4472 - Security Final

Question 1

What is Kerkhoffs Principle?

Answer 1

security should be based off secrecy of the key, not the encryption scheme; assume that the encryption scheme is publicly known

Question 2

What is the ‘don’t roll your own’ principle?

Answer 2

crypto algorithms are very easy to get wrong, don’t make any yourself

Question 3

What is a brute force attack?

Answer 3

trying every key and/or message until one “works”

Question 4

A system that can be broken into 2^128 operations has how many bits of security?

Answer 4

128

Question 5

What are bits of security?

Answer 5

exponential value describing how many operations are necessary to recover a message or key for a cryptosystem

Question 6

What defines a negligible quantity?

Answer 6

value that is less than on over any polynomial function with degree less than or equal to the security parameter

Question 7

What is a security parameter?

Answer 7

a variable that measures the input size of the computational problem

Question 8

What is the security parameter (k) in an RSA cryptosystem?

Answer 8

it is the length in bits of the modulus n, where n is a number in the set 0….(2^k) - 1

Question 9

What criteria must be met for indistinguishability?

Answer 9

probability that you can tell the difference between two things is less than the negligible quantity

Question 10

What are pseudo random functions?

Answer 10

random mapping of inputs to outputs, many to one mapping may exists, not necessarily inversible

Question 11

What are pseudo random permutations?

Answer 11

random mapping of inputs to outputs, one to one mapping, image and pre-image sets are equivalent, unique inverse for every element

Question 12

What is an “oracle”?

Answer 12

like a black box, ask a question get an answer

Question 13

What is the hierarchy of security levels?

Answer 13

IND-CCA2 –> IND-CCA1 –> IND-CPA –> IND-EAV

Question 14

How is IND-CCA2 achieved?

Answer 14

message authentication codes; you need to be able to only create a valid ciphertext with knowledge of a secret key

Question 15

How is IND-CPA achieved?

Answer 15

by using randomized encryption; encrypting the same message twice should give two completely different results

Question 16

How is IND-EAV achieved?

Answer 16

you should have negligible advantage telling the difference between cipher text

Question 17

What are block ciphers used for?

Answer 17

for efficient bulk encryption of data

Question 18

What is the ideal functionality for block ciphers?

Answer 18

pseudo-random permutation, secret key determines permutation, fixed length input maps to fixed length outputs

Question 19

What security level is the ECB cipher?

Answer 19

Not even EAV-Secure

Question 20

What does CBC mode require?

Answer 20

an initialization vector (IV)

Question 21

What does CTR mode require?

Answer 21

an initialization vector (IV)

Question 22

What is the benefit of CTR mode over CBC mode?

Answer 22

random access, no decryption function needed

Question 23

What must an IV be to avoid encryption oracle attacks?

Answer 23

unpredictable to adversary (secret)

Question 24

What is the block size for AES?

Answer 24

128

Question 25

What are the bit key options for AES?

Answer 25

128, 192, 256

Question 26

What are hashes used for typically?

Answer 26

checking file integrity, storing passwords, making certain operations more efficient

Question 27

What is pre-image resistance?

Answer 27

given a hash y, it should be difficult to find an x such that h(x) = y

Question 28

What is second pre-image resistance?

Answer 28

given a pre-image x, it should be difficult to find a second pre-image y such that h(x) = h(y)

Question 29

What is collision resistance?

Answer 29

it should be hard to find any pair such that h(x) = h(y)

Question 30

MD5 has how many images?

Answer 30

128

Question 31

Sha-1 has how many images?

Answer 31

160

Question 32

Sha-256 as how many images?

Answer 32

260

Question 33

Is MD5 collision resistant?

Answer 33

no

Question 34

Is Sha-1 collision resistant?

Answer 34

yes, up to 2^80

Question 35

Is Sha-256 collision resistant?

Answer 35

yes, 128 bits of collision resistance

Question 36

What are MAC’s for?

Answer 36

verifying the integrity of a message by associating a fixed length value (tag) to it

Question 37

What is a MAC tag derived from?

Answer 37

a secret key and a message

Question 38

What is the ideal functionality of a MAC?

Answer 38

like a keyed hash, variable length input maps to fixed length output

Question 39

What is authenticated encryption?

