73 Cards in this Set
- Front
- Back
Cryptography |
The practice of encoding information in such a manner that it cannot be decoded without access to the required decryption key. It consists of 2 main operations: encryption and decryption |
|
Goals of Cryptography |
Confidentiality, Integrity, Authentication, Nonrepudiation |
|
Confidentiality |
Protect sensitive information from prying eyes |
|
Integrity |
Ensuring that data is not maliciously or unintentionally altered |
|
Authentication |
Validate the identity of individuals |
|
Nonrepudiation |
Ensures that individuals can prove to a third party that a message came from its purported sender |
|
Cipher |
A method used to scramble or obfuscate characters to hide their value |
|
Substitution Cipher |
Type of ciphering system that changes one character or symbol into another. Example: the Caesar cipher |
|
Polyalphabetic Substitution |
Using multiple substitution alphabets for the same message. Shifting different letters by different distances |
|
Transposition Ciphers |
Involves transposing or scrambling the letters in a certain manner. Typically a message is broken into blocks of equal size and each block is then scrambled. |
|
Steganography |
The art of using cryptographic techniques to embed secret messages within another file. Makes alterations to the least significant bits of the many bits that make up image files. This allows the messages to hide in plain sight, because the alterations are invisible to the human eye |
|
Data at Rest |
Stored data that resides in a permanent location awaiting access |
|
Data in Motion |
Also known as data on the wire. Data being transmitted across a network between two systems |
|
Data in Use |
Data that is stored in the active memory of a computer system where it may be accessed by a process running on that system |
|
Obfuscation |
The practice of making it intentionally difficult for humans to understand how code works. Used to hide the inner workings of software and intellectual property |
|
Cryptographic Keys |
A key is nothing more than a number. It’s usually a very large binary number. |
|
Key Space |
The range of values that are valid for use as a key for a specific algorithm |
|
Key Length |
The number of binary bits (0’s and 1’s) in the key |
|
Kerckhoffs's Principle |
A concept that makes algorithms known and public allowing everyone to examine and test them. The cryptographic system should be secure even if everything about the system, except the key, is public knowledge |
|
Cryptovariables |
Another name for Cryptographic Keys |
|
Block Ciphers |
Operate on “chunks” or blocks of a message and apply the encryption algorithm to an entire message block at the same time. Transposition ciphers are an example of block ciphers |
|
Stream Cipher |
Operate on one character or bit of a message at a time. Caesar ciphers are an example of stream ciphers |
|
Symmetric Key Algorithms |
“Shared Secret” encryption key that is distributed to all members who participate in the communications. This key is used to both encrypt and decrypt messages. Pros: very fast communication. Cons: key distribution is difficult; no implementation of nonrepudiation; not scalable; keys must be regenerated often |
|
Asymmetric Key Algorithms |
Also known as “public key algorithms”. Each user has two keys: a public key and a private key. The public key encrypts the message but the private key is the only way to decrypt the message. Pros: scalable both up and down; key regeneration is only required when a user’s private key is compromised; provides integrity, authentication, and nonrepudiation. Cons: very slow |
|
Message Digests |
Summaries of a message’s content produced by a hashing algorithm |
|
Hashing Algorithm |
One-way encryption that produces a hash value that is unique. If it is not, that is called a collision. It is extremely difficult, if not impossible, to derive a message from an ideal hash function. Its purpose is to take a very long message and generate a unique output value derived from the content in the message. It is used to verify that the message sent is the message that was received if the two hash values or message digest values are the same. If they differ at all the values will be completely different. It can also be used as a digital signature |
|
DES |
Data Encryption Standard. Published by the US government for encrypted communication, but because of flaws it is considered no longer secure. Used a 64 bit block cipher that has 5 modes of operation: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR). Exclusive Or (XOR): an operation to generate cipher text, repeated in rounds |
|
3DES |
Triple Data Encryption Standard or Advanced Encryption Standard. More advanced encryption that replaced the 56 bit DES. It has 4 versions. DES-EEE3: encrypts the plaintext three times, using three different keys, 168 bits; DES-EEE2: uses only two keys; DES-EDE2: uses two keys but uses a decryption operation in the middle; DES-EDE1: uses one key but is not used because it is the same as DES |
|
ECB |
Electronic Codebook mode. Each time the algorithm processes a 64 bit block it simply encrypts the block using the chosen secret key. Easiest to understand and least secure |
|
CBC |
Cipher Block Chaining Mode. Each block of unencrypted text is combined with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm |
|
IV |
Initialization Vector. A randomly selected value that is used to start the encryption process. |
