Security + Chapter 6
Salt
For hashes
Blowfish and Twofish
Blowfish is a 64-bit block cipher that can use variable-length keys (from 32 bits to 448 bits); Twofish is similar and works on 128-bit blocks
CSR
Certificate Signing Request
Weak encryption standards
DES and WEP
data in-transit
Data that is in transit across a network, such as an email sent across the Internet. (protect best with TLS or NIDS)
Data at rest
Data that is stored on electronic media. Protect with encryption.
Code Signing Certificate
Digital certificate issued (typically by a trusted CA). Used for downloaded code, macros, objects, etc.
RC4
An RC stream cipher that will accept keys up to 128 bits in length. No longer used because of bias flaw. Used in WEP and SSL.
Distinguished Encoding Rules (DER)
An X.509 encoding format. Usually used with Java certificates.
Elliptic Curve Cryptography (ECC)
An algorithm that uses elliptic curves instead of prime numbers to compute keys.
OCSP stapling
The device that holds the certificate will also be the one that provides the status of any certificate revocation, lightening the load on the CA.
3DES (Triple DES)
Symmetric Key Algorithm, Applies DES three times, 168-bit key (+24 for parity)
EAP-TLS
EAP-Transport Layer Security. Uses PKI, requiring both server-side and client-side certificates.
Chain of trust
The concept in which entities in a hierarchical relationship are valid at each level of the hierarchy.
MD5 - Message Digest 5
128-bit hash based on variable-length plaintext
Initialization Vector (IV)
A 24-bit value used in WEP that changes each time a packet is encrypted.
wildcard certificate
A PKI certificate that is applied to a specific domain but also covers all of the subdomains.
Advanced Encryption Standard (AES)
A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Practically uncrackable. Used in powerful WPA2
self-signed certificate
A certificate that lacks a third-party signature.
extended validation (EV) certificate
A certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).
Digital Signature Algorithm (DSA)
A common asymmetric encryption algorithm that is primarily used for creating digital signatures. Used with ECC.
User Certificate
A credential issued by the Authentication Service that supplies valid authentication credentials. Whenever the client requires access to a new network resource, it must present its TGT to the Key Distribution Center (usually using a smart card).
Asymmetric Encryption
A cryptographic key that may be widely published and is used to enable the operation of an asymmetric cryptography scheme. This key is mathematically linked with a corresponding private key. Typically, a public key can be used to encrypt, but not decrypt, or to validate a signature, but not to sign. Aka public key cryptography.
PGP (Pretty Good Privacy)
A data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication
Web of Trust
A decentralized model used for sharing certificates without the need for a centralized CA.
Object Identifier (OID)
A designator made up of a series of numbers separated with a dot which names an object or entity.
Bcrypt
A key-stretching function based on the Blowfish cipher algorithm.
RIPEMD-160
A message-digest algorithm that produces a 160-bit hash value after performing 160 rounds of computations on 512-bit blocks.
Substitution Cipher
A method of encryption and decryption in which each letter in the alphabet is replaced by another.
Electronic Code Book (ECB)
A mode of operation for a block cipher, with the characteristic that each possible block of plaintext has a defined corresponding ciphertext value, and vice versa
Galois/Counter Mode (GCM)
A mode that starts with CTR mode, but adds a special data type known as a Galois field to add integrity. (used in wireless, SSH, IPSEC, TLS)
Cipher Block Chaining (CBC)
A process in which each block of unencrypted text is XORed with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm. Also uses IV vector. Like ECB but random.
Certificate Revocation List (CRL)
A repository that lists revoked digital certificates.
Secure Hash Algorithm (SHA)
A secure hash algorithm that creates more secure hash values of longer lengths than Message Digest (MD) algorithms.
mutual authentication
A security mechanism that requires that each party in a communication verify its identity.
TKIP (Temporal Key Integrity Protocol)
A security protocol created by the IEEE 802.11i task group to replace WEP. Deprecated encryption standard that provided a new encryption key for every sent packet.
Privacy Enhanced Mail (PEM)
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
Data Encryption Standard (DES)
A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.
key stretching
A technique that strengthens potentially weak cryptographic keys, such as passwords or passphrases created by people, against brute force attacks. Using hashes.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates.
WPS (Wi-Fi Protected Setup)
A user-friendly—but not very secure—security setting available on some consumer-grade APs. Part of the security involves requiring a PIN in order to access the AP's settings or to associate a new device with the network. The PIN can be easily cracked through a brute force attack, so this PIN feature should be disabled if possible.
