315 Cards in this Set
Front (Term) is a method of storing and transmitting data in a form that only those it is intended for can read and process. |
Back (Definition) Cryptography |
|
Front (Term) Set of mathematical and logic rules used in cryptographic functions |
Back (Definition) Algorithm |
|
Front (Term) Another name for algorithm |
Back (Definition) Cipher |
|
Algorithm |
Set of mathematical and logic rules used in cryptographic functions |
|
Cipher |
Another name for algorithm |
|
Cryptography |
Science of secret writing that enables an entity to store and transmit data in a form that is available only to the intended individuals |
|
Cryptosystem |
Hardware or software implementation of cryptography that contains all the necessary software, protocols, algorithms, and keys |
|
Cryptanalysis |
Practice of uncovering flaws within cryptosystems |
|
Key |
Sequence of bits that are used as instructions that govern the acts of cryptographic functions within an algorithm
|
|
Key clustering |
Instance when two different keys generate the same ciphertext from the same plaintext |
|
Keyspace |
A range of possible values used to construct keys |
|
Plaintext |
Data in readable format, also referred to as cleartext |
|
Substitution cipher |
Encryption method that uses an algorithm that changes out (substitutes) one value for another value |
|
Scytale cipher |
Ancient encryption tool that used a type of paper and rod used by Greek military factions |
|
Kerckhoffs’ principle |
Concept that an algorithm should be known and only the keys should be kept secret |
|
One-Time Pad Requirements
For a one-time pad encryption scheme to be considered unbreakable, each pad in the scheme must be |
* Made up of truly random values
* Used only one time
* Securely distributed to its destination
* Secured at sender’s and receiver’s sites
* At least as long as the message |
|
A concealment cipher, |
also called a null cipher, is a type of steganography method, that is, a method of hiding data in another media type with the goal of secrecy
|
|
Key Derivation Functions (KDFs) |
are used to generate keys that are made up of random values. Different values can be used independently or together as random key material. The algorithm is created to use specific hash, password, and/or salt values, which will go through a certain number of rounds of mathematical functions dictated by the algorithm. The more rounds that this keying material goes through, the more assurance and security for the cryptosystem overall. |
|
One-time pad |
Encryption method created by Gilbert Vernam that is considered impossible to crack if carried out properly |
|
Number generator |
Algorithm used to create values that are used in cryptographic functions to add randomness |
|
Running key cipher |
Substitution cipher that creates keystream values, commonly from agreed-upon text passages, to be used for encryption purposes |
|
Concealment cipher |
Encryption method that hides a secret message within an open message |
|
Steganography |
Method of hiding data in another media type with the goal of secrecy |
|
Digital Rights Management (DRM) |
Access control technologies commonly used to protect copyright material |
|
Transposition |
Encryption method that shifts (permutation) values |
|
Caesar cipher |
Simple substitution algorithm created by Julius Caesar that shifts alphabetic values three positions during its encryption and decryption processes |
|
Frequency analysis |
Cryptanalysis process used to identify weaknesses within cryptosystems by locating patterns in resulting ciphertext |
|
Key Derivation Functions (KDFs) |
Generation of secret keys (subkeys) from an initial value (master key) |
|
The following list outlines the strengths of symmetric key systems: |
* Much faster (less computationally intensive) than asymmetric systems.
* Hard to break if using a large key size. |
|
The following list outlines the weaknesses of symmetric key systems: |
* Requires a secure mechanism to deliver keys properly.
* Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming.
* Provides confidentiality but not authenticity or nonrepudiation. |
|
The following list outlines the strengths of asymmetric key algorithms: |
* Better key distribution than symmetric systems.
* Better scalability than symmetric systems.
* Can provide authentication and nonrepudiation. |
|
The following list outlines the weaknesses of asymmetric key algorithms: |
* Works much more slowly than symmetric systems
* Mathematically intensive tasks |
|
The following are examples of asymmetric key algorithms: |
* Rivest-Shamir-Adleman (RSA)
* Elliptic curve cryptosystem (ECC)
* Diffie-Hellman
* El Gamal
* Digital Signature Algorithm (DSA)
* Merkle-Hellman Kn |
|
asymmetric key algorithm |
Rivest-Shamir-Adleman (RSA) |
|
asymmetric key algorithm |
Elliptic curve cryptosystem (ECC) |
|
asymmetric key algorithm |
Diffie-Hellman |
|
asymmetric key algorithm |
El Gamal |
|
asymmetric key algorithm |
Digital Signature Algorithm (DSA) |
|
asymmetric key algorithm |
Merkle-Hellman Kn |
|
Stream Ciphers vs. One-Time Pads |
Stream ciphers were developed to provide the same type of protection one-time pads do, which is why they work in such a similar manner. In reality, stream ciphers cannot provide the level of protection one-time pads do, but because stream ciphers are implemented through software and automated means, they are much more practical. |
|
Symmetric algorithm |
Encryption method where the sender and receiver use an instance of the same key for encryption and decryption purposes. |
|
Out-of-band method |
Sending data through an alternate communication channel. |
|
Asymmetric algorithm |
Encryption method that uses two different key types, public and private. Also called public key cryptography |
|
Public key |
Value used in public key cryptography that is used for encryption and signature validation that can be known by all parties. |
|
Private key |
Value used in public key cryptography that is used for decryption and signature creation and known to only key owner. |
|
Public key cryptography |
Asymmetric cryptography, which uses public and private key values for cryptographic functions. |
|
Block cipher |
Symmetric algorithm type that encrypts chunks (blocks) of data at a time. |
|
Diffusion |
Transposition processes used in encryption functions to increase randomness. |
|
Confusion |
Substitution processes used in encryption functions to increase randomness. |
|
Avalanche effect |
Algorithm design requirement so that slight changes to the input result in drastic changes to the output. |
|
Stream cipher |
Algorithm type that generates a keystream (random values), which is XORd with plaintext for encryption purposes. |
