Chapter 2- Cryptography
Output Feedback (OFB)
A DES mode that is very similar to CFB mode, but instead of the previous block's ciphertext being the next block's IV, it takes the result of the previous encryption of the IV and key before the plaintext is XORed.
Twofish
A block cipher that operates on 128-bit blocks of data, can use cryptographic key sizes of 128, 192, or 256 bits in length, and performs 16 rounds of encryption.
Pretty Good Privacy (PGP)
A cryptography application and protocol suite used in asymmetric cryptography. (used in e-mail)
Certificate Signing Request (CSR)
A message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
Substitution Cipher
A method of encryption and decryption in which each letter in the alphabet is replaced by another.
Galois/Counter Mode (GCM)
A mode that starts with CTR mode, but adds a special data type known as a Galois field to add integrity. Used by AES.
codebook
A predefined dictionary that translates codes to their plaintext messages and back.
D-H group
A preset modulus of a specific size: Group 1: 768-bit modulus; Group 2: 1024-bit modulus; Group 5: 1536-bit modulus; Group 14: 2048-bit modulus.
key exchange
A process, typically using Diffie-Hellman algorithms, which assists in the creation and secure exchange of symmetric keys, typically session keys used for one communications session only.
Certificate Revocation List (CRL)
A repository that lists revoked digital certificates.
Secure Hash Algorithm (SHA)
A secure hash algorithm that creates hash values of longer lengths than Message Digest (MD) algorithms.
Public Key Cryptography Standards (PKCS)
A set of voluntary standards created by RSA security and industry security leaders.
Advanced Encryption Standard (AES)
A symmetric cipher that can use block sizes of 128 bits, with key sizes of 128, 192, and 256 bits. Rounds by key size: 10 rounds for 128 bits, 12 rounds for 192 bits, and 14 rounds for 256 bits.
Diffie-Hellman Ephemeral or ephemeral key
A temporary key that is used only once before it is discarded.
Wired Equivalent Privacy (WEP)
An IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information. WEP has significant vulnerabilities and is not considered secure.
block algorithm
An algorithm that operates on a predefined size of a group of bits, known as a block. (16, 64, 128 bits)
streaming algorithms
An algorithm that operates on individual bits, one bit at a time. Tends to work much faster than block algorithms.
Elliptic Curve Cryptography (ECC)
An asymmetric method of cryptography based upon problems involving the algebraic structure of elliptic curves over finite fields. ECC has many uses, including variations that apply both to encryption and digital signatures. (mobile devices)
dictionary attack
Attempt to break a password by trying all possible words compared to the program's dictionary file.
Online Certificate Status Protocol (OCSP)
Automated method of maintaining revoked certificates within a PKI.
ElGamal
Based partially on Diffie-Hellman, can be used for both general encryption and digital signature. The algorithm is comprised of 3 parts: the key generator, the encryption algorithm, and the decryption algorithm. This was made publicly available. (US Government's Digital Signature Algorithm is based on this.)
session key
Created and used for a single communication session, cannot be reused. New key is generated every time communication is made.
What are the symmetric key cryptosystems?
DES, 3DES, AES, Blowfish, Twofish, RC4
An offline attack is done against what type of data?
Data-at-Rest
An online attack is executed against what type of data?
Data-in-transit
Data Encryption Standard (DES) five different cipher modes
ECB, CBC, CFB, OFB, CTR
Symmetric Cryptography
Encryption that uses a single key to encrypt and decrypt a message.
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
Ephemeral key exchange that skips pseudo-random number generation and instead uses ephemeral keys calculated using elliptic curve cryptography. Group 19: 25 bit elliptic curve; Group 20: 384 bit elliptic curve; Group 21: 521 bit elliptic curve.
Out-of-band key exchange
Involves the use of a separate, independent channel, such as snail mail, USB stick, or even a different network connection, to send the key to the authorized users.
Four types of Hashing Algorithms
MD5, SHA, RIPEMD, HMAC
hierarchical trust model
Multiple CAs deployed throughout a single organization. CAs are subordinate to a single root CA within the organization.
web-of-trust model
Not typically used in a PKI. You'll most often see this type of model used in smaller groups or organizations, typically in those that allow individual users to generate their own public and private key pairs.
cross-trust model
Often found between two different organizations. In this trust model, organizations typically have their own certificate authorities and issuing servers, and they must trust each other's certificates so that their personnel can authenticate to access resources in each other's security domains.
Data Encryption Standard (DES)
Older encryption standard that used a 56-bit key and a 64-bit block size using a symmetric block algorithm; based upon the Lucifer algorithm.
Cipher Block Chaining (CBC)
Produces much stronger encryption by XORing (repeating) the previous block to the next block inside itself.
What are the Asymmetric Key Cryptosystems?
RSA, Diffie-Hellman, PGP/GPG, ECC, ElGamal
Vigenere Cipher
Rotates the Caesar cipher offset used to encrypt each new letter in a text utilizing ROT0-25 in a table.
Cipher Feedback (CFB)
Similar to CBC, except the plaintext is XORed into the IV after each round.
Kerckhoff's Principle
States that the algorithm should not be the secret part of the cryptographic process or method used; the key should be kept secret, not the algorithm.
root CA server
The certificate server at the top of the hierarchy of servers in a large company that manages certificate needs.
Certificate Authority (CA)
The entity that issues and controls the digital certificates.
key generation
The process of creating a public and private key pair, which is then issued to an individual, based upon his or her confirmed identity.
key exchange
The process used to exchange keys between users who send a message and those who receive it.
brute force attack
The simplest and least-efficient type of attack, attempts to derive a password or key by inspecting either ciphertext or a hash and then trying every possible combination of key or hash until it can decrypt the plaintext or generate a match.
