Objectives 1.4 CompTIA Sec+

Questions and Answers

What is a significant role of a trusted certificate authority in the PKI framework?

  • It encrypts all data transmitted between parties.
  • It stores cryptographic keys in escrow.
  • It issues public keys for web servers. (correct)
  • It generates random shared secret keys.

Which aspect is mainly ensured by the use of the private key in a web server's identity verification process?

  • Authenticity of the web server. (correct)
  • Integrity of the shared secret key.
  • Confidentiality of data transmissions.
  • Availability of the web server.

What is a potential risk associated with key escrow in terms of data security?

  • It could enable unauthorized access to escrowed keys. (correct)
  • It increases the likelihood of key loss.
  • It removes the requirement for secure key storage.
  • It eliminates the need for encryption.

In establishing a secure connection using PKI, which process follows the generation of a random shared secret key?

  • The shared secret is transmitted using asymmetric encryption.

What encryption method is typically used for the actual data transmission once a secure tunnel has been established in PKI?

  • Symmetric encryption (e.g., AES)

What advantage does public key infrastructure (PKI) offer in communication between unknown parties?

  • It establishes trust through asymmetric cryptography.

Which statement best describes the function of key escrow systems?

  • They allow a third party to store a copy of the decryption key for emergencies.

What is a potential consequence of losing a decryption key in a cryptographic system?

  • Access to the data is permanently lost.

In what situation would an organization's key recovery policy be most likely invoked?

  • When an employee leaves unexpectedly and cannot provide their key.

Which cryptographic elements are combined in hybrid cryptography as allowed by PKI?

  • Asymmetric cryptography, symmetric cryptography, hashing, and digital certificates.

Which encryption method specifically targets individual files without affecting the entire storage system?

  • File Encryption

Which combination of encryption methods is best suited for protecting data that is actively being created and modified?

  • Encryption at the Application Level and Secure Enclaves

What type of encryption is utilized to secure data as it travels across networks, especially in web browsing?

  • Transport Layer Security

Which of the following statements about Data States is false?

  • Data in Use is only stored in a database.

Which encryption method is likely to encrypt specific fields within a database record?

  • Record Encryption

Which characteristic distinguishes asymmetric encryption from symmetric encryption?

  • Utilizes two separate keys for encryption and decryption

What is the main use of the Diffie-Hellman algorithm?

  • Secure key exchange between parties

What is a key feature of the AES encryption standard?

  • Supports variable key sizes of 128, 192, or 256 bits

What kind of attack does 'Password Hashing' seek to prevent?

  • Replay attacks through hash impersonation

What distinguishes a block cipher from a stream cipher?

  • Breaking data into fixed-size blocks for encryption

Which of the following is a common vulnerability in hashing algorithms?

  • Collisions leading to data integrity issues

Which encryption method utilizes multiple rounds of transposition and substitution?

  • Triple DES

What does the term 'salting' refer to in the context of hash functions?

  • Adding random data to a password before hashing

Which algorithm is commonly used for digital signatures?

  • RSA

What is a significant risk associated with using MD5 for hash digest creation?

  • It has known vulnerabilities that lead to collisions

Cryptographic attacks can exploit which of the following?

  • All of the above

How does the 'birthday attack' exploit hash functions?

  • By comparing relatively small datasets for hash collisions

Which property does a digital signature provide in a communication?

  • Non-repudiation of the sender's identity

What is 'key stretching' primarily used for?

  • Increasing encryption key length to enhance security

What is the primary advantage of using Transparent Data Encryption (TDE) in a database?

  • It automatically encrypts the entire database.

Which type of encryption focuses specifically on protecting individual files rather than entire drives?

  • File-level encryption

Why is record-level encryption particularly beneficial in shared database environments?

  • It allows precise control over access to specific records.

Which encryption method would be most appropriate for encrypting only specific partitions of a hard drive?

  • Partition encryption

What is a key disadvantage of full-disk encryption (FDE) once the system is booted?

  • It exposes the entire disk to unauthorized access.

Which type of data encryption allows users to selectively choose files for encryption?

  • File-level encryption

In terms of data management, what does partition encryption specifically target?

  • Specific partitions within a hard drive.

What distinguishes column-level encryption (CLE) from whole database encryption?

  • CLE encrypts only specific columns within tables.

What is the primary purpose of obfuscation in software development?

  • To make code deliberately confusing to secure sensitive information

How does tokenization function in data protection?

  • By using a lookup table to map sensitive data to non-sensitive representations

What technique is used by masking to protect sensitive information?

  • Partially removing or hiding sensitive data by showing only certain characters

Which statement accurately describes the role of hashing in data security?

  • Hashing generates a unique hash value that can replace sensitive data in a system

What is a critical consideration when using a lookup table in tokenization?

  • The lookup table must remain secure to prevent data breaches

What is a significant flaw associated with offline distribution of secret keys?

  • It is vulnerable to interception during transit.

Why do communicators often prefer using public key encryption for initial communications?

  • It facilitates establishing a secure link before using secret key algorithms.

What is an advantage of the Diffie–Hellman key exchange algorithm?

  • It allows two parties to establish a shared key without prior communication.

Which statement contrasts the speed of public key and symmetric encryption?

  • Public key encryption is thousands of times slower than symmetric encryption.

What is a key limitation of offline key distribution methods?

  • They are prone to physical loss or compromise.

In what situation would the use of public key encryption be less advantageous?

  • When rapid data transmission is required.

Which of the following accurately represents an advantage of using public key encryption over offline key distribution?

  • It enables quicker establishment of communication links.

What disadvantage does the Diffie–Hellman key exchange algorithm inherently have?

  • It does not work well in completely insecure environments.

What is a characteristic feature of blockchain technology?

  • It provides an immutable and distributed ledger system.

In what way can blockchain improve property ownership records?

  • By ensuring transparency and protection against damage.

What is one of the potential uses of blockchain technology beyond cryptocurrency?

  • Tracking food supply chains for quality assurance.

How does the decentralization of authority in blockchain affect its operation?

  • It enables all participants to verify transactions independently.

Which feature distinguishes a Trusted Platform Module (TPM) from a Hardware Security Module (HSM)?

  • TPM is dedicated to drive encryption, while HSM manages keys in mission-critical scenarios.

What is the primary function of a Key Management System in data security?

  • It manages the lifecycle of cryptographic keys to protect against unauthorized access.

In what way do Secure Enclaves enhance device security?

  • By isolating sensitive data from the main processor for secure processing.

Which statement correctly describes the environment where an HSM operates?

  • It operates in a tamper-proof environment to ensure key security and compliance.

Which scenario represents an appropriate use case for integrating a TPM into a device?

  • Providing hardware-level encryption for securing sensitive data on a hard drive.

What is a significant disadvantage of using wildcard certificates?

  • Compromise of the certificate affects all subdomains.

Which of the following best describes the role of self-signed certificates?

  • They are primarily used for testing or closed systems.

Which feature is unique to dual-sided certificates compared to single-sided certificates?

  • Both server and user validate each other.

What is the main purpose of the SAN (Subject Alternate Name) field in digital certificates?

  • To identify additional domains and IP addresses supported by the certificate.

Which of the following statements about root of trust in certificate validation is correct?

  • It represents the highest level of trust in validating certificates.

What is the primary function of a Registration Authority (RA) in the certificate issuance process?

  • To collect user information and forward requests to the Certificate Authority

How does the Online Certificate Status Protocol (OCSP) compare to the Certificate Revocation List (CRL) in terms of speed and security?

  • OCSP is faster but less secure than CRL

Which security measure does Public Key Pinning primarily aim to prevent?

  • Phishing attacks through fraudulent certificates

What role do Key Recovery Agents serve within a Public Key Infrastructure (PKI)?

  • To restore lost or corrupted keys

In which scenario would OCSP Stapling significantly improve performance during the SSL/TLS handshake process?

  • When multiple requests for the same certificate are made frequently

What does a Certificate Signing Request (CSR) primarily include in its encoded text?

  • Public key and identity information of the requester

Which of the following statements best explains the importance of trust in digital certificates?

  • Compromised root Certificate Authorities (CAs) can lead to a loss of trust in all issued certificates

What is a fundamental requirement for Key Escrow Agents to function effectively?

  • Strong access controls are necessary to secure private key copies

    Study Notes

    Public Key Infrastructure (PKI)

    • A system that uses hardware, software, policies, procedures, and people to facilitate the secure transfer of data, authentication, and encrypted communications
    • Uses asymmetric encryption
    • Widely used in HTTPS connections for websites

    Establishing a Secure Connection

    • User connects to a website through HTTPS
    • Browser contacts a trusted certificate authority to obtain the website's public key
    • A shared secret key for symmetric encryption is generated
    • This shared secret is securely sent using public key encryption
    • Web server uses its private key to decrypt the shared secret
    • Both parties use the shared secret with symmetric encryption to create a secure connection

    Security Benefits

    • Confidentiality: Data is encrypted using the shared secret.
    • Authentication: The website's identity is verified through its private key.

