Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
86 Cards in this Set
- Front
- Back
|
Cryptography
|
Study of the methods of keeping some information secret, either by hiding its existance or changing its meaning.
|
|
|
Encryption
|
Type of cryptography - process of scrambling information so that the casual observer can't read it.
|
|
|
Algorithm
|
Set of instructions for mixing and rearranging an original message (called plaintext) with a message key to create a scrambled message (ciphertext).
|
|
|
Cryptographic key
|
Piece of data used to encrypt plaintext to ciphertext, or vice versa, or both.
|
|
|
2 Subclasses of algorithms
|
Block cipher (blocks of text in a series - variable length) and stream cipher (each individual unit - letters or bits).
|
|
|
3 Main categories of algorithms
|
Symmetric and asymmetric cryptography, and hashing algorithms. Open algorithms are open to examination by public and therefore tend to be more secure. Proprietary algorithms keep internal workings secret and are harder to crack at first.
|
|
|
Symmetric Encryption
|
Uses one key for both the encryption and decryption processes; commonly referred to as: secret-key encryption, shared-secret encryption, and private key. Symmetric encryption is common and abundant because it's fast and simple.
|
|
|
DES and Triple DES (3DES)
|
Data Encryption Standard - symmtric; oldest and most famous; single 64-bit key (56 of data and 8 parity) - operate on data in 64 bit chunks.
|
|
|
3DES
|
Uses three separate 56-bit DES keys as a
single 168-bit key, though sometimes keys 1 and 3 are identical, yielding 112-bit security. DESX adds an additional 64-bits of key data. Both 3-DES and DESX are intended to strengthen DES against brute force attacks. |
|
|
AES (Rijndael)
|
Advanced Encryption Standard - private key symmetric block cipher; stronger/faster than DES; life expectancy of 20 to 30 years; key sizes: 128, 192 and 256 bits; freely available; small footprint, which means that it can be used effectively in memory (CPU and Smart cards).
|
|
|
IDEA
|
International Data Encryption Algorithm - European counterpart to DES; faster and more secure than DES; uses simple operations like XOR (exclusive OR), addition, muliplication; 64-bit blocks with 128-bit key; encryption/decryption process uses 8 rounds with 6 16-bit subkeys/round; one of the components of PGP (Pretty Good Privacy).
|
|
|
Asymmetric algorithms
|
Characterized by the use of two different keys to encrypt and decrypt information; commonly refered to as public key cryptography; decryption key is called the private key; although these keys are generated together and exhibit a mathmatical relationship, private key can't be derived from public key.
|
|
|
Encryption algorithms
|
Used to encrypt data and provide confidentiality.
|
|
|
Signiture algorithms
|
Used to digitally sign data to provide authentication.
|
|
|
Hashing algorithms
|
Used to provide data integrity.
|
|
|
Sream cipher cryptography examples
|
RC4 and ISAAC.
|
|
|
Block cipher examples
|
DES, CAST, Blowfish, IDEA, RC5/RC6, and SAFER. Most AES candidates are block ciphers.
|
|
|
Which is faster, symmetric or asymmetric?
|
Symmetric is faster, and therefore, asymmetric is used only for encrpyting small amounts of information.
|
|
|
Diffie-Hellman
|
The purpose of this encryption was to transmit a private key for DES (because of the inherent slowness of asymmetric cryptography). Secure Internet Protocol (IPSec) uses the Diffie-Hellman
algorithm in conjunction with RSA authentication to exchange a session key used for encrypting all traffic that crosses the IPsec tunnel. |
|
|
El Gamal
|
Essentially an updated and extended version of Diffie-Hellman algorithm based on discrete algorithms. DSA (Digital Signiture Algorithm) was based on El Gamal.
|
|
|
RSA
|
Shares many similarities with the Diffie-Hellman algorithm - based on multiplying and factoring of large integers; RSA is significantly faster. PGP and SSH use RSA.
|
|
|
PKDS
|
Public Key Distribution System - Diffie-Hellman is an example of this. PKDS systems are used as session-key exchange mechanisms.
|
|
|
PKE
|
Public Key Encryption - RSA is an example of this. PKE systems are considered fast enough to encrypt small messages.
|
|
|
Hashing
|
Technique in which an algorithm (hash function) is applied to a portion of data to create a unique digital fingerprint that is a fixed-size variable; ensures integrity and provides authentication; cannot be reverse-engineered; won't return the same result from 2 different inputs; sometimes referred to as checksums.
|
|
|
MD4/MD5
|
Message Digest class of algorithms developed by Ron Rivest for use with digital signitures; 128-bit hash length.
|
|
|
SHA
|
Secure Hash Algorithm - hashing algorithm created by US govt; most common is SHA-1, which is typically used in IPSec installations; fixed 160-bit.
|
|
|
2 Cryptographic techniques
|
Encryption and Steganography
|
|
|
Encryption
|
Technique of applying a procedure called an algorithm to plain text to turn it into something that will appear to be gibberish to anyone who doesn't have the key.
|
|
|
Steganography
|
Hiding the existance of the data, not just its contents. Usually done by concealing it within other, innocuous data.
