Security+ Encryption, PKI, Authentication, and Network Security Concepts (Vocabulary Flashcards)

A comprehensive set of vocabulary flashcards covering encryption (symmetric/asymmetric, PKI), hashing, digital certificates, TLS/SSL, authentication methods, access control models, PAM, directory services, and network security concepts mentioned in the notes.

Symmetric Encryption

Encryption that uses the same key for encryption and decryption; fast and suitable for bulk data.

Pre-Shared Key (PSK)

A secret key shared in advance by both communicating parties for symmetric encryption.

AES

Advanced Encryption Standard; symmetric cipher used for bulk data encryption.

AES-256

AES variant using 256-bit keys, offering strong security.

RC4

A stream cipher once common in TLS; now considered insecure and deprecated.

DES

Data Encryption Standard; 56-bit key; deprecated due to vulnerability to brute-force attacks.

3DES

Triple DES; applies DES three times; stronger than DES but slower and largely deprecated.

Asymmetric Cryptography

Public-key cryptography using a key pair (public and private) for encryption and digital signatures.

PKI

Public Key Infrastructure; framework for managing keys and digital certificates.

RSA

Public-key algorithm used for encryption and digital signatures; widely used in emails and data protection.

RSA 2048-4096

RSA key size range; larger keys provide greater security but require more processing.

ECC (Elliptic Curve Cryptography)

Elliptic Curve Cryptography; provides equivalent security with smaller key sizes; efficient for devices.

Diffie-Hellman (DH)

Key exchange protocol that enables two parties to establish a shared secret over an insecure channel.

Key Exchange

Process by which cryptographic keys are agreed upon between parties.

Hashing

Process that produces a fixed-size digest to verify data integrity.

MD5-128

MD5 producing 128-bit hashes; now considered insecure due to collision vulnerabilities.

SHA-1

Hash function; deprecated due to collision weaknesses; successors include SHA-256/512.

SHA-256

Secure Hash Algorithm with 256-bit output; widely used for integrity and signatures.

SHA-512

Secure Hash Algorithm with 512-bit output; strong integrity protection.

MD5 vulnerabilities (birthday attack, collisions)

MD5 is susceptible to collisions via birthday attack, compromising integrity.

Digital Signatures

Cryptographic signatures proving authenticity and integrity; often tied to certificates.

CAC Card

Common Access Card; smart card used for identity and authentication in certain environments.

Root CA

Root Certificate Authority; ultimate trusted authority; often offline to protect trust.

RA (Registration Authority)

Entity that authenticates identities and issues requests to a CA; may be offline or online.

CSR

Certificate Signing Request; request containing identity and public key for certificate issuance.

IPv4

Internet Protocol version 4; 32-bit addressing.

IPv6 / AAAA

Internet Protocol version 6; 128-bit addressing; AAAA records denote IPv6 addresses.

Digital Certificate

Electronic document that asserts identity and contains a public key (X.509 format common).

X.509

Directory standard for public key certificates used in PKI.

PKIX

Public Key Infrastructure X.509; standard for certificate path validation.

PKCS

Public Key Cryptography Standards; family of protocols for certificates and cryptography.

Self-Signed Certificate

Certificate signed with its own private key; lacks a trusted chain unless manually trusted.

CRL

Certificate Revocation List; list of certificates revoked before expiry.

OCSP

Online Certificate Status Protocol; real-time certificate status checking.

OCSP Stapling

OCSP response is stapled to the TLS handshake to reduce latency and privacy concerns.

Certificate Pinning

Associating a host with a specific certificate or public key to prevent MitM attacks.

Common Name (CN)

Main domain name in a certificate; part of the subject field.

Subject Alternative Name (SAN)

Additional identities (domains/addresses) listed in a certificate.

KMIP

Key Management Interoperability Protocol; standard for managing cryptographic keys.

TPM

Trusted Platform Module; hardware root of trust integrated in CPU/motherboard.

HSM

Hardware Security Module; removable hardware device for secure key generation and storage.

Key Escrow

Backup of cryptographic keys with a trusted party for recovery purposes.

Secure Enclave

Isolated hardware/firmware environment to protect sensitive data like passwords.

