7. Security and SSL Flashcards

1
Q

What layer is security implemented at?

A

Transport

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the desirable properties of secure communication? (7)

A
  • MANAREC
  • confidentialilty, only the sender and intended receiver sould be able to understand the message
  • anonymity, only the sender and the receiver know of the existence of the message
  • authentication, both parties are who they say they are
  • message integrity, arrives unmodified
  • non-repudiation, the sender cannot deny they sent the message
  • replay protection, the message cannot be copied and reused
  • efficiency, must be feasible for specfic types of device
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What does SSL provide?

A

confidentiality, integrity and authentication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is a man-in-the-middle attack?

A

The act of maliciously inserting messages into a connection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Describe private key (symmetric) encryption, and it’s drawbacks.

A

Both Alice and Bob have a secret key that they use to encrypt and decrypt the data they send to each other. The drawbacks are that you need to find a way to securely share this key in the first place, otherwise the whole thing is pointless. Sucks with many-to-many connections because you have to share more keys. There’s no way of telling who a message came from.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Describe public key (asymmetic) encryption, and it’s drawbacks.

A

Sender has a public key which is known to all and distributed, and a private key which only they know. Messages encrypted with the public key can only be decrypted by the private key, and vice versa. Can be used to verify who sent the message, because only they have their private key. Drawback - computationally expensive, so slower.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is a session key? Why use it?

A

Bob and Alice use public key cryptography to enchange a symmetric key, Ks. They use Ks for a session, then throw it away when they’re done. Allows for the speed of symmetric and the security of public.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the purpose of a hash algorithm/function?

A

It is very difficult to work out what the message is if you know the hash digest, even if you know the function. Very difficult to create a different message with the same hash digest too. Used to ensure integrity of a message.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the purpose of a nonce?

A

Defending against a playback attack. Send a nonce with the message that is only good for one interaction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Describe digital signatures.

A

A cryptographic technique analogous to hand-written signatures. Sender signs document, establishing he is the owner/creator. Verifiable and nonforgeable. Uses public key cryptography. Provides non-repudiation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the role of a Certification Authority?

A

Binds a public key to an entity. (Person, router…). Entity E provides proof of indentity to CA, CA creates certifcate binding E to it’s key. Signed by CA.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Describe the SSL handshake process.

A
  1. Client sends list of supported algorithms and a nonce
  2. Server choses an algorithm, sends back choice + certificate + server nonce
  3. client verifies cert, extracts server’s public key, generates secret, encrypts it with server’s public key, sends
  4. both parties indepenently compute encryption and mac keys from secret and nonces
  5. client sends a mac of the handshake messages
  6. server sends a mac of the handshake messages

steps 5 and 6 prevent MITM deleting stronger algorithms from the list.

purpose:

  1. server authentication
  2. negotiation: agree on crypto algorithms
  3. establish keys
  4. client authentication (optional)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What’s the problem with CAs?

A

Any CA can sign certificates for any domain. Users are under the impression they are using HTTPS if they are accessing the second version of the website.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly