Security Plus SY0-701 Domain 1 Handout (1).pdf

Full Transcript

SECURITY+ EXAM CRAM

Domain 1
Coverage of every topic in
the official exam syllabus!

with Pete Zerger vCISO, CISSP, MVP Covers SY0-701
SECURITY+
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE
500 practice questions
100 flashcards
2 practice exams
SECURITY+
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE

1000 practice questions
2 practice exams
Links in video description
 1.0 General Security Concepts

line-for-line review of the official exam syllabus!
1.0 General Security Concepts
1.1 Compare and contrast various types of security controls

Categories Control Types
– Technical – Preventive
– Managerial – Deterrent
– Operational – Detective
– Physical – Corrective
– Compensating
– Directive

You should know some examples of each for the exam.

Controls can fit into multiple types based on context.
Categories of security controls
Technical
Hardware or software mechanisms used to manage access to resources
and systems and provide protection for those resources and systems.
Physical
Security mechanisms focused on providing protection to the
facility and real-world objects.

Managerial
Policies and procedures, administrative controls defined by an
organizations security policy.
Use planning and assessment methods to review the organization’s
ability to reduce and manage risk.

Operational
Help ensure that the day-to-day operations of an organization comply
with their overall security. Primarily implemented and executed by people
instead of systems.
Categories of security controls EXAMPLES

Technical Physical Managerial Operational
Encryption Guards Policies Awareness training
Smart cards Fences Procedures Configuration
Hiring practices management
Passwords Lights
Background Media protection
Biometrics Motion detectors checks
Access control Guard dogs Data classification
lists (ACLs) Security training
Video cameras
Firewalls, routers Risk assessments
Alarms
IDS/IPS Vulnerability
Laptop locks assessments
Categories of security controls

Technical Technology (HW and SW)

Physical Tangible (touchable)

Managerial Policy (and policy implementation)

Operational People (doing stuff)
Security controls
Physical Prevent physical attacks
on facilities and devices

Operational People-centric activities

Protect against logical
Technical
attacks and exploits

Managerial policies

ASSETS
 D O M A I N 1 : CONTROLS

Security Controls
Security measures for countering and
minimizing loss or unavailability of
services or apps due to vulnerabilities
 D O M A I N 1 : SECURITY CONTROLS

Security Controls
The terms safeguards and
countermeasures may seem
to be used interchangeably
 D O M A I N 1 : SECURITY CONTROLS

Security Controls
safeguards are proactive (reduce
likelihood of occurrence)
countermeasures are reactive
(reduce impact after occurrence)
 D O M A I N 1 : SECURITY CONTROLS

Control Types
Deterrent. Deployed to discourage violation of
security policies.
Preventive. Deployed to thwart or stop
unwanted or unauthorized activity from occurring.
Detective. Deployed to discover or detect
unwanted or unauthorized activity.
Compensating. Provides options to other existing
controls to aid in enforcement of security policies.
 D O M A I N 1 : SECURITY CONTROLS

Control Types
Corrective. modifies the environment to return
systems to normal after an unwanted or
unauthorized activity has occurred.
Directive. direct, confine, or control the actions of
subjects to force or encourage compliance with
security policies.
CONTROL TYPES EXAMPLES

Preventive
deployed to stop unwanted or unauthorized activity from occurring,
EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job
rotation, data classification, penetration testing, access control methods

Deterrent
deployed to discourage the violation of security policies. A deterrent
control picks up where prevention leaves off.

EXAMPLES: locks, fences, security badges, security guards, lighting,
security cameras, trespass or intrusion alarms, separation of duties,
security policies, and security awareness training
CONTROL TYPES
Detective
deployed to discover unwanted or unauthorized activity. Often are
after-the-fact controls rather than real-time controls.
EXAMPLES: security guards, guard dogs, motion detectors, job rotation,
mandatory vacations, audit trails, intrusion detection systems, violation
reports, honey pots, and incident investigations

Directive
direct, confine, or control the actions of subjects to force or
encourage compliance with security policies..

EXAMPLES: policies, procedures, standards, guidelines, physical signage,
verbal instructions, contracts and agreements
CONTROL TYPES
Corrective
deployed to restore systems to normal after an unwanted or unauthorized
activity has occurred. minimal capability to respond to access violations.
EXAMPLES: backups and restores, patching, antivirus/antimalware,
forensic analysis, disciplinary action

Compensating
deployed to provide options to other existing controls to aid in the
enforcement and support of a security policy.
EXAMPLES: security policy, personnel supervision, monitoring,
and work task procedures
Control overlap One control, multiple types/functions

A single security control can be identified as multiple
types, depending on the context of the situation

Overlapping Functions
Security controls are designed to work together, and their
functions often overlap.
EXAMPLE: a security camera system is both deterrent (deterring unwanted
entry) and detective (recording potential security incidents for later review).

Context Matters
The classification of a control can depend on how it's
implemented and the specific risk it's addressing.
EXAMPLE: an access control list can be primarily preventive if it blocks
unauthorized access or detective if it mainly logs access for later investigation.
Control overlap One control, multiple types/functions

A single security control can be identified as multiple
types, depending on the context of the situation

Focus on keywords
Exams often use specific words or phrases to hint at the
control type.

Deterrent: "warning," "sign," "visibility," "perception"
Preventive: "access control," "authentication," "firewall," "encryption"
Directive: "policy," "procedure," "standard," "guideline"
EXAMPLES Detective: "monitoring," "audit," "logging," "alert"
Corrective: "backup," "restore," "incident response," "patching"
Compensating: "alternative," "backup," "redundancy"
1.0 General Security Concepts
1.2 Summarize fundamental security concepts

Confidentiality, Integrity, and Policy Engine Pressure
Availability (CIA) – Data Plane Microwave
Non-repudiation Implicit trust zones Ultrasonic
Subject/System Deception and disruption
Authentication,
Policy Enforcement Point technology
Authorization, and Physical security – Honeypot
Accounting (AAA) – Bollards – Honeynet
– Authenticating people – Access control vestibule – Honeyfile
– Authenticating systems – Fencing – Honeytoken
– Authorization models – Video surveillance
Gap analysis – Security guard
Zero Trust
– Control Plane
– Access badge
– Lighting
Security controls
Adaptive identity – Sensors
Threat scope reduction Infrared
Policy-driven access control
Policy Administrator
D O M A I N 1 : SECURITY & RISK MANAGEMENT

KNOW

BY HEART!
 D O M A I N 1 : SECURITY & RISK MANAGEMENT

C onfidentiality

I ntegrity

A vailability
 D O M A I N 1 : SECURITY & RISK MANAGEMENT

1
C onfidentiality
2 3
I ntegrity A vailability
D O M A I N 1 : SECURITY & RISK MANAGEMENT

C onfidentiality
Access controls help ensure that only
authorized subjects can access objects
 D O M A I N 1 : GENERAL SECURITY CONCEPTS

I ntegrity
Ensures that data or system configurations
are not modified without authorization
D O M A I N 1 : GENERAL SECURITY CONCEPTS

A vailability
Authorized requests for objects must
be granted to subjects within a
reasonable amount of time
Non-repudiation
Non-repudiation is the guarantee that no one can deny a transaction.

