cryptography chapter 10
Digital signatures
Provides integrity, verifies that the original sender is actually the one who sent it. This can be done through asymmetric encryption, where there is a hash message then they will encrypt the hash using their private key, creating a digital signature that can only originate from them. To verify, the signature is decrypted with the public key, and the message is then hashed. If the two hashes match, then the digital signature is valid
Symmetric algorithms
A shared secret key used by the sender and receiver to encrypt and decrypt. The Same key is used for both.
Symmetric algorithms - AES, DES, 3DES, RC4
AES (Advanced Encryption Standard): Symmetric, block cipher with 128-bit blocks, key sizes of 128-bit, 192-bit and 256-bit. It utilizes the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. It is also the encryption standard used today with WPA2. DES (Data Encryption Standard): Symmetric, was common until replaced by AES, the block cipher is 64-bit and the key is 56-bit (very small), this means it can easily be brute forced. 3DES: Symmetric, very secure and upgrade over DES with three separate keys and three passes over data. Not used in modern day either. RC4: Symmetric, part of the original WEP standard with SSL, removed from TLS, key sizes of 40-bit to 2048-bit. Deprecated from biased output.
Blowfish/Twofish
Blowfish: Symmetric, fast and has variable key-lengths from 1-bit to 448-bits, uses 64-bit block cipher. Not limited by patents. Twofish: Symmetric, uses a very complex key structure up to 256-bits but still similar to predecessor, works using 128-bit blocks. Again, not limited by patents.
CA, Intermediate CA, CRL, OSCP, CSR, Private key/public key
CA (Certificate Authority): A trusted third-party agency that is responsible for issuing digital certificates. Intermediate CA (Intermediate Certificate Authority): An entity that processes the CSR and verifies the authenticity of the user on behalf of a CA. CRL (Certificate Revocation List): A list of certificates that are: no longer valid, expired, or that have been revoked by the issuer. OCSP (Online Certificate Status Protocol): A request and response protocol that obtains the serial number of the certificate that is being validated and reviews revocation lists for the client. CSR (Certificate Signing Request): A user request for a digital certificate Public key: A key that is provided by the sender, used by anyone to encrypt with asymmetric. Private key: Key used to decrypt a message, only used by the person opening the message.
Cipher modes -CBC, GCM, ECB, CTR
CBC (Cipher Block Chaining): Symmetric, uses IV for randomization. Encryption that is dependent on the block before it. Slow. GCM (Galois Counter Mode): Used by many. Provides data authenticity/integrity, hashes as well. Widely used. ECB (Electronic Code Book): Mode of operation, simplest cipher mode, not recommended. CTR (Counter Mode): Converts block into stream, uses IV. Widely used. Stream vs. block:
Certificate Formats - DER, PEM, PFX, CER, P12, PKS12, RFC
DER (Distinguished Encoding Rules): Are common and designed for X.509 certificates, they are used to extend binary encoded certificates. Cannot be edited by a plain text editor. Used with java commonly . PEM (Privacy Enhanced Mail): Most common format in which certificates are issued. Multiple certificates and the private key can be included in one file. The file is encoded ASCII. PEM file extensions include .pem, .crt, .cer, and .key. Apache servers typically use PEM-format files. PFX: A precursor to P12, has the same usage. Administrators often use this to format on Windows to import and export certificates. CER (Certificate File): May be encoded as binary DER or as ASCII PEM. P12: Is a PFX extension used in windows PKS 12 (Public Key Cryptography Standards #12): Is part of the RFC standard. Stores many types of certificates and can be password protected. RFC (Remote Function Call): A formal document describes the specifications for a particular technology, was drafted by the Internet Engineering Task Force.
Data-in-transit, at rest, in use
Data-in-transit: Data being transmitted over a network. Should be encrypted using TLS and IPSec. Data-at-rest: Data in a storage device. Data-in-use: Data being ran through RAM or CPU, is almost always decrypted to make it easier to use.
Authentication protocols - EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, RADIUS FEDERATION
EAP (Extensible Authentication Protocol): Is an authentication framework that provides general guidance for authentication methods. PEAP (Protected Extensible Authentication Protocol): An extension of EAP that is sometimes used with 802.1x, a certificate is required on the 802.1x server. EAP-FAST (EAP Flexible Authentication with Secure Tunneling): A Cisco-designed replacement for Lightweight EAP, supports certificates but are not required. EAP-TLS (EAP Transport Layer Security): This is one of the most secure EAP standards and is widely implemented on many networks. It uses PKI, so certificates are required on the 802.1x server and on the clients. EAP-TTLS (EAP Tunneled Transport Layer Security): Allows for systems to use older authentication methods such as PAP within a TLS tunnel. Certificate is required on the 802.1x server but not on the clients. IEEE 802.1x: An authentication protocol used in VPNs, wired and wireless networks. In VPNs it is used as a RADIUS server, wired use it as a port-based authentication, and wireless use it in Enterprise mode. Can be used with certificate-based authentication. RADIUS Federation: Members of one organization can authenticate to the network of another network using their normal credentials.
