Section 6.0 - Cryptography and PKI
What is EAP-Fast?
(EAP Flexible Authentication via Secure Tunneling) is Cisco's replacement of LEAP. It uses Protected Access Credential (PAC) which is generated for each user from the authentication server's master key.
What type of cipher is ROT13 (ROTATE BY 13 PLACES)?
A substitution cipher that rotates each letter 13 places Ex. the ciphertext "Uryyb Jbeyq" means "Hello World" in plaintext
Which of the following are reversible and will output a set length of characters and numbers based on their pre-defined algorithms? (Select two)
3DES and AES 3DES is a 2-way symmetric block cipher algorithm and it outputs 64-bit block cipher text. AES is a 2-way encryption symmetric cipher. AES was adopted as a replacement to 3DES because it is faster and more secure, outputting a 128-bit block ciphertext
For RC4 (ArcFour), what is the highest supported key length and the lowest supported key length?
A 128-bit key is the highest supported key length for RC4. The higher the key length, the stronger the key is, and therefore the encryption is stronger as well. A 40-bit key is the lowest supported key length for RC4. Smaller key length = weaker key strength
A system admin installed a new certificate onto a web server. Browsing to the website, the browser shows trust errors. After clicking on the certificate icon, the website's name and information look correct. How would the system administrator troubleshoot further to find a root cause?
Check the certificate chain
When setting up a secure authentication line for supplicants and an authentication server, EAP-TTLS (EAP-Tunneled TLS) is not working well as an authentication protocol. When using PEAP (Protected Extensible Authentication Protocol), proper authentication occurs and network connection is established. Why is PEAP a better option in this case?
Compatibility with MSCHAPv2
What is the 802.1x framework and what does it do?
Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1X, an IEEE Standard for Port-Based Network Access Control (PNAC), provides protected authentication for secure network access.
An up and coming entrepreneur wants to build an online business. During creation of the website, the owner sends an email to a third-party certificate service, and was able to setup a trusted and secure website in 24 hours. Which process supports the quick turnaround time for web server set up?
Domain validation
What is the difference between domain validation and extended validation?
Domain validation: proving the ownership of the domain, which can be proved by responding to an email to the authorized point of contact -> highly vulnerable to compromise Extended Validation: requires more rigorous checks on the subject's legal identity and control over the domain or software being signed
What authentication mechanism is established when using the 802.1x framework?
EAP: Extensible Authentication Protocol 802.1x is the port-based Network Access Control framework. It provides secure authentication between devices and users before they are permitted full network access.
What's the difference between EAP, LEAP, and PEAP?
EAP: authentication framework (Extensible Authentication Protocol -> WPA and WPA2 use 5 different types of EAP methods LEAP: created by Cisco (Lightweight Extensible Authentication Protocol) uses passwords to connect only, no certificate management or PKI required; based on MS-CHAP; vulnerable to password cracking PEAP: more secure encryption (Protected Extensible Authentication Protocol) encapsulates EAP in a TLS tunnel, only use the certificate;
D-H Ephemeral (DHE) mode combined with _______ provides a perfect forward secrecy mechanism for Transport Layer Security (TLS).
ECC: Elliptic Curve Cryptography: a type of trapdoor function used to generate public/private key pairs. NOT EPHEMERAL KEY because it is already being used
What is ECB? (Electronic Code Book)
Electronic Code Book: mode applies the same key to each plaintext block. This indicates identical plaintext blocks can output identical ciphertexts, making the ciphertext vulnerable to cryptanalysis.
A network administrator enables WPA and WPA2 on a Cisco Wireless LAN (Local Area Network) Controller. 802.1x is also enabled. How will the network admin complete setup for Enterprise mode?
Enter secret key for RADIUS server A RADIUS is required to complete the 802.1x setup. The wireless controller connects to the RADIUS server with a shared secret key, then credentials can be properly authenticated.
Block ciphers like AES (Advanced Encryption Standard) can operate in different modes of operation, each giving a different result of all outputs. Which of the following provides a type of authentication?
GCM (Galois/Counter Mode) combines the ciphertext with a type of message authentication code (GMAC), like an HMAC (hash-based message authentication code) to provide native message integrity and authentication
What is CTM? (Counter Mode)
Counter Mode: functions like a stream cipher, but each block is combined with a nonce counter value. This allows each block to process in a parallel using multi-core CPUs. This solves the problem of slow, serial encryption and improves performance for block ciphers like AES and 3DES.
What is an IV?
Initialization Vector: a psuedo-random character that is added to data before it goes through an encryption process -> the random character cna be re-used if desired.
