Cryptography Algorithms

Questions and Answers

What is the purpose of the ISAKMP protocol?

To encrypt and decrypt data

To establish a secure tunnel

To manage keys, security associations, and security parameters index (correct)

To hash and sign messages

How does SSH set up a secure connection?

By using a digital envelope

By transmitting credentials in clear text

By setting up a secure tunnel (correct)

By using Diffie-Hellman key exchange

What is the primary function of S/MIME?

To manage keys and security associations

To create a digital envelope for secure email (correct)

To encrypt and decrypt data

To establish a secure tunnel

What is the purpose of a digital envelope in S/MIME?

To protect the confidentiality of email

What is the primary feature of PGP?

Uses a web of trust for key authentication

What is the purpose of whole drive encryption?

To protect data at rest

What is a type of attack on cryptography?

Ciphertext-only attack

What is the purpose of a key ring in PGP?

To store learned keys

What is a potential security risk associated with shared tenancy?

Poor visitor security practices

What is the demarcation point?

The point where the ISP's responsibility ends and the customer's begins

Why is it important to know where data is located?

To prevent data loss due to theft or disaster

What is a recommended approach for very secure sites?

Constructing multiple segregated demarcs

What is a potential risk associated with adjacent buildings?

Attackers can enter through a shared wall

What is the purpose of asset tracking?

To track serial numbers and model numbers

What is the last line of defense in a defense-in-depth strategy?

Physical system defenses

What is a potential security risk associated with wireless security?

Adjacent buildings posing a security risk

What is the main advantage of ECC over other asymmetric algorithms?

It is more efficient and suitable for environments with limited processing power

What is the main disadvantage of symmetric algorithms?

They are not scalable

What is the basis of the RSA algorithm?

The idea that there is no efficient way to factor the product of large prime numbers

What is the main advantage of asymmetric algorithms over symmetric algorithms?

They provide non-repudiation and do not require exchange of secret information

What does the Diffie-Hellman algorithm provide?

Secure key-agreement without pre-shared secrets

What is the function of the client in the hybrid cryptography process of SSL/TLS?

The client initiates a secure connection and generates a symmetric session key

What is the main difference between symmetric and asymmetric algorithms?

Symmetric algorithms are faster and asymmetric algorithms are slower

What is the concept referred to in the RSA algorithm?

Trap-door function

What is the primary concern of the physical security domain in the CISSP exam?

Human safety

What type of attack involves an attacker capturing ciphertext and also knowing what a portion of the message is in plaintext?

Known Plain Text

What is the primary goal of perimeter defenses in physical security?

To prevent, detect, and correct unauthorized physical access

What type of attack involves an attacker trying to learn what each key does individually in an algorithm like 3DES?

Meet in the Middle

What is the term used to describe an attacker who can see whatever they want in plain or ciphertext and has compromised a workstation?

Lunchtime attack

What is the main objective of an attacker in a Chosen Plaintext attack?

To see the full text encrypted and decrypted

What is the recommended humidity level for a data center?

40-55%

What is the primary benefit of using a higher temperature set point in a data center?

Increased energy efficiency

What is the purpose of proper grounding in a data center?

To mitigate static discharge

What is the result of high humidity levels in a data center?

Increased risk of corrosion

What is the purpose of antistatic sprays and wrist straps in a data center?

To mitigate static discharge

What is the common problem that can cause overheating and static buildup in a data center?

Airborne dust particles

What is the consequence of CPU fan impeded by dust buildup?

CPU failure due to overheating

What is the recommended temperature range for a data center according to the 2008 ASHRAE recommendations?

64.4 °F (18 °C) to 80.6 °F (27 °C)

Study Notes

Symmetric Algorithms

• DES, 3DES, AES, RC-4, RC-5, Two Fish, Blowfish, IDEA, CAST, MARS, Skipjack are examples of symmetric algorithms
• These algorithms are fast, but not scalable and do not provide integrity, authenticity, or non-repudiation

Asymmetric Algorithms

• RSA, DSA, ECC (Elliptical Curve Cryptography), El Gamal, Diffie Hellman, Knapsack are examples of asymmetric algorithms
• These algorithms are slow, but scalable and provide integrity, authenticity, and non-repudiation

RSA

• Named after Rivest, Shamir, and Adleman
• Currently the standard for digital signatures
• Uses the idea that there is no efficient way to factor the product of large prime numbers
• The math used for RSA is sometimes referred to as a trap-door function

