Module 4 - Advanced Cryptography and PKI

block cipher mode of operation

a process that specifies how block ciphers should handle plaintext

Electronic Code Book (ECB)

a process in which plaintext is divided into blocks and each block is then encrypted separately, not suitable for use, less secure

Cipher Block Chaining (CBC)

a process in which each block of plaintext is XORed with the previous block of ciphertext before being encrypted, more secure

Counter (CTR)

a process in which both the message sender and receiver access a counter, which computes a new value each time a ciphertext block is exchanged

Galois/Counter (GCM)

a process that both encrypts and computes a message authentication code (MAC)

crypto service provider

a service used by an application to implement cryptography

salt

a value that can be used to ensure that plaintext, when hashed, will not consistently result in the same digest

nonce

a value that must be unique within some specified scope

initialization vector (IV)

a nonce that is selected in a non-predictable way

digital certificate

a technology used to associate a user's identity to a public key and that has been digitally signed by a trusted third party, X509 certificate

Certificate Signing Request (CSR)

a user request for a digital certificate

intermediate certificate authority

an entity that processes the CSR and verifies the authenticity of the user on behalf of a CA

certificate authority (CA)

the entity that is responsible for digital certificates

offline CA

a certificate authority that is not directly connected to a network

online CA

a certificate authority that is directly connected to a network

Certificate Revocation List (CRL)

a list of certificate serial numbers that have been revoked

Online Certificate Status Protocol (OCSP)

a process that performs a real-time lookup of a certificate's status

stapling

a process for verifying the status of a certificate by sending queries at regular intervals to receive a signed time-stamped response, uses OCSP

certificate chaining

linking several certificates together to establish trust between all the certificates involved

user digital certificate

the end-point of the certificate chain

root digital certificate

a certificate that is created and verified by a CA, trust anchor

self-signed

a signed digital certificate that does not depend upon any higher level authority for authentication, most cost-effective

pinning

hard-coding a digital certificate within a program that is using the certificate, prevents SSL man-in-the-middle attacks

session keys

symmetric keys used to encrypt and decrypt information exchanged during the session and to verify its integrity

domain validation digital certificate

certificate that verifies the identity of the entity that has control over the domain name

Extended Validation (EV) certificate

certificate that requires more extensive verification of the legitimacy of the business

wildcard digital certificate

certificate used to validate a main domain along with all subdomains

Subject Alternative Name (SAN)

certificate primarily used for Microsoft Exchange servers or unified communications

machine digital certificate

certificate used to verify the identity of a device in a network transaction

code signing digital certificate

certificate used by software developers to digitally sign a program

email digital certificate

a certificate that allows a user to digitally sign and encrypt mail messages

CER/DER (Canonical/Distinguished Encoding Rules)

X.509 encoding formats

Privacy Enhancement Mail (PEM)

an X.509 file format that uses DER encoding and can have multiple certificates

Personal Information Exchange (PFX)

an X.509 file format that is the preferred file format for creating certificates to authenticate applications or websites

PKCS#12

an X.509 file format that is one of a numbered set of 15 standards defined by RSA Corporation

Public key infrastructure (PKI)

the underlying infrastructure for the management of public keys used in digital certificates

object identifier (OID)

a designator made up of a series of numbers separated with a dot which names an object or entity

key escrow

a process in which keys are managed by a third party, such as a trusted CA

Secure Sockets Layer (SSL)

an early and widespread cryptographic transport algorithm; now considered obsolete

Transport Layer Security (TLS)

a widespread cryptographic transport algorithm, current versions v1.1 and v1.2 are considered secure

Secure Shell (SSH)

an encrypted alternative to the Telnet protocol that is used to access remote computers

Hypertext Transport Protocol Secure (HTTPS)

HTTP sent over SSL or TLS, uses port 443

Secure/Multipurpose Internet Mail Extensions (S/MIME)

a protocol for securing email messages

Secure Real-time Transport Protocol (SRTP)

a protocol for providing protection for Voice over IP (VoIP) communications

Internet Protocol Security (IPsec)

a protocol suite for securing Internet Protocol (IP) communications

Authentication Header (AH)

an IPsec protocol that authenticates that packets received were sent from the source

Encapsulating Security Payload (ESP)

an IPsec protocol that encrypts packets

transport mode

an IPsec mode that encrypts only the data portion (pay-load) of each packet yet leaves the header unencrypted

tunnel mode

an IPsec mode that encrypts both the header and the data portion

X509 certificates

a standard defining the format of public-key certificates

Registration Authority (RA)

validates and accepts the incoming requests for certificates from users on the network and notifies the CA to issue the certificates

Data Recovery Agent (DRA)

can recover the data if a user's private key is corrupted, retrieves from key escrow

superposition

bits can be switched on or off at the same time or somewhere in between

Pseudo-Random Number Generator (PRNG)

an algorithm that uses mathematical formulas to produce sequences of random numbers

P12

private certificate, file extension .pfx

P7B

public certificate, file extension .cer

Base 64 format

PEM certificate, file extension .pem

Extension for PEM

DER certificate, file extension .der