Answer Description

The term Trusted Operating System (TOS) refers to an operating system that has been certified to have a certain level of security. The requirement of this certification are defined in the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC). Many organizations (especially governments) may only use operating systems certified as Trusted OS's.

Wikipedia

Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC). The Common Criteria is the result of a multi-year effort by the governments of the U.S., Canada, United Kingdom, France, Germany, the Netherlands and other countries to develop a harmonized security criteria for IT products.

Answer Description

Online Certificate Status Protocol (OCSP) is used for obtaining the status of X.509 digital certs.

Wikipedia

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers (Firefox) use OCSP to validate HTTPS certificates, while others have disabled it. Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.

Answer Description

In PKI data encrypted using a public key can only be decrypted by the public key's private pair. James needs to send the email so only Bob can decrypt it, so he will use Bob's public key. When Bob gets the email he will use his private key to decrypt it, therefor ensuring confidentiality.

Wikipedia

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication. Email is prone to the disclosure of information. Most emails are encrypted during transmission, but they are stored in clear text, making them readable by third parties such as email providers. By default, popular email services such as Gmail and Outlook do not enable end-to-end encryption. By means of some available tools, persons other than the designated recipients can read the email contents.Email encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while keeping secret a private key they can use to decrypt such messages or to digitally encrypt and sign messages they send.

Answer Description

A Virtual Local Area Network (VLAN) provides a logical or virtual way to separate areas of a network. This means devices can physically share the same network infrastructure (e.g. using a common switch) but remain separated from each other on the network.

Wikipedia

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed. VLANs allow network administrators to group hosts together even if the hosts are not directly connected to the same network switch. Because VLAN membership can be configured through software, this can greatly simplify network design and deployment. Without VLANs, grouping hosts according to their resource needs the labor of relocating nodes or rewiring data links. VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another. This managed sharing yields gains in simplicity, security, traffic management, and economy. For example, a VLAN can be used to separate traffic within a business based on individual users or groups of users or their roles (e.g. network administrators), or based on traffic characteristics (e.g. low-priority traffic prevented from impinging

Answer Description

Subject Alternative Name Certificates are public certificates with a list of alternative domains, sub domains and/or IP addresses that can also use the certificate. For example CrucialExams.com, www.CrucialExams.com, api.CrucialExams.com and the IP 4.5.4.5 all in a single cert. Wildcards are a close alternative that supports any sub domain (e.g. *.google.com) but a wildcard could not also be used for gmail.com. To use a single certificate for a sub-domain and entirely different domain a SAN must be used.

Wikipedia

Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called Subject Alternative Names (SANs). Names include:Email addresses IP addresses URIs DNS names: this is usually also provided as the Common Name RDN within the Subject field of the main certificate. Directory names: alternative Distinguished Names to that given in the Subject. Other names, given as a General Name or Universal Principal Name: a registered object identifier followed by a value. RFC 2818 (May 2000) specifies Subject Alternative Names as the preferred method of adding DNS names to certificates, deprecating the previous method of putting DNS names in the commonName field. Google Chrome version 58 (March 2017) removed support for checking the commonName field at all, instead only looking at the SANs.

Answer Description

A Self Encrypting Drive (SED) is a type of hard drive that automatically encrypted all data saved to the disk. It is a hardware based encryption meaning that a circuit built in the disk drive controller handles the encrypted/decryption itself. All contents of the drive are encrypted including the operating system and any user files or documents.

Answer Description

Trusted Platform Module (TPM) is a chip embedded into a device's motherboard. TPM's provide a way for the device to securely store certain important artifacts like passwords and cryptographic keys.

Wikipedia

Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard. One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware attacks.

Answer Description

Data Encryption Standard (DES) is a symmetric-key algorithm used for encryption. RSA, PGP/GPG and DSA are all asymmetric.

Wikipedia

The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the National Security Agency (NSA), the NBS selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977.The publication of an NSA-approved encryption standard led to its quick international adoption and widespread academic scrutiny. Controversies arose from classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, raising suspicions about a backdoor. The S-boxes that had prompted those suspicions were designed by the NSA to remove a backdoor they secretly knew (differential cryptanalysis). However, the NSA also ensured that the key size was drastically reduced so that they could break the cipher by brute force attack. The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis. DES is insecure due to the relatively short 56-bit key size. In January 1999, distributed.net

Answer Description

Code signing can be used to digitally sign a program's executable or script files. This allows the person/computer running the application or script to verify it's authenticity as well as ensuring it has not been altered since the developer created it.

