CompTIA Security+ Study Guide: Cryptographic Solutions and Key Concepts
Studied by 0 people
Learn
Practice Test
Spaced Repetition
Match
Flashcards1/95
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
|---|
No study sessions yet.
96 Terms
Cryptography
■ Practice and study of writing and solving codes
■ Encryption to hide information's true meaning
Encryption
■ Converts plaintext to ciphertext
■ Provides data protection at rest, in transit, and in use
Data States
■ Data at Rest ● Inactive data on storage devices
■ Data in Transit ● Moving across networks
■ Data in Use ● Currently undergoing change
Algorithm and Key
■ Algorithm (Cipher) ● Performs encryption or decryption
■ Key ● Essential for determining cipher output
Most encryption algorithms are transparent and publicly available, the main source of security is the privacy of the key, and the length of that key.
Key Strength and Rotation
■ Key Length ● Proportional to security
■ Key Rotation ● Best practice for security longevity
Symmetric and Asymmetric Encryption
■ Symmetric ● Uses same key for encryption and decryption
■ Asymmetric ● Uses a pair of keys for encryption and decryption
Hashing definition
■ Converts data into fixed-size string (digest) using hash functions
Hashing algorithms
● MD5
● SHA Family
● RIPEMD
● HMAC
Encryption Tools
■ TPM
■ HSM
■ Key Management Systems
■ Secure Enclave
Obfuscation
■ Steganography
■ Tokenization
■ Data Masking
Cryptographic Attacks
■ Downgrade Attacks
■ Collision Attacks
■ Quantum Computing Threats
Symmetric Encryption
■ Uses a single key for both encryption and decryption
■ Often referred to as private key encryption
■ Requires both sender and receiver to share the same secret key
■ Offers confidentiality but lacks non-repudiation
■ Challenges with key distribution in large-scale usage
● More people means more sharing of the keys
Asymmetric Encryption
■ Uses two separate keys
● Public key for encryption
● Private key for decryption
■ Often called "Public Key Cryptography"
■ No need for shared secret keys
■ Commonly used algorithms include Diffie-Hellman, RSA, and Elliptic Curve Cryptography (ECC)
■ Slower compared to symmetric encryption but solves key distribution challenges
Hybrid Approach with symmetric and asymmetric
■ Combines both symmetric and asymmetric encryption for optimal benefits
■ Asymmetric encryption used to encrypt and share a secret key
■ Symmetric encryption used for bulk data transfer, leveraging the shared secret key
■ Offers security and efficiency
2 cipher types
○ Stream Cipher - ■ Encrypts data bit-by-bit or byte-by-byte in a continuous stream, good for real time comms, often used in symmetric - often in hardware solutions
○ Block Cipher ■ Breaks input data into fixed-size blocks before encryption ● Usually 64, 128, or 256 bits at a time. Adds padding to small blocks. - often in software solutions
Stream Cipher
■ Encrypts data bit-by-bit or byte-by-byte in a continuous stream
■ Uses a keystream generator and exclusive XOR function for encryption
■ Suitable for real-time communication data streams like audio and video
■ Often used in symmetric algorithms
Block Cipher
■ Breaks input data into fixed-size blocks before encryption ● Usually 64, 128, or 256 bits at a time
■ Padding added to smaller data blocks to fit the fixed block size
■ Advantages include ease of implementation and security
■ Can be implemented in software, whereas stream ciphers are often used in hardware solutions
Symmetric Algorithms
■ DES - Uses a 64-bit key (56 effective bits due to parity), used from 70s to early 2000s
■ Triple DES - Utilizes three 56-bit keys, Encrypts data with the first key, decrypts with the second key, and encrypts again with the third key, Provides 112-bit key strength but is slower than DES
■ IDEA - A symmetric block cipher with a 64-bit block size, 128-bit key, faster and more secure than DES, Not as widely used as AES
■ AES - Replaced DES and 3DES as the US government encryption standard, Supports 128-bit, 192-bit, or 256-bit keys, widely adopted and is the gold standard
■ Blowfish - A block cipher with key sizes ranging from 32 to 448 bits, DES replacement but not widely used
■ Twofish - A block cipher supporting 128-bit block size and key sizes of 128, 192, or 256 bits, open source
■ Rivest Cipher - RC Cipher Suite (RC4, RC5, RC6), RC4 is a stream cipher with variable key sizes from 40 to 2048 bits, used in SSL and WEP, RC5 is a block cipher with key sizes up to 2048 bits, RC6, based on RC5, was considered as a DES replacement
