Security+ Chapter 2: PKI Concepts

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

To carry out B2B activity with 3rd party companies or to sell products on the web, what type of CA should I use?

Use a public CA for B2B activities.

Pretty Good Privacy (PGP

Used between 2 users to set up an asymmetric encryption and digital signatures. Requires a private and public key pair. 1st stage is to exchange keys. It uses RSA keys.

Diffie Hellman (DH) - Asymmetric Technique

Used for creating secure sessions to that symmetric data can travel down to it. Does not encrypt data. Creates the keys used in the Internet Key Exchange (IKE) Uses UDP Port 500 to set up secure session for L2TP/IPSec VPN.

Code Signing Certificate

Used to digitally sign software so that its authenticity is guaranteed

RIPEMD

Used to hash data (128-bit hashing function)

Computer/Machine Certificate

Used to identify a computer within a domain

OCSP Stapling/Certificate Stapling

Used when a web server bypasses the CRL to use the OCSP for a faster confirmation (irrespective of whether or not a certificate is valid.

Hierarchical Trust Model

Uses hierarachy form the root CA down tot he intermediary (a.k.a., subordinate). This is the normal PKI model.

GnuPG

Free version of OpenPGP (a.k.a., PGP). Uses RSA Keys

What should I do to protect data-at-rest on a removable device, such as USB flash drive or an external hard drive?

Full disk encryption

What 2 things does digitally signing an email provide?

1. Integrity 2. Non-repudiation of the sender

Full Disk Encryption (FDE)

A technology that encrypts everything stored on a storage medium automatically, without any user interaction (ex: if data is stolen, it will be encrypted, and unreadable)

What are the two purposes of Data Loss Protection (DLP)?

1. Prevents sensitive or PII information from being emailed out of a company 2. Prevents sensitive or PII information from being stolen from a file server using a USB device

Name 2 key-stretching algorithms

1. bcrypt 2. PBKDF2

What is the first stage in any encryption, no matter whether it is asymmetric or symmetric?

1st stage in encryption is the key exchange (During asymmetric encryption, each entity will give the other entity its pubic key. The private key is secure and never given away.)

Data Loss Prevention (DLP)

A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users. (ex: can prevent someone from stealing data with a USB drive)

What type of certificate does a CA have?

A CA has a root certificate, which it uses to sign keys.

How can I tell whether my certificate is valid?

A Certificate Revocation List (CRL) is used to determine whether a certificate is valid

What is the process of obtaining a new certificate?

A Certificate Signing Request (CSR) is a new certificte request

Obfuscation

A technique that makes stored source code unreadable.

Perfect Forward Secrecy

A characteristic of encryption keys ensuring that keys are random. Perfect forward secrecy methods do not use deterministic algorithms. There is no link between the session key and the server's private key. Therefore, even if the VPN server has been compromised, the attacker cannot use the server's private key to decrpt the session.

Collision

A collision attack is where the attacker tries to match the hash. A collision is when the hash is matched--compromises the system

Certificate Pinning

A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

Online Certificate Status Protocol (OCSP)

A process that performs a real-time lookup of a certificate's status. (OCSP comes into play if CRL is going slowly.)

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

A session key ensures the security of communications between a computer and a server or a computer and another computer.

Diffusion

A technique where you change one character of the input, which will change multiple bits of output.

What shall I use to encrypt a military mobile telephone?

AES-256 will be used to encrypt a military mobile phone

Subject Alternative Name (SAN) Certificate

Allows a certificate owner to specify additional domains and IP addresses to be supported. You can also insert other information into a SAN certificate, such as an IP address.

Homomorphic Encryption

Allows data to remain encrypted while it's being processed and manipulated; it enables the ability to apply functions on encrypted data without needing to reveal the values of the data. It helps to protect integrity of data by allowing others to manipulate its encrypted form while no one besides the private key holder can understand or access its decrypted values.

Asymmetric - PKI

Asymmetric keys are obtained from a CA

Pseudo-Random Number Generator (PRNG)

An algorithm that uses mathematical formulas to produce sequences of random numbers. Random numbers can be used when generating data encryption keys.

Nonce

An arbitrary number used only once in a cryptographic communication, often to prevent replay attacks. (often a random number)

Who builds the CA or intermediary authorities?

An architect would build the CA or intermediary authorities.

Data-in-Use

Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.

