CompTIA Security+ SYO 601 Chapter 7 Cryptography and the Public Key Infrastructure

Symmetric key algorithms relay on a?

"Shared secret" encryption key that is distributed to all members who participate in the communications. This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the sharded key. The sender encrypts with the shared secret key and the receiver decrypts with it. When a large-sized keys are used, symmetric encryption can be very difficult to break. It is primarily employed to perform bulk encryption and provides only for the security services of confidentiality.

An AES cipher allows the use of three key strengths what are they?

128 bits. 192 bits. And 256 bits.

AES only allows the procession of?

128-bit blocks, but Rijndael exceeds this specification, allowing cryptographers to use a block size equal to the key length.

The number of encryption rounds depends on the key length chosen what are some of those encryption rounds?

128-bit keys require 10 rounds of encryption. 192-bit keys require 12 rounds of encryption. 256-bit keys require 14 rounds of encryption.

The SHA-1 algorithm processes a message in?

512-bit blocks. Therefore, if the message length is not a multiple of 512, the SHA algorithm pads the message with additional data until the length reaches the next highest multiple of 512.

The key used by DES is?

56 bits long.

All of the DES modes operate on?

64-bits of plaintext at a time to generate 64-blocks of ciphertext.

Columnar transposition is a classic example of?

A transposition cipher. With this cipher, you choose the number of rows in advance, which will be the encryption key. You then write your message by passing successive characters in the next row until you get to the bottom of the column. For example, if you wanted to encode the message M E E T M E I N T H E S T O R E

Using a key of 4, you would write the message in four rows like this

A transposition cipher. With this cipher, you choose the number of rows in advance, which will be the encryption key. You then write your message by passing successive characters in the next row until you get to the bottom of the column. For example, if you wanted to encode the message M E E T M E I N T H E S T O R E Using a key of 4, you would write the message in four rows like this M M T T E E H O E I S R T N S E Then, to get the cipher text, you read across the rows instead of down the columns giving you? M M T T E E H O E I E R T N S E To decrypt this message, you must know that the message was encrypted using four rows, and then you use that information to re-create the matrix, writing the ciphertext characters across the rows. You then decrypt the massage by reading down the columns instead of across the rows.

In November 2001, NIST released FIPS 197, which mandated the use of?

AES/Rijndael for the encryption of all sensitive but unclassified data by the U.S. government.

DES what superseded by the?

Advanced Encryption Standard in December 2001. It is still important to understand DES because it is the building block of Triple DES (3DES), a strong encryption algorithm.

Modern cryptosystems do not rely on the secrecy of their?

Algorithms. In fact, the algorithms for most cryptographic systems are widely available for public review in the accompanying literature and on the Internet.

Digital signature algorithms rely on a combination of two major concepts which are public key cryptography and hashing functions. If Alice wants to digitally sign a message, she's sending to Bob, she performs the following actions which are?

Alice generates a message digest of the original plaintext message using one of the cryptographically sound hashing algorithms, such as SHA3-512. Alice then encrypts only the message digest using her private key. This encrypted message digest is the digital signature. Alice appends the singed message digest to the plaintext message. o Alice transmits the append message to Bob. When Bob receives the digitally singed message, he reverses the procedure as follows: Bob decrypts the digital signature using Alice's public key. Bob uses the same hashing function to create a message digest of the full plaintext message received from Alice. Bob then compares the decrypted message digest he received from Alice with the message digest he computed himself. If the two-digest match, he can be assured that the message he received was sent by Alice. If they do not match, either the message was not sent by Alice or the message was modified while in transit.

The enigma machine vetted?

Allied intelligence-officers, who devoted significant time and energy to a project called Ultra designed to defeat the machine. The effort to defeat Enigma was centered at Bletchley Park in the United Kingdom and was led by pioneering computer scientist Alan Turing. The efforts led to great success in deciphering German communication, and those efforts were praised by British Prime Minister Winston Churchill himself, who reportedly told King George VI that, "it is thanks to [Ultra], put into use on all the fronts, that we won the war"

Steganographic algorithms work by making?

Alterations to the least significant bits of many bits that make up image files. The changes are so minor that there is no appreciable effect on the viewed image. This technique allows communicating parties to hide messages in plain sight—for example, they might embed a secret message within an illustration on an otherwise innocent webpage.

Integrity ensures that data is not?

Altered without authorization.

Tor, formerly known as the onion router, provides a mechanism for?

Anonymously routing traffic across the Internet using encryption and a set of relay nodes. IT relies upon a technology known as perfect forward secrecy, where layers of encryption prevent nodes in the relay chain from reading anything other than the specific information that they need to accept and forward the traffic. By using perfect forward secrecy in combination with a set of three or more relay nodes, Tor allows for both anonymous browsing of the standard Internet, as well as the hosting of completely anonymous sites on the Dark Web.

As the name implies, public key cryptosystems has users make their public keys freely available to?

Anyone with who they want to communicate with. The more possession of the public key by third parties does not introduce any weakness into the cryptosystem. The private key, on the other hand, is reserved for the sole use of the individual who owns the keys. It is never shared with any other cryptosystem user.

You must also select your keys in an?

Appropriate manner. Use a key length that balances your security requirements with performance considerations. Also, ensure that your key is truly random, or in cryptographic terms, that that it has sufficient entropy. Any predictability within the key increases the likelihood that an attacker will be able to break your encryption and degrade the security of your cryptosystem. You should also understand the limitations of your cryptographic algorithm and avoid the use of known weak keys.

Certificate pinning approaches instruct browsers to?

Attach a certificate to a subject for an extended period of time. When sites use certificate pinning, the browser associates that site with their public key. This allows users or administrators to notice and intervene if a certificate unexpectedly changes.

Modern ciphers fit into two major categories when it comes to describing their method of operation what are the two key things?

Block ciphers operate on "chucks," or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. The transposition ciphers are examples of block ciphers. The simple algorithm used in the challenge-response algorithm takes an entire word and reverses its letters. The more complicated columnar transposition cipher works on the entire message (or a piece of a message) and encrypts it using the transposition algorithm and secret keyword. Most modern encryption algorithms implement some type of block cipher. Stream ciphers operate on one character or bit of a message (or data stream) at a time. The Caesar cipher is an example of a stream cipher. The one-time pad is also a stream cipher because the algorithm operates on each letter of the plaintext message independently. Stream ciphers can also function as a type of block cipher. In such operations there is a buffer that fills up to real-time data that is then encrypted as a block and transmitted to the recipient.

In Cipher block Chaining (CBC) mode, each block of unencrypted text is combined with the?

Block of ciphertext immediately preceding it before it is encrypted using the DES algorithm.

One of the oldest known substitution ciphers is called the?

Caesar cipher. It was purportedly used by Julius Caesar. The system involves simply shifting all letters a certain number of spaces in the alphabet. Supposedly, Julius Caesar used a shift of three to the right. This simply means that if you turn the A's of a message into D's, the B's into E's, and so on. When you hit the end of the alphabet, you simply "wrap around" so that the X's become A's, Y's become B's and Z's become C's. Caesar was working in Latin, of course, but the same thing can be done with any languages including English.

There are many specialized use cases for cryptography that you may encounter during your?

Career where computing power and energy might be limited. Some devices operate at extremely low power levels and put a premium on conserving energy. For example, imagine sending a satellite into space with a limited power source. Thousands of hours of engineering goes into getting as much life as possible out of that power source. Similar cases happen here on Earth, where remote sensors must transmit information using solar power, a small battery or other circumstances.

In the CA trust model, the use of a series intermediate Cas is known as?

Certificate chaining. To validate a certificate, the browser verifies the identity of the intermediate (CAs) first and then traces the path of trust back to a known root CA, verifying the identity of each link in the chain of trust.

The current version of X.509 (version 3) supports?

Certificate extensions—customized variables containing data inserted into the certificate by the certificate authority to support the tracking of certificates or various applications.

You can use three techniques to verify the authenticity of certificates and identify revoked certificate. What are those three techniques?

Certificate revocation lists? Certificate Revocation Lists (CRLs) are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by the CA and have been revoked along with the date and the time the revocation went into effect. The major disadvantage to certificate revocation lists is that they must be downloaded and cross-referenced periodically, introducing a period of latency between the time a certificate is revoked and the time end users are notified of the revocation. Online Certificate Status Protocol (OCSP) This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA's OCSP server. The server then responds with a status of valid, invalid, or unknown. The browser uses this information to determine whether the certificate is valid. Certificate Stapling? The primary issue with OCSP is that it places a significant burden on the OCSP servers operated by certificate authorities. These servers must process requests from ever single visitor to a website or other user of digital certificate, verifying the certificate is valid and not revoked.

