Module 2, Unit 1 - Cryptography

A cryptographic function may produce collisions (where the function produces the same output for two different inputs). These may be connected to weak keys. The birthday paradox means that these collisions are less computationally intensive to attack than pure brute force (that is, you do not need to try every possible permutation to discover a weakness).

Birthday Attack

An encryption method where the plaintext is divided into equal-size blocks that are then subjected to complex transposition and substitution operations, based on the value of the key used.

Block Cipher

How are cryptographic systems protected against brute force attacks?

By using a key length that increases the length of time to brute force the key given the processing resources of the system.

How are cryptographic authentication systems protected against replay attacks?

By using once-only session tokens or timestamping sessions.

A public key that has been affirmed by some agency, validating that the owner of the key is really who he or she says he or she is. This allows a sender to encrypt a message using the public key in the knowledge that only the recipient will be able to read it (using their linked private key). These types of public keys can also be used as proof of identity (for authentication or signing documents).

Certificate

A symmetric encryption protocol that is considered weak in comparison with modern standards, such as AES.

Data Encryption Standard (DES)

What term is used to describe data stored on the flash drive memory of a smartphone?

Data-at-Rest (this state means that the data is in some sort of persistent storage media - such as a smartphone's flash drive).

The process where an attacker intercepts some authentication data and reuses it to try to re-establish a session.

Replay Attack

You want to ensure that data stored on backup media cannot be read by third-parties. What type of security control should you use?

Symmetric Encryption (data-at-rest can be protected using whole disk/database/file or folder encryption. Since this can amount to large amounts of data symmetric is the best option as asymmetric data amounts cannot exceed key length).

A modern encryption suite providing symmetric encryption (the same key is used to encrypt/decrypt). This encryption suite is a very strong cipher with many applications, including being part of the WPA2 Wi-Fi encryption scheme.

Advanced Encryption Standard (AES)

Which symmetric algorithm is being selected for use in many new products?

Advanced Encryption Standard (AES) (a block cipher designed to replace 3DES with a block size of 128 bits and key sizes of 128, 192, and 256 bits)

Any designed method of performing a process, but in encryption, the term specifically refers to the technique used to encrypt a message. The strength of this encryption mechanism depends to a large extent on the size of its key.

Algorithm

What is the process of digitally signing document?

Alice generates a digest of the message using a pre-agreed secure hashing algorithm and then encrpyts the digest with her private key (this is the signature), it is then attached to the message and sent to Bob who uses Alice's public key to decrypt the signature and compares its value to one that he generates on his own using the same secure hashing algorithm Alice used.

This cryptographic algorithm uses different keys (public and private; the keys are linked but the private key is not derivable from the public one).

Asymmetric Algorithm

The choice of encryption algorithm is mostly driven by application (for example, symmetric encryption is the best choice for file or folder encryption for performance reasons). The basic measure of strength within an algorithm is the key size. Most current algorithms support key sizes of 128-bit or better. It is important to note that while an algorithm may be secure, its implementation in a particular product may not be.

Comparative Strength of Algorithms

The basis of most "Something You Have" authentication systems. A general example of this process is that a user is given a smart card that stores a digital certificate issued to the user by a certificate authority. To authenticate, the user presents the card to the reader and inputs a PIN (which protects against the use of a stolen card)

Cryptographic Access Control

A mathematical function that transforms plaintext into ciphertext in such a way that the plaintext cannot be recovered without knowledge of the appropriate key. A symmetric algorithm uses the same key for encrypting and decrypting; an asymmetric algorithm uses different keys (public and private; the keys are linked but one is not derivable from the other). A hashing algorithm is one-way only; once encrypted, the ciphertext cannot be decrypted.

Cryptographic Algorithm

A general term describing when something can only be viewed by someone in possession of the correct key because it has been encrypted. In other words, only a person with a key can read a message, so it is said to be this. The main problem with this is secure distribution of the key. Typically, asymmetric algorithms are processor and memory intensive, they are not suitable for encrypting long messages.

