Chapter 7 Cryptography and The Public Key Infrastructure
Difference of RSA vs ECC
The strengths of various key lengths also vary greatly according to the cryptosystem you're using. For example, a 1,024-bit RSA key offers approximately the same degree of security as a 160-bit ECC key.
What are the different standard formats and their file extensions?
+--------------------------------------+----------------------+ | Standard Format | File Extension(s) | +--------------------------------------+----------------------+ | Distinguished Encoding Rules (DER) | Binary | | | .DER, .CRT, .CER | +--------------------------------------+----------------------+ | Privacy Enhanced Mail (PEM) | Text | | | .PEM, .CRT | +--------------------------------------+----------------------+ | Personal Information Exchange (PFX) | Binary | | | .PFX, .P12 | +--------------------------------------+----------------------+ | P7B | Text | | | .P7B | +--------------------------------------+----------------------+
What are five basic requirements for a cryptographic hash function?
1. They accept an input of any length. 2. They produce an output of a fixed length, regardless of the length of the input. 3. The hash value is relatively easy to compute. 4. The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). 5. The hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value).
Cryptography Goal Authentication
Authentication verifies the claimed identity of system users and is a major function of cryptosystems. I.e Challenge words - I give a work, and you need to encrypt it with our secret code
Why is key length important and what considerations should be make as security proffessional
Because key length equals strength, we need to balance timeliness and security for encrypting different types of data. Moore's law is the idea that computing power doubles every two years. So a password that takes 1 year to break now, will be broken in 3 months four years from now.
How does SHA-2 improve upon SHA-1?
Because of weaknesses in SHA-1, the SHA-2 was developed with 4 variants SHA-256 produces a 256-bit message digest using a 512-bit block size. SHA-224 uses a truncated version of the SHA-256 hash to produce a 224-bit message digest using a 512-bit block size. SHA-512 produces a 512-bit message digest using a 1,024-bit block size. SHA-384 uses a truncated version of the SHA-512 hash to produce a 384-bit digest using a 1,024-bit block size. Although SHA-2 is still considered secure, it suffered from the same weakness as SHA-1, so SHA-3 was developed.
What are internal certifications and how are they used?
Certificate authorities do not need to be third-party service providers. Many organizations operate internal CAs that provide self-signed certificates for use inside an organization. These certificates won't be trusted by the browsers of external users, but internal systems may be configured to trust the internal CA, saving the expense of obtaining certificates from a third-party CA.
What is certificate chaining?
Certificate chaining is the process of validating a digital certificate by establishing a trust chain from the certificate to a trusted root certificate authority (CA). Digital certificates are obtained from CAs, and their authenticity is verified by checking a chain of certificates leading back to a trusted root CA. Each certificate in the chain is validated using the public key of the issuing CA. If the entire chain is successfully validated and the root CA is trusted, the end certificate is considered valid, ensuring the integrity and authenticity of secure communication over the internet, such as in HTTPS.
What are some common examples for giving digital signatures?
Certificates may be issued for a variety of purposes. These include providing assurance for the public keys of Computers/machines Individual users Email addresses Developers (code-signing certificates)
Cryptography Goal Confidentiality
Confidentiality ensures that data remains private in three different situations: when it is at rest, when it is in transit, and when it is in use. Two main types of cryptosystems enforce confidentiality. Symmetric cryptosystems use a shared secret key available to all users of the cryptosystem. Asymmetric cryptosystems use individual combinations of public and private keys for each user of the system.
What are the 3 Common symmetric cryptosystems?
Data Encryption Standard (DES), Triple DES (3DES) The Advanced Encryption Standard (AES).
Key tips when deciding which key to use
Here are a few simple rules to help keep these concepts straight in your mind when preparing for the exam: 1. If you want to encrypt a message, use the recipient's public key. 2. If you want to decrypt a message sent to you, use your private key. 3. If you want to digitally sign a message you are sending to someone else, use your private key. 4. If you want to verify the signature on a message sent by someone else, use the sender's public key. These four rules are the core principles of public key cryptography and digital signatures. If you understand each of them, you're off to a great start!
What are message digests?
Message digests are summaries of a message's content (not unlike a file checksum) produced by a hashing algorithm.
