WGU - Introduction to Cryptography (v5)

SIMON

- Light-Weight Symmetric Block Cipher - 32, 48, 64, 96, or 128-bit Block Size - Variable Key Size - Optimized for Hardware Implementations

PRESENT

- Light-Weight Symmetric Block Cipher - 64-bit Block Size - 80 or 128-bit Key Sieze - 32 Rounds - AES Replacement for Light-Weight Implementations

SPECK

- Light-Weight Symmetric Block Cipher - Optimized for Software Implementations

Enocoro

- Light-Weight Symmetric Stream - 128-bit Key Size - 64-bit IV

Rabbit

- Light-Weight Symmetric Stream - 128-bit Key Size - 64-bit IV

Grain

- Light-Weight Symmetric Stream - 80-bit Key Size

Trivium

- Light-Weight Symmetric Stream - 80-bit Key Size - 80-bit IV

Mickey v2

- Light-Weight Symmetric Stream - 80-bit Key Size - Variable up to 80-bit IV

RC5

- Light-Weight/Symmetric Block - 32, 64, or 128-bit Block Size - 0-2048-bit Key Size - Conventional method suitable for light-weight implementations.

XTEA

- Light-Weight/Symmetric Block - 64-bit Block Size - 128-bit Key Size

Cipher Block Chaining (CBC)

- Minor step up from ECB with the incorporation of an Initialization Vector (IV) from the first block. - Results of encryption from the previous block is XOR'd with the plaintext of the current block. That result is input into the encryption process of the current block.

Electronic Code Book (ECB)

- Most Basic, weak, and unsecure mode. - Each block is processed separately. No salt or IV is used and the same key is used to encrypt each block. The same ciphertext will be output EVERY TIME the same plaintext is encrypted.

Main Advantages of Elliptic Curver Methods

- Much smaller keys, which speeds up the encryption process. - Creation of the curves are more difficult than generating prime numbers, which makes it more difficult to crack than RSA. - Can be used to factorize values, such as finding the prime number factors within RSA.

2 Mono-Alphabetic Ciphers

- Pigpen - Caesar

Most Common Tunnelling Protcols

- Point-to-Point Tunnelling Protocol (PPTP) - Layer 2 Tunnelling Protocol (L2TP) - IPSec

2 Symmetric Stream Ciphers

- RC4 - ChaCha

WEP

- RC4 - Symmetric Stream - 40-bit Key Size - 24-bit IV Size

4 Asymmetric Ciphers

- RSA - ECC - EL Gamal - DSA

4 Basic Steps for Obtaining a Digital Certificate

- Requester generates a key pair. - Requester creates a Certificate Signing Request (CSR) - Trusted CA generates the digital certificate for the requester. - Trusted CA signs the requester's digital certificate with the CA's own private key.

Camellia

- Symmetric Block

RC6

- Symmetric Block

TwoFish

- Symmetric Block - 1-256-bit Key Size (Common = 128, 192, or 256)

AES

- Symmetric Block - 128-bit Block Size - 128, 192, or 256-bit Key Size

Blowfish

- Symmetric Block - 32-448 Key Size (Common = 128, 192, or 256)

RC2

- Symmetric Block - 64-bit Block Size - 1-128-bit Key Size (Suggested = minimum of 40 bits)

IDEA

- Symmetric Block - 64-bit Block Size - 128-bit Key Size - >17 Rounds

DES

- Symmetric Block - 64-bit Block Size - 56-bit Key Size - 16 Rounds

Skipjack

- Symmetric Block - 64-bit Block Size - 80-bit Key Size

3DES

- Symmetric Block - 64-bit Blocks - 112-bit Key Size - 48 Rounds

RC4

- Symmetric Stream - 1-256-byte Key Size - Commonly used with SSL and WEP.

WPA

- TKIP and RC4 - Symmetric Steam - 128-bit Key Size - 48-bit IV Size

Why are conventional cryptography solutions impractical for use in IoT and Embedded Systems?

- Take up too much processing power. - Take up too much physical space. - Consume too much battery power.