|
Keystream generator |
Component of a stream algorithm that creates random values for encryption purposes. |
|
Initialization vectors (IVs) |
Values that are used with algorithms to increase randomness for cryptographic functions. |
|
Cryptography |
Science of secret writing that enables an entity to store and transmit data in a form that is available only to the intended individuals |
|
Cryptosystem |
Hardware or software implementation of cryptography that contains all the necessary software, protocols, algorithms, and keys |
|
Cryptanalysis |
Practice of uncovering flaws within cryptosystems |
|
Cryptology |
The study of both cryptography and cryptanalysis |
|
Encipher |
Act of transforming data into an unreadable format |
|
Decipher |
Act of transforming data into a readable format |
|
Key |
Sequence of bits that are used as instructions that govern the acts of cryptographic functions within an algorithm |
|
Key clustering |
Instance when two different keys generate the same ciphertext from the same plaintext |
|
Keyspace |
A range of possible values used to construct keys |
|
Plaintext |
Data in readable format, also referred to as cleartext |
|
Substitution cipher |
Encryption method that uses an algorithm that changes out (substitutes) one value for another value |
|
Scytale cipher |
Ancient encryption tool that used a type of paper and rod used by Greek military factions |
|
Kerckhoffs’ principle |
Concept that an algorithm should be known and only the keys should be kept secret |
|
One-Time Pad Requirements
For a one-time pad encryption scheme to be considered unbreakable, each pad in the scheme must be |
* Made up of truly random values
* Used only one time
* Securely distributed to its destination
* Secured at sender’s and receiver’s sites
* At least as long as the message |
|
concealment cipher |
also called a null cipher, is a type of steganography method. |
|
Key Derivation Functions (KDFs) |
are used to generate keys that are made up of random values. Different values can be used independently or together as random key material. The algorithm is created to use specific hash, password, and/or salt values, which will go through a certain number of rounds of mathematical functions dictated by the algorithm. The more rounds that this keying material goes through, the more assurance and security for the cryptosystem overall. |
|
One-time pad |
Encryption method created by Gilbert Vernam that is considered impossible to crack if carried out properly |
|
Number generator |
Algorithm used to create values that are used in cryptographic functions to add randomness |
|
Running key cipher |
Substitution cipher that creates keystream values, commonly from agreed-upon text passages, to be used for encryption purposes |
|
Concealment cipher |
Encryption method that hides a secret message within an open message |
|
Steganography |
Method of hiding data in another media type with the goal of secrecy |
|
Digital Rights Management (DRM) |
Access control technologies commonly used to protect copyright material |
|
Transposition |
Encryption method that shifts (permutation) values |
|
Caesar cipher |
Simple substitution algorithm created by Julius Caesar that shifts alphabetic values three positions during its encryption and decryption processes |
|
Frequency analysis |
Cryptanalysis process used to identify weaknesses within cryptosystems by locating patterns in resulting ciphertext |
|
Key Derivation Functions (KDFs) |
Generation of secret keys (subkeys) from an initial value (master key)
|
|
The following list outlines the weaknesses of symmetric key systems: |
* Requires a secure mechanism to deliver keys properly.
* Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming.
* Provides confidentiality but not authenticity or nonrepudiation. |
|
The following list outlines the strengths of symmetric key systems: |
* Much faster (less computationally intensive) than asymmetric systems.
* Hard to break if using a large key size. |
|
The following list outlines the strengths of asymmetric key algorithms: |
* Better key distribution than symmetric systems.
* Better scalability than symmetric systems.
* Can provide authentication and nonrepudiation. |
|
The following list outlines the weaknesses of asymmetric key algorithms: |
* Works much more slowly than symmetric systems
* Mathematically intensive tasks |
|
The following are examples of asymmetric key algorithms: |
* Rivest-Shamir-Adleman (RSA)
* Elliptic curve cryptosystem (ECC)
* Diffie-Hellman
* El Gamal
* Digital Signature Algorithm (DSA)
* Merkle-Hellman Kn |
|
Stream Ciphers vs. One-Time Pads |
Stream ciphers were developed to provide the same type of protection one-time pads do, which is why they work in such a similar manner. In reality, stream ciphers cannot provide the level of protection one-time pads do, but because stream ciphers are implemented through software and automated means, they are much more practical. |
|
Symmetric algorithm |
Encryption method where the sender and receiver use an instance of the same key for encryption and decryption purposes. |
|
Out-of-band method |
Sending data through an alternate communication channel. |
|
Asymmetric algorithm |
Encryption method that uses two different key types, public and private. Also called public key cryptography. |
|
Public key |
Value used in public key cryptography that is used for encryption and signature validation that can be known by all parties. |
|
Private key |
Value used in public key cryptography that is used for decryption and signature creation and known to only key owner. |
|
Public key cryptography |
Asymmetric cryptography, which uses public and private key values for cryptographic functions. |
|
Block cipher |
Symmetric algorithm type that encrypts chunks (blocks) of data at a time. |
|
Diffusion |
Transposition processes used in encryption functions to increase randomness. |
|
Confusion |
Substitution processes used in encryption functions to increase randomness. |
|
Avalanche effect |
Algorithm design requirement so that slight changes to the input result in drastic changes to the output. |
|
Stream cipher |
Algorithm type that generates a keystream (random values), which is XORd with plaintext for encryption purposes. |
|
Keystream generator |
Component of a stream algorithm that creates random values for encryption purposes. |
|
Initialization vectors (IVs) |
Values that are used with algorithms to increase randomness for cryptographic functions. |
|
Using purely symmetric key cryptography has three drawbacks, which affect the following |
* Security services: Purely symmetric key cryptography provides confidentiality only, not authentication or nonrepudiation.