|
CFB |
Cipher Feedback Mode. A streaming cipher version of Cipher Block Chaining mode. It operates against the data in real time. Instead of using blocks it uses memory buffers of the same block size, and when a buffer is full it is encrypted and then sent to the recipients. |
|
OFB |
Output Feedback Mode. Operates in almost the same fashion as Cipher Feedback Mode, except that it instead XORs the plain text with a seed value. Future seed values are derived from previous seed values using the DES algorithm |
|
CTR |
Counter Mode. Uses stream cipher similar to CFB and OFB modes, however it uses a simple counter that increments for each operation |
|
Diffie-Hellman Algorithm |
When public key encryption or offline distribution is sufficient, two parties might need to communicate with each other but have no means to physically exchange keys; this algorithm can then be of use. |
|
AES |
Advanced Encryption Algorithm. NIST mandated the change to AES. This cipher allows the use of three key strengths: 128, 192, 256 bits. They also have associated encryption rounds: 128-10 rounds, 192-12 rounds, 256-14 rounds |
|
Offline Distribution |
Most technologically simple method, which involves the physical exchange of key material. This method is at risk for interception of emails/mail, wiretaps of phones, papers being lost or thrown away |
|
Public Key Encryption Key Distribution |
Private key is sent over public key encryption to set up an initial communications link. Once both parties are satisfied as to the identity of the other party, the private key is used for further communication over symmetric encryption for faster communication |
|
Storage and Destruction of Keys |
Never store encryption keys on the same system where encrypted data resides. This makes it easier for the attacker. Use split knowledge, where the encryption key is split in two and given to two individuals, who must collaborate to recreate the key. Destroying a key is difficult for symmetric as all party members are involved and the private key needs to be changed |
|
Key Escrow |
This system allows the government, under limited circumstances such as a court order, to obtain the cryptographic key used for a particular communication from a central storage facility. |
|
Fair Cryptosystems |
Key escrow approach that divides keys into two or more pieces, each of which is given to an independent third party |
|
Escrowed Encryption Standard |
Escrow approach provides the government with a technological means to decrypt cipher-text. |
|
Elliptic Curve Cryptography |
Uses an equation for an elliptic curve to find a value for x which is extremely difficult to find. It is widely considered more difficult than the discrete logarithm problem utilized by Diffie-Hellman. |
|
SHA |
Secure Hash Algorithm. This includes SHA-1, SHA-2, SHA-3. SHA-1: takes a message of any length and produces a 160 bit message. It processes the message in 512 bit blocks. If the message is shorter than 512 bits it pads the message with additional data until it reaches the highest multiple of 512. SHA-2: replaced SHA-1 because of weaknesses. It has four variants. SHA-256: produces 256 bit message using 512 bit blocks; SHA-224: truncated version of 256 to make a 224 bit message with 512 bit blocks; SHA-512: produces a 512 bit message with 1024 bit blocks; SHA-384: truncated version of 512 to produce a 384 bit message with 1024 bit blocks. SHA-3: suite was developed to replace SHA-2 by adding in some more hash length variants |
|
MD5 |
Processed with 512 bit blocks but it uses four distinct rounds to produce 128 bit message, but it was shown to produce collisions making it weak to integrity constraints |
|
Digital Signatures |
Assures the recipient that the message truly came from the claimed sender. Assures the recipient that the message was not altered while in transit between the sender and recipient. It relies on both public key encryption and hashing. Steps of Digital Signatures: (1) Sender generates message digest (hash value) using a secure hash algorithm and attaches it to the original plaintext message. (2) Sender encrypts message with their private key and sends it to recipient. (3) Recipient decrypts message with sender’s public key and uses the same secure hash algorithm on the plaintext message and compares it to the message digest received. If it matches then recipient knows that the message was sent by the sender and was not modified in transit |
|
HMAC |
Hashed Message Authentication Code. An algorithm that implements a partial digital signature and guarantees the integrity of a message during transmission, but does not provide nonrepudiation. It operates in a more efficient manner than the digital signature standard and may be suitable for applications in which symmetric key cryptography is appropriate. |
|
PKI |
Public Key Infrastructure. Hierarchy of trust relationships. This facilitates public key encryption between parties that previously were unknown to each other. This trust permits combining asymmetric and symmetric cryptography along with hashing and digital certificates, giving us hybrid cryptography |
|
Digital Certificates |
Provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. They are essentially endorsed copies of an individual’s public key. When users verify that a certificate was signed by a trusted certificate authority they know that the public key is legitimate. It uses version X.509 |
