Ch8 Cryptography 1.2, 6.1-6.4


extended validation certificate

Require more validation of the certificate holder; thus, they provide more security.

ElGamal

*Transmitting digital signatures and key exchanges. ASYM uses ephemeral key

enterprise mode

A server handles distribution of cryptographic keys and/or digital certificates.

cryptographic hash

A function that is one-way (NONREVERSIBLE), has a fixed length output, and is collision resistant.

Known plain text

ATTACK relies on the attacker having pairs of known plain text along with the corresponding cipher text. This gives the attacker a place to start attempting to derive the key. **Heil hitler Nava; message crack

CA's

Certificate Authorities. Third-party organizations that manage public keys and ISSUE certificates verifying the validity of a sender's message. ***Maintenance of certificates too.

CRL

Certificate Revocation List. Literally a list of certificates that a specific CA states should no longer be used. Now being replaced by a real-time protocol called Online Certificate Status Protocol (OCSP).

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. Favored by WPA2; uses 128-bit AES.

asymmetric cipher

Cryptographic algorithms that use 2 DIFFERENT keys—one key to encrypt and another to decrypt. Also called public key cryptography.

ECC

Elliptic Curve Cryptography. Similar to RSA but uses smaller key sizes for the same security. An option to RSA that uses less computing power than RSA and is popular in smaller devices like smartphones. Based on the idea of using points on a curve combined with a point at infinity and the difficulty of solving discrete logarithm problems. Elliptic Curve Digital Signature Algorithm (ECC-DSA), Elliptic Curve Diffie-Hellman (ECC-DH). DHE?? ECDHE??

MD5

Message Digest algorithm version 5. Creates a hash value and uses a one-way hash. Hash value used to help maintain integrity. It produces a 128-bit hash, but the algorithm is more complex than its predecessors and offers greater security. Its biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use... use SHA instead.

PSK

PreShared Key mode, used in WPS. The client and the wireless access point must negotiate and share a key prior to initiating communications.

PRNG

Pseudo-Random Number Generator. An algorithm used to generate a number that is sufficiently random for cryptographic purposes, but not entirely random.

RC4

Ron's Cipher level 4, produced by RS labs. Obfuscate. Popular with wireless and WEP/WPA encryption. Streaming cipher that works with key sizes between 40 and 2,048 bits, and it is used in SSL and TLS.

transposition cipher

SCRAMBLING the letters in a certain manner.

SHA

Secure Hash Algorithm. Use SHA-2. Ensures integrity of a message. One-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA-2 has several sizes: 224, 256, 334, and 512 bit.

TKIP

Temporal Key Integrity Protocol. Mixes a root key with an initialization vector. Mixing means there's a new key for each packet.

strength of crypto system

The effectiveness of a cryptographic system in preventing unauthorized decryption. Also: work factor.

diffusion

a change in a single bit of input changes more than one bit of the output.

Pinning

a method designed to mitigate the use of fraudulent certificates. Basically, once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host.

stapling

a method used with OCSP, which allows a web server to provide information on the validity of its own certificate rather than needing to go to the certificate vendor.

substitution cipher

A type of coding or ciphering system that changes one character or symbol into another. Problem: they did not change the underlying letter and word frequency of the text. One way to combat this was to have multiple substitutions. Ex.: Enigma, multi-alphabet substitution.

AES

Advanced Encryption Standard. Has replaced DES as the current standard, and it uses the Rijndael algorithm. **Use for hard drives; SYM cipher, better than DES. It supports key sizes of 128, 192, and 256 bits, with **128 bits being the default.

Blowfish

an encryption system, performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).

Machine/Computer certificate

are X.509 certificates assigned to a specific machine. These are often used in authentication schemes. For example, in order for the machine to sign in to the network, it must authenticate using its machine certificate.

Domain validation certificate

are among the most common certificates. These are used to secure communication with a specific domain. This is a low-cost certificate that website administrators use to provide TLS for a given domain.

Chosen plain text

attack, the attacker obtains the cipher texts corresponding to a set of plain texts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key

Wildcard certificate

can be used more widely, usually with multiple subdomains of a given domain.

data-in-use

data being used

DSA

digital signature algorithm Elliptic Curve Digital Signature Algorithm (ECC-DSA)

secret method cryptography

Don't use. Keeping a cryptographic method secret not only makes it impossible for it to be tested by the cryptographic community, it is something that security experts term security through obscurity. This means that something is not particularly secure, just that the details are hidden and you hope that no attacker finds them. This is a very bad approach to security.

