Chapter 6

A key space is defined by its ______________

Bit size Bit size is nothing more than the number of binary bits (0s and 1s) in the key. A 128-bit key can have a value from 0 to 2^128 (which is a very large number)

DES is an example of a _________ cipher?

Block cipher

A ________ cipher operates on "chunks" of a message and applies the encryption algorithm to an entire message block at the same time.

Block cipher. Transposition ciphers are examples of block ciphers. Most modern algorithms implement some type of block cipher.

For a one-time pad to be successful, what are the requirements?

(1) Key must be generated manually without any pattern knowledge, (2) Key must be as long as the message to be encrypted, (3) Pads must be protected against physical disclosure, (4) Each pad must be used only one time and then discarded.

What is the minimum number of keys needed for secure two-way communications in symmetric key cryptography? (1), (2), or (3)

(1) Symmetry key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction.

Which type of technique would be used to require a minimum number of agents out of a total number of agents to work together to perform high-security tasks? (1) Zero-knowledge proof, or (2) M of N control

(2) M of N control. Number of agents (M) out of the total number of agents (N).

Electronic Code Book is suitable for (1) large, or (2) small amounts of data

(2) small

The difficulty of factoring the product of large prime numbers is a characteristic of what problem? (1) it contains confusion, (2) it contains diffusion, (3) it is a one-way function.

(3) it is a one-way function. A one-way function is a mathematical operation that easily produces output values for each possible combination of inputs, but makes it impossible to retrieve the input values.

How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants? 10, 20, or 100?

20. In an asymmetric algorithm, each participant requires two keys, a public key and a private key.

What is the minimum number of times that a DES encryption algorithm should be run on the same data to achieve security that is cryptographically strong by modern standards?

3 times DES must also be run using at least two different keys. NIST recommends use of three independent keys for the strongest version.

How many keys are required to fully implement a symmetric algorithm with 10 participants? 10, 45, or 100

45. The number of keys required for a symmetric algorithm is dictated by the formula (n*(n-1))/2, which in this case, where n = 10, is 45. Symmetric cryptosystems require each pair of potential communicators to have a shared private key makes the algorithm non-scalable. It is extremely difficult for large groups to communicate using symmetric key encryption. Secure private communication between individuals in the group can be achieved only if each possible combination of users shared a private key.

What is the length of the cryptographic key used in the DES cryptosystem?

56 bits

6 mod 8 = __________

6

What is the block size used by the 3DES encryption algorithm?

64 bits. 3DES simply repeats the use of the DES algorithm three times. All of the DES modes (eg. ECB, CBC, OFB) operate on 64 bits of plaintext at a time to generate 64-bit blocks of ciphertext.

What is a number that is greater than 1 that cannot be multiplied by two numbers smaller than it?

A prime number For example, 5 and 7 are primary numbers. 8 is not a prime number since 2 x 4 = 8.

Nonrepudiation is offered only by _________ cryptosystems

Asymmetric cryptosystems

_____________ use individual combinations of public and private keys for EACH user of the system (also known as public key encryption)

Asymmetric cryptosystems. Each user has two keys: a public key, which is shared with all users. And a private key, which is kept secret and known only to the user.

___________ key cryptosystems use public-private key pairs for communication between parties

Asymmetric. They are much slower than symmetric.

What goal of cryptography relies on the challenge-response protocol to valid?

Authentication (which can be achieved with both symmetric and asymmetric cryptosystems)

__________ is the streaming cipher version of CBC. In other words, it operates against data produced in real time.

Cipher Feedback mode (CFB) Instead of breaking a message into blocks, it uses memory buffers of the same block size. As the buffer becomes full, it is encrypted and then sent to the recipients. Other than the change from preexisting data to real-time data, CFB operates in the same fashion as CBC. It uses an IV and uses chaining.

______ are meant to hide the true meaning of a message.

Ciphers

____________ are always meant to hide the true meaning of a message. They use a variety of techniques to alter and/or rearrange characters or bits of a message to achieve confidentiality.

