Encryption, Hashing, Threats and Mitigations, Authentication, etc. (CompTIA Sec+)


55 Terms

1

Symmetric key

Single shared key, shared secret key

2

Asymmetric encryption

Different keys used for encryption and decryption (public key cryptography)

3

Stream cipher

Encrypts bit by bit (symmetric algorithm)

4

Block cipher 

Encrypts fixed-length blocks

5

DES

Symmetric block encryption; breaks input into 64-bit blocks, with an effective key strength of 56 bits; uses transposition and substitution

6

3DES

Uses three separate symmetric keys to encrypt, decrypt, then encrypt again, producing stronger ciphertext

7

IDEA

Symmetric block cipher with a 128-bit key and 64-bit blocks

8

AES

Symmetric block cipher that uses 128-, 192-, or 256-bit blocks and matching keys

9

Blowfish

A block cipher with key sizes ranging from 32 to 448 bits. Developed as a DES replacement but not widely adopted.

10

Twofish 

A block cipher supporting a 128-bit block size and key sizes of 128, 192, or 256 bits. Open source and available for use.

11

RC4

A stream cipher with variable key sizes from 40 to 2048 bits, used in SSL and WEP

12

RC5

A block cipher with key sizes up to 2048 bits

13

Asymmetric algorithm

Does not require a shared secret key; provides CIA and non-repudiation; the private key is the only key that decrypts

14

Diffie-Hellman (DH)

Used for key exchange and secure key distribution. Vulnerable to man-in-the-middle attacks; requires authentication. Commonly used in VPN tunnel establishment (IPSec).

15

RSA

Used for key exchange, encryption, and digital signatures. Relies on the mathematical difficulty of factoring large prime numbers. Supports key sizes from 1024 to 4096 bits.

Widely used in organizations and multi-factor authentication

16

ECC

Efficient and secure; uses the algebraic structure of elliptic curves. Commonly used in mobile devices and low-power computing. Six times more efficient than RSA for equivalent security.

17

Hashing

One-way cryptographic function that produces a unique message digest from an input

18

MD5

Creates a 128-bit hash value, has a collision vulnerability

19

SHA-1

160-bit hash digest, reducing the number of collisions that can occur compared to MD5

20

SHA-2

Offers longer hash digests (SHA-224, SHA-256, SHA-384, SHA-512)

21

SHA-3

Uses 224-bit to 512-bit hash digests, more secure, 120 rounds of computations

22

RIPEMD

Open-source competitor to SHA but less popular; the 160-bit version is the most common

23

HMAC

Checks message integrity and authenticity. Utilizes other hashing algorithms.

24

Digital signatures

Created by hashing a file, then encrypting the hash with a private key

25

DSA

Uses a 160-bit message digest created by DSS (Digital Security Standard)

26

RSA

  • Supports digital signatures, encryption, and key distribution

  • Widely used in various applications, including code signing

27

Public Key Infrastructure (PKI)

  • Encompasses the entire system for managing key pairs, policies, and trust

  • Involves generating, validating, and managing public and private key pairs that are used in the encryption and decryption process

  • Ensures the security and trustworthiness of keys

28

Public Key Cryptography

Refers to the encryption and decryption process using public and private keys

29

Key Escrow

  • Storage of cryptographic keys in a secure, third-party location

  • Enables key retrieval in cases of key loss or for legal investigations

30

Digital certificate

  • Binds a public key to a user's identity

  • Used for individuals, servers, workstations, or devices

  • Uses the X.509 standard

31

Wildcard certificate 

  • Allows multiple subdomains to use the same certificate

  • Easier management, cost-effective for subdomains

  • Compromise affects all subdomains

32

SAN (Subject Alternate Name) field

  • Certificate that specifies what additional domains and IP addresses are going to be supported

  • Used when domain names don't have the same root domain

33

Single-sided certificate 

Only requires the server to be validated

34

Dual-sided

  • Both server and user validate each other

  • Higher security, requires more processing power

35

Self-Signed Certificates

  • Digital certificate that is signed by the same entity whose identity it certifies

  • Provides encryption but lacks third-party trust

  • Used in testing or closed systems

36

Third-Party Certificates

  • Digital certificate issued and signed by trusted certificate authorities (CAs)

  • Trusted by browsers and systems

  • Preferred for public-facing websites

37

Root of trust 

  • Highest level of trust in certificate validation

  • Trusted third-party providers like Verisign, Google, etc.