DES (Data Encryption Standard) - symmetric algorithm
■ Uses a 64-bit key (56 effective bits due to parity)
■ Encrypts data in 64-bit blocks through 16 rounds of transposition and substitution
■ Widely used from the 1970s to the early 2000s
block cipher
Triple DES (3DES) - symmetric algorithm
■ Utilizes three 56-bit keys
■ Encrypts data with the first key, decrypts with the second key, and encrypts again with the third key
■ Provides 112-bit key strength but is slower than DES
block cipher
IDEA (International Data Encryption Algorithm) - symmetric algorithm
■ A symmetric block cipher with a 64-bit block size
■ Uses a 128-bit key, faster and more secure than DES
■ Not as widely used as AES
block cipher
AES (Advanced Encryption Standard) - symmetric algorithm
■ Replaced DES and 3DES as the US government encryption standard
■ Supports 128-bit, 192-bit, or 256-bit keys and matching block sizes
■ Widely adopted and considered the encryption standard for sensitive unclassified information
block cipher
Blowfish
■ A block cipher with key sizes ranging from 32 to 448 bits
■ Developed as a DES replacement but not widely adopted
block cipher
Twofish
■ A block cipher supporting 128-bit block size and key sizes of 128, 192, or 256 bits
■ Open source and available for use
block cipher
RC Cipher Suite (RC4, RC5, RC6)
■ Created by cryptographer, Ron Rivest
■ RC4 is a stream cipher with variable key sizes from 40 to 2048 bits, used in SSL and WEP
■ RC5 is a block cipher with key sizes up to 2048 bits
■ RC6, based on RC5, was considered as a DES replacement
Asymmetric Algorithms
Uses a key pair, public key for encryption, private for decryption - Provides confidentiality(encrypted), integrity (Hash digest), authentication(only private key works), and non-repudiation
■ Diffie-Hellman - Used for key exchange and secure key distribution, Vulnerable to man-in-the-middle attacks, requires authentication, commonly used in VPN tunnels
■ RSA - Used for key exchange, encryption, and digital signatures, Supports key sizes from 1024 to 4096 bits, widely used especially for MFA
■ Elliptic Curve Cryptography - Efficient and secure, uses algebraic structure of elliptical curves, common in mobile, 6 times more efficient than RSA but equivalent, variations include ECDH, ECDHE, ECDSA
Public Key Cryptography
■ No shared secret key required
■ Uses a key pair
● Public key for encryption
● Private key for decryption
■ Provides confidentiality, integrity, authentication, and non-repudiation
Confidentiality with Public Key
■ Encrypt data using the receiver's public key
■ Only the recipient with the corresponding private key can decrypt it
Non-Repudiation with Private Key
■ Encrypt data using the sender's private key
■ Anyone with access to the sender's public key can verify the sender's identity
Integrity and Authentication with Digital Signature
■ Create a hash digest of the message
■ Encrypt the hash digest with the sender's private key
● Digital Signature ○ A hash digest of a message encrypted with the sender's private key to let the recipient know the document was created and sent by the person claiming to have sent it
■ Encrypt the message with the receiver's public key
■ Ensures message integrity, non-repudiation, and confidentiality
Diffie-Hellman - asymmetric algorithm
● Used for key exchange and secure key distribution
● Vulnerable to man-in-the-middle attacks, requires authentication
● Commonly used in VPN tunnel establishment (IPSec)
RSA (Ron Rivest, Adi Shamir, Leonard Adleman) - asymmetric algorithm
● Used for key exchange, encryption, and digital signatures
● Relies on the mathematical difficulty of factoring large prime numbers
● Supports key sizes from 1024 to 4096 bits
● Widely used in organizations and multi-factor authentication
Elliptic Curve Cryptography (ECC) - asymmetric algorithm
● Efficient and secure, uses algebraic structure of elliptical curves
● Commonly used in mobile devices and low-power computing
● Six times more efficient than RSA for equivalent security
● Variants include
○ ECDH (Elliptic Curve Diffie-Hellman) - an EEC version of DH
○ ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) - an ECC version of DH, but uses a different key for each portion of the key establishment process in the key exchange
○ ECDSA (Elliptic Curve Digital Signature Algorithm) - used as a public key encryption algorithm by the US government in their digital signatures
Hashing
