Cryptography & PKI

Question 1

Symmetric algorithms

Answer 1

Requires both the sender and receiver to have the same key. This results in faster computations, which makes them well-suited to bulk encryption.

Question 2

Modes of operation

Answer 2

Modes of operation are used to deal with multiple blocks of identical input data, so that the cipher text doesn’t have repeated blocks of encrypted data.

Question 3

Asymmetric algorithms

Answer 3

In asymmetric algorithms, the sender and receiver each have a private key, which they keep to themselves, and a public key, which they can share.

Question 4

Hashing

Answer 4

• Hashing is a special mathematical function that performs one-way encryption.
• This is a good way of storing computer passwords, and also ensuring message integrity.
• Common hashing algorithms include MD2, MD4, MD5, SHA-1, SHA-256, SHA-384 and SHA-512, some of which have been found to suffer from collisions.

Question 5

Salt

Answer 5

Salting is the addition of a high-entropy piece of data (random characters) to an input to make it more difficult for the attacker to determine the original data.

Question 6

Initialization Vectors (IV)

Answer 6

Initialization vectors, or IV, are used to help achieve randomness with deterministic inputs.

Question 7

Nonce

Answer 7

Nonce is similar to salts and IVs, but is only used once. This is helpful in stream ciphers to break stateful properties.

Question 8

Elliptic Curve

Answer 8

Special mathematical properties that allow a sender and receiver to openly pick a spot on the curve, and then individually derive keys from that point.

Question 9

Weak/deprecated algorithms

Answer 9

As time goes by, computational power increases, which means that algorithms are not as secure. Additionally, flaws are found in different algorithms.

Question 10

Digital signatures

Answer 10

• This is a cryptographic implementation meant to demonstrate authenticity and identity for a given a message.
• This uses public key cryptography. A person will hash a message, and then encrypt it with their private key.
• The receiver can then decrypt it with the sender’s public key. If they hash the original message, and it matches the decrypted message, they know that the message hasn’t been altered, and they also know that the sender sent it.

Question 11

Diffusion

Answer 11

One character change in the plaintext should correspond to multiple changes in the cipher text.

Question 12

Confusion

Answer 12

The principle that affects randomness of an output. Each ciphertext character should depend on several parts of the key.

Question 13

Collision

Answer 13

When two different inputs have the same output on a cryptographic function.

Question 14

Steganography

Answer 14

The science of hiding data inside other data. This has the advantage of not attracting attention.

Question 15

Obfuscation

Answer 15

This is masking an item so that it’s unreadable, yet still functions.

Question 16

Stream vs. block

Answer 16

• Encryption can happen as block operations, which are performed on blocks of data. This means you can do both transposition and substitution operations.
• Alternatively, you can also do stream ciphers on stream data, which is common with streaming audio and video. This has to happen in smaller chunks, so it can do substitution only.

Question 17

Key strength

Answer 17

The strength of a cryptographic operation is dependent on the key strength.

Question 18

Session keys

Answer 18

A session key is a symmetric key for encrypting messages during a communication session. It’s generated from random seeds, and provides perfect forward secrecy.

Question 19

Ephemeral key

Answer 19

Ephemeral keys are keys that are only used once after generation.

Question 20

Secret algorithm

Answer 20

While most algorithms are known, leaving the key as the crucial part, you can also have secret algorithms.

Question 21

Data-at-Rest Encryption

Answer 21

Protection of data-at-rest is also known as data encryption. This includes things like whole disk encryption.

Question 21

Data-In-Transit Encryption

Answer 21

Transport encryption is used to protect data-in-transit. This includes things like Transport Layer Security on the transport level.

Question 22

Data-in-use Encryption

Answer 22

Data-in-use means data that’s stored in a non-persistent state (RAM, CPU caches, CPU registers, etc.) New techniques like Intel’s Software Guard Extensions can encrypt this data.

Question 22

Random/pseudo-random number generation

Answer 22

There are specialized pseudo-random number generators that try to minimize the predictability of not-actually-random numbers that are generated by computers.

Question 23

Low latency

Answer 23

Low latency refers to situations that have extreme time constraints. This might require special cryptographic functions that can deliver results quickly. Stream ciphers are an example.

Question 24

High resiliency

Answer 24

High resiliency is the capability of resuming normal operations after an external disruption.

Question 25

AES Symmetric algorithm

Answer 25

This is the successor to DES. It’s secure and computationally efficient.

Question 26

DES Symmetric algorithm

Answer 26

Obselete (replaced with AES)

Question 27

3DES Symmetric algorithm

Answer 27

there are 3 rounds of encryption, with 2 or three keys. This makes it more secure.

Question 28

RC4 Symmetric algorithm

Answer 28

Stream Cipher.

Question 29

CBC Symmetric algorithm

Answer 29

Cipher Block Chaining (CBC)

Question 30

RSA Asymmetric algorithm

Answer 30

The algorithm is based on the product of two very large prime numbers, which is very difficult to factor. It’s almost 100x slower than DES

Question 31

DSA Asymmetric algorithm

Answer 31

A digital signature. Providing proof-of-author/sender.