2 Poly-Alphabetic Ciphers

- Vigenere - Enigma Machine

The MIC (Message Integrity Check)

- When using WPA-2, the MIC portion of the 4-way handshake is calculated using HMAC-MD5.

Pseudo-Random Number Generators (PRNGs)

A method that repeats the random numbers after a given time (periodic). They are fast and are also deterministic and are useful in producing a repeatable set of random numbers.

Caesar Cipher

A mono-alphabetic substitution cipher known as "shift" cipher. Involves plaintext being replace by a letter some fixed number of positions down the alphabet.

Pigpen Cipher

A mono-alphabetic substitution cipher that makes use of mapping plaintext characters to graphical chracters, rather than to alphabetic ones.

Bcrypt

A more powerful hash generator option for passwords that uses salt to create a non-recurrent hash.

Kerberos

A new authentication architecture that address scalability issues of prior authentication solutions and utilizes tickets as part of the identification and authentication process.

Vigenere Cipher

A polyalphabetic cipher that involves using a different mapping, based on a keyword, for each character of the cipher.

Decryption

A process that reverses encryption; changes ciphertext into plaintext.

Cramer-Shoup

A public key encryption method that is an extension of El Gamal but adds a one-way hashin method which protects an adaptive chosen ciphertext attack.

El Gamal

A public key method that is used in both encryption and digital signing. It is used in many applications and uses discrete logarithms.

Blockchain

A publicly available ledger of transactions that allows the Bitcoin network to know the number of bitcoins that a given user has in their account. Can be public or private.

Nonce

A random number that is used only once, and is generated by one part and sent using a secure handshaking process.

Hashing Weakness

A weakness of one-way hashing is that the same piece of plaintext will result in the same ciphertext, unless salt is applied.

Diffie-Hellman

A widely used key exchange algorithm used to exchange the secret key in symmetric cryptography.

Homophonic Substitution Code

Aims to overcome the ease at which letter and symbol probability in ciphertext can be analyzed, by varying the number of codes mapped to each character.

Hashed One Time Password (HOTP)

Allows a new unique passcode to be created each instance, based on a counter value and an initial seed.

Timed One Time Passwords (TOTP)

Allows for a new unique passcode to be created for each instance, based on an initial seed for a given time period.

One Time Passwords (OTP)

Allows for a new unique password to be created for each instance, based on an initial seed.

Online Certificate Status Protocol (OCSP)

An alternative to CRL; OCSP is a light-weight online service that can be used to check the validity of a certificate.

Identity-Based Encryption (IBE)

An alternative to PKI, and involves generating the encryption key from a piece of the identity of the recipient.

Chosen Ciphertext Attack (CCA)

An attacker has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the attacker can attempt to recover the hidden secret key used for decryption.

Morse Code

An encoding method, rather than a cipher, that works by translating characters into sequences of dots and dashes.

Homomorphic Encryption

An encryption method that can perform mathematical operations on ciphered values. (Before Decryption)

Elliptic Curve Cryptography

An inmproved solution over RSA which is often used in key exchange methods.

OpenSSL

An open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificates, and identify certificate information.

Public Key Encryption

Asymmetric Cryptography that makes use of a key pair (one public, one private) to perform encryption and decryption. If a given key in a key pair is used for encryption, only the opposit key in that pair can perform the reverse decryption.

WIF (Wallet Interchange Format) Key

Bitcoins generate a 256-bit random key which is converted into a WIF Key, which has a 256-bit private key and a 512-bit public key.

RSA and Paillier

Both support some form of homomorphic encryption.

Values of ASCII Coding

Decimal, Binary, and Hexadecimal.

IPSec Phase 2

Defines the policies to be used for the tunnel. Includes the lifetime of the SA and whether we are using AH and/or ESP.

Hashing

Describes one-way or irreversible encryption used for protecting the integrity of data and in authentication applications.

Psuedorandom Function (PRF)

Durring Ephermeral Diffie-Hellman with RSA (DHE-RSA) operation, a pre-master secret is used to create a master key by using a PRF.

