Week 3 Flashcards Preview


Flashcards in Week 3 Deck (27)
1
Q

Cryptography

A

Where security engineering meets mathematics. It gives us the tools that underlie most modern security protocols.

2
Q

Encryption

A

The process of transforming information (plain text) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of encryption is termed cipher text.

3
Q

Information Security Concerns

A

Confidentiality, Integrity, Availability, Auditability

4
Q

Elements of Access Control

A
  • Identification
  • Authentication
  • Authorization
  • Nonrepudiation
5
Q

Cryptography components: hash function:

A

Generate unique number; easy; non-traceable

  • E.g. Hash(m) = mod(m, n), the remainder after dividing by n, for n prime. Hash(‘hello’) = mod(8 5 12 12 15, 127) = 100
  • If the message changes, so does the hash. E.g. Hash(‘hallo’) = 92

6
Q

Cryptography components: Symmetric key algorithms:

A

Parties have the same key

Symmetric key ciphers (like DES, 3DES, AES)

7
Q

Public key algorithms:

A

Parties have complementary key values

Public key ciphers (like RSA); digital signatures

8
Q

Symmetric Key Cryptography

A

In conventional cryptography, key k is used both for encryption (E) of plain text m and for decryption (D) of cipher text c

9
Q

Key management

A

Refers to mechanisms to bind a person to a key. Mechanisms for generation, maintenance and revocation of keys.

Problems:
Key distribution, secrecy, usability, storage (2-factor authentication)

10
Q

Public key cryptography

A
  • Uses a pair of two related keys (PK, SK)
  • Public key (PK): published and distributed
  • Secret key (SK): private and unique
  • It does not matter if someone intercepts PKb. It is public
11
Q

Advantages of PK Cryptography

A

  • Communication partners who do not know each other can send secure messages to each other, provided
    1. the secret key is really kept secret by its owner
    2. the public key is unambiguously linked to its owner.
  • This can be established by a chain of trust (compare procedures for collecting a passport)
  • Messages can be electronically signed, enabling implementation of authentication and non-repudiation

12
Q

Usage of Public key cryptography

A

  • Confidentiality: Only Bob has SKb to decrypt cipher text
  • Authentication: (1) Use secure key distribution to uniquely link PKB to Alice, e.g. chain of trust, using certificate authorities (CA); or (2) Use SKA to encrypt (signature). Anyone with PKA can test.
  • Integrity: Alice makes a unique ‘hash’ of the message, encrypts the message and sends it all securely along. Bob decrypts and recalculates the hash himself; Bob compares to find differences (SHA-1 algorithm)

13
Q

Strength of RSA

A
  • Encryption is based on numbers n and f, so the public key is a pair (f, n)
  • The private key is the pair (d, n); n is publicly known
  • Statement: anyone who knows the public key of RSA and is able to factor the number n, can also find d
  • So the relative strength of RSA is based on the difficulty of factoring n in its two prime factors.
  • Key distribution remains crucial. Consider a man-in-the-middle attack. Suppose Trudy can intercept messages between Alice and Bob. She receives PKB, makes a fake SKA’ and PKA’ and sends PKA’ to Bob. Bob will then communicate with Trudy as if it is Alice. This can be avoided by digital certificates from a public key infrastructure, and by regularly comparing certificates.
14
Q

Usage of Public key cryptography (double key pair)

A

Same as public key cryptography, but besides PKb encrypting and SKb decrypting:

PKb + SKa encrypts, and SKb + PKa decrypts

15
Q

Purpose of a signature

A

to authenticate a message

16
Q

Governance of PKI

A

PKI (Public Key Infrastructure)

  • Infrastructure and governance mechanism for establishing secure key exchange
  • Procedures for linking keys (certificates) to a natural person
  • Governance structure: hierarchy of certificate authorities

*Weaknesses are often in key management and governance structure

17
Q

Protocols

A

Rules for interaction

Evaluating a protocol:

  • Is the threat model realistic?
  • Does the protocol deal with it?

E.g. parking garage lets regular users authenticate and open barriers.

Garage G sends a nonce N; Token T sends return message to garage G, with name T, and T,N encrypted with key KT
G -> T : N
T -> G : T {T,N}KT

18
Q

Two-factor authentication

A

Use two factors out of:

  • “What you have” (physical device)
  • “What you know” (password)
  • “What you are” (biometrics)
19
Q

SP networks

A

Substitution - Permutation Networks

Block ciphers: use confusion (adding unknown key values) and diffusion (spreading plaintext information through the cipher text)

  • Block size
  • Enough rounds
  • Design of S-boxes

S-box: scrambles bits in an entire block, according to a predefined pattern

20
Q

Advanced Encryption Standard (AES)

A

NSA has since 2005 approved AES with 128-bit keys for protecting information up to ‘secret’ level and with 192-bit or 256-bit keys for ‘top secret’.

AES is an SP-Network

  1. KeyExpansion
  2. AddRoundKey
  3. Repeat
  4. Final round
21
Q

Feistel cipher (DES)

A

Has a ladder structure; the input is split up into two blocks, a left half and a right half

22
Q

DES continued

A
  • DES algorithm is widely used in banking and other payment applications
  • Each round is a combination of expansion, key mixing and S-boxes
  • Criticism: key is too short
  • Brute force will need 2^56 encryptions, and an average of 2^55 encryptions. Available for $20 million in 1977
23
Q

3DES

A

Solution to the problem of DES’ key length: use DES multiple times on message M

Heavily used by banks, still. Most new systems use AES, but banking technology still relies on 8-byte blocks

24
Q

Overview Algorithms

A

Symmetric (parties have the same key):

  • AES: preferred standard
  • DES: insecure
  • 3DES: still widely used

Asymmetric (public-private key) (parties have complementary key values)

  • Diffie-Hellman: theoretical
  • RSA: preferred standard
25
Q

Bruce Schneier remarks

A

Bruce Schneier: algorithms have a “margin of safety”. We must recognise that with enough computing power and time, it is possible to break any algorithm, but if we continue to work together and stay on top of computational performance, we can find new algorithms to replace old ones.

26
Q

Conclusions cryptography

A

  • Hash functions: unique code
  • Symmetric key encryption: sender and receiver share the same key, security relies on key distribution procedure
  • Public key encryption (asymmetric): sender has a public key; only receiver has private key. Public key may be intercepted

27
Q

Conclusions cryptography: use of keys to ensure security concerns:

A
  • Confidentiality (key)
  • Integrity (compare hash)
  • Authenticity (signature)

Key management and governance are crucial (Diginotar)