4472 - Security Final Flashcards

1
Q

What is Kerckhoffs's Principle?

A

security should be based on the secrecy of the key, not of the encryption scheme; assume that the encryption scheme is publicly known

2
Q

What is the ‘don’t roll your own’ principle?

A

crypto algorithms are very easy to get wrong, don’t make any yourself

3
Q

What is a brute force attack?

A

trying every key and/or message until one “works”

4
Q

A system that can be broken in 2^128 operations has how many bits of security?

A

128

5
Q

What are bits of security?

A

exponential value describing how many operations are necessary to recover a message or key for a cryptosystem

6
Q

What defines a negligible quantity?

A

a value that is less than one over any polynomial function with degree less than or equal to the security parameter

7
Q

What is a security parameter?

A

a variable that measures the input size of the computational problem

8
Q

What is the security parameter (k) in an RSA cryptosystem?

A

it is the length in bits of the modulus n, where n is a number in the set 0….(2^k) - 1

9
Q

What criteria must be met for indistinguishability?

A

probability that you can tell the difference between two things is less than the negligible quantity

10
Q

What are pseudo random functions?

A

random mapping of inputs to outputs, many-to-one mappings may exist, not necessarily invertible

11
Q

What are pseudo random permutations?

A

random mapping of inputs to outputs, one to one mapping, image and pre-image sets are equivalent, unique inverse for every element

12
Q

What is an “oracle”?

A

like a black box, ask a question get an answer

13
Q

What is the hierarchy of security levels?

A

IND-CCA2 -> IND-CCA1 -> IND-CPA -> IND-EAV

14
Q

How is IND-CCA2 achieved?

A

message authentication codes; you need to be able to only create a valid ciphertext with knowledge of a secret key

15
Q

How is IND-CPA achieved?

A

by using randomized encryption; encrypting the same message twice should give two completely different results

16
Q

How is IND-EAV achieved?

A

you should have negligible advantage in telling the difference between ciphertexts

17
Q

What are block ciphers used for?

A

for efficient bulk encryption of data

18
Q

What is the ideal functionality for block ciphers?

A

pseudo-random permutation, secret key determines permutation, fixed length input maps to fixed length outputs

19
Q

What security level is the ECB cipher?

A

Not even EAV-Secure

20
Q

What does CBC mode require?

A

an initialization vector (IV)

21
Q

What does CTR mode require?

A

an initialization vector (IV)

22
Q

What is the benefit of CTR mode over CBC mode?

A

random access, no decryption function needed

23
Q

What must an IV be to avoid encryption oracle attacks?

A

unpredictable to adversary (secret)

24
Q

What is the block size for AES?