In-band key exchange

Essentially means that the key is exchanged **within the same communications channel that is going to be encrypted. IPSec, which will be discussed later in this chapter, uses in-band key exchange. Exchanged where it's encrypted.

XOR

Exclusive OR operation. Simple but powerful binary math operation. Takes LSB (two bytes) and XORs them: 1011 and 1001 to 0010. Symmetric algorithm because reversible.

trust model, 4 types

Exist in PKI implementations and come in a number of types. Simply a model of how different certificate authorities trust each other and consequently how their clients will trust certificates from other certificate authorities. 4 types: bridge, hierarchical, hybrid, and mesh.

WPA2

Favors CCMP. Fully implements the 802.11i Wi-Fi security standards. Better than WEP and WPA. Uses counter mode with cipher block chaining.

captive portal.

First-connect web page. The web page may list acceptable use policies or require some authentication. This page must be navigated before full access to network resources is granted.

GOST

Gosudarstvennyy standard. DES-like algorithm developed by the Soviets in the 1970s. Was classified. It uses a 64-bit block and a key of 256 bits.

HMAC

Hash-based message authentication code. Uses a hashing algorithm along with a symmetric key.

key exchange

There are two primary approaches to key exchange: in-band key exchange and out-of-band key exchange.

Proper Implementation

How the key is generated (using a good PRNG), not reusing keys, and key exchange.

When to encrypt?

if it is possible to encrypt data in any of these three states, without unduly interfering with the ability of legitimate users to use the data, then it should be encrypted.

IV's

Initialization vectors. Numbers that should be used only once and are added to a key to make the algorithm stronger, like salt added to a hash. PRNGs generate these.

support confidentiality

intended to prevent the unauthorized disclosure of information in a local network or to prevent the unauthorized disclosure of information across a network

support integrity

Involves providing assurance that a message wasn't modified during transmission. Modification may render a message unintelligible or, even worse, inaccurate. **Can be accomplished by adding information such as redundant data that can be checked using a **hashing algorithm.

cipher

is a method used to scramble or obfuscate characters to hide their value. types: substitution and transposition.

Open mode

Is simply unsecure. WPS. Sometimes used for public Wi-Fi that has no access to any sensitive data, but it is simply a portal to access the Internet.

Code signing certificate

Know who produced the code or app: trust, no malware, mitigate danger. X.509 certificates used to digitally sign some type of computer code.

Issues with Symmetric Cipher

Latency: depletes power. High resiliency: various rather advanced attacks that can "leak" a portion of the secret key, such as with side-channel attacks.

LSB

Least significant bit method of steganography. If you changed the very last bit (the least significant bit in each byte), then that would not make a noticeable change in the image. In other words, you could not tell that anything had been changed. Using this fact, you can store data by putting it in the least significant bits of an image file.

Out-of-band key exchange

Means that some other channel, other than the one that is going to be secured, is used to exchange the key. Exchanged elsewhere.

Challenge Handshake Authentication Protocol (CHAP)

An authentication protocol that periodically reauthenticates.

nonce

Number used only once. Used in IVs.

cryptographic module

One that is slow might not be useful for commercial solutions. One that requires significant power won't be useful for low-power devices. Likely will use 3rd party _______ __________ and crypto provider instead of creating own.

Nonrepudiation

prevents one party from denying actions that they carried out

LANMAN

Prior to Windows NT, Microsoft OS used this for authentication. Used LM Hash and two DES keys (Data Encryption Standard). Replaced by NTLM.

symmetric key

Private key, secret key. Breach in security if disclosed to unauthorized parties. Encrypt/decrypt key is the same.

PKI

public key infrastructure intended to offer a means of providing security to messages and transactions on a grand scale.

key stretching

Refers to processes used to take a key that might be a bit weak and make it stronger, usually by making it longer. LONGER = STRONGER, thus less susceptible to brute-force attacks. PBKDF2 and Bcrypt.

symmetric algorithm

Require both the sender and receiver of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. Faster than ASYM; just as secure if key is small.

Email certificate

Secure email. Ex.: Secure Multipurpose Internet Mail Extension (S/MIME) uses X.509 certificates to secure email communications.

Kerckhoffs' principle

Security of an algorithm should depend only on the secrecy of the key and not on the secrecy of the algorithm itself. Only use proven cryptography methods; avoid new and secret ones.

refactoring

set of techniques used to identify the flow and then modify the internal structure of code WITHOUT changing the code's visible behavior

digital signature

Similar in function to a standard signature on a document. Authentication. It validates the integrity of the message and the sender. After encryption.

