Cryptography: VPNs, Hash Algorithms & Authentication

Questions and Answers

What is a primary goal of cryptography?

• To ensure confidentiality of data (correct)
• To reduce the amount of data transmitted
• To speed up network traffic
• To simplify network configurations

Which of the following is a cryptographic service?

• Network Addressing
• Load Balancing
• Authentication (correct)
• Quality of Service

What does integrity ensure in cryptographic services?

• Data is publicly available
• Data is quickly accessible
• Data is compressed for efficient storage
• Data remains unaltered during transit or storage (correct)

What is the purpose of hashing?

To ensure integrity (B)

Which of the following is a peer authentication method?

Using a shared key and ID (C)

What is the role of a Certificate Authority (CA)?

To verify digital identities (D)

What is the primary purpose of key exchange in cryptography?

To securely share encryption keys (A)

What is a characteristic of symmetric encryption?

Uses the same key for encryption and decryption (A)

Which CIA service does encryption directly support?

Confidentiality (D)

Which hash algorithm has a longer key-length, providing more security?

SHA (B)

What is HMAC used for?

Authenticity (C)

What is a digital signature's main property?

Authenticity (A)

Why are digital certificates used?

To prove the bond between a public key and its subject (D)

What is the function of a Registration Authority?

Forwards enrollment requests to a CA (D)

What is the full name of AES?

Advanced Encryption Standard (A)

What does VPN stand for?

Virtual Private Network (D)

What best describes integrity?

Confirming data is unaltered. (C)

Which of the following is stronger?

SHA-256 (A)

In a Public Key Infrastructure (PKI), which element is responsible for issuing digital certificates?

Certification Authority (A)

What is the purpose of running the hash algorithm?

Hashes are used to determine if data has been altered. (B)

If Alice wants to send an encrypted message to Bob using asymmetric encryption so only Bob can read it, which key does Alice use to encrypt the message?

Bob's public key (C)

Which key is generally used to decrypt data from asymmetric encryption?

Private Key (D)

Which of the options best describes confidentiality?

Preventing unauthorized disclosure of information (B)

Which type of encryption uses the same key for encryption and decryption?

Symmetric Encryption (A)

Cryptography ensures confidentiality, integrity, and authentication.

True (A)

Encryption is the sole method for ensuring data integrity.

False (B)

Authentication verifies the sender's identity.

True (A)

Symmetric encryption uses two different keys for encryption and decryption.

False (B)

Asymmetric encryption is generally faster than symmetric encryption.

False (B)

Hashing is a one-way function; it is easy to revert the hash to get the original data.

False (B)

A digital certificate is signed by a Certificate Authority (CA).

True (A)

Integrity ensures that data has not been altered during transmission.

True (A)

Confidentiality means that only authorized parties can access the information.

True (A)

MD5 is considered more secure than SHA-256.

False (B)

HMAC uses a secret key in addition to a hashing algorithm.

True (A)

The Diffie-Hellman algorithm is used for encrypting messages directly.

False (B)

Digital signatures provide non-repudiation, meaning the sender cannot deny sending the message.

True (A)

VPNs primarily offer integrity but not confidentiality.

False (B)

Encryption always guarantees complete anonymity.

False (B)

A shorter key length in encryption always means stronger security.

False (B)

SSL VPN stands for Secure Socket Layer Virtual Private Network

True (A)

Integrity checks can detect accidental or malicious data modification.

True (A)

The main goal of integrity is to prevent unauthorized access to data.

False (B)

Data origin authentication provides assurance that the data source is as claimed.

True (A)

DES and 3DES are equally secure encryption algorithms.

False (B)

The primary purpose of a firewall is to ensure data integrity.

False (B)

Cryptography can be used to protect data at rest and in transit.

True (A)

A Certificate Authority is responsible for issuing digital certificates.

True (A)

The terms 'encryption' and 'cipher' refer to distinct concepts in cryptography.

False (B)

Which of the following is a potential benefit of using VPNs?

Cost savings (B)

What type of VPN allows individual users to connect to a private network from a remote location?

Remote-access VPN (B)

What is a key factor to consider when comparing security protocols?

Key length (D)

In IPsec, which protocol provides data confidentiality?

ESP (B)

Which of the following is used for key exchange in IPsec?

IKE (D)

What is the purpose of AH (Authentication Header) in IPsec?