A

128

25
What are the bit key options for AES?
128, 192, 256
26
What are hashes used for typically?
checking file integrity, storing passwords, making certain operations more efficient
27
What is pre-image resistance?
given a hash y, it should be difficult to find an x such that h(x) = y
28
What is second pre-image resistance?
given a pre-image x, it should be difficult to find a second pre-image y such that h(x) = h(y)
29
What is collision resistance?
it should be hard to find any pair such that h(x) = h(y)
30
MD5 has how many images?
128
31
SHA-1 has how many images?
160
32
SHA-256 has how many images?
260
33
Is MD5 collision resistant?
no
34
Is SHA-1 collision resistant?
yes, up to 2^80
35
Is SHA-256 collision resistant?
yes, 128 bits of collision resistance
36
What are MACs for?
verifying the integrity of a message by associating a fixed length value (tag) to it
37
What is a MAC tag derived from?
a secret key and a message
38
What is the ideal functionality of a MAC?
like a keyed hash, variable length input maps to fixed length output
39
What is authenticated encryption?
a means of securely packaging a cipher with a MAC under one common interface; prevents a plaintext from being returned without a valid MAC. Uses the encrypt-then-MAC strategy
40
Encryption key, MAC key and IV must be what for authenticated encryption to work?
independently generated
41
What distinguishes asymmetric key primitives?
the existence of both a key for performing public operations and a key for performing private operations
42
what is the discrete logarithm problem?
given a = g^x mod p, find x
43
what makes the discrete logarithm problem hard? under what circumstances?
if g generates a cyclic group of large, prime order 'q'
44
what are the keys in DHE?
private key: randomly generated number between 1
45
What is the Diffie-Hellman problem?
given g, g^a and g^b, compute g^ab
46
why do we hash messages before signing them?
because RSA can't handle operations longer than the modulus size, so for a 2048 bit RSA you can't sign any messages longer than 256 bits - which is why we use a hashing algorithm like sha-256, since it will always have a 256 bit output (fixed length outputs of hash are crucial to RSA)
47
what is different about ephemeral DH vs regular DH?
private keys are newly generated for each connection
48
If EVE sends her public key to ALICE and ALICE accepts it as BOB's key will EVE be able to sign any message? what protects against this?
Yes she will, certificates or some higher level protocol security
49
Explain RSA encryption
I give an open padlock to everyone to which only I know the combination. They write a message in a box and lock it using the padlock. Anyone can create the locked box but only I can unlock it and read the message
50
What is the basis for the "hardness" of RSA
factoring the two large prime numbers; given n=pq find p and q (which are both large prime numbers)
51
why is RSA not IND-CCA2?
because it is multiplicatively homomorphic, meaning that the product of two ciphertexts is equivalent to the encryption of the product of the corresponding plaintexts
52
How can you make RSA IND-CCA secure?
by padding it with a scheme like OAEP
53
what are digital signatures for?
linking an identity to a message
54
the private key for digital signatures is used for verifying (T/F)
F; it is used for signing - only the key holder should be able to sign messages associated with their key pair
55
the public key for digital signatures is used for verifying (T/F)
T; anyone should be able to verify that a signature relates to a relative party's verification key
56
what margin does NIST suggest for efficient modulo bias solver
64 bits of margin for generating 256 bit numbers
57
what does verification accept? what does it output
a message, verification key and signature; outputs success if the signature is valid, outputs fail otherwise
58
what is a universal forgery?
an attacker can create a valid signature on any type of message
59
what is a selective forgery?
an attacker can create a valid signature on some message that was chosen ahead of time
60
what is an existential forgery?
an attacker can create a valid signature on some messages but doesn't necessarily have control over what the message is, and it may not make sense
61
signatures are usually performed on what? why?
the hash of the message; for efficiency reasons
62
how does padded RSA solve the problem of existential forgery in unpadded RSA?
it makes the signature "non-malleable", meaning that linear operations on ciphertext do not result in linear operations on plaintext
63
cryptograms can replace what with ECC?
their basis; if they are based on the hardness of solving discrete logarithmic functions they can replace that with ECC
64
what are the two flavours of ECC and what are their advantages?
EC over GF(2^m); fast in hardware | EC over GF(p); fast in software
65
What are the pros of ECC?
- point multiplication is faster than the analogous modular exponentiation | - public keys are smaller than their integer counterparts
66
What are the cons of ECC?
- harder/more complex to implement and understand | - some concerns over backdoors in some common curve parameters
67
what is NIST?
a standard for information system security
68
what does NIST require as a minimum security level in terms of bits?
112
69
based on NIST what must symmetric keys (block cipher/MAC) be greater than or equal to?
112
70
for hash functions based on NIST what needs to be true in order for there to be pre-image and second pre-image resistance? what about collision resistance?
output length >=112 (image) | output length >=224 (collision)
71
for DHE and DSA based on NIST what must the prime modulus and group order be?
p >= 2048 | q >= 224
72
for ECDHE and ECDSA based on NIST what must the prime modulus and group order be?
p >= 224 | q >= 224
73
for RSA encryption based on NIST what must be true?
n>=2048 | p,q >= 1024
74