Ciphers Ciphers convert messages from plaintext to ciphertext on a bit basis (a single digit of binary code), character basis (single character of an American Standard Code for Information Interchange [ASCII] message), or block basis (fixed-length segment of a message, usually expressed in number of bits).

______ are cryptographic systems of symbols that operate on words or phases and sometimes secret, but don't always provide confidentiality?

Codes

___________ are cryptographic systems of symbols that represent words or phrases, are sometimes secret, but are not necessarily meant to provide confidentiality. '10-4' is example

Codes

Cases where a hash function produces the same value for two different methods are known as ________________

Collisions These lead to the deprecation of a hashing algorithm

What are the four main goals of cryptography?

Confidentiality (data at rest and in transit), integrity, nonrepudiation (undeniable proof of author), and authentication

What are the two basic operations relied upon by cryptographic algorithms to obscure plaintext messages?

Confusion and diffusion. Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can't merely continue altering the plaintext and analyzing the resulting cipher text to determine the key. Diffusion occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

In _________, a type of key escrow system, secret keys used in communication are divided into two or more pieces, each of which is given to an independent third party.

Fair cryptosystems. At least two independent parties are necessary to implement this approach to key escrow.

True of False: The key used by DES is 64 bits long

False. It is 56 bits long. DES uses a 56 bit key to drive encryption and decryption process. Although the spec called for a 64 bit key, only 56 of the bits contain keying information. The remaining 8 bits are supposed to contain parity information to ensure that the other 56 bits are accurate. However, the 8 parity bits are rarely used.

The Caesar cipher (and other simple substitution ciphers) are vulnerable to __________ attacks that analyze the rate at which specific letters appear in the ciphertext?

Frequency Analysis attacks.

The _______________ operation (represented by ~ of !) simply reverses the value of an input variable.

NOT Operates on only one variable at a time.

A ___________ is a random number that acts as a placeholder variable in mathematical functions

Nonce Cryptography often gains strength by adding randomness to the encryption process. When the function is executed, the nonce is replaced with a random number generated at the moment of processing for one-time use

A _______ is a random number that acts as a placeholder variable in mathematical functions. An initialization vector (IV) is a recognizable example of this.

Nonce. When the function is executed, the nonce is replaced with a random number generated at the moment of processing for one-time use.

How many number of keys are needed to connect 10 participants in symmetric cryptography?

Number of keys = [ n(n-1) ] / 2

Which function asks the question, are at least one of the binary values true?

OR

The ______________ operation (represented by the V symbol) checks to see whether at least one of the input values is true.

OR Will select true (1) if it is an option.

___________ is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values

One way function Public key cryptosystems are all based on some sort of one-way function. In practice, however, it's never been proven that any specific known function is truly one way.

In _______ mode, which is similar to CFB. Instead of XORing an encrypted version of the previous block of ciphertext, DES XORs the plaintext with a seed value

Output Feedback Mode (OFB) For the first encrypted block, the IV is used to create the seed value. Future seed values are derived by running the DES algorithm on the previous seed. Major advantages are that there is no chaining function and transmission ERRORS DO NOT propagate to affect the decryption of future blocks.

DES, 3DES, IDEA, Blowfish, Skipjack, and AES are examples of which type of encryption?

Symmetric cryptography

___________ cryptosystems use a shared key available to ALL users

Symmetric cryptosystems

___________ is a way to measure strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages.

Work function (or work factor). Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents.

The security and protection offered by a cryptosystem is directly proportional to the value of its _______________.

Work function / factor. Size of the work function should be matched against the relative value of the protected asset. Work function need only be slightly greater than the time value of that asset. All security, including cryptography, should be cost effective and cost efficient.

Which function asks the question, are only one of the two binary values true?

XOR

In _________, a specific type of information is exchanged, but no real data is transferred, as with digital signatures and digital certificates.

Zero-knowledge proof. It is a concept. Prove your knowledge of a fact to a third party without revealing the fact itself to the third party (cave door example). Often done using passwords and other secret indicators.

True or False: Key escrow is the best seen concept of split knowledge

True Using key escrow, cryptographic keys, digital signatures, and even digital certificates can be stored or backed up in a special database called the key escrow database. In the event a user loses or damages their key, it can be extracted from the backup.

