Ch8 Cryptography 1.2, 6.1-6.4
extended validation certificate
require more validation of the certificate holder; thus, they provide more security.
ElGamal
*Transmitting digital signatures and key exchanges. ASYM uses ephemeral key
enterprise mode
A server handles distribution of cryptographic keys and/or digital certificates.
cryptographic hash
A function that is one-way (NONREVERSIBLE), has a fixed length output, and is collision resistant.
Known plain text
ATTACK relies on the attacker having pairs of known plain text along with the corresponding cipher text. This gives the attacker a place to start attempting to derive the key. **Heil Hitler naval message crack
CA's
Certificate Authorities: third-party organizations that manage public keys and ISSUE certificates verifying the validity of a sender's message. ***maintenance of certificates too
CRL
Certificate Revocation List: literally a list of certificates that a specific CA states should no longer be used. Now being replaced by a real-time protocol called Online Certificate Status Protocol (OCSP).
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol favored by WPA2 uses 128-bit AES.
asymmetric cipher
Cryptographic algorithms that use 2 DIFFERENT keys—one key to encrypt and another to decrypt. Also called public key cryptography.
ECC
Elliptic Curve Cryptography: similar to RSA but uses smaller key sizes for the same security. An option to RSA that uses less computing power than RSA and is popular in smaller devices like smartphones. Based on the idea of using points on a curve combined with a point at infinity and the difficulty of solving discrete logarithm problems. Elliptic Curve Digital Signature Algorithm (ECC-DSA), Elliptic Curve Diffie-Hellman (ECC-DH). DHE?? ECDHE??
MD5
Message Digest algorithm version 5 creates a hash value and uses a one-way hash. hash value used to help maintain integrity It produces a 128-bit hash, but the algorithm is more complex than its predecessors and offers greater security. Its biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use... use SHA instead.
PSK
PreShared Key mode used in WPS the client and the wireless access point must negotiate and share a key prior to initiating communications.
PRNG
Pseudo-Random Number Generator is an algorithm used to generate a number that is sufficiently random for cryptographic purposes. but not entirely random
RC4
Ron's Cipher level 4, produced by RS labs - obfuscate. Popular with wireless and WEP/WPA encryption. Streaming cipher that works with key sizes between 40 and 2,048 bits, and it is used in SSL and TLS.
transposition cipher
SCRAMBLING the letters in a certain manner.
SHA
Secure Hash Algorithm use SHA-2 ensure integrity of a message one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA-2 has several sizes: 224, 256, 334, and 512 bit.
TKIP
Temporal Key Integrity Protocol mixes a root key with an initialization vector. Mixing means there's a new key for each packet.
strength of crypto system
The effectiveness of a cryptographic system in preventing unauthorized decryption also work factor
diffusion
a change in a single bit of input changes more than one bit of the output.
Pinning
a method designed to mitigate the use of fraudulent certificates. Basically, once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host.
stapling
a method used with OCSP, which allows a web server to provide information on the validity of its own certificate rather than needing to go to the certificate vendor.
substitution cipher
a type of coding or ciphering system that changes one character or symbol into another. Problem: they did not change the underlying letter and word frequency of the text. One way to combat this was to have multiple substitutions. ex. Enigma: multi-alphabet sub
AES
advanced encryption standard has replaced DES as the current standard, and it uses the Rijndael algorithm. **use for hard drives, SYM cipher better than DES It supports key sizes of 128, 192, and 256 bits, with **128 bits being the default.
Blowfish
an encryption system, performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).
Machine/Computer certificate
are X.509 certificates assigned to a specific machine. These are often used in authentication schemes. For example, in order for the machine to sign in to the network, it must authenticate using its machine certificate.
Domain validation certificate
are among the most common certificates. These are used to secure communication with a specific domain. This is a low-cost certificate that website administrators use to provide TLS for a given domain.
Chosen plain text
attack, the attacker obtains the cipher texts corresponding to a set of plain texts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key
Wildcard certificate
can be used more widely, usually with multiple subdomains of a given domain.
data-in-use
data being used
DSA
digital signature algorithm Elliptic Curve Digital Signature Algorithm (ECC-DSA)
secret method cryptography
Don't use. Keeping a cryptographic method secret not only makes it impossible for it to be tested by the cryptographic community, it is something that security experts term security through obscurity. This means that something is not particularly secure, just that the details are hidden and you hope that no attacker finds them. This is a very bad approach to security.
