Cryptography
HTTPS technical breakdown
(1) Client connects to secure site via browser (2) site/web server sends cert to browser (3) this establishes identity (4) if browser accepts cert, finds no validation problems with cert (5) SSL activated between server & client
What is needed from each communicating device for IPSec to work?
(1) IPSec running (2) share some form of public key
Two common functions for key stretching:
(1) Password-Based Key Derivation Function 2 (PBDKF2) (2) bcrypt
Two main types of symmetric encryption?
(1) Stream cipher (2) Block cipher
Two main types of cipher encryption that can be used?
(1) Substitution (2) Transposition
Features of WPA:
(1) can use preshared key (2) or authentication server that distributes keys (3) improved integrity checking of data over wireless network (4) makes sure data can't be intercepted & changed on way to destination
Strength of the cryptosystem lies in?
(1) strength (2) effectiveness (3) of keyspace
Two encryption modes IPSec uses:
(1) transport (2) tunnel
Features of one-time pad
(1) used once (2) pad as long as message it's encrypting (3) pad values random (4) communication of pad is secure (5) often manual backup encryption method for high-security areas
Digital handshake confirms:
(1) you are who you say you are [identity] (2) site your connected to is ACTUAL site expected to be
PGP public key
(a) 1 given to anyone you want to share messages with (b) each PGP user shares their own public key (c) all the public keys in PGP system kept on key ring
PGP private key
(a) 1 you use to decrypt messages you receive (b) passphrase is used to encrypt this key (c) stored on local computer
(SHA) Secure hash algorithm
(a) 160-bit hash (b) run through DSA (Digital Signature Algorithm) (c) encrypts hash with private key (d) attached to message before it's sent (e) receiver decrypts message with public key & runs hashing value to compare the two (f) identical? not altered
DES
(a) 64-bit block size (b) 56-bit key (c) requires sender & receiver to possess same secret key (d) also encrypts data on hdd/other medium
Popular symmetric algorithms include:
(a) AES (b) DES (c) Blowfish (d) Twofish (e) IDEA (f) RC5
You have been tasked with implementing information assurance principles within your organization's security and encryption functions. Name 3 functions of IA within encryption systems:
(a) Confidentiality (b) Integrity (c) Nonrepudiation
DHE
(a) Diffie-Hellman exchange (b) encryption algorigthm (c) key agreement protocol (d) enables users to exchange encryption keys over insecure medium (e) depends on discrete logarithmic formulas (f) main crux: basic protocol doesn't authenticate the participants for key exchange
DSA
(a) Digital signature algorithm (b) only for authentication (c) secure when key size is large enough (d) supports key sizes up to 1024 bits (e) RSA preferred over this
S-HTTP
(a) Don't confuse with HTTPS (b) similar, but just encrypts message headers
ECC
(a) Elliptic curve cryptosystems (b) similar to RSA, encryption & digital signatures (c) complex math to create asymmetric algorithms & keys (d) for devices with smaller processing capabilities (e) smaller key than RSA
GPG
(a) GNU Privacy Guard (b) free, open-source (c) implements OpenPGP standard (d) intended as free replacement for PGP
HMAC
(a) Hash-based Message Authentication Code (b) used for message authentication where its applied with hash functions & secret key to create code value
HTTPS
(a) Hyper Text Transfer Protocol over Secure Socket Layer (b) secure comm of data between web server & browser (c) all HTTP sent in clear text, this was needed for security/privacy (d) typical banking/online shopping (e) small lock icon indicator in taskbar
Authentication header (AH)
(a) IP header added to network packet (b) provides crypto checksum (c) achieves authenticate/integrity (d) ensures packet sent by specified source (e) not been captured/changed in transit
Key management for IPSec is provided by?
(a) Internet Key Exchange (IKE) (b) formerly ISAKMP/Oakley
MIME
(a) Multipurpose Internet Mail Extensions (MIME) (b) spec for transfer of multimedia/attachments through e-mail (b) standard for mail clients & mail transfer systems to handle certain types of attachments
Main PGP difference
(a) NON centralized certificate authority (b) authentication is verified relying on each other to establish trust between other users and their keys
PGP
(a) Pretty Good Privacy (b) so good, was considered 'weapon' by Gov't, & creator investigated for breaking law (c) Symantec bought this standard
RIPEMD
(a) RACE integrity Primitives Evaluation Message Digest (b) hash function message digest (c) several bits: 128,160,256,320 (256 & 320 reduce collisions) (d) 128 bit replaced by RIPEMD-160, not as cool as SHA-1 or MD5
Popular asymmetric algorithms & apps include:
(a) RSA (b) Elliptical curve (c) DSS (d) Diffie-Hellman
RSA
(a) Rivest, Shamir, Adleman (inventors) (b) main standard & PRIMARILY for encrypt/decrypt & digital signatures (c) based on factoring prime numbers to obtain private & public key pairs
Which encryption protocols are used for secure web communication?