True or False: Asymmetric key algorithms provide support for digital signature technology

True (nonrepudiation). As opposed to symmetric key algorithms which do not. To prove that a message was sent by you, you first create a message digest by using a hashing algorithm. Then, you encrypt the digest using your own private key.

How many possible keys exist in a 4-bit key space?

16. To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key space.

What are the 5 basic operational modes of the Data Encryption Standard (DES)?

- Electronic Code Book (ECB) mode - Cipher Block Chaining (CBC) mode - Cipher Feedback (CFB) mode - Output Feedback (OFB) mode - Counter (CTR) mode

10 mod 3 = _______

1

AES uses a fixed block size of _____ bits?

128 bit block size. However, Rijndael exceeded this specification allowing cryptographers to use a block size equal to the key length.

Modern cryptosystems utilize keys that are at least _______ bits long to provide adequate security.

128 bits. It is generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer sufficiently long enough to provide security.

With the AES cipher, how many round of encryption are required for the following bit key sizes? - 128 - 192 - 256

128 requires 10 rounds of encryption 192 requires 12 rounds of encryption 256 requires 14 rounds of encryption

AES uses what size key lengths (3 options)?

128, 192, 256 bit key length

AES-256 requires ________ rounds of encryption

14. AES-128 requires 10 rounds. AES-192 requires 12 rounds.

8 mod 6 = _________

2 The remainder value left over after a division operation is performed.

Which function asks the question, are both binary values true?

AND

The ___________ operation (represented by ^ symbol) checks to see whether two values are both true

AND Takes only two variables as input. In Boolean math, there are only two possible values for each of these two variables, leading to four possible inputs to the AND function. True (1), and False (0). Basically, it asks whether both of the values are True.

_________ uses the Rijndael algorithm and is the US government standard for the secure exchange of sensitive but unclassified data.

Advanced Encryption Standard (AES). Achieves a much higher level of security than that provided by the older DES algorithm

A ____________________ is a set of rules, usually mathematical, that dictate how enciphering and deciphering processes are to take place.

Algorithm

What are the two items needed to encrypt a plaintext message into ciphertext?

An algorithm and a key. Similarly, an algorithm and key are needed to decrypt the ciphertext for viewing.

_____________, which is a block cipher that is an alternative to DES and IDEA, operates on 64-bit block of text, however it extends IDEA's key strength even further by allowing the use of variable-length keys ranging from 32 bits to 448 bits

Blowfish By Bruce Schneier. Time trials have established blowfish as a much faster algorithm than both IDEA and DES. It is available for public use with no license required. It is built into a number of commercial software products and operating systems. Blowfish is often used in SSH.

________________ defines the rules used for bits and bytes that form the nervous system of any computer.

Boolean mathematics In an electrical circuit, there are only two possible states - on and off. All computation performed by an electrical devices must be expressed in these terms, giving rise to the use of Boolean computation in modern electronics. In general, computer scientists refer to the on condition as a true value and the off condition as a false value.

DES is dead due to ________?

Brute force attacks

In a substitution cipher example, someone wants to take a plaintext message and convert to cipher text. The message will be a ROT3 cipher and characters will be represented by numbers, with A = 0 and Z = 25. What is the encryption algorithm here?

C = (P + 3) mod 26 26 represents the total possible values. The decryption algorithm would be: P = (P - 3) mod 26

In _____________ mode, each block of unencrypted text is XORed with the block of ciphertext immediately preceding it before it is encrypted using the DES algorithm

Cipher Block Chaining (CBC) CBC implements an IV and XORs it with the first block of the message, producing a unique output every time the operation is performed. The IV must be sent to the recipient, perhaps by tacking the IV onto the front of the completed ciphertext in plain form or by protecting it with ECB mode encryption using the same key used for the message. ERRORS propagate however, meaning that if one block is corrupted, it becomes impossible to decrypt.

