Security+ (SY0-701): Cryptographic Solutions Part 4
This deck covers key concepts and definitions related to cryptographic solutions as outlined in the Security+ (SY0-701) Lesson 3, Part 4. It includes encryption methods, protocols, and security features.
Key Terms
| Term | Definition |
|---|---|
| What encryption method is best suited for bulk encryption? | Symmetric encryption, due to the overhead of asymmetric encryption. |
| Define an 'encryption level' | Depth of encryption, ranging from more granular (file/folder or row/record) to less granular (volume/partition/disk or database). |
| Define 'Full-disk encryption (FDE)' | Disk/drive firmware that encrypts the full contents of a storage device, including metadata and free space. |
| What is the purpose of Full-disk encryption (FDE)? | Protects against physical theft of the disk. |
| What is a software/firmware alternative to Full-disk encryption (FDE)? | A self-encrypting drive (SED). |
| Define a 'self-encrypting drive (SED)' | Storage device (SSD/HDD/USB) with cryptoprocessor firmware that can perform self-encryption and store keys. |
| Define a 'volume' | Any storage resource with a single file system; the way the OS 'sees' a storage resource. |
| What can be defined as a 'volume'? | A removable disk; a partition on an HDD or SSD; a RAID array. |
| What makes self-encrypting drives less secure? | They typically encrypt only volumes and are implemented as a software application rather than disk firmware. |
| What is the difference between 'Full-disk encryption (FDE)' and 'self-encrypting drive (SED) software'? | Self-encrypting drive (SED) software may or may not encrypt free space and/or metadata. |
| Define a 'file encryption product' | Software that applies encryption to individual files (or perhaps to folders/directories). |
| What products are defined as a self-encrypting drive? | Microsoft's BitLocker and Apple's FileVault products perform volume encryption. |
| What are the two methods of encrypting a database? | Database/page-level encryption and record-level encryption. |
| Define how 'Database/Page-Level Encryption' functions | All records and logs are encrypted while they are stored on disk. |
| How does 'Database/Page-Level Encryption' manage the transfer of data between an application and storage? | Encryption and decryption occur whenever data is transferred between disk and memory. |
| Define how 'Record-Level Encryption' is implemented | The DBA determines which fields need encryption, using asymmetric encryption. |
| How does 'Record-Level Encryption' or 'Cell/column encryption' leverage PKI? | By storing the private key used to unlock the value of a cell outside of the database. |
| How does 'Record-Level Encryption' protect the transfer of data between storage and an application? | Data remains encrypted when loaded into memory; it is only decrypted when the client application supplies the key to the DBMS. |
| Define 'Transport/communication encryption' and its function | Protects data in motion using key exchange. |
| Define 'key exchange' | Any method by which cryptographic keys are transferred between users, enabling the use of a cryptographic algorithm. |
| What protocols are commonly used for Transport/communication encryption? | Wi-Fi Protected Access (WPA), Internet Protocol Security (IPsec), Transport Layer Security (TLS). |
| Define 'Wi-Fi Protected Access (WPA)' and its purpose | Securing traffic sent over a wireless network. |
| Define 'Internet Protocol Security (IPsec)' and its purpose | Securing traffic sent between two endpoints over a public or untrusted transport network, referred to as a VPN. |
| Define 'Transport Layer Security (TLS)' and its purpose | Securing application data, such as web or email data, sent over a public or untrusted network. |
| What protocol is used to ensure integrity/confidentiality of transport encryption? | The cryptographic protocol 'Hash-based Message Authentication Code (HMAC)'. |
| Define the purpose and function of 'Hash-based Message Authentication Code (HMAC)' | Provides confidentiality/integrity for a message by combining a cryptographic hash of the data with a symmetric secret key. |
| Define the function of 'Perfect Forward Secrecy (PFS)' | Periodically creates a new key value based on data supplied by both parties in the exchange. |
| What is the security benefit of 'Perfect Forward Secrecy (PFS)'? | Ensures that if a key is compromised, the compromise will only affect a single session and will not facilitate recovery of plaintext data from other sessions. |
| What cipher does Perfect Forward Secrecy (PFS) use to implement new session keys? | Diffie-Hellman (D-H) key agreement, to create ephemeral session keys. |
| Define an 'ephemeral session key' | A key created by Diffie-Hellman (D-H) that is used within the context of a single session only. |