CompTIA Security+ (SY0-601): Cryptography
Brute-force attacks try
Character combinations
Which term describes the result of plaintext that has been fed into an encryption algorithm along with an encryption key? Hash Ciphertext Message digest Digital signature
Correct Answer: Ciphertext results from feeding plaintext and an encryption key into an encryption algorithm. Incorrect Answers: A hash is a unique representation of data that was fed into a one-way hashing algorithm; no key is used. "Message digest" is synonymous with hash. A digital signature is created with a sender's private key and verified by the recipient with the related public key; it assures the recipient of message authenticity and that the message has not been tampered with.
You are ordering laptops for sales executives that travel for work. The laptops will run the Windows 10 Enterprise operating system. You need to ensure that protection of data at rest is enabled for internal laptop disks. The encryption must be tied to the specific laptop. What should you do? Order laptops with HSM chips and configure BitLocker disk encryption. Order laptops with HSM chips and configure EFS encryption. Order laptops with TPM chips and configure EFS encryption. Order laptops with TPM chips and configure BitLocker disk encryption.
Correct Answer: Order laptops with TPM chips and configure BitLocker disk encryption. A Trusted Platform Module (TPM) chip in a computer is used to secure the integrity of the machine boot process and to store disk volume encryption keys. Incorrect Answers: A Hardware Security Module (HSM) is not a chip installed within a computer; it is a tamper-resistant device used for cryptographic operations and the storage of encryption keys. Encrypting File System (EFS) file encryption is tied to the user account, not tied to the machine.
You are verifying a digital signature. Which key will be used? Sender public key Your public key Sender private key Your private key
Correct Answer: Sender public key. Verifying digital signatures is done using the sender's public key (the sender's private key creates the digital signature). Incorrect Answers: The listed keys are not used to verify a digital signature.
Public Key Infrastructure (PKI)
Uses a hierarchy structure with certificate authorities CAs and immediate CAs (Certificate Authority)
asymmetric encryption
Uses a key pair -public key (only used to encrypt) -Private key (only used to decrypt)
Web of Trust (WoT)
Uses a network of mutually trusting peers
Digital certificates come in many different forms including
Web (Which includes DV, EV, Wildcard, and SAN), Email, code signing, machine/computer, and user.
AES is
a U.S. government encryption standard supported by NIST
Feistel function
a function that takes two inputs, a data block, and a subkey, and returns one output the same size as the data block.
Classic cryptography components
1 Algorithm 2 Key for encryption
Short key
56 bits
Blowfish
64-bit Block size 16 rounds Key size: 32-448 bit
Triple DES (3DES)
A more-secure variant of DES that repeatedly encodes the message using three separate DES keys.
Streaming Ciphers
A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream. In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream
Data Encryption Standard (DES)
A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.
Advanced Encryption Standard (AES)
A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES.
Ephemeral key
A temporary key that is used only once before it is discarded. -Provides perfect forward secrecy
After several data breaches involving stolen laptops and stolen removable media, you are asked to implement a solution to mitigate the issue. The solution must protect data at rest with a minimum of user inconvenience. What solution best addresses the scenario?
A. Encrypting File system (EFS) B. Hardware Security Module (HSM) C. Trusted Platform Module (TPM) D. Self-Encrypting Drive (SED) *
Which type of encryption uses a single key for encryption and decryption? Asymmetric RSA Symmetric SHA256
Correct Answer: Symmetric encrypting uses a single "secret" key for encrypting and decrypting. Incorrect Answers: Asymmetric keys (public and private keys) are used for security in the form of encryption, digital signatures and so on; the recipient public key is used to encrypt and the related private key is used to decrypt. RSA is a public and private key pair cryptosystem. SHA256 is a hashing algorithm.
Symmetric Key Algorithm
Any encryption method that uses the same key for both encryption and decryption. Same key is used
Kerckhoff's Principle
As long as you don't know what the key is to an encryption you can actually understand the completely
Cryptographic attacks can be put into three main categories
Attack the algorithm, implementation, or key.
AES
Block Cipher 128-bit Block size Key Size: 128, 192, or 256-bits Rounds 10, 12, or 14
DES =
Block Cipher 64-bit Block size 16 rounds Key size: 56 bit
3DES
Block Cipher 64-bit Block size 16 rounds Key size: 56-bit x 3 168 bit key
Expired certificates are included in a certificate authority's published list called a certificate revocation list
CRL
The Vigenere cipher employs the
Caesar cipher as one element of the encryption process
P12 files include the
Certificate, chain certificates, chain certificates, and the private key.
