CompTIA Security+ 501 Summary Part 10

This is a summary of my notes on Chapter 10 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition.

Things to keep in mind:


  • CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
  • Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
  • Some things are repeated but this is simply to reinforce.

  • Hackers are referred to as actors.

  • Access Points are referred to as AP.



1. Encryption

Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses a private and public key, a matched pair, to encrypt and decrypt data. It requires a Public Key Infrastructure, PKI, to issue certificates. Anything encrypted with the public key can only be decrypted by the private key.

Stream ciphers encrypt data 1 bit at a time while block ciphers encrypt data in blocks. Block ciphers encrypt data in 64-bit blocks or 128-bit blocks. They divide large files into these blocks and encrypt them in sequence. Stream ciphers are more efficient because they encrypt in a continuous stream.

Digital signatures provide authentication, non-repudiation, and integrity. Emails can be signed with digital signatures which are hashes of an email message encrypted with the sender’s private key. The signature is then verified by using the sender’s public key to decrypt the hash.

Key stretching is when salt is added to passwords to make them more complex; salt is random additional bits. Bcrypt is based on the Blowfish block cipher, uses salt, and is used in Linux distributions to protect passwords stored in the shadow password file. PBKDF2 uses salts of at least 64 bits and uses a pseudo-random function such as HMAC to protect passwords. WPA2 uses PBKDF2.
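As an added example (not from the book or these notes), here is salted password storage with PBKDF2 using only Python's standard library. The iteration count supplies the extra work per guess and the salt makes each stored hash unique; the names `hash_password`, `verify_password` and the chosen parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16       # 128-bit salt, above the 64-bit minimum noted above


def hash_password(password, salt=None):
    """Return the record (salt, iterations, derived_key) to store for the account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, ITERATIONS, derived


def verify_password(password, record):
    """Recompute the key with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")   # constructed sample
    second = hash_password("correct horse battery staple")  # same password again
    print("verifies:", verify_password("correct horse battery staple", first))
    print("wrong password:", verify_password("Tr0ub4dor&3", first))
    # Different salts mean identical passwords do not share a stored hash.
    print("same stored hash:", first[2] == second[2])
```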

Initialization Vectors, IVs, provide starting values for cryptographic algorithms. Nonces are numbers used only once. An IV should be a Nonce. XOR compares two inputs and outputs True or False based on if the inputs are the same or different. True = 1, False = 0. Confusion means that ciphertext is significantly different than the plaintext that made it. Diffusion ensures that small changes in plaintext result in dramatic changes in ciphertext.
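The following added example (not from the book or these notes) shows why an IV should be a nonce, using XOR and a toy stream cipher. The keystream construction, key, nonces and messages are all constructed for illustration and are not a real cipher; when the nonce repeats, XORing two ciphertexts cancels the keystream and exposes the XOR of the plaintexts.

```python
import hashlib


def xor_bytes(a, b):
    """XOR two byte strings: each output bit is 1 where the inputs differ."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Toy keystream (constructed for this example only):
    SHA-256 over key || nonce || counter, repeated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """ciphertext = plaintext XOR keystream; running it again decrypts."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def keystream_cancels(key, nonce_a, nonce_b, p1, p2):
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream dropped out."""
    c1 = encrypt(key, nonce_a, p1)
    c2 = encrypt(key, nonce_b, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample values. A real system draws the nonce from a CSPRNG
# or a counter that never repeats under the same key.
KEY = bytes(range(32))
NONCE_A = b"\x00" * 12
NONCE_B = b"\x01" * 12
P1 = b"transfer 0100 to account A"
P2 = b"transfer 9999 to account B"

if __name__ == "__main__":
    print("nonce reused :", keystream_cancels(KEY, NONCE_A, NONCE_A, P1, P2))
    print("fresh nonces :", keystream_cancels(KEY, NONCE_A, NONCE_B, P1, P2))
```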

RADIUS uses symmetric encryption. AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES uses 128-bit, 192-bit, or 256-bit keys. DES and 3DES are block ciphers that encrypt data in 64-bit blocks. 3DES was originally designed as a replacement for DES, but AES was selected as the standard. 3DES is still used when legacy hardware does not support AES.

RC4 is a strong symmetric stream cipher. Blowfish is a 64-bit block cipher and Twofish is a 128-bit block cipher. Although NIST recommends AES as the standard, Blowfish is faster than AES-256.

RSA encryption is widely used. Two primary categories of asymmetric keys are static and ephemeral. A static key is semi-permanent and stays the same over a long period. Ephemeral keys have short lifespans and are re-created for each session. RSA uses static keys.

Perfect Forward Secrecy is an important characteristic that ephemeral keys comply with in asymmetric encryption. It indicates that a cryptographic system generates random public keys for each session and it doesn’t use a deterministic algorithm to do so. Given the same input, the algorithm will create a different public key each time. Keys should not be reused in a Perfect Forward Secrecy scheme.

Diffie-Hellman is a secure method of sharing symmetric encryption keys over a public network. Elliptic curve cryptography is commonly used with small wireless devices because they have less power. ECDHE is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys.
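To make ephemeral keys and Diffie-Hellman concrete, this added example (not from the book or these notes) runs a finite-field exchange in which both sides create new key pairs for every session. The group parameters `P` and `G` are toy values assumed for illustration; production systems use standardized groups or ECDHE from a vetted library.

```python
import hashlib
import secrets

# Toy parameters assumed for this example only: P is the prime 2**255 - 19
# and G = 2. Do not reuse these for real key exchange.
P = 2**255 - 19
G = 2


def new_ephemeral_keypair():
    """Create a private value used for one session only, plus its public value."""
    private = secrets.randbelow(P - 3) + 2   # random value in [2, P - 2]
    public = pow(G, private, P)
    return private, public


def session_key(own_private, peer_public):
    """Combine own private value with the peer's public value, then hash the
    shared secret into a 256-bit symmetric key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def run_session():
    """One handshake: only the public values cross the network."""
    a_priv, a_pub = new_ephemeral_keypair()
    b_priv, b_pub = new_ephemeral_keypair()
    key_a = session_key(a_priv, b_pub)   # computed by side A
    key_b = session_key(b_priv, a_pub)   # computed by side B
    # The private values go out of scope here and are never stored, so a later
    # compromise of either host cannot recompute this session's key.
    return key_a, key_b, (a_pub, b_pub)


if __name__ == "__main__":
    k1a, k1b, pubs1 = run_session()
    k2a, k2b, pubs2 = run_session()
    print("both sides agree   :", k1a == k1b and k2a == k2b)
    print("sessions share key :", k1a == k2a)
    print("public values reused:", pubs1 == pubs2)
```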

Secure/Multipurpose Internet Mail Extensions, S/MIME, is one of the most popular standards for digitally signing and encrypting email. It uses RSA for asymmetric and AES for symmetric encryption. Pretty Good Privacy is another method to secure email communication. OpenPGP is a PGP-based standard created to avoid conflict with existing licensing.


2. Certificates and PKI

Asymmetric Encryption requires a PKI and an issued Certificate. Certificates contain a lot more information than just the public key:


  • Serial Number = uniquely identifies the certificate.

  • Issuer = identifies the Certificate Authority, or CA, that issued the cert.

  • Validity Dates = Valid from and Valid till dates.

  • Subject = identifies the owner of the cert.

  • Public Key = public key.

  • Usage = some certs are only used for encryption or authentication.


A Public Key Infrastructure, PKI, is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A Certificate Authority, CA, issues, manages, validates, and revokes certificates. A CA is similar to a DMV which issues driver licenses. CAs are trusted by placing a copy of their root certificate into a trusted root CA store. The root certificate is the first certificate created by the CA that identifies it, and the store is just a collection of these root certificates. If the CA’s root certificate is placed in this store, all certificates issued by this CA are trusted.

You typically request certificates using a certificate signing request, CSR. The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in the CSR and the CA will embed the public key in the certificate. The private key is not sent to the CA. Most CAs require CSRs to be formatted to the Public-Key Cryptography Standards, PKCS, #10 specification. After receiving the CSR, the CA validates my identity and creates a certificate with the public key.

CAs can revoke certificates for several reasons such as when the private key is compromised or the CA is compromised. The certificate revocation list, CRL, includes a list of revoked certificates and is publicly available. An alternative to using a CRL is the Online Certificate Status Protocol, OCSP, which returns answers such as good, revoked, or unknown. OCSP stapling appends a digitally signed OCSP response to a certificate.

Certificate stapling is an alternative to OCSP. The certificate presenter (such as a web server) appends a timestamped, digitally signed OCSP response from the CA to the certificate. This reduces OCSP traffic to and from the CA. Public key pinning helps prevent attackers from impersonating a web site with a fraudulent certificate. The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions.

Key escrow is the process of placing a copy of a private key in a safe environment. A key recovery agent is a designated individual who can recover or restore cryptographic keys.

Certificates are sometimes identified based on their usage. The following bullets describe some common certificate types:


  • Machine/Computer = Certificates issued to a device or a computer are commonly called machine certificates or computer certificates.

  • User = Certificates can also be issued to users.

  • Email = The two uses of email certificates are for encryption of emails and digital signatures.

  • Code signing = Developers often use code signing certificates to validate the authentication of executable applications or scripts.

  • Self-signed = A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates.

  • Wildcard = A wildcard certificate starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.

  • SAN = A Subject Alternative Name (SAN) is used for multiple domains that have different names, but are owned by the same organization. It is most commonly used for systems with the same base domain names, but different top-level domains.

  • Domain validation = A domain-validated certificate indicates that the certificate requestor has some control over a DNS domain. The CA takes extra steps to contact the requestor such as by email or telephone.

  • Extended validation = Extended validation certificates use additional steps beyond domain validation.
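The wildcard and SAN entries above can be checked with a small hostname matcher. This is an added example (not from the book or these notes) and it goes beyond the bullets by applying the usual TLS matching rule that a wildcard covers exactly one left-most label; the certificate name lists are constructed samples.

```python
def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label and stands for
    exactly one label, so *.example.com covers mail.example.com but not
    example.com or a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (w*.example.com), wildcards outside the first
    # label, and wildcards directly over a top-level domain such as *.com.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(names, hostname):
    """True if any name listed in the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in names)


# Constructed samples: one wildcard certificate and one SAN certificate with
# the same base name under different top-level domains.
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "example.net", "example.org"]

if __name__ == "__main__":
    for host in ("mail.example.com", "example.com", "a.b.example.com"):
        print(host, "wildcard:", certificate_covers(WILDCARD_CERT, host))
    for host in ("example.net", "example.io"):
        print(host, "SAN:", certificate_covers(SAN_CERT, host))
```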


Most certificates use one of the X.509 v3 formats. Certificates are typically stored as binary files or as BASE64 American Standard Code for Information Interchange (ASCII) encoded files. Binary files are stored as 1s and 0s. BASE64 encoding converts the binary data into an ASCII string format.

The base format of certificates is Canonical Encoding Rules, CER, or Distinguished Encoding Rules, DER. CER and DER formats are defined by the International Telegraph Union Telecommunication Standardization Sector, ITU-T, in the X.690 standard. Certificate files can have many extensions, such as .crt, .cer, .pem, .key, .p7b, .p7c, .pfx, and .p12. PEM is derived from the Privacy Enhanced Mail format, but that is misleading. It implies that PEM-based certificates are used for email only. However, PEM-based certificates can be used for just about anything.
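Because the file extension says little about what a file holds, a loader should decide between binary DER and BASE64 PEM from the content itself. The sketch below is an added example (not from the book or these notes); `load_der`, `to_pem` and the placeholder bytes are assumptions, and the sample is not a real certificate.

```python
import base64
import re

# PEM wraps BASE64 text between matching BEGIN/END lines that carry a label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def load_der(data):
    """Return (encoding, label, der_bytes), judged by content, not extension."""
    match = PEM_RE.search(data)
    if match:
        label = match.group(1).decode("ascii")
        body = b"".join(match.group(2).split())      # drop line breaks
        return "PEM", label, base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":   # binary DER starts with an ASN.1 SEQUENCE tag
        return "DER", None, data
    raise ValueError("content is neither PEM nor DER")


def to_pem(der, label="CERTIFICATE"):
    """Convert binary DER to PEM: BASE64 in 64-character lines plus headers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    name = label.encode("ascii")
    return (b"-----BEGIN %s-----\n" % name
            + b"\n".join(lines)
            + b"\n-----END %s-----\n" % name)


# Constructed placeholder: a SEQUENCE header followed by 100 filler bytes.
SAMPLE_DER = bytes([0x30, 0x64]) + bytes(range(100))

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem.decode("ascii"))
    print(load_der(pem)[:2], load_der(SAMPLE_DER)[:2])
    # The label, not the extension, shows whether a file holds key material.
    print(load_der(to_pem(SAMPLE_DER, "PRIVATE KEY"))[1])
```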