Fundamentals of Cryptography

Questions and Answers

Which of the following is the primary goal of cryptography?

• To prevent any access to information.
• To ensure data remains unchanged during transmission.
• To secure communication in the presence of adversaries. (correct)
• To make data easily accessible to everyone.

Which feature of cryptography ensures that information is accessible only to authorized users?

• Confidentiality (correct)
• Authentication
• Non-repudiation
• Integrity

What cryptographic feature uses digital signatures to prevent someone from denying their actions?

• Authentication
• Integrity
• Confidentiality
• Non-repudiation (correct)

How do cryptographic hash functions primarily ensure data integrity?

By converting data into a unique, fixed-size string. (B)

In the context of encryption, what is the purpose of a 'key'?

To convert plaintext to ciphertext and vice versa. (B)

Which type of encryption uses the same key for both encryption and decryption?

Symmetric encryption (A)

In asymmetric encryption, which key is used by the sender to encrypt a message?

The receiver's public key (B)

What is the main purpose of digital signatures?

To verify the authenticity and integrity of a message (A)

Which of the following best describes the purpose of key management?

Securing cryptographic keys throughout their lifecycle (C)

What is the role of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

To issue and manage digital certificates (B)

Which component in PKI acts as an intermediary between users and the Certificate Authority (CA)?

Registration Authority (RA) (B)

What is the purpose of a digital certificate?

To authenticate the identity of an entity (A)

Which of the following best describes the purpose of Secure Socket Layer (SSL)?

To provide secure communication over a network. (A)

During an SSL handshake, what is the primary action that occurs?

Cryptographic keys are exchanged to establish a secure connection. (D)

How does SSL contribute to verifying the identity of a website?

By verifying the server's digital certificate. (A)

What does a 'WildCard' SSL certificate secure?

A primary domain and all its subdomains. (A)

Which type of SSL certificate validation involves rigorous identity verification and displays the company's legal name in the address bar?

Extended Validation (A)

How does Transport Layer Security (TLS) improve upon Secure Socket Layer (SSL)?

By offering enhanced security features and efficiency. (B)

What is a key benefit of using end-to-end encryption (E2EE)?

Data is only readable by the sender and receiver. (D)

What is the primary purpose of data masking?

To create a replica of data to protect the original. (B)

In which type of data masking is the data altered while it is being transferred?

Dynamic data masking (C)

What is the main focus of Data Loss Prevention (DLP) strategies?

Preventing sensitive information from unauthorized access, loss, or misuse. (C)

Which of the following is a key benefit of implementing a DLP solution?

Prevention of unauthorized data transfers and mitigation of security threats (D)

What is the first step in implementing a DLP strategy?

Establishing goals and success metrics (C)

In the context of DLP, what does classifying and prioritizing data involve?

Identifying critical data and associated risks. (B)

What does monitoring data flow enable as part of implementing a DLP strategy?

Identification of risky behaviors and refinement of policies (D)

What is the purpose of the key rotation process in key management?

To reduce the risk from prolonged key exposure. (C)

What should employee training for DLP best practices include?

Proper data handling, threat recognition, and incident response procedures (A)

What is the primary goal of interoperability in cryptography?

To ensure different cryptographic systems work together. (B)

What does the term 'adaptability' refer to in the context of cryptography?

The ability of cryptographic methods to evolve against new security threats. (D)

What is the purpose of the key deletion stage in the Key Management Life Cycle?

To physically destroy key data when it is no longer needed. (C)

Why is it important to securely store cryptographic keys?

To prevent unauthorized access and maintain confidentiality. (B)

Which level of data classification in DLP is considered the most sensitive and requires the strictest control?

Restricted (A)

Flashcards

Cryptography

The practice and study of techniques for secure communication in the presence of third parties (adversaries).

Confidentiality

Ensures information is accessible only to authorized users, typically using encryption techniques.

