Cryptography and PKI (Security+ 501)
MD5 - Message Digest 5
128-bit hash based on variable-length plaintext. A hashing algorithm that produces a 128-bit digest. A hashing algorithm that transforms a string of characters into a fixed-length value or key, known as a hash value. Hashes ensure the integrity of data or messages. Considered weak and is not recommended.
XTACACS - Extended Terminal Access Controller Access-Control System
A Cisco proprietary authentication protocol that replaced TACACS and was used to securely access Cisco devices
SHA-1
A hashing algorithm that produces a 160-bit digest
CRL (Certificate Revocation List)
A list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should not be trusted
Nonrepudiation
A method of guaranteeing a message transmission between parties by a digital signature
WPS (Wi-Fi Protected Setup)
A network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Users enter a PIN to allow the device to connect after pressing the WPS button on the SOHO router.
key stretching
A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest. Increases the strength of stored passwords. Protects passwords from brute-force attacks and rainbow table attacks. Length of the key that is being used to encrypt the data. According to NIST guidance, the use of keys that provide less than 112 bits of security strength for key agreement is disallowed.
key escrow
A process in which keys are managed by a third party, such as a trusted CA. The stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state
Kerberos
A protocol for authenticating service requests between trusted hosts across an untrusted network such as the internet
Xmas Attack
A specifically crafted TCP packet that turns on flags to scan the system and determine what operating system it's using. An advanced attack that tries to get around detection and sends a packet with every single option enabled.
NAC (Network Access Control)
A term that refers to collected protocols, policies, and hardware that govern access on devices to and from a network. Increases the security of a proprietary network by restricting access to devices that do not comply with a defined security policy
wildcard certificate
Allows the company to secure an unlimited number of subdomain certificates on a domain name from a third party
ECC (Elliptic Curve Cryptography)
An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods. Has the same level of strength as asymmetric algorithms with longer key lengths. Based on EC theory, which uses points on a curve to define more efficient public and private keys.
WPA2-Enterprise
An authentication scheme for Wi-Fi networks that combines WPA2 with RADIUS. Uses an authentication server such as a RADIUS server to control access to a WLAN
CHAP
Authenticates by using PPP servers to validate the identity of remote clients. It supports password-based authentication.
IEEE 802.1x is commonly used on wireless networks.
Authentication protocols that transfer authentication data between two devices
Supplicant
Authenticator: AP or wireless controller. Sends authentication messages between the supplicant and authentication server.
TACACS+ (Terminal Access Control Access Control System+)
Cisco proprietary authentication protocol that replaced TACACS and was used to securely access Cisco devices
RADIUS
Client-server protocol that enables remote access servers to communicate with a central server to authenticate users. Uses symmetric encryption for security.
TLS (Transport Layer Security)
Creates a secure connection by using symmetric cryptography based on a shared secret
Symmetric Algorithms
DES, 3DES, Blowfish, IDEA, RC4-RC6, AES, and Twofish. Secret key algorithm: uses the same key. Each pair of users who are exchanging data must have two instances of the same key. Calculating symmetric keys: N(N-1)/2 = number of keys.
Transposition scrambles
Data by reordering the plain text in some certain way
Ping of death
Denial-of-service attack in which a threat actor sends a larger IP packet than allowed by the IP protocol. The IP packet is broken down into smaller segments, which would cause the system to crash.
EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security)
Determines how user authentication will perform during phase 2. The user authentication may be a legacy protocol such as PAP, CHAP, MS-CHAP, or MS-CHAPv2.
DHE
Diffie-Hellman Ephemeral
WPA2-Personal
Does not use an authentication server. Uses a passphrase that is entered into the SOHO router.
One-time pad
Encryption method. Uses a pad with random values that are XORed against the message to produce ciphertext. The pad is at least as long as the message itself, and it is used once and then discarded. If the pad is not as long as the message, it will need to be reused to be the same length as the message. The one-time pad must be delivered by a secure method and properly guarded at each destination. The pad must be used one time only to avoid introducing patterns, and it must be made up of truly random values. Today's computer systems have pseudorandom-number generators, which are seeded by an initial value from some component within the computer system.
PKI (Public Key Infrastructure)
Entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. OCSP is part of the PKI.
GPG
GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.
self-signed certificate
Generates errors within the client's web browser and should not be used as a replacement, since the self-signed certificate is not from a trusted certificate authority
SHA, MD5
Hashing algorithms. Used for integrity.
OIDs (Object Identifiers)
Identify an object or entity. Used in X.509 certificates to name almost every object type.
authenticator
In Kerberos authentication, the user's time stamp encrypted with the session key. The authenticator is used to help the service verify that a user's ticket is valid.
PBKDF2 (Password-Based Key Derivation Function 2)
Key stretching algorithm. Applies a pseudo-random function such as HMAC to the password along with a salt value and produces a derived key. Designed to protect against brute-force attacks. Bcrypt is a password-hashing function derived from the Blowfish cipher. It adds a salt value to protect against rainbow table attacks. A key stretching technique that adds additional bits to a password as a salt. This method helps prevent brute force and rainbow table attacks. Bcrypt is a similar key stretching technique.
MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)
Microsoft's version of CHAP, used as an authentication option with RADIUS. It supports password-based authentication.
AES (Advanced Encryption Standard)
Newer and stronger encryption standard, capable of using 128-bit, 192-bit and 256-bit keys. Symmetric algorithm that encrypts data. An encryption standard used by WPA2 and currently the strongest encryption standard used by Wi-Fi.
WiFi Alliance
Non-profit organisation that promotes WiFi technology. Recommends a passphrase be at least 8 characters long and include a mixture of upper and lowercase letters and symbols.
Hashing
One-way encryption that transforms cleartext into a coded form that is never decrypted. One-way encryption that transforms a string of characters into a fixed-length value or key, known as a hash value. Hashes ensure the integrity of data or messages.
Steganography
Process of hiding data within data. The technique can be applied to images, video files or audio files.
Website Certificate
Provided by a certification authority to ensure an online organisation is legitimate. If the certificate has expired, the user can continue accessing the website, but the error will state that the user could be accessing an untrusted site. If the domain has expired, users would receive a page stating that the website domain is unavailable.
PFS pretty good privacy
Provides a low-cost or open source alternative solution that allows users to encrypt their outgoing emails
Asymmetric Algorithms
Public key cryptography uses public and private keys to encrypt and decrypt data. Every user must have at least one pair of keys (private and public). The formula to determine the number of keys needed is N x 2. Different keys for encryption and decryption; two keys, private and public. Encrypt with private, unencrypt with private; or encrypt with public, decrypt with private. Use of private ensures non-repudiation; without confidentiality, it becomes the digital signature.
authentication server
RADIUS server. Responsible for authenticating users wanting to connect to the network.
RC4 (Rivest Cipher 4)
RC4 (Rivest Cipher 4) is a stream cipher designed by Ron Rivest. It is used in many applications including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and so on. RC4 is fast and simple. However, it has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, nonrandom or related keys are used, or a single keystream is used twice. Some ways of using RC4 can lead to very insecure cryptosystems such as WEP. Uses key sizes of 40 to 2048 bits.
EAP-TLS (EAP-Transport Layer Security)
Remote access authentication protocol that supports the use of smartcards. Creates a TLS tunnel to protect the supplicant credentials but doesn't support legacy authentication protocols. Requires both client and server to have certificates. The authentication is mutual: the server authenticates to the client and the client authenticates to the server.
ROT13
Replaces a letter with the 13th letter after it in the alphabet. Substitution cipher.
WEP (Wired Equivalent Privacy)
Security standard for 802.11b, designed to provide a level of security for a WLAN. Uses the encryption protocol RC4, considered insecure. Does not use an authentication server. Users enter a passphrase to connect to the SOHO router.
Blowfish
Symmetric algorithm that uses the same key to encrypt and decrypt data. A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.
Twofish
Symmetric block cipher that replaced Blowfish
3DES
Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES. Symmetric-key block cipher using a 64-bit block size.
Stream Cipher
Uses a keystream generator and encrypts a message one bit at a time; usually implemented in hardware. Example: RC4.
RA (Registration Authority)
Used to verify requests for certificates. Forwards responses to the CA. An authority in a PKI that processes requests for digital certificates from users.
TKIP (Temporal Key Integrity Protocol)
Wrapper that wraps around existing WEP encryption. Used in WPA. Replaced WEP in WLAN devices.
Diffusion
a change in the plain text resulting in multiple changes that are spread out throughout the ciphertext
IPSec (Internet Protocol Security)
a framework of open standards that ensures communications are private and secure over IP networks
Encryption
a process of encoding messages to keep them secret, so only "authorized" parties can read them.