In-band key exchange
essentially means that the key is exchanged **within the same communications channel that is going to be encrypted. IPSec, which will be discussed later in this chapter, uses in-band key exchange. Exchanged where it's encrypted.
XOR
exclusive OR operation simple but powerful binary math operation. takes LSB (two bytes) and XOR's them 1011 and 1001 to 0010 symmetric algorithm because reversible
trust model, 4 types
exist in PKI implementations and come in a number of types. simply a model of how different certificate authorities trust each other and consequently how their clients will trust certificates from other certificate authorities 4 types: bridge, hierarchical, hybrid, and mesh..
WPA2
favors CCMP fully implements the 802.11i Wi-Fi security standards. better than WEP and WPA uses counter mode with cipher block chaining
captive portal.
first connect web page web page may list acceptable use policies or require some authentication. This page must be navigated before full access to network resources is granted
GOST
gosudarstvennyy standard, DES-like algorithm developed by the Soviets in the 1970s. Was classified. It uses a 64-bit block and a key of 256 bits
HMAC
hash-based message authentication code uses a hashing algorithm along with a symmetric key.
key exchange
There are two primary approaches to key exchange: in-band key exchange and out-of-band key exchange.
Proper Implementation
how the key is generated (using a good PRNG) not reusing keys and key exchange.
When to encrypt?
if it is possible to encrypt data in any of these three states, without unduly interfering with the ability of legitimate users to use the data, then it should be encrypted.
IV's
initialization vectors numbers that should be used only once and are added to a key to make the algorithm stronger like salt added to hash PRNGs generate these
support confidentiality
intended to prevent the unauthorized disclosure of information in a local network or to prevent the unauthorized disclosure of information across a network
support integrity
involves providing assurance that a message wasn't modified during transmission. Modification may render a message unintelligible or, even worse, inaccurate. **Can be accomplished by adding information such as redundant data that can be checked using a **hashing algorithm.
cipher
is a method used to scramble or obfuscate characters to hide their value. types: substitution and transposition.
Open mode
is simply unsecure. WPS sometimes used for public Wi-Fi that has no access to any sensitive data, but it is simply a portal to access the Internet.
Code signing certificate
know who produced the code or app trust, no malware mitigate danger X.509 certificates used to digitally sign some type of computer code.
Issues with Symmetric Cipher
latency - depletes power high resiliency - various rather advanced attacks that can "leak" a portion of the secret key, such as with side-channel attacks
LSB
least significant bit method of steganography. If you changed the very last bit (the least significant bit in each byte), then that would not make a noticeable change in the image. In other words, you could not tell that anything had been changed. Using this fact, you can store data by putting it in the least significant bits of an image file.
Out-of-band key exchange
means that some other channel, other than the one that is going to be secured, is used to exchange the key. exchanged elsewhere
Challenge Handshake Authentication Protocol (CHAP)
An authentication protocol that periodically reauthenticates.
nonce
number used only once used in IVs
cryptographic module
one that is slow might not be useful for commercial solutions. one that requires significant power won't be useful for low-power devices likely will use 3rd party _______ __________ and crypto provider instead of creating own
Nonrepudiation
prevents one party from denying actions that they carried out
LANMAN
prior to Windows NT, Microsoft OS used for authentication. Used LM Hash and two DES keys (Data Encryption Standard). Replaced by NTLM
symmetric key
private key, secret key breach in security if disclosed to unauth encrypt/decrypt key same
PKI
public key infrastructure intended to offer a means of providing security to messages and transactions on a grand scale.
key stretching
refers to processes used to take a key that might be a bit weak and make it stronger, usually by making it longer. LONGER = STRONGER, thus less susceptible to brute-force attacks. PBKDF2 and Bcrypt
symmetric algorithm
require both the sender and receiver of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. faster than asym.. just as secure if key is small
Email certificate
secure email. ex. Secure Multipurpose Internet Mail Extension S/MIME uses X.509 certificates to secure email communications.
