1.4 : Cryptographic Solutions

Question 1

Public Key

Answer 1

A cryptographic key that can be shared publicly and is used to encrypt data or verify (decrypt) digital signatures. It’s part of a pair with a private key.

Question 2

Private Key

Answer 2

A cryptographic key that is kept secret and is used to decrypt data or create (encrypt) digital signatures. It’s part of a pair with a public key.

Question 3

Key Escrow

Answer 3

A process where encryption keys are stored securely by a third party, allowing access under certain conditions, often used in government, legal, or corporate environments.
* There’s not actually a good / secure way to carry this out

Question 4

Full-disk Encryption

Answer 4

Encrypts the entire disk, including the operating system, ensuring that all data is protected when the system is powered off.

Question 5

Partition Encryption

Answer 5

Encrypts specific partitions on a disk, allowing selective protection of sensitive data without encrypting the entire disk.

Question 6

File Encryption

Answer 6

Encrypts individual files, providing flexibility to protect only specific documents or files as needed.

Question 7

Volume Encryption

Answer 7

Encrypts a storage volume, which can contain multiple partitions or logical drives, providing protection for a larger data set than file encryption.

Question 8

Database Encryption

Answer 8

Encrypts data within a database, protecting sensitive information stored in structured formats from unauthorized access.

Question 9

Record Encryption

Answer 9

Encrypts specific records within a database, allowing granular protection of individual data entries.

Question 10

Transport/Communication Encryption

Answer 10

Encrypts data in transit, protecting it from interception or tampering as it moves across networks. Examples: SSL/TLS, HTTPS.

Question 11

Asymmetric Encryption

Answer 11

Encryption that uses a pair of keys—a public key for encryption and a private key for decryption—offering secure key exchange and authentication
* Sender encrypts message using recipient’s public key, recipient decrypts the message using their private key
* security is based upon the difficulty of solving extremely complex math problems

Question 12

Symmetric Encryption

Answer 12

Encryption that uses a single key for both encryption and decryption, providing faster performance but requiring secure key management.

Question 13

Key Exchange

Answer 13

• Allows two parties to securely generate a shared secret key over an insecure channel without exchanging the key itself.
• This enables symmetric encrypted communication. Methods include out-of-band (e.g., in person, mail) or in-band using algorithms like Diffie-Hellman.

Question 14

Algorithms

Answer 14

Mathematical formulas used to encrypt and decrypt data. Examples include AES, RSA, and SHA-256.

Question 15

Key Length

Answer 15

The size of a cryptographic key, typically measured in bits, which determines the strength of the encryption. Longer keys provide stronger security.

Question 16

TPM

Answer 16

Trusted Platform Module
* A hardware-based security chip that provides secure storage and processing of cryptographic keys, enhancing platform integrity.

Question 17

HSM

Answer 17

Hardware Security Module
* A physical device that manages cryptographic keys and performs cryptographic operations
* provides a higher level of security and performance for key management and operations.

Question 18

Key Management System

Answer 18

A system or software that manages cryptographic keys throughout their lifecycle, including generation, storage, distribution, and destruction.

Question 19

Secure Enclave

Answer 19

A secure area within a processor that provides isolated and protected execution of security-sensitive operations, often used in mobile devices.

Question 20

Steganography

Answer 20

The practice of hiding data within other non-secret data, such as embedding a message in an image, video, or audio file, to avoid detection.
* hide the fact that you are even communicating in the first place

Question 21

Tokenization

Answer 21

Replacing sensitive data with non-sensitive tokens that can be mapped back to the original data through the use of a relational database (which itself must be kept secure)

Question 22

Data Masking

Answer 22

The process of obscuring specific data within a dataset to protect it, often used in non-production environments to prevent unauthorized access to sensitive information.

Question 23

Hashing

Answer 23

The irreversible process of converting an input of any size into a fixed-size string of characters, which represents the data uniquely. Used for integrity verification. Examples: SHA-256, MD5.

