7/22/2019 TestOut LabSim
https://cdn.testout.com/client-v5-1-10-563/startlabsim.html 1/3
9.2.2 Advanced Cryptography Facts
Advanced cryptography includes the following:
Concepts Definition
Encrypting
The purpose of encryption is obfuscation, making a message obscure so it is difficult to read.
Cryptographic service providers (CSPs) are software libraries that can be used to enhance encryption. Applications can use
these libraries to help secure email and provide strong user authentication.
Key Exchange
The sender of an encrypted message encrypts a message with a key. Then the message receiver must decrypt the message with a key.
Key families include:
Symmetric. A symmetric key is where the sender uses a private key to encrypt a message. Then the recipient uses that same
private key to decrypt it.
Asymmetric. An asymmetric key is where the sender's key and receiver's key are different for the encryption and decryption
processes.
Key length is the number of bits used in a key by a cryptographic algorithm and can determine the strength.
Modes of Operation
Modes of operation include:
Block Cipher: Provides confidentiality and authenticity services. A block cipher can encrypt or decrypt one fixed-length
block. It encrypts or decrypts one large chunk of data (or block) at a time, often combining blocks for additional security.
Block ciphers are more useful when the amount of data is known.
Cipher Block Chaining (CBC): A plaintext block is combined with the previous cipher text block, and the result is
encrypted with the key.
Cipher Feedback (CFB): Each cipher text block is fed back into the encryption and then used to encrypt the next plaintext
block.
Output Feedback (OFB): The output blocks are fed back into the block cipher. These blocks then make strings of bits to
feed the encryption algorithm, acting as the key generator.
Counter (CTR): Both the sender and recipient access a reliable counter that computes a new shared value each time a
ciphertext block is exchanged. The counter needs to be synchronized between both parties.
Galois/Counter Mode (GCM): A variation of the Counter mode, GCM throughput rates do not require high performance
hardware to produce acceptable high speed communication channels.
Output
The output from a cryptographic process may exhibit the following:
A simple character change in the plaintext will cause several characters to change in the cipher text. This is called diffusion.
When two different inputs to a cryptographic function produce the same output, this is called a collision. Collisions are not
common, but can occur.
Digital Signature
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital
signature gives a message credibility, guaranteeing the recipient that the message has not been tampered with in transit.
Things to consider when choosing your cryptographic methods:
Concept Definition
Low Power Devices
Some devices experience constraints on the amount of energy available to them. Some of these devices are wireless sensors, RFID tags, smart cards, mobile phones, and handheld tablets. These devices need to be secured using cryptography that provides fast identification, authentication and data protection. The issue is that low energy usage, while posing advantages in design and applicability, is also the cause of some security challenges because deploying security mechanisms and services consumes a large amount of power.
While the processing power, memory, and network bandwidth of today's mobile devices are sufficient, battery power levels are increasing at a modest pace. These devices can still quickly drain their batteries. A security protocol running over these devices should utilize as little energy as possible. During a secure wireless session, the main sources of energy consumption are transmission and reception of packets, the overhead messages required for establishing the session, and cryptographic computations, in that order.
One method to reduce energy consumption would be to select a combination of security primitives in a single session. Another way is to optimize the standard security protocols themselves. For example, wherever security needs are not that rigid, energy savings can be obtained by switching to smaller keys. Another way is to employ hardware acceleration of crypto-mechanisms. However, it can be difficult to provide customized hardware for encryption because this type of hardware is vulnerable to differential power analysis attacks.
Low Latency
Latency is the delay before a transfer of data begins to follow an instruction for its transfer. Lightweight ciphers are designed to be efficient based on size and power consumption. A new emphasis in lightweight ciphers is to achieve a lower latency (a lower response time). Automotive authentication systems and high-speed storage are examples of applications that require lower latency.
Processing all rounds of the cipher in one clock cycle would achieve lower latency in a block cipher. This kind of implementation technique is called round unrolling or unfolding. In general, conventional block ciphers are implemented with a loop architecture, which processes one round of the cipher in one or a few clock cycles and repeats the process until the last round of the cipher.
High Resilience
High resilience cryptography (also known as leakage-resilient cryptography) refers to cryptographic protocols that remain secure and resistant to side channel attacks.
Side channel attacks exploit devices that leak information to the outside world, not just through input-output interaction, but through physical characteristics like power consumption, timing, and electromagnetic radiation. This information leakage has been successfully used to break many cryptographic algorithms in common use. These leakages are particularly accessible when the device is in the hands of an attacker, as is often the case for modern devices, such as smart cards, mobile phones, and laptops.
There are ongoing studies and research in leakage-resilient cryptography to tackle this challenge from an algorithmic angle. The idea behind the research is to design various cryptographic schemes that resist side channel attacks.
Supporting Confidentiality
Data encryption is a common method for ensuring confidentiality. Safeguarding data confidentiality involves training. Training should include strong passwords, user IDs, and multifactor authentication. Users can also take precautions to minimize the number of places where the information appears and the number of times it is actually transmitted to complete a required transaction. To prevent sensitive information from reaching the wrong people, access must be restricted to those authorized to view the data.
Supporting Integrity
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. These measures include cryptographic checksums for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state.
Supporting Obfuscation
Obfuscation is only secure if unwanted eyes don't know the mechanism used to camouflage the data. Obfuscation masks the data being sent. The goal is to camouflage the text, making it incomprehensible to the interceptor unless the receiver knows the method used to obfuscate the text. If the receiver knows the method used, he can decipher the message. For example, instead of writing the text normally, you would:
Reverse the order of the letters.
Replace every plaintext letter with a different ciphertext letter. This is known as a substitution cipher.
Replace a letter with a letter that is 13 places after it in the alphabet. This substitution cipher is known as ROT13, which is short for rotate 13. Since there are 26 characters in the alphabet, to undo the cipher, you apply the same ROT13 substitution.
Perform an XOR (exclusive or) operation that combines the plaintext with a key. This is usually done at the bit level: 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0. The XOR operator is extremely common as a component in more complex ciphers.
Supporting Authentication
Multifactor authentication is one of the most cost-effective mechanisms companies can use to protect digital assets. As more businesses move their servers into the cloud, better authentication is needed. With password breaches growing at an alarming rate, the need to improve authentication practices is undeniable. Deploying multifactor authentication forces people to use more than one authentication method, such as something you have along with something you know.
Supporting Non-Repudiation
Non-repudiation is the assurance that someone cannot deny something. It usually refers to ensuring that a party to a contract cannot deny the authenticity of their signature on a document or the sending of a message that they originated. A legal document may require witnesses so that the person who signs cannot deny having done so. With a digital signature, the idea is the same. You need to ensure that a message or document has been electronically signed by the correct person. Since no security technology is absolutely foolproof, some experts argue that a digital signature alone may not guarantee non-repudiation. It is suggested that multiple approaches be used, such as capturing unique biometric information and other data about the signer that would be difficult to repudiate collectively.
Resources vs. Security Constraints
The Internet of Things (IoT) is a network of physical resources, or devices, embedded with software, sensors, and connectivity that enables these devices to exchange data with the manufacturer and other connected devices. These devices are connected over the internet in the same way as laptops, tablets, smart phones, and Bluetooth devices are connected. Some of these devices can also remotely monitor or control home components, such as lighting and heating.
Security protocols built on strong cryptographic algorithms use a pattern of analysis to defeat attacks, but these algorithms consume a lot of the processor's efficiency. This is a security constraint because devices with limited capabilities, such as Internet of Things devices, need modified protocols that won't over-burden processors. The absence of strong security protocols may result in malicious attacks and malfunctions.
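The obfuscation methods listed under Supporting Obfuscation, measured against the diffusion property defined under Output, as an added example that is not part of the original notes. The two sample messages and the key are constructed, and SHA-256 is used only as a reference point for strong diffusion.

```python
import codecs
import hashlib


def reverse_text(text: str) -> str:
    """Reverse the order of the letters."""
    return text[::-1]


def rot13(text: str) -> str:
    """Rotate each letter 13 places; applying it twice restores the text."""
    return codecs.encode(text, "rot_13")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte with a repeating key; the same call undoes it."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def changed_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions that differ between two equal-length outputs."""
    if len(a) != len(b):
        raise ValueError("outputs must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def diffusion_report(msg_a: bytes, msg_b: bytes, key: bytes) -> dict:
    """How many output bits change when the input changes, per method."""
    rot_a = rot13(msg_a.decode("ascii")).encode("ascii")
    rot_b = rot13(msg_b.decode("ascii")).encode("ascii")
    return {
        "input": changed_bits(msg_a, msg_b),
        "reverse": changed_bits(msg_a[::-1], msg_b[::-1]),
        "rot13": changed_bits(rot_a, rot_b),
        "xor": changed_bits(xor_bytes(msg_a, key), xor_bytes(msg_b, key)),
        "sha256": changed_bits(hashlib.sha256(msg_a).digest(),
                               hashlib.sha256(msg_b).digest()),
    }


# Constructed sample data: the two messages differ in a single bit
# ('1' is 0x31, '9' is 0x39).
MSG_A = b"transfer 100 to alice"
MSG_B = b"transfer 900 to alice"
KEY = b"k3y"  # constructed key for the XOR case

if __name__ == "__main__":
    text = MSG_A.decode("ascii")
    print("reverse :", reverse_text(text))
    print("rot13   :", rot13(text), "->", rot13(rot13(text)))
    masked = xor_bytes(MSG_A, KEY)
    print("xor     :", masked.hex(), "->", xor_bytes(masked, KEY))
    for method, bits in diffusion_report(MSG_A, MSG_B, KEY).items():
        print(f"{method:8s} changed bits: {bits}")
```

Reversal, ROT13 and XOR each carry the one-bit input change straight through to the output, which is why they mask data without providing the diffusion the notes describe.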
9.2.4 Cryptography Algorithms Facts
Cryptographic algorithms come in three types, as follows:
Algorithm Explanation
Symmetric
Generates a single key that is used for both encryption and decryption. If the key were to fall in the wrong hands, messages encrypted with the key, both past and future, could be decrypted.
Asymmetric
Generates two different yet mathematically related keys. The encryption key can be shared publicly. This is because the public key is used only to encrypt information. It cannot decrypt information at all. The only key that can decrypt the information is the private key.
Hashing
Instead of being used to encrypt information, hashing keys are used for signature verification and data integrity checking. They take a string of characters of an undetermined length and convert it into a string of characters that has a specific length. This output is known as a digest. Hashes should not be able to be reconstructed from the output of the hash function.
Use the right algorithm.
Remember that modern cryptographic algorithms are extremely hard to crack; however, they are not 100% secure. As technology advances, it gets easier to crack the algorithms.
Avoid already exploited algorithms if possible, including weak algorithms and deprecated algorithms.
General properties of cryptographic algorithms include:
Property Description
Confusion
The relationship between the key and ciphertext should be as complex as possible.
Diffusion
The amount of change to the ciphertext when there is a change in the input text. The greater the amount of change, the better the algorithm.
Collision
A collision is when two or more inputs create the same ciphertext.
Use case challenges.
Use Case Description
Low Power Devices
Common public-key cryptography protocols perform poorly in low-energy environments, making low power devices unsuitable for real-world activities.
Low Latency
One goal of cryptographic algorithms is to encrypt and decrypt in a short amount of time. Strong cryptographic algorithms may take hundreds or thousands of clock cycles, making them ill-suited for low-latency applications.
High Resiliency
Cryptographic algorithms are more susceptible to cracking if information about the keys used in the algorithm is known. The leakage of information about an algorithm is a real-world problem. High resiliency algorithms or leakage-resilient algorithms are harder to crack, even if some information about the algorithm is known.
9.3.3 Cryptographic Implementation Facts
Operating systems, applications, and other components of information systems typically use a hybrid cryptography system. A hybrid cryptography system combines the strengths of hashing, symmetric, and asymmetric encryption, depending on the need for cryptographic services. For example:
Use symmetric encryption for fast and efficient encryption of bulk data.
Use hashing to verify message integrity.
Use asymmetric encryption for authentication and non-repudiation.
Use asymmetric encryption for secure exchange of symmetric encryption keys (for example, by encrypting the key used for symmetric encryption prior to sharing the key with the recipient). Using asymmetric cryptography for encryption is best for small pieces of data.
The following table lists some of the applications for cryptography:
Implementation Description
File System Encryption
Encrypting data in files, directories, volumes, and hard drives provides an additional layer of security for data. Options for file system encryption are as follows:
Encrypting File System (EFS) is available for encrypting files and directories on NTFS partitions.
GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP) offer encryption options for Linux systems.
BitLocker Drive Encryption (also known as full-volume encryption) protects offline data access on lost or stolen laptops or other compromised systems.
In Microsoft Windows, EFS is referred to as file encryption key (FEK).
Digital Signature
A digital signature or signing is a combination of asymmetric encryption and hashing values. A signature provides confidentiality, integrity validation, strong authentication, and non-repudiation. Typically, a digital signature works as follows:
1. A hash value is generated for a message.
2. The hash value is asymmetrically encrypted using the sender's private key. Non-repudiation is provided because only the sender could have encrypted the hash using the private key (only the sender knows the private key).
3. The encrypted hash value and the message are sent.
4. The recipient decrypts the hash using the sender's public key.
5. The recipient hashes the message.
6. Message integrity and sender authenticity (non-repudiation) are confirmed if the two hash values match.
Digital Envelope
In addition to digital signatures, the data can be secured in transit by secure data transmission. This protects the message from hackers by using asymmetric encryption to secure the message before sending it to the recipient. Secure data transmission uses the following process:
1. The sender requests a copy of the recipient's public key.
2. The recipient or CA sends a digital certificate containing the public key to the sender.
3. The sender asymmetrically encrypts the message using the recipient's public key.
4. The sender sends the asymmetrically encrypted message to the recipient.
5. The recipient uses his private key to decrypt the message.
Trusted Platform Module
Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys.
A TPM is required to check the integrity of startup files and components in BitLocker implementations.
The TPM generates a hash of the startup files to verify the integrity of those files.
Additionally, the TPM creates a hash of system components. This hash acts as a validation check of the system to ensure that system components have not changed. The hash can also be used to uniquely identify the system.
The system startup key can be saved in the TPM. With the startup key saved in the TPM, the system can start without additional intervention.
Without a TPM, the startup key must be stored on a USB drive. The system will not start without the startup key.
When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system.
The TPM generates random numbers.
TPM provides full support for asymmetric encryption; therefore, it can generate public and private keys.
Full Disk Encryption and Self-Encrypting Drive
There are many vendors that provide hardware-based full disk encryption (FDE) devices which require a password or key to access the encrypted data. A hard disk drive with FDE is usually referred to as a self-encrypting drive (SED).
Hardware Root of Trust
Many roots of trust are implemented in hardware. A TPM is an implementation of a hardware root of trust. One benefit of using a hardware root of trust is that malware can't tamper with the functions it provides.
Hardware Security Modules
A Hardware Security Module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as encryption, decryption, key generation, and hashing. HSM devices can also provide key management. HSMs traditionally come in the form of a plug-in card or an external security device that can be attached directly to the computer system. Other names for HSMs include the following:
Personal Computer Security Module (PCSM)
Secure Application Module (SAM)
Hardware Cryptographic Device
Cryptographic Module
When using an HSM to back up keys, make sure the backup device attaches directly to the HSM.
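The six digital signature steps from the table above, run end to end as an added example that is not part of the original notes. It assumes textbook RSA without padding over constructed toy keys built from known Mersenne primes, which is far too small and too simple for real use and serves only to make each step visible.

```python
import hashlib
from math import gcd

E = 65537  # common public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Build a (public, private) pair from two primes (toy sizes only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent
    return (n, e), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Steps 1 and 5: hash the message (reduced mod n to fit the toy key)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Step 2: transform the hash with the sender's private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 4 to 6: recover the signed hash with the sender's public key
    and compare it with a fresh hash of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


# Constructed toy keys: 2**61-1, 2**89-1, 2**107-1 and 2**127-1 are primes.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, _OTHER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

MESSAGE = b"Pay invoice 1042 to account 7781"  # constructed sample message


def run_exchange():
    """Step 3 is the hand-off: the message and signature travel together."""
    signature = sign(MESSAGE, SENDER_PRIV)
    return {
        "genuine": verify(MESSAGE, signature, SENDER_PUB),
        "tampered": verify(MESSAGE.replace(b"7781", b"9999"),
                           signature, SENDER_PUB),
        "wrong_key": verify(MESSAGE, signature, OTHER_PUB),
    }


if __name__ == "__main__":
    for case, accepted in run_exchange().items():
        print(f"{case:10s} accepted: {accepted}")
```

Only the unmodified message checked against the sender's own public key is accepted; a changed message or a different public key makes the two hash values disagree.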
The following table identifies how the technologies are
implemented in LAN- and web-based environments:
Technology Description
Secure Electronic Transaction
Secure Electronic Transaction (SET) was developed by VISA and MasterCard to secure transactions. Credit card data and a digital certificate are stored in a plug-in to the user's web browser. An order received by a SET-enabled merchant server passes the encrypted payment information to the bank. Approval is electronically sent to the merchant. SET uses DES and RSA in addition to digital signatures.
Secure Sockets Layer
Secure Sockets Layer (SSL) was developed by Netscape to secure internet-based client/server interactions. SSL authenticates the server to the client using public key cryptography and digital certificates and encrypts the entire communication session. SSL can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email.
SSL operates over TCP port 443. SSL operates at the Session layer of the OSI model. Session keys employed by SSL (Secure Sockets Layer) are available in 128-bit and 40-bit lengths.
Transport Layer Security
Transport Layer Security (TLS) was developed by Netscape to secure internet-based client/server interactions. TLS is based on SSL, but they are not interoperable. TLS authenticates the server to the client using public key cryptography and digital certificates.
TLS encrypts the entire communication session between a server and a client. TLS can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email.
TLS operates over TCP port 443 or port 80. TLS has a specific version for wireless communications known as Wireless Transport Layer Security (WTLS).
Secure Hypertext Transport Protocol
Secure Hypertext Transport Protocol (S-HTTP) is the old method for securing communications on web servers. It is a message-based encryption technique in which each file is encrypted separately. S-HTTP is not used any more.
Hypertext Transport Protocol Secure
Hypertext Transport Protocol Secure (HTTPS) uses HTTP over SSL (Secure Socket Layer). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for that session are valid for that session only. HTTPS is used predominantly throughout the internet. HTTPS operates over TCP port 443.
Secure Shell
Secure Shell (SSH) was developed for the UNIX platform to encrypt or secure communications for remote facilities. SSH operates over TCP port 22.
Internet Protocol Security
Internet Protocol Security (IPsec) is a data encryption protocol for LAN-based applications. IPsec:
Is widely deployed in VPN technology.
Can be used with IP only.
Can be used to encrypt any traffic supported by the IP protocol. This includes web, email, TELNET, file transfer, and SNMP traffic, as well as countless others.
Includes both encryption and authentication mechanisms.
Is fully capable of providing a secure communication means for any LAN or internet-based system using TCP/IP.
Can be used with L2TP or alone to protect data.
Requires either certificates or pre-shared keys.
Functions at the Network layer of the OSI model.
Generally can't be used when a NAT proxy is deployed.
Operates at the Network layer (Layer 3).
Uses UDP port 500.
Secure Real-Time Transport Protocol
Secure real-time transport protocol (SRTP) is a secure extension of RTP (real-time transport protocol) that adds enhanced security features. It was developed to secure VoIP (Voice over IP) communications. SRTP uses encryption and authentication and can achieve high throughput in multiple communications environments, including both hard-wired and wireless environments.
The following table identifies the encryption technologies
implemented to secure email messages:
Technology Description
Privacy Enhanced Mail
Privacy Enhanced Mail (PEM) was one of the first email securing technologies. It supports digital signatures, digital certificates, and asymmetric key cryptography.
Pretty Good Privacy
Pretty Good Privacy (PGP) is a commercial asymmetric cryptosystem used for email. PGP provides all four cryptographic services and uses the RSA public key encryption system for key exchange and digital signatures. It relies upon the IDEA or 3DES algorithm for encryption and is based on a pass phrase and a web of trust, not a hierarchy of trust. The public keys used in a PGP system are stored in a key ring. PGP can also secure the email attachments to the messages.
Secure Multipurpose Internet Mail Extensions
Secure Multipurpose Internet Mail Extensions (S/MIME) uses a standard public key encryption, authenticates through digital signatures, uses X.509 version 3 certificates, and is included in most web browsers. Similar to PGP, S/MIME can secure email attachments.
Message Security Protocol
Message security protocol (MSP) is a military implementation of PEM.
9.4.2 Cryptographic Attack Facts
Cryptanalysis is the method of recovering original data that has been encrypted without having access to the key used in the encryption process. This can be done to measure and validate the strength of a cryptosystem. It can also be done to violate the confidentiality and/or integrity of a cryptosystem.
The security of data depends on the secrecy of the keys, not on the algorithm used to encrypt the data. For this reason, the less information the attacker has concerning the key used during encryption, the stronger the security. Most cryptographic attacks focus on breaking the key.
Attacks can be classified using one of the following general methods:
Attack Type Description
Brute Force
In a brute force attack, the attacker tries every known combination. These types of attacks take the longest amount of time, though they are always successful if enough time is allowed. Cryptosystems are almost always subject to brute force attacks against the key. Types of brute force attacks include:
A mathematical attack, which is an attack on a key containing a small data set. The smaller data set provides fewer combinations to decipher. A 40-bit encryption is considered weak and a 128-bit encryption is considered strong. The longer the key, the more combinations a brute force attack will require.
A birthday attack is a brute force attack that focuses on hashing algorithms. The attacker hashes messages until two plaintext messages are found that produce the same hashed value. This type of attack is based on the statistic that there is more than a 50% chance that two out of 23 people in a room will have the same birthday. To match a selected day, 253 people would need to be in the room.
Plaintext
Types of plaintext attacks include:
A chosen cipher text attack, in which the attacker produces cipher text and then sends it through a decryption process to see the resulting plaintext.
A known plaintext attack, in which the attacker has seen the plaintext and the resulting cipher text. The attacker can make conclusions about the encrypting key and will have validation if the encrypting key is discovered.
A chosen plaintext attack, in which the attacker chooses the plaintext to be encrypted. This can occur when a worker steps away from the computer and the attacker sends a message and captures the resulting ciphertext (this attack is also known as a lunchtime attack or midnight attack). The attacker can select plaintext that will produce clues to the encryption key used.
Analytic
An analytic attack uses an algebraic manipulation to reduce the complexity of the algorithm.
Weakness Exploitation
Attacks exploiting weaknesses in encryption include:
A statistical attack exploits weaknesses in a cryptosystem, such as inability to produce random numbers or floating point errors.
A dictionary attack uses known words and common variations.
A weak key attack is an attack on an encrypted algorithm that contains keys with poorly decrypted ciphertext.
An implementation attack exploits implementation weaknesses, such as in software, the protocol, or the encryption algorithm.
A hybrid attack refers to the technique of adding appendages to known dictionary words. (For example, 1password, password07, or [email protected])
Encryption
Encryption attack types include:
A key clustering attack, in which the attacker decrypts an encoded message using a different key than was used during encryption.
A replay attack, in which the attacker attempts to re-transmit encryption session keys in hopes of accessing the encrypted resource in a decrypted mode.
A PKI attack, in which the attacker attempts to have a user accept a fake or spoofed PKI certificate.
A side-channel attack, which is based on information gained from the physical implementation of a cryptosystem rather than theoretical weaknesses in the algorithms, such as the length of time required during encryption or decryption.
Man-in-the-Middle
In a man-in-the-middle attack, the attacker is able to read, insert, and modify messages between two parties without either party knowing that the link between them has been compromised.
Downgrade
A downgrade attack is often exploited through a man-in-the-middle attack. Security protocols that employ encryption may have different modes of operations. A downgrade attack convinces a protocol to disregard a high-quality mode of operation and use a lower-quality mode instead. For instance, a higher mode may require an encrypted connection, but a lower mode may use clear text. An example of this flaw was found in OpenSSL, which is an open-source implementation of the SSL and TLS protocols.
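The birthday figures quoted in the Brute Force row (23 people for any shared birthday, 253 to match a selected day), checked numerically and then applied to a hash digest, as an added example that is not part of the original notes. It goes one step beyond the text by truncating SHA-256 to 24 bits (an assumption made so the search finishes instantly) to show why digest length decides how much work a collision takes.

```python
import hashlib
from math import prod


def p_shared_birthday(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share any birthday."""
    return 1.0 - prod((days - i) / days for i in range(people))


def p_match_selected_day(people: int, days: int = 365) -> float:
    """Chance that at least one of `people` has one specific birthday."""
    return 1.0 - ((days - 1) / days) ** people


def smallest_group(prob_fn, target: float = 0.5) -> int:
    """Smallest group size whose probability exceeds `target`."""
    n = 1
    while prob_fn(n) <= target:
        n += 1
    return n


def truncated_digest(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short digest."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_truncated_collision(bits: int = 24):
    """Hash constructed messages until two share a truncated digest.

    Returns (first_message, second_message, messages_hashed).
    """
    seen = {}
    count = 0
    while True:
        message = f"message-{count}".encode()
        count += 1
        tag = truncated_digest(message, bits)
        if tag in seen:
            return seen[tag], message, count
        seen[tag] = message


if __name__ == "__main__":
    print("any shared birthday > 50%:", smallest_group(p_shared_birthday))
    print("match a selected day > 50%:", smallest_group(p_match_selected_day))
    first, second, hashed = find_truncated_collision(24)
    print(f"24-bit digest: collision after {hashed} messages "
          f"(2**24 = {2**24} possible values)")
    print(first, second)
```

The collision appears after a number of messages on the order of the square root of the digest space, so each extra bit of digest length adds only half a bit of collision resistance.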
Use these countermeasures to strengthen the cryptosystem:
Use strong passwords
Implement strong cryptosystems with redundant ciphers
Implement long key spaces