Common Block Cipher Modes

Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR) Mode.

Rail Fence/Code Cipher

Employs a method to scramble text by writing it in a sequence accross a number of rails.

IPSec Transport Mode

End-to-end tunnelling, where the encryption scope spans across the entire network.

Smart Contracts

Ethereum was built on the Bitcoin/Blockchain concept but included the concept of smart contracts. Smart Contracts enables users to create their own contacts which will be strictly abided to.

Major Problem of Symmetric-Key Encryption

Figuring out how to pass the secret key between communicating endpoints.

RSA Encryption

Has a heacy overhead on processor loading and is not well suited for embeded systems.

Self-Signed Certificate

Has no credibility at all as there is no validation of it, as anyone can produce a self-signed certificate.

Quantum Computers

Have fast multiplication circuits, and thus can be used to perform multiplications and search a range of prime numbers at a speed which would break most existing RSA implementations.

Two Main Applications of PKE

Identity Checking and Key Protection

Non-Synchronizing Cipher

If any part of the ciphertext is lost, it cannot be rebuilt as the current cipher block is based on the previous one.

Hold Status

In this case the certificate's trust level is on hold, and can be reversed at some time in the future.

Symmetric Stream Encryption

Involves encrypting one bit at a time. Typically much faster than block encryption and is typically applied in real-time applications.

DHE_Export Downgrade Attack

Involves forcing the key negotion process to default to 512-bit prime numbers, a bit size that facilitates precomputation of associated keys within a reasonable time frame.

Symmetric Block Encryption

Involves grouping data into blocks and encrypting the individual blocks.

Public-Key Cryptography

Invovles using a key pair to encrypt and decrypt a message.

Polyalphabetic Code/Substitution

Is any cipher based on substitution, using multiple substitution alphabets.

The Purpose of MIC

Mainly gaurds againts the bit flipping attacks identified within WEP.

BIFID Cipher

Makes use of a grid which maps letters into numeric values as part of the encryption process.

Forward Secrecy (FS)

Means that a compromise of the long-term keys will not compromise any previous session keys.

Entropy

Measures the degree of uncertainty of the encryption process.

Intermediate Authentication

Only part of the conversation between entities is authenticated.

FREAK (Factoring RSA Export Keys)

Pertains to the vulnerability in Diffie-Hellman that involves the ease at which 512-bit keys can be determined using graphic processors running in the Cloud.

Time Stamp Protocol (TSP)

Provides a cryptography method to give a verifiable method that a data entity was created at a defined time.

Public Blockchain Implementations

Public blockchains offer the best security and trust between peers because everyone can be invovled in policing the system.

Major Friedrich Wilhelm Kasiski

Published the first successful attack against the Vigenere cipher in 1863.

Genesis Record

Refers to the first Bitcoin transaction created.

TOR Network

Routing is done using computers of volunteers around the world to route the traffic around the Internet, and within each hop the chances to trace the original source significantly reduces, and anonymity increases.

Public Key

Should be the only key distributed or shared/exchanged.

Time Resetting Attack

Some encryption schemes use the time of the computer to create the key. Resetting this time or determining the time that the message was created can give some useful information to the intruder.

Static Key vs. Ephemeral Key

Static keys come from a digital certificate, and ephemeral keys are generated for each connection.

Secret Key Encryption

Symmetric Cryptography that makes use of a single secret key for both encryption and decryption.

IPSec Handshake

Takes place on UDP port 500 for key exchange. If this is blocked, the tunnel will not be created.

Encapsulated Security Payload (ESP)

Takes the original data packet, and breaks off the IP header. The rest of the packet is encrypted, with the original header added to the start, along with a new ESP field at the start, and one at the end.

Protocol Number 51

The IP protocol number that the Authentication Header (AH) protocol uses.

50

The IP protocol number used by ESP.

FIPS 180-4

The Secure Hash Standard

Bitcoin Wallet

The WIF address is in a Base-58 format for the random key, and is stored in the Bitcoin Wallet.