|
|
|
Confidentiality
|
Through the use of cryptography users are able to ensure that only an intended recipient can unlock (decrypt) an encrypted message.
|
|
|
Integrity
|
With cryptography, most asymmetric algorithms have built-in ways to validate that all the outputs are the same as the inputs - referred to as a digital signiture.
|
|
|
Digital Signitures
|
Serve to enforce data integrity and non-repudiation; ensures that the message received was the message sent because a hash was performed on the original using hashing algorithms (hash value created by this process is encrypted by the author's private key and appended to the message).
|
|
|
MITM Attacks
|
If the key exchange protocol does not authenticate at least one and
preferably both sides of the connection, it may be vulnerable to MITM-type attacks. Authentication systems generally use some form of digital certificates (usually X.509), and require a Public Key Infrastructure (PKI) infrastructure. MITM-based attacks can only occur during the initial correspondence between two parties. |
|
|
Thawte or VeriSign
|
Companies that provide digital certificates (usually X.509).
|
|
|
Authentication
|
Symmetric cryptography doesn't provide authentication, while asymmetric does by their private key (each person is responsible for their own private key).
|
|
|
Non-repudiation
|
Asymmetric cryptography ensures that an author cannot refute that they signed or encrypted a particular message once it has been sent, assuming the private key is secured.
|
|
|
Digital Signitures
|
Support message integrity by validating that the message being read by the recipient is the exact message sent by the author and proves that the author sent the message.
|
|
|
Access Control
|
Some systems can provide access control based on key signitures; based on a certificate presented by a user that has been signed by that user, a particular user can be identified and authenticated.
|
|
|
One Time Pad (OTP)
|
Type of cryptography that has been mathematically proven to be unbreakable - uses a series of random numbers equal in length to the message you want to send.
|
|
|
CSS
|
Content Scrambling System - DVD copy protection.
|
|
|
PKI
|
Public Key Infrastructure - system for validating the identity of users and businesses; a way to manage and secure identities once they're verified; PKI is based on unique identifiers called keys - assigned public and private key (math related); PGP uses a form of PKI.
|
|
|
CA
|
Certificate Authority - one part of PKI; management center for digital certificates.
|
|
|
Digital Certificate
|
Collections of predefined information related to a public key.
|
|
|
RA
|
Registration Authority - another part of PKI; used to take some of the burden off the CA by handling verification prior to certificates being issued; acts as proxy between user and CA; often found in stand-alone or hierarchical models.
|
|
|
X.509
|
Based on X.500 - Intended to provide a means of developing easy-to-use electronic directory of people that would be available to all Internet users; CN= (common name), C= (country), O= (organization), etc. A common X.509 certificate cotents: serial number, subject, signiture algorithm, issuer, valid from, valid to, public key, thumbprint algorithm, thumbprint.
|
|
|
Certificate Policy
|
Set of rules that indicates exactly how a certificate may be used; plaintext document that is assigned a unique object identifier (OID) so that anyone can reference it.
|
|
|
CPS
|
Certificate Practice Statement - describes how tha CA (Certificate Authority) plans to manage the certificates it issues.
|
|
|
Revocation
|
Certificate are revoked when the information contained in the certificate is no longer considered valid or trusted - happens when a company changes ISPs, moves to a new physical address, or contact list has changed. Most important reason to revoke a certificate is if the private key has been compromised.
|
|
|
Who can revoke digital certificates?
|
Certificate owners and PKI administrators.
|
|
|
Who is responsible for changing the status of certificates and notifying users that it's been revoked?
|
CA
|
|
|
Certificate Revocation List (CRL)
|
X.509 standard requires that CA's publish certificate revocation list - serveral forms exist, but two common ones are simple CRLs and deltra CRLs.
|
|
|
Simple CRL
|
Container that holds a list of revoked certificates with the name of the CA, the time the CRL was published, and when the next CRL will be published.
|
|
|
Delta CRL
|
Handle the issues that simple CRLs cannot - size and distribution. A base CRL is sent to all end-parties to initialize their copies of teh CRL. Updates known as deltas are sent out on a periodic basis to inform the end-parties of any changes.
|
|
|
OCSP
|
Online Certificate Status Protocol - returns information relating only to certain certificates that have been revoked. There is no need for the large files used in the CRL to be transmitted. OSCP response: status (good, revoked, unknown), last update, next status update, time that the response was sent back to the requestor).
|
|
|
One-way Trust Relationship
|
Trusted party B meets the expectations of the trusting party A.
|
|
|
Two-way Trust Relationship
|
Based on the loyalties of the parties; when you're closer to a person or object, you're more likely to have higher confidence in them (like a marriage).
|
|
|
Chain of Trust
|
Transitive trust - when you trust your friend, you are likely to trust a friend of the friend, too, as compared to a complete stranger.
|
|
|
Single CA Model
|
Only one CA is used within a public-key infrasructure; Anyone who needs to use the CA is given the public key using an out-of-band method (key is not transmitted through the media that the end user intends to use with the certificate).
|
|
|
Hierarchical CA Model
|
Root CA functions as a top-level authority over CAs, called subordinate CAs. Root CA function as trust anchor.
