Cryptography, VPNs, and Cryptographic Services

Questions and Answers

Which cryptographic service ensures that data has not been altered in transit or storage?

• Integrity (correct)
• Key Exchange
• Authentication
• Confidentiality

In cryptography, what is achieved by using encryption algorithms?

• Non-repudiation
• Integrity
• Confidentiality (correct)
• Authentication

What is the primary difference between symmetric and asymmetric encryption?

• Symmetric encryption is primarily used for authentication, while asymmetric encryption is used for confidentiality.
• Symmetric encryption is more secure than asymmetric encryption.
• Symmetric encryption uses a single key for both encryption and decryption, while asymmetric encryption uses a pair of keys. (correct)
• Symmetric encryption uses a public key, while asymmetric encryption uses a private key.

Which of the following is a characteristic of a good hash function?

It is collision-resistant, making it difficult to find two different inputs that produce the same hash value. (A)

How does a Certificate Authority (CA) contribute to the authentication process in asymmetric key cryptography?

By issuing certificates that verify the authenticity of public keys. (C)

Which of the following algorithms is considered a symmetric encryption algorithm?

AES (D)

What is the purpose of a digital signature?

To verify the integrity and authenticity of a message. (A)

Which of the following is a key exchange algorithm?

Diffie-Hellman (D)

In the context of cryptography, what does non-repudiation ensure?

That the sender cannot deny having sent the message. (C)

Which of the following is a characteristic of Public Key Infrastructure (PKI)?

It involves Certificate Authorities (CAs) to verify identities. (A)

How does hashing contribute to data integrity?

By creating a unique, fixed-size 'fingerprint' of the data that changes if the data is altered. (B)

Which of the following is a primary goal of key management in cryptography?

Ensuring the secure generation, storage, exchange, and use of cryptographic keys. (B)

What is the role of a Registration Authority (RA) in the PKI framework?

To verify the identity of a user requesting a digital certificate, before forwarding the request to a CA. (B)

Which cryptographic service is primarily achieved through the use of Hashed Message Authentication Codes (HMAC)?

Authentication and Integrity (D)

Why is the length of the key a crucial factor in cryptographic algorithms?

Longer keys generally provide higher security by increasing the number of possible key combinations. (C)

Which of the following accurately describes a man-in-the-middle attack?

An attacker intercepts communications between two parties, impersonating each to eavesdrop or manipulate the data. (A)

Which of these choices describes the purpose of 'salting' in the context of password hashing?

To add randomness to the hashing process, making rainbow table attacks less effective. (C)

What is the primary reason for using both symmetric and asymmetric encryption in protocols like SSL/TLS?

To combine the speed of symmetric encryption with the secure key exchange of asymmetric encryption. (A)

Which of the following is most vulnerable to frequency analysis?

A simple substitution cipher. (D)

Which of the following is an advantage of asymmetric encryption compared to symmetric encryption?

Simpler key distribution (D)

What are the properties of a digital signature?

Authentic, unalterable, not reusable, and cannot be repudiated (D)

What are the advantages of using symmetric algorithms?

Less Computational Power needed, faster encryption (A)

If Alice wants to send an encrypted message to Bob using public-key cryptography, what key does Alice use to encrypt the message?

Bob's public key (A)

How would you best mitigate against replay attacks?

Implement time stamps with a threshold and message sequences (D)

Which of the following is an important part of a PKI framework?

The use of asymmetric keys (A)

Encryption provides the cryptographic service of ensuring data confidentiality.

True (A)

The primary goal of integrity services is to prevent unauthorized modification of information, ensuring that data remains consistent and trustworthy.

True (A)

A hash algorithm is reversible, meaning the original data can be recovered from the hash value.

False (B)

In symmetric encryption, the encryption and decryption keys are different, while in asymmetric encryption, they are the same.

False (B)

The MD5 algorithm generates a hash value of 256 bits, providing a stronger level of security compared to SHA-1.

False (B)

In the context of digital signatures, the private key is used to verify the signature, while the public key is used to create the signature.

False (B)

Adding a secret key to a hash function, as done in HMAC, enhances authenticity of the message.

True (A)

Digital signatures cannot be reused for different documents because they are uniquely tied to the signed data.

True (A)

A digital certificate can be self-signed and still be considered valid and trusted by other parties.

