5. SSCP (Cryptography)
SSCP (Cryptography)
51
Computer Networking
Intermediate
05/03/2017

Cards

Term

Cryptography

Definition

Cryptography

Term

Understand and apply fundamental concepts of Cryptography

Definition
[image]
Term
Hashing
Definition
[image]
Term
Hashing Algorithms
Definition

MD5 - Message Digest algorithm

128 bit hash - commonly used but not for government applications

SHA-1 Secure Hash Algorithm

160 bit hash - commonly used, however considered insecure against well-trained attackers

SHA-2 Supports multiple bit lengths

Bit lengths 224, 256, 384, 512 - current, but is believed to have vulnerabilities

SHA-3 The new kid

Standard released by NIST in 2015

Term
Hashing Algorithms example
Definition
[image]
Term
Salting
Definition
[image]
Term

Symmetric /Asymmetric Encryption

Definition

Encryption algorithms are not secret!

Keys used with the encryption create a unique cipher

Symmetric encryption

Uses one key to encrypt and decrypt

Keys need to be changed often

Asymmetric encryption

Uses a key pair (two keys) to encrypt and decrypt

Example: public/private keys

Term
Symmetric algorithm: ROT13
Definition
[image]
Term
Symmetric algorithm: ROT13
Definition
[image]
Term

Block and Stream Encryption

Definition

Symmetric encryption uses two types of ciphers: block and stream

Depending on data and purpose

Block - encrypts blocks of fixed-length data

Advanced Encryption Standard (AES)

AES 128, 192, 256 bit lengths

Problems?

Key usage - same key produces same result

Keys need to be changed

Term
Electronic Codebook Mode (ECB)
Definition
[image]
Term

Cipher Block Chaining Mode (CBC)

IV = Initialisation Vector

XOR = Truth

Definition
[image]
Term
Stream Encryption
Definition

Stream encrypts bit by bit - small blocks

Examples: video and audio

Cipher feedback mode (CFB)

Output feedback mode (OFB)

Counter (CTR)

Term
Other Algorithms
Definition

AES

DES - 56-bit block cipher - rarely used

3DES - Same as DES but performs three passes with different keys

Blowfish - designed to replace DES

Overshadowed by AES

IDEA - 128 bit - designed to replace DES

Used with PGP (Pretty Good Privacy)

RC4 - Rivest's cipher

Term

Asymmetric Encryption

Definition

Asymmetric Cryptography - also known as public key cryptography

Uses key pairs - public and private

Private key is never shared - must be kept secret

Public key is freely shared

Anything encrypted with the public key can be decrypted with the matching private key

Anything encrypted with the private key can be decrypted with the public key

Term
Key Pair Encryption
Definition
[image]
Term
Proof of Origin
Definition
[image]
Term
Adding Confidentiality
Definition
[image]
Term
Asymmetric Encryption
Definition

Asymmetric encryption is slower than symmetric

High processor overhead

Not good for large amounts of data

Often used to initiate a session to exchange a symmetric key

Then sender and receiver switch to symmetric

Rivest, Shamir, Adleman (RSA)

Asymmetric standard

Created in 1978

Uses large prime numbers (1024, 2048 bits) to create public and private keys

Prime numbers are multiplied to get a composite number

Not enough time to discover the original prime numbers

Term
Certificates
Definition
[image]
Term

Non-key-based Asymmetric Encryption

Definition

Key distribution is a challenge

Sender and receiver may have no access to a PKI solution

Diffie-Hellman

Sender and receiver negotiate a shared key

Each has public and private integers

Public integers are used and calculated over several passes to derive shared secret key

ElGamal

Based on Diffie-Hellman

Designed to create a complete public key infrastructure (cryptosystem)

Available publicly - not patented

Disadvantage: Doubles the length of the message making large transfers difficult

Term
Other
Definition

Elliptic Curve

Goal: Reduce the overhead of calculation using large prime numbers

Based on logarithm math to determine a point on an elliptic curve

Very complicated but leads to other wave encryption (light) - quantum cryptography

Hybrid Encryption

Combines both asymmetric and symmetric

The basis of SSL/TLS

Message Authentication Code (MAC)

Hashing method for authentication and integrity

Small part of data is encrypted with a shared secret key

Authentication is verified because the sender is the only one with the shared key

Keyed-hash message authentication code (HMAC)

Similar to MAC

Shared secret is appended to message before hashing

Term
Steganography
Definition
[image]
Term
Digital Signatures
Definition

Commonly used with email - S/MIME

Asymmetric encryption

Provides Integrity

Message is hashed

Provides proof of Origin

The hash is encrypted with the sender's private key

The receiver decrypts with the sender's public key

No confidentiality by default

Original message is not encrypted

Term
Non-repudiation
Definition

A person cannot reasonably deny that they are responsible for the action or message

Logging, auditing, digital signatures

Asymmetric - user uses private key

Requires proper authentication

User must authenticate to the system to gain access to the private key

Symmetric - users use a shared secret

If more than two users have the shared secret, then non-repudiation is more difficult