(a) SSL/TLS (Secure socket layer, Transport layer security) (b) HTTPS (Secure hyper text transfer protocol)
Cipher suites
(a) SSL/TLS support (b) authenticate, encrypt, MAC algorithms combo (c) negotiate security of connection (d) any # of algorithms: DHE, ECDHE,AES,MD5,etc
S/MIME
(a) Secure MIME (b) extension for digitally signing/encrypting e-mail using certs (c) public key certs for authentication (d) message confidentiality/integrity via user's encryption & hashing
SSH
(a) Secure Shell (b) secure remote-access utility to log in & execute commands (c) secure, encrypted tunnel to access another system remote
SSL
(a) Secure socket layer (b) enables comm between systems to be encrypted (c) used for websites (d) support by both web server & client browser to work (e) e-mail systems too (f) uses digital handshake (public key)
SAs
(a) Security associations [SAs] (b) building blocks of IPSec communication (c) before IPSec, establish set of SAs (d) specifies crypto parameters (e) agreed upon by both devices before anything transferred (including encryption & authenticate algorithms/keys)
Where can SHA be found/used?
(a) TLS (Transport Layer Security) (b) SSL (Secure Sockets Layer) (c) IPsec (Internet Protocol Security)
TKIP
(a) Temporal Key Integrity Protocol (b) 128-bit key (c) routinely changed (d) use in WPA, single session key cannot be hacked by time protocol changes keys
TLS
(a) Transport layer security (b) next-gen SSL (c) enhanced encrypt/authentication (d) NOT interoperable with SSL
Hash value
(a) [aka] message digest (b) fixed-length value (c) represents longer message from which it was created (d) appended to the message that's sent to another user
AES
(a) aka "rain-doll" (b) gov't-defined encryption standard to replace DES (c) symmetric-block (d) 128,192,256 bits (e) 2003 became standard for nonclassified docs, while 192 to 256 required for TS
Authentication server method
(a) aka 'Enterprise WPA' (b) suited for big environments (c) using single passphrase key not scalable (d) server takes care of key management between wireless devices & network
Preshared key method
(a) aka 'Personal WPA' (b) all devices on wireless LAN must use same passphrase key for access
What is a key?
(a) aka password (b) combined with algorithm (c) creates ciphertext (d) data can't be deciphered unless same key used to decrypt it
Key escrow
(a) asymmetric (b) involves 3rd party (c) holds 3rd special key on top of private and public key pair (d) this key used to encrypt the private key, which is then stored in secure location (e) can be used to unlock encrypted copy of private key in case of loss/theft
HMAC (Hash-based Message Authentication Code)
(a) authenticates message (b) provides data integrity (c) MAC [Message Authentication Code] sent along with message (d) so receiver can authenticate the sender of the message & verify integrity of contents
In a file storage system, data is protected by?
(a) authentication (b) access controls
Modern cryptography protects sensitive comm, but also includes:
(a) authentication (b) data integrity (c) nonrepudiation
IPSec component protocols include:
(a) authentication header [AH] (b) Encapsulating security payload [ESP] headers
Digital handshake - server side
(a) begins when server sends message to client (b) indicates secure session needed (c) gets security info & encryption key from client - compares for a match (d) sends authentication info so client knows web server that its talking to is the right one
Birthday attacks
(a) brute-force attack (b) often used to find collisions of hash functions
Digital handshake - client side
(a) client sends security info & encryption key to server (b) receives authentication info from server (c) so it knows server is the right one to talk to
Algorithm
(a) complex math formula (b) dictates how encryption & decryption process takes place
Asymmetric schemes offer:
(a) confidentiality (b) authentication (c) nonrepudiation (d) manageable/efficient ways for dealing with key distribution
Ephemeral keys
(a) converse of a static key (b) temporary by nature (c) often generated for each execution of the key establishment process (d) unique to a message or session (e) aka used ONE time (f) can be used again / see NIST 800-57
Cryptography
(a) conversion of communicated information into secret code (b) keeps info confidential and private
Key
(a) created by algorithm to contain keys (b) key is made of random values within the keyspace range (c) larger keyspace w/ more bits means more available values exist for different keys
Hashing
(a) creates "fingerprint" for a message (b) prevents message from being accessed and changed on its way to destination (c) used to protect integrity of a message (d) digital signatures
Digital certificate
(a) credential required by PKI systems (b) securely identify an organization's server (c) creates association between server's authenticated identity and its public keys
Confidentiality
(a) data not made available (b) or disclosed to unauthorized people (c) use: encryption on data, network infrastructure, communication channels (d) protects against data interception & disclosure
PGP involves
(a) decentralized digital certificates (b) using RSA-based public key encryption method (c) 2 keys: one public/one private (d) creates "web of trust" with other users (e) each user keeps collection of other's public keys on key ring
How is digital signature created?