The last point is a subtle but extremely important item. Before you trust an identifying piece of information about someone, be sure that it is actually contained within the?

Certificate. If a certificate contains the email address ([email protected]) but not the individuals name, you can be certain only that the public key contained therein is associated with that email address. The CA is not making any assertions about the actual identity of the [email protected] email account. However if the certificate contains the name Bill Jones along with the address and telephone number, the CA is vouching for that information as well.

When a user with knowledge of a secret key leaves the organization or is no longer permitted access to material protected with a key, the keys must be?

Changed, and all encrypted materials must be encrypted with new keys. The difficulty of destroying a key to remove a user from a symmetric cryptosystem is one of the main reasons organizations turn to asymmetric algorithms.

When working within the public key infrastructure, it's important that you comply with several best practice requirements to maintain the security of your communications. You must first?

Choose your encryption system wisely. As you learned earlier "security through obscurity" is not an appropriate approach. Choose an encryption system with an algorithm kin the public domain that has been thoroughly vetted by industry experts. Be wary of systems that use a "black-box" approach and maintain the secrecy of their algorithm is critical to the integrity of the cryptosystem.

Ciphering is the process of using a?

Cipher to do that type of scrabbling to a message.

Cipher suites are the set of?

Ciphers and key lengths supported by a system.

In a chosen plain-text attack the attacker obtains the?

Ciphertext corresponding to a set of plain texts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key. This can be difficult, but it is not impossible. Advanced methods such as differential cryptanalysis are types of chosen plain-text attacks.

DES uses a long series of exclusive or (XOR) operations to generate the?

Ciphertext. This process is repeated 16 times for each encryption/decryption operation. Each repetition is commonly referred to as a round of encryption, explaining the statement that DES performs 16 rounds of encryption.

Authentication verifies the?

Claimed identify of system users and is a major function of cryptosystems. For example, suppose that Bob wants to establish a communication session with Alice and they are both participants in a shared secret communication system. Alice might use a challenge-response authentication technique to ensure that Bob is who he claims to be. An example shows how this challenge-response protocol would work in action. In this example, the shared-secret code used by Alice and Bob is quite simple-the letters of each word are simply reversed. Bob first contacts Alice and identifies himself. Alice then sends a challenge message to Bob asking him to encrypt a short message using the secret code known only to Alice and Bob. Bob replies with the encrypted message. After Alice verifies that the encrypted message is correct, she trusts that Bob himself is truly on the other end of the connection.

A substitution cipher is a type of?

Coding or ciphering system that changes one character or symbol into another.

Cases where a hash function produces the same value for two different methods are known as?

Collison's, and the existence of collisions typically leads to the deprecation of a hashing algorithm.

Digital certificates provide?

Communicating parties with the assurance that the people they are communicating with truly are who they claim to be.

The RSA algorithm depends on the?

Computational difficulty inherent in factoring large prime numbers. Each user of the cryptosystems generates a pair of public and private keys using the algorithm. The specifics of key generation are beyond the scope of the exam, but you should remember that it's based on the complexity of factoring large prime numbers.

Modern cryptosystem use?

Computationally complex algorithms and long cryptographic keys to meet the cryptographic goals of continentality, integrity, authentication, and non-repudiation. The following sections cover the roles cryptographic keys play in the world of data security and examine three types of algorithms used today: symmetric key encryption algorithms, asymmetric key encryption algorithms, and hashing algorithms.

Certificates may be issues for a variety of purposes. These include providing assurance for the public keys of?

Computer/machines Individual users Email addresses Developers (code-signing certificates)

Obfuscation is a concept closely related to?

Confidentiality. It is the practice of making it intentionally difficult for humans to understand how code works. This technique is often used to hide the inner workings of software, particularly when it contains intellectual property.

The operator of the Enigma machine was responsible for?

Configuring the machine to use the code of the day by setting the rotary dials at the top of the machine and configuring the wires on the front of the machine. The inner workings of the machine implement a polyalphabetic substitution, changing the substitution for each character of the message. One the machine was properly configured for the day, using it was straightforward. The sending operator pressed the key on the keyboard corresponding to a letter of the plain-text message. The corresponding cipher text letter then lit up. The receiving operator followed the same process to covert back to plain text.

In private key (or secret key) cryptosystems, all participants use a single shard key. In public key cryptosystems, each participant has their own keys. Cryptographic keys are sometimes referred to as?

Crypto variables.

The first major application of the blockchain is?

Cryptocurrency. The blockchain was originally invented as a foundational technology for Bitcoin, allowing the tracking of Bitcoin transactions without the use of a centralized authority. In this manner, blockchain allows the existence of a currency that has no central regulator. Authority for Bitcoin transactions is distributed among all participants in the Bitcoin blockchain.

There are also scenarios in which someone is using a good?

Cryptographic algorithm (like AES) but has it implemented in a weak manner—for example, using weak key generation. A classic example is the Wireless Equivalent Privacy (WEP) protocol. This protocol uses an improper implementation of the RC4 encryption algorithm and has significant security vulnerabilities.

In 1985, two mathematicians, Neal Koblitz from the University of Washington and Victor Miller from IBM, independently purposed the application of elliptic curve cryptography (ECC) theorem to develop a secure?

Cryptographic systems.

Steganography is the art of using?

Cryptographic techniques to embed secret messages within another file.

Summary of chapter 7 review this.

Cryptography is one of most important security controls in use today and it touches almost every other area of security, ranging from networking to software development. The use of cryptography supports the goals of providing confidentiality, integrity, authentication, and nonrepudiation in a wide variety of applications. Symmetric encryption technology uses shared secret keys to provide security for data at rest and data in motion. A long as users are able to overcome key exchange and maintenance issues, symmetric encryption is fast and efficient. Asymmetric cryptography and the public key infrastructure (PKI) provides a scalable way to securely communicate, particularly when the communication parties do not have a prior relationship.

The art of creating and implementing secret codes and ciphers is known as?

Cryptography. This practice is paralleled by the art of cryptanalysis—the study of methods to defeat codes and ciphers.

Together, cryptography and cryptanalysis are commonly referred to as?

Cryptology.

Specific implementation of a code or cipher in hardware and software are known as?

Cryptosystems

When developing a cryptographic system for the purpose of providing confidentiality you must think about three types of data what are they?

Data at rest, or stored data, is that which resides in a permanent location awaiting access. Examples of data at rest include data stored on hard drives, backup tapes, cloud storage services, USB devices, and other storage media. Data in motion, or data on the wire, is data being transmitted across a network between two systems. Data in motion might be traveling on a corporate network, a wireless network, or the public Internet. Data in use, is data that is stored in the active memory of a computer system where it may be accessed by a process running on that system. Each of these situations poses different types of confidentiality risks that cryptography can protect against. For example, data in motion may be susceptible to eavesdropping attacks, whereas data at rest is more susceptible to the theft of physical devices. Data in use may be accessed by unauthorized processes inf the operating system does not properly implement process isolation.

Several common symmetric cryptosystems are?

Data encryption standard (DES) Triple DES (3DES) And the advanced encryption standard (AES)

Understand the purpose and use of digital certificate which are?

Digital certificates provide a trusted mechanism for sharing public keys with other people. Users and organizations obtain digital certificates from certificate authorities (CAs, who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA's digital signature.

Asymmetric key algorithms also provide support for?

Digital signature technology. Basically, if Bob wants to assure other users that a message with his name on it was actually sent by him, he first creates a message digest by using a hashing algorithm. Bob then encrypts the digest using his private key. Any user who wants to verify the signature simply decrypts the message digest using Bob's private key and then verifies that the decrypted message digest is accurate.

Explain how digital signatures provide nonrepudiation?

Digital signatures provide nonrepudiation by allowing a third party to verify the authenticity of a message. Senders create digital signatures by using a hash function to generate a message digest and then encrypting that digest with their own private key. Others many verify the digital signature buy decrypting it with the sender's public key and comparing this decrypted message digest to one that they compute themselves using the hash function on the message.

Once you have chosen a cryptographically sound hashing algorithm, you can use it to implement a digital signature system. Digital signature infrastructures have two distinct goals what are they?