what is the rate for AES/SHA hashes on a CPU?
2^30 per second
75
how long does it take to find an MD5 hash collision on a modern computer?
about 5 minutes shit is broke af
76
what is a certificate?
a document used to authenticate a signature verification key
77
what does a certificate prevent?
man in the middle attacks
78
what is a certificate revocation list
a signed list of certificates held by a certificate authority that have been revoked prior to some expiration date
79
What are some common reasons for a certificate to be on a certificate revocation list?
part of it is being updated, an entity has shut down, server's private key is compromised
80
what does the TLS cipher suite specify?
KSCH - key exchange algorithm - signature algorithm - cipher and mode of operation - hashing function
81
what is entropy relating to passwords?
how many bits of information it takes to encode a password - considers not just how many possibilities there are but the probability of each password occurring
82
High entropy passwords are what?
harder to guess
83
how do web servers store passwords to prevent passwords getting exposed if the database is illegally accessed?
hashing
84
what are the pros and cons of password hashing?
pros: attackers can't guess passwords outright, they need to guess, hash it, then check it | cons: the same password maps to the same hash, so if one password is guessed everyone with that same hash is exposed; attackers can prebuild large dictionaries or rainbow tables
85
what is a "salt"?
a random value that is hashed along with the password to ensure that every hash is unique
86
what is key stretching and what does it attempt to solve?
purposely slowing down hash functions so they take longer to compute; salted and hashed passwords are still vulnerable to guessing so by making each guess take longer you are directly impacting the efficiency of an attack
87
what makes keys "asymmetric"?
the "do" key is different from the "undo" key
88
what is a key pair?
a public key and corresponding private key
89
what is the Diffie-Hellman tuple?
90
how can you prove the security of DDH (decisional Diffie-Hellman)?
based on DLP being hard
91
what is the difference between CDH and DDH?
CDH asks us to derive the shared secret of a Diffie-Hellman exchange whereas DDH just asks us to recognize it
92
why do we hash messages before signing them?
because RSA can't handle operations longer than the modulus size, so for a 2048 bit RSA you can't sign any messages longer than 256 bits - which is why we use a hashing algorithm like sha-256, since it will always have a 256 bit output
93
why can't an attacker control the message in an RSA forgery attack?
because if he could, which means given (m^e) mod n find m, then he has solved the RSA problem
94
If EVE sends her public key to ALICE and ALICE accepts it as BOB's key will EVE be able to sign any message? what protects against this?
Yes she will, certificates or some higher level protocol security
95
RSA is faster at creating a signature than DSA (T/F)
F; DSA is faster when creating signatures
96
RSA is faster at validating a signature than DSA (T/F)
T; RSA is faster at validating a signature
97
DSA is faster at encrypting than RSA (T/F)
F; RSA encrypts faster
98
DSA is faster at decrypting than RSA (T/F)
T; DSA decrypts faster
99
what is the minimum bits of security allowed for key agreements according to NIST?
112 bits of security
100
what are the only approved symmetric encryption algorithms?
three key triple DES and AES
101
is sha-1 secure?
no due to length extension attacks
102
what is a 1024 bit RSA key equivalent to in symmetric key strength?
80 bits
103
what is the minimum security for RSA keys?
2048, equivalent to 112 bits in symmetric keys
104
DHE key strength matches RSA key strength (T/F)
T; a 2048-bit RSA key is about as strong as a 2048-bit DHE key
105
ECC keys can be secure at shorter lengths than other asymmetric key schemes (T/F)
True; can be twice the length of symmetric keys and be just as secure
106
what is the minimum security for ECC schemes?
224 bits
107
what is the key distribution problem?
there are two parts; 1. sender or recipient must create a key and send it to the other party, while in transit it can be stolen or copied by a third party 2. large numbers of key pairs are difficult to manage
108
how many key pairs in traditional symmetric encryption would be needed for 10 parties to communicate?
n(n-1)/2 = 10(10-1)/2 = 45
109
what is the "web of trust"
a decentralized trust model that is used to establish authenticity between a public key and its owner
110
what is a digital certificate, what does it say, how does it prove it is what it says it is?
a claim made by a certificate authority that says what the server's public key is, that is signed by the signing key of the certificate authority
111
what are the types of validation for a certificate authority to issue a certificate
domain validation; prove you have a domain name | organization validation; prove you are company X | extended validation; pay more money get more validation
112
what are the fields of a certificate?
SSSSPIV - serial number - signature algorithm - signature - subject ID - public key - issuer ID - validity period
113
what are certificate chains?
hierarchy of certificates that are stateless, seamless, and transparent
114
what are the endpoints of a certificate chain?
start point: the host (eg. google.com) | end point: root certificate authority that the browser/device trusts (eg. Geo Trust)
115
what is a trust store?
a place in your browser or device where all trusted root certificate authorities are stored
116
what is certificate pinning? what does it solve?
directly associates a host with a public key (pins it to the browser) and allows device to bypass certificate chain, good to prevent state-level attacks
117
what are some reasons for certificate revocation?
company gets hacked, CA is compromised (private key compromised), new business/affiliate name, company goes out of business
