Sec + Chapter 10
Revoking Certs
A CA can revoke a cert for the following reasons: key compromise, CA compromise, change of affiliation, superseded, cessation of operation, certificate hold.
Certificate
A digital document that typically includes the public key and information on the owner of the cert.
Certificate Signing Request (CSR)
A step in the registration process for requesting certs from the CA. Includes the purpose of the certificate, and the info about the web site, the public key and the user.
Advanced Encryption Standard (AES)
Strong symmetric block cipher that encrypts data in 128-bit blocks. Fast, strong and efficient.
CA trust model
The most common trust model is the hierarchical trust model, also known as the centralized trust model. In this model the public CA creates the first CA (the root CA), and if the organization is large it can create intermediate and child CAs. The root CA issues certs to intermediate CAs, and intermediate CAs issue certs to child CAs.
Block cipher
Most symmetric keys use either a block cipher or a stream cipher. A block cipher encrypts data in specific-sized blocks. More efficient when the file size is known.
Online Certificate Status Protocol
OCSP allows the client to query the CA with the serial number of the certificate, and the CA responds with good, revoked, or unknown.
Hashing passwords
Passwords are often stored as hashes. When a user authenticates by entering a username and password, the system calculates the hash of the entered password and compares it to the stored one.
Integrity
Provides assurances that data has not been modified. (Hashes can ensure this; common hashing algorithms include MD5 and SHA.)
Digital signature
Provides authentication, non-repudiation and integrity.
Encryption
Scrambles, or ciphers, data to make it unreadable if intercepted. Encryption normally includes an algorithm and a key. Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses a public and a private key created as a matched pair, and requires PKI to issue certificates. Stream ciphers encrypt data 1 bit at a time; block ciphers encrypt data in blocks.
Recovery Agent
A designated person or program that can recover private keys to access encrypted data. In some cases the recovery agent can recover encrypted data using a different key.
Stream cipher
Encrypts data as a stream of bits or bytes rather than dividing it into blocks. More efficient when the file size isn't known.
Twofish
Encrypts data in 128-bit blocks and supports 128-, 192-, or 256-bit keys.
Confidentiality
Ensures that data is only viewable by authorized users. Encryption protects the confidentiality of data.
XOR
Logical operation used in encryption schemes. XOR operations compare two inputs, and if they are the same it outputs True (binary 1); if they are different it outputs False (binary 0).
PGP (Pretty Good Privacy)
Method used to secure email communication; it can encrypt, decrypt and digitally sign email. Uses both asymmetric and symmetric encryption.
S/MIME
Popular standard used to digitally sign and encrypt email. Uses RSA for asymmetric encryption and AES for symmetric encryption. Can encrypt data at rest and in transit. Because it uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certs.
Key escrow
Process of placing a copy of a private key in a safe environment. Useful for recovery. If the original is lost, the organization retrieves the copy of the key to access the data.
Initialization vector (IV)
Provides a starting value for a cryptographic algorithm. A random number or pseudo-random number that helps create random encryption keys.
Random and pseudo-random numbers
Random: able to pick a number completely by chance. Pseudo-random: a number that appears to be random but is actually created by a deterministic algorithm.
Substitution cipher
Replaces plaintext with ciphertext using a fixed system. Ex. moving a character on the alphabet by three spaces to encrypt and 3 spaces back to decrypt. (Symmetric cipher, key is 3 letters.)
Public Key Infrastructure (PKI)
A group of technologies used to request, create, manage, store, distribute and revoke digital certificates. PKI allows two entities to communicate securely without knowing each other previously. In other words it allows them to communicate securely through an insecure public medium such as the internet.
Crypto module
A set of hardware, software, and/or firmware that implements cryptographic functions. Includes algorithms for encryption and hashing, key generation, and authentication techniques such as digital sigs.
Crypto service providers
A software library of crypto standards and algorithms. Typically distributed within crypto modules.
3DES
A symmetric block cipher designed as an improvement over DES. Uses the DES algorithm in 3 different passes and uses multiple keys.
