Cryptography Flashcards

(56 cards)

1
Q

What is the Caesar Cipher?

A
  • Simple substitution cipher
  • ROT3 (rotate 3 spaces to the right)
2
Q

What is the main problem with substitution ciphers?

A

Subject to pattern (frequency) analysis

3
Q

What is Scytale?

A

Ancient Greek cipher. Tape wrapped around a horizontal rod, and message written across the tape.
Diameter of the rod has to be pre-agreed or you can’t read the message.

4
Q

What is Vigenère?

A

Polyalphabetic cipher (grid with alphabet horizontally and vertically, and different alphabet variations across each row). Find the character from the ciphertext horizontally, then find the character from the key word vertically.
Keyword agreed out-of-band.

5
Q

What is Enigma / Purple?

A

6-rotor machine. Config of rotors agreed out-of-band.

6
Q

What is Vernam cipher?

A
  • One time pad
  • Mathematically unbreakable
  • Pad must be as long as the message
  • Pad must be securely distributed and only used once
  • A one-time-password (OTP) is a Vernam cipher
7
Q

What properties are we trying to achieve through cryptography?

A

PAIN.
Privacy
Authenticity
Integrity
Non-repudiation

8
Q

What things are involved in converting plaintext to ciphertext?

A

Plaintext
+ initialization vector
+ algorithm (cipher)
+ key
= Ciphertext

9
Q

What are initialization vectors?

A

Random starting value.
Adds randomness by changing the starting value.
Like salt in password hashes

10
Q

What are algorithms?

A
  • Collection of maths functions.
  • Should use strong and complex maths for substitution
  • Should be open (Kerckhoffs's principle)
  • Each function is an s-box
  • Key length is a trade-off between performance & value of asset (amount of security required)
11
Q

What are the pros of symmetric cryptography?

A
  • Fast data transfer
  • Good strong privacy
12
Q

What are the cons of symmetric cryptography?

A
  • Out-of-band key distribution
  • Doesn’t scale well
  • Doesn’t provide non-repudiation
13
Q

What are the other names for a symmetric key?

A
  • Secret
  • Shared key
  • Private key (do not confuse with asymmetric private key)
  • Session key
14
Q

What are the 2 types of symmetric ciphers?

A
  • Stream
  • Block
15
Q

What is the formula for determining how many unique symmetric keys are needed to communicate securely?

A

(n * (n-1)) / 2

16
Q

What properties does symmetric encryption provide and not provide?

A

Provides: privacy
Does not provide: integrity, authenticity or non-repudiation

17
Q

What do we know about stream ciphers?

A
  • Encrypt 1 bit (up to 1 byte) at a time
  • Use transposition, substitution, XOR
  • Very fast & efficient
  • Not as secure as block ciphers
  • RC-4 is a stream cipher
18
Q

How to XOR?

A
  • Alike bits = 0
  • Different bits = 1
  • (Only 1 1)
19
Q

What are the common symmetric algorithms (11)?

A
  • DES
  • 3DES
  • AES
  • RC-4
  • RC-5
  • Blowfish
  • Twofish
  • IDEA
  • CAST
  • MARS
  • Skipjack
20
Q

Asymmetric cryptography: Process for proving authenticity?

A
  • Encrypt message with recipient’s public key (for privacy)
  • Encrypt something else (e.g. timestamp) with sender’s private key for authenticity. If it can be decrypted using the sender’s public key, it must have come from them.
21
Q

What are the properties of hashing?

A
  • Also known as checksums, message digests
  • Provides integrity
  • Fixed-length output
  • If the input changes, the hash will change
  • One-way function
  • 2 different plaintexts producing the same hash is a collision
22
Q

What is a birthday attack?

A

Attempt to cause collisions. Idea is that it is easier to find 2 hashes that match than to produce a specific hash.

23
Q

What are the popular hashing algorithms (6)?