RSA Algorithm
Named after inventors Rivest, Shamir, and Adelman, RSA is a system for encrypting and decrypting a message using a pair of keys, both of which contain the product of two prime numbers. This still remains as the worldwide standard
What are the four key ideas behind cryptography?
1. Confidentiality - To protect information from others 2. Integrity - Ensure information is not changed 3. Authentication - Validate the identity of users 4. Non-repudation - the ability to prove to third party vendors that a message came from the purported vendor.
What are asymmetric key algorithms?
Also known as public key algorithms Every user has two keys, a public one and a private one.
What is Cryptography?
Cryptography is the practice and study of techniques for securing information and communication mainly to protect the data from third parties that the data is not intended for. The art of creating and implementing secret codes and ciphers is known as cryptography.Cryptography is the practice and study of techniques for securing communication and data from adversaries or attackers. It involves the use of mathematical algorithms to encode information in a way that makes it difficult for unauthorized users to access or understand.
How does polyalphabetic substitution work?
Depends on a password; when the password matches it enciphers, if not long enough it repeats until it matches The most famous example of a polyalphabetic substitution from historical times was the Vigenère cipher. Using a table, you can use two letters to come up with a new one.
What are digital certificates?
Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. Digital certificates are essentially endorsed copies of an individual's public key.
What is Distinguished Encoding Rules (DER)?
Distinguished Encoding Rules (DER) is a specific encoding format used to represent data structures, particularly ASN.1 (Abstract Syntax Notation One) data structures, in a binary format. DER is often associated with encoding and decoding cryptographic data, including digital certificates such as X.509 certificates. The Distinguished Encoding Rules (DER) are a subset of BER; they eliminate some of the flexibility provided by BER, however, they also guarantee that there is one and only one way to encode a message. That is, if we were to encode, decode, re-encode, re-decode, and re-re-encode, all three encodings must be the same. DER is commonly used in security-related applications such as X.509 digital certificate
What are hash functions?
Hash functions have a very simple purpose—they take a potentially long message and generate a unique output value derived from the content of the message. This value is commonly referred to as the message digest.
Cryptography Goal Integrity
If the correct mechanisms are in place, we can ensure when receiving a message it's correct. Message integrity is enforced through the use of encrypted message digests, known as digital signatures, created upon transmission of a message. The recipient of the message simply verifies that the message's digital signature is valid, ensuring that the message was not altered in transit. Integrity can be enforced by both public and secret key cryptosystems.
What is the difference of SHA-2 vs SHA-3 ?
More than SHA3, SHA2 is widely popular and used in the majority of online systems. However, SHA3 is a more secure and fast performer than SHA2. It represents the supreme form of hashing functionality and may even become the go-to hashing function in the future.
Cryptography Goal Nonrepudiation
Nonrepudiation provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender. Nonrepudiation is offered only by public key, or asymmetric, cryptosystems. Something like a challenge word won't work because someone could have the secret code So this is more of a stricter version of authentication
What is Secure Hash Algorithm (SHA)?
SHA-1, SHA-2, and SHA-3, are government standard hash functions promoted by the National Institute of Standards and Technology (NIST) and are specified in an official government publication—the Secure Hash Standard (SHS), also known as Federal Information Processing Standard (FIPS) 180.
What is the most common binary format for digital certification?
The most common binary format is the Distinguished Encoding Rules (DER) format. DER certificates are normally stored in files with the .DER, .CRT, or .CER extensions.
What is Domain Validation (DV)?
The simplest, and most common, certificates are Domain Validation (DV) certificates, where the CA simply verifies that the certificate subject has control of the domain name. Domain validation (DV) is a method used by Certificate Authorities (CAs) to verify the ownership of a domain before issuing a digital certificate. The purpose of domain validation is to ensure that the entity requesting the certificate has control over the domain for which the certificate is being issued. DV is typically used for low-assurance certificates, such as SSL/TLS certificates for securing websites.
What are the different forms that digital signatures come in?
There are two main formats which are Binary and text based.
How does a Brute force attack work?
This method simply involves trying every possible key. It is guaranteed to work, but it is likely to take so long that it is simply not usable. For example, to break a Caesar cipher, there are only 26 possible keys, which you can try in a very short time. But even DES, which has a rather weak key, would take 2 56 different attempts. That is 72,057,594,037,927,936 possible DES keys. To put that in perspective, if you try 1 million keys per second, it would take you just a bit over 46,190,765 years to try them all.