|
|
|
Trust Anchor
|
Entity known to be sufficiently trusted and therefore can be used to trust anything connected to it (used in hierarchical CA models).
|
|
|
Intermediate and Leaf CAs
|
Intermediate CA come after the root, and leaf CAs come after the intermediate CA in a hierarchical CA model.
|
|
|
How to avoid a compromised Root CA
|
Root CA's key security is the highes priority in PKI security - good solution for securing root CA's keys is to use remote storage devices, such as smart cards. Another solution is to take the root CA offline by removing the roots CAs from your network, and making sure they are stored in a secure location.
|
|
|
Web-of-trust Model
|
Key holders sign each other's certificates, thereby validating the certificates based on their down knowledge of the key owner (email encryption program, PGP, uses this).
|
|
|
PKCS
|
Pubic-Key Cryptography Standards - standard protocols used for securing the exchange of information through PKI - created by RSA Laboratories. (PKCS#1 - #12)
|
|
|
Key Management Lifecycle mechanisms
|
Centralized vs. decentralized key management, storage of private keys, key escrow, key expiration, key revocation, key suspension, key recovery, key renewal, key destruction, key usage, and multiple key pairs.
|
|
|
Software Key storage
|
Private key can be stored on an oerating system by creating a directory on a server and using permissions - relies on the security of the OS and the network environment itself. Security: auditing actions (additions, deletions, etc.) can track network activity; permissions for backup operator can be limited (no recoveries).
|
|
|
Lunchtime Attack
|
Attacks occuring during lunchtime because users have a bad habit of leaving their computers without logging out or locking the screen via the screen saver.
|
|
|
HSM
|
Hardware Storage Modules - smart cards, PCMCIA cards, and other hardware devices, store private keys and handle all encryption and decryption of messages so that they key doesn't have to be transmitted to the computer.
|
|
|
Key Escrow
|
Keep copies of their private keyss in 2 separate secure locations where only authorized persons are allowed to access them. Keys are split up and one half is sent to the 2 different escrow companies.
|
|
|
Key Revocation
|
Occurs when: company changes IPSs; company moves to a new physical address; contact listed on corporate certificate has left the company; private key has been compromised.
|
|
|
Status Checking (Keys)
|
2 methods of checking the status of revoked keys and certificates: CRLs and OCSP.
|
|
|
RL
|
Revocation List
|
|
|
Key Suspension
|
Usually happens because a key is not going to be used for a period of time - reason this is done is to prevent the unauthorized use of keys during an unused period. They must be revoked or reactivated.
|
|
|
Key Recovery
|
Key recovery agent is an employee who has the authority to retrieve a user's private key. Some key recovery servers require that 2 key recovery agents retrieve private user keys together for added security.
|
|
|
KRI
|
Key Recovery Information - Name of key owner, time that the key was created, and issuing CA server.
|
|
|
M of N Control
|
Key recovery security that splits the PIN between N number of key recovery agents, then reconstructing the PIN only if M number of recovery agents provide their individual passwords. N must be an integer greater than 1 and M must be an integer less than or equal to N. If only one of the key recovery agents tried to recover a key under M of N control, the process would be denied.
|
|
|
Key Renewal
|
Key update - where a new key is created by modifying the existing key.
|
|
|
Key Destruction
|
When there is no longer a need for a key pair, all record of the key pair should be destroyed. Before a server is sold, the media needs to be erased and overwritten so that there cannot be recovery of keys. Paper copies of the keys also need to be disposed of. The keys should be deregistered by the CA.
|
|
|
What's the difference between deregistering a key and revoling a key?
|
Deregistering a key pair is different than revoking a key pair. When you deregister a key pair, the association between the key pair, CA, and the key owner is broken. When a key is revoked, it is because the information
is no longer valid or the private key was compromised, but the key owner still exists. |
|
|
Multiple Key Pairs (Single, Dual)
|
Situation arises when there is a need to back up private keys, but the fear of a forged digital signiture exists. Dual keys: First pair is used for authentication or encryption, the second pair is used for digital signitures. The private key used for authentication and encryption can still be backed up, but the 2nd private key would never be backed up and would not provide the security loophole that using single keys creates.
|
|
|
Quantitative Risk Analysis
|
2 fundamental elements: Probablility and likely loss; produces ALE (Annual Loss Expectancy); rarely used.
|
|
|
Qualitative Risk Analysis
|
Only estimated potential loss is calculated using the elements: Threats, vulnerabilities, and controls (deterrent, preventative, corrective, and detective).
|
|
|
Data Aggregation
|
Compilatoin of unclassified individual data systems and data elements resulting in the totality of the information being classified.
|
|
|
Ingress Filtering
|
Filtering software that removes IP packets with untrusted source addresses before they have a chance to enter and affect your system or network.
|
|
|
Egress Filtering
|
Filtering software that prevents IP packets with randomly generated source addresses from exiting your system or network, when one of your systems has been compromised and when the system is being used to perpetrate an attack against other systems.
|
|
|
Bounce Attack
|
Exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request.
|