What does perfect forward secrecy do?
It ensures that a compromise of long-term encryption keys will not compromise data encrypted by these keys in the past
A company with multiple types of archived encrypted data is looking to archive the keys needed to decrypt the data. However, the company wants to separate the two in order to heavily guard these keys. Analyze the scenario to determine the most likely key placement.
Key escrow Key escrow is the archiving of a key (or keys) with a 3rd party. Key escrow is used for orgs that don't have the capacity to securely store all of their keys, but they can transfer that trust to the 3rd party.
What is MS-CHAP?
MS-CHAP is the Microsoft version of the Challenge Handshake Protocol, CHAP with two version: MS-CHAPv1 and MS-CHAPv2
What is RIPEMD?
RACE Integrity Primitives Evaluation Message Digest: a message digest algorithm designed as an alternative to MD5 and SHA. It can verify both authenticity and message integrity
A connection cannot be established during a network connection test of a newly deployed WAP (Wireless Access Point) in WPA2 Enterprise (Wi-Fi Protected Access) mode. After checking the wireless controller, the 802.1x option was selected, but another configuration setting did not save. Apply knowledge of the network connection process to determine which of the following did not save.
RADIUS server settings
What is the difference between RC4 and 3DES ciphers?
RC4: a stream cipher which means that each bit of data (byte) in the plaintext message is encrypted one at a time (stream) 3DES: uses 64-bit blocks and a 56-bit key. The plaintext is encrypted 3 TIMES using different subkeys. #DES is not a stream cipher, but a block cipher meaning: the plaintext message is divided into equal-size blocks AES uses a block size of 128 bits
Why is SHA (Secure Hashing Algorithm) preferred to other hashing alternatives?
SHA addressed the weaknesses of MD5 like exploited collisions and was developed by NIST for use on government systems.
What are examples of hashing algorithms that are preferred over MD5 because they implement an authentication mechanism, which MD5 does not?
SHA-2 RIPEMD HMAC SHA-1
The security and software development team are working on a password storage application. It will store passwords as a secure hash. Which of the following will provide the best protection against brute force attacks? (Select two)
PBKDF2 (Password Based Key Derivative Function 2): used for key stretching like BCrypt which makes it harder to apply brute force attacks Bcrypt: used in key stretching -> taking the initial key and putting it through thousands of rounds of hashing
What is a PSK?
Pre-shared Key: the password needed to gain access to a WAP
What is another term used for a "session key" when being exchanged in a digital envelope?
Secret Key A session key is packaged into a digital envelope so it can be exchanged with another user or system. The secret key was used to encrypt the message and will be used to decrypt the message when received.
Explain what "Enterprise" refers to when configuring a wireless access point for WPA2-Enterprise.
Selecting the "Enterprise" option on a wireless router enables the use of 802.1x. 802.1x is a Port-Based Network Access Control (PNAC) mechanism that uses EAP.
What are 2 examples of symmetric algorithms and asymmetric algorithms?
Symmetric algorithms: DES and AES Asymmetric algorithms: RSA and DSA RSA creates digital signatures and can be used to encrypt short messages DSA uses the Diffie Hellman private and public key exchange
A new wireless access point has been installed in the office. Users are not able to connect to the Wireless Access Point (WAP). All users are using older model smart phones. Which of the following security settings should the network administrator setup to resolve this connection issue?
TKIP and WPA2
What is TKIP and what does it do?
Temporal Key Integrity Protocol: an encryption protocol used in the IEEE 802.11 wireless networking standard (WLANS). Replaced WEP. Uses the original WEP programming, but wraps additional code at the bginning and end to encapsulate and modify it, using the RC4 algorithm as the basis. Not as strong as AES.
What is an XOR operation?
XOR (Exlusive or) operation encodes a message where a value is combined with the plaintext message. XOR preserves randomness meaning: a random bit XORed with a non-random bit will result in a random bit,
What is the purpose of a Certificate Signing Request (CSR)?
To obtain a certificate
In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CAs) share information and exchange certificates?
Trust model The trust model is a concept of PKI that shows how users and different CAs can trust one another. This is detailed in a certificate's certification path leading back to the root CA.
A company has two web servers using a load-balance configuration. Users report having periodic trust errors connecting to the website. Both servers are using server-only certificates. Which of the following actions would most likely resolve the issue?
Use correct certificate path Both web certificates in this scenario must use the same path. The certification path or "Certificate chaining" or "Chain of trust" is a verifiable path to the leaf cetificate to the root CA.
