Chapter 8: Cryptography

Question 1

Substitution Ciphers

Answer 1

You change one symbol with another.

• The Caesar Cipher shifted 3 letters to the right in Latin.
• The less cryptotext that’s available, the harder it is to decrypt

Question 2

Multi-Alphabet Substitution Cipher

Answer 2

Maybe shifting differently, say 3 to the right, 2 to the right, 1 to the left, in that order.

• Vigenère Cipher
  
  • You had a table of letters matched up to keywords

Question 3

Transposition Ciphers

Answer 3

Take separate blocks of text and scramble them all differently

Question 4

Rot13

Answer 4

Rotates every letter 13 places in the alphabet

Question 5

The Enigma Machine

Answer 5

A typewriter that used a different substitute or alphabet for each keystroke
-Contained 26 different alphabets and was very hard to break back in the day.

Question 6

Steganography

Answer 6

Hiding a message within an image, audio file, or some other file

• Least significant bit is the most common
  
  • You change the last bit in every byte
• Invisible secrets is a good application for steganography

Question 7

How to encrypt in SUSE

Answer 7

Login as root and start YaST
System->partitioner
Answer yes, select filesystem, click edit
Select encrypt

Question 8

Symmetric encryption algorithm

Answer 8

• Both ends of the message must have the same key and processing algorithms
• Generates a (symmetric, secret, private) key that’s disclosed only to those who need to know
• faster than asymmetric, just as secure with smaller key size
• Problem is, if you need to share the key, how do you do it securely?

Question 9

Block Cipher

Answer 9

Algorithm works on chunks of data

Question 10

Stream Cipher

Answer 10

Algorithm works by bit or by byte

Question 11

in-band vs. out of band Key Exchange

Answer 11

In-band
-Key is included with the data stream (IPSec)
Out of Band
-Another channel shares the key

Question 12

Key Exchange Forward Secrecy

Answer 12

• Ensures that if one key is compromised, subsequent keys will not be
• Perfect forward secrecy is when a key is unbreakable

Question 13

Data Encryption Standard (DES)

Answer 13

-Was the standard used by government from the 70s until it was replaced by AES
-It was based on a 56-bit key
Symmetric Encryption

Question 14

Triple-DES (3DES)

Answer 14

-Uses 3 56-bit DES keys; 168 bits
-Pretty decent, though AES is still generally preferred
Symmetric Encryption

Question 15

Advanced Encryption Standard (AES)

Answer 15

-Uses the Rijndael algorithm, developed by Daemen and Rijma
-128 bit key is standard, 192 and 256 are optional
-256 bit is for DoD TS information
Symmetric Encryption

Question 16

Carlisle Adams and Stafford Tavares (CAST)

Answer 16

-Used by MS and IBM
-Fast, efficient 40-128 bit key
-128 and 256 exist, too
Symmetric Encryption

Question 17

Ron’s Cipher (RC)

Answer 17

-Developed by RSA, it’s very strong. RC4, 5, and 6. 6 is up to 2-48 bit
-RC4 is popular with wireless encryption. Streaming cipher with 40-2048 bits
-used in SSL and TLS
-Used for downloading Bittorrent files, too
Symmetric Encryption

Question 18

Blowfish and Twofish

Answer 18

Blowfish, 64 bit block cipher, very fast
-Symmetric block cipher, 32-448 bit keys
Two fish works on 128-bit blocks. Complex key schedule
Symmetric Encryption

Question 19

international Data Encryption Algorithm (IDEA)

Answer 19

-Developed by the Swiss. 128-bit key
-Used by PGP
Symmetric Encryption

Question 20

One-Time Pads

Answer 20

The key’s as long as a plaintext message

-The key can only be used once, then it’s discarded

Question 21

Rivest, Shamir, Adleman (RSA)

Answer 21

Pretty much the standard for Asymmetric encryption, as old as it is

Question 22

Diffie-Hellman

Answer 22

Founders of public/private keys
-Only used for the creation of a symmetric key between two parties
Asymmetric Encryption
<b>If you’re asked about insecure key exchange, it’s this or IPSec</b>

Question 23

Elliptic Curve Cryptography (ECC)

Answer 23

-Smaller keys than RSA, same level of security
-This may start replacing RSA as the de facto standard
Asymmetric Encryption

Question 24

ElGamal

Answer 24

Uses an ephemeral key, one that lasts only for one session

Question 25

Kerchoff's Principle

Answer 25

The security depends on the secrecy of the key, no the algorithm

Question 26

Hashing Algorithms

Answer 26

- Cannot be reversible - No matter how many characters you input, the hash size is the same - Few/no collisions

Question 27

Secure Hashing Algorithm (SHA)

Answer 27

- 160-bit, used with encryption protocols - SHA-2: 224, 256, 334, 512 bit - SHA-3 is out, but SHA-2 is pretty much flawless, so...