Methods to provide non-repudiation
Digital Signatures prove that a digital message or document was not
modified—intentionally or unintentionally—from the time it was signed.
based on asymmetric cryptography (a public/private key pair)
the digital equivalent of a handwritten signature or stamped seal.
provides non-repudiation in a publicly verifiable manner.
Non-repudiation is the ability to defeat/counter a false rejection or
refusal of an obligation with irrefutable evidence.

REMEMBER: shared accounts/identities prevent non-repudiation!
AAA
Several protocols provide authentication,
authorization, and accounting services.

Authentication
user/service proves identity with some type of credentials, such as a username
and password.

Authorization
authenticated users are granted access to resources based on the roles and/or
permissions assigned to their identity.

Accounting
methods that track user activity and records these activity in logs.
Tracks user activity and resource access as part of the audit trail
identification and authentication

Subjects claim an identity, and identification
Identification can be as simple as a username for a user.

Subjects prove their identity by providing
Authentication authentication credentials such as the
matching password for a username.
authorization and accountability

After authenticating subjects, systems
Authorization authorize access to objects based on their
proven identity.
after authentication

Auditing logs and audit trails record events
Accountability including the identity of the subject that
provides proof performed an action.

identification + authentication + auditing = ACCOUNTABILITY
maintaining accountability

Why is accountability important?
is maintained for individual subjects using auditing.
logs record user activities and users can be held
accountable for their logged actions.
HOW THIS HELPS
directly promotes good user behavior and
compliance with the organization’s security policy.
Provides an audit trail for investigation if needed
maintaining accountability
But it’s not only for people…
In modern enterprises, systems and devices have
identities as well!
EXAMPLES:
In the cloud, VMs have a managed identity (managed by
platform) used to access resources, such as data.
Client devices have machine identities in mobile device
management (MDM) platforms.
 D O M A I N 1. 2 : AUTHORIZATION MODELS

Non-discretionary Access Control
Enables the enforcement of system-wide restrictions that override
object-specific access control. RBAC is considered non-discretionary
Discretionary Access Control (DAC) Use-based, user-centric
A key characteristic of the Discretionary Access Control (DAC) model is that every
object has an owner, and the owner can grant or deny access to any other subject.
Example: New Technology File System (NTFS)

Role Based Access Control (RBAC)
A key characteristic is the use of roles or groups. Instead of assigning permissions
directly to users, user accounts are placed in roles and administrators assign
privileges to the roles. Typically mapped to job roles.

Rule-based access control
A key characteristic is that it applies global rules that apply to all subjects. Rules
within this model are sometimes referred to as restrictions or filters.
EXAMPLE: a firewall uses rules that allow or block traffic to all users equally.
 MADATORY ACCESS CONTROL

“
A key point about the MAC model is that every
object and every subject has one or more labels.
These labels are predefined, and the system
determines access based on assigned labels.

EXAMPLE: in military security, data owner does not set access
 D O M A I N 1. 2 : AUTHORIZATION MODELS

ATTRIBUTE-BASED
ACCESS CONTROL
access is restricted based on an attribute
on the account, such as department,
location, or functional designation.
For example, admins may require user accounts have
the Legal department attribute to view contracts
SUBJECTS AND OBJECTS IN ACCESS CONTROL

Subjects A user, group, or service accessing
resources, known as objects.

Resources, such as files, folders, shares,
Objects and printers, accessed by subjects

These come up often in discussions of access
control, so you should be familiar for the exam

The authorization model determines how a system
grants users access to files and other resources.
 All auditors should have independence, but attestations from
Gap analysis external auditors carry more weight (higher confidence)

A common task performed on a recurring basis, and often
in preparation for external audits is the gap analysis.

Auditors will follow a standard (often ISO 27001) and then
compare standard requirements to the org’s current operations.
Deficiencies versus the standard will be captured in the audit
report as gaps, sometimes called control gaps.

Control gap
a discrepancy between the security measures an organization
should have in place versus controls actually in place.

The outcome of an audit is an attestation, which is a formal
statement made by the auditor on controls and processes in place.
Zero trust

An approach to security architecture in
which no entity is trusted by default
Zero Based on three principles:

Trust 1) Assume breach
2) Verify explicitly
3) Least privilege access

Has largely replaced trust but verify and its network perimeter strategy.
Supported by defense in depth, that advises a layered approach to security.
Zero Trust Security
addresses the limitations of the legacy
network perimeter-based security model.
treats user identity as the control plane
assumes compromise / breach in verifying
every request. no entity is trusted by default

VERIFY MANAGE MANAGE PROTECT
IDENTITY DEVICES APPS DATA
Access policy enforcement
Policy Enforcement Point
responsible for enabling, monitoring, and terminating connections between a
subject (such as a user or device) and an enterprise resource.
acts as the gateway that enforces access control policies.
when an access request occurs, the PEP evaluates the request against predefined
policies and applies the necessary controls.
For example, PEP might enforce Multi-Factor Authentication (MFA) for access
requests from unexpected locations. Dynamic based on conditions/context

Policy Decision Point
is where access decisions are made based on various factors such as user
identity, device health, and risk assessment.
evaluates the context of an access request and decides whether it should be
allowed, denied, or subjected to additional controls.
considers the 5 W’s (who, what, when, where, and why)
In short, the PEP enforces policies at the connection level, while
the PDP makes access decisions based on contextual information.
Access policy enforcement

The key elements of Zero Trust Network Architecture:

Control Plane Data Plane
✓ Adaptive Identity ✓ Implicit Trust Zones
✓ Threat Scope Reduction ✓ Subject/System
✓ Policy-Driven Access Control ✓ Policy Enforcement Point
✓ Policy Administrator
Enforces the decisions defined in
✓ Policy Engine control plane

Drives the policy-based decision
logic for zero trust
Described in NIST SP 800-207
Zero trust CONTROL PLANE

Adaptive Identity
changes the way that the system asks a user to authenticate based on
context of the request. EXAMPLES: location, device, app, risk

Threat Scope Reduction
an end goal of ZTNA, which is to decrease risks to the organization.

