Cryptography and PKI (Security+ 501)

MD5 - Message Digest 5

128-bit hash based on variable-length plaintext A hasing algorithm that produces a 128bit digest A hasing algorithm that transforms a tring of characters into a fixed-length value or key Known as hash value hases ensure the integrity of data or messages considered weak and is not recommended

XTACACS - Extended Terminal Access Controller Access-Control System

A Cisco proprietary authentication protocol that replaced TACACS and was used to securely access Cisco devices

SHA-1

A hashing algorithm that produces a 160-bit digest

CRL (Certificate Revocation List)

A list of DIGITAL certificates that have been revoked by the issuing ertificate authority before their scheduled expiration date and should not be trusted

Nonrepudiation

A method of guaranteeing a message transmission between parties by a digital signature

WPS (Wi-Fi Protected Setup)

A network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases users enter a PIN to allow the device to connect after pressing the WPS button on the SOHO router

key stretching

A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest. increase the strength of stored passwords Protects passwords from brute-force attacks & rainbow table attacks Length of the key that is being used to encrypt the data. According to NIST guidance, the use of keys that provide less than 112bits of security strength for key agreement is disallowed

key escrow

A process in which keys are managed by a third party, such as a trusted CA. The stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state

Kerberos

A protocol for authenticating service request between trusted hosts across an untrusted network such as the internet

Xmas Attack

A specifically crafted TCP packet that runs on flags to scan the system and dtermine what operating system it's using. An advanced attack that tries to get around detection and send a packet with every single option enabled.

NAC (Network Access Control)

A term that refers to collected protocols, policies, and hardware that govern access on devices to and from a network. Increases the security of a proprietary network by restricting access to devices that do not comply with a defined security policy

wildcard certificate

Allow the company to secure an unlimited number of subdomain certificates on a domain name from a third party

ECC (Elliptic Curve Cryptography)

An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods. Has the same level of strength compared to longer key length asymmetric algorithm. Based on the EC theory that uses points on a curve to define more efficient public & private keys

WPA2-Enterprise

An authentication scheme for Wi-Fi networks that combines WPA2 with RADIUS. Uses an authentication server such as a RADIUS server to control access to a WLAN

CHAP

Authenticates by using PPP servers to validate the identity of remote clients it supports password-based authentication

IEEE 802.1x is commonly used on wireless networks.

Authentication protocols that transfer authentication data between two devices

Supplicant

Authenticator AP or wireless controller Sends authentication messages between the supplicant and authentication server

TACACS+ Terminal Access Control Access Control System+

CISCO proprietary authentication protocol that replaced TACACS & was used to securely access Cisco devices

RADIUS

Client-server protocol that enables remote access servers to communicate with a central server to authenticate users Uses symmetric encryption for security

TLS (Transport Layer Security)

Creates a secure connection by using symmetric cryptography based on a shared secret

Symmetric Algorithms

DES, 3DES, Blowfish, IDEA, RC4-RC6, and AES Twofish Secret key algorithm - use same key Each pair of users who are exchanging data must have two instances of the same key Calculatin gsymmetric key N(N-1)/2=no. of keys

Transposition scrambles

Data by recording the plain text in some certain way

Pin of death

Denial-of-service attack in which a threat actor sends a larger IP packet than allowed by the IP protocol. The IP packet is broken down into smaller segments which would cuase the system to crash

EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security)

Determines how user authentication will perform during phase 2 The user authentication may be a legacy protocol such as PAP, CHAP, MCCHAP, or MS-CHAPV2

DHE

Diffie-Hellman Ephemeral

WPA2-Personal

Does not use an authentication server Uses a passphrase that is entered into the SOHO router

One-time pad

Encryption method Uses a pad with random values that are XORed agaist the message to produce ciphertext. at least as long as the msg itself &its used once and then discarded If the pad is not as long as the message, it will need to be reused to be the same length as the messages One-Time pad must be delivered by a secure method and properly guarded at each destination The pad must be used one time only to avoid introducing patterns, it must be made up of truly random values Today's computer systems have pseudorandom-number generators which are seeded by an initial value form some component within the computer system

PKI (Public Key Infrastructure)

Entire system of hardware, software, policies and procedures and people PKI creates, distributes, manages, stores, and revokes certificates OCSP is part of the PKI

GPG

GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.

self-signed certificate

Generate errors within the client's web browser &should not be used as a replacement since the self-signed certificate is not from a trusted certificate authority

SHA, MD5

Hashing algorithm Used for integrity

OIDs Object identifiers

Identify an object or entity Used in X.509 certificates to name almost every object type

authenticator

In Kerberos authentication, the user's time stamp encrypted with the session key. The authenticator is used to help the service verify that a user's ticket is valid.