Diffie-Hellman

• The first asymmetric algorithm
• Enables secure key-agreement without pre-shared secrets
• Based on discrete logarithms in a finite field

ECC (Elliptical Curve Cryptography)

• Based on plotting points upon a curve
• Very efficient, but only designed to work within certain environments
• Frequently used for handheld devices due to their limited processing capability

Hybrid Cryptography in SSL/TLS

• Client initiates a secure connection
• Server responds by sending its public key to the client
• The client then generates a symmetric session key
• Oakley uses Diffie Hellman to agree upon a key
• ISAKMP (Internet Security Association and Key Management Protocol) manages keys, security associations (SAs), and security parameters index (SPI)

SSH (Secure Shell)

• A secure alternative to unsecure remote administrative protocols
• Telnet, FTP, R-utilitites (Rlogin, etc.) transmit credentials in clear text
• SSH sets up a secure tunnel

Security Associations and SPIs

• Manage keys, security associations (SAs), and security parameters index (SPI)

S/MIME (Secure Multipart Internet Mail Exchange)

• A standard for secure email by creating a digital envelope
• Sender functions: calculate hash value on message, encrypt message with session key, encrypt hash value with private key, encrypt session key with receiver’s public key
• Receiver functions: decrypt session key with private key, decrypt hash value with sender’s public key, decrypt message, calculate hash value and compare with one sent

PGP (Pretty Good Privacy)

• A proprietary mail standard from Phil Zimmerman
• Free, but proprietary software must be installed
• Uses Web of Trust
• Passphrases instead of passwords
• Learned keys are stored in a file called the key ring

Protecting Confidentiality of Data at Rest

• Data stored on local drives must be protected
• Log off of workstations not in use
• Use encryption within the operating system (ex: EFS in Windows environment)
• Whole Drive Encryption: Protect Hard Drive in the event the disk is stolen
• TPM (Trusted Platform Module)
• USB
• Directory Services

Attacks on Cryptography

• Ciphertext Only: Attacker has captured encrypted text on the network
• Known Plain Text: Attacker has captured cipher text, but also knows what a portion of the message is in plain text
• Chosen Plaintext: Attacker can see the full text encrypted and decrypted
• Chosen Ciphertext: Attacker can see whatever they want in plain or ciphertext
• Meet in the Middle (Not to be confused with Man in the Middle): An attacker tries to learn what each key does individually

Physical Security

• Physical assets: people, buildings, systems, and data
• CISSP exam considers human safety as the most critical concern of this domain - trumps all other concerns
• Physical security protects against threats such as unauthorized access and disasters, both man-made and natural

Perimeter Defenses

• Help prevent, detect, and correct unauthorized physical access
• Should employ defense-in-depth
• Defenses: Fences, doors, walls, locks, etc.

Site Selection, Design, and Configuration

• Shared Tenancy and Adjacent Buildings: Other tenants in a building can pose security issues
• Attackers can enter a less secure adjacent building and use that as a base to attack an adjacent building, often breaking in through a shared wall
• Many bank heists have been pulled off this way; including the theft of over $20 million dollars from British Bank of the Middle East in 1976
• Site selection, design, and configuration should consider shared tenancy and adjacent buildings

Physical System Defenses

• One of the last lines of defense in a defense-in-depth strategy
• Assume an attacker has physical access to a device or media containing sensitive information
• Asset Tracking: You cannot protect your data unless you know where (and what) it is

Heat and Humidity

• Humidity levels of 40-55% are recommended
• A commonly recommended “set point” temperature range for a data center is 68-77 °F (20-25 °C)
• With sufficient data center airflow, higher temperatures can be used
• Can result in energy savings; however, the data center may heat to dangerous levels more quickly in the event of HVAC failure

Static and Corrosion

• Sudden static discharge can cause damage from system reboots to chip or disk damage
• Static is mitigated by maintaining proper humidity, proper grounding all circuits in a proper manner, and using antistatic sprays, wrist straps, and work surfaces
• High humidity levels can allow the water in the air to condense onto (and into) equipment, which may lead to corrosion

Airborne Contaminants

• Dust is a common problem: airborne dust particles can be drawn into computer enclosures, where they become trapped
• Built-up dust can cause overheating and static buildup
• CPU fans can be impeded by dust buildup, which can lead to CPU failure due to overheating
• Other contaminants can cause corrosion or damaging chemical reactions

Description

This quiz covers various symmetric and asymmetric encryption algorithms, including DES, AES, RSA, and more. Test your knowledge of cryptography concepts and techniques.