Basics Flashcards

Question 1

Q

Kerchoffs’ principle on Cryptography’s strength

Answer

A

If keys are:

Kept secret
Managed only by trusted systems
Adequate length

Then it has no importance that the encryption and decryption algos are keps secret.

It is better that those algos are public so that they can be widely studied and weaknesses are identified and fixed.

Question 2

Q

Secret key / symmetric cryptography

Answer

A

single key, shared only by the two parties.
low computational loas > used for data encryption.
Problem: how do we securely share the key among interested parties?

Question 3

Q

EX-OR function

Answer

A

The ideal confusion operator.

If the input is random the output will be equally random.

Question 4

Q

DES

Answer

A

Data Encryption Standard
Standard Federal Information Processing Standard 46/2 (FIPS)
Key size: 56 bits + 8 parity bits.
Datablock size: 64bits.
Designed to be hardware efficient:
- requires only XOR/SHIFT/Permutation.

Question 5

Q

Triple DES (3DES, TDES)

Answer

A

Repeated application of DES.
Uses 2 of 3 56bits keys.
MODES:
- DES - EEE3: 3-DES -> 3 different keys
- DES - EDE3: -> 3 different keys: E(k1, D(k2, E(k3, msg) ) ) [used for when compatibility with DES is wanted, in that case all keys are the same].
- DES - EEE2: Similar to DES-EEE3 but the first and third keys are the same
- DES - EDE2: Similar to DES-EDE3 but the first and third keys are the same
Stanard FIPS 46/3 and ANSI X9.52 (X9 is prefix for banking and finance standards)

Question 6

Q

Double DES

Answer

A

Double application of encryption algorithms is subject to known-plaintext attack named meet-in-the-middle.
- allows to decrypt data by attempting 2^N+1 combinations (N = key size in bits)
- this is why double usage of encryption algos isn’t used often.
  - computation time doubles, but the effective key-length is just another bit.
- Note that if the base symmetric algorithm would be a group, then it would exist K3 so that E(K2, E(K1, msg) = E(K3, msg).
  - DES is not a group, otherwise 3DES = DES.

Question 7

Q

Meet-in-the-Middle attack

Answer

A

Hypothesis
- N bit keys
- known P and C such that C = E(k2, E(k1, P) )
Note:
- ∃ M such that M = E(K₁, P) and C = E(K₂, M)
Actions:
- Compute 2^N values X_i = E(K_i, P)
- Compute 2^N values Y_j = D(K_j, C)
- Look for K_j and K_i such that Y_j = X_i.
- False positive can be discarded easily.

Question 8

Q

IDEA

Answer

A

International Data Encryption Algorithm
Patented with low royalty (commercial use)
128 bits key
64 bits data block
Famous because it is used in PGP
Operations:
- XOR
- ADDITION mod 16
- MULTIPLICATION mod 2¹⁶ + 1

Question 9

Q

RC{2,4}

Answer

A

Ron Rivest invention
RC = RON’S CODE
Proprietary algorithm (owned by RSA) but not patented
3-10x faster than DES
RC2 is a block algo
RC4 is a stream algo
Key length is not fixed

RC2 was published as RFC-2268 in 1998, 8 to 1024 bits keys (usually 64bits), 64b datablock.

RC4 reverse engineered (ARCFOUR).

Question 10

Q

Application of block algorithms to data blocks of size != algorithm’s block size.

Answer

A

To encrypt data size > algo’s block size
- ECB (Electronic Cod Book)
- CBC (Cipher Block Chaining)
To encrypt data size < algo’s block size
- Padding
- CFB (Cipher FeedBack), OFB (Output FeedBack)
- CTR (Counter mode)

Question 11

Q

ECB

Answer

A

Electronic Code Book

Encryption:
- Formula: C_i = enc(K, P_i)
- Can’t be used on messages > algo block size because swapping of blocks goes undetected.
- Identical blocks generate identical cyphertext, thus it is vulnerable to known-plaintext attack
Decryption:
- Formula = P_i = dec(K, C_i)
- A trasmission error generates an error at decription of the block.

Question 12

Q

CBC

Answer

A

Cipher Block Chaining

Encryption
- Formula: C_i = enc(K, P_i xor C_i-1)
- Requires C₀ = IV (Init. Vector)
  - IV changes at every message, so that pre-computation cannot be performed
  - IV is sent in clear to the receiver
  - IV should be a nonce (number used once)
Decryption:
- Formula: P_i = dec(K, C_i) xor C_i-1
An error in trasmission generates and error at the decryption of two blocks.

