Chapter 7 Cryptography
Information security risks the most routine uses of email systems by
-almost all emails are sent unencrypted, with content, file attachment content, and address and routing information open to anyone who chooses to intercept it. This also means that content can be altered en route, and senders and recipients have no reasonable way to detect this. -no existing email systems have strong nonrepudiation capabilities, allowing senders to claim they never received emails or received ones with different content than what was sent.
Cryptography provides confidentiality and integrity across both time and space by
-by protecting data in transit (via Internet or other means), it protects data when en route between two or more physically separated points (in space). -encrypting a file for storage ensures that it cannot be read or tampered with by unauthorized users or processes (which do not have the key); later, authorized users with the key can read the file.
Using cryptographic techniques to protect the integrity of data in a file if you do not require its content to remain confidential needs to be:
-digitally sign the file, as is done with software patch files, device driver executables, and so forth. -an encrypting hash to produce a message digest; even a single bit change in the file will cause a subsequent message digest to be different, indicating a loss of integrity. Windows, Office, and many software systems use both techniques in their distribution and update processes.
Information risks that cryptography cannot address are
-display of data to humans, or output of data as device commands in control systems, needs to be in an unencrypted form to be usable. -even cryptographic support for nonrepudiation cannot prove that a recipient (authorized or not) actually read and understood or made use of the contents of a protected file or message; it can only prove that they accessed it. c-users with legitimate access to a variety of information at one level of classification, when decrypted for use, may be able to infer the existence or value of information at higher levels of classification.
Conditions might cause you to stop using a key would be:
-notification that a key has been lost or compromised. -suspicion that a user of that key is not who or what they claim to be.
Digital signatures work by
-the sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
Webs of trust and hierarchies of trust differ in that
-webs of trust are based on peer-to-peer architectures and as such are not very scalable to large numbers of users. Hierarchies of trust rely on certificate authorities as publishers of intermediate certificates, which supports much larger numbers of users. -webs of trust, as peer-to-peer architectures, are not part of the IT logistics supply chain; hierarchies of trust work best when CAs become part of the architecture of hardware, operating systems, browsers, and other applications.
Cryptography protects the meaning or content of files and messages by means of all of the following obscure meaning by misdirection, concealment, or deception. True or False?
False- This is more suggestive of camouflage, honeypots, or other efforts to draw attackers away form what you wish to defend and divert their energies elsewhere.
True or False: All aspects of CIANA can be enhanced via proper cryptographic techniques.
False: Using proper cryptographic techniques, all aspects of CIANA (confidentiality, integrity, availability, nonrepudiation, authentication) can be enhanced, even availability and integrity.
1. Should a hash function be reversible?
No, because this would allow the plaintext to be decrypted from the hash, rendering message digests and digital signatures unworkable.
Social engineering is:
The most common attacks that business or commercial use of cryptography might be exposed to.
True or False: Cryptography by private businesses in many jurisdictions, law and regulation place significant responsibilities for information protection and due diligence on businesses; these can only be met in practical ways by using cryptographic systems.
True
Hashing is
a one-way cryptography in that you transform a meaningful plaintext into a meaningless but unique has value but you cannot go from hash value back to the original meaning or plaintext.
Comparing the relative security of character, block, or stream ciphers against cryptanalytic attacks is by
blocking ciphers support the best levels of security but with performance penalties that make stream ciphers suitable for some applications.
Nonrepudiation relies on cryptography to validate the
certificate, public key, or both associated with the sender or author match what is associated with the file or message.
The role of a hierarchy of trust in using digital signatures is through the
client's operating system, browsers, and applications either embed certificate authorities as trust anchors or use peer-to-peer trust anchors; the client's user must then trust these systems vendors and the installation of their products, and the client's user own use of them, to completely trust that received digitally signed files or messages are legitimate.
To make a one-time pad encryption system truly unbreakable is to
generate the one-time pad key in a truly random fashion, ensure that no portion of it is ever reused, and ensure that only one sender and one recipient have copies of it. Destroy sections of the pad as they are used. Protect the one-time pads at both sender and recipient from loss, theft, or compromise. Provide secure, immediate means to signal both parties of any loss or compromise or change in identity of sender or recipient.
Symmetric encryption is best described as:
it uses the same key or a simple transform of it to encrypt plaintext into ciphertext, and to then decrypt the ciphertext back into plaintext.
Cryptographic security tends to increase as the key size gets larger because
no matter what kind of cryptanalytic attack, the larger the key, the larger the possible space of key values that an attacker must test; each additional binary bit doubles this search or testing time. Ultimately, this requires more computing power and storage than even the most well-funded governments can afford.
The most common source of exploitable vulnerabilities that business or commercial use of cryptography might present to attackers is:
operational errors in use, such as incorrectly choosing control parameters or mismanaging keys or certificates.
