Security+ Cryptography
salt
Bits added to a hash to make it resistant to rainbow table attacks.
X.509
The X.509 standard is the most widely used standard for digital certificates.
rainbow table
A table of precomputed hashes used to guess passwords by searching for the hash of a password.
cryptographic hash
A function that is one-way (nonreversible), has a fixed length output, and is collision resistant.
PRNG
A pseudo-random number generator is an algorithm used to generate a number that is sufficiently random for cryptographic purposes.
Challenge Handshake Authentication Protocol (CHAP)
An authentication protocol that periodically reauthenticates.
symmetric cipher
Any cryptographic algorithm that uses the same key to encrypt and decrypt. DES, AES, and Blowfish are examples.
asymmetric cipher
Cryptographic algorithms that use two different keys—one key to encrypt and another to decrypt. Also called public key cryptography.
LEAP
Lightweight Extensible Authentication Protocol was developed by Cisco and has been used extensively in wireless communications. LEAP is supported by many Microsoft operating systems, including Windows 7. LEAP uses a modified version of MS-CHAP.
CA Certificate
The CA certificate is issued by one CA to another CA. The second CA, in turn, can then issue certificates to an end entity.
DER
The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension.
PEM
The PEM extension is used for different types of X.509v3 files that contain ASCII (Base64) armored data prefixed with a -----BEGIN ... line.
X.509
The X.509 standard defines the certificate formats and fields for public keys. It also defines the procedures that should be used to distribute public keys. The current version of X.509 certificates is version 3, and it comes in two basic types:
End-Entity Certificate
The most common is the end-entity certificate, which is issued by a CA to an end entity. An end entity is a system that doesn't issue certificates but merely uses them.
Code signing certificates
These are X.509 certificates used to digitally sign some type of computer code.
P7b
These are Base64-encoded ASCII files. They actually include several variations: P7b, P7C, etc.
certificate-signing request (CSR)
This is a request formatted for the CA. This request will have the public key that you wish to use and your fully distinguished name (often a domain name). The CA will then use this to process your request for a digital certificate.
CER
This is an alternate form of .crt (Microsoft Convention). You can use Microsoft crypto API to convert .crt to .cer (both DER-encoded .cer, or base64 [PEM]-encoded .cer). The .cer file extension is also recognized by IE as a command to run an MS cryptoAPI command (specifically rundll32.exe cryptext.dll, CryptExtOpenCER).
PFX
This is an archive file for PKCS#12 standard certificate information.
Protected Extensible Authentication Protocol
This protocol encrypts the authentication process with an authenticated TLS tunnel. PEAP was developed by a consortium including Cisco, Microsoft, and RSA Security. It was first included in Microsoft Windows XP.
EAP-TTLS (Tunneled Transport Layer Security)
This protocol extends TLS. It was first supported natively in Windows with Windows 8. There are currently two versions of EAP-TTLS: EAP-TTLSv0 and EAP-TTLSv1.
Extensible Authentication Protocol - Transport Layer Security
This protocol utilizes TLS in order to secure the authentication process. Most implementations of EAP-TLS utilize X.509 digital certificates to authenticate the users.
EAP-FAST or Flexible Authentication via Secure Tunneling
This protocol was proposed by Cisco as a replacement for the original EAP. EAP-FAST establishes a TLS tunnel for authentication, but it does so using a Protected Access Credential (PAC).
P12
This refers to the use of PKCS#12 standard.
Machine/computer certificates
X.509 certificates assigned to a specific machine. These are often used in authentication schemes. For example, in order for the machine to sign in to the network, it must authenticate using its machine certificate.
Extensible Authentication Protocol (EAP)
a framework frequently used in wireless networks and point-to-point connections. It was originally defined in RFC 3748, but it has been updated since then. It handles the transport of keys and related parameters. There are several versions of EAP, which we will look at briefly:
A certificate
a mechanism that associates the public key with an individual. It contains a great deal of information about the user. Each user of a PKI system has a certificate that can be used to verify their authenticity.
Certificate Pinning
a method designed to mitigate the use of fraudulent certificates. Basically, once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host. Should a different key or certificate be seen for that host, that might indicate an issue with a fraudulent certificate.
Domain validation certificates
among the most common certificates. These are used to secure communication with a specific domain. This is a low-cost certificate that website administrators use to provide TLS for a given domain.
self-signed certificate
an easy task to perform using Microsoft Internet Information Services (IIS). The certificate will be X.509, but it will be digitally signed by you. This means that although it can be used to transmit your public key, it won't be trusted by browsers. It will instead generate a certificate error message.
A certificate authority (CA)
an organization that is responsible for issuing, revoking, and distributing certificates.
Extended validation certificates
require more validation of the certificate holder; thus, they provide more security.
Wildcard certificates
can be used more widely, usually with multiple subdomains of a given domain. So rather than have a different X.509 certificate for each subdomain, you would use a wildcard certificate for all subdomains.
Certificate chaining
certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA's certificate. In turn, that CA trusts a root certificate. In this example, the CA's certificate is an intermediate CA, and the ultimate trust is the root certificate.
Subject Alternative Name (SAN)
not so much a type of certificate as a special field in X.509. It allows you to specify additional items (IP addresses, domain names, and so on) to be protected by this single certificate.
A registration authority (RA)
offloads some of the work from a CA. An RA system operates as an intermediary in the process: it can distribute keys, accept registrations for the CA, and validate identities. The RA doesn't issue certificates; that responsibility remains with the CA.
User certificates
used for individual users. Like machine/computer certificates, these are often used for authentication. Users must present their certificate to authenticate prior to accessing some resource.
Root certificates
used for root authorities. These are usually self-signed by that authority.
Email certificates
used for securing email. Secure Multipurpose Internet Mail Extensions (S/MIME) uses X.509 certificates to secure email communications.