Question 13

Q

Padding

Answer

A

B = size of algo block
D = size of data to process
Used for aligning and filling
Padding: add bits until a multiple of the algo block size is reached.
Problems:
- We store/transmit more data than needed.
- What value do we use to do padding?
Padding Techniques:
- If message length is known: add null bytes
- Original DES: one 1 bit followed by many zeros
- one byte with value 128 followed by null bytes: 0x80 0x00 0x00
- last byte’s value equal to the length of padding: 0x?? 0x?? 0x03
Padding with exlicit length L:
(Schneier) NULL bytes eg.: 0x00 0x00 0x03
(SSL/TLS0 bytes with value L, e.g.: 0x03 0x03 0x03
(SSH2) random bytes, e.g.: 0x05 0xF2 0x03
(IPSec/ESP) progressive number, e.g.: 0x01, 0x02, x03
byte with value L-1, e.g.: 0x02 0x02 0x02

Notes:

Some offer minimal integrity control:
- if key is wrong or data is manipulated, the padding bytes are incoherent (e.g. Padding length > Block size, or wrong padding values)
Don’t design your own padding, read books instead.
Typically applied to large data, on last fragment.
if |D| < |B| we prefer ad-hoc techniques (CFB, OFB, CTR, …)
padding is always added to avoid interpretation errors, even if |D| is a multiple of |B|
The type of padding used in algorithms determines some of the possible attacks

Question 14

Q

CTS

Answer

A

Ciphertext Stealing

CTS permits to use block algorithms without padding
- last (partial) block filled with bytes from the second-to-last-block
- these bytes are removed from the second-to-last block (which becomes a partial one)
- after encryption, exchange the position of the last and second to last blocks
useful when we cannot increase the size of the data after encryption: when the HDD is full you can’t use padding.
the computation time slightly increases

In CBC the tail of the second-to-last block got xored with the padding of the last block, so we have it.

Question 15

Q

CTR

Answer

A

Counter mode

Uses a block algorithm to encrypt N bits at a time (a “group”, often a byte)
random direct access to any ciphertext group
requires a nonce and a counter (concatenated, summed, XORed, …)
trasmission error results in having an error only in one group
Enables encryption/decription of a specific block without performing it for the whole message.
*

Question 16

Q

Symmetric stream algorithms

Answer

A

operate ona a stream of data without requiring the division on blocks, typically on one bit or byte at a time
ideal algorithm:
- one-time pad (requires a key as long as the message to protect)
real algorithms:
- use pseudo-random key generators, syncrhonized between sender and receiver
- if an attacker deletes a message sync. is lost -> communication is broken
- example: RC4, SEAL
EU sponsored a competition for stream cipher in 2008, that resulted in the selection of an algorithm portfolio for software and hardware.

Question 17

Q

Salsa20, ChaCha20

Answer

A

Symmetric stream algorithms invented by DJ Bernstein

128 or 256 bit keys

ChaCha20 is an improvement of Salsa20
- more diffusion of bits
- faster on some archs.
base operation: 32bit ARX (add - rotate - xor)
base function: f(key256, Nonce64, Counter64) = 513-bit keystream block
permits O(1) decryption of any block at random
Salsa20 performs 20 mixing rounds of the input
Salsa 20/12 and Salsa20/8 make 12 and 8 mixing rounds (faster but less secure)
ChaCha20 was standardized and adopted (IETF has slightly modified the original specification)

Question 18

Q

Symmetric encryption

Answer

A

single and secret key
one for each couple (or group!) of users
Key distribution:
- for N parties, N(N-1)/2 keys are necessary.
- distribution can be Out Of Band or by meanch of key exchange algorithms.
Length of secret keys:
- if the encryption algo was well designed and the keys are kept secret, then the only possible attack is brute force, that requires 2^Nbit attempts.

Question 19

Q

Length of cryptographic keys in relation with security

Question 20

Q

DES challenges

Answer

A

Total of 3
- 1st took 5 months to break (distributed computing)
- 2nd 1 month (distributed computing)
- 3rd 2 days: 1 special-purpouse sysem (deep crack) developed by EFF at the cost $250k
  - there was an assumption about the encoding (ASCII)
- 4th: 22 hours
  - DEEP CRACK + a few thousands workstations
Doesn’t mean that DES is weak, just that the key is short.
3DES could not be decrypted by DEEP CRACK

IETF changed all RFC advising not to use DES, but 3DES.