DES that is run in ___________ mode uses a stream cipher similar to that used in CFB and OFB modes, however instead of creating the seed value for each encryption/decryption operation from the results of the previous seed values, it uses a simple counter that increments for each operation

Counter mode (CTR). Errors do not propogate in CTR mode. It allows you to break an encryption or decryption operation into multiple independent steps. This makes CTR mode well suited for use in parallel computing.

_______________ is the study of methods to defeat codes and ciphers

Cryptoanalysis

______________ is the art of creating and implementing secret codes and ciphers

Cryptography Specific implementations of a code or cipher in hardware and software are known as cryptosystems

Secure RPC (S-RPC) employs the __________ algorithm for key exchange

Diffie-Hellman algorithm

What method is used for key distribution when public key encryption or offline distribution are not sufficient

Diffie-Hellman algorithm. A physical means to communicate may not be available, or a communications infrastructure may not be available to facilitate the exchange of keys. Secure exchange of symmetric encryption keys over a public network.

Message integrity is enforced through the use of encrypted message digests, known as ______________ created upon transmission of a message

Digital signatures These help meet the cryptographic goals of integrity and nonrepudiation.

Why are one-time pads not practical in most cases?

Due to slowness for high speed/volume communications. However they are unbreakable if the key never repeats.

Which of the 5 basic operational modes of DES is considered the least secure?

Electronic Code Book (ECB) mode. It is usually only used for short messages. It is however the easiest mode to understand.

In ____________ mode, the block is simply encrypted using the private key. This means that if the algorithm encounters the same block multiple times, it will produce the same encrypted block

Electronic Code Book mode (DES). This makes it impractical to use on all but the shortest transmissions. It is used only for exchanging small amounts of data, such as keys and parameters used to indicate other DES modes as well as cells in a database.

In ________ a type of key escrow system, the government is provided with a technological means to decrypt ciphertext. It is is the standard behind the Skipjack algorithm.

Escrowed Encryption Standard

___________ perhaps the most important and commonly used in cryptographic applications. Commonly represented with the ⊕ symbol. Returns a true value when only one of the input values is true. Two true or two false both result in false.

Exclusive OR - (XOR)

____________ is a random bit string that is the same length as the block size and is XOR'd with the message

Initialization vector (IV) IVs are used to create unique ciphertext every time the same message is encrypted using the same key.

A ______ is a whole number that is not a decimal

Integer

The _________ block cipher was developed in response to complaints about the insufficient key length of the DES algorithm

International Data Encryption Standard (IDEA) Like DES, IDEA operates on 64 bit block of plaintext/ciphertext, however it begins its operation with a 128 bit key. Broken up into a series of operations into 52 16-bit subkeys. The subkeys then act on the input text using a combination of XOR and modulus operations to produce the encrypted/decrypted version of the input message.

___________ principle states that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge

Kerckhoff's principle

Every algorithm has a _____________ , which is a range of values that are valid for use as a key

Key space

All cryptographic algorithms rely on ________ to maintain their security

Keys For the most part, the key is nothing more than a number (usually a very large binary number).

____________ means that letters are substituted in a message in a fixed manner for the entirety of a message

Mono-alphabetic. This is how the Caesar cipher works.

__________ DES standard operating mode can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil the results throughout the communication.

Output feedback (OFB). OFB prevents early errors from interfering with future encryption/decryption. Cipher block chaining (CBC) and cipher feedback (CFB) modes will carry errors throughout the entire encryption/decryption process. Electronic Code Book (ECB) is not suitable for large amounts of data.

____________ substitution ciphers use multiple alphabets in the same message to hinder decryption efforts

Polyalphabetic Vigenere cipher is one of the most notable examples of substitution ciphers (uses a single encryption/decryption chart).

Data in use may be accessed by unauthorized processes if the operating system does not properly implement ____________________

Process isolation

________ ciphers often use a passage from a commonly available book as the encryption key

Running key cipher. Also known as a book cipher. Example, sender and recipient agree on text from a chapter from Moby Dick.

__________, which is a block cipher, operates on 64 bit blocks of text, uses an 80-bit key and supports the same modes of operation supported by DES. However, it supports the escrow of encryption keys. NIST and the Department of Treasury hold a portion of the information required to reconstruct one of these keys.