Digitally singed messages assure the recipient that the message truly cam efrom the claimed sender. They enforce nonrepudiation (that is, they preclude the sender from later claiming that the message is forgery or fake). Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and the recipient. This protects against both malicious modification (a third party altering the meaning of the message) and unintentional modification (because of faults in the communications process, such as electrical interference.

Widespread analysis of algorithms by the computer security community allows practitioners to?

Discover and correct potential security vulnerabilities and ensure that the algorithms they use to protect their communications are secure as possible.

Although cryptocurrency is the blockchain application that has received the most attention, there are many other uses for a?

Distributed immutable ledger. SO much that new application blockchain technology seem to be appearing every day. For example, property ownership records could benefit tremendously from a blockchain application. This approach would place those records in a transparent, public repository that is protected against intentional or accidental damage. Blockchain technology might also be used to track supply chains, providing consumers with confidence that their produce came from reputable sources and allowing regulators to easily track down the origin of recalled produce.

The blockchain is, in the simples description a?

Distributes and immutable public ledger. This means that it can store records in a way that distributes those records among many different systems located around the world and do so in manner that prevents anyone from tampering with those records. The blockchain creates a data store that nobody can tamper with or destroy.

Certificate authorities issue different types of certificates depending upon the level of identity verification that they perform. The simplest, and the most common, certificates are?

Domain Validation (DV) certificates, where the CA simply verifies that the certificate subject has control of the domain name. Extended Validation (EV) certificates which provide a higher level of assurance and the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate.

DES is a 64-bit cipher that has five modes of operation what are they?

Electronic Codebook (ECB) mode. Cipher Block Chaining (CBC) mode. Cipher Feedback (CFB) mode. Output Feedback (OFB) mode. And Counter (CTR) mode.

Each elliptic curve has a corresponding?

Elliptic curve group made up of the points on the elliptic curve along with the point O, located at infinity.

Cryptography is the practice of?

Encoding information in a manner that it cannot be decoded without access to the required decryption key.

Frequency Analysis involves looking at the blocks of an?

Encrypted message to determine if any common patterns exist. Initially, the analyst doesn't try to break the code but looks at the patterns in the message. In the English language, the letters e and t and words like the, and, that, it, and is are very common. Singe letters that stand alone in a sentence are usually limited t a and I. A determined cryptanalyst looks for these types of patters, and over time, may be able to deduce the method used to encrypt the data. This process can sometimes be simple, or it may take a lot of effort. This method works only on the historical ciphers. It does not work on modern algorithms.

Ciphers are the algorithms used to perform?

Encryption and decryption operations.

Hardware security modules (HSMs) also provide an effect want to manage?

Encryption keys. These hardware devices store and mange encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys. HSMS range in scope and complexity from very simple devices, such as YubiKey, that store encrypted keys on a USB drive for personal use, to more complex enterprise products that reside in a data center. Cloud providers, such as Amazon and Microsoft, also offer cloud-based HSMs that provide secure key management for IaaS services.

Human error is one of the major causes of?

Encryption vulnerabilities. If an email is sent using an encryption scheme, someone else may send it in the clear (unencrypted). If a cryptanalyst gets ahold of both messages, the process of decoding future messages will be considerably simplified A code key might wind up in the wrong hands, giving insights into what the key consist of. Many systems have been broken into as a result of these types of accidents.

Digital certificates are essentially?

Endorsed copies of an individual's public key. When users verify that a certificate was signed by a trusted certificate authority (CA), they know that the public key is legitimate.

When you want to obtain a digital certificate, you must first prove your identity to the CA in some manner; this process is called?

Enrollment. As mentioned in the previous section, this sometimes involves physically appearing before an agent of the certification authority with the appropriate identification documents. Some certificate authorities provide other means of verification, including the use of credit report data and identity verification by trusted community leaders.

One important consideration when using CBC mode is the?

Errors propagate—if one block is corrupted during transmission, it becomes impossible to decrypt that block and the next block as well.

There are two major approaches to key escrow that have been purposed over the past decade what are those two major things?

Fair Cryptosystems In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. Each of these pieces is useless on its own but may be recombined to obtain the secret key. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key. Escrowed Encryption Standard This escrow approach provides the government with a technological means to decrypt ciphertext. This standard is the basis behind the Skipjack algorithm. Its highly unlikely that government regulators will ever overcome the legal and privacy hurdles necessary to implement key escrow on a widespread basis. The technology is certainly available, but the general public will never accept the potential government intrusiveness its facilities.

In output feedback (OFB) mode, DES operates in almost the same?

Fashion as it does in CFB mode. However, instead of XORing an encrypted version of the previous block of ciphertext, DES XORs the plain text with a seed value. For the first encrypted block, an initialization vector is used to create the seed value. Future seed values are derived by running the DES algorithm on the previous seed value. The major advantages of OFB mode are that there is no changing function and transmission errors do not propagate to affect the decryption of future blocks.

Cryptography has several important goals what are they?

First among these goals is confidentiality, which corresponds to one of the three legs of the CIA triad. Organizations use encryption to protect sensitive information from prying eyes. The second goal, integrity also corresponds to one of the three elements of the CIA triad. Organizations use cryptography to ensure that data is not maliciously or unintentionally altered. When we get to the third goal authentication, the goals of cryptography begin to differ from the CIA triad. Although authentication begins with the letter A, remember that the A in the CIA triad is "availability." Authentication refers to uses of encryption to validate the identity of individuals. The fourth goal, nonrepudiation, ensures that individuals can prove to a third party that a message came from its purported sender. Different cryptographic systems are capable of achieving different goals.

Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message for two reasons which are?

First the recipient can use the same hash function to recompute the message digest from the full message. They can then compare the computed message digest from the full message. They can then compare the computed message digest to the transmitted one to ensure that the message sent by the originator is the same one received by the recipient. If the message digests do not match, that means the message was somehow modified while in transit. It is important to note that the messages must be exactly identical for the digests to match. If the message have even a slight difference in spacing, punctuation, or content, the message digest values will be completely different. It is not possible to tell the degree of the difference between the two messages by comparing the digest. Even a slight difference will generate totally different digest values. Second, the message digest can be used later to implement a digital signature algorithm.

No discussion of the history of cryptography would be complete without discussing the Enigma machine. The Enigma machine was created by the?

German government during World War II to provide secure communications between military and political units. The machine looked like a typewriter with some extra features.

The National Institute of Standards and Technology specifies the digital signature algorithms acceptable for federal?

Government use in Federal Information Processing Standard (FIPS) 186-4 also known as the Digital Signature Standard (DSS). This document specifies that all federally approved digital signature algorithms must use the SHA-3 hashing functions.

Known plain text attacks relies on the attacker?

Having pairs of known plain text along with the corresponding cyphertext. This gives the attacker a place to start attempting to derive the key. With modern ciphers, it would still take many billions of such combinations to have a chance at cracking the cipher. This method was, however successful at cracking the German Naval Enigma. The code breakers at Bletchley Park in the UK realized that all German Naval messages ended with Heil Hitler. They used this known plan-text attack to crack the key.

The basic idea of a birthday attack is?

How many people would you need to have in a room to have a strong likelihood that two would have the same birthday (month and day, but not year)? Obviously if you put 367 people in a room, at least two of them must have the same birthday, since there are only 365 days in a year, plus one more in a leap year. The paradox is not asking how many people you need to guarantee a match—just how many you need to have a strong probability. Even with 23 people in the room, you must have a 50 percent chance that two will have the same birthday. The probability that the first person does not share a birthday with any previous person is 100 percent, because there is no previous people in the set. That can be written as 365/365. The second person has only one preceding person, and the odds that the second person has a birthday different from the fist are 364/365. The third person might share a birthday with two preceding people, so the odds of having a birthday from either of the two preceding people are 363/365. Because each of these is independent, we can compute the probability as follows: § 365/365x364/365x363/365x362/365...x342/365 o 342 is the probability that the 23rd person shares a birthday with a preceding person. We convert these to decimal values, it yields (truncating at the third decimal point like this: 1x0.997x0.994x0.991x0.989x0.986x...0.936=0.49, or 49 percent. This 49 percent is the probability that 23 people will not have any birthdays in common/ The math works out to about 1.7/n to get a collision. Remember a collision is when two inputs produce the same output. So, for an MD5 hash, you might think that you need 2128 +1 different inputs to get a collision—and for a guaranteed collision you do. That is an exceedingly large number:3.4028236692093846346337460743177e+38. But the birthday paradox tell us that to just have a 51 percent change of there being a collision with a hash you only need 1.7/n (n being 2128 ) inputs. That number is still very large: 31,359,464,925,306,237,747.2. But it is much smaller than the brute-force approach of trying every possible input.