False (B)

The main purpose of a Certificate Authority (CA) is to issue and verify digital certificates, establishing trust in online transactions.

True (A)

Authentication is the process of ensuring that data has not been altered in transit, focusing on the integrity of the information.

False (B)

The Diffie-Hellman key exchange allows two parties to establish a shared secret key over an unsecure channel, even if an eavesdropper is present.

True (A)

The initialism CIA in cryptography refers to Certification, Integrity, and Availability.

False (B)

Using a longer key length in symmetric encryption (e.g., AES 256-bit instead of 128-bit) generally decreases the computational complexity and thus encryption time.

False (B)

The main goal of cryptography is to provide absolute and unbreakable security, preventing any possibility of data breaches or unauthorized access.

False (B)

In asymmetric encryption, the public key is kept secret by the owner, while the private key is distributed to anyone who needs to send encrypted messages.

False (B)

The main advantage of symmetric encryption over asymmetric encryption is its enhanced scalability, especially in scenarios with many communicating parties.

False (B)

The 'salt' used in hashing passwords should be a publicly known constant value to ensure consistency across different systems.

False (B)

SHA-256 produces a hash value of 128 bits.

False (B)

Using peer authentication methods, RSA is considered to be more secure than PSK.

True (A)

The integrity of a message is assured by using encryption.

False (B)

In PKI, the Registration Authority directly issues the digital certificates.

False (B)

A digital signature proves the sender's identity and is able to also encrypt the message.

False (B)

If two different sets of data produce the same hash value, this is known as a collision.

True (A)

Public Key Infrastructure (PKI) is designed to issue public keys, but not used for issuing private keys.

True (A)

Which VPN benefit primarily addresses the ability to support a growing number of connections and remote sites without significant infrastructure overhaul?

Scalability (B)

In a site-to-site VPN, how does a client typically interact with the VPN?

The client is unaware of the VPN, as it is handled by the network infrastructure. (D)

When comparing Authentication Header (AH) and Encapsulating Security Payload (ESP) in IPsec, what key difference affects their deployment?

ESP provides encryption, while AH only provides authentication. (A)

Why is the Internet Key Exchange (IKE) protocol essential for IPsec VPNs?

It automates the key exchange process and establishes security associations (SAs). (A)

Which hash algorithm are suitable for ensuring integrity, offering varying levels of security and performance?

MD5 and SHA (B)

During IKE Phase 1 negotiation, what is the primary goal?

To establish a secure channel for negotiating IPsec security associations (SAs). (A)

In the context of cryptography and VPNs, what does a transform set define?

A combination of security protocols, such as encryption and authentication algorithms. (A)

What is the purpose of configuring an Access Control List (ACL) when setting up an IPsec VPN?

To define the 'interesting traffic' that should be protected by the VPN. (B)

What command is required to enable ISAKMP?

crypto map (D)

After configuring an IPsec VPN, which of the following actions is essential to verify its operation?

Sending 'interesting traffic' across the VPN tunnel to initiate the IPsec connection. (D)

How do Remote Access VPNs and Site-to-Site VPNs primarily differ in their application?

Remote Access VPNs connect individual users to a network, and Site-to-Site VPNs connect entire networks. (A)

If a network administrator needs to configure a VPN that must support both authentication and encryption, which IPsec protocol should they choose?

ESP (A)

Which command is used to configure the hash algorithm?

hash sha (A)

Before encapsulating and authenticating traffic across the VPN tunnel what must be configured?

All of the above (D)

What benefit do VPNs provide when connecting to branch offices?

VPNs offer a cost-effective and secure alternative to dedicated leased lines. (D)

What is one of the benefits of IPsec tunnel mode?

All of the above. (D)

A network admin is configuring IPsec. Which task must he or she configure first?

configure ISAKMP policy (B)

What is a common step in troubleshooting IPsec VPN connectivity issues?

Verifying that the ISAKMP and IPsec Security Associations (SAs) are active. (D)

Where can you configure the peer address in ISAKMP?

Use the crypto isakmp key keystring hostname peer-hostname command. (B)

What is the lifetime of the security association seconds?

900 seconds (B)

If a technician configured both sides of the IPsec VPN tunnel, what is the next step?

Send interesting traffic (D)

What command is used to show crypto keys?

show crypto isakmp sa (C)

What does implementing Perfect Forward Secrecy (PFS) do for the VPN tunnel?

