSL) : This is now implemented as IETF standard Transport Layer Security (TLS).

Answer 18

Secure Shell (SSH): This protocol provides a secure remote access connection to network devices.

Answer 19

Pretty Good Privacy (PGP): This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.

Answer 20

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.

Answer 21

Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public. Common examples of asymmetric encryption algorithms are described below: -- Diffie-Hellman (DH) -- Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) -- Rivest, Shamir, and Adleman encryption algorithms (RSA) -- EIGamal -- Elliptic curve techniques

Answer 22

Diffie-Hellman (DH) : Key Length : 512, 1024, 2048, 3072, 4096 The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.

Answer 23

Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) Key Length : 512 - 1024 DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification.

Answer 24

Rivest, Shamir, and Adleman encryption algorithms (RSA): Key Length : 512 to 2048 RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing, as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

Answer 25

EIGamal : Key Length : 512 - 1024 An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message and for this reason it is only used for small messages such as secret keys.

Answer 26

Elliptic curve techniques Key Length : 224 or higher Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.

Answer 27

Asymmetric algorithms are used to provide confidentiality without pre-sharing a password. The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key. The process can be summarized using the formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality

Answer 28

When the public key is used to encrypt the data, the private key must be used to decrypt the data. Only one host has the private key; therefore, confidentiality is achieved. If the private key is compromised, another key pair must be generated to replace the compromised key. Click the buttons to view how the private and public keys can be used to provide confidentiality to the data exchange between Bob and Alice.

Answer 29

Alice acquires Bob's public key: Alice requests and obtains Bob’s public key. https://snipboard.io/Mbz9Cs.jpg

Answer 30

Alice acquires Bob's public key: Alice requests and obtains Bob’s public key. https://snipboard.io/Mbz9Cs.jpg Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm. Alice sends the encrypted message to Bob. https://snipboard.io/3oHi9E.jpg

Answer 31

Alice acquires Bob's public key: Alice requests and obtains Bob’s public key : https://snipboard.io/Mbz9Cs.jpg Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm. Alice sends the encrypted message to Bob. https://snipboard.io/3oHi9E.jpg Bob decrypts message with private key: Bob then uses his private key to decrypt the message. Since Bob is the only one with the private key, Alice's message can only be decrypted by Bob and thus confidentiality is achieved. https://snipboard.io/ZGeTB4.jpg

Answer 32

When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication.

Answer 33

Alice uses her private key Alice encrypts a message using her private key. Alice sends the encrypted message to Bob. Bob needs to authenticate that the message did indeed come from Alice. https://snipboard.io/zftL2Z.jpg Bob requests the public key: In order to authenticate the message, Bob requests Alice’s public key. https://snipboard.io/GvDpJU.jpg Bob decrypts using the public key: Bob uses Alice’s public key to decrypt the message. https://snipboard.io/nmKYRt.jpg

Answer 34

The following example will be used to illustrate this process. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.

Answer 35

Alice sus Bob's public key : Alice wants to send a message to Bob ensuring that only Bob can read the document. In other words, Alice wants to ensure message confidentiality. Alice uses the public key of Bob to cipher the message. Only Bob will be able to decipher it using his private key. https://snipboard.io/ZNF4fa.jpg Alice encrypts a hash using her private key: Alice also wants to ensure message authentication and integrity. Authentication ensures Bob that the document was sent by Alice, and integrity ensures that it was not modified Alice uses her private key to cipher a hash of the message. Alice sends the encrypted message with its encrypted hash to Bob. https://snipboard.io/aRldo5.jpg Bobs uses Alice's public key to decrypt the hash: Bob uses Alice’s public key to verify that the message was not modified. The received hash is equal to the locally determined hash based on Alice’s public key. Additionally, this verifies that Alice is definitely the sender of the message because nobody else has Alice’s private key. https://snipboard.io/P1ov5r.jpg Bob uses his private key to decrypt the message: Bob uses his private key to decipher the message. https://snipboard.io/er6PCc.jpg

Answer 36

Here are two examples of instances when DH is commonly used: Data is exchanged using an IPsec VPN SSH data is exchanged To help illustrate how DH operates, refer to the figure. https://snipboard.io/d2Lcgn.jpg

Answer 37

The colors in the figure will be used instead of complex long numbers to simplify the DH key agreement process. The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed-on color in our example is yellow. Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue. These secret colors will never be shared with anyone. The secret color represents the chosen secret private key of each party.

