58 Cards in this Set
- Front
- Back
AES |
Called for block cipher Symmetric key sizes 128,192,256 bits |
|
Rijndael |
New AES Block cipher 128,192,256 bits |
|
Blowfish |
Block cipher 64 bit blocks Key length 32-448 Quick on 32bit processors Optimized for few key changes 2 words recombined to form 64 bit output ciphertext No apparent weaknesses in 16 round version |
|
IDEA(International Data Encryption Algorithm) |
Block-mode 64bit block size 128bit key Susceptible to weak key Easy to mitigate weakness, though DO NOT USE IDEA |
|
Symmetric Key |
-Comparatively faster and fewer computational requirements. -Algorithms use key via algorithm to convert ptext to ctext. -Same key needed for encrypt and decrypt. -Main weakness: Have to have matching key even if far away -AES 128bit is min. standard for Symmetric encryption |
|
Asymmetric Encryption Algorithms |
RSA Diffie-Hellman ECC ElGamal |
|
Asymmetric cryptography |
AKA: PUBLIC KEY CRYPTOGRAPHY TWO KEYS Typically uses trapdoor functions (hard math probs) |
|
RSA |
One of first public key systems BOTH ENCRYPTION AND DIGITAL SIGNATURES Alg uses product of 2 very large numbers (100-200 digits) to make: -1 key for encrypt -1 key for decrypt Expl: Sender encrypts with receiver's pub key, decrypts with private key. Withstood 20+ yrs. analysis Can be 100x slower than DES in software Patents running out Being compromised by faster computing |
|
Key Exchange |
Pub key: Slower, can be used to exchange private key, then faster symmetric key protocol used thereafter.
Known as ELEC KEY EXCHANGE
Can be done manually by local RA by gen. keys from closed system. |
|
Diffie-Hellman History |
1970, Stanford grad Whitfield Diffie and Prof. Martin Hellman investigated cryptography and key distribution problem.
Came up with scheme where 2 people could make SHARED SECRET KEY by exchanging public info. |
|
Diffie-Hellman Stats |
Used in elec. key exch. of SSL protocol. Used by: SSH, TLS, IpSec Enables sharing of Secret key (Session Key, Symm. Session Key) btw. 2 people who have not contacted e/o before. D-H is NOT considered encryption. Uses Large prime numbers like RSA Temp. AUTO-GENERATED SECRET KEY, good only for single comms session. |
|
Diffie-Hellman Example |
User 1: X = G^a mod P, X being pub number
User 2: Y = G^b mod P, Y being pub number
EXCHANGE PUB KEYS (User 1 knows P, G, a, X, Y)
User 1: Computes Ka = Y^a mod P
User 2: Computes Kb = X^b mod P
W/ Ka = Kb = K, now both know new shared secret K. Basic algorithm. |
|
El Gamal Asymmetric Algorithm |
US Gov Standard for Digital Signatures ASYMMETRIC ECC is evolved form of El Gamal EG uses discrete logarithm problem Finding log of number within finite field arithmetic system Prime fields: fields w/ prime # of members In prime field: exponentiation easy, LOG COMPUTATION HARD |
|
ECC Elliptic Curve Cryptography |
Elliptic curves 2 points can be added to get 3rd point ECC works like pub key alg USERS AGREE ON A CURVE AND A FIXED CURVE POINT Can be made pub w/o compromising User1 then chooses a secret random number, computes pub key based on a point on curve (P1=k1*f) User2 does same and makes P2 User1->User2 generated using shared secret (k1*p2) User2 can make p2*k1 for same secret |
|
ECC vs DH/DSA/RSA |
Key size for same security (ECC / DH-DSA-RSA):
163 / 1024
283 / 3072
409 / 7680
571 / 15360 |
|
CIA+N |
Confidentiality Integrity Accessibility Nonrepudiation |
|
Confidentiality |
Keep secrets Symmetric encryption favored for storing and transmitting Asymmetric crypt better for protecting small units |
|
Integrity |
Know that message wasn't altered ONE-WAY HASH FUNCTIONS, DIGITAL SIGNATURES Hash value: combined with asymmetric crypt. by taking message's hash and encrypting it w/ user's private key. User's pub key used to decrypt hash and compare w/ locally computed hash |
|
Nonrepudiation |
Can't deny that you sent message PKI based (only YOU know your private key) |
|
Authentication |
Prove identity Token, biometric, password Digital certificate:Kind of token Asymmetric: Better for proving one's ident. |
|
Digital signatures |
Based on HASHING and ASYMMETRIC CRYPTO.
Hashing functions: Used to create digest of a unique message and easily reproducible by both parties. Ensures integrity. |
|
Hashing Functions |
Used in cryptography DEFINITION: Math function that performs ONE WAY encryption. Hash value: Output of hashing algorithm for specific input Output: message digest Hashing algorithms: SHA-256 (present recommended standard by NSA) |
|
Message Digest Example |
MD: Generic of 1/3 algs to create MD or hash from data input into alg. |
|
Key escrow |
System where Private key is kept by BOTH USER AND GOV Key escrow and recovery are 2 issues in use of asymm encrypt. that are often discussed. |
|
Hybrid Model |
Key encapsulation: PK (Asymmetric) Data encapsulation: Symmetric
Slower PK used to exchange Session key or PK of sender, then faster Symmetric used for Bulk Data or Payload.