* Scalability: As the number of people who need to communicate increases, so does the number of symmetric keys required, meaning more keys must be managed.
* Secure key distribution: The symmetric key must be delivered to its destination through a secure courier. |
|
Diffie-Hellman algorithm |
Although the ................... algorithm is vulnerable to a man-in-the-middle attack, it does not mean this type of compromise can take place anywhere this algorithm is deployed. Most implementations include another piece of software or a protocol that compensates for this vulnerability. But some do not. As a security professional, you should understand these issues.
|
|
MQV (Menezes-Qu-Vanstone) |
is an authentication key agreement cryptography function very similar to Diffie-Hellman. The users’ public keys are exchanged to create session keys. It provides protection from an attacker figuring out the session key because she would need to have both users’ private keys. |
|
Strong cryptographic hash functions have the following characteristics: |
* The hash should be computed over the entire message.
* The hash should be a one-way function so messages are not disclosed by their values.
* Given a message and its hash value, computing another message with the same hash value should be impossible.
* The function should be resistant to birthday attacks (explained in the upcoming section “Attacks Against One-Way Hash Functions”). |
|
Asymmetric Key Algorithms |
ECC, El Gamal, Knapsack |
|
Symmetric Key Algorithms |
DES |
|
Diffie-Hellman algorithm |
First asymmetric algorithm created and is used to exchange symmetric key values. Based upon logarithms in finite fields. |
|
RSA algorithm |
De facto asymmetric algorithm used for encryption, digital signatures, and key exchange. Based upon the difficulty of factoring large numbers into their original prime numbers. |
|
El Gamal algorithm |
Asymmetric algorithm based upon the Diffie-Hellman algorithm used for digital signatures, encryption, and key exchange. |
|
Elliptic curve cryptosystem algorithm |
Asymmetric algorithm based upon the algebraic structure of elliptic curves over finite fields. Used for digital signatures, encryption, and key exchange. |
|
Knapsack algorithm |
Asymmetric algorithm based upon a subset sum problem (knapsack problem). It has been broken and is no longer used. |
|
Zero knowledge proof |
One entity can prove something to be true without providing a secret value. |
|
One-way hash |
Cryptographic process that takes an arbitrary amount of data and generates a fixed-length value. Used for integrity protection. |
|
Message authentication code (MAC) |
Keyed cryptographic hash function used for data integrity and data origin authentication. |
|
Hashed message authentication code (HMAC) |
Cryptographic hash function that uses a symmetric key value and is used for data integrity and data origin authentication. |
|
CBC-MAC |
Cipher block chaining message authentication code uses encryption for data integrity and data origin authentication. |
|
CMAC |
Cipher message authentication code that is based upon and provides more security compared to CBC-MAC |
|
CCM |
Block cipher mode that combines the CTR encryption mode and CBC-MAC. One encryption key is used for both authentication and encryption purposes. |
|
Collision |
When two different messages are computed by the same hashing algorithm and the same message digest value results. |
|
Birthday attack |
Cryptographic attack that exploits the mathematics behind the birthday problem in probability theory to force collisions within hashing functions. |
|
Digital signature |
Ensuring the authenticity and integrity of a message through the use of hashing algorithms and asymmetric algorithms. The message digest is encrypted with the sender’s private key. |
|
Digital signature standard |
U.S. standard that outlines the approved algorithms to be used for digital signatures for government authentication activities. |
|
Certificate Revocation CRL |
CRLs are the thorn in the side of many PKI implementations. They are challenging for a long list of reasons. It is interesting to know that, by default, web browsers do not check a CRL to ensure that a certificate is not revoked. So when you are setting up an SSL connection to do e-commerce over the Internet, you could be relying on a certificate that has actually been revoked. Not good. |
|
Rules for Keys and Key Management |
* The key length should be long enough to provide the necessary level of protection.
* Keys should be stored and transmitted by secure means.
* Keys should be extremely random, and the algorithm should use the full spectrum of the keyspace.
* The key’s lifetime should correspond with the sensitivity of the data it is protecting. (Less secure data may allow for a longer key lifetime, whereas more sensitive data might require a shorter key lifetime.)
* The more the key is used, the shorter its lifetime should be.
* Keys should be backed up or escrowed in case of emergencies.
* Keys should be properly destroyed when their lifetime comes to an end. |
|
End-to-end encryption |
happens within the applications |
|
SSL encryption takes place |
at the transport layer. |
|
PPTP encryption takes place |
at the data link layer. |
|
Link encryption takes place |
at the data link and physical layers. |
|
Advantages of end-to-end encryption include the following: |
* It provides more flexibility to the user in choosing what gets encrypted and how.
* Higher granularity of functionality is available because each application or user can choose specific configurations.