(a) digest of the message encrypted (b) using sender's private key (c) takes variable length message (d) produce 128-bit message digest
Message digest
(a) digital signatures use in apps (b) for large messages to be hashed securely
IKE - Internet Key Exchange
(a) enables receiver to obtain public key (b) and authenticate sender using digital certs
Transport mode
(a) encrypt data portion of each packet (b) not header though (c) host-to-host communication
Digital signatures
(a) encrypted has value to ensure ID & integrity of message (b) can be attached to message to uniquely ID sender (c) senders runs hash function on his message, takes result, encrypts with private key, and sends along with message
Tunnel mode
(a) encrypts both header/data of network packet (b) used to host VPN gateway comm, most common form of VPN (c) receiver of packet uses IPSec to decrypt message
WEP
(a) encrypts comm between wireless clients & access points (APs) (b) key encryption algorithm that is weak (c) key manually configured on each AP & client before network access allowed
Stream cipher
(a) encrypts data one bit at a time (b) fast compared to blocks (c) each bit of plain-text stream is transformed into different ciphertext bit (d) generates a key stream that's combined with plain-text data
Block cipher
(a) encrypts entire blocks of data, rather than smaller bits of data (as stream does) (b) transforms particular block of plain-text data into block of ciphertext data of same length (c) for many, ciphers = 64 bit block size
ECDHE
(a) further enhancement for Diffie-Hellman (b) allow the two parties to authenticate each other (c) through use of Elliptic Curve public-private key pairs, signatures, and public key certs (d) used in PKI system
Encapsulating security payload header (ESP)
(a) header applied to IP packet after encryption (b) data confidentiality, can't be view in transit (c) newer IPSec, AH done within ESP header (d) results in combined ESP/AH header
One-time pad
(a) implemented correctly, considered secure & theoretically impossible to break (b) pad genered from random values (c) uses math function called XOR (exclusive-OR) (d) encrypts plaint-text into cipher (e) only ever used ONCE
Nonrepudiation
(a) inability of a person to deny or repudiate the origin of a signature or document (b) or receipt of message/document
In digital handshake, the web server sending authentication information so the client knows the server it's talking to is the correct one. Why is this so important?
(a) its possible, through redirection or other methods (b) user can be switched from one website to another (c) without user's knowledge
Out-of-Band
(a) key exchange utilizes separate channel (b) outside norm to authenticate the user (c) verifies original channel is not compromised (d) ie: time-based code from phone or token device (e) susceptible to man-in-the-middle
Protection for one-way hashes by?
(a) longer hash values (b) less susceptible to brute-force attacks (c) good min start point is 128 bits size
IPSec features
(a) lower level than most app security protocols (ie SSL) (b) so more flexible (c) apps don't need to be aware of IPsec to make use
SSH vulnerabilities
(a) make sure to use latest version (b) early version susceptible to MITM (man-in-the-middle) attacks (c) headers of handshake could be captured to intercept session key
One-way hash
(a) math function that transforms a variable-sized message (b) into fixed-length value (c) referred to as either a hash value or message digest (d) difficult to invert, never decrypted
Additional GNU Privacy Guard (GPG) features
(a) no patented encryption algorithms (b) supports many tech: DSA, RSA, AES, 3DES, Blowfish, etc (c) uses asymmetric keys generated by GPG users (d) public keys exchanged with other users using Internet key servers (e) also use digital signatures to verify sender/integrity
Message digest 4 (MD4)
(a) one-way (b) produces 128 bit hash (c) optimized for 32-bit machines, fast (d) padded to ensure bit length plus 448 divides by 512-bit blocks (e) each block processed in 3 rounds (f) easily broken
Perfect forward secrecy (PFS)
(a) prevents compromise of one secret key or message leading to compromise of previous confidential messages (b) ie: if key compromised today, all previous messages still secret
Where does birthday attack get its name?
(a) probability that two or more people (b) in group of 23 (c) share same birthday is greater than half (d) result is birthday paradox
Integrity
(a) protect info from damage or deliberate manipulation (b) extreme criticality (c) guarantees stored info hasn't been changed or manipulated in transit (d) often used to create signatures
HTTPS features:
(a) protects comm channel using SSL & certs (b) to provide encrypted/protected comm (c) URL begins with HTTPS:// (d) attempts to prevent steal of CC info, or PII (e) while in transit from client to server and back (f) TCP port 443
Information Assurance
(a) protects info and info systems (b) secures: -confidentiality -integrity -authentication -non repudiation
Internet Security Association and Key Management Protocol (ISAKMP)
(a) protocol for performing auto key management (b)auto negotiates with remote VPN device (c) establish parameters for individual SAs (d) once SA good, session SA negotiated for securing normal VPN traffic (e) aka IKE Phase-1 and Phase-2 negotiations
Secure Shell (SSH) features:
(a) public key crypto for authentication (b) client connects to system via SSH (c) initial handshake process beings (d) special session key exchanged (e) starts session, and secure channel is created to allow access
How does the SSL protocol use public key cryptography in the handshake confirms?
(a) securely exchanges symmetric session keys (b) then used to encrypt comm (c) for duration of the session
Message digest 5 (MD5)
(a) slower, more complex than MD4 (b) security apps and integrity checking use (c) 128-bit has value using hexa, 32-char string (d) 4 distinct processing rounds (e) SHA is better
The reason an SA is established for VPNs?
