Chap 7 Security Flashcards

1
Q

Network Security

A

The practices and technologies used to protect a computer network and its components from unauthorized access, use, disclosure, disruption, modification, or destruction.

Safeguards against threats that could compromise the integrity, confidentiality, and availability of a network.

2
Q

Components/Objectives of Network Security

A

Confidentiality: Ensures that only the sender and intended receiver can “understand” message contents.

Authentication: Sender and receiver want to confirm each other’s identity.

Message integrity: Sender and receiver want to ensure the message has not been altered.

Access and availability: Services must be accessible and available to users.

Accountability: Holding individuals, organizations, or entities responsible for their failures related to security incidents, within a networked environment

3
Q

Key Security Objectives

A

Confidentiality: Only authorized users access sensitive information.

Integrity: Data and system resources remain unaltered and trustworthy.

Availability: Authorized users can access the network and its resources when needed.

4
Q

Classes of Threats in Computer Networks

A
  1. Disclosure:
  2. Deception:
  3. Disruption:
  4. Usurpation:
5
Q

Disclosure:

A

Snooping. (Relates to Eavesdropping - intercepting messages).

6
Q

Deception

A
  • Modification,
  • spoofing (impersonation),
  • repudiation of origin,
  • denial of receipt.
  (Relates to actively inserting messages and hijacking - taking over a connection.)
7
Q

Disruption:

A

Modification. (Relates to Denial of service - preventing service use by overloading resources).

8
Q

Usurpation:

A
  • Modification,
  • spoofing,
  • delay,
  • denial of service.
9
Q

Cryptography

A
  • A tool for achieving confidentiality, integrity, authentication, non-repudiation, and digital signatures.
  • Involves creating ciphers (encryption) and cryptanalysis (breaking ciphers).
10
Q

Cryptosystems

A
  • Frameworks used to encrypt and decrypt data for secure communication and information protection.
  • Rely on cryptographic algorithms, keys, and protocols.
  • Can be categorized based on the type of cryptographic keys used:

**Secret Key** (single key, symmetric key)
**Public Key** (two key, asymmetric key)

11
Q

Types of Cryptographic Keys

A

Secret Key: Used in Symmetric-key cryptography where the same key is used for encryption and decryption.

Public Key: Used in Public Key Cryptosystems, which utilize a pair of mathematically linked keys: a public key and a private key. Both secret key and public key systems are in use and competing.

12
Q

Encryption Algorithm

A
  • Used to make content unreadable by all but the intended receivers.
  • Applies a key to plaintext to transform it into ciphertext.
  • A decryption algorithm uses the key to transform ciphertext back into plaintext.
  • The algorithm is typically public, but the key is private.
  • Can be Block Ciphers (operate on fixed-size blocks) or Stream Ciphers (operate on a stream of input).
13
Q

Breaking an Encryption Scheme (Ciphertext-only attack)

A

  • The attacker only has access to the encrypted message (ciphertext).
  • Challenge: This is the most challenging scenario for an attacker.
  • Knowns to Cryptanalyst: Encryption algorithm and the ciphertext to be decoded.

14
Q

Breaking an Encryption Scheme (Chosen-plaintext attack)

A

  • Scenario: The attacker can encrypt messages of their choice and obtain the resulting ciphertext.
  • Benefit: Can help the attacker learn about the algorithm’s behavior and potentially exploit vulnerabilities.
  • Knowns to Cryptanalyst: Encryption algorithm, the ciphertext to be decoded, and plaintext messages chosen by the cryptanalyst along with their corresponding ciphertext generated with the secret key.

15
Q

Breaking an Encryption Scheme (Known-plaintext attack)

A

  • Scenario: The attacker has some plaintext messages and their corresponding ciphertext.
  • Benefit: This additional information can potentially reveal weaknesses in the algorithm.
  • Knowns to Cryptanalyst: Encryption algorithm, the ciphertext to be decoded, and one or more plaintext-ciphertext pairs formed with the secret key.