Question 24

Salting

Answer 24

Adding random data to a hash input to prevent attackers from using precomputed hash values (rainbow tables) to crack passwords.

Question 25

Digital Signatures

Answer 25

A cryptographic mechanism used to verify the integrity and authenticity of a message, software, or digital document. It uses asymmetric encryption with two keys: * Private Key: The sender signs the data with their private key. * Public Key: The recipient uses the sender’s public key to verify the signature. * Note that this is reversed from how ssymmetric crpytography normally works! **Key Concepts:** * Ensures **Integrity**: Verifies that the message or document has not been altered. * Ensures **Authenticity**: Confirms the identity of the sender. * **Non-Repudiation**: The sender cannot deny sending the message since only their private key could have created the signature. * Commonly used with **digital certificates** in **Public Key Infrastructure (PKI)**. * Add **confidentiality** by also encyrpying the *message* portion of the signature with the recipients public key (the way these things are normally used outside of signatures!)

Question 26

Key Stretching

Answer 26

A technique used to make a weak password stronger by applying a salt and one or more rounds of hashing, making it more resistant to brute-force attacks.

Question 27

Blockchain

Answer 27

A distributed ledger technology used to track transactions. Every participant in the blockchain network maintains an identical copy of the ledger. It ensures immutability, decentralization, and transparency. Blockchain is used in a variety of applications such as: * Payment processing (e.g., cryptocurrencies) * Digital identification * Supply chain monitoring * Digital voting * Property ownership records * Vital records

Question 28

Open Public Ledger

Answer 28

A ledger that is accessible to the public and contains a record of all transactions, typically associated with blockchain technology.

Question 29

Certificate Authorites (CA)

Answer 29

Trusted organizations that verify the identity of individuals, systems, or organizations and issue digital certificates. These certificates include the subject's public key, and the CA uses its private key to digitally sign the certificate, ensuring authenticity and establishing trust in secure communications.

Question 30

CRLs | In the context of PKI

Answer 30

Certificate Revocation Lists ( * Lists published by Certificate Authorities that identify certificates that are no longer valid, helping to maintain trust in the PKI system. * Inefficient and no longer used as it requires everyone on the internet to download these lists which themselves got longer and longer

Question 31

OCSP

Answer 31

Online Certificate Status Protocol * A protocol used to check the revocation status of a digital certificate in real-time with the CA, providing up-to-date information on certificate validity. * Faster and more efficient than CRLs

Question 32

Self-signed Certificates

Answer 32

Digital certificates signed by the entity that created them, often used for internal purposes but less trusted than certificates issued by a Certificate Authority.

Question 33

Third-party Certificates

Answer 33

Digital certificates issued by a trusted Certificate Authority, used to establish trust between parties over the internet.

Question 34

Root of Trust

Answer 34

A secure, trusted source within a system that provides the foundation for verifying the authenticity and integrity of other components.

Question 35

Certificate Signing Request (CSR) Generation

Answer 35

A request to a Certificate Authority (CA) to sign a digital certificate. It includes a public key and entity information, used to bind a public key to an identity in Public Key Infrastructure (PKI)

Question 36

Wildcard Certificates

Answer 36

Digital certificates that can be used to secure multiple subdomains under a single domain, simplifying certificate management. * Only goes one level deep * commonly used for load balancers

Question 37

PKI

Answer 37

Public Key Infrastructure. A framework of policies, procedures, and technologies used to create, manage, distribute, and revoke digital certificates, ensuring secure communication and authentication.

Question 38

Encryption

Answer 38

The process of converting information into a secure cipher to protect confidentiality, prevent unauthorized access.

Question 39

Encryption Tools

Answer 39

Hardware and software solutions used to manage and protect cryptographic keys and secure operations. * Trusted Platform Module (TPM) * Hardware security module (HSM) * Key management system * Secure enclave

Question 40

Obfuscation

Answer 40

The process of making data obscure or unclear to prevent unauthorized access or understanding. * Steganography * Tokenization * Data Masking

Question 41

Certificates

Answer 41

Digital documents used to certify the ownership of a public key, ensuring secure communication and authentication.

