CompTIA Security+ - Chapter 2
One-Way Function
For the exam, hashing is a one-way function and cannot be reversed.
Diffusion
A technique where you change one character of the input, which will change multiple bits of the output.
GnuPG
GnuPG is a free version of OpenPGP; it is also known as PGP.
Trust Anchor
A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.
Trust Model
A trust model proves the authenticity of a certificate; there are two trust models: Hierarchical Trust Model and Bridge Trust Model
User Certificate
A user certificate provides authenticity to a user for the applications that they use.
Three types of data
1. At rest 2. in use 3. in transit
RIPEMD
128-bit hashing function (used to hash data)
Symmetric Algorithms: Triple (DES) (3DES)
3DES applies the DES key three times and is said to be a 168-bit key. This could be used for L2TP/IPSec VPNs but is weaker than AES.
Stream Cipher
A stream cipher is method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. It is normally used by asymmetric encryption.
Domain Validation Certificate
A Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.
Block Cipher
A block cipher is where a block of data is taken and then encrypted; for example, 128 bits of data may be encrypted at a time. This is the method used today as it is much faster than a stream cipher. It is used by symmetric encryption with the exception of RC4.
Computer/Machine Certificate
A computer or machine certificate is used to identify a computer within a domain.
Proper Authentication for Companies?
A corporate environment should not use a single-factor username and password as they are not as secure as multi-factor usernames and passwords. We should adopt at least two-factor authentication and use a smart card and PIN to make authentication more secure. Installing a RADIUS server adds an additional layer to authentication to ensure that authentication from the endpoints is more secure.
Data Loss Protection (DLP)
A formal program that reduces the likelihood of accidental or malicious loss of data. Set of technologies and inspection techniques used to classify information content contained within an object — such as a file, email, packet, application or data store — while at rest (in storage), in use (during an operation) or in transit (across a network). These tools also have the ability to dynamically apply a policy — such as log, report, classify, relocate, tag and encrypt — and/or apply enterprise data rights management protections.
Substitution Cipher
A method of encryption and decryption in which each letter in the alphabet is replaced by another.
Private CA
A private CA can only be used internally. However, although it is free, you must maintain the CA (which means you need the correct skill set)
Public CA
A public CA is also known as a third-party CA and is commercially accepted as an authority for issuing public certificates. Examples include Sectigo, formerly known as Comodo, Symantec, Go Daddy, and more.
Self-signed Certificate
A self-signed certificate is issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted. It is the cheapest form of internal certificates and can be placed on multiple servers.
Crypto Service Provider
A software library. For example, Microsoft uses the Crypto API and has providers including the following: Microsoft AES Cryptographic Provider: This service provider provides support for the AES algorithm. Microsoft DSS and DH/Channel Cryptographic Provider: This supports hashing and data signing with DSS and key exchanging for DH.
Wildcard
A wildcard can be used for multiple servers in the same domain. For a wildcard certificate for a domain called securityplus.training, the wildcard certification would be *.securityplus.training and could be used for the domain and a subdomain. For example, in the securityplus.training domain, there are two servers called web and mail. The wildcard certification is *.securityplus.training and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) of both of these—web.securityplus.training and mail.securityplus.training.
Cheapest Certificate Options
A wildcard certificate can be installed on multiple public-facing websites as a cheaper option. A self-signed certificate can be installed on internal-facing websites as a cheaper option.
Public Key Infrastructure (PKI)
Asymmetric encryption that has a Certificate Authority and the associated infrastructure to support issuing and managing certificates.
Symmetric Algorithms: Advanced Encryption Standard (AES)
AES comes in three key strengths: 128-, 192-, and 256-bits. AES is commonly used for L2TP/IPSec VPNs.
Full Disk Encryption
Also "whole disk encryption" - protects the entire volume and all files on the drive against unauthorized access. Converts data into unreadable code that cannot be deciphered easily. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume.
Subject Alternative Name (SAN) Certificate
An SAN certificate can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into a SAN certificate, such as an IP address.
Pseudo-Random Number Generator (PRNG)
An algorithm that uses mathematical formulas to produce sequences of random numbers. Random numbers can be used when generating data encryption keys.