Wildcard Certificate

Asterisk (*) used in place of a part of a domain name. Can be installed on multiple public facing websites as a cheaper option.

What asymmetric encryption algorithm should I use to encrypt data on a smartphone?

ECC will be used to encrypt data on a smart phone (It is small and fast and uses the DH handshake.)

What format is a PEM certificate?

Base 64 format

Blowfish and Twofish - Symmetric Algorithms

Blowfish key length: 64-bit (faster) Twofish key length: 128-bit (slower) Used for encryption with embedded systems

What should I do to protect data-at-rest on a laptop?

FDE

What should I do to protect data-at-rest on a tablet or smartphone?

FDE

What happens with cipher block chaining (CBC) if I don't have all of the blocks?

CBC needs all of the blocks of data to decrypt the data

What type of cipher is the Caesar cipher and how does it work if it uses ROT 4?

Caesar cipher is a substitution cipher. ROT cipher substitutes letters by a letter 4 characters away.

If Carol is encrypting data to send to Bob, what key will they each use?

Carol uses Bob's public key to encrypt the data Bob uses his private key to decrypt the data (Encryption and decryption are always done by the same key pair.)

What can I use to prevent my CA from being compromised and fraudulent certificates being issued?

Certificate pinning can be used to prevent a CA from being compromised and fraudulent certificates being issued.

Explain certificate stapling/OCSP stapling

Certificate stapling/OCSP stapling is where a web server uses an OCSP for faster certificate authentication, bypassing the CRL.

Certificate Chaining

Chain of trust used to verify the validity of a certificate as it incudes details of the Certificate Revocation List (CRL). The chain normally has 3 layers (and shows trust between layers): 1. Certificate vendor 2. Vendor's certificate 3. Computer where the certificate is installed

What should I do with my software to verify that it is original and not a fake copy?

Code-signing software is similar to hashing the software and ensuring the integrity of the software.

What type of attack tries to find two has values that match?

Collision attack (tries to match 2 hash values to obtain a password)

Supporting Non-Repudiation (Common Use Cases)

Confirm the authenticity of data. Digital signature provides both integrity and non-repudiation.

Explain why we would use Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE)

DHE and ECDHE are ephemeral keys that are short-lived, 1-time keys

What is the purpose of the DRA and what does it need in order to complete its role effectively?

DRA recovers data (when a user's private key is corrupt) by obtaining a copy of the private key from the key escrow.

Hashing

Data inside a document is hashed using an algorithm [ex: Secure Hash Algorithm Version 1 (SHA1), SHA2, SHA3, and MD5] Turns data inside the file into a long text string (hash value or message digest) 1-way function (cannot be reversed)

Data-at-Rest

Data is not being used and is stored on a hard drive or external storage (e.g., laptop, phone, USB, etc.)

Data-in-Transit

Data that is in transit across a network, such as an email sent across the Internet.

What should I do to protect data-at-rest on a backend server?

Database encryption (data is stored on a database)

Implementation Decisions

Decisions related to how to ensure that a organization's operations are more secure. Need to balance processing power with increased key length. Should use key length of 2046-bits or larger (less is too insecure)

Private Key

Decrypts the data (Think of private key as a bank card--the card you don't give away)

How can I identify each certificate?

Each certificate can be identified by its OID, which is similar to a serial number.

Supporting Confidentiality (Common Use Case)

Encrypting data to prevent it from being viewed and to prevent any protocol analyzer from reading the packets. Encryption could be couple with mandatory access controls to ensure that data is secure and kept confidential.

If I want to ensure the protection of data, what shall I use?

Encryption is used to protect data so that it cannot be reviewed or accessed

What is encryption and what are the inputs and outputs called?

Encryption: makes data unreadable Input: plain text Output: ciphertext

What is the purpose of forward secrecy?

Ensures that there is no link between the server's private key and the session key. If the VPN server's key was compromised, it could not decrypt the session.

Use Case (for purpose of the Security+ exam)

Example of when something is useful

If I want to ensure the integrity of data, what shall I use? Name 2 algorithms

Hashing ensures the integrity of data. Exaamples: 1. SHA-1 (160-bit) 2. MD5 (128-bit)

Is a hash a 1-way or 2-way function, and is it reversible?

Hashing is 1-way. It is not reversible.

