Security Plus - Chapter 7 Flashcards

Question

Block Ciphers

Answer 1

operate on chunks or blocks of a message and apply the encryption algorithm to an entire message block at the same time. An example is the transposition cipher and columnar transposition.

Answer 2

Operate on one character or bit of a message or data stream at a time. The algorithm operates on each letter of the message independently. The Caesar cipher and one-time pad cipher are examples.

Answer 3

Rely on a shared secret encryption key that is distributed to all members who participate in the communications. The sender encrypts with the shared key, and the receiver decrypts with the shared key. Provides confidentiality. - Private Key Cryptography - Secret Key Cryptography Cons: - Key distribution must occur through secured online channels or sending offline through an out of band method. - Does not provide non-repudiation - The algorithm is not scalable for large groups to use for communicating - Keys must be regenerated often

Answer 4

Public Key Algorithm. Each user has two keys, a public key, and a private key, which is kept secret and known only to the owner of the key pair. Opposite and related keys must be used in tandem to encrypt and decrypt. If the public key encrypts a message, then the corresponding private key must decrypt the message. Provide support for digital signature technology. Strengths of Asymmetric cryptography: - Adding new users requires generation of only one public-private key - Users are removed more easily by including a key revocation system - Key regeneration is only required if the user's private key has been compromised - Provides integrity, authentication, and non-repudiation - Key exchange is a simple process by making their public key available, and then keeping their private key secured No preexisting communication link is needed, so users can begin communicating right away by providing their public key. Cons of Asymmetric cryptography: - Slow speed of operation - Best when used with smaller data set transmission

Answer 5

Attributes Keys Symmetric - Same key is used by sender to encrypt and receiver to decrypt Asymmetric - Each user has a key pair - a public key and a private key Key Exchange Symmetric - Out-of-band Asymmetric - Public key is freely shared Speed Symmetric - Algorithm is less complex and much faster Asymmetric - Algorithm is more complex and slower Number of keys Symmetric - N*(N-1)/2 Asymmetric - 2N Use Symmetric - Bulk encryption, meaning encrypting files and communication Asymmetric - Key encryption and digital signatures. Security service provided Symmetric - Confidentiality Asymmetric - Confidentiality, authentication, and non-repudiation

Answer 6

Produces message digests which are summaries of the messages contents. It is extremely difficult to derive a message from an ideal hash function, and very unlikely that two messages will produce the same hash value. If this occurs, it is known as collision.

Answer 7

Data Encryption Standard (DES) Triple DES (3DES) Advanced Encryption Standard (AES)

Answer 8

Pros: - Provides fast data transfer - Good strong privacy Cons: - Out of band key distribution - Doesn't scale well - Doesn't provide non-repudiation Aliases - Secret, Private, Shared, Session A single key shared by both parties Symmetric Ciphers - Stream - one bit at a time - Block - chunks of data

Answer 9

DES 3DES AES RC-4 RC-5 Two Fish Blowfish IDEA CAST MARS Skipjack

Answer 10

Published in 1977 and is no longer in use due to flaws in the algorithm. Officially retired in 2001.

Answer 11

Uses the DES algorithm three times, with three different encryption keys produced. This is also considered insecure and was retired in 2023.

Answer 12

Introduced in 2000, the Rijndael block cipher was chosen as the replacement for DES. The Federal Information Processing Standard (FIPS) mandated the use of Rijndael/AES for the encryption of all sensitive information. This cipher allows the use of 3 key strengths128, 192, & 256. The number of encryption rounds depends on the key length. 128 bit key = 10 rounds of encryption 192 bit key = 12 rounds of encryption 256 bit key = 14 rounds of encryption

Answer 13

Provides safeguards around key creation, distribution, storage, destruction, recovery, and escrow of secret keys.

Answer 14

The secure distribution of the secret keys required to operate algorithms. - Offline distribution - Public key encryption - Diffie-Hellman algorithm

Answer 15

Physical exchange of key material. May flaws can occur while providing a physical distribution of a key.