Policy-Driven Access Control
controls based upon a user’s identity rather than simply their system’s
location. EXAMPLE: Conditional Access in MSFT Entra ID

Policy Administrator (PA) PA + PE = Policy Decision Point (PDP)

responsible for communicating the decisions made by the policy engine.

Policy Engine (PE) EXAMPLE: MSFT Entra ID (Azure Active Directory)

decides whether to grant access to a resource for a given subject.
Zero trust DATA PLANE

Implicit Trust Zones
part of traditional security approach in which firewalls and other security devices
formed a perimeter. Systems belonging to the org were placed inside this boundary.

Subject/System
A subject is a user who wishes to access a resource.
A system is a non-human entity, often the device used by the user, to access the
resource.

Policy Enforcement Point
when a user or system requests access to a resource, the PEP evaluates it against
predefined policies and applies the necessary controls.
EXAMPLE: MSFT Entra ID (Azure Active Directory)
conditional access enforcing “conditions of access”

image credit: Microsoft
signal > decision > enforcement
Zero Trust (logical diagram) Where policy
decisions are made

Policy Decision Point

Policy Engine Data Access
CDM System
Policy

Policy Administrator
Industry
PKI
Compliance
Control Plane
Threat Data Plane Identity
Intelligence Management
Untrusted Policy Enforcement Trusted

Activity Logs
Point
SIEM System
Subject and Enterprise
Supporting System Resource Supporting
Components Components

Where security controls are applied
 SECURITY+ EXAM CRAM

A quick tour of
Conditional Access

EXAMPLE FOR CONTEXT – The
Security+ exam is vendor-agnostic.
physical security

There is no security without physical security
Without control over the physical environment, no
amount of administrative or technical/logical access
controls can provide adequate security.
If a malicious person can gain physical access to your
facility or equipment, they can do just about anything they
want, from destruction to disclosure and alteration.
bollard
A short, sturdy vertical post, usually made of
concrete, steel, or other heavy-duty materials.
They can be fixed in place or retractable.
Act as physical barriers, preventing vehicles from
forcibly entering a restricted area.
Delineate pedestrian areas, parking lots, and
bollard sensitive zones to minimize accidental damage

Primarily used to control traffic flow and protect
buildings or areas from vehicle-based attacks.
Access control vestibule Previously called a mantrap

A physical security system comprising a small
space with two interlocking doors.
Only one door can be opened at a time.

Designed to strictly control access to highly secure
areas by allowing only one person at a time to
pass through.

Protects against
Access control Tailgating (slipping in on someone else's badge)
vestibule Piggybacking (like tailgating, but with bad intent)
Unauthorized entry of any kind
FENCES
Efficacy of fences by height
3-4 feet
deters the casual trespasser Fence is a DETERRENT control
PIDAS is a DETECTIVE control
6-7 feet
too difficult to climb easily
may block vision (providing additional security)

8-feet (topped with barbed wire) EXPENSIVE and may
will deter determined intruders generate false positives

PIDAS (perimeter intrusion detection and assessment system)
will detect someone attempting to climb a fence.
FENCES
Efficacy of fences by height
3-4 feet
deters the casual trespasser Fence is a DETERRENT control
PIDAS is a DETECTIVE control
6-7 feet
too difficult to climb easily
may block vision (providing additional security)

8-feet (topped with barbed wire)
will deter determined intruders

To augment fences some orgs may erect stronger barricades,
or zig-zag paths to prevent a vehicle from ramming a gate.
 Can you see how each may also
Physical security serve to deter potential attacks?

Video surveillance Detective control
Cameras and closed-circuit television (CCTV) systems provide video
surveillance and reliable proof of a person’s identity and activity.
Many cameras include motion and object detection capabilities.

Security guards Preventive control
a preventive physical security control, and they can prevent
unauthorized personnel from entering a secure area.
can recognize people and compare an individual’s picture ID for people
they don’t recognize.
Access badges Preventive control
can electronically unlock a door and help prevent unauthorized
personnel from entering a secure area.
lighting Deterrent control

When planning lighting, think about location, efficiency and protection.
Location
installing lights at all the entrances and exits to a building can
deter attackers from trying to break in.
Efficiency
a combination of automation, light dimmers, and motion sensors
to save on electricity costs without sacrificing security.
automatically turn on at dusk, automatically turn off at dawn.
Protection
protect the lights. If an attacker can remove the light bulbs, it
defeats the control.
either place the lights high enough so that they can’t be reached or
protect them with a metal cage.
Infrared sensors
detects heat signatures in the form of infrared radiation emitted by
people, animals, or objects.
integrated into security cameras and alarm systems to improve detection capabilities

Pressure
designed to detect changes in pressure on a surface or in a specific
area, such as a person walking on a floor or stepping on a mat.
used in access control systems to ensure that only authorized individuals can enter

Microwave
uses microwave technology to detect movement within a specific area.
often used with other types of sensors to reduce false alarms

Ultrasonic
emits high-frequency sound waves and measure the time it takes for the
sound waves to bounce back after hitting an object or surface.
commonly used in parking assistance, robotic navigation, and intrusion detection
Deception and disruption

Lure bad people into doing bad things. Lets
you watch them.

Honeypot Only ENTICE, not ENTRAP. You are not allowed
to let them download items with “Enticement”.

A group of honeypots For example, allowing download of a fake
is called a honeynet. payroll file would be entrapment.

Goal is to distract from real assets and isolate in a padded cell
until you can track them down.
Deception and disruption

Honeyfile a decoy file deceptively named so it attracts
the attention of an attacker.

a fake record inserted into a database
Honeytoken to detect data theft.

These are all intended to deceive attackers and disrupt attackers,
divert them from live networks and allow observation.
1.0 General Security Concepts
Explain the importance of change management processes
1.3 and the impact to security.

WHAT do these solve for? Why do we use them?
Business processes Technical implications Documentation
impacting security operation – Allow lists/deny lists – Updating diagrams
– Approval process – Restricted activities – Updating policies/procedures
– Ownership – Downtime Version control
– Stakeholders – Service restart
– Impact analysis – Application restart
– Test results – Legacy applications
– Backout plan – Dependencies
– Maintenance window
– Standard operating procedure
 ORGANIZATIONAL POLICIES

Configuration & Change Management
Can prevent security related incidents and outages
Configuration Management
ensures that systems are configured similarly, configurations are known
and documented. Ensures true ‘current state’ is known to all
Baselining ensures that systems are deployed with a common baseline
or starting point, and imaging is a common baselining method.