    Key Escrow

    • Storage of cryptographic keys in a secure third-party location
    • Enables key retrieval in case of key loss or for legal investigations
    • In PKI, it ensures that encrypted data remains accessible
    • Important for situations where individuals or organizations lose their encryption keys

    Security Concerns

    • Malicious access to escrowed keys could result in data decryption
    • Requires strict security measures and access controls

    Public Key Infrastructure

    • Public-key encryption allows communication between parties who haven't previously met.
    • This is achieved through a hierarchy of trust relationships known as a Public Key Infrastructure (PKI).
    • PKI combines asymmetric and symmetric cryptography with hashing and digital certificates, resulting in hybrid cryptography.

    Key Escrow and Recovery

    • Strong encryption can pose a risk if the decryption key is lost.
    • Key escrow systems address this issue by having a third party store a protected copy of the key for emergency use.
    • Organizations can implement key recovery policies outlining the circumstances under which keys can be retrieved from escrow without user knowledge.

    Data States and Encryption Methods

    • Data at Rest is stored and not actively being used. This data is typically encrypted to protect it from unauthorized access.

      • Full Disk Encryption (FDE) encrypts the entire hard drive.
      • Partition Encryption encrypts specific partitions of the hard drive, leaving others unencrypted.
      • File Encryption encrypts individual files.
      • Volume Encryption encrypts selected files or directories.
      • Database Encryption encrypts data stored in a database at various levels, like columns, rows, or tables.
      • Record Encryption encrypts specific fields within a database record.
    • Data in Transit (Data in Motion) is actively moving between locations, making it vulnerable to interception. To protect data in transit, various transport encryption methods are used.

      • SSL (Secure Sockets Layer) and TLS (Transport Layer Security) secure communication over networks, commonly used for web browsing and email.
      • VPN (Virtual Private Network) creates secure connections over less secure networks like the internet.
      • IPSec (Internet Protocol Security) secures IP communication by authenticating and encrypting IP packets.
    • Data in Use is actively being processed and is one of the most difficult states to secure.

      • Encryption at the application level encrypts data during processing.
      • Access Controls restrict access to data during processing.
      • Secure Enclaves create isolated environments for processing sensitive data, protecting it from unauthorized access.

    Cryptographic Algorithms

    • Symmetric Algorithms use a single secret key for both encryption and decryption.

      • DES (Data Encryption Standard) uses a 64-bit key (56 effective bits). Encrypts data in 64-bit blocks through 16 rounds of transposition and substitution. It was widely used but is now considered weak.
      • Triple DES (3DES) utilizes three 56-bit keys, offering greater security than DES. It is slower than DES.
      • IDEA (International Data Encryption Algorithm) is a symmetric block cipher with a 64-bit block size, using a 128-bit key and offering more security than DES. It is not as widely used as AES.
      • AES (Advanced Encryption Standard) is the current standard for encryption of sensitive unclassified information. It supports 128-bit, 192-bit, or 256-bit keys.
      • Blowfish is a block cipher with key sizes ranging from 32 to 448 bits.
      • Twofish is a block cipher supporting 128-bit block size and key sizes of 128, 192, or 256 bits.
      • RC Cipher Suite (RC4, RC5, RC6) is a set of algorithms created by Ron Rivest. RC4 is a stream cipher, RC5 and RC6 are block ciphers.
    • Asymmetric Algorithms use separate keys for encryption (public) and decryption (private).

      • Diffie-Hellman is used for key exchange and secure key distribution. Vulnerable to man-in-the-middle attacks.
      • RSA (Ron Rivest, Adi Shamir, Leonard Adleman) is used for key exchange, encryption, and digital signatures. Relies on the mathematical difficulty of factoring large prime numbers.
      • Elliptic Curve Cryptography (ECC) offers efficient and secure encryption. Used in mobile devices and low-power computing.