Question 32

Diffie-Hellman Asymmetric algorithm

Answer 32

It’s used for electronic key exchange of SSL and TLS protocols, as well as SSH and IPSec.

Question 33

Elliptic curve Asymmetric algorithm

Answer 33

ECC is well-suited for platforms with limited computing power, like cell phones.

Question 34

Hashing Asymmetric algorithm

Answer 34

These are cryptographic methods that are commonly used to store computer passwords and to ensure message integrity.

Question 35

SHA Asymmetric algorithm

Answer 35

Secure Hash Algorithm is another algorithm developed by NIST, and the NSA. There are several variants, including SHA-1, which was developed in 1993 and modeled on MD4. However, SHA-1 is vulnerable to collision attacks. SHA-2 includes SHA-224, SHA-256, SHA_384, SHA-512. The hash output is equal to the number after “SHA.” There’s also SHA-3 but this is new and not widely adopted yet.

Question 36

Key stretching Asymmetric algorithm

Answer 36

Key stretching is a way of taking a weak key and “stretching” it to make the system more secure.

Question 37

WPA Cryptographic Protocol

Answer 37

Wi-Fi Protected Access.

Question 38

WPA2 Cryptographic Protocol

Answer 38

Wi-Fi Protected Access 2 is the protocol in common use.

Question 39

CCMP Cryptographic Protocol

Answer 39

Counter Mode with Cipher Block Chaining–Message Authentication Code (or CCMP) is another protocol that uses AES. Unlike WPA2, it requires new hardware.

Question 40

TKIP Cryptographic Protocol

Answer 40

Obselete.

Question 41

EAP Authentication Protocol

Answer 41

Extensible Authentication Protocol (EAP) is a protocol for wireless networks that builds on the authentication methods used in Point-to-Point Protocol (PPP).

Question 42

PEAP Authentication Protocol

Answer 42

Protected EAP. Developed to protect EAP communication by encapsulating it with TLS.

Question 43

EAP-FAST Authentication Protocol

Answer 43

The Wi-Fi Alliance added EAP-FAST (along with EAP-TLS and EAP-TTLS) in 2010 in support of WPA/WPA2. The “FAST” part stands for Flexible Authentication via Secure Tunneling.

Question 44

EAP-TLS Authentication Protocol

Answer 44

EAP-TLS is an IETF open standard.

Question 45

EAP TTLS Authentication Protocol

Answer 45

EAP-Tunneled TLS Protocol. This is a variant of the EAP-TLS protocol and works in a similar way. It has the server authenticating to the client with a certificate, but there is also a TLS tunnel to the client side of the authentication. This allows for legacy authentication protocols such as Password Authentication Protocol (PAP).

Question 46

WPS Method

Answer 46

Wi-Fi Protected Setup (WPS) was meant to help facilitate wireless network setup for home users.

Question 47

CA

Answer 47

The CA is the trusted authority that certifies individuals’ identities and creates electronic documents indicating that individuals are who they say they are. The electronic document is referred to as a digital certificate, and it establishes an association between the subject’s identity and a public key.

Question 48

CRL

Answer 48

CAs must provide a list of all revoked certificates (by serial number) on a Certification Revocation List (CRL).

Question 49

OCSP

Answer 49

Online Certificate Status Protocol (OCSP) is a request and response protocol that gets the serial number of a certificate that is being validated for a client, and checks it against CRLs.

Question 50

CSR

Answer 50

A certificate signing request (CSR) is the request made to a CA containing a public key and other information needed to generate a certificate.

Question 51

Certificate

Answer 51

A digital certificate binds an individual’s identity to a public key. X.509 is the latest version (as of the time of writing). Certificate fields include: X.409 version number Certificate owner (“Subject”) Public key The CA issuing the certificate (“Issuer”) Serial number of the certificate Dates through which it is valid for use (“Validity”) Approved certificate usage Signature algorithm Extensions

Question 52

Trust Model

Answer 52

This is “a construct of systems, personnel, applications, protocols, technologies, and policies that work together to provide a certain level of protection.”

Question 53

End-Entity Certificate

Answer 53

End-entity certificates are issued by a CA to a specific subject, like a user, website, firewall, etc. A CA certificate can be self-signed (for a root CA) or it can be signed by a superior CA.

Question 54

Cross-certification certificate

Answer 54

When independent CAs establish a peer-to-peer trust relationship.

Question 55

Root Certificate

Answer 55

A root certificate is a certificate that forms the initial basis of trust in a trust chain.

Question 56

User Certificate

Answer 56

User certificates identify users, and are also end-entity certificates.

Question 57

E-Mail Certificate

Answer 57

Email certificates can be used for identity with respect to email. Another end-entity example.

Question 58

Computer Certificate

Answer 58

Certificates that bind identities to keys and provide means of authentication for computers are computer certificates, or machine certificates. Active Directory Domain Services can then keep track of machines via those certificates. This is an example of an end-entity certificate.

Question 59

.Key

Answer 59

The .key file extension is used for both public and private keys.

Question 60

CER

Answer 60

This file extension is for Windows systems (the Linux equivalent is .crt).