* Each hop device on the network does not need to have a key to decrypt each packet. |
|
Disadvantages of end-to-end encryption include the following: |
Headers, addresses, and routing information are not encrypted, and therefore not protected. |
|
Certificate authority |
Component of a PKI that creates and maintains digital certificates throughout their life cycles. |
|
Registration authority |
Component of PKI that validates the identity of an entity requesting a digital certificate. |
|
Certificate revocation list |
List that is maintained by the certificate authority of a PKI that contains information on all of the digital certificates that have been revoked. |
|
Online certificate status protocol |
Automated method of maintaining revoked certificates within a PKI. |
|
Certificate |
Digital identity used within a PKI. Generated and maintained by a certificate authority and used for authentication. |
|
Link encryption |
Technology that encrypts full packets (all headers and data payload) and is carried out without the sender’s interaction. |
|
End-to-end encryption |
Encryption method used by the sender of data that encrypts individual messages and not full packets. |
|
Hardware vs. Software Cryptography Systems |
Encryption can be done through software or hardware, and there are trade-offs with each. Generally, software is less expensive and provides a slower throughput than hardware mechanisms. Software cryptography methods can be more easily modified and disabled compared to hardware systems, but it depends on the application and the hardware product. If a company needs to perform high-end encryption functions at a higher speed, the company will most likely implement a hardware solution. |
|
PGP |
is considered a cryptosystem because it has all the necessary components: symmetric key algorithms, asymmetric key algorithms, message digest algorithms, keys, protocols, and the necessary software components. |
|
SET |
is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. |
|
The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware: |
* Issuer (cardholder’s bank): The financial institution that provides a credit card to the individual.
* Cardholder: The individual authorized to use a credit card.
* Merchant: The entity providing goods.
* Acquirer (merchant’s bank): The financial institution that processes payment cards.
* Payment gateway: This processes the merchant payment. It may be an acquirer. |
|
Multipurpose Internet Mail Extension |
Standard that outlines the format of e-mail messages and allows binary attachments to be transmitted through e-mail. |
|
Secure MIME |
Secure/Multipurpose Internet Mail Extensions, which outlines how public key cryptography can be used to secure MIME data types. |
|
Pretty Good Privacy |
Cryptosystem used to integrate public key cryptography with e-mail functionality and data encryption, which was developed by Phil Zimmermann. |
|
Quantum cryptography |
Use of quantum mechanical functions to provide strong cryptographic key exchange. |
|
HTTPS |
A combination of HTTP and SSL/TLS that is commonly used for secure Internet connections and e-commerce transactions. |
|
Secure Electronic Transaction |
Secure e-commerce standard developed by Visa and MasterCard that has not been accepted within the marketplace. |
|
Cookies |
Data files used by web browsers and servers to keep browser state information and browsing preferences. |
|
Secure Shell (SSH) |
Network protocol that allows for a secure connection to a remote system. Developed to replace Telnet and other insecure remote shell methods. |
|
IPSec |
Protocol suite used to protect IP traffic through encryption and authentication. De facto standard VPN protocol. |
|
Authentication header protocol |
Protocol within the IPSec suite used for integrity and authentication. |
|
Encapsulating security protocol |
Protocol within the IPSec suite used for integrity, authentication, and encryption. |
|
Transport mode |
Mode that IPSec protocols can work in that provides protection for packet data payload. |
|
Tunnel mode |
Mode that IPSec protocols can work in that provides protection for packet headers and data payload. |
|
Internet Security Association and Key Management Protocol |
Used to establish security associations and an authentication framework in Internet connections. |
|
Passive attack |
Attack where the attacker does not interact with processing or communication activities, but only carries out observation and data collection, as in network sniffing. |
|
Active attack |
Attack where the attacker does interact with processing or communication activities. |
|
Ciphertext-only attack |
Cryptanalysis attack where the attacker is assumed to have access only to a set of ciphertexts. |
|
Known-plaintext attack |
Cryptanalysis attack where the attacker is assumed to have access to sets of corresponding plaintext and ciphertext. |
|
Chosen-plaintext attack |
Cryptanalysis attack where the attacker can choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. |
|
Chosen-ciphertext attack |
Cryptanalysis attack where the attacker chooses a ciphertext and obtains its decryption under an unknown key. |
|
Differential cryptanalysis |
? |
|
Linear cryptanalysis |
Cryptanalysis method that uses the study of affine transformation approximation in encryption processes. |
|
Side-channel attack |
Attack that uses information (timing, power consumption) that has been gathered to uncover sensitive data or processing functions. |
|
Replay attack |
Valid data transmission is maliciously or fraudulently repeated to allow an entity to gain unauthorized access. |
|
Algebraic attack |
Cryptanalysis attack that exploits vulnerabilities within the intrinsic algebraic structure of mathematical functions. |
|
Analytic attack |
Cryptanalysis attack that exploits vulnerabilities within the algorithm structure. |
|
Statistical attack |
Cryptanalysis attack that uses identified statistical patterns. |
|
Social engineering attack |
Manipulating individuals so that they will divulge confidential information, rather than by breaking in or using technical cracking techniques. |
|
Meet-in-the-middle attack |
Cryptanalysis attack that tries to uncover a mathematical problem from two different ends.