Change Management
the policy outlining the procedures for processing changes
helps reduce risk associated with changes, including outages or
weakened security from unauthorized changes.

Requires changes to be requested, approved, tested, and documented.
 ORGANIZATIONAL POLICIES

Change Management vs Change Control
Change Control
refers to the process of evaluating a change request within an organization
and deciding if it should go ahead.
requests are sent to the Change Advisory Board (CAB) to ensure that it is
beneficial to the company.

Change Management Change Control
policy that details how changes will process of evaluating a change request
be processed in an organization to decide if it should be implemented

Guidance on the process The process in action
 BUSINESS PROCESSES impacting security operation

A change management program should address
important business process issues, including:

Approval process: ensures that every proposed change is properly reviewed and
cleared by management before it takes place. Ensure alignment across teams
Ownership: clearly defines who is responsible for each change by designating a
primary owner who will be the key decisionmaker and sponsor of the change.
Stakeholder analysis: identifies all the individuals and groups within the
organization and outside the organization that might be affected by the change.
Enables team to contact and coordinate with all relevant stakeholders
Impact analysis: review of potential impacts of a change, including side effects.
Ensures team considers impact to systems and stakeholders
Testing: confirms that the change will work as expected by validating it in a test
environment before production rollout.
Test results should be captured in the change approval request
 BUSINESS PROCESSES impacting security operation

A change management program should address
important business process issues, including:

Backout plan: provides detailed step-by-step sequence that the team should
follow to roll back if the change goes wrong.
Ensures systems can be quickly restored to an operational state
Maintenance windows: Standing window of time during which changes can be
implemented that minimizes impact to business, often outside of business hours.
For critical services, may be defined in customer contracts

REMEMBER: Any change that affects system
or data exposure may impact security!

These elements together can define a standard
operating procedure for change management.
 TECHNICAL IMPLICATIONS

There are several technical implications that should be
considered as part of the change management process.

Allow lists/deny lists
Restricted activities
WHY?
Downtime
To avoid service disruptions
Application restarts and security vulnerabilities

Legacy applications
Dependencies
 TECHNICAL IMPLICATIONS

There are several technical implications that should be
considered as part of the change management process.

Allow lists/deny lists
firewall rules, application allow/deny lists, and access control lists
(ACLs) may need to be updated.
Restricted activities
some activities may need to be restricted, such as data updates
during database replication/migration.
Downtime
some changes may cause service interruption, resulting in direct
impact to the business.
This is where our ‘maintenance window’ comes into play
 TECHNICAL IMPLICATIONS

There are several technical implications that should be
considered as part of the change management process.

Application restarts
putting controls around risky activities, such as application and
service restarts.
Legacy applications use case for private or hybrid cloud
modifications to legacy apps that may not support some
changes, such as component/service version updates.
Dependencies
tracking dependencies between systems and services to identify
downstream effects of current and future changes.
documentation
The process of documentation current state of
and changes to the operating environment.

Provides team members with a repository of information about the way
that systems and applications are designed and configured.
Serves as a reference for current and future team members
Change management processes should ensure that changes are not
closed out until all documentation and diagrams are updated.
It is a continuous process across new deployments and changes
Documentation applies not only to environment, but to policies and
procedures that direct operation and support of the environment.

Provides benefits to IT and security operations, BC/DR, incident
response, and future design and planning iterations.
documentation
The process of documentation current state of
and changes to the operating environment.

Provides team members with a repository of information about the way
that systems and applications are designed and configured.
Serves as a reference for current and future team members
Change management processes should ensure that changes are not
closed out until all documentation and diagrams are updated.
It is a continuous process across new deployments and changes
Documentation applies not only to environment, but to policies and
procedures that direct operation and support of the environment.

You cannot fully secure a system or service for which you do not
have a true picture of current state!
Version control
A formal process used to track the current versions of
software code and system/application configurations.

Most organizations use a formal version control system that is integrated
into their software development processes.
For most orgs, this is some platform based on Git.
Developers modify the code and check it into a version control system
that identifies conflicts in their changes with those made by other devs.
It also tracks the current dev, test, and production versions of code.
Code for different environments is tracked in Git using code ‘branches’

FOR THE EXAM: Focus on the functions of version control,
not on any specific version control system.
1.0 General Security Concepts
Explain the importance of using appropriate cryptographic
1.4 solutions.
Public key infrastructure (PKI) Tools – Certificate revocation lists
– Public key – Trusted Platform Module (TPM) (CRLs)
– Private key – Hardware security module – Online Certificate Status
– Key escrow (HSM) Protocol (OCSP)
Encryption – Key management system – Self-signed
- Level – Secure enclave – Third-party
Full-disk Obfuscation – Root of trust
Partition – Steganography – Certificate signing request
File – Tokenization (CSR) generation
Volume – Data masking – Wildcard
Database Hashing
Record Salting
– Transport/communication Digital signatures
– Asymmetric
Key stretching
– Symmetric
– Key exchange
Blockchain
– Algorithms Open public ledger
– Key length Certificates
- Certificate authorities
Public key infrastructure (pki) CONCEPTS

Key management
management of cryptographic keys in a cryptosystem.
Operational considerations include dealing with the generation, exchange,
storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers,
user procedures, and other relevant protocols.

Certificate authority (CA)
Certification Authorities create digital certificates and own the policies.
PKI hierarchy can include a single CA that serves as root and issuing CA,
but this is not recommended.
Also called a ‘certification authority’ by some vendors
Public key infrastructure (pki) CONCEPTS

Usually maintained in an offline state
Root
CA Issues certs to new subordinate CAs
CHAIN OF TRUST

Also called a Policy CA or Intermediate CA
Subordinate
CA Issues certs to new issuing CAs

Certificates for clients, servers, devices,
Issuing websites, etc. issued from here
CA
Can be consolidated to fewer servers,
creating a 1 or 2-level hierarchy.
Public key infrastructure (pki) CONCEPTS

Certificate revocation list (CRL)
Contains information about any certificates that have been revoked due
to compromises to the certificate or PKI hierarchy.
CRL of issuing CA contains info on revocation of certs it has issued
CAs are required to publish CRLs, but it’s up to certificate consumers if they
check these lists and how they respond if a certificate has been revoked.

Each CRL is published to a file, that the client must
download to check, which can grow large over time
Public key infrastructure (pki) CONCEPTS

Online Certificate Status Protocol (OCSP)
Offers a faster way to check a certificate’s status compared to
downloading a CRL.
With OCSP, the consumer of a certificate can submit a request to the
issuing CA to obtain the status of a specific certificate.