Answer 38

Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a public color. Therefore, Alice will mix the yellow with her red color to produce a public color of orange. Bob will mix the yellow and the blue to produce a public color of green. Alice sends her public color (orange) to Bob and Bob sends his public color (green) to Alice. Alice and Bob each mix the color they received with their own, original secret color (Red for Alice and blue for Bob.). The result is a final brown color mixture that is identical to the partner’s final color mixture. The brown color represents the resulting shared secret key between Bob and Alice.

Answer 39

The security of DH is based on the fact that it uses very large numbers in its calculations. For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309-digit decimal numbers.

Answer 40

Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process. The higher group numbers are more secure, but require additional time to compute the key. The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value: DH Group 1: 768 bits DH Group 2: 1024 bits DH Group 5: 1536 bits DH Group 14: 2048 bits DH Group 15: 3072 bits DH Group 16: 4096 bits Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.

Answer 41

Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.

Answer 42

explore properties of digital signatures.: -- AUTHENTIC -- UNALTERABLE -- NOT REAUSABLE -- NON-REPUDIATED

Answer 43

AUTHENTIC : The signature cannot be forged and provides proof that the signer, and no one else, signed the document.

Answer 44

UNALTERABLE : After a document is signed, it cannot be altered.

Answer 45

NOT REAUSABLE : The document signature cannot be transferred to another document.

Answer 46

NON-REPUDIATED : The signed document is considered to be the same as a physical document. The signature is proof that the document has been signed by the actual person.

Answer 47

Code signing: This is used for data integrity and authentication purposes. Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.

Answer 48

Digital certificates: These are similar to a virtual ID card and used to authenticate the identity of system with a vendor website and establish an encrypted connection to exchange confidential data.

Answer 49

Digital Signature Algorithm (DSA) : DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.

Answer 50

Rivest-Shamir Adelman Algorithm (RSA) : RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.

Answer 51

Elliptic Curve Digital Signature Algorithm (ECDSA) : ECDSA is a newer variant of DSA and provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth. In the 1990s, RSE Security Inc. started to publish public-key cryptography standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of the time of this writing. RSE published these standards because they had the patents to the standards and wished to promote them. PKCS are not industry standards, but are well recognized in the security industry and have recently begun to become relevant to standards organizations such as the IETF and PKIX working-group.

Answer 52

Digitally signing code provides several assurances about the code: The code is authentic and is actually sourced by the publisher. The code has not been modified since it left the software publisher. The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

Answer 53

The purpose of digitally signed software is to ensure that the software has not been tampered with, and that it originated from the trusted source as claimed. Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.

Answer 54

Click the buttons to access the properties of a file that has a digitally signed certificate. : -- File Properties -- Digital Signatures -- Digital Signatures Details -- Certificate Information -- Certification Path

Answer 55

File Properties : This executable file was downloaded from the internet. The file contains a software tool from Cisco Systems. https://snipboard.io/A0WHML.jpg

Answer 56

Digital Signatures : Clicking the Digital Signatures tab reveals that the file is from a trusted organization, Cisco Systems Inc. The file digest was created with the sha256 algorithm. The date on which the file was signed is also provided. Clicking Details opens the Digital Signatures Details window. https://snipboard.io/WLy2qC.jpg

Answer 57

Digital Signatures Details : The Digital Signature Details window reveals that the file was signed by Cisco Systems, Inc in October of 2019. This was verified by countersignature provided by Entrust Time Stamping Authority on the same day as it was signed by Cisco. Click View Certificate to see the details of the certificate itself. https://snipboard.io/OGXTlY.jpg

Answer 58

Certificate Information The General tab provides the purposes of the certificate, who the certificate was issued to, and who issued the certificate. It also displays the period for which the certificate is valid. Invalid certificates can prevent the file from running. https://snipboard.io/PkY2ob.jpg

Answer 59

Certification Path : Click the Certification Path tab to see the file was signed by Cisco Systems, as verified to DigiCert. In some cases an additional entity may independently verify the certificate. https://snipboard.io/456d8p.jpg

Answer 60

Digital certificates are similar to physical certificates. For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate in the figure identifies who the certificate is issued to, who authorized the certificate, and for how long the certificate is valid. Digital certificates also provide similar information. https://snipboard.io/L27hwq.jpg

Answer 61

The digital certificate independently verifies an identity. Digital signatures are used to verify that an artifact, such as a file or message, is sent from the verified individual. In other words, a certificate verifies identity, a signature verifies that something comes from that identity.