|
|
Cryptography is the science of protecting information by |
encoding it into an unreadable format. |
|
The most famous rotor encryption machine is |
the Enigma used by the Germans in World War II. |
|
A readable message is in a form called plaintext, and once it is encrypted, |
it is in a form called ciphertext. |
|
Cryptographic algorithms are the mathematical rules that dictate |
the functions of enciphering and deciphering. |
|
Cryptanalysis is the study of |
breaking cryptosystems |
|
Nonrepudiation is a service that ensures the |
sender cannot later falsely deny sending a message. |
|
Key clustering is an instance in which two different keys |
generate the same ciphertext from the same plaintext. |
|
The range of possible keys is referred to as the |
keyspace. A larger keyspace and the full use of the keyspace allow for more random keys to be created. This provides more protection. |
|
The two basic types of encryption mechanisms used in symmetric ciphers |
are substitution and transposition. Substitution ciphers change a character (or bit) out for another, while transposition ciphers scramble the characters (or bits). |
|
A polyalphabetic cipher uses more than one |
alphabet to defeat frequency analysis. |
|
Steganography is a method of hiding data within |
another media type, such as a graphic, WAV file, or document. This method is used to hide the existence of the data. |
|
A key is |
a random string of bits inserted into an encryption algorithm. The result determines what encryption functions will be carried out on a message and in what order. |
|
In symmetric key algorithms, the sender and receiver use |
the same key for encryption and decryption purposes. |
|
In asymmetric key algorithms, the sender and receiver use |
different keys for encryption and decryption purposes. |
|
Symmetric key processes provide barriers of secure key distribution and scalability. However, symmetric key algorithms perform |
much faster than asymmetric key algorithms. |
|
Symmetric key algorithms can provide confidentiality, |
but not authentication or nonrepudiation. |
|
Examples of symmetric key algorithms include |
DES, 3DES, Blowfish, IDEA, RC4, RC5, RC6, and AES.
|
|
Asymmetric algorithms are used to encrypt keys |
and symmetric algorithms are used to encrypt bulk data. |
|
Asymmetric key algorithms are much slower than |
symmetric key algorithms, but can provide authentication and nonrepudiation services. |
|
Examples of asymmetric key algorithms include |
RSA, ECC, Diffie-Hellman, El Gamal, Knapsack, and DSA. |
|
Two main types of symmetric algorithms are |
stream and block ciphers. Stream ciphers use a keystream generator and encrypt a message one bit at a time. A block cipher divides the message into groups of bits and encrypts them. |
|
Many algorithms are publicly known, so the secret part of the process is the |
key. The key provides the necessary randomization to encryption. |
|
Data Encryption Standard (DES) is a block cipher that divides |
a message into 64-bit blocks and employs S-box-type functions on them. |
|
Because technology has allowed the DES keyspace to be successfully broken, Triple-DES (3DES) |
was developed to be used instead. 3DES uses 48 rounds of computation and up to three different keys. |
|
International Data Encryption Algorithm (IDEA) is a |
symmetric block cipher with a key of 128 bits. |
|
RSA is an asymmetric algorithm developed by |
Rivest, Shamir, and Adleman and is the de facto standard for digital signatures. |
|
Elliptic curve cryptosystems (ECCs) are used as asymmetric algorithms and can provide |
digital signature, secure key distribution, and encryption functionality. They use fewer resources, which makes them better for wireless device and cell phone encryption use. |
|
When symmetric and asymmetric key algorithms are used together, this is called a |
hybrid system. The asymmetric algorithm encrypts the symmetric key, and the symmetric key encrypts the data. |
|
A session key is a symmetric key used by the sender and receiver of messages for |
encryption and decryption purposes. The session key is only good while that communication session is active and then it is destroyed. |
|
A public key infrastructure (PKI) is a framework of programs, procedures, communication protocols, and public key cryptography that |
enables a diverse group of individuals to communicate securely. |
|
A certificate authority (CA) is a trusted third party that generates and maintains |
user certificates, which hold their public keys. |
|
The CA uses a certification revocation list (CRL) |
to keep track of revoked certificates. |
|
A certificate is the mechanism the CA uses to |
associate a public key to a person’s identity. |
|
A registration authority (RA) validates the |
user’s identity and then sends the request for a certificate to the CA. The RA cannot generate certificates. |
|
A one-way function is a mathematical function that is easier to compute |
in one direction than in the opposite direction |
|
RSA is based on a one-way function that factors large numbers into prime numbers. Only the private key knows how to |
use the trapdoor and how to decrypt messages that were encrypted with the corresponding public key. |
|
Hashing algorithms provide |
data integrity only. |
|
When a hash algorithm is applied to a message, it produces |
a message digest, and this value is signed with a private key to produce a digital signature. |
|
Some examples of hashing algorithms include |
SHA-1, MD2, MD4, MD5, and HAVAL. |
|
HAVAL produces a variable-length |
hash value, whereas the other hashing algorithms mentioned produce a fixed-length value. |
|
SHA-1 produces a |
160-bit hash value and is used in DSS |
|
A birthday attack is an attack on hashing functions |
through brute force. The attacker tries to create two messages with the same hashing value. |
|
A one-time pad uses a pad with random values that are |
XORed against the message to produce ciphertext. The pad is at least as long as the message itself and is used once and then discarded. |
|
A digital signature is the result of a user signing a hash value with |
a private key. It provides authentication, data integrity, and nonrepudiation. The act of signing is the actual encryption of the value with the private key. |
|
Examples of algorithms used for digital signatures include |
RSA, El Gamal, ECDSA, and DSA. |
|
Key management is one of the most challenging pieces of cryptography. It pertains to |
creating, maintaining, distributing, and destroying cryptographic keys. |
|
The Diffie-Hellman protocol is a key agreement protocol and does not |
provide encryption for data and cannot be used in digital signatures. |
|
TLS is the “next version” of SSL and is an open-community protocol, which allows |
for expansion and interoperability with other technologies. |
|
Link encryption encrypts the entire packet, including headers and trailers, and |