|
CA |
Certificate Authorities. Neutral organizations that offer notarization services for digital certificates. In order to obtain a digital certificate from a reputable CA you must prove your identity to the satisfaction of the CA. |
|
RA |
Registration Authorities. These assist CA’s with the burden of verifying users’ identities prior to issuing digital certificates. |
|
Certificate Chaining |
The use of a series of intermediate CA’s. It verifies the identity of the intermediate CA first and then traces the path of trust back to a known root CA |
|
Verifying CA Digital Signature |
Using the CA’s public key you check the digital signature against the certificate revocation list (CRL) or the online certificate status protocol (OCSP) |
|
Certificate Pinning |
Instructs browsers to attach a certificate to a subject for an extended period of time. This allows users or administrators to notice and intervene if a certificate unexpectedly changes. |
|
CRL |
Certificate Revocation Lists. A list of certificates and their serial numbers along with the date and time they were revoked. The disadvantage to these is that they must be downloaded and they have a higher latency. |
|
OCSP |
Online Certificate Status Protocol. Eliminates the latency issue that CRL’s have. When a client receives a certificate it sends a request to a CA’s OCSP server which will respond with a status. |
|
Certificate Stapling |
This helps take away the OCSP’s burden of responding to so many requests. It places a timestamp to the OCSP’s response and “staples” it to the digital certificate for a period of 24 hours. This helps reduce the requests that the OCSP servers have to handle. |
|
Certificate Formats |
Distinguished Encoding Rules (DER): stored as files .DER, .CRT, or .CER; Privacy Enhanced Mail (PEM): stored as files .PEM, .CRT; Personal Information Exchange (PFX): stored as files .PFX, .P12 |
|
Brute Force Attacks |
Trying every possible key. It is guaranteed to work, but it is likely to take so long that it is simply not usable. |
|
Frequency Analysis Attack |
Looking at the blocks of an encrypted message to determine if any common patterns exist. It works with historical ciphers but not with modern algorithms |
|
Known Plain Text |
Relies on the attacker having pairs of known plain text along with the corresponding cipher-text. This gives the attacker a place to start attempting to derive the key. |
|
Chosen Plain Text |
The attacker obtains the cipher-texts corresponding to a set of plain texts of their own choosing. This allows the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key. Very difficult but not impossible |
|
Related Key Attack |
Similar to chosen plain-text attack, except the attacker can obtain cipher texts encrypted under two different keys. |
|
Birthday Attack |
Based on the birthday theorem: how many people need to be in the same room in order to have a strong likelihood that two people share the same birthday. With 23 people there is a 51% likelihood that two people share the same birthday. This gives a brute force attack better odds, but the number is still very large. |
|
Downgrade Attack |
Used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic models, making the communication easier to break. |
|
Rainbow Table Attack |
Attempts to reverse hashed password values by precomputing the hashes of common passwords. Attackers run common passwords through the hash function to generate the rainbow table and then look through the list of hashed values and try to match them with values in the rainbow table. Salting prevents this |
|
Key Stretching |
Used to create encryption keys from passwords in a strong manner. They use thousands of iterations of salting and hashing to generate encryption keys that are resilient against attacks. |
|
Human Error Exploitation |
Human error is one of the major causes of encryption vulnerabilities. Some of the most common errors occur through email or the use of weak algorithms |
|
TOR |
The Onion Router. Provides a mechanism for anonymously routing traffic across the internet using encryption and a set of relay nodes. It relies on technology known as perfect forward secrecy, where layers of encryption prevent nodes in the relay chain from reading anything other than the specific information they need to accept and forward the traffic. Makes for anonymous browsing and hosting of sites on the dark web |
|
Blockchain |
A distributed and immutable public ledger. It can store records in a way that distributes those records among many different systems located around the world and do so in a manner that prevents anyone from tampering with those records. It creates a data store that nobody can tamper with or destroy. |
|
Lightweight Cryptography |
Used when computing power and energy might be limited, as well as when there is a need for low latency. |
|
Homomorphic Encryption |
Encrypting data in a way that preserves the ability to perform computation on that data. When this is used, the data that computations were performed on will, when decrypted, give the same result as if it had not been encrypted in the first place. |
|
Quantum Computing |
An emerging field that attempts to use quantum mechanics to perform computing and communication tasks. It is still in a theoretical state but if it advances it can offer quantum cryptographic methods as well as ways to break cryptography. |