What is an example of a Caesar Cipher?

I WILL PASS THE EXAM If you shift each letter three to the right, you get the following: L ZLDO SDVV WKH HADP

If integrity mechanisms are in place, the recipient of a message can be certain that the message received is?

Identical to the message that was sent. Similarly, integrity checks can ensure that stored data was not altered between the time it was created and the time it was accessed. Integrity controls protect against all forms of alteration, including intentional alternations by a third party attempting to insert false information, intentional deletion of portions of the data, and unintentional alteration by faults in the transmission process.

If you're new to public key cryptography, selecting the correct key for various applications can be quite confusing. Encryption, decryption, message signing, and signature verification al use the same algorithm with different key inputs. Here are a few simple rules to help keep these concepts straight in your mind when preparing for the exam?

If you want to encrypt a message, use the recipient's public key. If you want to decrypt a message sent to you, use a private key. If you want to digitally sign a message you are sending to someone else, use your private key. If you want to verify the signature on a message sent by someone else, use the sender's public key. These four rules are the core principals of public key cryptography and digital signatures. If you understand each of them, you're off to a great start!

Steganography techniques are often used for?

Illegal or questionable activities, such as espionage and child pornography. Steganography can also be used for legitimate purposes, however. Adding digital watermarks to documents or protect intellectual property is accomplished by the means of steganography. The hidden information is known only to the file's creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and (if uniquely watermarked files are provided to each original recipient) trace the offending copy back to the source.

Stenographers often embed their secret messages within?

Images, video files, or audio files because these files are often so large that the secret message would be easily missed by even the most observant inspector.

Character substitution can be a relatively easy method of encrypting?

Information.

CBC uses an?

Initialization vector (IV), which is a randomly selected value that is used to start the encryption process. CBC takes the IV and combines it with the first block of the message using an operation known as the exclusive or (XOR), producing a unique output every time the operation is performed. The IV must be sent to the recipient, perhaps by taking the IV onto the front of the completed ciphertext in plain form or by protecting it with ECB mode encryption using the same key used for the message.

Digital certificate verification algorithms are built in a number of popular web browsing and email clients, so you won't often need to get?

Involved in the particulars of the process. However, it is important to have a solid understanding of the technical details taking place behind the scenes to make appropriate security judgements for your organization. It also the reason that, when purchasing a corticate, you choose a CA that is widely trusted. If the CA is not included in, or is later pulled from, the list of CAs trusted by a major browser, it will greatly limit the usefulness of your certificate.

What is key stretching?

It is used to create encryption keys from passwords in a strong manner. Key stretching algorithms, such as the Password Based Key Derivation Function v2 (PBKDF2) use thousands of iterations of salting and hashing to generate encryption keys that are resilient against attack.

The major strength of symmetric key cryptography is the great speed at which it can operate. Symmetric key encryption is how fast?

It is very fast, often 1,000 to 10,000 times faster than asymmetric algorithms. By nature of the mathematics involved, symmetric keys cryptography also naturally lends itself to hardware implementation, creating the opportunity for even higher-speed operations.

Computer scientists and mathematicians believe that it is extremely hard to find X even if what is known.

It is very hard to find X even if P and Q are already known. This difficult problem, known as the elliptic curve discrete logarithm problem, forms the basis of elliptic curve cryptography. It is widely believed that this problem is harder to solve than both the prime factorization problem that the RSA cryptosystem is based on and the standard discrete logarithm problem unutilized by Diffie-Hellman.

Symmetric key cryptography has several weaknesses what are they?

Key distribution is a major problem Parties must have a secure method of exchanging the secret key before establishing communications with a symmetric key protocol. If a secure electronic channel is not available, an offline key distribution method must often be used (that is, out-of-band-exchange.) Symmetric key cryptography does not implement nonrepudiation Because any communicating party can encrypt and decrypt messages with the shared secret key, there is no way to prove where a given message originated. The algorithm is not scalable It is extremely difficult for large groups to communicate using symmetric key cryptography. Secure private communication between individuals in the group could be achieved only if each possible combination of users shared a private key. Keys must be regenerated often Each time a participant leaves the group, all keys known by that participant must be discarded.

Cryptography is a powerful tool. Like most tools it can be used for a number of beneficent purposes but it can also be used with malicious intent. To gain a handle on the explosive growth of cryptographic technologies governments around the world have floated ideas to implement?

Key escrow systems. These systems allow the government under limited circumstances such as a court order, to obtain the cryptographic key for a particular communication from a central storage facility.

A key space is defined by its?

Key length. Key length is nothing more than the number of binary bits (0's and 1's) in the key. The key space is the range between the key that has all 0s and the key that has all 1s. Or to state it another way, the key space is the range of numbers from 0 to 2n , where n is the bit size of the key. So a 128-bit key can have a value from 0 to 2128 (which is roughly 3.40282367 X 1038 , a very big number!) it is absolutely critical to protect the security of secret keys. In fact, all of the security you gain from cryptography rests on your ability to keep the keys private.

Because cryptographic keys contain information essential to the security of the cryptosystem, it is incumbent upon cryptosystem users and administrators to take extraordinary measures to protect the security of keying material. These security measures are collectively known as?

Key management practices. They include safeguards surrounding the creation, distribution, storage, destruction, recovery, and escrow of secret keys.

Every algorithm has a specific?

Key space. The key space is the range of values that are valid for use as a key for a specific algorithm.

The brute force method simply involves trying every possible?

Key. It is guaranteed to work, but it is likely to take so long that it is simply not usable. For example, to break a Caesar cipher, there are only 26 possible keys, which you can try in a very short time. But even DES, which has a rather weak key would take 256 different attempts. That is 72,057,594,037,927,936 possible DES keys. To put that it perspective, if you try 1 million keys per second, it would take you must over 46,190,765 years to try them all.

Always make sure to back up?

Keys and files. If you lose the file containing your private key because of data corruption, disaster, or other chrominances. You will certainly want to have a backup available. You may want to either create your own backup or use a key escrow service that maintains the backup for you. In either case, ensure that the backup is handled in a secure manner.

SHA-1 takes an input of virtually any?

Length (in reality, there is an upper bound of approximately 2,097,152 terabytes on the algorithm) and produces a 160-bit message digest.

A transposition cipher involves transposing or scrabbling?

Letter in a certain manner. Typically, a message is broken into blocks of equal size, and each block is then scrabbled. In the simplest example, the characters are transposed by changing the ordering of characters within each group. In this case, the letter is rotated three places in the message. You could change the way Block 1 is transposed from Block 2 and make it a little more difficult, but it would still be relatively easy to decrypt.

For example, imagine that you wanted to use the cipher to encrypt the phrase "SECRET MESSAGE" using the keyword "APPLE." You would begin by?

Lining up the characters of the message with the characters of the keyword, repeating the keyword as many times as necessary which would look something like this: S E C R E T M E S S A G E A P P L E A P P L E A P P Then you would create the ciphertext by looking up each pair of the plain-text and key characters in the Vigenere table. The first letter of the plain text is "S" and the first letter of the key is "A" so you go to the column for S in the table and then look at the row for A and find that the ciphertext value is "S." repeating this process for the second character you look up the intersection of "E" and "P" in the table to get the ciphertext character "T". As you work your way through this process you get an encrypted message which looks something like this? § S T R C I T B T D E A V T To decrypt the message, you reverse the process, finding the ciphertext character in the row for the key letter and then looking at the top of that column to find the plain text. For example, the fisrt letter brings us the row for "A," where we find the ciphertext character "S" in the "S" column. The second letter brings us the row for "P," were we find the ciphertext character "T" in the "E" column.

Smartcards are another example of a?

Low power environment. They must be able to securely communicate with smartcard readers, but only using the energy either stored on the card or transferred to it by a magnetic field. In these cases, cryptographers often design specialized hardware that is purpose built to implement lightweight cryptographical algorithms with as little power expenditure as possible. You won't need to know the details of how these algorithms work, but you should be familiar with the concept that specialized hardware can minimize power consumption.

In 1991 Ron Riverst released the next version of his message digest algorithm, which he called?