VPN Tunnelling

The aim is to create a connection from a host machine to a trusted network which is tunneled through a public network.

IPSec Tunnel Mode

The connection is tunneled over a public network, but the network traffic is unprotected on either side of the connection. This mode allows for the inspection of network packets on either side.

Root Certificate

The core part of PKI. These are self-signed certificates from a root CA, where all the certificates signed by a root certificate are trusted.

.CER

The file type digital certificates are most often exported to.

Post-Quantum Cryptography

The goal is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.

Greatest Common Divisor (GCD)

The largest positive integer that divides into two numbers without a remainder.

Little Endian

The least significant byte is stored in the lowest memory address.

Major Weakness with Diffie-Hellman

The major weakness with Diffie-Hellman is its susceptibility to having certain parameter values easily precomputed.

Rainbow Table Attack

The method of knowing the mapping between the hashed values and the original data.

2048-bit Prime Numbers

The minimum prime numbers recommended for use with Diffie-Hellman to counter attacks involving precomputation.

Big Endian

The most significant byte is stored in the lowest memory address.

Moore's Law

The observation that computing power essentially doubles every 18 months.

Kerchoff's Principle

The one thing we have to protect to keep the cryptosystem secure is the secret key.

Salting

The process of adding an Initialization Vector (IV) to the ciphering process to change its operation and ensure the ciphertext does not give the original plaintext when played back.

Encryption

The process of changing plaintext into ciphertext.

Factoring

The process used to determine the original prime numbers used in the Public-Key Cryptography process.

DHE-RSA

The server signs the Diffie-Hellman parameter (using a private key from an RSA key pair) to create a pre-master secret, and where a master key is created which is then used to generate a shared symmetric encryption key.

FIPS 202

The standard for SHA-3, and provides revision to the Applicability Clause of FIPS 180-4.

x.500

The standard that LDAP is based on.

Internet Key Exchange (IKE)

The standard used for remote host, network access, and VPN access. The handshaking process uses UDP port 500 for key exchange.

Key Escrow and A NOBUS

The two main methods used in terms of a backdoor in cryptography.

PEM and DER

The two major encoding schemes for X.509 certificates and keys. The standard output for X.509 is in a binary format, but a Base-64 conversion (PEM) can be used as an easy wat to export/import on a wide range of systems.

Block and Stream

The two types of Symmetric Encryption.

Type 5 = Hashing, and Type 7 = Encoding Method

The two types of hashing or encoding methods used for passwords in Cisco devices.

Gas

The unit that is used to measure the amount of work that is require to perform a single Keccak-256 hash when dealing with Ethereum.

End-to-End Authentication

The user authenticates themselves to the end service.

Distributed Peet-to-Peer Network

There are no centralized servers with Bitcoin, instead, there is a distributed peer-to-peer network where nodes exchange transactions, blocks and addresses with the rest of the network.

Authentication Header (AH)

This encrypts the complete contents of the IP data packet, and adds a new packet header.

Cancellation Stage

This includes certificate expiration, certificate revocation, key history and key archiving.

Issued Stage

This includes certificate retrieval, certificate validation, key recovery and key update.

Initialization Stage

This includes registration, key pair generation, certificate creation and certificate/key distribution, certificate dissemination, and key backup.

Revoked Status

This is where a certificate has been revoked, and cannot be reversed, and often occurs when a certificate is defined as having its private key breached.

Cisco Type 5 Hash

Type 5 hashing employs MD5 which produces a 128-bit hash value.

Time-Out Mechanism Benefit

Typically included in the Diffie-Hellman key exchange process, the Time-Out Mechanism allows a smaller time window for an attacker to determine the key.

Bitcoins

Use Elliptic Curve Cryptography with 32-byte private keys and 64-byte public keys, on a secp256k1 curve.

Enigma Machine

Used a polyalphabetic substitution cipher, which did not repeat within a reasonable time period, along with a secret key.

Key Encryption Key (KEK)

Used by the AP when using data encryption.