802.1x
A threat actor can spoof a device's MAC address and bypass 802.1x authentication. Using 802.1x with client certificates or tunnelled authentication can help prevent this attack. A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
Recovery agent
a user who is permitted to decrypt another user's data in case of emergency or in special situations
File backup
allows the data to be available in case the original files are deleted or become corrupted
ARP poisoning
attack where a threat actor sends spoofed ARP messages over a LAN. Attacker poisons the ARP cache of devices with MAC address of attacker's NIC. Usually targets a host's DFG.
EAP
authentication protocols that transfer authentication data between two devices
MTTR (mean time to repair)
average time it takes for a failed device or component to be repaired or replaced
strong password
complex password of 16 or more ASCII characters
EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
Creates a TLS tunnel to protect the supplicant credentials but doesn't support legacy authentication protocols. For situations where a strong password policy can't be enforced and certificates are not used. Consists of three phases: EAP-FAST authentication, establishment of a secure tunnel and client authentication.
Full Disk Encryption (FDE)
Data-at-rest. Will help protect the inactive data should the storage device be stolen; the thief would not be able to read the data. A technology that encrypts everything stored on a storage medium automatically, without any user interaction.
Implementing a host based IPS
Designed to prevent an attack on the network. Does not protect the data-at-rest if the storage device is stolen.
Open wireless network
does not require a user to enter credentials for access
Block Cipher
Encrypts data one block, or fixed block, at a time. A cryptographic service provider, a cryptographic module, performs block and stream cryptography algorithms.
confusion
encryption method that uses a relationship between the plain text and the key that is so complicated the plain text can't be altered and the key can't be determined by a threat actor
CA
in the certification hierarchy, the root CA certifies the intermediate CA and can issue certificates to users, computers or services
MTBF (Mean Time Between Failures)
measurement to show how reliable a hardware component is
revoked certificate
No longer valid for the intended purpose. A new key pair and certificate will need to be generated. Certificate cannot be renewed after its expiration date.
collision
occurs when a hashing algorithm creates the same hash from two different messages
Shredding
process of reducing the size of objects so the information is no longer usable; burning, pulping, and pulverizing
ALE (Annual Loss Expectancy)
product of ARO x SLE
digital signature
Provides 3 core benefits: authentication, integrity and non-repudiation. A one-way hash, encrypted with the private key. The public key is used to decrypt the hash and validate the integrity of the digital signature created with the private key. A means of electronically signing a document with data that cannot be forged.
IV (Initialization Vector)
Random values used with algorithms to ensure patterns are not created during the encryption process. Used with the keys and are not encrypted when being sent to the destination. Arbitrary number that is used with a secret key for data encryption. An IV makes it more difficult for hackers to break a cipher.
CSR (Certificate Signing Request)
Request an applicant sends to a CA for the purpose of applying for a digital identity certificate. A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate.
WPA (Wi-Fi Protected Access) or WPA2
Security standards for more advanced encryption techniques. Security standard that replaced and improved on WEP. Security standard that secures computers connected to a WiFi network.
Intermediate certificate authority
Sits between the root certificate authority and the end entity to better secure the root certificate authority. Helps a large organisation handle large requests for certifications.
RPO (Recovery Point Objective)
specifies the allowable data loss
DES (Data Encryption Standard)
Symmetric-key block cipher using a 64-bit block size and a 56-bit key. Superseded by 3DES. Considered to be insecure for many applications. Symmetric encryption standard that uses a key length of 56 bits.
Implementing
the effort to direct and lead people to accomplish the planned work of the organization
OCSP (Online Certificate Status Protocol)
Protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates by returning responses such as 'good', 'revoked', 'unknown'.
RSA (Rivest, Shamir, Adleman)
Uses a longer key length than ECC. Asymmetric algorithm. Should be discontinued. Known as public key cryptography that uses a public and private key to encrypt and decrypt data during transmission.
SSL (Secure Sockets Layer)
Uses public key encryption. When a client accesses a secured website, it will generate a session key and encrypt it with the server's public key. The session key is used to encrypt and decrypt data sent back and forth.
implementing biometrics
Will control who enters the location. An unauthorised user can tailgate and obtain the storage device and read the data-at-rest.