16
Q

Breaking an Encryption Scheme (Chosen-ciphertext attack)

A

  • Scenario: The attacker can modify the ciphertext and obtain the corresponding decrypted plaintext.
  • Power: This is a very powerful attack and can be devastating for some encryption schemes.
  • Knowns to Cryptanalyst: Encryption algorithm, the ciphertext to be decoded, and purported ciphertext chosen by the cryptanalyst along with its corresponding decrypted plaintext generated with the secret key. (Note: Source also lists “Chosen text”, which combines chosen plaintext and chosen ciphertext capabilities.)

17
Q

Brute-force attack (Common Cryptanalysis Technique)

A

  • Method: Systematically tries all possible keys until the correct one is found.
  • Effectiveness: Can be effective for weak algorithms or short keys.
  • Limitation: Becomes computationally infeasible for strong encryption with large key sizes.

18
Q

Mathematical cryptanalysis (Common Cryptanalysis Technique)

A

  • Method: Exploiting weaknesses in the mathematical foundation of the encryption algorithm.
  • Requirements: Often involves advanced mathematical techniques and a deep understanding of the algorithm’s structure.

19
Q

Symmetric-key cryptography

A
  • A type of encryption that uses a single secret key for both encryption and decryption.
  • Example: a secret padlock key that both locks and unlocks the same padlock.
  • The secret key is a string of bits that scrambles plaintext into ciphertext and vice versa.
20
Q

Symmetric-key cryptography working

A
  • The secret key is generated by the sender and securely shared with the intended recipient via a secure channel.
  • The sender applies the secret key to the plaintext using an encryption algorithm, transforming it into ciphertext.
  • The recipient, possessing the same secret key, applies it to the ciphertext using a decryption algorithm, reversing the process to recover the original plaintext.
21
Q

Substitution cipher

A

  • A simple encryption scheme where one thing is substituted for another.
  • Example: A monoalphabetic cipher substitutes one letter for another.

22
Q

Encryption key (in substitution cipher example)

A

In the context of a monoalphabetic substitution cipher, the encryption key is the mapping from the original set of letters to the substituted set of letters.