Skipjack When law enforcement authorities obtain legal authorization, they contact the two agencies, obtain the pieces of the key, and are able to decrypt communications between the affected parties. It (along with the Clipper chip) were not embraced by the cryptographic community at large because of the mistrust of escrow procedures in place within the US government.

The major weakness of public key cryptography is ____________

Slow speed of operation. Many applications that require secure transmission of data use public key cryptography to establish the connection and then exchange a symmetric secret key. The remainder of the session then uses symmetric key cryptography.

__________ means that information or privilege required to perform an operation is divided among multiple users.

Split knowledge. Ensures that no single person has sufficient privileges to compromise the security of the environment. M of N control is an example of split knowledge.

A one-time pad is an example of a __________ cipher?

Stream cipher

A _______ cipher operates on one character or bit of a message at a time

Stream cipher. Caesar cipher is an example of a stream cipher. Also a one-time pad is a stream cipher.

A __________ cipher uses the encryption algorithm to replace each character or bit of the plaintext message with a different character. Caesar cipher is a good example of this.

Substitution cipher.

A one-time pad is an extremely powerful type of _________ cipher

Substitution cipher. Also known as Vernam cipher. These are considered an unbreakable encryption scheme when used properly.

An algorithm first performs a complex substitution and then uses transposition to rearrange the characters of the substituted ciphertext. Substitution introduces _____, and the transposition introduces _____

Substitution introduces confusion, and the transposition introduces diffusion

Out of band exchange of keys is indicative of which type of cryptography system?

Symmetric. In band exchange is asymmetric.

___________ key cryptosystems rely on the use of a shared secret key

Symmetric. They are much faster than asymmetric algorithms, but they lack the support for scalability (hard for large groups to communicate), easy key distribution (secure channel must be used), and nonrepudiation. They must also be regenerated often. Each time a participant leaves the group, all keys known by that participant must be discarded. They are also often 1,000 - 10,000 times faster than public key encryption. Naturally lends itself to hardware implementations, for faster operations.

______________ is an extremely important function in cryptography. Quite simply, it is the remainder value left over after a division operation is performed.

The modulo function (mod) Modulo function is just as important to cryptography as the logical operations are. Usually represented in the equations by the abbreviation 'mod'. Also sometimes represented by the % operator. • Examples of modulo functions: 10 mod 3 = 1, 8 mod 6 = 2, 6 mod 8 = 6

A __________ cipher uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. The decryption algorithm simply reverses the encryption transformation to retrieve the original message.

Transposition cipher. A keyword can also be used to perform a columnar transposition. Example: ATTACKERS 17823546 THEENEMY WILLSTRIKE ATNOONAND Read down from columns based on the order. However, columnar transposition is an inadequate technology for use in modern secure communication since several inherent weaknesses make it vulnerable to cryptanalysis.

True or False: Allied forces developed Ultra to attack the Enigma codes from Germany

True

True or False: Codes work on words and phrases, whereas ciphers work on individual characters and bits.

True

True or False: Cryptographic keys are sometimes referred to as cryptovariables

True

True or False: DES was superseded by AES in December 2001

True

True or False: FIPS-140-2 defines the hardware and software requirements for cryptographic modules that the federal government uses

True

True or False: Key escrow systems allow the government, under limited circumstances such as a court order, to obtain the cryptographic key used for a particular communication from a central storage facility

True

True or False: M of N Control (which is a split knowledge concept) requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.

True

True or False: Message digests are summaries of a message's content produced by a hashing algorithm

True

True or False: Organizations should: (1) Define the cryptographic algorithms acceptable for use within the organization [eg. AES, RSA] (2) Identify acceptable key length for use with the algorithms based on sensitivity of data (3) Ensure secure transaction protocols (such as SSH) are used

True

True or False: Public key encryption is often used to setup initial communication sessions. Once the connection is setup, the parties exchange secret key over the public key length. Then, the switch communications to the secret key algorithm and enjoy increased processing speeds

True

True or False: RC5, a symmetric algorithm patented by RSA security, is a block cipher of variable block sizes (with between 0 and 2,040 bit key sizes). However, it is the subject of brute force cracking attempts. Messages with RC5 have been cracked that were encrypted using RC5 with a 64-bit key.