Web of trust
Also known as the decentralized trust model. A web of trust uses self-signed certificates, and a third party vouches for these certs. Ex. if five of your friends trust a cert, you can trust the cert.
SHA
Another hashing algorithm. SHA-0: not used. SHA-1: creates 160-bit hashes. SHA-2: has 4 versions (SHA-256, SHA-512, SHA-224, and SHA-384). SHA-3: alternative to SHA-2.
Certificate issues
Before clients use a cert, they verify it's valid with several checks. Typical errors displayed for certs are: expired, certificate not trusted, and compromised private key (improper management). Clients also validate certs through the CA to ensure they haven't been revoked by checking the CRL.
Certificate formats
CER is a binary format for certs and DER is an ASCII format. PEM is the most commonly used certificate format and can be used for just about any cert type. P7B certs are commonly used to share public keys, and P12 and PFX certs are commonly used to hold the private key.
Certificate revocation lists (CRL)
A CA uses this to revoke certs.
Elliptic Curve Cryptography (ECC)
Doesn't take as much processing power as other cryptographic methods, so it is often used for low-power devices. Graphs points on an elliptical curve to create keys. NSA has deprecated use of various versions for gov agencies.
Cipher modes
ECB: divides the plaintext into blocks and then encrypts each block using the same key. CBC: uses an IV when encrypting the first block and then combines each block with the last block. CTM: converts a block cipher into a stream cipher (combines an IV with a counter to encrypt each block). GCM: combines counter mode of operation with Galois mode (hashing techniques), providing data integrity and confidentiality.
Diffusion
Ensures that small changes in the plaintext result in large changes in the ciphertext.
Certificate Authority
Issues, validates, and revokes certificates. CAs can be very large, such as the company Symantec, but can also be a service running on a server in a private network. Public CAs sell certs which are trusted by others, similar to how you can validate your identity to other businesses with a driver's license from the DMV, because the DMV is trusted.
Diffie-Hellman (DH)
Key exchange algorithm used to privately share a symmetric key between two parties. Once both parties know the symmetric key they use asymmetric encryption. Supports both static and ephemeral keys. DHE: uses ephemeral keys. ECDHE: ephemeral keys generated using ECC. ECDH: uses static keys generated using ECC.
Encrypting email with only asymmetric encryption
Lisa receives a copy of Bart's cert that has his public key. Lisa encrypts the email with Bart's public key. Lisa sends the encrypted email to Bart. Bart decrypts the email with his private key. Only Bart has access to his private key, so even if an attacker intercepted the email they could not decrypt it.
Encrypting email with both symmetric and asymmetric
Lisa uses a symmetric key to encrypt the email. Lisa retrieves a copy of Bart's cert with his public key. Lisa uses Bart's public key to encrypt the symmetric key. Lisa sends the encrypted email and the encrypted symmetric key to Bart. Bart decrypts the symmetric key with his private key. Then he decrypts the email with the decrypted symmetric key.
Obfuscation
Makes something unclear or difficult to understand.
Confusion
Means that the ciphertext is significantly different from the plaintext version. Ex. "I passed" encrypted being "gfdfsgdfdfshdfsg".
Data in Transit
Refers to any data sent over a network. It's common to encrypt sensitive data in transit.
Data-at-rest
Refers to any data stored on media. It's common to encrypt sensitive data at rest.
Data in use
Refers to data being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.
SSL vs TLS
SSL and TLS are encryption protocols that are commonly used to encrypt data in transit. Both provide certificate-based authentication and encrypt data with a combo of symmetric and asymmetric encryption during a session. When encrypting traffic, asymmetric encryption is used to securely share the symmetric key, and the symmetric key is used to encrypt the session data. This split exists because asymmetric encryption is resource intensive.
Hash-Based Message Authentication Code (HMAC)
Similar to MD5 and SHA-1 but also uses a shared secret key to add some randomness to the result; only the sender and receiver know the secret key. The shared key portion provides authenticity, because if the receiver can calculate the same result, that means they know the same key as the sender.