Temporal Key (TK)

Used for the encryption/decryption of unicast packets.

LM Hash

Used in many versions of MS Windows OS to store paswords that are fewer than 15 characters.

Key Confirmation Key (KCK)

Used in the creation of the MIC.

Padding

Used to fill blocks to operating size when the data does not fit perfectly when using block encryption.

PBKDF2

Used to generate the salted key used with TrueCrypt.

Fermat's Little Theorem

Used to prove that RSA works correctly an accurately.

MIC Authenticator RX Key (MIC RX)

Used with TKIP setup for the unicast packets sent by clients.

MIC Authenticator TX Key (MIC TX)

Used with TKIP setup for unicast packets sent by APs.

Keccak Hash

Used within Ethereum applications to define the concept of gas, which is the unit that is used to measure the amount of work that is required to perfom a single 256-bit Keccak Hash.

PEAP (Protected Extensible Authentication Protocol)

Used within IEEE 802.1x to support authentication for server supplied digital certificates.

Diffie-Hellman Group 3

Uses a 1,024-bit Prime Number

Diffie-Hellman Group 5

Uses a 1536-bit Prime Number

Fractionated Morse Cipher

Uses a 26 character key mapping and converts a plaintext input to fixed length chunks of Morse Code used to derive ciphertext letters.

Diffie-Hellman Group 1

Uses a 768-bit Prime Number.

Lattice-Based Cryptography

Uses asymmetric cryptographic primitives based on lattices. It has been known about for several decades, and is now being investigated because of its quantum robustness, whereas many of the existing public key methods such as RSA and Diffie-Hellman cryptosystems can be broken with quantum computers.

Four-Square Cipher

Uses four 5x5 matrices arranged in a square, where each matrix contains 25 letters for encoding and decoding operations.

ASCII

Utilizes 8-bit values and supports up to 256 diffent characters.

Key Escrow

Where a copy of the encryption key is kept in escrow so that it can be used by a government agent.

Full Context

Where an alternative message is created with the same hash signature and has a direct relation to the original message. An extension to a Pre-Image Attack.

Diffie-Hellman MITM Attack

Where an attacker sits in-between, passes values back and forward, and negotiates two keys: one between the 1st legitimate end and the other between the other legitimate end involved in the communication.

Blinding Attack

Where an attacker tricks a victim user to sign for a seemingly harmless messages, performs a mathematical calculation to ascertain the actual signature, and then uses the signature to sign items as the victim.

Collision

Where another match is found, no matter the similarity of the orignial message. Exploited by collision attacks.

NOBUS

Where it is mathematically possible for government agents to crack the encryption, but no-on else can.

Similar Context

Where part of the message has some significance to the original and generates the same hash signature. Defined as a Pre-Image Attack.

IPSec Phase 1

Where the hashing method, the encryption, and key exchange methods are defined.

Bleichenbacher's Attack

Where the intruder captures the cipher for the preshare key, and then re-ciphers with an additional value. It has been the core of many attacks on SSL.

Active Attack

Where the intruder inserts or modifies messages.

Cut-and-Past Attack

Where the intruder mixes parts of two different encrypted messages and is able to create a new message. This message is likely to make no sense, but may trick the receiver into doing something that helps the intruder.

Replay Attack

Where the intruder takes a legitimate message and sends it into the network at some future time.

Mono-Alphabetic Code/Substituion

Where we create a single mapping from our alphabet to a cipher alphabet.

Keccak

Won the NIST hash function competition, and is proposed as the SHA-3 standard.

Time Attack

involves determining the amount of time that a user takes to decrypt the message; from this the key could be found.