What is blowfish?
a 2-way SYMMETRIC encryption algorithm and symmetric block cipher.
What does "enterprise mode" mean?
a Compatability mode that
What is a trapdoor function?
a function that is easy to compute in one direction, yet hard to compute int he opposite direction (TRAPDOOR)
What is PRNG (Psuedo Random Number Generator)?
an algorithm that produces a sequence of numbers that approximate randomness without being truly random. It is not "truly random" because it is produced by a computer and nothing a computer does is random.
What is the "data in use" state?
when data is present in volatile memory, such as RAM, CPU cache, and encrypted drives
What is GCM? (Galois/Counter Mode)
combines the ciphertext with a type of message authentication code (GMAC), like an HMAC, to provide native message integrity
What is OCSP?
Online Certificate Status Protocol- an internet protocol issued by CAs used for obtaining the revocation status of an X.509 digital certificate; replacement for CRL OCSP is responsible for updating the status of certificates, not the CA
Distinguishing between Enterprise and Open authentication, determine the easier option for a user to connect to a wireless access point, and identify the reason supporting the selection. (Select two)
Open and No Authentication Open authentication is common for public "hotspots", but data sent over the link is unencrypted
What is a RADIUS federation?
Multiple organizations allow access to each other's users by joining their RADIUS servers into a RADIUS hierarchy.
A user is connecting a printer to the home's wireless router using WPS (Wi-Fi Protected Setup). The printer setup is not completing. Pressing the WPS button on the wireless router and printer at the same time does nothing to assist with the issue. Why is the printer not connecting?
Must enter a PIN WPS makes it easier for home users to connect wireless devices to a wireless router. You can establish a connection by using the push button or entering the 8-digit PIN on the router.
A security engineer performed a few auditing tasks and began checking the status of a couple web server certificates. One of the certificate statuses returned with an "unknown", and the other status with "good". Evaluate and determine what the engineer utilized in this case.
OCSP (Online Certificate Status Protocol): runs on an issuing CA designated as an OCSP responder to communicate the status of requested certificates, rather than returning a CRL.
What is OTP?
One Time Pad: an encryption key that has the same number of characters as the PLAINTEXT and must be generated by a truly random algorithm.
What is a digital envelope?
Used to send private messages that can only be decrypted by the recipient. Messages are encrypted using the recipient's public key and then the message is decrypted by the recipient's private key
A company has deployed public key infrastructure and will use a chip to issue employees company IDs. Employees will be able to use these cards on any company workstation and Outlook client with a compatible card reader. What type of certificates will most likely be loaded onto these cards? (Select two)
User Email
User A sends an encrypted email to User B, and signs the email using RSA (Rivest, Shamir, Adleman) encryption. If User A uses a digital envelope, which key in this email process would most likely compromise confidentiality for both this, and future emails?
User B's private key User B's private key is used to decrypt an encrypted session key. If the recipient's private key is compromised so is all of the data and communications between A and B.
What is Nonce?
"Number used once" a random or counter value that is added to data before encryption, but it is never reused within the same scope. Randomness in a nonce prevents against attacks that work across multiple keys in the same system.
What is the formula to calculate keyspace?
2 to the power of (size of the key). Keyspace is the range of key values available to use with a particular cipher.
Which of the following allows multiple authentication methods to permit users access to the LAN (Local Area Network) or WLAN (Wireless LAN)?
802.1x
To resist cryptanalysis, a cryptographic module must apply a value to the message to remove any possibility of the same plaintext outputting to the same encrypted value. How is this value added to a cryptographic algorithm?
An XOR operation XOR produces 0 if both values are the same and 1 if the values are different
When using cryptography, how does it help so that any compromise in a small part of a system does not compromise the rest of the system?
Authentication and Integrity of Messages Cryptography ensures "resilience" by ensuring authentication and integrity of messages delivered over the control system.
A company has workstation drives encrypted with BitLocker. Employees use a Common Access Card (CAC) to log in to those computers. Public Key Infrastructure (PKI) is available on the network and digital signatures are a requirement on company emails. What 3 cases do these technologies support?
Authentication, Non-repudiation, and Confidentiality
What are two examples of key stretching methods that can slow down a brute force attack?
Bcrypt: key stretching method PBKDF2: Password-Based Key Deriviation Function 2 is also another key stretching method
Why are some cipher algorithms not improved upon, or developed further?
Because there are secret algorithms due to attempts to hide details of the cipher and make them more difficult to examine.
What is a CSR?