Twofish

similar to blowfish, works on 128-bit blocks. The distinctive feature of the latter is that it has a complex key schedule.

ephemeral key

simply a key that exists only for that session. Essentially, the algorithm creates a key to use for that single communication session, and it is not used again.

security through obscurity

something is not particularly secure, just that the details are hidden and you hope that no attacker finds them. This is a very bad approach to security.

downgrade attack

sometimes used against secure communications such as TLS in an attempt to get the user to shift to less secure modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

modern cryptography categories

symmetric cryptography, asymmetric cryptography, and hashing algorithms.

rainbow table

table of precomputed hashes used to guess passwords by searching for the hash of a password.

block cipher

the algorithm works on chunks of data, encrypting one and then moving to the next.

confusion

The concept that the relationship between the plain text, cipher text, and key is very difficult to see. NOT XOR.

stream cipher

the data is encrypted one bit, or byte, at a time.

steganography

the process of hiding a message in a medium such as a digital image, audio file, or other file. You could encode your message in another file or message and use that file to hide your message.

clear text

unencrypted, in the clear.

User certificate

used for individual users. Like machine/computer certificates, these are often used for authentication. Users must present their certificate to authenticate prior to accessing some resource.

Root certificate

used for root authorities. These are usually self-signed by that authority.

Bcrypt

Used with passwords, and it essentially uses a derivation of the Blowfish algorithm converted to a hashing algorithm to hash a password and add Salt to it. *Type of key stretch.

weak or deprecated algorithms

User error. Some algorithms are no longer considered appropriate. This may be due to some flaw found in the algorithm. It can also be due to increasing computing power.

cryptographic hashes, 3 characteristics

very different from data storing hashes. It must be one-way. This means that it is not reversible. Once you hash something, you cannot unhash it. Variable-length input produces fixed-length output. This means that whether you hash two characters or two million, the hash size is the same. The algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output.

data-in-transit

When data is being transmitted from point A to point B. Encrypt with SSL/TLS.

block chaining

When encrypting with a block cipher: take the output of block i-1 and exclusively OR (XOR) it with the plain text of block i before encrypting it. Basically, the output of each block is combined with the plain text of the next block before that next block is encrypted. Guarantees that, even if you have the same plain text in various places in your text, it won't come out the same in the cipher text.

data-at-rest

when the data is simply stored—for example, on a hard drive

Diffie-Hellman

** Key agreement. ASYM algorithm for exchanging keys over an insecure medium; public/private keys generate a shared secret key across public networks. The process isn't used to encrypt or decrypt messages; it's used merely for the creation of a symmetric key between two parties.

suspended keys

CAN be reactivated

salt

Bits added to a hash to make it resistant to rainbow table attacks.

symmetric cipher

Any cryptographic algorithm that uses the SAME KEY to encrypt and decrypt. DES, AES, and Blowfish are examples. Use for hard drives.

3 most important concepts in security

Confidentiality, integrity, and availability

DES

Data Encryption Standard. It's based on a 56-bit key, and it has several modes that offer security and integrity. It is now considered insecure because of the small key size. Replaced by AES.

EAP-TTLS

EAP Tunneled Transport Layer Security. This protocol extends TLS.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. Utilizes TLS in order to secure the authentication process.

EAP

Extensible Authentication Protocol. Framework frequently used in wireless networks and point-to-point connections. Handles the transport of keys and related parameters.

GPG

GNU Privacy Guard. Alternative to freeware PGP. Considered a hybrid program since it uses a combination of symmetric and public key cryptography.

IDEA

International Data Encryption Algorithm. Uses a 128-bit key. This product is similar in speed and capability to DES, but it's more secure.

MAC for crypto

Message Authentication Code. Will reveal any tampering, accidental or intentional, in a message.

NSA

National Security Agency. Responsible for all crypto in gov. Should be adhered to, like NIST.

PBKDF2

Password-Based Key Derivation Function 2. Applies some function like hash or HMAC to a password or phrase with Salt to produce a derived key. *Type of key stretch.

RIPEMD

RACE Integrity Primitives Evaluation Message Digest. Based on MD4. Replaced by RIPEMD-160.

RADIUS Federation

Remote Authentication Dial-In User Service federation. A federation that is using RADIUS to authenticate between the various entities within the federation. Supports EAP for authentication.