PBKDF2 (Password-Based Key Derivation Function 2)

Key stretching algorithm Applies a pseudo-random function such as HMAC to the password along with a salt value and produces derived key. Designed to protect against brute-force attacks BCRYPT is a password-hasing function derived from the blowfish cipher It adds a salt value to protect against rainbow talbe attacks. A key stretching technique that adds additional bits to a password as a salt. This method helps prevent brute force and rainbow table attacks. Bcrypt is a similar key stretching technique.

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)

Microsoft's version of CHAP and is used as an authentication option with RADIUS It supports password-based authenticaiton

AES (Advanced Encryption Standard)

Newer and stronger encryption standard. capable of using 128-bit, 192 bit and 256 bit key Symmetric algorithm and encrypts data. An encryption standard used by WPA2 and is currently the strongest encryption standard used by Wi-Fi.

WiFi Alliance

Non-Profit organisation that promotes WiFi technology Recommends a passphrase be at least 8 characters long and include a mixture of upper & lowercase letters and symbols

Hashing

One-way encryption that transforms cleartext into a coded form that is never decrypted. one-way encryption that transforms a string of characters into a fixed-length value or key known as hashvalue hashes ensure the integrity of data or message

Steganography

Process of hiding data within data Technique can be applied to images, video files or audio files

Website Certificate

Provided by a certification authority to ensure an online organisation is legitimate. Expired, user can continue accessing the website, but the error will state the user could not be accessing an untrusted site Domain expired - the users would receive a page stating that the website domain is unavailable

PFS pretty good privacy

Provides a low-cost or open source alternative solution that allows users to encrypt their outgoing emails

Asymmetric Algorithms

Public key cryptography uses public and private keys to encrypt and decrypt data. every user must have at least one pair of keys (private & public). The formula to determine the number of keys needed is Nx2 Different keys for encryption and decryption; two keys private and public Encrypt with private- unencrypt with privateor encrypt with public- decrypt with private. Use of private ensures non repudiation; without confidentiality-becomes the digital signature

authentication server

RADIUS server Responsible for authenticating users wanting to connect to the network.

RC4 (Rivest Cipher 4)

RC4 (Rivest Cipher 4) is a stream cipher. RC4 is a stream cipher designed by Ron Rivest. It is used in many applications including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and so on. RC4 is fast and simple. However, it has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, nonrandom or related keys are used, or a single keystream is used twice. Some ways of using RC4 can lead to very insecure cryptosystems such as WEP. Uses key sizes of 40 to 2048 bits

EAP-TLS (EAP-Transport Layer Security)

Remote access authentication protocol that supports the use of smartcards. Create a TLS tunnel to protect the supplicant credentials but don't support legacy authentication protocols Requires both client and server to have certificates The authenticaiton is mutual where the server authenticates to the client and the client authticates to the server

ROT13

Replaces a letter with the 13th letter after it in the alphabet substitution cipher

WEP (Wired Equivalent Privacy)

Security standard for 802.11b; Designed to provide a level of security for a WLAN Uses the encryption protocol RC4, considered insecure key; Does not use an authentication server Users enter a passphrase to connect to the SOHO routher

Blowfish

Symmetric algorithm uses the same key to encrypt and decrypt data A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.

Twofish

Symmetric block cipher that replaced Blowfish

3DES

Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES. Symmetric-key block ciphers using a 64 block size

Stream Cipher

Use a keystream generator and encrypt a message one bit at a time, usually implemented in hardware RC4

RA (Registration Authority)

Used to vertify requests for certificates Forwards responses to the CA An authority in a PKI that processes requests for digital certificates from users.

TKIP (Temporal Key Integrity Protocol)

Wrapper that wraps around existing WEP encryption Used in WPA Replaced WEP in WLAN devices

Diffusion

a change in the plain text resulting in multiple changes that are spread out throughout the ciphertext

IPSec (Internet Protocol Security)

a framework of open standards that ensures communications are private and secure over IP networks

Encryption

a process of encoding messages to keep them secret, so only "authorized" parties can read it.