(a) so all key exchanges can be encrypted (b) no keys need to be passed over Internet in clear text
Keyspace
(a) specific range of values (b) measured in bits usually
IPSec
(a) standards-based (b) suite of protocols (c) privacy, integrity, authenticity for info across IP networks (d) IP network layer (e) VPN
WPA passphrases
(a) strength only as good as passphrase used (8 - 63 characters) (b) not based on known dictionary words (c) include: upper/lowercase, numbers, special characters
Key stretching
(a) strengthens weak key, usually password (b) against brute-force (c) increases time to test each potential key (d) theoretical impossible, or at least too cost intensive to crack
Quantum crypto
(a) super advanced (b) protects keys through light-based quantum computing (c) uses quantum effect of light waves over fiber-optic cable (d) unbreakable light pulses to distribute shared key between two users (e) dumb expensive
Blowfish
(a) symmetric (b) 64-bit blocks (c) key length = 448 (d) 16 rounds of crypto computations (e) specific for 32-bit (f) lots faster than DES
Twofish
(a) symmetric (b) similar to Blowfish, but w/ 128 bit block size (c) keys up to 256 bit (d) free, open-source
IDEA
(a) symmetric block (b) 64 bit block data (c) key length 128 bit (d) blocks divided into 16 smaller sections (e) 8 crypto rounds (f) speed similar to DES (g) used in PGP (Pretty Good Privacy)
RC4
(a) symmetric stream cipher (b) 1997 created by RSA Data Security (c) speedy/simple (d) used in SSL, TLS, 40 bit & 128 bit WEP (e) secure exchange of shared key (f) use WPA2 though instead of WEP for wireless
Define encryption
(a) transformation of data into an unreadable form (b) ensures privacy by keeping the information hidden from those whom its not intended for
3DES
(a) tripled DES (b) 168-bit (c) 48 rounds of crypto computations (d) 2^56 times stronger than DES (e) main disadvantage: encrypt/decrypt 3x slower than DES
WPA2
(a) true replace of WEP (b) adds RSN (Robust Security Network) (c) which includes ad hoc networks, key caching, preroaming authentication, & CCMP (d) CCMP uses AES cipher to replace TKIP
Hash value collisions
(a) two hashed messages (b) same hashing value (c) when discovered, can be used to reveal underlying algorithm
Authentication
(a) uniquely ID individuals to provide assurance of identity (b) person is who they claim to be (c) encrypted digital certs used to ID users electronically on network (d) can also be smart cards
Identify the primary way of establishing SAs & managing VPN keys
(a) via ISAKMP [Internet Security Association and Key Management Protocol] (b) IKE [Internet Key Exchange]
HTTPS ensures:
(a) website is genuine (who it says it is) (b) client is not connecting to rogue site
HMAC (continued)
(c) authenticates a message and provides data integrity (d) Message Authentication Code (MAC) sent with message itself for receiver to authenticate the sender & verify integrity (e) size depends on hash (MD5,SHA-1,key size)
Digital signatures (continued)
(d) receiver gets signed message, decrypts hash with public key (verifies sender) and then performs own hashing function on message (e) calculated has then compared against unencrypted hash (f) if same, receiver knows message hasn't been altered in transmission
Transport layer security (TLS) continued
(e) secure connections to websites, email, IM, VoIP, LDAP (f) cipher suites support underlying security of TLS/SSL
SAs continued
(f) short-lived (g) renegotiated at intervals, ensures keys discarded regularly (h) same keys used only for small amount of time (I) and for limited amounts of data
RSA (Key Sizes)
1024 to 4096 bits
Twofish (Key Sizes)
128, 192, 256 bits
AES (Key Sizes)
128, 192, or 256 bits
MD5 Strength
128-bit hash Provides integrity
HMAC-MD5 Strength
128-bit hash Provides integrity and authenticity
RIPEMD
160 bit version of this is typically represented as 40-digit hexadecimal numbers. Original version was based on MD4 and comparable in performance to SHA-1
SHA-1 Strength
160-bit hash Provides integrity
HMAC-SHA1
160-bit hash Provides integrity and authenticity
static and ephemeral
2 categories of asymmetric keys
In-band key exchange
2 parties share an encryption key in the same communication channel as the encrypted data
Out-of-band key exchange
2 parties share symmetric encryption key in one communication channel and then exchange the encrypted data in a separate communication channel
Blowfish (Key Sizes)
32 to 448 bits
Symmetric Encryption Algorithms
3DES, DES and AES
RC4 (Key Sizes)
40 to 2048 bits
DES (Key Sizes)
56 bits
3DES (Key Sizes)
56, 112, or 168 bits
WPA2 Enterprise
802.11i standard. Authenticates with 802.1X and EAP, Encrypts with CCMP and AES cipher. TKIP and RC4 are optional.
WPA2 Personal
802.11i standard. Authenticates with PSK, Encrypts with CCMP using AES cipher. TKIP and RC4 are optional
Bitlocker
A Microsoft Windows Vista hardware enabled data encryption feature.
