Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
77 Cards in this Set
- Front
- Back
Asymmetric encryption
|
1. Sender writes a message
2. Sender encrypts the message with sender's private key to create interim msg 3. Sender encrypts the interim msg with recipient's public key 4. Sender sends the msg 5. The recipient decrypts the msg with receipient's private key 6. The recipient decrypts interim msg with sender's public key |
|
Types of asymmetric cryptography
|
RSA
Diffie-Hellman ECC El Gamal |
|
Key management basics
|
Keys should be long enough to provide the necessary level of protection, should be stored and transmitted secuirely, should be random, and should use the full spectrum of the keyspace. In addition, they should be escrowed, properly destroyed at the end of their lifetime
|
|
Centralized key management
|
Centralized key management gives complete control of cryptographic keys to organization and takes control away from the end users. In a centralized management solution, copies of all cryptographic keys are stored in escrow
|
|
Decentralized key management
|
In decentralized key management, end users generate their keys (whether symmetric or asymmetric) and submit keys only as needed to centralized authorities. The end user's private key is always kept private so they are the only entitiy in possession of it.
|
|
Symmetric cryptography
|
Symmetric cryptography is also called private key cryptography or secret key cryptography
|
|
Strengths and weaknesses of symmetric cryptography
|
Symmetric cryptography is very fast but it is secure as long as the keys are kept private
|
|
Block cipher
|
A block cipher is a solution that works against a complete static data set called block. Each block is encrypted separately
|
|
Stream ciphers
|
A stream cipher is a solution that works against data that is constantly being produced on the fly. Stream ciphers can operate on a bit, character or buffer basis of encrypting data in real-time.
|
|
Common symmetric cryptography solutions
|
AES, 3DS, DES, IDEA, Blowfish, Twofish, Rivest Choper 5 (RC5) and Carisle Adams/Stafford Tavares (CAST-128)
|
|
Asymmetric cryptography
|
Asymmetric cryptography is also called PKI. It uses key pairs consisting of a public and private key. Each communication partner in an asymmetric cryptography solution needs only a key pair.
|
|
Strengths and weaknesses of asymmetric cryptography
|
Asymmetric cryptography is scalable. The private key of the key pair must be kept private and secure. It is slower than symmetric cryptography. It provides 3 security cryptography solution needs only a key pair.
|
|
Common asymmetric cryptography solutions
|
RSA
Diffie-Hellman ECC El Gamal |
|
Confidentiality
|
Prevents or minimizes unauthorized access to data
|
|
Integrity
|
protection prevents unauthorized alteration of data
|
|
Digital signatures
|
A digital signature is an electronic mechanism to prove that a message was send from a specific user and that the message wasn't changed while in transit.
|
|
Authentication
|
The security service that verifies the identity of the sender
|
|
Non-repudiation
|
Non-repudiation prevents the sender of a message or the perpetrator of an activity from being able to deny that they send the message or performed the activity
|
|
Access control
|
Access control restricts access to secure data to authorized users. Cryptographic access control is enforced through the possession of encryption key
|
|
Key storage
|
Cryptographic keys and digital cert should be stored securely.
|
|
Software key storage
|
A software solution offers flexible storage mechanisms and often, customizable options. This is vulnerable to virus and attacks
|
|
Hardware key storage
|
Hardware solutions aren't as flexible. However, they're more reliable and more secure than software solutions.
