CompTIA Sec+ Chapter 7 - Cryptography and the PKI

cryptography

the practice of encoding information in a manner that it cannot be decoded without access to the required decryption key

cipher

a method used to scramble or obfuscate characters to hide their value

ciphering

the process of using a ___to do that type of scrambling to a message

substitution cipher

A method of encryption and decryption in which each letter in the alphabet is replaced by another. (i.e. ROT13, Caesar)

polyalphabetic substitution

In this system, multiple alphabets are used to encrypt a single message. (i.e. vignere)

transposition cipher

the ordering of the letters in each word is changed in some systematic way

enigma machine

An example of a one time pad encryption device used by the Germans

steganography

A technology that makes it possible to embed hidden information in documents, pictures, and music files

symmetric cryptosystem

use a shared secret key available to all users of the cryptosystem

asymmetric cryptosystem

Use individual combinations of public and private keys for each user of the system.

data on the wire

another name for data in transit

Transport Layer Security (TLS)

A protocol for managing the security of message transmissions on the Internet.

full-disk encryption (FDE), partition encryption, fil-level encryption, volume encryption

encrypting data on a disk is done by these four methods

database encryption, record-level encryption

encrypting database data is done by these two methods

obfuscation

the action of making something obscure, unclear, or unintelligible

Full Disk Encryption (FDE)

The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product

partition encryption

Encrypts specific partitions of a hard drive, leaving other partitions unencrypted

file-level encryption

The encryption and decryption process is performed per file, and each file owner has a key

volume encryption

Encrypts a set of selected files or directories

Database Encryption

Applying encryption at the table, field, or record level via a database management system rather than via the file system.

Transparent Data Encryption (TDE)

entire database is encrypted

Column-level Encryption (CLE)

Allows for specific columns within tables to be encrypted.

record-level encryption

Choices can be made about which records to encrypt, which has a significant positive effect on both performance and security.

key space

Represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password.

key length

The size of a key, usually measured in bits or bytes, which a cryptographic algorithm used in ciphering or deciphering protected information.

cryptovariables

another name for cryptographic keys

cipher suites

sets of ciphers and key length supported by a system

stream ciphers

Ciphers that operate on each character or bit of a message (or data stream) one character/bit at a time. (i.e. Caesar)

block ciphers

The cipher takes data in, places that into a bucket or block of data that's a fixed size, then encodes that entire block as one unit (most modern encryption uses this)

Data Encryption Standard (DES)

A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.

128

Modern cryptographic systems use at lest a ___-bit key to protect data

Secret key cryptography/private key cryptography

other names for symmetric key cryptography

public key algorithms

another name for asymmetric cryptographic systems

hash collision

Occurs when the hashing algorithm creates the same hash from different methods

3DES

A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES.

Advanced Encryption Standard (AES)

Rijndael exceeded expectations of this standard: 128-bit keys require 10 rounds of encryption, 192-bit keys require 12 rounds of encryption, 256-bit keys require 14 rounds of encryption

key exchange

Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

offline distro, public key encryption, and the Diffie-Hellman key exchange algorithm

3 main methods to exchange secret keys

Offline Distribution

The most technically simple method of key exchange, it involves the physical exchange of key material.

Public key encryption

pairs a public key for encryption and a private key for decryption. The sender does not need the receiver's private key to encrypt a message, but the receiver's private key is required to decrypt the message

Diffie-Hellman key exchange

A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.

split knowledge

Two people each have half of the knowledge of a key

key escrow

the process of storing a copy of an encryption key in a secure location

key recovery

A process of reconstructing an encryption key from the ciphertext alone, such as when the original key has been corrupted, lost or forgotten. Requires a known way of reverse-engineering the algorithm (i.e., a successful means of conducting a ciphertext-based attack). By definition, a workable key recovery process for an algorithm means that the algorithm is not secure.

RSA public key algorithm

the most famous public key cryptosystem, invented in 1977 by Ronald Rivest, Adi Shamir, and Leonard Adleman

elliptic curve cryptography

An algorithm that uses elliptic curves instead of prime numbers to compute keys.

hash functions

mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity

message digest

A digital signature that uniquely identifies data and has the property such that changing a single bit in the data will cause a completely different message digest to be generated. NISTIR-8011 Vol.3

checksum

another name for message digest

Secure Hash Algorithm

government standard hash functions promoted by NIST and are specified in an official government publication

MD5

Message Digest 5. A hashing function used to provide integrity. uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained.

Hash-based Message Authentication Code (HMAC)

implements a partial digital signature

recipient's public

If you want to encrypt a message, use the _______ _______ key

your private

if you want to decrypt a message sent to you, use ____ ________ key

your private

If you want to digitally sign a message you are sending to someone else, use ____ ________

the sender's public

If you want to verify the signature on a message sent by someone else, use ___ ________ _____ key

Public Key Infrastructure (PKI)

System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

X.509

The most widely accepted format for digital certificates as defined by the International Telecommunication Union (ITU).

wildcard

designated by an asterisk character, making all subdomains valid

certificate authorities

issue digital certificates that validate ownership of encrypted keys used in secured communications and are based on a trust model.

enrollment

proving your identity to the CA in some manner

Certificate Signing Request (CSR)

A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate.

Domain Validation (DV)

proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.

certificate revocation list (CRL)

A repository that lists revoked digital certificates.

Online Certificate Status Protocol (OCSP)

A protocol that performs a real-time lookup of a certificate's status.

Extended Validation (EV)

This type of certificate requires more extensive verification of the legitimacy of the business

certificate stapling

provides clients with a timestamped, digitally signed OCSP response. This is from the CA and appended to the certificate.

certificate pinning

A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

sufficient entropy

sufficient cryptographic algorithms have ____ ______

frequency analysis

A technique that is based on how frequently certain letters/words appear in English versus others.

known plain text

The attacker has both the plaintext and its encrypted version.

chosen plain text

In a this attack, the hacker creates plain text, feeds it into the cipher, and analyzes the resulting ciphertext. The chosen plain text attack occurs when the hacker can choose the information to be encrypted. The idea is to find patterns in the cryptographic output that might uncover a vulnerability or reveal the cryptographic key.

related key attack

Two chosen plaintext attacks run in parallel, but you are using two different but related keys. You would have two streams of text being encrypted into ciphertext by these two keys. Commonly used against wireless network encryption.

birthday attack

An attack that searches for any two digests that are the same.

downgrade attack

A type of attack that forces a system to ___ its security. The attacker then exploits the lesser security control.

salting

Adding random data into a one-way cryptographic hash to help protect against password cracking techniques

key stretching

uses thousands of iterations of salting and hashing to generate encrpytion keys that are resilient against attack

blockchain

A distributed and decentralized ledger that records and verifies transactions and ownership, making it difficult to tamper with or shut down.

homomorphic encryption

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.

quantum computing

A technology that applies the principles of quantum physics and quantum mechanics to computers to direct atoms or nuclei to work together as quantum bits (qubits), which function simultaneously as the computer's processor and memory.