Cryptographic Confedentiality

It is often important to prove that a message has not been modified in transit and to confirm the identity of the sender. This can be done using a cryptographic hashing function and digital signature respectively. If both the sender and receiver use the same hash function on the same message, they should derive the same value (a message digest). The message digest is also encrypted using an asymmetric algorithm and the sender's private key. The recipient uses the sender's linked public key to decrypt the hash. This provides authentication, as only the sender ( the possessor of the private key) could have encrypted the message in this way. This also provides non-repudiation (that is, the sender cannot deny creating and sending the message).

Cryptographic Integrity and Authentication

These are widely-accepted and used normal formats and processes for cryptography. For example, the PKIX RFCs for digital certificates and PKI. Many cryptographic applications have been developed from RSA's PKCS. Cryptographic products may be certified by Common Criteria and FIPS.

Cryptographic Standards

What cipher(s) can be selected to enable Perfect Forward Secrecy when configuring TLS?

Diffie-Hellman Ephemeral mode (DHE or EDH) or Elliptic Curve Diffie-Hellman Ephemeral mods (ECDHE)

Used to prove the identity of the sender of a message and show that a message has not been tampered with since the sender posted it.

Digital Signature

A different means of creating key pairs such that it is easy to determine that the keys are linked but very difficult to determine one key from the other. The other advantage of this key creation methodology is that the algorithm is more efficient, allowing smaller keys to give the same level of security as larger RSA keys.

Elliptic-Curve Cryptography (ECC)

What is the principal use of symmetric encryption?

For confidentiality only (because the same key must be used to encrypt and decrypt the message)

What is the relevance of a "seed" to cryptographic functions?

It is a True or Pseudo Random Number Generator (TRNG or PRNG) that is used as a value to add strength to key generators.

What is CryptoNG?

It is a Windows crypto module (API) that provides encryption and / or authentication services (crypto module is how algorithms underpinning cryptography must be interpreted and packaged as a computer program or programming library).

What features of a one-time pad make the system cryptographically secure?

It is generated by a truly random algorithm and they must only be used once.

An encryption cipher scrambles a message (plaintext) using an algorithm. The algorithm is given a key so that someone intercepting the message could not just reverse the algorithm to unscramble the message; they must also know the key. In symmetric encryption, the same key is used for encryption and decryption. In asymmetric encryption, different keys are used (one key is linked to but not derivable from the other).

Key (encryption)

This algorithm was designed in 1990 by Ronald Rivest, on of the "fathers" of modern cryptography. The most widely used version was released in 1991, which uses a 128-bit hash value.

MD5 (Message Digest Algorithm v5)

The process of intercepting large amounts of encrypted information and using statistics and mathematical analysis to find a key to decrypt the method. If a cryptographic function (algorithm) has known weaknesses, an attack can be formulated to exploit this ( for example, to decrypt a document or to fake a digital signature).

Mathematical Attack

In asymmetric encryption, this is known only to the holder and is linked to, but not derivable from, a public key that has been distributed to those which the holder wants to communicate securely. This object can be used for encryption and decryption, but the same object should not be used for both.

Private Key

A cryptographic hashing algorithm created to address possible weaknesses in MDA.

SHA (Secure Hash Algorithm)

Which offers better security - MD5 of SHA?

SHA (it was created to address the collision weakness found in MD5)

An encryption method where each byte of data in the plaintext is encrypted one at a time.

Stream Cipher

An encryption method where a single secret key is used to both encrypt and decrypt data.

Symmetric Algorithm

What are the main commercial goals of cryptography supporting obfuscation?

Used in conjunction with source code (to make it difficult for a person reading it to understand how it works) and Digital Rights Management protection for copyright content (such as music, videos, and books

You are distributing a software application to clients and want to provide them with assurance that the executable files has not been modified. What type of security control is appropriate for this task?

Using a secure hashing function