A
  • MD-5 128-bit
  • SHA-1 160-bit
  • SHA-2 256, 384, 512-bit
  • HAVAL
  • Tiger
  • RipeMD
24
Q

How to achieve non-repudiation with hashing?

A

Encrypt hash with sender’s private key

25
Q

How to achieve 'PAIN' properties with asymmetric cryptography?

A
  • Privacy - Encrypt message with receiver's public key
  • Authenticity - Encrypt something (e.g. timestamp) with sender's private key
  • Integrity - Include hash / checksum / CRC of message
  • Non-repudiation - Encrypt hash with sender's private key
26
Q

What are the common asymmetric algorithms?

A
  • RSA
  • DSA
  • ECC
  • El Gamal
  • Diffie Hellman
  • Knapsack
27
Q

What is RSA?

A
  • Asymmetric algorithm
  • Replaced DSA (Digital Signature Algorithm)
  • Current standard for digital signatures
  • Uses factorisation (prime numbers)
28
Q

What is Diffie Hellman?

A
  • First asymmetric algorithm
  • Secure key agreement without pre-shared secrets
  • Based on discrete logarithms in a finite field
29
Q

What is ECC?

A
  • Elliptic Curve Cryptography
  • Based on plotting points along a curve
  • Very efficient but only applicable for key agreement, digital signatures, pseudorandom generators & other tasks with small data
  • Frequently used in handheld & small devices due to their limited processing capability
30
Q

What are the main uses of symmetric & asymmetric cryptography?

A

Symmetric: bulk data encryption (files and communication)
Asymmetric: Key encryption & digital signatures
31
Q

What services (properties) are provided by symmetric & asymmetric encryption?

A

Symmetric: Confidentiality (privacy)
Asymmetric: PAN - Confidentiality (privacy), authenticity, non-repudiation
32
Q

What do we know about certificates?

A
  • X.509 v4 standard
  • Provides authenticity of a server's public key
  • Necessary to avoid MITM attacks with servers using SSL/TLS
  • Digitally signed by the Certificate Authority (CA)
33
Q

PKI terms

A
  • Certificate Authority (CA)
  • Registration Authority (RA)
  • Certificate Repository
  • Certificate Revocation List (CRL)
  • Online Certificate Status Protocol (OCSP)
34
Q

How can integrity be achieved (3)?

A
  • Hash - only good for accidental modification (because attacker can create new hash)
  • Digital signatures - detects accidental & malicious modification, but requires PKI. Also provides non-repudiation. Asymmetric.
  • MAC - Provides reasonable authenticity & integrity, but not strong enough to provide non-repudiation (because symmetric).
35
Q

What are the 2 types of Message Authentication Code (MAC)?

A
  • HMAC: HashAlg(Message + Symmetric key)
  • CBC MAC: Constructs MAC from block cipher (cipher block chaining)
36
Q

What are algorithms for asymmetric key exchange/agreement?

A
  • Diffie Hellman
  • El Gamal
37
Q

What are algorithms for symmetric data exchange?

A
  • AES
  • DES, 3DES
  • Blowfish, Twofish
  • IDEA (PGP)
  • CAST
38
Q

What algorithms are used for integrity (6)?

A
  • MD-5
  • SHA-1, SHA-2
  • Tiger
  • HAVAL
  • RipeMD
39
Q

What algorithms are used for asymmetric authenticity?

A
  • RSA
  • DSA
40
Q

What algorithm can be used for non-repudiation?

A

SHA-1 RSA
41
Q

What is IPSec?

A
  • Provides the framework for services such as encryption, authentication, integrity (any or all of these)
  • Provides encapsulation, not encryption
  • What is encapsulated can be protected through the sub-protocols within IPSec
42
Q

What are the IPSec modes?

A
  • Tunnel mode: Whole IP packet is encrypted. Better security.
  • Transport mode: Only IP payload encapsulated (not header, trailer). Less security, but better performance. Used on trusted local networks.
43
Q

What are the IPSec sub-protocols?