How do you verify a digital signature?
When you receive a digital certificate from someone with whom you want to communicate, you verify the certificate by checking the CA's digital signature using the CA's public key. Next, you must check and ensure that the certificate was not revoked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP). At this point, you may assume that the public key listed in the certificate is authentic, provided that it satisfies the following requirements: 1. The digital signature of the CA is authentic. 2. You trust the CA. 3. The certificate is not listed on a CRL. 4. The certificate actually contains the data you are trusting.
What is steganography?
a cryptography method in which data is hidden in another media type they might embed a secret message within an illustration on an otherwise innocent web page. Steganographers often embed their secret messages within images, video files, or audio files because these files are often so large that the secret message would easily be missed by even the most observant inspector Popular with criminals and watermarking for IP protection
For Asymmetric Key Symmetry what are some things to consider?
it's important that you comply with several best practice requirements to maintain the security of your communications. 1. Ensure that you choose an encryption system wisely. Choose one that is in the public domain as they have been vetted. Don't rely of Security through Obscurity! 2. Choose an appropriate key length!! The longer the longer!! More security means more time. Ensure that it's random and that know weak keys are not used! 3.KEY PROTECTION! Ensure that no one has your private key and that we retire old keys that we do not use anymore. We should try to change keys to ensure security, ideally every few months but whatever is practical. Also always have key back up from any possible data corruption, disaster or any other circumstance.
What is key space?
A metric that is often discussed when talking about the strength of a particular encryption scheme The key space is the range of values that are valid for use as a key for a specific algorithm. A key space is defined by its key length.
How do Certificate Authorities protect their root certificate/private key?
Certificate authorities must carefully protect their own private keys to preserve their trust relationships. To do this, they often use an offline CA to protect their root certificate, the top-level certificate for their entire PKI. This offline CA is disconnected from networks and powered down. We typically see that the root certificate will be stored offline and utilize intermediaries to be used for giving out the digital certificates on a routine basis.
What is Extended Validation (EV)?
Extended Validation (EV) is a higher level of authentication and validation for digital certificates, typically used for SSL/TLS certificates that secure websites. The goal of EV is to provide users with enhanced confidence in the authenticity of a website by verifying not only domain ownership but also the legal identity and existence of the entity that owns the website Extended Validation (EV) certificates provide a higher level of assurance and the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate.
What are the risks associated with Certificate Authorities?
One thing to keep in mind is that, there is no requirements to being a CA. Therefore you need to ensure that when you receive as digital certificate its from a reputable one. The key reason is that if you use a fake CA, then not only is your CA bad, but then all other fake ones are accepted by your system as well.
How did SHA-1 work?
SHA-1 takes an input of virtually any length (in reality, there is an upper bound of approximately 2,097,152 terabytes on the algorithm) and produces a 160-bit message digest. The SHA-1 algorithm processes a message in 512-bit blocks. Therefore, if the message length is not a multiple of 512, the SHA algorithm pads the message with additional data until the length reaches the next highest multiple of 512.
What are cryptographic keys?
a key is nothing more than a number. It's usually a very large binary number, but it's a number nonetheless.
How do digital signatures work?
-The sender uses a private key to encrypt the hash total -Sender attaches the encrypted total to the message data and uses a public key to encrypt everything -The receiver uses a private key to decrypt the message and use the sender's public key to decrypt the digital signature. -The hash total is then reproduced based on the message data and if this matches the decrypted hash total (digital signature) then it is certain the message genuinely came from the sender.
What are the strengths of a asymmetric algorithm?
1. It's Scalable - Every added user adds only two extra keys, but for symmetric you need to add keys for every current member 2. Easily Removable - Just take out the existing public key 3. Key regeneration is required only when a user's private key is compromised - Only change one key, no need to recharge every key combo 4.Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. - nonrep using digital signatures, and similiar to authentication. 5. Key distribution is a simple process. - Just share a single public key 6. No preexisting communication link needs to exist. The main issue is that it's slow!! That's why for large transmissions we'll connect using the asymmetric, and then share symmetric algorithms to speed up everything.