Certificate Signing Request a message sent from an applicant to a Certificate Authority (CA) of the PKI in order to apply for a digital identity certificate. The CSR is required to issue a SSL Certificate
What is CBC? (Cipher Block Chaining)
Cipher Block Chaining is not a cipher, but a cipher mode of applying an IV to improve ciphertext integrity and ensure a unique ciphertext with any plain text
A client browser does not support secure connections to web server. A TLS (Transport Layer Security) connection is being established with DHE (Diffie-Hellman Ephemeral mode). Why does the browser not support DHE?
DHE uses an Ephemeral key for "Perfect Forward Secrecy" but it only works if both the client and server are using the SAME ephemeral keys. In this instance, ECDH without Ephemeral should be used.
A government agency was using RSA encryption on a web app and the app crashed. What alternative to RSA can they use?
DSA: Digital Signature Algorithm
How does confusion and diffusion differ in the context of a security of a cipher?
Diffusion: transposes ciphertext if any bit in the plaintext changes Confusion: means the key should not be derivable from the ciphertext which can be done through complex substitution and transposition operations
What is DSA?
Digital Signature Algorithm: an adaptation of ElGamal's algorithm used for encryption and digital signing, rather than simply a mechanism for agreeing to a shared secret
What is ECDHE (ECC with D-H ephermeral mode) and why is it preferred over RSA?
Elliptic Curve Diffie Hellman: allows 2 parties, each having an elliptic curve public-private key pair, to communicate
Why is domain validation easier than extended validation?
Email to a point of contact
What are examples of 2 hashing methods that can be used for preserving integrity of messages in an office messaging system?
HMAC: Host Based Message Authentication Code: a hashing algorithm that allows both the sender and the receiver to use a shared secret key for authenticity and provide integrity MD5 or MDA is also a hashing algorithm that uses a 128-bit hash value, but only provides integrity
Diffie-Hellman (D-H) is commonly used in IP Security (IPsec) as part of the Internet Key Exchange (IKE) protocol. It can also be used with Transport Layer Security (TLS) protocol to provide perfect forward secrecy. How does D-H use a symmetric encryption algorithm to provide a secure agreement on a key to encrypt messages, and what is it referred to when used with TLS?
Groups DHE
Diffie-Hellman (D-H) uses 768-bit, 1024-bit and 2048-bit algorithms. What are these algorithms referred to in D-H, and what benefits do they provide when used with the Transport Layer Security (TLS) protocol? (Select two)
Groups Perfect forward secrecy D-H depends on the use of a group, which can be any mathematical operation with the properties of a trapdoor function. Common groups used are group 1 (768 bit), group 2 (1024 bit), group 5 (1536 bit) and group (2048 bit) D-H can be used in the TLS protocol to provide perfect forward secrecy -> referred to SHE (Diffie-Hellman Ephemeral Mode)
What is HMAC and how is it used?
HMAC generates a message authentication code (MAC) using the MD5 algorithm (HMAC-MD5), SHA-1 (HMAC-SHA1), or SHA-2 (HMACSHA2) algorithm.
What is a major drawback of ECC (Elliptic Curve Cryptography)?
If there is a compromise of its encryption keys, then it will affect all communications.
User A wants to establish a secure connection with a web server. Transport encryption is used to ensure data is encrypted as it is sent over the network. This works when both client and server agree on a secret key. How is the secret key exchanged?
In-band key exchange Why? In-band key exchange uses asymmetric encryption - the secret key is encrypted with the recipient's public key and is decrypted by the recipient's private key.
What is an ephemeral key?
It is the main component of ECDHE that makes it a perfect forward secrecy by using a different key for each session during transport.
What is BCRYPT and what is it used for?
It is used in key stretching. Key stretching involves taking the initial key and processing it through thousands of rounds of hashing which won't make it stronger, but it will slow down a hashing attack.
What authentication protocol uses MSCHAPv1?
LEAP: Lightweight Wxtensible Authentication Protocol
Management wants to implement a secure messaging system and will not be prioritizing confidentiality. Employees must know who the message is coming from and trust the message. The sender and receiver will share a session key. Which of the following options will meet the company's requirements?
MD5 HMAC HMAC: is a hashing algorithm that allows both the sender and the receiver to use a shared secret key for authenticity. It can verify both authenticity and message integrity MD5: is also a hashing algorithm that produces a 128-bit hash value. It can verify both authenticity and message integrity.