■ One-way cryptographic function that produces a unique message digest from an input
○ Hashes change drastically even with minor changes in input
○ Hashing is used to verify data integrity and detect any changes
Hash Digest
■ Like a digital fingerprint for the original data
■ Always of the same length regardless of the input's length
4 common Hashing algorithms
■ One-way cryptographic function that produces a unique message digest from an input, the hash digest is like a fingerprint and is always the same length
■ MD5 (Message Digest Algorithm 5)
● Creates a 128-bit hash value
● Limited unique values, leading to collisions, not recommended for critical
■ SHA (Secure Hash Algorithm) Family
● SHA-1 ○ Produces a 160-bit hash digest, less prone to collisions than MD5
● SHA-2 ○ Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512)
● SHA-3 ○ Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations
■ RIPEMD (RACE Integrity Primitive Evaluation Message Digest)
● Versions available - 160 bit, 256 bit, 320 bit.
opensource competitor to sha
■ HMAC (Hash-based Message Authentication Code)
● Checks message integrity and authenticity, using HMAC-MD5, HMAC-SHA, and HMAC-SHA256
MD5 (Message Digest Algorithm 5) hash algorithm
● Creates a 128-bit hash value
● Limited unique values, leading to collisions - can lead to a collision because two different files can have the same hash digest
● Not recommended for security-critical applications due to vulnerabilities
SHA (Secure Hash Algorithm) Family hash algorithm
● SHA-1 ○ Produces a 160-bit hash digest, less prone to collisions than MD5
● SHA-2 ○ Offers longer hash digests (SHA-224, SHA-256, SHA-348, SHA-512)
● SHA-3 ○ Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations
RIPEMD (RACE Integrity Primitive Evaluation Message Digest) hash algorithm
● Versions available
○ 160-bit (Most common) ○ 256-bit ○ 320-bit
● Open-source competitor to SHA but less popular
HMAC (Hash-based Message Authentication Code) hash algorithm
● Checks message integrity and authenticity - use to ensure the authenticity and integrity of a message
● Utilizes other hashing algorithms (e.g., HMAC-MD5, HMAC-SHA1, HMAC-SHA256)
The sender will encrypt the hash digest with their private key, they will then send the message to the receiver. The receiver will decrypt the message with the public key and calculate its own hash digest of the message, and compare it to the hash digest it received. This way they can verify who the message was from, and that the contents were not altered
2 Digital Signatures algorithms
■ Uses a hash digest encrypted with a private key, Sender hashes the message and encrypts the hash with their private key
■ DSA (Digital Security Algorithm) - used a 160 bit message digest created by DSS
■ RSA (Rivest-Shamir-Adleman) - Supports digital signatures, encryption, and key distribution, widely used
Common Digital Signature Algorithms
■ DSA (Digital Security Algorithm) ● Utilized for digital signatures● Uses a 160-bit message digest created by DSS (Digital Security Standard)
■ RSA (Rivest-Shamir-Adleman) ● Supports digital signatures, encryption, and key distribution ● Widely used in various applications, including code signing
2 Common Hashing attacks
■ Pass the Hash Attack - attacker uses the hash of the password rather than the password itself, can be prevented with a good OS, MFA, and patching
■ Birthday Attack - occurs due to hash collisions, can be exploited because it allows you to brute force fewer items?, can be prevented with longer hash output SHA-256
Pass the Hash Attack
● A hacking technique that allows the attacker to authenticate to a remote server or service by using the underlying hash of a user's password instead of requiring the associated plaintext password
● Hashes can be obtained by attackers to impersonate users without cracking the password
● Difficult to defend against due to various Windows vulnerabilities and applications
● Penetration tools like Mimikatz automate hash harvesting
● Prevention
○ Ensure trusted OS
○ Proper Windows domain trusts
○ Patching
○ Multi-factor authentication
○ Least privilege
Birthday Attack
● Occurs when two different messages result in the same hash digest (collision)
● Named after the Birthday Paradox, where shared birthdays become likely in a group
● Collisions in hashes can be exploited by attackers to bypass authentication systems
● Use longer hash output (e.g., SHA-256) to reduce collisions and mitigate the attack
4 methods to increase hash security
