Midterm # 2 Flashcards

Question

what is BLP

Answer 1

Bella-LaPadula

Answer 2

is to capture the minimal requirements with respect to confidentiality, that any MLS system must satisfy

Answer 3

Simple Security Condition, | Property

Answer 4

Subject S can read object O if and only if L(O) <= L(S)

Answer 5

Star property, Subject S can write objects O if and only if L(S) <= L(O)

Answer 6

to further restrict information flow "across" security level, compartments enforce he need to know principle.

Answer 7

communication path

Answer 8

is a test that a human can pass, but a computer can not pass with a probability better than guessing.

Answer 9

firewall provides access control for the network. Each type of firewall filters packets by examining the data up to a particular layer of the network protocol stack.

Answer 10

application, transport, network, link, physical

Answer 11

efficiency

Answer 12

firewall has no concept of state so each packet is treated independently of all others.

Answer 13

they are configured using access control ists or ACLs

Answer 14

Trudy tries to determine which ports are open through the firewall

Answer 15

the incoming packet is destroyed and a new packet is created in its place when the data passes trough the firewall.

Answer 16

it is a bad idea to have the two sides in a protocol do exactly the same thing, since this might open the door to an attack. small changes to a protocol can result in big changes in its security.

Answer 17

You should not use the same key pair for signing as you use for encryption

Answer 18

Alice and Bob can use their shared symmetric key K_AB, to encrypt the diffie hellman exchange

Answer 19

a time value

Answer 20

is that we do not need to waste any messages exchanging nonces, assuming that the current time is known to both Alive and Bob.

Answer 21

bobs cave which side

Answer 22

relies on the fact that finding a square root modulo N is as difficult as factoring.

Answer 23

Not a secret, stored with passwords dictionary attack more difficult it creates more work for hacker hacker can not use precomputed work.

Answer 24

store you have to encrypt the key, if you get the password file you get the key. Password file is a single point of failure

Answer 25

challenges used to verify authentication session PREVENT REPLAYS

Answer 26

MORE EFFICIENT

Answer 27

CLOCK SKEW | time is a security concern

Answer 28

C-lists, rows and describe permissions for subjects

Answer 29

Access control lists, are columns

Answer 30

Easy to add or delete | easy to delegate permissions

Answer 31

Easier to implement | Easy to change permissions

Answer 32

One to one VS one to many | subject compliance VS non subject compliance (data)

Answer 33

``` authentication is easier: Only one way for authentication Already know i am authenticating Comparisons to ONE with identification one to many, comparisons depends on data ```

Answer 34

works at the network layer, attacker uses TCP ACK scan

Answer 35

works at the transport layer, attacker uses firewalk to send packets.

Answer 36

to check for port opening, port scanning

Answer 37

works at the application layer, DLS attack can perform a port scanning

Answer 38

if bob and alice are doing the same thing you can get MIG

Answer 39

better fuse weak , reduces bandwidth, EASY TO DO RELATIVELY

Answer 40

Weak, reduces data leaks, EASY TO DO RELATIVELY

Answer 41

Do nothing at all , because you could flag it as import since the system is weak.

Answer 42

so if the password file is stolen or accessed by trudy they can not determine the passwords and use it to log in to that system or other resources.

Answer 43

hashes are one way and do not require that we decrypt any password files. Decrypting a password file would require that the key to be stored some where so that the system can automatically decrypt the file when verifying password. creates a security problem as to where to store the key.

Answer 44

are both used in security protocols to prevent replay attacks

Answer 45

less messages required to achieve authentication as the nonce does not need to be exchanged.

Answer 46

Time stapts in the first case are security critical parameter and require a window of "opportunity" to account for clock skew. Nonce do not have that and it is a disadvantage.

Answer 47

fast, less overhead s it does not monitor the state. stateful keeping track of state of lots of connections

Answer 48

prevents simple TCP ACK attack on firewall to determine if ports are blocked as the firewall will know that there is no valid session or state and reject the packet.

Answer 49

easier for admin to reset pwd than to issue a new thumb

Answer 50

same plain text and same ciphertext

Answer 51

padding with random bits prevents forward search attach, can not use a precomputed set of passwords, more work for trudy

Answer 52

brute force, hash it and compare to all the passwords

Answer 53

talk the salt hash it and compare work

Answer 54

size of dictionary / prob passwords in dictionary

Answer 55

cookie is provided by a website and stored on users machine, cookie indexes a database at website, cookies maintain STATE across sessions

Answer 56

a stateless protocol HTTP

Answer 57

access control

Answer 58

Access control lists store matrix by column

Answer 59

permissions tied to a file

Answer 60

permissions tied to the user

Answer 61

easier in changing files

Answer 62

complier is acting on alices behalf, confusing her permission with Alice's permissions overriding a bill for example

Answer 63

ACLs are used more often

Answer 64

easy to delegate authority

Answer 65

to objets ressources

Answer 66

to subjects users

Answer 67

when subjects and objects at different levels use on same system

Answer 68

Access Control

Answer 69

Multilevel security enforces access control up and down

Answer 70

enforce restrictions across, the need to know principle

Answer 71

MLS designed to restrict legitimate channels of communication

Answer 72

desecrate means of communication, 1 it is there , 0 it is not there

Answer 73

network layer

Answer 74

operate at the transport layer, firewall will keep track then it can drop it

Answer 75

``` no concept of state cannot see TCP connections blind to application data less information to go on on going connections we do not see it just like ARP cacheing ```

Answer 76

can not see application data slower than packet filtering more work state DoS is an issue

Answer 77

something that acts on your behalf

Answer 78

speed more work DoS

Answer 79

complete view of connections and applications data | Filter bad data at application layer

Answer 80

stateless protocol

Answer 81

user space

Answer 82

speaks first

Answer 83

responds to clients request

Answer 84

authentication

Answer 85

reliability

Answer 86

need to know bases

Answer 87

certain delays long or short packets

Answer 88

compromised machines

Answer 89

can do DoS an spam

Answer 90

not too difficult to do

Answer 91

the attacker knows the algorithm, the data, except the random numbers

Answer 92

the TCP 3-way handshake makes denial of service DoS attacks possible

Answer 93

first send SYN request BACK SYN-ACK ACK and data

Answer 94

Efficient Precise Robust easy to implement, easy to use ,flexible

Answer 95

Network layer, sending important information over the network back and forth attacker can replay messages.

Answer 96

prevents replay, only alice can respond to properly Bob has to verify it. Number used one is a Nonce

Answer 97

timestamps

Answer 98

man in the middle has to happen in real time

Answer 99

generate it and send it current to prevent replay

Answer 100

synchronization of clocks, network delay

Answer 101

3 messages

Answer 102

2 messages

Answer 103

x = r^2 mod N

Answer 104

y = r * s^e mod N

Answer 105

v = S^2 mod N

Answer 106

y^2 = x * V^2 mod N

Answer 107

y^2 = r ^2 * S ^(2e)