CompTIA Security+ Sy0-601: Cryptography Basics (Mike Meyers)
What is TPM (Trusted Platform Module)?
It is a chip built into a computer's motherboard and is used during Full Disk Encryption (FDE)
Describe hashing
Used for integrity, one-way function that outputs a fixed length result. The value is determine by the data input. Involved in password storage and encryption
What is Web of Trust?
Uses a network of mutually-trusting peers. Not commonly used
What is a digital signature?
Verifies that the person who sent the public key legitimately owns the private key.
What is a collision and what hash types are prone to it?
When two different pieces of data output the same hash value. SHA1 and MD5 are prone to this
Describe the Blowfish block cipher algorithm. Hint: Block size, number of rounds, and key size
The symmetric algorithm has a 64 bit block size, encrypts in 16 rounds and has a key size of 32-448 bits
Describe the RC4 streaming cipher algorithm. Hint: Block size, number of rounds, and key size
The symmetric-key algorithm encrypts 1 bit at a time, in one round using a key size of 40-2048 bits
What is a root certificate?
A certificate that is at the top of the hierarchy
Describe PKI (Public key infrastructure)
A hierarchical structure consisting of root Certificate Authorities (root CAs) at the top. Root CAs generate certificates and are typically offline for security reasons. Intermediate CAs are used to take the load off of CAs. There are also Certificate Authorities (CAs) or registration authorities (RAs) that identify and authenticate individuals registering the certificate
What is a private key?
A key that is used for decryption. Should be protected
What is a public key?
A key that is used for encryption. This key can be given to anyone. Without its paired key the data can not be decrypted
What is X.509?
A method to query systems that store certificates and includes that standards for constructing digital certificates
What is a HSM (Hardware Security Module)?
A removable device that can be attached to a server or server via USB connection. It is used to store encryption keys and can act as a key escrow (can hold the private key for third parties)
What is the PKCS (Public Key Cryptography Standards)?
A standard which gives details on certificate construction and use
What is an ephemeral key?
A temporary key, thus providing perfect forward secrecy
What is Elliptic-curve cryptography (ECC)?
An asymmetric algorithm that can create a smaller key than RSA while providing the same security with increased performance. It is widely used today
What is certificate chaining?
It shows the trust from the CA down to the Intermediary to the certificate itself
What is a symmetric block algorithm and what are some examples?
An algorithm that encrypts data in chunks. These algorithms include DES, 3DES , Blowfish and the currently used AES
What is a streaming symmetric-key algorithm and what is the most used streaming symmetric cipher?
An algorithm that encrypts data one bit at a time. The most used is RC4
Asymmetric Encryption
An encryption method in which there are two keys in use, the public key and the private key. Very secure but is very slow. Typically used in exchanging session keys
Symmetric Encryption
An encryption method where there is only one key in use for both encryption and decryption. This method can encrypt large amounts of data quickly but is less secure
Describe the 3DES (Triple Data Encryption Standard) block cipher algorithm. Hint: Block size, number of rounds, and key size
The symmetric-key algorithm has a 64 bit block size, encrypts in 16 rounds and has a key size of 168 bits
Describe the DES (Data Encryption Standard) block cipher algorithm. Hint: Block size, number of rounds, and key size
The symmetric-key algorithm has a 64 bit block size, encrypts in 16 rounds and has a key size of 56 bits
What do salting and keystretching do?
Both techniques provide password obfuscation in which the password is appended with a random string before it is hashed, defending against rainbow table attacks
Data at rest
Data stored physically on a hard drive
Data in processing
Data that is actively stored in RAM and being accessed by a program
Data in transit
Data that is moving through cables / wireless transmission
What is a brute force attack?
In this attack, the attacker tries different character combinations until the password is cracked. Generally takes a good amount of time
What is a dictionary attack?
In this attack, the attacker tries every word in a wordlist (think dictionary) until a password match is found
What is a rainbow table?
In this attack, the attacker uses a table of passwords and their precomputed hashes to find a match
What is an offline attack?
In this attack, the attacker will usually move the information from the target system and copy it into their attacker system and to go through their attack. Think: An attacker finds a list of users and the password hashes, copies it from the target machine and moves it to their attacker machine to carry out cracking the password
What occurs in CBC mode?
In this block cipher mode an Initialization Vector is used
What occurs in CFB mode?
In this block cipher mode each previous of ciphertext is encrypted and fed into the algorithm to encrypt the next block
What occurs in ECB mode?
In this block cipher mode the same plaintext always results in the same ciphertext, it is considered insecure
What is a digital certificate?
Includes verification from a trusted third party to authenticate the owner of the digital signature. Think of it like the owner's public key + the owner's digital signature + the third party's digital signature
What are the different hash types?
MD5 (128 bit hash), SHA1 (16o bit has), SHA-265, SHA-512, and RIPEMD (128,160,256, 320 bit digest)
Describe the Diffie-Hellman key exchange.
The idea is to be able to exchange cryptographic keys in a secret manner so that only the two participants will know the keys when the exchange is complete. The keys are derived based on shared knowledge. It is an asymmetric algorithm
What is an email certificate?
This certificate allows the user to send encrypted emails between them and another user.
What is a Wildcard Certificate?
This certificate can be used for the domain and an unspecified amount subdomains. This type of certificate should not be used as attackers can make a subdomain of their own. Think: *.securityplus.training
What is a Subject Alternative Name (SAN) certificate?
This certificate can be used for the domain and the SPECIFIED subdomains chosen by the user
What is a user certificate?
This certificate ensures authenticity of a user in a system
What is a computer / machine / hardware certificate?
This certificate ensures that machines or device drivers can be trusted as legitimate and not tampered with. Think of digitally signed device drivers.
What is a code-signing certificate?
This certificate ensures that software can be trusted (usually verified by a big third party company like Microsoft) and is proof that it has not been tampered with. Essentially digitally signs the software
What is a self-signed certificate?
This certificate is one that is signed by the entity that registered for the certificate. This type of certificate is typically used in an internal network and should not be trusted outside of one
What is an Extended Validation (EV) Certificate?
This certificate provides a higher level of trust in identifying an entity, this is typically used on sites dealing with card information.
Describe the P12 certificate format
This file contains the certificate and the chain certificates along with the private key.
Describe the P7B certificate format
This file contains the certificate and the chain certificates but does not contain the private key
Describe the DER (Distinguished Encoding Rules) certificate format
This file puts the digital certificate in a binary format ends with the file extension .CER and is the oldest format
Describe the where the expiration date of a certificate is usually found and where it is usually published.
This information is found on the certificate itself and is also included on the CA's Certificate Revocation List (CRL)
Describe AES ( Advance Encryption Standard) block cipher algorithm. Hint: Block size, number of rounds, and key size
This symmetric-key algorithm is currently the strongest block cipher algorithm. The algorithm has a 128 bit block size, encrypts in 10,12, or 14 rounds depending on the key size and has a key size of 128, 192 or 256 bits
What is a Domain Validation (DV) Certificate?
This type of certificate proves ownership to a domain name, it is a standard X.509 certificate