True

True or False: Stream ciphers can also function as a type of block cipher

True

True or False: The Skipjack algorithm was approved for use by the US government in Federal Information Processing Standard (FIPS) 185, the Escrowed Encryption Standard (EES)

True

True or False: With the exception of the one-time pad, all cryptographic systems have a limited life span

True

True or False: The three main methods used to exchange secret keys are (1) offline distribution, (2) public key encryption, and (3) the Diffie-Hellman key exchange

True (1) physical exchange of materials

True or False: Strengths of asymmetric encryption include: (1) The addition of new users requires the generation of only one public-private key pair (2) Users can be removed far more easily (3) Key regeneration is required only when a user's private key is compromised (4) It can provide integrity, authentication, and nonrepudiation (5) Key distribution is a simple process (6) No preexisting communication link needs to exist

True Anyone that wants to communicate can simply make their public key available. There is no method by which the private key can be derived from the public key. Also two individuals can begin communicating securely from the moment they start communicating (no preexisting relationship to provide a secure mechanism for data exchange is required).

True or False: When large sized keys are used, symmetric encryption is very difficult to break

True Primarily employed to perform bulk encryption and provides only for the security service of confidentiality.

True or False: The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language

True Substitution language would make it appear with uncommon letters. Transposition cipher would simply shift around the plaintext being used (which would mirror letters in the english language).

True or False: One-time pads use a different substitution technique for each letter of the plaintext message. C = (C + K) mod 26, where K is the encryption key.

True. Also known as Vernam ciphers. There is no repeating pattern of alphabetic substitution, rendering cryptanalytic efforts useless. One-time pads must be randomly generated (without the use of a recurring pattern), be physically protected against disclosure, each pad should only be used once, and the key must be at least as long as the message to be encrypted.

True or False: DES uses a long series of XOR operations to generate the ciphertext. This process is repeated 16 times for each encryption/decryption operation.

True. Each repetition is commonly referred to as a round of encryption, explaining the statement that DES performs 16 rounds of encryption.

True or False: (1) Never store an encryption key on the same system where encrypted data resides (2) For sensitive keys, consider providing two individuals with half of the key. They must then collaborate to re-create the entire key

True. Piece #2 refers to the split knowledge principle. When an individual with knowledge of a secret key leaves an org, the keys must be changed and all encrypted materials must be re-encrypted with the new keys. Destroying the keys are a major drawback of symmetric key encryption.

True or False: IDEA is capable of operating in the same 5 modes used by DES (ECB, CBC, CFB, OFB, and CTR)

True. The patent for IDEA expired in 2012, and it is now available for unrestricted use. One popular implementation of IDEA is found in Pretty Good Privacy (PGP) secure email package.

True or False: A major obstacle for widespread use of one-time pads is difficulty of generating, distributing, and safeguarding the lengthy keys required.

True. They can realistically be used only for short messages, because of key lengths. Awkward to implement because they require the physical exchange of pads.

True or False: The Rijndael block cipher is also known as the AES cipher

True. NIST chose this as the replacement for DES in 2001. Used for encryption of all sensitive but unclassified data by the US government.

True or False: The caesar cipher is an example of the ROT3 cipher

True. Shift each letter of the alphabet 3 places to the right

Which algorithm, which was an AES finalist, uses two techniques not found in other algorithms (prewhitening and postwithening)? It also, like AES, operates on 128 bit blocks of data and is capable of using cryptographic keys up to 256 bits in length.

Twofish. By Bruce Schneier. Prewhitening involves XORing the plaintext with a separate subkey before the first round of encryption. Post whitening uses a similar operation after the 16th round of encryption.

How does 3DES expand upon DES?

Uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively. If 3 keys are used, the key strength is 168 bits. If 2 keys are used, the key strength is 112 bits. It uses the same symmetric algorithm as DES to produce more secure encryption.

The Rijndael algorithm allows for a ________ block size

Variable. As opposed to AES, which uses a 128-bit block size, even though AES is based on the Rijndael algorithm.