|
|
Private key protection
|
In a symmetric system, all entities in possession of the shred secret key must protect the privacy and secrecy of that key
|
|
Use of multiple key pairs
|
In some situation you may use multiple key pairs. one for authentication and one for digital signature
|
|
Hashing
|
Hashing is used to produce a unique data indentifier
|
|
Hashing attack
|
Hashing can be attacked using reverse engineering, reverse hash matching
|
|
Common hash algorithms
|
The common hash algorithms are Secure Hash Algorithm (SHA-1), MD5, MD4 and MD2
|
|
Hashing
|
Hashing is used to produce a unique data identifier. Hashing takes a variable-length output. It can be performed in only one direction. The hash value is used to detect violations of data integrity
|
|
Hashing attacks
|
Hashing can be attacked using reverse engineering, reverse hash matching or a birthday attack. These attack methods are commonly used by password-cracking tools
|
|
Common hashing algorithms
|
MD5, MD4, MD2
|
|
One time pad
|
One time pad is the basis of many forms of modern cryptography from SSL to IPSec to dynamic one time password tokens. The concept is that a real or virtual paper pad contains codes or keys on each page that are random and do not repeat. Each page of the pad can be used once for a single operation, then it is discarded - never to be reused or be valid again.
|
|
SSL/TLS
|
Secure Socket Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server.
|
|
SSL steps
|
1. The client requests a secure connection.
2. The server responds with its certificate and its public key 3. The client verifies the server cert, produces a session (symmetric) key, encrypts the key with the server's public key and send the key back to the server 4. The server unpacks the session key and sends a summary of session details to the client encrypted with the session key 5. The client reviews the summary and sends it own summary back to the server, encrypted with the session key 6. After both entities receives a matching session summary, secured SSL comm is initiated. |
|
SSL uses what type of session key?
|
Symmetric keys, 40-bit and 128-bit
|
|
What is S/MIME
|
Secure Multipurpose Internet mail Extensions
|
|
How S/MIME work?
|
1. Sender encrypts the message with the recipient's public key
2. The message is sent to the recipient 3. The recipient decrypts the message using the recipient's private key |
|
What protocols are commonly used for VPN?
|
PPTP and L2TP
|
|
What authentication methods supports by PPP
|
CHAP, EAP, MS-CHAP1, MS-CHAP2, SPAP and PAP
|
|
What is L2TP
|
A combo of MS proprietary implementation of PPTP and Cisco L2F VPN protocols.
|
|
What can L2TP used for?
|
It can be used by to tunnel any routable protocol but does not have any native security features.
|
|
IPSec
|
IPSec can be stand-alone VPN or a module used with L2TP. IPSec is not one protocol but a collection of protocols. 2 primary protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP)
|
|
2 Modes of IPSec
|
Tunnel mode - Encrypting payload and message header and adding a temp header
Transport mode - IPSec provide encryption only of the payload |
|
SSH
|
Secure Shell is a secure replacement of Telnet, rlogon, rsh and rcp
|
|
ISAKMP
|
Internet Security Association and Key Management Protocol is used to negotiate and provide authenticated keying material for security associations in a secured manner. The 4 major functional components are authentication of communications peers, threat mitigation, security association creation and management, and cryptographic key establishment and management.
|
|
PKI
|
PKI focuses on proving the identity of comm partners, providing a means to securely exchange session-based symmetric encryption keys through asymmetric cryptographic solutions, and providing a means to protect message integrity through the use of hashing
|
|
Certificates
|
Certificates serve a single purpose: proving the identity of a user or the source of an object.
|
|
Trusted third parties
|
Certificates work under a theory known as the trusted 3rd party: if User A trusts user C and user B trusts user C, then user A can trust B and visa versa.
|
|
x.509 version 3 certificate standard
|
Most certificates are based on the X.509 version 3 certificate standard. Some of the required components are the subject's public key, the CA's distinguishing name, a unique serial number, and the type of symmetric algorithm used for the certificate's encryption
|
|
Procedure for requesting a certificate
|
To request a certificate, a subject submits a request to a CA with proof of their identity and their public key
|
|
Certificate policies
|
A certificate policy is a PKI document that serves as the basis for common interoperability standards and common assurance criteria. It's a statement that governs the use of digital certificates within an organization. Certificate policies are acceptable use policies for certificates
|
|
Revocation
|
A CA may have cause to revoke or invalidate a certificate before its predefined expiration date. Revocation may occur because the subject's the subject's identity information has changed, the subject used the certificate to commit a crime, or the subject used the certificate in such a way as to violate the CA's certificate policy
|
|
CRL
|
Certificate Revocation list.