Answer 16

A secured link is established between two parties. a secret key is exchanged over the secured public key link. Then, communication is switched from the public key algorithm to the secret key algorithm. The secret key algorithm provides increased processing speed.

Answer 17

The communicating parties agree on two large numbers, P (prime number), and G (integer number) where 1 < G< P. Sender chooses an integer R and calculates the number with the formula R=g to the r mod P. Receiver chooses an integer S and calculates this in the formula S=g to the s mod P. Sender sends R to the receiver, Receiver sends S to the sender. Sender calculates formula K= S to the r mod P, and receiver calculates K= R to the s mod P. This provides K as the secret key they use for transmission of messages.

Answer 18

Never store an encryption key on the same system where the encrypted data resides. For highly sensitive keys, use two different individuals with half of the key. They must collaborate to re-create the entire key. Principle of split knowledge. For Symmetric cryptography, when a person with knowledge of the key leaves an organization, the keys must be changed and any data encrypted with the original keys must be re-encrypted with the new key.

Answer 19

Utilize a third-party to store a protected copy of the key.

Answer 20

Specifies the circumstances under which a key may be retrieved from escrow and used without a user's knowledge.

Answer 21

Users make their public keys freely available to anyone they will need to communicate with. The sender will utilize the organization public key to encrypt the message, then send to the organization. Once the organization receives, it can only be decrypted by the organizations private key. Public Key Encryption. Asymmetric keys must be longer than symmetric keys and utilize a higher degree of computations to ensure equivalent strength to symmetric.

Answer 22

Every user has a key pair which consists of a public kay and a private key Anything encrypted with one key can only be decrypted by the other

Answer 23

Created in 1977 and is still a standard used today. The algorithm depends on the computational difficulty inherent in factoring large prime numbers. Each user of the cryptosystem generates a pair of public and private keys using the algorithm.

Answer 24

Created in 1985 as a mathematical based on points along the curve and performing a mathematical function y squared = x to the third + ax+ b. In the formula, x, y, a, and b are real numbers.

Answer 25

Take a potentially long message and generate a unique output value derived from the contents of the message. The output value = message digest.

Answer 26

Message digests are sent to the recipient along with the full message for two reasons: - The recipient can use the same hash function to recompute the message digest from the full message. - The message sent by the originator is the same one received by the recipient. - The message digest can be used to implement a digital signature algorithm.

Answer 27

- They accept an input of any length. - They produce an output of a fixed length, regardless of the length of the input. - The hash value is relatively easy to compute. - The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). - A secure hash function is collision free (it is extremely hard to find two messages that produce the same hash value).

Answer 28

Government standard hashing functions published in the Secure Hash Standard (SHS) known as FIPS 180. There are several versions of the SHA algorithm: - SHA-1 - SHA-2 - SHA-3

Answer 29

Takes an input of virtually any length and produces a 160-bit message digest. It processes a message in 512-bit blocks. If not in a 512-bit block, the message digest will pad the message with data to meet the next multiple of 512.

Answer 30

This is doubling of the processing of SHA-1, and is considered secure, but the weaknesses of SHA-1 can be revealed with persistence. There are 4 variations of SHA-2: - SHA-256 - produces a 256-bit message digest using a 512-bit block size. - SHA-224 - uses a truncated version of SHA-256 hash to produce a 224-bit message digest using a 512-bit block size. - SHA-512 - produces a 512-bit message digest using a 1,024-bit block size. - SHA-384 - Uses a truncated version of the SHA-512 hash to produce a 384-bit digest using a 1,024-bit block size.

Answer 31

Published in 2015, also known as the Keccak algorithm, was developed to serve as a drop-in replacement for SHA-2 hash functions offering the same variants and lengths using a more secure algorithm.

Answer 32

Published in 1991 by Ron Rivest (RSA). It processes 512-bit blocks of the message, but it uses four distinct rounds of computation to produce a digest. Implements security features to that reduce the speed of the message digest production significantly. It is subject to collisions preventing the ability to use it for integrity.