Question 21

Q

AES

Answer

A

US competition called for selecting a new symmetric algorithm.

AES (Advanced Ecryption Standard)

key length up to 256 bits.
block size of at least 128 bits.

5 finalists, RIJNDAEL won in 2000, published in 2001 a FIPS-197 => AES = RIJNDAEL.

Gradually being adopted since 2010, encryption algos are like wine, the bests are the one that ages.

Question 22

Q

Public key criptography

Answer

A

k1 != k2
asymmetric algorithms
pair of keys (public and private): one used for decription and the other for encryption.
high computational load
used to distribute secret keys and create electronic signature (with hashing)
main algos:
- Diffie-Hellman, RSA, DSA, El Gamal

Question 23

Q

Digital Signature

Answer

A

Digital signature asymmetric encryption of data made with the private key of the author
Since asymmetric encryption is very slow, usually only a summary of the message is encrypted
provides data authentication and integrity

Question 24

Q

Confidentiality without a shared secret

Answer

A

Given the public key of a receiver, it is possible to create a secret message that only the receiver can decrypt.

Question 25

Q

Public Key Algorithms

Answer

A

RSA
- product of prime numbers, factoring of the result
- usable for secrecy and digital signatures
- patented (only in USA) by RSA, expired in 20-09-2000
- computational optimizations:
  - all public keys have E = 3, 17 or 65537 (0x10001, fermat number)
  - the power operation is very easy since these numbers have only two bits to 1
    - high speed of encryption and signature verification
  - optimized algorithms for this special calse
  - Possible attack: provide signature made with key whose exponent has > 2 bits to one, since the algorithms are not efficient with those keys it willl generate a high computational load.
DSA (Digital Signature Algorithm)
- taking the power, logarithm of the result
- digital signature only (uses one-way lossy compression)
  - for encryption it uses the El-Gamal algorithm

Question 26

Q

Length of public keys and relative time in which they can be attacked (atm)

Answer

A

512 bits can be attacked in some weeks
1024 bits can be attacked in some months
2048 bits offer an appropriate security level for several years
Note that MS system don’t accept any RSA keys < 1024 since 2012; Mozilla does not accept keys < 2048 & md5 since 2013

Question 27

Q

Twinkle, Twirl

Answer

A

Twinkle

Electro-optical sieving device that executed factoring algorithms 2/3 order of magnitude faster than conventional fast PC. Estimated cost after design of $5k. (1999)

Twirl

Electronic device for factoring large integers, that implements the sieving step very efficiently. Possible to factor 1024-bit integers, and hence break 1024-bit RSA keys in 1 year at the cost of 1M dollars or less if more integers are factored at the same time.

Question 28

Q

Key distribution for asymmetric cryptography

Answer

A

Private keys are never disclosed
public key distributed as widely as possible
Problem: verifying that the public key indeed corresponds to the entity we want to talk to.
- Solution 1: exchange key Out Of Band
- Solution 2: distribution of the public key by means of a specific data strucute named public-key certificate (= digital certificate)
  - Format of certificate?
  - Can we trust certificate issuer?

Question 29

Q

Secret key exchange by asymmetric algorithms

Answer

A

confidentiality without shared secrets is often used to send the secret key chosen for a symmetric algorithm
*

Question 30

Q

Diffie-Hellman

Answer

A

First public key algorithm invented
Frequently used to agree on secret key.
Resistant to the sniffing attack
If the attacker can manipulte the data then it is possible to make a man in the middle attack: to protect from MITM we need pre-authentication (certificates for DH keys, authenticated DH = MQV)

How

A and B agree to use two public integers p (prime, large) and g (generators) such that: 1 < g < p ( typically g=2,3,5 )
DH key length = bits of p
A arbitrarily chooses an integer x > 0 and computes: X = g^x mod p
B arbitrarily chooses and integer y > 0 and computes: Y = g^y mod p
A and b exchange (publish) X and y
A computes K_A = Y^x
B computes K_B = X^y
K_A = K_B = g^xy mod p

Question 31

Q

DH, RSA and quantum computers

Answer

A

DH has comparable complexity to discrete logarithm computation == exponential in the number of bites of p (linear with p)
Algorithms to compute the discrete logarithm can often be used for factorization
Shor’s algorithm is polinomial O((logN)³) but requires a quantum computer.