Question 42

DES

Answer 42

* Data Encryption Standard * Symmetric encryption algorithm * 64 bit block cipher * Key length of 56 bits * one of the first, no longer secure -- would need a key length of 2048 bits

Question 43

3DES

Answer 43

* Triple DES: Applies DES 3 times with 3 separate keys * 64 bit block, 56 bit keys, max effective key length of 112 bits * Bought some time for DES by getting around the vulnerabilities that were there for a short time * **Why TRIPLE?**: Double DES is no more secure than standard DES due to Meet-in-the-Middle attack * no longer secure! :) -- being phased out

Question 44

AES

Answer 44

* Advanced Encryption Standard * Symmetric encryption algorithm * 128 bit block cipher * Key lengths of 128, 192, or 256 bits * Secure!

Question 45

Blowfish

Answer 45

* Public domain algorithm * Intended as a replacement of DES * Symmetric * 64 bit block chain * Pick any key length from 32 to 448 bits * Not secure

Question 46

Twofish

Answer 46

* a competitor in the AES competition that lost out, now public domain * Symmetric * 128 bit block cipher * Key lengths of 128, 192, or 256 bits * Still considered secure

Question 47

RSA

Answer 47

* Early asymmetric algorithm (1977), still used today * Variable key length from 1024 to 4096 bits * US authorities recommend key lengths of 2048 or more * **Users create RSA key pairs using two very large prime numbers** * It is slow and not used for long messages; often used to create initial secure channel over which symmetric key is exchanged * RSA patent is expired * Rivest, Shamir, Adleman

Question 48

PGP

Answer 48

* Pretty Good Privacy * Not an encryption algorithm itself, it's a framework for using other encryption algorithms * Combines symmetric and assymmetric cryptography * Sender generates random symmetric key to encrypt message, and uses recipient's asymmetric public key to encrypt the random symmetric key, which is sent along with the message to the recipient. The recipient uses their asymmetric private key to decrypt the random symmetric key, and is then able to use that key to decrypt the message

Question 49

GnuPG / GPG

Answer 49

* Gnu Privacy Guard * An open source package based on PGP

Question 50

ECC

Answer 50

* Elliptic curve cryptography * Unlike other asymmetric cryptographic algorithms, does not use prime factorization * Uses the EC discrete log problem * Ironically, would be easier for a quantum computer to crack than PF

Question 51

PFS

Answer 51

* Perfect Forward Secrecy * a property of secure communication protocols where compromise of long-term keys does not compromise past session keys * Generates a unique and ephemeral session key for each session, ensuring that if one session key is compromised, it does not affect the security of other sessions * Provides additional protection for past and future encrypted communications by isolating each session cryptographically * Commonly used in protocols like TLS/SSL to enhance the security of web communications * Implemented using methods like Diffie-Hellman key exchange

Question 52

Diffie-Hellman Algorithm

Answer 52

* A method for securely exchanging shared cryptographic keys over a public channel. * Invented in 1976 * Allows two parties to generate a shared secret key used for symmetric encryption, without transmitting the key itself. * Security is based on the discrete logarithm problem, involving prime numbers and modular arithmetic. * Commonly used in secure communications to establish a shared symmetric encryption key.

Question 53

DHE

Answer 53

* Diffie-Hellman Ephemeral * Creates unique session keys for each connection * Ensures forward secrecy: compromising one session doesn't affect others * Commonly used in TLS/SSL protocols Protects against retrospective decryption if long-term keys are compromised * Slightly higher computational cost than static DH

Question 54

ECDH

Answer 54

* Elliptic Curve Diffie-Hellman * Math is based on Eliptic Curve rather than prime numbers and modulos

Question 55

Recovery Agent (RA)

Answer 55

* Allow internal access to lost keys * Possesses master key that allows access to any encrypted data in the organization * Could be a highly privileged account or a special certificate * e.g. EFS (Encrypting File System) for Windows has a special recovery agent account