|
|
How a web browser handles new certificates
|
When a web browser receives a certificate from a web server, it verifies that the date on the certificate is still valid. Next, it checks the local copy of the CA's CRL. If the CRL is no longer valid, an updated copy of the CRL is obtained.
|
|
OCSP
|
Online Certificate Status Protocol is a revocation solution that functions on a direct query basis. Each time an application receives a new cert, it sends a query to an OCSP CA server. The CA responds directly to indicate whether the cert is still valid or not.
|
|
Trust model
|
The term trust model refers to the structure of the trust hierarchy used by a cert authority system.
|
|
Hierarchical trust model
|
A hierarchical structure has a single top-level root CA. Below the root CA are one two or more subordinate CAs. The root CA is the start of trust. All CAs and participants in a hierarchical trust model ultimately rely on the trustworthiness of the root CA.
|
|
Cross-certification
|
Cross-certification occurs when a CA from one organization elects to trust a CA from another organization
|
|
Trust lists
|
A trust list is a form of trust model where a web browser or similar application is provided with a list of root cert of trusted CAs.
|
|
Key escrow
|
Key escrow is a storage process by which copies of private keys and/or secret keys are retained by a centralized management system. This system securely stores the encryption keys as a means of insurance or recovery in the event of a lost or corrupted key
|
|
Key revocation and status checking
|
Keys and certificates can be revoked before they reach their lifetime expiration date. Status checking is the process of checking the lifetime dates against the current system date, checking the CRL, and/or querying an OCSP server.
|
|
Key suspension
|
Suspension is an alternative to revocation.
|
|
Key recovery
|
recovery is the process of pulling a key or certificate from escrow. The recovery process can be used when a user loses their key or their key has been corrupted. Only a key recovery agent can perform key recovery
|
|
M of N control
|
If the environment doesn't warrant the trust of a single key recovery agent, a mechanism known as M of N control can be implemented. M of N control indicates that there are multiple key recovery agents (M) and that a specific minimum number of these key recovery agents (N) must be present and working in tandem in order to extract keys from the escrow database.
|
|
Key renewal
|
Renewal is the process by which a key or certificate is reissued with an extended lifetime date before it expires. The renewal process doesn't a complete repeat of the request and identity proofing process; rather, the old key (which is about to expire) is used to sign the request for the new key.
|
|
Key destruction
|
After a key or certificate is no longer needed or it has expired or been revoked, it should be properly disposed of. For keys and certificates that are still valid, the CA should be informed about the destruction of the key or certificate, This action allows the CA to update its CRL and OCSP servers.
|
|
Variants of SHA
|
SHA-256, SHA-224, SHA-384, SHA-512, SHA-1
|
|
NTLM
|
1. Stands for NT LAN Manager
2. It is MS 3. It is an authentication protocol |
|
A certificate request should contain what sort of information?
|
1. Web site name
2. Contact email 3. Corporate info |
|
IKE
|
IKE depends on security association
|
|
SPAP
|
Shiva Password Authentication Protocol is an older proprietary, two-way reversible encryption protocol
|
|
PKCS
|
PKCS is the de facto cryptographic message standards developed by RSA Laboratories
|
|
PKCS#11
|
Used by smartcards
|
|
In a decentralized key management system what is the user responsible to do?
|
Generate key pair
|
|
Weakness to LM Hash
|
Passwords longer than 7 characters are broken into two chunks
Before being hashed, all lowercase characters in the password are converted to upper case character |
|
LAN Manager applies to what OSs
|
Windows 3.1 and DOS
|
|
Only successful attack to AES is
|
Side channel attack where the attack improper implementations that leak data
|
|
A hash created by MD5 is typically a hex number of how many character?
|
32
|