Question 32

Q

Elliptic curve cryptography

Answer

A

Instead of using arithmetic, the operations are executed on the surface of a 2D (elliptic) curve
- The problem of discrete logarithm becomes harder on these curves, hence it is possible to reduce the length of the keys to have comparable security.
Digital signatures = ECDSA
Key agreement = ECDH
Authenticated key agreement = ECMQV (patented)
Key distribution = ECIES (EC Integrated Encryption Scheme)

Question 33

Q

EC arithmetics

Answer

A

Elliptic curve = y² = x³ + ax + b (mod p)
compute R = (x, y) = P + Q given P and Q (two points)
x = λ²–xP–xQ
y = λ(xP – x) – yP
We can compute addition of two point and moltiplication of a point by a scalar

Question 34

Q

EC-Diffie-Hellman

Answer

A

A and b selecte the same elliptic curve and a point G of it
A chooses a random value x and computes:
- X = x G
B chooses a random value y and computes:
- Y = y G
A and B exchange (publish) X and Y
A computes K = x Y
B computes K’ = y X
but K = K’ = x y G
Note: this uses only scalar multiplication of a point.

Question 35

Q

ECDSA and ECIES

Answer

A

ECDSA:
- Message digest computed with a normal hash function (e.g. SHA-256)
- Signature = pair of scalars derived from the digest + some operations on the curve
ECIES:
- Generates a symmetric encryption key (e.g. AES-128 one) with operations on the curve
- gives the receive the information (based on his public key)

Question 36

Q

Sony PS3 hacking

Answer

A

PS3 has embedded linux loaded verifying the binaries ECDSA signature before execution
Generation of ECDSA signature requires a random nonce, otherwise from the signature the private key can be computed, but Sony used a fixed random => someone computed the private key and distributed it world-wide so that anybody could run their binaries.

Question 37

Q

Message integrity

Answer

A

A person that intercepts an encrypted communication cannot read it, but can modify it in an unpredictable way
Digest: fixed length summary of the message to be protected (of any length)
it must be:
- Fast to compute
- impossible or very difficult to invert
- difficult to create “collisions”
- digest often used to avoid performing operations on the whole message, especially when the message is very large
- digest can be calculated in many ways, but usually via a (cryptographic) hash function (specifically designed to be secure.

Question 38

Q

Hash functions

Answer

A

They usually split the message M in N blocks (M1, …. Mn) and iteratively apply a base function (f)

V_k = f(V_k-1, M_k) with V₀ = IV and h = V_N

Question 39

Q

SHA-1 death

Answer

A

In 2005 a chinese team published a paper describing how they were able to break SHA-1.

Results:

Much less collision hash operaton than in the brute force attack (orders of magnituted)
*

Question 40

Q

SHA-2

Answer

A

Quick fix for SHA-1 attack, simply making the digest longer.
SHA-2 = {SHA-(224|256|354|512}

Question 41

Q

Aliasing

Answer

A

To avoid aliasing it’s important to make the digest long enough
md1 = h(m1)
md2 = h(m2)
If m2 != m1 we’d like to have md1 != md2 most of the times.
If the algorithm is well designed the probability of aliasing is proportial to 1/2^Nbit
*

Question 42

Q

Birthday paradox/attack

Answer

A

If there are at least 23 persons in the same room, then the probability that 2 of them were born in the same day is > 0.5; with 30 persons the probability is > 0.7:

Subtract from 1 the probability that the second person is born in the same day of any preceding one:
- P(2 born in the same day) = 1 - 364/365
- P(3 …) = 1 - 364/365 * 363/365

Attack:

a N-bit digest algo is insecure when more than 2^(N/2) digests are generated because the probability of collision is circa 0.5
- If the system is used over a long period of time, the probability of collision increases
A balanced cryptosystem is “balanced” when the encryption and digest algorithms have the same resistance:
- SHA-256 and SHA-512 have been designed to be used with AES-128 and AES-256, respectively

Question 43

Q

SHA-3

Answer

A

Competition started in 2008 with 64 candidates, the winner was declared in 2012: Keccak (“catch-ack”)
SHA-3 family has many hash functions

