What does PKI stand for and what does it do?
PKI stands for Public Key Infrastructure and commonly refers to the policies and procedures for creating, managing, storing and revoking digital certificates. It can also refer to the binding of public keys to people or devices.
What is the difference between symmetric encryption and asymmetric encryption?
Symmetric: This kind of encryption uses a single shared key, so you encrypt and decrypt the data using the same key.
Asymmetric: This kind of encryption uses 2 or more keys that are mathematically related. One key gets assigned as the private key and the other as the public key. The private key is the only key that can decrypt data encrypted with the public key.
Why does key length matter in encryption?
Key length is important because the longer the key, the better the chance that the data stays encrypted. A short encryption key will not be hard for an attacker to crack.
What is key stretching?
Key stretching is a technique used when a key is weak and short. The key is hashed, then hashed again and again, making it even harder for an attacker to crack.
What does TPM stand for and what does this do?
TPM stands for Trusted Platform Module and is standardized hardware to provide cryptographic functions.
What is an HSM and what does this do?
HSM stands for Hardware Security Module and is used in large environments where multiple servers need their keys stored securely. It is also designed for securing data at a system level.
What is Obfuscation?
This is a way to make information that was hard to read even harder to read or understand. However, if you know how to read it, then you can decipher it.
What are the 3 ways to hide data using obfuscation, and what is the difference between each one?
The 3 ways to hide data are Steganography, Tokenization and Data Masking.
Steganography: This is used to hide data in an image. However, there are other forms of this where you can hide data in a video or audio.
Tokenization: This is taking sensitive data and turning it into random data. This is most common in credit card processing, where a temporary token is used during the payment to protect the actual credit card number.
Data Masking: This is hiding some of the original data and only showing a portion of the data. An example is the last 4 of a social security number, or of a credit card, with the rest showing “x”.
What is salting?
This is the process of adding random data to a password when hashing.
What is a blockchain?
This is a decentralized digital ledger that securely stores records across a network of computers in a way that is transparent and resistant to tampering. Each “block” contains data, and the blocks form a chronological chain. Each block relies on the hash of the previous block. If any data is altered in a previous block, the hashes of those blocks will change, which will cause the computers to know that the data has been altered, and they will not record any more past that point.
What is the standard format for digital certificates?
X.509
What is a CSR?
CSR stands for Certificate Signing Request, and this is a request for your public key to be signed and validated by a CA. After they sign it, they then sign your digital certificate with their private key and send it back to you.
What is a self-signed digital certificate?
This kind of certificate is installed on every computer in your company that will need access to an internal application. You personally sign the digital certificate using your internal CA so that every PC knows that the application it wants to connect to is validated.
What is a SAN in terms of digital certificates?
This stands for Subject Alternative Name and is used as an extension to an X.509 certificate that allows a certificate to support different domains. This is also based on the name of the server as well. An example would be *.countyapps.azurewebsites.net as the domain. The subdomains that could use the same certificate could be adair.countyapps.azurewebsites.net, ballard.countyapps.azurewebsites.net and so on.
What is a CRL?
A CRL stands for Certificate Revocation List. This list is maintained by the CA and gives a list of certificates that are no longer valid and trusted.
What is OCSP Stapling?
OCSP (Online Certificate Status Protocol) stapling is where the browser can check for certificate revocation and the CA is responsible for responding to all clients' OCSP requests. The status is “stapled” into the SSL/TLS handshake.