Answer 62

This scenario will help you understand how a digital signature is used. Bob is confirming an order with Alice. Alice is ordering from Bob’s website. Alice has connected with Bob’s website, and after the certificate has been verified, the Bob’s certificate is stored on Alice’s website. The certificate contains Bob’s public key. The public key is used to verify the Bob’s digital signature. Refer to the figure to see how the digital signature is used. https://snipboard.io/lIw2kQ.jpg

Answer 63

An SSL certificate is a digital certificate that confirms the identity of a website domain. To implement SSL on your website, you purchase an SSL certificate for your domain from an SSL Certificate provider. The trusted third party does an in-depth investigation prior to the issuance of credentials. After this in-depth investigation, the third-party issues credentials (i.e. digital certificate) that are difficult to forge. From that point forward, all individuals who trust the third party simply accept the credentials that the third-party issues. When computers attempt to connect to a web site over HTTPS, the web browser checks the website’s security certificate and verifies that it is valid and originated with a reliable CA. This validates that the website identify is true. The certificate is saved locally by the web browser and is then used in subsequent transactions. The website’s public key is included in the certificate and is used to verify future communications between the website and the client.

Answer 64

These trusted third parties provide services similar to governmental licensing bureaus. The figure illustrates how a driver’s license is analogous to a digital certificate. https://snipboard.io/Diwbd5.jpg The Public Key Infrastructure (PKI) consists of specifications, systems, and tools that are used to create, manage, distribute, use, store, and revoke digital certificates. The certificate authority (CA) is an organization that creates digital certificates by tying a public key to a confirmed identify, such as a website or individual. The PKI is an intricate system that is designed to safeguard digital identities from hacking by even the most sophisticated threat actors or nation states. Some examples of Certificate Authorities are IdenTrust, DigiCert, Sectigo, GlobalSign, and GoDaddy. These CAs charge for their services. Let’s Encrypt is a non-profit CA that offers certificates free of charge.

Answer 65

It consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. The figure shows the main elements of the PKI. https://snipboard.io/r4XEZy.jpg

Answer 66

The next figure shows how the elements of the PKI interoperate: In this example, Bob has received his digital certificate from the CA. This certificate is used whenever Bob communicates with other parties. Bob communicates with Alice. When Alice receives Bob’s digital certificate, she communicates with the trusted CA to validate Bob’s identity. https://snipboard.io/zbHier.jpg Note: Not all PKI certificates are directly received from a CA. A registration authority (RA) is a subordinate CA and is certified by a root CA to issue certificates for specific uses.

Answer 67

The table provides a description of the classes. The class number is determined by how rigorous the procedure was that verified the identity of the holder when the certificate was issued. The higher the class number, the more trusted the certificate. Therefore, a class 5 certificate is trusted much more than a lower-class certificate. CLASS 0 - Used for testing in situations in which no checks have been performed. CLASS 1 - Used by individuals who require verification of email. CLASS 2 - Used by organizations for which proof of identity is required. CLASS 3 - Used for servers and software signing. Independent verification and checking of identity and authority is done by the certificate authority. CLASS 4 - Used for online business transactions between companies. CLASS 5 - Used for private organizations or government security.

Answer 68

For example, a class 1 certificate might require an email reply from the holder to confirm that they wish to enroll. This kind of confirmation is a weak authentication of the holder. For a class 3 or 4 certificate, the future holder must prove identity and authenticate the public key by showing up in person with at least two official ID documents. Some CA public keys are preloaded, such as those listed in web browsers. The figure displays various VeriSign certificates contained in the certificate store on the host. Any certificates signed by any of the CAs in the list will be seen by the browser as legitimate and will be trusted automatically. https://snipboard.io/slWPNU.jpg Note: An enterprise can also implement PKI for internal use. PKI can be used to authenticate employees who are accessing the network. In this case, the enterprise is its own CA.

Answer 69

As shown in the figure below, a single CA, called the root CA, issues all the certificates to the end users, which are usually within the same organization. The benefit to this approach is its simplicity. However, it is difficult to scale to a large environment because it requires a strictly centralized administration, which creates a single point of failure. Single-Root PKI Topology: https://snipboard.io/wPmzc0.jpg

Answer 70

On larger networks, PKI CAs may be linked using two basic architectures: Cross-certified CA topologies - As shown in the figure below, this is a peer-to-peer model in which individual CAs establish trust relationships with other CAs by cross-certifying CA certificates. Users in either CA domain are also assured that they can trust each other. This provides redundancy and eliminates the single-point of failure. Cross-Certified CA: https://snipboard.io/rGH7ek.jpg