Question 44

Q

KDF

Answer

A

Key derivation function

A cryptographic key must be random, but users typicall insert guessable passwords
K = KDF (P, S, I)
- P = password
- S = salt
- I = no. of iterations of the base function (to slow down the computation and make like complex for attackers)
KDF hash functions: PBKDF2 (SHA-1, |S| > 64, |I| > 1000); HKDF uses HMAC

Question 45

Q

PBKDF2

Answer

A

Key derivation function
DK = PBKDF2( PRF, PWD, Salt, C, dkLen)
- PRF = pseudorandom function of two parameters with output length hLen
- PWD = password from which a derived key is generated
- Salt = cryptographic salt
- C = number of iterations desired
- dkLen = desired length of the derived key
- DK = generated derived key = T₁ || T₂ || … || T_dkLen/hLen
WPA2 uses it: DK = PBDKF2(HMAC-SHA1, PWD, SSID, 4096, 256)

PBKDF2 can be attacked because C may be large, but this requires only a lot of computation, not a lot of memory, ASIC can attack it. Competitions have been lunched to find an alternatie, Argon2 was the winner.

Question 46

Q

MAC, MIC, MID

Answer

A

MAC = Message authentication code: the message is authentic.

MIC = Message integrity code: guarantees message integrity through a code added to the message.

MID = Message identifier: used to avoid replay attackd.

Question 47

Q

Authentication by means of keyed-digest

Answer

A

A way to intrinsically secure the digest, since it cannot be exchanged out of band.

The digest is calculated on the message and on the secret key.

Operations:

Sender: d = digest(K, M)
Transmission: M || d
Receiver: d’ = digest(K, M)
Verification: is d == d’?

Only entities that know the key can compare the transmitted digest with the digest calculated on the received data.

Advantages:

Only one operation needs to be performed (digest computation)
few additional data

Cons:

Does not provide non-repudiation.

Possible mistakes in computing keyed-digest:

if kd = H(K || M) an attacker could add a message block to the end
- kd’ = H(K || M || M’) = f(kd, M’)
if kd = H(M || K) an attacker could add a message to the beginning of the message
- kd = H(M’ || M || K), choosing M’ s.t. IV = f(IV, M’)
to protect against these attacks:
- insert the length of the message in the digest
- define kd = H(K || M || K)
- use a standard key digest.

Question 48

Q

HMAC

Answer

A

This is the most widely solution used when is needed to create a keyed-digest, MAC (or MIC, it is the same), starting from a hash function H.

HMAC is typically used to protect integrity. If confidentiality must also be protected, there is CBC-MAC.

Details

H must have a block size of B, with an output long L bytes, with B > L.

Definitions:

ipad = 0x36 repeated B times
opad = 0x5C repeated B times
deprecated keys: | K | < | L |
if | K | > B then K’ = H(K) else K’ = K
if | K’ | < B then K’ is 0-padded-up to B bytes
HMAC = H( K’ xor opad || H( K’ xor ipad || data ) )

Basically HMAC is a double hash of the data composed in someway with the key. This is much stronger than just pre or post appending the key to the data.

Question 49

Q

CBC-MAC

Answer

A

When we want integrity and confidentiality, instead of using two different functions (one for encryption and one for hashing), we can compute a MAC based on a symmetric encryption algorithm: CBC-MAC.

Works by using the last block of CBC as MAC, IV = null.

The message is split in N blocks.

Loop:

V₀ = 0
from k= 1…N: V_k = enc(K, M_k xor V_k-1)
CBC-MAC = V_N

Usable only for fixed length messges (for variable length message use CMAC).

Question 50

Q

A&E, AtE, EtA

Answer

A

Various ways to combine secrecy (symmetric encryption with K₁) and integrity (keyed-digest with K₂).

A&E
- enc(K₁, p) || mac( K₂, p )
- To verify the integrity the message must be decrypted, this could lead to DoS attacks.
- MAC is sent in plain-text, may leak information about the message
- Note: insecure unless performed in a single step.
AtE
- enc( K₁ , p || mac( K₂ , p ) )
- must always decrypt before checking integrity
- slightly better than A&E
- used by SSL and TLS
- Note: secure only with CBC or stream encryption
EtA
- enc( K₁ , p ) || mac( K₂ , enc( K₁ , p ) )
- can avoid decryption of message if mac is wrong.
- Used by IPsec
- Note: beware of implementation errors: must always include IV and and specify algo in the MAC, otherwise some attacks are possble.