MD5. It also processes 512-bit blocks of the message, but it uses four distinct rounds of computation to produce a digest of the same length as the earlier MD2 and MD4 algorithms (128-bits).

Historical methods of cryptography predate the modern computer age. These methods did not depend on?

Mathematics, as many modern methods do, but rather on some technique for scrambling the text.

HMAC can be combined with any standard?

Message digest generation algorithm, such as SHA-3, by using a shared secrete key. Therefore, only communicating parties who know the key can generate or verify the digital signature. If any recipient decrypts the message digest but cannot successfully compare it to a message digest generated from the plain-text message, that means the message was altered in transit.

Message integrity is enforced through the use of encrypted?

Message digests, known as digital signatures, created upon transmission of a message. The recipient of the message simply verifies that the message's digital signature is valid, ensuring that the message was not altered in transit. Integrity can be enforced by both public and secret key cryptosystems.

Message digests are summaries of a?

Message's content (not unlike a file checksum) produced by a hashing algorithm. It's extremely difficult, if not impossible, to device a message from an ideal hash function, and it's very unlikely that two messages will produce the same hash value.

Electronic Codebook (ECB) mode is the simplest?

Mode to understand and also the least secure. Each time the algorithm processes a 64-bit block, it simply encrypts the block using the chosen secret key. This means that if the algorithm encounters the same block multiple times, it will produce the same encrypted block. If an enemy were eavesdropping on the communications, they could simply build a "code book" of all the possible encrypted values. After a sufficient number of blocks were gathered, cryptanalytic techniques could be used to decipher the blocks and break the encryption scheme. This vulnerability makes it impractical to use ECB mode on all but he shortest transmissions. In everyday use, ECB is used only for exchanging small amounts of data, such as keys and parameters used to imitate other DES modes as well as the cells in a database.

The Secure Hash Algorithm (SHA) and its successors, SHA-1, SHA-2, and SHA-3, are government standard hash functions promoted by the?

National Institute of Standards and Technology (NIST) and are specified in an official government publication—the Secure Hash Standard (SHS), also known as the Federal Information Processing Standard (FIPS) 180.

Another major challenge with the use of symmetric key cryptography is that all of the keys used in the cryptosystem must be kept secure. This includes the following best practices surrounding the storage of encryption keys what are those things?

Never store an encryption key on the same system where encrypted data resides. This just makes it easier for the attacker! For sensitive keys, consider providing two different individuals with half of the key. They them must collaborate to re-create the entire key. This is known as the principle of split knowledge.

Because HMAC relies on a shard secret key it does not provide any?

Nonrepudiation functionality (as previously mentioned) However, it operates in a more efficient manner than the digital signature standard and may be suitable for applications in which symmetric key cryptography is appropriate. In short it represents a halfway point between unencrypted use of a message digest algorithm and computationally expensive digital signature algorithms based on public key cryptography.

Certificate authorities must carefully protect their own private keys to preserve their trust relationships. To do this, they often use an?

Offline CA to protect their root certificate, the top-level certificate for their entire PKI. This offline CA is disconnected from networks and powered down until it is needed. The offline CA users the root certificate create subordinate intermediate Cas that serve as the online Cas used to issue certificates on a routine basis.

The three main methods used to exchange secret keys securely are offline distribution, public key encryption, and the Diffie-Hellman key exchange algorithm what do these three things contain or what are these three things?

Offline Distribution The most technically simple method involves the physical exchange of key material. One party provides the other party with a sheet of paper or piece of storage media containing the secret key. In many hardware encryption devices, this key material comes in the form of an electronic device and resembles an actual key that is inserted into the encryption device. However, early offline key distribution method has its own inherent flaws. If keying material is sent through the mail, it might be intercepted. Telephones can be wiretapped. Papers containing keys might be inadvertently thrown in the trash or lost. Public Key Encryption Most communicators want to obtain the speed benefits of secret key encryption without the hassles of key distribution. For this reason, many people use public key encryption to set up an initial communicators link. Once the link is successfully established and the parties are satisfied as to each other's identity, they exchange a secret key over the secure public key link. They then switch communications from the public key algorithm to the secret key algorithm and enjoy the increased processing speed. In general, secret key encryption is thousands of times faster than public key encryption. Diffie-Hellman In some cases, neither the public key encryption nor offline distribution is sufficient, Two parties might need to communicate with each other, but they have no physical means to exchange key material, and there is no public key infrastructure in place to facilitate the exchange of secret keys. IN situations like this, key exchange algorithms like Diffie-Hellman algorithm prove to be extremely useful mechanisms.

Certificate stapling is an extension to the?

Online Certificate Status Protocol that relives some of the burned placed upon certificate authorities by the original protocol. When a user visits a website and imitates a secure connection, the website sends its certificate to the end user, who would normally then be responsible for contacting an OCSP server to verify the certificate's validity. In certificate stapling, the web server contacts the OCSP server, which it attaches, or staples, to the digital certificate. Then, when a user requests a secure web connection, the web server send the certificate with the stapled OCSP response to the user. The user's browser then verifies that the certificate is authentic and also validates that the stapled OCSP response is genuine and recent. Because the CA signed the OCSP response, the user knowns that it is from the certificate authority and the timestamp provides the user with assurance that the CA recently validated the certificate. From there, communication may continue as normal. Time savings come when the next user visits the website. The web server can simply reuse the stapled certificate, without recontacting the OCSP server. As long as the timestamp I recent enough, the user will accept the stapled certificate without needing to contact the CA's OCSP server again. It's common to have stapled certificates with a validity period of 24 hours. That reduces the burden on a OCSP server from handling one request per user over the course of the day, which could be millions of requests to handling one request per certificate per day. That's a tremendous reduction.

Nonrepudiation provides assurance to the recipient that the message was?

Originated by the sender and not someone masquerading as the sender. It also prevents the sender from claiming that they never sent the message in the first place (also known as reupdating the message). Secret key, or symmetric, key cryptosystems (such as simple substitution ciphers) do not provide this guarantee of nonrepudiation. If Jim and Bob participate in a secret key communication system, they can both produce the same encrypted message using their shared secret key. Nonrepudiation is offered only by public key, or asymmetric, cryptosystems.

In the early days of cryptography, one of the predominant principles was "security through obscurity." Some cryptographers thought the best way to keep an encryption algorithm secure was to hide the details of the algorithm from?

Outsiders

Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve addition algorithm this operation is expressed as?

P divided by Q

The Hashed Message Authentication Code (HMAC) algorithm implements a?

Partial digital signature—it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation.

Columnar transposition can be used to securely communicate between?

Parties as long as long as a keyword is chosen that would not be guessed by an outsider. As long as the security of this keyword is maintained, it doesn't matter that third parties know the details of the algorithm.

The major strength of the public key encryption is its ability to facilitate communication between?

Parties previous unknown to each other. This is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. These trusts permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates giving us hybrid cryptography.

As with any science, you must be familiar with certain technology before studying cryptography. Before a message is put into a coded form, it is known as a?

Plain-text message and produce a cipher text message, represented by the letter C. This message is transmitted by some physical or electronic means to the recipient. The recipient then uses a predetermined algorithm to decrypt the ciphertext message and retrieve the plaintext version.

One of the problems with substitution ciphers is that they did not change the underlying letter and word frequency of the text. One way to combat this was to have multiple substitution alphabets for the same message. Ciphers using this approach are known as?

Polyalphabetic substitution ciphers. For example, you might shift the first letter by three to the right, the second letter by two to the right, and the third letter by one to the left; then repeat this formula with the next three letters.

Note that digital signature process does not provide any?

Privacy in and of itself. It only ensures that the cryptographic goals of integrity, authentication, and nonrepudiation are met. However, if Alice wanted to ensure the privacy of her message to Bob, she could add a step to the message creation process. After appending the signed message digest to the plaintext message, Alice could encrypt the entire message with Bob's public key. When Bob received the message, he would decrypt it with his own private key before following the steps just outlined.

The most famous public key cryptosystem is named after its creators. In 1977, Ronald Rivest, Adi Shamir, and Leonard Adleman proposed the?

Public key algorithm that remains a worldwide standard today. They patented their algorithm and formed a commercial venture known as RSA Security to develop mainstream implementations of their security technology. Today, the RSA algorithm has been released into the public domain and is widely used for secure communications.

Once you've satisfied the certificate authority regarding your identity, you provide them with your?

