Crypto Quiz
PKI responsibilities
Binding of public keys to people; Certificate Authority; Trust
Key generation
Build both the public and private keys at the same time; randomization; large prime numbers; MATH
Key management Lifecycle
1. Key generation; 2. Certificate generation; 3. Distribution; 4. Storage; 5. Revocation; 6. Expiration
Serial Number
A number uniquely identifying the certificate within the domain of its CA.
Certificate extensions
Add more information to a digital certificate: extension ID; Critical (True/False); Value (string value of the extension)
AES
Advanced Encryption Standard, today's symmetric encryption standard
Public Key certificate
Binds public key with a digital signature
Signed Data syntax
CMS provides integrity, authentication, and nonrepudiation security.
What is a PKI?
Combination of Policies, procedures, hardware, software, people
CIA + N
Confidentiality, Integrity, Availability, Non-repudiation
Valid from/ Valid to
Date and time during which the certificate is valid
PKI can be used by:
E-mail clients, virtual private network products, web server components, domain controllers, mobile devices
Sign with Private key
Message doesn't need to be encrypted; nobody else can sign
Pretty Good Privacy (PGP)
PGP can use symmetric and asymmetric encryption methods.
Asymmetric Encryption
Public key cryptography: public key and private key
Public key
Public key and algorithm used by the certificate holder
Key exchange
Public key, the slower protocol, can be used to exchange the private key, and then the communication uses the faster symmetric key protocol.
Certificate Repositories
Repository is a term that describes a centralized directory that can be accessed by a subset of individuals.
Fall of 2000: Which AES did NIST choose?
Rijndael
Substitution Cipher
Substitution ciphers work on the principle of substituting a different letter for every letter. This system permits 26 possible values for every letter in a message. Simple analysis of the cipher retrieves the key. One looks for common letters and patterns that would become words.
Caesar cipher (Shift Cipher)
The algorithm specifies that you offset the letters of the alphabet either to the right (forward) or to the left (backward). The key specifies how many letters the offset is.
Issuer
The name of the CA, expressed as Distinguished Name (DN)
Subject
The name of the certificate holder, expressed as a Distinguished Name (DN)
Version
The X.509 version supported (V1, V2, V3)
Elliptic Curve Cryptography ECC
Two points can be added to get a third point on the curve. Users agree on an elliptic curve (27 curves) and a fixed curve point.
Symmetric key from asymmetric key
Use public key and private key to create a symmetric key
Extensions
V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usages
IPsec
VPN protocol that secures all types of IP traffic because it works below the Application layer; features designed to introduce security at the network or packet-processing layer in network
WTLS
Wireless version of TLS
IDEA (International Data Encryption Algorithm)
a block-mode cipher using a 64-bit block size and a 128-bit key. IDEA is susceptible to a weak key—a key made of all zeros.
SSH (Secure Shell)
a clear text protocol for a remote connection to a computer.
What is a key?
a key is a sequence of bits (1's and 0's) used by an algorithm to encrypt or decrypt. Keys are generated in advance and usually kept in a key table for easy access.
Policy certificates
a mechanism is required to provide centrally controlled policy information to PKI clients.
Digital signature
adds trust (integrity); PKI uses Certificate Authority; Web of Trust
key pair
allows more flexibility and mobility.
TrueCrypt
an open source solution for encryption. It also allows file encryption or whole disk encryption.
Key complexity
assigning a large number of possible values to the key.
Brute Force
attempting every possible key.
Nonrepudiation
based upon public key cryptography and the principle of only you knowing your private key.
Certificate creation
built into OS; part of Windows domain services; 3rd party Linux options
Diffie-Hellman
came up with a scheme where two people could create a SHARED SECRET KEY by exchanging public information. Used in the electronic key exchange method of the Secure Sockets Layer (SSL) protocol.
RSA (Rivest Shamir Adleman)
can be used for both encryption and digital signatures. RSA's security has withstood the test of over 20 years of analysis, but in software it can be 100 times slower than even DES.
Public key infrastructures (PKIs)
central security foundation for organizations.
Lightweight Directory Access Protocol (LDAP)
certificate repositories are usually LDAP compliant
HTTPS
clear text protocol that is secured by encryption, in this case Secure Sockets Layer (SSL).
Symmetric algorithms
comparatively faster and have fewer computational requirements.
XML Key Management Specification (XKMS)
defines services to manage PKI operations within the Extensible Markup Language (XML) environment.
PKIX Certificate Management Protocol (CMP)
defines the messages and operations required to provide certificate management services within the PKIX model.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
extension to the MIME standard that provides a way to send and receive signed and encrypted MIME data.
PKI - X.509 (PKIX)
formed by the Internet Engineering Task Force (IETF) to define a certificate profile and operational model for deployment of X.509 certificates
NSA Suite B Cryptography
includes: AES, Elliptic Curve DSA, Elliptic Curve D-H, SHA-256
Rijndael
is a block cipher separating data input in 128-bit blocks that can also be configured to use blocks of 192 or 256 bits.
Cryptanalysis
is the process of analyzing available information to attempt to return the encrypted message to its original form.
Cryptography
is the science of encrypting information.
key space
is the size of every possible key value. 128, 256 bits are example key spaces.
End-entity certificates
issued by a CA to a specific subject such as Joyce, the accounting department, or a firewall.
distinguished name
label that follows the X.500 standard.
Hashing definition
math function that performs one-way encryption.
ECC vs DH/DSA/RSA
much more efficient
Integrity provided by:
one-way hash functions and digital signatures.
Local Registration Authorities
performs the same functions as an RA, but the LRA is closer to end users.
Vigenère Cipher
polyalphabetic substitution cipher that depends on a password. Done by setting up a substitution table.
cryptographic algorithm
set of mathematical steps for encrypting and decrypting information.
algorithm
step-by-step problem-solving procedure. Recursive computational procedure for solving a problem in finite steps.
CA certificates
superior CA gives the authority and allows the subordinate CA to accept certificate requests and generate the individual certificates.
SSL
supports many different algorithms but primarily used D-H for key exchange, DES or 3DES for symmetric encryption, and SHA-1 and MD5 for hashing.
Key escrow
system by which a private key is kept both by the user and by the government.
Registration Authority
the component that accepts a request for a digital certificate.
ISAKMP
to support security associations at all layers of the network stack, meaning it can be implemented on the transport level using TCP or UDP
Transport Layer Security (TLS)
updated version of SSL that supports more ciphers: D-H, RSA, DES, 3DES, AES, MD5 and SHA. Protocol that ensures privacy.
Enigma machine
used a complex series of substitutions to perform encryption, and gave rise to great amounts of research in computers.
El Gamal
used as the U.S. government standard for digital signatures, and may also be used for encryption. Uses a problem known as the discrete logarithm problem as its central, asymmetric operation. The discrete log problem concerns finding a logarithm of a number within a finite field arithmetic system.
Class 3 certificate
used by a company to set up its own certificate authority.
Class 2 certificate
used for software signing
Hashing functions
used to create a digest of a unique message
Class 1 certificate
used to verify an individual's identity through e-mail.
Cross-certification certificates
used when independent CAs establish peer-to-peer trust relationships.
Blowfish
using 64-bit blocks and a variable key length from 32 to 448 bits. It is designed to run quickly on 32-bit microprocessors. It is optimized for situations where there are few key changes.
Digital Signatures
ways to confirm that the information is correct, nonrepudiation
How to verify private key?
with public key