What is a YubiKey?
A YubiKey is a small, physical hardware device that provides strong two-factor authentication (2FA) and other security features. It is manufactured by Yubico, a company specializing in hardware authentication devices. YubiKeys are designed to enhance the security of various online services, applications, and devices by adding an additional layer of protection beyond traditional usernames and passwords.
What is a cipher?
A code that is used with a key to hide an encrypted message. Two main ways are: 1. Substitution - i.e Caesar cipher where you change one symbol for another ROT 13 (Rotate 13 )- the advanced version where you rotate 13 letters (can be done up to anything) 2.Transposition - In cryptography, a transposition cipher (also known as a permutation cipher) is a method of encryption which scrambles the positions of characters (transposition) without changing the characters themselves Can be done by splitting code into segments, then rotating in the segment itself.
What is Kerchoff's principle?
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. It states that the security of a cryptographic system should not rely on the secrecy of the algorithm itself, but rather on the secrecy of the key used in the algorithm. His insight was that keeping the details of the cryptographic algorithm secret is not a reliable way to ensure security, as secrecy can be compromised through various means such as reverse engineering, leaks, or espionage. Instead, the strength of the system should rely on the secrecy and complexity of the cryptographic key.
Why is Symmetric key algorithms good?
Although there are quite a bit of flaws, the idea is that if you're in the inner circle, you can immense benefits. 1000 - 10000 times faster than asymetric
What is of elliptic curve cryptography (ECC)?
Any elliptic curve can be defined by the following equation: y2 = x3 + ax + b In this equation, x, y, a, and b are all real numbers. Each elliptic curve has a corresponding elliptic curve group made up of the points on the elliptic curve along with the point O, located at infinity. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve addition algorithm. This operation is expressed as P + Q This problem can be extended to involve multiplication by assuming that Q is a multiple of P, meaning the following: Q = xP Computer scientists and mathematicians believe that it is extremely hard to find x, even if P and Q are already known. This difficult problem, known as the elliptic curve discrete logarithm problem, forms the basis of elliptic curve cryptography. It is widely believed that this problem is harder to solve than both the prime factorization problem that the RSA cryptosystem is based on and the standard discrete logarithm problem utilized by Diffie-Hellman.
What are block ciphers?
Block ciphers are fundamental cryptographic algorithms used to secure data in various applications, such as encryption and decryption of messages or files. They operate by taking fixed-size blocks of plaintext and transforming them into ciphertext using a specific encryption key. The transformation process involves a series of substitution and permutation operations, making it difficult to decipher the original data without the correct key. Each block of plaintext is processed independently, enhancing security and enabling the encryption of large amounts of data. Prominent examples of block ciphers include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
What are Certificate Revocation Lists ?
Certificate Revocation Lists Certificate revocation lists (CRLs) are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by a CA and have been revoked along with the date and time the revocation went into effect. The major disadvantage to certificate revocation lists is that they must be downloaded and cross-referenced periodically, introducing a period of latency between the time a certificate is revoked and the time end users are notified of the revocation.
What is Certificate Stapling?
Certificate Stapling The primary issue with OCSP is that it places a significant burden on the OCSP servers operated by certificate authorities. These servers must process requests from every single visitor to a website or other user of a digital certificate, verifying that the certificate is valid and not revoked. Certificate stapling is an extension to the Online Certificate Status Protocol that relieves some of the burden placed upon certificate authorities by the original protocol. When a user visits a website and initiates a secure connection, the website sends its certificate to the end user, who would normally then be responsible for contacting an OCSP server to verify the certificate's validity. In certificate stapling, the web server contacts the OCSP server itself and receives a signed and timestamped response from the OCSP server, which it then attaches, or staples, to the digital certificate. Then, when a user requests a secure web connection, the web server sends the certificate with the stapled OCSP response to the user. The user's browser then verifies that the certificate is authentic and also validates that the stapled OCSP response is genuine and recent. Because the CA signed the OCSP response, the user knows that it is from the certificate authority and the timestamp provides the user with assurance that the CA recently validated the certificate. From there, communication may continue as normal.
What are Certificate Authorities?