Bulk Encryption

Encryption of large data sets; typically uses AES for efficiency.

Perfect Forward Secrecy (PFS)

Ephemeral session keys ensure past communications remain secure if a key is compromised.

Salting

Adding random data to passwords before hashing to resist precomputed attacks.

Key Stretching

Applying multiple hashing or cryptographic operations to increase password resistance.

Steganography

Hiding information within other media to conceal its presence.

Data Masking

Redacting or obscuring sensitive data in outputs or datasets.

Tokenization

Substituting sensitive data with non-sensitive tokens; reversible with mapping.

De-Identification

Removing identifying information to protect privacy.

TLS

Transport Layer Security; secures data in transit via certificate-based protocols.

ECC for low power devices

ECC’s small key sizes are advantageous for devices with limited resources.

Key Enclave

Secure area in memory or hardware used to protect credentials (e.g., password managers).

MD5 (old hashing)

MD5 hashing; deprecated due to collision vulnerabilities.

Hard Authentication Tokens

Tokens used for authentication; include certificate-based PKI, OTP, FIDO, U2F.

Certificate-based PKI

Use of digital certificates issued by a PKI to establish identity.

OTP

One-Time Password; valid for a single login session.

FIDO

Fast Identity Online; standard for passwordless, strong authentication.

U2F

Universal 2nd Factor; hardware security keys for authentication.

Soft Authentication Tokens

Codes or prompts delivered via software channels (SMS, email, push).

SMS

Text message-based one-time codes for authentication.

Email

Email-based authentication tokens or links.

Phone Call

Voice-based verification codes or prompts for authentication.

Notification

Push or in-app notifications used for authentication prompts.

Authenticator App

Apps that generate time-based or event-based one-time codes.

Passwordless Authentication

Authentication without passwords (e.g., hardware keys, biometrics, push).

FRR

False Rejection Rate; probability a legitimate user is rejected.

FAR

False Accept Rate; probability an impostor is accepted.

DAC

Discretionary Access Control; access determined by object owner.

MAC

Mandatory Access Control; access determined by centralized policy.

RBAC

Role-Based Access Control; access based on user roles.

RUBAC

Rule-Based Access Control; access based on pre-defined rules (policy).

ABAC

Attribute-Based Access Control; access based on attributes like role, location.

PoLP

Principle of Least Privilege; grant only necessary permissions.

Provisioning

Onboarding: proofing identity, issuing credentials, assigning assets.

Deprovisioning

Removing access and credentials when a user leaves or role changes.

PAM

Privileged Access Management; controls and monitors privileged accounts.

LDAP

Lightweight Directory Access Protocol; directory service with DN and attribute-value pairs.

SAML

Security Assertion Markup Language; exchanging authentication/authorization data.

OAuth

Authorization framework for granting limited access to resources.

SSO

Single Sign-On; unify authentication across multiple systems.

Kerberos

Network authentication protocol used for secure, mutual authentication.

NGFW

Next-Generation Firewall; includes DPI and application awareness.

DPI

Deep Packet Inspection; analyzes content to enforce security policies.

Stateful

Firewall that tracks sessions and context to make decisions.

Stateless

Firewall that does not track session state; decisions based on rules only.

WAF

Web Application Firewall; protects web apps from SQLi, XSS, CSRF.

UTM

Unified Threat Management; integrates firewall, IPS/IDS, and more in one device.

Remember /24 subnet

CIDR notation for a 255.255.255.0 subnet; defines an IP range.

DNS

Domain Name System; resolves hostnames to IP addresses.

SAW

Secure Admin Workstation; dedicated secure workstation for admin tasks.

Jump Server

Hardened intermediary server in DMZ enabling access to internal hosts.

NAC

Network Access Control; enforces security policies at network access.

802.1x

Port-based network access control protocol used with RADIUS.

RADIUS

Remote Authentication Dial-In User Service; provides AAA services.

EAP

Extensible Authentication Protocol; framework for multiple authentication methods.

PEAP

Protected EAP; encapsulates EAP in a secure tunnel; often built on CHAP.

TLS

Transport Layer Security; strongest, certificate-based security for sessions.

HIDS/NIDS

Host-Based/Network-Based Intrusion Detection Systems; monitor threats.