Answer 39

a means of securely packaging a cipher with a mac under one common interface, prevents a plaintext from being returned without a valid mac. Uses the encrypt then mac strategy

Question 40

Encryption, MAC Keys and IV must be what for athenticated encyption to work?

Answer 40

independently generated

Question 41

What distinguishes asymmetric key primitives?

Answer 41

the existence of both a key for performing public operations and a key for performing private operations

Question 42

what is the discrete logarithmic problem?

Answer 42

given a=g^xmodp find x

Question 43

what makes the discrete logarithmic problem hard? under what circumstances?

Answer 43

if g generates a cyclic group of large, prime order ‘q’

Question 44

what are the keys in DHE?

Answer 44

private key: randomly generated number between 1

Question 45

What is the Diffie Helman problem?

Answer 45

given g, g^a and g^b, compute g^ab

Question 46

why do we hash messages before signing them?

Answer 46

because RSA can’t handle operations longer than the modulus size, so for a 2048 bit RSA you can’t sign any messages longer than 256 bits - which is why we use a hashing algorithm like sha-256, since it will always have a 256 bit output (fixed length outputs of hash are crucial to RSA)

Question 47

what is different about ephemeral DH vs regular DH?

Answer 47

private keys are newly generated for each connection

Question 48

If EVE sends her public key to ALICE and ALICE accepts it as BOB’s key will EVE be able to sign any message? what protects against this?

Answer 48

Yes she will, certificates or some higher level protocol security

Question 49

Explain RSA encryption

Answer 49

I give an open padlock to everyone to which only I know the combination. They write a message in a box and lock it using the padlock. Anyone can create the locked box but only I can unlock it and read the message

Question 50

What is the basis for the “hardness” of RSA

Answer 50

factoring the two large prime numbers; given n=pq find p and q (which are both large prime numbers)

Question 51

why is RSA not IND-CCA2?

Answer 51

because it is multiplicatively homomorphic; meaning that the product of two cipher texts is equivalent to the encryption of the product of corresponding plaintexts

Question 52

How can you make RSA IND-CCA secure?

Answer 52

by padding it with a scheme like OAEP

Question 53

what are digital signatures for?

Answer 53

linking an identity to a message

Question 54

the private key for digital signatures is used for verifying (T/F)

Answer 54

F; it is used for signing - only the key holder should be able to sign messages associated with their key pair

Question 55

the public key for digital signatures is used for verifying (T/F)

Answer 55

T; anyone should be able to verify that the a signature relates to a relative party’s verification key

Question 56

what margin does NIST suggest for efficient modulo bias solver

Answer 56

64 bits of margin for generating 256 bit numbers

Question 57

what does verification accept? what does it output

Answer 57

a message, verification key and signature; outputs success if signature is valid output fail if otherwise

Question 58

what is a universal forgery?

Answer 58

an attacker can create a valid signature on any type of message

Question 59

what is a selective forgery?

Answer 59

an attacker can create a valid signature on some message that was chosen ahead of time

Question 60

what is an existential forgery?

Answer 60

an attacker can create a valid signature on some messages but doesn’t necessarily have control over what the message is, and it may not make sense

Question 61

signatures are usually performed on what? why?

Answer 61

the hash of the message; for efficiency reasons

Question 62

how does padded RSA solve the problem of existential forgery in unpadded RSA?

Answer 62

it makes the signature “non malleable” meaning that linear operations on ciphertext does not result in linear operations on plaintext

Question 63

cryptograms can replace what with ECC?

Answer 63

their basis; if they are based on the hardness of solving discrete logarithmic functions they can replace that with ECC

Question 64

what are the two flavours of ECC and what are their advantages?

Answer 64

EC over GF(2^m); fast in hardware

EC over GF(p); fast in software

Question 65

What are the pros of ECC?

Answer 65

• point multiplication is faster than analog modular exponentiation
• public keys are smaller than their integer counterparts

Question 66

What are the cons of ECC?

Answer 66

• harder/more complex to implement and understand

- some concerns over backdoors in some common curve parameters

Question 67

what is NIST?

Answer 67

a standard for information system security

Question 68

what does NIST require as a minimum security level in terms of bits?

Answer 68

112

Question 69

based on NIST what must symmetric keys (block cipher/MAC) be greater than or equal to?