Certificate authorities (CAs) are the glue that binds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates. To obtain a digital certificate from a reputable CA, you must prove your identity to the satisfaction of the CA. The following list includes some of the major CAs who provide widely accepted digital certificates: Symantec IdenTrust Amazon Web Services GlobSymantec IdenTrust Amazon Web Services GlobalSign Comodo Certum GoDaddy DigiCert Secom Entrust Actalis Trustwave
Certificate Stapling explained more!
Certificate stapling, or OCSP stapling, is a method in SSL/TLS communication to streamline the certificate revocation check process. Instead of relying on the user's browser to independently query a Certificate Authority's (CA) OCSP server or check Certificate Revocation Lists (CRLs), the server periodically fetches a signed OCSP response from the CA. The server then attaches, or "staples," this response to its SSL/TLS certificate. When a user's browser connects to the server, it receives both the certificate and the stapled OCSP response, allowing for faster and more efficient revocation status verification without the need for additional queries. This enhances connection performance and privacy.
What are ciphers? What are the two main ones?
Ciphers are the algorithms used to perform encryption and decryption operations. Cipher suites are the sets of ciphers and key lengths supported by a system. Modern ciphers fit into two major categories, describing their method of operation: Block Ciphers and Stream Ciphers Block ciphers transform plaintext 1 block (64/128/256 bits) at a time, while stream ciphers convert plaintext to ciphertext 1 byte at a time. This makes block ciphers slower since an entire block has to be accumulated before the data is encrypted/decrypted
What are the different Data Encryption Standard (DES) modes?
DES is a 64-bit block cipher that has five modes of operation: 1. Electronic Codebook (ECB) mode Each time the algorithm processes a 64-bit block, it simply encrypts the block using the chosen secret key. transmissions. In everyday use, ECB is used only for exchanging small due to vulnerabilities that allow for it to be cracked by using small sections to find patterns (AKA if it's small no pattern found) 2. Cipher Block Chaining (CBC) mode Cipher Block Chaining (CBC) mode is a method of using the Data Encryption Standard (DES) block cipher to provide confidentiality and privacy for data transmission. In CBC mode, each plaintext block is XORed with the ciphertext of the previous block before being encrypted. This XOR operation introduces feedback from the previous block, which helps to ensure that identical plaintext blocks result in different ciphertext blocks, enhancing security. if one block is corrupt the whole chain is thus corrupted as well. 3. Cipher Feedback (CFB) mode transmitted. Other than the change from preexisting data to real-time data, CFB operates in the same fashion as CBC.This mode is particularly useful when working with data streams of varying lengths or when real-time encryption is required. (Goes bit by bit so no need to first break things into blocks) 4. Output Feedback (OFB) mode Output Feedback (OFB) mode is a method of using the Data Encryption Standard (DES) block cipher for encryption. Similar to Cipher Feedback (CFB) mode, OFB mode transforms DES into a stream cipher, allowing it to encrypt individual bits or bytes of data. OFB mode is particularly useful for scenarios where real-time encryption or working with data streams of varying lengths is required.mode. However, instead of XORing an encrypted version of the previous block of ciphertext, DES XORs the plain text with a seed value. 5. Counter (CTR) mode. DES that is run in Counter (CTR) mode uses a stream cipher similar to that used in CFB and OFB modes. However, instead of creating the seed value for each encryption/decryption operation from the results of the previous seed values, it uses a simple counter that increments for each operation. As with OFB mode, errors do not propagate in CTR mode. .
Elliptical curve cryptography (ECC) explained more
Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller and more efficient cryptographic keys. ECC is an alternative to the Rivest-Shamir-Adleman (RSA) cryptographic algorithm and is most often used for digital signatures in cryptocurrencies, such as Bitcoin and Ethereum, as well as one-way encryption of emails, data and software. An elliptic curve is not an ellipse, or oval shape, but it is represented as a looping line intersecting two axes, which are lines on a graph used to indicate the position of a point. The curve is completely symmetric, or mirrored, along the x-axis of the graph. Public key cryptography systems, like ECC, use a mathematical process to merge two distinct keys and then use the output to encrypt and decrypt data. One is a public key that is known to anyone, and the other is a private key that is only known by the sender and receiver of the data. ECC generates keys through the properties of an elliptic curve equation instead of the traditional method of generation as the product of large prime numbers. From a cryptographic perspective, the points along the graph can be formulated using the following equation: y²=x³ + ax + b
How does the Columnar Transposition cipher work>
Essentially by passing the amount of Rows as the key we are able to read a message in a unique way. M M T T E E H O E I E R T N S E Meet me in the store (Row number 4)
Why does HMAC The Hashed Message Authentication Code (HMAC) only provide partial digital signature?