23
Q

Advantages of Symmetric-Key Cryptography

A
  1. Speed and Efficiency:
  2. Simplicity:
  3. Maturity:
24
Q

Disadvantages of Symmetric-Key Cryptography

A
  • Key Distribution Challenge: Securely distributing the shared secret key is complex.
  • Key Management Overhead: Managing the key lifecycle requires planning and secure practices.
  • Scalability Limitations: As the number of parties increases, managing and distributing keys becomes complex.
  • Limited Authentication: Typically only provides encryption/decryption and does not inherently provide authentication of parties.
25
Common Symmetric-Key Algorithms
  • DES (Data Encryption Standard)
  • AES (Advanced Encryption Standard)
  • Triple DES (3DES)
26
DES (Data Encryption Standard)
  • Older symmetric-key algorithm.
  • 56-bit key and 64-bit block size for plaintext and ciphertext.
  • Developed by IBM, adopted by NIST (1977) with NSA approval for unclassified information.
  • Efficient in hardware, relatively slow in software.
  • Security: was adequate for about 20 years but is now insecure due to its short key size.
27
AES (Advanced Encryption Standard)
  • Current industry standard.
  • NIST initiated development in 1997.
  • Features: unclassified, royalty-free algorithms.
  • Supports 128-bit block sizes and 128-, 192-, and 256-bit key sizes.
  • Known for speed, security, and versatility.
28
3DES (Triple DES)
A stronger variant of DES. Applies the DES encryption algorithm three times for enhanced security.
29
Some drawbacks of secret key (symmetric key)
This concept reiterates points covered under "Disadvantages of Symmetric-Key Cryptography".
  • Key Distribution Problem: Difficult to securely share the secret key. Compromise of one key affects all data encrypted with it.
  • Key Management Overhead: Complexities in generating, storing, and distributing keys, especially as systems grow. Revoking keys is difficult.
  • Scalability Issues: Impractical to establish and manage unique keys for every pair of users in large systems.
  • Limited Authentication: Does not inherently authenticate parties; requires additional mechanisms.
30
Public Key Cryptosystem
A cryptographic system using a pair of mathematically linked keys: a public key and a private key. Also known as asymmetric cryptography.
  • More secure communication and key management than secret-key systems.
  • Solves the key distribution problem if there is a reliable channel for public key communication. Each user distributes only their public key, which can be widely available without compromising security. Private keys are kept secret.
  • Uses separate keys for encryption and decryption.
  • Scales well for large systems.
  • Confidentiality is based on the infeasibility of computing the private key from the public key.
  • Large key sizes (512 bits and more) make this computation infeasible. RSA key size is often 1024 bits or more (n is a large number of 200+ digits).
31
Public Key Cryptosystem - A brief history
  • Concept conceived by Diffie and Hellman in 1976.
  • First description: Rivest, Shamir, and Adleman (RSA) first described a public key system in 1978.
  • Other early work: Merkle and Hellman published a different solution later in 1978, which was later broken by Shamir.
  • Current systems: Many early proposals were broken. Current systems include RSA, Diffie-Hellman, and ElGamal.
32
Public Key (in Public Key Cryptosystem)
This key is freely distributed and made available to anyone who wants to send encrypted messages to the owner. It can be published on websites, included in certificates, etc. Use for encryption: a sender encrypts a message using the recipient's public key.
33
Private Key (in Public Key Cryptosystem)
This key is kept secret and known only to the owner. It is used to decrypt messages that were encrypted with the corresponding public key. Upon receiving an encrypted message, the recipient uses their private key to decrypt it and recover the plaintext.
34
Digital Signatures (using Public Key)
Provide authentication and integrity for messages.
  • The sender encrypts a message digest (hash) using their private key.
  • The recipient verifies the signature by decrypting it using the sender's public key and comparing the resulting message digest with the computed hash of the received message.
Note: Public key technology is very slow, so for performance the message digest (a short value) is signed rather than the entire message.
35
Key Distribution (in Public Key Cryptosystem)
Each user only needs to distribute their public key, which can be made widely available without compromising security. This solves the key distribution challenges of symmetric-key systems.
36
Public Key Cryptosystem – RSA
  • Public key sizes are typically large (512 bits and more). RSA implementations often choose n to be 154 digits (512 bits), resulting in a 1024-bit key (n, e).
  • RSA was first described in 1978 by Rivest, Shamir, and Adleman.
  • In RSA, the public key is (n, e) and the private key is (n, d).