Question 56

PBKDF2

Answer 56

* Password-Based Key Derivation Function v2 * A key derivation function used to implement salted password hashing. It applies a pseudorandom function (like HMAC) to the input password along with a salt value and repeats the process many times to produce a derived key. This technique increases the computational cost of cracking passwords, enhancing security against brute-force attacks. Key points: * Purpose: Convert passwords into cryptographic keys * Features: Uses salt and iteration count * Security benefit: Slows down brute-force and rainbow table attacks * Common use: Password storage and verification in many systems

Question 57

How hash functions fail

Answer 57

* being reversible * producing a collision (same output from different inputs)

Question 58

MD5

Answer 58

* Message Digest 5 * 128 bit hash * Can produce collisions and should not be used

Question 59

SHA

Answer 59

* Secure Hash Algorithm * A family of 3 algorithms * -1 is unsecure * -2 is most common today * -3 uses a completely different technique, and a hash output of any length can be chosen, ready to replace SHA-2 someday * Some don't trust SHA because of its roots in US gov't, NSA

Question 60

SHA-1

Answer 60

Secure Hashing Algorithm v. 1 * 160 bit * unsecure, prone to collision attacks

Question 61

SHA-2 ## Footnote Recall: name, hash lengths of family members, block and word sizes per family member

Answer 61

Secure Hashing Algorithm v. 2 Consists of: * SHA-224 * SHA-256 (most common) * SHA-384 * SHA-512, -512/224, -512/256 (truncated versions with same security but smaller output) * 224 and 256 are 512 bit block, 32 bit word, making them more efficient for 32 bit environment / applications * 384, 512, and 512-truncated are 1024 bit block, 64 bit word, more efficient for 64 bit environment / applications * generally considered secure, including by NIST, but follows the same principals as MD5 and SHA-1 and is therefore susceptible to the same attacks; flaws in certain configs of SHA-2 have been found

Question 62

SHA-3

Answer 62

* actually secure * allows use of any fixed-length output * completely different mathematical basis than MD5, SHA-1 or SHA-2

Question 63

RIPEMD ## Footnote Recall: what it is, length outputs, which length is no longer secure

Answer 63

* Race Integrity Primitives Evaluation Message Digest * 128, 160, 256, and 320 bit hash lengths * 128 no longer secure * created free of involvment with the US government and NSA

Question 64

HMAC

Answer 64

Hash-based Message Authentication Code Definition: A cryptographic method that uses a **hash function** and a **secret key** to ensure **authentication** and **integrity**. How it works: * The secret key and the message are combined inside the HMAC function to produce a hashed **Message Authentication Code (MAC)** * This **MAC** is what gets sent along with the message, but the secret key is kept secret by both the sender and the receiver. * When the receiver gets the message and MAC, they use their copy of the same secret key (which they already know) to recreate the MAC and verify the message.

Question 65

MAC | As it relates to authentication, not networking

Answer 65

Message Authentication Code The output of the MAC-generating method (hash-based or otherwise!) that combines a message with a secret key. Provides assurance of message **integrity** and sender **authenticity**.

Question 66

ECDSA

Answer 66

Elliptic Curve Digital Signature Algorithm * a cryptographic algorithm used for creating and verifying digital signatures, based on elliptic curve cryptography (ECC) * Security: ECDSA is considered a secure and acceptable algorithm for creating and verifying digital signatures. * Usage: It is one of the three digital signature algorithms supported for use in the U.S. government, alongside RSA and EdDSA.

Question 67

DSS

Answer 67

Digital Signature Standard * a federal standard for digital signatures, established by the U.S. government. It specifies the use of the Digital Signature Algorithm (DSA) to ensure the authenticity and integrity of digital messages or documents * Approved DSA's: RSA, ECDSA, EdDSA

Question 68

EdDSA

Answer 68

Edwards-curve Digital Signature Algorithm * offers faster signature generation and verification compared to traditional algorithms like ECDSA, while maintaining strong security * uses twisted Edwards curves to provide high performance, even in constrained environments * used for secure authentication and integrity * one of the DSS-recommended digital signature algorithms alongside RSA and ECDSA, especially for environments requiring high efficiency.