has to be decrypted at each hop. End-to-end encryption does not encrypt the headers and trailers, and therefore does not need to be decrypted at each hop. |
|
Pretty Good Privacy (PGP) is an e-mail security program that uses |
public key encryption. It employs a web of trust instead of the hierarchical structure used in PKI. |
|
S-HTTP provides protection for each message sent between two computers, but not |
the actual link. HTTPS protects the communication channel. HTTPS is HTTP that uses SSL for security purposes. |
|
Secure Electronic Transaction (SET) is a proposed electronic commerce technology that |
provides a safer method for customers and merchants to perform transactions over the Internet. |
|
In IPSec, AH provides |
integrity and authentication, and ESP provides those plus confidentiality. |
|
IPSec protocols can work in transport mode (the data payload is protected) or |
tunnel mode (the payload and headers are protected). |
|
IPSec uses IKE as its key exchange protocol. IKE is the |
de facto standard and is a combination of ISAKMP and OAKLEY. |
|
Trusted Platform Module is a secure cryptoprocessor that |
can be used for platform integrity, disk encryption |
|
An asymmetric algorithm performs encryption and decryption by using |
public and private keys that are related to each other mathematically. |
|
A symmetric algorithm performs |
encryption and decryption by using a shared secret key. |
|
A symmetric key is used to |
encrypt and/or decrypt the actual message. |
|
Public keys are used to encrypt |
the symmetric key for secure key exchange |
|
A secret key is synonymous |
with a symmetric key. |
|
An asymmetric key refers to |
a public or private key. |
|
So, that is how a hybrid system works. |
The symmetric algorithm creates a secret key that will be used to encrypt the bulk, or the message, and the asymmetric key encrypts the secret key for transmission. |
|
If a symmetric key is encrypted with a receiver’s public key, what security service(s) is (are) provided? |
Confidentiality, because only the receiver’s private key can be used to decrypt the symmetric key, and only the receiver should have access to this private key.
|
|
If data are encrypted with the sender’s private key, what security service(s) is (are) provided? |
Authenticity of the sender and nonrepudiation. If the receiver can decrypt the encrypted data with the sender’s public key, then she knows the data was encrypted with the sender’s private key. |
|
If the sender encrypts data with the receiver’s private key, what security service(s) is (are) provided? |
None, because no one but the owner of the private key should have access to it. Trick question. |
|
Why do we encrypt the message with the symmetric key? |
Because the asymmetric key algorithm is too slow. |
|
Why don’t we encrypt the symmetric key with another symmetric key? |
We need to get the necessary symmetric key to the destination securely, which can only be carried out through asymmetric cryptography through the use of public and private keys to provide a mechanism for secure transport of the symmetric key. |
|
Sadly, you could see symmetric cryptography referred to as any of the following: |
* Single key cryptography
* Secret key cryptography
* Session key cryptography
* Private key cryptography
* Shared-key cryptography
|
|
Among the long laundry list of security problems with WEP |
not using unique session keys for data encryption is one of them. If only WEP is being used to encrypt wireless traffic, then in most implementations, just one static symmetric key is being used over and over again to encrypt the packets. This is one of the changes and advancements in the 802.11i standard, which makes sure each packet is encrypted with a unique session key.
|
|
DEA is the algorithm that fulfills DES, which is really just a standard. So DES is the standard and DEA is the algorithm, but in the industry we usually just refer to it as |
DES. The CISSP exam may refer to the algorithm by either name, so remember both.
|
|
In some resources, you may run across RC5-w/r/b or RC5-32/12/16. This is a type of shorthand that describes the configuration of the algorithm: |
* w = Word size, in bits, which can be 16, 32, or 64 bits in length
* r = Number of rounds, which can be 0 to 255
So RC5-32/12/16 would mean the following:
* 32-bit words, which means it encrypts 64-bit data blocks
* Using 12 rounds
* With a 16-byte (128-bit) key
A developer configures these parameters (words, number of rounds, key size) for the algorithm for specific implementations. The existence of these parameters gives developers extensive flexibility. |
|
Hybrid cryptography |
Combined use of symmetric and asymmetric algorithms where the symmetric key encrypts data and an asymmetric key encrypts the symmetric key. |
|
Session keys |
Symmetric keys that have a short lifespan, thus providing more protection than static keys with longer lifespans. |
|
Digital envelope Message |
is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. Collectively this is called a digital envelope. |
|
Data Encryption Standard Block symmetric algorithm chosen by NIST as an encryption standard in 1976. It uses |
a 56-bit true key bit size, 64-bit block size, and 16 rounds of computation. |
|
Lucifer Algorithm that was chosen for the |
Data Encryption Standard, which was altered and renamed Data Encryption Algorithm. |
|
Data Encryption Algorithm Algorithm chosen to fulfill the |
Data Encryption Standard. Block symmetric cipher that uses a 56-bit true key size, 64-bit block size, and 16 rounds of computation. |
|
Advanced Encryption Standard U.S. encryption standard that replaced |
DES. Block symmetric cipher that uses 128-bit block sizes and various key lengths (128, 192, 256). |
|
Rijndael Block symmetric cipher that was chosen to fulfill the |
Advanced Encryption Standard. It uses a 128-bit block size and various key lengths (128, 192, 256). |
|
Triple DES Symmetric cipher that applies |
DES three times to each block of data during the encryption process. |
|
International Data Encryption Algorithm Block symmetric cipher that |
uses a 128-bit key and 64-bit block size. |
|
Blowfish Block symmetric cipher that uses |
64-bit block sizes and variable-length keys. |
|
RC4 Stream symmetric cipher that |
was created by Ron Rivest of RSA. Used in SSL and WEP. |
|
RC5 Block symmetric cipher that uses |
variable block sizes (32, 64, 128) and variable-length key sizes (0–2040). |
|
RC6 Block symmetric cipher that uses a |
128-bit block size and variable-length key sizes (128, 192, 256). Built upon the RC5 algorithm. |
|
MAC |
Mandatory Access Control. Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate users’ access but simply configures the proper level of access as dictated by the Data Owner. |
|
will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship. The subject must DOMINATE the object sensitivity level, which means that the subject must have a security clearance equal to or higher than that of the object he is attempting to access.