■ Key Stretching
● uses longer keys at least 128 bit, increases the time needed to crack the key
● Used in systems like Wi-Fi Protected Access, Wi-Fi Protected Access version 2, and Pretty Good Privacy
■ Salting
● Adds random data (salt) to passwords before hashing, ensures distinct hash output for same inputs
● Thwarts dictionary attacks (every word), brute-force attacks(every combo), and rainbow tables (tables for reversing cryptographic functions, makes it impossible)
■ Nonces (Number Used Once)
● Adds unique, often random numbers to password-based authentication processes, prevents reuse of stolen auth data
■ Limiting Failed Login Attempts
● Restricts the number of incorrect login attempts a user can make
Public Key Infrastructure (PKI)
■ Framework managing digital keys and certificates for secure data transfer - includes hardware, software, policies, procedures, and people that is based on asymmetric encryption
system that creates the asymmetrical key pairs that consist of those public and private keys that are used in the encryption and decryption process
PKI
entire system for facilitating data transfer, auth, and encrypted communications. Used in HTTPS.
HTTPS Steps - user connects via HTTPS, browser contacts CA, random shared secret key is generated for symmetric encryption, shared secret is transmitted used public key encryption, web server decrypts with private key and both sides used shared key
- it includes public key cryptography, which is just a part of PKI
key escrow - ensures encrypted data is not permanently lost, storage of keys in secure third party location. enables retrieval if a key is lost. Needs to be locked down
PKI Components
■ An entire system involving hardware, software, policies, procedures, and people
■ Based on asymmetric encryption
■ Facilitates secure data transfer, authentication, and encrypted communications
■ Used in HTTPS connections on websites
Establishing a Secure Connection
■ User connects to a website via HTTPS
■ Web browser contacts a trusted certificate authority for the web server's public key
■ A random shared secret key is generated for symmetric encryption
■ The shared secret is securely transmitted using public key encryption
■ The web server decrypts the shared secret with its private key
■ Both parties use the shared secret for symmetric encryption (e.g., AES) to create a secure tunnel
Security Benefits of PKI
■ Confidentiality ● Data is encrypted using a shared secret
■ Authentication ● The web server's identity is verified using its private key
Public Key Infrastructure vs. Public Key Cryptography
■ Public Key Infrastructure (PKI)
● Encompasses the entire system for managing key pairs, policies, and trust
● Involves generating, validating, and managing public and private key pairs that are used in the encryption and decryption process
● Ensures the security and trustworthiness of keys
■ Public Key Cryptography
● Refers to the encryption and decryption process using public and private keys
● Only a part of the overall PKI architecture
Key Escrow
■ Storage of cryptographic keys in a secure, third-party location (escrow)
■ Enables key retrieval in cases of key loss or for legal investigations
■ Relevance in PKI
● In PKI, key escrow ensures that encrypted data is not permanently inaccessible
● Useful when individuals or organizations lose access to their encryption keys
■ Security Concerns
● Malicious access to escrowed keys could lead to data decryption
● Requires stringent security measures and access controls
5 Digital Certificate types
■ Digitally signed electronic documents to bind a public key with a user's identity
■ Used for individuals, servers, workstations, or devices
■ Use the X.509 Standard
● Commonly used standard for digital certificates within PKI, contains user and CA info
■ Wildcard Certificate - Allows multiple subdomains to use the same certificate
■ SAN (Subject Alternate Name) field - specifies what additional domains and IP addresses are going to be supported for when domain names dont have same root domain
■ Single-Sided and Dual-Sided Certificates - single sided only requires server validation. dual sided requires both server and user validation
■ Self-Signed Certificates - signed by the same entity it certifies
■ Third-Party Certificates - certs issues by trusted CAs
Key concepts
■ Root of Trust - Highest level of trust in certificate validation, like google, forms path for trust