  • The security of RSA is no better than the difficulty of factoring n into p*q. Factoring n is easy if p and q are known, but very hard otherwise.
37
RSA vs AES
  • RSA can encrypt kilobits/sec; AES can encrypt megabits/sec.
  • RSA can be used for the secure exchange of AES keys.
  • RSA key size is selected by the user and is typically large (e.g., 1024 bits).
  • DES/AES key sizes are 64/128-256 bits.
38
Digital Signatures using RSA
  • In RSA, encryption and decryption are commutative: applying encryption then decryption yields the original message, and applying decryption then encryption also yields the original message.
  • This commutative property allows the same public key to be used for encryption and signature.
  • Any cryptosystem that preserves message length will have this commutative property.
39
Message Digests
  • Used for performance reasons to sign a small digest of the message instead of the entire message.
  • Also known as message authentication codes.
  • The output of a one-way hash function: M is a long message, m is a short digest.
  • Can be used to check the authenticity of a message by comparing the computed hash of the received message with the transmitted digest.
40
Good Hash Functions
  • The computation of message digests should be fast and efficient.
  • The mapping is a many-to-one function: many documents can potentially produce the same hash value.
  • It should be practically infeasible to find a document that produces a given fingerprint (digest). This is why a good hash function is called one-way.
  • The message digest value should depend on every bit of the corresponding message. If a single bit changes in the original message, about 50% of the digest bits should change in a random fashion.
41
pseudo-random message-to-digest mapping
  • A good hash function achieves a pseudo-random message-to-digest mapping.
  • This pseudo-random nature and the large number space of possible hash values make it impossible that two distinct messages will produce the same digest value.
42
Desired Characteristics (Hash Functions)
  • Weak hash function: Difficult to find M' such that H(M') = H(M), given M and m = H(M). Finding such an M' requires about 2^k trials on average for a k-bit digest. k = 64 is considered safe for this characteristic.
  • Strong hash function: Difficult to find any two M1 and M2 such that H(M1) = H(M2). Finding such a pair requires about 2^(k/2) trials on average for a k-bit digest (due to the birthday attack). k = 128 is considered safe, but k = 160 is better.
  • For an n-bit digest, the birthday attack allows finding M1, M2 in 2^(n/2) operations.
43
Digital signatures using Message Digest
To verify a digital signature created using a message digest and the sender's private key:
  1. Generate the message digest (MD) from the plaintext.
  2. Decrypt the "encrypted MD" (the digital signature) using the sender's public key.
  3. Compare the two MDs.
If the comparison fails, it indicates that either someone is impersonating the sender, the message has been altered, or an error occurred during transmission.
  • Problems with this method include the possibility of collisions (birthday attack) and someone pretending to be the sender by using their own key pair.
44
Keyed message digests
  • A secret key technique providing efficient authentication and integrity.
  • Does not provide non-repudiation.
  • Also called HMAC (Hash function based Message Authentication Code).
  • Unlike digital signatures, MACs are computed and verified with the same key.
  • Therefore, they can only be verified by the intended recipient who shares the secret key.
45
Authentication
Authentication is the process of reliably verifying the identity of a person or a computer system. Fundamental components:
  • A: Authentication information provided by entities.
  • C: Complementary information used by the system to validate A.
  • F: Complementation function that generates C from A.
  • L: Authentication function that verifies whether A matches C.
46
Authentication approaches
Different methods used for authentication include:
  • Password-based
  • Token-based
  • Biometrics
  • Address-based
  • Cryptographic
47
Token Based Authentication
Involves using a physical token for authentication. Examples include memory cards, smart tokens, and smart cards.
48
Memory Cards
  • Can store but do not process data.
  • The most common type is the magnetic stripe card.
  • Can include an internal electronic memory.
  • Can be used alone for physical access (e.g., hotel room, ATM).
  • Provide significantly greater security when combined with a password or PIN.
Drawbacks: requires a special reader, loss of token, user dissatisfaction.
49
Smart Tokens
  • Include an embedded microprocessor.
  • Can look like bank cards, calculators, keys, or small portable objects.
  • Can have manual interfaces (keypad, display) or require an electronic interface.
  • Classified into static, dynamic password generator, and challenge-response.