Answer 33

Digitally signed messages assure the recipient that the message came from the claimed sender. This enforces non-repudiation. They assure that the message was not altered while in transit between the sender and recipient as well. This protects against both malicious and unintentional modification. They rely on two concepts, public key cryptography and hashing functions. Ensure that the goals of integrity, authentication, and non-repudiation are met. Does not guarantee privacy.

Answer 34

- A message digest of the original plain-text message is created using one of the hashing algorithms. - The message digest is encrypted using the sender's private key. The encrypted message digest is the digital signature. - The sender appends the signed message digest to the plain-text message. - The sender transmits the appended message to receiver. - The receiver reverses the order of operations - The receiver decrypts the digital signature with sender's public key - The receiver uses the same hashing function to create a message digest of the full plain-text message - The receiver compares the decrypted message with the message digest they computed. If the two digests match, the receiver is assured this is actual message from sender.

Answer 35

Implements a partial digital signature which guarantees integrity but does not guarantee non-repudiation. HMAC can be combined with any standard message digest generation algorithm by using a shared key.

Answer 36

A trust relationship between two entities that permits combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates.

Answer 37

Provide communicating parties with the assurance that the people they are communicating with are who they claim to be. When users verify that a certificate was signed by a trusted certificate authority (CA), the public key is legitimate. Certificates contain specific identifying information, and they are governed by an international standard, X.509. Certificates contain the below attributes: - Version x.509 which they conform to - Serial number (from the certificate creator) - Signature algorithm identifier (specifies the technique used by the certificate authority to digitally sign the contents of the certificate) - Issuer name (identification of the certificate authority that issued the certificate) - Validity period (specifies the dates and times; a starting date and time, and an expiration date and time; during which the certificate is valid) - Subject's common name (CN) that clearly describes the certificate owner - Certificates may optionally contain Subject Alternative Names (SANs) that allow you to specify additional items (IP addresses, domain names, etc) to be protected by the single certificate - Subject's public key (the actual public key the certificate owner used to set up secure communications)

Answer 38

Providing assurance for the public keys of: - Computers/Machines - Individual users - Email addresses - Developers (code-signing certificates)

Answer 39

Neutral organizations that offer notarization services for digital certificates. They must carefully protect their own private keys to preserve the trust relationships. They usually utilize an offline CA to protect their root certificate, the top-level certificate for their entire PKI that is the root of trust for all the certificates they issue. The offline CA is disconnected, powered down, and not accessible until it is needed. The offline CA uses the root certificate to create subordinate intermediate CAs that serve as the online CAs used to issue certificates.

Answer 40

Assist CAs with the burden of verifying users' identities prior to issuing digital certificates.

Answer 41

Identity is proven to a CA, then you must provide the CA with your public key in the form of a Certificate Signing Request (CSR), then the CA will create an x.509 digital certificate with your identifying information and a copy of your public key. The CA then digitally signs the certificate using your private key and provides you with a copy of your signed digital certificate.

Answer 42

Domain Validation certificate (DV) - The CA verifies that the certificate subject has control of the domain name. Extended Validation Certificate (EV) - Provide a higher level of assurance by the CA taking steps to verify that the certificate owner is a legitimate business before issuing the certificate.

Answer 43

Certificate Enrollment Certificate Verification Certificate Revocation

Answer 44

When receiving a certificate, the certificate is checked with the CA's digital signature using the CA's public key. Verify the certificate was not revoked using the certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP). Once that validation is completed, you must verify the following: - The digital signature of the CA is authentic - You trust the CA - The certificate is not listed on a CRL - The certificate actually contains the data you are trusting Before you trust an identifying piece of information about someone, be sure that it is actually contained within the certificate. It only verifies the information listed in the certificate.

Answer 45

Algorithms that are built into web browsers and email clients.