    Hashing

    • Hashing is a one-way cryptographic function that converts data into a fixed-length string (hash digest).
      • Hash Digest is a unique digital fingerprint for the original data.
      • MD5 (Message Digest Algorithm 5) creates a 128-bit hash value. It is considered weak due to vulnerabilities and is not recommended for security-critical applications.
      • SHA (Secure Hash Algorithm) Family offers longer and more secure hash digests.
        • SHA-1 produces a 160-bit hash digest.
        • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) offers longer hash digests.
        • SHA-3 uses 224-bit to 512-bit hash digests.
      • RIPEMD (RACE Integrity Primitive Evaluation Message Digest) offers similar functionalities to SHA but is less popular.
      • HMAC (Hash-based Message Authentication Code) checks message integrity and authenticity.

    Digital Signatures

    • Digital Signatures are used for message integrity verification and non-repudiation. They involve encrypting a hash digest with the sender's private key.
      • DSA (Digital Security Algorithm) is a specific algorithm used for digital signatures using a 160-bit message digest.
      • RSA supports digital signatures, encryption, and key distribution.

    Cryptographic Attacks

    • Downgrade Attacks target a weak encryption protocol to downgrade the security of a communication channel.
    • Collision Attacks exploit the potential for different messages to have the same hash digest, compromising security.
    • Quantum Computing Threats pose potential threats to classical cryptographic techniques due to their ability to break certain algorithms efficiently.

    Encryption Tools

    • TPM (Trusted Platform Module) is a hardware-based security module that protects digital data and encrypts it securely.
    • HSM (Hardware Security Module) is a dedicated hardware device used for cryptographic key storage and generation.
    • Key Management Systems manage and control cryptographic keys for secure access and distribution.
    • Secure Enclave is a secure processor designed to isolate and protect sensitive computations within a device.
    • Obfuscation makes code or data difficult to understand, hindering reverse engineering.
    • Steganography hides data within seemingly innocuous files like images or audio.
    • Tokenization replaces sensitive data (e.g., credit card numbers) with unique tokens.
    • Data Masking replaces sensitive data with non-sensitive values while preserving data structure and integrity.

    Database Encryption

    • Two primary types of database encryption:

      • Transparent Data Encryption (TDE): Encrypts the entire database, providing comprehensive protection for sensitive data.
      • Column-level Encryption (CLE): Encrypts specific columns within tables, allowing for selective data protection based on sensitivity.
    • Record-level encryption:

      • Encrypts individual records within a database, providing fine-grained access control.
      • Particularly useful in shared environments where various users or groups need access to specific subsets of data.

    Encrypting Data on Disk

    • Full-disk encryption (FDE):

      • Encrypts all data on a hard drive, including the operating system and system files.
      • Offers comprehensive protection against unauthorized access in case of loss or theft.
      • Data is accessible once the system is booted, making it vulnerable if the system is compromised while running.
    • Partition encryption:

      • Encrypts specific partitions on a hard drive, providing flexibility in choosing which data to encrypt.
      • Particularly useful for dual-boot systems or segregating sensitive data.
    • File-level encryption:

      • Encrypts individual files, offering easier setup and management compared to FDE or partition encryption.
      • May be less secure than full-disk encryption as unencrypted and encrypted files can coexist on the same drive.
    • Volume encryption:

      • Encrypts a set "volume" on a storage device, encompassing folders and files.
      • Provides a balance between partition and file-level encryption, suitable for encrypting large amounts of data without needing to encrypt an entire disk or partition.

    Obfuscation

    • Used to protect sensitive information in software
    • Makes code difficult to understand

    Hashing

    • Replaces data values with a hash value
    • Uses a hash function to transform the original value
    • Strong hash functions prevent data retrieval from the hash

    Tokenization

    • Replaces sensitive values with a unique identifier
    • Uses a lookup table to maintain the original value
    • Securely stores the lookup table to protect the data

    Masking

    • Partially redacts sensitive information
    • Replaces characters with asterisks or Xs
    • Prevents complete exposure of sensitive data

    Key Exchange Methods

    • Offline Distribution is the simplest method, involving the physical exchange of secret keys.
      • This can be done through paper, storage media, or electronic devices resembling keys.
      • This method is vulnerable to interception, wiretapping, loss, or accidental disposal.
    • Public Key Encryption addresses the challenges of key distribution by establishing a secure initial communication link.
      • This initial link allows parties to confirm each other's identities before exchanging a secret key.
      • Once the secret key is exchanged, communication switches to the more efficient secret key algorithm.
      • Secret key encryption generally operates thousands of times faster than public key encryption.
    • Diffie-Hellman Algorithm provides a solution for key exchange when neither public key encryption nor offline methods are feasible.
      • It enables parties with no physical means of exchange and without a public key infrastructure to securely share a secret key.
      • This algorithm is highly effective in situations where traditional methods are impractical.