RC5
A block cipher that can accept different length keys & blocks.
Blowfish
A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.
RC2
A block cipher that processes blocks of 64 bits.
RC6
A cipher that has three key sizes (128,192, and 256 bit) and performs 20 rounds on each block.
Block Cipher
A cipher that manipulates an entire block of plaintext at the same time.
Homoalphabetic Substitution Cipher
A cipher that maps a single plaintext character to multiple ciphertext characters.
Transposition Cipher
A cipher that rearranges letters without changing them.
Monoalphabetic Substitution Cipher
A cipher that simply substitutes one letter or character for another.
Substitution Cipher
A cipher that simply substitutes one letter or character for another.
Diffie-Hellman
A cryptographic algorithm that allows two users to share a secret key securely over a public network.
dual-sided certificate
A digital certificate in which the functionality is split between two certificates.
SHA-2
A family of Secure Hash Algorithms that has variations, known as SHA-224, SHA-256, SHA-384, and SHA-512.
Twofish
A later derivation of the Blowfish algorithm that is considered to be strong.
Key
A mathematical value entered into the algorithm to produce a cipher.
File System
A method used by operating systems to store, retrieve, and organize files.
Whirlpool
A new cryptographic hash function that has received international recognition and adoption by standards organizations.
File Transfer Protocol (FTP)
A protocol of the TCP/IP suite used for transferring files.
Certificate Repository (CR)
A publicly accessible directory that contains digital certificates.
Certificate Policy (CP)
A published set of rules that govern the operation of a PKI.
Certificate Revocation List (CRL)
A repository that lists revoked digital certificates.
HTTPS (Hypertext Transport Protocol over Secure Socket Layer)
A secure version of HTTP sent over SSL/TLS.
RC4
A stream cipher that will accept keys up to 128 bits in length.
Certificate Practice Statement (CPS)
A technical document that describes in detail how the CA uses and manages certificates.
digital certificates
A technology used to associate a user's identity to a public key.
hierarcical trust model
A trust model that has a single hierarchy with one master CA.
distributed trust model
A trust model that has multiple CAs that sign digital certificates.
bridge trust model
A trust model with one Certificate Authority (CA) that acts as a facilitator to interconnect all other CAs.
direct trust
A type of trust model in which a relationship exits between two individuals because one person knows the other person.
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
A version of Diffie-Hellman that uses ECC to generate encryption keys. Ephemeral keys are recreated for each session.
Use which two algorithms as secure encryption algorithms?
AES-256, RSA
Which algorithms used as secure encryption?
AES-256, RSA
AES Stages
AddRoundKey, SubBytes, ShiftRows & Mix Columns
Padding
Additional data that is added to a hash to make it the correct number of bytes.
AES
Advanced Encryption Standard: A symetric cipher that has been approved as a replacement for DES
Internet Security Association & Key Management Protocol/Oakley (ISAKAMP/Oakley)
An IPsec protocol that allows the receiver to obtain a key & authenticate the sender using digital certificates.
Authentication Header (AH)
An IPsec protocol that authenticates that packets received were sent from the source identified in the header of the packet.
Encapsulating Security Payload (ESP)
An IPsec protocol through which confidentiality is achieved.
Stream Cipher
An algorithm that takes one character and replaces it with for another.
Elliptic Curve Cryptography
An algorithm that uses elliptic curves instead of prime numbers to compute keys.
RSA
An asymmetric algorithm published in 1977 and patented by MIT in 1983.
Elliptic Curve Cryptography (ECC)
An asymmetric encryption algorithm commonly used with small wireless devices because it doesn't take up much processing power to achieve desired level of security
Private Key
An asymmetric encryption key that does have to be protected.
Public Key
An asymmetric encryption key that does not have to be protected.
Digital Signature
An electronic verification of a sender.
Extended Validation SSL Certificates (EV SSLs)
An enhanced server digital certificate that requires more extensive verification on the legitimacy of the business.
Certificate Authority (CA)
An entity that issues digital certificates for others.
Elliptic Curve (ECC)
An option to RSA that uses less computing power and is popular for use on small devices like smart phones.
NTLMv2
As of Window NT 4.0, this replaces other versions of the LanMan hash. Can handle passwords greater than 14 characters. When possible, disable LANMAN hash to force this version for shorter passwords.
Diffe-Hellman
Asymmetric
Diffie-Hellman (Type)
Asymmetric
ECC
Asymmetric
ECC (Type)
Asymmetric
ElGamal
Asymmetric
RSA
Asymmetric
RSA (Type)
Asymmetric
Your organization wants you to implement an encryption system that ensures the sender and receiver of the encrypted message use different keys for encryption and decryption. Which type of encryption scheme would you use?
Asymmetric
___________ encryption scheme, where everyone use different, but mathematically related, keys for encryption and decryption purposes.