Key Escrow

Hold the private keys for 3rd parties and stores them in a Hardware Security Module (HSM)

Self-Signed Certificate

Issued by the same entity that is using it. It doesn't have a CRL and it cannot be validated or trusted. Can be installed on internal acing websites as a cheaper option.

What is the purpose of salting a password?

It ensures that duplicate passwords are never stored and makes things more difficult for brute-force attacks by increasing the key size (key stretching) It appends the salt to the password making it longer than before hashing.

What is the purpose of DH?

It is an asymmetric technique that creates a secure tunnel. (During a VPN connection it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel.)

What is the purpose of hardware security model (HSM)?

It is used by the key escrow as it securely stores and manages certificates.

What is the purpose of the extended validation of an X509?

It provides a higher level of trust for X509; when it is used, the URL background turns green.

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

Janet will use her private key to digitally sign the email John will check its validity with Janet's public key (which he would have received inadvance)

Triple DES (3DES) - Symmetric Algorithm

Key Length: 168-bit key (applies the DES algorithm 3 times) Used for L2TP/IPSec VPNs (is weaker than AES)

Elliptic Cure Cryptography (ECC) - Asymmetric Algorithm

Key Length: 256-bit Used for encryption in small mobile devices (ex: military mobile cell phones) Uses less processing than other encryptions

Rivest Cipher 4 (RC4) - Symmetric Algorithm

Key Length: 40-bits Used by WEP Considered to be a stream cipher

Data Encryption Standard (DES) - Symmetric Algorithm

Key Length: 56-bits (fastest but weakest). Groups data into 64-bit blocks. Used for L2TP/IPSec VPNs (is weaker than AES)

Rivest, Shamir, and Adelman (RSA) - Asymmetric Algorithm

Key Lengths: 1024-, 2046-, 3072-, and 4096-bits Used for encryption and digital signatures First private and public key pairs

Advanced Encryption Standard (AES) - Symmetric Algorithm

Key Lengths: 128-, 192-, and 256-bits Used for L2TP/IPSec VPNs

Digital Signature Algorithm (DSA) - Asymmetric Algorithm

Key Lengths: 512-, 1024- and 2046-bits Used for digital signatures 1024 and 2046 are faster than RSA for digital signatures

Who signs the X509 certificates?

The CA signs the X509 certificates

Supporting Integrity (Common Use Case)

Main reasons for ensuring integrity 1. To hash data stored on a file server (to prove whether or not it has been tampered with) 2. To digitally sign an email with your private key to prove to the recipient that it has not been tampered with in transit.

If George encrypted data 4 years ago with an old CAC card, can he unencrypt the data with his new CAC card?

No. George must obtain the old private key to decrypt the data because the encryption was done with a different key pair.

PGP vs. S/MIME

PGP: used for encryption between 2 people S/MIME: used for digital signatures between 2 people

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

POODLE is a man-in-the-middle attach on a downgraded SSL 3.3 (CBC)

Supporting Obfuscation (Common Use Cases)

Obscuring source code so that it cannot be read by anyone who steals it. Also known as security by obscurity, where you want to prevent third-parties knowing about your IT systems and identifying any weaknesses in the system.

What type of trust model does PGP use?

PGP uses the web of trust model.

Bridge Trust Model

Peer-to-peer, where two separate PKI environments trust each other. The CAs communicate with each other, allowing for cross certification. (Sometimes referred to as the trust model.)

What format is a private certificate and what file extension does it have?

Private key format: P12 Private key extension: .pfx

What format is a public certificate and what extension does it have?

Private key format: P7B Private key extension: .cer

Trust Model

Proves the authenticity of a certificate. There are 2 trust models: 1. Hierarchical Trust Model 2. Bridge Trust Model

Extended Validation Certificate

Provides a higher level of trust in identifying the entity that is using the certificate (normally used in the financial arena)

User Certificate

Provides authenticity to a user for the applications that they use

What is the purpose of rainbow tables?

Rainbow tables are a list of precomputed words showing their hash value. You will get rainbow tables for MD5 and different rainbow tables for SHA-1.

Data Recover Agent (DRA)

Recovers data. DRA needs a private key from the key escrow to recover data. (e.g., use this when user can't access data because private key is corrupted)

If 2 entities want to set up a cross-certification, what must they set up first?