50
Smart Cards
  • Appearance of a credit card.
  • Include an electronic interface.
  • May use any smart token protocols.
  • Contain an entire microprocessor with processor, memory, and I/O ports.
Typically include three types of memory:
  1. Read-only memory (ROM)
  2. Electrically erasable programmable ROM (EEPROM)
  3. Random access memory (RAM)
51
Read-only memory (ROM)
Stores data that does not change during the card’s life.
52
Electrically erasable programmable ROM (EEPROM)
Holds application data and programs.
53
Random access memory (RAM)
Holds temporary data generated when applications are executed.
54
Electronic Identity Cards (eID)
Can provide stronger proof of identity and be used in a wider variety of applications. In effect, it is a smart card verified by the national government. Has human-readable data printed on its surface, such as personal data, document number, Card Access Number (CAN), and Machine Readable Zone (MRZ).
55
Biometric Authentication
Attempts to authenticate an individual based on unique physical characteristics.
  • Based on pattern recognition.
  • Technically complex and expensive compared to passwords and tokens.
  • Examples of characteristics used: face (optical, thermal), iris, retinal scan, voice print, signature, fingerprint.
  • Other examples mentioned: odor, ear, keystroke pattern, gait.
56
Securing e-mail approaches
Security for e-mail can be provided through mechanisms like MIME and S/MIME.
57
MIME
Extension to the old RFC 822 specification for Internet mail format.
  • RFC 822 defined a simple heading (To, From, Subject) and assumed ASCII text.
  • MIME provides new header fields defining information about the body of the message.
58
S/MIME
Secure/Multipurpose Internet Mail Extension.
  • Security enhancement to the MIME Internet e-mail format.
  • Based on technology from RSA Data Security.
  • Provides the ability to sign and/or encrypt e-mail messages.
59
S/MIME Functions
  1. Encrypted content and associated keys.
  2. Encoded message + signed digest.
  3. Cleartext message + encoded signed digest.
60
Enveloped Data (S/MIME Encryption)
  1. S/MIME generates a pseudorandom (session) key for each message.
  2. The session key is used to encrypt the message using AES or another encryption algorithm.
  3. The session key is encrypted using the recipient's public RSA key.
  4. The recipient uses their private RSA key to recover the session key.
  5. The recipient uses the session key with AES to recover the plaintext message.
Summary: the session key encrypts the message; the session key is encrypted with the RSA public key; the private RSA key recovers the session key; the session key recovers the message.
61
Transport Layer Security (TLS)
  • Connection: A transport layer peer-to-peer relationship that is transient and associated with one session.
  • Session: An association between a client and a server, created by the Handshake Protocol. Sessions define shared cryptographic security parameters and are used to avoid expensive negotiation for each new connection.
62
Handshake Protocol (TLS)
The most complex part of TLS.
  • Used before any application data are transmitted.
  • Allows the server and client to authenticate each other, negotiate encryption and MAC algorithms, and negotiate the cryptographic keys to be used.
  • Comprises a series of messages exchanged between client and server.
  • The exchange has four phases.
63
SSL/TLS HANDSHAKE (Detailed Steps)
  1. The client sends its SSL version, cipher settings, and session data to the server.
  2. The server sends its SSL version, cipher settings, session data, and certificate to the client. The server requests the client's certificate if needed for authentication.
  3. The client authenticates the server using the received information. If authentication fails, the user is warned.
  4. The client encrypts a seed value with the server’s public key and sends it to the server. The client also sends its certificate if requested.
  5. If client authentication was requested, the server attempts to authenticate the client certificate. The session ends if authentication fails.
  6. The server uses its private key to decrypt the seed value and generates a master secret (the client also performs steps to generate this).
  7. Both client and server use the master secret to generate the session key, which is a symmetric key used for encrypting/decrypting subsequent session data.
  8. The client sends a message indicating that future client messages will be encrypted with the session key, followed by an encrypted "finished" message.
  9. The server sends a message indicating that future server messages will be encrypted with the session key, followed by an encrypted "finished" message.
The handshake is complete, and the session begins.
64
IP Security (IPsec)
  • A framework for providing security features at the network layer (IP layer) for all applications.
