Understanding Cryptography and PKI
CompTIA Security+ objectives covered in this chapter:
1.2 Given a scenario, analyze potential indicators to determine the type of attack. • Password attacks (Spraying, Dictionary, Brute force, Offline, Online, Rainbow table, Plaintext/unencrypted) • Cryptographic attacks (Birthday, Collision, Downgrade)
1.3 Given a scenario, analyze potential indicators associated with application attacks. • Pass the hash
2.1 Explain the importance of security concepts in an enterprise environment. • Data protection (Encryption, At rest, In transit/motion, In processing) • Hashing
2.5 Given a scenario, implement cybersecurity resilience. • Diversity (Crypto)
2.8 Summarize the basics of cryptographic concepts. • Digital signatures, Key length, Key stretching, Salting, Hashing, Key exchange, Elliptical curve cryptography, Perfect forward secrecy, Quantum (Communications, Computing), Post-quantum, Ephemeral, Modes of operation (Authenticated, Unauthenticated, Counter), Blockchain (Public ledgers), Cipher suites (Stream, Block), Symmetric vs. asymmetric, Lightweight cryptography, Steganography (Audio, Video, Image), Homomorphic encryption • Common use cases (Low power devices, Low latency, High resiliency, Supporting confidentiality, Supporting integrity, Supporting obfuscation, Supporting non-repudiation), Limitations (Speed, Size, Weak keys, Time, Longevity, Predictability, Reuse, Entropy, Computational overheads, Resource vs. security constraints)
3.1 Given a scenario, implement secure protocols. • Secure/Multipurpose Internet Mail Extensions (S/MIME)
3.9 Given a scenario, implement public key infrastructure. • Public key infrastructure (PKI) (Key management, Certificate authority (CA), Intermediate CA, Registration authority (RA), Certificate revocation list (CRL), Certificate attributes, Online Certificate Status Protocol (OCSP), Certificate signing request (CSR), CN, Subject alternative name, Expiration) • Types of certificates (Wildcard, Subject alternative name, Code signing, Self-signed, Machine/computer, Email, User, Root, Domain validation, Extended validation) • Certificate formats (Distinguished encoding rules (DER), Privacy enhanced mail (PEM), Personal information exchange (PFX), .cer, P12, P7B), Concepts (Online vs. offline CA, Stapling, Pinning, Trust model, Key escrow, Certificate chaining)
4.4 Given an incident, apply mitigation techniques or controls to secure an environment. • Configuration changes (Update or revoke certificates)
Cryptography and Public Key Infrastructure (PKI) topics are challenging for many test takers, mostly because they cover material that isn’t familiar to many system administrators. When tackling these topics, don’t lose sight of the basics. The first section in this chapter, “Introducing Cryptography Concepts,” outlines and summarizes these basics. Don’t worry if they aren’t clear to you right away; they should be once you complete the chapter. Passwords are commonly hashed, and password attacks often try to exploit weaknesses in hashes. After hashes are explained, password attacks are explored. Other sections dig into the details of hashing, encryption, and PKI components.