Kerckhoffs' principle
security of an algorithm should depend only on the secrecy of the key and not on the secrecy of the algorithm itself. only use proven cryptography methods, avoid new and secret
refactoring
set of techniques used to identify the flow and then modify the internal structure of code WITHOUT changing the code's visible behavior
digital signature
similar in function to a standard signature on a document. authentication It validates the integrity of the message and the sender. after encryption
Twofish
similar to blowfish, works on 128-bit blocks. The distinctive feature of the latter is that it has a complex key schedule.
ephemeral key
simply a key that exists only for that session. Essentially, the algorithm creates a key to use for that single communication session, and it is not used again.
security through obscurity
something is not particularly secure, just that the details are hidden and you hope that no attacker finds them. This is a very bad approach to security.
downgrade attack
sometimes used against secure communications such as TLS in an attempt to get the user to shift to less secure modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.
modern cryptography categories
symmetric cryptography, asymmetric cryptography, and hashing algorithms.
rainbow table
table of precomputed hashes used to guess passwords by searching for the hash of a password.
block cipher
the algorithm works on chunks of data, encrypting one and then moving to the next.
confusion
the concept that the relationship between the plain text, cipher text, and key is very difficult to see. NOT XOR
stream cipher
the data is encrypted one bit, or byte, at a time.
steganography
the process of hiding a message in a medium such as a digital image, audio file, or other file. You could encode your message in another file or message and use that file to hide your message.
clear text
unencrypted, in the clear.
User certificate
used for individual users. Like machine/computer certificates, these are often used for authentication. Users must present their certificate to authenticate prior to accessing some resource.
Root certificate
used for root authorities. These are usually self-signed by that authority.
Bcrypt
used with passwords, and it essentially uses a derivation of the Blowfish algorithm converted to a hashing algorithm to hash a password and add Salt to it. *type of key stretch
weak or deprecated algorithms
user error. Some algorithms are no longer considered appropriate. This may be due to some flaw found in the algorithm. It can also be due to increasing computing power.
cryptographic hashes, 3 characteristics
very different from data storing hashes. It must be one-way. This means that it is not reversible. Once you hash something, you cannot unhash it. Variable-length input produces fixed-length output. This means that whether you hash two characters or two million, the hash size is the same. The algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output.
data-in-transit
when data is being transmitted from point A to point B encrypt with SSL/TLS
block chaining
when encrypting with block cipher: take the output of block i-1 and exclusively OR (XOR) it with the plain text of block i before encrypting it. Basically, the output of each block is combined with the plain text of the next block before that next block is encrypted. guarantees that, even if you have the same plain text in various places in your text, it won't come out the same in the cipher text.
data-at-rest
when the data is simply stored—for example, on a hard drive
Diffie-Hellman
** key agreement, ASYM algorithm for exchanging keys over an insecure medium. Public/private keys generate a shared secret key across public networks. The process isn't used to encrypt or decrypt messages; it's used merely for the creation of a symmetric key between two parties.
suspended keys
CAN be reactivated
salt
Bits added to a hash to make it resistant to rainbow table attacks.
symmetric cipher
Any cryptographic algorithm that uses the SAME KEY to encrypt and decrypt. DES, AES, and Blowfish are examples. use for harddrives
3 most important concepts in security
Confidentiality, integrity, and availability
DES
Data Encryption Standard It's based on a 56-bit key, and it has several modes that offer security and integrity. It is now considered insecure because of the small key size. replaced by AES
EAP-TTLS
(EAP Tunneled Transport Layer Security) this protocol extends TLS.
EAP-TLS
Extensible Authentication Protocol - Transport Layer Security utilizes TLS in order to secure the authentication process.
EAP
(Extensible Authentication Protocol) framework frequently used in wireless networks and point-to-point connections. Handles the transport of keys and related parameters.
GPG
GNU Privacy Guard alternative to freeware PGP considered a hybrid program since it uses a combination of symmetric and public key cryptography.
IDEA
International Data Encryption Algorithm uses a 128-bit key. This product is similar in speed and capability to DES, but it's more secure.
MAC for crypto
Message Authentication Code will reveal any tampering, accidental or intentional in a message
NSA
National Security Agency, responsible for all crypto in gov. Should be adhered to like NIST
PBKDF2
Password-Based Key Derivation Function 2 applies some function like hash or HMAC to pw or phrase w/ Salt to produce derived key *type of key stretch
RIPEMD
RACE Integrity Primitives Evaluation Message Digest, based on MD4, replaced by RIPEMD-160
RADIUS Federation
Remote Authentication Dial-In User Service federation a federation that is using RADIUS to authenticate between the various entities within the federation supports EAP for authentication
RSA
Ron Rivest, Adi Shamir, and Leonard Adleman ******The most commonly used public key algorithm, and most widely used ASYM cipher RSA is used for *****encryption and digital signatures. early public key encryption system that uses large integers as the basis for the process. Secure Sockets Layer (SSL), and it can be used for key exchange.
