Cryptography forms an important part of the CIA triad of security. Confidentiality is primarily protected with encryption. In this Apply Your Knowledge, you are going to look at some cryptographic tools and techniques.
12.1. Examining an SSL Certificate
To get a better understanding of how SSL works, this exercise will have you examine an SSL certificate.
Estimated Time: 10 minutes.
12.2. Using PGP
In this exercise, you will install PGP.
Estimated Time: 10 minutes.
12.3 Using a Steganographic Tool to Hide a Message
In this exercise, you will use a tool to hide information with a SPAM email. The tool is SPAM Mimic.
Estimated Time: 5 minutes.
Exam Prep Questions
This symmetric encryption is considered weak, as the same cleartext input will produce the same ciphertext output.
Which of the following can be used to provide confidentiality and integrity?
Jake has just been given a new hacking tool by an old acquaintance. Before he installs it, he would like to make sure that it is legitimate. Which of the following is the best approach?
Diskprobe can be used for which of the following tasks?
Which of the following is not correct about the registration authority?
Ginny has a co-worker's WinZip file with several locked documents that are encrypted, and she would like to hack it. Ginny also has one of the lock files in its unencrypted state. What's the best method to proceed?
You have become worried that one of your co-workers accessed your computer while you were on break and copied the secring.skr file. What would that mean?
Which of the following is a symmetric algorithm?
What is the key length of 3DES?
Which of the following binds a user's identity to a public key?
George has been sniffing the encrypted traffic between Bill and Al. He has noticed an increase in traffic and believes the two are planning a new venture. What is the name of this form of attack?
How many bits of plaintext can DES process at a time?
What are collisions?
While shoulder surfing some co-workers, you noticed one executing the following command: ./john /etc/shadow. What is the co-worker attempting to do?
How long is the DES encryption key?
Answers to Exam Questions
1. C. With DES electronic code book (ECB), the identical plaintext encrypted with the same key will always produce the same ciphertext. Answer A is incorrect because DES cipher block chaining is considered more secure, as it chains the blocks together. Answer B is incorrect because MD5 is a hashing algorithm. Answer D is incorrect, as Diffie-Hellman is an asymmetric algorithm.
2. B. Asymmetric encryption can provide users both confidentiality and authentication. Authentication is typically provided through digital certificates and digital signatures. Answer A is incorrect because steganography is used for file hiding and provides a means to hide information in the whitespace of a document, a sound file, or a graphic. Answer C is incorrect, as it can provide integrity but not confidentiality. Answer D is incorrect because symmetric encryption only provides confidentiality.
3. D. Jake should compare the tools hash value to the one found on the vendor's website. Answer A is incorrect, as having a copy of the vendor's digital certificate only proves the identity of the vendor; it does not verify the validity of the tool. Answer B is incorrect because having the digital certificate of his friend says nothing about the tool. Digital certificates are used to verify identity, not the validity of the file. Answer C is incorrect and the worst possible answer because loading the tool could produce any number of results, especially if the tool has been Trojaned.
4. B. When a standalone file is encrypted with EFS, a temp file is created named efs0.tmp. Diskprobe or a hex editor can be used to recover that file. All other answers are incorrect because Diskprobe is not used for spoofing a PKI certificate; it can only recover the last file encrypted, not an entire folder of encrypted files. Diskprobe is not used to crack an MD5 hash.
5. C. Because the question asks what the RA cannot do, the correct answer is that RA cannot generate a certificate. All other answers are incorrect, as they are functions the RA can provide, including reducing the load on the CA, verifying an owner's identity, and passing along the information to the CA for certificate generation.
6. B. The known plaintext attack requires the hacker to have both the plaintext and ciphertext of one or more messages. For example, if a WinZip file is encrypted and the hacker can find one of the files in its non-encrypted state, the two form plaintext and ciphertext. Together, these two items can be used to extract the cryptographic key and recover the remaining encrypted, zipped files. Answer A is incorrect, as ciphertext attacks don't require the hacker to have the plaintext; they require a hacker to obtain encrypted messages that have been encrypted using the same encryption algorithm. Answer C is incorrect because a chosen ciphertext occurs when a hacker can choose the ciphertext to be decrypted and can then analyze the plaintext output of the event. Answer D is incorrect, as an attack occurs when the attacker tries to repeat or delay a cryptographic transmission.