■ Certificate Authority (CA) - Trusted third party that issues digital certificates
■ Registration Authority (RA) - assists in cert issuance, Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate,
■ Certificate Signing Request (CSR) - A block of encoded text with information about the entity requesting the certificate, includes public key and is submitted to CA
■ Certificate Revocation List (CRL) - listed of revoked certs maintained by CA
■ Online Certificate Status Protocol (OCSP) - Determines certificate revocation status or any digital certificate using the certificate's serial number
■ OCSP Stapling - alternative to OCSP, allowing cert holder to get OCSP record from server at regular intervals
■ Public Key Pinning - Allows an HTTPS website to resist impersonation attacks, Alerts users if a fraudulent certificate is detected
■ Key Escrow Agents - Securely store copies of private keys
■ Key Recovery Agents - software that allows the restoration of a lost or or corrupted key to be performed, backup to CA
Types of Digital Certificates
■ Wildcard Certificate
■ SAN (Subject Alternate Name) field
■ Single-Sided and Dual-Sided Certificates
■ Self-Signed Certificates
■ Third-Party Certificates
Wildcard Certificate
● Allows multiple subdomains to use the same certificate
● Easier management, cost-effective for subdomains
● Compromise affects all subdomains
Using * to reduce the number of certificates you need to manage
SAN (Subject Alternate Name) field (certificate type)
● Certificate that specifies what additional domains and IP addresses are going to be supported
● Used when domain names don't have the same root domain
Single-Sided and Dual-Sided Certificates
● Single-sided ○ Only requires the server to be validated
● Dual-sided
○ Both server and user validate each other
○ Dual-sided for higher security, requires more processing power
Self-Signed Certificates
● Digital certificate that is signed by the same entity whose identity it it certifies
● Provides encryption but lacks third-party trust
● Used in testing or closed systems
Third-Party Certificates
● Digital certificate issued and signed by trusted certificate authorities (CAs)
● Trusted by browsers and systems
● Preferred for public-facing websites
Root of Trust
● Highest level of trust in certificate validation
● Trusted third-party providers like Verisign, Google, etc.
● Forms a certification path for trust
They are the trusted entity that determines who the trusted third parties are
Certificate Authority (CA)
● Trusted third party that issues digital certificates
● Certificates contain CA's information and digital signature
● Validates and manages certificates
Registration Authority (RA)
● Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate
● Collects user information for certificates and sends it to CA
● Assists in the certificate issuance process
Certificate Signing Request (CSR)
● A block of encoded text with information about the entity requesting the certificate
● Includes the public key
● Submitted to CA for certificate issuance
● Private key remains secure with the requester
Certificate Revocation List (CRL)
● Maintained by CAs
● List of all digital certificates that the certificate authority has already revoked
● Checked before validating a certificate
Online Certificate Status Protocol (OCSP)
● Determines certificate revocation status or any digital certificate using the certificate's serial number
● Faster but less secure than CRL
OCSP Stapling
● Alternative to OCSP
● Allows the certificate holder to get the OCSP record from the server at regular intervals
● Includes OCSP record in the SSL/TLS handshake
● Speeds up the secure tunnel creation
Public Key Pinning
● Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates
● Presents trusted public keys to browsers
● Alerts users if a fraudulent certificate is detected when the public keys are verified with the CA
Key Escrow Agents
● Securely store copies of private keys
● Ensures key recovery in case of loss
● Requires strong access controls
Key Recovery Agents
● Specialized type of software that allows the restoration of a lost or or corrupted key to be performed
● Acts as a backup for certificate authority keys
Trust in Digital Certificates
■ Trust is essential in digital certificates
■ Compromised root CAs can impact all issued certificates
■ Commercially trusted CAs are more secure
■ Self-managed CAs must be vigilant against compromises
blockchain types
■ Shared immutable ledger for transactions and asset tracking, each block has the hash of the block before it