A
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
44
Q

What is IPSec AH?

A
  • Authentication Header (AH)
  • Provides integrity, non-repudiation & authenticity through ICV (integrity check value), like a hash.
  • ICV runs on static fields e.g. header, data, trailer. Does not run on dynamic fields e.g. TTL
  • No confidentiality
  • Doesn't work with NAT (because AH prevents address spoofing)
45
Q

What is IPSec ESP?

A
  • Encapsulating Security Payload
  • Provides authenticity and integrity through MACs
  • Does not provide non-repudiation because MACs are symmetric
  • Provides encryption
  • ICV is payload only
  • Does work with NAT
46
Q

Hash, Digital Signature, MAC - symmetric or asymmetric?

A

Digital signature - asymmetric
MAC - symmetric (therefore no non-repudiation)
Hash - neither (just an algorithm)
47
Q

What is IPSec IKE?

A
  • Internet Key Exchange
  • No security services
  • Manages secure connection, such as key negotiation
  • Contains:
    • Oakley: uses Diffie Hellman to agree on key
    • ISAKMP (Internet Security Association & Key Management Protocol): Manages keys, security associations (SAs), Security Parameters Index (SPIs)
48
Q

What is an IPSec SA?

A
  • Security Association
  • Part of IKE
  • Unique identifier for each secure session
  • 2 SAs for each connection (1 incoming, 1 outgoing)
  • Contains:
    • Destination address
    • SPI
    • IPSec transform (AH, HMAC-MD5)
    • Key
    • Additional attributes e.g. lifetime (8 hours; 100MB; etc)
49
Q

What is an IPSec SPI?

A
  • Security Parameters Index
  • Unique ID to differentiate between multiple sessions with same destination
  • Used in IKE Security Association (SA)
50
Q

What are the email cryptosystems?

A
  • S/MIME (Secure Multipart Internet Mail Exchange)
  • PGP (Pretty Good Privacy)
51
Q

What is S/MIME?

A
  • Secure Multipart Internet Mail Exchange
  • Standards-based secure email by creating a digital envelope
  • Sender:
    • Hashes message
    • Encrypts message with session key
    • Encrypts hash with private key
    • Encrypts session key with receiver's public key
  • Receiver:
    • Decrypts session key with private key
    • Decrypts hash with sender's public key
    • Decrypts message with session key
    • Calculates hash value of message & compares to hash sent
52
Q

What is PGP?

A
  • Pretty Good Privacy
  • Free but uses proprietary software (so users need the software)
  • Uses web of trust
  • Pass phrases instead of passwords
  • Learned keys stored in a keyring (cached)
53
Q

What are the main attacks on cryptography (5)?

A
  • Ciphertext only
    • Attacker has captured ciphertext
    • Usually attacker has to brute-force
  • Known plaintext
    • Attacker captures ciphertext and knows a portion of the plaintext
    • E.g. standard email signature
  • Chosen plaintext
    • Attacker sees full text encrypted & decrypted
    • Usually attacker initiates message (e.g. ambassador)
  • Chosen ciphertext
    • Attacker can see whatever they want in plain or cipher
    • E.g. compromised workstation ("lunchtime/midnight" attack)
  • Meet in the middle
    • Attack on algorithms that use multiple keys (e.g. 3DES)
    • Attacker tries to learn what each key does individually
54
Q

What is the Meet-in-the-Middle attack?

A

For anything double-encrypted (e.g. C = Ek2(Ek1(P))), if you know the plaintext and ciphertext ...
  • Try every possible key to encrypt P and store the results.
  • Try every possible key to decrypt C and store the results.
  • Look for a match from each list - this would be Ek1(P), therefore you have identified both K1 and K2.
55
Q

What type of attacks are polyalphabetic ciphers vulnerable to?

A

Period analysis (because key is repeated).
56
Q

What is a running key cipher?

A

Book cipher. Usually a passage from a book.