CLEFIA

- Light-Weight Symmetric Block Cipher - 128-bit Block Size - 128, 192, or 256-bit Key Size

RC4 Main Phases

- Key Setup - Key Ciphering

Elli

- LIght-Weight Public Key - Used in RFID Implementations

Major Problems with CRLs

- Lack of Checking - Revoking Error - Denial of Service on the CA

PHOTON

- Light-Weight Hashing

SPONGENT

- Light-Weight Hashing

Quark

- Light-Weight Hashing - 64 or 112-bit Hash Value - Can be usef for Hashing and in Stream Encryption

Lesamnta-LW

- Light-Weight Hashing - Five Times Faster than SHA-256 - For Short Message Hashing

Chaskey

- Light-Weight Signing - 128-bit Key Size

WPA2

- AES-CCMP - Symmetric Block - 128-bit Key Size - 48-bit IV Size

AES Vulnerabilities Using ECB

- Brute Force - Use of Non-Random Numbers - Copy-and-Paste

Cipher Feedback (CFB)

- Converts the block cipher into a self-synchronizing steam cipher. - Current block takes the output of the XOR process vs from the cipher stage of the previous block.

Output Feedback (OFB)

- Converts the block cipher to a synchronous stream output. - Current block takes the output from the cipher stage vs the output of the XOR process of the previous block.

Counter Mode (CTR)

- Converts the block into a stream cipher. - Generates a counter value and a nounce, and encrypts this, in order to XOR with the plaintext block. - Each block is processed independent of the others, facilitating the ability to conduc parallel processing of blocks.

MD4

- Cryptographic Hash - 128-bit Hash Value

MD5

- Cryptographic Hash - 128-bit Hash Value

SHA-1

- Cryptographic Hash - 160-bit Hash Value

SHA-2

- Cryptographic Hash - 256, 384, or 512-bit Hash Value

3 Common Methods used to Crack RSA

- Different E Value - Factorizing N - Chinese Remainder Theorem (CRT)

Methods to Combat DHE_Export Downgrade Attacks

- Disabling Export Cipher Suites - Using (Ephemeral) Eliptic-Curve Diffie-Hellman (ECDHE) - Using a Strong Group

Lightweight Cryptography is Best Suited For

- Embedded Systems - RFID - Sensor Networks

Common Digital Certificate Types

- IKE - PKCS #7 - PKCS #10 - RSA Signatures - x.509v3 Certificates

Methods that Contribute to Improving Brute Force Analysis

- Increasing power of computers. - Parrallel Processing - The use of Supercomputers.

Playfair Cipher

A 5x5 matric containing the alphabet minus the letter "J". The cipher/decipher process consists of a set of rules outlining the use of column and row combinations.

10 Minutes

A blockchain mining process where a new block of transactions is added to the blockchain and transactions within the block are considered to be process about every 10 minutes.

Frequency Analysis

A cipher cracking methodology that involves identifying patterns and variations in the probability of codes.

Rainbow Table

A collection of precomputed hash values of actual plaintext passwords used for password cracking.

Geth

A command line interface for running Ethereum node implemented in Go Language.

Ephermeral Methods

A different key is used for each connection, which ensures the leakage of any long-term key would not cause all the associated session keys to be breached.

Start and End Dates

A digital certificate has a start and end date, which will define the valid period of the certificate.

Hash-based Message Authentication Code (HMAC)

A message authentication code (MAC) that can be used to verify the integrity and authentication of the message.

True Random Number Generators (TRNGs)

A method that generates a true random number and uses some form of random process. This method is generally slow, especially if it involves human interation, but it is non-deterministic and aperiodic.

APR1

Addresses the problems of brute forcing an MD5 hash, and basically iterates the hash value 1,000 times.

AES and Poor Implementation

AES has proven to be free from major vulnerabilities, but poor implementation of the encryption method often causes problems.

Root Certificate Authority (CA)

Certificates generated by a trusted root CA is a secure option for ensuring certificates used can be trusted as valid by both parties.

Which Block Cipher modes essentially allow the block cipher to operate like a stream cipher?

Cipher Feedback (CFB), Output Feedback (OFB), and Counter Mode (CTR).

One Time Pad Cipher

Cipher code mapping that is used only once.

One-Time Pad

Considered to be unbreakable since it only uses its cipher code once.

Digital Certificates

Contain the public key of the certificate owner. So, generating and securely sharing a certificate that can be validated by a trusted source is a viable option for public key transport in PKI.