Public key in the form of a Certificate Signing Request (CSR). The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key. The CA then digitally signs the certificate using the CAs private key and provides you with a copy of your signed digital certificate. You may then safely distribute this certificate to anyone with whom you want to communicate securely.

The problem above can be extended to involve multiplication by assuming that Q is a multiple of P, meaning the following?

Q= xP

Quantum Computing is an emerging field that attempts to use?

Quantum mechanics to perform computing and communication tasks. It's still mostly a theoretical field, but if it advances to the point where that theory becomes practical to implement, quantum cryptography may be able to defeat cryptographic algorithms that depend on factoring large prime numbers. At the same time, quantum computing may be used to develop even stronger cryptographical algorithms that would be far more secure than modern approaches. We'll have to wait and see how those develop to provide us with strong quantum communications in the postquantum era.

Rainbow table attacks attempt to?

Reverse hashed password value by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table. They then search through lists of hashed values, looking for matches to the rainbow table. The most common approach to preventing these attacks is salting which adds a randomly generated value to each password prior to hashing.

Decrypting a message encrypted with a Caesar cipher follows the?

Reverse process. Instead of shifting each letter three places to the right, decryption shifts each letter of the ciphertext three places to the left to restore the original plain-text character.

In October 200, the National Institute of Standards and Technology announced the?

Rijndael (pronounced "Rhine-doll) block cipher had been chosen as the replacement for DES.

All cryptography relies on algorithms. An algorithm is a set of?

Rules, usually mathematical, that dictates how enciphering and deciphering processes are to take place. Most cryptographers follow the Kerchoff principle a concept that makes algorithms known and public, allowing anyone to examine and test them. Specifically, the Kerchoff principle (also known as Kerchoff's assumption) is that a cryptographic system should be secure even if everything about the system, except the key is public knowledge. The principle can be summed up as "the enemy knowns the system" A large number of cryptographers adhere to this principle, but not all agree. In fact, some believe that better overall security can be maintained be keeping both the algorithms and key private. Kerchoff's adherents retort the opposite approach includes the dubious practice of "security through obscurity" and they believe that public exposure produces more activity and exposes more weakness more readily, leading to the abandonment of insufficiently strong algorithms and quicker adoption of suitable ones.

Cryptanalytic attacks demonstrated that there are weaknesses in the SHA-1 algorithm. This led to the creation of SHA-2, which has four variants what are they?

SHA-256 produces a 256-bit message digest using a 512-bit block size. SHA-224 uses a truncated version of SHA-256 hash to produce a 224-bit message digest using a 512-bit block size. SHA-512 produces a 512-bit message digest using a 1,024-bit block size. SHA-384 uses a truncated version of SHA-512 hash to produce a 384-bit digest using a 1,024-bit block size.

A cipher is a method used to?

Scramble or obfuscate characters to hide their value.

Instead of relying on secret algorithms, modern cryptosystems rely on the?

Secrecy of one or more cryptographic keys used to personalize the algorithm for specific users or groups of users. Recall from the discussion of transposition ciphers that a keyword is used with the columnar transposition to guide the encryption and decryption efforts. The algorithm used to perform the columnar transposition is well known.

Symmetric key cryptography can be called?

Secret key cryptography and private key cryptography.

When using public key encryption, keep your private key?

Secret. Do not, under any circumstances, allow anyone else to gain access to your private key. Remember, allowing someone access even once permanently compromises all communications that take place (past, present, or future) using that key and allows the third party to successfully impersonate you.

The cryptographic community generally considers the SHA-2 algorithms?

Secure but they theoretically suffer for the same weakness as the SHA-1 algorithm. In 2015, the federal government announced the release of Keccak algorithm as the SHA-3 standard. The SHA-3 suite was developed to serve as a drop-in replacement for the SHA-2 hash functions, offering the same variants and hash lengths using a more secure algorithm.

A downgrade attacks sometimes used against?

Secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick. The user into shifting to a less secure version of the protocol, one that might be easier to break.

Key exchange is the?

Secure distribution of the secret keys required to operate the algorithms.

As mentioned in the previous sections, the Data Encryption Standard's 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and super computing power. However, an adapted version of DES, Triple DES (3DES), uses the same algorithm to produce a more?

Secure encryption

MD5 implements

Security features that reduce the speed of message digest production significantly. Unfortunately, recent cryptanalytic attack demonstrated that the MD5 protocol is subject to collisions, preventing its use for ensuring message integrity.

Several decades ago, when the Data Encryption Standard was created, a 56-bit key was considered sufficient to maintain the?

Security of any data. However, there is now a wide spread agreement that the 56-bit DES algorithm is no longer secure due to the advances in cryptanalysis techniques and supercomputing power. Modern cryptographic systems use at least a 128-bit key to protect data against prying eyes. Remember, the length of the key directly relates to the work function of cryptosystem; for secure cryptosystem, the longer the key, the harder it is to break the cryptosystem.

Opening algorithms to public scrutiny actually improves their?

Security.

All cryptographic algorithms rely on key to maintain their?

Security. For the most part, a key is nothing more than a number. It's usually a very large binary number, but it's a number nonetheless

Cryptosystems implement digital?

Signatures to provide proof that a message originated from a particular user of the cryptosystem and to ensure that the message was not modified while in transit between the two parties, before you can completely understand that concept, we must first explain the concept of hash functions. We will explore the basics of hash functions and look at several common hash functions used in modern digital signature algorithms.

The technical concepts behind the public key infrastructure are relatively?

Simple. In the following sections, we'll cover the processes used by certificate authorities to create, validate, and revoke client certificates.

The major weakness of public key cryptography is its?

Slow speed of operation. For this reason, many applications that require the secure transmission of large amounts of data use public key cryptography to establish a connection and then exchange a symmetric secret key. The remained of the session then users symmetric cryptography.

Privacy concerns also introduce some?

Specialized use cases for encryption. In particular, we sometimes have applications where we want to protect, the privacy of individuals, but still want to perform calculations on their data. Homomorphic encryption technology allows this, encrypting data in a way that preserves the ability to perform computation on that data. When you encrypt data with a homographic algorithm and then perform computation on that data, you get a result that, when decrypted, matches the result you would have received if you had performed the computation on the plaintext data in the first place.

Digital certificates contain?

Specific identifying information, and their construction is governed by an international standard—X.509.

The U.S. government published the Data Encryption Standard in 1977 as a proposed?

Standard cryptosystems for all government communications. Because of the flaws in this algorithm, cryptographers and the federal government no longer consider DES secure. It is widely believed that intelligence agencies routinely decrypt DES-encrypted information.

Normal conditions between public key cryptosystems users is quite?

Straight forward. In example, notice that processes do not require the sharing of private keys. The sender encrypts the plaintext message (P) with the recipient's public key to create the ciphertext message (C). When the recipient opens the cyphertext message, they decrypt it using their private key to re-create the original plain-text message. Once the sender encrypts the message with the recipient's public key, no user (including the sender) can decrypt that message without knowing the recipient's private key (the second half of the public-private key pair used to generate the message). This is the beauty of public key cryptography—public keys can be freely shared using an unsecured communication and then used to create secure communications channels between users previously unknown to each other. Key used within public key systems must be longer than those used in private key systems to produce cryptosystems of equivalent strengths.

DES that is run in counter mode uses a?

Stream cipher similar to that used in CFB and OFB models. However, instead of creating the seed value for each encryption/decryption operation from the results of a previous seed values, it uses a simple counter that increments for each operation. As with OFB mode, errors do not propagate in CTR mode.

Cipher feedback mode (CFB) is the?

Streaming cipher version of CBC. In other words. CFB operates against data produced in real time. However, instead of breaking a message into blocks, it uses memory buffers of the same block size. As the buffer becomes full it is encrypted and then sent to the recipients. Then the system waits for the next buffer to be filled as the new data is generated before it is in turn encrypted and then transmitted. Other than the change from preexisting data to real-time data, CFB operates in the same fashion as CBC.

The length of a cryptographical key is an extremely important factor in determining the?

Strength of the cryptosystem and the likelihood that the encryption will not be compromised through cryptanalytic techniques. The rapid increase in computing power allows you to use increasing long keys in your cryptographic efforts. However, this same computing power is also in the hands of cryptanalysts attempting to defeat the algorithms you use. Therefore, it's essential that you outpace adversaries by using sufficiently long keys that will defeat contemporary cryptanalysis efforts. Additionally, if you want to improve the chance that data will remain safe from cryptanalysis in the future, you must strive to use keys that will outpace this projected increase in cryptanalytic capability during the entire time period that data must be kept safe. For example, the advent of quantum computing may transform cryptography, rendering current cryptosystems insecure.