SAN certificate
Subject Alternative Name not so much a type of certificate as a special field in X.509. It allows you to specify additional items (IP addresses, domain names, and so on) to be protected by this single certificate.
3DES
Triple-DES is a technological upgrade of DES. is still used, even though AES is the preferred choice for government applications. It increases the key length to 168 bits (using three 56-bit DES keys).
WPA
Wi-Fi Protected Access couples the RC4 encryption algorithm with TKIP (Temporal Key Integrity Protocol)
collision
When two different inputs into a cryptographic hash produce the SAME output
Types of certificates
Wildcard SAN Code signing Machine/computer Email User Root Domain validation Extended Validation
WEP
Wired Equivalent Privacy encryption was an early attempt to add security, but it fell short because of weaknesses in the way the encryption algorithms are employed replaced with WPA and WPA2
CER
certificate format This is an alternate form of .crt (Microsoft Convention). You can use Microsoft crypto API to convert .crt to .cer (both DER-encoded .cer, or base64 [PEM]-encoded .cer).
Frequency analysis
looking at the blocks of an encrypted message to determine if any common patterns exist.
latency
the difference between the time you input plain text and the time you get out cipher text. Want low latency
CAST
Carlisle Adams and Stafford Tavares used in some products offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it's very fast and efficient.
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling establishes a TLS tunnel for authentication, but it does so using a Protected Access Credential (PAC). replace EAP
PGP
Pretty Good Privacy is a freeware email encryption system. uses both symmetrical and asymmetrical systems as a part of its process; it is this serial combination of processes that makes it so competent.
PEAP
Protected Extensible Authentication Protocol This protocol encrypts the authentication process with an authenticated TLS tunnel
S/MIME
Secure Multipurpose Internet Mail Extension uses X.509 certificates to secure email communications.
all X.509 Certificates have
Signature of the issuer. Version. Serial number. Signature algorithm ID. Issuer name. Validity period. Subject name. Subject public key information. Issuer unique identifier (relevant for versions 2 and 3 only). Subject unique identifier (relevant for versions 2 and 3 only). Extensions (in version 3 only). Object identifiers, or OIDs,
X.509
The X.509 standard is the most widely used standard for digital certificates.
public key vs private key
The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. ASYM algorithms
session key
a one-use random number, to create the cipher text.
key escrow
addresses the possibility that a cryptographic key may be LOST ________________ established in order to be able to recover lost keys. key recovery agent to recover a key (loss of a private key is bad)
OID
are used in X.509 certificate extensions (and are thus optional). These are values that help identify objects. They are dot separated numbers usually. For example, 2.5.4.6 might correspond to the country-name value.
P7b
certificate format These are base 64 encoded ASCII files. They actually include several variations: P7b, P7C, etc.
P12
certificate format This refers to the use of PKCS#12 standard.
PFX
certificate format an archive file for PKCS#12 standard certificate information.
DER
certificate format used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension.
PEM
certificate format used for different types of X.509v3 files that contain ASCII (Base64) armored data prefixed with a -- BEGIN ... line.
CSR
certificate signing request This is a request formatted for the CA. This request will have the public key that you wish to use and your fully distinguished name (often a domain name).
X.509 standard
defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys. End entity (most common) and CA cert
self-signed certificate
easy task to perform using Microsoft Internet Information Services (IIS). The certificate will be X.509, but it will be digitally signed by you. This means that although it can be used to transmit your public key, it won't be trusted by browsers. It will instead generate a certificate error message.
certificate policy
how certificate can be used
CA certificate
issued by one CA to another
certificate chaining
refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA's certificate. that CA trusts a root certificate the CA's Certificate is an intermediate CA
RA
registration authority: easy access to verify an individual's certificate ID.. or to be issued a cert by CA
IEEE 802.1x
the IEEE standard for port-based network access control. It can be used on a LAN or a WLAN. allows you to secure a port so that only authenticated users can connect to it. supports EAP for authentication