RSA

Ron Rivest, Adi Shamir, and Leonard Adleman. ******The most commonly used public key algorithm, and most widely used ASYM cipher. RSA is used for *****encryption and digital signatures. Early public key encryption system that uses large integers as the basis for the process. Secure Sockets Layer (SSL), and it can be used for key exchange.

SAN certificate

Subject Alternative Name. Not so much a type of certificate as a special field in X.509. It allows you to specify additional items (IP addresses, domain names, and so on) to be protected by this single certificate.

3DES

Triple-DES is a technological upgrade of DES. It is still used, even though AES is the preferred choice for government applications. It increases the key length to 168 bits (using three 56-bit DES keys).

WPA

Wi-Fi Protected Access. Couples the RC4 encryption algorithm with TKIP (Temporal Key Integrity Protocol).

collision

When two different inputs into a cryptographic hash produce the SAME output

Types of certificates

Wildcard, SAN, Code signing, Machine/computer, Email, User, Root, Domain validation, Extended Validation

WEP

Wired Equivalent Privacy. Encryption was an early attempt to add security, but it fell short because of weaknesses in the way the encryption algorithms are employed. Replaced with WPA and WPA2.

CER

Certificate format. This is an alternate form of .crt (Microsoft Convention). You can use Microsoft crypto API to convert .crt to .cer (both DER-encoded .cer, or base64 [PEM]-encoded .cer).

Frequency analysis

looking at the blocks of an encrypted message to determine if any common patterns exist.

latency

The difference between the time you input plain text and the time you get out cipher text. Want low latency.

CAST

Carlisle Adams and Stafford Tavares. Used in some products offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it's very fast and efficient.

EAP-FAST

EAP-Flexible Authentication via Secure Tunneling establishes a TLS tunnel for authentication, but it does so using a Protected Access Credential (PAC). replace EAP

PGP

Pretty Good Privacy is a freeware email encryption system. Uses both symmetrical and asymmetrical systems as a part of its process; it is this serial combination of processes that makes it so competent.

PEAP

Protected Extensible Authentication Protocol. This protocol encrypts the authentication process with an authenticated TLS tunnel.

S/MIME

Secure Multipurpose Internet Mail Extension. Uses X.509 certificates to secure email communications.

all X.509 Certificates have

Signature of the issuer. Version. Serial number. Signature algorithm ID. Issuer name. Validity period. Subject name. Subject public key information. Issuer unique identifier (relevant for versions 2 and 3 only). Subject unique identifier (relevant for versions 2 and 3 only). Extensions (in version 3 only). Object identifiers, or OIDs,

X.509

The X.509 standard is the most widely used standard for digital certificates.

public key vs private key

The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. ASYM algorithms.

session key

a one-use random number, to create the cipher text.

key escrow

addresses the possibility that a cryptographic key may be LOST ________________ established in order to be able to recover lost keys. key recovery agent to recover a key (loss of a private key is bad)

OID

Are used in X.509 certificate extensions (and are thus optional). These are values that help identify objects. They are usually dot-separated numbers. For example, 2.5.4.6 might correspond to the country-name value.

P7b

Certificate format. These are base 64 encoded ASCII files. They actually include several variations: P7b, P7C, etc.

P12

Certificate format. This refers to the use of PKCS#12 standard.

PFX

Certificate format. An archive file for PKCS#12 standard certificate information.

DER

Certificate format. Used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension.

PEM

Certificate format. Used for different types of X.509v3 files that contain ASCII (Base64) armored data prefixed with a -- BEGIN ... line.

CSR

Certificate signing request. This is a request formatted for the CA. This request will have the public key that you wish to use and your fully distinguished name (often a domain name).

X.509 standard

Defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys. End entity (most common) and CA cert.

self-signed certificate

easy task to perform using Microsoft Internet Information Services (IIS). The certificate will be X.509, but it will be digitally signed by you. This means that although it can be used to transmit your public key, it won't be trusted by browsers. It will instead generate a certificate error message.

certificate policy

how certificate can be used

CA certificate

issued by one CA to another

certificate chaining

Refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA's certificate. That CA trusts a root certificate. The CA's certificate is an intermediate CA.

RA

Registration authority. Easy access to verify an individual's certificate ID, or to be issued a cert by CA.

IEEE 802.1x

The IEEE standard for port-based network access control. It can be used on a LAN or a WLAN. Allows you to secure a port so that only authenticated users can connect to it. Supports EAP for authentication.