The two primary types of nonmathematical cryptography, or ciphering methods, are?

Substitution and transposition.

The Caesar cipher and ROT13 are very simple examples of?

Substitution ciphers. They are far too simplistic to use today, as any cryptologist could break these ciphers, so any similar substitution, in a matter of seconds. However, the substitution operation forms the basis of many modern encryption algorithms. They just perform far more sophisticated substitution and carry out those operations many times to add complexity and made the cipher harder to crack.

Certificate authorities (CAs) are the glue that blinds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates. To obtain a digital certificate form a reputable CA, you must prove your identity to the satisfaction of the CA. The following list includes some of the major CAs who provide widely accepted digital certificates which are?

Symantec IdenTrust Amazon Web Services GlobalSign Comodo Certum GoDaddy DigiCert Secom Entrust Actalis Trustwave

In 2017, a significant security failure occurred in the digital certificate industry what was this thing?

Symantec, through a series of affiliated companies, issued several digital certificates that did not meet industry security standards. In response, Google announced that the Chrome browser would no longer trust Symantec certificates. As a result, Symantec wound up selling of their certificate issuing business to DigiCert, who agreed to properly validate certificates prior to issuance. This demonstrates the importance of properly validating certificate requests. A series of seemingly small lapses in procedure can decimate a CA's business!

confidentiality is perhaps the most-wieldy citied goal of cryptosystems—the preservation of secrecy for stored information or for communications between individuals and groups. Two main types of cryptosystems enforce confidentiality what are they?

Symmetric cryptosystems Use a shard key available to all users of the cryptosystem. Asymmetric cryptosystems Use individual combinations of public and private keys for each user of the system.

As previously mentioned, key exchange is one of the major problems underlying?

Symmetric encryption algorithms.

Explain the difference between symmetric and asymmetric encryption?

Symmetric encryption uses the same shared secret key to encrypt and decrypt information. Users must have some shared some mechanism to exchange these shared secret keys. The Diffie—Hellman algorithm provides one approach. Asymmetric encryption provides each user with a pair of keys which are a public key, which is freely shard, and a private key, which is kept secret. Anything encrypted with one key from the pair may be decrypted with the other key from the same pair.

A related key attack is like a chosen plain-text attack except the attacker can obtain?

Texts encrypted under two different keys. This is actually a useful attack if you can obtain the plain text and matching ciphertext.

DDS also specifies the encryption algorithms that can be used to support a digital signature infrastructure. There are three currently approved standard encryption algorithms what are they?

The Digital Signature Algorithm (DSA) as specified in FIPS 186-4 The Rivest, Shamir, Adleman (RSA) algorithm as specified in ANSI X9.31 The Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

What is ROT13 or "rotate 13"?

The ROT13 cipher works the same way as a Caesar cipher but rotates every letter 13 places in the alphabet. Thus, an A becomes an N, a B becomes an O, and so forth. Because the alphabet has 26 letters, you can use the same rotation of 13 letters to decrypt the message.

The following is a list of the major strength s of asymmetric key cryptography what are those things in the list?

The addition of new users requires the generation of only one public-private key pair? This same key pair is used to communicate with all users of the asymmetric cryptosystem. This makes the algorithm extremely scalable. Users can be removed far more easily from asymmetric systems? Asymmetric cryptosystems provide a key revocation mechanism that allows a key to be canceled, effectively removing a user from the system. Key regeneration is required only when a user's private key is compromised? If a user leaves the community, the system administrator simply needs to invalidate that user's keys. No other keys are compromised and therefore key regeneration is not required for any other user. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation? If a user does not share their private key with other individuals, a message signed buy that user can be shown to be accurate and from a specific source and cannot be later repudiated. Key distribution is a simple process? Users who want to participate in the system simply make their public key available to anyone with who they want to communicate. There is no method by which the private key can be derived from the public key. No preexisting communication link needs to exist? Two individuals can begin communicating securely from the start of their communication session. Asymmetric cryptography does not require a preexisting relationship to provide a secure mechanism for data exchange.

Occasionally, a certificate authority needs to revoke a certificate. This might occur for one of the following reason which are?

The certificate was compromised (for example, the certificate owner accidentally gave away the private key.) The certificate was erroneously issue (for example, the CA mistakenly issued a certificate without proper verification). The details of the certificate changed (for example, the subject's name changed). The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).

The Diffie Hellman algorithm represented a major advance in the state of cryptographic science released in 1976. It's still in use today. The algorithm works like?

The communicating parties (we'll call them Richard and Sue) agree on two large numbers: p (which is the prime number) and g (which is an integer) such that 1<g<p. Richard chooses a random large integer r and performs the following calculation: R= gr mod p Sue chooses a random large integer s and performs the following calculation: S= gs mod p Richard sends R to Sue and Sue send S to Richard. Richard then performs the following calculation: K= Sr mod p Sue then performs the following calculation: K= Rs mod p o At this point, Richard and Sue both have the same value, K, and can use this for secret key communication between the two parties.

At some point, you may assume that the public key listed in the certificate is authentic, provided that it satisfies the following reequipments which are?

The digital signatures of the CA is authentic. You trust the CA. The certificate is not listed on a CRL The certificate actually contains the data you are trusting.

There are four version of 3DES what are they?

The first simply encrypts the plaintext three times using three different keys K1 , K2, and K3. It is known as DES-EEE3 mode (the E's indicate that there are three encryption operations, whereas the numeral 3 indicates that three different keys are used). DES-EEE3 can be expressed using the following notation Where E(K,P) represents the encryption of the plaintext P with K: · E(K1,E(K2,E(K3,P))) DES-EEE3 has an effective key length of 168bits The second variation (DES-EDE3) also uses three keys but replaces the second encryption operation with a decryption operation. E(K1,D(K2,E(K3,P))) The third versions of 3DES (DES-EEE2) uses only two keys K1 , K2, as follows E(K1,E(K2,E(K1,P))) The fourth variant of 3DES (DES-EDE2) also uses two keys but uses a decryption operation in the middle, represented by the D(K,C) function, were K is the decryption key and C is the ciphertext to be decrypted. E(K1,D(K2,E(K1,P))) Both the third and fourth variants have an effective key length of 112 bits. These four variants of 3DES were developed over the years because several cryptologists put forth that one variant was more secure than the others. However, the current belief is that all modes are equally secure.

Understand the goals of cryptography which are.

The four goals of cryptography, integrity, authentication, and non-repudiation. Confidentiality is the use of encryption to protect sensitive information from prying eyes. Integrity is the use cryptography to ensure that data is not maliciously or unintentionally altered. Authentication refers to uses of encryption to validate the identity of individuals. Nonrepudiation ensures that individuals can prove to a third party that message came from its purported sender.

Why is the key length important?

The length of the cryptographic key is perhaps the most important security parameter that can be set at the discretion of the security administrator. It's important to understand the capabilities of your encryption algorithm and choose a key length that provides an appropriate level of protection. This judgment can be made by weighing the difficulty of defeating a given key length (measured in the amount of processing time required to defeat the cryptosystems) against the importance of the data. Generally speaking, the more critical your data, the stronger the key you use to protect it should be, Timeliness of the data is also an important consideration. You must take into account the rapid growth of computing power—Moore's law suggests that computing power doubles approximately every two years. If it takes current computers one year of processing time to break your code, it will take only three months if the attempt is made with contemporary technology about four years down the road. If you expect that your data will still be sensitive at that time, you should choose a much longer cryptographic key that will remain secure well into the future. Also, as attackers are now able to leverage cloud computing resources, they are able to more efficiently attack encrypted data. The cloud allows attackers to rent scalable computing power, including powerful graphic processing units (GPUs) on a per-hour basis and offers significant discounts when using excess capacity during non-peak hours. This brings powerful computing well within reach of many attackers. The strengths of various key lengths also vary greatly according to the cryptosystem you're using. For example, a 1,024-bit RSA key offers approximately the same degree of security as a 160-bit ECC key. So why not just always use an extremely long key? Longer keys are certainly more secure, but they also require more computational overhead. It's the classic trade-off of resources versus security constraints.

Hash functions have a very simple purpose which is they take a potentially long message and generate a unique output value derived from the content of the message This value is commonly referred to as?