Question 51

Q

Authenticated encryption

Answer

A

Combine privacy and authentication (and integrity), has many benefits:

Just one key and one algorithm
high speed
less error likelihood in combining 2 functions
Useful for many applications (e-mail messages, network packets, …)
Normal encrytion modes are vulnerabe to chosen ciphertext attacks when on-line: Attacker modified ciphetext and observes whether the receiver signaled an error (e.g. padding oracle or decryption oracle attack).

In the picture: AEAD (Authenticated Encryption with Associated Data), one way of making AE possible. Note that AEAD is spliting the message in: part that needs integrity and part that needs privacy . The nonce is added to avoid replay attacks. The encrypted payload also includes a tag that provides integrity for the header and the nonce.

Question 52

Q

IGE

Answer

A

(Infinite Garble Extension)

Basically, it is like the CBC with one addition: in CBC a modification in one block of the ciphertext affect only the block itself and the next one (and then propagation stops). IGE makes it so that an error will occur on every block after the tampered one.

In this way verifying the validity of the message requires only to decrypt the last block to check if it contains the expected value (some fixed content: all zeros, content length, etc.)

In this context the last block is what in AEAD is called tag.

Not a very good algo, but interesting.

Question 53

Q

GCM as an example of AEAD

Answer

A

GCM (Galois/Counter Mode) is one of the 6 standard modes for authenticated encryption, it’s defined for algorithms with 128-bit block.

(C, T) = algo_GCM_enc(K, IV, P, A) with:

IV size from 1 to 2⁶⁴ bits
P (original plaintext) size from 0 to 2³⁹ - 256 bits
A (associated authenticated data) size from 0 to 2⁶⁴ bits
C (Ciphertext) has the same size of P
T (Authentication tag) with size from 0 to 128 bits
- Since we are not using an hash algorithm, the security is worth 128 bits (not half of the size, as we would get using an hash function).

P = algo_GCM_dec(K, IV, C, A, T):

If authentication is not OK P = FAILURE VALUE

Question 54

Q

CCM as an example of AEAD

Answer

A

It is Counter-mode with CBC-MAC: first an authentication tag of (plaintext + associated data) is computed by CBC-MAC, then the plaintext and the tag are (separately) encrypted in CTR mode.

Double pass algorithm defined for encryption algorithms with 128-bit block.

Question 55

Q

Application of authenticated encryption

Answer

A

TLS-1.3 uses GCM and CCM
802.11i uses CCM
ZigBee uses CCM* (=CCM + auth-only + enc-only)
ANSI C12.22 (house power meter) uses EAX’
- broken since the standard has 3-5 less encryption steps respect to the implementation used in the formal proof of its security

Question 56

Q

AE modes comparison

Answer

A

GCM: the most popular, on-line single-pass AEAD, parallelizable, used by TLS, present in openssl.
- encryption: generate ciphertext + authentication tag;
- decryption:
  - compute authentication tag, then if it matches the input one
  - ciphertext is decrypted
- Fast on Intel arch (4 cycle/byte)
OCB 2.0: the fastest one, on-line single pass AEAD, GPL patented (thus scarcely used), free for military use.
EAX: on-line double-pass AEAD, slow but small (only uses encryption block), good for constrained systems.
CCM: off-line double pass, slowest.

Question 57

Q

Digital signature

Answer

A

Authentication by means of digest, using asymmetric crypto.

Keyed digest doesn’t provide non-repudiation.

(signer S) H = enc( S_Kpri, hash( M ) )
(transmission) M || H
(verifiier V) X = dec( S_Kpub, H )
(verification) if ( X == hash( M ) ) then OK else ALARM!

Problem: guerantee of association between identity and public key.

Attack: tampering the digital signature will result in an error, but it cannot be determined if it is because of a tramission error in the signature or in the message.

Question 58

Q

Authentication + integrity: summary

Answer

A

using a shared secret
- only useful for the receiver
- cannot be used as a proof without disclosing the secret key
- not useful for non-repudiation
- usable agains two peers that trust each other but anyone else
using asym. encryption (digital signature)
- applied to digest only (since it is slow)
- can be used as a formal proof
- can be used for non-repudiation, provided that is possible to demonstrate the owner of the public key (public key certificate)

Question 59

Q

digital vs handwritten signature

Answer

A

Digital is better: gives authentication + integrity.

Note that each document signed by an user has a different signature made with the same key.