HMAC The Hashed Message Authentication Code (HMAC) algorithm implements a partial digital signature—it guarantees the integrity of a message during transmission, but it does not provide for nonrepudiation. Because HMAC relies on a shared secret key, it does not provide any nonrepudiation functionality (as previously mentioned). However, it operates in a more efficient manner than the digital signature standard described in the following section and may be suitable for applications in which symmetric key cryptography is appropriate. In short, it represents a halfway point between the unencrypted use of a message digest algorithm and computationally expensive digital signature algorithms based on public key cryptography.
What are Hardware Security Modules (HSMs)?
Hardware security modules (HSMs) also provide an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys. HSMs range in scope and complexity from very simple devices, such as the YubiKey, that store encrypted keys on a USB drive for personal use, to more complex enterprise products that reside in a data center. Cloud providers, such as Amazon and Microsoft, also offer cloud-based HSMs that provide secure key management for IaaS services.
When would a digital certificate be revoked?
Here are the four major examples of when a revocation would occur. 1. The certificate was compromised (for example, the certificate owner accidentally gave away the private key). 2. The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification). 3. The details of the certificate changed (for example, the subject's name changed). 4. The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).
What are the steps to send a digital signature?
If Alice wants to digitally sign a message she's sending to Bob, she performs the following actions: 1. Alice generates a message digest of the original plaintext message using a hashing algorithm. 2. Alice then encrypts only the message digest using her private key. This encrypted message digest is the digital signature. 3. Alice appends the signed message digest to the plaintext message. 4. Alice transmits the appended message to Bob. When Bob receives the digitally signed message, he reverses the procedure, as follows: 1. Bob decrypts the digital signature using Alice's public key. 2. Bob uses the same hashing function to create a message digest of the full plaintext message received from Alice. 3.Bob then compares the decrypted message digest he received from Alice with the message digest he computed himself. If the two digests match, he can be assured that the message he received was sent by Alice. If they do not match, either the message was not sent by Alice or the message was modified while in transit.
What is MD5 and how does it work?
In 1991, Ron Rivest released the next version of his message digest algorithm, which he called MD5. It also processes 512-bit blocks of the message, but it uses four distinct rounds of computation to produce a digest of the same length as the earlier MD2 and MD4 algorithms (128 bits). MD5 implements security features that reduce the speed of message digest production significantly. Unfortunately, recent cryptanalytic attacks demonstrated that the MD5 protocol is subject to collisions, preventing its use for ensuring message integrity.
Asymmetric Cryptography
In this Cryptography a Key Pair - Private and Public Key is used. Private Key is kept secret and the Public Key is Widely distributed. Because we are able to use insecure methods to create a secure connection, the keys in public systems must be longer than private key systems to create similar strength
What is the enigma machine?
It was a decoding machine that the Germans used, Britain had their own copy and decoded German messages instantly. a polyalphabetic substitution,
What are hashing algorithms?
It's extremely difficult, if not impossible, to derive a message from an ideal hash function, and it's very unlikely that two messages will produce the same hash value. Cases where a hash function produces the same value for two different methods are known as collisions, and the existence of collisions typically leads to the deprecation of a hashing algorithm.
What are Message digests used for?
Message digests are used to verify that a message is genuine. They are also used to protect the integrity of data or media. Message digests can detect changes or alterations to any part of a message. Message digests are also known as hash values. They are used for digital signatures and password protection. A message digest can be encrypted to form a digital signature. The length of a message digest depends on the algorithm used. The most common message digests used for security are collision-resistant hash functions.
How does modern cryptography work?
Modern cryptosystems use computationally complex algorithms and long cryptographic keys to meet the cryptographic goals of confidentiality, integrity, authentication, and nonrepudiation. Algorthims are open to public for multiple reasons. Trying to hide an algorithm and failing would risk an entire company. Having a public knowledge of algorithm allows for security community to find vulnerabilities and improve cryptosystems rely on the secrecy of one or more cryptographic keys used to personalize the algorithm for specific users or groups of users.