The message digests.

Digital certificates are stored in files, and those files come in a variety of different formats, both binary and text-based what are two of those formats?

The most common binary format is the Distinguished Encoding Rules (DER) format. DER certificates are normally stored in files with the. DER, .CRT, or .CER extensions. The Privacy Enhanced Mail (PEM) certificate format is an ASCII text version of the DER format. PEM certificates are normally stored in files with the. PEM or .CRT extensions. The Personal Information Exchange (PFX) format is commonly used by Windows systems. PFX certificates may be stored in binary from, using either .PFX or. P12 file extensions. Windows systems also use P7B certificates, which are stored in ASCII text format.

A classic example of a human error that was exploited involved?

The transmission of a sensitive military-related message usign an encryption system. Most messages have a preamble that informs the receiver who the message is for, who sent it, how many characters are in the message, the date and time it was sent, and other persistent information. In this case, the preamble was sent in clear text, and this information was also encrypted and put into the message. As a result, the cryptanalysts gained a key insight into the message contents. They were given approximately 50 characters that were repeated in the message in code. This error caused a relatively secure system to be compromised. Another error is to use weak or deprecated algorithms. Over time, some algorithms are no longer considered appropriate. This may be due to some flaw found in the algorithm. It can also be due to increasing computing power. For example, in 1976 DES was considered very strong. But advances in computer power have made its key length too short. Although the algorithm is sound, they key size makes DES a poor choice for modern cryptography, and that algorithm has been deprecated.

There are five basic requirements for a cryptographic hash value what are they?

They accept an input of any length. They produce an output of a fixed length, regardless of the length of the input. The hash value is relatively easy to compute. The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). The hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).

Security practitioners use cryptographic systems to meet four fundamental goals what are they?

They are confidentiality, integrity, authentication, and nonrepudiation. Achieving each of these goals requires the satisfaction of a number of designs requirements, and not all crypto-systems are intend to achieve all four goals.

Cryptography consists of two main operations what are they?

They are encryption, which transforms plain-text information into ciphertext using an encryption key, and decryption, which transforms ciphertext back into plain text using a decryption key.

Old cryptosystems required communicating parties to keep the algorithm used to encrypt and decrypt messages secret from?

Third parties. Any disclosure of the algorithm could lead to the compromise of the entire system by an adversary.

Certificate authorities do not need to be?

Third-party service providers. Many organizations operate internal CAs that provide self-signed certificates for use inside an organization. These certificates won't be trusted by the browsers of external users, but internal systems may be configured to trust the internal CA, saving the expense of obtaining certificates from a third-party CA.

What is a birthday attack?

This is an attack on cryptographic hashes, based on something called the birthday theorem.

Demonstrate familiarity with emerging issues in cryptography which is?

Tor uses perfect forward secrecy to allow anonymous communication over the Internet. The blockchain is an immutable distributed public ledger made possible though the use of cryptography. Homomorphic encryption allows the protection of sensitive data while still facilitating computation on that data in a manner that preserves privacy. Quantum computing challenges modern approaches to cryptography and may be a disruptive force in the future.

Cryptography is a field almost as old as humankind. The first recorded cryptographic efforts occurred 4,000 years ago. These early efforts included?

Translating messages from one language to another or substituting characters. Since that time, cryptography has grown to include a plethora of possibilities. These early efforts forays into cryptography focused exclusively on achieving goals of confidentiality. Classic methods used relatively simple techniques that a human being could usually break in a reasonable amount of time. The obfuscation used in modern cryptography is much more sophisticated and can be unbreakable within a period of time.

Nothing is preventing any organizations from simply setting up shop as a CA. However, the certificates issued by a CA are only as good as the?

Trust placed in the CA that issued them. This is an important item to consider when receiving a digital certificate from a third party. If you don't recognize the trust name of the CA that issued the certificate, you should not place any trust in the certificate at all.

PKI relies on a hierarchy of?

Trust relationships. If you configure your browser to trust a CA, it will automatically trust all of the digital certificates issued by that CA. Browser developers preconfigure browsers to trust all of the major Cas to avoid placing this burden on users.

If time has taught us anything, it is that people frequently do things that other thought were impassible. Every time a new code or process is invented it is thought to be?

Unbreakable, someone comes up with a new method of breaking it.

Steganography is an extremely simple technology to?

Use, with free tools available on the Internet. One is OpenStego. It simply requires that you specify a text file containing your secret message an image file that you wish to hide the message. An example would be a picture with an embedded secret message; the message is impossible to detect with the human eye.

Retire keys when they've served a?

Useful life. Many organizations have mandatory key rotation requirements to protect against undetected key compromise. If you don't have a formal policy that you must follow, select an appropriate interval based on the frequency with which you use your key. Continued reuse of a key creates more encrypted material that may be used in cryptographic attacks. You might want to change your key pair ever few months, if practical.

Recall from earlier in this chapter that public key cryptosystems rely on pairs of keys assigned to each?

User of the cryptosystem. Every user maintains both a public key and a private key

When you receive a digital certificate from someone with who you want to communicate, you?

Verify the certificate by checking the CAs digital signature using the CAs public key. Next you must check and ensure that the certificate was not revoked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).

Registration authorities (RAs) assist Cas with the burden of?

Verifying users' identities prior to issuing digital certificates. They do not directly issue certificates themselves, but they play an important role in the certification process, allowing Cas to remotely validate user identities.

Certificates that conform to X.509 contain the following certificate attributes what are they?

Version of X.509 to which the certificate conforms. Serial number (from the certificate creator). o Signature algorithm identifier (specifies the technique used by the certificate authority to digitally sign the contents of the certificate). Issuer name (identification of the certificate authority that issued the certificate. Validity period (specifies the dates and the times—a starting date and time and an expiration date and time—during which the certificate is valid). Subjects' Common Name (CN0 that clearly describes the certificate owner (e.g., "certmike.com"). Certificates may optionally contain (Subject Alternative Names (SAN) that allow you to specify additional items (IP addresses, domain names, and so on) to be protected by the single certificate. Subject's public key (the meat of the certificate—the actual public key the certificate owner used to set up secure communication.

Another specialized use case for cryptography are cases where you need?

Very low latency. That simply means that the encryption and decryption should not take a long time. Encrypting networks links is a common example of low latency cryptography. The data is moving quickly across a network and the encryption should be done as quickly as possible to avoid becoming a bottleneck. Specialized encryption hardware also solves many low latency requirements. For example, a dedicated VPN hardware device may contain cryptographic hardware that implements encryption and decryption operations in a highly efficient form to maximize speed. High resiliency requirements exist when it is extremely important that data be preserved and not accidentally destroyed during an encryption operation. In cases where resiliency is extremely important, the easiest way to address the issue is for the sender of data to retain a copy until the recipient confirms the successful receipt and decryption of the data.

The most famous example of polyalphabetic substitution form historical times was the?

Vigenere cipher. It used a keyword to look up the cipher text in a table. The user would take the first letter in the text that they wanted to encrypt, go to the Vigenere table and match that with the letter from the keyword in order to find the ciphertext letter. This would be repeated until the entire message was encrypted. Each letter in the keyword generated a different substitution alphabet.

Asymmetric key algorithms, also known as public key algorithms provide a solution to the?

Weakness of symmetric key encryption. In these systems, each user has two keys: a public key which is shared with all users, and a private key which is kept secret and known only by the owner of the keypair. But here's the twist: opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa. For example, if Alice wants to send a message to Bob using a public key cryptography, she creates the message and then encrypts it using Bob's public key. The only possible way to decrypt this cyphertext is to use Bob's private key, and the only user with access to that key is Bob. Therefore, Alice can't even decrypt the message herself after she encrypts it. If Bob wants to send a reply to Alice, he simply encrypts the message using Alice's public key, and then Alice reads the message by decrypting it with her private key.

Confidentiality ensures that data remains private in three different situations which are?

When it is at rest When it is in transit When it is in use.

Any elliptic curve can be defied by the following equation which is?

Y2=x3 + ax + b In this equation x, y, a, and b are all real numbers

The subject of certificate may include a wildcard in the certificate name, indicating that the certificate is good for the subdomains as well. The wildcard is designated by an asterisk character. For example, a wildcard certificate issued to *.certmike.com would be valid for all of the following domains what are those domains?

certmike.com www.certmike.com mail.certmike.com secure.certmike.com