Authentication (D)

Which mode of IPsec encrypts the entire IP packet?

Tunnel mode (B)

Which of the following is a typical component of a remote-access VPN setup?

VPN client software (B)

In a site-to-site VPN, do clients typically need to be aware a VPN is being used?

No, never (D)

What is the first phase of IKE negotiation focused on?

Negotiating ISAKMP policy (C)

What command is used to see the ISAKMP policy on the router?

show crypto isakmp policy (B)

After a crypto map is configured, what must be done to activate it?

Apply it to an interface (A)

What type of information can be exchanged via an IPsec tunnel?

Any information (A)

What command lets you see information regarding IPsec?

show crypto ipsec sa (C)

What does the acronym ESP stand for?

Encapsulating Security Payload (B)

Which Diffie-Hellman group is included in the default configuration?

5 (A)

What does the command crypto isakmp key do?

Configures a pre-shared key (B)

When defining interesting traffic, what does the word ACL stand for?

Access Control List (C)

Which of the following isn't an ESP protocol?

ESP-MD5-HMAC (B)

What command is used to enable a crypto map on the interface?

interface serial 0/0/0 (D)

What is the command to verify the interface is using the crypto map?

show crypto map (C)

After the configurations have been made, what should you do test and verify the VPN?

Ping host B from host A (D)

What type of data is encrypted with ESP?

Data payload (A)

Is all data in plaintext with AH?

True (B)

A VPN provides cost savings.

True (A)

In a site-to-site VPN, the client is aware of the VPN connection.

False (B)

IPsec operates at the Data Link Layer.

False (B)

IPsec provides security services such as confidentiality and integrity.

True (A)

AH provides encryption.

False (B)

ESP provides confidentiality.

True (A)

AES is considered more secure than Double DES.

True (A)

The Diffie-Hellman algorithm is used for key exchange.

True (A)

IKE has one phase.

False (B)

A remote-access VPN connects entire networks.

False (B)

A VPN encrypts all traffic.

True (A)

Using a VPN always slows down your internet speed.

False (B)

VPN stands for Very Private Network.

False (B)

IPsec is a single protocol.

False (B)

IPsec can only operate in tunnel mode.

False (B)

A longer key length generally indicates stronger encryption.

True (A)

In IKE Phase 1, the peers negotiate the IPsec policy.

False (B)

A crypto map is applied to a physical interface.

True (A)

show crypto isakmp sa shows IPsec security associations.

False (B)

VPNs are only used by large corporations.

False (B)

Compatibility is not a benefit of VPNs.

False (B)

A VPN cannot provide scalability.

False (B)

AH and ESP protocols can be used together.

False (B)

DH14 provides a stronger key exchange method than DH1.

True (A)

Flashcards

Confidentiality

Ensuring only authorized parties can view the data. Achieved through encryption.

Integrity

Ensuring data is not altered in transit or storage. Achieved through hashing algorithms like MD5 and SHA.

Authentication

Verifying the sender's identity. Achieved through digital signatures and certificates.

Symmetric Encryption

Uses the same key for encryption and decryption.

Asymmetric Encryption

Uses a pair of keys: a public key for encryption and a private key for decryption.

Hash Algorithms

Mathematical functions that create a unique, fixed-size 'fingerprint' of data.

Keyed-Hash Message Authentication Code (HMAC)

A code used to verify both data integrity and authenticity.

Diffie-Hellman

Used to securely exchange cryptographic keys over a public network.

Digital Certificates

Electronic documents that verify the digital identity of an entity.

Certification Authority (CA)

Entity that issues digital certificates.

Registration Authority

A 'lite' version of PKI certificate authority.

Confidentiality

DES, 3DES, AES, and SEAL are all protocols of?

Integrity

MD5 and SHA are?

Cryptography

The art of writing or solving codes.

Integrity validation

Compares computed and received hashes to confirm data hasn't changed.

Cryptographic Hash Function

A mathematical function that converts a data of arbitrary size to a fixed size.

HMAC

A keyed hash function used to provide authenticity of a message.

Diffie-Hellman key exchange

A secure method for exchanging cryptographic keys over a public network.

Certificate authority (CA)

An entity that vouches for the authenticity of entities on the Internet.

Registration Authority (RA)

A streamlined version of a CA that handles certificate enrollment requests.

DES, 3DES, AES, SEAL

Algorithms commonly used for confidentiality.