    Blockchain Definition

    • A blockchain is a shared, immutable ledger distributed across multiple computers.
    • It stores records securely, preventing tampering or destruction.

    Blockchain Applications

    • Cryptocurrency is a primary application, particularly Bitcoin.
    • Bitcoin transactions are recorded on a blockchain without central authority.
    • Blockchain allows for decentralized currency control.
    • Other applications include tracking property ownership records, supply chains, and food origin.
    • Potential benefits include transparency, security, and traceability.

    TPM (Trusted Platform Module)

    • A dedicated microcontroller for hardware-level security
    • Protects digital secrets using integrated encryption keys
    • Employed in BitLocker drive encryption on Windows devices
    • Provides resistance against software-based attacks

    HSM (Hardware Security Module)

    • A physical device used to safeguard and manage digital keys
    • Suitable for high-security scenarios like financial transactions
    • Performs encryption operations in a tamper-proof environment
    • Ensures key security and compliance with regulations

    Key Management System

    • Manages the lifecycle of cryptographic keys (storage, distribution, retirement)
    • Acts as a centralized mechanism for key management
    • Vital for data security and preventing unauthorized access
    • Automates key management in complex environments

    Secure Enclaves

    • A coprocessor built into the main processor of some devices
    • Isolated from the main processor to ensure secure data processing and storage
    • Safeguards sensitive data like biometric information
    • Enhances device security by preventing unauthorized access

    Digital Certificates

    • Digitally signed electronic documents
    • Bind a public key with a user's identity
    • Used for individuals, servers, workstations, and devices
    • Utilize the X.509 Standard
    • Contain the owner's/user's information and certificate authority details

    Types of Digital Certificates

    • Wildcard Certificate
      • Allows multiple subdomains to use the same certificate
      • Easier management, cost-effective for subdomains
      • Compromise affects all subdomains
    • SAN (Subject Alternate Name) Certificate
      • Specifies what additional domains and IP addresses are supported
      • Used when domain names don't have the same root domain
    • Single-Sided and Dual-Sided Certificates
      • Single-sided
        • Only requires server validation
      • Dual-sided
        • Server and user validate each other
        • Higher security, requires more processing power
    • Self-Signed Certificates
      • Signed by the same entity whose identity it certifies
      • Provides encryption but lacks third-party trust
      • Used in testing or closed systems
    • Third-Party Certificates
      • Issued and signed by trusted certificate authorities (CAs)
      • Trusted by browsers and systems
      • Preferred for public-facing websites

    Key Concepts

    • Root of Trust
      • Highest level of trust in certificate validation
      • Trusted third-party providers like Verisign, Google, etc.
      • Forms a certification path for trust
    • Certificate Authority (CA)
      • Trusted third party that issues digital certificates
      • Certificates contain CA's information and digital signature
      • Validates and manages certificates
    • Registration Authority (RA)
      • Requests identifying information from the user and forwards certificate request to the CA
      • Collects user information for certificates
      • Assists in the certificate issuance process
    • Certificate Signing Request (CSR)
      • A block of encoded text with information about the entity requesting the certificate
      • Includes the public key
      • Submitted to CA for certificate issuance
      • Private key remains secure with the requester
    • Certificate Revocation List (CRL)
      • Maintained by CAs
      • List of all digital certificates that the certificate authority has already revoked
      • Checked before validating a certificate
    • Online Certificate Status Protocol (OCSP)
      • Determines certificate revocation status using the certificate's serial number
      • Faster but less secure than CRL
    • OCSP Stapling
      • Alternative to OCSP
      • Allows the certificate holder to get the OCSP record from the server at regular intervals
      • Includes OCSP record in the SSL/TLS handshake
      • Speeds up the secure tunnel creation
    • Public Key Pinning
      • Allows HTTPS websites to resist impersonation attacks
      • Presents trusted public keys to browsers
      • Alerts users if a fraudulent certificate is detected
    • Key Escrow Agents
      • Securely store copies of private keys
      • Ensure key recovery in case of loss
      • Require strong access controls
    • Key Recovery Agents
      • Allow the restoration of a lost or corrupted key
      • Act as a backup for certificate authority keys

    Trust in Digital Certificates

    • Trust is essential in digital certificates
    • Compromised root CAs can impact all issued certificates
    • Commercially trusted CAs are more secure
    • Self-managed CAs must be vigilant against compromises


    Description

    Objectives for point 1.4; they may not all be here.