SSL
An asymmetric algorithm that should be depreciated, as it is weak. An exploit is the POODLE attack, which is a man-in-the-middle attack that exploits the vulnerabilities of SSL 3.0 using CBC. Asymmetric algorithms should not be using a key whose strength is 2046 or lower. However, an SSL VPN is the only VPN that uses an SSL certificate and works with legacy clients.
Perfect Forward Secrecy (PFS)
An encryption method that ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. To work properly, it requires two conditions: Keys must not be reused, and new keys must not be derived from previously used keys. When a VPN makes a secure connection, a key exchange is made for each secure session, but it links to the server's private key. With perfect forward secrecy, there is no link between the session key and the server's private key. Therefore, even if the VPN server has been compromised, the attacker cannot use the server's private key to decrypt the session. It would be great for providing security of a voting machine.
Online CA
An internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night. This would not be the case in a government or top-security environment.
Offline CA
An offline CA is for a military or secure environment where clearance and vetting must be completed before someone can be issued with a certificate. The CA is kept offline and locked up when it is not being used. It is switched off so that it cannot issue new certificates.
Nonce
Arbitrary number that can be used just once; it is often a random number.
Ephemeral Keys
Asymmetric - short-lived keys that are used for a one-time-only session.
Two types of encryption
Asymmetric and symmetric
Purpose of Obfuscation
Companies can store their source code through this method, so if stolen, it would remain unreadable and would protect IT systems.
Block Cipher Mode of Operation
Block cipher mode takes blocks of data depending on the key and encrypts that data in blocks—this makes the encryption of a large amount of data much faster. The key size determines how large the block of data is. For example, if I use DES, then I can only encrypt blocks of 56 bits, whereas AES can encrypt blocks of data of up to 256 bits.
Symmetric Algorithms: Blowfish and Twofish
Blowfish is a 64-bit key and Twofish is a 128-bit key, and both were originally designed for encryption with embedded systems.
What is encryptian?
Taking plaintext and changing it into ciphertext so that the information cannot be read by outside agencies.
Cipher Block Chaining (CBC)
CBC adds XOR to each plaintext block from the ciphertext block that was previously produced. The first plaintext block has an IV that you XOR, and you then encrypt that block of plaintext.
Counter Mode
CTR turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter rather than an IV.
Certificate Pinning
Certificate pinning prevents the compromising of the CA and the issuing of fraudulent X509 certificates. It prevents SSL man-in-the-middle attacks.
OCSP Stapling/Certificate Stapling
Certificate stapling, also known as OCSP stapling, is used when a web server bypasses the CRL to use the OCSP for faster certificate validation. Certificate stapling, also known as OCSP stapling, is used when a web server bypasses the CRL to use the OCSP for faster certificate validation.
Code Signing Certificate
Code-signing certificates are used to digitally sign software so that its authenticity is guaranteed.
Crypto Module
Combination of hardware and software that implements crypto functions such as digital signatures, encryption, random number generation, and decryption.
Collision
If you hash the same data or password with the same hashing algorithm, then it will always create the same hash. A collision attack is where the attacker tries to match the hash; if the hash is matched, it is known as a collision, and this could compromise systems.
Electronic Code Book (ECB)
ECB replaces each block of the clear text with the block of ciphertext. The same plaintext will result in the same ciphertext. The blocks are independent of the other blocks. CBC is much more secure.
Symmetric Algorithms: Data Encryption Standard (DES)
DES groups data into 64-bit blocks, but for the purpose of the exam, it is seen as a 56-bit key, making it the fastest but weakest of the symmetric algorithms. This could be used for L2TP/IPSec VPNs but is weaker than AES.
Three versions of symmetric encryption in an L2TP/IPSec VPN tunnel
DES: 56-bit key (weakest) 3DES: 168-bit key (middle) AES: 128-bit to 256-bit (strongest) *Remember, symmetric encryption has only one key. It is much faster for encrypting a larger amount of data, but it needs DH, an asymmetric technique, to create a secure tunnel before it is used.
Digital Signature Algorithm (DSA)
DSA keys are used for digital signatures; they start at 512 bits, but their 1024-bit and 2048-bit keys are faster than RSA for digital signatures.