■ Block Structure - previous blocks hash, timestamp, transactions
■ Public Ledger - anonymous record keeping system, records all transactions
Applications
■ Smart Contracts - Self-executing contracts with code-defined terms
■ Commercial Uses - Permissioned blockchain used for business transactions, enhances trust and transparency
■ Supply Chain Management - ● Transparency and traceability in the supply chain
Implications - versatility, decentralization, immutable ledger, and digital evolution
Blockchain
■ Shared immutable ledger for transactions and asset tracking
■ Builds trust and transparency
■ Widely associated with cryptocurrencies like Bitcoin
■ Is essentially a really long series of information with each block containing information in it ● Each block has the hash for the block before it
■ Block Structure
● Chain of blocks, each containing
○ Previous block's hash
○ Timestamp
○ Root transactions (hashes of individual transactions)
● Blocks are linked together in a chronological order
■ Public Ledger
● Secure and anonymous record-keeping system
● Maintains participants' identities
● Tracks cryptocurrency balances
● Records all genuine transactions in a network
Blockchain Applications
■ Smart Contracts
● Self-executing contracts with code-defined terms
● Execute actions automatically when conditions are met
● Transparent, tamper-proof, and trust-enhancing
■ Commercial Uses
● Companies like IBM promote blockchain for commercial purposes
● Permissioned blockchain used for business transactions
● Enhances trust and transparency with immutable public ledger
■ Supply Chain Management
● Transparency and traceability in the supply chain
● Immutable records of product origin, handling, and distribution
● Ensures compliance and quality control
Broad Implications of Blockchain
■ Versatility
● Beyond finance and cryptocurrencies
● Applications across various industries
● Promises transparency, efficiency, and trust
■ Decentralization
● Key feature of blockchain
● Eliminates need for central authorities
● Empowers peer-to-peer networks
■ Immutable Ledger
● Ensures data integrity
● Records cannot be altered or deleted
● Reinforces trust in transactions and information
■ Digital Evolution
● Blockchain's impact on technology and industries
● Potential to reshape traditional systems
● Offers transparency, efficiency, and trust in the digital era
4 Encryption Tools for Data Security
■ TPM (Trusted Platform Module) - Dedicated microcontroller for hardware-level security, protect secrets through integrated cryptographic keys, used in bitlocker on windows
■ HSM (Hardware Security Module) - Physical device for safeguarding and managing digital keysm tamper proof environment
■ Key Management System - Manages, stores, distributes, and retires cryptographic keys
■ Secure Enclaves - Coprocessor integrated into the main processor of some devices, isolated for secure processing, can be used for biometric data
TPM (Trusted Platform Module)
● Dedicated microcontroller for hardware-level security
● Protects digital secrets through integrated cryptographic keys
● Used in BitLocker drive encryption for Windows devices
● Adds an extra layer of security against software attacks
HSM (Hardware Security Module)
● Physical device for safeguarding and managing digital keys
● Ideal for mission-critical scenarios like financial transactions
● Performs encryption operations in a tamper-proof environment
● Ensures key security and regulatory compliance
This is like a bank, vs a personal vault like the TPM
Key Management System
● Manages, stores, distributes, and retires cryptographic keys
● Centralized mechanism for key lifecycle management
● Crucial for securing data and preventing unauthorized access
● Automates key management tasks in complex environments
Secure Enclaves
● Coprocessor integrated into the main processor of some devices
● Isolated from the main processor for secure data processing and storage, its like a computing fortress within a device, so that even if the device gets compromised, the enclave is still secure
● Safeguards sensitive data like biometric information
● Enhances device security by preventing unauthorized access
3 Obfuscation Techniques
■ Steganography - Conceals a message within another to hide its very existence, try to prevent suspicion there is a message at all
■ Tokenization - Substitutes sensitive data with non-sensitive tokens