What are the steps needed to get a digital certification?
Obtaining a digital certificate involves several steps, including enrollment, verification, and revocation. The specific process may vary depending on the Certificate Authority (CA) and the type of certificate (e.g., SSL/TLS certificate, code signing certificate). Here's a general overview: Enrollment: Certificate, you must first prove your identity to the CA in some manner; this process is called enrollment. The steps needed vary and all matters on when the CA deems one identity verified. Once the ID is sufficient, you provide them with your public key in the form of a Certificate Signing Request (CSR). The CA next creates an X.509 digital certificate containing your identifying information and a copy of your public key. The CA then digitally signs the certificate using the CA's private key and provides you with a copy of your signed digital certificate. Verification: Identity Verification: The CA verifies the identity of the entity requesting the certificate. The level of verification depends on the type of certificate (e.g., domain validation, organization validation, extended validation). Validation Methods: Verification may involve checking domain ownership, legal entity existence, or contacting the entity through specified channels.
What are the two main goals of Digital Signatures?
Once you have chosen a cryptographically sound hashing algorithm, you can use it to implement a digital signature system. Digital signature infrastructures have two distinct goals: Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation (that is, they preclude the sender from later claiming that the message is a forgery). Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification (a third party altering the meaning of the message) and unintentional modification (because of faults in the communications process, such as electrical interference). Comes from right person and no changes occurred
What are the three techniques to verify the authenticity of certificates and identify revoked certificates:?
Online Certificate Status Protocol (OCSP) Certificate Stapling Certificate Revocation Lists
What is the Online Certificate Status Protocol (OCSP) ?
Online Certificate Status Protocol (OCSP) This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA's OCSP server. The server then responds with a status of valid, invalid, or unknown. The browser uses this information to determine whether the certificate is valid.
What are Registration Authorities?
Registration Authority (RA) is an entity that verifies the identity of individuals or organizations requesting digital certificates from a Certificate Authority. The RA acts as an intermediary between the end user (certificate subject) and the CA, facilitating the certificate issuance process. It's important to note that not all Certificate Authorities have a separate and distinct Registration Authority; some CAs handle both functions internally. The division of responsibilities between the RA and CA is often based on the structure and policies of the specific Public Key Infrastructure (PKI) system. The goal of involving a Registration Authority is to enhance the overall trustworthiness of the digital certificate issuance process by ensuring that the identity information provided by the certificate subject is accurate and reliable. The collaboration between the RA and CA helps maintain the integrity and security of the digital certificate ecosystem.
What is a steam cipher?
Stream ciphers operate on one character or bit of a message (or data stream) at a time. The Caesar cipher is an example of a stream cipher. Stream ciphers are often used in scenarios where the length of the data is unknown or when real-time encryption or decryption is necessary.
What are Symmetric key algorithms?
Symmetric key algorithms rely on a "shared secret" encryption key that is distributed to all members who participate in the communications. break. It is primarily employed to perform bulk encryption and provides only for the security service of confidentiality. Symmetric key cryptography can also be called secret key cryptography and private key cryptography. Downsides: Key distribution is a major problem. Parties must have a secure method of exchanging the secret key before establishing communications with a symmetric key protocol. Symmetric key cryptography does not implement nonrepudiation. Because any communicating party can encrypt and decrypt messages with the shared secret key, there is no way to prove where a given message originated. The algorithm is not scalable. It is extremely difficult for large groups to communicate using symmetric key cryptography. Keys must be regenerated often. Each time a participant leaves the group, all keys known by that participant must be discarded.
What is the government Digital Signature Standard?
The National Institute of Standards and Technology specifies the digital signature algorithms acceptable for federal government use in Federal Information Processing Standard (FIPS) 186-4, also known as the Digital Signature Standard (DSS). This document specifies that all federally approved digital signature algorithms must use the SHA-3 hashing functions.
What is the the Personal Information Exchange (PFX) format?
The Personal Information Exchange (PFX) format is commonly used by Windows systems. PFX certificates may be stored in binary form, using either .PFX or .P12 file extensions. Windows systems also use P7B certificates, which are stored in ASCII text format.