Certificate signing request (CSR)
Records identifying information for a person or device that owns a
private key as well as information on the corresponding public key.
It is the message that's sent to the CA in order to
get a digital certificate created.
CN (common name)
the Fully Qualified Domain Name (FQDN) of the entity (e.g. web server)
Public key infrastructure (pki) CONCEPTS

Online vs. offline CA. Online CA is always running, offline CA is kept offline
except for specific issuance and renewal operations.
Offline is best practice for your root CA.
Stapling. a method used with OCSP, which allows a web server to provide
information on the validity of its own certificate.
Done by the web server essentially downloading the OCSP response from
the certificate vendor in advance and providing it to browsers.
Pinning. a method designed to mitigate the use of fraudulent certificates.
Once a public key or certificate has been seen for a specific host, that key
or certificate is pinned to the host.
Should a different key or certificate be seen for that host, that might
indicate an issue with a fraudulent certificate.
Public key infrastructure (pki) CONCEPTS

Certificate chaining
Refers to the fact that certificates are handled by a chain of trust.
You purchase a digital certificate from a certificate authority (CA), so you
trust that CA’s certificate.
In turn, that CA trusts a root certificate.

Trust model
A model of how different certificate authorities trust each other and how
their clients will trust certificates from other certification authorities.
The four main types of trust models that are used with PKI are
bridge, hierarchical, hybrid, and mesh.
Public key infrastructure (pki)
Key escrow
Addresses the possibility that a cryptographic key may be lost.
The concern is usually with symmetric keys or with the private key in
asymmetric cryptography.
If that occurs, then there is no way to get the key back, and the user cannot
decrypt messages.
Organizations establish key escrows to enable recovery of lost keys.
 CERTIFICATE FORMATS

X.509 certificate formats and descriptions

FORMAT EXT PRI KEY DESCRIPTION

Distinguished encoding rules DER NO Secure remote access (Linux and network)
Privacy enhanced mail PEM YES Secure copy to Linux/Unix
Personal information
PFX YES Supports storage of all certificates in path
exchange
Base64-encoded CER NO Storage of a single certificate.
PKCS#12 standard P12 YES Supports storage of all certificates in path
Cryptographic Message Supports storage of all certificates in path.
P7B NO
Syntax Standard KCS #12 is the successor to Microsoft's "PFX“.

EXT = File extension PRI KEY = File includes private key?

Certificates are not whole without the private key!
Types of certificates
User Root
Used to represent a user's digital identity.
CA
In most cases, a user certificate is mapped back to a user account.
Root This is the “root of trust”
A trust anchor in a PKI environment is the root certificate from which the
whole chain of trust is derived; this is the root CA.
Subordinate
Domain validation CA
A Domain-Validated (DV) certificate is an X.509 certificate that
proves the ownership of a domain name.
Extended validation
Extended validation certificates provide a higher level of trust in
identifying the entity that is using the certificate. Issuing
Commonly used in the financial services sector. CA
Root of trust Think of the certificate of root CA as “root of trust”

In a PKI, the root certificate serves as the trust anchor,
Root
as it is the most trusted component of the system.
CA
Your org’s root certificate will be deployed to your org’s
devices to the list of trusted certificate authorities.
Your CA’s root certificate is generally only known and
trusted within your organization Subordinate
CA
For external customer-facing use cases
For resources accessed externally, you will buy a
certificate from a trusted third party.
e.g. Digicert, Entrust, GlobalSign, GoDaddy Issuing
CA
Root certificates from widely trusted sources are pre-
installed on most devices (computers, phones, etc.)
SECURITY+ EXAM CRAM

Certificates, certificate
authority & root of trust
Types of certificates
Wildcard Supports multiple FQDNs in the same domain
Can be used for a domain and a subdomain. For example:
In the contoso.com domain, there are two servers called web and mail.
The wildcard certificate is *.contoso.com and, when installed, it would work for the
Fully Qualified Domain Names (FQDNs) for both of these.
A wildcard can be used for multiple servers in the same domain, saving costs.

Code signing Provides proof of content integrity
When code is distributed over the Internet, it is essential that users can trust that it
was actually produced by the claimed sender.
An attacker would like to produce a fake device driver or web component (actually
malware) that is claimed to be from some legitimate software vendor.
Using a code signing certificate to digitally sign the code mitigates this danger.
Types of certificates
Self-signed
A self-signed certificate is issued by the same entity that is using it. However, it does
not have a CRL and cannot be validated or trusted.
It is the cheapest form of internal certificates and can be placed on multiple servers.

Machine/computer
A computer or machine certificate is used to identify a computer within a domain.

Email
Allow users to digitally sign their emails to verify their identity through the attestation
of a trusted third party known as a certificate authority (CA).
Allow users to encrypt the entire contents (messages, attachments, etc.)

Third-party
A certificate issued by a widely trusted external provider such as GoDaddy or Digicert.
Preferred for TLS on public-facing services, such as company website.
Types of certificates
Subject alternative name (SAN)
an extension to the X. 509 specification that allows users to specify additional
host names for a single SSL certificate.
Is standard practice for SSL certificates, and it's on its way to replacing the use
of the common name.
You can also insert other information into a SAN certificate, such as an IP address.
Enables support for FQDNs from multiple domains in a single certificate.

Expiration
certificates are valid for a limited period from the date of issuance, as
specified on the certificate.
Current industry guidance on maximum certificate lifetime from widely
trusted issuing authorities (like Digicert) is currently 1 year (398 days).
LEVEL (Scope) of encryption
LOW operates at the individual file level, meaning
File files could have unique encryption keys.
Useful for files containing sensitive info
Encryption
e.g. financial info, PHI, PII

encryption targets a specific partition or volume

Volume within the physical drive.
Scope

Useful when different volumes need varying
Encryption levels of protection. data volume vs system volume

Disk automatically encrypts data when it is written to
or read from the entire disk.
Encryption Bitlocker on Windows, dm-crypt on Linux.
HIGH
LEVEL (Scope) of encryption
HIGH operates at the individual file level, meaning
File files could have unique encryption keys.
Useful for files containing sensitive info
Encryption
e.g. financial info, PHI, PII

encryption targets a specific partition or volume
Granularity

Volume within the physical drive.
Useful when different volumes need varying
Encryption levels of protection. data volume vs system volume

Disk automatically encrypts data when it is written to
or read from the entire disk.
Encryption Bitlocker on Windows, dm-crypt on Linux.
LOW
Volume vs partition
Partition
It represents a distinct section of storage on a disk.
In Windows, the C drive is typically a primary partition
Is a distinct PHYSICAL section of storage

Volume
Represents a logical division of a storage device.
Represents a single accessible storage area.
Can span multiple partitions or disks.