Your company has numerous public-facing Web sites that use the same DNS domain suffix. You need to use PKI to secure each Web site. Which solution involves the least amount of administrative effort? Generate self-signed certificates for each Web site Acquire public certificates for each Web site Acquire a wildcard certificate Acquire an extended validation certificate
Correct Answer: Wildcard certificates allow a single certificate tied a DNS domain to be used by hosts within subdomains. Incorrect Answers: Using self-signed or public certificates for each Web site requires more effort than using a wildcard certificate. Extended validation certificates require the certificate issuer to perform extra due diligence in ensuring that the certificate request is legitimate.
Which block cipher mode uses the ciphertext from the previous block to be fed into the algorithm to encrypt the next block? CFB ECB CBC OFB
Correct Answer: With Cipher Feedback Mode (CFB), each previous block ciphertext is encrypted and fed into the algorithm to encrypt the next block. Incorrect Answers: Electronic Code Book (ECB), given the same plaintext, always results in the same ciphertext and is thus considered insecure. Cipher Block Chaining (CBC) is similar to ECB except that it used a random Initialization Vector (IV). Output Feedback Mode (OFB) uses a keystream of bits to encrypt data blocks.
You are decrypting a message sent over the network. Which key will be used for decryption? Your public key Sender public key Your private key Sender private key
Correct Answer: Your private key. Recipient private keys decrypt network messages (the recipient's related public key encrypts network messages). Incorrect Answers: The listed keys are not used for decryption.
Encryption/decryption
Cryptography or secure writing ensures that information is transformed into unintelligible forms before transmission and intelligible forms when it arrives at its destination to protect the informational content of messages.
Data in transit
Data that is in transit across a network, such as an email sent across the Internet.
Data at rest
Data that is stored on electronic media.
certificate authorities (CA) or Registration authorities (RA)
Identify and authenticate individuals registering for certificate; the middle entities are called intermediate CAs, the entity at the top of the hierarchy is called the root CA
Confusion
Make a mess out of something to cause confusion
Diffusion
Making something harder to see
Substitution
Making the normal wording something different to decode
Passwords are usually stored in hash format
Making them difficult to crack
Salting and key stretching adds another layer of
Obfuscation, making passwords even harder to crack than just hashing
A self-signed Certificate is
One that is authorized by the same entity who registers for the digital certificate (These should not be trusted outside an internal network)
Rainbow tables use
Pre-calculated hashes of passwords
Digital certificates store a
Public key with a digital signature, personal information about the resources, and a second digital signature from a trusted third party
ROT2
Rotate 2 times
ROT3
Rotate 3 times
Which technique is used to enhance the security of password hashes? Password length Key pinning Multifactor authentication Salting
Salting
Data in process
The state of data while it is being used.
Attacking the key means
Somehow figuring out the key in order to break in.
RC4
Streaming Cipher 1 bit at a time 1 Round Key Size: 40-2048 bits
block
Takes off a chunk of data and then encrypts it
Attacking the implementation means
Taking advantage of weakness in how the connection is made
P7B files include
The certificate and chain certificates, no private key
Vigenere Cipher
a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword.
RC4 (Rivest Cipher4) is
a stream cipher
Cryptosystem
a system for encryption and decryption
Ceaser Cipher
a technique for encryption that shifts the alphabet by some number of characters
Session key
a unique symmetric encryption key chosen for a single secure session
Attacking the algorithm is nearly impossible for most up-to-date standards, as crackable
algorithms are usually taken out of production
Cryptanalysis
breaking secret codes
Cryptosystems define key properties
communication, requirements for the key exchange and the actions taken through the encryption and decryption process
Ephemeral keys provide perfect
forward secrecy due to the temporary nature of the key
Public key Cryptography Standards(PKCS)
gives details on digital certificate construction and use
The Caesar cipher is
one of the earliest known and simplest ciphers
Dictionary attacks use lists of probable
passwords
Cryptography is the
practice of disguising information in a way taht looks random
asymmetric encryption is used to
send a secure session key
Asymmetric encryption is
slow, but very useful in exchanging session keys
Initial permutation
stirring of the data
blow fish
symmetric cipher
Obfuscation
the action of making something obscure, unclear, or unintelligible
Cryptography
the art of protecting information by transforming it into an unreadable format, called cipher text
Final permutation
the inverse of the initial permutation) finishes off the ... via an XOR, sent through 8 S-boxes producing 32 new bits, and permuted again
Symmetric encryption is
the primary way we encrypt data
Algorithms
very specific, step-by-step procedures for solving certain types of problems