Module 4: Cryptography and Compliance Pitfalls 


INTRODUCTION – Cryptography and Compliance Pitfalls


This module covers cryptography and encryption from a penetration tester's perspective. You will examine the recurring cryptographic problems organizations run into, especially during product development, and look at the three states in which data exists: data at rest, data in use, and data in transit. Hashing, and how it works alongside encryption, is also covered.

Learning Objectives

  • Summarize the effects of quantum computing on cryptography: understand the possible risks and benefits of quantum computing for existing cryptography.
  • Encrypt and decrypt emails with Mailvelope: integrate email encryption using Mailvelope.
  • Understand the OpenPGP protocol: develop an understanding of the OpenPGP standard for encrypting and signing data.
  • Encrypt and decrypt files with crypt: explore using crypt to encrypt and decrypt files.
  • Identify recommended methods to protect a key encryption key (KEK): understand ways to secure cryptographic keys, such as with hardware security modules (HSMs) or key management systems (KMS).
  • Discuss how encryption keys are safeguarded: recommended practices for securing encryption keys, including key rotation and proper storage.
  • List recommended uses for digital signatures: how digital signatures help ensure data authenticity and integrity.
  • Discuss how message authentication codes (MACs) work with hashing to ensure integrity: define the role MACs play in protecting the integrity of data during transmission.
  • Discuss additional considerations when hashing: understand the limitations and potential vulnerabilities of hashing, including collision resistance.
  • Recognize common mistakes with hashing: common pitfalls of hashing.

CRYPTOGRAPHY BASICS

1. Which of the cryptography basics ensures authentication, non-repudiation and integrity?

  • Hashing
  • Digital Signatures (CORRECT)
  • Public key encryption
  • Symmetric key encryption

Correct. Digital signatures provide authentication, non-repudiation, and integrity of data.

2. Complete the following statement: Data can be encrypted _____

  • at rest only.
  • in use only.
  • in transit only.
  • at rest, in use, and in transit. (CORRECT)

Correct. Data can be encrypted in all three states: at rest, in use, and in transit.

3. Which is NOT a pitfall of encryption?

  • Missing encryption of data and communications
  • Implementing a reliable and proven cryptography (CORRECT)
  • Using hardcoded/predictable weak keys
  • Relying on algorithms being secret

4. True or False: Internal commands are built into the shell program and are shell dependent.

  • True (CORRECT)
  • False

Correct. Internal commands are built into the shell program itself, so they are specific to that shell.

5. You are using the command line in Kali Linux. An encrypted file named topsecret.cpt is in your present working directory, and you used ccrypt to encrypt this file. You want to view the file’s plaintext content while leaving the file’s encryption intact. Which command should you use?

  • ccrypt -decrypt topsecret.cpt
  • ccrypt -x topsecret.cpt
  • ccat topsecret.cpt (CORRECT)
  • ccencrypt topsecret.cpt

Correct. ccat is part of the ccrypt tool. It prints the file's plaintext to the command line without modifying the encrypted file on disk.

OPENPGP

1. In what way does OpenPGP encryption protect email communication?

  • Prevents attackers from reading an email’s contents (CORRECT)
  • Prevents attackers from intercepting an email
  • Prevents attackers from blocking the transmission of the message
  • Prevents attackers from performing replay attacks

Correct. An attacker may well intercept your email, but they will not be able to read its contents. They will see only the encrypted data, known as ciphertext, which appears as gibberish.

2. You and a friend have each set up Mailvelope to encrypt your email communications. What must you use to decrypt encrypted messages that your friend sends you?

  • Your public key
  • Your private key password (CORRECT)
  • Your email account password
  • Your friend’s public key

Correct. To decrypt a message with Mailvelope, you enter the password you set when generating your key pair. That password protects your private key.

CRYPTOGRAPHY AND COMPLIANCE PITFALLS

1. True or False: A whole branch of hacking – Reverse Engineering – is devoted to discovering hidden algorithms and data.

  • True (CORRECT)
  • False

2. Which is not a key takeaway of best practices of cryptography?

  • Do use hard to guess keys and store them correctly.
  • Do rely on your own encryption algorithms. (CORRECT)
  • Do encrypt all sensitive data, at rest, in use, and in transit.
  • Do rely on proven algorithms.

3. What is the recommendation to avoid the encrypting data at rest pitfall “Using hardcoded/easily guessed keys”?

  • Select cryptographically random keys and do not reuse keys across different installs. (CORRECT)
  • Use new random initialization vectors every time.
  • Phase them out.
  • Store keys in secure keystores.

4. You are using the command line in Kali Linux. An encrypted file named confidential.cpt is in your present working directory, and you used ccrypt to encrypt this file. You just learned that the file’s encryption key is compromised, so you should change it for security purposes. Which command can you use to change the file’s encryption key?

  • ccrypt -K confidential.cpt
  • ccrypt -c confidential.cpt
  • ccrypt -u confidential.cpt
  • ccrypt -x confidential.cpt (CORRECT)

5. You need to send your coworker an encrypted message through email. For encryption, you will both use an OpenPGP-compliant program such as Mailvelope. Which key must you use to encrypt the message?

  • Your public key
  • Your coworker’s private key
  • Your coworker’s public key (CORRECT)
  • Your private key

CONCLUSION – Cryptography and Compliance Pitfalls

In summary, this module builds a solid understanding of cryptography and encryption as a penetration tester. It covers the common challenges organizations face when developing products, examines the different states of data, and explains the relationship between hashing and encryption and how to apply both when securing digital data.

It prepares you to spot cryptographic weaknesses and put in place sound security measures that make systems less likely to be compromised by an attacker.