  • Authentication and encryption features are included in next-generation IPv6.
  • Also usable in existing IPv4.
65
Benefits of IPsec
  • When implemented in a firewall or router, it provides strong security to all traffic crossing the perimeter.
  • In a firewall, it is resistant to bypass.
  • It is below the transport layer, making it transparent to applications.
  • Can be transparent to end users.
  • Can provide security for individual users.
  • Secures the routing architecture.
66
Scope of IPsec
Provides two main functions:
  1. A combined authentication/encryption function called Encapsulating Security Payload (ESP).
  2. An authentication-only function using an Authentication Header (AH).
AH is included in IPsecv3 for backward compatibility but should not be used in new applications, as ESP provides message authentication.
67
IPsec Transport Mode
  • Extends security protection to the payload of an IP packet.
  • Used for end-to-end communication between two hosts.
  • ESP encrypts and optionally authenticates the IP payload but not the IP header.
68
IPsec Tunnel Mode
  • Provides protection to the entire IP packet.
  • The packet travels through a tunnel from one point in an IP network to another.
  • Used when one or both ends of a security association are a security gateway (e.g., a firewall or router).
  • Allows a number of hosts behind firewalls to communicate securely without implementing IPsec themselves.
69
Browser Capabilities (Certificate Revocation Checking)
  • When visiting a website with SSL, the browser validates the server's certificate.
  • Validation is done before content is downloaded, which can add delay. Common methods include OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists).
  • Microsoft Edge and Chrome may time out after 15 seconds attempting to check a certificate's status. Time-outs cause delay for users.
  • The default browser behavior when checking certificate status is "soft-revocation failure": if the check fails for any reason, the browser treats the certificate as valid anyway.
  • Browsers have options for "hard" or "strict" revocation checking.
70
Attacks
Public, private, and government networks have been penetrated by unauthorized users and rogue programs.
  • There has been an increased volume of security breaches.
  • The Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents.
71
Insider attack
  • The insider is already an authorized user.
  • The insider acquires privileged access by exploiting bugs in privileged system programs or exploiting poorly configured privileges.
  • May install backdoors to facilitate subsequent acquisition of privileged access.
72
Outsider attack
The attacker acquires access to an authorized account.
  • They then perpetrate an insider attack.
73
Contributing Factors
  • Lack of awareness of Internet threats and risks.
  • Security measures are often not considered until an enterprise has been penetrated by malicious users.
  • Wide-open network policies.
  • The vast majority of Internet traffic is unencrypted.
  • Network traffic can be monitored and captured.
  • Lack of security in the TCP/IP protocol suite.
  • Complexity of security management and administration.
  • Exploitation of software (e.g., protocol implementation) bugs.
  • Cracker skills keep improving.
74
Packet sniffing
  • Software, hardware, or a combination can be used.
  • Monitors and analyzes network traffic.
  • Can be used for detecting bottlenecks and problems, and troubleshooting network performance.
  • Packets can be intercepted at any point.
  • User IDs, passwords, and other information are often stolen on the Internet.
  • Can target a specific protocol, service, or string of characters.
  • May be able to modify some or all traffic en route.
75
Sniffing
Physical security is key in preventing the introduction of sniffers on the internal network.
76
TCP SYN Flooding attack
A denial of service attack based on the TCP 3-way handshake.
  • The attack sends SYN packets with a random IP source address.
  • The return SYN-ACK packet is lost because the source address is faked.
  • This half-open connection stays for a fairly long period of time.
  • Also listed as a basis for an IP spoofing attack.
77
SYN Flooding
TCP has a limit on how many concurrent SYN requests it can process for a given socket, called the backlog. This limit is the length of the queue where incomplete connections are kept. The queue limit covers both incomplete connections and the number of completed connections that have not yet been pulled from the queue by the application. If the backlog limit is reached, TCP silently discards all incoming SYN requests until the pending connections can be dealt with.
78
Steps of a SYN Flood Attack
  1. Communication request sent to target system.
  2. Target responds to faked IP address.
  3. Target waits for non-existent system response.
  4. Request eventually times out.
  5. If attacks outpace the requests timing out, then system resources will be exhausted.