Answer 69

112

Question 70

for hash function based on NIST what needs to be true in order for their to be pre-image and second pre-image resistance? what about collision resistance?

Answer 70

output length >=112 (image)

output length >=224 (collision)

Question 71

for DHE and DSA based on NIST what must the prime modulus and group order be?

Answer 71

p >= 2048

q >= 224

Question 72

for ECDHE and ECDSA based on NIST what must the prime modulus and group order be?

Answer 72

p >= 224

q >= 224

Question 73

for RSA encyption based on NIST what must be true?

Answer 73

n>=2048

p,q >= 1024

Question 74

what is the rate for AES/SHA hashes on a CPU?

Answer 74

2^30 per second

Question 75

how long does it take to find an MD5 hash collision on a modern computer?

Answer 75

about 5 minutes shit is broke af

Question 76

what is a certificate?

Answer 76

a document used to authenticate a signature verification key

Question 77

what does a certificate prevent?

Answer 77

man in the middle attacks

Question 78

what is a certificate revocation list

Answer 78

a signed list of certificates held by a certificate authority that have been revoked prior to some expiration date

Question 79

What are some common reasons for a certificate to be on a certificate revocation list?

Answer 79

part of it is being updated, an entity has shut down, servers private key is comprimised

Question 80

what does the TLS cipher suite specify?

Answer 80

KSCH

• key exchange algorith
• signature algorith
• cipher and mode of operation
• hashing function

Question 81

what is entropy relating to passwords?

Answer 81

how many bits of information does it take to encode a password - considers not just how many possibilities there are but the probability of each password occuring

Question 82

High entropy passwords are what?

Answer 82

harder to guess

Question 83

how to web servers store passwords to prevent passwords getting exposed if database is illegally accessed?

Answer 83

hashing

Question 84

what are the pros and cons of password hashing?

Answer 84

pros; attackers can’t guess passwords outright they need to guess, hash it, then check it
con; the same password maps to the same hash, so if one password is guess everyone with that same hash is exposed, attackers can prebuild large dictionaries or rainbow tables

Question 85

what is a “salt”?

Answer 85

a random value that is hashed along with the password to ensure that every hash is unique

Question 86

what is key stretching and what does it attempt to solve?

Answer 86

purposely slowing down hash functions so they take longer to compute; salted and hashed passwords are still vulnerable to guessing so by making each guess take longer you are directly impacting the efficiency of an attack

Question 87

what makes keys “assymetric”?

Answer 87

the “do” key is different from the “undo” key

Question 88

what is a key pair?

Answer 88

a public key and corresponding private key

Question 89

what is the diffie helman tuple?

Question 90

how can you prove the security of DDH (decisional diffie helman)?

Answer 90

based on DLP being hard

Question 91

what is the difference between CDH and DDH?

Answer 91

CDH asks us to derive the shared secret of a diffie helman whereas DDH just asks us to recognize it

Question 92

why do we hash messages before signing them?

Answer 92

because RSA can’t handle operations longer than the modulus size, so for a 2048 bit RSA you can’t sign any messages longer than 256 bits - which is why we use a hashing algorithm like sha-256, since it will always have a 256 bit output

Question 93

why can’t an attacker control the message in an RSA forgery attack?

Answer 93

because if he could, which mean given (m^e)modn find m, then he has solved the RSA problem

Question 94

If EVE sends her public key to ALICE and ALICE accepts it as BOB’s key will EVE be able to sign any message? what protects against this?

Answer 94

Yes she will, certificates or some higher level protocol security

Question 95

RSA is faster at a creating a signature than DSA (T/F)

Answer 95

F; DSA is faster when creating signatures

Question 96

RSA is faster at validating a signature than DSA (T/F)

Answer 96

T; RSA is faster at validating a signature

Question 97

DSA is faster at encrypting than RSA (T/F)

Answer 97

F; RSA encrypts faster

Question 98

DSA is faster at decrypting that RSA (T/F)

Answer 98

T; DSA decrypts faster

Question 99

what is the minimum bits of security allowed for key agreements according to NIST?

Answer 99

112 bits of security

Question 100

what are the only approved symmetric encryption algorithms?