Question 28

Message Digest Algorithm (MD)

Answer 28

Used to maintain integrity - MD5, 4, 2. MD4 was used by NTLM - MD5 produces a 128-bit hash, but it's very secure. Doesn't have strong collision resistance, so don't use it

Question 29

RIPEMD (160, 256, 320)

Answer 29

Based on MD4

Question 30

GOST

Answer 30

Old soviet symmetric cipher modded to work as a 256-bit hash

Question 31

LANMAN

Answer 31

Pre-NT was a protocol used for authentication. It used LM Hash and two DES keys on the side

Question 32

NTLM

Answer 32

Replaced LANMAN | -Still pretty common despite MS wanting to employ Kerberos

Question 33

Rainbow Tables and Salt

Answer 33

A rainbow table is when you put in a password, get all of its possible hashes, find the hash of a stored password, and connect the two. -Salt is when the OS adds bits to combat this

Question 34

Key Stretching

Answer 34

Strengthening a weak key, usually by making it longer - PBKDF2 - Applies some function (hash or HMAC) plus Salt to get a good password - Bcrypt - Used with passwords, blowfish for hashing plus Salt

Question 35

Frequency Analysis

Answer 35

Analyze blocks for common patterns. Does not work on modern algorithms

Question 36

Chosen Plaintext

Answer 36

Comparing cypher text to plaintext to crack the algorithm. Once you do, that key is now yours.

Question 37

Related Key Attack

Answer 37

Like a chosen plaintext attack, but you obtain cipher text encrypted under two different keys.

Question 38

Brute Force

Answer 38

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

Question 39

Message Authentication Code (MAC)

Answer 39

Gives you a value to check with the message | -HMAC hashes

Question 40

Digital Signatures

Answer 40

Validates the integrity of message and sender | -The private key could be an example

Question 41

Nonrepudiation

Answer 41

- Determining that someone is telling the truth | - Certificate authorities certify people with public keys legitimately

Question 42

Key Escrow

Answer 42

Keys are kept safe in case a 3rd party (generally the government or your employer) needs it

Question 43

Key Recovery Agent

Answer 43

Used to access information encrypted with older keys

Question 44

Key Registration

Answer 44

Providing Certificates. The RA hands these over to the CA

Question 45

Certificate Revocation List (CRL)

Answer 45

If your term expires, you're added to the CRL and your certificate is no longer valid, usually after an hour or a day or something, but if OCSP is in action, then it'll be pretty immediately

Question 46

National Security Agency (NSA)

Answer 46

Creates code, breaks code, and codes for the government - Thought to be the world's largest employer of mathematicians - All missions are extremely highly classified - Enemies of EFF, Tor Project, Freenet, and I2P

Question 47

NSA/CSS

Answer 47

Helps coordinate DoD branch activities

Question 48

National Instutute of Standards and Technology (NIST)

Answer 48

involved in many standards, but it is primarily concerned with government systems

Question 49

Request For Comments (RFC)

Answer 49

This is how you propose a new standard

Question 50

American Bankers Association (ABA)

Answer 50

Concerned with the world of financial security

Question 51

Internet Engineering Task Force (IETF)

Answer 51

Improving the internet and computer security

Question 52

Internet Society (ISOC)

Answer 52

Experts who oversee committees such as the IETF

Question 53

World Wide Web Consortium (W3C)

Answer 53

Standardization of the WWW. Primary sponsor of XML

Question 54

International Telecommunications Union (ITU)

Answer 54

Responsible for pretty much all telecommunications and radio communication standards on Earth - ITU-R: Radio - ITU-T: Telecommunications - ITU-D: Expanding telecommunications in developing nations - Headquartered in Switzerland and sponsored by the UN

Question 55

Institute of Electrical and Electronics Engineers (IEEE)

Answer 55

PKC, wireless, networking protocol standards

Question 56

Public-Key Infrastructure X.509 (PKIX)/PK Cryptography Standards (PKCS)

Answer 56

PKIX formed by IETF to develop PKI standards | PKCS, voluntary standards created by a ton of organizations and coordinated through the RSA

Question 57

X.509

Answer 57

Certificate formats for public keys and how we should distribute said keys - end-entity certificate - most common, issued by CA to a system that uses, not issues, certificates

Question 58

CA Certificate

Answer 58

A certificate that's issued by one CA to another

Question 59

What do all X.509 certificates have?

