Back to FlashcardsInformation Technology / Security+ (SY0-701): Cryptographic Solutions Part 3
Security+ (SY0-701): Cryptographic Solutions Part 3
This deck covers key concepts and definitions related to cryptographic solutions, including random number generators, cryptoprocessors, key management, and data encryption states.
Define 'pseudo RNG (PRNG) software'
Tap or swipe ↕ to flip
Swipe ←→Navigate
1/30
Key Terms
Term
Definition
Define 'pseudo RNG (PRNG) software'
Software that is still deterministic, but able to approximate a high level of disorder
Define 'true random number generator (TRNG) hardware'
Generates random key values by sampling physical phenomena (noise/air movement) that has a high rate of entropy.
What is the drawback of storing a key pair or secret key on a host/file system running general purpose OS?
Could easily be compromised via user credential or physical theft of the device; Difficult to ensure that key access is fully audited.
What is best practice to securely monitor cryptographic keys?
Tamper evident; Immediately known when a private/secret key has been compromised.
Define a 'cryptoprocessor'
Dedicated hardware for key generation and storage and can decrypt and sign on behalf of applications.
What is the security benefit of a cryptoprocessor?
Creates smaller attack surface for key management because key material never leaves the cryptoprocessor.
Related Flashcard Decks
| Term | Definition |
|---|---|
Define 'pseudo RNG (PRNG) software' | Software that is still deterministic, but able to approximate a high level of disorder |
Define 'true random number generator (TRNG) hardware' | Generates random key values by sampling physical phenomena (noise/air movement) that has a high rate of entropy. |
What is the drawback of storing a key pair or secret key on a host/file system running general purpose OS? | Could easily be compromised via user credential or physical theft of the device; Difficult to ensure that key access is fully audited. |
What is best practice to securely monitor cryptographic keys? | Tamper evident; Immediately known when a private/secret key has been compromised. |
Define a 'cryptoprocessor' | Dedicated hardware for key generation and storage and can decrypt and sign on behalf of applications. |
What is the security benefit of a cryptoprocessor? | Creates smaller attack surface for key management because key material never leaves the cryptoprocessor. |
What are the two main implementations of cryptoprocessor hardware? |
|
Define a 'Trusted Platform Module (TPM)' | Implemented as a module within the CPU on a computer or mobile device. |
Define a 'Hardware security module (HSM)' | Implemented in a removable or dedicated form factor, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected security keys; Can be provisioned as a virtual appliance. |
How does a cryptoprocessor decrease attack surface? | Keys are not directly accessible via the file system. |
How do cryptoprocessors interact with applications that need to access a key? | Via an application programming interface (API) |
Define an 'Application programming interface (API)' | Mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. |
What is the mechanism implemented to mitigate vulnerabilities in cryptoprocessors? | A trusted execution environment (TEE) secure enclave |
Define a 'trusted execution environment (TEE) secure enclave' | CPU extensions that protects data stored in system memory so that an untrusted process cannot read it. |
What is a vulnerability with cryptoprocessors? | Decrypted data needs to be loaded into the computer's system memory (RAM) for applications to access it raising the potential for a malicious process to gain access to the data via some type of exploit. |
How do secure enclaves (Trusted Execution Environments, TEEs) protect API's moving data from a cryptoprocessor to another application? | Only authorized processes can have access, regardless if it has system/root privilege. |
What is the result of a misplaced/damaged cryptographic key? | Ciphertexts cannot be recovered unless a backup of the key has been made. |
Why is it against best practice to make backups of private keys or secret keys? | Problematic as it becomes more likely that a copy will be compromised and more difficult to detect that a compromise has occurred. |
What are controls to mitigate issues of making copies of a private key/secret key? |
|
Define 'Escrow' in key management | The storage of a backup key with a third party. |
Define 'M of N controls' in key management | An operation cannot be performed by a single individual; A quorum (M) of available persons (N) must agree to authorize the operation. |
How can risks of a compromised private key be reduced? | Splitting the key into parts, and each part being held by separate escrow providers. |
Define a 'key recovery agent (KRA)' | An account authorized to access a key held in escrow. |
What should be included in a key recovery policy to mitigate impersonation? | Require two or more KRAs to authorize an operation. |
How does encryption fulfill the goal of confidentiality? | Threat actor will not be able to understand or change what has been stolen. |
List the 3 states data can be described as? |
|
Define 'Data at rest' | When the data is in some sort of persistent storage media. |
Define 'Data in transit' | Data transmitted between two hosts, such as over a private network or the Internet. |
Define 'Data in use' | Data present in volatile memory, such as system RAM or CPU registers and cache. |
Define 'bulk encryption' | Encrypting megabytes or gigabytes of data. |