Hybrid Cryptography
Using both symmetric and asymmetric cryptography together in order to make up for each type's disadvantages and leverage each type's advantages.
Spoofing
When someone pretends to be someone else with the intent of obtaining unauthorized data.
WPA-PSK
Wi-Fi Protected Access Pre-Shared Key
Recovery Agent
a designated person or entity who has the authority to recover lost keys or data in the event the person holding the keys is not available.
digital signature
a hash value encrypted with the private key and that accompanies the public key
RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
a hashing algorithm not often seen in practical implementation, developed in an open-standard type of environment, as opposed to SHA.
Floating Point Operation Per Second (FLOPS)
a measure of computer performance, useful in fields of scientific calculations that make heavy use of floating-point calculations.
Hybrid Attack
a password attack that is a combination of dictionary and brute force attacks which adds numbers and special characters to a dictionary word in an attempt to crack a password
Non-repudiation
a person cannot deny that they took a specific action.
Counter (CTR)
a random 64 bit block as the first IV, then increments a specified number or counter for every subsequent block of plaintext.
code
a representation of an entire phrase or sentence
River Cipher 4 (RC4)
a streaming (wireless) symmetric algorithm that uses only one round of encryption, with key sizes of 40-2048 bits in length.
Diffie-Hellman key exchange
an asymmetric standard for exchanging keys. Primarily used to send private keys over public networks.
digital certificate
an electronic file specifically formatted using industry standards that contains identifying information. Stores a public key with a digital signature, personal information about the resource, and a second digital signature from a third party you both trust.
Key
an indicated number to shift the variable of the algorithm for the final cryptosystem
Initialization Vector (IV)
arbitrary number
Blowfish
block cipher that accepts 64-bit blocks and has a wide range of variable key lengths, from 32 bits to 448 bits; performs 16 rounds of encryption.
Transposition Cipher
changes the order of characters in a message using some predetermined method that both the sender and recipient know.
Public Key Infrastructure (PKI)
combine symmetric and asymmetric key cryptographic methods with hashing to create robust and secure systems.
Decryption
converting ciphertext back to plaintext
data in-transit
data currently in transport (being transmitted or received from one person or host to another)
Data in process
data currently in use by a computing device, and not at rest or in transit. (RAM, CPU, Operating System and Applications)
Data at rest
data that resides in storage (not currently accessed, transmitted or received, nor used by the computer)
modes
defined methods that determine how a plaintext block is input and changed to produce ciphertext.
Application-Specific Integrated Circuit (ASIC)
device that works hundreds or even thousands of times faster than a CPU. (Bitcoin Miner)
confusion
every character in a key is used to make the ciphertext more random looking.
key escrow
grant knowledge or copies of keys to a third party.
Message Authentication Code (MAC)
hash value used to ensure both integrity and authenticity of a message
Hashing
helps verify that data came from a specific source and that the data did not change from what was sent. Cannot be decrypted or reversed, just compared.
shifts
in binary moving the ciphertext left or right by four digits
2 methods of key exchange
in-band and out-of-band
Cryptovariable
key that defines how many letters to shift
3DES (Triple DES)
like the DES encryption process, except it uses three 56-bit keys and repeats it three times, once for each key. (like having a 168-bit key)
Algorithm
mathematical constructs that define how to transform plaintext into ciphertext, as well as how to reverse that process during decryption.
plaintext
normal text that has not been encrypted
Hydra
online dictionary attack password cracker
Electronic Code Book (ECB)
plaintext blocks of 64 bits are manipulated to produce ciphertext. Predictable in that identical plaintext will always produce the same ciphertext.
Ciphertext
plaintext that was transformed into unreadable gibberish using encryption
Message Digest 5 (MD5)
produces a 128-bit message digest, consisting of 32 hexadecimal characters, regardless of the length of the input text.
Rounds
repeating the shift iteration multiple times, making it harder to encrypt/decrypt.
cipher
represents text on a character-by-character basis
ROT13 cipher/shift cipher
rotates every letter 13 places in the alphabet
eXclusive function (XOR)
the most commonly used binary math function used in cryptography by comparing two bits to determine difference. (0's=false, 1's=true)
Encryption
the process of converting plaintext information into ciphertext information.
Cryptography
the science of encrypting and decrypting communications to make them unintelligible for all but the intended recipient
Cryptanalysis
the study of breaking encryption, the opposite of cryptography.
reversible process
to reverse the process to return the data from an encrypted to an unencrypted state.
password cracker or password recovery tool
tool used to read a ciphertext or hash and try to extract the plaintext key or password. Examples are: Linux attackers use Jack the Ripper or Hashcat; Windows attackers use Cain & Abel.
collision
two different pieces of plaintext produce the same hash. Should never happen.
Cryptosystem
use algorithms and keys as basic components to stir up the binary data, and also implement them in ways that enable the encryption/decryption to be faster, more efficient, or stronger. (a four bit key, XOR, four digit left shift of the ciphertext, the XOR/left shift iteration repeated in five rounds.)
HMAC (Hash-Based Message Authentication Code)
used in conjunction with a symmetric key both to authenticate and verify the integrity of the message, uses either MD5 or SHA.
RSA
used to create and use a public-private key pair, factored mathematically from two very large numbers. Uses one round of encryption and ranges from 1024 to 4096 bits.
Asymmetric Key Cryptography
uses a "key pair" (two separate keys) for secure communication.
public key cryptography
uses two mathematically related keys in a pair, a public key and a private key. What one key encrypts, only the other key in the pair may decrypt, and vice versa.
In-band key exchange
using the same communications channel you are using to send the message to send the key.
Registration Authority (RA)
verifies user identities and then passes the information on to the actual CA for certificate generation.