Asymmetric
Diffie-Hellman
Asymmetric Algorithm - used for key agreement only
RSA
Asymmetric Algorithm based on large prime numbers. Most commonly used
El Gamal
Asymmetric Algorithm used for transmitting digital signatures and Key exchanges. Provides the basis for DSA, this algorithm is based on logarithmic numbers and functions.
Everyone uses different, but math related, keys for encryption & decryption purposes. The heck is this called?
Asymmetric encryption
WPA Enterprise
Authenticates with 802.1x / EAP, uses TKIP encryption only and RC4 cipher
WPA Personal
Authenticates with PSK, Encryption is TKIP only, uses RC4 cipher
What does HMAC provide that standard hashes do not?
Authenticity through the use of a shared secret
Other Symmetric Key Algorithms
CCMP, Rijndael, CAST, SAFER, Blowfis and Twofish, RC4 & RC5
You have encrypted an e-mail message that is only meant to be seen by the recipient. A hacker has intercepted the message. When he views the message, what does he see?
Ciphertext
MD5
Created by Ron Rivist, 128 bit, 4 rounds Hashing algorithm. Previous versions have been cracked. Hash value is typically expressed as a hexadecimal number, 32 digits long. Used by many applications to verify integrity. Some collisions have been identified though.
Private Key Cryptography
Cryptographic algorithms that use a single key to encrypt and decrypt a message.
Whole Disk Encryption
Cryptography that can be applied to entire disks.
Most well-known and widely used cryptosystem in the world?
DES
3DES modes
DES-EEE3, DES-EDE3, DES-EEE2 & DES-EDE2
What storage medium still encrypts with DES-based encryption (3DES in particular) today?
DVD
DES
Data Encryption Standard: A symmetric block cipher that encrypts data in 64-bit blocks.
Plaintext
Data input into an encryption algorithm.
Ciphertext
Data that has been encrypted.
Metadata
Data that is used to describe the content or structure of the actual data.
EFS
Encrypting File System: An encryption scheme for Windows operating systems.
Symmetric Cryptographic Algorithm
Encryption that uses a single key to encrypt and decrypt a message.
Asymmetric Cryptographic Algorithm
Encryption that uses two mathematically related keys.
Public Key Cryptography
Encryption that uses two mathematically related keys.
Block Cipher
Encrypts data in blocks
Stream Cipher
Encrypts data one bit at a time
Confidentiality
Ensures that data is only viewable by authorized users.
ECC (Method)
Ephemeral
SHA, SHA2
Family of hash algorithms, consisting of 224, 256, 384 and 512 bit hashing functions. Used for verifying file integrity. The 256 version is the more trusted hashing algorithm now.
GPG
GNU Privacy Guard: Free, open-source software that is commonly used to encrypt and decrypt e-mail messages.
Which protocol would you use for message authentication and integrity in your encryption systems?
HMAC (Hash-based Message Authentication Code)
Gost
Hash
Lanman
Hash
MD
Hash
NTLM
Hash
RIPEMD
Hash
SHA
Hash
Most common problem with weak hashing algorithms?
Hash value collisions
You have been asked to implement hashing protocols that have a low possibility of a hashing collision. What is a hashing collision?
Hash values of two DIFFERENT messages result in the same value. (Can be used to crack hashing algorithm)
HMAC
Hash-based Message Authentication Code
A __________ value is used in encryption systems to create a "fingerprint" for a message.
Hashing
In the overall IA model, ______ is used to protect the integrity of a message and is most often used with digital signatures.
Hashing
This prevents the message from being accessed and changed on the way to its destination.
Hashing
Steganography
Hiding the existence of data within a text, audio, image, or video file.
This ensures communications cannot be read by a third party, traffic has not been modified in transit, and messages received are from a trusted source.
IPSec
Pad
In cryptography, a truly random key.
Collision
In cryptography, two different sets of data that produce the same hash.
The method of protecting info & info systems by providing Confidentiality, Integrity, Authentication, and Nonrepudiation?
Information Assurance (IA)
IDEA
International Data Encryption Algorithm: A symmetric algorithm that dates back to the early 1990s and is used mainly in Europe.
This technique works to counteract password-cracking attacks by creating an enhanced key; a result of (1) an initial key, and (2) hash function (or block cipher) being applied in a loop
Key stretching
What strengthens potentially weak passwords/phrases by applying cryptographic principles...increasing time costs of password cracking?
Key stretching
___ ________ strengthens potentially weak passwords or phrases by applying cryptographic principles to increase the time costs of password cracking.
Key stretching
A _______ is like a password that's combined with the algorithm to create _______, and encrypted data can't be deciphered unless same key used to decrypt it.
Key, ciphertext
Strength of the key depends on algorithm's?
Keyspace
LANMAN
LAN Manager
Popular hashing algorithms include:
MD5, SHA
MD2
Message Digest 2: A hash algorithm that takes plaintext of any length and creates a hash that is 128 bits in length after the message is divided into 128 bit sections.
MD4
Message Digest 4: A hash that was created in 1990 for computers that process 32 bits at a time.
MD5
Message Digest 5
MD5
Message Digest 5: A revision of MD4 that is designed to address its weaknesses.