Integrity

Guarantees that data remains unaltered during transmission or storage, often through cryptographic hashing.

Non-repudiation

Prevents entities from denying their actions, often achieved using digital signatures or cryptographic proofs.

Authentication

Verifies the identity of users or systems to prevent unauthorized access.

Interoperability

Enables different cryptographic systems and protocols to work together securely.

Adaptability

Allows cryptographic methods to evolve and remain effective against emerging security threats.

Encryption

The process of converting plaintext into ciphertext using an algorithm and a key.

Decryption

The reverse process of encryption, where ciphertext is converted back into plaintext using the appropriate key.

Symmetric Key Encryption

An encryption system where the sender and receiver of a message use a single, common key to encrypt and decrypt messages.

Asymmetric Key Encryption

Cryptography where a pair of keys (public and private) is used to encrypt and decrypt information. Public key for encryption, private key for decryption.

Hash Functions

Algorithms that take an input and return a fixed-size string of bytes (hash value), unique to the input data.

Digital Signatures

Validates the authenticity and integrity of a message using a private key to create a unique signature, verifiable with the corresponding public key.

Key Management

Handling cryptographic keys securely throughout their lifecycle, from generation to disposal.

Key Generation

Creating a new cryptographic key with sufficient randomness and strength.

Key Distribution

Ensuring keys reach authorized users without interception or modification.

Key Storage

Properly safeguarding the key in a secure repository.

Key Rotation

Old keys are replaced periodically to reduce risks from prolonged exposure.

Key Deletion

Keys are revoked when no longer needed and secured by deletion.

Public Key Infrastructure (PKI)

A framework for managing digital certificates and cryptographic keys, enabling secure authentication, encryption, and data integrity.

Certificate Authority (CA)

A trusted entity that issues and manages digital certificates to verify identities and enable secure communication.

Registration Authority (RA)

Acts as an intermediary between users and the CA, verifying identity information before certificate issuance.

Digital Certificates

Electronic credentials issued by a CA that authenticate the identity of an entity and enable secure data exchange.

Secure Socket Layer (SSL)

A cryptographic protocol designed to provide secure communication over a computer network, creating an encrypted link between a web server and a web browser.

SSL Verification

Verifies the identity of the server, ensuring you’re communicating with the intended website and not an imposter.

SSL Certificate

Used to establish a secure connection between a website and a user's browser, verifying the website's identity.

Single-domain SSL Certificate

Secures one specific domain or subdomain, ensuring encrypted communication for that single site.

WildCard SSL Certificate

Secures a primary domain and all its subdomains, providing flexibility for expanding websites.

Multi-Domain SSL Certificate

Secures multiple domains and subdomains under a single certificate, ideal for businesses managing several websites.

Transport Layer Security (TLS)

Transport Layer Security is designed to provide improved security and efficiency. TLS was developed as an enhancement of SSL to the address various vulnerabilities and to the incorporate modern cryptographic techniques.

End-to-End Encryption (E2EE)

Ensure a secure way of data communication. Only sender and receiver can see the plain data. No one else can encrypt the data including government or even by the server through which data is passing.

Data Masking

Is creating an exact replica of pre-existing data in order to keep the original data safe and secure from any safety breaches.

Static data masking (SDM)

Static data masking works at a state of rest by altering the data thereby, permanently replacing sensitive data.

Dynamic data masking (DDM)

Dynamic data masking alters the data simultaneously or while the data transfer is taking place.

Data Loss Prevention (DLP)

Protects sensitive information from loss, corruption, misuse, or unauthorized access.

Study Notes

Fundamentals of Cryptography

• Cryptography ensures data security through encryption, decryption, and key management
• Cryptographic principles protect confidentiality, integrity, authentication, and non-repudiation,
• Secures digital communications and prevents cyber threats with real-world applications

What is Cryptography?