  • Forms a certification path for trust

38

Certificate authority

  • Trusted third party that issues digital certificates

  • Certificates contain information and digital signature

  • Validates and manages certificates

39

Registration Authority

  • Requests identifying information from the user and forwards the certificate request up to the CA to create a digital certificate

  • Collects user information for certificates

  • Assists in the certificate issuance process

40

Certificate Signing Request (CSR)

  • A block of encoded text with information about the entity requesting the certificate

  • Includes the public key

  • Submitted to CA for certificate issuance

  • Private key remains secure with the requester

41

Certificate Revocation List (CRL)

  • Maintained by CAs

  • List of all digital certificates that the certificate authority has already revoked

42

Online Certificate Status Protocol (OCSP)

  • Determines certificate revocation status of any digital certificate using the certificate's serial number

  • Faster but less secure than CRL

43

OCSP Stapling

  • Alternative to OCSP

  • Allows the certificate holder to get the OCSP record from the server at regular intervals

  • Includes OCSP record in the SSL/TLS handshake

  • Speeds up the secure tunnel creation

44

Public Key Pinning

  • Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates

  • Presents trusted public keys to browsers

  • Alerts users if a fraudulent certificate is detected

45
46

Key Escrow Agents

  • Securely store copies of private keys

  • Ensures key recovery in case of loss

  • Requires strong access controls

47

Key Recovery Agents

  • Specialized type of software that allows the restoration of a lost or corrupted key to be performed

  • Acts as a backup for certificate authority keys

48

Blockchain

  • Shared immutable ledger for transactions and asset tracking

  • Builds trust and transparency

  • Widely associated with cryptocurrencies like Bitcoin

  • Is essentially a really long series of information with each block containing information in it

  • Each block has the hash for the block before it

49

TPM (Trusted Platform Module)

  • Dedicated microcontroller for hardware-level security

  • Protects digital secrets through integrated cryptographic keys

  • Used in BitLocker drive encryption for Windows devices

  • Adds an extra layer of security against software attacks

50

HSM (Hardware Security Module)

  • Physical device for safeguarding and managing digital keys

  • Ideal for mission-critical scenarios like financial transactions

  • Performs encryption operations in a tamper-proof environment

  • Ensures key security and regulatory compliance

51

Key Management System

  • Manages, stores, distributes, and retires cryptographic keys

  • Centralized mechanism for key lifecycle management

  • Crucial for securing data and preventing unauthorized access

  • Automates key management tasks in complex environments

52

Secure Enclaves

  • Coprocessor integrated into the main processor of some devices

  • Isolated from the main processor for secure data processing and storage

  • Safeguards sensitive data like biometric information

  • Enhances device security by preventing unauthorized access

53

Steganography

  • Conceals a message within another to hide its very existence

  • Involves altering image or data elements to embed hidden information

  • Primary goal is to prevent the suspicion that there's any hidden data at all

  • Used alongside encryption for added security

  • Detection is challenging due to hiding data in plain sight

54

Tokenization

  • Substitutes sensitive data with non-sensitive tokens

  • Original data securely stored elsewhere

  • Tokens have no intrinsic value

  • Reduces exposure of sensitive data during transactions

  • Commonly used for payment systems to comply with security standards

55

Data Masking (Data Obfuscation)

  • Disguises original data to protect sensitive information

  • Maintains data authenticity and usability

  • Used in testing environments, especially for software development

  • Reduces the risk of data breaches in non-production settings

  • Common in industries handling personal data

  • Masks portions of sensitive data for privacy, e.g., credit card digits, social security numbers