Answer 71

Hierarchical CA topologies - As shown in the figure below, the highest-level CA is called the root CA. It can issue certificates to end users and to a subordinate CA. The sub-CAs could be created to support various business units, domains, or communities of trust. The root CA maintains the established “community of trust” by ensuring that each entity in the hierarchy conforms to a minimum set of practices. The benefits of this topology include increased scalability and manageability. This topology works well in most large organizations. However, it can be difficult to determine the chain of the signing process. A hierarchical and cross-certification topology can be combined to create a hybrid infrastructure. An example would be when two hierarchical communities want to cross-certify each other in order for members of each community to trust each other. Hierarchical CA: https://snipboard.io/blWPO1.jpg

Answer 72

To address this interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The X.509 version 3 (X.509 v3) standard defines the format of a digital certificate. Refer to the figure for more information about X.509 v3 applications. As shown in the figure, the X.509 format is already extensively used in the infrastructure of the internet. X.509v3 Applications https://snipboard.io/aYrfqV.jpg

Answer 73

For many systems such as web browsers, the distribution of CA certificates is handled automatically. The web browser comes pre-installed with a set of public CA root certificates. Organizations and their website domains push their public certificates to website visitors. CAs and certificate domain registrars create and distribute private and public certificates to clients that purchase certificates.

Answer 74

The certificate enrollment process is used by a host system to enroll with a PKI. To do so, CA certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using the telephone. The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate for itself and to get the CA’s self-signed certificate. The final stage verifies that the CA certificate was authentic and is performed using an out-of-band method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA identity certificate.

Answer 75

Authentication no longer requires the presence of the CA server, and each user exchanges their certificates containing public keys. Certificates must sometimes be revoked. For example, a digital certificate can be revoked if key is compromised or if it is no longer needed. Here are two of the most common methods of revocation: Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)

Answer 76

Certificate Revocation List (CRL) : A list of revoked certificate serial numbers that have been invalidated because they expired. PKI entities regularly poll the CRL repository to receive the current CRL.

Answer 77

Online Certificate Status Protocol (OCSP) : An internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate. Revocation information is immediately pushed to an online database.

Answer 78

Applications and Impacts of Cryptography PKI Applications Where can PKI be used by an enterprise? The following provides a short list of common uses of PKIs: SSL/TLS certificate-based peer authentication Secure network traffic using IPsec VPNs HTTPS Web traffic Control access to the network using 802.1x authentication Secure email using the S/MIME protocol Secure instant messaging Approve and authorize applications with Code Signing Protect user data with the Encryption File System (EFS) Implement two-factor authentication with smart cards Securing USB storage devices

Answer 79

Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network. Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include: -- Validity date range -- Signature validation error

Answer 80

Validity date range : The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message. Expired certificates may simply be the result of administrator oversight, but they may also reflect more serious conditions.

Answer 81

Signature validation error : If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic. Signature validation will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate store.

Answer 82

Encrypted Network Transactions The figure shows an example of a signature validation error with the Cisco AnyConnect Mobility VPN Client. Signature Validation Error https://snipboard.io/PECwqX.jpg

Answer 83

Some of these issues can be avoided due to the fact that the SSL/TLS protocols are extensible and modular. This is known as a cipher suite. The key components of the cipher suite are the Message Authentication Code Algorithm (MAC), the encryption algorithm, the key exchange algorithm, and the authentication algorithm. These can be changed without replacing the entire protocol. This is very helpful because the different algorithms continue to evolve. As cryptanalysis continues to reveal flaws in these algorithms, the cipher suite can be updated to patch these flaws. When the protocol versions within the cipher suite change, the version number of SSL/TLS changes as well.

Answer 84

However, the increased use of HTTPS in the enterprise network introduces new challenges. Since HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to peek into user traffic.

Answer 85

Cryptography is dynamic and always changing. A security analyst must maintain a good understanding of cryptographic algorithms and operations to be able to investigate cryptography-related security incidents.

Answer 86

For example, command and control traffic that is encrypted with TLS/SSL most likely cannot be seen by a firewall. The command and control traffic between a command and control server and an infected computer in a secure network cannot be stopped if it cannot be seen and understood. The attacker would be able to continue using encrypted commands to infect more computers and possibly create a botnet. This type of traffic can be detected by decrypting the traffic and comparing it with known attack signatures, or by detecting anomalous TLS/SSL traffic. This is either very difficult and time consuming, or a hit-or-miss process.