Answer 100

three key triple DES and AES

Question 101

is sha-1 secure?

Answer 101

no due to length extension attacks

Question 102

what is a 1024 bit RSA key equivalent to in symmetric key strength?

Answer 102

80 bits

Question 103

what is the minimum security for RSA keys?

Answer 103

2048, equivalent to 112 bits in symmetric keys

Question 104

DHE key strength matches RSA key strength (T/F)

Answer 104

T; a 2048 RSA key is about as strong as a 2048bit DHE key

Question 105

ECC keys can be secure at shorter lengths than other assymetric key schemes (T/F)

Answer 105

True; can be twice the length of symmetric keys and be just as secure

Question 106

what is the minimum security for ECC schemes?

Answer 106

224 bits

Question 107

what is the key distribution problem?

Answer 107

there are two parts;

1. sender or recipient must create a key and send it to the other party, while in transit it can be stolen or copied by a third party
2. large numbers of key pairs are difficult to manage

Question 108

how many key pairs in traditional symmetric encryption would be needed for 10 parties to communicate?

Answer 108

n(n-1)/2

10(10-1)/2 = 45

Question 109

what is the “web of trust”

Answer 109

a decentralized trust model that is used to establish authenticity between a public key and its owner

Question 110

what is a digital certificate, what does it say, how does it prove it is what it says it is?

Answer 110

a claim made by a certificate authority that says what the server’s public key is, that is signed by the signing key of the certificate authority

Question 111

what are the types of validation for a certificate authority to issue a certificate

Answer 111

domain validation; prove you have a domain name
organization validation; prove you are company X
extended validation; pay more money get more validation

Question 112

what are the fields of a certificate?

Answer 112

SSSSPIV

• serial number
• signature algorithm
• signature
• subject ID
• public key
• issuer ID
• validity period

Question 113

what are certificate chains?

Answer 113

hierarchy of certificates that are stateless, seamless, and transparent

Question 114

what are the endpoints of a certificate chain?

Answer 114

start point: the host (eg. google.com)

end point: root certificate authority that the browser/device trusts (eg. Geo Trust)

Question 115

what is a trust store?

Answer 115

a place in you browser or device where all trusted root certificate authorities are stored

Question 116

what is certificate pinning? what does it solve?

Answer 116

directly associates a host with a public key (pins it to the browser) and allows device to bypass certificate chain, good to prevent state-level attacks

Question 117

what are some reason for certificate revocation?

Answer 117

company gets hacked, CA is compromised (private key compromised), new business/affiliate name, company goes out of business

Question 118

What can happen if you knowingly trust a revoked certificate?

Answer 118

you could get man in the middled

Question 119

what are the three main ways a client can check if a servers certificate has been revoked?

Answer 119

• certificate revocation list
• request via online certificate status protocol (OCSP)
• OCSP stapling

Question 120

what is the difference between certificate revocation through CRL and OCSP?

Answer 120

client has to manually search CRL to check but with OCSP client can make a request to check a certificate status

Question 121

what is OCSP stapling?

Answer 121

the server will make the request to OCSP and “staple” the CA’s signed and timestamped response to its certificate chain. this way client can clearly see certificate status of server with initial request

Question 122

what are the 4 phases to the TLS handshake

Answer 122

1. establish security capabilities
2. authentication and public key exchange
3. secret key exchange and derivation
4. finish

Question 123

in what phase is the server ciphersuite shared with the client?

Answer 123

phase 1, server_hello

Question 124

what are the components of a cipher suite?

Answer 124

• key exchange (RSA, DHE/ECDHE)
• cipher algorithm (AES, three key triple DES)
• hashing algorithm (SHA-1)

Question 125

if using DHE or ECDHE what does the client need to do in phase 2 of the TLS handshake?

Answer 125

check certificate chain and signature on private key

Question 126

when exchanging the pre master secret using RSA what happens?

Answer 126

client generates pre master secret and encrypts with public key and sends to server

Question 127

when exchanging the pre master secret using DHE what happens?

Answer 127

parties compute DH shared secret (which becomes the pre-master secret)

Question 128

what is the purpose of PRF in TLS?

Answer 128

to expand secrets into keys

Question 129

how do you go from pre master secret to master secret?

Answer 129

using a pseudo random function

Question 130

what is a TLS key block?