■ Data Masking (Data Obfuscation) - Disguises original data to protect sensitive information
Steganography
● Conceals a message within another to hide its very existence
● Involves altering image or data elements to embed hidden information
● Primary goal is to prevent the suspicion that there's any hidden data at all
● Used alongside encryption for added security
● Detection is challenging due to hiding data in plain sight
Tokenization
● Substitutes sensitive data with non-sensitive tokens
● Original data securely stored elsewhere
● Tokens have no intrinsic value
● Reduces exposure of sensitive data during transactions, you can use the token instead of the actual value
● Commonly used for payment systems to comply with security standards
Data Masking (Data Obfuscation)
● Disguises original data to protect sensitive information
● Maintains data authenticity and usability
● Used in testing environments, especially for software development
● Reduces the risk of data breaches in non-production settings
● Common in industries handling personal data
● Masks portions of sensitive data for privacy, e.g., credit card digits, social security numbers
3 cryptographic attacks
○ Downgrade Attacks - Force systems to use weaker or older cryptographic standards or protocols
○ Collision Attacks - Find two different inputs producing the same hash output
○ Quantum Computing Threat - Quantum computers can break present day encryption, mitigated with longer key sizes, lattice based cryptography, NIST standards - CRYSTALS-Kyber, CRYSTALS-Dilithium, FLACON, SPHINCS+
Cryptographic Attack
■ Techniques and strategies that adversaries employ to exploit vulnerabilities in cryptographic systems with the intent to compromise the confidentiality, integrity, or authenticity of data
Downgrade Attacks
■ Force systems to use weaker or older cryptographic standards or protocols
■ Exploit known vulnerabilities or weaknesses in outdated versions
■ Example: POODLE attack on SSL 3.0
■ Countermeasures include phasing out support for insecure protocols and version-intolerant checks
A man in the middle can implant themself in the middle of the handshake, and tell the client and server that each can only user an older version. Then they can exploit this older version of the encryption protocol
Collision Attacks
■ Find two different inputs producing the same hash output
■ Undermine data integrity verification relying on hash functions
■ Vulnerabilities in hashing algorithms, e.g., MD5, can lead to collisions
■ Birthday Paradox or Birthday Attack
● The probability that two distinct inputs, when processed through a hashing function, will produce the same output, or a collision
-an a attacker can produce a malicious file with a hash identical to the file the user intends to download, and have them unknowingly download a malicious file.
Quantum computing
● A computer that uses quantum mechanics to generate and manipulate quantum bits in order to access enormous processing powers.
● Uses quantum bits (qubits) instead of using ones and zeros
Quantum Communication
● A communications network that relies on qubits made of photons (light) to send multiple combinations of ones and zeros simultaneously which results in tamper resistant and extremely fast communications
Qubit
● A quantum bit composed of electrons or photons that can represent numerous combinations of ones and zeros at the same time through superposition
● Enable simultaneous processing of multiple combinations
Quantum computing use cases
● Complex math problems
● Trying to do something like the modeling of an atom or atomic structure
Quantum computing threat
Threat to traditional encryption algorithms (RSA, ECC) by rapid factorization of large prime numbers
Post-quantum cryptography
● A new kind of cryptographic algorithm that can be implemented using today's classic computers but is also impervious to attacks from future quantum computers
● Aims to create algorithms resistant to quantum attacks
● First method is to create post-quantum cryptography is to increase the key size ○ Increases the number of permutations that are needed to be brute-forced - works well for symmetric encryption
● Second method is to create something like lattice-based cryptography and super singular isogeny key exchange
NIST post-quantum cryptography standards
● CRYSTALS-Kyber - general encryption needs
● Digital signatures
○ CRYSTALS-Dilithium - this is primary recommendation
○ FLACON
○ SPHINCS+ - focuses on use of hashing functions
Note 
Flashcards (103)