Answer 59

- Signature - Version - Serial number - Signature algorithm ID - Issuer name - Validity Period - Subject name - Subject public-key info - Issuer unique ID - Subject unizue ID - Extensions

Question 60

SSL

Answer 60

Establishes a secure connection between two TCP machines - Steps in handshake are between 4 and 9 - Establishes connection with asymmetric encryption, maintains with symmetric - You need an "up-to-date browser" that supports 128 bit encrypted sessions

Question 61

TLS

Answer 61

Expands on SSL, and will likely replace it. Should have replaced it long ago.

Question 62

Certificate Management Protocols (CMP)

Answer 62

- CMP is used for messaging between PKI entities - XML Key Management Specification (XKMS - Allow XML programs to access PKI services. Built on CMP

Question 63

Secure Multipurpose Internet Mail Extensions (S/MIME)

Answer 63

Standard for email encryption. Originally published by RSA | -MIME is email standard. Asymmetric encryption, digital certificates

Question 64

Secure Electronic Transaction (SET)

Answer 64

- Developed by visa and Mastercard for secure credit card transactions - Identification through an electric wallet

Question 65

Secure Shell (SSH)

Answer 65

Tunneling protocol originally used on Unix systems, but works on Windows now -similar handshake to SSL

Question 66

Pretty Good Privacy (PGP)

Answer 66

- Freeware email encryption. Introduced in the early 90s - Uses symmetric and asymmetric systems, which is why it's so good - GPG (GNU Privacy Guard) is an alternative - Session key is encrypted in a public key

Question 67

HTTP over SSL (HTTPS)

Answer 67

Secures the channel between client and server | -It's common for secure transactions

Question 68

Secure HTTP (S-HTTP)

Answer 68

Secure message, not secure channel | -Uses an RSA or digital certificate

Question 69

IPSec

Answer 69

Built into IPv6, becoming standard for VPN -Highly secure Open UDP Port 500 in firewall Two primary protocols -Authentication Header (AH) protocol 51 -Encapsulating Security Payload (ESP) protocol 50

Question 70

PPTP (Point to Point Tunneling Protocol)

Answer 70

Encapsulation from one point to one point - Encapsulates and encrypts PPP packets - The negotiation is in the clear, then the channel is encrypted - A sniffer can get information like this relatively easily

Question 71

L2F

Answer 71

Developed by Cisco for Dial-up tunneling | -Similar to PPP. Provides authentication, no encryption. Port 1701. TCP

Question 72

L2TP

Answer 72

Hybrid of PPTP and L2F. Primarily point-to-point - Can be sued as a bridge across many types of systems - Not encrypted. uses UDP port 1701

Question 73

Federal Information Processing Standard (FIPS)

Answer 73

Issued by NIST, establishes guidelines for US federal Information Systems

Question 74

Public Key Infrastructure (PKI)

Answer 74

``` Meant to offer security to messages and transactions on a grand scale Two key, asymmetric system with: -Certificate Authority (CA) -Registration Authority (RA) -RSA, for encryption -Digital Certificates Public/Private key system ```

Question 75

Certificate Authority (CA)

Answer 75

A CA is an organization who does shit with certificates - A certificate associates a person with a public key - To get a certificate, you send a CSR

Question 76

Registration Authority (RA)

Answer 76

It will act as the middleman and offload work for the CA - It can distribute keys, accept CSR, and validate identities - It cannot, however, issue certificates - A Local RA (LRA) can identify individuals on behalf of the CA

Question 77

Certificate Policies

Answer 77

- These define what certificates do - A CA will have policies to give out different kinds of certifications for different applications - This also helps because the consumer will be able to verify that it's the right kind of certificate

Question 78

Certificate Practice Statements (CPS)

Answer 78

This provides the users with information on the CS's policies, rules, and standards of practice. you should not trust a company without a CPS.

Question 79

What are the Four Main PKI Trust Models?

Answer 79

Hierarchal Bridge Mesh Hybrid

Question 80

Hierarchal Trust Models

Answer 80

- A tree model - Allows tight control, probably the best model - Intermediate CAs only trust root and each other. Roots can trust roots and intermediate and leaves can trust each other

Question 81

Bridge Trust Models

Answer 81

- intermediates only trust those above and below them - Roots trust each other - Adds flexibility and interoperability, but there's a lack of trustworthiness. - good for geographically dispersed or partnered companies - All of the roots must maintain high security standards

Question 82

Mesh Trust Models

Answer 82

Expanded bridge, good for when companies need CAs to certify each other