|
The MAC system |
|
introduces the concept of labels. Every object will have a label attached to it indicating the classification of the object as well as categories that are used to impose the need to know (NTK) principle. Even though a user has a security clearance of Secret, it does not mean he would be able to access any Secret documents within the system. |
MAC |
|
If there is no clearance and no labels then |
IT IS NOT Mandatory Access Control |
|
“simple security rule,” or “no read up.” |
MAC policy |
|
“*-property” (pronounced “star property”) or “no write down.” |
MAC Policy |
|
no read up |
MAC |
|
“strict *-property” |
requires that information can be written at, but not above, the subject’s clearance level. MAC |
|
also known as: Identity Based access control system. The owner of an object is defined as the person who created the object. As such, the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users. Such a system is good for a low level of security. One of the major problems is the fact that a user who has access to someone else's file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild west, as there is no control on the dissemination of the information. |
DAC = Discretionary Access Control |
|
is a form of Non-Discretionary access control. access control usually maps directly with the different types of jobs performed by employees within a company |
RBAC = Role Based Access Control |
|
is a form of Non-Discretionary access control. access control device would be a Firewall. A single set of rules is imposed on all users attempting to connect through the firewall. |
RuBAC = Rule Based Access Control |
|
provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding. |
Call back Systems |
|
The use of database views is another example of a constrained user interface. |
Another method for controlling access is by restricting users to specific functions based on their role in the system. |
|
job rotation, the sharing of responsibilities, and reviews of audit records. |
detective/administrative controls |
|
The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: |
detective/technical control measures |
|
The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with: |
Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists. |
|
A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: |
Non-Discretionary Access Control |
|
Type 1: Something you know, such as a PIN or password
Type 2: Something you have, such as an ATM card or smart card
Type 3: Something you are (unique physical characteristic), such as a fingerprint or retina scan |
Authentication is based on the following three factor types |
|
is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time. |
Authentication |
|
provides maximum security because a new password is required for each new log-on. |
"One-time password" |
|
is a sequence of characters that is usually longer than the allotted number for a password. |
passphrase |
|
Which of the following would be true about Static password tokens? |
The owner identity is authenticated by the token |
|
In Synchronous dynamic password tokens |
The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key). |
|
identification is a "one-to-many" search of an individual's characteristics from a database of stored images. |
biometrics |
|
It is used for identification in physical controls and for authentication in logical controls. |
Which of the following is true of biometrics |
|
What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system? |
False Rejection Rate (FRR) or Type I Error |
|
What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication system? |
False Acceptance Rate (FAR) or Type II Error |
|
What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate? |
Crossover Error Rate (CER)
Another name for the CER is the Equal Error Rate (EER); either of the two terms could be used. The device with the lowest EER is the most accurate. |
|
Considerations of privacy, invasiveness, and psychological and physica |
Acceptability of biometrics systems |
|
Which of the following is implemented through scripts or smart agents that replay the user's multiple log-ins against authentication servers to verify a user's identity, which permits access to system services? |
SSO |
|
File Transfer Protocol (FTP) • Trivial File Transfer Protocol (TFTP) • Simple Network Management Protocol (SNMP) • Simple Mail Transfer Protocol (SMTP) • Telnet • Hypertext Transfer Protocol (HTTP) |
OSI: Application Layer The protocols at the application layer handle file transfer, virtual terminals, network management, and fulfilling networking requests of applications. A few of the protocols that work at this layer include |
|
What OSI Layer? File Transfer Protocol (FTP) |
Application. FTP ports 21 and 20 |
|
What OSI Layer? Trivial File Transfer Protocol (TFTP) |
Application. Trivial File Transfer Protocol (TFTP) servers are commonly used to save the configuration settings from network devices. However, TFTP is an insecure protocol, some network settings are sensitive and should be kept confidential, and a coordinated attack is possible against network devices that load their configurations using TFTP by first causing the network device to fail and then attacking the TFTP download of the configuration to cause a malicious configuration to be loaded. Alternatives to TFTP should be sought. |
|
What OSI Layer? Simple Network Management Protocol (SNMP) |
Application. Simple Network Management Protocol (SNMP). SNMP ports 161 and 162 |
|
What is SNMP? Ports 161 and 162. SNMP uses agents and managers. Agents collect and maintain device-oriented data, which are held in management information bases. Managers poll the agents using community string values for authentication purposes. |
Application layer. Simple Network Management Protocol (SNMP): A protocol within the IP suite that is used for network device management activities through the use of a structure that uses managers, agents, and Management Information Bases. Management Information Base (MIB): An MIB is a logical grouping of managed objects that contain data used for specific management tasks and status checks. |
|
Which version of SNMP uses encryption? |
With version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic. |
|
Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic? A. SNMP v3 B. L2TP C. CHAP D. Dynamic packet filtering firewall |
SNMP v3. With version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic. |
|
Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is most likely taking place? A. Attacker is modifying the switch SNMP MIB. B. Attacker is carrying out a selective DoS attack. C. Attacker is manipulating the ARP cache. D. Attacker is carrying out an injection attack. |
A. If an attacker can uncover the read-write string she could change values held within the MIB, which could reconfigure the device. The usual default read-only community string is “public” and the read-write string is “private.” Many companies do not change these, so anyone who can connect to port 161 can read the status information of a device and potentially reconfigure it. The SNMP ports (161 and 162) should not be open to untrusted networks, like the Internet, and if needed they should be filtered to ensure only authorized individuals can connect to them. |
|
Which OSI layer? Simple Mail Transfer Protocol (SMTP): An Internet standard protocol for electronic mail (e-mail) transmission across IP-based networks.