Assembles one or more partitions into a unified storage area
Drive encryption

FDE
Full Disk Encryption is built into the Windows
operating system.
Full Disk Encryption Bitlocker is an implementation of FDE.
Bitlocker protects disks, volumes, and partitions

SED
Self-Encrypting Drive
encryption on a SED that’s built into the
hardware of the drive itself.
anything that’s written to that drive is
automatically stored in encrypted form.

A good SED should follow the ‘Opal Storage Specification’
Protecting data at rest
Full Disk Encryption (FDE) “under the hood”
Trusted Platform Module (TPM): is on the motherboard and is used to store the
encryption keys so when system boots, it can compare keys and ensure that the system
has not been tampered with. A TPM is a HRoT
Hardware Root of Trust: When using certificates for FDE, they use a hardware root of trust
that verifies that the keys match before the secure boot process takes place.
Self-Encrypting Drives (SEDs)
The OPAL storage specification is the industry standard for self-encrypting drives. This is
a hardware solution, and typically outperform software-based alternatives.
They don't have the same vulnerabilities as software and therefore are more secure.
SEDs are Solid State Drives (SSDs) and are purchased already set to encrypt data at rest.
The encryption keys are stored on the hard drive controller.
They are immune to a cold boot attack and are compatible with all operating systems

SED is effective in protecting the data on lost or stolen devices (such
as a laptop). Only the user and vendor can decrypt the data.
Protecting data at rest
How can we encrypt different types of data at rest?

Cloud Storage Encryption
CSPs usually protect data at rest by automatically encrypting before persisting
it to managed disks, blob storage, file, or queue storage.
Transparent data encryption (TDE)
Helps protect SQL Database and data warehouses against threat of malicious
activity with real-time encryption and decryption of database, backups, and
transaction log files at rest without requiring app changes.

CSP = Cloud Service Provider
Transport/communication
How can we encrypt different types of data in transit?

“ Data in transit is most often encrypted
using TLS or HTTPS
This is typically how a session is encrypted “
before a user enters the credit card details.

While similar in function, TLS has largely replaced SSL
Transport/communication Also called “data in motion”

How can we encrypt different types of data in transit?

“ Data in transit is most often encrypted
using TLS or HTTPS
This is typically how a session is encrypted “
before a user enters the credit card details.

TLS is common for encrypting network communications, such as VPN
Protecting data in use / in processing
How can we encrypt different types of data in use?

Data-in-use/in processing occurs when we launch an
application such as Microsoft Word or Adobe Acrobat
Apps not running the data from the disk drive but running the
application in random access memory (RAM).
This is volatile memory, meaning that, should you power down
the computer, the contents are erased.

In some cases, data in-memory will be encrypted
 DATA PROTECTION IN RELATIONAL DATABASES

Encrypting Records
Many relational databases support row or column
level encryption.
Row-level encrypts an entire record, column-level
encrypts specific fields within the record.
Commonly implemented within the database tier, but
also possible in code of frontend applications
 DATA PROTECTION IN RELATIONAL DATABASES

Database Encryption
Transparent data encryption is full database-level
encryption (database files, logs, backups)
Requires no changes in application and comes with
virtually no performance impact

Offered on most relational database management
(RDBMS) platforms, like MSSQL, MySQL, and PostgreSQL
CONCEPT: Symmetric vs Asymmetric

Relies on the use of a shared secret key.
Symmetric Lacks support for scalability, easy key
distribution, and nonrepudiation

Public-private key pairs for communication
Asymmetric between parties. Supports scalability, easy
key distribution, and nonrepudiation
asymmetric key types
Public keys are shared among communicating parties.
Private keys are kept secret.
DATA
To encrypt a message: use the recipient’s public key.
To decrypt a message: use your own private key.
DIGITAL SIGNATURE
To sign a message: use your own private key.
To validate a signature: use the sender’s public key.
each party has both a private key and public key!
common uses
How are different algorithm types used?
Symmetric
Typically used for bulk encryption / encrypting large amounts of data.

Asymmetric
Distribution of symmetric bulk encryption keys (shared key)
Identity authentication via digital signatures and certificates
Non-repudiation services and key agreement
Key exchange in asymmetric cryptography
Franco sends a message to Maria,
requesting her public key

Maria sends her public key to Franco

Franco uses Maria’s public key to encrypt
the message and sends it to her

Maria uses her private key to decrypt
the message
 1.4 ENCRYPTION ALGORITHMS

Common symmetric encryption algorithms
AES (Advanced Encryption Standard): The current industry gold
standard. Highly efficient and widely implemented.
It offers various key lengths (128, 192, 256 bits), providing flexibility in
security levels.
3DES (Triple DES): A variation of DES applying encryption three
times.
Being phased out and replaced by AES
Twofish: A finalist in the competition to select AES, known for its
flexibility and security.
Blowfish: Predecessor to Twofish, also known for its strength and
speed.
Symmetric algorithms are used for bulk data encryption
 1.4 ENCRYPTION ALGORITHMS

Common asymmetric encryption algorithms
RSA (Rivest–Shamir–Adleman): One of the oldest and most widely
used asymmetric algorithms.
Often used for key exchange and digital signatures. Its security
relies on the difficulty of factoring large prime numbers.
ECC (Elliptic Curve Cryptography): A more modern approach
using elliptic curves.
Offers similar security levels to RSA but with smaller key sizes,
making it suitable for resource-constrained environments.
Diffie-Hellman: Primarily a key exchange protocol, allowing two
parties to establish a shared secret key over an insecure channel.
ElGamal: An algorithm based on the difficulty of the discrete
logarithm problem. Used for encryption and digital signatures.
common uses of algorithms
How are different algorithm types used?
Symmetric Example: AES256
Typically used for bulk encryption / encrypting large amounts of data.

Asymmetric Example: RSA, DH, ECC
Distribution of symmetric bulk encryption keys (shared key)
Identity authentication via digital signatures and certificates
Non-repudiation services and key agreement
TYPES OF CIPHERS
Stream cipher
is a symmetric key cipher where plaintext digits are combined with a
pseudorandom cipher digit stream (keystream).
each plaintext digit is encrypted one at a time with the corresponding
digit of the keystream, to create a digit of the ciphertext stream.

Block cipher
is a method of encrypting text in which a cryptographic key and
algorithm are applied to a block of data (for example, 64 contiguous
bits) at once as a group rather than to one bit at a time.