Requires re-keying using the Diffie-Hellman key exchange. (C)

What are the benefits of VPNs?

Cost Savings, Security, Scalability, Compatibility (B)

Which ACL command permits ESP traffic for an IPsec tunnel?

access-list acl permit esp source wildcard destination wildcard (C)

VPNs can offer cost savings by reducing the need for dedicated, expensive WAN connections.

True (A)

All VPNs provide only encryption, and do not offer authentication or data integrity features.

False (B)

Scalability is a benefit of VPNs, allowing organizations to easily add or remove connections as needed.

True (A)

A site-to-site VPN is typically used to allow individual users to connect securely to a central network from remote locations.

False (B)

Remote-access VPNs do not require the installation of VPN client software on the user's device.

False (B)

In a site-to-site VPN, the client device is directly aware of the VPN connection and handles the encryption/decryption processes.

False (B)

IPsec operates at the transport layer of the OSI model.

False (B)

The AH (Authentication Header) protocol only provides data integrity and authentication, without encryption.

True (A)

ESP (Encapsulating Security Payload) provides both encryption and authentication.

True (A)

The IKE (Internet Key Exchange) protocol is used to establish the security associations (SAs) in an IPsec connection.

True (A)

MD7 is a secure hash algorithm used for data integrity in IPsec.

False (B)

RSA is used only for encryption and cannot be used for authentication in IPsec.

False (B)

Diffie-Hellman is a key exchange algorithm used to securely exchange cryptographic keys over a public network.

True (A)

In transport mode, IPsec encrypts the entire IP packet, including the header.

False (B)

In tunnel mode, a new IP header is added to the original IP packet after encryption, providing additional security.

True (A)

IKE Phase 1 is primarily used to negotiate IPsec policies for secure traffic transmission.

False (B)

IKE Phase 2 is responsible for negotiating the IPsec security associations (SAs) to protect the data traffic.

True (A)

When configuring a site-to-site IPsec VPN, the 'crypto isakmp key' command is used to define the encryption algorithm.

False (B)

The 'access-list' command is used to define interesting traffic that will be protected by the VPN.

True (A)

The 'crypto ipsec transform-set' command is used to specify the encryption and authentication algorithms for IPsec.

True (A)

The crypto map only specifies which traffic to protect, and does not include security parameters for encryption or authentication.

False (B)

The 'show crypto isakmp sa' command is used to verify the status of the IPsec security associations.

False (B)

The 'show crypto ipsec sa' command displays the parameters and statistics related to the established IPsec security associations.

True (A)

If the ISAKMP SA state is 'QM_IDLE', the IKE Phase 1 negotiation was unsuccessful.

False (B)

Configuring 'pfs group24' provides weaker security than not enabling PFS.

False (B)

Flashcards

Integrity

Ensuring data has not been altered in transit or storage.

Authentication

Verifying the identity of a user, device, or other entity.

Confidentiality

Keeping information secret and available only to authorized users.

Symmetric Encryption

An encryption method using the same key for both encryption and decryption.

Asymmetric Encryption

Encryption method using different keys for encryption and decryption.

Hashing

A process that produces a unique, fixed-size output (hash) from any input.

HMAC

Used to confirm data integrity and authenticity.

Asymmetric Keys

To verify identities using asymmetric keys.

Certificate Authority (CA)

A trusted entity that issues digital certificates.

Key Exchange

A method for securely exchanging cryptographic keys over a public channel.

Digital Certificate

To prove bond or Pub key to subject, signed by Cert. Authority.

PKI (Public Key Infrastructure)

Used to distribute public keys within a network.

Registration Authority

Receives digital certificate request from users.

Confidentiality in Cryptography

A cryptographic service ensuring that data is accessible only to those authorized to view it.

Integrity in Cryptography

A cryptographic service providing proof that data has not been altered during transit or storage.

Authentication in Cryptography

The process of verifying the identity of a user, device, or another entity in a network.

Keyed-Hash Message Authentication Code

A technique for ensuring both integrity and authenticity of a message.

Certificate Authority

A trusted entity that issues digital certificates to verify the authenticity of entities.

Public Key Infrastructure

A framework that manages digital certificates and public keys for secure communication.

Symmetric vs Asymmetric

Comparing symmetric vs asymmetric encryption.

