CompTIA® Security+ Exam Notes : Compare and contrast basic concepts of cryptography

6. Cryptography and PKI

6.1 Compare and contrast basic concepts of cryptography

A cryptographic hash function is a "one-way" operation: given the output hash, it is computationally infeasible to recover the input that produced it, or to find any other input that produces the same hash.

An encrypted message can be decrypted only with the matching key. A digital certificate issued by a CA works differently: it is not encrypted at all. Its contents (subject name, public key, validity period, issuer) are readable by anyone. What the CA adds is a digital signature over those contents, so anyone holding the CA's public key can verify that the certificate is genuine and has not been altered.

Quantum cryptography offers secure communication based on the fundamental laws of physics rather than on the assumed hardness of mathematical problems or on limits of computing power. Its most practical application is quantum key distribution (QKD): an eavesdropper who observes the quantum channel disturbs the transmitted states, so the interception can be detected. Note that QKD only distributes keys; the data itself is still protected with a conventional symmetric cipher.

The important terms of information security are confidentiality, integrity, availability, and non-repudiation.

Confidentiality prevents disclosure of information to unauthorized persons; it ensures that a message is not disclosed to any unintended party. Integrity ensures that data cannot be modified without detection; it is concerned with the correctness of information. Do not confuse these with authorization, which refers to the privileges a user or process has to access a given resource, and authentication, which is the validation of the identity of a user or process, for example at login.

Availability ensures that data (or information) is accessible when needed. Authenticity ensures that a message or transaction is genuine: that it really comes from the party it claims to come from and has not been altered on the way.

Non-repudiation means that neither party can later deny having taken part in a transaction: the sender cannot deny having sent a message, and the receiver cannot deny having received it. For example, suppose you receive an unsigned e-mail from a prospective employer. Because nothing ties the message to its sender, the employer could later deny having sent it. A digital signature on the message binds it to the sender's private key, which only the sender holds, so the sender cannot later claim not to have sent it.

Secret-key encryption is also known as single-key or symmetric encryption. It involves the use of a single key that is shared by both the sender and the receiver of the message.

Typically, the sender encrypts the message with a key and transmits the message to the recipient. The recipient then decrypts it by using a copy of the same key used to encrypt it.

It is important to understand the distinction between hashing, digital signatures, and encryption.

Hashing produces a small, fixed-size fingerprint (message digest) of the original message and is used to verify its integrity. The hash function is designed so that it is computationally infeasible to find another input that produces the same hash value, and any change to the message, even a single bit, yields a completely different digest. A hash is therefore used to check that a message has not been tampered with in transit or in storage. Note that hashing does not encode or encrypt a message: the digest cannot be reversed to recover the message, and it provides no confidentiality.

Typically, the sender computes a hash of the message, protects the hash (by encrypting it, signing it, or computing it under a shared secret key as a MAC), and sends it along with the message. The recipient recomputes the hash of the received message with the same algorithm and compares it with the hash that was sent. If they match, there is a very high probability that the message arrived intact. Protecting the hash matters: a bare hash sent alongside the message only detects accidental corruption, because an attacker who alters the message can simply recompute the hash.
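The following Python example is added here to illustrate the point above; it is not part of the original notes. It runs the same man-in-the-middle edit against a message protected by a bare SHA-256 digest and against one protected by an HMAC-SHA256 tag under a shared key. The message, the key and the edit are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """One-way SHA-256 fingerprint of a message, as hex."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, sent_digest: str) -> bool:
    """Integrity check with a bare hash: catches accidental corruption only."""
    return hmac.compare_digest(digest(message), sent_digest)


def mac(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, sent_tag: str) -> bool:
    """Constant-time comparison so the check does not leak the tag via timing."""
    return hmac.compare_digest(mac(key, message), sent_tag)


def tamper(message: bytes) -> bytes:
    """Hypothetical edit made by an attacker sitting on the wire."""
    return message.replace(b"100", b"900")


def attack_bare_hash(message: bytes) -> bool:
    """True if the recipient detects the tampering. With a bare hash the
    attacker simply recomputes the digest over the altered message."""
    forged = tamper(message)
    return not verify_digest(forged, digest(forged))


def attack_mac(key: bytes, message: bytes) -> bool:
    """Same attack against a MAC: the attacker has no key, so the original
    tag must be reused, and verification fails."""
    original_tag = mac(key, message)
    forged = tamper(message)
    return not verify_mac(key, forged, original_tag)


def demo():
    key = secrets.token_bytes(32)              # constructed shared secret
    message = b"transfer 100 to account 42"    # constructed sample message
    return attack_bare_hash(message), attack_mac(key, message)


if __name__ == "__main__":
    bare, keyed = demo()
    print("bare hash detects tampering:", bare)
    print("HMAC detects tampering:", keyed)
```

Because sender and receiver hold the same MAC key, either of them could have produced any given tag; that is why a MAC gives integrity and authentication but not non-repudiation, which is the symmetric-key limitation listed later on this page.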

Encryption translates a message into secret code. To read an encrypted file, you must have access to the key that decrypts it. Encrypted data is referred to as ciphertext; the original readable data is plaintext. Encryption ensures that the message cannot be read by anyone who does not have the matching key.

Two main types of encryption are

1. Asymmetric encryption (also called public-key encryption) and

2. Symmetric encryption.

A digital signature is an electronic signature that authenticates the sender of a message and protects its integrity: the sender signs a hash of the message with their private key, and anyone with the corresponding public key can verify it. A digital signature can be applied to an encrypted or an unencrypted message. A digital certificate contains the digital signature of the issuing certificate authority, so anyone can verify that the certificate is genuine. Because only the holder of the private key could have produced the signature, a digital signature also provides non-repudiation: the sender cannot later deny having sent the message.

Scenario: Some of the temporary employees in your company are renewed every year. Each time a renewal takes place, they are issued a new smart card, which is used for digitally signing the e-mail they send. When they tried to copy the digital signature from the old card to the new smart card, it was not successful. What should be done so that digital signing works with the new smart card?

Solution: The private key on a smart card is generated on the card and is non-exportable, so the signing key cannot be copied from the old card to the new one. A new key pair and PIV certificate (part of the PKI, or Public Key Infrastructure) must be generated for the new card, and the new certificate published, for example to the global address list (GAL), so that recipients can find the current public key and validate the employees' signatures.

Users cannot copy a private key from one smart card to another. The certificate and public key are placed on the card by the card management system during enrollment, not by copying files.


Hashing a message lets the recipient verify that it arrived without any alteration.

The disadvantages of symmetric encryption compared with asymmetric encryption are:

1. Inability to support non-repudiation: because sender and receiver use the same key, either of them could have produced a given message, so it is impossible to prove who sent it should a dispute arise.

2. Impractical for web commerce: imagine thousands of customers buying goods and services over the Internet. With symmetric encryption alone, the merchant would need a unique secret key for each customer, agreed with that customer in advance. In general, n parties need n(n-1)/2 keys to communicate pairwise, which does not scale.

3. Key distribution: with symmetric encryption, the secret key has to reach the other party before it can decrypt anything, and that transmission itself must be protected. In practice this is solved by using asymmetric techniques (Diffie-Hellman key agreement or RSA key transport) to establish the symmetric session key.

There are two primary types of keys in terms of lifetime.

Static keys remain the same over the validity period of a certificate, which may be years. The disadvantage of static keys (for example, a static RSA public-private key pair used to protect session keys) is that a single compromise of the long-term private key exposes every session ever protected with it, including recorded past traffic.

Ephemeral keys are temporary: a key pair is generated for one session and discarded as soon as the session ends. The ephemeral variants of Diffie-Hellman (DHE and ECDHE) use them, which gives forward secrecy: compromising a long-term key later does not reveal past session keys.

Elliptic Curve: The primary benefit of Elliptic Curve Cryptography (ECC) is that it achieves a given security level with much smaller keys, reducing storage, bandwidth and computation requirements. An elliptic curve group provides the same level of security as an RSA-based system with a far larger modulus and correspondingly larger key.

For example, a 256-bit ECC public key provides security comparable to a 3072-bit RSA public key (both at roughly the 128-bit security level).

The U.S. National Security Agency (NSA) approved ECC for digital signatures (ECDSA) and for elliptic-curve Diffie-Hellman key agreement (ECDH).

1. Diffie-Hellman is used to establish a shared symmetric key between two parties over a public network; the key itself is never transmitted, each side derives it from its own private value and the other side's public value.

2. Elliptic curve cryptography (ECC) is commonly used with small wireless and mobile devices because of its small keys and low computational cost.

3. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is a version of Diffie-Hellman that uses elliptic curve arithmetic and a fresh key pair for every session; the resulting shared secret is used to derive the session encryption keys.

4. Diffie-Hellman methods support both static keys (DH, ECDH) and ephemeral keys (DHE, ECDHE).

5. RSA is not based on Diffie-Hellman: it relies on the difficulty of factoring large integers, whereas Diffie-Hellman relies on the discrete logarithm problem. RSA key pairs are static, and when RSA is used for key exchange (RSA key transport) the session key is encrypted under the server's long-term public key, so it does not provide forward secrecy.
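The following Python example is added to show the static-versus-ephemeral distinction and the Diffie-Hellman exchange described above in working code; it is not code from the original notes. It uses the 1024-bit MODP group from RFC 2409 (Oakley group 2) purely to keep the constant short (real deployments use 2048-bit or larger groups, or ECDHE), checks that the group parameters really are a safe prime before using them, validates the peer's public value, and compares the session keys produced by reused static keys with those produced by per-session ephemeral keys. All key material is generated at run time.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit MODP group from RFC 2409 (Oakley group 2).
# Chosen only to keep this example short; use RFC 3526 group 14 (2048-bit)
# or larger, or ECDHE, in practice.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates a subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, used to sanity-check the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """P must be a 1024-bit safe prime: both P and (P-1)/2 prime."""
    return P.bit_length() == 1024 and is_probable_prime(P) and is_probable_prime(Q)


def keypair():
    """Private exponent in [1, Q-1] and the public value G^x mod P."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def shared_key(my_priv: int, peer_pub: int) -> bytes:
    """Derive a 256-bit session key from the Diffie-Hellman shared secret."""
    # Reject 0, 1, P-1 and anything outside the prime-order subgroup; such
    # values would let a malicious peer force a predictable secret.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    z = pow(peer_pub, my_priv, P)
    return hashlib.sha256(z.to_bytes(128, "big")).digest()


def static_session(alice: tuple, bob: tuple) -> bytes:
    """Static DH: both sides reuse long-term key pairs for every session."""
    a_priv, _ = alice
    _, b_pub = bob
    return shared_key(a_priv, b_pub)


def ephemeral_session() -> bytes:
    """Ephemeral DH: fresh key pairs per session, private values discarded."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key_a = shared_key(a_priv, b_pub)
    key_b = shared_key(b_priv, a_pub)
    assert key_a == key_b  # both sides arrive at the same session key
    del a_priv, b_priv  # nothing long-lived remains that could recover it
    return key_a


if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    print("group ok:", group_is_sane())
    # Static keys give the same session key every time, so one compromise of a
    # long-term private key exposes all past and future sessions.
    print("static key repeats:", static_session(alice, bob) == static_session(alice, bob))
    # Ephemeral keys give a different key per session (forward secrecy).
    print("ephemeral key repeats:", ephemeral_session() == ephemeral_session())
```

The subgroup check in shared_key (peer_pub^Q mod P == 1) is the step that is easy to forget: without it a peer can send 1 or P-1 and force the shared secret to a value it already knows.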

The following are true about wildcard certificates in a PKI:

1. A wildcard certificate (for example, for *.example.com) covers the domain's first-level subdomains, such as www.example.com and mail.example.com. It does not cover deeper levels such as a.b.example.com, and it covers the bare domain example.com only if that name is also listed in the certificate.

2. It reduces the administrative work of maintaining many separate certificates, at the cost that one private key protects every covered host, so a key compromise on any one of them affects all of them.
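The following Python function is added to make the wildcard rules above concrete; it is not code from the original notes. It decides whether a name taken from a certificate (a subject alternative name) covers a given hostname, following the RFC 6125 matching rules: the wildcard must be the whole leftmost label, it matches exactly one label, and it may not stand in for an entire top-level domain. The SAN list and hostnames in the usage section are constructed.

```python
def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    RFC 6125 rules, applied strictly: '*' must be the entire leftmost label,
    it matches exactly one label, and '*.com'-style names are refused.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    # Only a bare '*' as the first label is accepted; partial-label wildcards
    # such as 'w*.example.com' and wildcards deeper in the name are refused.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    if len(labels) < 3:
        return False  # '*.com' would cover every .com domain
    host_labels = hostname.split(".")
    # Same number of labels (so a.b.example.com is not covered) and every
    # label after the wildcard identical.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covered(cert_names: list, hostname: str) -> bool:
    """A certificate covers a host if any of its subject alternative names does."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    san = ["*.example.com", "example.com"]  # constructed SAN list
    for host in ("www.example.com", "example.com", "a.b.example.com", "example.org"):
        print(f"{host:18} covered={covered(san, host)}")
```

The function does not consult the public suffix list, so a name such as *.co.uk passes the "at least three labels" rule here even though a public CA would refuse to issue it; treat that check as a floor, not a complete policy.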

Steganography: Steganography is the process of hiding information within other information. For example, an attacker may use the least significant bits of the pixels in an image to smuggle data out of a network or to carry malware; the picture looks unchanged to the eye. Steganography is also used by authors to embed a watermark within an image.