MD5, SHA

Used to maintain /validate integrity.

Diffie-Hellman (DH)

Used when you want to exchange keys, that is normally done through a DH...

Alice encrypts, bob decrypts

Using Asymmetric keys to Encrypt a Hash using a Private Key

DES, 3DES, AES, SEAl

Symmetrical encryption algorithms.

PSK, RSA

Encryption algorithms

Virtual Private Network (VPN)

A network that provides secure connections for remote users or sites, using encryption.

VPN Cost Savings

Reduces infrastructure costs by using existing network infrastructure.

VPN Security

A VPN benefit that ensures data is protected from unauthorized access.

VPN Scalability

Easily adapt to increased network demands

VPN Compatibility

Works with various devices and operating systems.

Site-to-Site VPN

Connects entire networks, like branch offices, over the internet.

Remote-Access VPN

Enables individual users to connect securely to a private network from remote locations.

IPsec (Internet Protocol Security)

A framework of protocols providing secure communication over IP networks.

IPsec Integrity

Guarantees that the data has not been altered during transmission.

IPsec Authentication

Verifies the identity of the sender.

IKE (Internet Key Exchange)

Provides secure key exchange in IPsec.

AH (Authentication Header)

A protocol that provides authentication and integrity, but not confidentiality.

ESP (Encapsulating Security Payload)

A protocol that provides confidentiality, authentication, and integrity.

AH protocol

All data is in plaintext.

Tunnel Mode

Mode where the entire IP packet is encrypted and encapsulated within a new IP packet.

Transport Mode

Only the payload of the IP packet is encrypted.

Security Association (SA)

The set of security parameters used to establish a secure connection in IPsec.

Phase 1

Negotiate ISAKMP policy to create a tunnel.

Phase 2

Negotiate IPsec policy for sending secure traffic across the tunnel.

ACL (Access Control List)

A misconfiguration can lead to the VPN not functioning correctly.

Transform Set

A set of IPsec parameters, like encryption and authentication algorithms.

Crypto Map

Defines which traffic should be protected by IPsec.

What is IPsec?

A Layer 3 protocol suite that secures communication over IP networks by providing confidentiality, integrity, and authentication.

Internet Key Exchange (IKE)

Offers secure key exchange for IPsec, sets up secure communication channels.

Authentication Header (AH)

Provides integrity and authentication but does not encrypt data, leaving the payload exposed.

Encapsulating Security Payload (ESP)

Provides confidentiality, integrity, and authentication by encrypting the data payload.

IPSec Transport Mode

Only the payload is protected, useful in secure end-to-end communications.

IPSec Tunnel Mode

The entire IP packet is encrypted and encapsulated, providing a completely secure encrypted tunnel.

IKE Phase 1

An initial negotiation phase to establish a secure channel for further IPsec negotiations.

IKE Phase 2

Where IPsec policies get decided after a secure channel has been established.

Access Control Lists (ACLs) for VPNs

Used to filter traffic and control which packets are allowed to initiate an IPsec tunnel.

IPsec Transform Set

Groups IPsec security settings like encryption algorithms and authentication methods.

crypto isakmp key Command

Command used to define which peers are allowed to establish the ISAKMP SA.

Interesting Traffic

Traffic that triggers the IPsec VPN to initiate after a device initiates a connection.

Extended Ping

A command that allows for extended pings that define larger packets, timeout intervals, and source IP addresses, and allows the administrator to test for VPN connection stability.

Study Notes

• VPNs extend over a POP (Point of Presense)

Confidentiality (Cont.)

• Less Secure to Most Secure data encryption: DES, 3DES, AES, SEAL

Authentication

• Local Authentication Key + ID via the Internet to Remote Authentication results in keys matching

Authentication (Cont.)

• Local Authentication Key + ID Encrypted via Internet with Digital Signature matching Remote Authentication Decrypted signature

Authentication Header (AH)

Authentication Header (Cont.)

• IP Header + Data + Authentication Key Create a Hash via the Internet to verify Authentication Header

Encapsulating Security Payload (ESP)

• ESP Encrypts and Authenticats Data

Crypto Map

• Syntax to Configure a Crypto Map involves: crypto map map-name seq-num [ ipsec-isakmp | ipsec-manual ]

Crypto Map Configuration

• Crypto Map Configuration commands: default, description, dialer, exit, match, no, qos, reverse-route, set