Considered to be more secure than stream ciphers
TYPES OF CIPHERS
Substitution cipher
uses the encryption algorithm to replace each character or bit of
the plaintext message with a different character.
Examples include Caesar cipher, Vigenère cipher

Transposition cipher
rearranges order of plaintext letters according to a specific rule.
the message itself is left unchanged, just the order is scrambled.
Examples include Rail Fence and Columnar Transposition
 CRYPTOGRAPHIC KEY LENGTH

An effective means to increase the strength of
an algorithm is by increasing its key length

The relationship between key length and
work factor is exponential.
A small increase in key length leads to a significant increase
in the amount of work required to break the encryption.

Asymmetric
RSA (Rivest-Shamir-Adleman), the primary public key
EXAMPLES cryptography algorithm used on the Internet.
It supports key sizes of 1024, 2048, and 4096 bits.
NIST recommends minimum key length of 2048
 CRYPTOGRAPHIC KEY LENGTH

An effective means to increase the strength of
an algorithm is by increasing its key length

The relationship between key length and
work factor is exponential.
A small increase in key length leads to a significant increase
in the amount of work required to break the encryption.

Symmetric
Advanced Encryption Standard (AES) is the go-to
EXAMPLES algorithm for the US Federal gov’t.
It supports key sizes of 128, 192, and 256 bits.
256-bit key is recommended for quantum resistance
 CRYPTOGRAPHIC KEY LENGTH

An effective means to increase the strength of
an algorithm is by increasing its key length

The relationship between key length and
work factor is exponential.
A small increase in key length leads to a significant increase
in the amount of work required to break the encryption.

Doubling key length from 128 to 256
does not make the key twice as strong.
It makes it 2 1 28 times as strong!
 CRYPTOGRAPHIC KEY LENGTH

Static versus Ephemeral Keys
The two primary categories of asymmetric keys are static and ephemeral.

Static Keys RSA uses static keys.
Static keys are semi-permanent and stay the same over a long
period of time.
A certificate includes an embedded public key matched to a private
key. This key pair is valid for the lifetime of a certificate.
Certificates have expiration dates and systems continue to use these
keys until the certificate expires. 1-2 years is a common certificate lifetime

A certification authority (CA) can validate a certificates static key with a certificate
revocation list (CRL) or using the Online Certificate Status Protocol (OCSP).
 CRYPTOGRAPHIC KEY LENGTH

Static versus Ephemeral Keys
The two primary categories of asymmetric keys are static and ephemeral.

Ephemeral Keys
Ephemeral keys have very short lifetimes and are re-created for each
session.
An ephemeral key pair includes a private ephemeral key and a public
ephemeral key.
Systems use these key pairs for a single session and then discard them.
Some versions of Diffie-Hellman use ephemeral keys.
 1.4 TOOLS

A chip that resides on the motherboard of the

Trusted device.

Multi-purpose, for storage and management of
Platform keys used for full disk encryption (FDE) solutions.
Module Provides the operating system with access to keys,
TPM but prevents drive removal and data access

TPM is also leveraged by the secure OS boot process
 1.4 TOOLS

Hardware Security
Module (HSM)
a physical computing device that safeguards and
manages digital keys, performs encryption and
decryption functions for digital signatures, strong
authentication and other cryptographic functions.
Like a TPM, but are often removable or external devices
 1.4 TOOLS

Hardware Root of Trust
A line of defense against executing
unauthorized firmware on a system
And when certificates are used in FDE, they
use a hardware root of trust for key storage.
It verifies that the keys match before the
secure boot process takes place

Trusted platform module (TPM) and Hardware Security
Module (HSM) are both implementations of HRoT
TOOLS
Key Management System (KMS)
E.G. Azure Key Vault, AWS KMS, GCP Cloud KMS Vault
CSPs offer a cloud service for centralized secure storage and
access for application secrets called a vault.
A secret is anything that you want to control access to, such as API
keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support
DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within.

Secrets and keys can generally be protected either by
software or by FIPS 140-2 Level 2 validated HSMs.
TOOLS

provides a secure and isolated area within a
system or application for processing sensitive data.

Secure uses hardware-based security mechanisms to
create an isolated trusted execution environment
Enclave allows sensitive data to be processed and stored
securely, even in a potentially insecure computing
environment.

Also called “Trusted Execution Environment”
obfuscation Privacy enhancing technologies

a computer file, message, image, or video is
concealed within another file, message,
Steganography image, or video.
an attacker may hide info in this way to
exfiltrate sensitive company data.
obfuscation
where meaningful data is replaced with a
Tokenization token that is generated randomly, and the
Stateless, stronger than original data is held in a vault.
encryption, keys not local

de-identification procedure in which
Pseudo- personally identifiable information (PII) fields
nymization within a data record are replaced by one or
more artificial identifiers, or pseudonyms.
Reversal requires access
to another data source
obfuscation

process of removing all relevant data
Anonymization so that it is impossible to identify
original subject or person.

Only effective if you do NOT need the identity data!
 OBFUSCATION

Data minimization
only necessary data required to fulfill the
specific purpose should be collected

Collect “the minimum amount” to meet the stated
purpose and manage retention to meet regulations
 OBFUSCATION

Data masking
when only partial data is left in a data field.
for example, a credit card may be shown as
**** **** **** 1234
Commonly implemented within the database tier, but
also possible in code of frontend applications
hashing vs encryption
How is hashing different from encryption?
Encryption
Encryption is a two-way function; what is encrypted can be decrypted with
the proper key.

Hashing no way to reverse if properly designed
a one-way function that scrambles plain text to produce a unique message
digest.

Common uses of hashing
Verification of digital signatures
Generation of pseudo-random numbers
Integrity services (data integrity and authenticity)

File integrity monitoring , validation of data transfer
common uses of algorithms
How are different algorithm types used?
Symmetric Example: AES256
Typically used for bulk encryption / encrypting large amounts of data.

Asymmetric Example: RSA, DH, ECC
Distribution of symmetric bulk encryption keys (shared key)
Identity authentication via digital signatures and certificates
Non-repudiation services and key agreement

Hash functions
Verification of digital signatures
Generation of pseudo-random numbers
Integrity services (data integrity and authenticity)
HASH FUNCTION REQUIREMENTS
Good hash functions have five requirements:
1. They must allow input of any length.
2. Provide fixed-length output.
3. Make it relatively easy to compute the hash
function for any input.
4. Provide one-way functionality.
5. Must be collision free.
differences between algorithm types
Feature / Algorithm HASH SYMMETRIC ASYMMETRIC
NUMBER OF KEYS 0 1 2+
RECOMMENDED KEY 128 bits (more for some
256 bits 2048 bits
LENGTH (NIST) sensitive data types)
COMMON EXAMPLE SHA AES RSA

SPEED Fast Fast Relatively Slow

COMPLEXITY Medium Medium High
EFFECT OF KEY Loss of both Loss for owner of the
N/A
COMPROMISE sender & receiver asymmetric key only
KEY MANAGEMENT
N/A Challenging Easy & Secure
& SHARING
SHA-224, SHA-256, AES, Blowfish, Twofish, RSA, DSA, ECC, Diffie-
EXAMPLES
SHA-384, SHA-512 3DES, RC4 Helman
Always evolving, and eventually affected by quantum computing
salting

Attackers may use rainbow tables, which contain
precomputed values of cryptographic hash
functions to identify commonly used passwords

SALTS A salt is random data that is used as an additional
input to a one-way function that hashes data, a
Cryptographic
password or passphrase.