Asymmetric key categories
Static key: a semi-permanent key that stays the same over a long period of time. Ephemeral key: has a short lifetime and is re-created for each session. Perfect forward secrecy indicates that a cryptographic system generates random public keys for each session and doesn't use a deterministic algorithm to do so.
Blowfish
Strong symmetric block cipher that encrypts in 64-bit blocks and supports key sizes between 32 and 448 bits. Faster than AES in some instances.
Data Encryption Standard (DES)
Symmetric block cipher that encrypts in 64-bit blocks and uses a key of only 56 bits. Can easily be broken with brute force attacks today.
Symmetric encryption
Uses the same key to encrypt and decrypt. Also called secret key encryption or session key encryption. RADIUS uses symmetric encryption.
Asymmetric Encryption
Uses two keys in a matched pair to encrypt and decrypt data: a public key and a private key. If the public key encrypts data, only the matching private key can decrypt that same data, and vice versa. Private keys are always kept private and never shared, and public keys are freely shared by embedding them in a shared certificate. Very resource intensive.
Nonce
a number used once
Downgrade attack
a type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control. Often associated with cryptographic attacks. TLS can be downgraded to SSL and disabling SSL can prevent this.
RIPEMD
Another hash function used for integrity, though it isn't as widely used as the others.
RSA
asymmetric encryption method using both a public key and a private key in a matched pair
Stapling
The certificate presenter (ex. a web server) obtains a timestamped OCSP response from the CA and has the CA sign it with a digital signature. The cert presenter then staples the timestamped response to the certificate during the TLS handshake process, which eliminates the need for clients to query the CA.
Self-signed certs (type of cert)
Certs not issued by a trusted CA. Private CAs within an enterprise create self-signed certs that go into the trusted root CA store for enterprise PCs.
Cipher Suites
Combination of cryptographic algorithms that provide several layers of security for TLS and SSL. The protocols in the suite provide encryption, authentication via certs, and integrity via hashing. Ex. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256. There are many cipher suites because of the possible combinations. When two systems connect, they identify which cipher suites they both support and choose the suite highest on the list. Some cipher suites are very old and shouldn't be used.
Certificate chaining
combines all the certificates from the root CA down to the certificate issued to the end user
MD5
common hashing algorithm that produces a 128-bit hash. Considered cracked
Public key pinning
Security mechanism to prevent attackers from impersonating a web site using fraudulent certs. The server responds to client HTTPS requests with an extra header that includes a list of hashes derived from valid public keys used by the web site. When the client connects to the same site again, it recalculates the hashes and compares the recalculated hashes with the stored hashes; if they match, it verifies the client is connected to the same site.
Wildcard certs (type of cert)
Start with an asterisk and can be used for multiple domains, but each domain name must have the same root domain. Ex. the wildcard cert *google.com can be used for other Google domains such as accounts.google.com and support.google.com.
Steganography vs obfuscation
Steganography hides data within data, and obfuscation attempts to make something unclear or difficult to understand. Steganography can be detected with hashing, because if a single bit of a file is modified when embedding something, a different hash is created.
RC4
symmetric stream cipher that can use between 40 and 2048 bits. not recommended anymore as it is believed agencies can crack it. AES is recommended.
Key stretching
technique used to increase the strength of stored passwords and can help thwart brute force and rainbow table attacks. These techniques salt the passwords with additional random bits to make them even more complex. Common key stretching techniques are BCRYPT and PBKDF2
Root certificate
the first certificate created by the CA that identifies it
Digital Signature Algorithm (DSA)
Uses an encrypted hash of a message that's encrypted with the sender's private key. If the recipient can decrypt the digitally signed email, then it provides authentication, non-repudiation, and integrity, because only the public key from the sender's certificate, which the recipient verifies, can decrypt the message. Digital signatures need certificates; they include the sender's public.
ROT13 cipher
Uses the same substitution algorithm as the substitution cipher but always uses a key of 13. Doesn't provide true encryption, just obfuscates data.