• Cryptography involves secure communication techniques in the presence of adversaries
• Encompasses the development and analysis of protocols preventing unauthorized access
• Maintains data integrity, confidentiality, and authenticity

Features of Cryptography

• Confidentiality ensures information accessibility only to authorized users through encryption
• Non-repudiation prevents entities from denying actions using digital signatures or cryptographic proofs
• Interoperability enables different cryptographic systems and protocols to work together securely
• Integrity guarantees data remains unaltered during transmission or storage via cryptographic hashing
• Authentication verifies user or system identities to prevent unauthorized access
• Adaptability allows cryptographic methods to evolve against emerging security threats

Encryption and Decryption

• Encryption converts "plaintext" into "ciphertext" using an algorithm and a key
• Only those with the correct key can decrypt the ciphertext back into plaintext
• Decryption reverses encryption by converting ciphertext back into plaintext using the appropriate key

Symmetric vs. Asymmetric Encryption

• Symmetric Key encryption uses a single, common key for both encryption and decryption between sender and receiver
• Asymmetric Key cryptography uses a key pair to encrypt and decrypt information
• Asymmetric Key cryptography uses a sender's public key to encrypt and a receiver's private key for decryption

Cryptographic Hash Functions and Digital Signatures

• Hash Functions are algorithms that take an input (or message) and return a fixed-size string of bytes
• The output, typically a hash value, is unique to the input data
• Hash functions are used in password storage and data integrity verification
• Examples include SHA-256 (Secure Hash Algorithm 256-bit) and MD5 (Message Digest Algorithm 5)
• Digital Signatures are a cryptographic technique used to validate the authenticity and integrity of a message, software, or digital document
• Digital Signatures create a unique digital signature using a private key, which can be verified by anyone with the corresponding public key

Key Management and Public Key Infrastructure (PKI)

• Key management handles cryptographic keys securely throughout their lifecycle, from generation to disposal
• The Key management life cycle consists of generation, distribution, storage, rotation, and deletion.
• Key Generation refers to creating a new cryptographic key with sufficient randomness and strength
• Key Distribution ensures keys reach authorized users without interception or modification
• Key Storage refers to properly safeguarding the key in a secure repository
• Key Rotation refers to periodically replacing the old keys to reduce risks from prolonged exposure
• Key Deletion refers to revoking keys when they are no longer needed and securing them by deletion
• Public Key Infrastructure (PKI) manages digital certificates and cryptographic keys, enabling secure authentication, encryption, and data integrity.

Core Components of PKI

• Certificate Authority (CA) is a trusted entity that issues and manages digital certificates to verify identities and enable secure communication
• Registration Authority (RA) acts as an intermediary between users and the CA, verifying identity information before certificate issuance
• Digital Certificates are electronic credentials issued by a CA to authenticate an entity's identity and enable secure data exchange

Secure Data Storage and Transmission

• Cryptographic techniques like encryption, hashing, and digital signatures ensure secure data storage and transmission
• Methods protect data from unauthorized access, interception, and tampering
• It is important to use best practices for implementing secure communication channels and access controls

Secure Socket Layer (SSL)/Transport Layer Security (TLS)

• Secure Socket Layer (SSL) is a cryptographic protocol designed to provide secure communication over a computer network
• SSL was developed by Netscape in the 1990s to establish an encrypted link between the web server and a web browser
• An SSL certificate establishes a secure connection between a website and a user's browser
• An SSL certificate proves someone is who they say they are
• SSL certificates are stored and displayed on the Web by a website's or application's server
• TLS succeeds SSL and is designed to provide improved security and efficiency
• TLS improves upon SSL to address vulnerabilities and incorporate modern cryptographic techniques
• The first version, TLS 1.0, was based on SSL 3.0 but included significant improvements
• TLS continues to evolve with newer versions offering enhanced security features