118
What can happen if you knowingly trust a revoked certificate?
you could get man in the middled
119
what are the three main ways a client can check if a server's certificate has been revoked?
- certificate revocation list - request via online certificate status protocol (OCSP) - OCSP stapling
120
what is the difference between certificate revocation through CRL and OCSP?
client has to manually search CRL to check but with OCSP client can make a request to check a certificate status
121
what is OCSP stapling?
the server will make the request to OCSP and "staple" the CA's signed and timestamped response to its certificate chain. this way client can clearly see certificate status of server with initial request
122
what are the 4 phases to the TLS handshake
1. establish security capabilities 2. authentication and public key exchange 3. secret key exchange and derivation 4. finish
123
in what phase is the server ciphersuite shared with the client?
phase 1, server_hello
124
what are the components of a cipher suite?
- key exchange (RSA, DHE/ECDHE) - cipher algorithm (AES, three key triple DES) - hashing algorithm (SHA-1)
125
if using DHE or ECDHE what does the client need to do in phase 2 of the TLS handshake?
check certificate chain and signature on private key
126
when exchanging the pre master secret using RSA what happens?
client generates pre master secret and encrypts with public key and sends to server
127
when exchanging the pre master secret using DHE what happens?
parties compute DH shared secret (which becomes the pre-master secret)
128
what is the purpose of PRF in TLS?
to expand secrets into keys
129
how do you go from pre master secret to master secret?
using a pseudo random function
130
what is a TLS key block?
all the values used in the symmetric key operations
131
what distribution of random numbers do you need to do cryptography? why do you need it?
uniform distribution - makes brute force maximally hard - you could end up with people using the same primes in RSA and could factor their keys
132
what are the components of Fortuna/CTR_DRBG
it's a deterministic random bit generator based on a block cipher in CTR mode, key and counter are drawn from an entropy source, output function uses AES
133
how does fortuna overcome the fact that CTR is not a one way function?
by frequently reseeding
134
Under what conditions is fortuna distinguishable from true randomness?
given enough output that the counter wraps and a repeat value can be observed
135
what is a bias?
a deviation from uniform distribution
136
what is the modulo bias?
when using modular arithmetic to get a random number that is not a power of two you are more likely to get a number that is less than n/2, n being the maximum of the range
137
what is the correct way to solve modulo bias
keep calling the RNG function until you get a random number that is within the desired range, that way when modular arithmetic is applied there is no difference in the distribution of results
138
what is the efficient way to solve modulo bias
generate way more bits than you need, then modulo reduce
139
given b bits of security what should the key length be for symmetric encryption?
k>=b
140
what are integer based discrete logarithm systems susceptible to ?
index calculus attacks
141
for elliptic curve discrete logarithm problems, given bits of security b what must the group size be so that it is infeasible?
|q| > 2b
142
what will happen to RSA as time goes on?
it will be replaced by ECC because increasing bits of security results in a much larger increase in the required modulo (2n = 15x modulo)
143
given b bits of security what must the size of hash length be? what if collisions aren't a problem?
>=2b | if collisions don't matter then >=b
144
do collisions matter in HMAC? why or why not?
no they don't, because Eve would need to know the secret key to be able to compute tags and compare them
145
what are the pros and cons of passwords?
pros: easy, inexpensive | cons: have to generate and store them securely, also have to memorize them
146
what is the problem with no salt password storage?
if an attacker finds the hash corresponding to one user's password she will be able to crack all users that have the same password
147
what are the pros and cons of scrypt (instead of passwords)
pros: memory-hard | cons: more complicated
148
is the one time pad perfect theoretical hiding? why or why not?
yes it is perfect in theory since no amount of computing power can help you decrypt ciphertext as it can be ANY message and all pads are equally likely
149
what is the difference between passive and malicious adversaries?
passive adversaries just observe ciphertext whereas malicious adversaries can modify and replace ciphertext
150
what is the CIA triad of security
confidentiality, integrity, authenticity
151
what are ideal block ciphers (PRF or PRP) ?
pseudo random permutations
152
given b bits in an ideal block cipher how many plaintexts are there? how many possible mappings (permutations) are there? how many possible keys?
2^b plaintexts, 2^b! permutations, 2^k keys
153
does CTR use decryption functions?
no, only uses encryption function of a block cipher
154
what is the disadvantage of CTR mode?
can't be used with a small block length cipher (3DES)
155
what are the problems with traditional RSA?
1. it is malleable (I can make predictable changes to the ciphertext) 2. it is deterministic, it fails the CPA game
156
what padding scheme is used in block ciphers? what does it do?
PKCS 7: pads with N bytes of 0xN
157
what are the inputs for authenticated encryption?
plaintext, encryption key, mac key
158
what are the outputs for authenticated encryption?
ciphertext and authentication tag
159
what are the inputs for authenticated decryption?
ciphertext, mac tag, encryption key, mac key
160
what are the outputs for authenticated decryption?
plaintext or error if the tag is invalid