Decreases transmission overhead, used in practice. |
|
Transport Encryption |
SSH: Clear text for remote connection to computer Can be encrypted Supports: D-H, MD5, SHA-1, 3DES, IDEA, Blowfish, Twofish, CAST-128 |
|
HTTPS |
Clear Text secured w/ SSL |
|
SSL |
Supports D-H (Main for key exchange), DES/3DES for symmetric SHA-1/MD5 for hashing |
|
TLS |
Update of SSL Supports: D-H, RSA, DES, 3DES, AES, MD5, SHA |
|
IPSEC |
VPN protocol, secures all IP traffic b/c below Application layer Network/packet processing layer SHA-1,3DES,AES Secure VPN capability Conf and Auth for: -Data (Transport mode) -Data and header (Tunnel mode) |
|
PGP |
Phil Zimmermann Symmetric and Asymmetric Symmetric for Bulk, Asymmetric for keys Uses RSA or Diffie-Hellman Application |
|
TrueCrypt |
Open source |
|
Kerberos |
Single-sign-on, trusted 3rd party mutual auth service -NEVER transmits passwords over network in clear, uses TICKETS TICKET: Time-limited crypto that proves user's ident to server w/o sending or caching pw's. Single-sign-on: EU only logs in once, creds are then passed btw resources Trusted 3rd party: works through centralized auth server that all systems on network inherently trust. All auth requests are routed through this server Mutual authentication: User and server validated as genuine
|
|
Kerberos goals |
1: Centralized auth into 1 server (Key distrib. servers) 2. Secure means of auth over insecure networks (encrypted tickets) 3. Provides A |
|
PKIX Standard and Protocols |
SSL, TLS, Datagram TLS |
|
TLS |
-Ensures PRIVACY btw/ communicating apps and users on internet -Based on SSL, NOT interoperable
|
|
WTLS |
Wireless TLS -Reliab and sec for wireless comms w/ WAP -Necessary b/c limited memory and processing of WAP-enabled phones
Implementations: Class1: Anonymous auth. -Not for practical use Class2: Server auth -Most common -Clients and server can auth w/ diff. means Class3: Server/Client auth -Client and server WTLS certs authorized -Strongest form of auth and encryption |
|
TLS handshake |
Client: Hello, rand, alg list
Server: Hello, servrand, cert, opt. cert request
Client: client cert (optional)
Client: Pre-Master secret (encrypted)
C/S: GENERATE MASTER SECRET
Client: Change cipher spec (start using encryption)
Server: changes record layer sec. state
Client: finished
Server: finished
C/S: Exchange app data |
|
TLS session |
-Remains active as long as data exchanged -Timeouts -ISAKMP provides method for implementing key exch prot. & policy |
|
ISAKMP |
Support sec. associations at all layers of network stack (transport TCP UDP, or IP directly) |
|
PKIX Protocols |
CMP, XKMS, S/MIME, X.509 standard for pub key Provides IAN of CIA-N |
|
CMP |
Messages and ops to provide cert management w/in PKIX |
|
XML Key Management Spec XKMS |
Manage PKI w/in XML |
|
PKIX Model |
Registration Init Cert Key Pair Gen Key Pair Recov Key Update Cross Cert Revocation Cert and CRL notice and distrib and publications |
|
RA |
Validates ident of someone requesting Certificate Advises CA |
|
CA |
Issues certificate |
|
Certificate Classes |
Class 1: Ident through email -Can use pub/priv key to sign email and encrypt message Class 2: Software signing -Software keys and ident integrity -Allows receiver of software to verify where it came from Class 3: Used to set up own CA -Generate certs internally in own setting |
|
Cert APIs |
Mozilla/UNIX: PKCS #11 Microsoft: Crypto API (CAPI) |
|
Obtain digital cert |
1. Register
2. Random vals
3. Alg makes key pair
4. Pair stored
5. Pub key & other ident sent to CA
6. CA generates digital cert w/ Pub key & ident
7. Cert sent to user |
|
Local Registration Auth (LRA) |
-Usually used w/ own internal PKI w/ distrib sites -Each site needs RA services, so have LRAs -Ident, verif, and registr. funcs -Sends request w/ user's pub key to CA for cert generation |
|
LDAP Lightweight Directory Access Protocol |
Cert repositories use this |
|
Distinguished name |
X.500 Standard -Standard for all unique names in organization -Ex: {Country = US, ORG = Real secure, Org Unit = R&D, Loc = Washington}
|
|
Cert Types |
End-Entity CA Cross-cert Policy |
|
End-Entity |
Issued by CA to specific subject (End-user) |
|
CA |
Can be self-signed in case of stand-alone or root CA, or issued by superior CA w/in hierarchy |
|
Cross-certification |
CAs peer-to-peer trust network One CA issues cert allowing users to trust another CA |
|
Policy Certs |
W/in sophisticated CAs for High-sec, Policy certs used to validate policies/information |
|
Cert extensions |
DigitalSignature Keyencipherment(Encrypt keys) Dataencipherment(Encrypt data, not keys) CRLSign (Verify CA sig on revocation list) KeyCertSign (Verify CA sig on certs) NonRepudiation |