Data-at-Rest
Data-at-rest is data that is not being used and is stored either on a hard drive or external storage. To protect this data, we need to encrypt the data-at-rest.
Elliptic Curve Cryptography (ECC)
ECC is a small, fast key that is used for encryption in small mobile devices. However, AES-256 is used in military mobile cell phones. It uses less processing than other encryptions.
Two types of Ephemeral Keys
Diffie Hellman Ephemeral (DHE) & Elliptic Curve Diffie Hellman Ephemeral (ECDHE).
Digital Signatures
Digital signatures are used to verify the integrity of an email so that you know it has not been tampered with in transit. The private certificate used to sign the email creates a one-way hash function, and when it arrives at its destination, the recipient has already been given a public key to verify that it has not been tampered with.
Diffie Hellman (DH)
Does not encrypt data - purpose is to create a secure session so that symmetric data can travel down it. DH creates the keys used in the Internet Key Exchange (IKE); it uses UDP port 500 to set up the secure session for the L2TP/IPSec VPN. Once the secure tunnel has been created, then the symmetrically encrypted data flows down the tunnel.
Verifying Integrity
During forensic analysis, a scientist takes a copy of the data before investigation. To ensure that they have not tampered with it during the investigation, they will hash the data before starting and then compare the hash to the data when finished. If the hash matches, then they know that the integrity of the data is intact.
Certificate Validity
Each time a certificate is used, the first thing that must happen is that it must be checked for validity.
Homomorphic Encryption
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
What are certificates used for?
Encryption and authentication
Ephemeral Keys
Ephemeral keys are short-lived keys. They are used for a single session and then discarded. There are two of them: Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE)
Extended Validation Certificate
Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. It would normally be used in the financial arena. Companies applying for the extended validation certificate would have to provide more detailed information about the company.
Modes of Operation
How ciphers work to achieve encryption.
Data Recovery Agent (DRA)
If a user cannot access their data because their private key is corrupted, the DRA will recover the data. To recover, the DRA needs to get a copy of the private key from the key escrow.
Subordinate CA
It could be the RA that issues certificates to users. In the CompTIA exam, the subordinate CA could be called an intermediary. A security administrator or an architect could build the intermediary.
Blockchain
It is a digital ledger of transactions where the data is stored in batches called blocks that are distributed to many computers. Therefore, if you wanted to tamper with the blockchain, it would be impossible as you would have to change the data on every computer holding a copy. As they say, there is safety in numbers. This data is chained together with a block of data holding both the hash for that block and the hash of the preceding block. To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain. This is known as proof of work. Once that has been verified by those computers on this network, a new block is added to the end of the chain. Should data in the chain be modified, a new block with the changes is added, referring to the amended block. Since the data is held by many computers, it makes it impossible to carry out fraudulent transactions as copies are held in multiple places.
Symmetric Encryptian- Confusion
Massively changes the input to the output by putting it through a non-linear table created by the Symmetric Encryption - Secret Algorithm key. A secret key is the piece of information that is used to encrypt and decrypt messages in symmetric encryption.
Hardware Security Module (HSM)
The HSM can be a piece of hardware attached to the server or a portable device that is attached to store the keys.
How is a certificate identified?
Object Identifier (OID)
Symmetric Encryptian
Only uses one key to encrypt and decrypt data. The main reason for using symmetric encryption is that it can encrypt large amounts of data very quickly. The danger of symmetric encryption is that if the key is stolen, the attacker gets the keys to the kingdom. The Security+ exam does not focus on key exchange, because it only uses one key, but instead focuses on which is the fastest or strongest symmetric key, and which is used for the encryption of large amounts of data. The symmetric encryptions are DES 56 bit, 3DES 168 bit, AES 256 bit, Twofish 128 bit, and Blowfish 64 bit. **The smaller the key, the faster it is, but the larger the key, the more secure it is.**
Online Certificate Status Protocol (OCSP)
Only when the CRL is going slow will the OCSP come into play. It is much faster than the CRL and can take a load from the CRL in a very busy environment.
Pretty Good Privacy (PGP)
PGP is used between two users to set up asymmetric encryption and digital signatures. For PGP to operate, you need a private and public key pair. The first stage in using PGP is to exchange the keys.