Strong encryption standards
AES and PGP
Block Cipher
An encryption algorithm in which data is encrypted in "chunks" of a certain length at a time. Popular in wired networks.
Stream Cipher
An encryption method that encrypts a single bit at a time. Used only in symmetric.
Subject Alternative Name (SAN)
An extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called "Subject Alternative Names" (SANs).
EAP (Extensible Authentication Protocol)
An extension to the PPP protocol suite that provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own, but rather works with other encryption and authentication schemes to verify the credentials of clients and servers.
Digital Signatures provide which of the following?
B. Authorization C. Integrity D. Authentication
CTR (Counter Mode)
Block cipher mode that acts like a stream cipher. Encrypts successive values of a "counter". Plaintext can be any size, since it's part of the XOR (i.e., 8 bits at a time (streaming) instead of a 128-bit block).
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling--Designed by Cisco to replace LEAP.
HMAC
Hash-based Message Authentication Code. An HMAC is a fixed length string of bits similar to other hashing algorithms such as MD5 and SHA-1, but it also uses a secret key to add some randomness to the result. (Used in IPSEC/TLS)
LEAP
Lightweight Extensible Authentication Protocol
certificate chaining
Linking several certificates together to establish trust between all the certificates involved.
PBKDF2
Password-Based Key Derivation Function 2. A key stretching technique that adds additional bits to a password as a salt. This method helps prevent brute force and rainbow table attacks. Bcrypt is a similar key stretching technique.
802.1x is an IEEE standard defining:
Port-based network access control
Certificate pinning
Prevents man-in-the-middle attacks by hardcoding the server's certificate into the application itself and checking whether the certificate matches between server and application.
PEAP
Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate, PEAP-TLS requires a certification authority (CA) to issue certificates.
PKCS#12
Public Key Cryptography Standards #12 is a file format used to store private keys with accompanying public key certificates.
PKCS#7
Public Key Cryptography Standards #7 is used by a CA to distribute digital certificates.
perfect forward secrecy
Public key systems that generate random public keys that are different for each session.
RSA Encryption
RSA (Rivest-Shamir-Adleman) is the most common internet encryption and authentication system. The system uses an algorithm that involves multiplying two large prime numbers to generate a public key, used to encrypt data and decrypt an authentication, and a private key, used to decrypt the data and encrypt an authentication.
Symmetric Key Encryption
Sender and receiver use a single, shared key (not scalable because it's a shared secret). Faster than asymmetric encryption but commonly used with asymmetric encryption.
EAP-TTLS (EAP Tunneled Transport Layer Security)
Supports other authentication protocols in a TLS tunnel. Use any authentication you can support, maintain security with TLS.
Captive Portal
Technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network
TACACS+
Terminal Access Control Access Control System Plus
root certificate authority
The CA whose public key is used to authenticate all certificate chains within that community
domain validation (DV) certificates
The lowest level of SSL certificates. CAs issue DV certificates to the domain admin contact in the public record associated with a domain name.
SHA-2
The second revision of SHA, also designed by the NSA, which supports a variety of hash sizes, the most popular of which are SHA-256 and SHA-512.
ROT13 cipher
This more recent cipher uses the same mechanism as the Caesar cipher but moves each letter 13 places forward
Elliptic Curve Cryptography (ECC)
Uses curves for encryption, digital signatures, pseudo-random number generators and more.
RADIUS Federation (authentication protocols)
Using a series of __________ servers in a federated connection has been employed in several worldwide ___________________ networks. One example is the EDUROAM project that connects users of education institutions worldwide. The process is relatively simple in concept, although the technical details to maintain the hierarchy of these servers and routing tables are daunting at worldwide scale. A user packages their credentials at a local access point using a certificate-based tunneling protocol method.
OCSP (Online Certificate Status Protocol)
What technology was developed to help improve the efficiency of checking the validity of certs in large environments?
WPA2
Wireless Protected Access 2. Wireless network encryption system. Uses AES, CCMP (replaced TKIP), 128-bit key and 128-bit block cipher.
Diffie-Hellman key exchange
An asymmetric standard for exchanging keys. Primarily used to send private keys over public networks.
data in-use
Data in temporary storage buffers while an application is using it. Almost always unencrypted. Example: RAM.
XOR
exclusive or
key escrow
The process of storing a copy of an encryption key in a secure location with a third party.
Hash collision
Two different objects for which a hash function computes identical values. (MD5 does this)