Wikipedia

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. Code signing was invented in 1995 by Michael Doyle, as part of the Eolas WebWish browser plug-in, which enabled the use of public-key cryptography to sign downloadable Web app program code using a secret key, so the plug-in code interpreter could then use the corresponding public key to authenticate the code before allowing it access to the code interpreter’s APIs. Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other metadata about an object.The efficacy of code signing as an authentication mechanism for software depends on the security of underpinning signing keys. As with other public key infrastructure (PKI) technologies, the integrity of the system relies on publishers securing their private keys against unauthorized access. Keys stored in software on general-purpose computers are susceptible to compromise. Therefore,

Answer Description

For existing systems the best option to add additional hardware based encryption functionalities is using a Hardware Security Module (HSM). HSM's are usually stand alone devices that can be used by other systems or expansion cards that can be added. Trusted Platform Module could provide similar functionalities but are permanently embedded into a system, so to use a TPM the systems falling under this new policy would need to be replaced with new hardware that has a TPM.

Wikipedia

Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard. One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware attacks.

Answer Description

Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in Public Key Infrastructure (PKI). It allows for establishing shared secrets between two parties.

Wikipedia

Answer Description

This setup is best known as an air gap. In network an air gap means two or more networks are physically separated from each other to ensure no data can traverse from one to the other. Generally if a network is so critical it requires an air gap it will be a completely stand alone network with no access to other networks and especially the internet. A true air gap is not common in most businesses, but some known examples are government or military networks, highly critical infrastructure networks like nuclear power plant controls and financial systems like stock exchanges.

Wikipedia

An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interface controllers connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.

Answer Description

This type of network setup is called an Extranet. An extranet is a private network that allows access to certain authorized parties. Most commonly this would be to share systems like a file server between two companies that have created a long-term partnership.

Wikipedia

An extranet is a controlled private network that allows access to partners, vendors and suppliers or an authorized set of customers – normally to a subset of the information accessible from an organization's intranet. An extranet is similar to a DMZ in that it provides access to needed services for authorized parties, without granting access to an organization's entire network. Historically, the term was occasionally also used in the sense of two organizations sharing their internal networks over a virtual private network (VPN).

Answer Description

Defense-in-depth is a concept that covers security from many different angles. The idea is to apply security measures wherever possible including physical controls like fences, technical controls like firewalls and administrative concepts like policies and user training. Defense-in-depth is a concept meant to ensure all possible security measures are taken into account.

Wikipedia

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.

Answer Description

Using a Hash or Hashing data converts information using a one way function. This means it cannot be converted back into it's original format. This is ideal for storing things like passwords so even if the list of hashed passwords is lost they cannot be easily "decrypted."

Wikipedia

A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n {\displaystyle n} bits) that has special properties desirable for a cryptographic application:the probability of a particular n {\displaystyle n} -bit output result (hash value) for a random input string ("message") is 2 − n {\displaystyle 2^{-n}} (as for any good hash), so the hash value can be used as a representative of the message; finding an input string that matches a given

Answer Description

This type of system is called a honeypot or honeynet. A honeypot is a system created specifically to attract hackers and act as a decoy system. Most likely it will have some obvious vulnerability like a misconfigured proxy or firewall to attract attackers. You can think of it as the digital equivalent of a string operation. By creating an easy target you can avoid attacks on the productive network and also learn what types of vulnerabilities and attack types exist in the honeypot/net to better protect the productive network.

Wikipedia

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.The main use for this network decoy is to distract potential attackers from more important information and machines on the real network, learn about the forms of attacks they can suffer, and examine such attacks during and after the exploitation of a honeypot. Given the increase in attacks, it is relevant to have a way to prevent and see vulnerabilities in a specific network system. That is, a decoy is used to protect a network from present or future attacks.

Answer Description

This type of WiFi network is called Guest WiFi. Guest WiFi's are intended for external users like subcontractors or 3rd party partners. It could also be permitted for employees personnel devices. In some cases the Guest WiFi may also allow restricted access to internal resources, but this needs to be properly secured to ensure access is limited as much as possible.

Answer Description

A wildcard domain applies to the domain and any subdomains. For example a certificate for *.google.com could be used on mail.google.com, photos.google.com, etc. This way it is not necessary to create and manage individual certificates for all of these sub domains.

Wikipedia

In computer networking, a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each sub-domain. Multi-domain wildcard certificates further simplify the complexity and reduce costs by securing multiple domains and their sub-domains.

Answer Description

3DES or Triple DES applies the DES algorithm three times. DES uses 16 rounds so we can conclude that 3 DES performs 48 (3 * 16 = 48)

Wikipedia

In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, NIST has deprecated DES and 3DES for new applications in 2017, and for all applications by the end of 2023. It has been replaced with the more secure, more robust AES. While the government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this namesake has since come into wide use by most vendors, users, and cryptographers.

Answer Description

It is okay to share a public certificate stored in a .CER file. However a .PFX file (called a PKCS 12 archive) because it also includes the private key which should never be shared!

Wikipedia

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories. The filename extension for PKCS #12 files is .p12 or .pfx.These files can be created, parsed and read out with the OpenSSL pkcs12 command.