Security through Obscurity
Prevent anyone from outside the organization from knowing the architecture or design of the system or any of its components. Obfuscation is a technique that makes stored source code unreadable.
Certificate Signing Request (CSR)
Process of requesting a new certificate.
Two types of certificates:
Public key and private key
Symmetric Algorithms: Rivest Cipher 4 (RC4)
RC4 is 40 bits and is used by WEP and is seen as a stream cipher.
SEDV
S: Sign (digital signature) E: Encryption D: Decryption V: Validation (know pic in chapter for SEDV)
Salting Passwords
Salting is a technique where random characters are appended to a password before it is hashed. This makes the password longer; it is similar to key stretching and increases the compute time for Brute Force attacks.
Information Rights Management (IRM)
Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some of this software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
PBKDF2
Stores passwords with a random salt and with the password hash using HMAC. It then iterates, which forces the regeneration of every password and prevents any rainbow table attack. A rainbow table is a list of passwords and their corresponding hash.
Types of Cipher Modes
Stream Cipher & Block Cipher
Object Identifier
The OID on a certificate is similar to a serial number on a banknote. Banknotes are identified by their serial number. The certificate is identified by its OID.
Registration Authority (RA)
The RA validates and accepts the incoming requests for certificates from users on the network and notifies the CA to issue the certificates. The certificates that are issued are known as X509 certificates.
Cryptography
The art of writing or solving codes.
Benefit of Public CA
The benefit of using a third-party CA is that all of the management is carried out by them; once you purchase the certificate, all you have to do is install it. They keep an up-to-date Certificate Revocation List (CRL) where you can check whether your certificate is valid. A certificate that is not valid will not work if you are going to sell goods and services to other companies; this is known as a B2B transaction, which requires a public CA.
Bridge Trust Model
The bridge trust model is peer-to-peer, where two separate PKI environments trust each other. The certificate authorities communicate with each other, allowing for cross-certification.
Key Escrow
The key escrow holds the private keys for third parties and stores them in a Hardware Security Module (HSM), a device that can store digital keys.
High Resiliency
The most secure encryption algorithm should be used to prevent an encryption key from being cracked by attackers. The more secure the encryption key, the longer and more processing power it will take to gain the encryption key. In an RSA encryption environment, we should use a key with at least 3,072 bits.
Obfuscation
The process where you take source code and make it look obscure, so that if it is stolen, it would not be understood. It is used to mask data. XOR, ROT13, and steganography could all be used for obfuscation in the Security+ exam.
Relationship between private and public keys
The public key is sent to third parties to encrypt the data, and the private key decrypts the data. If you think of the private key as your bank card, that's a thing you wouldn't give away. The public key is the deposit slip that is tied to your account. If you were in a room with 20 people who wanted to pay $20 into your account, you would give them your deposit slip. You will always give your public key away because when people are sending you encrypted data, they are using your public key to encrypt.
Types of Symmetric Encryption
The symmetric encryptions are DES 56 bit, 3DES 168 bit, AES 256 bit, Twofish 128 bit, and Blowfish 64 bit. **The smaller the key, the faster it is, but the larger the key, the more secure it is.** The exam may ask what encryption uses one key and it will be one of the symmetric encryptions or they may ask which one has the smallest key, that would be DES. If they asked which one has the largest key that would be AES that can go up to 256 bits.
Certificate Authority
The ultimate authority as it holds the master key, also known as the root key, for signing all of the certificates that it gives to the Intermediary who issues the certificate to the requester.
Rivest, Shamir, and Adelman (RSA)
They are used for encryption and digital signatures. RSA is named after the three people who invented the algorithm. The keys were the first private and public key pairs, and they start at 1,024, 2,048, 3,072, and 4,096 bits.
Certificate Chaining
This chain of trust is used to verify who the Certificate Authority is. The chain normally has three layers, the certificate vendor, the vendor's CA, and the computer where the certificate is installed.
Galois/Counter Mode (GCM)
This is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. It can be implemented in hardware and software to achieve high speeds with low cost and low latency.
Initialization Vector (IV)
This is a random value used as a secret key for data encryption. This number (also called a nonce) is employed only one time in any session. The IV length is usually comparable to the length of the encryption key or the block of the cipher in use. Sometimes, this is also known as a starter variable.