Answer 46

Instruct web browsers to attach a certificate to a subject for an extended period of time. The browser associates that site to their public key.

Answer 47

When the CA needs to remove a certificate from being available.

Answer 48

- The certificate was compromised (the certificate owner allowed the private key to become exposed) - The certificate was erroneously issued (the CA mistakenly issued a certificate without proper verification) - The details of the certificate changed (the subject's name was changed) - The security association changed (the subject is no longer employed by the organization sponsoring the certificate)

Answer 49

Certificate Revocation List (CRL) - Maintained by the various certificate authorities and contain the serial numbers of the certificates that have been issued by a CA and revoked along with the date and time the revocation went into effect. Online Certificate Status Portal (OCSP) - Provides a means for real-time certificate verification. A client can send a request to validate a certificate to OCSP, the server then responds with the status of good, revoked, or unknown. This is used by web browsers for validation. This must verify every user that is accessing a web browser. Certificate Stapling - An extension to the OCSP that relieves some of the burden placed upon CAs by the original protocol. The web server contacts the OCSP server itself and receives a signed and timestamped response from the OCSP server, which then attaches (staples) to the digital certificate. The user's browser then that the certificate is authentic and validates the stapled OCSP response is genuine and current. Time saving comes in because a user revisiting a site and the time stamp is recent enough, there is no need to perform the validation process.

Answer 50

Distinguished Encoding Rules (DER) - Certificates that are normally stored in files with .der, .crt, or .cer extension. Privacy Enhanced Mail (PEM) - Certificates that are formatted in an ASCII text version of DER. Normally stored as file extensions .pem or .crt. Personal Information Exchange (PFX) - Certificate format that is commonly used by Windows systems. May be stored in binary or text format. .pfx or .p12. p7b formats are stored in ASCII format.

Answer 51

The cryptographic key is created using a totally random method.

Answer 52

Provide a way to manage encryption keys. Hardware devices that store and manage encryption keys in a secure manner that prevents humans from needing to work directly with the keys.

Answer 53

Brute Force Frequency Analysis Known Plain Text Chosen Plain Text Related Key Attack Birthday Attack Downgrade Attack Rainbow Table Attack Exploiting Weak Keys Exploiting Human Error

Answer 54

Involves trying every possible key. It will eventually work, but could take an extremely long time to be successful.

Answer 55

Looks at the blocks of an encrypted message to determine if any common patterns exist. Only good for historical ciphers

Answer 56

Relies on the attacker having pairs of known plain text along with the corresponding ciphertext.

Answer 57

The attacker obtains the ciphertext messages corresponding to a set of plain text messages.

Answer 58

Based on the theory of how many people would need to be in a room to have at least two people with the same birthday? This is not to determine a guaranteed match, but a high probability that a match is likely.

Answer 59

Sometimes used against secure communications such as TLS to get a user or system to inadvertently shift to a less secure cryptographic protocol.

Answer 60

Attempt to reverse the hashed password values by precomputing the hashes of common passwords.

Answer 61

When a cryptographic algorithm is in place but was implemented in a weak manner. Ex. Weak key generation. WEP protocol uses an improper implementation of RC4 encryption which provide numerous vulnerabilities.

Answer 62

One user may send a secured message to multiple recipients. The none of those recipients then send the message on to another recipient and not secure it appropriately. Another example is that a user may use an outdated version of the encryption algorithm not knowing that a newer, more secure version has been implemented.

Answer 63

Laters of encryption prevent nodes in the relay chain from reading anything other than the specific information they need to accept and forward the traffic. TOR router uses this.

Answer 64

A distributed and immutable open public ledger. It can store records in a way that distributes those records among many different systems located around the world and in a manner that prevents anyone from tampering with those records.

Answer 65

Allows the ability to protect the privacy of individuals but still able to perform calculations on their data.

Answer 66

Attempts to use quantum mechanics to perform computing and communication tasks.

Security Plus - Chapter 7 Flashcards

(90 cards)