Elliptic curve (ECC)
Great for low powered machines. Uses curves for encryption instead of large prime numbers. commonly used with small wireless devices
Hashing algorithms - MD5, SHA, HMAC, RIPEMD
MD5 (Message-Digest Algorithm v5): Hashing algorithm, 128-bit hash with strong security, collision was found in 1996 so it is not used as much nowadays. SHA (Secure Hash Algorithm): Hashing algorithm, one-way 160-bit hash value with encryption protocol. Standard hash algorithm today, went from SHA-1 (160-bit digest, deprecated) to SHA-2 (512-bit digest, still used). HMAC (Hash-Based Message Authentication Code): Hashing algorithm that combines itself with a symmetric key. Provides data integrity as well as authenticity, but is faster than asymmetric encryption. RIPEMD (RACE Integrity Primitives Evaluation Message Digest): Hashing algorithm that is based on MD4, collisions were found so it now exists in versions of 160-bits, 256-bits, and 320-bits.
Asymmetric algorithms
RSA (Rivest, Shamir, Adleman): First practical use of public key cryptography, uses large prime numbers as the basis for encryption. DSA (Digital Signature Algorithm): Standard for digital signatures and modifies Diffie-Hellman, follows usage of elliptic curves to create ECDSA. Diffie-Hellman: An asymmetric standard for exchanging keys. Primarily used to send private keys over public (unsecured) networks Elliptic curve cryptography (ECC): Asymmetric, uses smaller key sizes and curve algorithms to secure data, useful in portable devices bc it uses less CPU power. PGP (Pretty Good Privacy): Asymmetric, used by many for emails and is used by IDEA algorithm. GPG (GNU Privacy Guard): A free, open-source version of PGP that provides equivalent encryption and authentication services.
Salt, IV, nonce
Salt: The adding of input to random data to function to make it more complicated. A small piece of data added to the end of a password when creating a hash IV (Initialization Vector): A random value used with an encryption key. Nonce: One-time use random value used for authentication.
Asymmetric algorithms
There is a shared public key and a private secret key. Public key encrypts and the private key decrypts, private key to sign and public key verify.
Wireless Cryptographic protocols- WPA, WPA2, CCMP, TKIP
WPA (Wi-Fi Protected Access): Uses RC4 with TKIP. Was replaced by WPA2. WPA2 (Wi-Fi Protected Access v2): Uses CCMP for encryption. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): Is based on 128-bit AES is more secure than TKIP. Was advanced for its time. TKIP (Temporal Key Integrity Protocol): Protocol that mixes a root key with an initialization vector, a new key for each packet.
Certificate Concepts - Online CA, Stapling, Pinning, Trust Model, Key Escrow, Chaining
_____ CA: Is directly connected to a network, most common. Offline isn't, its used for root certificates. ______ : Combining related items in order to reduce communication steps. The device that holds the certificate will also be the one to provide status of any revocation. _______ : The application has hard-coded the server's certificate into the application itself. ________: A complex structure of: systems, personnel, applications, protocols, technologies, and policies working together to provide protection. ______: Private keys are kept by the users and a 3rd party as back-ups. ______: Certificates are handled by a chain of trust, the trust anchor for the digital cert is the root CA.
difference between confidentiality and integrity
_____ provides assurances that data has not been modified and Hashing ensures that data retains integrity and is used for data like downloaded files and emails. ______ ensures that data is only viewable by authorized users. Encryption protects confidentiality of data, including data-at-rest or data-in-transit.
Types of certificates - Wildcard, SAN. code Signing, Self-signed, machine/computer, email, user, root, domain validation, extended validation.
______ A Certificate that can be used with multiple subdomains of a given domain, by covering the all subordinate certificates to the root. ______ The certificate has several uses, allows a certificate to be valid for multiple domains using multiple names. ______ Digitally signs written application code and makes sure that it adheres to policy restriction and usage. ______ The root CA creates its own certificate. ______ Certificates that are assigned to a specific machine. ______ Secures emails, is used by S/MIME. ______ Often for authentication or to access resources. _____ Used for root authorities, they usually are self-signed. ________ Provides a secure communication with a specific domain and provides TLS, this is the most common form of certificate. _______ Are more secure because they require more validation from the certification holder.
Diffusion, confusion, collision, obfuscation, key strength, session keys, ephemeral key
_______ is Changing one character causes the plaintext to drastically change the outputted cipher. _______ is The cipher doesn't look anything like the plain text. _______: Two completely different pieces of data have the exact same hash. ________: Taking something and making it difficult for a human to understand, however it is not impossible to convert it back to the original form. ________: Larger keys and more bits are signs of better encryption and stronger keys. _________: Symmetric keys used to provide a secure and fast online connection. The server's public key is paired with a random key to produce a symmetric key, that the server uses to encrypt and the user to decrypt. _________: Session keys that only last temporarily and change frequently.