Certificate Revocation List (CRL)
This is the first stage in checking whether a certificate is valid. If the certificate is not valid, it will be entered into the CRL. If the X509 is in the CRL, it is no longer valid and will not be accepted. **No matter how obscure the question posed in the exam, unless it is going slow or you are looking for a faster lookup, it will be the CRL that provides certificate validity. No matter the scenario, the CRL, is the default.**
Hierarchical Trust Model
This uses a hierarchy from the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model.
How can a company ensure confidentiality?
To prevent data from being accessed, we will encrypt the data to prevent it from being viewed and prevent any protocol analyzer from reading the packets. When people access the company's network from a remote location, they should use an L2TP/IPSec VPN tunnel, using AES as the encryption method to create a secure tunnel across the internet and to prevent man-in-the-middle attacks. Encryption could be coupled with mandatory access control to ensure that data is secure and kept confidential.
Two reasons to ensure integrity? Two key methods?
To prove data hasn't been tampered with. Two methods are to hash data or to use a digital signature.
Quantum v. Traditional Computing
Traditional computer chips use bits to store data in values of 1 where the bit is switched on, and a 0 value where the bit is switched off. Quantum uses qubits, which can be switched on or off at the same time or somewhere in between. This is known as a superposition. A traditional computer trying to find the way from A to B could only try a single path at any one time until it found the path; however, quantum computing could try every path at the same time.
ROT 13
Type of Substitution Cipher - Each letter is changed to the letter rotated 13 times.
Certificate Formats
Type: Private Format: P12 File Extension: .pfx Type: Public Format: P7B File Extension: .cer Type: PREM Format: Base64 format File Extension: .pem Certificate type: DER Format: Extension for PEM File Extension: .der
Asymmetric Encryption
Uses two keys: private and public **When you see the word Public Key Infrastructure (PKI), it is asymmetric encryption, complete with its CA and intermediary authorities.**
Stream v. Block Cipher
We have two teams of four people who have been tasked with unloading a five-ton lorry full of skittles and placing them in a room on the bottom floor of a building. There are skittles in boxes and there are skittles that have been placed loose. One of the teams has loose skittles that need to be bagged and the other lorry has boxes of skittles. It is obvious that the team with boxes of skittles will win. The stream cipher is bagging the skittles, whereas the block cipher has boxes of skittles.
Data-in-Transit
When purchasing items, we use TLS, SSL, or HTTPS to encrypt the session before we enter the credit card details. This is a session using a web browser and is known as data in transit.
Diffie Hellman (DH)
When symmetric data is in transit, it is protected by Diffie Hellman, whose main purpose is to create a secure tunnel for symmetric data to pass through. It does not encrypt data but creates a secure tunnel.
Data-in-Use
When we launch an application such as word, we are not running the data from the disk drive but running the application in the Random Access Memory (RAM). This is volatile memory, meaning that, should you power down the computer, the contents are erased. This is also known as in processing.
Key Stretching
When you append a random set of characters to a password to increase the size of the password and its hash, ensuring that a brute-force attack needs more compute time to crack the password.
Purpose of Non-Repudiation
When you digitally sign an email with your private key, you cannot deny that it was you, as there is only one private key. When two separate parties decide to do a business deal together, they may use a third party to create a digital contract, but parties would log in to where the contract was stored. Once they digitally sign it, then it is legally binding.
Steganography
Where a document, image, audio file, or video file can be hidden inside another document, image, an audio file, or video file. The document, image, or file will be larger, and images will have a much lower resolution.
Private Key vs. Public Key
Your private key, or a key pair, is never installed on another server. You always retain the private key just like your bank card. You give the public key away or install it on another server.
Exclusive OR (XOR) Encryption
a binary operand from Boolean algebra. This operand will compare two bits and will produce one bit in return: Two bits that are the same: 0 Two bits that are different: 1 *The input is compared to the key, if the numbers match, the output is 0.*
BCRYPT
a password-hashing algorithm based on the Blowfish cipher. It is used to salt the passwords. A random string is appended to the password to increase the password length to help increase the compute time for a brute-force attack.