Answer 130

all the values used in the symmetric key operations

Question 131

what distribution of random numbers do you need to do cryptography? why do you need it?

Answer 131

uniform distribution

• makes brute force maximally hard
• you could end up with people using the same primes in RSA and could factor their keys

Question 132

what are the components of Fortuna/CTR_DRBG

Answer 132

its a deterministic random bit generator based on a block cipher in CTR mode, key and counter are drawn from an entropy source, output function uses AES

Question 133

how does fortuna overcome the fact that CTR is not a one way function?

Answer 133

by frequently reseeding

Question 134

Under what conditions is fortuna distinguishable from true randomness?

Answer 134

given enough output that the counter wraps and a repeat value can be observed

Question 135

what is a bias?

Answer 135

a deviation from uniform distribution

Question 136

what is the modulo bias?

Answer 136

when using modular arithmetic to get a random number that is not a power of two you are more likely to get a number that is less than n/2, n being the maximum of the range

Question 137

what is the correct way to solve modulo bias

Answer 137

keep calling the rng function until you get a random number that is within the desired range, that way when modular arithmetic is applied there is not difference in the distribution of result

Question 138

what is the efficient way to solve modulo bias

Answer 138

generate way more bits than you need, then modulo reduce

Question 139

given b bits of security what should the key length be for symmetric encryption?

Answer 139

k>=b

Question 140

what are integer based discrete logarithm systems susceptible to ?

Answer 140

index calculus attacks

Question 141

for elliptic curve discrete logarithm problems, given bits of security b what must the group size be so that it is infeasible?

Answer 141

|q| > 2b

Question 142

what will happen to RSA as time goes on?

Answer 142

it will be replaced by ECC because increasing bits of security results in a much larger increase in the required modulo (2n = 15x modulo)

Question 143

given b bits of security what must the size of hash length be? what if collisions aren’t a problem?

Answer 143

> =2b

if collisions don’t matter then >=b

Question 144

do collisions matter in HMAC? why or why not?

Answer 144

no they don’t, because eve would need to know the secret key to be able to compute tags and compare them

Question 145

what are the pros and cons of passwords?

Answer 145

pro: easy, inexpensive
cons: have to generate and store them securely, also have to memorize them

Question 146

what is the problem with no salt password storage?

Answer 146

if an attacker finds the hash corresponding to one users password she will be able to crack all users that have the same password

Question 147

what is the pros and cons of scrypts (instead of passwords)

Answer 147

pros: memory-hard
cons: more complicated

Question 148

is the one time pad perfect theoretical hiding? why or why not?

Answer 148

yes it is perfect in theory since no amount of computing power can help you decrypt ciphertext as it can be ANY message and all pads are equally likely

Question 149

what is the difference between passive and malicious adversaries?

Answer 149

passive adversaries just observe ciphertext whereas malicious adversaries can modify and replace ciphertext

Question 150

what is the CIA triad of security

Answer 150

confidentiality, integrity, authenticity

Question 151

what are ideal block ciphers (PRF or PRP) ?

Answer 151

pseudo random permutations

Question 152

given b bits in an ideal block cipher how many plaintexts are there? how many possible mappings (permutations) are there? how many possible keys?

Answer 152

2^b plaintexts, 2^b! permutations, 2^k keys

Question 153

does CTR use decryption functions?

Answer 153

no, only uses encryption function of a block cipher

Question 154

what is the disadvantage of CTR mode?

Answer 154

can’t be used with a small block length cipher (3DES)

Question 155

what is the problems with traditional RSA?

Answer 155

1. it is malleable (i can make predictable changes to the ciphertext)
2. it is deterministic, it fails the CPA game

Question 156

what padding scheme is used in block ciphers? what does it do?

Answer 156

pksc 7: pads with N bytes of 0xN

Question 157

what are the inputs for authenticated encryption?

Answer 157

plaintext, encryption key, mac key

Question 158

what are the outputs for authenticated encryption?

Answer 158

ciphertext and authentication tag

Question 159

what are the inputs for authenticated decryption?

Answer 159

ciphertext, mac tag, encryption key, mac key

Question 160

what are the outputs for authenticated decryption?

Answer 160

plaintext or error if the tag is invalid