A company deployed a website. The public cannot trust the site since a public key has not been generated. However, it is operational and users can browse its contents. Conclude which of the statements about the website is most true. (Select two)
No private key RSA not implemented There is no private key if there is no public key RSA is not implemented because it uses public key cryptography
A custom suite of in-house applications use a variety of encryption methods to process, send, audit, and archive data. Many use various symmetric and key pair encryptions to authenticate messages and ensure the integrity of those messages. Which of the following would be a benefit of using these encryption methods?
No single point of failure
What type of EAP uses MS-CHAPv2 for authentication?
PEAP
A company deployed a wireless access point, and wishes to enable the Enterprise mode for secure wireless connections. The servers have certificates, but the supplicants do not. Which of the following options would fit the company's needs?
PEAP EAP-FAST: uses TLS with PAC instead of certifiates
What authentication protocol uses MSCHAPv2?
PEAP: Protected Extensible Authentication Protocol
What's the difference between PEAP and EAP-TLS?
PEAP: only requires a server-side public key certificate EAP-TLS: requires a public key certificate on both the server side and the supplicant (client end user)
What is a method of encrypting emails that also supports non-repudiation?
PGP: Pretty Good Privacy an open standard for encrypting emails and can also be used for file/disk encryption and non-repudiation. PGP is an open internet standard.
What is PBKDF2?
Password-Based Key Derivation Function 2: uses RSA security's public key cryptography standards (PKCS #5) and is used for KEY STRETCHING.
What are two examples of a key stretching process?
Salting SHA Salt = random data added to other data before going through a hashing algorithm SHA because it is the second part of key stretching after salting.
A new Wireless Access Point (WAP) is connected to the network. Basic security settings were automatically selected during the set-up wizard. After entering the pre-shared key, the wireless client device does not have access to the LAN (Local Area Network). Several settings were changed to try and remediate the issue. What can the network administrator do to rule out the WAP as the cause?
Set up an open confiuguration
An application crashed after a software engineer implemented RSA with a key size of 2048-bit key for strong encryption. When other encryption algorithms were utilized, elliptical curve worked well and the application worked faster than anticipated. Which solution will make elliptical curve cryptography work better?
Smaller key size A large key size will work with ECC, but it will become slower -> causing the application to crash.
User A employs a secret key cipher such as AES when encrypting a message. That secret key is passed along to User B to decipher the message using a digital envelope. Why is a digital envelope used in this exchange?
To secure the session key Because symmetric encryption is faster
What is the purpose of key stretching?
To strengthen potentially weak cryptographic keys, such as passwords. They can be used as an add-on to existing ciphers as well.
What is salt?
Used in password-based systems and is concatenated to the front of a password before processing. No salt = attacker can build a dictionary of common passwords and look up each password by the authenticator.
A new company wants to provide free Wi-Fi access to its customers. The users must be able to easily find the wireless access point and enter a password to gain access. The wireless traffic must be encrypted with the highest setting possible. Which of the following would meet these requirements?
WPA WPA replaced WEP and improved encryption scheme. To use WPA, users enter a password for access
What makes WPA more vulnerable than WPA2?
WPA uses RC4 stream cipher. WPA is weaker than AES which is used by WPA2 WPA2 uses CCMP which is stronger than WPA which uses Temporal Key Integrity Protocol TKIP
What makes WPA weaker than WPA2?
WPA uses the RC4 stream cipher which is weaker than AES WPA adds TKIP to make RC4 stronger, but it is still weaker than CCMP which is used by WPA2.
IN order of most secure to least secure, it goes WPA2->WPA->WEP. What makes WPA2 more secure than the others?
WPA2 (Wi-Fi Protected Access 2) uses AES (Advanced Encryption Standard) within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) AES is WPA2 is a symmetric block cipher, not asymmetric -> using keys of 128, 192, or 256 bits.AES is stronger than RC4.
A network administrator is working to enable a secure wireless protocol for compatibility with older devices. The Wireless Access Point (WAP) will service mobile phones, laptops, and tablets. Which of the following will provide adequate service without sacrificing security?
WPA2 and TKIP
Differentiate between WPA and WPA2 and identify what makes WPA2 stronger than WPA.
WPA2 uses AES for encryption. WPA uses RC4, which is weaker than AES. AES is deployed within CCMP. WPA uses TKIP which has been replaced by CCMP
What is the "data in transit" state?
When data is transmitted over a network. The data can be sent over the WAN to its final location through a VPN.
What is a wildcard certificate?
a public key certificate that can be used with multiple sub-domains of a domain. It validates the parent domain and all subdomains under a single certificate.
What is a registration authority?
a server that completes identity checks, and submits CSRs (Certificate Signing Requests) on behalf of the end users -> but RAs don't actually sign or issue certificates.