|
Application, port 25. Works as a transfer agent for e-mail messages. When SMTP technologies were developed, the concept of e-mail spoofing didn’t exist, so countermeasures for this type of threat were not embedded into the protocol. A user could use an SMTP server to send e-mail to anyone from any e-mail address. |
|
SMTP authentication (SMTP-AUTH) |
was developed to provide an access control mechanism. This extension comprises an authentication feature that allows clients to authenticate to the mail server before an e-mail is sent. Servers using the SMTP-AUTH extension are configured in such a manner that their clients are obliged to use the extension so that the sender can be authenticated. E-mail spoofing can be mitigated in several ways. The SMTP server can be configured to prevent unauthenticated users from sending e-mails. It |
|
E-mail spoofing |
Activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Since SMTP does not provide any authentication, it is easy to impersonate and forge e-mails |
|
Which OSI layer? Telnet |
Application. Telnet port 23. SSH should be used instead of Telnet. |
|
Secure Shell (SSH) |
Network protocol that allows for a secure connection to a remote system. Developed to replace Telnet and other insecure remote shell methods. SSH can encrypt. Telnet can't |
|
Which OSI Layer? Hypertext Transfer Protocol (HTTP) |
Application layer, port 80. SSL works to protect HTTP. HTTP sits on top of TCP/IP. HTTP is a stateless protocol, which means the client and web server make and break a connection for each operation. |
|
Which layer of OSI is SSL (Secure Sockets Layer)? SSL is currently at version 3.0. Since SSL was developed by Netscape, it is not an open-community protocol. Although SSL is almost always used with HTTP, it can also be used with other types of protocols. So if you see a common protocol that is followed by an s, that protocol is using SSL to encrypt its data. |
SSL is on the Transport layer. HTTP Secure (HTTPS) is HTTP running over SSL. (HTTP works at the application layer, and SSL works at the transport layer.) Secure Sockets Layer (SSL) uses public key encryption and provides data encryption, server authentication, message integrity, and optional client authentication. |
|
TLS replaces Netscape's SSL since it's not open community. SSL and TLS are commonly used when data need to be encrypted while “in transit,” which means as they are moving from one system to another system. |
So the open-community and standardized version of SSL is Transport Layer Security (TLS). The differences between SSL 3.0 and TLS are slight, but TLS is more extensible and is backward compatible with SSL. |
|
Secure HTTP
|
S-HTTP is a technology that protects each message sent between two computers; SSL/TLS is for all data |
|
In IPSec, AH provides _____ and ______; ESP provides those plus _______ |
In IPSec, AH provides integrity and authentication; ESP provides those plus confidentiality |
|
Which IPSec protocol provides integrity and authentication? |
AH |
|
Which IPSec protocol provides integrity, authentication and confidentiality? |
ESP |
|
IPSEC protocols can work in the ______ mode (the data payload is protected) |
transport mode |
|
IPSEC protocols can work in the ______ mode (the payload and headers are protected) |
tunnel mode |
|
Encapsulating Security Protocol (ESP) |
Protocol within the IPSec suite used for integrity, authentication and protection.
It isn't impacted by NAT, which changes the ICV (integrity check value, aka MAC value). It doesn't encrypt the network header portion, so NAT won't change the IP. ESP is calculated over only the data payload and transport headers. |
|
Authentication Header Protocol (AH) |
Protocol in IPSec used for integrity and authentication.
It is impacted by NAT, which changes the ICV (integrity check value, aka MAC value). AH is calculated over the data payload, transport and network headers. |
|
IPSec |
Used to protect IP traffic through authentication. The de facto standard in VPN protocols. |
|
Internet Key Exchange (IKE) |
is a combination of ISAKMP (Internet Security Association and Key Management Protocol) and OAKLEY. ISAKMP sets up the playing field and OAKLEY is the player on the field carrying out the steps of the negotiation. Works with SKIP at the network layer. |
|
SKIP (Simple Key Management Protocol) |
Another key exchange protocol that provides basically the same functionality as IKE, working at the network layer. |
|
Why AH vs ESP? |
AH is impacted by NAT, which will change the network header. ESP won't. |
|
SA (Security Association) |
Critical to IPSec; a record of the configurations the device needs to support an IPSec connection. |
|
SPI (Security Perimeter Index) |
Each device has an SPI to keep track of the different SAs; it tells the device which one is appropriate to invoke for the different packets it receives. |