Question 69

RA | In the context of PKI

Answer 69

Registration Authority * An entity in Public Key Infrastructure (PKI) that verifies an applicant’s identity before passing the request to the Certificate Authority (CA) for certificate issuance. It ensures that only authenticated and authorized users receive certificates.

Question 70

CA | In the context of PKI

Answer 70

Certificate Authority * A trusted entity in Public Key Infrastructure (PKI) that issues and digitally signs certificates, verifying the identity of certificate holders. The CA ensures the authenticity of the certificate and its associated public key.

Question 71

SAN | In the context of PKI

Answer 71

Subject Alternative Name * An extension to an X.509 certificate that allows multiple domain names or IP addresses to be associated with a single certificate. * Commonly used for securing multiple domains or subdomains with a single SSL/TLS certificate.

Question 72

Certificate Stapling

Answer 72

An extension of OCSP in which *the certificate subjects*, rather than the end users, reach out to the OCSP server of the CA to verify the web server's certificate. This verification is "stapled" to the server's certificate and will be accepted by all of the many web browsers contacting the server throughout the day. This validation is usually valid for 24 hours and saves the CA's OCSP server from having to verify the same certificate for millions of different users millions of times a day.

Question 73

Certificate Chaining

Answer 73

A process whereby you can have your internal CA trusted by a 3rd party CA and the outside world; multiple certificates are linked together to establish trust between a root certificate (trusted by all) and an end certificate. Each certificate in the chain is signed by the next higher certificate, creating a chain of trust from the root CA to the user's certificate. Additional Explanation: * **Root CA**: The starting point of trust, whose certificate is self-signed. * **Intermediate CA**: Links between the root CA and end-user certificates, often signed by the root CA or another intermediate CA. This would be your "internal" CA * **End Certificate**: The final certificate, issued to the end user or device, used for secure communication.

Question 74

Offline CAs

Answer 74

Protect sensitive root keys by not being on a network. Used to sign certificates of intermediate (online) CA's belonging to the same org. Any "top-level" / "global root" CA you see is most likely an offline CA that signed a lower CA's cert in the chain of trust.

Question 75

DV | Certificate Type

Answer 75

Domain Validation * Verifies domain ownership * lowest level

Question 76

OV | Certificate Type

Answer 76

Organizational Validation * Verifies business/orginazation name against business records * state business registrations, or reputable business databases

Question 77

EV | Certificate Type

Answer 77

Extended Validation * extensive investigation to verify the physical existence and legitimacy of the organization

Question 78

Distinguished Encoding Rules (DER) | Certificate Format ## Footnote Recall: encoding and file extensions

Answer 78

* Binary certificate format * .der, .cer, .crt file extensions * most common

Question 79

PEM | Certificate Format ## Footnote Recall: encoding and file extensions

Answer 79

* An ASCII equivalent of the binary DER certificat format * .pem, .cer, .crt, .key file extensions * Can easily convert between text-based PEM and and binary DER formats using OpenSSL * **note** that in the case of .crt or .cer files, you can't tell if it is DER or PEM without looking at it! * Name comes from deprecated Privacy Enhanced Mail secure email standard * The certificate format is still used even though the mail standard is not

Question 80

PFX | Certificate Format ## Footnote Recall: encoding and file extensions

Answer 80

Personal Information Exchange * binary format commonly used by windows systems * .pfx or .p12 file extensions

Question 81

P7B | Certificate Format ## Footnote Recall: encoding and file extensions

Answer 81

* ASCII text equivalent format to PFX * also commonly used in Windows * .p7b file extension

Question 82

Approved DSS Algorithms

Answer 82

* Rivest-Shamir-Adleman (RSA) * Elliptic Curve Digital Signature Algorithm (ECDSA) * Edwards Curve Digital Signature Algorithm (EdDSA) All consider secure and acceptable for use in creating and verifying digital signatures