Information Technology /Security+ (SY0-701): Cryptographic Solutions Part 3
Security+ (SY0-701): Cryptographic Solutions Part 3
This deck covers key concepts and definitions related to cryptographic solutions, including random number generators, cryptoprocessors, key management, and data encryption states.
Define 'pseudo RNG (PRNG) software'
Software that is still deterministic, but able to approximate a high level of disorder
Tap or swipe ↕ to flip
Swipe ←→Navigate
SSpeak
FFocus
1/30
Key Terms
Term
Definition
Define 'pseudo RNG (PRNG) software'
Software that is still deterministic, but able to approximate a high level of disorder
Define 'true random number generator (TRNG) hardware'
Generates random key values by sampling physical phenomena (noise/air movement) that has a high rate of entropy.
What is the drawback of storing a key pair or secret key on a host/file system running general purpose OS?
Could easily be compromised via user credential or physical theft of the device; Difficult to ensure that key access is fully audited.
What is best practice to securely monitor cryptographic keys?
Tamper evident; Immediately known when a private/secret key has been compromised.
Define a 'cryptoprocessor'
Dedicated hardware for key generation and storage and can decrypt and sign on behalf of applications.
What is the security benefit of a cryptoprocessor?
Creates smaller attack surface for key management because key material never leaves the cryptoprocessor.
Related Flashcard Decks
Study Tips
- Press F to enter focus mode for distraction-free studying
- Review cards regularly to improve retention
- Try to recall the answer before flipping the card
- Share this deck with friends to study together
| Term | Definition |
|---|---|
Define 'pseudo RNG (PRNG) software' | Software that is still deterministic, but able to approximate a high level of disorder |
Define 'true random number generator (TRNG) hardware' | Generates random key values by sampling physical phenomena (noise/air movement) that has a high rate of entropy. |
What is the drawback of storing a key pair or secret key on a host/file system running general purpose OS? | Could easily be compromised via user credential or physical theft of the device; Difficult to ensure that key access is fully audited. |
What is best practice to securely monitor cryptographic keys? | Tamper evident; Immediately known when a private/secret key has been compromised. |
Define a 'cryptoprocessor' | Dedicated hardware for key generation and storage and can decrypt and sign on behalf of applications. |
What is the security benefit of a cryptoprocessor? | Creates smaller attack surface for key management because key material never leaves the cryptoprocessor. |
What are the two main implementations of cryptoprocessor hardware? |
|
Define a 'Trusted Platform Module (TPM)' | Implemented as a module within the CPU on a computer or mobile device. |
Define a 'Hardware security module (HSM)' | Implemented in a removable or dedicated form factor, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected security keys; Can be provisioned as a virtual appliance. |
How does a cryptoprocessor decrease attack surface? | Keys are not directly accessible via the file system. |
How do cryptoprocessors interact with applications that need to access a key? | Via an application programming interface (API) |
Define an 'Application programming interface (API)' | Mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. |
What is the mechanism implemented to mitigate vulnerabilities in cryptoprocessors? | A trusted execution environment (TEE) secure enclave |
Define a 'trusted execution environment (TEE) secure enclave' | CPU extensions that protects data stored in system memory so that an untrusted process cannot read it. |
What is a vulnerability with cryptoprocessors? | Decrypted data needs to be loaded into the computer's system memory (RAM) for applications to access it raising the potential for a malicious process to gain access to the data via some type of exploit. |
How do secure enclaves (Trusted Execution Environments, TEEs) protect API's moving data from a cryptoprocessor to another application? | Only authorized processes can have access, regardless if it has system/root privilege. |
What is the result of a misplaced/damaged cryptographic key? | Ciphertexts cannot be recovered unless a backup of the key has been made. |
Why is it against best practice to make backups of private keys or secret keys? | Problematic as it becomes more likely that a copy will be compromised and more difficult to detect that a compromise has occurred. |
What are controls to mitigate issues of making copies of a private key/secret key? |
|
Define 'Escrow' in key management | The storage of a backup key with a third party. |
Define 'M of N controls' in key management | An operation cannot be performed by a single individual; A quorum (M) of available persons (N) must agree to authorize the operation. |
How can risks of a compromised private key be reduced? | Splitting the key into parts, and each part being held by separate escrow providers. |
Define a 'key recovery agent (KRA)' | An account authorized to access a key held in escrow. |
What should be included in a key recovery policy to mitigate impersonation? | Require two or more KRAs to authorize an operation. |
How does encryption fulfill the goal of confidentiality? | Threat actor will not be able to understand or change what has been stolen. |
List the 3 states data can be described as? |
|
Define 'Data at rest' | When the data is in some sort of persistent storage media. |
Define 'Data in transit' | Data transmitted between two hosts, such as over a private network or the Internet. |
Define 'Data in use' | Data present in volatile memory, such as system RAM or CPU registers and cache. |
Define 'bulk encryption' | Encrypting megabytes or gigabytes of data. |