Root CAs must set up a trust model between themselves (bridge trust model)

Public Key

Sent to 3rd parties to encrypt the data (Think of the public key as the deposit slip that is tied to your bank account)

Ephemeral Keys

Short-lived keys used for a single session 1. Diffie Hellman Ephemeral (DHE) 2. Elliptic Curve Diffie Hellman Ephemeral (ECDHE)

Object Identifier (OID)

Similar to a serial number; certificates are identified by their OIDs.

Low-Power Devices (Common Use Cases)

Small Internet of Things (IoT) devices need to use ECC for encryption, which uses a small key, because they don't have the processing power for conventional encryption.

Explain the concept of steganography

Steganography is used to conceal data; you can hide a file, image, video, or audio inside another image, video, or audio file.

Hardware Security Module (HSM)

Stores and manages certificates. A device (hardware) attached to the server or a portable device that is attached to store the keys.

What is the purpose of key escrow?

Stores and manages private keys for 3rd parties

What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

Stream: Encrypts data 1 bit at a time Block: Encrypts data in blocks (e.g., 128-bit modes); will be used for large amounts of data

Resource vs. Security Constraint (Common Use Case)

Striking a balance between the hardware resources and the amount of processing power used.

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel?

Strongest: AES Weakest: DES

What type of certificate can be used on multiple domains?

Subject Alternative Name (SAN) certificate

What type of encryption will be used to encrypt large amounts of data?

Symmetric encryption (uses batch encryption; one key)

Stream vs. Block Ciphers

Symmetric uses block ciphers Asymmetric uses stream ciphers (1 bit at a time)

What two protocols could we use to protect data-in-transit? How can you protect data in use?

TLS, HTTPS, or an L2TP/IPsec tunnel

Steganography

The art and science of hiding information by embedding messages within other, seemingly harmless messages

Certificate Revocation List (CRL)

The first stage in checking certificate validity.

Certificate Signing Request (CSR)

The process of requesting a new certificate.

Domain Validation

The right to administratively manage the domain name in question. A domain-validated (DV) certificate ian an X.509 certificate that proves the ownership of a domain name.

Trust Anchor

The root certificate from which the whole chain of trust is derived (i.e., root CA)

X.509

The standard format for digital certificates.

What is the purpose of obfuscation?

To make source code look obscure, so that if it is stolen, it cannot be understood. It masks the data and could use either XOR or ROT14 to obscure the data.

Security through Obscurity

To prevent anyone from outside the organization from knowing the architecture or design of the system or any of its components.

Why would I make my CA offline when not in use?

To reduce the chance of it being compromised. (Military, security, banking organizations keep the CA offline when it is not in use.)

What is the purpose of key stretching?

To salt the password being stored so that the duplicate passwords are never stored. It also increases the length of the keys to make things harder for a brute-force attack.

Certificates

Two main certificate types: 1. Public key 2. Private key

To use a CA internally, what type of CA should I use?

Use a private CA for internal use only; these certificates will not e accepted outside your organization.

Symmetric Encryption

Uses one key, which is known as the private, or shared, key. The same key encrypts and decrypts the data. Uses a block cipher and encrypts large blocks of data faster than asymmetric techniques.

Asymmetric Encryption

Uses two keys--a private key and a public key. A.k.a., PKI, including its CA and intermediary authorities. Stage 1: Key exchange (keep private key; give away public key). Use recipient's public key to encrypt. More secure than symmetric encryption. Uses Diffie Hellman (DH) to set up secure tunnel for symmetric data.

Supporting Authentication (Common Use Cases)

Using authentication to validate users of a system (e.g., 2-factor logon, smart card with PIN, etc.)

High Resiliency (Common Use Cases)

Using the most secure encryption algorithm to prevent the encryption key from being cracked by attackers. In an RSA environment, should be using a minimum key size of 3072. Additionally, implementing accelerator cards to reduce the amount of latency on the encryption or decryption.

What type of certificate can be used on multiple servers in the same domain?

Wildcard certificate

Subordinate CA

a.k.a. Intermediary. Could be the Registering Authority (RA)

If the CRL is going slow, what should I implement?

an OCSP is used to provide faster validation if CRL is going slowly


Ensembles d'études connexes

Honan Chapter 25 Hepatic and Biliary Disorders

View Set

(HA Ch 4) PrepU - Health History

View Set

Physics Chapter 19 Waves: Practice Test, ChTest, Homework and Terms

View Set

Methods of Strength and Conditioning Final Review

View Set

Strategic Mgt. Final Study Gudie Q1-80

View Set