How SSL works

• A browser initiates a handshake with the server when visiting a secure website
• Handshake process involves exchanging cryptographic keys to establish a secure connection
• Once the handshake completes, all data exchanged between the browser and server is encrypted
• Encryption ensures that intercepted data remains unreadable without the decryption key
• SSL verifies the identity of the server, ensuring communication with the intended website, not an imposter

Types of SSL Certificates

• Single-domain SSL certificates secure one specific domain or subdomain, ensuring encrypted communication for that single site
• WildCard SSL certificates secure a primary domain and all its subdomains, providing flexibility for expanding websites
• Multi-Domain SSL certificates secure multiple domains and subdomains under a single certificate, ideal for businesses managing several websites

Different Validation Levels for SSL Certificates

• Domain Validation verifies only domain ownership and provides basic encryption with a quick, automated process
• Organization Validation requires verification of the organization's identity, offering higher trust and security for business websites
• Extended Validation involves rigorous identity verification, displaying a company's legal name in the address bar for maximum credibility and user trust

Differences Between SSL and TSL

• SSL is an older protocol for encrypting data between web clients and servers
• SSL has security vulnerabilities, making it less secure
• TLS has largely replaced SSL due to SSL vulnerabilities
• TLS is an updated and more secure version of SSL
• TLS ensures data privacy and integrity by encrypting communications
• TLS is widely used for secure online interactions, and offers security, compatibility, and updates

End-to-End Encryption and Data Masking

• End-to-End Encryption (E2EE) implements asymmetric encryption for secure data communication
  • It is the most secure way to communicate privately ensuring that data can be read-only by the sender and receiver
  • Data cannot be encrypted by government entities or the server through which data passes
• Data Masking creates an exact replica of pre-existing data to keep the original data safe from safety breaches
  • Data Masking is particularly important for big organizations that contain heaps of sensitive data that can be easily compromised
  • Critical details like credit card information, phone numbers, house addresses are highly vulnerable information that must be protected

Types of Data Masking

• Static data masking (SDM) alters data at rest and permanently replaces sensitive data
• Dynamic data masking (DDM) alters data simultaneously or during data transfer
• Deterministic data masking replaces a value in a given table column with a similar value from the same row
• On-the-fly data masking transfers data from one place to another without disk involvement

Data Loss Prevention (DLP) Strategies

• Data loss prevention protects sensitive information from loss, corruption, misuse, or unauthorized access
• This includes confidential customer data, financial statements, intellectual property, and employee records

Benefits of DLP

• Improved Data Visibility provides insights into data usage, movement, and potential risks
• Improved Data Visibility enhances security monitoring
• Secure Data in Remote/BYOD Environments protects sensitive data across personal devices and remote work setups through encryption and access controls
• Protect Intellectual Property prevents unauthorized access, sharing, or leakage of proprietary information
• Promote Brand Reputation reduces the risk of data leaks and breaches, maintaining customer trust and corporate credibility
• Prove Regulatory Compliance helps organizations meet legal and industry data protection requirements, avoiding penalties
• Prevent Cyberattacks and Data Breaches detects and blocks unauthorized data transfers, mitigating security threats and financial losses

How to Implement a DLP Strategy in 5 Steps

• Step 1: Establish goals and success metrics, such as improving data visibility, enhancing decision-making, reducing security risks, or ensuring compliance
• Step 2: Classify and prioritize data: including PII, PHI, PCI, and intellectual property, each needing specific protection as Public, Internal, Confidential, and Restricted
• Step 3: Monitor data and identify risks: Tracking data flow across networks, systems, and devices reveals vulnerabilities, helping to identify risky behaviors and refine policies
• Step 4: Develop policies and implement controls: Collaborate with leadership and managers to create risk-mitigating policies. Continuously seek feedback and monitor controls to enhance effectiveness
• Step 5: Train employees on DLP best practices: Human error causes 33% of data loss incidents, often due to lack of awareness. Regular training ensures employees understand best practices, handle sensitive data properly, and recognize threats, training should also cover incident response procedures for swift issue resolution