Adding salts to the passwords before hashing
them reduces the effectiveness of rainbow table
attacks.
 CRYPTOGRAPHIC CONCEPTS

Digital Signatures
Digital signatures are similar in concept to handwritten signatures on printed
documents that identify individuals, but they provide more security benefits.
is an encrypted hash of a message, encrypted with the sender’s private key.
in a signed email scenario, it provides three key benefits:
Authentication. This positively identifies the sender of the email.
ownership of a digital signature secret key is bound to a specific user
Non-repudiation. The sender cannot later deny sending the message.
This is sometimes required with online transactions
Integrity. provides assurances that the message has not been modified or
corrupted.
Recipients know that the message was not altered in transit

These are the basics important for the Security+ exam
Digital Signature Standard
The Digital Signature Standard uses the SHA-2,
and SHA-3 message digest functions…

DSS Works in conjunction with one of three
asymmetric encryption algorithms:
Digital Signature
Digital Signature Algorithm (DSA)
Standard
Rivest, Shamir, Adleman (RSA) algorithm
Elliptic Curve DSA (ECDSA) algorithm.

DSS is documented in FIPS 186-4 from NIST at
https://csrc.nist.gov/publications/detail/fips/186/4/final
KEY STRETCHING
some cipher suites are easier to crack than others.
Key
larger keys tend to be more secure, because there
Length are more possible key combinations

processes used to take a key that may be weak and
Key make it stronger, by making it longer and more random
Stretching a longer key has more combinations a brute force
attack has to go through to crack
Quantum computing will impact this recommendation

Since 2015, NIST recommends a minimum of 2048-bit keys for
RSA. This will change over time as computing power advances.
blockchain
Blockchain was originally the technology that
powered Bitcoin but has broader uses.

A distributed, public ledger that can be used to store financial,
medical, or other transactions. Anyone is free to join and participate
does not use intermediaries such as banks and financial institutions.
data is “chained together” with a block of data holding both the
hash for that block and the hash of the preceding block.
To create a new block on the chain: the computer that wishes to
add the block solves a cryptographic puzzle and sends the solution
to the other computers participating in that blockchain.

This is known as “proof of work”
 BLOCKCHAIN vs OPEN PUBLIC LEDGER?

What is the difference between blockchain
and an open public ledger?

Decentralization. blockchain is decentralized - it is distributed across a peer-to-
peer network with no central authority.
An open public ledger can be centralized and maintained by a single
entity.

Immutability. blockchain data is immutable and cryptographically secured.
Once data is added to the blockchain, it is extremely difficult to alter it.
Data on a public ledger can be changed more easily.

Validation. blockchain uses consensus mechanisms like proof-of-work or proof-
of-stake to validate new data added to the chain.
Public ledgers rely more on the integrity of the central authority.

Transparency. blockchain transactions can be pseudonymous for privacy.
Public ledger transactions are typically fully transparent.
 1. 4 : CRYPTOGRAPHIC CONCEPTS

Common use cases
Common scenarios for specific cryptographic choices.
Low power devices. devices often use ECC for encryption, as it uses a small key.
IoT devices do not have the processing power for conventional encryption.
Low latency. Means “encryption and decryption should not take a long time”.
Specialized encryption hardware is a common answer in this scenario.
a VPN concentrator or encryption accelerator cards
can improve efficiency
High resiliency. Use the most secure encryption algorithm practical to prevent
the encryption key from being cracked by attackers.
Device, application, or service compatibility may influence decisions
Supporting confidentiality. Encryption should be implemented for exchange of
any sensitive data, and in a way that ensures only authorized parties can view.
For example, connecting remote offices via IPSec VPN
 1. 4 : CRYPTOGRAPHIC CONCEPTS

Common use cases
Common scenarios for specific cryptographic choices.
Supporting integrity. two important scenarios for ensuring integrity: ensuring file
data has not been tampered with, and communications are not altered in transit.
File hash to check file integrity, digital signature for email.
Supporting obfuscation. obfuscation is commonly used in source code or with
data to ensure it cannot be read by anyone who steals it.
Steganography, tokenization, masking can be used to obscure data.
Supporting authentication. a single-factor username and password are not
considered secure as theft of the password leads to compromise.
MFA for user authentication, certificate-based auth for devices
Supporting non-repudiation. When you digitally sign an email with your private
key, you cannot deny that it was you, as there is only one private key.
Non-repudiation is important in any legally binding transaction
 1. 4 : CRYPTOGRAPHIC CONCEPTS

Limitations
Common scenarios for specific cryptographic choices.
Speed. Application and hardware must be able to keep pace with the selected
encryption.
Size. If encrypting 16 bytes of data with a block cipher, the encrypted information
is also 16 bytes. This overhead must be considered in resource planning
Need enough memory, storage, and network to support the result
Weak keys. Larger keys are generally stronger and thus more difficult to break.
Find balance between security, compatibility, and capacity
Time. encryption and hashing take time. Larger amounts of data and asymmetric
encryption take more time than small data and symmetric encryption.
Selections need to match time constraints in transactions
Longevity. consider how long encryption algorithms selected can be used.
Older algorithms will generally be retired sooner
 1. 4 : CRYPTOGRAPHIC CONCEPTS

Limitations
Common scenarios for specific cryptographic choices.
Predictability. cryptography relies on randomization. Random number generation
that can’t be easily predicted is crucial for any type of cryptography.
Reuse. using the same key is commonly seen in a number of encryption
mechanisms. If an attacker gains access to the key, they can decrypt data
encrypted with it.
some IoT devices may not allow a key change
Entropy. a measure of the randomness or diversity of a data-generating function.
Data with full entropy is completely random with no meaningful patterns.
Resource vs security constraints. the more secure the encryption used and higher
the key length, the more processing power and memory the server will need.
requires balance between algorithms and hardware selections
INSIDE CLOUD

THANKS
F O R W A T C H I N G!