802.1x

a treat actor can spoof a devices's MAC address and by pass 802.1x authentication. using 802.1x with client certificates or tunnelled authentication can help prevent this attack. A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

Recovery agent

a user who is permitted to decrypt another user's data in case of emergency or in special stituation

File backup

allows the data to be available in case the original files are deleted or become corrupted

ARP posioning

attack where a threat actor sends spoofed ARP messages over a LAN. Attacker poisons the ARP cache of devices with MAC address of attacker's NIC. Usually targets a host's DFG.

EAP

authentication protocols that transfer authentication data between two devices

MTTR (mean time to repair)

average time it takes for a failed device or componet to be repired or replaced

strong password

complex password of 16 or more ASCII characters

EAP-FAST (EAP Flexible Authentication via Secure Tunneling)

create a TLS tunnel to protect the supplicant credentials but don't support legacy authentication protocols for situation a where strong password policy can't be enforced and certificates are not used. consists of three phases: EAP-FAST authentication, establishment of a secure tunnel and client authentication

Full Disk Encryption (FDE)

data-at-rest Will help protect the inactive data should the storage device be stolen. the thief would not be able to read the data. A technology that encrypts everything stored on a storage medium automatically, without any user interaction

Implementing a host based IPS

designed to prevent an attack on the network does not protect the data-at-rest if the storage device is stolen

Open wireless network

does not require a user to enter credentials for access

Block Cipher

encrypt data one block, or fixed block at a time cryptographic service provider, a cryptographic module,performs block and stream cryptography algorithms

confusion

encryption method that uses a relationship between the plain text and the key tat is so complicated the plain text can't be altered and the key can't be dtermined by a threat actor

CA

in the certification hierarchy, the root CA certifies the intermediate CA and can issue certificates to users, computers or services

MTBF (Mean Time Between Failures)

measurement to show how reliable a hardware component is

revoked certificate

no longer valid for the intended purpose A new key pair and certificate will need to be generated Certificate can not be renewed after its expiration date

collision

occurs when a hashing algorithm creates the same hash from two different messages

Shredding

proces of reducing the size of objects so the information is no longer usable, burning, pulping, and pulverizing

ALE (Annual Loss Expectancy)

product of ARO x SLE

digital signature

provide 3 core benefit: authentication, integrity and non-repudiation a one way hash and encrypted with the private key the public key is used to decrypt the hash and validate the integrity of the digital signature created with the private key a means of electronically signing a document with data that cannot be forged

IV (Initialization Vector)

random values used with algorithms to ensure patterns are not created during the encryption process used the keys and are not encrypted with being sent to the destination Arbitrary number that is used with a secret key for data encrption IV makes it more difficult for hackers to break a cipher

CSR (Certificate Signing Request)

request an applicant sends to a CA for the purpose of applying for a digital identity certificates. A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate.

WPA (WIFI protected Access) or WPA2

security standards for more advanced encryption techniques Security standard that replaced and improved on WEP Security standard that secures computers connected to a WiFi network

Intermediate certificate authority

sits between the root certificate authority and the end entity to better secure the root certificate authority Help a large organisation handle large requests for certifications

RPO recovery point objective

specifies the allowable data loss

DES (Data Encryption Standard)

symmetric-key block ciphers using a 64 bit block size 56 bit key superseded by 3DES considered to be insurance for many applications symmetric encryption standard that uses a key length of 56 bits

Implementing

the effort to direct and lead people to accomplish the planned work of the organization

OCSP (Online Certificate Status Protocol)

used to query a certificate authority about the revocation status of a given certificate It validates certificates by returning responses such as 'good','revoked','unknown' Protocol that can be used to query a certificate authority about the revocation status of a given certificate

RSA (Rivest, Shamir, Adleman)

uses a longer key length than ECC Asymmetric algorithm Should be discontinued known as public key cryptogrphy that uses a public & private key to encrypt & decrypt data during transmission.

SSL (Secure Sockets Layer)

uses public key encryption when a client acceses a secured website it will generate a session key &encrypt it with the server's public key The session key is used to encrypt & decrypt data sent back an dforth

implementing biometrics

will control who enters the location an unauthorised user can tailgate and obtain the storage device and read the data-at-rest