What is the common text based format for digital signatures?
The Privacy Enhanced Mail (PEM) certificate format is an ASCII text version of the DER format. PEM certificates are normally stored in files with the .PEM or .CRT extensions. TIP: You may have picked up on the fact that the CRT file extension is used for both binary DER files and text PEM files. That's very confusing! You should remember that you can't tell whether a CRT certificate is binary or text without actually looking at the contents of the file.
What is the Data Encryption Standard (DES)?
The U.S. government published the Data Encryption Standard in 1977 as a proposed standard cryptosystem for all government communications. Although outdate and weak by today's standards, is crucial to understand as it's the foundation for the modern ones. DES uses a long series of exclusive or (XOR) operations to generate the ciphertext. This process is repeated 16 times for each encryption/decryption operation
What does this mean " The certificate actually contains the data you are trusting." and why is it important?
The last point is a subtle but extremely important item. Before you trust an identifying piece of information about someone, be sure that it is actually contained within the certificate. If a certificate contains the email address ([email protected]) but not the individual's name, you can be certain only that the public key contained therein is associated with that email address. The CA is not making any assertions about the actual identity of the [email protected] email account. However, if the certificate contains the name Bill Jones along with an address and telephone number, the CA is vouching for that information as well.
What are some key features to ensure a cryptosystem isn't cracked?
The length of a cryptographic key is an extremely important factor in determining the strength of the cryptosystem and the likelihood that the encryption will not be compromised through cryptanalytic techniques. The rapid increase in computing power allows you to use increasingly long keys in your cryptographic efforts. Double edged sword as advanced computing power can be used by both sides. So keeping proactive is key.
Why is Public Key Infrastructure so great?
The major strength of public key encryption is its ability to facilitate communication between parties previously unknown to each other. This is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. These trusts permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates, giving us hybrid cryptography.
What are the four version of Triple DES?
These four variants of 3DES were developed over the years because several cryptologists put forth theories that one variant was more secure than the others. However, the current belief is that all modes are equally secure. DES-EEE3 (Encrypt-Encrypt-Encrypt 3): This variant of Triple DES involves three consecutive encryption operations using three different keys: K1, K2, and K3. The plaintext is encrypted thrice, ensuring robust security through multiple encryption layers. The effective key length of DES-EEE3 is 168 bits, offering enhanced protection against cryptographic attacks. The encryption process can be expressed as: E(K1, E(K2, E(K3, P))). DES-EDE3 (Encrypt-Decrypt-Encrypt 3): In this version, three keys—K1, K2, and K3—are utilized. The plaintext undergoes an encryption step followed by a decryption step and finally another encryption step. This sequence enhances security while accommodating decryption. The process is represented as: E(K1, D(K2, E(K3, P))). DES-EEE2 (Encrypt-Encrypt-Encrypt 2): Utilizing two keys, K1 and K2, this variant offers strong protection with a reduced key count. The plaintext is encrypted twice, contributing to security, and can be expressed as: E(K1, E(K2, E(K1, P))). DES-EDE2 (Encrypt-Decrypt-Encrypt 2): Similar to DES-EEE2, this version uses two keys, K1 and K2. The encryption process involves an initial encryption, followed by a decryption, and concluded with another encryption. This arrangement provides a compromise between security and efficiency, expressed as: E(K1, D(K2, E(K1, P))).
What is Tripe DES?
Triple Data Encryption Standard (Triple DES or 3DES) is a cryptographic algorithm that provides a higher level of security than the original Data Encryption Standard (DES). DES is a symmetric-key block cipher that uses a 56-bit key, which is considered vulnerable to modern cryptanalysis due to its relatively small key size. Triple DES enhances security by applying the DES algorithm multiple times in succession.
why is MD5 no longer used?
techniques were created to easily produce collisions At present, the MD5 hash function is not considered secure. This was revealed in 2011 when a public organization cited a number of attackers against the MD5 hashes. In these attacks, the hackers were able to generate hash collisions in less than one minute. More sophisticated attacks could do this in less than 10 seconds. Due to these anomalies, MD5 has been gradually phased out, and other better hashing functions have taken its place in the form of SHA1, SHA1, and SHA3.