Handwritten only authentication.

Question 60

Q

Public key certificate

Answer

A

A data structure used to securely bind a public key to some attributes.

Binds a key to an identity, but supports also other kinds of associations (ip addresses).

The binding is secured by a certificate authority that digitally signs the public key certificate, so that:

we have a proof of authentication: it is a valid certificate because it has been created by a certification authority.
a proof of integrity: the has not been modifyied.
has a limited validity, like a identity document, and can also be revoked by the user or the issuer. It is responsability of the receiver to check that the certificate is still valid.

Verification:

To verify a signature, we request the public key certificate that is signed by the entitiy that provides, then we need to verify the public key of the Certificate Authority, and in-turn of the Certificate Authority that hosts its public key certificate, continue like this until we react the Root CA, this cannot be verified, it is self-signed.

There are multiple TLCA. Tipically in a computer system there are lot of trusted CA: for security (so that no one entity can control who is trusted) and since obtaining a certificate by a CA has a price. (CA pay to be in the list of trusted CA of Windows for example).

Problem: attackers could fake the whole CA tree, if the device is left unattended and the attacker manages to have administrative privileges, it is possible to add another (fake) Root CA, making the whole hierarchical system useless for that device. The list of Root CA can be managed either by the operating system or by the application being used.

Question 61

Q

Structure of a X.509 certificate

Answer

A

Version: since there are more versions of the same format as seen previously;
Serial number: each certificate is uniquely identified;
Signature algorithm: algorithm used to perform the signature;
Issuer: name of the entity that created the certificate, the certification authority. The syntax used to specify this information is called DN (distinguished name), composed by three fields:
- C stands for country (e.g. Italy);
- O stands for organization (e.g. Politecnico di Torino);
- OU stands for organizational unit, which means that this is the department who created this certificate (e.g. certification authority).
Validity: period of validity.
Subject: the entity that is controlling the private key corresponding to the public key being certified. Also, here it is used the DM to identify that entity, with other fields not mentioned earlier:
- CN stands for common name (e.g. Antonio Lioy);
- Email, that is the e-mail of the entity. It is important to include this fields because public key certificates are used to protect internet applications, for example to send an e-mail to “Antonio Lioy”, the mail server needs to be able to understand what is the certified mail for the entity (so, the e-mail field is required). The same reasoning applies to other applications for which protection is wanted.
subjectPublicKeyInfo: is the field containing the public key; it specifies the algorithm, the length of the key and all the bits that constitute it;
CA digital signature: it is the digital signature of the certification authority computed over the certificate.

Question 62

Q

Public-Key Infrastructure

Answer

A

Technical and administrative infrastructure that manages creation, distribution and revocation of public key certificates.

Question 63

Q

Public key Certificate Revocation mechanisms

Answer

A

CRL (Certificate Revocation List):
- list of revoked certificates
- signed by the CA or by a delegated party
- certificate validity since it was issues
- allows the receiver to verify the validity since the certificate was issues
  - example: document received 3 months ago is valid even if the certificate is not valid from today, because 3 months ago the certificate was valid.
- Only way to check certificate history (of validity)
  - To verify one certificate we must download the full list
OCSP (On-line certificate status protocol):
- is a client-server protocol in which is possible to request to a specific service if the certificate is valid or not at the current time. The response is signed by the server, so that is not possible for someone to provide a fake response.
- Good for real-time checks.

Question 64

Q

Crypto performance

Answer

A

Depends on CPU, not on ram.

Performance is not a problem on clients (if not embedded systems).

Perfmance is an issue on servers when making secure a network of ndoes (e.g. routers), in these cases special hardware is used, either for crypto functions or for the whole packet processing step (including crypto stuff).

RC4 is the best of all cause it’s a stream algo.
3DES is 3x slower than DES.
AES is faster than DES and guarantees better security.
Singnature verification is faster than creation.

Answer 64

A

In 2018:
- AES-256, K < 256bit is weak.
- SHA-384 for hashing
- key agreement: ECDH and ECMQV
- digital signature: ECDSA, with EC on curve P-384

Answer 65

A

User browser uses weak crypto generally, and strong crypto when it talks with a bank.

It is also named gated cryptography because the strong part is inside a gate opened only when the server submits the correct certificate.

Brainscape's Knowledge GenomeTM

Basics Flashcards

Brainscape's Knowledge Genome^TM