VPN Benefits Overview

Cost reductions, security enhancements, improved scalability and compatibility.

What is a Virtual Private Network?

A network that provides a secure connection over a public infrastructure, such as the Internet.

Remote-Access VPN

A VPN type where individual users connect to a central network.

Site-to-Site VPN

A VPN type that connects entire networks at different locations.

What is IPsec?

A framework of open standards that ensures private, secure communications over Internet Protocol (IP) networks through encryption.

What is Encryption?

The process of transforming readable data (plaintext) into an unreadable format (ciphertext).

What is AH?

A security protocol that provides authentication and integrity.

What is ESP?

A security protocol that provides confidentiality, authentication, and integrity.

Role of Internet Key Exchange (IKE)

The negotiation of security associations (SAs) between IPsec peers.

AES (Advanced Encryption Standard)

Used to encrypt and decrypt data.

Pre-Shared Key

Uses the same secret key on both sides of the VPN tunnel to set up a secure channel.

IPsec Policy

A set of security protocols with which to negotiate, and implement IPsec.

Crypto Map

Links together many of the components, such as the ACL, transform set, and the peer.

Transform Set

Ensures encrypted information arrives to the destination uncompromised.

What is Diffie-Hellman group?

A parameter used in key exchange algorithms, determining the size of the key used for encryption.

Authentication with PSK

Uses a secret key available to both peers to authenticate packets.

RSA

Used for increased security and is more complex and scalable than PSK

VPN benefits

Cost Savings,Security,Scalabillity,Compatibility

AH Protocol specifics

AH provides data origin authentication, data integrity, and anti-replay protection. It does not provide confidentiality (encryption).

ESP Protocol specifics

ESP provides confidentiality (encryption), data origin authentication, data integrity, and anti-replay protection.

Purpose of IKE

Negotiates security associations (SAs) between two IPsec peers, setting the stage for a secure connection.

IKE negotiations.

Phase 1: Establishes a secure channel and Phase 2: Creates the IPsec tunnel for secure data transfer.

IPsec VPN

A method of ensuring secure communication by encrypting data packets.

IPsec Configuration

Configuring security policies and steps for a secure transfer.

Configure ISAKMP policy

To verify identities between the two end points

Apply a Crypto Map

Integrates security components for IPsec VPNs.

Verify IPsec VPN

Check the IPsec tunnel is working and operational.

Transport mode

This mode encrypts only the payload of the packet; the header is not protected.

Tunnel Mode

The entire IP packet is encrypted, and a new IP header is added for transmission.

Study Notes

Existing ACL Configurations

• ACL syntax for IPsec traffic includes access-list commands for UDP (isakmp), ESP, and AHP protocols.
• Rules to permit icmp, udp, esp, and ahp protocols include source and destination wildcard to determine IPsec negotiations

Configuring a New ISAKMP Policy

• Commands include setting authentication, encryption, Diffie-Hellman group, hash, and lifetime, and negating a command or to set its defaults.

XYZCORP ISAKMP Policy Configuration

• Global IKE policy protection suite incorporates AES encryption (256 bit keys), Secure Hash Standard, Pre-Shared Key, Diffie-Hellman group #24 (2048 bit, 256 bit subgroup)

Pre-Shared Key Configuration

• The commandcrypto isakmp key keystring address peer-address and crypto isakmp key keystring hostname peer-hostname configure a pre-shared key

Define an ACL to Define Interesting Traffic

• ACL configuration for interesting traffic is configured using the access-list command

Configuring a Crypto Map

• A crypto map identifies the crypto map set and indicates whether to use IKE or manual establishment of IPsec Security Associations (SAs).
• Configuration commands include default, description, dialer, exit, match, no, qos, reverse-route and set.

Default Crypto Map

• By default new crypto maps will remain disabled until peer and valid access list have been configured

Crypto Map Configuration

• Crypto map can be configured to match address, set transform-set, set peer address, set pfs group, and set security-association lifetime.

Send Interesting Traffic

• Verification of configuration can be observed using ping ip x.x.x.x source x.x.x.x

Verify ISAKMP Configuration

• Verification of configrations can be observed using show crypto isakmp sa to show ISAKMP SA information

Verify IPsec Configuration

• Verification of configuration can be observed using show crypto ipsec sa to show IPsec SA information