SYN flooding is a denial of service attack. It is the basis for the IP spoofing attack.
79
IP Spoofing
  1. Send SYN packet with spoofed IP address.
  2. SYN flood the real source so it drops the SYN-ACK packet.
  3. Guess the sequence number and send an ACK packet to the target.
  4. The target will continue to accept packets, and response packets will be dropped.
Often used to exploit trusted relationships.
80
Man-in-the-Middle Attack
  1. The attacker is positioned between two target hosts.
  2. This is accomplished through router manipulation.
  3. Traffic is redirected to the attacker, then forwarded on.
Benefits: The attacker can intercept, modify, and/or block traffic. Communication appears normal to the target hosts.
Limitation: Useful data collection is reduced if traffic is encrypted. SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks.
81
Phishing
Fraudulent e-mails designed to trick users into divulging confidential information.
81
SSL/TLS Attacks
SSL/TLS is designed to provide protection from man-in-the-middle attacks. However, a Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS.
81
Pharming
Fake web sites created to elicit authentic user credentials.
81
Vulnerabilities (related to SSL/TLS)
SSL being enabled does not mean the user is safe.
  • Key loggers can record what is being typed on a user’s computer before it is encrypted.
  • A company’s database can get hacked, releasing your information to the world.
82
Malicious Code
  1. Viruses
  2. Trojan horses
  3. Spyware
  4. Logic bombs
  5. Rootkits
  6. Worms
  7. Zombies and botnets
83
Viruses
Replicate and attach to executable code.
84
Boot Sector Virus
  • Infects the master boot record (MBR) of a storage device.
  • Activates when the computer boots up, allowing it to infect the system and spread.
85
Program Virus
  • Infects executable files on a computer.
  • When an infected program is executed, the virus activates and may perform malicious actions, such as damaging files, stealing information, or spreading.
86
Macro Virus
  • Designed to infect documents that contain macros.
  • Can execute malicious actions when the infected document is opened and the macros are enabled.
87
Stealth Virus
  • Hides its presence and activities from antivirus software and system scans.
  • Employs techniques to modify or evade detection by antivirus programs.
88
Polymorphic Virus
  • Changes its appearance (code) each time it infects a new file or system.
  • Makes it challenging for antivirus software to detect and eradicate.
89
Trojan Horses
Software that appears to do one thing but contains hidden functionality.
  • A standalone program that must be installed by the user.
  • Disguised well enough to entice the user.
  • Delivers its payload without the user’s knowledge.
Prevention: Never run software of unknown origin or integrity. Keep a virus-checking program running continuously.
90
Spyware
  • Software capable of recording and reporting a user's actions.
  • Typically installed unbeknownst to users.
  • Can steal information through keylogging.
91
Logic Bombs
  • Malicious code dormant until triggered by a specified future event.
  • Usually installed by an authorized user.
  • Reinforces the need for backups.
  • A time bomb is similar but delivers its payload at a predetermined time/date.
92
Rootkits
  • Modifies the OS kernel or other processes on the system.
  • Originally designed to grant root access.
  • Designed to avoid being detected and deleted.
  • Often operates unbeknownst to the user.
  • Found in the OS kernel, application level, firmware, etc.
93
Worms
  • Code that penetrates and replicates on systems.
  • Does not need to attach to other files or code.
  • Spreads by a variety of methods such as e-mail, infected web sites, and P2P sharing networks.
94
Morris Worm
Aka Internet Worm/Great Worm. One of the earliest computer worms to gain widespread attention. Created by Robert Tappan Morris in 1988 and targeted Unix-based systems.
  • Spread by exploiting vulnerabilities in sendmail, finger, and rsh/rexec services.
  • Caused significant disruption by infecting thousands of computers and causing system slowdowns and crashes.
95
Love Bug
ILOVEYOU virus. A computer worm that spread via email in May 2000. Originated in the Philippines.
  • Designed to trick users into opening an email attachment that appeared to be a love letter.
  • Once opened, it infected the user's system, overwrote files, and sent copies of itself to the user's email contacts.
96
Code Red
A worm that targeted Microsoft Internet Information Services (IIS) servers running on Windows NT and Windows 2000.
  • Spread by exploiting a vulnerability in the IIS indexing service.
  • Once infected, the worm defaced web pages and launched distributed denial-of-service (DDoS) attacks against targeted websites.
97
Samy Worm
Samy MySpace Worm.
* A self-propagating cross-site scripting (XSS) worm that targeted MySpace in 2005. Created by Samy Kamkar.