Term
Data Sensitivity
Definition

Data classification - private or not

Determine level of sensitivity

Level of integrity and confidentiality

Strength of cryptography should match sensitivity level

Don't forget this applies to risk management and availability

Term

Regulatory Requirements

Definition
[image]
Term
Organization Policies and compliance
Definition
[image]
Term
Safe Harbour
Definition

Broad legal definition and application

Protects an organisation from constant regulation changes if they follow a set of conditions

Organisations may be impacted by local city, state and county regulations and changes

Offers protection from penalties and prosecution

Term

End-User Training

Definition

Increases organizational security success

Increases overall security posture

Gives the employees the ability to participate

Educates on organizational expectations and regulations

Educates on vulnerabilities and threats

Improves the safety and welfare of humanity

Term
Behaviours
Definition
[image]
Term
Personally Identifiable Information (PII)
Definition
[image]
Term
Social Networking
Definition

Do not post sensitive company information

Be careful with your own information

Malware, cross-site scripting, phishing and other attacks are common

Remember, shortened URLs can go anywhere!

Term
Peer to Peer
Definition

File sharing directly between computers often for music and videos

Often banned in many organisations

Files often contain malware

A conduit for data leakage

Pirated software is illegal in the office and at home

Term

Understand and Support Secured Protocols

Definition

Internet Protocol Security (IPSec)

Provides encryption and authentication of Internet Protocol (IP)

Used within an organization to protect confidential information transmission both locally and over an extranet

IPSec provides two modes:

Transport Mode

Tunnel mode

Term

IPSec Modes

IPSec places a high load on performance.

Definition
[image]
Term
SSL/TLS
Definition

Secure Socket Layer (SSL)

Transport Layer Security (TLS)

Often labeled SSL/TLS - but they are different

Both begin with asymmetric encryption with certificates - then switch to symmetric and a shared key

SSL considered vulnerable to POODLE

Padding Oracle On Downgraded Legacy Encryption

Fallback to less secure (Legacy) systems

Term
TLS
Definition

Eventually to replace SSL

Used in many applications today

Client and server negotiate a cipher suite

Official cipher suite registry by IANA

Term
Cipher Suite Registry
Definition
[image]
Term
S/MIME
Definition

Secure Multipurpose Internet Mail Extensions

Used in many e-mail applications today

Standard for public key encryption and signing of MIME data - e-mail

Provides authentication, non-repudiation, integrity and message encryption

Term

Operate and Implement Cryptographic systems

Fundamental Key Management Concepts

Definition

Key generation/creation

Modern systems create integers for both symmetric and asymmetric keys

Keys can be automatically created by a computer's random number generator

Often seeded to increase randomness

Keys can be manually created, such as a shared secret

Key distribution

Best to use modern cryptosystems

Can be distributed in-band - over existing communication infrastructure

Can be out-of-band - such as a handwritten note

Distributed keys need to be managed

Key Management

Lifetime of the key

Creation, revocation, renewal, deletion

Term
Cryptographic Attacks
Definition

Process of deciphering codes through analysis

To compromise confidentiality and integrity of data

Performed by hackers and researchers alike

Both are trying to find/confirm vulnerabilities

Hackers to exploit - researchers to improve

Term

Cryptographic Attacks

Attack types

Definition

Brute force

Dictionary

Rainbow

Known plaintext

Chosen plaintext

Ciphertext

There is more to this list!

Term

Administration and Validation

Definition

Need to have cryptosystem to help

Key generation/creation

Keys should be created to meet the level of protection required

Shorter key lengths reduce the lifespan of the key

Algorithms that reuse keys should use different keys for each cycle or an initialization vector (IV)

Keys should have secured distribution

Keys should be able to be renewed and revoked

Keys storage and recovery

Term
Keys storage and recovery
Definition

Key escrow - process to hold encryption/decryption keys in a secured environment

In case needed - such as lost by user

In case organization needs to gain access

Can be stored in a software or hardware solution

Key recovery performed by a key recovery agent (escrow agent)

One or more trusted people in the organisation

Often working in tandem

May require multifactor authentication

Term
Public Key Infrastructure (PKI)
Definition
[image]
Term
Infrastructure
Definition
[image]
Term
Trusted Authority
Definition
[image]
Term
Trusted Authority (Certificates)
Definition
[image]
Term
Revocation
Definition

Certificates have validity dates after which they can no longer be trusted - however, sometimes they need to be revoked sooner

CA maintains a list of revoked certificates in a Certificate Revocation List (CRL)

Clients can request the CRL to check certificate validity

Administrators of PKI can revoke and renew certificates as needed

Term
Web of Trust
Definition

PKI is a centralized trust model - web of trust is decentralized

Created by PGP (Pretty Good Privacy) creator Phil Zimmermann in 1992

Uses the public/private key concept

Users do not need to have a root CA trusted authority - they can sign the certificate themselves as trusted.