7. C. The secring.skr file contains the PGP secret key. PGP is regarded as secure because a strong passphrase is used and the secret key is protected. The easiest way to break into an unbreakable box is with the key. Therefore, anyone who wants to attack the system will attempt to retrieve the secring.skr file before attempting to crack PGP itself. Answer A is incorrect, as the Windows passwords are kept in the SAM file. Answer B is incorrect because Linux passwords are generally kept in the passwd or shadow file. Answer D is incorrect, as secring.skr is a real file and holds the user's PGP secret key.
8. D. Examples of symmetric algorithms include DES, 3DES, and Rijindael. All other answers are incorrect because El Gamal, ECC, and Diffie-Helman are all asymmetric algorithms.
9. B. 3DES has a key length of 168 bits. Answer A is incorrect because 3DES does not have a key length of 192 bits. Answer C is incorrect because 3DES does not have a key length of 64 bits. Answer D is incorrect because 56 bits is the length of DES not 3DES.
10. D. A digital certificate binds a user's identity to a public key. Answers A, B, and C are incorrect because a digital signature is electronic and not a written signature. A hash value is used to verify integrity, and a private key is not shared and does not bind a user's identity to a public key.
11. A. An inference attack involves taking bits of non-secret information, such as the flow of traffic, and making certain assumptions from noticeable changes. Answer B is incorrect, as ciphertext attacks don't require the hacker to have the plaintext; they require a hacker to obtain messages that have been encrypted using the same encryption algorithm. Answer C is incorrect because a chosen ciphertext occurs when a hacker can choose the ciphertext to be decrypted and then analyze the plaintext output of the event. Answer D is incorrect, as an attack occurs when the attacker tries to repeat or delay a cryptographic transmission.
12. C. DES processes 64 bits of plaintext at a time. Answer A is incorrect, as 192 bits is not correct. Answer B is incorrect, but it does specify the key length of 3DES. Answer D is incorrect, as 56 bits is the key length of DES.
13. B. Collisions occur when two message digests produce the same hash value. This is a highly undesirable event and was proven with MD5 in 2005 when two X.509 certificates were created with the same MD5sum in just a few hours. Answer A is incorrect because collisions address hashing algorithms, not asymmetric encryption. Answer C is incorrect, as collisions address hashing algorithms, not symmetric encryption. Answer D is incorrect, as the goal of steganography is to produce two images that look almost identical, yet text is hidden in one.
14. C. John is a password cracking tool available for Linux and Windows. Answer A is incorrect, as John is not used to crack PGP public keys. Also, because the key is public, there would be no reason to attempt a crack. Answer B is incorrect, as John is not a PGP cracking tool. Answer D is incorrect because John is not used to crack EFS files.
15. B. DES uses a 56-bit key, whereas the remaining eight bits are used for parity. Answer A is incorrect as 32 bits is not the length of the DES key. Answer C is incorrect as 64 bits is not the length of the DES key, as eight bits are used for parity. Answer D is incorrect as 128 bits is not the length of the DES key; it is 56 bits.
Suggested Reading and Resources
www.spammimic.com/encode.cgiSPAM steganographic tool
www.ciscopress.com/articles/article.asp?p=369221&seqNum=4&rl=1Components of WPA
www.e-government.govt.nz/see/pki/attack-scenarios.asp50 ways to attack PKI
www.pgpi.org/doc/pgpintroPublic key encryption
Physical Security and Social Engineering
Part I: Exam Preparation
The Business Aspects of Penetration Testing
The Technical Foundations of Hacking
Footprinting and Scanning
Enumeration and System Hacking
Linux and Automated Security Assessment Tools
Trojans and Backdoors
Sniffers, Session Hijacking, and Denial of Service
Web Server Hacking, Web Applications, and Database Attacks
Wireless Technologies, Security, and Attacks
IDS, Firewalls, and Honeypots
Buffer Overflows, Viruses, and Worms
Cryptographic Attacks and Defenses
Physical Security and Social Engineering
Part II: Final Review
Part III: Appendixes
Appendix A. Using the ExamGear Special Edition Software