* Spread by exploiting a vulnerability in MySpace's profile page functionality.
* When a user viewed an infected profile, the worm added a friend request from the user to the profile, thereby spreading to the user's friends.
98
Key Steps in Preventing Worms
1. Install all patches.
2. Use firewalls.
3. Implement an intrusion detection system.
4. Eliminate unnecessary services.
5. Use extreme caution with e-mail attachments.
99
Zombies and Botnets
* Malware installed on machines creates zombies under the control of the attacker.
* Large networks of zombies are called botnets.
* Some attackers' botnets have 1,000,000+ zombies.
* Botnets are responsible for millions of spam messages daily.
100
Malware Defense
1. Use an antivirus program.
2. Ensure all software is up-to-date.
101
Social Engineering
* Manipulating authorized users into providing access to an attacker.
* Applies to both virtual and physical access.
* Requires educating users.
102
Need for Firewalls
* Firewalls are an effective means of protecting LANs.
* Inserted between the premises network and the Internet to establish a controlled link.
* Can be a single computer system or a set of systems working together.
* Used as a perimeter defense.
* Provides a single choke point to impose security and auditing.
* Insulates the internal systems from external networks.
103
Firewall Access Policy
* Lists the types of traffic authorized to pass through the firewall.
* Includes address ranges, protocols, applications, and content types.
* Should be developed from the organization's information security risk assessment and policy.
* Starts from a broad specification of needed traffic types and is refined to detail filter elements for implementation.
104
Firewall Limitations
* Not possible to safely squeeze everything that users desire through a firewall.
* Users may settle for degraded service or tolerate increased vulnerability.
* Performance may suffer.
* Single point of failure.
105
Types of Firewalls
1. Packet filtering firewall (IP layer).
2. Circuit relay firewall (TCP layer).
3. Application gateway firewall (application layer).
4. Combinations of these.
106
Packet Filtering Firewall
* Applies rules to each incoming and outgoing IP packet.
* Typically a list of rules based on matches in the IP or TCP header.
* Forwards or discards the packet based on which rule matches.
* Uses special software to examine network traffic.
* Rules often match on source/destination IP address, source/destination port number, or protocol.
Example: Drop TCP/IP packets from the Internet to Telnet (port 23) of any internal host.
107
Packet Filtering Policies
Discard: Prohibit unless expressly permitted. More conservative, controlled, and visible to users.
Forward: Permit unless expressly prohibited. Easier to manage and use, but less secure.
108
Packet Filtering Advantages
* Generally faster since fewer evaluations are performed.
* Easily implemented as hardware solutions.
* A single rule can help protect an entire network.
* Do not require client computers to be specifically configured.
* Can be used with NAT to shield internal IP addresses.
109
Packet Filtering Disadvantages
* Do not understand application layer protocols.
* Cannot restrict access to protocol subsets - less secure than application layer and circuit level firewalls.
* Typically stateless.
* Limited ability to manipulate information within a packet.
* No value-added features (like caching, URL filtering, authentication) as they have no knowledge of protocols.
* Little or no audit event generation and alerting mechanisms.
* Difficult to test "accept" and "deny" rules.
110
Circuit Relay Firewalls
* Operates at the transport layer.
* Looks at sessions, instead of packets or connections.
* Validates connections before allowing data to be exchanged, according to configurable rules.
* Opens a session and permits traffic only from the allowed source, possibly for a limited time.
* Connection validity may be based on destination IP/port, source IP/port, time of day, protocol, user, or password.
111
Application Gateway Firewall
* Acts as a proxy for applications, performing all data exchanges with the remote system on their behalf.
* Can render a computer behind the firewall all but invisible to the remote system.
* Can allow or disallow traffic according to very specific rules.
112
Application Layer Filtering
* Analyzes a data stream for a particular application.
* Provides application-specific processing (inspecting, screening, blocking, redirecting, modifying data).
* Inspects many different protocols.
* Works on clear-text traffic.
113
Personal Firewall
* Controls traffic between a personal computer or workstation and the Internet or enterprise network.
* For both home and corporate use.
* Typically a software module on a personal computer.
* Can be housed in a router.
* Less complex than server-based or stand-alone firewalls.
* Primary role is to deny unauthorized remote access.
* May also monitor outgoing traffic to detect and block worm and malware activity.