MD
Message Digest: A common hash algorithm of several different versions.
NTLM
NT LAN Manager
OTP
On-Time Pad: Compining a truly random key with plaintext.
A ________ pad must be used only once, must be truly random, must be communicated securely, and must be as _______ as the message it is encrypting.
One-time, pad
A __________ hash is a mathematical function that transforms a variable-sized message into a fixed-length value, referred to as either a ________ value or ________ digest.
One-way, hash, message
LanMan
Password hash restricted password length to 14 characters or less, used pre Windows NT. It first divides the password into two seven-character blocks, and then converts all lower case letters to upper case. Microsoft recommends turning this hash off as of Windows Vista. Uses DES
List encryption process:
Plain txt -> Encrypt -> Cipher -> Decrypt -> Plain txt
PGP
Pretty Good Privacy: A commercial product that is commonly used to encrypt e-mail messages.
Non-Repudiation
Prevents a party from denying an action
Algorithm
Procedures based on mathematical formula; used to encrypt dada.
Digital Signatures
Provide authentication, non-repudiation, and integrity
Integrity
Provides assurance that data has not been modified.
PKI
Public Key Infrastructure
RIPEMD
RACE Integrity Primitives Evaluation Message Digest
Big Data
Refers to databases so large that tools don't exist to extract meaningful info from them
RC
Rivest Cipher: A family of cipher algorithms designed by Ron Rivest.
Secure Hash Algorithm (SHA)
SHA-0 (not used), SHA-1 (160-bit), SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512) and SHA-3 (different than SHA-2, but same hash bit quantities)
SHA-2 Variations and Strengths
SHA-224, SHA-256. SHA-384, SHA-512 (224, 256, 384, 512-bits respectively) Provides integrity
SHA-3 Variations and Strengths
SHA-224, SHA-256. SHA-384, SHA-512 (224, 256, 384, 512-bits respectively) Provides integrity
A low-cost alternative to normal VPN communications because of its simple installation, and delivery of well-encrypted, secure communications?
SSH
Use __________ as an encrypted alternative to Telnet or other mechanisms that use clear text in their communications.
SSH
Which encryption protocol should be used as alternative to Telnet or other clear text communication?
SSH (Secure shell)
RSA is used in...
SSL, PGP, IPSec, DES & AES
Encryption protocols include __________ and _______ for secure web communications, and _______ for VPN communications.
SSL/TLS, HTTPS, IPSec
Encryption
Scrambles or ciphers data to make it unreadable if intercepted.
Because math algorithms are usually publicly known, the crypto is strengthened with the addition of?
Secret key
SHA
Secure Hash Algorithm: A Secure Hash Algorithm that creats hash values of longer lengths.
SHA
Secure Hashing Algorithm
When you connect to a secure website, you are asked to accept the server certificate. What is the function of the digital certificate?
Securely validates the identity of the server and its public key
RSA (Method)
Static
Diffie-Hellman (Methods)
Static RSA-based, Ephemeral ECC-based
Hiding data in another type of media that effectively conceals the existence of the data.
Steganography
What encryption scheme would you use if your company wants to create an invisible watermark hidden within the images on their website to identify the images if they are used by another company?
Steganography
In simple form, _____ cipher takes plain text and substitutes the original characters in the data with other characters.
Substitution
3DES (Type)
Symmetric
3Des
Symmetric
AES
Symmetric
AES (Type)
Symmetric
AES256
Symmetric
Blowfish
Symmetric
Blowfish (Type)
Symmetric
CAST
Symmetric
DES
Symmetric
DES (Type)
Symmetric
IDEA
Symmetric
In a __________ encryption scheme, both parties use the same key for encryption and decryption purposes.
Symmetric
RC4
Symmetric
RC4 (Type)
Symmetric
Twofish
Symmetric
Twofish (Type)
Symmetric
You have sent your friend a secret, encrypted message. The key you used to encrypt the message is the same key with which your friend will decrypt the message. What type of encryption scheme is used?
Symmetric
AES
Symmetric Block Encryption block size of 128 bits, and a key size of 128, 192, or 256 bits, based on the Rijndael cipher
TwoFish
Symmetric Block Encryption, 128 bit block, key sizes of 128, 192 or 256 bits, Public Domain, related to Blowfish
Blowfish
Symmetric Block Encryption, 64 bit block and key sizes of 32-448 bits, Public Domain
DES
Symmetric Block Encryption, 64 bit block, 56 bit key. Developed by IBM and based on the Lucifer cipher, Cracked
Two protocols used to secure info between server & client systems?
TLS & SSL
SHA-1
The first version of Secure Hash Algorithm.
RC4
The most widely used software stream cipher. It is used in popular protocols such as Secure Sockets Layer (SSL) , TLS, WEP and WPA. Key sizes of 40-2,048 bits.
Hashing
The process for creating a unique signature for a set of data.
Decryption
The process of changing ciphertext into plaintext.
Encryption
The process of changing plaintesxt into ciphertext.
One-way Hash
The process of creating a unique signature of a set of data.
Nonrepudiation
The process of proving that a user performed an action.
Cryptography
The science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users can't access it.
Digest
The unique signature created by a hashing algorithm.
Hash
The unique signature created by a hashing algorithm.
In a _________ cipher, the characters are rearranged through math permutations. These can be real complex when used with hard math formulas.
Transposition
3DES
Triple Data Encyption Standard: A symmetric cipher that was designed to replace DES.
TPM
Trusted Platform Module: a chip on the motherboard of the computer that provides cryptographic services.
Cleartext
Unencrypted data
Message Authentication Code (MAC)
Used for integrity by TLS and SSL
CCMP
Uses 128-bit AES encryption with a 48 bit initialization vector, more CPU intensive than RC4
Symmetric Encryption
Uses the same key to encrypt and decrypt data
Asymmetric Encryption
Uses two keys (public and private) created as a matched pair
Authentication
Validates an identity
Rivest Cipher 4 (RC4)
WEP, SSL/TLS uses to stream cipher using between 40-2048 bits for symmetric encryption (Microsoft recommends disabling RC4 and using AES)
Which wireless standards are NOT good for use anymore?
WEP, WPA
Dont' use WEP and WPA for encrypting wireless networks, use this instead.
WPA2
Which standard should be used for encrypting wireless networks?
WPA2
PBKDF2
WPA2, Apple's iOS mobile OS, and Cisco OS's use this to increase the security of their passwords (salt adds at least 64 bits)
Highest level of encryption to use for wireless networks?
WPA2, if available
Name the most recent & secure form of encryption for wireless networks
Wi-Fi protected access (WPA)
HMAC
Works with any cryptographic partner, Symmetric Hash creates a hash of a hash that provides integrity and authenticity for messages. Works with any cryptographic partner, MD5 AND SHA are common.
encryption certificate
a dual-sided certificate used for the actual encryption of the message.
Math algorithms usually known publicly, how is cryptosystem strengthened?
addition of a secret key
salt the password
additional random bits to make them even more complex
Message Digest 5 (MD5)
common hashing algorithm that produces a 128-bit hash and is displayed in 32 hexadecimal characters
Acceptable Use Policy (AUP)
defines proper system usage and might include privacy statements
Memorandum of Understanding (MOU)
defines responsibilities of each party, less formal than an SLA, many times used in conjunction with an ISA and indicates 2 or more parties working together toward a common goal
SSL uses a process known as?
digital handshake
Central function of cryptography?
encryption
block cipher
encrypts data in specific-block sizes of 64-bit or 128-bit
Personally Indentifiable Information (PII)
full name; birthday and birth place; medical and health info; street or email address info; personal characteristics, such as biometric data; any type of identification number, such as SSN or driver's license number
Public Key Infrastructure (PKI)
group of technologies used to request, create, manage, store, distribute and revoke digital certificates
Diffie-Hellman
key exchange algorithm used to privately share a symmetric key between 2 parties
In-Band
key exchanges take place in normal communication channel
Secure/Multipurpose Internet Mail Extension (S/MIME)
one of the most popular standards used to digitally sign and encrypt email and uses RSA for asymmetric encryption and AES for symmetric encryption
Private company info classifications
proprietary, private, classified or public
What has been the basis of cryptography throughout history?
protection of sensitive communications
digital signatures
provide authentication, non-repudiation and integrity. only the sender's public key can decrypt the hash, providing verification it was encrypted with the sender's private key
wildcard certificate
reduce the management burden
Bcrypt
salts the passwords by adding additional bits before encrypting with Blowfish
Both parties use _______ in a symmetric encryption scheme.
same key
hash
sometimes called a checksum, a number derived from performing a calculation on data, such as a message, patch or update file (common: MD5 and SHA)
Service Level Agreement (SLA)
stipulates performance expectations between a company and a vendor
Blowfish
strong symmetric block cipher that supports key sizes between 32 and 448 bits. faster than AES.
Advanced Encryption Standard (AES)
symmetric algorithm that typically uses 128-bit, 192-bit and 256-bit keys.
Data Encryption Standard (DES)
symmetric block cipher dating back to 1970s. it encrypts in 64-bit blocks, but it only uses a small key of 56 bits and can be broken with brute force attacks
Triple Data Encryption Standard (3DES)
symmetric block cipher that encrypts data in 3 separate passes and multiple keys in 64-bit blocks with key sizes of 56, 112 and 168 bits.
Interconnection Security Agreement (ISA)
tech and security requirements for planning, establishing, maintaining and disconnecting a secure connection between 2 or more entities
key stretching
technique used to increase the strength of the stored passwords
Business Partner Agreement (BPA)
typically identifies shares of profits or losses each partner will take, their responsibilities to each other what to do if a partner chooses to leave. primary benefit is that it can help settle conflicts when they arise
asymmetric encryption
uses 2 keys (public and private) created as a matched pair to create a very strong encryption, but very resource intensive method
symmetric encryption
uses the same key to encrypt and decrypt data